SERIAL NUMBER IS FISHY - DECLINE YOUR PATCH'ITCH'ING

Registry Crawler v3.0
A Cracking Tutorial by ASTAGA [WTF/TTM]


DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility (by any means and in any shape whatsoever) for the misuse of this material. Read the END NOTES section at the end of this file.


ABOUT THE PROGRAM

Registry Crawler enables power users and developers to quickly find and configure Registry settings. A powerful search engine allows you to find Registry information based on search criteria. Results are displayed in a list, allowing you to access any key found with a single mouse click.

Registry Crawler has built-in support for "bookmarks". You can bookmark any key in the Registry and then access it directly from the system tray. This powerful feature allows you to create a set of Registry keys that you frequently access, eliminating the need to manually open REGEDIT. Users that access the Registry on a daily basis will find Registry Crawler to be a great time saver.


WHERE TO DOWNLOAD

Author    : 4Developers LLC
Copyright : 4Developers LLC
Homepage  : http://www.4Developers.com
URL       : http://www.4developers.com/software/regc.exe
Size      : 353 KB as of 1/10/01
Rel Date  : December 11, 2000


HOW TO GET VALID SERIAL NUMBER by using SoftIce

This one has been my fave program for s/n fishing for 2 years now, dunno why, I just like it, and now I'm curious: are the prefix "8267-" and that table (base counter?) " YMA19X@24$Z% " still here? Let's fish the S/N.

1. Run RCRAWLER.EXE; in the registration dialog box type the information below:

   Name       : Pirates
   Order Code : 73881050

   Do not click the UNLOCK button yet.

2. Load SoftIce by pressing [ CTRL + D ] and set a breakpoint as follows:

   BPX Getwindowtexta [enter]

   then press F5 to return to the main program.

3. Now click the UNLOCK button... you'll return back into SoftIce!
   Within SoftIce press F11, F5, F11, then F10 once until you break at:

   ______________________________________________________________
   015F:0040A08C  E8F9B80100  CALL  0042598A        <== break here
   015F:0040A091  6868164500  PUSH  00451668
   015F:0040A096  8D4C240C    LEA   ECX,[ESP+0C]
   015F:0040A09A  E8DFC20100  CALL  0042637E
   015F:0040A09F  8B00        MOV   EAX,[EAX]
   015F:0040A0A1  68E8CC4400  PUSH  0044CCE8        ==> D EAX
   015F:0040A0A6  50          PUSH  EAX
   015F:0040A0A7  E8075E0000  CALL  0040FEB3
   015F:0040A0AC  83C408      ADD   ESP,08
   015F:0040A0AF  8D4C2408    LEA   ECX,[ESP+08]
   015F:0040A0B3  85C0        TEST  EAX,EAX
   015F:0040A0B5  0F94C3      SETZ  BL
   015F:0040A0B8  E853C20100  CALL  00426310
   _________________________ RCRAWLER!.text+9086 _______________

   Create a new breakpoint for later evaluation:

   : bpx 015F:0040A08C [enter]

   Press F10 5 times, stop at 015F:0040A0A1 and dump the EAX register:

   : d eax [enter]    ==> your name at virtual address 0167:006A4F70

   Now disable all breakpoints and do a string search for your fake code:

   : bd * [enter]
   : s 0 l fffffffffffffff '73881050' [enter]

   Pattern found at 0167:00451768 (00451768)

   : bpr 0167:00451768 0167:00451768+15 rw [enter]
   : press X or F5 to let SoftIce break into this location

4. If nothing goes wrong you'll break again at the code snippet below:

   015F:00414D32  3A01        CMP   AL,[ECX]        <== break here
   015F:00414D34  752E        JNZ   00414D64
   015F:00414D36  0AC0        OR    AL,AL
   015F:00414D38  7426        JZ    00414D60
   015F:00414D3A  3A6101      CMP   AH,[ECX+01]
   015F:00414D3D  7525        JNZ   00414D64
   015F:00414D3F  0AE4        OR    AH,AH
   015F:00414D41  741D        JZ    00414D60
   ...
   ___________________ RCRAWLER!.text+00013D30 _________________
   Break due to BPR #0167:00451768 #0167:0045177D RW

   While at 015F:00414D32, dump the EDX register:

   : d edx [enter]    ==> did you see 8267-MJRaaa% at virtual address 0167:006A4F70 ??

   Write down this potential reg code.

   NOTE : As I expected, this program is still using its old protection scheme ( 2 YEARS HAVE PASSED ALREADY !! ).
   If you wanna keygen, follow the CALL at 015F:0040A0A7 and/or 015F:0040A0B8 - you'll see where the prefix "8267-" and base counter " YMA19X@24$Z% " are located and how they check your name.

5. Disable all breakpoints by typing BD * [enter]. Press F5 or X to return to the main program.

6. Repeat the registration procedure and key in 8267-MJRaaa% as your S/N. Click the UNLOCK button ..... there, you're registered.

7. Where the hell is my registration code stored ??

   The correct registration code is stored in the registry as follows:

   REGEDIT4

   [HKEY_LOCAL_MACHINE\Software\4Developers]

   [HKEY_LOCAL_MACHINE\Software\4Developers\RCrawler]
   "4D"=hex:41,53,54,41,47,41,20,5b,54,54,4d,5d,00,00,00,00,00,00,00,00,00,00,00,\
     ... ...
     00,00,00,00,00,00,00,00,38,32,36,37,2d,59,42,42,32,4c,5a,00,00,00,00,00,00,\
     ... ...

   Note : Deleting this "4D" value will return the program to unregistered.

8. How can I practise with my own user name ?

   - I strongly recommend you not to do this !


E N D   N O T E S

Distributing your serial number is illegal and is no different than distributing illegal copies of the registered software. Violation of this rule may result in temporary or permanent revocation of this license and cancellation of the serial number; the original licensee will also be held responsible for damages, physical and estimated.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s) crack releases, repacking (distro) them under his name. Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

Never attribute to malice that which is adequately explained by stupidity

ASTAGA [WTF/TTM/D4C/C4A]

tute-registrycrawler30.zip
[EOF] 1/10/01 9:15:57 PM
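The scheme in steps 3 and 4 fails because the client builds the valid serial for the entered name and compares the input against it, so the correct value sits in process memory at the compare. The sketch below is an added example, not code from this tutorial or from the vendor: it contrasts that pattern with a check that only verifies a vendor signature, so the client never holds the expected serial. The derivation in `weak_derive`, all function names, the sample names and the toy key (unpadded textbook RSA over two Mersenne primes, far too small for real use) are constructed assumptions; a real product would use a vetted signature library.

```python
import hashlib

# --- Weak pattern: the client derives the valid serial itself, then compares.
def weak_derive(name: str) -> str:
    # Hypothetical derivation for illustration, NOT Registry Crawler's algorithm.
    return "DEMO-" + hashlib.sha256(name.encode()).hexdigest()[:8].upper()

def weak_check(name: str, entered: str) -> bool:
    expected = weak_derive(name)  # the valid serial now sits in process memory
    return entered == expected

# --- Hardened pattern: the client only verifies a signature over the name.
# Constructed toy key (assumption): two Mersenne primes, illustration only.
_P, _Q = 2**107 - 1, 2**127 - 1
N, E = _P * _Q, 65537                    # public half, shipped in the client
_D = pow(E, -1, (_P - 1) * (_Q - 1))     # private half, stays with the vendor

def _digest(name: str) -> int:
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N

def vendor_issue(name: str) -> str:
    """Vendor side: sign the name digest with the private exponent."""
    return format(pow(_digest(name), _D, N), "x")

def client_verify(name: str, serial: str) -> bool:
    """Client side: needs only (N, E) and cannot produce a serial for a name."""
    try:
        s = int(serial, 16)
    except ValueError:
        return False                     # malformed input is rejected
    if not 0 < s < N:
        return False
    # The values compared are H(name) and serial^E mod N; neither one is a
    # serial that could be typed into the dialog for this name.
    return pow(s, E, N) == _digest(name)
```

With the hardened check, a memory dump at the comparison shows only the name digest, and the private exponent `_D` would never be present in a shipped client.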