Tutorials by L!M!T (The Exterminators)

Apx_Reveal v1.0 - Integrity Software
IXLA Explorer, IXLA Web Easy
MultiSMS Express v6.0.9
Recette 99 v3.1.1

Apx_Reveal is an Internet detection application. In short, the program scans the HD for images, history files and so on. This program is suited for parents, who are anxious about what their children 'do' on the Internet. This tutorial will not contain so much of the explanations of any assembler language, patching or programming, so this one is really suited for newbies that might be scared of such 'advanced' stuff. I consider the difficulty of this tutorial to be VERY easy.

Tool Used :- W32Dasm v8.93.

Download the program at http://www.protectyourfamily.net and install it. This first thing that hits you when you run the program is a nice warm welcoming splash screen, telling you that if you want to use the program to it's full extent you got to pay, as always. If you want to, you can always try to fish a serial for it, using SoftICE. But, as you will see further down, we will register it with any name and number without modifying a single byte of code. Let's continue ;

Choose 'OK' and let the messagebox hit you with the 'greatly limited' message. Take a look at the program, note the 'Unregistered version' and so on, get familiar with it. When you are done, close the program and fire up good old W32Dasm. Open the file 'apx_reveal.exe' in W32Dasm. Click the 'Strn ref' button in W32Dasm's toolbar and you will get a list of strings that exist in 'apx_reveal.exe'. If you double click on any string in this list, W32Dasm will go to the address where the string appears in the disassembly listing, but I guess you already knew that.

Double click some of the strings and take a look around. You will find some very interesting strings that you normally would find useful when reversing a program. You might want to go and take a look at the code that resides near the 'Application Already Registered' or 'Registration number was invalid!' and start patching high and low. But the strings that caught my interest were the GUID's that are in the string list. These two;

{4E3E4954-F9B5-11d2-A085-00500402F30B} and {D47C2BCE-3C52-11F0-9210-848C1D0FE000}

Double click the first one (in W32Dasm's string list). You will end up here;

:004036E3 PUSH EDX

* Reference To: _ISource._ISGetDLLVersion, Ord:0036h
:004036E4 CALL 00425D36

* Possible StringData Ref from Data Obj ->"{4E3E4954-F9B5-11d2-A085-00500402F30B}"
:004036E9 PUSH 00469F08

* Reference To: _ISource._ISInitialize, Ord:005Eh
:004036EE CALL 00425D30

* Possible StringData Ref from Data Obj ->"Creating the matte."
:004036F3 PUSH 00469EF4
:004036F8 PUSH ESI

Hmm.. Not so interesting as the second one;

* Possible StringData Ref from Data Obj ->"{D47C2BCE-3C52-11F0-9210-848C1D0FE000}"
:004175D6 PUSH 0046DB00

* Possible StringData Ref from Data Obj ->"System Settings"
:004175DB PUSH 0046D8FC

* Possible StringData Ref from Data Obj ->"Software\Active\ActiveY"
:004175E0 PUSH 0046D8E4

* Possible StringData Ref from Data Obj ->"HKEY_LOCAL_MACHINE"
:004175E5 PUSH 0046BA70
:004175EA CALL 0040C360
:004175EF MOV EDX, DWORD PTR [ESP+108]
:004175FC PUSH EDX

* Possible StringData Ref from Data Obj ->"Registered User: "%s"."
:004175FD PUSH 0046DAA8
:00417602 PUSH EAX
:00417603 CALL 0043CD56
:00417608 MOV EAX, DWORD PTR [ESP+30]
:0041760C ADD ESP, 20
:0041760F MOV BYTE PTR [ESI+875], 01
:00417616 JMP 0041764C

This is much more interesting!. If you take a look at the code preceeding the GUID you will see this;

:00417567 MOV EDX, DWORD PTR [ESP+000000F4]
:0041756E PUSH EBP
:0041756F PUSH EDX

* Possible StringData Ref from Data Obj ->"Name"
:00417570 PUSH 00467128

* Possible StringData Ref from Data Obj ->"Software\Integrity Software\Apx_Reveal"
:00417575 PUSH 00467100

* Possible StringData Ref from Data Obj ->"HKEY_LOCAL_MACHINE"
:0041757A PUSH 0046BA70
:0041757F CALL 0040C360
:00417584 MOV EAX, DWORD PTR [ESP+20]
:00417588 PUSH EBP
:00417589 PUSH EAX

