WHY PATCHING WHILE SERIAL NUMBER IS FISHY

HardCopy Pro v1.6
A Cracking Tutorial 
by ASTAGA [D4C/C4A]


DISCLAIMER 

This reading material is not intended to violate copyrights 
and/or the law, but is for educational purposes only. I hold no 
responsibility ( by any means and in any shape whatsoever ) 
for the misuse of this material.


ABOUT THE PROGRAM 

HardCopy Pro is the professional, easy-to-use screen capture 
utility for Windows 95 / 98 and NT 4.0 or higher. 
It can capture rectangular screen areas and whole windows. 
The captured images can be cropped very easily and the color 
depth can be changed to any desired value from monochrome to 
true color. Images can be saved, copied to the clipboard, 
edited with any image editing program or printed. 
Many options allow the customization of all these actions to 
individual user needs.


WHERE TO DOWNLOAD

URL  : http://www.desksoft.com/Download/HCSetup.zip
Size : 124 KB


HOW TO GET A VALID SERIAL NUMBER by using SoftIce

1.  I told you that this tute IS NOT THE BEST way of getting a
    valid S/N; it's more of a trial-and-error method.... yeah,
    I call it THE UNUSUAL WAY, that's it.
    So I will not take you to where the fish is being compared!
    
2.  Run the program (HARDCOPY.EXE - 106,496 Bytes ), click the
    !DEMO tab, click the REGISTER NOW button, and you'll see the 
    registration window that requires your name and code.

3.  Type in a fake name and code, e.g. :

	Name : Mahiwal Pisan
	Code : 9073884665 

	DO NOT CLICK OK button Yet !

4.  Fire up SoftIce by pressing [ Ctrl + D ] and set a new breakpoint;
    in this case I am using GetDlgItemTextA :

	bpx getdlgitemtexta [enter]

    then press F5 to return to the main program. Now you can click the
    OK button, which brings you back into SoftIce.

5.  You're in SoftIce now. All you have to do is get back into the main
    program's code: press F11 once until you see : 
     _____________________________________________________________

	.00404410: FF15E0124100	call	GetDlgItemTextA <==== You 
	.00404416: FF7510		push	d,[ebp][00010]  land Here
	.00404419: 8D8610010000	lea	eax,[esi][000000110]
	.0040441F: 50			push	eax
	.00404420: E88B5B0000	call	000409FB0
	.00404425: 59			pop	ecx
	.00404426: 897E08		mov	[esi][00008],edi
	.00404429: 59			pop	ecx
	.0040442A: FF750C		push	d,[ebp][0000C]
	.0040442D: 57			push	edi
	.0040442E: FF151C134100	call	GetDlgItem
	.00404434: 8DBE1C020000	lea	edi,[esi][00000021C]
	.0040443A: 894604		mov	[esi][00004],eax
	.0040443D: 57			push	edi
	.0040443E: 50			push	eax
	.0040443F: FF15FC114100	call	GetClientRect ;USER32.dll
	.00404445: 6A01		push	001
	.00404447: 57			push	edi

     _____________________HARDCOPY!.TEXT+3410____________________


6.  Press F10 2 (two) times, stopping the highlight bar at 0040441F, 
    and type :

	d eax [enter]

    In the Data Window you'll see that your name and fake code
    have been copied to memory around address 013F:00418978 up to
    013F:004189C8.


7.  Press F10 2 (two) times, stopping the highlight bar at 00404425, 
    and type :

	d ecx [enter]

    In the Data Window you'll see several strings that look like
    serial numbers, e.g. "suXbZhFhuk", "i8KZXo3IiW", etc.
    However, you can't register the program using those serial
    numbers.  At this stage you know that those serial numbers
    have already been blacklisted by the author, and that a correct
    /valid serial number must be 10 characters long.


8.  Let's continue tracing the code: press F10 6 (six) times,
    stop at 013F:40443D, then type : 

	d edi [enter]

    The Data Window shows us the name and fake s/n again, at 
    memory address 013F:4189C4 .
    

9.  Now create new breakpoints by typing :

	bpx 013F:4189C4 [enter]
	bpm 013F:4189C4 [enter]  


10. Press F5, click OK, and you'll break into SoftIce again;
    at this stage press F5 4 (four) times and you'll land at : 

	.00409BFD: 8A1431	mov	dl,[ecx][esi] <=== Here 
	.00409C00: 80FA49	cmp	dl,049 ;"I"
	.00409C03: 7405	je	000409C0A   
	.00409C05: 80FA31	cmp	dl,031 ;"1"
	.00409C08: 7504	jne	000409C0E   
	.00409C0A: C604316C	mov	b,[ecx][esi],06C ;"l"
	.00409C0E: 41		inc	ecx
	.00409C0F: 3BC8	cmp	ecx,eax
	.00409C11: 7CEA	jl	000409BFD   
	.00409C13: 5E		pop	esi
	.00409C14: C3		retn   <===== jump pass here

    Press F10 82 (eighty-two) times ! ( you'll cycle several
    times between the memory addresses 00409BFD and 00409C11 )
    until you get past the RET instruction at 00409C14 .

11. Finally, you'll reach the moment of truth :

	.00409E15: E8D1FDFFFF	call	000409BEB <== land here
	.00409E1A: 83C410		add	esp,010
	.00409E1D: 807D0800		cmp    b,[ebp][00008],000
	.00409E21: 7444		je	000409E67 <== jump HERE
	.00409E23: BF60434100	mov	edi,000414360
	.......
	.......
    Press F10 2 (two) times and jump at 00409E21  
	.......
	.......
	.00409E67: 6A0A		push	00A <== ret jump here
	.00409E69: 8D45F4		lea	eax,[ebp][-000C]
	.00409E6C: 56			push	esi <== d esi here or 
	.00409E6D: 50			push	eax <== d eax 

    Keep pressing F10 until you reach 00409E6C, then dump/
    display the contents of ESI and/or EAX by typing :
    
	d esi ----> your fake s/n appear in Data Window
	d eax ----> did you see "hQlhv3TSUl" at the memory address
		     0064F938 ?? YES, that's the REAL CODE you're
		     looking for!!

12. Write down the serial number, disable all breakpoints by
    typing  bd * , press F5, and repeat the registration procedure
    ..... badass ... the classic "thank you for registering"
    appears on your screen.
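    As an added illustration (not part of the original tute and not
    the program's own source), here is a C reconstruction of the loop
    at 00409BFD..00409C11 from step 10, read straight off the listing:
    ESI points at the buffer, ECX is the index, EAX the length, and every
    byte equal to 'I' (049) or '1' (031) is rewritten to 'l' (06C); any
    other byte is left alone. Presumably this is done so that a user who
    confuses the look-alike characters I, 1 and l still gets an accepted
    code. That interpretation, the function names, the returned change
    count and the sample inputs are my assumptions, not from the program.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Reconstruction of the loop at 00409BFD..00409C11 (added example):
 *   loop: mov dl,[ecx+esi]        ; dl = buf[i]
 *         cmp dl,049 / je set     ; 'I' -> rewrite
 *         cmp dl,031 / jne skip   ; not '1' -> leave alone
 *   set:  mov byte [ecx+esi],06C  ; store 'l'
 *   skip: inc ecx / cmp ecx,eax / jl loop
 * Returns how many bytes were rewritten (my addition, for inspection). */
size_t fold_confusables(char *buf, size_t len)
{
    size_t changed = 0;
    for (size_t i = 0; i < len; i++) {          /* ecx runs 0 .. eax-1 */
        unsigned char dl = (unsigned char)buf[i];
        if (dl == 0x49 || dl == 0x31) {         /* 'I' or '1' */
            buf[i] = (char)0x6C;                /* 'l' */
            changed++;
        }
    }
    return changed;
}

/* Convenience wrapper: fold a NUL-terminated string in place. */
size_t fold_confusables_str(char *s)
{
    return fold_confusables(s, strlen(s));
}

int main(void)
{
    /* Constructed sample inputs: one of the blacklisted-looking strings
     * from step 7, the fake code from step 3, and a string built to hit
     * every branch of the loop. */
    char samples[][16] = { "i8KZXo3IiW", "9073884665", "I1lx" };
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        char before[16];
        strcpy(before, samples[n]);
        size_t k = fold_confusables_str(samples[n]);
        printf("%-12s -> %-12s (%zu byte(s) folded)\n", before, samples[n], k);
    }
    return 0;
}
```

    Note that the folding happens before the compare and that, in
    step 11, the expected code is sitting in plaintext in the buffer
    EAX points at, right next to the user's input in ESI. That is why the
    code can be read out of the Data Window at all; a check that only
    compared a digest of the entered code against a stored digest would
    leave nothing readable to fish out.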


END NOTES

   This program is sold as shareware, so you can try before you buy.  
   This is convenient for you, saves expenses by dispensing with all 
   that packaging, and cuts out the middle person.  So it is cheap, 
   but it is not free.  
   If you like the program, and you will, be sure to register and pay.
   To keep shareware prices low,  users must do the right thing: 
   Register, pay up, and smile/grin at yourself in the mirror.

   Do not distribute a crack release based on this tutorial, because
   you'd become a LAMER!!!!!!!!
   ( tHATDUDE (PC97) defined a LAMER as the guy who sits in front of a
   personal computer using a hex editor, ripping off other groups'
   crack releases and repacking (distro) them under his name. 
   Adopted from newsgroups alt.cracks, alt.crackers - February 1997 ) 


 _ Never attribute to malice that which is adequately explained by stupidity _

  

ASTAGA [D4C/C4A] tute-hardcopy16.zip  or c4a_hc16.zip
[EOF]
