<HTML>
<HEAD>
   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
   <META NAME="GENERATOR" CONTENT="Mozilla/4.04 [en] (Win95; I) [Netscape]">
   <META NAME="Author" CONTENT="The Sandman">
   <META NAME="Classification" CONTENT="Reverse Code Engineering">
   <META NAME="Description" CONTENT="Step by step guide to cracking The File Chopper V2">
   <META NAME="KeyWords" CONTENT="How to crack The File Chopper V2">
   <TITLE>The File Chopper V2</TITLE>
</HEAD>
<BODY TEXT="#001010" BGCOLOR="#C0C0C0" LINK="#FF0000" VLINK="#CC0000" ALINK="#FFFFFF">
<FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR BGCOLOR="#FFFFFF">
<TD WIDTH="15%">
<CENTER><B><FONT FACE="Arial,Helvetica">Nov 1998</FONT></B></CENTER>
</TD>

<TD WIDTH="100%">
<CENTER><B><FONT FACE="Arial,Helvetica"><FONT SIZE=+1>"</FONT><FONT SIZE=+2>The
File Chopper V2</FONT><FONT SIZE=+1>"</FONT></FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">( 'How to *think* like a cracker'&nbsp;
)</FONT></CENTER>
</TD>

<TD WIDTH="30%">
<CENTER><B><FONT FACE="Arial,Helvetica">Win '95 PROGRAM</FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#808080">Win Code Reversing</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#808080">&nbsp;</FONT></FONT></CENTER>
</TD>
</TR>

<TR BGCOLOR="#FFFF99">
<TD WIDTH="15%">
<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#890000">&nbsp;</FONT></FONT></CENTER>
</TD>

<TD>
<CENTER><FONT FACE="Arial,Helvetica">by <FONT SIZE=+3>The Sandman&nbsp;</FONT></FONT></CENTER>
</TD>

<TD VALIGN=CENTER WIDTH="30%"><FONT FACE="Arial,Helvetica">&nbsp;</FONT></TD>
</TR>

<TR BGCOLOR="#999900">
<TD WIDTH="15%">
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>
</TD>

<TD>
<CENTER><FONT FACE="Arial,Helvetica">Code Reversing For Beginners&nbsp;</FONT></CENTER>
</TD>

<TD WIDTH="30%">
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>
</TD>
</TR>

<TR BGCOLOR="#C0C0C0">
<TD WIDTH="15%"></TD>

<TD ALIGN=LEFT>
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><B><FONT FACE="Arial,Helvetica">Program Details</FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Name:</B> TheFileChopper.exe</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Type:</B> File Splitting
Utility</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Location:</B> <A HREF="Files/TheFileChopper.exe">Here</A>&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><B>Program Size: </B>770K&nbsp;</FONT></CENTER>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT></TD>

<TD WIDTH="30%"></TD>
</TR>

<TR BGCOLOR="#C0C0C0">
<TD WIDTH="15%"></TD>

<TD><FONT FACE="Arial,Helvetica"><B>&nbsp;</B>&nbsp;&nbsp;&nbsp;&nbsp;</FONT>&nbsp;
<CENTER><B><FONT FACE="Arial,Helvetica">Tools Used:</FONT></B></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;Softice V3.24 - Win'95 Debugger</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">W32Dasm V8.93 - Disassembler</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><A HREF="winice.dat">Winice.Dat</A>
- Softice settings I used</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>
</TD>

<TD WIDTH="30%"></TD>
</TR>

<TR>
<TD VALIGN=CENTER BGCOLOR="#C6E7C6">
<CENTER><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#0000FF">Rating</FONT></FONT></B></CENTER>
</TD>

<TD VALIGN=CENTER BGCOLOR="#C6E7C6">
<CENTER><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#0000FF">Easy ( X
)&nbsp; Medium (X )&nbsp; Hard ( )</FONT></FONT></B></CENTER>
</TD>

<TD WIDTH="30%" BGCOLOR="#999900"><B><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>There
is a crack, a crack in everything. That's how the light gets in.</FONT></FONT></B></TD>
</TR>
</TABLE>

<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>&nbsp;</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;&nbsp;&nbsp;&nbsp;</FONT>&nbsp;
<HR></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+3>The File Chopper V2</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+2>( 'How to *think* like
a cracker...'</FONT><B>&nbsp;</B><FONT SIZE=+2> )</FONT></FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#0B7FC1">Written by The
Sandman</FONT></FONT></CENTER>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#0000FF"><FONT SIZE=+2>Introduction</FONT></FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">The author of <A HREF="http://home3.swipnet.se/~w-38905/">The
File Chopper</A>&nbsp; says:-</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>"1. Splits a big file into
smaller files of desired sizes. These&nbsp; sizes may be chosen either
from a fully editable list of Base Sizes, or calculated from within the
program.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>2.&nbsp; Restores the big
file from the smaller ones."</FONT></FONT>
<BR><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#993366"><FONT SIZE=-1>&nbsp;</FONT></FONT></FONT></B>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#3333FF"><FONT SIZE=+2>About
this protection system</FONT></FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">This program has a 30-day, 5 MB file-handling
restriction and a simple Nag Screen associated with it, and is 'protected'
by a serial registration code to prevent the program from being pirated.</FONT>

<P><FONT FACE="Arial,Helvetica">On first running this program the following
key is created in your System Registry File.</FONT>

<P><FONT FACE="Arial,Helvetica">HKEY_USERS\.Default\Software\Matex Data
HB\The File Chopper\</FONT>

<P><FONT FACE="Arial,Helvetica">If you use REGMON or REGVIEW then you will
discover the following entries that are of interest to us..</FONT>

<P><FONT FACE="Arial,Helvetica">HKEY_USERS\.Default\Software\Matex Data
HB\The File Chopper\License</FONT>

<P><FONT FACE="Arial,Helvetica">ExpireDay&nbsp;&nbsp;&nbsp;&nbsp; = 00008D37
(36151 Decimal)&nbsp; DWORD</FONT>
<BR><FONT FACE="Arial,Helvetica">LicenseCode=""</FONT>
<BR><FONT FACE="Arial,Helvetica">UserName&nbsp;&nbsp;&nbsp;&nbsp; =""</FONT>

<P><FONT FACE="Arial,Helvetica">The program is able to detect any tampering
you may make to the <B><FONT COLOR="#993366">ExpireDate</FONT></B> value:
if you try to increase it, the program will set 'ExpireDate' so that you have
just 1 day left to evaluate the program. It's a simple check to implement, but
a somewhat wasted effort on behalf of the programmer(s), since if you delete the
whole Key then the program *thinks* it has never been run before and gives you
yet another 30 free days to evaluate the program with. Obviously they hope you
don't think of this simple trick *grin*</FONT>
<BR>&nbsp;
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+2><FONT COLOR="#0000FF">The
Essay</FONT>&nbsp;</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">On October 23rd 1998 I opened up a new
'live' Cracking Forum called '<B><A HREF="http://disc.server.com/discussion.cgi?id=33330">Cracking
Challenges For All</A></B>'&nbsp; that is aimed at helping newbies learn
how to crack in ways that tutorials and essays cannot teach you. This forum
will, perhaps for the FIRST time, open your eyes to the *real* world of
cracking; forget about diving into a program and finding the 'crack', that's
not what cracking is all about. Instead, here you will find out <B><U>exactly</U></B>
what tuts and essays fail to show you: the inner workings of protection
systems examined in much greater detail than you thought possible.</FONT>

<P><FONT FACE="Arial,Helvetica">This essay is the <B><FONT COLOR="#000000">Third</FONT></B>
in a series of tuts based on a program that was featured in the '<B><FONT COLOR="#000099">Cracking
Challengers For All</FONT></B>' forum that shows what can be achieved if
people join together to crack the same program.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>

<P><FONT FACE="Arial,Helvetica">OK, let's crack on with this essay...</FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">On running this program
you'll see a simple dialog box (a nag screen) showing you how many days
you have left to evaluate the program; click <B>OK</B> to this message
box.&nbsp; You're now in the main program.. The Registration screen is found
by selecting <B>Help</B> and then the <B>License Information</B> option.</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">There's no Cancel
button for this screen, so to quit it you need to either enter a valid
serial number or click on the '<B>X</B>' button found at the top right
hand corner of the Registration Screen..</FONT></FONT>

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">The program expects
you, the User, to enter a User Name/Handle and a valid License Code.. One
of the best ways to see whether a program expects an integer or an alphanumeric
code is to type in a series of letters for the serial number.. That way,
if the program expects just numbers then it will either crash or give you
an error message stating that the serial number must be within the range
of an Integer, or words to that effect.. In our particular case, clicking
on the '<B>Check The Code</B>' button results in the message "</FONT><B><FONT COLOR="#993366">Sorry,
the license Code Entered Is Wrong!</FONT></B><FONT COLOR="#000000">".</FONT>&nbsp;
The program uses an alphanumeric serial number.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">When you try to register this program
you'll see a standard messagebox appear informing you that "<B><FONT COLOR="#993366">The
license code entered is wrong!</FONT></B>", which is fine because we can easily
get Softice to break on this function when we fire up Softice a little
later on..</FONT>

<P><FONT FACE="Arial,Helvetica">Let's create a Dead Listing of this program
using W32Dasm; you can use IDA Pro if you wish, but unless you're an experienced
cracker you might find the output a little hard to follow.</FONT>

<P><FONT FACE="Arial,Helvetica">A quick look in our dead listing at the
<B><FONT COLOR="#993366">String Data Resources</FONT></B> shows that there
is a lot of text in both English &amp; German, but lets carry on..</FONT>

<P><FONT FACE="Arial,Helvetica">Having viewed the String Data Resources,
I then tend to perform a Search for my two favourite text strings:-</FONT>

<P><FONT FACE="Arial,Helvetica">The Good Guy Message</FONT>
<BR><FONT FACE="Arial,Helvetica">The Bad Guy Message</FONT>

<P><FONT FACE="Arial,Helvetica">OK, let's search for the 'Good Guy' text
"<B>Thank you</B>"</FONT>

<P>Remember, we're still in our Dead Listing... You should now see this
section of code..:-

<P><FONT FACE="Courier New,Courier">*StringData Ref from Data Obj ->"<B><FONT COLOR="#993366">Correct
license code entered. </FONT></B>"</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
->"<B><FONT COLOR="#993366">Thank you for buying this program.</FONT></B>"</FONT>

<P><FONT FACE="Courier New,Courier">:00412964 BAA33B4800&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 00483BA3</FONT>
<BR><FONT FACE="Courier New,Courier">:00412969 8D85E0FAFFFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp+FFFFFAE0]</FONT>
<BR><FONT FACE="Courier New,Courier">:0041296F E8288D0600&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0047B69C</FONT>
<BR><FONT FACE="Courier New,Courier">:00412974 FF431C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
inc [ebx+1C]</FONT>

<P><FONT FACE="Courier New,Courier">&lt;--------Snip, Snip------------></FONT>

<P><FONT FACE="Courier New,Courier">:00412A08 BA02000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 00000002</FONT>
<BR><FONT FACE="Courier New,Courier">:00412A0D E8E28D0600&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0047B7F4</FONT>
<BR><FONT FACE="Courier New,Courier">:00412A12 66C74310980C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov [ebx+10], 0C98</FONT>

<P><FONT FACE="Courier New,Courier">*StringData Ref from Data Obj ->"<B><FONT COLOR="#993366">Sorry,
the license code entered is wrong!</FONT></B>"</FONT>

<P><FONT FACE="Courier New,Courier">:00412A18 BA723C4800&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 00483C72</FONT>
<BR><FONT FACE="Courier New,Courier">:00412A1D 8D85D4FAFFFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp+FFFFFAD4]</FONT>
<BR><FONT FACE="Courier New,Courier">:00412A23 E8748C0600&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0047B69C</FONT>

<P>&nbsp;
<BR>&nbsp;
<BR><FONT FACE="Arial,Helvetica">OK, we've found the Good Guy &amp; Bad
Guy messages very close to each other, so no need to do any more searches..&nbsp;
Normally from here we would be able to back-track our way through the code
to the conditional jump statement that decides which of these
messages to display, but 'The File Chopper' uses a different method of accessing
routines from the ones we're normally used to....</FONT>

<P><FONT FACE="Arial,Helvetica">A quick look at the dead listing tells
me that this program relies heavily on Memory Address Pointers which means
W32Dasm is unable to work out where certain calls to routines are made
from.</FONT>

<P><FONT FACE="Arial,Helvetica">One of the main reasons for selecting 'The
File Chopper' for this project was its use of pointers to locate
and execute many of its internal routines, as well as some German text
strings thrown in for good measure.&nbsp; So often we read about and rely
on text strings to guide us around unfamiliar code that when a program
such as 'The File Chopper' uses a different method of executing the code,
we too must adopt a new perspective on the problem. For many of you, this
is perhaps the first time you've come across a program that uses pointer
addresses to move around the code with.</FONT>

<P><FONT FACE="Arial,Helvetica">While our dead listing may at first seem
somewhat hard to understand, we mustn't forget that the information we
want is still being shown to us, and we can still see some *possible* places
to set some Softice BPX's. With programs that use pointers we will come
to rely more and more on Softice's ability to show us where the program
reads the pointer addresses from and where the program goes once it has
read a pointer address. Our dead listing shows us possible places to set
a bpx, so set as many as you feel are necessary.&nbsp; I find that the 'RET'
instruction at the end of a routine is extremely helpful, since it will
automatically help us to 'back-track' through the code without worrying
about where the previous routine was Jumped/Called from.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>

<P><FONT FACE="Arial,Helvetica">Using memory pointers is a simple way to
make life hard for newbie crackers when they try to follow the program's
flow in their dead listings.&nbsp; They are also very useful from the programmer's
point of view because they make it quite easy to apply 'self modifying' code
techniques to the program itself;&nbsp; now that would make things very
interesting indeed, but that's a totally different story!</FONT>

<P><FONT FACE="Arial,Helvetica">Here's a simple overview of how Memory Address
Pointers work..</FONT>

<P><FONT FACE="Arial,Helvetica">The programmer sets aside an area of memory
that he will use to hold the locations where some of his routines can be
found. Lets call this area <B><FONT COLOR="#000099">Table 1</FONT></B>.</FONT>

<P><FONT FACE="Arial,Helvetica">These memory addresses will be stored side-by-side
and don't contain any assembler instructions such as jmp, jnz etc.</FONT>

<P><FONT FACE="Arial,Helvetica">Suppose the target program has three routines,
<B><FONT COLOR="#993366">Routine 1</FONT></B>, <B><FONT COLOR="#993366">Routine
2</FONT></B>, <B><FONT COLOR="#993366">Routine 3</FONT></B>, whose memory locations
the programmer wants to place in <B><FONT COLOR="#000099">Table
1</FONT></B>. Here's how it could be achieved..</FONT>

<P><FONT FACE="Courier New,Courier"><B><FONT COLOR="#993366">Routine 1.
</FONT></B>Begins at memory address 4703ED32</FONT>
<BR><FONT FACE="Courier New,Courier"><B><FONT COLOR="#993366">Routine 2.</FONT></B>
Begins at memory address 416EDD00</FONT>
<BR><FONT FACE="Courier New,Courier"><B><FONT COLOR="#993366">Routine 3.
</FONT></B>Begins at memory address 445F3400</FONT>

<P><FONT FACE="Arial,Helvetica">OK, we have three routines and we know where
they begin. Normally a program would use CALL 4703ED32 to execute the first
routine, or perhaps a JNZ 4703ED32, which we should all be familiar with
by now..&nbsp; However, the programmer doesn't want you to see this in
your dead listing, so he will replace the normal Call and JNZ statements
with ones whose targets cannot be calculated easily by W32Dasm.</FONT>

<P><FONT FACE="Arial,Helvetica">The programmer will 'take' the memory address
of the above three routines and store them in an area within the program
which we've called <B><FONT COLOR="#000099">Table 1</FONT></B>.</FONT>

<P><B><FONT COLOR="#000099">TABLE 1.</FONT></B>

<P>32ED0347&nbsp; 00DD6E41&nbsp;&nbsp; 00345F44
<BR>&nbsp;&nbsp;&nbsp;&nbsp; :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:
<BR>&nbsp;&nbsp;&nbsp;&nbsp; :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:------------<B><FONT COLOR="#993366">Routine 3</FONT></B>
<BR>&nbsp;&nbsp;&nbsp;&nbsp; :&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:-----------------------------<B><FONT COLOR="#993366">Routine 2</FONT></B>
<BR>&nbsp;&nbsp;&nbsp;&nbsp; :---------------------------------------------<B><FONT COLOR="#993366">Routine
1</FONT></B>

<P><FONT FACE="Arial,Helvetica">Notice how the routine addresses are 'reversed':
the least significant byte is stored first (so-called little-endian order).
That's how they are stored in PC's and other computer systems, and it dates
back to the early days of computers..</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>

<P><FONT FACE="Arial,Helvetica">OK, now the programmer has created a kind
of look-up table, but the rest of his program now needs to be told WHERE
and HOW to 'find' the addresses for <B><FONT COLOR="#993366">Routine 1</FONT></B>,
<B><FONT COLOR="#993366">Routine 2</FONT></B>, <B><FONT COLOR="#993366">Routine
3</FONT></B></FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>

<P><FONT FACE="Arial,Helvetica">First, the programmer will use one of the
PC's internal registers to 'point' to <B><FONT COLOR="#000099">Table 1</FONT></B>.</FONT>

<P><FONT FACE="Arial,Helvetica">Mov&nbsp; EAX,40100000&nbsp;&nbsp;&nbsp;
&lt;-------&nbsp; Set Register EAX to point to <B><FONT COLOR="#000099">Table
1</FONT></B></FONT>

<P><FONT FACE="Arial,Helvetica">If you type d EAX then you'll see this:-</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>

<P><FONT FACE="Arial,Helvetica">XXXXXXXX:40100000&nbsp;&nbsp;&nbsp; 32ED034700DD6E4100345F44</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>

<P><FONT FACE="Arial,Helvetica">EAX is 'Pointing' to <B><FONT COLOR="#000099">Table
1</FONT></B></FONT>

<P><FONT FACE="Courier New,Courier">XXXXXXXX:40100000&nbsp; 32</FONT>
<BR><FONT FACE="Courier New,Courier">XXXXXXXX:40100001&nbsp; ED</FONT>
<BR><FONT FACE="Courier New,Courier">XXXXXXXX:40100002&nbsp; 03</FONT>
<BR><FONT FACE="Courier New,Courier">XXXXXXXX:40100003&nbsp; 47</FONT>
<BR><FONT FACE="Courier New,Courier">XXXXXXXX:40100004&nbsp; 00</FONT>
<BR><FONT FACE="Courier New,Courier">XXXXXXXX:40100005&nbsp; DD</FONT>
<BR><FONT FACE="Courier New,Courier">XXXXXXXX:40100006&nbsp; 6E</FONT>
<BR><FONT FACE="Courier New,Courier">XXXXXXXX:40100007&nbsp; 41</FONT>
<BR>....&lt;Snip>....
<BR>&nbsp;

<P><FONT FACE="Arial,Helvetica">Now in order for the program to execute,
say, <B><FONT COLOR="#993366">Routine 2</FONT></B>, it has to give
the computer a little maths sum to tell it where to find the start of
<B><FONT COLOR="#993366">Routine 2</FONT></B>.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>

<P><FONT FACE="Courier New,Courier">CALL ptr [EAX+00000004]</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
|---||-------|</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :</FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :--------Memory offset =<B><FONT COLOR="#993366">Routine
2 Address</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
:---------------EAX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
=<B><FONT COLOR="#993366">Table 1</FONT></B></FONT>
<BR>&nbsp;

<P><B><FONT COLOR="#000099">Table 1</FONT></B>.

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>XXXXXXXX:40100000&nbsp;
00 ---&nbsp; First Memory address at 40100000 offset 00 - <B><FONT COLOR="#993366">Routine
1</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>XXXXXXXX:40100001&nbsp;
CD :</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>XXXXXXXX:40100002&nbsp;
67 :</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>XXXXXXXX:40100003&nbsp;
46 ------------</FONT></FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1>XXXXXXXX:40100004&nbsp;
56 --- Second Memory address at 40100004 offset 04 - <B><FONT COLOR="#993366">Routine
2</FONT></B></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>XXXXXXXX:40100005&nbsp;
EF :</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>XXXXXXXX:40100006&nbsp;
32 :</FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1>XXXXXXXX:40100007&nbsp;
41 -----------</FONT></FONT>
<BR>....&lt;Snip>....
<BR>&nbsp;

<P><FONT FACE="Arial,Helvetica">Looking at the above Call ptr [EAX+00000004]
instruction we can see that the program will take the address of<B><FONT COLOR="#993366">
Routine 2</FONT></B> out of <B><FONT COLOR="#000099">Table 1</FONT></B>
by adding the offset value [00000004] to EAX in order to retrieve the memory address
stored in this table.</FONT>

<P><FONT FACE="Arial,Helvetica">Since memory addresses are stored in REVERSE
order we need to reverse the order of these four bytes to get the correct
address.</FONT>

<P><FONT FACE="Arial,Helvetica">Does this make any sense?&nbsp;
Don't worry too much if it doesn't yet,&nbsp;
it will one day when you're ready..:)</FONT>
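<P><FONT FACE="Arial,Helvetica">As an added example (not code from the essay or from The File Chopper), here is the same look-up in Python: it takes the Table 1 bytes exactly as Softice's 'd EAX' shows them, decodes each 4-byte slot in little-endian order, and resolves a 'CALL ptr [EAX+00000004]' to the routine it lands in. The memory model and the operand parser are constructed for the example; the table bytes and base address are the ones used above.</FONT>

```python
import re
import struct

# Constructed from the essay's "Table 1": the bytes Softice shows for "d EAX"
# when EAX = 40100000. Three 4-byte routine addresses, each stored least
# significant byte first (little-endian), which is why they look "reversed".
TABLE1_BASE = 0x40100000
TABLE1_DUMP = "32ED0347" "00DD6E41" "00345F44"

# A tiny memory model, {start_address: bytes}. Only the table is mapped here.
MEMORY = {TABLE1_BASE: bytes.fromhex(TABLE1_DUMP)}


def read_dword(memory, address):
    """Read the 4 bytes at `address` and decode them as a little-endian DWORD."""
    for start, chunk in memory.items():
        if start <= address and address + 4 <= start + len(chunk):
            return struct.unpack_from("<I", chunk, address - start)[0]
    raise ValueError("address %08X is not mapped" % address)


def parse_table(memory, base, count):
    """Return {slot_address: routine_address} for `count` pointer slots at `base`."""
    return {base + 4 * i: read_dword(memory, base + 4 * i) for i in range(count)}


def dump_bytes(address):
    """Show a 32-bit address the way it sits in memory (the 'reversed' form)."""
    return struct.pack("<I", address).hex().upper()


# Matches the "[REG+disp]" operand of an indirect call; disp is hex, optional.
_OPERAND = re.compile(
    r"\[\s*(E[A-D]X|E[SD]I|E[BS]P)\s*(?:\+\s*([0-9A-Fa-f]+))?\s*\]", re.IGNORECASE)


def resolve_call_ptr(instruction, regs, memory):
    """Resolve 'CALL ptr [REG+disp]': the effective address is REG + disp, and
    the call target is the little-endian DWORD stored there. Returns (slot, target)."""
    m = _OPERAND.search(instruction)
    if not m:
        raise ValueError("no [REG+disp] operand in %r" % instruction)
    reg, disp = m.group(1).upper(), int(m.group(2) or "0", 16)
    slot = regs[reg] + disp
    return slot, read_dword(memory, slot)


if __name__ == "__main__":
    for slot, target in parse_table(MEMORY, TABLE1_BASE, 3).items():
        print("%08X: %s -> routine at %08X" % (slot, dump_bytes(target), target))
    slot, target = resolve_call_ptr("CALL ptr [EAX+00000004]", {"EAX": TABLE1_BASE}, MEMORY)
    print("CALL ptr [EAX+00000004] reads slot %08X and lands in %08X" % (slot, target))
```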
<BR>&nbsp;
<BR><FONT FACE="Arial,Helvetica">OK, back to cracking File Chopper....</FONT>
<BR>&nbsp;
<BR>We're going to crack this babe via two different methods: the first
method we will choose is the nop'ing of a conditional jump, a classic newbie
crack, and the other way we shall sniff out the *real* serial number so
that we can *register* this program with whatever Name/Handle we choose..
Interestingly, when we come to sniffing out the serial number we will come
across an interesting 'bug' in the program, more of this later...

<P>&nbsp;
<BR><B><U><FONT FACE="Arial,Helvetica"><FONT COLOR="#663366"><FONT SIZE=+2>CRACK
METHOD ONE - A Classic Newbie Patch</FONT></FONT></FONT></U></B>

<P>One of the most popular methods a program can use to determine how many
days you have left to evaluate the program is to read the PC's internal
clock and then take this date from the date of the file itself..&nbsp;
In fact, the program could use an entry in your System Registry file, but
it doesn't matter what it uses; all we need to know right now is
that we can get Softice to trap this process using the function found in&nbsp;
Kernel32!<B><FONT COLOR="#000099">GetLocalTime.</FONT></B>
<BR>&nbsp;
<BR>Why would we use <B><FONT COLOR="#000099">GetLocalTime</FONT></B> and
how does this help us?..&nbsp; Well, before a program is able to determine
whether it's been 'registered' or not, or that you've 'run out of time' for evaluating
the software, the program must carry out a set of steps that we can make
use of.. This knowledge comes from experience and a dash of logic..

<P><FONT FACE="Arial,Helvetica">Here's a simple overview of what I mean..</FONT>

<P><FONT FACE="Arial,Helvetica">On start-up the program obtains the PC's
internal date.&nbsp; It then checks this date against an entry stored in
your System Registry File or against the program's .EXE file itself. If
subtracting the date stored in your system registry file (or the date assigned
to the program's .EXE file) from the 'current' PC date produces a 'negative'
number then the program will check to see whether it has been 'Registered'
or not.&nbsp; It does this by trying to retrieve the user's details from
the System Registry file, or even from a hidden file stored somewhere on
the User's hard disk. If this checks out ok then the program will insert
a value of '1' into a memory location that signifies to the rest of
the program that it has been registered; if not then a value of '0' will
be inserted into this same memory location..</FONT>

<P><FONT FACE="Arial,Helvetica">At this point, if the program has not been
registered and the User has 'run out of' credit, then a messagebox (the
first sign of any activity from the program) appears,&nbsp; informing the
User they have no more 'free' time, after which the program will exit back
to Windows.&nbsp;&nbsp; If the User does have some 'free' time left and
the program has not been registered then a 'Nag Screen' appears before
the main program has had a chance to be displayed.</FONT>

<P><FONT FACE="Arial,Helvetica">If the program has been registered then
the Nag Screen is bypassed and the main program is executed...</FONT>

<P><FONT FACE="Arial,Helvetica">All this sounds very complicated but in
reality it's just a set of logical steps that makes sense if you give this
matter some further thought...</FONT>
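<P><FONT FACE="Arial,Helvetica">As an added example (my own model, not File Chopper's code), here is the start-up logic just described written out in Python, fed with the ExpireDay value quoted earlier (00008D37 = 36151). It assumes ExpireDay is a Delphi-style day count (days since 1899-12-30), which the GetLocalTime -> year/month/day -> fstp qword sequence later in the essay is consistent with but which the page does not state; the exact tamper check is likewise a guess at what the essay describes. Under that assumption 36151 decodes to 22 December 1998, thirty days after a first run on 22 November 1998, which fits the essay's date.</FONT>

```python
from datetime import date, timedelta

# Assumption (not stated in the essay): ExpireDay is a Delphi-style TDateTime
# day count, i.e. the number of days since 1899-12-30.
DAY_ZERO = date(1899, 12, 30)
TRIAL_DAYS = 30

# The registry value quoted in the essay (00008D37 = 36151).
EXPIRE_DAY_FROM_PAGE = 0x00008D37


def day_number(d):
    """Calendar date -> day count under the DAY_ZERO assumption."""
    return (d - DAY_ZERO).days


def day_to_date(n):
    """Day count -> calendar date under the DAY_ZERO assumption."""
    return DAY_ZERO + timedelta(days=n)


def startup_check(expire_day, today, license_valid):
    """Model of the start-up steps described above.

    expire_day    : the stored registry value, or None when the key is absent
                    (first run, or the key was deleted).
    today         : the date read from the PC clock (GetLocalTime).
    license_valid : whether the stored UserName/LicenseCode checked out.

    Returns (state, days_left, new_expire_day) where state is 'registered',
    'nag' or 'expired'. new_expire_day is what the program would write back.
    """
    today_num = day_number(today)
    if license_valid:
        # Registered: the nag screen is bypassed and the date is never consulted.
        return "registered", None, expire_day
    if expire_day is None:
        # No key: the program believes it has never run and grants a fresh
        # trial. This is the weakness the essay points out: the only record of
        # the trial lives in a registry key the user can simply delete.
        expire_day = today_num + TRIAL_DAYS
    elif expire_day > today_num + TRIAL_DAYS:
        # Tamper handling as the essay describes it: an expiry further away
        # than a brand-new trial cannot be genuine, so cut it to one day left.
        # (How File Chopper really detects this is not shown on the page.)
        expire_day = today_num + 1
    days_left = expire_day - today_num
    if days_left <= 0:
        return "expired", days_left, expire_day
    return "nag", days_left, expire_day


if __name__ == "__main__":
    print("ExpireDay %d is %s" % (EXPIRE_DAY_FROM_PAGE, day_to_date(EXPIRE_DAY_FROM_PAGE)))
    print(startup_check(EXPIRE_DAY_FROM_PAGE, date(1998, 12, 1), False))
    print(startup_check(EXPIRE_DAY_FROM_PAGE + 1000, date(1998, 12, 1), False))
```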

<P><FONT FACE="Arial,Helvetica">OK, we have a general idea of the processes
involved before the Nag Screen is displayed, so lets see how this looks
in 'The File Chopper'...</FONT>

<P><FONT FACE="Arial,Helvetica">Before running The File Chopper, lets fire
up Softice (<B>Ctrl &amp; D keys together</B>) and type: <B>bpx getlocaltime</B>
then <B>x </B>to exit Softice..</FONT>

<P><FONT FACE="Arial,Helvetica">Now start up File Chopper..</FONT>

<P><FONT FACE="Arial,Helvetica">Softice breaks at: <B><FONT COLOR="#663366">KERNEL32!SetFileTime
:BFF7717D</FONT></B></FONT>

<P><FONT FACE="Arial,Helvetica">Type: <B>bd 00</B> to disable the <B><FONT COLOR="#000099">GetLocalTime</FONT></B>
breakpoint; it's done its job so we don't need it anymore.</FONT>

<P><FONT FACE="Arial,Helvetica">Press <B>F11</B> once to allow Softice
to finish executing this function and break once again at the point where
File Chopper originally called this function..</FONT>

<P><FONT FACE="Arial,Helvetica">We should now see this snippet of code...</FONT>

<P><FONT FACE="Courier New,Courier">:00467905 668B4C240E&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov cx, word ptr [esp+0E]&nbsp; ;<B><FONT COLOR="#993366">cx= current day</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:0046790A 668B54240A&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov dx, word ptr [esp+0A]&nbsp; ;<B><FONT COLOR="#993366">dx= current month</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:0046790F 668B442408&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov ax, word ptr [esp+08]&nbsp; ;<B><FONT COLOR="#993366">ax= current year</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:00467914 E81FFEFFFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 00467738</FONT>
<BR><FONT FACE="Courier New,Courier">:00467919 DD1C24&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
fstp qword ptr [esp]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ;<B><FONT COLOR="#993366">esp=036134h</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:0046791C 9B&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
wait</FONT>
<BR><FONT FACE="Courier New,Courier">:0046791D DD0424&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
fld qword ptr [esp]</FONT>
<BR><FONT FACE="Courier New,Courier">:00467920 83C418&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
add esp, 00000018</FONT>
<BR><FONT FACE="Courier New,Courier">:00467923 C3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ret&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">this RETurns us to 0047BD30</FONT></B></FONT>
<BR>&nbsp;

<P><FONT FACE="Arial,Helvetica">OK, the above code snippet simply loads
the cx, dx and ax registers with the current date from our PC's local clock,
which is stored at ESP+0E, ESP+0A and ESP+08 respectively.. F10 through
this code and you will be RETurned to this code block:-</FONT>

<P><FONT FACE="Courier New,Courier">:0047BD30 5D&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
pop ebp ;<B><FONT COLOR="#993366">F10 through these two instructions.</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:0047BD31 C3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ret&nbsp;&nbsp;&nbsp;&nbsp; ;<B><FONT COLOR="#993366">this RETurns us to
00403E2E</FONT></B></FONT>
<BR>&nbsp;

<P>Once you <B>F10</B> on the RET instruction we are now taken to this
large code block... Now some of you have commented on some of my tuts that
they don't always show the 'thinking' behind the tracing of code blocks
so here's what I did..
<BR>&nbsp;

<P><FONT FACE="Courier New,Courier">:00403E2E DD9D28FFFFFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
fstp qword ptr [ebp+FFFFFF28] ;<B><FONT COLOR="#993366">We land here...</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:00403E34 DD8528FFFFFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
fld qword ptr [ebp+FFFFFF28]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E3A E841000700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 00473E80</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E3F 898530FFFFFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov dword ptr [ebp+FFFFFF30], eax</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E45 8D5720&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea edx, dword ptr [edi+20]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E48 8D8314030000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebx+00000314]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E4E E8D1790700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0047B824</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E53 8B55FC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, dword ptr [ebp-04]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E56 8D4DFC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea ecx, dword ptr [ebp-04]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E59 52&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push edx</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E5A 51&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push ecx</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E5B 66C74610A400&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov [esi+10], 00A4</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E61 BA0BD64700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 0047D60B&nbsp;</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E66 8D45C0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp-40] ;<B><FONT COLOR="#993366">Type: edx = UserName</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:00403E69 E82E780700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0047B69C</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E6E FF461C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
inc [esi+1C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E71 8B08&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov ecx, dword ptr [eax]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E73 51&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push ecx&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">Type: ecx = UserName</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:00403E74 8B8314030000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebx+00000314]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E7A 50&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<FONT COLOR="#000000">;</FONT><B><FONT COLOR="#993366">Type: eax = License</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:00403E7B 57&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push edi</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E7C E84FC50100&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 004203D0</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E81 83C414&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
add esp, 00000014</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E84 FF4E1C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
dec [esi+1C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E87 8D45C0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp-40]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E8A BA02000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 00000002</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E8F E860790700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0047B7F4</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E94 66C74610B000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov [esi+10], 00B0</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E9A BA20D64700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 0047D620</FONT>
<BR><FONT FACE="Courier New,Courier">:00403E9F 8D45BC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp-44]&nbsp; ;<B><FONT COLOR="#993366">Type: edx =
ExpireDay</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:00403EA2 E8F5770700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0047B69C</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EA7 FF461C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
inc [esi+1C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EAA BA14D64700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 0047D614</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EAF 8B08&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov ecx, dword ptr [eax]&nbsp;&nbsp;&nbsp;&nbsp; ;<B><FONT COLOR="#993366">Type:</FONT></B>
<B><FONT COLOR="#993366">edx = LicenseCode</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:00403EB1 8D45F8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp-08]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EB4 51&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push ecx</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EB5 50&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push eax</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EB6 8D45B8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp-48]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EB9 E8DE770700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0047B69C</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EBE FF461C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
inc [esi+1C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EC1 8B10&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, dword ptr [eax]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EC3 52&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push edx</FONT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<FONT FACE="Courier New,Courier">;<B><FONT COLOR="#993366">Type: edx =
LicenseCode</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:00403EC4 8B8B14030000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov ecx, dword ptr [ebx+00000314]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403ECA 51&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push ecx</FONT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<FONT FACE="Courier New,Courier">;<B><FONT COLOR="#993366">Type: ecx =
License</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:00403ECB 57&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push edi</FONT>
<BR><FONT FACE="Courier New,Courier">:00403ECC E8FFC40100&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 004203D0</FONT>
<BR><FONT FACE="Courier New,Courier">:00403ED1 83C414&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
add esp, 00000014</FONT>
<BR><FONT FACE="Courier New,Courier">:00403ED4 FF4E1C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
dec [esi+1C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403ED7 8D45B8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp-48]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EDA BA02000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 00000002</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EDF E810790700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0047B7F4</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EE4 FF4E1C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
dec [esi+1C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EE7 8D45BC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp-44]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EEA BA02000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 00000002</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EEF E800790700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0047B7F4</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EF4 8D8D3CFFFFFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea ecx, dword ptr [ebp+FFFFFF3C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EFA 6A00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push 00000000</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EFC 51&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push ecx</FONT>
<BR><FONT FACE="Courier New,Courier">:00403EFD BA21D64700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 0047D621</FONT>
<BR><FONT FACE="Courier New,Courier">:00403F02 66C74610BC00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov [esi+10], 00BC</FONT>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<FONT FACE="Courier New,Courier">;<B><FONT COLOR="#993366">Type: edx =
ExpireDay</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:00403F08 8D45B4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp-4C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403F0B E88C770700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0047B69C</FONT>
<BR><FONT FACE="Courier New,Courier">:00403F10 FF461C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
inc [esi+1C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403F13 8B08&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov ecx, dword ptr [eax]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403F15 51&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push ecx</FONT>
<BR><FONT FACE="Courier New,Courier">:00403F16 8B8314030000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, dword ptr [ebx+00000314]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403F1C 50&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push eax</FONT>
<BR><FONT FACE="Courier New,Courier">:00403F1D 57&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push edi</FONT>
<BR><FONT FACE="Courier New,Courier">:00403F1E E811C70100&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 00420634</FONT>
<BR><FONT FACE="Courier New,Courier">:00403F23 83C414&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
add esp, 00000014</FONT>
<BR><FONT FACE="Courier New,Courier">:00403F26 FF4E1C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
dec [esi+1C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403F29 8D45B4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp-4C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00403F2C BA02000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 00000002</FONT>
<BR><FONT FACE="Courier New,Courier">:00403F31 E8BE780700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0047B7F4 ;<B><FONT COLOR="#993366">Check if this is the first time
we are running this program.</FONT></B></FONT>

<P><B><FONT FACE="Courier New,Courier"><FONT COLOR="#993366">; Check if
memory address ebp+FFFFFF3C = 0.</FONT></FONT></B>
<BR><B><FONT FACE="Courier New,Courier"><FONT COLOR="#993366">; If it does
then this is the first time this program has been run on the User's computer.</FONT></FONT></B>

<P><FONT FACE="Courier New,Courier">:00403F36 83BD3CFFFFFF00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
cmp dword ptr [ebp+FFFFFF3C], 00000000</FONT>
<BR>&nbsp;

<P><FONT FACE="Courier New,Courier">:00403F3D 0F85CF000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jne 00404012</FONT> <FONT FACE="Courier New,Courier">;<B><FONT COLOR="#993366">jump
if not equal to 0, program has already been run</FONT></B></FONT>
<BR>&nbsp;

<P><FONT FACE="Arial,Helvetica">At this point, if the program is being run
for the FIRST time (we can simulate this by deleting the whole registration
entry at: <B><FONT COLOR="#993366">HKEY_CURRENT_USER\Software\Matex Data
HB</FONT></B> ), then the program WON'T jump to 00404012 but will continue to
execute the code following this jump.&nbsp; In your dead listing you will
see that the program now begins to create the necessary entries in the
System Registry file for this program to use later on.</FONT>

<P><FONT FACE="Arial,Helvetica">Since NOP'ing the jne 00404012 serves no
purpose other than giving us an unlimited evaluation period complete with the
Nag Screen, we must follow the jump instead to the code block at 00404012.</FONT>

<P><FONT FACE="Arial,Helvetica">We now arrive at our final block of code,
which accesses the System Registry file and attempts to fetch the User
Registration details. I know this because as I executed each instruction
I displayed the contents of the most recently changed registers.</FONT>
<BR>&nbsp;

<P><FONT FACE="Courier New,Courier">:00404012 66C74610EC00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov [esi+10], 00EC</FONT>
<BR><FONT FACE="Courier New,Courier">:00404018 33C9&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
xor ecx, ecx</FONT>
<BR><FONT FACE="Courier New,Courier">:0040401A 894DA4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov dword ptr [ebp-5C], ecx</FONT>
<BR><FONT FACE="Courier New,Courier">:0040401D 8D4DA4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea ecx, dword ptr [ebp-5C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00404020 FF461C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
inc [esi+1C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00404023 B850A54900&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, 0049A550</FONT>
<BR><FONT FACE="Courier New,Courier">:00404028 8B55FC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, dword ptr [ebp-04] ;<B><FONT COLOR="#993366">edx = User Name from
registry file</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:0040402B E854D50100&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 00421584&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">See if User Name exists</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier"><B><FONT COLOR="#993366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</FONT></B><FONT COLOR="#000000">;</FONT><B><FONT COLOR="#993366">If no
User Name exists, then</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier"><B><FONT COLOR="#993366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</FONT></B><FONT COLOR="#000000">;</FONT><B><FONT COLOR="#993366">User
Name =""</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:00404030 8D55A4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea edx, dword ptr [ebp-5C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00404033 8D45F8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp-08] ;<B><FONT COLOR="#993366">eax = Serial No from
registry file</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:00404036 E89D780700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0047B8D8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">See if Serial # exists</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier"><B><FONT COLOR="#993366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</FONT></B><FONT COLOR="#000000">;</FONT><B><FONT COLOR="#993366">If no
Serial # exists, then</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier"><B><FONT COLOR="#993366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</FONT></B><FONT COLOR="#000000">;</FONT><B><FONT COLOR="#993366">serial=""</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:0040403B 50&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
push eax</FONT>
<BR><FONT FACE="Courier New,Courier">:0040403C FF4E1C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
dec [esi+1C]</FONT>
<BR><FONT FACE="Courier New,Courier">:0040403F 8D45A4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea eax, dword ptr [ebp-5C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00404042 BA02000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, 00000002</FONT>
<BR><FONT FACE="Courier New,Courier">:00404047 E8A8770700&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 0047B7F4</FONT>
<BR><FONT FACE="Courier New,Courier">:0040404C 59&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
pop ecx</FONT>
<BR><FONT FACE="Courier New,Courier">:0040404D 84C9&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
test cl, cl&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">does cl = 0?</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:0040404F 740C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
je 0040405D&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">Jump and place a '0' in the</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier"><B><FONT COLOR="#993366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</FONT></B><FONT COLOR="#000000">;</FONT><B><FONT COLOR="#993366">Shareware/Registration
Flag</FONT></B></FONT>
<BR>&nbsp;

<P><FONT FACE="Courier New,Courier"><FONT COLOR="#000000">;</FONT><B><FONT COLOR="#993366">If
serial from your system registry file matches the one the program has created
then place </FONT></B><FONT COLOR="#000000">;</FONT><B><FONT COLOR="#993366">the
value '1' into memory location [0047D320].</FONT></B></FONT>

<P><FONT FACE="Courier New,Courier">:00404051 C60520D3470001&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov byte ptr [0047D320], 01 ;<B><FONT COLOR="#993366">Our Registration
Flag!</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:00404058 E95C020000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jmp 004042B9&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">Ignore Nag Screen Reminder</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:0040405D C60520D3470000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov byte ptr [0047D320], 00 ;<B><FONT COLOR="#993366">Our Shareware Flag!</FONT></B></FONT>

<P><FONT FACE="Arial,Helvetica">I know what you're thinking: we could NOP
out the je 0040405D instruction and then the program will always be Registered
each time it is run!.. Well, although it does look promising, we have to
remember that once this jump is patched and the program is run for the FIRST
time it WON'T come here!. Remember, this program detects if it has
not been run before and then directs execution away from the above routine to
where it will display that horrible "You have 30 days to evaluate this software
bla bla bla".. If you didn't want this then you would also have to
change the:</FONT>
<BR>&nbsp;

<P><FONT FACE="Courier New,Courier">:00403F3D&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jne 00404012</FONT>

<P><FONT FACE="Courier New,Courier">to</FONT>

<P><FONT FACE="Courier New,Courier">:00403F3D&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
jmp 00404012</FONT>

<P><FONT FACE="Arial,Helvetica">Now we are beginning to patch this program
in two different places... To add to this mess, unless you now go into
the System Registry file and enter your User Name/Handle and a fake serial
directly, this program will show that it's been registered by someone with
no name using no registration code!.&nbsp;
It's getting to be a messy job already!..</FONT>

<P><FONT FACE="Arial,Helvetica">Is there another way we could 'crack' this
program without any patching of the code and which makes use of the knowledge
we've already gained?</FONT>

<P><FONT FACE="Arial,Helvetica">As a matter of fact there is...</FONT>

<P><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><B><U><FONT FACE="Arial,Helvetica"><FONT COLOR="#663366"><FONT SIZE=+2>CRACK
METHOD TWO - Sniffing Out A Valid Serial</FONT></FONT></FONT></U></B>

<P><FONT FACE="Arial,Helvetica">Ok, where would we begin?...</FONT>

<P><FONT FACE="Arial,Helvetica">Well, if you've *tried* to patch this program
(and as a rule, Newbies tend to try this out first) then you will already
have covered most of the ground work, leaving you now to fish out the serial
number.. Easier said than done at this stage, so let's see what we can do..</FONT>

<P>Let's just re-cap on what we've already covered..

<P>The program must generate a valid serial number for our User
Name at least twice: once at run time when it tries to fetch the User's
Details from the System Registry file and once when the User tries to register
the program.&nbsp; The work we've already covered concentrated on the routines
that are executed at start up time. Don't ask me why, but I always feel
that a program is at its weakest at run-time rather than trying to go
through it once it's fully loaded into memory.. Perhaps because at run-time
we can get a lock on any of its nag screens/dialog boxes etc..

<P>Anyway...

<P><FONT FACE="Arial,Helvetica">Go back to the 'final' stage of the above
crack: just from the details we got from some of the registers, and the
fact&nbsp; that if we forced Softice to skip over the <B><FONT COLOR="#993366">je
0040405D</FONT></B> instruction we could fool the program into registering
itself, we would know (feel) that the *real* serial was close
by..</FONT>&nbsp; Let's take a closer look at this routine, in fact just
the top half of it...
<BR>&nbsp;

<P><FONT FACE="Courier New,Courier">:00404012 66C74610EC00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov [esi+10], 00EC</FONT>
<BR><FONT FACE="Courier New,Courier">:00404018 33C9&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
xor ecx, ecx</FONT>

<P><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#993366">;At this point
Register ECX has just been zero'd out by the XOR instruction on itself...</FONT></FONT></B>

<P><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#993366">&nbsp;</FONT></FONT></B>
<CENTER><TABLE BORDER BGCOLOR="#FFFFFF" >
<TR>
<TD><FONT FACE="Arial,Helvetica">If at this point we now type: <B>d ebp-5c</B>&nbsp;
we should see something like this in Softice's Hex/ASCII Code Window:-</FONT>&nbsp;

<P><FONT FACE="Courier New,Courier"><FONT COLOR="#000099">XXXX:006EFCC0:</FONT>
00 17 17 00 00 00 XX XX XX XX XX XX XX XX XX XX XX</FONT>&nbsp;
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX</FONT>&nbsp;
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX</FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000099">*Address in blue
may be different on your computer ***</FONT></FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica">These numbers don't mean much to us at
this point, but if we remember that this program relies heavily on
Address Pointers then what we're looking at is a memory location that 'stores'
the address of another part of the computer's memory. All we're doing is
seeing what the significance of [EBP-5C] is; it might pay us to keep a
closer eye on this memory location for the next few instructions.</FONT>&nbsp;
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT></TD>
</TR>
</TABLE></CENTER>
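<P><FONT FACE="Arial,Helvetica">The point made in the box above, that the dword at [EBP-5C] is itself an address and has to be read low byte first before you can follow it, as an added Python example (added here, not part of the original tutorial or the program): it parses a Softice-style dump, reads the stored address in little-endian order, and decodes the ASCII it points at. The dump lines, the 0167 segment and the addresses in it are constructed for this example.</FONT>

```python
"""Follow an address stored in a Softice-style hex dump (added example,
not part of the original tutorial).

The Hex/ASCII window shows bytes in memory order.  An x86 address is
stored little-endian, low byte first, so the dword at [EBP-5C] has to be
read back to front before it can be given to 'd' to display what it
points at.  SAMPLE_DUMP below is constructed for this example; only its
"SEG:ADDRESS: bytes" layout follows Softice.
"""
import re
import struct

# Constructed dump: a stack slot holding a pointer, and the buffer that
# pointer leads to.  Segment and addresses are made up.
SAMPLE_DUMP = """\
0167:006EFCC0: B0 AA C1 00 00 00 00 00 00 00 00 00 00 00 00 00
0167:00C1AAB0: 34 30 2D 34 31 2D 36 32 2D 30 33 2D 35 32 00 00
"""

# One dump line: 4-char segment, 8-hex-digit offset, then byte pairs.
LINE_RE = re.compile(
    r"^[0-9A-Za-z]{4}:([0-9A-Fa-f]{8}):?\s+((?:[0-9A-Fa-f]{2}\s*)+)$"
)


def parse_dump(text):
    """Turn dump lines into an {address: byte} map so reads can cross lines."""
    memory = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised dump line: {raw!r}")
        base = int(m.group(1), 16)
        for i, pair in enumerate(m.group(2).split()):
            memory[base + i] = int(pair, 16)
    return memory


def read_bytes(memory, addr, n):
    """Return n bytes from addr, failing loudly if the dump does not cover them."""
    chunk = bytearray()
    for i in range(n):
        if addr + i not in memory:
            raise ValueError(f"address {addr + i:08X} is not covered by the dump")
        chunk.append(memory[addr + i])
    return bytes(chunk)


def read_dword_le(memory, addr):
    """The right way: little-endian, i.e. the displayed bytes reversed."""
    return struct.unpack("<I", read_bytes(memory, addr, 4))[0]


def read_dword_as_displayed(memory, addr):
    """The mistake to avoid: taking the four bytes in display order."""
    return struct.unpack(">I", read_bytes(memory, addr, 4))[0]


def read_cstring(memory, addr, limit=64):
    """Decode the NUL-terminated ASCII text at addr (the right-hand side of 'd')."""
    out = bytearray()
    for i in range(limit):
        b = memory.get(addr + i)
        if b is None or b == 0:
            break
        out.append(b)
    return out.decode("ascii", errors="replace")


def follow_pointer(memory, slot):
    """Read the address stored at `slot` and return it with the text it points at."""
    target = read_dword_le(memory, slot)
    return target, read_cstring(memory, target)


if __name__ == "__main__":
    mem = parse_dump(SAMPLE_DUMP)
    target, text = follow_pointer(mem, 0x006EFCC0)
    print(f"slot holds {target:08X} -> {text!r}")
    wrong = read_dword_as_displayed(mem, 0x006EFCC0)
    print(f"read in display order it would be {wrong:08X}, which the dump does not cover")
```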
&nbsp;

<P><FONT FACE="Courier New,Courier">:0040401A 894DA4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov dword ptr [ebp-5C], ecx</FONT>
<BR>&nbsp;
<BR>&nbsp;
<CENTER><TABLE BORDER BGCOLOR="#FFFFFF" >
<TR>
<TD><FONT FACE="Arial,Helvetica">After executing the above instruction
the bytes shown in Softice Hex/ASCII Code Window show this:-&nbsp;</FONT>&nbsp;

<P><FONT FACE="Courier New,Courier"><FONT COLOR="#000099">XXXX:006EFCC0:</FONT>
00 17 17 00 00 00 00 XX XX XX XX XX XX XX XX XX XX</FONT>&nbsp;
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX</FONT>&nbsp;
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX</FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000099">*Address in blue
may be different on your computer ***</FONT></FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica">The program has, in effect, made sure it
starts off with a 'clean' slate. It's good programming policy
to do this sort of thing, especially where this memory location may be used
for other purposes later on in this program.&nbsp;</FONT>&nbsp;
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT></TD>
</TR>
</TABLE></CENTER>
&nbsp;
<BR>&nbsp;

<P><FONT FACE="Courier New,Courier">:0040401D 8D4DA4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea ecx, dword ptr [ebp-5C]</FONT>&nbsp; ;ecx now = <FONT FACE="Courier New,Courier"><FONT COLOR="#000099">XXXX:006EFCC0:</FONT></FONT>
<BR><FONT FACE="Courier New,Courier">:00404020 FF461C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
inc [esi+1C]</FONT>
<BR><FONT FACE="Courier New,Courier">:00404023 B850A54900&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov eax, 0049A550</FONT>
<BR><FONT FACE="Courier New,Courier">:00404028 8B55FC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
mov edx, dword ptr [ebp-04] ;<B><FONT COLOR="#993366">edx = User Name from
registry file</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier">:0040402B E854D50100&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
call 00421584&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
;<B><FONT COLOR="#993366">See if User Name exists</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier"><B><FONT COLOR="#993366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</FONT></B><FONT COLOR="#000000">;</FONT><B><FONT COLOR="#993366">If no
User Name exists, then</FONT></B></FONT>
<BR><FONT FACE="Courier New,Courier"><B><FONT COLOR="#993366">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</FONT></B><FONT COLOR="#000000">;</FONT><B><FONT COLOR="#993366">User
Name =""</FONT></B></FONT>
<BR>&nbsp;
<CENTER><TABLE BORDER BGCOLOR="#FFFFFF" >
<TR>
<TD><FONT FACE="Arial,Helvetica">After executing the Call 00421584 instruction,
the bytes shown in Softice's Hex/ASCII Code Window look like this:-&nbsp;</FONT>&nbsp;

<P><FONT FACE="Courier New,Courier"><FONT COLOR="#000099">XXXX:006EFCC0:</FONT>
B0 AA C1 00 00 00 00 XX XX XX XX XX XX XX XX XX XX</FONT>&nbsp;
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX</FONT>&nbsp;
<BR><FONT FACE="Courier New,Courier">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX</FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica">OK, the Call to 00421584 has updated the
first four bytes pointed to by [EBP-5C], so let's take a look at</FONT>&nbsp;
<BR><FONT FACE="Arial,Helvetica">where these 'new' four bytes point to..</FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica">Type: <B>d 00C1AAB0</B>&nbsp; Notice I've
'reversed' the order of the four bytes (the address is stored low byte first); you must remember to do this.</FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica">Hey, what's this!</FONT>&nbsp;

<P><FONT FACE="Courier New,Courier"><FONT COLOR="#000099">XXXX:00C1AAB0</FONT>
34302D34312D3632-2D30332D35320000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
40-41-62-03-52..</FONT>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000099">XXXX:XXXXXXXX</FONT>
XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
................</FONT>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000099">XXXX:XXXXXXXX</FONT>
XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
................</FONT>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000099">XXXX:XXXXXXXX</FONT>
XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
................</FONT>&nbsp;
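<P><FONT FACE="Arial,Helvetica">The two decoding steps just performed by hand, reading the four bytes at [EBP-5C] low byte first to get the address, then reading the hex run at that address as NUL-terminated ASCII, as an added Python example that is not part of the original essay. The dump lines it works on are constructed from the kind of output Softice shows above; nothing here is the program's own code.</FONT>

```python
import struct
from typing import Dict, Tuple

# Constructed sample of a Softice "d" dump line: the 17 bytes shown at
# [EBP-5C] after the call (XX marks bytes the essay does not care about).
DUMP_AT_EBP_5C = "B0 AA C1 00 00 00 00 XX XX XX XX XX XX XX XX XX XX"

# Constructed: the 16-byte hex run Softice prints at the address the
# pointer names, with its '-' separator between the two 8-byte halves.
DUMP_AT_TARGET = "34302D34312D3632-2D30332D35320000"


def pointer_from_dump(line: str) -> int:
    """Read the first four dump bytes as a little-endian 32-bit pointer.

    Softice prints bytes in memory order, so 'B0 AA C1 00' is the value
    0x00C1AAB0; the reader has to 'reverse' them, which is exactly what
    struct's '<I' (little-endian unsigned int) format does.
    """
    raw = bytes(int(tok, 16) for tok in line.split()[:4])
    return struct.unpack("<I", raw)[0]


def ascii_from_dump(hexrun: str) -> str:
    """Decode a dump hex run as a NUL-terminated ASCII string.

    Mirrors the right-hand ASCII column of the Hex/ASCII window: bytes up
    to the first 00 are the printable text, the rest is padding.
    """
    raw = bytes.fromhex(hexrun.replace("-", ""))
    text = raw.split(b"\x00", 1)[0]
    return text.decode("ascii")


def follow_pointer(stack_dump: str,
                   dumps_by_address: Dict[int, str]) -> Tuple[int, str]:
    """Chase the pointer stored at [EBP-5C] into the dump of its target."""
    addr = pointer_from_dump(stack_dump)
    return addr, ascii_from_dump(dumps_by_address[addr])


if __name__ == "__main__":
    memory = {0x00C1AAB0: DUMP_AT_TARGET}   # constructed memory image
    addr, text = follow_pointer(DUMP_AT_EBP_5C, memory)
    print(f"d {addr:08X}  ->  {text}")     # d 00C1AAB0  ->  40-41-62-03-52
```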

<P><FONT FACE="Arial,Helvetica">This looks like a serial number, but there
aren't any User Names in the System registry file for this program</FONT>&nbsp;
<BR><FONT FACE="Arial,Helvetica">to create any serials for! Unless, that
is, this program has generated a serial number for a non-existent</FONT>&nbsp;
<BR><FONT FACE="Arial,Helvetica">User Name!&nbsp; In fact this is the
case: the serial number you see is for a Blank/Empty User Name, which I</FONT>&nbsp;
<BR><FONT FACE="Arial,Helvetica">consider a 'bug' in the program. What
the program should do, on finding an empty User Name, is abort</FONT>&nbsp;
<BR><FONT FACE="Arial,Helvetica">any further processing of the Registration
File and not bother generating a serial number..</FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica">With the above serial number you can now go
into the Registration Screen and simply type in this serial</FONT>&nbsp;
<BR><FONT FACE="Arial,Helvetica">number, leaving the User Name BLANK, and
the program will become Fully Registered..:)</FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica">Having a Registered Program that does not
have our User Name/Handle feels like we've only done half</FONT>&nbsp;
<BR><FONT FACE="Arial,Helvetica">a job on this program, so let's finish
it properly..</FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica">Fire up REGEDIT and go to this entry:-</FONT>&nbsp;

<P><B><FONT FACE="Arial,Helvetica"><FONT COLOR="#993366">HKEY_CURRENT_USER\Software\Matex
Data HB\The File Chopper\License</FONT></FONT></B>&nbsp;

<P><FONT FACE="Arial,Helvetica">For the <B><FONT COLOR="#993366">UserName</FONT></B>
type in: <B>Pirate Copy</B></FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica"><B>Close</B> REGEDIT</FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica">Create a Softice breakpoint: Type: <B>BPX
getlocaltime</B> then<B> x </B>to leave Softice</FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica"><B>Run</B> 'The File Chopper'</FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000099">Softice Breaks at
the start of the GetLocalTime system function....</FONT></FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica">Press <B>F11</B> once..</FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica">Keep pressing <B>F10</B> <B><I><U>UNTIL
</U></I></B>you land here:-</FONT>&nbsp;

<P><B><FONT FACE="Courier New,Courier"><FONT COLOR="#993366">:00404030
8D55A4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
lea edx, dword ptr [ebp-5C]</FONT></FONT></B>&nbsp;

<P><FONT FACE="Arial,Helvetica">Type: <B>d ebp-5c</B></FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica">Take the first four bytes you see in Softice's
Hex/ASCII Code Window in reverse order and type: <B>D XXXXXXXX</B></FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica">We should see something like this:-</FONT>&nbsp;

<P><FONT FACE="Courier New,Courier"><FONT COLOR="#000099">XXXX:00C1AAB0</FONT>
39382D31312D3335-2D30302D31360000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
98-11-35-00-16..</FONT>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000099">XXXX:XXXXXXXX</FONT>
XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
................</FONT>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000099">XXXX:XXXXXXXX</FONT>
XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
................</FONT>&nbsp;
<BR><FONT FACE="Courier New,Courier"><FONT COLOR="#000099">XXXX:XXXXXXXX</FONT>
XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
................</FONT>&nbsp;

<P><FONT FACE="Arial,Helvetica">Now we can fully register File Chopper
with our User Name of 'Pirate Copy' using the serial of: 98-11-35-00-16</FONT></TD>
</TR>
</TABLE></CENTER>
&nbsp;
<BR>&nbsp;

<P><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">Job Done.</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;</FONT></FONT>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#0000FF"><FONT SIZE=+2>The
Crack</FONT></FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"><FONT COLOR="#000000">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</FONT></FONT>
<BR><FONT FACE="Arial,Helvetica">None is required nor needed.&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT FACE="Arial,Helvetica"><FONT SIZE=+2><FONT COLOR="#0000FF">Final
Notes</FONT>&nbsp;</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"><FONT COLOR="#333333">&nbsp;&nbsp;&nbsp;&nbsp;</FONT></FONT>

<P><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">My thanks and gratitude goes to:-</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">Fravia+ for providing possibly the greatest
source of Reverse Engineering</FONT>
<BR><FONT FACE="Arial,Helvetica">knowledge on the Web.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">+ORC for showing me the light at the end
of the tunnel.</FONT>

<P><FONT FACE="Arial,Helvetica">Everyone who took part in the 'Cracking Challenges For All' forum.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT FACE="Arial,Helvetica"><FONT COLOR="#0000FF"><FONT SIZE=+2>Ob
Duh</FONT></FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<I><FONT FACE="Arial,Helvetica">&nbsp;</FONT></I>
<BR><I><FONT FACE="Arial,Helvetica">Do I really have to remind you all
that buying and NOT stealing the software you use will ensure that these
software houses are encouraged to produce even *better* software
for us to use and enjoy?</FONT></I>

<P><I><FONT FACE="Arial,Helvetica">Ripping off software through serials
and cracks is for lamers..</FONT></I>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><I><FONT FACE="Arial,Helvetica">If you're looking for cracks or serial
numbers from these pages then you're wasting your time; try searching elsewhere
on the Web under Warez, Cracks etc.</FONT></I>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR>
<HR SIZE=3 WIDTH="100%">
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><TABLE BORDER=2 >
<TR>
<TD><FONT FACE="Arial,Helvetica">&nbsp;<A HREF="Es67.html"><B>Next</B>&nbsp;</A></FONT></TD>

<TD><FONT FACE="Arial,Helvetica">&nbsp;</FONT><B><A HREF="Tindex.html">Return
to Essay Index</A></B><FONT FACE="Arial,Helvetica">&nbsp;</FONT></TD>

<TD><FONT FACE="Arial,Helvetica">&nbsp;<B><A HREF="Es65.html">Previous</A></B>&nbsp;</FONT></TD>
</TR>
</TABLE></CENTER>

<CENTER><B><FONT FACE="Arial,Helvetica"><FONT SIZE=+1>&nbsp;</FONT></FONT></B></CENTER>

<HR SIZE=3 WIDTH="100%"><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Essay
by:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A HREF="mailto:greenway@proweb.co.uk">The
Sandman</A></FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Page Created: 06th December
1998</FONT></FONT>
<BR><SCRIPT LANGUAGE="JavaScript">
<!--- hide script from old browsers
update= new Date(document.lastModified)
document.writeln("<FONT SIZE=-1>Last Updated: <EM>" + update.toLocaleString(update) + "</EM></FONT><BR>")
// end hiding --->
</SCRIPT>

</BODY>
</HTML>
