Cracking "Customizer 2000 for w9x/me ver. 6.5.3"



skill: novice
standing: basics built in serial no.
toolz: SoftICE any version and intuition:)
dld: http://www.tweaknow.com

The Program

Config.dat | 20 bytes
Customizer.exe | 773.120 bytes - our target
Logon.exe | 302.248 bytes
Readme.html | 8.820 bytes
Unins000.dat | 1.588 bytes
Unins000.exe | 72.298 bytes
Uninstall.lnk | 398 bytes

1. Short story
--------------
-hmmm, a long time has passed since i wrote my first tutorial and it's time
for another one, don't u think? This time my attention dropped on this simple
program named "Customizer". It's a very good windoze tweaker and personally i
recommend it because i use it a lot and it's OK. Now, u may wonder what that
"built in" thing stands for. It means the good serial that we have to input
in order to reg the program is written in the program itself, and when the
compare function runs, the bad serial is compared with the good one. The good
one is simply loaded into a register (eax, edx...) and this is what we will
use in our approach. Of course there are many other approaches, like
destroying the time function to reg it in such a way that it will never
expire, but this is for another time:)

2. The cracking
---------------
1. we will use the elegant way to discover the good serial number.
2. so let's see what bpx (breakpoint on execution) we will use. Hmmm,
GetDlgItemTextA and GetWindowTextA aren't good, so i think we will use
Hmemcpy. Start the program and write any serial, then press Ctrl-D, type in
Sice "bpx hmemcpy" (without quotes), press Ctrl-D again and after all of this
press OK.
3. softice must come up after u press the button. Press F11 once and then
trace with F10, carefully, and be aware that customizer.exe must appear any
second now. Did it appear? Good; if not, pleaz go back to step 1. Ok, here
are some loading instructions that load the length of our serial no.; it
will look like this:

:E8F133FDFF CALL USER32!CallWindowProcA
:89430C MOV [EBX+0C],EAX
:8B03 MOV EAX,[EBX] <-- returns the length of your serial no.
:751B CMP EAX,0CA <-- compares your length with 12

...... nothing important here.... just detective work:).. trace for about 32
steps carefully until u arrive here....
what follows is very important, pay attention!

:E89AA8FCFF CALL 0042F8C4 <-- a CALL procedure, not important
:8B45FC MOV EAX,[EBP-04] <-- moves your serial number, which is stored at
    address [EBP-04], to EAX, so EAX will hold the address value and u can
    simply type "D EAX" (without quotes) in SoftICE and something like this
    will appear (i used 4355 as bad serial, a random one, the first that
    flew into my mind):

31 38 31 32 31 39 38 31 - 00 00 00 00 FF FF FF FF 4355..H.x.H
    <-- so here it stores my serial no.; it's something like the built-in
    procedure i spoke of earlier, but in reverse

BA58514600 MOV EDX, 00465158 <-- and this is the final important notice:
    EDX is loaded with the address 00465158, which logically holds our good
    serial number. Simply type D EDX and 18121981 will appear in the data
    window in the upper left corner
EBF5ECF5FF CALL 00403D2C <-- this will compare our bad serial number with
    the real one, and don't think that yours will be right:)

3. Final words
--------------
-so tell me, was it hard?? i don't think it was. That dumb programmer should
make the security scheme a little more complicated, but despite all of this
we will crack it together. Bye and have fun with this one and expect more
tutorials signed by
tracer_v
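
The weakness described in this tutorial, seen from the defender's side, as an added example (not code from the original tutorial or from the program): a check that compares the input against a serial stored in the binary, next to a design where the program holds only a public verification key. The key is a constructed toy (textbook RSA without padding, far too small for real use); the function names and the placeholder serial are assumptions, and a real product would use a vetted signature library instead.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes; illustration only.
# Only N and E would ship in the program; D stays with the vendor.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # vendor-side private exponent

EMBEDDED_SERIAL = "00000000"  # constructed placeholder for a built-in serial


def weak_check(entered: str) -> bool:
    """Pattern from the tutorial: the valid serial sits in the binary and is
    loaded next to the user's input right before the compare."""
    return entered == EMBEDDED_SERIAL


def _digest(name: str) -> int:
    """SHA-256 of the licensee name, reduced to fit below the modulus."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N


def vendor_issue(name: str) -> str:
    """Vendor side only: sign the licensee name with the private exponent."""
    return format(pow(_digest(name), D, N), "x")


def signed_check(name: str, serial: str) -> bool:
    """Client side: verify with the public values. Neither a valid serial nor
    a signing secret is held in the program for a debugger to display."""
    try:
        sig = int(serial, 16)
    except ValueError:
        return False  # malformed input is simply rejected
    return 0 <= sig < N and pow(sig, E, N) == _digest(name)
```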

Credits


By - tracer_v
mail: tracer_v@hotmail.com
25/03/02