* Possible StringData Ref from Data Obj ->"Number"
:0041758A PUSH 004670E0

* Possible StringData Ref from Data Obj ->"Software\Integrity Software\Apx_Reveal"
:0041758F PUSH 00467100

* Possible StringData Ref from Data Obj ->"HKEY_LOCAL_MACHINE"
:00417594 PUSH 0046BA70
:00417599 CALL 0040C360
:0041759E MOV ECX, DWORD PTR [ESP+44]
:004175A2 PUSH EBP
:004175A3 PUSH ECX

* Possible StringData Ref from Data Obj ->"Version"
:004175A4 PUSH 0046D90C

* Possible StringData Ref from Data Obj ->"Software\Integrity Software\Apx_Reveal"
:004175A9 PUSH 00467100

* Possible StringData Ref from Data Obj ->"HKEY_LOCAL_MACHINE"
:004175AE PUSH 0046BA70
:004175B3 CALL 0040C360
:004175B8 PUSH EBP

* Possible StringData Ref from Data Obj ->"YES"
:004175B9 PUSH 0046D93C

* Possible StringData Ref from Data Obj ->"Registered"
:004175BE PUSH 0046DB28

* Possible StringData Ref from Data Obj ->"Software\Integrity Software\Apx_Reveal"
:004175C3 PUSH 00467100

* Possible StringData Ref from Data Obj ->"HKEY_LOCAL_MACHINE"
:004175C8 PUSH 0046BA70
:004175CD CALL 0040C360
:004175D2 ADD ESP, 50
:004175D5 PUSH EBP

What we have here is an addition (or a check) made in the registry for the following things;

At the 'HKEY_LOCAL_MACHINE' 'Software\Integrity Software\Apx_Reveal' position the program retrieves the following information; (starting at the top of the code snippet above);

'Name' - (Registered) Username.
'Number' - The serial number.
'Version' - Program version.
'Registered' - 'YES'.

And at the code snippet above this one;

At the 'HKEY_LOCAL_MACHINE' 'Software\Active\ActiveY' position the program retrieves the 'System Settings' information.

Directly after this, the GUID appears; {D47C2BCE-3C52-11F0-9210-848C1D0FE000}.

And the last line in the WDasm listing says "Registered User: "%s"."?. This looks very interesting!.

If you start Regedit and look at the positions above (HKEY_LOCAL_MACHINE\Software\Integrity Software\Apx_Reveal) you will see that the information we see in the code snippet and the WDasm listing isn't there. Instead of 'Name' there is a '~Name' and the other information is non-existent. And if you look for '\Active\ActiveY' you will not find it. The reason I found the GUID's interesting was because of another program I reversed by adding a GUID found inside it (TakeMe, graphic browser. Remember that one, Chafe?). So I figured that maybe a similar registration check were made here as well, when I spotted them in the string ref's.

So, when the information that the program might add or look for is non-existent, try adding it and see what happens. Let's start with the information in the 'Integrity Software\Apx_Reveal' part. First, rename the '~Name' to 'Name' and add your name. Then, add a string value named 'Number' and type something like this '12-34567890'. Add a string value named 'Registered' and enter 'YES' as value. Now, start Apx_Reveal and see if something has happened!. Damn, the 'Unregistered..' box pops up. So, entering this information didn't do the trick. Let's add the 'Active\ActiveY' part as well.

In the 'HKEY_LOCAL_MACHINE\Software' branch, add a new key named 'Active'. Right-click 'Active' and add a new key named 'ActiveY'. At this position (ActiveY), add a string value named 'System Settings'. Enter the GUID as value '{D47C2BCE-3C52-11F0-9210-848C1D0FE000}'. Start Apx_Reveal again and we'll see if we are right. Yes! No splash nag, no annoying message box and there the name you entered is displayed as a registered user!. Great! Work done!

IXLA Explorer, IXLA Web Easy

Available @ : http://www.ixla.com
Size : 4.46 Mb (IXLA Explorer v1.2).
7.47 Mb (IXLA Web Easy v1.30, International Version).
7.48 Mb (IXLA Web Easy v1.30, U.S Only Version).

Tool used :- SoftICE v3.2x.

First I want to say that the protection in these programs are ridiculously easy. All of the targets are protected the exact same way and you can use the same procedure on all three of them. We'll get the unlock code so easily that it would have been
quite similar to reading it in the local newspaper. OK, I assume you have SoftICE installed and configured properly. If you don't, go get it, install it and set it up.

