Welcome to Cracking Tutorial #104!

Hiya guys, Well, here is another tut104.tKC... Let's rave! ...or crack babes? :)

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.55
SmartCheck v6.03
ProcDump32 v1.6.2
TRW2000 v1.22
IDA v4.04
Windows Commander v4.51 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are a few good sites where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
Bubbles Screensaver
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER
This reading material is not intended to violate Copyrights and/or the law, but is for educational purposes only. I hold no responsibility (by all means and in any shape whatsoever) for the misuse of this material.

ABOUT THE PROGRAM
This screensaver displays animated colored translucent bubbles that pop on your desktop. This screensaver is shareware that will expire after 10 days.
Date Released: 09/25/00
File Size: 812k

WHERE TO DOWNLOAD
Author   : North Star Studios
Homepage : http://www.NorthStarStudios.com
URL      : http://www.northstarstudios.com/downloads/ss/BubblesInstaller.exe
Size     : 812 KB as of October 17, 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Open your Display Properties (in the Control Panel or the HighRes icon in the tray bar). Choose "BUBBLES" as your screen saver, click the SETTINGS button, then you'll see the program's opening window. Click on the key icon, and in the registration dialog box type the information below:

   User Name     : Pirates Order
   Serial Number : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [CTRL + D], put a new breakpoint on HMEMCPY:

   BPX HMEMCPY [enter]

   and F5 to return to the main program.

3. Click the OK button... you'll return back into SoftIce. Within SoftIce press F11, F5, F11, then press F12 several times until you land at:

_____________________________________________________________
015F:0048F7A0  E84FFEFAFF  CALL 0043F5F4
015F:0048F7A5  8B45F8      MOV  EAX,[EBP-08]
015F:0048F7A8  5A          POP  EDX
015F:0048F7A9  E8DE020000  CALL 0048FA8C
015F:0048F7AE  84C0        TEST AL,AL
...
...
______________________BUBBLES!CODE+0008E798_____________________

   Disable the previous breakpoint, and set a new one as follows:

   bd * [enter]
   bpx 015F:0048F7A0 [enter]

4. Press F10 3 times and stop at 015F:0048F7A9, dump/display the EDX register by typing:

   D EDX [enter]

   Your fake code appears in the Data Window at the virtual address 0167:00C33280. Disable the previous breakpoint (BD * or BD 00), and create a new breakpoint as follows:

   bpr 0167:00C33280 0167:00C33280+10 RW [enter]

   Press F5 or X to let SoftIce break at this location.

5. If nothing goes wrong, soon you'll break and face the snippet below:

______________________________________________________________
015F:00403F67  7426  JZ  00403F8F       <== you land here
015F:00403F69  8B0E  MOV ECX,[ESI]
015F:00403F6B  8B1F  MOV EBX,[EDI]
015F:00403F6D  39D9  CMP ECX,EBX        <== D EDI or ESI
015F:00403F6F  7558  JNZ 00403FC9
________________________BUBBLES!CODE+2F67______________________

   Press F10 2 times and stop at 015F:00403F6D, ouchhh.. it's a CMP instruction. Let's display the contents of those two registers. In the command line type these:

   ? ecx [enter]
   SoftIce will respond:  38383337  0943207223  "8837"   <== fake S/N in reverse order (the first four bytes of the string, read as one little-endian dword)
   ? ebx [enter]
   SoftIce will respond:  31433231  0826487345  "1C21"   <== hmmm.. what the heck is this, also in reverse order?

   Up to this step you may ask what and where your complete serial number is... wasn't that just the first four digits? Okay, don't panic... all you have to do is this:

   D EDI [enter]
   Look at the Data Window - at virtual address 0167:00C3A2B8 - did you see 12C1097F?
   D ESI [enter]
   Look at the Data Window - at virtual address 0167:00C33280 - hehe... it's your fake 73881050.

6. Now, you can guess that 12C1097F is your potential valid serial number. Do you remember the CMP ECX,EBX instruction described in the paragraph above? Disable all breakpoints, press F5 to return to the main program.

7. Repeat the registration procedure. Key in 12C1097F as your serial number, then click the OK button. The classic "thank you for registering" pops up on your screen. Hell... you're registered now, but it's ILLEGAL!

8. Where the hell is my registration info stored??
   - The correct registration code is stored in the registry as follows:

9. How can I practise with another registration key?
   - I strongly recommend you not to do this!

END NOTES
This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!
(tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack releases, repacking (distro) them under his name. Adopted from the newsgroups alt.cracks, alt.crackers - February 1997)

More about LAMER(s):

lamer /n./ [prob.
originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-bubblescrsvr.zip [EOF] 10/17/00 1:13:15 PM


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
CoolZip v2.0
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM
CoolZip is a file compression/decompression utility. Its purpose is to create/extract archives. If you have ever downloaded files from the internet, you know the most commonly used compression format is zip. CoolZip can create and extract zip files (among many others) in a very easy to use, intuitive interface.

What's so cool about it?
- Coolzip supports many compression and encoding formats like zip, cab, rar, lha, ace, jar, uue, xxe and many more.
- Password support
- Office2000 interface
- Full intelligent drag and drop support
- Can read and write self-extracting zip files (compressed .exe files)
- Integrates with the Windows 95/98/NT/2000 shell (context menu)
- Has an advanced drag and drop interface
- Can use different icons for each associated file type. You can even use your own icons.
- Supports disk spanning
- Is extremely easy to use
- Runs without the need for external programs

WHERE TO DOWNLOAD
Author   : Innersky Software
Homepage : http://www.innersky.com/coolzip
URL      : http://www.innersky.com/download.php?file=coolzip
Size     : KB as of ,2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run CLEANREG.EXE, click the OPTIONS/ENTER REG CODE submenu, and in the registration dialog box type the information below:

   Name : Chavit 'Jueteng' Singson
   Code : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [CTRL + D], set a breakpoint as follows:

   BPX hmemcpy [enter]

   and F5 to return to the main program.

3. Now it's time to click the OK button... you'll return back into SoftIce! Within SoftIce press F11, F5, F11, then F12 11 times until you break at:

______________________________________________________________
015F:004E98B1  E83E90F4FF  CALL 004328F4      <=== break here
015F:004E98B6  8B55F4      MOV  EDX,[EBP-0C]
015F:004E98B9  58          POP  EAX           <=== D EDX here
015F:004E98BA  E8BDA7F1FF  CALL 0040407C      <=== D EAX here
015F:004E98BF  740F        JZ   004E98D0
___________________COOLZIP!CODE+000E88B1______________________

   Now, clear/disable the previous breakpoint by typing:

   bc 00 [enter]

   Create a new breakpoint by typing:

   bpx 015F:004E98B1 [enter]

5. Press F10 2 times and display the EDX register:

   d edx [enter]  ==> your fake code appears in the Data Window

   Press F10 once and display the EAX register:

   d eax [enter]

   Look at the Data Window, did you see the unique string 58F80E001AF905401E0BEF3AC252AB76E466D62FF123FD080F at the virtual address 0167:00D0F258?? Doesn't it look like a registration code? Just write it down!

6. Disable all breakpoints by typing BC * [enter]. Press F5 or X to return to the main program.

8. Repeat the registration procedure, key in the above possible registration code and click the OK button. The classic message "CoolZip was registered correctly..." pops up on your screen; click OK to restart the application. Simply, YOU'RE REGISTERED now... as a matter of fact it's an ILLEGAL REGISTRATION!

ASTAGA [D4C/C4A]
tute-CoolZip20.zip [EOF] 10/29/00 5:49:01 PM


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
KeyPack 2000 v1.5
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM
KeyPack 2000 is a special utility designed to manage and keep track of all kinds of passwords, including web site access codes, software serial numbers and other secret numbers you may have. Using its easy to use interface you can quickly and safely store, edit, search, create backups, print, or generate new passwords.

WHERE TO DOWNLOAD
Author   : Magellass Corp
Homepage : http://www.magellass.com
URL      : http://www.magellass.com/kp2000.zip
Size     : 706 KB - as of August 8, 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

This is the last in my series of Magellass program crack tutorials. In fact, by reading my earlier tutorials (InternetTweak, MemMonster and DesktopCycler) you can easily find the correct reg. code because the protection remains the same. Before you continue I remind you again that this program is possibly packed and developed with anti-debugging tricks, so be prepared to face unexpected occurrences.

LASTLY, I personally express my sincere salutation to the Author at Magellass Corp. You guys... Indonesian and Bandung people have done a great job since you released Win Boost in mid 1997. You never gave up fighting against the crackers all over the Net. KANG DANI IS GREAT, ISN'T HE.... EH??? Nice play with your CLSID.... Well, I wouldn't know.

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run KP2000.EXE, in the opening nag screen click the REGISTER button; in the registration dialog box type the information below:

   User Name : DANI TEA HEBAT EUY
   Key       : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [CTRL + D], create a new breakpoint as follows:

   BPX HMEMCPY [enter]

   and F5 to return to the main program.

3. Now click the OK button... you'll return back into SoftIce. Within SoftIce press F11, F5, and F11 once again. Press F12 several times until you reach the main program's code as follows:

_________________________________________________________________
015F:0048FEF9  E80ECDF9FF  CALL 0042CC0C
015F:0048FEFE  8B55F4      MOV  EDX,[EBP-0C]     <== break here
015F:0048FF01  B8C8AD4900  MOV  EAX,0049ADC8     <== d EDX
015F:0048FF06  E8DD3BF7FF  CALL 00403AE8
015F:0048FF0B  33C0        XOR  EAX,EAX
015F:0048FF0D  5A          POP  EDX
015F:0048FF0E  59          POP  ECX
015F:0048FF0F  59          POP  ECX
015F:0048FF10  648910      MOV  FS:[EAX],EDX
015F:0048FF13  6893014900  PUSH 00490193
015F:0048FF18  8B45FC      MOV  EAX,[EBP-04]
015F:0048FF1B  E8BCFEFFFF  CALL 0048FDDC
015F:0048FF20  A1C0AD4900  MOV  EAX,[0049ADC0]   <== d EDX
015F:0048FF25  F7D8        NEG  EAX
......
......
______________________KP2000!CODE+0008EEF9_______________________

   Disable the previous breakpoint and create a new one as follows:

   BC * [enter]
   BPX #015F:0048FEF9 [enter]

   Press F10 once and display the EDX register:

   d edx [enter]  ==> your fake code appears in the Data Window

   Press F10 again and stop at 015F:0048FF20, and display the EDX register:

   d edx [enter]  ==> your name and fake code (at a different virtual address) appear in the Data Window.

   Create a new breakpoint as follows:

   bpm 0167:00C833C8 [enter]

4. Press X or F5, you'll break at the snippet below:

______________________________________________________________
17D7:0929  26800F00  OR   BYTE PTR ES:[BX],00
17D7:092D  C3        RET
17D7:092E  0BC0      OR   AX,AX
17D7:0930  7502      JNZ  0934
17D7:0932  E30E      JCXZ 0942
...
...
___________________________ USER(03)__________________________
:Break due to BPMB #0167:00C833C8 RW DR3

   I know this is not the location where we want to break... right? Let's press F5 again (2 times) until you break at:

015F:00403E49  8B0E  MOV ECX,[ESI]
015F:00403E4B  8B1F  MOV EBX,[EDI]   <== break here
015F:00403E4D  39D9  CMP ECX,EBX
015F:00403E4F  7558  JNZ 00403EA9
.....
.....
_______________________ KP2000!CODE+2E49 ______________________

   Did you see an interesting CMP instruction at 015F:00403E4D? Press F10 once, then let's check the contents of those registers:

   ? ecx [enter]
   SoftIce will respond:  38383337  0943207223  "8837"   <== your fake code in reverse order
   ? ebx [enter]
   SoftIce will respond:  43364841  1127630913  "C6HA"   <== potential real code in reverse order

   So, where the heck is your valid registration code then.... Don't panic, just do the following steps:

   d esi [enter]  ==> yeah, fake code at 0167:00C833C8
   d edi [enter]  ==> look at the Data Window, did you see AH6C8-N256-YA66-5M5F at the virtual address 0167:00C60138???? WRITE IT DOWN!

   Observe further several lines below your potential reg code; whether you scroll down or up there will be a lot of interesting strings which are also suspiciously like valid reg. codes. I'll show you what I got from the Data Window (this is only a part of them):

0167:00C60138 41 48 ............ 36 36 2D  AH6C8-N256-YA66-
0167:00C60148 35 4D ............ 00 00 00  5M5F....&.......
0167:00C60158 14 00 ............ 36 2D 41  ....7VAS4-LC76-A
0167:00C60168 4D 35 ............ 00 00 00  M52-3SAB.86c&...
0167:00C60178 01 00 ............ 2D 4A 35  ........7D9ZC-J5
0167:00C60188 32 32 ............ 38 37 34  22-RM73-6H9H.874
0167:00C60198 16 00 ............ 43 41 4C  .....G......6CAL
0167:00C601A8 14 00 ............ 00 00 00  ....&...........
0167:00C601B8 34 5A ............ 38 33 2D  4ZAF6-P265-AL83-
0167:00C601C8 32 5A ............ 00 00 00  2Z7P.874........
0167:00C601D8 14 00 ............ 33 2D 4C  ....2EAF3-BA63-L
0167:00C601E8 44 32 ............ 2D 55 36  D23-5J5E.Q9X5-U6
0167:00C601F8 2C 00 ............ 00 00 00  ,...&...........
0167:00C60208 34 4C ............ 36 34 2D  4L2P7-H327-LX64-
...
...

5. Disable the currently existing breakpoint, press F5 to return to the registration dialog box.

   bd * [enter]

   Press F5 to return to the registration dialog box.

6. Re-type your user name and key in AH6C8-N256-YA66-5M5F as your registration code. Ouch... "KeyPack 2000 has been registered successfully" appears on your screen.

   Note: In actual practice I am using 2BAK8-H338-QU66-3X6U, which I found several lines above the virtual address 0167:00C60138, as my registration code. I suggest you write down all the suspicious registration codes you find around 0167:00C60138 to avoid the Author's temporary reg. code.

7. Where the hell is my registration code stored?? Hahaha gotcha!.... however hard you try using WXIR/WXIO and REGMON... you'll never find it anywhere on your hard disk. Read my preface above... if you have enough time try searching for the suspected \CLSID\{C03F02C5-F728-11D1-87D5-13494070a7c98}. Nice try, Kang Dani the handsome one.... again and again. Besides, once you're registered you're registered forever; one strange occurrence is that if you manually edit the registry key and value "RegisteredOwner" to your own desired name..... the prog is still registered!

REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Magellass\KeyPack 2000]
"RegisteredOwner"="DANI TEA HEBAT EUY"

   The registry entry below... IT IS JUST COSMETIC!

[HKEY_LOCAL_MACHINE\Software\Magellass\KeyPack 2000\1.50]
"Name"=""
"Company"=""

9. How can I practise with my own user name?
   - I strongly recommend you not to do this!

ASTAGA [D4C/C4A]
tute-keypack2000.zip [EOF] 10/29/00 1:57:46 PM


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
Spirals Screensaver
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM
This screensaver can definitely make you dizzy! Overlapping spirals spin and change color. This screensaver is shareware that will expire after 10 days.

WHERE TO DOWNLOAD
Author   : North Star Studios
Homepage : http://www.NorthStarStudios.com
URL      : http://www.northstarstudios.com/downloads/ss/SpiralsInstaller.exe
Size     : 826 KB as of October 17, 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Open your Display Properties (in the Control Panel or the HighRes icon in the tray bar). Choose "SPIRAL" as your screen saver, click the SETTINGS button, then you'll see the program's opening window. Click on the key icon, and in the registration dialog box type the information below:

   User Name     : Pirates Order
   Serial Number : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [CTRL + D], put a new breakpoint on HMEMCPY:

   BPX HMEMCPY [enter]

   and F5 to return to the main program.

3. Click the OK button... you'll return back into SoftIce. Within SoftIce press F11, F5, F11, then press F12 several times until you land at:

_____________________________________________________________
015F:0048F7A0  E84FFEFAFF  CALL 0043F5F4
015F:0048F7A5  8B45F8      MOV  EAX,[EBP-08]
015F:0048F7A8  5A          POP  EDX
015F:0048F7A9  E8DE020000  CALL 0048FA8C
015F:0048F7AE  84C0        TEST AL,AL
...
...
______________________SPIRALS!CODE+0008E79______________________

   Disable the previous breakpoint, and set a new one as follows:

   bd * [enter]
   bpx 015F:0048F7A0 [enter]

4. Press F10 3 times and stop at 015F:0048F7A9, dump/display the EDX register by typing:

   D EDX [enter]

   Your fake code appears in the Data Window at the virtual address 0167:00C35BF8. Disable the previous breakpoint (BD * or BD 00), and create a new breakpoint as follows:

   bpr 0167:00C35BF8 0167:00C35BF8+10 RW [enter]

   Press F5 or X to let SoftIce break at this location.

5. If nothing goes wrong, soon you'll break and face the snippet below:

______________________________________________________________
015F:00403F69  8B0E  MOV ECX,[ESI]   <== you land here
015F:00403F6B  8B1F  MOV EBX,[EDI]
015F:00403F6D  39D9  CMP ECX,EBX     <== D EDI or ESI
015F:00403F6F  7558  JNZ 00403FC9
________________________SPIRALS!CODE+2F67______________________

   Press F10 2 times and stop at 015F:00403F6D, ouchhh.. it's a CMP instruction. Let's display the contents of those two registers. In the command line type these:

   ? ecx [enter]
   SoftIce will respond:  38383337  0943207223  "8837"   <== fake S/N in reverse order
   ? ebx [enter]
   SoftIce will respond:  46444633  1178879539  "FDF3"   <== hmmm.. what the heck is this, also in reverse order?

   Up to this step you may ask what and where your complete serial number is... wasn't that just the first four digits? Okay, don't panic... all you have to do is this:

   D EDI [enter]
   Look at the Data Window - at virtual address 0167:00C3A17C - did you see 3FDFCC9F?
   D ESI [enter]
   Look at the Data Window - at virtual address 0167:00C35BF8 - hehe.... it's your fake 73881050.

6. Now, you can guess that 3FDFCC9F is your potential valid serial number. Do you remember the CMP ECX,EBX instruction described in the paragraph above? Disable all breakpoints, press F5 to return to the main program.

7. Repeat the registration procedure. Key in 3FDFCC9F as your serial number, then click the OK button. The classic "thank you for registering" pops up on your screen. Hell... you're registered now, but it's ILLEGAL!

8. Where the hell is my registration info stored??
   - The correct registration code is stored in the registry as follows:

9. How can I practise with another registration key?
   - I strongly recommend you not to do this!

ASTAGA [D4C/C4A]
tute-spiralscrsvr.zip [EOF] 10/17/00 1:13:15 PM


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
WinBoost 2001 Standard Edition
A Cracking Tutorial by ASTAGA [D4C/C4A]
ABOUT THE PROGRAM
WINBOOST 2001
Expose all mysteries and reveal all secrets of Windows ME/98/95! WinBoost is a special utility to configure and personalize the look and feel of Windows ME/9X (98/98SE/95). Using an easy to use graphical user interface you can configure hundreds of hidden Windows ME/9X settings, from the Start Menu, Desktop, Accessories and Windows Explorer to Internet Explorer. This is something that you cannot do through regular operation. In addition, you will get hundreds of selected Windows ME/9X Tips & Tricks to boost your Windows performance.

WHERE TO DOWNLOAD
Author   : Magellass Corp
Homepage : http://www.magellass.com
URL      : http://www.winboost.com/wb2001s.zip
           http://www.simtel.net/pub/simtelnet/win95/winme/wb2001s.zip
Size     : 1.3 MB - as of October 23, 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

This is the last in my series of Magellass program crack tutorials. In fact, by reading my earlier tutorials (InternetTweak, MemMonster, KeyPack and DesktopCycler) you can easily find the correct reg. code because the protection remains the same, or at least similar. Before you continue I remind you again that this program is possibly packed and developed with anti-debugging tricks, so be prepared to face unexpected occurrences.

LASTLY, I personally express my sincere salutation to the Authors at Magellass Corporation: Dani Okianto, Diki Septanto, Sandi Yulianto and Irma Aryani - the "Bandung kids" - the "meatballs master" - the "fried chips master" - you guys have done a great job since you released WinBoost in mid 1998. You never gave up fighting against the crackers all over the Net. Keep up da GOOD WORK. KANG DANI IS GREAT, ISN'T HE.... EH??? Nice try with your CLSID.... even hidden away it still got found, eh... forgive me. However, the secret that you keep has been revealed.

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run WB2K1S.EXE, in the opening nag screen click the REGISTER button; in the registration dialog box type the information below:

   User Name : Pirates Order
   Key       : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [CTRL + D], create a new breakpoint as follows:

   BPX HMEMCPY [enter]

   and F5 to return to the main program.

3. Now click the OK button... you'll return back into SoftIce. Within SoftIce press F11, F5, and F11 once again. Press F12 several times until you reach the main program's code as follows:

_________________________________________________________________
015F:004BED96  E8F1F4F6FF  CALL 0042E28C        <===== break here
015F:004BED9B  8B55F8      MOV  EDX,[EBP-08]
015F:004BED9E  8B45FC      MOV  EAX,[EBP-04]    <== d edx
015F:004BEDA1  E82AFDFFFF  CALL 004BEAD0
015F:004BEDA6  8D55F0      LEA  EDX,[EBP-10]    <== ? eax
015F:004BEDA9  E85294F4FF  CALL 00408200
015F:004BEDAE  33C0        XOR  EAX,EAX         <====== ? ecx
015F:004BEDB0  5A          POP  EDX
015F:004BEDB1  59          POP  ECX
015F:004BEDB2  59          POP  ECX             <========== d ecx
015F:004BEDB3  648910      MOV  FS:[EAX],EDX
015F:004BEDB6  6894FA4B00  PUSH 004BFA94
015F:004BEDBB  8B45F4      MOV  EAX,[EBP-0C]
015F:004BEDBE  8B55F0      MOV  EDX,[EBP-10]    <== d eax
015F:004BEDC1  E8D24FF4FF  CALL 00403D98        <====== d edx
015F:004BEDC6  0F851F0100  JNZ  004BEEEB
015F:004BEDCC  8B45F0      MOV  EAX,[EBP-10]
015F:004BEDCF  BA04FB4B00  MOV  EDX,004BFB04
015F:004BEDD4  E8BF4FF4FF  CALL 00403D98
......
......
______________________WB2K1S!+000BDD90_______________________

   Disable the previous breakpoint and create a new one as follows:

   BC * [enter]
   BPX 015F:004BED96 [enter]

4. Let's trace the snippet above. Press F10 2 times - stop at 015F:004BED9E - and display the EDX register:

   d edx [enter]  ==> your name appears in the Data Window at virtual address 0167:01282654.

5. Press F10 - stop at 015F:004BEDA6 - watch the Register Window, did you see that now EAX=26380694? Check the contents of the EAX register:

   ? EAX [enter]
   SoftIce will respond:  26380694  0641205908  "&8 "   ==> pay attention.....

   The same value will be moved to the ECX register; you can check it when you're at memory address 015F:004BEDAE.

6. Press F10 - stop at 015F:004BEDB2 - display the ECX and EDX registers:

   d ecx or d edx [enter]  ==> look in the Data Window between virtual address 0167:004BFB0A up to 0167:004BFC3A... they look like serial numbers, right? But who knows whether those are bogus or blacklisted reg codes from the Author. However, write down those suspicious reg. codes! I'll show you how they look:

_____ WB2K1S!+000BEA8A____________byte__________PROT__________
0167:004BFA8A E9 3D 3A ...... 59 59 64  .=:...'...3.ZYYd
0167:004BFA9A 89 10 EB ...... 8C 79 40  ......8.......y@
0167:004BFAAA 00 AF FA ...... E8 B8 3A  ...K..E..a.....:
0167:004BFABA F4 FF 33 ...... 4B 00 8D  ..3.ZYYd..h..K..
0167:004BFACA 85 8C FE ...... FE FF FF  ......8?........
0167:004BFADA E8 2D 3F ...... E8 44 3F  .-?...E.......D?
0167:004BFAEA F4 FF C3 ...... 8B E5 5D  .....9...._^[..]
0167:004BFAFA C3 00 FF ...... 00 FF FF  ..........0.....
0167:004BFB0A FF FF 09 ...... 39 32 00  ......417478292.   <===
0167:004BFB1A 00 00 FF ...... 32 38 37  ..........684287
0167:004BFB2A 37 36 35 ...... 00 37 35  765...........75
0167:004BFB3A 37 39 38 ...... FF 09 00  7989533.........
0167:004BFB4A 00 00 34 ...... 00 FF FF  ..426952673.....
0167:004BFB5A FF FF 09 ...... 37 38 00  ......423946978.
0167:004BFB6A 00 00 FF ...... 33 37 30  ..........800370
0167:004BFB7A 33 34 30 ...... 00 36 39  340...........69
0167:004BFB8A 30 39 35 ...... FF 09 00  0959612.........
0167:004BFB9A 00 00 34 ...... 00 FF FF  ..423925943.....
0167:004BFBAA FF FF 09 ...... 32 37 00  ......409496927.
0167:004BFBBA 00 00 FF ...... 35 39 33  ..........291593
0167:004BFBCA 34 32 38 ...... 00 37 39  428...........79
0167:004BFBDA 33 34 35 ...... FF 09 00  3459583.........
0167:004BFBEA 00 00 39 ...... 00 FF FF  ..960946252.....
0167:004BFBFA FF FF 09 ...... 34 30 00  ......744779840.
0167:004BFC0A 00 00 FF ...... 39 32 30  ..........866920
0167:004BFC1A 33 39 37 ...... 00 37 36  397...........76
0167:004BFC2A 30 37 38 ...... FF 09 00  0783478.........
0167:004BFC3A 00 00 36 ...... 00 FF FF  ..685275290.....   <===
0167:004BFC4A FF FF 2F ...... 74 20 32  ../...WinBoost 2
0167:004BFC5A 30 30 31 ...... 72 65 67  001 has been reg
0167:004BFC6A 69 73 74 ...... 73 73 66  istered successf
0167:004BFC7A 75 6C 6C ...... 00 5C 77  ully..........\w
0167:004BFC8A 69 6E 2E ...... FF 05 00  in.ini..........
.....
.....
_______________________________________________________________

7. Press F10 - stop at 015F:004BEDBE - display the EAX register:

   d eax [enter]  ==> your fake code appears at virtual address 0167:01243B48

8. Press F10 - stop at 015F:004BEDC1 - display the EDX register:

   d edx [enter]  ==> did you see 641205908 appear at virtual address 0167:01481E08??? Do you remember what I told you in Step #5 above?? Don't you think this one is the real reg code? Write it down!

9. Disable the currently existing breakpoint, press F5 to return to the registration dialog box.

   bd * [enter]

   Press F5 to return to the registration dialog box.

10. Re-type your user name and key in 641205908 as your registration code. Ouch.... did you get "WinBoost 2001 has been registered successfully" on your screen?

11. Noooooooooo?? hehehe.... there must be something wrong here. Let's get back to tracing the code again... repeat step #8! Starting from 015F:004BEDC1, press F10 until you reach the snippet below:

015F:004BF654  E8D345F4FF  CALL  00403C2C
015F:004BF659  33DB        XOR   EBX,EBX
015F:004BF65B  8D8D90FEFF  LEA   ECX,[EBP-0170]
015F:004BF661  0FBFD3      MOVSX EDX,BX
015F:004BF664  A17C1E4C00  MOV   EAX,[004C1E7C]
015F:004BF669  8B00        MOV   EAX,[EAX]
015F:004BF66B  8B4048      MOV   EAX,[EAX+48]
015F:004BF66E  8B4024      MOV   EAX,[EAX+24]
015F:004BF671  8B30        MOV   ESI,[EAX]
015F:004BF673  FF560C      CALL  [ESI+0C]
015F:004BF676  8B9590FEFF  MOV   EDX,[EBP-0170]
015F:004BF67C  8B45E8      MOV   EAX,[EBP-18]     <== D EDX
015F:004BF67F  E81447F4FF  CALL  00403D98
....
....
______________________WB2K1S!+000BE654_______________________ at the 26th of pressing F10 - stop at 015F:004BF67C - and display EDX register : d edx [enter] ==> did you see 9M2R4-U974H-YE07H-1Y1P6 appear at virtual address 0167:013255A0 ??? Again, several lines below there are a lot of interesting unique codes. WRITE IT DOWN again! Here's what I got from my screen ( only a part of them ) : 0167:013255A0 39 4D 32 45 30 37 9M2R4-U974H-YE07 0167:013255B0 48 2D 31 00 00 00 H-1Y1P6.&....... 0167:013255C0 14 00 00 35 2D 44 ....7W4Z4-O105-D 0167:013255D0 5A 32 34 00 00 00 Z24-8U8J.U2..... 0167:013255E0 01 00 00 6E 61 6C ........BO11.nal 0167:013255F0 18 00 00 00 00 00 ....&........... 0167:01325600 31 58 32 4F 38 37 1X2K1-T562F-UO87 0167:01325610 43 2D 36 00 00 00 C-6R4U8.&....... 0167:01325620 17 00 00 33 55 2D ....5E3D1-E283U- 0167:01325630 50 57 32 00 00 00 PW23X-3R6H7.&... 0167:01325640 01 00 00 2D 4E 39 ........7Z2H3-N9 0167:01325650 36 35 51 53 35 00 65Q-OV65T-3M0S5. 0167:01325660 26 00 00 4A 32 59 &...........7J2Y 0167:01325670 36 2D 52 2D 35 42 6-R718G-HG36K-5B 0167:01325680 35 53 32 00 00 00 5S2.&........... 0167:01325690 35 48 31 4B 37 36 5H1K3-Q604V-JK76 0167:013256A0 59 2D 38 00 00 00 Y-8L2V1.&....... 0167:013256B0 17 00 00 36 4E 2D ....8W1T6-H236N- 0167:013256C0 49 4E 31 00 00 00 IN19W-2W5T6.&... 0167:013256D0 01 00 00 2D 50 31 ........4R2W1-P1 You can see another potential reg codes in different location i.e 0167:013256D0 upto 0167:013262C0 ; 0167:01326970 upto 0167:013276C0 ...etc., just scroll up and down from the virtual address 0167:013255A0 . Iam not sure whether the Author genius or sick of mind .... during scrolling up/down you'll see weirdo sticky notes like " Si Brinos " ( means his dog name ), " Dani nu ganteng tea " ( means Dani the handsome guy ), " Juragan krupuk " ( means fried chips master ), " juragan bakso " ( means meatballs master ) .... etc. 12. Enough zenough .... 
disable all breakpoints ( wait, dont forget to set a new breakpoint at 015F:004BF673 for further usage ). Repeat/retype user name and keyed-in 9M2R4-U974H-YE07H-1Y1P6 as your registration code. Click OK/REGISTER button .... this time you get " WinBoost 2001 has been registered successfully " . 13. Where the hell is my registration code is stored ?? The registration info is stored in the WIN.INI under this below statement : [WB] Owner=Pirates Order Registered=True ( deleting this statement will return this program unregis tered ) Also check this registry entry : REGEDIT4 [HKEY_LOCAL_MACHINE\Software\Magellass\WinBoost 2001] "CDROM"="" "Welcome"="1" "StartText"="Start" "FavoritesText"="F&avorites" "DocumentsText"="&Documents" "FindText"="&Find" "SettingsText"="&Settings" "HelpText"="&Help" "LogOffText"="&Log Off" "ShutDownText"="Sh&ut Down..." "RunText"="&Run..." "InfoTip"="Click here to begin." "ProgramsText"="&Programs" "Dir"="C:\\Program Files\\WinBoost 2001" "Registered"="True" This below registry entry ... IT IS JUST COSMETIC! [HKEY_LOCAL_MACHINE\Software\Magellass\WinBoost 2001\Standard Edition] "Name"="" "Company"="" 14. How can I practise with my own user name ? - I strongly recommended you not to do this! END NOTES This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself in the mirror. Do not distribute your crack release based on this tutorial, because you become a LAMER(s)! ( tHATDUDE (PC97) defined LAMER(s) is the guy who sits in front of personal computer, using Hex Editor, ripping off other group(s) crack release, repacking (distro) them under his name. 
Adopted from newsgroup alt.cracks, alt.crackers - February 1997 ) More about LAMER(s): lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connota tions of self-conscious elitism that use of luser does among hackers. < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html > _ Never attribute to malice that which is adequately explained by stupidity _ ASTAGA [D4C/C4A] tute-winboost2001.zip [EOF] 10/30/00 6:32:09 PM I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #111 soon! ;) Credits goto: IC_666 for Splash Logo. ASTAGA for providing 5 tuts in this version. To ALL the crackers: You are welcome to send me your tutors to publish them .. see below for my email address! *** 95 chars per line in textfile please! *** And all the tutors can be found at: http://www.crackersinaction.com (or on IRC, ask CiA ops for urls!) Greetz goto all my friends! You can find me on IRC or email me at tkc@reaper.org Coded by The Keyboard Caper - tKC The Founder of PhRoZeN CReW/Crackers in Action 2000 Compiled with Delphi 5 on 12 November 2000 Cracking Tutorial #110 is dedicated to CiA all new and old members for the support they gave me all the years!
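Steps 6 to 11 above collect candidate reg codes by reading them off the SoftICE Data Window by hand ("write it down"). The following is an added example, not part of ASTAGA's tutorial or tKC's compilation: it runs the same hunt over a raw memory dump (for instance one saved with ProcDump32, listed in the tools at the top), picking out the two code shapes that appear in the tutorial's dumps, the 9-digit numbers in the suspected blacklist table and the 5-5-5-5 dashed codes, and tags each hit with its address so the ones inside a given window (such as the 004BFB0A..004BFC3A table) can be told apart from the rest. The dump bytes, the base address and the length-byte/NUL string layout are constructed for the example; the code values themselves are the ones shown in the tutorial.

```python
"""Pull candidate registration codes out of a raw process-memory dump.

Added example (not from the tutorial). The sample dump below is CONSTRUCTED:
the codes are values that appear in the tutorial's Data Window, the padding,
the length-prefixed/NUL-terminated layout and the base address are assumptions.
"""
import re
from typing import Dict, List, Tuple

Hit = Tuple[int, str]  # (address, code)

# Two shapes of code seen in the tutorial's dumps. The look-arounds stop a hit
# from being part of a longer alphanumeric run (e.g. inside a file path).
NUMERIC_RE = re.compile(rb"(?<![0-9A-Za-z])([0-9]{9})(?![0-9A-Za-z])")
DASHED_RE = re.compile(
    rb"(?<![0-9A-Za-z])([0-9A-Z]{5}(?:-[0-9A-Z]{5}){3})(?![0-9A-Za-z])"
)


def find_codes(dump: bytes, base: int = 0) -> Dict[str, List[Hit]]:
    """Scan `dump` and return {'numeric': [...], 'dashed': [...]}.

    Each entry is (virtual address, code) with address = base + offset of the
    first character, so hits can be matched against the Data Window.
    """
    found: Dict[str, List[Hit]] = {"numeric": [], "dashed": []}
    for kind, rx in (("numeric", NUMERIC_RE), ("dashed", DASHED_RE)):
        for m in rx.finditer(dump):
            found[kind].append((base + m.start(1), m.group(1).decode("ascii")))
    return found


def codes_in_window(hits: List[Hit], lo: int, hi: int) -> List[str]:
    """Codes whose address lies in [lo, hi], e.g. the suspected blacklist table."""
    return [code for addr, code in hits if lo <= addr <= hi]


def _pstr(s: bytes) -> bytes:
    # Length byte, text, NUL: the "09 .. 00" framing visible around the
    # 9-digit strings in the tutorial's dump (assumed to be exactly that).
    return bytes([len(s)]) + s + b"\x00"


SAMPLE_DUMP_BASE = 0x004BFB00  # assumed load address for the constructed sample
SAMPLE_DUMP = (
    b"\xff" * 8
    + _pstr(b"417478292") + b"\x00" * 6 + b"\xff" * 4   # blacklist-table values
    + _pstr(b"684287765") + b"\x00" * 3
    + _pstr(b"757989533") + b"\xff" * 12
    + b"WinBoost 2001 has been registered successfully\x00" + b"\x00" * 5
    + _pstr(b"9M2R4-U974H-YE07H-1Y1P6") + b"\x00" * 4     # the code that worked
    + b"\x7b\x4a\x01"
    + _pstr(b"7W4Z4-O105-DZ24-8U8J")   # irregular groups as seen in the dump: skipped
    + b"12345678\x00" + b"\xff" * 4    # only 8 digits: skipped
)


def report(dump: bytes, base: int, table: Tuple[int, int]) -> Dict[str, List[str]]:
    """Summarise one dump: numeric codes inside/outside `table`, plus dashed codes."""
    hits = find_codes(dump, base)
    inside = codes_in_window(hits["numeric"], *table)
    outside = [c for _, c in hits["numeric"] if c not in inside]
    return {"table": inside, "other_numeric": outside,
            "dashed": [c for _, c in hits["dashed"]]}


if __name__ == "__main__":
    for kind, hits in find_codes(SAMPLE_DUMP, SAMPLE_DUMP_BASE).items():
        for addr, code in hits:
            print(f"{kind:8s} {addr:08X} {code}")
```

Run it against a real dump by replacing SAMPLE_DUMP with the file contents and SAMPLE_DUMP_BASE with the address the dumper reports for that region; the addresses it prints line up with what SoftICE shows in the Data Window, so the hits can be checked against the trace.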