About this tutorial:
Tutorial:Visual Multitool 3.4-Another successful memory echo serial fishing
Target:Visual Multitool 3.4(http://www.papyrussoftware.com)
Author:ManKind
Tools:SoftICE 3.24(this is a good software, worth buying)
Date:31th of October 1999(Last updated on 25th of December 1999)
Descriptions&Comments:A word editor, good but still no match for EditPad. Its protection and status(shareware) have already lost to EditPad, not to mention its function and uses. It is quite expensive too.
Copyright information:This tutorial is copyright © 1999 ManKind

Starting words:
Hello,welcome to my tutorial. I am ManKind, a newbie in cracking who want to share my cracking skills with other newbies. Contact me at mankind001@bigfoot.com


The process:
Well, this is another successful serial fishing using memory echo method, thanks again to the Legendary +ORC. Not a reliable way, but certainly good enough for newbies. After installing Visual Multitool 3.4, load SoftIce, run it, the first screen asks you to register. Good, since our purpose is not to use the program(will you use another word editor when you have a perfect one ready for you?) but to make it our target to crack. Note that there is only one space for you to fill in your registration code. This indicates that Visual Multitool will most probably have only one valid registration code. I like this cause it will certainly reduce the amount of work required. Now, just fill in any numbers or alphabets that you feel like entering, like for example mine as follow:

23199998ABCDEFGHI1999

I prefer it long since the space for the registration code is quite long. Press the OK button, nothing will happen except that your speaker will beep, press the OK button few times(say 5 times) some more so that the program will generate the correct registration code(since we want to use the memory echo method). If you have read my other tutorial such as the WindowBlinds one, you should know what to do. If you don't know then I will tell you now, don't close the current screen and don't erase the registration code you entered earlier instead go into SoftIce by pressing Ctrl+D and set a breakpoint on GetWindowTextA. The command will look like this:

bpx getwindowtexta

Go out of SoftIce by pressing Ctrl+D again and press the OK button. SoftIce will pop out, press F11 once and you are now in the Visual Multitool's codes. Next, search for the registration code we just entered like this:

s 0 l ffffffff '2319998ABCDEFGHI1999'

Then the first thing I see in the Data Window of SoftIce looks like this:

2319998ABCDEFGHI
1999............
................

If the above are of correct memory location, then by pressing Alt+Down for 2-3 seconds, you will see something special like this in the Data Window:

2046A5D29A00454E

Use the command below in SoftIce to search again right after the first search command until you get to the correct memory location(that is if you can't see something like above):

s

Wait, don't exit yet, I know you that you are very eager to try that registration code but, please wait for a while some more. Press Alt+Down again until you see this:

2046A5D2

Oh, don't be shocked though you have seen two sets of code that will probably be the registration code, now do you know why I ask you to stay back? The best way to know which is the valid registration code, is to try the codes on Visual Multitool. Disable or clear the breakpoints you have set, go out of SoftIce, try the first number, the first starting screen of Visual Multitool will disappear without any sign and the Visual Multitool program started like normal. Does this indicate that we entered the correct registration code? To know, close Visual Multitool and restart it again, the registration screen is gone. Now that we already have the correct registration code, the process part of this tutorial will have to end now.

Additional/Extra Part(s) or Stuff(s):
Another registration code(2046A5D2) is of no use(I tried already) but I am sure that you will notice that the registration code(2046A5D2) is part of the correct registration code. Probably part of the correct registration code is generated first by the program while later it generate another half of it. That is a logic explanation that I can think of now. Tell me if you have other opinions.


Ending:
Thanks to:+ORC, Sandman, HarvestR, tKC, ytc_, Punisher, Kwai_Lo, TORN@DO, Crackz and other crackers and individuals who provide me with their tutorials and tools.
Greetz to:HarvestR, tKC, ytc_, Kwai_Lo, Punisher, TORN@Do, CiA, Phrozen Crew, other cracking groups and all crackers.

Service for ManKind
ManKind
mankind001@bigfoot.com
http://surf.to/mrep

filled my WINDOWS REGISTRATION information in automatically. Now we only have to fill in a Product Number. The product number already filled in looks like WDx.x-xxxxx-xxxxx. So the author gave us the information how the good code must look like. Well I also noticed the information Product Number is valid for any future versions of this program!

Well the version is 4.2 so I assumed the Product Number should be WD4.2-xxxxx-xxxxx ... and as you can find out on your own this is true. If it isn't 4.2, then you're just registered for a LIMITED TIME and the NAG at startup still pops up. However the good code is still the same - you just have to replace the number and version (x.x) with 4.2!

