<HTML>
<HEAD>
   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
   <META NAME="GENERATOR" CONTENT="Mozilla/4.04 [en] (Win95; I) [Netscape]">
   <META NAME="Author" CONTENT="NiXe">
   <META NAME="Classification" CONTENT="Reverse Code Engineering">
   <META NAME="Description" CONTENT="Step by step guide to cracking ACDSee 32 2.4">
   <META NAME="KeyWords" CONTENT="How to crack ACDSee 32 2.4">
   <TITLE>ACDSee 32 2.4</TITLE>
<STYLE> <!-- A:HOVER {font-weight:bold;color:#3399FF} --> </STYLE>
</HEAD>
<BODY TEXT="#E0E0E0" BGCOLOR="#000000" LINK="#D0D0FF" VLINK="#FFD0D0" leftmargin="30">
&nbsp;
<CENTER><TABLE BORDER CELLSPACING=0 WIDTH="100%" bordercolor="#AAAAAA" >
<TR BGCOLOR="#102030">
<TD WIDTH="15%">
<CENTER><B><FONT COLOR="#0B7FC1">January 1999</FONT></B></CENTER>
</TD>

<TD WIDTH="70%">
<CENTER><FONT COLOR="#0B7FC1"><FONT SIZE=+2>"ACDSee 32 2.4"</FONT></FONT></CENTER>

<CENTER>'Patching'&nbsp;</CENTER>
</TD>

<TD WIDTH="15%">
<CENTER><B><FONT COLOR="#0B7FC1">W32 PROGRAM</FONT></B> Code Reversing</CENTER>
</TD>
</TR>

<TR BGCOLOR="#000000">
<TD WIDTH="15%"></TD>

<TD WIDTH="15%" BGCOLOR="#102030">
<CENTER>by&nbsp;&nbsp; <FONT SIZE=+3><FONT COLOR="#F2F2FF">N</FONT> <FONT COLOR="#E4E4FF">i</FONT>
<FONT COLOR="#D7D7FF">X</FONT> <FONT COLOR="#C9C9FF">e</FONT>&nbsp;</FONT></CENTER>
</TD>

<TD WIDTH="15%"></TD>
</TR>

<TR BGCOLOR="#000000">
<TD WIDTH="15%"></TD>

<TD BGCOLOR="#102030">
<CENTER>Code Reversing For Beginners&nbsp;</CENTER>
</TD>

<TD WIDTH="15%"></TD>
</TR>

<TR BGCOLOR="#000000">
<TD WIDTH="15%"></TD>

<TD ALIGN=CENTER BGCOLOR="#102030">

<P><B>Program Details</B>
<BR><B>Program Name:</B> acdc3224.exe
<BR><B>Program Type:</B> Image viewer
<BR><B>Program Location:</B> <A HREF="http://www.acdsystems.com">Here</A>
<BR><B>Program Size: </B>1899 Kb</TD>

<TD WIDTH="15%"></TD>
</TR>

<TR BGCOLOR="#000000">
<TD WIDTH="15%"></TD>

<TD BGCOLOR="#102030">
<CENTER></CENTER>

<CENTER><B>Tools Used:</B></CENTER>

<CENTER>Softice - Win'95 Debugger</CENTER>

<CENTER>W32Dasm - Win'95 Disassembler</CENTER>
&nbsp;</TD>

<TD WIDTH="15%"></TD>
</TR>

<TR BGCOLOR="#102030">
<TD ALIGN=CENTER><B><FONT COLOR="#0B7FC1">Rating</FONT></B>&nbsp;</TD>

<TD ALIGN=CENTER><B><FONT COLOR="#0B7FC1"><FONT SIZE=-1>Easy ( X )&nbsp;
Medium ( )&nbsp; Hard ( )&nbsp; Pro ( )</FONT></FONT></B>&nbsp;</TD>

<TD>
<CENTER></CENTER>

<CENTER><B><FONT COLOR="#0B7FC1"><FONT SIZE=-1>Solving the puzzle</FONT></FONT></B></CENTER>
&nbsp;</TD>
</TR>
</TABLE></CENTER>

<CENTER>&nbsp;</CENTER>

<CENTER></CENTER>
<TABLE BORDER CELLSPACING=0 CELLPADDING=2 WIDTH="100%" BGCOLOR="#102030" bordercolor="#AAAAAA" >
<TR>
<TD WIDTH="100%">
<CENTER><FONT COLOR="#0B7FC1"><FONT SIZE=+2>Introduction</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
&nbsp;

<P><FONT FACE="Arial,Helvetica">The fastest and easiest-to-use image viewer
available for Windows 95, Windows 98, and Windows NT! ACDSee is several
tools in one.</FONT>
<BR><FONT FACE="Arial,Helvetica">A full-featured image viewer quickly displays
your images in high quality.</FONT>
<BR><FONT FACE="Arial,Helvetica">The image browser lets you efficiently
find and organize your images.</FONT>
<BR><FONT FACE="Arial,Helvetica">ACDSee also provides several image manipulation
functions.</FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=0 CELLPADDING=2 WIDTH="100%" BGCOLOR="#102030" bordercolor="#AAAAAA" >
<TR>
<TD WIDTH="100%">
<CENTER><FONT COLOR="#0B7FC1"><FONT SIZE=+2>About this protection system</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
&nbsp;

<P><FONT FACE="Arial,Helvetica">This shareware will end up registered if
you enter your "Full Name:" and the correct "Registration Code:". But as
you know by now, there are other ways to get registered;-)</FONT>

<P><FONT FACE="Arial,Helvetica">The following entries are created in the
registry:</FONT>
<UL>
<LI>
<FONT FACE="Arial,Helvetica">HKEY_LOCAL_MACHINE\Software\ACD Systems\ACS
See32\Evaluation</FONT></LI>

<LI>
<FONT FACE="Arial,Helvetica">HKEY_LOCAL_MACHINE\Software\ACD Systems\ACS
See32\RegCode</FONT></LI>

<LI>
<FONT FACE="Arial,Helvetica">HKEY_LOCAL_MACHINE\Software\ACD Systems\ACS
See32\RegName</FONT></LI>
</UL>


<P><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>Note: Use Regmon to find
out what is written to/read from the Windows Registry.</FONT></FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=0 CELLPADDING=2 WIDTH="100%" BGCOLOR="#102030" bordercolor="#AAAAAA" >
<TR>
<TD WIDTH="100%">
<CENTER><FONT COLOR="#0B7FC1"><FONT SIZE=+2>The Essay</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
&nbsp;

<P><FONT FACE="Arial,Helvetica">First run ACDSee a few times and enter
anything in the registration screen. You will probably get the same message
I got: 'Your name and registration code do not match'. Write the string
down on a piece of paper and disassemble ACDSee32.exe with W32Dasm. Look for
the string that we get when entering an invalid registration code: 'Your
name and registration code do not match'.</FONT>

<P><FONT FACE="Arial,Helvetica">Here is the W32Dasm listing from "..code
do not match." and some lines up (we have a lot of jumps here):</FONT>
<PRE><FONT FACE="Arial,Helvetica"><FONT COLOR="#0B7FC1">:00406DC3 6882000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 00000082
:00406DC8 57&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push edi
:00406DC9 FFD6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; call esi
:00406DCB 33DB&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; xor ebx, ebx
:00406DCD C70540004E0000000000&nbsp;&nbsp;&nbsp; mov dword ptr [004E0040], 00000000
:00406DD7 8A44241C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov al, byte ptr [esp+1C]
:00406DDB 8D74241C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lea esi, dword ptr [esp+1C]
:00406DDF 84C0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; test al, al
:00406DE1 0F844C010000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; je 00406F33
* Referenced by a (U)nconditional or (C)onditional Jump at Address: 00406DFE(C)
:00406DE7 0FBE16&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; movsx edx, byte ptr [esi]
:00406DEA 52&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push edx
:00406DEB E87E840B00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; call 004BF26E
:00406DF0 83C404&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add esp, 00000004
:00406DF3 85C0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; test eax, eax
:00406DF5 7401&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; je 00406DF8
:00406DF7 43&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; inc ebx&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT>; no of chars in name
<FONT COLOR="#0B7FC1">* Referenced by a (U)nconditional or (C)onditional Jump at Address :00406DF5(C)
:00406DF8 8A4601&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov al, byte ptr [esi+01]
:00406DFB 46&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; inc esi
:00406DFC 84C0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; test al, al&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT>; is next char zero?
<FONT COLOR="#0B7FC1">:00406DFE 75E7&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jne 00406DE7
:00406E00 6683FB05&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmp bx, 0005&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT>; is no of chars 5
<FONT COLOR="#0B7FC1">:00406E04 0F8C29010000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jl 00406F33&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT>; if less than 5 jump to
<FONT COLOR="#0B7FC1">:00406E0A 8D44247C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lea eax, dword ptr [esp+7C]&nbsp;&nbsp; </FONT>; our serial
<FONT COLOR="#0B7FC1">:00406E0E 6A00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 00000000
:00406E10 8D4C2420&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lea ecx, dword ptr [esp+20]&nbsp;&nbsp; </FONT>; our name
<FONT COLOR="#0B7FC1">:00406E14 50&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT>; save serial on stack
<FONT COLOR="#0B7FC1">:00406E15 51&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push ecx&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT>; save name on stack
<FONT COLOR="#0B7FC1">* Possible StringData Ref from Data Obj ->"-314159265"
:00406E16 6888034E00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 004E0388&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT>; push -314159265
<FONT COLOR="#0B7FC1">:00406E1B E8701C0500&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; call 00458A90&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT>; the magic call!?!?!
<FONT COLOR="#0B7FC1">:00406E20 83C410&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add esp, 00000010
:00406E23 F7D8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; neg eax
:00406E25 1BC0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sbb eax, eax
:00406E27 F7D8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; neg eax
:00406E29 85C0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; test eax, eax
:00406E2B A340004E00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov dword ptr [004E0040], eax
:00406E30 0F8EFD000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jle 00406F33
.
.
.
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: 00406DE1(C), :00406E04(C), :00406E30(C)
:00406F33 8A44241C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov al, byte ptr [esp+1C]
:00406F37 33DB&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; xor ebx, ebx
:00406F39 84C0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; test al, al
:00406F3B 8D74241C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lea esi, dword ptr [esp+1C]
:00406F3F 745B&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; je 00406F9C
.
.
.
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: 00406F3F(C), :00406F5E(C), :00406F7B(C)
:00406F9C 6AFA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push FFFFFFFA
:00406F9E 57&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push edi
* Reference To: USER32.GetWindowLongA, Ord:0156h
:00406F9F FF1514C64C00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Call dword ptr [004CC614]
* Possible StringData Ref from Data Obj ->"ACDSee 32"
:00406FA5 8B15F0014E00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov edx, dword ptr [004E01F0]
:00406FAB 6A00&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 00000000
:00406FAD 52&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push edx
* Possible Reference to String Resource ID=00566: "Your name and registration code do not match.
Please check y"</FONT></FONT></PRE>


<P><FONT FACE="Arial,Helvetica">After some debugging in SoftIce you can
see that the call to 00458A90 returns eax=0 if the reg code is invalid!</FONT>
<BR><FONT FACE="Arial,Helvetica">Well, that sounds like the usual 'is valid
password' function. We had better take a look at it instead of just reversing
the jump after it, since the 'is valid password' function could be called from
several places!</FONT>
<PRE><FONT FACE="Arial,Helvetica"><FONT COLOR="#0B7FC1">* Referenced by a CALL at Addresses: 00406772, :004068A9, :00406E1B, :00406F71, :0040734A
:00458A90 8B4C2408&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov ecx, dword ptr [esp+08] ; mov eax,406f9c
:00458A94 81EC84000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sub esp, 00000084
:00458A9A 8D442400&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lea eax, dword ptr [esp]
:00458A9E 56&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push esi
:00458A9F 57&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push edi
:00458AA0 50&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push eax
:00458AA1 51&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push ecx
.
.
.
:00458B18 C3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ret</FONT></FONT></PRE>


<P><FONT FACE="Arial,Helvetica">Yes, the 'is valid password' function is
called from 5 different locations. Let us have a closer look...</FONT>
<BR><FONT FACE="Arial,Helvetica">After debugging this function for the
better part of an hour without finding the correct reg code, I decided to go
for the brute force crack and make the 'is serial valid' function return
with eax=1 no matter what you enter as name and reg code. Here is what
I did:</FONT>
<PRE><FONT FACE="Arial,Helvetica"><FONT COLOR="#0B7FC1">:00458A90 8B4C2408&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov ecx, dword ptr [esp+08]&nbsp;&nbsp; </FONT>; before the fix
<FONT COLOR="#0B7FC1">:00458A94 81EC84000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sub esp, 00000084
:00458A9A 8D442400&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lea eax, dword ptr [esp]

</FONT><FONT COLOR="#C17F7F">:00458A90 B801000000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov eax,1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT>; After the fix
<FONT COLOR="#C17F7F">:00458A95 C3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ret&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT>; Set eax to 1 and return to
<FONT COLOR="#C17F7F">:00458A96 90&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nop&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </FONT>; caller while we are ahead
<FONT COLOR="#C17F7F">:00458A97 90&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nop
:00458A98 90&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nop
:00458A99 90&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nop
</FONT><FONT COLOR="#0B7FC1">:00458A9A 8D442400&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; lea eax, dword ptr [esp]</FONT></FONT></PRE>


<P><FONT FACE="Arial,Helvetica">He he. We are now registered. When restarting
the program you will get a message saying that it is an old reg code, but
if you click <I>"Don't show this message again"</I> it will go away forever.</FONT>
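
<P><FONT FACE="Arial,Helvetica">Seen from the vendor's side, the change above leaves a recognisable trace: the entry of the check routine no longer matches the shipped bytes and now begins with a load of a constant into eax followed by ret. The following integrity check is an added example, not code from this essay or from ACD Systems; the byte arrays are copied from the listings above, and the function and enum names are assumptions made for the illustration.</FONT>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Entry bytes of the check routine at 00458A90, from the listing above. */
static const uint8_t EXPECTED_ENTRY[] = {
    0x8B, 0x4C, 0x24, 0x08,             /* mov ecx, [esp+08] */
    0x81, 0xEC, 0x84, 0x00, 0x00, 0x00, /* sub esp, 84h      */
    0x8D, 0x44, 0x24, 0x00              /* lea eax, [esp]    */
};
/* The same 14 bytes after the modification shown above. */
static const uint8_t PATCHED_ENTRY[] = {
    0xB8, 0x01, 0x00, 0x00, 0x00,       /* mov eax, 1        */
    0xC3,                               /* ret               */
    0x90, 0x90, 0x90, 0x90,             /* nop padding       */
    0x8D, 0x44, 0x24, 0x00              /* lea eax, [esp]    */
};

/* Hypothetical result codes for this example. */
enum entry_state { ENTRY_INTACT, ENTRY_MODIFIED, ENTRY_CONST_RETURN_STUB };

/* True if the code begins by putting a constant in eax and returning:
   mov eax,imm32 or xor eax,eax [inc eax], optional nops, then ret / ret imm16. */
static int is_const_return_stub(const uint8_t *code, size_t len)
{
    size_t i;
    if (len >= 5 && code[0] == 0xB8) {
        i = 5;                                   /* mov eax, imm32 */
    } else if (len >= 2 && (code[0] == 0x33 || code[0] == 0x31)
               && code[1] == 0xC0) {
        i = 2;                                   /* xor eax, eax   */
        if (i < len && code[i] == 0x40) i++;     /* inc eax        */
    } else {
        return 0;
    }
    while (i < len && code[i] == 0x90) i++;      /* skip nop padding */
    if (i < len && code[i] == 0xC3) return 1;    /* ret              */
    return i + 2 < len && code[i] == 0xC2;       /* ret imm16        */
}

/* Compare the bytes found at the routine's entry with the shipped ones. */
enum entry_state classify_entry(const uint8_t *code, size_t len,
                                const uint8_t *expected, size_t exp_len)
{
    if (len >= exp_len && memcmp(code, expected, exp_len) == 0)
        return ENTRY_INTACT;
    return is_const_return_stub(code, len) ? ENTRY_CONST_RETURN_STUB
                                           : ENTRY_MODIFIED;
}

int main(void)
{
    static const char *names[] = { "intact", "modified", "constant-return stub" };
    printf("shipped bytes: %s\n", names[classify_entry(
        EXPECTED_ENTRY, sizeof EXPECTED_ENTRY, EXPECTED_ENTRY, sizeof EXPECTED_ENTRY)]);
    printf("patched bytes: %s\n", names[classify_entry(
        PATCHED_ENTRY, sizeof PATCHED_ENTRY, EXPECTED_ENTRY, sizeof EXPECTED_ENTRY)]);
    return 0;
}
```

<P><FONT FACE="Arial,Helvetica">A check that lives inside the same executable can be neutralised the same way as the routine it guards, so it is more useful run from a separate integrity monitor or paired with a hash or signature check of the whole file.</FONT>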
<BR>&nbsp;
<TABLE BORDER CELLSPACING=0 CELLPADDING=2 WIDTH="100%" BGCOLOR="#102030" bordercolor="#AAAAAA" >
<TR>
<TD WIDTH="100%">
<CENTER><FONT COLOR="#0B7FC1"><FONT SIZE=+2>Final Notes</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
&nbsp;

<P><FONT FACE="Arial,Helvetica">Maybe you could also have sniffed the password.
I'm still not good enough... maybe you are?</FONT>
<BR><FONT FACE="Arial,Helvetica">But okay, enter anything you like as "Full
Name:" (at least 5 letters) and any "Registration Code:" and it is accepted!</FONT>

<P><FONT FACE="Arial,Helvetica">This 'is serial valid' function, which returns
0 if not valid and '1 or ?' if valid, was also used in mIRC. Look out for
that.</FONT>
<BR>&nbsp;

<P><FONT FACE="Arial,Helvetica"><FONT SIZE=-1>Greetings/thanks to The Sandman,
Razzia, Volatility, Eternal Bliss, and all other tutorial writers!</FONT></FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=0 CELLPADDING=2 WIDTH="100%" BGCOLOR="#102030" bordercolor="#AAAAAA" >
<TR>
<TD WIDTH="100%">
<CENTER><FONT COLOR="#0B7FC1"><FONT SIZE=+2>Ob Duh</FONT></FONT></CENTER>
</TD>
</TR>
</TABLE>
&nbsp;

<P><FONT FACE="Arial,Helvetica">I won't even bother explaining to you that
you should BUY this target program if you intend to use it for a longer
period than the allowed one.</FONT>

<P>
<HR SIZE=3 WIDTH="100%">
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><TABLE BORDER=2 >
<TR>
<TD><FONT FACE="Arial,Helvetica">&nbsp;<B><A HREF="students.html">Return</A>&nbsp;</B></FONT></TD>
</TR>
</TABLE></CENTER>

<CENTER><B><FONT FACE="Arial,Helvetica"><FONT SIZE=+1>&nbsp;</FONT></FONT></B></CENTER>

<HR SIZE=3 WIDTH="100%">
</BODY>
</HTML>
