Cracking "Second Copy 97 v 5.31 (build96)"
Date: June 27, 1999
Author : +ViPeR+

Program Name : Second Copy 97 ver 5.31 (build 96)
Location     : http://www.centered.com


Cracking method : ECHO
-------------------------------------------------------------------------------
Your first job is to find the place to enter the registration key. (Try it,
it is not hard at all.) Ok, you found it; enter whatever info you like.

I enter the following info:

Name : evc_viper
Reg. Key : 123456789ABCDE

<<Note : the length of the reg. key is 14 (dec) = E (hex). You will see why.>>

Fire up Soft-Ice and set a breakpoint with 'bpx hmemcpy'.
Press 'x Enter x Enter'. (You can type x again and still get back into Soft-Ice,
but you won't see the code below.) Then press F11 one time, F12 6 times and F10
22 times, and you will find yourself landing at 00461DC5.

:
:00461DC0 E863A5FCFF              call 0042C328
:00461DC5 8B45F4                  mov eax, dword ptr [ebp-0C] ; we land here
:00461DC8 5A                      pop edx
:00461DC9 E8D2F3FFFF              call 004611A0
:

F8 into the above call at 00461DC9. Press F10 until you reach

:
:004611C8 E86F2AFAFF              call 00403C3C
:

The above call calculates the length of your fake reg. key, which is then
compared with E (hex):

:004611CD 83F80E                  cmp eax, 0000000E
:004611D0 0F8599000000            jne 0046126F

That is why the length of your reg. key should be of length E(hex)=14(dec). 

Ok, let's keep moving down and see what is going on.

:004611D6 8D45F8                  lea eax, dword ptr [ebp-08]
:004611D9 50                      push eax
:004611DA B904000000              mov ecx, 00000004
:004611DF BA01000000              mov edx, 00000001
:004611E4 8BC3                    mov eax, ebx
:004611E6 E8552CFAFF              call 00403E40

The above call fetches the first 4 characters of your reg. key.
In our case, that is '1234'. If you want to know where they are, notice that
at 004611D6 there is 'lea eax, dword ptr [ebp-08]'; when you trace to this
line, do a 'd eax' and you will see the following pattern in your data window.

00 00 00 00 ** ** ** ** ...

and after the above call (at 004611E6), those 8 zeros will be replaced by an
address, and that is where your first 4 characters are stored.

<< Note : the same pattern is used in the following paragraphs >>

Keep going,

:004611EB 8D45F4                  lea eax, dword ptr [ebp-0C]
:004611EE 50                      push eax
:004611EF B909000000              mov ecx, 00000009
:004611F4 BA06000000              mov edx, 00000006
:004611F9 8BC3                    mov eax, ebx
:004611FB E8402CFAFF              call 00403E40

The above call takes the last 9 characters of your fake registration key and
stores them at some memory address. In our case, it is '6789ABCD'.

:00461200 8D45FC                  lea eax, dword ptr [ebp-04]
:00461203 8BCE                    mov ecx, esi
:00461205 8B55F8                  mov edx, dword ptr [ebp-08]
:00461208 E87B2AFAFF              call 00403C88

The above call glues the first 4 characters and your name together and stores
them in memory. (Use the above trick to see where they are.) In our case,
it is '1234evc_viper'.

:0046120D 8D55F0                  lea edx, dword ptr [ebp-10]

type 'd edx' and you will see 

00 00 00 00 ** ** ** ** .....

on your data window.


:00461210 8B45FC                  mov eax, dword ptr [ebp-04]
:00461213 E898010000              call 004613B0

After the above call, those 8 zeros have been replaced by a memory address.
In my case, it is

54 62 C3 00 ** ** ** ** .....

type 'd c36254' (the dword read little-endian) and I see 'CAFC-D202' in my data window.

Ok, keep going.

:00461218 8B55F0                  mov edx, dword ptr [ebp-10]
:0046121B 8B45F4                  mov eax, dword ptr [ebp-0C]

If you 'd edx', you will see 'CAFC-D202', and if you 'd eax', it shows
'6789ABCD'. Ha, you see what we are getting at: the string the program
computed is compared against the tail of your key. The rest of the code
is not really interesting.

:0046121E E8292BFAFF              call 00403D4C
:00461223 7546                    jne 0046126B
:

Our correct registration key should be : '12345CAFC-D202'

x out of Soft-Ice and re-enter

Name: evc_viper
Reg. key : 12345CAFC-D202

You are registered. (By the way, you are registered for a 4093 user license.
What a cool way to beat the program.)
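What the trace above reveals, modelled as an added example (my code, not Second Copy's): the check gates on length, cuts the key at fixed offsets, derives the expected tail from the first four characters plus the name, and compares in the clear, so the expected value sits in memory next to the user's input. The real routine at 004613B0 is not shown, so derive_tag() is a hypothetical stand-in producing the same 'XXXX-XXXX' shape; the signed-key variant beside it assumes the cryptography package is installed and shows the design that leaves no forgeable expected value on the client.

```python
"""Weak check recovered from the trace vs. a signed-key check. Added example,
not the program's own code; derive_tag() is a stand-in for call 004613B0."""
import hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)


def derive_tag(prefix: str, name: str) -> str:
    """Hypothetical stand-in for the routine at 004613B0: 9 chars, 'XXXX-XXXX'."""
    h = hashlib.sha256((prefix + name).encode()).hexdigest().upper()
    return f"{h[:4]}-{h[4:8]}"


def weak_check(name: str, key: str) -> bool:
    """Structure seen in the trace. Every intermediate (head, tail, expected)
    is a plain string in memory, which is exactly what 'd edx' / 'd eax' showed."""
    if len(key) != 0x0E:                 # cmp eax, 0000000E / jne
        return False
    head = key[0:4]                      # Copy(key, 1, 4): ecx=4, edx=1
    tail = key[5:14]                     # Copy(key, 6, 9): ecx=9, edx=6
    expected = derive_tag(head, name)    # concat with name, then call 004613B0
    return expected == tail              # string compare at 00403D4C / jne


def issue_signed_key(priv: Ed25519PrivateKey, name: str) -> str:
    """Vendor side: the key is a signature over the name. Only the private key,
    which never ships in the binary, can produce a valid one."""
    return priv.sign(name.encode()).hex()


def signed_check(pub: Ed25519PublicKey, name: str, key: str) -> bool:
    """Client side: verify, never derive. Nothing in memory here can be copied
    into the key field to pass the check."""
    try:
        pub.verify(bytes.fromhex(key), name.encode())
        return True
    except (InvalidSignature, ValueError):
        return False
```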


+ViPeR+
[E]bola [V]irus [C]rew
June 27, 1999
