<HTML>
<HEAD>
   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
   <META NAME="GENERATOR" CONTENT="Mozilla/4.04 [en] (Win95; I) [Netscape]">
   <META NAME="Author" CONTENT="The Sandman">
   <META NAME="Classification" CONTENT="Reverse Code Engineering">
   <META NAME="Description" CONTENT="Step by step guide to cracking Add/Remove Cleaner">
   <META NAME="KeyWords" CONTENT="How to Add/Remove Cleaner">
   <TITLE>Add / Remove Cleaner V2.01</TITLE>
</HEAD>
<BODY TEXT="#001010" BGCOLOR="#C0C0C0" LINK="#FF0000" VLINK="#000099" ALINK="#FFFF00">
&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR BGCOLOR="#FFFFFF">
<TD WIDTH="15%">
<CENTER><B><FONT FACE="Arial,Helvetica">May 1998</FONT></B></CENTER>
</TD>

<TD WIDTH="100%">
<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+2>"Add/Remove Cleaner
V2.01"</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">( And Page Host V1.0&nbsp; )</FONT></CENTER>
</TD>

<TD WIDTH="30%">
<CENTER><B><FONT FACE="Arial,Helvetica">Win '95 PROGRAM</FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#808080">Win Code Reversing</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#808080">&nbsp;</FONT></FONT></CENTER>
</TD>
</TR>

<TR BGCOLOR="#FFFF99">
<TD WIDTH="15%">
<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#890000">&nbsp;</FONT></FONT></CENTER>
</TD>

<TD>
<CENTER><FONT FACE="Arial,Helvetica">by <FONT SIZE=+3>The Sandman&nbsp;</FONT></FONT></CENTER>
</TD>

<TD VALIGN=CENTER WIDTH="30%"><FONT FACE="Arial,Helvetica">&nbsp;</FONT></TD>
</TR>

<TR BGCOLOR="#999900">
<TD WIDTH="15%">
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>
</TD>

<TD>
<CENTER><FONT FACE="Arial,Helvetica">Code Reversing For Beginners&nbsp;</FONT></CENTER>
</TD>

<TD WIDTH="30%">
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>
</TD>
</TR>

<TR BGCOLOR="#C0C0C0">
<TD WIDTH="15%"></TD>

<TD ALIGN=LEFT>
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><B><FONT FACE="Arial,Helvetica">Program Details</FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Name:</B> Addrmclr.exe</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Type:</B> Win'95 Utility</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Location:</B> <A HREF="http://www.distortions.com">Here</A>
or&nbsp; <A HREF="http://ftpsearch.ntnu.no/cgi-bin/search?query=addrmclr.exe&doit=Search&type=Case+insensitive+substring+search&doexact=on&hits=50&matches=&hitsprmatch=&limdom=&limpath=&f1=Count&f2=Mode&f3=Size&f4=Date&f5=Host&f6=Path&header=none&sort=none&trlen=20">Here</A></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Size: </B>271K&nbsp;</FONT></CENTER>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT></TD>

<TD WIDTH="30%"></TD>
</TR>

<TR BGCOLOR="#C0C0C0">
<TD WIDTH="15%"></TD>

<TD><FONT FACE="Arial,Helvetica"><B>&nbsp;</B>&nbsp;</FONT>&nbsp;
<CENTER><B><FONT FACE="Arial,Helvetica">Tools Used:</FONT></B></CENTER>

<CENTER><A HREF="http://swlink.net/~lachcik/insaine/si95w320.zip">Softice
3.2 - Debugger</A></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><A HREF="http://www.fortunecity.com/bally/waterford/18/w32dsm89.zip">W32Dasm
V8.9 - Disassembler</A></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>
</TD>

<TD WIDTH="30%"></TD>
</TR>

<TR>
<TD VALIGN=CENTER BGCOLOR="#C6E7C6">
<CENTER><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#0000FF">Rating</FONT></FONT></B></CENTER>
</TD>

<TD VALIGN=CENTER BGCOLOR="#C6E7C6">
<CENTER><B><FONT FACE="Arial,Helvetica"><FONT SIZE=-1><FONT COLOR="#0000FF">Easy
( X )&nbsp; Medium (&nbsp;&nbsp; )&nbsp; Hard (&nbsp;&nbsp;&nbsp; )&nbsp;
Pro (&nbsp;&nbsp;&nbsp; )</FONT>&nbsp;</FONT></FONT></B></CENTER>
</TD>

<TD WIDTH="30%" BGCOLOR="#999900"><B><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>There
is a crack, a crack in everything. That's how the light gets in.</FONT></FONT></B></TD>
</TR>
</TABLE>

<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>&nbsp;</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT>&nbsp;
<HR></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+2>Add/remove Cleaner V2.01</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+2>( </FONT><FONT SIZE=+1>And
Page Host V1.0</FONT><B>&nbsp;</B><FONT SIZE=+2> )</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#0B7FC1">Written by The
Sandman</FONT></FONT></CENTER>
<FONT FACE="Arial Black">&nbsp;</FONT>
<BR>&nbsp;
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#0000FF"><FONT SIZE=+2>Introduction</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
&nbsp;
<BR>We're going to crack two programs in this essay. I'll be explaining
how to crack <B><U>Add/Remove Cleaner</U></B>, and since the code is almost
identical in their other program, <B><U>Page Host</U></B>, we can crack that
too...:)
<BR>&nbsp;
<BR>&nbsp;

<P><FONT FACE="Arial,Helvetica">The author(s) of this utility can be found
at:&nbsp;</FONT> <A HREF="http://www.distortions.com">http://www.distortions.com</A>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">The author says:</FONT>

<P><FONT FACE="Arial,Helvetica">"This program was created in Delphi 3.0,
version 1.0 was released on 6/15/97. It only took about 30 minutes to
complete. It was created after I realized I had about 50-70 bad entries
to uninstallers in my Add/Remove Programs Window. Version 2.0 was
released on 2/1/98."</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#3333FF"><FONT SIZE=+2>About this protection system</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">Registration is via selecting the '<B>Register</B>'
button once you've bypassed the initial nag screen box that shows each
time this program is run while unregistered.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">Here you will be asked to enter:-</FONT>

<P><B><FONT FACE="Arial,Helvetica">Registration&nbsp; Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:</FONT></B>
<BR><B><FONT FACE="Arial,Helvetica">Serial Number:</FONT></B>
<BR>&nbsp;
<BR>Once registered, the program saves the registration info within your
System Registry file, at:
<BR>&nbsp;
<BR><B><FONT COLOR="#993366">HKEY_CURRENT_USER\Software\ChemicalDistortions\Add
Remove Cleaner</FONT></B>
<BR>&nbsp;
<BR><B><FONT COLOR="#993366">RegName&nbsp; "The Sandman"</FONT></B>
<BR><B><FONT COLOR="#993366">SerNum:&nbsp;&nbsp;&nbsp; "T11132TE"</FONT></B>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">Don't be lame and use my registration
serial number, read this essay and learn to create your own!</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</FONT>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">The Essay</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">First things first, let's get a dead listing
of this program; we want to see where we're going and how best to
get there.&nbsp; Use W32Dasm to create our dead listing, and when that's
done let's check out the String Data Resources within this babe; you never
know, it might have a single hard-coded serial number for us to use..</FONT>

<P><FONT FACE="Arial,Helvetica">OK, if you've checked the String Resources
then you'll see there weren't any likely serial numbers for us to use. Never
mind, it just means we will go on to plan 'B'.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">Plan 'B' requires us to locate the 'Beggar
off Cracker' routine, the one that tells us our serial number was invalid..</FONT>

<P><FONT FACE="Arial,Helvetica">Did you find it? It's located at:</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FE8 E9EBE1FCFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jmp 004031D8</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FED EBF0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jmp 00434FDF</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>* StringData Ref from
Code Obj ->"<B><FONT COLOR="#993366">Thank you for registering!</FONT></B>"</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FEF B8BC504300&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, 004350BC</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FF4 E8D7CFFFFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 00431FD0</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FF9 EB0A&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jmp 00435005</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>* Referenced by a (C)onditional
Jump at Address: :00434F42(C)</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;</FONT></FONT>
<BR><B><FONT FACE="Courier New,Courier"><FONT COLOR="#993366"><FONT SIZE=-1>*
StringData Ref from Code Obj ->"Invalid registration information"</FONT></FONT></FONT></B>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FFB B8E0504300&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, 004350E0</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00435000 E8CBCFFFFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 00431FD0</FONT></FONT>
<BR>&nbsp;

<P><FONT FACE="Arial,Helvetica">Look at this, our 'Thank you for registering'
routine is here as well.&nbsp; Now take a look at the above code snippet;
let's see what information we can get from these two routines, starting
with the:</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#000099">'Thank you for registering'
message.</FONT></FONT></B>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>

<P><B><FONT COLOR="#CC0000">1.&nbsp;</FONT></B> There is no information
available to us that tells us where in the program this routine gets called!&nbsp;
This tells us that it's highly likely that the program uses an 'indirect'
addressing method: it calculates the address by taking a register with
a known value and adding a displacement value to get the final address.&nbsp; In plain
English this can be explained by this example:-

<P>Suppose the <B><U><FONT COLOR="#990000">eax register</FONT></U></B>
represents a letter that someone sent you, and that inside this letter
is the full postal address of where you can collect your 1st prize of &pound;100,000
for winning the lottery.

<P><FONT FACE="Courier New,Courier">mov ecx, dword ptr [eax] ;First we
'take' the letter,</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;this is the mov part of this</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;instruction.</FONT>

<P><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;We 'open' this letter, this is the</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;ecx part of this instruction.</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;We then 'read' the letter</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;to see what kind of letter it is,</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;this is the dword ptr part of this</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;instruction.</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;'Inside' this letter is the</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;telephone number of the person</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;who will give us our cheque.</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;This is the [eax] part of our</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;instruction.</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;</FONT>
<BR>&nbsp;

<P><FONT FACE="Courier New,Courier">call [ecx+44]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;Dial the telephone number by first</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;adding 44h (the dialing code) to</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;the telephone number we've just</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;'read' from our letter.</FONT>
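<P><FONT FACE="Arial,Helvetica">The same three instructions as an added C model (constructed for this edit; it is not the essay's code nor Add/Remove Cleaner's): a Delphi object's first dword is a pointer to its class's method table, so <B>mov ecx, dword ptr [eax]</B> fetches that table and <B>call [ecx+44]</B> calls whichever routine sits 44h bytes into it. The table layout, the two message routines and the <B>dispatch_slot</B> helper are assumptions made for illustration; what the model shows is why the dead listing holds no direct reference to the routine being called.</FONT>

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the call sequence discussed above; not the essay's
 * code and not Add/Remove Cleaner's.  A Delphi object's first dword is a
 * pointer to its class's method table, so:
 *     mov ecx, dword ptr [eax]   ; ecx = the table the object points at
 *     call [ecx+44]              ; call whatever sits 44h bytes into it
 * The table layout and the two routines below are assumptions. */

typedef const char *(*slot_fn)(void *self);

/* 44h is the byte displacement written in the instruction; with the 4-byte
 * pointers of the 32-bit target it selects table entry 44h / 4 = 17. */
#define SLOT_DISPLACEMENT 0x44
#define SLOT_INDEX        (SLOT_DISPLACEMENT / 4)
#define TABLE_SLOTS       32

struct method_table {               /* what [eax] points at: the letter's contents */
    slot_fn slot[TABLE_SLOTS];
};

struct object {                     /* what eax holds: the letter itself */
    const struct method_table *vmt; /* first dword: pointer to the class table */
    const char *name;
};

static const char *registered_msg(void *self)
{
    (void)self;
    return "Thank you for registering!";
}

static const char *unregistered_msg(void *self)
{
    (void)self;
    return "Still unregistered";           /* constructed text, not from the program */
}

/* Two tables with the same layout but a different routine in slot 17. */
static const struct method_table registered_table = {
    .slot = { [SLOT_INDEX] = registered_msg }
};
static const struct method_table trial_table = {
    .slot = { [SLOT_INDEX] = unregistered_msg }
};

/* The call site.  Every object goes through these same three steps, so the
 * static listing holds no "call <routine address>" for either routine: the
 * target only exists once ecx has been loaded at run time. */
const char *dispatch_slot(struct object *eax)
{
    const struct method_table *ecx = eax->vmt;   /* mov ecx, dword ptr [eax] */
    slot_fn target = ecx->slot[SLOT_INDEX];      /* read the entry at [ecx+44] */
    return target(eax);                          /* call [ecx+44] */
}

/* Helper for checking which routine a given table dispatches to. */
int dispatches_to_registered(const struct method_table *vmt)
{
    struct object obj = { vmt, "probe" };        /* constructed object */
    return strcmp(dispatch_slot(&obj), "Thank you for registering!") == 0;
}

int main(void)
{
    struct object a = { &registered_table, "registered copy" };
    struct object b = { &trial_table, "trial copy" };

    printf("%s -> %s\n", a.name, dispatch_slot(&a));
    printf("%s -> %s\n", b.name, dispatch_slot(&b));
    return 0;
}
```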

<P><B><FONT COLOR="#CC0000">2.</FONT></B> From the <FONT FACE="Arial,Helvetica"><B><FONT COLOR="#993366">mov
eax, 004350BC</FONT></B><FONT COLOR="#000000"> instruction we know where
this message is stored in the computer's memory while the program is running.</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>

<P><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#000099">'Invalid registration
information' message</FONT></FONT></B>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#000099">&nbsp;</FONT></FONT></B>
<BR><FONT FACE="Arial,Helvetica"><B><FONT COLOR="#CC0000">1.</FONT></B><FONT COLOR="#000000">
We can find out where within the program this routine is called from; in
this particular case, if we examine the dead listing at<B>: 00434F42</B></FONT>
we should see this line:-</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#663366">:00434F42 0F85B3000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jne 00434FFB ;If serial No is wrong then jump</FONT></FONT></B>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#663366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;to the routine at memory loc</FONT></FONT></B>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#663366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;00434FFB&nbsp; and show the</FONT></FONT></B>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#663366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;'Beggar off cracker' message.</FONT></FONT></B>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#663366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;else</FONT></FONT></B>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#663366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;continue with the next</FONT></FONT></B>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#663366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;instructions and update the</FONT></FONT></B>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#663366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;Registry file with user Name &amp;</FONT></FONT></B>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#663366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;Serial Number.</FONT></FONT></B>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Some of you might
see a *possible* way to *crack* this babe with the jne instruction, by
simply Nop'ing (90h) the whole instruction so that the program will ALWAYS
continue on and update the System
Registry file with our user Name &amp; Serial No.&nbsp; If you thought
this then you're beginning to think like a *cracker*, but if we could understand
Assembler then a closer examination of the surrounding code associated
with this program's protection system *might* show you that this method
of attack won't work.&nbsp; However, as newbies we won't know this, but
while 'testing' our *crack* we shall see the beginnings of yet another
way to crack this program, one that looks very promising.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Enough talking, let's
get into this program's code and place a Softice breakpoint at location:
00434F42</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Run Add/Remove Cleaner
and go into the 'Registration Screen', and type in your User Name &amp;
a fake serial number.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000"><U>Before</U> pressing
the 'Done' button press 'Ctrl-D' to re-enter Softice; we want to try and
break into the program's code. Normally we can set a breakpoint on the MessageBoxA
or MessageBox system functions, but that won't work in this case, so we will
use the hmemcpy function instead.&nbsp; Hmemcpy is a system function that
just about every program I know of uses, and which is used to copy
information (such as text) from one memory location to another.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Type: <B>bpx hmemcpy
</B>then <B>x</B> to return back to Add/Remove Cleaner.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Now you can press
the '<B>Done</B>' button.</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Almost immediately
Softice breaks, and since we need to get Softice back into the target program's
code we now press the following keys in Softice.</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000"><B>F11</B> then
<B>F12</B>, <B>F12</B>, <B>F12</B>, <B>F12</B>, <B>F12</B>, <B>F12</B></FONT></FONT>

<P>To locate our <FONT FACE="Arial,Helvetica"><FONT COLOR="#663366"><B>jne
00434FFB</B> </FONT><FONT COLOR="#000000">instruction at offset </FONT><B><FONT COLOR="#663366">00434F42
</FONT></B><FONT COLOR="#000000">we now type:</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000"><B>u 00434F42</B>&nbsp;
this will display the code at this memory location.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Now we type <B>bc
*</B> to clear all of Softice's breakpoints, then type <B>bpx 014F:00434F42</B>
to set a new breakpoint on our</FONT><B><FONT COLOR="#993366"> jne 00434FFB</FONT></B><FONT COLOR="#000000">
instruction.&nbsp; Now type <B>x</B> to leave Softice so that the program
runs as normal and displays the 'Invalid registration information' message.</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Click '<B>OK</B>'
to clear this message box, then press the '<B>Done</B>' button again; we want
to re-run the program's protection system so that Softice can break
at the moment where the program decides either to go and print the 'Beggar
off cracker' message or to update our System Registry file with our User
details.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">At this point Softice
is telling us that if we continue the program from here it will jump to
our 'Beggar off cracker' message routine. Well, we don't want that to happen,
so we will type <B>r eip=00434F48</B>, which in plain terms simply tells your computer
to 'ignore' this jump instruction completely and begin execution </FONT><B><U><FONT COLOR="#993366">FROM</FONT></U></B><FONT COLOR="#000000">
the next line below the jump instruction. This is almost exactly what would
happen </FONT><FONT COLOR="#993366"><B><U>IF</U></B> </FONT><FONT COLOR="#000000">we
had Nop'd (90h) this jump out.</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">:00434F42
0F85B3000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jne 00434FFB ;</FONT><FONT COLOR="#990000">Softice 1st stopped here</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F48 B201&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov dl, 01 ;<FONT COLOR="#990000">now we begin here</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#990000"><FONT SIZE=-1>&nbsp;</FONT></FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000099">While we're here,
let's examine the important sections of code we're about to analyze, step
by step using the </FONT><B><FONT COLOR="#000000">F10</FONT></B><FONT COLOR="#000099">
key.. Begin pressing the </FONT><B><FONT COLOR="#000000">F10</FONT></B><FONT COLOR="#000099">
key <U>UNTIL</U> you get here.</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FBA&nbsp; mov ecx,
dword ptr [ebp-0C];<B><FONT COLOR="#993366">place in the ecx register the</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">memory location of our 'fake'</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">serial number</FONT></B></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FBD&nbsp; mov edx,
004350AC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ;<B><FONT COLOR="#993366">place
in the edx register the</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">memory location of the text 'Sernum'</FONT></B></FONT></FONT>
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FC2&nbsp; mov
eax, dword ptr [ebp-08];</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FC5&nbsp; call
0043295C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">Update the System registry File.</FONT></B></FONT></FONT>

<P>If you were to now let the program run as normal it would display the
'Thank you for registering' message; however, the program is still unregistered.&nbsp;
All we've done is to get the program to save our User name and 'fake' serial
number to the system registry file, but the program knows it's still invalid
and so will ignore this entry and proceed as though it's still unregistered.

<P>Take a look at this line again:-
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FBA&nbsp; mov
ecx, dword ptr [ebp-0C];<B><FONT COLOR="#993366">place in the ecx register
the</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">memory location of our 'fake'</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">serial number</FONT></B></FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Here's where the
problem lies: the program is saving our 'fake' serial number to the System
registry file instead of the 'real' one.&nbsp; This is common practice
in *almost* every program that uses a serial/registration key, and is just
one of many 'little' barriers the programmer will put in our way.&nbsp;
Learn and study these barriers well; it will save you a lot of wasted time.</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">What do we need
to do now?&nbsp; We could 'patch' this line so that it 'reads' the 'real'
serial number instead of the one typed in by the User, but if we do that
then we will </FONT><B><U><FONT COLOR="#993366">ALSO</FONT></U></B><FONT COLOR="#000000">
have to either Nop (90h) out the whole of the </FONT><B><FONT COLOR="#663366">jne
00434FFB</FONT></B><FONT COLOR="#000000"> at memory location </FONT><B><FONT COLOR="#993366">00434F42</FONT></B></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000"><B><U>OR</U></B>
change the jump address so that it 'jumps' to the next instruction below,
instead of to the 'Beggar off cracker' routine, in order to make this *crack*
work.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Since 'Key Generators'
are quite popular at the moment, let's crack this babe and turn its protection
system into a useful aid to registering it..:)</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Before we can do anything
else we <U>MUST</U> locate where in memory the program creates the 'real'
serial number; this is vital if we are to *crack* this babe.</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Let us once again
think about what we have done so far.&nbsp; We located the routine that
displays our 'beggar off cracker' message and, through that, we back-tracked
through the code to locate the jne 00434FFB instruction at memory location
00434F42, so far so good.&nbsp; We've established that this jne instruction
decides which message to show the User (you and me) depending on whether
the serial number we entered was valid for the User Name we chose to use.&nbsp;
So it seems clear that we must back-track a little further through
the program's code to find out where it checks our 'fake' serial number
against the one that is generated for the User Name we used.&nbsp; In our
dead listing of this program, if you look at the section of code <U>ABOVE</U>&nbsp;
the jne 00434FFB instruction you will see this section of code:-</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000000"><FONT SIZE=-1>:00434F1C&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebp-14]</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F1F&nbsp;&nbsp;&nbsp;&nbsp;
push eax</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F20&nbsp;&nbsp;&nbsp;&nbsp;
lea edx, dword ptr [ebp-0C]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F23&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebx+000001E8]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F29&nbsp;&nbsp;&nbsp;&nbsp;
call 0041AE68</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F2E&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebp-0C]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F31&nbsp;&nbsp;&nbsp;&nbsp;
lea edx, dword ptr [ebp-1C]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F34&nbsp;&nbsp;&nbsp;&nbsp;
call 00406698</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F39&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, dword ptr [ebp-1C]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F3C&nbsp;&nbsp;&nbsp;&nbsp;
pop eax</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F3D&nbsp;&nbsp;&nbsp;&nbsp;
call 00403AC0</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F42&nbsp;&nbsp;&nbsp;&nbsp;
jne 00434FFB</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica">Since this code comes before our jne instruction,
it's highly likely that this is where we will find the location of our 'real'
serial number.</FONT>

<P><FONT FACE="Arial,Helvetica">If you're not already in Softice then press
'<B>Ctrl-D</B>', then type <B>bc *</B> to clear away any previous breakpoints
in Softice, then type <B>bpx 014f:00434F1C</B> to create a new breakpoint.&nbsp;
Then type <B>x</B> to leave Softice.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">Re-run the 'Registration Screen' again,
type in a handle/name and for the serial number type in some random characters
of your choice.&nbsp; Press the '<B>Done</B>' key to finish.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">Wham, Softice breaks as expected at memory
location <FONT COLOR="#000000">00434F1C.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica">So now use the '<B>F10</B>' key to single step
through these instructions until you get to the jne 00434FFB.&nbsp; After
each line you execute, type <B>D</B> followed by <B>eax</B> or <B>edx</B>,
depending on which one of these registers the instruction used.</FONT>

<P><FONT FACE="Arial,Helvetica">Example.</FONT>

<P>Once you've executed this line: <B><FONT COLOR="#000099"><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F1C&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebp-14]</FONT></FONT><FONT FACE="Arial,Helvetica">
</FONT></FONT></B><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">you
will type: <B>d eax</B></FONT></FONT>

<P>Then when you execute this line: <B><FONT FACE="Courier New,Courier"><FONT COLOR="#000099"><FONT SIZE=-1>:00434F20&nbsp;&nbsp;&nbsp;&nbsp;
lea edx, dword ptr [ebp-0C]</FONT></FONT></FONT></B><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">you
would then need to type: <B>d edx</B></FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">We're looking for
something that resembles a serial number, a sequence of characters consisting
of numbers or letters or both. By typing d followed by a register name
we're 'seeing' what these registers hold as they are processed by the target
program.</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">OK, if you've examined
this code (you might need to do this once or twice with DIFFERENT User
names to make sure) and taken notes, here's what you should have for this
section of code.</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">:00434F1C&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebp-14] ;</FONT><FONT COLOR="#993366">eax = the memory
location of our</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;</FONT><FONT COLOR="#993366">'real' Serial No</FONT></FONT></FONT>
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F1F&nbsp;&nbsp;&nbsp;&nbsp;
push eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#993366">Save eax address for later use.</FONT></FONT></FONT>
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F20&nbsp;&nbsp;&nbsp;&nbsp;
lea edx, dword ptr [ebp-0C]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F23&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebx+000001E8];</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F29&nbsp;&nbsp;&nbsp;&nbsp;
call 0041AE68&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#993366">eax = length of our fake serial</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#993366">number.</FONT></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F2E&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebp-0C] ;<FONT COLOR="#993366">eax=the memory location
of our</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#993366">fake serial number.</FONT></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F31&nbsp;&nbsp;&nbsp;&nbsp;
lea edx, dword ptr [ebp-1C] ;<FONT COLOR="#993366">2nd location of our
fake serial</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#993366">number</FONT></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F34&nbsp;&nbsp;&nbsp;&nbsp;
call 00406698&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#000099">Returns with</FONT>:</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#993366">edx = end of our serial Number</FONT></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F39&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, dword ptr [ebp-1C] ;<FONT COLOR="#993366">reset edx to start of
our fake</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#993366">serial number.</FONT></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F3C&nbsp;&nbsp;&nbsp;&nbsp;
pop eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#993366">Restore eax so now points to</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#993366">back to the memory location of</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#993366">of our 'real' serial number.</FONT></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F3D&nbsp;&nbsp;&nbsp;&nbsp;
call 00403AC0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#993366">Now check both the fake &amp; real</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#993366">serial numbers.</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#000099">Returns with:</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#993366">edx=Length of our fake serial No</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<FONT COLOR="#993366">eax=Length of our real serial No</FONT></FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434F42&nbsp;&nbsp;&nbsp;&nbsp;
jne 00434FFB&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#990000">jump if serial No's not equal.</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;</FONT></FONT>
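<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">To make the security
point of the annotated listing above explicit, here is an added C model of the
check it documents. This is example code written for this page, not code from
the essay or from Add/Remove Cleaner; the serial derivation (an FNV-1a hash of
the name), the function names and the sample name 'Sandman' are all constructed.
<B>check_weak</B> follows the order the listing reconstructs: the typed serial
is persisted first, the expected serial is derived into a local buffer, and one
comparison (the jne at 00434F42) picks the message, leaving the expected value
intact in memory on the failure path. <B>check_hardened</B> shows the order the
programmer should have used: validate first, wipe the expected value before
either message path runs, and persist only a serial that passed the check.</FONT></FONT>

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SERIAL_LEN 8

/* Constructed stand-in for the program's serial generator, which the
 * essay never shows: eight hex digits of an FNV-1a hash of the user name. */
void derive_serial(const char *name, char out[SERIAL_LEN + 1])
{
    uint32_t h = 2166136261u;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h ^= *p;
        h *= 16777619u;
    }
    snprintf(out, SERIAL_LEN + 1, "%08X", h);
}

/* Overwrite a buffer through a volatile pointer so the optimiser keeps it. */
static void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* The order the annotated listing reconstructs: the typed serial goes into
 * the registry (here the caller's store buffer) before it is validated, the
 * expected serial is derived into a stack buffer, and a single comparison
 * decides which message is shown. On the failure path the expected serial
 * is still intact in memory. Returns 1 for a valid serial, 0 otherwise. */
int check_weak(const char *name, const char *typed,
               char *store, size_t store_len)
{
    char expected[SERIAL_LEN + 1];

    snprintf(store, store_len, "%s", typed);   /* persisted before the check */
    derive_serial(name, expected);
    return strcmp(typed, expected) == 0;       /* the jne at 00434F42 */
}

/* Hardened order: validate first, wipe the expected serial before either
 * message path runs, and persist only a serial that passed the check. */
int check_hardened(const char *name, const char *typed,
                   char *store, size_t store_len)
{
    char expected[SERIAL_LEN + 1];
    int ok;

    derive_serial(name, expected);
    ok = strlen(typed) == SERIAL_LEN && memcmp(typed, expected, SERIAL_LEN) == 0;
    secure_zero(expected, sizeof expected);
    if (ok)
        snprintf(store, store_len, "%s", typed);
    return ok;
}

int main(void)
{
    char store[64] = "";
    char valid[SERIAL_LEN + 1];
    int ok;

    derive_serial("Sandman", valid);           /* constructed sample name */

    ok = check_weak("Sandman", "wrong-one", store, sizeof store);
    printf("weak, wrong serial:     ok=%d  stored=\"%s\"\n", ok, store);

    store[0] = '\0';
    ok = check_hardened("Sandman", "wrong-one", store, sizeof store);
    printf("hardened, wrong serial: ok=%d  stored=\"%s\"\n", ok, store);

    ok = check_hardened("Sandman", valid, store, sizeof store);
    printf("hardened, valid serial: ok=%d  stored=\"%s\"\n", ok, store);
    return 0;
}
```

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Compile it with any C
compiler and run it; the weak check reports a stored value even when the serial
was wrong, the hardened one stores nothing until the check passes. Because the
derivation still lives inside the binary, the hardened version only narrows
what a patched failure path can reach; removing the exposure altogether needs
a scheme the client can verify but not generate, such as a signed licence,
which this example does not implement.</FONT></FONT>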
<BR><FONT FACE="Arial,Helvetica">Right, we found out where our real serial
No can be found, but more importantly than this we know HOW the program
is able to retrieve it regardless of where in memory it is. It uses the
<B><FONT COLOR="#CC0000">mov eax, dword ptr [ebp-14] </FONT></B><FONT COLOR="#000000">instruction
to locate the serial No, so why don't we use this instruction as well for
our *crack*.</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Where shall we use
this instruction?&nbsp; Well, if we decided to Nop (90h) out the jne 00434FFB
instruction at memory location 00434F42 we could then make the program save
our 'Real' serial number when it updates our System Registry file, instead
of it saving our 'fake' serial number by default.</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Or, we can turn
this babe into our own Serial Number Generator when the User gets the serial
number wrong. It will then churn out 1000's of valid serial numbers for
us to use..:)</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">It's settled then,
that's what we're going to do..</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Locate the 'Invalid
registration Information' routine.</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#333333">&nbsp;</FONT></FONT>
<BR><B><FONT FACE="Courier New,Courier"><FONT COLOR="#993366"><FONT SIZE=-1>*
StringData Ref from Code Obj ->"Invalid registration information"</FONT></FONT></FONT></B>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FFB B8E0504300&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, 004350E0</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00435000 E8CBCFFFFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 00431FD0</FONT></FONT>

<P>You see that mov eax,004350E0 instruction? Well, as explained earlier,
it 'points' to that 'beggar off cracker' message, so let's change it so
it prints the 'real' serial number instead.

<P>Our new routine now looks like this:-
<BR>&nbsp;
<BR><B><FONT FACE="Courier New,Courier"><FONT COLOR="#993366"><FONT SIZE=-1>*
StringData Ref from Code Obj ->"Invalid registration information"</FONT></FONT></FONT></B>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>&nbsp;</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FFB 8B45EC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebp-14]</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FFE 90&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Nop ;<FONT COLOR="#993366">Spare empty byte</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00434FFF 90&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
Nop ;<FONT COLOR="#993366">Spare empty byte</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>:00435000 E8CBCFFFFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 00431FD0</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#333333">Job Done.....</FONT></FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">The 'Crack'</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR>Load up addrmclr.exe into your favorite hex editor and <B><U>SEARCH</U></B>
for the hex string: "<B><FONT FACE="Arial,Helvetica"><FONT COLOR="#333333">FFEB0AB8E0504300</FONT></FONT></B>"

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>000343E0 45F8E879 DCFCFFC3
E9EBE1FC FFEBF0B8 E..y............</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>000343F0 BC504300 E8D7CFFF
<B>FFEB0AB8 E0504300</B> .PC..........PC.</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>00034400 E8CBCFFF FF33C05A
59596489 10684750 .....3.ZYYd..hG</FONT></FONT>
<BR>&nbsp;

<P>Now <B><U>REPLACE</U></B> the following <B><FONT COLOR="#CC0000">HIGHLIGHTED</FONT></B>
bytes with:
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>000343E0 45F8E879 DCFCFFC3
E9EBE1FC FFEBF0B8 E..y............</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>000343F0 BC504300 E8D7CFFF
FFE<B><FONT COLOR="#990000">B0A8B 45EC9090</FONT></B> .PC.........E...</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>00034400 E8CBCFFF FF33C05A
59596489 10684750 .....3.ZYYd..hG</FONT></FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">Final Notes</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"><FONT COLOR="#333333">&nbsp;</FONT></FONT>
<BR>I found this program quite interesting to follow. I know I've only
scratched the surface of what *cracks* can be applied to it, so I'll
leave it to you to see if you can find some more.&nbsp; Hint: you could
try examining the code that runs at the beginning when the program is first
run, perhaps where it checks to see if there is a valid serial number for
it to read?
<BR>&nbsp;
<BR>One last item of news... The same author has another product called
<B><U>Page Host V1.0</U></B> which allows you to use your computer as a
server, so anyone knowing your IP address can access your computer online
just as though it was a normal web server.
<BR>&nbsp;
<BR>It uses an almost identical protection system to Add/Remove Cleaner,
so cracking it is a doddle.
<BR>&nbsp;

<P>Load Pagehost into your hex editor.
<BR>&nbsp;
<BR><FONT FACE="Courier New,Courier"><B>Search for</B>:= "FFEB0AB8E0624400"
then</FONT>
<BR><FONT FACE="Courier New,Courier"><B><FONT COLOR="#990000">Replace</FONT></B>&nbsp;&nbsp;
:= "FFEB0A<B><FONT COLOR="#990000">8B45E89090</FONT></B>"</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">My thanks and gratitude goes to:</FONT>

<P><FONT FACE="Arial,Helvetica">Fravia+ for providing possibly the greatest
source of Reverse Engineering</FONT>
<BR><FONT FACE="Arial,Helvetica">knowledge on the Web.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">+ORC for showing me the light at the end
of the tunnel.</FONT>

<P>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#0000FF"><FONT SIZE=+2>Ob Duh</FONT></FONT>&nbsp;</CENTER>
</TD>
</TR>
</TABLE>
<I><FONT FACE="Arial,Helvetica">&nbsp;</FONT></I>
<BR><I><FONT FACE="Arial,Helvetica">Do I really have to remind you all
that by buying and NOT stealing the software you use will ensure that these
software houses will continue to&nbsp; produce even *better* software for
us to use and more importantly, to continue offering even more challenges
to breaking their often weak protection systems.</FONT></I>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><I><FONT FACE="Arial,Helvetica">If you're looking for cracks or serial
numbers from these pages then you're wasting your time; try searching elsewhere
on the Web under Warez, Cracks etc.</FONT></I>
<BR>&nbsp;
<BR>
<HR SIZE=3 WIDTH="100%">
<CENTER>&nbsp;</CENTER>

<CENTER>&nbsp;</CENTER>

<CENTER><TABLE BORDER=2 >
<TR>
<TD>&nbsp;<B><A HREF="Es19.html">Next</A></B>&nbsp;</TD>

<TD>&nbsp;<B><A HREF="Tindex.html">Return to Essay Index</A></B>&nbsp;</TD>

<TD>&nbsp;<B><A HREF="Es17.html">Previous</A></B>&nbsp;</TD>
</TR>
</TABLE></CENTER>

<CENTER><B><FONT SIZE=+1>&nbsp;</FONT></B></CENTER>

<HR SIZE=3 WIDTH="100%"><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Essay
by:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A HREF="mailto:greenway@proweb.co.uk">The
Sandman</A></FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Page Created: 28th May 1998</FONT></FONT>
<BR><SCRIPT LANGUAGE="JavaScript">
<!--- hide script from old browsers
update= new Date(document.lastModified)
document.writeln("<FONT SIZE=-1>Last Updated: <EM>" + update.toLocaleString(update) + "</EM></FONT><BR>")
// end hiding --->
</SCRIPT>

</BODY>
</HTML>
