*************************************************************************************************
TITLE: Cracking tutorial for SuperCleaner 2.67.0.0
*************************************************************************************************
BEST VIEWED: Notepad with word wrap enabled, and in restored window mode
*************************************************************************************************
TOOLS USED: Ollydbg v1.09d
*************************************************************************************************
TARGET: SuperCleaner.exe
*************************************************************************************************
LOCATION OF TOOLS AND PROGRAM:
Ollydbg v1.09d http://www.grinders.withernsea.com/tools/Ollydbg/odbg109d.rar
SuperCleaner 2.67.0.0 http://www.grinders.withernsea.com/tools/CleanSetup.rar
*************************************************************************************************
CONTACT INFORMATION: vinceandjane@hotmail.com
*************************************************************************************************
TUTORIAL WRITTEN: 24/03/2004
*************************************************************************************************
AUTHOR: Pompeyfan
*************************************************************************************************
Okay, let's attack our target. Open Olly, and if you haven't done so already, to make things easier for yourself, right click and select appearance/highlighting/jumps'n'calls; it makes things so much easier to follow. Okay, let's open the program in Olly, and you land here:
0041FEC9 >/$ 55 PUSH EBP
Press F9 (run), and you get a dialogue box giving you the option to enter registration details amongst other things, so enter your fake details (I used Pompeyfan and 47806), and you get the message "Sorry, you have entered an incorrect registration code".
No matter, left click once on the Olly cpu screen, then press F12 (pause), then Alt & K to bring up the call stack window, and you get this: Call stack of main thread Address Stack Procedure / arguments Called from Frame 0012DFF8 77D43C53 Includes 7FFE0304 USER32.77D43C51 0012E02C 0012DFFC 77D4B3F2 USER32.WaitMessage USER32.77D4B3ED 0012E02C 0012E030 77D4D9A0 USER32.77D4B265 USER32.77D4D99B 0012E02C 0012E058 77D6AE8E USER32.77D4D8EC USER32.77D6AE89 0012E054 0012E310 77D6A911 ? USER32.SoftModalMessageBox USER32.77D6A90C 0012E298 0012E458 77D6AFD5 ? USER32.77D6A7D7 USER32.77D6AFD0 0012E3E0 0012E4B0 77D6B0BD USER32.MessageBoxTimeoutW USER32.77D6B0B8 0012E4AC 0012E4E4 77D6B04A ? USER32.MessageBoxTimeoutA USER32.77D6B045 0012E4E0 0012E504 77D6B02E ? USER32.MessageBoxExA USER32.77D6B029 0012E500 0012E508 0022013C hOwner = 0022013C ('Register',clas 0012E50C 0012E530 Text = "Sorry, you have entered an 0012E510 0042D1AC Title = "SuperCleaner" 0012E514 00000000 Style = MB_OK|MB_APPLMODAL 0012E518 00000000 LanguageID = 0 (LANG_NEUTRAL) 0012E51C 0040DC08 ? USER32.MessageBoxA SuperCle.0040DC02 0012E520 0022013C hOwner = 0022013C ('Register',clas 0012E524 0012E530 Text = "Sorry, you have entered an 0012E528 0042D1AC Title = "SuperCleaner" 0012E52C 00000000 Style = MB_OK|MB_APPLMODAL 0012E630 004191D0 ? SuperCle.0040DBC0 SuperCle.004191CB 0012E848 77D43A50 Includes SuperCle.004191D0 USER32.77D43A4D 0012E874 77D4C675 ? USER32.77D43A35 USER32.77D4C670 0012E8E0 77D4C4E4 ? USER32.77D4C5C0 USER32.77D4C4DF 0012E8DC 0012E928 77D4C6D1 USER32.77D4C467 USER32.77D4C6CC 0012E924 0012E940 77D43A50 Includes USER32.77D4C6D1 USER32.77D43A4D 0012E968 0012E96C 77D43B1F ? USER32.77D43A35 USER32.77D43B1A 0012E968 0012E9D4 77D45453 ? 
