Hello, welcome to my tutorial. I am ManKind, a newbie in cracking who wants to share my cracking skills with other newbies. Contact me at firstname.lastname@example.org
Well, this is another successful serial fishing using the memory echo method, thanks again to the legendary +ORC. Not a reliable way, but certainly good enough for newbies. After installing Visual Multitool 3.4, load SoftIce and run the program; the first screen asks you to register. Good, since our purpose is not to use the program (will you use another word editor when you have a perfect one ready for you?) but to make it our target to crack. Note that there is only one space for you to fill in your registration code. This indicates that Visual Multitool will most probably have only one valid registration code. I like this, because it will certainly reduce the amount of work required. Now, just fill in any numbers or letters that you feel like entering, for example mine as follows:
I prefer it long since the space for the registration code is quite long. Press the OK button; nothing will happen except that your speaker will beep. Press the OK button a few more times (say 5 times) so that the program will generate the correct registration code (since we want to use the memory echo method). If you have read my other tutorials, such as the WindowBlinds one, you should know what to do. If you don't know, then I will tell you now: don't close the current screen and don't erase the registration code you entered earlier; instead go into SoftIce by pressing Ctrl+D and set a breakpoint on GetWindowTextA. The command will look like this:
Go out of SoftIce by pressing Ctrl+D again and press the OK button. SoftIce will pop up; press F11 once and you are now in Visual Multitool's code. Next, search for the registration code we just entered like this:
s 0 l ffffffff '2319998ABCDEFGHI1999'
Then the first thing I see in the Data Window of SoftIce looks like this:
If the above is the correct memory location, then by pressing Alt+Down for 2-3 seconds you will see something special like this in the Data Window:
Use the command below in SoftIce to search again, right after the first search command, until you get to the correct memory location (that is, if you can't see something like the above):
Wait, don't exit yet. I know that you are very eager to try that registration code, but please wait a little longer. Press Alt+Down again until you see this:
Oh, don't be shocked that you have seen two sets of code that will probably be the registration code; now do you know why I asked you to stay back? The best way to know which is the valid registration code is to try the codes on Visual Multitool. Disable or clear the breakpoints you have set, go out of SoftIce and try the first number: the first starting screen of Visual Multitool will disappear without any sign and the Visual Multitool program starts as normal. Does this indicate that we entered the correct registration code? To know, close Visual Multitool and restart it: the registration screen is gone. Now that we already have the correct registration code, the process part of this tutorial will have to end here.
Additional/Extra Part(s) or Stuff(s):
The other registration code (2046A5D2) is of no use (I tried it already), but I am sure that you will notice that this code (2046A5D2) is part of the correct registration code. Probably part of the correct registration code is generated first by the program, while later it generates the other half of it. That is the logical explanation that I can think of now. Tell me if you have other opinions.
Thanks to: +ORC, Sandman, HarvestR, tKC, ytc_, Punisher, Kwai_Lo, TORN@DO, Crackz and other crackers and individuals who provided me with their tutorials and tools.
Greetz to: HarvestR, tKC, ytc_, Kwai_Lo, Punisher, TORN@Do, CiA, Phrozen Crew, other cracking groups and all crackers.
Service for ManKind
filled my WINDOWS REGISTRATION information in automatically. Now we only have to fill in a Product Number. The product number already filled in looks like WDx.x-xxxxx-xxxxx, so the author told us what the good code must look like. I also noticed the information that the Product Number is valid for any future versions of this program!
Well, the version is 4.2, so I assumed the Product Number should be WD4.2-xxxxx-xxxxx ... and as you can find out on your own, this is true. If it isn't 4.2, then you're just registered for a LIMITED TIME and the NAG at startup still pops up. However, the good code is still the same - you just have to replace the version number (x.x) with 4.2!
I entered WD4.2-12345-67890 as the fake registration code and set a BPX on HMEMCPY. Then I pressed OK. SoftICE popped up. Since there were 3 input fields, I skipped the first two pop-ups. Then I pressed F12 until I reached the following code snippet:
:0040797E LEA EDX,[EBP-10]
:00407981 MOV EAX,0045E40C
:00407986 CALL 00450B94
:0040798B DEC DWORD PTR [ESI+1C]
:0040798E LEA EAX,[EBP-10]
:00407991 MOV EDX,00000002
:00407996 CALL 00450B64
:0040799B CALL 00407608
:004079A0 TEST EAX,EAX ; is serial ok?
:004079A2 JNZ 00407AE0 ; if not => JMP
A scheme like this is very common: some CALLs and then a JZ/JNZ instruction. To find the good serial you normally just have to trace into the CALL before the JZ/JNZ instruction - and that's it. In this program that's also the case. Tracing into the CALL, you'll get the following code snippet:
:00407608 PUSH EBX
:00407618 CALL 00450CE8 ; get length of serial
:0040761D CMP EAX,06 ; serial 6 chars long
:00407620 JLE 00407665
:0040766A CALL 00450CE8 ; get length of name
:0040766F CMP EAX,02 ; name 2 chars long
:00407672 JLE 004076B2
:004076BC MOVSX EAX,BYTE PTR [ESI] ; move char[counter] in EAX
:004076CB MOVSX EDX,BYTE PTR [ESI] ; move char[counter] in EDX
:004076CE PUSH EDX
:004076CF CALL 004499C4 ; convert to lower case
:004076D4 POP ECX
:004076D5 MOVZX ECX,DI
:004076D8 IMUL ECX,[004551D4] ; DI * 15h
:004076DF MOVZX EDX,DI
:004076E2 IMUL ECX,EDX ; ECX * EDX
:004076E5 ADD AX,CX ; add result to AX
:004076E8 ADD DI,AX ; add result of this loop to DI
:004076EB INC EBX ; chars done + 1
:004076EC INC ESI ; counter + 1
:004076ED PUSH ESP
:004076EE CALL 00444C00
:004076F3 POP ECX
:004076F4 CMP EBX,EAX ; did all chars?
:004076F6 JB 004077BC ; if not => JMP
:004076F8 MOV EAX,0045E408
:004076FD CALL 00450CE8 ; get length of company
:00407702 TEST EAX,EAX ; no company entered?
:00407704 JZ 00407744 ; if so => JMP
:0040774E MOVSX EAX,BYTE PTR [ESI] ; move char[counter] in EAX
:0040775D MOVSX EDX,BYTE PTR [ESI] ; move char[counter] in EDX
:00407760 PUSH EDX
:00407761 CALL 004499C4
:00407766 POP ECX
:00407767 MOVZX ECX,BP
:0040776A IMUL ECX,[004551D4] ; ECX * 15h
:00407771 MOVZX EDX,BP
:00407774 IMUL ECX,EDX ; ECX * EDX
:00407777 SUB AX,CX ; subtract result from AX
:0040777A ADD BP,AX ; add result of this loop to BP
:0040777D INC EBX ; chars done + 1
:0040777E INC ESI ; counter + 1
:0040777F PUSH ESP
:00407780 CALL 00444C00
:00407785 POP ECX
:00407786 CMP EBX,EAX ; did all chars?
:00407788 JB 0040784E ; if not => JMP
:0040778A MOVZX EAX,BP ; get result for company in EAX (NR)
:0040778D MOVZX ECX,DI ; get result for name in ECX (CR)
:00407790 PUSH EAX
:00407791 PUSH ECX
:00407792 PUSH 00455288
:00407797 LEA EAX,[ESP+0C]
:0040779B PUSH EAX
:0040779C CALL 0044809C ; format serial: NR-CR
:004077A1 ADD ESP,10
:004077A4 LEA EAX,[ESP+40] ; get entered serial
:004077A8 MOV EDX,ESP ; get real serial
:004077AA MOV CL,[EAX] ; get part of fake serial
:004077AC CMP CL,[EDX] ; part of serial correct?
:004077AE JNZ 004077C6 ; if not => JMP
:004077B0 TEST CL,CL
:004077B2 JZ 004077C6
:004077B4 MOV CL,[EAX+01] ; get part of fake serial
:004077B7 CMP CL,[EDX+01] ; part of serial correct?
:004077BA JNZ 004077C6 ; if not => JMP
:004077BC ADD EAX,02
:004077BF ADD EDX,02
:004077C2 TEST CL,CL ; checked complete serial?
:004077C4 JNZ 004078AA ; if not => JMP
:004077C6 SETNZ DL ; set flag
With the help of the comments in the code snippet you can understand the calculations for your serial. You can use this knowledge to code a KeyGEN if you have enough free time. The serial for the name PIRATED COPY and the company name CR@CKING TUTORI@L is WD4.2-16337-50000 - just for you to check.
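Added example, not code from either tutorial or either program: a small C sketch of the design flaw both tutorials exploit. In the Visual Multitool "memory echo" and in the compare loop at 004077AA above, the validator first builds the valid serial in memory and only then compares it byte by byte with what was typed, so the validator is also a key generator and a debugger memory search finds the real code. The contrasting check stores only a digest of the fixed code (the single-code situation of the first tutorial), so the code itself never appears in memory. The toy serial scheme (TOY- plus the byte sum of the name), all function names and FNV-1a as the digest are assumptions made for illustration, not anything from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy licence scheme, NOT the algorithm of either program on the
 * page: expected serial = "TOY-" + byte sum of the name, zero-padded to five
 * digits. It exists only to contrast the two validation styles below. */
static uint32_t toy_code(const char *name)
{
    uint32_t sum = 0;
    for (; *name; name++)
        sum += (unsigned char)*name;
    return sum % 100000;
}

/* The generator sits inside the validator: this is exactly why a serial can
 * be fished out of memory. Exposed as its own function to make that visible. */
void toy_expected_serial(const char *name, char *out, size_t outlen)
{
    snprintf(out, outlen, "TOY-%05u", (unsigned)toy_code(name));
}

/* Weak check, the shape seen in both tutorials: build the real serial in a
 * stack buffer, then compare it with the user's input. While this runs,
 * `expected` holds the valid serial in plain text, so a memory search or a
 * breakpoint on the comparison (the CMP CL,[EDX] loop) reveals it. */
bool check_weak(const char *name, const char *entered)
{
    char expected[16];
    toy_expected_serial(name, expected, sizeof expected);
    return strcmp(expected, entered) == 0;
}

/* 64-bit FNV-1a: a plain, non-cryptographic hash chosen only for brevity.
 * A shipping product would use a keyed or signed construction instead. */
uint64_t fnv1a64(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Check for a fixed registration code: the binary carries only the digest of
 * the valid code, so the code is never constructed in memory and the
 * validator cannot be read as a generator. The compare is constant-time so
 * the branch does not depend on how many bytes already matched. Caveats: a
 * short code hashed with a fast function is still brute-forceable, the final
 * conditional jump can still be patched, and per-name serials (as in the
 * second tutorial) need a public-key signature rather than a stored digest. */
bool check_digest(const char *entered, uint64_t stored_digest)
{
    uint64_t d = fnv1a64(entered);
    uint64_t diff = 0;
    for (int i = 0; i < 8; i++)
        diff |= ((d >> (8 * i)) ^ (stored_digest >> (8 * i))) & 0xff;
    return diff == 0;
}

int main(void)
{
    char serial[16];
    toy_expected_serial("AB", serial, sizeof serial); /* 65 + 66 -> "TOY-00131" */
    printf("weak check, valid serial:     %d\n", check_weak("AB", serial));
    printf("digest check, valid serial:   %d\n", check_digest(serial, fnv1a64("TOY-00131")));
    printf("digest check, wrong serial:   %d\n", check_digest("TOY-00132", fnv1a64("TOY-00131")));
    return 0;
}
```

The point to take from the two functions is where the valid serial lives: in check_weak it must exist as a string for the comparison to happen at all, which is what the SoftIce search and the Alt+Down scrolling above rely on; in check_digest nothing in memory equals the valid code, so that particular technique has nothing to find.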
Another target has been Reverse Engineered. Any questions (no crack requests)?
If you're USING Dictionary for Windows BEYOND it's FREE TRIAL PERIOD, then please BUY IT.
Copyright © 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.