Install the program you downloaded, either IXLA Explorer or any of the Web Easy versions. Run it and the first window created will be a 'Try before you buy' window telling us how many tries we have left, a 'Try now' button, a 'Buy now' button and a 'Quit' button. There is also a textbox where you can enter the unlock code provided by IXLA after you pay. Enter a bogus unlock code in the text box and press the 'Buy now' button. A messagebox pops up, telling us that the code we entered
was invalid and we should contact IXLA Ltd. to sort this problem out.

Or we could try again and instead of calling IXLA, we could ask our friend SoftICE to help us. Click that messagebox away if you haven't done that already. Now, press CTRL - D to enter SoftICE. Type 'bpx GetDlgItemTextA' (without the quotes) and press Enter. What you just did, was tell SoftICE to break on the execution of the Windows GetDlgItemTextA API call (bpx=BreakPoint on eXecution). This API retrieves text and other similar information from dialog items, such as text boxes.

OK, now press CTRL - D again to get out of SoftICE. Enter your bogus unlock code again and press the 'Buy now' button.
*B00M* SoftICE breaks and you are in the GetDlgItemTextA code. Press F12 once to leave that code and return to the calling program. The code screen should look something like this;

:005934E6 CALL[USER32!GetDlgItemTextA] (1)
:005934EC PUSH 005973C0 (2)
:005934F1 LEA EAX,[EBP+FFFFF6D8] (3)
:005934F7 PUSH EAX (4)

The addresses may look different on your computer but the code looks the same. Now type 'D 5973C0' and press enter. In your data window the following word should be displayed: 'TKL'. If you press F8 twice and type 'D EAX' you should see your
bogus unlock code you entered in the data window. Those are later on compared to each other to see if they match. This unlock code is used to unlock the IXLA Explorer, not the WebEasy packages. If you need the WebEasy packages unlock codes, just do the same procedure as you did with the IXLA Explorer package.

Your fake unlock code is retrieved by GetDlgItemTextA (1).
The real unlock code is pushed on to the stack for later use (2).
Your fake unlock code is placed in EAX. (3).
Your fake unlock code (in EAX) is pushed on to the stack for later use. (4).

This procedure is applicable to IXLA Explorer, IXLA Web Easy (both Int. Version and the U.S Only Version) and IXLA Explorer to retrieve the unlock code.

That's it.

MultiSMS Express v6.0.9

Program info for MultiSMS Express v6.0.9.

Available @ : http://www.tele-servizi.com/multisms/new/Download.html
Size : 2.73 Mb
Language : Italian

Get the VB6IT.dll too just in case.

Tool used :- SmartCheck v6.01.

Install MultiSMS Express v6.0.9. Just answer 'Esci' to the questions during the installation procedure, I believe it means 'OK'. Well.. from the information displayed during the install, we could see that the MSVBVM60.DLL and other Visual Basic runtime files were copied. In other words, this utility is programmed in Visual Basic, therefore we're going to use SmartCheck to try to get our serial and understand the algorithm used to calculate a valid serial. Let's go...

When the main window appears, press 'Sistema' and choose 'Registrazione programma'. Another window pops up with some kind of EULA in Italian. Press 'Accetto', and you're at the registration window. In the first field you see a 'Numero di serie:' (serial number) and in the other field you are supposed to enter your 'Numero di registrazione' (registration number). Just enter a number and hit 'Registra' (Register) and a window will bark at you in Italian saying that the number you entered was incorrect. I don't understand Italian so good, so we'll let our good friend SmartCheck do the translation for us.

Start SmartCheck, and make sure it is configured as below;

Program Settings;
Error detection - Check all boxes except 'Report errors immediately'.
Advanced - Check the 4 first boxes. Make sure that 'Suppress.
system API and OLE calls' is NOT checked.
Reporting - All boxes checked, except for 'Report MouseMove events from OCX controls'.

Load MultiSMS into SmartCheck by choosing 'File', 'Open' and choose 'MultiSMS.exe'. Start it by pressing F5. Once you can see the main window of MultiSMS, press the button with the red square (STOP) to terminate MultiSMS as we don't need to do anything more with MultiSMS. Otherwise you'll have zillion's of lines in SmartCheck with Timer1_Timer. This Timer handles the rotation of the picture in the top right corner in MultiSMS and that is not interesting.

Why we terminate MultiSMS so early in the process is, that your serial is calculated at startup. Normally (read : other VB prog's) you would have to click your way to the registration window, enter a fake serial and then terminate the program to be able to see the routines in SmartCheck. In SmartCheck again, go to 'View' and make sure that the following are 'checked'; 'Arguments', 'Sequence Numbers' (not necessary, but it adds some orientation) and 'Suppressed Errors'.