USER32.77D43A68 USER32.77D4544E 0012E9D0 0012EA10 77D454B4 USER32.77D45383 USER32.77D454AF 0012EA0C 0012EA30 71981492 USER32.SendMessageW COMCTL32.7198148C 0012EA2C 0012EA34 0022013C hWnd = 22013C 0012EA38 00000111 Message = WM_COMMAND 0012EA3C 00000001 age = Notify = MENU/BN_CLICKED... 0012EA40 000A029E hControage = 000A029E ('&OK',class 0012EA4C 7198156B COMCTL32.71981458 COMCTL32.71981566 0012EAE4 0012EA68 7198376D COMCTL32.71981497 COMCTL32.71983768 0012EAE4 0012EAE8 77D43A50 Includes COMCTL32.7198376D USER32.77D43A4D 0012EAE4 0012EB14 77D43B1F ? USER32.77D43A35 USER32.77D43B1A 0012EB10 0012EB7C 77D43D79 ? USER32.77D43A68 USER32.77D43D74 0012EB78 0012EBDC 77D43DDF ? USER32.77D43CA1 USER32.77D43DDA 0012EBD8 0012EBE8 77D4B1F5 ? USER32.DispatchMessageW USER32.77D4B1F0 0012EBEC 0012EC24 pMsg = WM_LBUTTONUP hw = A029E ("& 0012EC0C 77D4B324 ? USER32.IsDialogMessageW USER32.77D4B31F 0012EC10 0022013C hWnd = 0022013C ('Register',class= 0012EC14 005AA6B0 pMsg = WM_DESTROY hw = A029E ("&OK 0012EC48 77D4D9A0 USER32.77D4B265 USER32.77D4D99B 0012EC44 0012EC70 77D4D9DB USER32.77D4D8EC USER32.77D4D9D6 0012EC6C 0012EC90 77D656DE USER32.DialogBoxIndirectParamAorW USER32.77D656D9 0012EC8C 0012ECBC 004193EA USER32.DialogBoxParamA SuperCle.004193E4 0012ECB8 0012ECC0 00400000 hInst = 00400000 0012ECC4 00000065 pTemplate = 65 0012ECC8 00110132 hOwner = 00110132 (class='#32770') 0012ECCC 004190D0 DlgProc = SuperCle.004190D0 0012ECD0 00000000 lParam = NULL 0012F838 77D43A50 Includes SuperCle.004193EA USER32.77D43A4D 0012F860 0012F864 77D4C675 ? USER32.77D43A35 USER32.77D4C670 0012F860 0012F8D0 77D4C4E4 ? USER32.77D4C5C0 USER32.77D4C4DF 0012F8CC 0012F918 77D4C6D1 USER32.77D4C467 USER32.77D4C6CC 0012F914 0012F930 77D43A50 Includes USER32.77D4C6D1 USER32.77D43A4D 0012F958 0012F95C 77D43B1F ? USER32.77D43A35 USER32.77D43B1A 0012F958 0012F9C4 77D45453 ? 
USER32.77D43A68 USER32.77D4544E 0012F9C0 0012FA00 77D454B4 USER32.77D45383 USER32.77D454AF 0012F9FC 0012FA20 71981492 USER32.SendMessageW COMCTL32.7198148C 0012FA1C 0012FA24 00110132 hWnd = 110132 0012FA28 00000111 Message = WM_COMMAND 0012FA2C 000003F1 age = Notify = MENU/BN_CLICKED... 0012FA30 001500E2 hControage = 001500E2 ('&Enter Reg 0012FA3C 7198156B COMCTL32.71981458 COMCTL32.71981566 0012FAD4 0012FA58 7198376D COMCTL32.71981497 COMCTL32.71983768 0012FAD4 0012FAD8 77D43A50 Includes COMCTL32.7198376D USER32.77D43A4D 0012FAD4 0012FB04 77D43B1F ? USER32.77D43A35 USER32.77D43B1A 0012FB00 0012FB6C 77D43D79 ? USER32.77D43A68 USER32.77D43D74 0012FB68 0012FBCC 77D43DDF ? USER32.77D43CA1 USER32.77D43DDA 0012FBC8 0012FBD8 77D4B1F5 ? USER32.DispatchMessageW USER32.77D4B1F0 0012FBDC 0012FC14 pMsg = WM_LBUTTONUP hw = 1500E2 (" 0012FBFC 77D4B324 ? USER32.IsDialogMessageW USER32.77D4B31F 0012FC00 00110132 hWnd = 00110132 (class='#32770') 0012FC04 005D6E10 pMsg = WM_DESTROY hw = 1500E2 ("&E 0012FC38 77D4D9A0 USER32.77D4B265 USER32.77D4D99B 0012FC34 0012FC60 77D4D9DB USER32.77D4D8EC USER32.77D4D9D6 0012FC5C 0012FC80 77D656DE USER32.DialogBoxIndirectParamAorW USER32.77D656D9 0012FC7C 0012FCAC 0041968C USER32.DialogBoxParamA SuperCle.00419686 0012FCA8 0012FCB0 00400000 hInst = 00400000 0012FCB4 00000066 pTemplate = 66 0012FCB8 00000000 hOwner = NULL 0012FCBC 004191F0 DlgProc = SuperCle.004191F0 0012FCC0 00000000 lParam = NULL 0012FED4 0041B3A0 SuperCle.00419550 SuperCle.0041B39B 0012FF38 0041FFA9 SuperCle.0041B1D0 SuperCle.<ModuleEntryPoint>+ 0012FF3C 00400000 Arg1 = 00400000 0012FF40 00000000 Arg2 = 00000000 0012FF44 00151F10 Arg3 = 00151F10 0012FF48 0000000A Arg4 = 0000000A Pretty lenghty call stack, but the message box seems to be called from here: Call stack of main thread, item 14 Address=0012E51C Stack=0040DC08 Procedure / arguments=? USER32.MessageBoxA Called from=SuperCle.0040DC02 So double click on this line, and you are here: 0040DC02 |. 
FF15 38A44200 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
Let's put a breakpoint (F2) on the start of this routine:
0040DBC0 /$ 8B4C24 08 MOV ECX,DWORD PTR SS:[ESP+8]
Okay, restart Olly (Ctrl & F2), press F9 (Run), enter your fake registration details again, a...