
    
        ____                     __       __           
       /  _/_ _  __ _  ___  ____/ /____ _/ /            
      _/ //  ' \/  ' \/ _ \/ __/ __/ _ `/ /              
     /___/_/_/_/_/_/_/\___/_/  \__/\_,_/_/               
       ____                          __          __           
      / __ \___ ___ _______ ___  ___/ /__ ____  / /____   
     / /_/ / -_|_-</ __/ -_) _ \/ _  / _ `/ _ \/ __(_-<  
    /_____/\__/___/\__/\__/_//_/\_,_/\_,_/_//_/\__/___/  
                                                         
          Web: http://www.ImmortalDescendants.com        
                    Author: Volatility                   
                      Date: 04/29/99                     
                                                         
      
       
        

	Upon disassembling this program, I noticed the registration routine accessed the
registry, where it stores the user name and code.  I dislike trying to patch routines which
access the registry, so we'll just find our correct code instead.

---------------------------------------------------------------------------------------------
Target:  CPUKiller v1.2b - (cpukille.zip) 159,435 bytes.  Download this at:

   http://hotfiles.zdnet.com/cgi-bin/texis/swlib/hotfiles/getit.bin?fcode=000RYD

Crack Requested By: "Juan Pedro Gonzales" (r_alliance@hotmail.com)

Tools Needed:  Soft-Ice v3.2 (earlier versions will work just fine)
---------------------------------------------------------------------------------------------

Prepare To Crack:

	Run the program (cpukiller.exe) and locate the registration screen.  You'll find it
under "Help", "About".  Enter some test data ("Cracked By Volatility [ID]", "272727" for mine),
and click the "Ok" button.  No error message, so this is a good sign that this may be a 
program written in Delphi.

	With Delphi programs, the best way to trap a serial number is by using the HMEMCPY
function.  So, Ctrl+D to enter Soft-Ice, and set your breakpoint (BPX HMEMCPY).  Press
Ctrl+D to exit back to the program, and click the "Ok" button.

Making The Crack:

	Once you click the "Ok" button, Soft-Ice will break.  Press F11 to get into the code.
You'll see USER(0A) on the line above the command window.  We want to be in the CPUKiller
code... so press F10 to step through the code (79 times to be exact) until you see 
"CPUKILLER!CODE" on the line.

	After looking through the code a bit, we can determine that this routine is where our
user name is manipulated and stored.  We need to be where our serial number is manipulated  
and stored.  So, start stepping through the code again with F10.  You'll go through all the
same functions again, and you need to stop when you see "CPUKILLER!CODE" on the line again.
You should now be here:

---------------------------------------------------------------------------------------------
CALL     USER32!CallWindowProcA
MOV      [ESI+0C],EAX
JMP      0041DAEB
MOV      EDX,ESI
MOV      EAX,EBX
CALL     0041C0D4
POP      EBP
POP      EDI
POP      ESI
POP      EBX
RET
---------------------------------------------------------------------------------------------

	Now we need to look for the code where our serial is compared with the correct one,
so we're looking for a compare (CMP or TEST) or a jump (JZ, JNZ, etc).  After stepping with
F10 for a bit, you should land here:

---------------------------------------------------------------------------------------------
CALL     0041B808
MOV      EDX,[EBP-08]
POP      EAX              <the serial we entered
CALL     00403BA8         <hmm, what could this be?
JNZ      0043AA14         <give us a "1" for bad code, and jump to unregistered
MOV      DL,01            -----.
MOV      EAX,[00437B60]        |
CALL     00437C94              |- otherwise save our info, and we're registered
MOV      ESI,EAX               |
MOV      CL,01                 |
MOV      EDX,0043AA48     -----'
---------------------------------------------------------------------------------------------

	We can see the serial number we entered by pressing F10 until we get on the line
"POP      EAX".  Once we're there, display EAX by typing: d EAX.  Press F10 once, and we'll be 
on the line with some goofy call.  What could it be?  Display EAX again, and you'll see a 
strange string (ZUAJESBODLCO for mine).  What else could it be?  Your serial!
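
	The valid serial shows up in a register because the checker builds the correct code
itself and compares it with the one entered.  The C sketch below is an added example, not
code from CPUKiller or from the original tutorial; it puts that pattern beside a
signature-style check in which the client never holds an acceptable serial.  Assumptions:
every name and constant is hypothetical, the weak derivation is made up, the RSA numbers
are constructed toy values, and vendor and client halves share one file only so it runs
stand-alone.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy RSA values (n = 61 * 53): far too small for real use. */
enum { TOY_N = 3233, TOY_E = 17, TOY_D = 2753 /* vendor-only private exponent */ };

/* FNV-1a hash of the user name, reduced into the toy modulus. */
static uint32_t name_digest(const char *name) {
    uint32_t h = 2166136261u;
    for (; *name; name++) { h ^= (unsigned char)*name; h *= 16777619u; }
    return h % TOY_N;
}

static uint32_t modpow(uint64_t base, uint32_t exp, uint32_t mod) {
    uint64_t r = 1;
    for (base %= mod; exp; exp >>= 1, base = base * base % mod)
        if (exp & 1) r = r * base % mod;
    return (uint32_t)r;
}

/* WEAK: the checker rebuilds the valid serial itself and string-compares it,
 * so the correct value sits in memory during every failed attempt. */
static int weak_check(const char *name, const char *entered) {
    char expected[16];
    snprintf(expected, sizeof expected, "%08X", (unsigned)(name_digest(name) * 2654435761u));
    return strcmp(expected, entered) == 0;
}

/* Vendor side only: signing needs TOY_D, which never ships in the client. */
static uint32_t issue_serial(const char *name) {
    return modpow(name_digest(name), TOY_D, TOY_N);
}

/* Client side: only the public pair (TOY_E, TOY_N) is needed.  The value the
 * client computes is a digest of the name, not a serial that would be accepted. */
static int verify_serial(const char *name, uint32_t serial) {
    return serial < TOY_N && modpow(serial, TOY_E, TOY_N) == name_digest(name);
}

int main(void) {
    const char *name = "Example User";   /* constructed sample input */
    uint32_t serial = issue_serial(name);
    printf("issued=%u valid=%d tampered=%d\n", (unsigned)serial,
           verify_serial(name, serial), verify_serial(name, (serial + 1) % TOY_N));
    return 0;
}
```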

	If you want to try this again for practice, you can unregister the program by deleting
the "Robyrobo" key under "HKEY_CURRENT_USER", "software".

-Volatility-