Now, go to 'View' again and choose 'Show specific errors and events' if it's not checked already. The left window of SmartCheck is the 'Thread' of the program. It's here you see what the program is doing. The right window displays arguments, values, strings and so on. Now, in the left window, look for 'MultiSMS_Load' and click the plus sign next to it. If you can't see that, make sure that 'Show specific errors and events' in the 'View' menu of SmartCheck is checked.

When you've clicked that, a huge amount of lines suddenly were added. Loads of Chr$ commands and further down, some GetPrivateProfileString commands. Then, a load of Double, DoEvents and Timer commands. Not interesting. Anyway, continue down until you see 'Registrazione_Load' and click the plus sign to expand the branch. All those 'Form1_Load', 'Registrazione_Load' and 'MultiSMS_Load' are forms (windows) that are displayed as the program loads or when you click a button and a new window appears.

The first 750 lines in this branch calculates the 'Numero di serie' by getting your ProductId, ProductIdKey of the Windows installation and the volume information from your hard drive. Since the serial number is based on the sum from this algorithm (Numero di serie), the only thing we need is the result of this calculation. That's why we're not interested in it. But feel free to take a look at it.

Almost directly after the GetVolumeInformation is a 'Str$' command, move on to the next 'Str$' further down in the branch. This should say something like x.xxxx+00e where the x's are numbers. If you click on this 'Str$' command, the value will be displayed in the right window. Do you recognize that sequence of numbers? You are absolutely correct. It's the first 10 numbers in our 'Numero di serie:'!

After this follows some 'Mid$', 'Asc$' and a few 'Val$' commands and after the last 'Val$' in this sequence there is a 'Str$' command with a 'ByRef' value. Click that line and watch the right window. There, my friend, is your 'Numero di registrazione'! Don't type the dot in the end of the number when you register. The registration number has been calculated...So, how is this done?.

What you see in the left window now, is that some 'Asc$' commands are executed. The 'Asc$' command in Visual Basic gets the ASCII value from a given character. The problem now, is that you can't 'see' what's happening with those values that are extracted from the 'Numero di serie:' To get a better view, do this; Click the SECOND 'Str$' command AFTER the GetVolumeInformation command. Yes, we're back at the first ten numbers of our 'Numero di serie:'. The line should have turned blue. Now, go to 'View' and choose 'Show all events'. The screen changes slightly and SmartCheck is working...

I hope you clicked the line, otherwise you could be lost... Really lost. Hopefully, you can still see the same numbers in the right frame and the blue line over the 'Str$' command in the left frame. The screen has changed quite much now, and what you see now is the calls to MSVBVM60.DLL and which functions that are called. The 'Numero di registrazione' calculation begins at the FIRST 'Mid$' command AFTER the 'Numero di serie' 'Str$' command.

Mid$(String:"1990944400", long:1, VARIANT:Integer:1)

(1990944400=I'm using this Numero di serie for explanation, you'll have a diff. one).

This means, what is the first (long:1) char in the String:"19909..." ?. How many chars do you want from position 1 in the string (VARIANT:Integer:1). One char from position 1, result is 1. The __vbaStrMove put's this char away for later use.

Asc$(String:"1") returns Integer:49

This means, what is the ASCII value for the string "1". The answer is 49 (returns Integer:49)

__vbaVarMove moves the result (49) for later use.
__vbaVarAdd tries to add our result to the prior one. Since this was our first char, the formula is 0 + 49 = 49 (prior char+present char).
__vbaVarMove moves the result (49) for later use.
__vbaVarForNext I believe this is a loop function (For, Next) moving to the next char in the 'Numero di serie'.
__vbaI4Var Don't know :-).

Next char;

Mid$(String:"1990944400", long:2, VARIANT:Integer:1)

What is the second (long:2) char in the String:"19909..."?. We want one char this time too (VARIANT:Integer:1). Take one char from position 2 in the String:"19909..." Result is "9".

Asc$(String:"9") returns Integer:57

The ASCII value for string "9". Result is 57. (returns Integer:57)

__vbaVarMove moves the result (57) for later use.
__vbaVarAdd adds our prior ASCII result (49) to the present (57).
__vbaVarMove moves the result (106) for later use.
__vbaVarForNext Moves to the next loop function.

