Eternal Bliss
my answers
Wed Dec 16 15:55:05 1998


> Question 2. Explain as best you can, how we can unregister this
> program so that when run, this program believes it has never been
> run on our computer before. What steps would we need to take to
> achieve this?. What System Registry entries/Files are involved in
> this process.

Hi,
I thought that deleting the whole folder would do the trick, but I was wrong.
It wouldn't be so easy, or else Sandman wouldn't let this be a project... Here
are my observations.


General observations:
About box: It doesn't say who it is registered to, just "registered"
and "version 3.1"
Options: Advanced Options (registered users only)

-------------------------------------------

Using Registry Crawler:
I checked for cover, tracks, fat-free software - no results

-------------------------------------------

Using Reg Editor:
Looked through the registry for any relevant info under
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
no results.

-------------------------------------------

Using Registry Monitor:
QueryValueEx 0xC18987F0 C:\WINDOWS\cyt31.ini NOTFOUND
OpenKey CURRENT\Software\Netscape\Netscape Navigator\Usersiffusers NOTFOUND
OpenKey CURRENT\Software\Microsoft\Internet Explorer\TypedURLs
And a few queries to Netscape which I thought were not important...
*But I was wrong. I missed a *subtle* query

-------------------------------------------

Using File Monitor:
The following results appear:
Win.ini
c:\test\Cyt.enu NOTFOUND
c:\test\cyt.enu.dll NOTFOUND
c:\test\cyt.en NOTFOUND
c:\test\cyt.en.dll NOTFOUND
c:\windows\cyt31.ini <------- NOTE
c:\windows\msffs.dll <------- NOTE

When I go under "options":
c:\windows\cyt31.ini is reported by File Monitor

-------------------------------------------

So, I looked at all the files of interest:

cyt31.ini:
[Register]
Date=12/14/98 <------- NOTE

[Options]
UserIndex=0
Cookie=yes
History=no
Cache=yes
Docs=no
Auto=yes <---------- when enabled. no when disabled. That explained
why cyt31.ini was opened when I went to "options" settings...
Newsgroups=no

-------------------------------------------

c:\windows\msffs.dll:
attribute: hidden, readonly.
I opened it up using NotePad.
A funny message is in it:

This is a generated file. Any attempt to edit will result in a
disfunctional program. YOU HAVE BEEN WARNED!!!
100000101001001010110011001010010100010101000100
pΨÎW|^>2-28xGd$%)@ޞY
U4(*bD&7<֬Rvgg431
17119272391983421430987349287201987219
28371203981723987213498294710716141638
59372811718314267409183740192384712349
08713249081723481903481902340798098712
08794390782190732101290871248217216151
57519883439502983712198128388712982873
17832847128793498712364871348112740-01
01 <------- NOTE
uses
----010203040506070809101112131415
[self-destruct]=false

-------------------------------------------

Then I went into action... (I copied cyt31.ini and msffs.dll to a safe place first)

cyt31.ini:
I deleted [Register] but nothing changed

-------------------------------------------

msffs.dll:
When deleted, this stern message appeared:
You have attempted to crack this program. The program will not longer function.
I pressed the OK button.
The same window appeared asking me to register, like the 1st time, except with BIG RED words "Access Denied!"
I pressed OK without registering.
In the "About" box, it is now "Unregistered".
All functions were disabled except for exit and everything under "Help".

Then, I closed the program. I started File Monitor again and then the program.

Under filemon:
a new file "win64os.cpl" appears to be used.
*when the program is in its unregistered form, it will look for this file when it runs but will not do so after it is registered.*

So, I opened up win64os.cpl and saw:
1
False

-------------------------------------------

I replaced msffs.dll and everything was back to normal (Registered).
I opened up win64os.cpl again.
Still:
1
False

-------------------------------------------

When I deleted win64os.cpl, nothing changed. (Before deleting it, I copied it as well.)

-------------------------------------------

Deleting win64os.dll, msffs.dll and cyt31.ini resulted in the same stern remarks.
Running the program under File Monitor, I saw that no other new files appeared.
I was prompted to choose a browser like on first use. cyt31.ini was added with today's date.
When I replaced them, it was back to normal.

-------------------------------------------

So... there must be something else... I triple-checked File Monitor and Registry Monitor but nothing caught my eye...

-------------------------------------------

I had to resort to W32Dasm.

Using W32DASM:
I saw this interesting string:
"ialize"
and a few other strings that I thought I saw in Registry Monitor
Anyway, to cut the story short...

Using Registry Monitor, I found this string:
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Initialize

I deleted it (*back up first*). There were no effects and the string was not replaced. I thought I was wrong.
But I started Netscape and found that it worked all right. I went back to check the string. It was still not there. So it has got nothing to do with Netscape!!

-------------------------------------------

At 3 am in the morning, I was frustrated, so I deleted win64os.cpl and msffs.dll as well.
It worked!!! I restarted the program in trial mode counting from 1st use. No nasty messages whatsoever.

-------------------------------------------

I deleted some of my findings for fear that it might be asked in the next few questions.

Bye!


PS. Isn't it a bit risky for the program to put the check in Netscape registry? What if we don't use Netscape at all? Then it will stick out like a sore thumb right??