Target Program:    TweakJr 99 1.01
Protection:        - Nag screen with delay + an OK button
                   - Help button disabled
                   - "Auto run programs in Folder/Run" disabled
Cure:              Two-byte patch of tweakjr.exe
URL:               http://home3.swipnet.se/~w-31362/tweakjrenj.htm
Program Size:      312 KB (319,488 bytes)
Tools Used:        - W32Dasm 8.93
                   - Hex Workshop 2.54
                   - Turbo Pascal 7.0
                   - Pcom 2.8b3
Description:       One of the most complete tweaking tools, with a lot of possible
                   setting changes. Copyright © Joakim Fredlund 1998. You can
                   change the registry in a safe way; you don't have to worry about
                   whether the computer will start after you've made the changes.
Compiled By:       MS Visual C++
Registration Fee:  $19.95
Well, this cracking tutorial is for beginners. I'll show you how to crack TweakJr 99 and make a patch in two ways; it is very easy, and I hope you enjoy this tutorial and learn something from it. OK guys, let's get started. Open TweakJr. A window appears telling us to register the copy; after 3 seconds a button appears. Click OK and look for strange things... Yes, it's the Help button: it was disabled by the author. Good! Now go to About. What we see here is the #1 magic word, "UNREGISTERED". Very good! And we can't enter any UserName or UnlockKey. Excellent! We'll show him what a shitty protection it is!!! :)
Launch W32Dasm, disassemble the target, and search the string references for the #2 magic word, REGISTERED or something like it. Yes!!! We found it: one reference, "Thank You for your Registration". Double click on it and... (this method lets us walk the whole protection scheme backwards from its end)

--- Register The Program ---

I said, double click and...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D4CC(C)                                                  <-- here it is!!
|
* Possible StringData Ref from Data Obj ->"Thank You for your Registration "   <-- we land here
                                        ->"and for Supporting TweakJr 99 "
                                        ->"!"
|
:0040D4DA 68D8284400      push 004428D8
:0040D4DF 8D8E24100000    lea ecx, dword ptr [esi+00001024]
:0040D4E5 E8E6B60100      call 00428BD0
:0040D4EA 6A00            push 00000000
:0040D4EC 685D040000      push 0000045D
:0040D4F1 8D8E740B0000    lea ecx, dword ptr [esi+00000B74]
:0040D4F7 E8CBAA0100      call 00427FC7
:0040D4FC 8BC8            mov ecx, eax
:0040D4FE E8E6AC0100      call 004281E9
:0040D503 6A01            push 00000001
:0040D505 684C040000      push 0000044C
We are at the end of the registration routine, so let's go up to the code location that jumps here, 40D4CC:
* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:0040D4AF FF1500404300    Call dword ptr [00434000]
:0040D4B5 E9E0000000      jmp 0040D59A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D483(C)                                                  <-- here it is again!!
|
:0040D4BA 8B07            mov eax, dword ptr [edi]
:0040D4BC 68605D4400      push 00445D60
:0040D4C1 50              push eax
:0040D4C2 E8979E0000      call 0041735E
:0040D4C7 83C408          add esp, 00000008
:0040D4CA 85C0            test eax, eax
:0040D4CC 750C            jne 0040D4DA                  <-- We are here!

You might think that if we change this jne to je we'll be registered. WRONG!! We are still inside the routine that is only reached once the program already considers us registered; this jump just decides what happens after that. So we must go up again!

* Possible StringData Ref from Data Obj ->"John Doe"   <-- What's that? Hmm, maybe the boyfriend of the author: the program
                                                           looks for his name and, if it matches, registers itself without
                                                           any patch. Lovely boy ;)
|
:0040D4CE 6818294400      push 00442918
:0040D4D3 8BCF            mov ecx, edi
:0040D4D5 E8F6B60100      call 00428BD0
Double right-click on the code location :0040D483(C) to follow the reference, and scroll up until you see this:
* Possible StringData Ref from Data Obj ->"Software\JockeSoft\TweakJr 99\1.0"   <-- check for the TweakJr key
|
:0040D3EF 6818214400      push 00442118
:0040D3F4 6801000080      push 80000001                 <-- HKEY_CURRENT_USER
:0040D3F9 FFD3            call ebx                      <-- open/read the key (registry API via ebx; returns 0 on success)
:0040D3FB 85C0            test eax, eax                 <-- is eax = 0 ? (test only sets ZF when eax is 0; it does not clear eax like xor would)
:0040D3FD 0F8577010000    jne 0040D57A                  <-- if eax <> 0 (key could not be opened) then jump to UNREGISTERED
:0040D403 8B4C2410        mov ecx, dword ptr [esp+10]
:0040D407 8D542414        lea edx, dword ptr [esp+14]
:0040D40B 52              push edx
:0040D40C 50              push eax
:0040D40D 8D442420        lea eax, dword ptr [esp+20]
:0040D411 50              push eax
:0040D412 6A00            push 00000000

* Possible StringData Ref from Data Obj ->"UserName"   <-- checks for UserName
|
:0040D414 680C214400      push 0044210C
:0040D419 51              push ecx
:0040D41A FFD5            call ebp                      <-- read UserName
:0040D41C 85C0            test eax, eax                 <-- is eax = 0 ? (0 = the value was read)
:0040D41E 0F8529010000    jne 0040D54D                  <-- if eax <> 0 (no UserName value) then jump to UNREGISTERED
:0040D424 8B542414        mov edx, dword ptr [esp+14]
:0040D428 52              push edx
:0040D429 E863770100      call 00424B91
:0040D42E 8B542414        mov edx, dword ptr [esp+14]
:0040D432 83C404          add esp, 00000004
:0040D435 8BD8            mov ebx, eax
:0040D437 8D442414        lea eax, dword ptr [esp+14]
:0040D43B 50              push eax
:0040D43C 8D4C241C        lea ecx, dword ptr [esp+1C]
:0040D440 53              push ebx
:0040D441 51              push ecx
:0040D442 6A00            push 00000000

* Possible StringData Ref from Data Obj ->"UserName"
|
:0040D444 680C214400      push 0044210C
:0040D449 52              push edx
:0040D44A FFD5            call ebp                      <-- read UserName again
:0040D44C 8B442410        mov eax, dword ptr [esp+10]
:0040D450 50              push eax
But we don't need to go deeper into the code, because we have found the magic jump at 40D41E. Replace it with je and the program takes the username from the Windows registered owner. Easy, huh?

0F 85 29 01 00 00   (jne rel32)
to
-- 84 -- -- -- --   (je rel32)
(--) stays unchanged.

Note what the inversion does: the original jumps to UNREGISTERED when the UserName value cannot be read (eax <> 0); the patched je jumps there when it can be read (eax = 0). So the patched copy only registers itself as long as there is no UserName value under HKCU\Software\JockeSoft\TweakJr 99\1.0. If you want to remove the check rather than invert it, overwrite the whole six-byte instruction with NOPs (90 90 90 90 90 90) instead.
--- Enable Auto run programs in Folder/Run ---
Now we look in the string references for anything related to Run, RunOnce, RunServices etc., and we find two of them:
"Software\Microsoft\Windows\CurrentVersion\Run"    <-- so let's try this one!
"Software\Microsoft\Windows\CurrentVersion\RunS"
* Possible StringData Ref from Data Obj ->"Software\Microsoft\Windows\CurrentVersion\Run"
|
:00404175 6840164400      push 00441640
:0040417A 6801000080      push 80000001                 <-- HKEY_CURRENT_USER
* Reference To: ADVAPI32.RegOpenKeyExA, Ord:0172h
|
:0040417F FF1508404300    Call dword ptr [00434008]
:00404185 85C0            test eax, eax                 <-- 0 = the key opened
:00404187 7551            jne 004041DA                  <-- this is the magic jump we are after
:00404189 55              push ebp

75 51   (jne rel8)
to
74 --   (je rel8)
(--) stays unchanged.

HKCU\...\CurrentVersion\Run normally exists, so RegOpenKeyExA returns 0 and the original code falls through to 00404189; with the je the same case takes the jump to 004041DA instead.
Find the two bytes in Hex Workshop and change them: the 85 at file offset D41F (the second byte of the jne at 0040D41E) becomes 84, and the 75 at file offset 4187 (the jne at 00404187) becomes 74. In this build file offset = VA - 400000h (the image base), because the code section sits at the same offset in the file as it is mapped in memory; if your copy is laid out differently, check the PE section table before patching. Restart, and... yes!!! It's registered. WoW, the Help button is now enabled. Great! And all the functions are enabled now.

Quickly, let's make the patch with TP first:
-------------------------------------Cut-Here--------------------------------------------------
Program TweakJr_Patch;
{ Two-byte patch for tweakjr.exe (TweakJr 99 1.01):
    $D41F: 85 -> 84  (jne -> je at 0040D41E, registration check)
    $4187: 75 -> 74  (jne -> je at 00404187, Folder/Run auto-run check)
  No "Uses Crt": it is not needed, and its startup timing loop dies with
  runtime error 200 on fast CPUs. }
Type
  TPatch = Record
    Offset : Longint;   { file offset of the byte to change }
    Old    : Byte;      { byte expected there in the unpatched file }
    New    : Byte;      { byte to write }
  End;
Const
  Patches : Array[1..2] of TPatch =
    ((Offset:$D41F; Old:$85; New:$84),
     (Offset:$4187; Old:$75; New:$74));
Var
  B : Byte;
  I : Byte;
  F : File;
Begin
  Writeln('Crack for TweakJr 99 1.01 by tBS ''99');
  Assign(F, 'tweakjr.exe');
  {$I-} Reset(F, 1); {$I+}        { record size 1 = byte-wise access, read/write }
  If IOResult <> 0 then
  begin
    Writeln('No file found!');
    Halt(1);
  end;
  { Verify every byte first, so a different version or an already
    patched file is left untouched instead of being corrupted }
  For I := 1 to 2 do
  begin
    Seek(F, Patches[I].Offset);
    BlockRead(F, B, 1);
    If B <> Patches[I].Old then
    begin
      Writeln('Unexpected byte at offset ', Patches[I].Offset,
              ' - wrong version or already patched?');
      Close(F);
      Halt(2);
    end;
  end;
  For I := 1 to 2 do
  begin
    Seek(F, Patches[I].Offset);
    B := Patches[I].New;
    BlockWrite(F, B, 1);
  end;
  Close(F);
  Writeln('Patch completed');
  Writeln('Enjoy it');
End.
-------------------------------------Cut-Here--------------------------------------------------
Let's make the patch with Pcom. It's very simple and powerful, but before you use it you must read the DOC; you can learn a lot of things from it. You can download it here!
The command line is: pcom tweakjr.src -p -i -e
  -p  Compression
  -i  Include anti-hacking code
  -e  Encrypt output file
Open Notepad, paste this code, and save it as tweakjr.src:
-------------------------------------Cut-Here--------------------------------------------------
; BEGIN
$cls
@TweakJr 99 1.01 Crack by tBS '99
@
@Press Y to apply patch, any other key to quit.
$y/n
@
@~!:Finding tweakjr.exe...
+tweakjr.exe
@ Found!
@
@~!:Checking size...
!319488
@ Ok!
@
@~!:Checking bytes...
>0000:d41f
=85
>0000:4187
=75
@ Ok!
@
@~!:Patching file...
>0000:d41f
'84
>0000:4187
'74
@ Ok!
-
@
@[Patch completed - press a key]
$snd
$key
; END
-------------------------------------Cut-Here--------------------------------------------------
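To show in working code what the two jne -> je byte changes above actually do, and what both patchers (the TP one and the Pcom script) have to get right before writing, here is an added example. It is my own code, not the tutorial's, not TweakJr's, and not a replacement for either patcher. It assumes a constructed PE, built in build_sample_pe() as a stand-in for tweakjr.exe, whose .text is deliberately stored at file offset 0x400 rather than 0x1000, so the "file offset = VA - 400000h" shortcut used above would point at the wrong byte; the 0x400000 image base, the two jump addresses and their opcode bytes are the only things taken from the listings. It goes beyond the text in two ways: the VA-to-offset mapping reads the section table, so it also works for binaries laid out differently, and the jump inversion handles any x86 Jcc (short or near), not only jne/je.

```python
"""
Added example, not code from the tutorial or from TweakJr: a verifying
patcher that (1) maps a virtual address to a file offset through the PE
section table instead of assuming file offset = VA - image base, and
(2) inverts an x86 conditional jump by toggling the low bit of its
condition code (jne 0F 85 -> je 0F 84, jne 75 -> je 74).
The PE it operates on is constructed in build_sample_pe() and is NOT
tweakjr.exe; only the two jump addresses and opcodes come from the text.
"""
import struct

IMAGE_BASE = 0x00400000          # image base of the tutorial's binary


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Translate a virtual address to a raw file offset using the PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    rva = va - image_base
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40                    # IMAGE_SECTION_HEADER
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} is not inside any section")


def invert_jcc(code, offset: int) -> bytes:
    """Return the opcode bytes of the Jcc at `offset` with its condition inverted.

    Short Jcc is 70..7F rel8, near Jcc is 0F 80..8F rel32.  The low bit of the
    condition nibble selects between a test and its complement (e/ne, b/ae, ...),
    so XOR-ing it with 1 flips the branch; the displacement bytes stay as they are.
    """
    b0 = code[offset]
    if 0x70 <= b0 <= 0x7F:
        return bytes([b0 ^ 1])
    if b0 == 0x0F and 0x80 <= code[offset + 1] <= 0x8F:
        return bytes([0x0F, code[offset + 1] ^ 1])
    raise ValueError(f"no conditional jump at file offset {offset:#x}")


def flip_jumps(pe: bytes, targets) -> bytes:
    """Invert the Jcc at each (va, expected_opcode) pair.  Refuses to touch a
    file whose bytes do not match, so a different version or an already
    patched copy is left alone instead of being corrupted."""
    out = bytearray(pe)
    for va, expected in targets:
        off = va_to_file_offset(pe, va)
        found = bytes(out[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"unexpected bytes at {va:#x}: {found.hex()} (wanted {expected.hex()})")
        new = invert_jcc(out, off)
        out[off:off + len(new)] = new
    return bytes(out)


def build_sample_pe() -> bytes:
    """Constructed stand-in for tweakjr.exe (an assumption, not the real file):
    one .text section mapped at RVA 0x1000 but stored at file offset 0x400, so
    VA - image base is NOT the file offset and the section table matters."""
    text_rva, text_raw, text_size = 0x1000, 0x400, 0xD000
    text = bytearray(text_size)
    for va, opcode in ((0x40D41E, bytes.fromhex("0F8529010000")),   # jne 0040D54D
                       (0x404187, bytes.fromhex("7551"))):          # jne 004041DA
        off = va - IMAGE_BASE - text_rva
        text[off:off + len(opcode)] = opcode
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)           # ImageBase
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", text_size, text_rva, text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(text_raw, b"\0") + bytes(text)


if __name__ == "__main__":
    pe = build_sample_pe()
    patched = flip_jumps(pe, [(0x40D41E, b"\x0f\x85"), (0x404187, b"\x75")])
    for va in (0x40D41E, 0x404187):
        off = va_to_file_offset(pe, va)
        print(f"VA {va:#x} -> file offset {off:#x}: {pe[off:off + 2].hex()} -> {patched[off:off + 2].hex()}")
```

Run it directly to see the mapping. The verify-then-write step is the same idea as the Pcom script's "=85" / "=75" lines before the "'84" / "'74" writes; the tutorial's $D41F and $4187 equal VA minus the 0x400000 image base, which is correct only because in the author's copy the .text section's raw file offset equals its RVA.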
--- Ending ---
Well, that's that. I hope you could follow it all. For any comments, or if there's anything that I didn't explain too well, don't hesitate to mail me at: tBS@iquebec.com
Greetingz to: tKC, Northpole, Styx2000, WaVeR`, DyNoBrEmO, Ivanopulo, rEd, schUmU, DaVinci, Nitallica, LagPRO, Socko, Fli7e, DnNuke, TDVFR, MonoMeow.