Reverse Code Engineering - TCP/IP Swapper v3.00
Finding Correct Serial Numbers
Hardcoded Registration Keys
Author: Volatility

Please Read The Disclaimer Before Continuing.


Target: Win '95 TCP/IP Swapper v3.00 - (95swapp30.exe) - 753K
Location: http://www.globesoft.com/bin/95swapp30.exe
Protection(s): Serial Number
Tools Needed: Soft-Ice (Any Version), Wdasm (Recommended)
Level: (X) Beginner ( ) Intermediate ( ) Advanced ( ) Expert


Since this program's protection is so pathetic, it didn't justify writing a full essay.  But I'll show you how to find the serial number in Soft-Ice, so it's not a complete waste.

Prepare To Crack:

Run the program (swapper.exe) and you'll notice a nag screen telling you how many uses you have left (only 15! this thing NEEDS to be cracked!), and a text box to enter a serial number.

Let's see if we can "fish" our valid serial number out of Soft-Ice.  The most common breakpoints for catching a 32-bit program as it reads what we typed are "GetDlgItemTextA" and "GetWindowTextA".  To save you time, GetWindowTextA is the breakpoint we need.

Making The Crack:

Enter a dummy serial number and press Ctrl+D to enter Soft-Ice.  Set a breakpoint on GetWindowTextA (BPX GETWINDOWTEXTA).  Press Ctrl+D or X to exit back to the program and click the "Register" button.  Soft-Ice pops up.  Press F11 once to return from the API call to the code that called it, and you should be here:
 
0137:0041FA29  FF15507A4400     CALL    [USER32!GetWindowTextA]
0137:0041FA2F  8B4C2408         MOV     ECX,[ESP+08]
0137:0041FA33  6AFF             PUSH    FF
0137:0041FA35  E8252F0000       CALL    0042295F
0137:0041FA3A  EB0C             JMP     0041FA48
0137:0041FA3C  8B01             MOV     EAX,[ECX]
0137:0041FA3E  FF742408         PUSH    DWORD PTR [ESP+08]
0137:0041FA42  FF9090000000     CALL    [EAX+00000090]

Now we need to step through the code using F10 until we see something interesting.  Stop at the following piece of code:
 
0137:004012F5  6A40             PUSH    40
0137:004012F7  6854E14300       PUSH    0043E154     :interesting PUSH
0137:004012FC  680CE14300       PUSH    0043E10C     :interesting PUSH
0137:00401301  8BCE             MOV     ECX,ESI
0137:00401303  E8B2630200       CALL    004276BA
0137:00401308  5E               POP     ESI
0137:00401309  C3               RET
0137:0040130A  90               NOP

Step over the line "PUSH    0043E154".  Now let's see what this location holds: display it by typing d 0043E154.  Use Alt+Down Arrow to scroll the data window down just a few times, and you'll see the following:
 
re..Successful R
egistration!....
0492710223..Prox
yOverride...Prox
yServer.ProxyEna
ble.\Software\Mi

Could the highlighted number above possibly be our serial number?  Disable your breakpoint by typing bc *, and write this number down.  Press Ctrl+D or X to exit back out to the program.  Press "OK" on the invalid serial number dialog box, enter the number into the text box, press "Register", and voila! Registered!

Now, since this serial number sits in the program's data right next to the "Successful Registration!" message, we assume that it must be a hardcoded serial number (coded directly into the program - stupid!).  To confirm our suspicions, let's disassemble swapper.exe with Wdasm.

Once disassembled, look at the string references ("Refs" menu, "String Data References").  After scrolling down for just a bit, you'll find the number.  Double-click on it and you'll land at the following piece of code:
 
* Possible StringData Ref from Data Obj ->"0492710223"
                                  |
:0040139B 68F4E14300              push 0043E1F4
:004013A0 51                      push ecx
:004013A1 E8FAF10000              call 004105A0
:004013A6 83C408                  add esp, 00000008
:004013A9 85C0                    test eax, eax
:004013AB 0F8587000000            jne 00401438
:004013B1 6A40                    push 00000040

* Possible StringData Ref from Data Obj ->"Successful Registration!"
                                  |
:004013B3 68D8E14300              push 0043E1D8

* Possible StringData Ref from Data Obj ->"You now have unlimited access "
                                        ->"to"
                                  |
:004013B8 6878E14300              push 0043E178

There's the routine that checks our serial number: it pushes the hardcoded literal and the text we entered (in ecx), calls a two-argument compare (evidently a strcmp-style routine, since eax is tested for zero afterwards), and on a mismatch jumps to 00401438, past the "Successful Registration!" message.  Hardcoded, and ready for anyone to use.
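The weak scheme found above (a literal in the data section compared with the user's text) beside a version that ships only a digest of the key, as an added example that is not from this essay or from the Swapper program.  The key, the fake data section and the string scanner are all constructed for illustration:

```python
import hashlib
import hmac
import re

KEY = "1234567890"  # constructed placeholder, not the program's real serial
OK_MSG = b"Successful Registration!\0"

def string_refs(data: bytes, min_len: int = 4) -> list[str]:
    """Mimic Wdasm's "String Data References": every printable run in a data
    section.  Anything the program compares against in plaintext lands here."""
    runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [m.group().decode("ascii") for m in runs]

# 1. The scheme the essay found: the key literal sits beside the messages and
#    is compared with strcmp (push key; push input; call; test eax; jne).
def release_plaintext(key: str) -> bytes:
    """Build step (vendor side): the key goes into the data section verbatim."""
    return OK_MSG + key.encode() + b"\0ProxyOverride\0"

def check_plaintext(data: bytes, user_input: str) -> bool:
    """Run-time check: read the literal back and compare it.  Whoever dumps the
    same bytes (d 0043E154 in the essay) gets the key without running anything."""
    key = string_refs(data)[1]  # the literal follows the success message
    return user_input == key

# 2. Hashed comparison: only sha256(key) ships, so the string listing shows 32
#    opaque bytes where the key used to be.
def release_hashed(key: str) -> bytes:
    """Build step: the key is consumed here and never reaches the binary."""
    return OK_MSG + hashlib.sha256(key.encode()).digest() + b"\0ProxyOverride\0"

def check_hashed(data: bytes, user_input: str) -> bool:
    """Run-time check: hash the input and compare digests in constant time."""
    shipped = data[len(OK_MSG):len(OK_MSG) + 32]
    return hmac.compare_digest(hashlib.sha256(user_input.encode()).digest(), shipped)

# Caveats: a ten-digit numeric key has only 10**10 candidates, so the digest alone
# does not stop guessing; and the jne after the compare can still be patched.
# Hashing keeps the key out of the string table, nothing more.  A licence checked
# with a public-key signature needs no secret in the binary at all.
if __name__ == "__main__":
    for label, build, check in (("plaintext", release_plaintext, check_plaintext),
                                ("hashed", release_hashed, check_hashed)):
        data = build(KEY)
        print(label, "accepts key:", check(data, KEY),
              "| key in string refs:", KEY in string_refs(data))
```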


*** Disclaimer ***

This Essay Is For Knowledge Purposes Only. Neither We, Our ISP, Nor Any Persons Mentioned Shall Be Held Liable For Any Damages Improper Usage May Cause To Your Machine.

If You Successfully Crack A Program, You Must Delete It Immediately. If You Want To Keep The Program, Please BUY It! Support Shareware, This Is Our Learning Tool!

It Is Illegal To Continue To Use Cracked/Patched Software.


Copyright © 1998 Volatility And The Immortal Descendants.  All Rights Reserved.