DawnRun
Task 2
Thu Dec 17 07:02:01 1998


hi everyone,

*smile*, this one really had me on the brink of $%&(/'#.
So I'll just outline the simplest way of unregging CYT.
First I installed NS, since I only use OPERA, which this babe
doesn't provide for :(. I ran CYT twice unregged to obtain
a Filemon and Regmon listing, as well as getting a WDASM dead
listing of CYT.exe. I did the same with the regged version.
The following files turned out to be of interest:
win64os.cpl, msffs.dll and cyt31.ini (the logfile in applog
I didn't bother with, since, as Princess points out, all (or most) prgs
do make an entry).
Deleting these files of the regged version and running CYT
again brings up that annoying: "You have attempted to crack....",
although regging is still possible.
Hhmmm, so there must be a check of the registry somewhere, for even
replacing these files with the unregged ones churned out the same
result.
Now, looking at the dead listing, I found a suspicious "cythid.reg"
entry. I searched for it in the registry and deleted it, then repeated
the above-mentioned steps. Grrr, still that nag.
Rummaging through HKCR\CLSID didn't get me further, and thanks to
Volatility's advice I had a close look again, first at the Regmon
and then the Filemon listings. Apart from several checks to NS files
there was nothing else for me to work on, and I took up WDASM's
listing to check out those. Right among NS's data strings I found
"ialize" followed by a "too long" routine which smelled fishy.
I couldn't find "ialize" in the registry of NS entries, but "initialize"
was one folder that 'sounds like' *grin*. Deleting its content didn't
change the behaviour of CYT, but deleting the whole folder did restore CYT
to its unregistered state. (Have to delete msffs.dll too, of course.)
Well, I haven't figured out how the prg calculates the first 4 letters
(init), but the routine in the DASM listing after "ialize" seems to
point towards such a check. Does anybody know?
Best wishes
DawnRun