WHY PATCHING WHILE SERIAL NUMBER IS FISHY
HardCopy Pro v1.6
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or copyright law, but is for educational purposes only. I hold no responsibility (by all means and in any shape whatsoever) for the misuse of this material.

ABOUT THE PROGRAM

HardCopy Pro is a professional, easy-to-use screen capture utility for Windows 95/98 and NT 4.0 or higher. It can capture rectangular screen areas and whole windows. The captured images can be cropped very easily and the color depth can be changed to any desired value from monochrome to true color. Images can be saved, copied to the clipboard, edited with any image editing program or printed. Many options allow the customization of all these actions to individual user needs.

WHERE TO DOWNLOAD

URL  : http://www.desksoft.com/Download/HCSetup.zip
Size : 124 KB

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

1. I told you that this tute IS NOT THE BEST way of getting a valid S/N; it is most likely a trial-and-error method.... yeah, I called it THE UNUSUAL WAY, that's it. So I will not take you straight to where the fish is being compared!

2. Run the program (HARDCOPY.EXE - 106,496 bytes), click the !DEMO tab, click the REGISTER NOW button, and you'll see the registration window that requires your name and code.

3. Type our fake codes, i.e.:

   Name : Mahiwal Pisan
   Code : 9073884665

   DO NOT CLICK the OK button yet!

4. Fire up SoftIce by pressing [Ctrl + D] and set a new breakpoint; in this regard I am using GETDLGITEMTEXTA:

   bpx getdlgitemtexta [enter]

   then press F5 to return to the main program. Now you can click the OK button, which brings you back into SoftIce.

5. You're in SoftIce now.
   All you have to do is reach the main program's code: press F11 once until you see:

   _____________________________________________________________
   .00404410: FF15E0124100   call  GetDlgItemTextA         <==== You
   .00404416: FF7510         push  d,[ebp][00010]               land here
   .00404419: 8D8610010000   lea   eax,[esi][000000110]
   .0040441F: 50             push  eax
   .00404420: E88B5B0000     call  000409FB0
   .00404425: 59             pop   ecx
   .00404426: 897E08         mov   [esi][00008],edi
   .00404429: 59             pop   ecx
   .0040442A: FF750C         push  d,[ebp][0000C]
   .0040442D: 57             push  edi
   .0040442E: FF151C134100   call  GetDlgItem
   .00404434: 8DBE1C020000   lea   edi,[esi][00000021C]
   .0040443A: 894604         mov   [esi][00004],eax
   .0040443D: 57             push  edi
   .0040443E: 50             push  eax
   .0040443F: FF15FC114100   call  GetClientRect            ;USER32.dll
   .00404445: 6A01           push  001
   .00404447: 57             push  edi
   _____________________HARDCOPY!.TEXT+3410____________________

6. Press F10 2 (two) times, stop the highlight bar at 0040441F, and type:

   d eax [enter]

   In the Data Window you'll see that your name and fake code have been copied to memory, around address 013F:00418978 up to 013F:004189C8.

7. Press F10 2 (two) times, stop the highlight bar at 00404425, and type:

   d ecx [enter]

   In the Data Window you'll see several strings that look like serial numbers, e.g. "suXbZhFhuk", "i8KZXo3IiW", etc. However, you can't register the program using those serial numbers. At this stage you know that those serial numbers have already been blacklisted by the author, and that the correct/valid serial number must be 10 characters long.

8. Let's continue tracing the code: press F10 6 (six) times and stop at 013F:40443D, then type:

   d edi [enter]

   The Data Window shows us the name and fake S/N again, at memory address 013F:4189C4.

9. Now create new breakpoints by typing:

   bpx 013F:4189C4 [enter]
   bpm 013F:4189C4 [enter]

10.
   Press F5, click OK, and you'll break into SoftIce again. At this stage press F5 4 (four) times and you land at:

   .00409BFD: 8A1431     mov   dl,[ecx][esi]        <=== Here
   .00409C00: 80FA49     cmp   dl,049               ;"I"
   .00409C03: 7405       je    000409C0A
   .00409C05: 80FA31     cmp   dl,031               ;"1"
   .00409C08: 7504       jne   000409C0E
   .00409C0A: C604316C   mov   b,[ecx][esi],06C     ;"l"
   .00409C0E: 41         inc   ecx
   .00409C0F: 3BC8       cmp   ecx,eax
   .00409C11: 7CEA       jl    000409BFD
   .00409C13: 5E         pop   esi
   .00409C14: C3         retn                       <===== jump past here

   Press F10 82 (eighty-two) times! (You'll be cycled several times between the memory addresses 00409BFD and 00409C11) until you get past the RET instruction at 00409C14.

11. Finally, you'll reach the moment of truth:

   .00409E15: E8D1FDFFFF   call  000409BEB          <== land here
   .00409E1A: 83C410       add   esp,010
   .00409E1D: 807D0800     cmp   b,[ebp][00008],000
   .00409E21: 7444         je    000409E67          <== jump HERE
   .00409E23: BF60434100   mov   edi,000414360
   .......
   .......
   Press F10 2 (two) times and jump at 00409E21
   .......
   .......
   .00409E67: 6A0A         push  00A                <== ret jump here
   .00409E69: 8D45F4       lea   eax,[ebp][-000C]
   .00409E6C: 56           push  esi                <== d esi here or
   .00409E6D: 50           push  eax                <== d eax

   Keep pressing F10 until you reach 00409E6C and dump/display the contents of ESI and/or EAX by typing:

   d esi ----> your fake S/N appears in the Data Window
   d eax ----> did you see "hQlhv3TSUl" at memory address 0064F938?? YES, that's the REAL CODE you're looking for!!

12. Write down the serial number, disable all breakpoints by typing bd *, press F5, and repeat the registration procedure..... badass... the classic "thank you for registering" appears on your screen.

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay.
To keep shareware prices low, users must do the right thing: register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack releases, repacking (distro) them under his name. Adopted from newsgroups alt.cracks, alt.crackers - February 1997 )

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-hardcopy16.zip or c4a_hc16.zip

[EOF]
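Added illustration, not part of the original tutorial and not DeskSoft's code: the loop at 00409BFD-00409C14 that step 10 single-steps through, rendered in C from my reading of the listing. It folds every 'I' and '1' in the buffer to a lowercase 'l' before the check in step 11 runs, so codes that differ only in those confusable glyphs compare equal. The function names and the variant serial "hQ1hv3TSUI" are my own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* C rendering of the loop at 00409BFD-00409C14 (step 10); my reading of
 * the listing, not the vendor's source. ESI = buffer, ECX = index,
 * EAX = length. Every 'I' (0x49) or '1' (0x31) is overwritten with a
 * lowercase 'l' (0x6C), so confusable glyphs compare equal afterwards. */
static void normalize_serial(char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {              /* cmp ecx,eax / jl */
        unsigned char dl = (unsigned char)buf[i];   /* mov dl,[ecx+esi] */
        if (dl == 'I' || dl == '1')                 /* cmp dl,49h ; cmp dl,31h */
            buf[i] = 'l';                           /* mov b,[ecx+esi],6Ch */
    }
}

/* Copy `in` into `out` (must hold strlen(in)+1 bytes) and normalize it.
 * Returns out, or NULL when the buffer is too small. */
static const char *normalized_copy(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in);
    if (n + 1 > outsz)
        return NULL;
    memcpy(out, in, n + 1);
    normalize_serial(out, n);
    return out;
}

/* 1 when two serials are equal after normalization, i.e. the tolerant
 * comparison that the loop above prepares; 0 otherwise. */
static int serials_match(const char *a, const char *b)
{
    char na[64], nb[64];
    if (!normalized_copy(a, na, sizeof na) || !normalized_copy(b, nb, sizeof nb))
        return 0;
    return strcmp(na, nb) == 0;
}

int main(void)
{
    char buf[64];
    /* "hQlhv3TSUl" is the code shown in step 11; "hQ1hv3TSUI" is a
     * constructed variant that differs only in confusable glyphs. */
    printf("%s\n", normalized_copy("hQ1hv3TSUI", buf, sizeof buf));
    printf("%d\n", serials_match("hQlhv3TSUl", "hQ1hv3TSUI"));
    return 0;
}
```

The 82 F10 presses in step 10 are this loop iterating over the buffer; each pass either rewrites the byte or leaves it untouched, and the RET at 00409C14 is reached only after the index equals the length.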