Software Reverse Engineering - CPUKiller v1.2b - Serial Fishing With Soft-Ice
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility

	This program is a good buy for $7.00.  If you want to continue to use this program,
please buy it and support shareware!

	I decided to crack this program, because of the interesting registration routine.
The serial number is calculated from your user name (which you cannot change).  Your user
name comes directly from your system.

---------------------------------------------------------------------------------------------
Target:  NeatPad v1.06 - (np.exe) approximately 500,000 bytes.  Download this at:

                          http://neatpad.hypermart.net

Tools Needed:  Soft-Ice v3.2 (earlier versions will work just fine)
---------------------------------------------------------------------------------------------

Prepare To Crack:

	I first saw that this program was a Visual Basic program (vbrun300.dll is included), 
so disassembling this program to patch it is out of the question.  The route to go is to find 
our serial number!

	The best method for trapping serial numbers in Visual Basic programs is by using the
HMEMCPY function.  This function puts the serial you entered into memory, then compares it
with the real one, which is also put into memory.

	You'll find the registration screen under "File", "Preferences".  This registration
is different from most others, in that the program stores your name, which you cannot edit.
So... now we know our serial number will most likely be calculated from our name.

Making The Crack:

	Enter a test code for your serial number, and press Cntrl+D to enter Soft-Ice.  Set
a breakpoint on HMEMCPY (BPX HMEMCPY).  Press again Cntrl+D to exit to NeatPad.  Press the
"Ok" button with your test code entered, and Soft-Ice will break.

	Press F11 to enter the routine.  You'll see the string "USER(0A)" on the line right
above the command window.  This isn't where we want to be... we want to be in the NeatPad
code, so press F10 many times (79 to be exact) until you see the string "NEATPAD" plus some
numbers on the line.  You should now be here:

---------------------------------------------------------------------------------------------
CALL     USER32!CallWindowProcA
MOV      [ESI+0C],EAX
JMP      00421267
MOV      EDX,ESI
MOV      EAX,EBX
CALL     0041F850
POP      EBP
POP      EDI
POP      ESI
POP      EBX
RET
---------------------------------------------------------------------------------------------

	Now we need to look for the code where our serial is compared with the correct one,
so we're looking for a compare (CMP or TEST) or a jump (JZ, JNZ, etc).  After stepping with
F10 for a bit (30 times to be exact), you should land here:

---------------------------------------------------------------------------------------------
CALL     0041EF84
MOV      EAX,[EBP-14]     <the serial we entered stored in EAX
MOV      EDX,[004738D4]   <the correct serial stored in EDX
CALL     00403D8C         <call the routine to compare the serials
JNZ      00466E39         <jump to registered if good (not zero)
MOV      EAX,00466F34
CALL     0043C650        
JMP      00466EA2         
MOV      EAX,004738D4
MOV      EDX,00466F7C
CALL     00403A54
---------------------------------------------------------------------------------------------

	press F10 to step through the code where our serial number is stored (line
"MOV      EDX,[004738D4]" should be highlighted).  We can now see the serial number we entered
by displaying the EAX register (d EAX).  Press F10 once more to step through the code where 
our correct serial is stored (line "CALL     00403D8C" should be highlighted).  We can now 
display our correct serial number by displaying EDX (d EDX).

	I'm not going to give you the serial number I got, because it won't work since it's
calculated from your user name, but the format is like this: NP-0000000000000000000 
NP obviously means "NeatPad", a dash, then 19 numbers.  The last character for mine was an R.

-Volatility-