I enterd WD4.2-12345-67890 as fake registration code and set a BPX to HMEMCPY. Then I pressed OK. SoftICE popped up. Since there were 3 input fields, I skipped the first two pop ups. Then I pressed F12 until I reached the following code snippet:
 
  :0040797E    LEA     EDX,[EBP-10]
  :00407981    MOV     EAX,0045E40C
  :00407986    CALL    00450B94
  :0040798B    DEC     DWORD PTR [ESI+1C]
  :0040798E    LEA     EAX,[EBP-10]
  :00407991    MOV     EDX,00000002
  :00407996    CALL    00450B64
  :0040799B    CALL    00407608
  :004079A0    TEST    EAX,EAX                        ; is serial ok?
  :004079A2    JNZ     00407AE0                       ; if not => JMP

A scheme like this is very common. Some CALLs and then a JZ/JNZ instruction. To find the good serial you normally just have to trace into the CALL before the JZ/JNZ instruction - and that was it. And in this program that's also the case. Tracing in the CALL, you'll get the following code snippet:

  :00407608    PUSH    EBX
               ...
  :00407618    CALL    00450CE8                      ; get length of serial
  :0040761D    CMP     EAX,06                        ; serial 6 chars long
  :00407620    JLE     00407665
               ...
  :0040666A    CALL    00450CE8                      ; get length of name
  :0040766F    CMP     EAX,02                        ; name 2 chars long
  :00407672    JLE     004076B2
               ...
  :004076BC    MOVSX   EAX,BYTE PTR [ESI]            ; move char[counter] in EAX
               ...
  :004076CB    MOVSX   EDX,BYTE PTR [ESI]            ; move char[counter] in EDX
  :004076CE    PUSH    EDX
  :004076CF    CALL    004499C4                      ; convert to lower case
  :004076D4    POP     ECX
  :004076D5    MOVZX   ECX,DI
  :004076D8    IMUL    ECX,[004551D4]                ; DI * 15h
  :004076DF    MOVZX   EDX,DI
  :004076E2    IMUL    ECX,EDX                       ; ECX * EDX
  :004076E5    ADD     AX,CX                         ; add result to AX
  :004076E8    ADD     DI,AX                         ; add result of this loop to DI
  :004076EB    INC     EBX                           ; chars done + 1
  :004076EC    INC     ESI                           ; counter + 1
  :004076ED    PUSH    ESP
  :004076EE    CALL    00444C00
  :004076F3    POP     ECX
  :004076F4    CMP     EBX,EAX                       ; did all chars?
  :004076F6    JB      004077BC                      ; if not => JMP
  :004076F8    MOV     EAX,0045E408
  :004076FD    CALL    00450CE8                      ; get length of company
  :00407702    TEST    EAX,EAX                       ; no company enterd?
  :00407704    JZ      00407744                      ; if so => JMP
               ...
  :0040774E    MOVSX   EAX,BYTE PTR [ESI]            ; move char[counter] in EAX
               ...
  :0040775D    MOVSX   EDX,BYTE PTR [ESI]            ; move char[counter] in EDX
  :00407760    PUSH    EDX
  :00407761    CALL    004499C4
  :00407766    POP     ECX
  :00407767    MOVZX   ECX,BP
  :0040776A    IMUL    ECX,[004551D4]                ; ECX * 15h
  :00407771    MOVZX   EDX,BP
  :00407774    IMUL    ECX,EDX                       ; ECX * EDX
  :00407777    SUB     AX,CX                         ; substract result from AX
  :0040777A    ADD     BP,AX                         ; add result of this loop to BP
  :0040777D    INC     EBX                           ; chars done + 1
  :0040777E    INC     ESI                           ; counter + 1
  :0040777F    PUSH    ESP
  :00407780    CALL    00444C00
  :00407785    POP     ECX
  :00407786    CMP     EBX,EAX                       ; did all chars?
  :00407788    JB      0040784E                      ; if not => JMP
  :0040778A    MOVZX   EAX,BP                        ; get result for company in EAX (NR)
  :0040778D    MOVZX   ECX,DI                        ; get result for name in ECX    (CR)
  :00407790    PUSH    EAX
  :00407791    PUSH    ECX
  :00407792    PUSH    00455288
  :00407797    LEA     EAX,[ESP+0C]
  :0040779B    PUSH    EAX
  :0040779C    CALL    0044809C                      ; format serial: NR-CR
  :004077A1    ADD     ESP,10
  :004077A4    LEA     EAX,[ESP+40]                  ; get enterd serial
  :004077A8    MOV     EDX,ESP                       ; get real serial
  :004077AA    MOV     CL,[EAX]                      ; get part of fake serial
  :004077AC    CMP     CL,[EDX]                      ; part of serial correct?
  :004077AE    JNZ     004077C6                      ; if not => JMP
  :004077B0    TEST    CL,CL
  :004077B2    JZ      004077C6
  :004077B4    MOV     CL,[EAX+01]                   ; get part of fake serial
  :004077B7    CMP     CL,[EDX+01]                   ; part of serial correct?
  :004077BA    JNZ     004077C6                      ; if not => JMP
  :004077BC    ADD     EAX,02
  :004077BF    ADD     EDX,02
  :004077C2    TEST    CL,CL                         ; checked complete serial?
  :004077C4    JNZ     004078AA                      ; if not => JMP
  :004077C6    SETNZ   DL                            ; set flag

With the help of the comments in the code snippet you can understand the calculations for your serial. You can use this knowledge to code a KeyGEN if you have enough free time. The serial for the name PIRATED COPY and the company name CR@CKING TUTORI@L is WD4.2-16337-50000 - just for you to check your KeyGEN!

Another target has been Reverse Engineerd. Any questions (no crack requests)?

 
If you're USING Dictionary for Windows BEYOND it's FREE TRIAL PERIOD, then please BUY IT.


Copyright © 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved. s set the