Eternal Bliss
my answers
Wed Dec 16 15:55:05 1998

> Question 2. Explain as best you can, how we can unregister this
> program so that when run, this program believes it has never been
> run on our computer before. What steps would we need to take to
> achieve this?. What System Registry entries/Files are involved in
> this process.

Hi,

I thought that deleting the whole folder will do the trick but I was wrong.
It won't be so easy else Sandman won't let this be a project... Here are my observations.

General observations:
About box: It doesn't say who it is registered to, just "registered" and "version 3.1"
Options: Advanced Options (registered users only)
-------------------------------------------
Using Registry Crawler:
I checked for cover, tracks, fat-free software - no results
-------------------------------------------
Using Reg Editor:
Look through registry for any relevant info under
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
no results.
-------------------------------------------
Using Registry Monitor:
QueryValueEx 0xC18987F0\C:\WINDOWS\cyt31.ini NOTFOUND
OpenKey CURRENT\Software\Netscape\Netscape Navigator\Usersiffusers NOTFOUND
OpenKey CURRENT\Software\Microsoft\Internet Explorer\TypedURLs
And a few queries to Netscape which I thought were not important...
*But I was wrong. I missed a *subtle* query
-------------------------------------------
Using File Monitor:
The following results appear:
Win.ini
c:\test\Cyt.enu NOTFOUND
c:\test\cyt.enu.dll NOTFOUND
c:\test\cyt.en NOTFOUND
c:\test\cyt.en.dll NOTFOUND
c:\windows\cyt31.ini   <------- NOTE
c:\windows\msffs.dll   <------- NOTE
When I go under "options":
c:\windows\cyt31.ini is reported by File Monitor
-------------------------------------------
So, I looked at all the files of interest:

cyt31.ini:
[Register]
Date=12/14/98   <------- NOTE
[Options]
UserIndex=0
Cookie=yes
History=no
Cache=yes
Docs=no
Auto=yes   <---------- when enabled. no when disabled.
That explained why cyt31.ini was opened when I went to "options" settings...
Newsgroups=no
-------------------------------------------
c:\windows\msffs.dll:
attribute: hidden, readonly.
I opened it up using NotePad.
A funny message is in it:

This is a generated file. Any attempt to edit will result in a disfunctional program. YOU HAVE BEEN WARNED!!!
100000101001001010110011001010010100010101000100pΨÎW|^>2-28xGd$%)@ޞYU4(*bD&7<֬Rvgg43117119272391983421430987349287201987219283712039817239872134982947107161416385937281171831426740918374019238471234908713249081723481903481902340798098712087943907821907321012908712482172161515751988343950298371219812838871298287317832847128793498712364871348112740-0101   <------- NOTE
uses----
010203040506070809101112131415
[self-destruct]=false
-------------------------------------------
Then I went into action... (I copied cyt31.ini and msffs.dll to a safe place first)

cyt31.ini:
I deleted [Register] but nothing changes
-------------------------------------------
msffs.dll:
When deleted, this stern message appeared:
You have attempted to crack this program. The program will not longer function.
I press OK button. The same window asking me to register like 1st time except with BIG RED words "Access Denied!"
I pressed OK without registering.
In the "About" box, it is now "Unregistered".
All functions were disabled except for exit and everything under "Help".

Then, I close the program. I started File Monitor again and then the program.
Under filemon:
a new file "win64os.cpl" appears to be used.
*when the program is in its unregistered form, it will look for this file when it runs but will not do so after it is registered.*

So, I opened up win64os.cpl and saw:
1
False
-------------------------------------------
I replace msffs.dll and everything is back to normal (Registered).
I opened up win64os.cpl again. Still:
1
False
-------------------------------------------
When I deleted win64os.cpl, nothing changed.
(Before I deleted it, I copied it as well.)
-------------------------------------------
Deleting win64os.dll, msffs.dll and cyt31.ini resulted in the same stern remarks.
Running the program under File Monitor, I saw that no other new files appear.
I was prompted to choose browser like first use. cyt31.ini added with date of today.
When I replace them, it is back to normal.
-------------------------------------------
So... there must be something else... I triple-checked File Monitor and Registry Monitor but nothing caught my eye...
-------------------------------------------
I had to resort to W32Dasm.

Using W32DASM:
I saw this interesting string:
"ialize"
and a few other strings that I thought I saw in Registry Monitor.
Anyway, to cut the story short...

Using Registry Monitor, I found this string:
HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Initialize
I deleted it (*back up first*). There were no effects and the string was not replaced. I thought I was wrong. But I started Netscape and found that it worked alright. I went back to check the string. It was still not there. So it has got nothing to do with Netscape!!
-------------------------------------------
At 3 am in the morning, I was frustrated, so I deleted win64os.cpl, msffs.dll as well.
It worked!!! I restarted the program in trial mode counting from 1st use. No nasty messages whatsoever.
-------------------------------------------
I deleted some of my findings for fear that it might be asked in the next few questions.

Bye!

PS. Isn't it a bit risky for the program to put the check in Netscape registry? What if we don't use Netscape at all? Then it will stick out like a sore thumb right??

Ergh! I feel stupid! by Craftie, Thu Dec 17 16:36
Ditto by Bill, Thu Dec 17 16:40