---------------------------------------------------
This information is for educational purposes only!|
---------------------------------------------------

WHY PATCHING WHILE SERIAL NUMBER IS FISHY

CleanReg v3.25/3.26
A Cracking Tutorial
by ASTAGA [D4C/C4A]


DISCLAIMER

This reading material is not intended to violate copyright
and/or its laws; it is for educational purposes only. I hold no
responsibility (by any means and in any shape whatsoever)
for the misuse of this material.


ABOUT THE PROGRAM

	CleanReg is best used as a registry monitor program.
	Running CleanReg can alert you to registry intrusions
	and help clean up after uninstalling programs or systems.
	Normally when something is installed on the computer,
	it is associated with one or more files on a disk.
	These files usually have the extension EXE or DLL.
	Also, files used by the program are added to the
	registry and can have any extension.  Files are
	added to the registry by the programs that use them and
	the use is defined by that program.  So only the developer
	of the program knows if the reference is required for
	proper operation or was added for another reason and is
	not required.  The excellent program ICQ is an example of
	a program that adds many files to the registry and I have
	no idea why, so I leave them alone.

	CleanReg scans for the files referenced in the registry
	and provides an easy method to eliminate the reference.
	In some cases just the reference should be removed by
	zapping the name, and in other cases an entire high level
	key needs to be deleted.  In other cases the file reference
	should not be changed.  File names that have the extension
	DLL or EXE are located by testing the system directories
	and the system PATH environment variable.  Not all files,
	especially DLLs and EXEs, need to be in a system defined
	path; they may be located by the using program with the using
	program's search criteria.



WHERE TO DOWNLOAD


Author   	: Armstrong Systems House, Inc
Homepage 	: http://www.CleanReg.com
URL		: http://www.armstrongsystems.bizland.com/free/CleanReg3.exe
Size 		: 1.5 MB  as of August 08,2000


HOW TO GET VALID SERIAL NUMBER by using SoftIce

This program is packed with UPX. I suggest you unpack the .exe
file before you practise by yourself.
In this tute I didn't unpack it at all, so unexpected occurrence(s)
might happen on your PC.


1.  Run CLEANREG.EXE, click the OPTIONS/ENTER REG CODE submenu, and in
    the registration dialog box type the following information:

	Name	: Chavit 'Jueteng' Singson
	Code   : 73881050

    Do not click OK button yet


2.  Fire up SoftIce by pressing [ CTRL + D ], set a breakpoint as follows:

	BPX hmemcpy     [enter]   and
   	F5  to return to the main program

3.  Now it's time to click the OK button... you'll return back into SoftIce!
    Within SoftIce press F11, F5, F11, then F12 11 times until you
    see and break at :

	______________________________________________________________

	015F:004062E7  E8D0B90000          CALL      00411CBC
	015F:004062EC  8BF8                MOV       EDI,EAX
	015F:004062EE  85FF                TEST      EDI,EDI
	015F:004062F0  745C                JZ        0040634E
	015F:004062F2  8B4C2408            MOV       ECX,[ESP+08]
	015F:004062F6  8B41F8              MOV       EAX,[ECX-08]
	015F:004062F9  85C0                TEST      EAX,EAX
	015F:004062FB  7E51                JLE       0040634E
	015F:004062FD  8D542410            LEA       EDX,[ESP+10]
	015F:00406301  8D44240C            LEA       EAX,[ESP+0C]
	015F:00406305  52                  PUSH      EDX
	015F:00406306  8D4C240C            LEA       ECX,[ESP+0C]
	015F:0040630A  50                  PUSH      EAX
	015F:0040630B  51                  PUSH      ECX
	015F:0040630C  E83FB20000          CALL      00411550
	015F:00406311  83C40C              ADD       ESP,0C
	015F:00406314  85C0                TEST      EAX,EAX
	015F:00406316  7436                JZ        0040634E
	015F:00406318  397C2410            CMP       [ESP+10],EDI
	015F:0040631C  7530                JNZ       0040634E

	_________________________CLEANREG3!UPX0+52E7___________________


    Now, clear/disable previous breakpoint by typing :

	bc 00   [enter]

    Create a new breakpoint by typing :

	bpx 015F:004062E7  [enter]
	u 015F:004062E7    [enter]


4.  Press F10 once - stop at 015F:004062EE - and look at the Register
    Window. Don't you think it strange that the contents of the EAX
    and EDI registers are the same?
    Let's check what is in there ....

	? EAX  [enter]  and/or  ? EDI
	SoftIce will respond :
	046755DA  0073881050  " gU " ... that's your fake reg code

    Here you can presume that if your fake code is more than 10
    characters in length, you'll be thrown to another location as
    instructed by the JZ instruction at 015F:004062F0.

5.  Press F10 4 times - stop at 015F:004062F6 - display the ECX
    register by typing :

	D ECX  [enter]
	Did you see your user name appear in the Data Window ?


6.  Keep pressing F10 and stop at 015F:00406318, then look
    at the Register Window ... in my case the SS register looks
    as follows :

     ....... FS=35E7  GS=0000 	 SS:0066F3E0=0FC7E2B4

	Let's check the contents of the SS register :

	? 0FC7E2B4  [enter]
	SoftIce will respond :
	0FC7E2B4  0264757940  "    "

	Write down 0264757940 as your suspicious reg code, because if
	you press F10 once more you'll jump past the JNZ instruction at
	015F:0040631C and get the beggar-off message.  During this
	step you will not see the SS contents loaded into any register
	flags ... that's the reason I called this number suspicious.
	To prove this, try a fake reg code 10 characters in length:
	right after the JZ instruction at 015F:004062F0 you'll be
	thrown to 015F:0040634E rather than continuing to the
	next memory address.  Later you'll find the same JZ
	instruction again at 015F:00406316.


7.  Disable all breakpoints by typing

	BC *   [enter]
	Press F5 or X to return to the main program


8.  Repeat the registration procedure and key in 0264757940 as your S/N.
    Click the OK/REGISTER button .....  ouchh! the screen splashes and
    there is no classic message " thank you .... " ?? .
    Just quit the application and re-run the program. Did you see
    your name in the opening window ?
    Simply, YOU'RE REGISTERED now... as a matter of fact it's
    ILLEGAL REGISTRATION!!!!!


10.	Where the hell is my registration info stored ??

	-  The correct registration code is stored in the registry
	   as follows :
	   REGEDIT4

	   [HKEY_CURRENT_USER\Software\ArmstrongSystems\CleanReg3\Registered]
	   "CodeB"=hex:14,00,00,00,03,02,05,00,c1,e2,d4,0f,60,f5,4c,4c,05,40,c0,01
	   "User"="Chavit 'Jueteng' Singson"


11.  	How can I practise with another registration key ?

	-  I strongly recommend you not do this !
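
Added example (not part of the original tutorial and not CleanReg's code): the listing in step 3 compares the typed code with a value the program derives itself, which is why that value is readable at the CMP in step 6. The Python sketch below sets that pattern beside a licence the client can only verify. The toy key, the hash mapping and every function name are constructed for illustration.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes: illustration only.
# Real products should use a vetted library (Ed25519 or RSA-PSS), not this.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
# Vendor secret. Defined here only so the demo can issue a licence;
# it would never be shipped inside the client.
D = pow(E, -1, (P - 1) * (Q - 1))


def digest(name: str) -> int:
    """Map the registered name to an integer below N."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N


def weak_expected_code(name: str) -> int:
    """Hypothetical derivation: the client computes the valid code itself."""
    return digest(name) % 10**10


def weak_check(name: str, code: str) -> bool:
    """Shape of the listing: parse input, derive expected value, compare."""
    try:
        typed = int(code)
    except ValueError:
        return False
    # The right-hand side is the valid code, sitting in client memory.
    return bool(name) and typed == weak_expected_code(name)


def vendor_issue(name: str) -> int:
    """Runs only on the vendor's side, where D lives."""
    return pow(digest(name), D, N)


def signed_check(name: str, licence: int) -> bool:
    """Client holds only (N, E): it can confirm a licence, not produce one."""
    return 0 < licence < N and pow(licence, E, N) == digest(name)


if __name__ == "__main__":
    user = "Example User"  # constructed sample name
    print("weak check leaks:", weak_expected_code(user))
    lic = vendor_issue(user)
    print("signed licence ok:", signed_check(user, lic))
    print("tampered licence ok:", signed_check(user, (lic + 1) % N))
```

With the signed form, nothing the client computes for a given name is a usable licence, so there is no value to copy out of memory. The comparison branch itself still needs integrity protection.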



END NOTES

   This program is sold as shareware, so you can try before you buy.
   This is convenient for you, saves expenses by dispensing with all
   that packaging, and cuts out the middle person.  So it is cheap,
   but it is not free.
   If you like the program, and you will, be sure to register and pay.
   To keep shareware prices low,  users must do the right thing:
   Register, pay up, and smile/grin at yourself in the mirror.

   Do not distribute your crack release based on this tutorial, because
   you become a LAMER(s)!!!!!!!!
   ( tHATDUDE (PC97) defined a LAMER as the guy who sits in front of
   a personal computer, using a Hex Editor, ripping off other groups'
   crack releases, repacking (distro) them under his name.
   Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

    More about LAMER(s):
	lamer /n./ [prob. originated in skateboarder slang]
	Synonym for luser, not used much by hackers but common among warez
	d00dz, crackers, and phreakers. Oppose elite. Has the same
	connotations of self-conscious elitism that use of luser does among
	hackers.
    < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >


 _ Never attribute to malice that which is adequately explained by stupidity _


ASTAGA [D4C/C4A] tute-CleanReg325.zip
[EOF] 10/27/00 6:27:09 PM