Software Reverse Engineering - Safety Scan v2.5b - Serial Fishing With Soft-Ice
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility

---------------------------------------------------------------------------------------------
Target:  Safety Scan v2.5b - (safetyscan.exe) 366,688 bytes.  Download this at:

                   http://ftp.loop.com/~unisyn/safescan.zip

Tools Needed:  Soft-Ice v3.2 (earlier versions will work just fine)
---------------------------------------------------------------------------------------------

Prepare To Crack:

	Run the program (safescan.exe).  The first thing that pops up is an ugly nag screen.
Click on the "Register Now" button.  Only a serial number needs to be entered.  These
registrations are the easiest!

	We need to set up a breakpoint in Soft-Ice to trap the valid serial number.  The most
common API calls are "GetDlgItemTextA" and "GetWindowTextA".  To save you time, the correct
one here is "GetWindowTextA".

Making The Crack:

	Enter some test data at the registration screen.  Press Ctrl+D to enter Soft-Ice.
Set a breakpoint on "GetWindowTextA" - BPX GetWindowTextA.  Press Ctrl+D again to exit back
to the program.  Press the "Ok" button, and Soft-Ice will break.  Press F11 once to return to
the calling routine, and you should be here:

---------------------------------------------------------------------------------------------
CALL     USER32!GetWindowTextA
MOV      ECX,EAX
MOV      EDX,ESP
MOV      EAX,ESI
CALL     00403A54
JMP      0042F6FB
MOV      EAX,ESI
MOV      EDX,[EBX+6C]
CALL     00403A08
ADD      ESP,00000100
POP      ESI
---------------------------------------------------------------------------------------------

	Now we need to look for a compare (CMP, TEST) and/or a jump (JZ, JNZ, JE, JNE, etc.)
where our serial number is compared with the correct one.  Press F10 to step through the code
(12 times) until you get here:

---------------------------------------------------------------------------------------------
CALL     0042F6BC
MOV      EDX,[EBP-64]
MOV      EAX,ESI        <the serial number
CALL     004201BC       <call the function to compare
TEST     EDI,EDI        <compare the serials
JZ       0043898A
MOV      ECX,ESI
MOV      DL,01
MOV      EAX,[00437848]
CALL     00437D80
MOV      [EBP-40],EAX
---------------------------------------------------------------------------------------------

	The line "CALL     004201BC" looks interesting, so press F10 until it's highlighted.
From the line "MOV      EAX,ESI", we know our serial number is stored in EAX.  Display EAX
(d EAX), press Alt+up arrow just a couple times, and there it is!  Mine was 6697853.
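The weakness this walkthrough relies on is that the genuine serial sits in process memory as plain text right next to the user's input when the compare runs, so breaking on the text-fetching API and following the compare call exposes it.  Added example, not code from Safety Scan or the original tutorial: the same check in the weak form beside a form that ships only a digest of the serial, using a constructed sample serial.

```python
import hashlib
import hmac

# Constructed sample serial for illustration only; not a real product serial.
VALID_SERIAL = "1234567"


def weak_check(entered: str) -> bool:
    """The pattern the tutorial fishes.

    The genuine serial is held in memory as plain text and compared with
    the user's input, so whoever stops the program at the compare can read
    the real value out of a register or off the stack.
    """
    return entered == VALID_SERIAL


def build_time_digest(serial: str) -> str:
    """Run once by the vendor when a serial is issued; only the result ships.

    In a real build the digest would be embedded as a literal constant, so
    the plaintext serial never exists inside the distributed program.
    """
    return hashlib.sha256(serial.encode("utf-8")).hexdigest()


# Stand-in for the literal constant a shipped binary would carry.
SHIPPED_DIGEST = build_time_digest(VALID_SERIAL)


def hardened_check(entered: str, shipped_digest: str) -> bool:
    """Hash the input and compare digests.

    Stopping at this compare now yields two digests, not the serial.
    hmac.compare_digest runs in constant time, so the compare does not
    leak how many leading bytes matched.
    """
    entered_digest = hashlib.sha256(entered.encode("utf-8")).hexdigest()
    return hmac.compare_digest(entered_digest, shipped_digest)
```

This removes the shortcut used above but does not make a short numeric serial strong on its own, since a seven-digit space is small enough to exhaust offline; a scheme that is also resistant to guessing (a signed license key, for instance) is a separate design decision.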

	If you want to try this again for practice, you can unregister the program by deleting
the "Ioio" key under HKEY_CURRENT_USER\Software.

-Volatility-

