Tutorial 2 - Start Clean 1.2

Written by SE_Xuality - Se_Xuality@hacker.am, Sunday, 2 December 2001

Protection : Very Easy

Packed : Not found

Language : C++

Required programs : WinDasm 8.x, Hiew 6.x, StartCln.zip (the program to be cracked)

Tutorial 1 must be read and fully understood first....


Introduction :

Hi friends, here I am again with another tutorial... This time's program, Start Clean v1.2, looks from the outside like a throwaway program that is good for nothing.. but never mind, a cracker knows his trade and does not underestimate any program.. You can examine the program yourselves... I cracked it just to satisfy my ego... And at the end I've thrown in a bonus for you; read it and you won't regret it...:)

Protection :

A nag screen at startup, "Please Register" and so on.... Read on and see how this nag disappears....

And then what comes after it...

Explanation:

The steps described in Tutorial 1 are carried out.. first a copy is made... Then the copy is opened in WinDasm.. And then the original program is opened in Hiew...

First I show the WinDasm code.. I'll show where the comparison we need is going to be... Pay attention.....

* Referenced by a CALL at Address: ------> This is the procedure whose string list contains "Shareware Version", so something is going on here...
|:00401F07
|
:004013C0 81EC10030000 sub esp, 00000310
:004013C6 A064624000 mov al, byte ptr [00406264]
:004013CB B93F000000 mov ecx, 0000003F
:004013D0 56 push esi
:004013D1 88442410 mov byte ptr [esp+10], al
:004013D5 57 push edi
:004013D6 8D7C2415 lea edi, dword ptr [esp+15]
:004013DA 33C0 xor eax, eax
:004013DC F3 repz
:004013DD AB stosd
:004013DE 66AB stosw
:004013E0 AA stosb
:004013E1 A064624000 mov al, byte ptr [00406264]
:004013E6 8DBC2415010000 lea edi, dword ptr [esp+00000115]
:004013ED B93F000000 mov ecx, 0000003F
:004013F2 88842414010000 mov byte ptr [esp+00000114], al
:004013F9 33C0 xor eax, eax
:004013FB F3 repz
:004013FC AB stosd
:004013FD 66AB stosw

* Possible StringData Ref from Data Obj ->"Software\Start Clean\Configuration"
|
:004013FF BE40624000 mov esi, 00406240
:00401404 B908000000 mov ecx, 00000008
:00401409 AA stosb
:0040140A 8DBC2414020000 lea edi, dword ptr [esp+00000214]
:00401411 F3 repz
:00401412 A5 movsd
:00401413 66A5 movsw
:00401415 A4 movsb
:00401416 8DBC2437020000 lea edi, dword ptr [esp+00000237]
:0040141D B938000000 mov ecx, 00000038
:00401422 F3 repz
:00401423 AB stosd
:00401424 8D4C2414 lea ecx, dword ptr [esp+14]
:00401428 6864624000 push 00406264
:0040142D AA stosb
:0040142E 51 push ecx

* Reference To: USER32.wsprintfA, Ord:0249h
|
:0040142F 8B35D4924000 mov esi, dword ptr [004092D4]
:00401435 C744241404010000 mov [esp+14], 00000104
:0040143D FFD6 call esi
:0040143F 8D4C2410 lea ecx, dword ptr [esp+10]
:00401443 8D84241C020000 lea eax, dword ptr [esp+0000021C]
:0040144A 83C408 add esp, 00000008
:0040144D 51 push ecx
:0040144E 50 push eax
:0040144F 6801000080 push 80000001

* Reference To: ADVAPI32.RegOpenKeyA, Ord:00D8h ------ It looks something up in the registry, but that isn't important, you know.....
|
:00401454 FF15F8914000 Call dword ptr [004091F8]
:0040145A 8D4C240C lea ecx, dword ptr [esp+0C]
:0040145E 8D542414 lea edx, dword ptr [esp+14]
:00401462 8D442410 lea eax, dword ptr [esp+10]
:00401466 51 push ecx
:00401467 8B4C240C mov ecx, dword ptr [esp+0C]
:0040146B 52 push edx
:0040146C 50 push eax
:0040146D 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Name" ------> OK, so it checks the registry.. if it finds the password it will write "Registered to :" instead of "Shareware Version"..
|
:0040146F 6838624000 push 00406238
:00401474 51 push ecx

* Reference To: ADVAPI32.RegQueryValueExA, Ord:00E1h
|
:00401475 FF15F4914000 Call dword ptr [004091F4]
:0040147B 8B4C2408 mov ecx, dword ptr [esp+08]
:0040147F 51 push ecx

* Reference To: ADVAPI32.RegCloseKey, Ord:00C2h
|
:00401480 FF15F0914000 Call dword ptr [004091F0]
:00401486 8D4C2414 lea ecx, dword ptr [esp+14]
:0040148A 8D942414010000 lea edx, dword ptr [esp+00000114]
:00401491 51 push ecx

* Possible StringData Ref from Data Obj ->"Registered to %s" ---------> there is no comparison here
|
:00401492 6878624000 push 00406278
:00401497 52 push edx
:00401498 FFD6 call esi
:0040149A 8D8C2420010000 lea ecx, dword ptr [esp+00000120]
:004014A1 8B942428030000 mov edx, dword ptr [esp+00000328]
:004014A8 83C40C add esp, 0000000C
:004014AB 51 push ecx

* Possible Reference to Dialog: DialogID_0071, CONTROL_ID:040A, "Shareware Version"
|
:004014AC 680A040000 push 0000040A
:004014B1 52 push edx

* Reference To: USER32.SetDlgItemTextA, Ord:01DEh
|
:004014B2 FF15E0924000 Call dword ptr [004092E0]
:004014B8 5F pop edi
:004014B9 5E pop esi
:004014BA 81C410030000 add esp, 00000310
:004014C0 C3 ret

---------------------------------------------------------------------------------------------


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401EDC(C)
|
:00401EE6 6A00 push 00000000
:00401EE8 68701F4000 push 00401F70
:00401EED 6A00 push 00000000

* Possible Reference to Dialog: DialogID_0071
|
:00401EEF 6A71 push 00000071
:00401EF1 50 push eax

* Reference To: USER32.CreateDialogParamA, Ord:0048h ----> Here the window and so on gets created, but let's keep sniffing around....
|
:00401EF2 FF1514934000 Call dword ptr [00409314]
:00401EF8 833D4C72400000 cmp dword ptr [0040724C], 00000000
:00401EFF A384734000 mov dword ptr [00407384], eax
:00401F04 7409 je 00401F0F ------> Not this one....
:00401F06 50 push eax
:00401F07 E8B4F4FFFF call 004013C0 -----> The call that invokes the routine above, but we still haven't found anything
:00401F0C 83C404 add esp, 00000004

-------------------------------------------------------------------------------------------------------------------

* Referenced by a CALL at Address:
|:00401D9A
|
:00401EA0 8B442404 mov eax, dword ptr [esp+04]
:00401EA4 A348724000 mov dword ptr [00407248], eax

* Reference To: COMCTL32.InitCommonControls, Ord:0011h
|
:00401EA9 FF1508924000 Call dword ptr [00409208]
:00401EAF E84CF1FFFF call 00401000
:00401EB4 A34C724000 mov dword ptr [0040724C], eax
:00401EB9 85C0 test eax, eax
:00401EBB 7524 jne 00401EE1
:00401EBD 6A00 push 00000000
:00401EBF A148724000 mov eax, dword ptr [00407248]
:00401EC4 68F0274000 push 004027F0
:00401EC9 6A00 push 00000000

* Possible Reference to Dialog: DialogID_006F
|
:00401ECB 6A6F push 0000006F
:00401ECD 50 push eax

* Reference To: USER32.DialogBoxParamA, Ord:008Ah
|
:00401ECE FF1510934000 Call dword ptr [00409310]
:00401ED4 83F8FF cmp eax, FFFFFFFF
:00401ED7 A148724000 mov eax, dword ptr [00407248]
:00401EDC 7508 jne 00401EE6 -----> Not this one either....
:00401EDE 33C0 xor eax, eax
:00401EE0 C3 ret

----------------------------------------------------------------------------------------------------------------------

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401D7E(C), :00401D8B(C)
|
:00401D91 8B8424D0000000 mov eax, dword ptr [esp+000000D0]
:00401D98 50 push eax
:00401D99 56 push esi
:00401D9A E801010000 call 00401EA0 -----> Here it is, the password-check routine that is the root of everything... if we get rid of this, the job is done....
:00401D9F 83C408 add esp, 00000008
:00401DA2 85C0 test eax, eax
:00401DA4 7504 jne 00401DAA -----> This one looks at the returned value and continues if the trial period has not expired...... we have to make this always continue...
:00401DA6 33C0 xor eax, eax
:00401DA8 EB62 jmp 00401E0C -----> exit the program....

That's all there is to it, friends.. If you say "I didn't understand anything from this code", read Tutorial 1 again... and gather information about assembly from the internet... In time you'll see it isn't that hard.. And if you ask "how do you find it so easily".. in my early days, about a couple of months ago, I spent roughly 2 hours trying to crack this program....:) The road to success goes through constant repetition....
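As an added exercise for readers learning to read listings like the ones above (this is the editor's illustration, not part of the original tutorial or of Start Clean), the script below parses WinDasm-style lines of the form `:ADDRESS BYTES mnemonic operands` and re-derives the target of every relative `call`, `jmp` and `jcc` from its encoded bytes. On x86 the displacement is measured from the address of the *next* instruction, which is why, for example, `E8B4F4FFFF` at 00401F07 lands on 004013C0: 00401F0C plus the signed displacement -0B4C. The sample lines are copied from the listing in this tutorial; the function and constant names are the editor's own.

```python
import re
import struct

# Sample lines copied from the WinDasm listing in this tutorial (32-bit x86).
LISTING = """
:00401EF8 833D4C72400000 cmp dword ptr [0040724C], 00000000
:00401EFF A384734000 mov dword ptr [00407384], eax
:00401F04 7409 je 00401F0F
:00401F06 50 push eax
:00401F07 E8B4F4FFFF call 004013C0
:00401F0C 83C404 add esp, 00000004
:00401EB4 A34C724000 mov dword ptr [0040724C], eax
:00401EB9 85C0 test eax, eax
:00401EBB 7524 jne 00401EE1
:00401EDC 7508 jne 00401EE6
:00401D9A E801010000 call 00401EA0
:00401DA4 7504 jne 00401DAA
:00401DA8 EB62 jmp 00401E0C
:00401EAF E84CF1FFFF call 00401000
"""

# ":ADDRESS BYTES mnemonic [operands]" -- the WinDasm listing line layout.
LINE_RE = re.compile(r"^:([0-9A-F]{8})\s+([0-9A-F]+)\s+(\S+)(?:\s+(.*))?$")


def parse_listing(text):
    """Return a list of (address, bytes, mnemonic, operands) tuples.

    Annotation lines ("* Reference To ...", "|", blanks) are skipped.
    """
    instrs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, hexbytes, mnem, ops = m.groups()
        instrs.append((int(addr, 16), bytes.fromhex(hexbytes), mnem.lower(), ops or ""))
    return instrs


def relative_target(addr, code):
    """Decode the target of a relative branch, or return None if `code` is not one.

    Handled forms: E8 call rel32, E9 jmp rel32, EB jmp rel8, 70..7F jcc rel8,
    0F 80..8F jcc rel32.  Register/memory-indirect calls such as "call esi"
    or "Call dword ptr [...]" carry no encoded target and yield None.
    """
    op = code[0]
    if op in (0xE8, 0xE9) and len(code) == 5:
        disp = struct.unpack("<i", code[1:5])[0]
    elif (op == 0xEB or 0x70 <= op <= 0x7F) and len(code) == 2:
        disp = struct.unpack("<b", code[1:2])[0]
    elif op == 0x0F and len(code) == 6 and 0x80 <= code[1] <= 0x8F:
        disp = struct.unpack("<i", code[2:6])[0]
    else:
        return None
    # Displacement is relative to the end of the branch instruction itself.
    return (addr + len(code) + disp) & 0xFFFFFFFF


def check_branches(text):
    """Compare each decoded branch target with the target printed in the listing.

    Returns a list of (address, mnemonic, decoded_target, listed_target, ok).
    """
    results = []
    for addr, code, mnem, ops in parse_listing(text):
        target = relative_target(addr, code)
        if target is None:
            continue
        listed = int(ops.split()[0], 16)
        results.append((addr, mnem, target, listed, target == listed))
    return results


if __name__ == "__main__":
    for addr, mnem, target, listed, ok in check_branches(LISTING):
        status = "OK" if ok else "MISMATCH"
        print(f"{addr:08X} {mnem:<4} -> {target:08X} (listed {listed:08X}) {status}")
```

Running the script prints one line per relative branch in the sample; every decoded target agrees with the address WinDasm printed. Doing this check by hand on a few instructions is a good way to convince yourself what the `74`, `75`, `EB` and `E8` opcodes encode before you try to follow a listing's control flow, and a mismatch usually means a byte was mis-read somewhere, which shifts every address after it.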

Bonus Pack :

Well, of course it can't stay this dry.. it just sits there saying "Registered to", plain as a pumpkin... so now we need to change this text too... OK then.. We open the cracked program in Hiew... We get to the screen shown below... after pressing Enter once we press the F7 key and, right next to the ASCII box, we type Registered.. Let's see where in the program this word is... there, we've found it...

Now we'll make an edit and write our own name here... But you can't just type text in there like that... The letters first have to be converted to their HEX values.. For this you need an Asc2Hex.. I mostly use E-minence's program, which is more than adequate... I showed below how to use it... You can get the numbers you'll type into the program from there....

Now we go to the place that says "Registered to", press F3, and enter these numbers one by one.. Then you save with F9 and exit with F10....
