Software Reverse Engineering - CPUKiller v1.2b - Serial Fishing With Soft-Ice
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility

This program is a good buy for $7.00. If you want to continue to use this program, please buy it and support shareware!

I decided to crack this program, because of the interesting registration routine. The serial number is calculated from your user name (which you cannot change). Your user name comes directly from your system.

---------------------------------------------------------------------------------------------
Target: NeatPad v1.06 - (np.exe) approximately 500,000 bytes. Download this at: http://neatpad.hypermart.net

Tools Needed: Soft-Ice v3.2 (earlier versions will work just fine)
---------------------------------------------------------------------------------------------

Prepare To Crack:

I first saw that this program was a Visual Basic program (vbrun300.dll is included), so disassembling this program to patch it is out of the question. The route to go is to find our serial number! The best method for trapping serial numbers in Visual Basic programs is by using the HMEMCPY function. This function puts the serial you entered into memory, then compares it with the real one, which is also put into memory.

You'll find the registration screen under "File", "Preferences". This registration is different from most others, in that the program stores your name, which you cannot edit. So... now we know our serial number will most likely be calculated from our name.

Making The Crack:

Enter a test code for your serial number, and press Ctrl+D to enter Soft-Ice. Set a breakpoint on HMEMCPY (BPX HMEMCPY). Press Ctrl+D again to exit to NeatPad. Press the "Ok" button with your test code entered, and Soft-Ice will break. Press F11 to enter the routine. You'll see the string "USER(0A)" on the line right above the command window. This isn't where we want to be... we want to be in the NeatPad code, so press F10 many times (79 to be exact) until you see the string "NEATPAD" plus some numbers on the line. You should now be here:

---------------------------------------------------------------------------------------------
CALL USER32!CallWindowProcA
MOV [ESI+0C],EAX
JMP 00421267
MOV EDX,ESI
MOV EAX,EBX
CALL 0041F850
POP EBP
POP EDI
POP ESI
POP EBX
RET
---------------------------------------------------------------------------------------------

Now we need to look for the code where our serial is compared with the correct one, so we're looking for a compare (CMP or TEST) or a jump (JZ, JNZ, etc). After stepping with F10 for a bit (30 times to be exact), you should land here:

---------------------------------------------------------------------------------------------
CALL 0041EF84
MOV EAX,[EBP-14]