Cracking / password bypassing of
"Security Setup II - Light"
by zouzouni
zouzouni's cracking gallery
This tutorial is made for newbies


Cracking / password bypassing of "Security Setup II - Light"


This tutorial doesn't have to with bypassing the security of computers using "Security Setup II - Light".

Authors words :" Security SetUp will simply disable the user's ability to access the settings (selected by you), you will be put in charge of what areas of the Windows 9X / NT setup the user can access. You decide the level of control, you can go from the extreme (E.g.. deciding thatthe user can change nothing and only access a list of specified programs / files) to the lighter levels (E.g.. the user cannot changethe desktop resolution)... "

Tools required

Softice 3.25 .Read here how you can find any tool you like
Hiew or other hex editor

Inctrl4 a great utility of the PC Magazine

Target's location


When you run the program a nag sreen is appearing ,nag screen are so bad none of tha developers should use them the result is only annoying the customer and making him enemy not friend of the product.
Lets set our password but before that run the InCtrl4 utility (you may find this using a search engine) .This will scan the hard disk defore and after you set the password and will tell you the differences .So for the password "malakas" we have the following changes :

HKEY_LOCAL_MACHINE\Software\idp\PASS\SSU20 0=4603315061071513061322
HKEY_LOCAL_MACHINE\Software\idp\SSU20 EXE1P=-1031061585
HKEY_LOCAL_MACHINE\Software\Microsoft\Sdate P1EXE=RUN


Now imagine what will happent if we will erase the SSU20 ,EXE1P and P1EXE ,( I prefer to rename them) our system will not be anymore password protected .

2nd way of bypassing the password check :

When you enter a wrong password the message "Invalid password" is appearing .Open SECURITYSETUP2.EXE with w32asm and search for that string ,Invalid password is at two places at 44C6CE and 44C716 lets take a look what is bringing as there at those adresses ? Few lines up it says :"Referanced by a (U)nconditiolal or (C)ontitional Jump at Address 0044C667" and "Referanced by a (U)nconditional or (C)ontitional Jump at Address 0044C6C1" Those are the places where we have to set our breakpoints in softice write them in a paper 0044C667 ,0044C6C1

So start the program enter a invalid password and press Ctrl-D to enter softice set breakpoint at hmemcpy "bpx hmemcpy" this brakpoint will make as to enter in the code of the SECURITYSETUP2.EXE ,press F5 to exit softice and the OK button .Softice will break press F12 till you are in the SECURITYSETUP2.EXE code .

Now disable the breakpoint that you set "BD*" or cancer it "BC*" and set 2 new breapoints "bpx 0044C667" and "bpx 0044C6C1" and press "x" ,softice will break again at one of the 2 breakpoints is a jz (jump if no zero) at the bad message so reverse it with "r fl z" (reverse flag zero) and the program will continue like you put the correct serial . This is the correct place to patch it but the program is checking its self integrity and this is making it very difficult to patch we mast find first where the check is taking place ,but this is taking alot of time maybe one time I'll try to do it .Alteratively you may use an memory patcher.


The only way exept if you are a cracker )

Final Notes

This was an easy to crack target security systems should be more safe than this.

Oh Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.


zouzouni's cracking gallery

  art gallery main section disclaimer message-boards contact

< CurrentVersion\App "