WHY PATCHING WHILE SERIAL NUMBER IS FISHY
revised : 11/9/00 6:43:01 PM

AdRegCln v2.1
A Cracking Tutorial 
by ASTAGA [D4C/C4A]



DISCLAIMER 

This reading material is not intended to violate copyrights 
and/or the law; it is for educational purposes only. I hold no 
responsibility ( by all means and in any shape whatsoever ) 
for the misuse of this material.


ABOUT THE PROGRAM 

AdRegCln is a small program that allows you to check the system registry 
for entries that seem to be incorrect. It helps you wipe some 
garbage out of your system registry.

Features available:

·	Detailed registry checking (CLSID, FILES, Interfaces, ...)
·	Search options file - knowbase.ini
·	RegEdit smart calls
·	Common file for back-ups (.REG file (REGEDIT4), safe to be 
	viewed with RegEditor http://www.nit.mk.ua/regeditr/index.html)

The search options file (knowbase.ini) allows you to select the starting 
positions for checking and the desired search options. 
RegEdit smart calls allow you to edit selected entries directly from the 
standard RegEdit.


WHERE TO DOWNLOAD

Author   	: NIT Limited
Homepage 	: http://www.nit.mk.ua/adregcln/index.html
URL		: http://www.nit.mk.ua/adregcln/adregcln.zip
Size 		: 429 KB  - as of September 12, 2000



HOW TO GET A VALID SERIAL NUMBER by using SoftIce


This program creates its own program ID based on Windows' default
user name. 
My ID looks as follows :
	AdvRegCln
	License number: 58C0-0802-1BF7 <== may differ in your PC
	Name: Pirates Order
	Country: United States
	E-Mail address: privateering@iname.com
	Comments: 

Secondly, this program is packed with UPX and I didn't unpack it 
as one normally should. So, if you follow my steps, unexpected 
results may possibly occur.
 


1.	Run ADREGCLN.EXE; in the main program click on the ENTER REG CODE
	button.
	In the registration dialog box type the information below :

	Registration Key : 73881050

    	Do not click the OK button yet


2.	Fire up SoftIce by pressing [ CTRL + D ] and create a new breakpoint
	as follows : 

	BPX HMEMCPY [enter] and
   	F5  to return to the main program

3.	Now click the OK button... you'll be returned to SoftIce.
    	Within SoftIce press F11, then press F12 several times
	until you see the following code snippet : 

	( note : If you cannot reach the snippet as I explained, 
	try to get into the main program's code by using another breakpoint.
	Do a string search by typing : 

	s 0 l ffffffff E8C4BAFDFF8B55  [enter]
	Pattern found at 0167:00XXXXXX <=== bpx this location
	: bpx 0167:00XXXXXX  [enter]
	then continue tracing the code ).

	___________________________________________________________________

	015F:0045207F  E8C4BAFDFF      CALL      0042DB48 <== break here
	015F:00452084  8B55D4          MOV       EDX,[EBP-2C] 
	015F:00452087  8B45F8          MOV       EAX,[EBP-08] ==> d edx 
	015F:0045208A  E8F51AFBFF      CALL      00403B84 
	015F:0045208F  C645F701        MOV       BYTE PTR [EBP-09],01 
	015F:00452093  33C0            XOR       EAX,EAX 
	.....
	.....
	______________________ADREGCLN!UPX0+0005107D_______________________

	Clear the previous breakpoint because you don't need it anymore :

	: BC *  [enter]

	Create a new breakpoint as follows : 

	: bpx 015F:0045207F  [enter]
	: x or F5 

	Break due to BPX #015F:0045207F  (ET=717.34 milliseconds)

	Press F10 2 times - stop at 015F:00452087 - display the EDX register :

	: d edx  [enter] ==>  your fake code appears in the Data Window
				 at virtual address 0167:00C05CD8 .

	Set a new breakpoint at the location where your fake code is being 
	copied to :

	: bpm 0167:00C05CD8  [enter]
	: x  [enter] 


4.	If nothing goes wrong you'll break at the following code snippet :

	_______________________________________________________________

	015F:00403EEB  8B1F         MOV       EBX,[EDI]  
	015F:00403EED  39D9         CMP       ECX,EBX <== BREAK HERE
	015F:00403EEF  7558         JNZ       00403F49                           
	015F:00403EF1  4A           DEC       EDX                                
	.....
	.....
	______________________ADREGCLN!UPX0+2EEB_______________________

	Break due to BPMB #0167:00C05CD8 RW DR2
	
	Did you recognize the CMP instruction at 015F:00403EED ? 
	Let's check the contents of those two registers :

	: ? ecx  [enter]
	30413437  0809579575  "0A47"  ==> possible valid reg. code
						in reverse order
	: ? ebx  [enter]
	38383337  0943207223  "8837"  ==> your fake code in reverse order

	So, where is the real code located ?
	Just display the ESI and EDI registers as follows : 

	: d esi [enter] ==>	look at the Data Window, did you see 
				74A0-0C03-160C  at virtual address  
				0167:00C05E98  ???? 

5.	Disable all currently existing breakpoint(s) :

	: bd *  [enter]
	: x or F5  to return to the registration dialog box


6.	Repeat the registration procedure, and key in  74A0-0C03-160C 
	as your registration key.
	Click the OK button ....... you're registered !


7.  	Where the hell is my registration code stored ??

	The correct registration code is stored in the registry under CLSID 
	as follows ( nice try Bro .... ) : 

	REGEDIT4
	[HKEY_CLASSES_ROOT\CLSID\{EC5811A0-00F1-11D4-9395-CE85BCDF585A}]
	[HKEY_CLASSES_ROOT\CLSID\{EC5811A0-00F1-11D4-9395-CE85BCDF585A}\InprocServer32]
	@="shell32.dll"

	[HKEY_CLASSES_ROOT\CLSID\{EC5811A0-00F1-11D4-9395-CE85BCDF585A}\Version]
	@="FFFF"


8.  How can I practise with my own reg. key ?

	-  I strongly recommend you not to do this !
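The check fished in step 4 is a plain byte-by-byte compare, so the genuine key is necessarily the other operand of that CMP and shows up in the Data Window. As an added example (not AdRegCln's code; the key and salt values are constructed), here is that weak shape next to the digest compare a developer would use so that no plaintext key is present to fish:

```python
"""Added example (not AdRegCln's code): why a plain key compare is fishable.

Models the check seen at 015F:00403EED, where the typed key and the
expected key are compared byte by byte.  The expected key must then sit
in memory as the other compare operand, which is exactly what 'd esi'
showed.  The hardened variant only ever holds a salted digest.
"""
import hashlib
import hmac

# Constructed sample values in the tutorial's shape; not real keys.
REAL_KEY = "74A0-0C03-160C"
TYPED_KEY = "73881050"
SALT = b"constructed-per-product-salt"


def weak_check(typed: str, real: str) -> tuple[bool, int]:
    """Byte-by-byte compare like the CMP ECX,EBX loop.

    Returns (matched, index of first mismatch).  Anyone breaking on the
    compare sees both operands, so 'real' is exposed by design.
    """
    for i, (a, b) in enumerate(zip(typed.encode(), real.encode())):
        if a != b:
            return False, i
    return len(typed) == len(real), min(len(typed), len(real))


def key_digest(key: str, salt: bytes) -> bytes:
    """Salted SHA-256 of a key; all a shipping build needs to embed."""
    return hashlib.sha256(salt + key.encode()).digest()


# In a real build only SALT and EXPECTED_DIGEST ship.  REAL_KEY stays in
# this file purely so the example runs stand-alone.
EXPECTED_DIGEST = key_digest(REAL_KEY, SALT)


def hardened_check(typed: str, salt: bytes, expected: bytes) -> bool:
    """Compare digests in constant time.

    Breaking here shows two digests, not the key.  Caveat: a 14-character
    key space is small enough to brute-force offline against a leaked
    digest, and a boolean result can still be patched around, as the
    tutorial's title alludes to; this removes the fishing shortcut, not
    the need for a signed licence.
    """
    return hmac.compare_digest(key_digest(typed, salt), expected)


if __name__ == "__main__":
    print(weak_check(TYPED_KEY, REAL_KEY))                  # (False, 1)
    print(hardened_check(REAL_KEY, SALT, EXPECTED_DIGEST))  # True
```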



END NOTES

   This program is sold as shareware, so you can try before you buy.
   This is convenient for you, saves expenses by dispensing with all 
   that packaging, and cuts out the middle person.  So it is cheap, 
   but it is not free.
   If you like the program, and you will, be sure to register and pay.
   To keep shareware prices low,  users must do the right thing: 
   register, pay up, and smile/grin at yourself in the mirror.

   Do not distribute a crack release based on this tutorial, because
   that makes you a LAMER!!!!!!!!
   ( tHATDUDE (PC97) defined a LAMER as the guy who sits in front of a
   personal computer, using a hex editor, ripping off other groups'
   crack releases and repacking (distro) them under his own name. 
   Adopted from the newsgroups alt.cracks, alt.crackers - February 1997 ) 

    More about LAMER(s):
	lamer /n./ [prob. originated in skateboarder slang]
	Synonym for luser, not used much by hackers but common among warez 
	d00dz, crackers, and phreakers. Oppose elite. Has the same connotations 
	of self-conscious elitism that use of luser does among hackers.
    < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >


 _ Never attribute to malice that which is adequately explained by stupidity _


ASTAGA [D4C/C4A] tute-adregclean21.zip
[EOF] October 16,2000  12:45:24 PM  Revised/Updated : Nov 09, 2000