Software Reverse Engineering - Safety Scan v2.5b - Serial Fishing With Soft-Ice
Copyright (c) 1998 Volatility
Document Courtesy of The Immortal Descendants - http://pages.prodigy.net/volatility
---------------------------------------------------------------------------------------------
Target: Safety Scan v2.5b - (safetyscan.exe) 366,688 bytes.
Download this at: http://ftp.loop.com/~unisyn/safescan.zip

Tools Needed: Soft-Ice v3.2 (earlier versions will work just fine)
---------------------------------------------------------------------------------------------
Prepare To Crack:

Run the program (safescan.exe). The first thing that pops up is an ugly nag screen. Click on the "Register Now" button. Only a serial number needs to be entered. These registrations are the easiest!

We need to set up a breakpoint in Soft-Ice to trap the valid serial number. The most common API calls are "GetDlgItemTextA" and "GetWindowTextA". To save you time, the correct one is "GetWindowTextA".

Making The Crack:

Enter some test data at the registration screen. Press Ctrl+D to enter Soft-Ice. Set a breakpoint on "GetWindowTextA" - BPX GetWindowTextA. Press Ctrl+D again to exit back to the program. Press the "Ok" button, and Soft-Ice will break. Press F11 once to get into the routine, and you should be here:
---------------------------------------------------------------------------------------------
CALL USER32!GetWindowTextA
MOV ECX,EAX
MOV EDX,ESP
MOV EAX,ESI
CALL 00403A54
JMP 0042F6FB
MOV EAX,ESI
MOV EDX,[EBX+6C]
CALL 00403A08
ADD ESP,00000100
POP ESI
---------------------------------------------------------------------------------------------
Now we need to look for a compare (CMP, TEST) and/or a jump (JZ, JNZ, JE, JNE etc.) where our serial number is compared with the correct one. Press F10 to step through the code (12 times) until you get here:
---------------------------------------------------------------------------------------------
CALL 0042F6BC
MOV EDX,[EBP-64]
MOV EAX,ESI