KEYGEN IS DEMON, PATCHING IS EVIL, SERIAL FISHING IS LESS ATTITUDE

WinBrush 2001 v1.0
A Cracking Tutorial by ASTAGA [TTM]

http://www.magellass.com/brushz.html
http://www.magellass.com/br2001.zip

WinBrush 2001: Automatically clean sweep all tracks and garbage files!

WinBrush for Windows Me/9X/NT/2000 is a handy tool that will safeguard your privacy and keep your system clean. It works by cleaning up your tracks (document histories, cookies, temporary internet files, etc.) while you are working in Windows and surfing the Internet. It also removes garbage files such as application temporary files and unneeded log or backup files.

HOW TO GET A VALID S/N by using SoftICE

At the first attempt I was using TRW2000 v1.23 (thanks to WKT's Mr_Black for your kindness in sending me this v1.23), for the reason that it can break through PE-packed programs, as they always are. To my surprise, I found an unbelievable string on the TRW2K screen, in the main program's code, that is "WINBRUSH.tolol+000XXYZ", which does not appear on the SoftICE screen! "tolol" means "stupid, fool, and dumb". I really (always) like Mr. Dani Okianto's and his friends' (aka the Authors') jokes and sticky notes found in their program routines.

I am not sure whether the guys at Magellass Corp are genius or crazy, as you can see the real reg code(s) are hard coded within the program. If only one valid reg code were hard coded then that would be reasonable, but there are a lot of potential reg codes inside! ... to me it's bizarre! Until I finished writing this tute, I could not come to a conclusion about why they hard coded these serial numbers. So, who the hell is the WEIRDO? me, us or them????

Unlike their previous products, they hide the REAL registration info in the registry (last time I found it deep inside CLSID!) in a different registry key location under HKCR.
LASTLY, I personally express my sincere salutation to the Author(s) at Magellass Corporation: Dani Okianto, Diki Septanto, Sandi Yulianto and Irma Aryani, the "barudak Bandung", "juragan bakso", "juragan kurupuk". You guys have done a great job since you released the first WinBoost in mid 1998. You never gave up fighting against crackers all over the Net. Keep up da GOOD WORK. You too ... si Brinos. Next time hide that IJN (= Irma arJaNi?) in the safest and most secret location ... Hallo-hallo hore-hore ... sorry, I'm handsome.

Let's dance ... dance across the floor

1. Run the program, and in the registration dialog box type the information below:

     Name       : Pirates
     Order Code : 73881050

   Do not click the OK button yet.

2. Load SoftICE by pressing [CTRL + D] and set a breakpoint as follows:

     : bpx hmemcpy [enter]

   then press F5 to return to the main program.

3. Now click the OK button ... you'll return back into SoftICE! Inside SoftICE press F11, F5, F11, then F12 11 times until you see and break at:

   015F:00482C2D  E80AE9FAFF        CALL 0043153C
   015F:00482C32  8B55F4            MOV EDX,[EBP-0C]
   015F:00482C35  B8685D4900        MOV EAX,00495D68
   015F:00482C3A  E8D10FF8FF        CALL 00403C10
   015F:00482C3F  33C0              XOR EAX,EAX
   015F:00482C41  5A                POP EDX
   015F:00482C42  59                POP ECX
   015F:00482C43  59                POP ECX
   015F:00482C44  648910            MOV FS:[EAX],EDX
   015F:00482C47  68742F4800        PUSH 00482F74
   015F:00482C4C  8B45FC            MOV EAX,[EBP-04]
   015F:00482C4F  E8BCFEFFFF        CALL 00482B10        ==> F8 here
   015F:00482C54  A1605D4900        MOV EAX,[00495D60]
   ....
   ....
   __________________ WINBRUSH!CODE+00081C27 ________________
   Break due to BPX #0167:00482C2D

   Press F10 once - stop at 015F:00482C35 - dump the EDX register: your fake code appears at 0167:00C86BB4.

   Press F10 9 times - stop at 015F:00482C4F - follow this CALL instruction by pressing the F8 key.
   Here you land after following the CALL instruction:

   cont'd
   015F:00482B10  55                PUSH EBP             <== land here
   015F:00482B11  8BEC              MOV EBP,ESP
   015F:00482B13  6A00              PUSH 00
   015F:00482B15  6A00              PUSH 00
   015F:00482B17  53                PUSH EBX
   015F:00482B18  56                PUSH ESI
   015F:00482B19  8BD8              MOV EBX,EAX
   015F:00482B1B  33C0              XOR EAX,EAX
   015F:00482B1D  55                PUSH EBP
   015F:00482B1E  68BB2B4800        PUSH 00482BBB
   015F:00482B23  64FF30            PUSH DWORD PTR FS:[EAX]
   015F:00482B26  648920            MOV FS:[EAX],ESP
   015F:00482B29  8D55FC            LEA EDX,[EBP-04]
   015F:00482B2C  8B83E0020000      MOV EAX,[EBX+000002E0]
   015F:00482B32  E805EAFAFF        CALL 0043153C
   015F:00482B37  8B55FC            MOV EDX,[EBP-04]
   015F:00482B3A  B8645D4900        MOV EAX,00495D64     ==> D EDX
   015F:00482B3F  E8CC10F8FF        CALL 00403C10
   015F:00482B44  8D55FC            LEA EDX,[EBP-04]
   015F:00482B47  8B83E4020000      MOV EAX,[EBX+000002E4]
   ____________________ WINBRUSH!CODE+00081B10 __________________

   Press F10 16 times - stop at 015F:00482B3A - dump the EDX register:

     : d edx [enter]

   your name appears at virtual address 0167:00C86C18.

   Press F10 again until you reach the snippet of code below:

   cont'd
   015F:00482B47  8B83E4020000      MOV EAX,[EBX+000002E4]
   015F:00482B4D  E8EAE9FAFF        CALL 0043153C        ==> bpx here
   015F:00482B52  8B55FC            MOV EDX,[EBP-04]
   015F:00482B55  B8685D4900        MOV EAX,00495D68     ==> d edx
   015F:00482B5A  E8B110F8FF        CALL 00403C10        ==> bpx here
   015F:00482B5F  33DB              XOR EBX,EBX          ==> d edx
   015F:00482B61  8D4DF8            LEA ECX,[EBP-08]
   015F:00482B64  0FBFD3            MOVSX EDX,BX
   015F:00482B67  A1D43F4900        MOV EAX,[00493FD4]
   015F:00482B6C  8B00              MOV EAX,[EAX]
   015F:00482B6E  8B802C040000      MOV EAX,[EAX+0000042C]
   015F:00482B74  8B4024            MOV EAX,[EAX+24]
   015F:00482B77  8B30              MOV ESI,[EAX]
   015F:00482B79  FF560C            CALL [ESI+0C]        ==> bpx here
   015F:00482B7C  8B55F8            MOV EDX,[EBP-08]
   015F:00482B7F  A1685D4900        MOV EAX,[00495D68]
   015F:00482B84  E8BF13F8FF        CALL 00403F48
   015F:00482B89  750A              JNZ 00482B95
   015F:00482B8B  C705605D4900FFFFFFFF  MOV DWORD PTR [00495D60],FFFFFFFF
   015F:00482B95  43                INC EBX
   ______________________ WINBRUSH!CODE+00081B47 ___________________

   Press F10 2 times - stop at 015F:00482B55 -
   dump the EDX register:

     : d edx [enter]

   your fake code appears again at virtual address 0167:00C86C34.

   Disable the current breakpoint and set a new one at 015F:00482B4D:

     : bd * [enter]
     : bpx 015F:00482B4D [enter]

   Press F10 2 times - stop at 015F:00482B5F - dump the EDX register:

     : d edx [enter]

   your fake code appears again at virtual address 0167:00C86C00, and one line below is your user name.

   Disable the current breakpoint and set a new one at 015F:00482B5A:

     : bd * [enter]
     : bpx 015F:00482B5A [enter]

   Press F10 10 times - stop at 015F:00482B7F - dump the EDX register:

     : d edx [enter]

   Did you see the interesting 2A4B2-Z584-MD48-4EAX at 0167:00C75140? Look several lines below: there are a lot of interesting strings that look like reg codes, and if you scroll down you'll see more potential reg codes between virtual address 0167:00C75140 and 0167:00C797C0.

   Press F10 once - stop at 015F:00482B84 - dump the EAX register: your fake code appears at 0167:00C86C34.

   Up to this step, you now understand how I found the memory address where a potential serial can be caught, that is after you have stepped past the CALL instruction at 015F:00482B79. Now, let's create a new breakpoint close to the address where the S/N can be fished, in this case at 015F:00482B79. Do the following steps:

     : bd * [enter]
     : bpx 015F:00482B79 [enter]

   Press X or F5 to return to the registration dialog box.

   NOTE: You should repeat the registration procedure by entering the user name and fake code.

4.
   If nothing goes wrong you'll break again at the snippet of code below:

   ______________________________________________________________
   015F:00482B61  8D4DF8            LEA ECX,[EBP-08]              <== ret loop
   015F:00482B64  0FBFD3            MOVSX EDX,BX
   015F:00482B67  A1D43F4900        MOV EAX,[00493FD4]
   015F:00482B6C  8B00              MOV EAX,[EAX]
   015F:00482B6E  8B802C040000      MOV EAX,[EAX+0000042C]
   015F:00482B74  8B4024            MOV EAX,[EAX+24]
   015F:00482B77  8B30              MOV ESI,[EAX]
   015F:00482B79  FF560C            CALL [ESI+0C]                 <== break here
   015F:00482B7C  8B55F8            MOV EDX,[EBP-08]
   015F:00482B7F  A1685D4900        MOV EAX,[00495D68]            ==> d edx
   015F:00482B84  E8BF13F8FF        CALL 00403F48
   015F:00482B89  750A              JNZ 00482B95                  ==> jump to
   015F:00482B8B  C705605D4900FFFFFFFF  MOV DWORD PTR [00495D60],FFFFFFFF
   015F:00482B95  43                INC EBX                       <== ret jump
   015F:00482B96  6681FBF401        CMP BX,01F4
   015F:00482B9B  75C4              JNZ 00482B61                  ==> loop to
   015F:00482B9D  33C0              XOR EAX,EAX
   015F:00482B9F  5A                POP EDX
   015F:00482BA0  59                POP ECX
   015F:00482BA1  59                POP ECX
   015F:00482BA2  648910            MOV FS:[EAX],EDX
   015F:00482BA5  68C22B4800        PUSH 00482BC2
   015F:00482BAA  8D45F8            LEA EAX,[EBP-08]
   015F:00482BAD  E80A10F8FF        CALL 00403BBC
   015F:00482BB2  8D45FC            LEA EAX,[EBP-04]
   015F:00482BB5  E80210F8FF        CALL 00403BBC
   ___________________ WINBRUSH!CODE+00081B77 ___________________
   Break due to BPX #015F:00482B79

   Press F10 2 times - stop at 015F:00482B7F - dump the EDX register:

     : d edx [enter]

   Did you see the alphanumeric characters starting at 0167:00C75130? In my case I found 2A4B2-Z584-MD48-4EAX. It's most likely a reg code, and if you scroll down the Data Window you'll see a lot of similar potential reg codes. But which one is valid in accordance with your user name??????

   Press F10 5 times - step past the JNZ instruction at 015F:00482B9B; now the loop procedure has just begun between 015F:00482B61 and 015F:00482B9B. During this loop, every time you step past the CALL instruction at 015F:00482B79 you'll get another new potential reg code by dumping the EDX register at 015F:00482B7F.
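   What the loop above shows from a defender's point of view: the routine walks a table of stored codes (CMP BX,01F4 bounds the walk at 0x1F4 = 500 entries), fetches each entry through CALL [ESI+0C] and string-compares it with the typed code at CALL 00403F48. The name stored earlier at 00495D64 never takes part in that compare, so every table entry is a complete licence on its own and every one of them is readable in memory at the moment of the compare. The Go program below is an added illustration written for this write-up; it is not code from the tutorial or from Magellass. It models that table-lookup check next to a scheme that does not have the weakness: the licence code is an Ed25519 signature over the licensee's name, issued with a private key that stays with the vendor, while the client holds only the public key. The table entries, the context string and the function names are all assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"fmt"
	"strings"
)

// Weak scheme, modelled on the loop in the listing: a table of stored codes
// is walked and each entry is string-compared against the typed code.
// The values below are constructed samples, not codes from the program.
var hardcodedCodes = []string{
	"AAAA1-BBBB-CCCC-DDDD",
	"EEEE2-FFFF-GGGG-HHHH",
	"IIII3-JJJJ-KKKK-LLLL",
}

// WeakCheck mirrors the CMP/JNZ walk over the table. The name parameter is
// accepted but never used, so any table entry registers any name, and every
// entry is sitting in memory at the moment of the compare.
func WeakCheck(name, code string) bool {
	_ = name
	for _, stored := range hardcodedCodes {
		if stored == code {
			return true
		}
	}
	return false
}

// Hardened scheme (assumed design for this example): the licence code is an
// Ed25519 signature over the licensee's name. The vendor keeps the private
// key; the client ships only the public key, so no valid code exists in the
// client's memory and a code for one name does not verify for another.
const licenseContext = "example-licence-v1" // assumed domain-separation tag

var codeEncoding = base32.StdEncoding.WithPadding(base32.NoPadding)

func licenseMessage(name string) []byte {
	// Normalise the name so stray whitespace does not change the signed bytes.
	return []byte(licenseContext + "\x00" + strings.TrimSpace(name))
}

// IssueLicense is the vendor-side step and the only place the private key is used.
func IssueLicense(priv ed25519.PrivateKey, name string) string {
	sig := ed25519.Sign(priv, licenseMessage(name))
	return codeEncoding.EncodeToString(sig)
}

// VerifyLicense is the client-side check; it needs only the public key.
// Malformed or wrong-length input is rejected before the signature check.
func VerifyLicense(pub ed25519.PublicKey, name, code string) bool {
	sig, err := codeEncoding.DecodeString(strings.ToUpper(strings.TrimSpace(code)))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, licenseMessage(name), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	code := IssueLicense(priv, "Pirates")
	fmt.Println("weak check, any name, table entry:", WeakCheck("Anyone", hardcodedCodes[0]))
	fmt.Println("signed code for Pirates:", VerifyLicense(pub, "Pirates", code))
	fmt.Println("same code, different name:", VerifyLicense(pub, "Someone Else", code))
	fmt.Println("fake code 73881050:", VerifyLicense(pub, "Pirates", "73881050"))
}
```

   Breaking on the string compare in the hardened variant yields only the signature the user just typed and the name it was checked against; there is no table of valid codes in the process to read out, and a captured code is tied to one name.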
   I dunno how many possible reg codes will appear on your Data Window screen until this loop is finished.

5. Let's register this program: repeat the registration procedure and key in 2A4B2-Z584-MD48-4EAX (I myself used 3Z7R6-E3C7-DXC3-9U5J) as your S/N .... there, you're registered. However, at the bottom of this file you'll find other potential reg codes in random order.

6. Respect the Author and do not attempt to register this program by using your own user name, unless you pay US$20.00 for official licensing.

END NOTES

DON'T BE A LAMER BY DISTRIBUTING YOUR CRACK RELEASE BASED ON THIS TUTORIAL.

============== D I S C L A I M E R =============
THIS PAPER IS NOT INTENDED TO VIOLATE COPYRIGHT LAW BUT IS FOR EDUCATIONAL PURPOSES ONLY. I HOLD NO RESPONSIBILITY (IN ANY SHAPE WHATSOEVER) FOR THE MISUSE OF THIS MATERIAL. NO PART OF THIS PAPER IS SOLD/RENTED FOR COMMERCIAL OR PERSONAL BENEFIT.

[EOF]

ASTAGA [TTM] - tute-winbrush2001.zip
Tutorial Free Version C 2/6/01 7:45:34 PM

List of Potential Reg Codes for WinBrush2001
Captured by ASTAGA - The Tutorial Machine

2A4B2-Z584-MD48-4EAX  2A4Z5-W447-DM27-6EAP  2A6J7-S987-WZ27-4L8T  2A6S8-Z374-UL78-2M4N  2ACXA-Z982-BT97-2N8Z
2B6XA-F675-PG26-2Y3L  2B9E2-Q627-TR2C-4Y4G  2C7NC-T526-CZ53-4Y4P  2D6S6-K7A6-JS75-6F3N  2D8B2-D844-PCA5-AC9Y
2E7FC-M84A-PN64-4R6Z  2EAP7-FA35-YZ54-9QCT  2F3G4-H37C-JQ56-4T5H  2F3R6-Z478-WQ2A-5V4M  2F7X7-C82A-TG22-9N3T
2F8P4-U743-SKC4-3E8A  2V8S9-S8A8-KB52-9BCU  2W3U5-GAA8-EQ38-2Z6J  2W9Z4-L37A-SU97-4H9G  2X7P2-SAC7-SM32-6G4A
2XAU8-F776-NZAA-9B4Z  2XCR7-YA25-NP68-6Z2Q  2Y5X8-X256-ES45-6K5Y  2Y8G8-KA62-JG54-7B5X  2ZAP6-B8AA-CC2A-3Z5S
3Z7R6-E3C7-DXC3-9U5J  3Z8VC-M868-FC68-5P2V  3Z8XA-F276-EF37-6PAK  3Z9G2-E95C-EXA6-7T7Q  4AAE7-T69A-MB49-4X2H
4B4J8-J66A-GJ66-ADAQ  4C3X3-K485-XA77-8S3X  4C4B6-P85A-ZX27-3X5X  4C5X2-W283-MD56-4X2R  6V6GA-J585-QF73-AZAK
6W7J2-R647-UA53-AV5C  6W9G6-A4A2-ZX64-6D4U  6WABA-Q533-VF7A-AF8H  AK8CA-B677-DT4A-4P7D  AK8L7-XC38-JE22-9S9Q
AL7S7-M859-FG22-4L4U  AL8UC-H729-LMC6-9K7U  AR4TA-N34A-QJ7A-AY2U  AR8Z6-C45A-XQ94-3QAL
AS3PC-E2A9-CL9C-3JCX  ASCXC-U684-AW66-4G8D  CXAJC-N233-JU49-3P7T  CY5XC-K3C2-YJC2-3SAQ  CY6WA-N847-KZ76-AE4K

Breakpoint(s) history for WinBrush2001 v1.0 by ASTAGA [TTM]

00) * BPX KERNEL!HMEMCPY
01) * BPX #015F:00482C2D
02) * BPX #015F:00482B4D
03)   BPX #015F:00482B79

2/6/01 8:13 PM

Ijn=hex:0e,27,04,f0

Hey Brino ... woof ... woof