April 1998
"Start Clean V1.2"
Start Clean - A Win'95 Utility 
Win'95 PROGRAM
Win'95 Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: Startcln.exe
Program Type: Win'95 Utility
Program Location:  Here 
Program Size: 31744 Bytes
Packed using: N/A 
 
  
Tools Required:
Softice - Numega
 
Rating
Easy ( X )  Medium (    )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
 
 
Start Clean V1.2 - A Win'95 Utility
Written by The Sandman
 
 
 
Introduction
 
Start Clean is a simple utility that clears away any out-of-date shortcuts it finds on your desktop, Network etc. For those of you who install many different programs on your hard drive, this utility will be very handy in clearing up the mess they leave behind when you delete them.

One of the main reasons I chose this program to *crack* was that I recently downloaded it with a tutorial on how to crack it already attached, so I knew I could check my results against it once I had finished cracking it ( instant feedback! ).

I can assure you I didn't peek at this tutorial UNTIL I was satisfied that I had cracked this program myself..:)

On successful registration Start Clean creates the following entries in your System Registry:-

HKEY_CURRENT_USER\Software\Start Clean\Configuration

Name=
Code=
 
The Essay 
 
Run Start Clean and you will immediately notice it starts with a little nag-screen asking you to register it if you use it for more than 30 days. Please register it properly if you decide to keep it after the 30 days.

Press the 'REGISTER' button and a small registration window will pop-up asking you to enter your name and the registration code associated with your name.

For the name I typed: The Sandman
For the registration code I typed: 7777777

If you press the OK button you will be told that the code was incorrect.

Right, once you have entered a name and a fake registration code, press Ctrl-D to start up Softice. We have a choice of possible breakpoints we can use, ranging from BPX hmemcpy to BPX lstrcmpA, but I chose instead to use:-

BPX getdlgitemtexta

because I wanted to see where in the program the 'Incorrect Code' pop-up box appeared, so that I could then back-trace a little to see if there was a conditional jump of some sort close by.

OK, you've typed BPX getdlgitemtextA into Softice, so now all you do is type x to leave Softice and continue running Start Clean. Now press the OK button and wham, we're back in Softice, which has stopped at our breakpoint at the beginning of the USER32.DLL GetDlgItemTextA function.

Press F11 to have Softice finish executing this function and return us to the point in Start Clean from which it was called.

Take a look at the following snippet of code; it's a goldmine for a number of patches and cracks we can apply to this program.
 
:004011A7 6805040000              push 00000405
:004011AC 57                      push edi
:004011AD 8B35D8924000            mov esi, dword ptr [004092D8]    ; GetDlgItemTextA
:004011B3 FFD6                    call esi                         ; control 405 - our BPX fires in here
:004011B5 8D442410                lea eax, dword ptr [esp+10]      ; F11 returns us here
:004011B9 6800010000              push 00000100
:004011BE 50                      push eax
:004011BF 6806040000              push 00000406
:004011C4 57                      push edi
:004011C5 FFD6                    call esi                         ; control 406 - the code we typed, into [esp+10]
:004011C7 6830604000              push 00406030                    ; stores the real RegKey
:004011CC 6830614000              push 00406130                    ; stores your name
:004011D1 E8AA000000              call 00401280                    ; generates the real key from the name
:004011D6 8D442418                lea eax, dword ptr [esp+18]      ; same buffer as [esp+10] above (two pushes later)
:004011DA 83C408                  add esp, 00000008
:004011DD 50                      push eax
:004011DE 6830604000              push 00406030
:004011E3 FF1520924000            call dword ptr [00409220]        ; lstrcmpA(real key, typed code)
:004011E9 85C0                    test eax, eax
:004011EB 0F8580000000            jne 00401271                     ; non-zero = mismatch
 
 
 
Contained within the above code is all we need to know about this program from a cracker's point of view.

When we return from our BPX getdlgitemtexta function we land on this line:

:004011B5 8D442410                lea eax, dword ptr [esp+10]

If we now press F4 (which switches to the program's own screen) we can see that we have stopped before the 'Incorrect code' message box has been shown, but at this point we can't be sure whether our fake code has actually been processed yet, so press F4 once more to return to Softice and let's step through a few more lines to see what happens next.

Now press F10 nine times so that we land on this line:-

:004011D6      lea eax, dword ptr [esp+18]

Let's type: d 406030 or d eax

Bingo! Here's what the registration code for our name should look like; in our example it shows: 2160-20646-2421-469 (please don't register this program using this registration code, use one of your own). This is the real key that call 00401280 has just generated from the name we typed, and it is what lstrcmpA is about to compare against our fake code.

If we now type: d 406130 this should show the name we typed into the registration screen in Start Clean, which was 'The Sandman'.

We can now type bc * in Softice to clear our breakpoints, then type x to exit Softice and re-run the registration screen with our correct registration code.

Remember earlier I mentioned that the above code snippet was a goldmine for patches and cracks, and that this program came with a cracking tutorial made by someone else? Well, if you go here you will see the approach taken by its author ( Qapla ), who cracks this program using the lstrcmpA function, the call to which is also shown in the above code snippet.
 
 
Crack Loader 
 
Registration cracks don't usually use crack loaders; true crackers use 'key generators' instead. These key generators are usually created by simply ripping out the code from the target program that actually generates the 'valid' registration code, then altering it so that it displays the registration code on the screen. Time permitting I will add a key generator here; until then, why not see if you can create one for this program!
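The following is an added example, not code from this essay or from Start Clean itself. It models in C the check pattern visible in the disassembly above: a routine (standing in for call 00401280) derives the real key from the name into a global buffer (standing in for 00406030), and the program then compares that buffer against what the user typed, as lstrcmpA does at 004011E3. The key algorithm, the buffer and function names are all my own assumptions; the real routine at 00401280 is not shown on this page. The block also carries the two attack routes discussed here: patching the jne so any code passes, and a key generator that simply reuses the ripped-out routine.

```c
/* Added example (not from the Start Clean essay or the program). The key
 * algorithm below is a made-up stand-in; the real routine at 00401280 is
 * not shown in the essay. Builds with any C99 compiler. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_BUF_LEN 64

/* Hypothetical stand-in for the routine at 00401280. It is NOT the real
 * Start Clean algorithm: it hashes the name and formats the result as
 * NNNN-NNNNN-NNNN-NNN so the output has the same shape as the key in the essay. */
void make_key(const char *name, char *key_out, size_t key_len)
{
    uint32_t h = 0x5A17u;                               /* arbitrary seed */
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p)
        h = h * 31u + *p;                               /* simple multiplicative hash */
    snprintf(key_out, key_len, "%04u-%05u-%04u-%03u",
             (unsigned)((h >> 16) % 10000u),
             (unsigned)(h % 100000u),
             (unsigned)((h >> 8) % 10000u),
             (unsigned)(h % 1000u));
}

/* Plays the part of the buffer at 00406030: the real key sits here in clear
 * text once make_key() returns, which is exactly why 'd 406030' shows it. */
static char g_real_key[KEY_BUF_LEN];

/* Mirrors 004011C7..004011EB: generate the real key, then compare.
 * Returns 1 when the typed code matches (lstrcmpA returned 0, jne not taken). */
int check_registration(const char *name, const char *typed_code)
{
    make_key(name, g_real_key, sizeof g_real_key);      /* call 00401280 */
    return strcmp(g_real_key, typed_code) == 0;         /* lstrcmpA + test eax,eax */
}

/* The patch route: as if 'jne 00401271' had been NOPed out. The comparison
 * still runs, but its result no longer decides anything. */
int check_registration_patched(const char *name, const char *typed_code)
{
    (void)check_registration(name, typed_code);
    return 1;
}

/* The keygen route: call the ripped-out routine and hand back its output
 * instead of comparing it. Static buffer, so the returned pointer stays valid. */
const char *keygen(const char *name)
{
    static char key[KEY_BUF_LEN];
    make_key(name, key, sizeof key);
    return key;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "The Sandman";
    const char *key = keygen(name);
    printf("Name : %s\nKey  : %s\n", name, key);
    printf("check_registration(name, key)       -> %d\n", check_registration(name, key));
    printf("check_registration(name, \"7777777\") -> %d\n", check_registration(name, "7777777"));
    printf("patched check with \"7777777\"        -> %d\n", check_registration_patched(name, "7777777"));
    return 0;
}
```

Build with cc -std=c99 and run it with a name as the first argument. The lesson for anyone writing such a check is visible in check_registration(): the valid key has to be materialised in memory before the compare, and the routine that materialises it ships inside the program, so both 'd 406030' and a keygen are always available to the attacker. A scheme that instead verifies a signature over the name with a public key embedded in the program denies the keygen route (the program never holds the ability to mint keys), although a single-jump patch still works unless the check is repeated or made harder to locate.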
 
 
Final Notes 
 
 
This was an easy crack for a Windows program and didn't take me too much time to work out what routine did what and how it fitted into the protection system. While I could have used the API function lstrcmpA to find the protection system instead of getdlgitemtexta, the latter was, I believe, the best choice for this program.
 
 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering us even more challenges in breaking their often weak protection systems?

If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 
 


 
 
 


Essay by:          The Sandman
Page Created: 19th April 1998