This is done for the ten first numbers (chars) in the 'Numero di serie' string. It retrieves the ASCII value for each char, adding it to the next char's ASCII value, and so on, through the ten first chars in the 'Numero di serie' string. Further down, you'll come across some __vbaVarMul functions. The 'Mid$' prior to this __vbaVarMul function call takes the first NUMBER in the 'Numero di serie' (1990944400), which is 1, and moves (__vbaStrMove) it for later use. Now check the sequence of the __vbaVarMul functions and what they do;

__vbaVarMul(VARIANT:Double:1.99094+00e, VARIANT:Integer:520)
The sum of the ASCII values------------------------------^

This takes our 'Numero di serie'(1.99094+00e) and multiplies it with the sum of each char's ASCII value from 'Numero di serie', char by char (520).

__vbaVarMul(VARIANT:Double:1.03529e+012, VARIANT:Double:1)
| |
Value has changed!-------------^ |
(this is the result from the prior __vbaVarMul) | 
The first NUMBER in the 'Numero di serie'---------------^
(1990944400, The '1')

This takes the result of the prior __vbaVarMul (1.99094+00e * 520 = 1.03529e+012) and multiplies it with the first NUMBER (not ASCII value) of the 'Numero di serie' sequence. Hence the 'Mid$' prior to the first __vbaVarMul.


This takes the result from the last __vbaVarMul and multiplies it with 5.

The next 'Str$' command;

Str$(VARIANT:ByRef Double:5.17646e+009)
__vbaStrMove(String:"5176455440" ......)

Moves the result of the __vbaR8Var and saves it for further use.

The next command;


Trims the string. Here is the 'Numero di registrazione'!.


a = ASCII value of char[1]+char[2]+char[3]......+char[10].
b = a * Numero di serie's FIRST TEN NUMBERS!.
b = b * First NUMBER in 'Numero di serie'.
code = b * 5.

You might want to remove the three last digits from [code] to get a valid 'Numero di registrazione'.

Example: 1990944400 * 520 * 1 = 5176455440000. Remove the three zero's at the end and this is a valid 'Numero di registrazione'! (for the 1990944400 Numero di serie...).

Recette 99 v3.1.1

Available @ : http://www.infradev.com/recette/ (link de-activated)
Size : 2.3 Mb
Language : Swedish

Tool used :- SmartCheck v6.01.

Recette is a recipe database program that contains 150 complete dinners together with drinks. You can search for a dinner through using the search criterias ingredients, cooking-time and name. When you start it up, we'll see a splash screen and then a screen will appear saying that this proggy is shareware, and you should register it. Anyway, push the middle button, with the text 'Jag accepterar...' and you are allowed to try it out for 20 days.

OK, now push the 'Registrera!' menu and a dialog box appears where you are supposed to enter your name and your password. Do so and press enter. Oh no... Our password was invalid! Well... We're gonna solve that one now. Close Recette down and start SmartCheck up. Once started, open Recette.exe and push F5 to get the show running. Now, do the same
thing again... press 'Jag accepterar...', push the 'Registrera!' menu and enter L!M!T [TEX] as your name and 1212 as your bogus password. Now, you should be at the messagebox telling you that is was wrong. Return to SmartCheck.

Check that 'Show Errors and specific events' are checked under the 'View' menu in Smartcheck. If it isn't, then check it. In the left pane in SmartCheck is the program thread, it's here you'll see what actions are executed. What has happened while we
were starting Recette and trying to register it? Let's see...

Draft from SmartCheck;

........ Thread 0 [thread id:4290937205 (0xFFC28175)]
........ Event reporting....
........ ............................... [snipped]
........ ............................... [snipped]
........ frmSplash (Form) created
........ [+] frmSplash_Load
........ ............................... [snipped]
........ ............................... [snipped]
........ Huvud (MDIForm) created
........ ............................... [snipped]
........ ............................... [snipped]
........ [+] Huvud_Load
........ ............................... [snipped]
........ ............................... [snipped]
........ [+] mnuREG_Click 
........ [+] Command1_Click

This is the thread, or the 'flow' of the program. We can see what happened when we clicked the 'Jag accepterar...' button, when we clicked the 'Registrera!' menu and most important, what happened when we clicked the 'Ok' button at the register
window! So... click the plus sign next to the Command1_Click procedure. Draft from Smartcheck;

