Cracking "Customizer 2000 for w9x/me ver. 6.5.3"
skill: novice
standing: basics, built-in serial no.
toolz: SoftICE (any version) and intuition :)
dld: http://www.tweaknow.com
The Program
Config.dat | 20 bytes
Customizer.exe | 773.120 bytes - our target
Logon.exe | 302.248 bytes
Readme.html | 8.820 bytes
Unins000.dat | 1.588 bytes
Unins000.exe | 72.298 bytes
Uninstall.lnk | 398 bytes
1. Short story
--------------
Hmmm, a long time has passed since I wrote my first tutorial, and it's time for another one, don't you think? I dropped my attention on this simple program named "Customizer". It's a very good windoze tweaker and personally I recommend it, because I use it a lot and it's OK. Now, you may wonder what "built-in" stands for above. It means the good serial that we have to enter in order to register the program is written into the program itself: when the compare function runs, the bad serial we typed is compared with the good one. The good one is simply loaded into a general-purpose register (eax, edx...) right before the compare, and this is what we will use in the approach below. Of course there are other approaches, like destroying the time function so the program never expires, but that is for another time :)
2. The cracking
---------------
1. We will use the elegant way to discover the good serial number.
2. So let's see what bpx (breakpoint on execution) we will use. Hmmm... GetDlgItemTextA and GetWindowTextA aren't good here, so I think we will use hmemcpy. Start the program, enter any serial, then press Ctrl-D, type "bpx hmemcpy" (without quotes) in SoftICE, press Ctrl-D again and after all of this press OK.
3. SoftICE must pop up after you press the button. Press F11 once and then trace with F10, carefully, and be aware that customizer.exe should appear any second now. Did it appear? Good; if not, go back to step 1. OK, here are some loading instructions; the one that loads the length of our serial number looks like this:

:E8F133FDFF CALL USER32!CallWindowProcA
:89430C     MOV [EBX+0C],EAX
:8B03       MOV EAX,[EBX]      <-- returns the length of your serial no.
:751B       CMP EAX,0CA        <-- compares your length with 12

...... nothing important here, just detective work :) Trace for about 32 steps carefully until you arrive here. What follows is very important, pay attention!

:E89AA8FCFF CALL 0042F8C4      <-- a CALL procedure, not important
:8B45FC     MOV EAX,[EBP-04]   <-- moves your serial number, which is stored at address [EBP-04], into EAX, so EAX now holds that address and you can simply type "d eax" (without quotes) in SoftICE. Something like this will appear (I used 4355 as the bad serial, a random one, the first that came to mind):

31 38 31 32 31 39 38 31 - 00 00 00 00 FF FF FF FF 4355..H.x.H

<-- so here it stores my serial no. It's something like the built-in procedure I spoke of earlier, but in reverse.

:BA58514600 MOV EDX,00465158   <-- and this is the final important notice: EDX is loaded with the address 00465158, which logically holds our good serial number. Simply type "d edx" and 18121981 will appear in the data window in the upper left corner.

:EBF5ECF5FF CALL 00403D2C      <-- this will compare our bad serial number with the real one, and don't think that yours will be right :)
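To make the weakness concrete from the defender's side, here is an added C example (not code from the tutorial or from Customizer) that puts the plaintext-literal check traced above beside a version that ships only a digest of the serial, so nothing equal to the serial is ever loaded into a register or left in memory for a debugger to dump. The function names issue_digest and check_serial_* are mine, and FNV-1a stands in for a real cryptographic hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Weak scheme, the one the tutorial traces: the valid serial is a literal in
 * the binary, its address is loaded into a register (the MOV EDX,00465158
 * above) and it is compared directly with the user's input, so a debugger
 * can simply dump it. */
static const char GOOD_SERIAL[] = "18121981";   /* value from the tutorial */

int check_serial_weak(const char *input)
{
    return strcmp(input, GOOD_SERIAL) == 0;
}

/* Hardened variant: the program ships only a digest of the serial. FNV-1a
 * (64-bit) is a dependency-free stand-in here; a real product would use
 * SHA-256, or better a signed licence that the client only verifies. */
uint64_t fnv1a64(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Vendor side (issuance tool, never shipped): the digest that gets embedded
 * in the binary instead of the serial itself. */
uint64_t issue_digest(const char *serial)
{
    return fnv1a64(serial);
}

/* Client side: the comparison is a single XOR/compare on the whole digest, so
 * it does not leak how many leading characters matched. For a wide digest
 * (e.g. 32 SHA-256 bytes) OR the XOR of every byte before testing for zero. */
int check_serial_hashed(const char *input, uint64_t stored_digest)
{
    return (fnv1a64(input) ^ stored_digest) == 0;
}

int main(void)
{
    uint64_t d = issue_digest(GOOD_SERIAL);      /* computed offline in practice */
    printf("weak:   4355 -> %d, 18121981 -> %d\n",
           check_serial_weak("4355"), check_serial_weak("18121981"));
    printf("hashed: 4355 -> %d, 18121981 -> %d\n",
           check_serial_hashed("4355", d), check_serial_hashed("18121981", d));
    return 0;
}
```

The digest-only check still leaves the conditional jump after the compare as a patch target; it only removes the "dump the register" shortcut shown above.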
3. Final words
--------------
So tell me, was it hard? I don't think it was. That dumb programmer should have made the security scheme a little more complicated, but despite all of this we cracked it together. Bye, have fun with this one and expect more tutorials signed by tracer_v.
Credits
By - tracer_v
mail: tracer_v@hotmail.com
25/03/02