SERIAL NUMBER IS FISHY - DECLINE YOUR PATCH'ITCH'ING WatchDISK v2.0 A Cracking Tutorial by ASTAGA [WTF/TTM] DISCLAIMER This reading material is not intended to violate Copyrights and/or it is law, but educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) of the mis-used of this material. Read END NOTES section at the end of this file. ABOUT THE PROGRAM WatchDISK is the perfect tool for keeping track of where disk space is disappearing to--especially on a network. Network administrators at fortune 500 companies, government agencies and universities around the world are using WatchDISK to help manage their disk space. Features : o Automated alerts that allow WatchDISK to warn you of disk space that disappears, without having to keep WatchDISK continually running. o Command line support for use in automated scripts o Scan drives that are thousands of Terabytes in size o Scan data is saved and can be compared side by side to easily see where the disk space is being used o Scan data can be saved or printed in comma-delimited format and imported into most spreadsheets o Ability to scan directories with an unlimited number of subdirectories o Print Disk Space Reports that display only the number of columns you're interested in WHERE TO DOWNLOAD Author : Douglas R Nebeker Copyright : Douglas R Nebeker Homepage : http://ourworld.compuserve.com/homepages/ dnebeker/watchdsk.htm URL : http://ourworld.compuserve.com/homepages/ dnebeker/wdsk20.exe Size : 600 KB as of September 28, 1999 Rel Date : May 18, 1999 HOW TO GET VALID SERIAL NUMBER by using SoftIce 1. Run WATCHDSK.EXE, in the registration dialog box type these below informations : Name : Red Rackham Code : 73881050 Do not click OK button yet 2. Load SoftIce by pressing [ CTRL + D ], set a breakpoint as follow : BPX getwindowtexta [enter] and F5 to return to the main program 3. Now, click OK button... you'll return back into SoftIce! In within SoftIce press F11, F5, F11, until you see and break at : ______________________________________________________________ 015F:0046AA35 FF15EC834700 CALL [USER32!GetWindowTextA] 015F:0046AA3B 8B4D10 MOV ECX,[EBP+10] <== BREAK HERE 015F:0046AA3E 6AFF PUSH FF 015F:0046AA40 E8B7B5FFFF CALL 00465FFC ..... _____________________ WATCHDSK!.text+00069A35 _______________ Disable current breakpoint and do a search string as follows : : bd * [enter] ==> no longer needed : s 0 l fffffffffffffff E8 DA 00 00 00 59 59 [enter] Pattern found at 0167:0040B6C5 (0040B6C5) : bpx 015f:0040B6C5 [enter] Press F5 to let SoftIce break into this location, repeat registration procedure if necessary. 5. If nothing goes wrong you'll break again at these below snippet codes : 015F:0040B6C5 E8DA000000 CALL 0040B7A4 <== break here 015F:0040B6CA 59 POP ECX 015F:0040B6CB 59 POP ECX 015F:0040B6CC 50 PUSH EAX ==> d ecx 015F:0040B6CD 8D4DEC LEA ECX,[EBP-14] 015F:0040B6D0 C645FC04 MOV BYTE PTR [EBP-04],04 015F:0040B6D4 E8DDA50500 CALL 00465CB6 015F:0040B6D9 8D4DE8 LEA ECX,[EBP-18] ==> d ecx 015F:0040B6DC C645FC03 MOV BYTE PTR [EBP-04],03 015F:0040B6E0 E88AA40500 CALL 00465B6F 015F:0040B6E5 FF750C PUSH DWORD PTR [EBP+0C] ==> 015F:0040B6E8 FF75EC PUSH DWORD PTR [EBP-14] 015F:0040B6EB E880EB0300 CALL 0044A270 015F:0040B6F0 59 POP ECX 015F:0040B6F1 C645FC02 MOV BYTE PTR [EBP-04],02 ==> 015F:0040B6F5 59 POP ECX 015F:0040B6F6 85C0 TEST EAX,EAX 015F:0040B6F8 8D4DEC LEA ECX,[EBP-14] 015F:0040B6FB 7522 JNZ 0040B71F ______________________ WATCHDSK!.text+A6C4 ____________________ Break due to BPX #015F:0040B6C5 Press F10 3 times - stop at 015F:0040B6CC - dump ECX register :d ecx [enter] ==> your name appear at virtual address 0167:00E38B4C Press F10 4 times - stop at 015F:0040B6D9 - dump ECX register :d ecx [enter] ==> did you see an interesting 80B652C8-60DBD 109-73AA7335-F67D5A6D at virtual address 0167:00E38C50 ? Write it down ! Press F10 3 times - stop at 015F:0040B6E5 - check contents SS register ( mine is SS:006ECE04=00E38EBC ) : : d 00E38EBC [enter] ==> your fake code at virtual address 0167:00E38EBC . Press F10 4 times - stop at 015F:0040B6F1 - dump ECX register :d ecx [enter] ==> did you see an interesting 80B652C8-60DBD 109-73AA7335-F67D5A6D at virtual address 0167:00E38C5C ? Write it down ! 7. Disable all breakpoints by typing BD * [enter] Press F5 or X to return to the main program 8. Repeat registration procedure and keyed-in 80B652C8-60DBD109 -73AA7335-F67D5A6D as your S/N. Click OK button ..... there you're registered. 9. Where the hell is my registration code is stored ?? The correct registration code is stored in the registry as follows : REGEDIT4 [HKEY_CURRENT_USER\Software\DNebeker\WATCHDSK\Settings] "RegisteredTo"="Red Rackham" "RegistrationKey"="80B652C8-60DBD109-73AA7335-F67D5A6D" 10. How can I practise with my own user name ? - I strongly recommended you not to do this ! E N D N O T E S Distributing your serial number is illegal and is no different than distributing illegal copies of the registered software. Violation of this rule may result in temporary or permanent revocation of this license and cancellation of the serial number; the original licensee will also be held responsible for damages, physical and estimated. Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!! ( tHATDUDE (PC97) defined LAMER(s) is the guy who sits in front of personal computer, using Hex Editor, ripping off other group(s) crack release, repacking (distro) them under his name. Adopted from newsgroup alt.cracks, alt.crackers - February 1997 ) More about LAMER(s): lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connota tions of self-conscious elitism that use of luser does among hackers. < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html > Never attribute to malice that which is adequately explained by stupidity ASTAGA [WTF/TTM/D4C/C4A] tute-watchdisk20.zip [EOF] First released/edited : Revised/updated : 1/24/01 4:57:09 AM