........ text1.Text
........ text2.Text
........ Len(String"1212") returns LONG:4
........ text1.Text
........ (1) UCase$(String:"L!M!T [TEX]")
........ ............................... [snipped]
........ ............................... [snipped]
........ (2) Mid(VARIANT:String:"L!M!T [TEX]", long:6, long:1073741823, VARIANT:String:"A")
........ ............................... [snipped]
........ ............................... [snipped]
........ (3) Left$(String:"L!M!TA[TEX]", long:10)
........ Integer (0) --> String ("0")
........ Integer (1) --> Long (1)
........ (4) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing)
........ (5) Asc(String:"L!M!TA[TEX"), returns Integer:76
........ (6) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing)
........ (7) Asc(String:"L!M!TA[TEX"), returns Integer:76
........ ............................... [snipped]
........ (8) Double (5776) --> String ("5776")
........ Integer (2) --> Long (2)
........ (9) Mid$(String:"L!M!TA[TEX", long:2, VARIANT:Missing)
........(10) Asc(String:"!M!TA[TEX") returns Integer:33
........(11) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing)
........(12) Asc(String:"L!M!TA[TEX") returns Integer:76 
........(13) String ("5776") --> Double (5776)
........(14) Double (8284) --> String ("8284")
........ ............................... [snipped]
........ ............................... [snipped]
........ ............................... [snipped]

This is the calculation routine for the password. This snippet you see above is for the first two characters in your name. There are actually a lot more lines, but these are enough to explain the algorithm so to spare your eyes we'll end the calculation
routine snippets here. OK, check the positions in the code and my explanations to it. Here we go;

(1) UCase$(String:"L!M!T [TEX]").
Convert the whole string (your username) to UPPERCASE.

(2) Mid(VARIANT:String"L!M!T [TEX]", long:6...
Check the string for any spaces. If there are any, replace those with capital A. (L!M!T [TEX] = L!M!TA[TEX]).

(3) Left$(String:"L!M!TA[TEX]", long:10).
Trim the string 10 chars from the left. (L!M!TA[TEX). Trims the length of your username to 10 characters (i.e. EXTERMINATORS = EXTERMINAT).

(4) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing).
Take the first character (long:1) and...

(5) Asc(String:"L!M!TA[TEX") returns Integer:76.
get the ASCII value for it (returns Integer:76).

(6) Repeat step 4.
(7) Repeat step 5.

(8) Double (5776) --> String ("5776")
The result from ASCII value from char 1 * ASCII value from char 1.

(9) Mid$(String:"L!M!TA[TEX", long:2, VARIANT:Missing).
Take the second character (long:2) and...

(10) Asc("!M!TA[TEX") returns Integer:33.
get the ASCII value for it (returns Integer:33)...

(11) Mid$(String:"L!M!TA[TEX", long:1, VARIANT:Missing).
Step 4 repeated...

(12) Asc(String:"L!M!TA[TEX") returns Integer:76.
Step 5 repeated.

(13) String ("5776") --> Double (5776).
Convert string 5776 to double value.

(14) Double (8284) --> String ("8284").
Convert double value 8284 to a string.

All these steps are executed for the entire username, after it's trimmed down to 10 chars and every (if there are any) space in the username been replaced with A. The sum of every new multiplication is added to the sum of the prior multiplication, ending in the final sum, also known as our password. You can see this comparation further down in the thread listing. Your bogus password (1212) will be compared to the correct one just before the messagebox appears. Just step down to the end of the 'Command1_Click' routine and you can see the correct password being compared to our bogus one.

Here I'll explain the algorithm in words.

Take the entire username and convert it to uppercase. Replace all eventual spaces with A.

* This one is new;
If the length of the username is less than 10, copy the string to itself so it will meet this demand. I.e (MR USA = MRAUSAMRUS). We didn't see this before 'coz our username was 11 chars. The red line going through the entire algorithm is the ASCII value for char number 1 in the username. This ASCII value is multiplied with itself, then it's multiplied with the ASCII values for the other char's. Like this;

ASCII value char 1 = x
ASCII value char 2 = x2
ASCII value char 3 = x3
ASCII value char 10 = x10
Sum of x * x = Sum1
Sum of x * x2 = Sum2
Sum of x * x3 = Sum3
Sum of x * x10 = Sum10

The password calculation;

Password = Sum1 + Sum2 + Sum3 + Sum4 + Sum5 + Sum6 + Sum7 + Sum8 + Sum9 + Sum10.

Done. We've just retreived our valid serial and we've dissected the algorithm.

'Knowledge is neither given nor taken. It is earned.'


L!M!T [TEX].


© 1998, 1999, 2000 Tutorial By L!M!T, Hosted by CrackZ. 14th September 2000.