Dedication Fly to

Intoduction & Protection

iNTROdUCTION :

Boo !!! hi there !! and welcome to another tutorial !! ...
The other day i was thinking that how we do something, then we wish that it didn't happen !! , and we try hard to fix our errors but we just can't !! that's it !! , but again who am i to talk , or change things that where ment to be !!, but again or let me say at least we try to live our lives !!

pROTECTION :

this program is like allaways, it needs a Registration Name and a Registration key , and plus it give u a Software Code that i'm sure it has something to do with the calcualtion of our code , so in this tutorial we will find our Registration key, and then i'll show u a way to patch this program to take any registration key , and still stay registered even if you run the UNPATCHED exe file ... so let's begin !!

The Essay

o.k install the program and there is no need to reboot, but if u want go ahead, i'll be waitting for u here, ahh u r back !! good, so let's run the program and take a look at it , o.k nice !! , now click on the help button then click Register NetClean , u will see a dialog that is asking for our Registration Name and our Registration key and there is something called Software Code which we can't edit it !! , now let's enter our info , in my case i wrote like this :

Registration Name : FaT[BiT] \ TNT!
Registration Key : 1234567890

o.k now hit the Register button , you will see that the prog sleeps a little bit and then give us this message :

o.k kool !! now fire up softice [ctrl + d] , and set a breakpoint like this one !! :

bpx hmemcpy

o.k now click on the button register , softice will break press F5 then press F11 to get the caller , then press F12 6 times , then trace with the F10 ( u have to press the F10 for 23 time) , then u will reach at this code :

:0045F305 8B45F8                  mov eax, dword ptr [ebp-08] <-- eax points to our name
:0045F308 8B0D6C394600            mov ecx, dword ptr [0046396C] <-- ecx points to our Software Code
:0045F30E 5A                      pop edx <-- edx points to our fake Registration Key
:0045F30F E8109EFFFF              call 00459124 <-- we step into this call
:0045F314 B201                    mov dl, 01

o.k so we now step into the call at address 0045F30F, when u are at this address press F8 and u should be at this code, and remeber NOT to bypass it , cuz the error message will hit ur face :

:00459124 55                      push ebp <-- start of the call at address 0045F30F
:00459125 8BEC                    mov ebp, esp
:00459127 83C4F0                  add esp, FFFFFFF0

trace with the F10 until you are here

:00459190 8B45F0                  mov eax, dword ptr [ebp-10] <-- eax point to our fixed code = software code + 'NC'
:00459193 8B55F8                  mov edx, dword ptr [ebp-08] <-- edx point to our FAKE CODE
:00459196 E82DF5FFFF              call 004586C8 <-- calcualte and check if our key = calcualted key
:0045919B 84C0                    test al, al <-- and put the result back in eax to check it
:0045919D 750C                    jne 004591AB <-- if it is not zero then jump to thank u message

o.k ... now we have found where we want to patch , but remeber we need first to find our valid key, so we step into the call at address 0045919B and trace with the F10 button until u reach this code :

:0045870D 8B55F8                  mov edx, dword ptr [ebp-08] <-- edx point to our fake code
:00458710 8B45F4                  mov eax, dword ptr [ebp-0C] <-- eax point to our REAL REGISTRATION KEY
:00458713 E8A4F5FAFF              call 00407CBC <-- check to see if the 2 codes match and put result in eax
:00458718 85C0                    test eax, eax <-- test the eax
:0045871A 7504                    jne 00458720 <-- jump if not zero to error message

hehehe !!! isn't this nice we have also another place to patch ....
o.k kool !! now when u are at address 00458710, write in softice "d eax" and see ur Real Registraion Key in the data window now if u want to try it !! go ahead but if u want to stick around to learn some more , then stay arround , and for those who want to try it , enter ur valid key and ...

The Patch

now as u can see we have found to places to patch the code the first one is at 0045919D and the seconed one is at 0045871A, now i have tried to patch them both and they both worked but i prefer to patch 0045871A, cuz the call before it is the call that decide if our Registration key is valid or not

o.k so make a back up copy of netc11.exe and let's open it with hiew ( i hope u know how to do that !!) , and go to address 0045871A and make the following changes :

0045871A 7504 change it to 0045871A 7404

this patch will change the jne to je, now copy back the patched file to the installed dir but remember to rename the original one to .bak and run it and try to enter any code for ur name and yes ....

Very Important NOTE

now i have showed u in this tutorial how to find the real Registration Key and also how to patch the code to make it take any Registration Key for any name , but the thing is if u want to try both methods u can't , cuz if u try one the program will be forever registered , so if u try one method and want to try the other one , before u do open the registry editor and go to this path :

[HKEY_CLASSES_ROOT\CLSID\{F806E640-54E6-11D4-9180-78E805C10700}\InstanceCn\{85B817C0-54E7-11D4-9180-78E805C10700}]

and clear the ProgID key ( make it empty ) then press F5 to refresh the registry !! and the prog will back to unregistered mode ....

Final WordZ