There is a crack, a crack in everything. That's how the light gets in.
On successful installation the following System Registry entries are created:

HKEY_CURRENT_USER\Software\Kg\filewatch\settings
HKEY_CURRENT_USER\Software\Kg\filewatch\license
Code = "0"             ;Default Serial Number
Days = "6"             ;Number of days so far evaluated
User = "Unregistered"  ;Default User Name
I've often said that it pays to run your target program several times before attempting to *crack* it, because this can often save you a lot of wasted time and effort trying to crack it later.

After trying to find the 'Registration Screen' I then started to left click on all pictures/icons and text within this program looking for any 'hidden' Easter-Eggs and, in this case, a hidden Registration Screen. It wasn't hard to find the Registration Screen: it's found on the main 'Settings' page, which is shown first by default each time you run this program. If you click on the text Kg '98 then the hidden registration dialog pops up asking you for your User Name; after clicking on the 'OK' button another dialog box pops up asking you for your registration number. If the registration number is incorrect then the program displays a help topic telling you how to register this program.

The normal Softice breakpoints like bpx messageboxa and bpx getwindowtexta didn't work at this point, so out comes W32Dasm. Create a Dead Listing for this program. In my case, while in W32Dasm I searched through the program's String Data Resources and quickly located the text "Enter Name".

Now if you had made your notes correctly then you'll already know that once you've activated the hidden Registration Screen a dialog box appears titled "Register" with the text "Enter Name" on it, and which ALSO had the default name already typed in for you using "John Doe". These are great sign posts to look for..:)

Then the next dialog box that appears asking you for your registration number is also titled "Register", and this time the text in it says "Enter Code", so it's logical to assume that this sequence of text will also appear in the program's code next to each other and in the same sequence...

Inside the program's code you should find this snippet of code:-
:004500D2 B96C014500   mov ecx, 0045016C           ;Default Name "John Doe"
:004500D7 BA80014500   mov edx, 00450180           ;MsgBox Title "Register"
:004500DC B894014500   mov eax, 00450194           ;Default text "Enter Name: "
:004500E1 E8FA9CFEFF   call 00439DE0               ;Get new User Name/Handle
:004500E6 8D45F8       lea eax, dword ptr [ebp-08]
:004500E9 50           push eax
:004500EA B9AC014500   mov ecx, 004501AC           ;Get default value '0'
:004500EF BA80014500   mov edx, 00450180           ;MsgBox Title "Register"
:004500F4 B8B8014500   mov eax, 004501B8           ;Default text "Enter Code: "
:004500F9 E8E29CFEFF   call 00439DE0               ;Get new User Registration Code
:004500FE 8D55F4       lea edx, dword ptr [ebp-0C] ;Location of where the Real serial will be placed.
:00450101 8B45FC       mov eax, dword ptr [ebp-04] ;Your User Name
:00450104 E84BD4FFFF   call 0044D554               ;Create Real Serial #
:00450109 8B45F4       mov eax, dword ptr [ebp-0C] ;eax = *REAL* SERIAL!
:0045010C 8B55F8       mov edx, dword ptr [ebp-08] ;edx = *FAKE* SERIAL!
OK, we've located the area within the program's code where the registration check is, so now we want to get Softice to execute these code instructions one by one so that we can see exactly what the program is doing and what information is being passed around in the PC's internal registers.

Notice that we DON'T need to get Softice to break anywhere near these routines now; all we want is to get Softice to break ANYWHERE within the program, since we already know where we want to go.

Before running FileWatch press Ctrl-D to fire up Softice. Type bpx getlocaltime; this is a common function used in many programs to work out how many days you've been using the software in question. Now type X to leave Softice.

Now fire up FileWatch, and after the initial Nag Screen has been displayed Softice will break at the beginning of the GetLocalTime system function. Press the 'F11' key once.

We're now in the program's code. Good, now type: u 4500D2 which will get Softice to display the section of code we're interested in. The same section of code is displayed above.

Now we want to tell Softice to clear away our previous breakpoint, which we do by typing: bc *

Now type bpx 4500D2 which creates a new Softice breakpoint exactly where the program will begin collecting the User details from us when we activate the 'Registration Screens'.

OK, now type x to leave Softice and click on the text Kg '98 which is found in the 'Settings' screen, near the bottom of the screen.

Now the fun begins...

Softice now breaks at memory location :004500D2...
1. Press the 'F10' key once.
   Softice executes: :004500D2 B96C014500 mov ecx, 0045016C
   What's happening: The register ECX is being assigned the memory location 0045016C where the text "John Doe" can be found. This is our default User name.

2. Press the 'F10' key once.
   Softice executes: :004500D7 BA80014500 mov edx, 00450180
   What's happening: The register EDX is being assigned the memory location 00450180 where the text "Register" can be found. This is the messagebox Title.

3. Press the 'F10' key once.
   Softice executes: :004500DC B894014500 mov eax, 00450194
   What's happening: The register EAX is being assigned the memory location 00450194 where the text "Enter Name" can be found. This is the messagebox prompt.

4. Press the 'F10' key once.
   Softice executes: :004500E1 E8FA9CFEFF call 00439DE0
   What's happening: This call 'gets' the User Name that you've just typed in and stores it in memory for safe keeping.

5. Press the 'F10' key once.
   Softice executes: :004500E6 8D45F8 lea eax, dword ptr [ebp-08]
   What's happening: The register EAX is loaded with the address of the local variable at EBP-08 (lea loads the address itself, not the value stored there).

6. Press the 'F10' key once.
   Softice executes: :004500E9 50 push eax
   What's happening: The value in the EAX register is being saved onto the STACK for later use.

7. Press the 'F10' key once.
   Softice executes: :004500EA B9AC014500 mov ecx, 004501AC
   What's happening: The register ECX is being assigned the memory address 004501AC. This memory location holds the default value '0' that is shown in the 'Enter Code' input box.

8. Press the 'F10' key once.
   Softice executes: :004500EF BA80014500 mov edx, 00450180
   What's happening: The register EDX is being assigned the memory location 00450180 where the text "Register" can be found. This is the messagebox Title.

9. Press the 'F10' key once.
   Softice executes: :004500F4 B8B8014500 mov eax, 004501B8
   What's happening: The register EAX is being assigned the memory location 004501B8 where the text "Enter Code: " can be found. This is the messagebox prompt.

10. Press the 'F10' key once.
   Softice executes: :004500F9 E8E29CFEFF call 00439DE0
   What's happening: This call 'gets' the registration code that you've just typed in and stores it in memory, as the listing's comment "Get new User Registration Code" says.

11. Press the 'F10' key once.
   Softice executes: :004500FE 8D55F4 lea edx, dword ptr [ebp-0C]
   What's happening: The register EDX is assigned the memory address of where the *real* serial number will be placed.

12. Press the 'F10' key once.
   Softice executes: :00450101 8B45FC mov eax, dword ptr [ebp-04]
   What's happening: The register EAX is now assigned the memory address where your User Name/Handle is stored.

13. Press the 'F10' key once.
   Softice executes: :00450104 E84BD4FFFF call 0044D554
   What's happening: This call now creates a *REAL* serial number based on the name/handle you've just typed in.

14. Press the 'F10' key once.
   Softice executes: :00450109 8B45F4 mov eax, dword ptr [ebp-0C]
   What's happening: The EAX register is now loaded with the dword stored at [ebp-0C], which is the address of your *real* serial number. In other words, register EAX now points at your *real* serial number! If you now type: d eax then you will see TWO serial numbers; the FIRST one is the one you want to register this program with. Forget the second serial you see underneath.
Can you see that with careful preparation and observation you can save yourself a lot of wasted effort? As in this example, we've seen that we were able to find a hidden Registration Screen, which then gave us valuable clues in our dead listing as to where we should start examining the program's code. From our notes we were able to find the 'sign posts' that led us correctly to the exact spot where we could sniff out the serial registration codes, without having to touch the serial generating routines themselves.

I mentioned somewhere near the start of this essay the 'nag screen' shown at start-up that says this program is Shareware. Well, it still remains, even after you register this program! A bug no doubt...

Also, if you now go into the 'About' Screen you'll see that your name/handle is displayed as the *legal* registered owner, but the 'days used to evaluate this software' counter (shown in the extreme bottom right corner) now displays '666'.

A quick look in the System Registry File at:
HKEY_CURRENT_USER\Software\Kg\filewatch\license
shows the following info:-
Code = 474-S850-1757-3
Days = 666
User = The Sandman

*Please don't use my reg info to register this program with.*

Job Done.
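The weakness this essay exploits is a design one: the program derives the real serial from the name and only then compares, so the genuine value is sitting in a local next to the user's guess at the moment of the check. The constructed Python below (added here; it is not FileWatch's code, and hypothetical_derive is a stand-in for the routine at 0044D554, not a reproduction of it) shows that pattern beside a check where the program ships only a public verification key, so no valid serial is ever built in memory for a debugger to read out.

```python
import hashlib
import hmac

# Constructed illustration, not FileWatch's code. hypothetical_derive stands in
# for the program's own 'create real serial' routine, which is not reproduced.

def hypothetical_derive(name: str) -> str:
    """Placeholder for 'create real serial from name'."""
    digest = hashlib.sha256(name.encode()).hexdigest().upper()
    return f"{digest[:3]}-{digest[3:7]}-{digest[7:11]}"

def check_derived(name: str, entered: str) -> bool:
    """The pattern in the listing: derive the real serial into a local
    ([ebp-0C]), then compare it with the user's input ([ebp-08]). At the
    compare, the real serial is in memory next to the fake one, whatever
    comparison routine is used (constant-time or not)."""
    real = hypothetical_derive(name)
    return hmac.compare_digest(real.encode(), entered.encode())

# Toy RSA pair (tiny primes, illustration only; use a real library in
# production). Only _N and _E would ship inside the program.
_P, _Q = 1000003, 1000033
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent, stays at the vendor

def _digest(name: str) -> int:
    """Hash the name into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest()[:6], "big") % _N

def vendor_issue(name: str) -> str:
    """Vendor side: the serial is a signature over the name."""
    return format(pow(_digest(name), _D, _N), "x")

def check_signed(name: str, entered: str) -> bool:
    """Program side: verify with the public exponent only. No valid serial
    is computed here, so stepping through it yields nothing to 'd eax'."""
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    return 0 < sig < _N and pow(sig, _E, _N) == _digest(name)
```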
Ripping off software through serials and cracks is for lamers..

If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.