SERIAL NUMBER IS FISHY - DECLINE YOUR PATCH'ITCH'ING

FitToDisk v2.2
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) for the misuse of this material. Read the END NOTES section at the end of this file.

ABOUT THE PROGRAM

It is a nice tool for you to split a large file, including MP3, Zip, Wave file, EXE file, in fact any type of file, into several pieces to fit onto floppy disks for copy or backup purposes, or to split onto a hard disk for later use. It makes it easy to send large files by email through the Internet. FitToDisk is designed thoughtfully. It is convenient to use and has a nice interface. You can split or restore files smoothly and reliably, without any troublesome configuration.

WHERE TO DOWNLOAD

Author    : Richard Zhang
Copyright : ASB Software Studio
Homepage  : http://download.dnttm.ro/simtel.net/win95/fileutl-pre.html
URL       : ftp.dnttm.ro/pub/simtelnet/win95/fileutl/ftdisk22.zip
Size      : 623 kb as of 12/23/00
Rel Date  : December 12, 2000

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

I remind you that this program is packed with UPX. There is no unpacking procedure in this tute, so unexpected occurrence(s) might happen on your PC.

1. Run FITTODISK.EXE and, in the registration dialog box, type the information below:

   Serial Number : 1D2915D2   ( may differ )
   User Name     : Pirates Order
   Reg Code      : 73881050

   Do not click the REGISTER button yet.

2. Load SoftIce by pressing [ CTRL + D ] and set a breakpoint as follows:

   : BPX HMEMCPY [enter]

   and press F5 to return to the main program.

3. Now click the OK button... you'll return back into SoftIce!
   Within SoftIce press F11, F5, F11, then F12 11 times until you see and break at:

   _________________________________________________________________
   015F:004872F4  E80378FAFF    CALL 0042EAFC
   015F:004872F9  8D45E0        LEA  EAX,[EBP-20]    <== BREAK HERE
   015F:004872FC  8B55F8        MOV  EDX,[EBP-08]
   015F:004872FF  E8ACC7F7FF    CALL 00403AB0        ==> D EDX
   _________________________ FITTODISK!UPX1+000132EE _______________

   : bc 00 [enter]                ==> no longer needed
   : 015F:004872F4 [enter]

   Press X 2 times to let SoftIce break into this new location. ( note : confirm the REGISTER button when you press X for the second time )

   Press F10 2 times - stop at 015F:004872FF - and display the EDX register:

   : d edx [enter]

   See that fake code at virtual address 0167:00D243E4 ??? One line below there is A4631711AE71. Write down this potential reg. code.

4. Actually I am not so interested in successfully finding the correct S/N as described above. I am too curious about where the routine is which calculates / generates that reg code.

   WARNING : YOU LAMER(Z) DO NOT KEYGEN BASED ON THESE TRACED SNIPPET CODES. YOU WILL BE CAUGHT IN THE ACT EVEN IF YOU BACKDATED YOUR COMPILED XXXXX-KG.EXE FILE. AN OLD PCTOOLS (DOS) AND WINCRC WILL EASILY RECOGNIZE WHEN YOU ACTUALLY CREATED YOUR KEYGEN !!!!!!

   Let's disable all breakpoints. Do not register the prog yet.
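   As an added aside (not part of the original tutorial), the following Python decodes relative branch targets from the opcode bytes printed in the listing above, so a destination such as CALL 0042EAFC can be checked against its bytes E80378FAFF instead of being taken on trust. It generalises past the page's CALLs to JMP rel32 and the short conditional jumps (JNZ, opcode 75) that appear later in the trace; the listing addresses are the 015F: offsets, and the two entries in LISTING are copied from the snippet above.

```python
# Added example (not from the tutorial): decode x86 relative branch targets
# from the raw bytes shown in a SoftIce listing, so CALL / JMP / Jcc
# destinations can be verified by hand.  Only E8, E9 and 70..7F are handled.

def decode_branch(address: int, opcode_hex: str) -> dict:
    """Decode one relative branch.

    address    : virtual address (offset part) at which the instruction starts
    opcode_hex : the instruction bytes as printed, e.g. "E80378FAFF"
    Returns {'mnemonic', 'next', 'target'} with 32-bit wrapped addresses.
    """
    raw = bytes.fromhex(opcode_hex)
    op = raw[0]
    if op in (0xE8, 0xE9):
        # rel32: a signed 4-byte little-endian displacement follows the opcode
        if len(raw) != 5:
            raise ValueError("rel32 branch needs exactly 5 bytes")
        disp = int.from_bytes(raw[1:5], "little", signed=True)
        mnemonic = "CALL" if op == 0xE8 else "JMP"
    elif 0x70 <= op <= 0x7F:
        # Jcc rel8: a signed 1-byte displacement follows the opcode
        if len(raw) != 2:
            raise ValueError("rel8 branch needs exactly 2 bytes")
        disp = int.from_bytes(raw[1:2], "little", signed=True)
        mnemonic = {0x74: "JZ", 0x75: "JNZ"}.get(op, "Jcc(%02X)" % op)
    else:
        raise ValueError("not a relative branch opcode: %02X" % op)
    # The displacement is relative to the address of the *next* instruction.
    nxt = address + len(raw)
    return {"mnemonic": mnemonic, "next": nxt,
            "target": (nxt + disp) & 0xFFFFFFFF}


# Constructed from the listing in the tutorial (015F: offsets).
LISTING = [
    (0x004872F4, "E80378FAFF"),  # listed as CALL 0042EAFC
    (0x004872FF, "E8ACC7F7FF"),  # listed as CALL 00403AB0
]


def check_listing(entries=LISTING) -> list:
    """Decode every entry; return (address, mnemonic, target) triples."""
    out = []
    for addr, hexbytes in entries:
        d = decode_branch(addr, hexbytes)
        out.append((addr, d["mnemonic"], d["target"]))
    return out


if __name__ == "__main__":
    for addr, mn, tgt in check_listing():
        print("%08X  %-4s %08X" % (addr, mn, tgt))
```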
   Create a new breakpoint as follows:

   : bpx 015F:00487406 [enter]
   : G 015F:00487406 [enter]

   Note : if you can't / don't break at this location, do a string search ( when you break at 015F:004872F4, or anywhere as long as you're in the main prog's code ) as follows:

   : s 0 l fffffffffffff E8 E9 0F F8 FF 8B 55 [enter]
   Pattern found at 0167:00487406   <== whatever it is, just BPX this memory location

   If nothing goes wrong you'll break again at the snippet below:

   _____________________________________________________________
   ***015F:004873F6  8B45F0        MOV   EAX,[EBP-10]
      015F:004873F9  0FB64438FF    MOVZX EAX,BYTE PTR [EDI+EAX-01]
      015F:004873FE  8D4DDC        LEA   ECX,[EBP-24]
      015F:00487401  BA02000000    MOV   EDX,00000002
      015F:00487406  E8E90FF8FF    CALL  004083F4        <== break here
      015F:0048740B  8B55DC        MOV   EDX,[EBP-24]
      015F:0048740E  8D45EC        LEA   EAX,[EBP-14]    ==> d edx
      015F:00487411  E886C8F7FF    CALL  00403C9C
      015F:00487416  47            INC   EDI
      015F:00487417  4E            DEC   ESI
      015F:00487418  75DC          JNZ   004873F6        ( JUMP ^) ***
      015F:0048741A  8D55D8        LEA   EDX,[EBP-28]
      015F:0048741D  8B83FC020000  MOV   EAX,[EBX+000002FC]
      015F:00487423  E8D476FAFF    CALL  0042EAFC
      015F:00487428  8B45D8        MOV   EAX,[EBP-28]
      015F:0048742B  8B55EC        MOV   EDX,[EBP-14]    ==> D EAX
      015F:0048742E  E871C9F7FF    CALL  00403DA4        ==> D EDX
      ...
   ____________________ FITTODISK!UPX1+000133ED ________________

   Press F10 2 times - stop at 015F:0048740E - and display the EDX register:

   : d edx [enter]        ==> you'll see " A4 " at 0167:00D26004

   Press F10 4 times - stop at 015F:00487418 - and you'll loop back to 015F:004873F6.

   Next it would be interesting to observe, always watching the SS value which is moved into EAX, the effect on the EDX register.

   You're at 015F:004873F6; press F10 - stop at 015F:004873F9 - and look at the Register Window: DS=00D28761=63.
   Press F10 once - stop at 015F:004873FE - and look at the EAX register; now EAX=00000063.
   Press F10 3 times - stop at 015F:0048740B - display the EDX register ==> did you see " A4 " at 0167:00D26004 ?
   Press F10 once - stop at 015F:0048740E - display the EDX register ==> did you see " 63 " at 0167:D2B35E ?

   Do your tracing accordingly until you get " 5E " when displaying the EDX register and you no longer see the JUMP indicator at 015F:00487418.

   Let's recap a while: so far you've got A4, 63, 17, 11, AE, 71, 5E from the loop procedure. Keep this sequence in mind !!

   Now that you did not see the JUMP indicator at 015F:00487418 ...

   Press F10 5 times - stop at 015F:0048742B - display the EAX register ==> see that fake code "73881050" at virtual address 0167:D276AC ???
   Press F10 once - stop at 015F:0048742E - display the EDX register ==> did you see A4631711AE715E at virtual address 0167:00D2EE34 ???? One line below is your fake code. Scroll up one or two lines and you'll see your name too.

   Now let's compare what you got at 015F:0048742E with the sequence in the recap above. Yeah, they match, agreed, QED !!!!

   ! REMEMBER, DO NOT KEYGEN BASED ON THIS TUTORIAL !

5. Disable all breakpoints by typing BD * [enter]. Press F5 or X to return to the main program.

6. Repeat the registration procedure and key in A4631711AE715E as your S/N. Click the REGISTER button ..... there, you're registered.

7. Where the hell is my registration code stored ??

   The correct registration code is stored in the registry as follows:

   REGEDIT4

   [HKEY_LOCAL_MACHINE\Software\FitToDisk]

   [HKEY_LOCAL_MACHINE\Software\FitToDisk\Register]

   [HKEY_LOCAL_MACHINE\Software\FitToDisk\Register\infos]
   "serialno2"="2D93467EB2427B22D4DBA511BDA4D41AB74BA76E86B7666EAE5C006FC2"
   "username"="Pirates Order"
   "rgstcode"="A4631711AE715E"

8. How can I practise with my own user name ?

   - I strongly recommend you not to do this !

E N D   N O T E S

Distributing your serial number is illegal and is no different than distributing illegal copies of the registered software.
Violation of this rule may result in temporary or permanent revocation of this license and cancellation of the serial number; the original licensee will also be held responsible for damages, physical and estimated.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack release, repacking (distro) them under his name. Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.

< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

Never attribute to malice that which is adequately explained by stupidity

ASTAGA [D4C/C4A]
tute-FitToDisk22.zip
[EOF] 12/24/00 2:01:48 AM