StartClean 1.2 Crack
Serial Crack by DR Farohar 02/12/99
A nice prog to learn from... After loads of failures on other progs, this is the second program cracked in a day. I'm not really proud though, because both were really easy... but they might help other newbies to learn, and since I'm a fast learner, if I stick to it you will soon get some tuts for the mediocre crackers out there ;)
Faro
Target group:
Newbies.
Prerequisites:
- Basic knowledge of SoftIce
- Either basic knowledge of cracking or tutorials by myself written before this one.
Tools used:
- SoftIce (demo version available at http://www.numega.com; check out the various tutorials on cracking SoftIce, but this program is worth paying for!!!)
- Start Clean V1.2 by Firas El-Hasan as the actual target (available at ???, search for it)
- your brain (well not much though :)
Crack:
Well, I'm sitting here in my room, freezing to death because Great Britain still has not heard of using heaters in the winter, having finished another (really easy) crack. It is a nice one for newbies (again), with a lot more to learn from than Gold Wave. I finally got some fags from a friend I just met, so I'm feeling better. Remember: if you don't smoke, don't start; rather drink a nice vodka martini once in a while (+ORC would say "Only real Russian vodka will do!" and I go even further and say "Only Moskovskaja will do!" It's a really great vodka, try it pure... not a good thing to do, though, when you want to reverse something). You could also try "Stroh 80", which is a fucking strong rum, but you'd better really not think about reversing if you do. A good rum if you need to get pissed because your crack does not work (or for even worse things). OK, let's go!
OK, when we start the program it tells us that if we want to use it for more than 30 days we have to register it. Because we (I) don't intend to use it for longer than 30 days I won't register it, but I would certainly like anybody who actually DOES use it longer than 30 days to do so. Some of you out there are programmers yourselves and know how much work (and love :) someone has to put into their work. Anyway, we click on Register and type our name and some serial. After we press Enter, the program tells us that this is not the registration code it expected (if it said you entered the right code then you are a lucky bastard, but you won't learn how to crack this little program ;). All right, leave the program and run QuickView on it. The first thing we see in the Import Table is "lstrcmp", har har. OK, let's try that.
Prepare the program (enter a name and some code into the registration form) and fire up SoftIce. Set a bpx on lstrcmp and Ctrl+D back out. Hit Enter and you'll find yourself straight back in SoftIce. Press F11 (return to the caller) and you will land right here:
    004011E9  85C0          test eax,eax      ; test whether the strings match
    004011EB  0F8580000000  jnz  00401271     ; the "good cracker" does not jump
That looks like the classic sequence, and it is. We can either change the jnz into a jz (fine if you want to hex-patch the program so others get registered as well, which we don't do, because then we would be lamers) or flip the zero flag so the jump is not taken. Either way, when we Ctrl+D out of SoftIce the program does not tell us that we are registered, but we are (remark: I did NOT say it told us we are unregistered, right?).

But that was too easy, and since we want to learn a bit more about the program we don't want to stay registered yet. So we delete the program and unzip it again. When we run it we are still registered. That can only mean it saved the registration information either in a file (most likely an ini file in the Windows directory if there is no file in the program's own directory, though it doesn't have to be) or in the Registry. Running FileMon we find nothing interesting: the program only does a FindOpen and a FindClose on Win.ini (for whatever reason..). So let's run Registry Monitor and start the program again. Ohhhh, lookie here we go..
...\Start Clean\Configuration\Name
...\Start Clean\Configuration\Code <-- he he
Delete them (double-click the entry in RegMon to jump to it in the Registry Editor and delete it from there, of course..). Now let's try another approach, the hmemcpy approach:
Start the (now unregistered) program again and enter all the stuff. Ctrl+D into SoftIce and set a bpx on hmemcpy. Ctrl+D back and hit Enter. SoftIce will pop up. Remember: we had two textboxes with information in them, so this first break will most likely be for the first textbox (the name). Because we already know the name we entered, we Ctrl+D back out of SoftIce and it will break on hmemcpy again, this time for the right textbox. Now we will see the following:
    004011C7  6830604000    push 00406030           ; buffer that will hold the good code (serial)
    004011CC  6830614000    push 00406130           ; buffer holding the name
    004011D1  E8AA000000    call 00401280           ; computes the good code from the name; afterwards 00406030 holds it
    004011D6  8D442418      lea  eax,[esp+18]       ; eax = address of the entered ("bad") code on the stack (lea loads the address, not the bytes)
    004011DA  83C408        add  esp,8              ; remove the two pushed arguments (caller cleans up)
    004011DD  50            push eax                ; push the "bad" code
    004011DE  6830604000    push 00406030           ; push the "good" code
    004011E3  FF1520924000  call [KERNEL!lstrcmp]   ; compare both serials
    004011E9  85C0          test eax,eax            ; test the returned value (0 = strings are equal)
    004011EB  0F8580000000  jnz  00401271           ; jump if they don't match
    ...
    00401247  6830604000    push 00406030           ; push the "good" code so it gets written to the registry
So how do we find out the above? We step through the code and after each step look at the registers that changed. When we reach lea eax,[esp+18] we step once more and do 'd eax', which shows the entered code in the data window. We can do the same with memory addresses: 'd 00406030' shows that it holds the good code. Now we can either patch the jnz again or write the serial down and type it in. I like the first better ;) (Remark: only patch the jump if, and only if, the RIGHT serial gets saved to the registry or ini file. If the entered (wrong) serial is saved, the program may read it back when started the next time and you'll still be unregistered. In those cases write the "good" serial down and enter it in the serial textbox.)
What could Firas El-Hasan have done better in this protection? Probably a lot, but the first thing that jumps out is that whenever you patch the jump, no matter what code you enter, the program writes the good serial into the registry. If he had written the entered serial to the registry instead, so that a wrong code stays wrong on the next start, cracking this program would have been quite a bit harder (even though you could still write the serial down and type it in).
Well, I almost can't use my fingers anymore because it is so cold in my room so I better stop *g*. By the way, I tried to patch the "good code to the registry write part" with:
    00401247  8B642410      mov  esp,[esp+10]       ; move "bad" code into esp
    0040124B  54            push esp                ; push "bad" code onto the stack so it can get written to the registry
which did not quite work... If you know why (and how to change that) please let me know. [add esp,10 / push esp / nop] does not work either... I'm not quite perfect in asm (yet..). (Lawyers etc., listen! Here you see that there are actually reversers who try to improve the code of programs. If I had been successful I would have enhanced Firas El-Hasan's protection... well, maybe I'll succeed another time ;)
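To make the point about the registry write concrete, here is an added example (not code from the tutorial and not Start Clean's own code) that models the flow the listings show: compute the good code from the name, lstrcmp it against what was typed, and persist something on success. The weak variant persists the computed good code, as the push 00406030 at 00401247 does; the hardened variant persists what the user typed, and the startup check recomputes and compares. A cracker who only flips the jnz ends up permanently registered under the weak variant and back to unregistered after a restart under the hardened one. The serial algorithm compute_good_code is a placeholder assumption, since the routine at 00401280 is not shown in the tutorial, and the registry is simulated by a struct.

```c
/* Added example: model of the Start Clean check with the weak persistence
 * beside a hardened one. Compiles with any C99 compiler. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CODE_LEN 16

/* ASSUMPTION: stands in for the routine at 00401280, whose real algorithm
 * the tutorial does not show. Any deterministic name -> code function works. */
static void compute_good_code(const char *name, char out[CODE_LEN]) {
    unsigned h = 5381;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        h = h * 33 + *p;
    snprintf(out, CODE_LEN, "SC-%08X", h);
}

/* Simulated ...\Start Clean\Configuration\Name and \Code values. */
struct registry { char name[64]; char code[CODE_LEN]; bool present; };

/* The "classic sequence": lstrcmp(good, entered); test eax,eax; jnz -> fail.
 * branch_patched models a cracker flipping the jnz or the zero flag. */
static bool check_serial(const char *name, const char *entered, bool branch_patched) {
    char good[CODE_LEN];
    compute_good_code(name, good);
    bool match = strcmp(good, entered) == 0;   /* strcmp in place of lstrcmp */
    return match || branch_patched;
}

/* Weak variant (what the push 00406030 at 00401247 leads to): on "success"
 * the GOOD code is written, regardless of what was typed. */
static void register_weak(struct registry *reg, const char *name,
                          const char *entered, bool patched) {
    if (!check_serial(name, entered, patched)) return;
    char good[CODE_LEN];
    compute_good_code(name, good);
    snprintf(reg->name, sizeof reg->name, "%s", name);
    memcpy(reg->code, good, CODE_LEN);
    reg->present = true;
}

/* Hardened variant: persist exactly what the user typed. */
static void register_hardened(struct registry *reg, const char *name,
                              const char *entered, bool patched) {
    if (!check_serial(name, entered, patched)) return;
    snprintf(reg->name, sizeof reg->name, "%s", name);
    snprintf(reg->code, CODE_LEN, "%s", entered);
    reg->present = true;
}

/* Startup check for both variants: recompute and compare the stored code.
 * Only testing that the value exists would defeat the hardened write too. */
static bool is_registered_on_start(const struct registry *reg) {
    if (!reg->present) return false;
    return check_serial(reg->name, reg->code, false);
}

/* Scenario: wrong serial typed, jnz patched, then the program is restarted.
 * Returns whether it still believes it is registered after the restart. */
static bool survives_restart(bool hardened) {
    struct registry reg = {0};
    if (hardened) register_hardened(&reg, "DR Farohar", "12345", true);
    else          register_weak(&reg, "DR Farohar", "12345", true);
    return is_registered_on_start(&reg);
}

/* Scenario: the correct serial is typed, no patching. Must register either way. */
static bool correct_serial_works(bool hardened) {
    struct registry reg = {0};
    char good[CODE_LEN];
    compute_good_code("DR Farohar", good);
    if (hardened) register_hardened(&reg, "DR Farohar", good, false);
    else          register_weak(&reg, "DR Farohar", good, false);
    return is_registered_on_start(&reg);
}

int main(void) {
    printf("weak, patched jnz, after restart:     %s\n",
           survives_restart(false) ? "registered" : "unregistered");
    printf("hardened, patched jnz, after restart: %s\n",
           survives_restart(true) ? "registered" : "unregistered");
    return 0;
}
```

On the patch attempt in the listing above: mov esp,[esp+10] loads the first four bytes of whatever sits at [esp+10] into the stack pointer itself, so the following push, and every call and ret after it, operate on a garbage stack. The callee needs the address of the buffer, not its contents; lea eax,[esp+10] followed by push eax (bytes 8D 44 24 10 50, the same five bytes as the original push 00406030) would load and push that address, assuming the entered code is still at [esp+10] at 00401247 as the listing assumes. add esp,10 / push esp fails for a related reason: it leaves esp shifted by 10h for the rest of the function, so the function's own stack cleanup and return break.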
One of the next things I will try to reverse will be 'Creatures' and a CD-removal crack. I can't really do it right now because my CD is at home (not here in my dormitory but a few thousand miles away..). I already started this one but stopped when the loader patch (which was successful) was not enough to get the game running without the CD: the main exe also asked for it, in a quite different way than the loader.exe. So I believe this will be quite interesting, a mediocre-level crack...
CU, Faro
Disclaimer: The stuff on this page should be legal. If you encounter any
illegal files/info/etc. please mail us and we will remove it.
Copyright DR Farohar / Mental Surgery Crew -- © 1999, 2000. All rights reversed.