Newbie's guide to cracking |   By ThrawN
---------------------------

Tut 4
--------------------------------
SERIAL SNIFF -  using Microsoft calc

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Target: Beginner Software's Delphi Tools 1.x
Website: http://solair.eunet.yu/~beginner/
Time required: Approx. 5 mins
Tools required: SoftICE (get from www.crackstore.com)
                Windows Calculator (Damn fine tool for cracking :))
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

I really love this software; since I use Delphi it does help cut down on some coding time.
This is also the first tut I made that makes use of SoftICE. If you're a newbie this is going to seem confusing, you might even have to read it over a few times. I have included a sample winice.dat which you should probably use as a newbie. Copy winice.dat into your SoftICE directory and overwrite the old one. Restart your system so the changes can take effect.

Now load Delphi Tools and you can see it's unregistered. Hmm, a bug.. Scroll across the menu to the right till you get to Registration. Entering any name and serial will give you a nice error :) So use the name "ThrawN" and "12345" as the serial. Press CTRL+D to bring up SoftICE and type bpx hmemcpy
Press CTRL+D again to exit sice and click the Register! button.
When sice pops up, press F5 once and F12 12 times.
You should now be looking at this:

0048FB15 8B45F8                  mov eax, dword ptr [ebp-08]
0048FB18 5A                      pop edx
0048FB19 E82650FFFF              call 00484B44  <--Serial check
0048FB1E 84C0                    test al, al
0048FB20 0F84E0000000            je 0048FC06    <--Jump if bad
0048FB26 B201                    mov dl, 01
0048FB28 A1F80C4400              mov eax, dword ptr [00440CF8]

You could patch it, but when you restart the program it will be unregistered again. We want our serial number :).
Press F10 until the line is over the call at 0048FB19, then press F8 to trace into this call. Now you're looking at this code:

00484B44 55                      push ebp
00484B45 8BEC                    mov ebp, esp
00484B47 83C4F8                  add esp, FFFFFFF8
00484B4A 53                      push ebx
00484B4B 56                      push esi
00484B4C 8955F8                  mov dword ptr [ebp-08], edx
00484B4F 8945FC                  mov dword ptr [ebp-04], eax
00484B52 8B45FC                  mov eax, dword ptr [ebp-04]
00484B55 E892F0F7FF              call 00403BEC
00484B5A 8B45F8                  mov eax, dword ptr [ebp-08]
00484B5D E88AF0F7FF              call 00403BEC
00484B62 33C0                    xor eax, eax
00484B64 55                      push ebp
00484B65 68094C4800              push 00484C09
00484B6A 64FF30                  push dword ptr fs:[eax]
00484B6D 648920                  mov dword ptr fs:[eax], esp
00484B70 33F6                    xor esi, esi
00484B72 837DFC00                cmp dword ptr [ebp-04], 00000000
00484B76 7406                    je 00484B7E     <-- Bad jump if 1st serial char is less than 1
00484B78 837DF800                cmp dword ptr [ebp-08], 00000000
00484B7C 7504                    jne 00484B82    <- Bad jump if 1st serial char is more than 9

So basically this tells us our resulting serial is going to be all numbers.

Press F10 till you get to this code:

00484BC7 0FB64C01FF              movzx ecx, byte ptr [ecx+eax-01] /
00484BCC 0FAFC8                  imul ecx, eax                   /
00484BCF 8BD8                    mov ebx, eax                   /
00484BD1 03DB                    add ebx, ebx                   |
00484BD3 0FAFCB                  imul ecx, ebx                 <-| Serial algo
00484BD6 03F1                    add esi, ecx                   |
00484BD8 40                      inc eax                         \
00484BD9 4A                      dec edx                          \
00484BDA 75E8                    jne 00484BC4                      \

This isn't important for the moment; I will explain how to make a keygen in another tut.
Keep pressing F10 till you get to this line:

00484BEC 33DB                    xor ebx, ebx

Look in the ESI bar at the top right and you should see a number. If you entered ThrawN as your name it's going to say 0000453A. Write this down, then in sice type BC * to clear all breakpoints.
Load up Windows Calculator and switch the view to Scientific. Switch to Hex mode and enter what you wrote down - 453A. Now switch to Dec mode and write down the number you see there - 17722. Back in Delphi Tools, enter ThrawN as the name again and 17722 as the serial. Now we get a nice ThankYou message box and the program is fully registered :) Congratulations
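As an added check, not part of ThrawN's tutorial, here is the loop at 00484BC7-00484BDA written out in Python so you can see why ESI ends up as 0000453A for "ThrawN" and why the serial is nothing more than a fixed function of the name. The register setup before the loop is not shown in the tut, so this assumes EAX starts at 1 (1-based character index), EDX holds the name length, ECX points at the name and ESI starts at 0.

```python
# Reconstruction of the Delphi Tools 1.x serial loop (added example, not the
# program's own code). Assumptions: EAX = 1-based char index, EDX = name
# length (loop counter), ECX = name pointer, ESI = running sum starting at 0.

def delphi_tools_serial(name: str) -> int:
    """Replay the disassembled loop body instruction by instruction."""
    esi = 0
    for eax in range(1, len(name) + 1):      # inc eax / dec edx / jne loop
        ecx = ord(name[eax - 1])             # movzx ecx, byte ptr [ecx+eax-01]
        ecx = ecx * eax                      # imul ecx, eax
        ebx = eax + eax                      # mov ebx, eax ; add ebx, ebx
        ecx = ecx * ebx                      # imul ecx, ebx
        esi = (esi + ecx) & 0xFFFFFFFF       # add esi, ecx  (32-bit register)
    return esi                               # value left in ESI at 00484BEC


def calc_view(name: str) -> tuple:
    """What you would read in SoftICE's ESI bar and then in calc's Dec mode."""
    esi = delphi_tools_serial(name)
    return format(esi, "08X"), str(esi)


def serial_matches(name: str, serial: str) -> bool:
    """The program accepts the serial when its decimal value equals the hash.

    Because every term is char * i * 2i, the check depends only on the
    characters of the name; there is no secret, which is why tracing the
    loop once is enough to compute a valid serial for any name.
    """
    return serial.isdigit() and int(serial) == delphi_tools_serial(name)


if __name__ == "__main__":
    print(calc_view("ThrawN"))                  # ('0000453A', '17722')
    print(serial_matches("ThrawN", "17722"))    # True
    print(serial_matches("ThrawN", "12345"))    # False
```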

Now try with your own name. To remove the registration, you can find it in the registry under
HKEY_CURRENT_USER\Software\Beginner Software\Delphi Tools\V1_01
Just remove the name/serial keys and load Delphi Tools again.

If you found this tutorial a little too hard, email me and I will try to help you.
The program was small enough to include with this tutorial, so I did so.

Contact ThrawN - thrawnc@hotmail.com