              How to crack ELDOS Advanced Disk Catalog 1.30a
                  





           With dedication for thE Eldos programmers:)                                            
           +DzA kRAker/TNT

       Tools:

- debugger (I use TRW2000,coz it will not change the bpxed code  like softice does,this is bcoz of the memory checksum...)
- The awesome regmon from System Internals
- Some process patcher to make things easyer (see unpacking)...i use the one by R!sc.

       We start the proggie...sigh..unregistered,a ugly nag pops,with 3 buttons.
Looks like a dialog box to me.Well,let's remove it fast...
       Enter TRW2000 with CTRL+N , put a brekpoint on dialogboxparama (bpx dialogboxparama).Start adc.exe...TRW 2000 pops press f11
...now u are back to the nag ...press "I agree" button , TRW 2000 pops again,
,scrool up a little with ctrl+up until u see something like this:
       44AF14 CALL 0044AA2C
       44AF19 TEST EAX,EAX
       44AF1B JZ   0044AF26----jumps to the nag if not registered
       44AF1D MOV  EAX,[005103B0]
       44AF22 TEST EAX,EAX
       44AF24 JZ   0044AF45
       So we just nop that jump,or make it a jnz ,the nag dissapears,and Adiskcatalog runs perfectly...we try to use it a little and in about 4-5
seconds the proggie leaves without sayng bye(bcoz of the the memory checksum)...or it does say bye???
Let's run the proggie again....modify that jz again ...now wait and
see what happens...the proggie exits ...but i hear something
from my speaker...and i wonder,was that a message beep?Yes...it was..
       So we just enter TRW 2000 and put a breakpoint on  messagebeep (bpx messagebeep)
       We run MODIFYED adc.exe again...and wait...TRW 2000 breaks right
before the exit process routine.Press f11 to return to the caller.
Now u should see something like this:
       80B82B CALL KERNEL32!GETTICKCOUNT
       80B830 MOV  EDX,EBX
       80B832 ADD  EDX,00001388
       80B838 JNO  80B83F      -----this is were we will make the loop
       80B824 CALL KERNEL32!GETTICKCOUNT
       80B829 MOV  EBX,EAX
       80B82B CALL KERNEL32!GETTICKCOUNT
       80B83F CMP  EAX,EDX
       80B841 JLE  80B92B
       80B843 CALL KERNEL32!GETTICKCOUNT
       80B848 MOV  EBX,EAX
       80B84A CALL 80B784-------checksum
       80B851 JZ   80B92B
       80B853 PUSH 01
       80B855 CALL KERNEL32!MESSAGEBEEP--bye,bye (very polite)
       80B85A PUSH FF
       80B85C CALL KERNEL32!EXITPROCESS
       Heh,how stupid..the proggie uses gettickcount to establish a interval for the checksum.Well we can kill this checksum in many ways,but the best way i think it's to make an infinite loop  (adc.exe is checksumed by an external pe file,so we don't care about it)
       How we will do this loop? 
       Well,i chosen adress 80B838...we will replace that conditional jump (jno)
to an unconditional one (jmp)...we will jump right before it , at adress 80b832 (add edx,00001388),
       So our new code will look like this:
       80B82B CALL KERNEL32!GETTICKCOUNT
       80B830 MOV  EDX,EBX
       80B832 ADD  EDX,00001388
       80B838 JMP  80B832  
       So the  poor checksum will NEVER be executed and we can modify the exe how do we wannt...nice. 
       The opcodes of the jump at 80B832: EBF8 (was 7105)
       We still have unregistered version limitations...(5 disks only in a database) , and an ugly unregistered version splash screen...now that we can
modify the proggie,let's quickly fix that.
       Remember this :?
       44AF14 CALL 0044AA2C---this is the magic call
       44AF19 TEST EAX,EAX
       44AF1B JZ   0044AF26----jumps to the nag if not registered
       44AF1D MOV  EAX,[005103B0]
       Just enter TRW 2000,breakpoint the adress that is called at 44AF14
...bpx 44AA2C.
       Now run adc.exe again...TRW 2000 pops...press F11...u should land
were adc.exe decides if it should show us the nag or not...we patched that
already,so exit TRW 2000, and let adc.exe run...TRW 2000 pops the second
time,press F11...u will be in adc.exe again...u should land at another adress wich will  call 0044AA2C followed by another TEST EAX,EAX JZ XXXXXXX ---checks if we are regged or not
...if we make the jz a jnz,the proggie will show us the "right" splash screen
and the 5 disks limit will be out.
       Now...we can say that our target is fully cracked?Nope,it isn't...
there is ANOTHER check...make a 6 voulmes data base,save it.
       Now try to open it...ooops...acd.exe gives an error about he cannot
open our saved file (error code 0)---yeah right...this is a surely a dirty trick.
Omg...let's start to trace again.
       Run adc.exe,then run regmon from System Internals (or another windowze
registry monitoring tool)...with regmon active try to open your saved database
(wich will be 6 disks or more)...the error message will pop.Let's see what
regmon got...and groovie!...adc.exe looks for the key  HKEY_LOCAL_MACHINE\SOFTWARE\Elcom\Advanced Disk Catalog\Registration\code.
       Right before opening your saved database,put a bpx regqueryvalueexa.
Press open,now TRW2000 will pop,press F12 until u are in adc.exe.
Well,now if i will explain what to do next,maybe i will finish this tute in
2-3 years...just do like i did:see what every jump does (There are not
so many).If this will piss u off,take my loader...but remember that cracking needs patience.

      Advanced Disk Catalog is down!

         
       
dzakraker@yahoo.com
Greetingz : UMBRA,Xasx,SiR dREAm,_Blade_,Catalin,Stefan,Aldea,Alg...and you!
             

       
       
          
                   
          String15, lNumber10);