How to crack ELDOS Advanced Disk Catalog 1.30a
With dedication for the Eldos programmers :)
+DzA kRAker/TNT

Tools:
- a debugger (I use TRW2000, because it does not alter the bpx'ed code the way SoftICE does; that matters here because of the memory checksum...)
- the awesome Regmon from System Internals
- some process patcher to make things easier (see unpacking)... I use the one by R!sc.

We start the proggie... sigh... unregistered, an ugly nag pops up with 3 buttons. Looks like a dialog box to me. Well, let's remove it fast...

Enter TRW2000 with CTRL+N and put a breakpoint on DialogBoxParamA (bpx dialogboxparama). Start adc.exe... TRW2000 pops, press F11... now you are back at the nag... press the "I agree" button, TRW2000 pops again; scroll up a little with CTRL+UP until you see something like this:

44AF14 CALL 0044AA2C
44AF19 TEST EAX,EAX
44AF1B JZ 0044AF26        ---- jumps to the nag if not registered
44AF1D MOV EAX,[005103B0]
44AF22 TEST EAX,EAX
44AF24 JZ 0044AF45

So we just NOP that jump, or make it a JNZ; the nag disappears and Advanced Disk Catalog runs perfectly... we use it a little and in about 4-5 seconds the proggie leaves without saying bye (because of the memory checksum)... or does it say bye???

Let's run the proggie again... modify that JZ again... now wait and see what happens... the proggie exits... but I hear something from my speaker... and I wonder, was that a message beep? Yes... it was.

So we just enter TRW2000 and put a breakpoint on MessageBeep (bpx messagebeep). We run the MODIFIED adc.exe again... and wait... TRW2000 breaks right before the ExitProcess routine. Press F11 to return to the caller.
Now you should see something like this:

80B824 CALL KERNEL32!GETTICKCOUNT
80B829 MOV EBX,EAX
80B82B CALL KERNEL32!GETTICKCOUNT
80B830 MOV EDX,EBX
80B832 ADD EDX,00001388         ---- 1388h = 5000 ms, the 4-5 seconds we saw
80B838 JNO 80B83F               ---- this is where we will make the loop
80B83F CMP EAX,EDX
80B841 JLE 80B92B
80B843 CALL KERNEL32!GETTICKCOUNT
80B848 MOV EBX,EAX
80B84A CALL 80B784              ---- checksum
80B851 JZ 80B92B
80B853 PUSH 01
80B855 CALL KERNEL32!MESSAGEBEEP   ---- bye, bye (very polite)
80B85A PUSH FF
80B85C CALL KERNEL32!EXITPROCESS

Heh, how stupid... the proggie uses GetTickCount to set up an interval for the checksum: it saves the tick count, adds 1388h (5000 ms) to it, polls GetTickCount until that time has passed, then runs the checksum and, if it does not match, beeps and calls ExitProcess. Well, we can kill this checksum in many ways, but the best way, I think, is to make an infinite loop (adc.exe is checksummed by an external PE file, so we don't care about it).

How do we make this loop? Well, I chose address 80B838... we replace that conditional jump (JNO) with an unconditional one (JMP) back to the instruction right before it, at address 80B832 (ADD EDX,00001388). So our new code will look like this:

80B82B CALL KERNEL32!GETTICKCOUNT
80B830 MOV EDX,EBX
80B832 ADD EDX,00001388
80B838 JMP 80B832

So the poor checksum will NEVER be executed and we can modify the exe however we want... nice. The opcodes of the jump at 80B838: EBF8 (was 7105). The displacement of a short jump is counted from the end of the 2-byte instruction, so from 80B83A back to 80B832 is -8, which is F8. Keep in mind this is a tight busy loop with no Sleep in it, so the thread running the checker will spin at full CPU for as long as the program runs.

We still have the unregistered version limitations (5 disks only in a database) and an ugly unregistered-version splash screen... now that we can modify the proggie, let's quickly fix that. Remember this?

44AF14 CALL 0044AA2C      ---- this is the magic call
44AF19 TEST EAX,EAX
44AF1B JZ 0044AF26        ---- jumps to the nag if not registered
44AF1D MOV EAX,[005103B0]

Just enter TRW2000 and breakpoint the address that is called at 44AF14... bpx 44AA2C.
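As an added example (my code, not the tutorial's and not anything from EldoS), here is a small Python script that does the patch arithmetic for the two jumps above the way a loader would before writing to the process: it decodes the short jump it finds, refuses to patch if the bytes are not the ones expected, encodes the JNO-to-JMP loop at 80B838 and flips the JZ at 44AF1B into a JNZ. It works on constructed byte buffers standing in for process memory; only the 7105 / EBF8 bytes come from the tutorial, the other encodings (8BD3, 81C288130000, 3BC2, 85C0, 7409, A1B0035100) are the standard x86 encodings of the listed instructions and are assumed here, not read from the real binaries.

```python
# Added example: encode, check and apply the two byte patches from the tutorial
# against constructed buffers that stand in for the process memory a loader
# would patch (e.g. with WriteProcessMemory). Only 7105 / EBF8 come from the
# tutorial; the other instruction encodings are assumed.

SHORT_JCC = {  # opcode -> mnemonic for the 2-byte (rel8) jumps
    0x70: "JO", 0x71: "JNO", 0x72: "JB", 0x73: "JNB", 0x74: "JZ", 0x75: "JNZ",
    0x76: "JBE", 0x77: "JA", 0x78: "JS", 0x79: "JNS", 0x7A: "JP", 0x7B: "JNP",
    0x7C: "JL", 0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG", 0xEB: "JMP",
}

# Constructed stand-in for 80B830..80B840 of the external checker module:
# MOV EDX,EBX / ADD EDX,1388h / JNO +5 / CMP EAX,EDX
CHECK_BASE = 0x80B830
CHECK_BYTES = bytes.fromhex("8BD3" "81C288130000" "7105" "3BC2")

# Constructed stand-in for 44AF19..44AF21 of adc.exe:
# TEST EAX,EAX / JZ +9 / MOV EAX,[005103B0]
ADC_BASE = 0x44AF19
ADC_BYTES = bytes.fromhex("85C0" "7409" "A1B0035100")


def short_jump_target(va, code):
    """Decode the 2-byte jump at virtual address `va`: returns (mnemonic, target)."""
    op, rel = code[0], code[1]
    if op not in SHORT_JCC:
        raise ValueError(f"{va:08X}: {code.hex()} is not a short jump")
    if rel >= 0x80:              # rel8 is signed: F8 means -8
        rel -= 0x100
    return SHORT_JCC[op], va + 2 + rel   # displacement counts from the next instruction


def encode_short_jmp(va, target):
    """EB xx: unconditional short jump from `va` to `target`."""
    rel = target - (va + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target not reachable with a 2-byte JMP")
    return bytes([0xEB, rel & 0xFF])


def invert_jcc(code):
    """Flip a short Jcc to the opposite condition (JZ 74 <-> JNZ 75, JNO 71 <-> JO 70)."""
    if not 0x70 <= code[0] <= 0x7F:
        raise ValueError(f"{code.hex()} is not a short Jcc")
    return bytes([code[0] ^ 1, code[1]])   # opposite conditions differ in the low bit


class Image:
    """A byte buffer with a load address, so patches are written with the
    virtual addresses the debugger shows rather than with buffer offsets."""

    def __init__(self, base, data):
        self.base, self.data = base, bytearray(data)

    def read(self, va, n):
        off = va - self.base
        if not 0 <= off <= len(self.data) - n:
            raise ValueError(f"{va:08X} is outside the image")
        return bytes(self.data[off:off + n])

    def write(self, va, new, expect):
        """Patch only if the bytes currently there are the ones we expect:
        a different build, or an already patched copy, must not be clobbered."""
        if len(new) != len(expect):
            raise ValueError("a patch must keep the instruction length")
        cur = self.read(va, len(expect))
        if cur != expect:
            raise ValueError(f"{va:08X}: found {cur.hex()}, expected {expect.hex()}")
        off = va - self.base
        self.data[off:off + len(new)] = new


def patch_all():
    """Apply both patches from the tutorial; returns the patched buffers as hex."""
    check = Image(CHECK_BASE, CHECK_BYTES)
    adc = Image(ADC_BASE, ADC_BYTES)

    # 1) 80B838: JNO 80B83F -> JMP 80B832, so the timer loop never reaches the checksum
    assert short_jump_target(0x80B838, check.read(0x80B838, 2)) == ("JNO", 0x80B83F)
    check.write(0x80B838, encode_short_jmp(0x80B838, 0x80B832), expect=b"\x71\x05")

    # 2) 44AF1B: JZ 0044AF26 -> JNZ 0044AF26, so the unregistered path is skipped
    assert short_jump_target(0x44AF1B, adc.read(0x44AF1B, 2)) == ("JZ", 0x44AF26)
    adc.write(0x44AF1B, invert_jcc(adc.read(0x44AF1B, 2)), expect=b"\x74\x09")

    return {"check": check.data.hex(), "adc": adc.data.hex()}


if __name__ == "__main__":
    for name, hexbytes in patch_all().items():
        print(name, hexbytes)
```

The expect-before-write check is the part worth copying into a real loader: a patch applied at a virtual address in a different build of the target lands on unrelated bytes and silently corrupts code, and a loader that blindly writes EBF8 every time also breaks if the file was already patched on disk.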
Now run adc.exe again... TRW2000 pops... press F11... you should land where adc.exe decides whether to show us the nag or not... we patched that already, so exit TRW2000 and let adc.exe run... TRW2000 pops a second time, press F11... you will be in adc.exe again, at another address which calls 0044AA2C, followed by another TEST EAX,EAX / JZ XXXXXXXX that checks if we are registered or not... if we make that JZ a JNZ, the proggie shows us the "right" splash screen and the 5-disk limit is gone.

Now... can we say that our target is fully cracked? Nope, it isn't... there is ANOTHER check: make a 6-volume database and save it. Now try to open it... oops... adc.exe gives an error saying it cannot open our saved file (error code 0)... yeah, right... this is surely a dirty trick.

OMG... let's start to trace again. Run adc.exe, then run Regmon from System Internals (or another Windowze registry monitoring tool)... with Regmon active, try to open your saved database (the one with 6 disks or more)... the error message will pop. Let's see what Regmon got... and groovy!... adc.exe looks for the key HKEY_LOCAL_MACHINE\SOFTWARE\Elcom\Advanced Disk Catalog\Registration\code. So the file loader does its own registration check instead of trusting the one we already patched.

Right before opening your saved database, put a bpx regqueryvalueexa. Press Open; TRW2000 will pop; press F12 until you are in adc.exe. Well, if I were to explain what to do next, maybe I would finish this tute in 2-3 years... just do like I did: see what every jump does (there are not so many). If this pisses you off, take my loader... but remember that cracking needs patience.

Advanced Disk Catalog is down!

dzakraker@yahoo.com

Greetingz: UMBRA, Xasx, SiR dREAm, _Blade_, Catalin, Stefan, Aldea, Alg... and you!