------------ HOW TO FIND REAL SERIAL NUMBER BY USING SOFTICE ---------------

Program    : DrDOC
Version    : 1.53
File Size  : 504KB
Web-site   : http://www.logipole.com/indexe.html
Cracked By : Ex3cutor
Email      : Ex3cutor@hotmail.com

About the program :

DrDOC is an easy to use 32 bits software for Windows 9x, ME, 2000 and NT4
which helps you to produce documentation (or else...). DrDOC will capture
parts of screen and will copy them to the clipboard (several formats, several
number of colours) allowing you to paste them in another software, word
processing for example. You can decide to let DrDOC do the paste operation;
the software will ask you to choose in the list of the active programs where
it must paste the capture. You can also choose to save your captures (BMP,
GIF, JPEG or TARGA). DrDOC is seen on the screen by a tray icon; click on it
to setup.

******************** START SEARCHING FOR THE REAL LICENCE KEY ********************

1) Start DrDOC Version 1.53
   Show the registration box
   Key in as follows :

      Name :
      First Name : Ex3cutor
      Key : 1234567890

2) Press 'OK' ....
   An error message will appear to say that your key is INVALID !
   This is expected as our key is FAKE !
   What we do now is to remember the error message :

      "Invalid Key
       Please enter your name and key as they have been delivered to you"

3) Now, disassemble the program and do a dead listing by W32Dasm ...
   Go to 'Refs' -> 'String Data References' and search for our error
   message "Invalid Key"
   It will lead you to the following code :

      * Possible StringData Ref from Data Obj ->"Invalid key"
                                        |
      :0040626F 68B87B4100              push 00417BB8
      :00406274 55                      push ebp

4) Trace the code a bit backward, and stop at

      * Referenced by a (U)nconditional or (C)onditional Jump at Address:
      |:0040621F(C)
      |
      :00406240 8B442410                mov eax, dword ptr [esp+10]
      :00406244 8D9424BC000000          lea edx, dword ptr [esp+000000BC]
      :0040624B 35F0BD6824              xor eax, 2468BDF0
      :00406250 52                      push edx
      :00406251 A3C0B24100              mov dword ptr [0041B2C0], eax
      :00406256 E8FE530000              call 0040B659
      :0040625B 8B0DC0B24100            mov ecx, dword ptr [0041B2C0]
      :00406261 83C404                  add esp, 00000004
      :00406264 3BC1                    cmp eax, ecx
      :00406266 742E                    je 00406296
      :00406268 6A10                    push 00000010

      * Possible StringData Ref from Data Obj ->"Register"
                                        |
      :0040626A 68607C4100              push 00417C60

      * Possible StringData Ref from Data Obj ->"Invalid key"
                                        |
      :0040626F 68B87B4100              push 00417BB8
      :00406274 55                      push ebp

   See the code at 00406264 ? It is a comparison !!! (cmp eax, ecx)
   This is a good place where we start !
   We can assume this is where the FAKE key and the REAL key are compared !
   If they are equal, it will jump directly to the code at 00406296.
   Otherwise, it just prints out the error message !
   So, remember this code address : 00406240

5) Ok ! Let's start to find the REAL key by SoftIce now !
   Repeat step (1)
   However, do NOT press 'OK' this time !
   Fire up SoftIce by pressing "Ctrl D" and set a breakpoint as follows :

      bpx getdlgitemtexta [Enter]

   then press F5 to return back to the program

6) Now, click "OK" to go back to SoftIce.
   Type

      bc * [Enter]

   to clear our breakpoint
   Then, press F12 ONCE to reach the following code :

      :004060D1 85C0                    test eax, eax
      :004060D3 7538                    jne 0040610D
      :004060D5 6A10                    push 00000010

   If nothing goes wrong, you'll be stopped at

      :004060D1 85C0                    test eax, eax

7) Set another breakpoint by typing

      bpx 00406240 [Enter]

   Press F5 ONCE !
   If nothing goes wrong, you'll stop at the following code :

      :00406240 8B442410                mov eax, dword ptr [esp+10]
      :00406244 8D9424BC000000          lea edx, dword ptr [esp+000000BC]
      :0040624B 35F0BD6824              xor eax, 2468BDF0
      :00406250 52                      push edx
      :00406251 A3C0B24100              mov dword ptr [0041B2C0], eax
      :00406256 E8FE530000              call 0040B659
      :0040625B 8B0DC0B24100            mov ecx, dword ptr [0041B2C0]
      :00406261 83C404                  add esp, 00000004
      :00406264 3BC1                    cmp eax, ecx
      :00406266 742E                    je 00406296
      :00406268 6A10                    push 00000010

8) Press F10 twice to reach

      :0040624B 35F0BD6824              xor eax, 2468BDF0

   Type

      d edx [Enter]

   What did you see ?? It's our FAKE key ! (which is 1234567890 in this case)

9) Press F10 4 more times to reach

      :0040625B 8B0DC0B24100            mov ecx, dword ptr [0041B2C0]

   Type

      ? eax [Enter]

   What did you see this time ??? It's our FAKE key again !

10) Press F10 1 more time to reach

      :00406261 83C404                  add esp, 00000004

   In order to retrieve the REAL key, what we need to do is just to type

      ? ecx [Enter]

   HeHeHe .... Here we go - the REAL key ! (which is 3684123212)

11) Exit SoftIce and register again with the REAL key !
    Go to 'About'
    Wow ! This software is now registered !!!
    Enjoy :)

******************************** END ***************************************
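
Added example, not part of the original tutorial and not the vendor's code: the listing at 00406240 works because the program itself computes the valid key (a value XORed with 2468BDF0) and then compares it with the entered one, so the valid key is sitting in a register at the cmp. The C sketch below puts that shape beside a check that verifies a signature with a public key only, so the verifier never computes a valid key. Assumptions: name_hash() is a hypothetical stand-in for the value loaded from [esp+10] (the page does not show how it is derived), and the RSA numbers are constructed textbook-sized values used only to keep the example short.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in (FNV-1a) for the per-user value the listing loads from [esp+10]. */
static uint32_t name_hash(const char *s) {
    uint32_t h = 2166136261u;
    while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
    return h;
}

/* Weak shape from the listing: the verifier derives the valid key itself,
   so that key is readable in memory or a register right before the compare. */
int check_weak(const char *name, const char *key) {
    uint32_t expected = name_hash(name) ^ 0x2468BDF0u;        /* xor eax, 2468BDF0 */
    return strtoul(key, NULL, 10) == (unsigned long)expected; /* cmp eax, ecx      */
}

/* Constructed toy RSA public key; a real product needs a vetted library and real key sizes. */
#define RSA_N 3233u
#define RSA_E 17u

static uint32_t modpow(uint32_t b, uint32_t e, uint32_t m) {
    uint64_t r = 1, x = b % m;
    while (e) { if (e & 1) r = r * x % m; x = x * x % m; e >>= 1; }
    return (uint32_t)r;
}

/* Hardened shape: the key is a signature over the name. The shipped code holds only
   (RSA_N, RSA_E); what it compares against is the public digest, not a valid key. */
int check_signed(const char *name, const char *key) {
    unsigned long sig = strtoul(key, NULL, 10);
    if (sig >= RSA_N) return 0;                 /* reject out-of-range input */
    return modpow((uint32_t)sig, RSA_E, RSA_N) == name_hash(name) % RSA_N;
}

/* Vendor side only (here just to build a sample key): the private exponent never ships. */
uint32_t vendor_sign(const char *name) {
    return modpow(name_hash(name) % RSA_N, 2753u, RSA_N);
}

int main(void) {
    char key[16];
    snprintf(key, sizeof key, "%u", (unsigned)vendor_sign("Alice")); /* constructed sample */
    printf("signed ok=%d, fake key ok=%d\n",
           check_signed("Alice", key), check_signed("Alice", "1234567890"));
    return 0;
}
```

With check_signed(), a breakpoint at the final compare shows only the digest of the name and the entered key raised to the public exponent, neither of which is a key that would pass the check.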