----------------------------------------------------------------------------------------------
How to find a serial for The Psychedelic Screen Saver 2000
----------------------------------------------------------------------------------------------

Cracker: iNFiNiTY
Target:  The Psychedelic Screen Saver 2000
Tools:   SoftIce, brain
Where:   http://www.synthesoft.com

Sorry for my English, it's not my mother tongue.

-----------
Step 1:
-----------

Go to the registration information, push "Enter Code" and enter any s/n. I entered 1234-5678,
because the program looks for a "-" (it splits the code into two halves at the dash). Go to
SoftIce, set a breakpoint on hmemcpy (bpx hmemcpy) and go back to the program. Push the "Submit"
button. Boom, we are in SI. Press "F11" to return to the caller, then "F12" eight times to climb
back out of the 16-bit system code into the program's own 32-bit code. We land here:

    00401D32 CALL [USER!GetDlgItemTextA]
    00401D38 LEA EAX, [EBP-40]              <--- we are here
    00401D3B PUSH EAX                       <--- "D EAX" shows our fake s/n
    00401D3C CALL 00403644
    00401D41 MOV DWORD PTR [ESP], 00409FE0
    00401D48 PUSH ESI
    00401D49 PUSH EDI
    00401D4A MOV EBX, EAX
    00401D4C CALL [USER!GetDlgItemTextA]
    00401D52 PUSH EBX
    00401D53 CALL 004030BF                  <--- "F8" to trace into the CALL
    00401D58 POP ECX
    00401D59 POP EBX

On 00401D53 press "F8" to trace into the CALL. Here we are:

    004030BF PUSH ESI
    004030C0 MOV ESI, [ESP+08]
    004030C4 PUSH EDI
    004030C5 PUSH 04
    004030C7 PUSH ESI
    004030C8 CALL 00402D48                  <--- "F8" to trace into the CALL

On 004030C8 press "F8" again to trace into the CALL. Here we are:

    00402D48 PUSH EBP
    00402D49 MOV EBP, ESP
    00402D4B PUSH ESI
    00402D4C PUSH EDI
    00402D4D MOV EDI, [EBP+08]
    00402D50 MOV EAX, 0000C797
    00402D55 CMP EDI, EAX                   <--- this is what we want

On 00402D55 you see the first part of our serial being compared. Type "? EDI" and SoftIce shows
the first part of our s/n (1234); type "? EAX" and it shows the first part of the REAL code:
0000C797 hex = 51095 decimal. Write this number down. Keep tracing with "F10":

    00402D55 CMP EDI, EAX                   <--- the compare from above
    00402D57 JA  00402E46
    00402D5D JZ  00402E8C                   <--- taken when EDI == 0000C797
    00402D63 MOV EAX, 00004FAD
    00402D68 CMP EDI, EAX                   <--- a second compare?!
    00402D6A JA  00402DE0
    00402D6C JZ  00402E26
    00402D72 CMP EDI, 00002BAD              <--- and another?!
    00402D78 JZ  00402DC0
    :
    :

On 00402D68 you see the second compare. If you type "? EDI" on this line it still shows 1234,
the first part of our fake s/n; "? EAX" shows the new constant, 00004FAD hex = 20397 decimal.
Write this number down too. The whole s/n is: 51095-20397

!!!BUT!!! If you keep tracing down you will see a lot more compares, for example:

    CMP EDI, 00002BAD

Every time you stop on a compare line, write down the constant after "CMP EDI, ????????" (or the
one loaded into EAX just before the CMP), converted from hex to decimal by typing "? EDI" style
expressions in SoftIce. You will get these numbers:

    11181, 12181, 13181, 15677, 16677, 17677

Now you can type as the real code any of these: 51095-20397, 51095-11181, 51095-12181, ...
The only condition is that the first part of the REAL code must be 51095. So go to the
registration screen and type your s/n: "Yes one of our products are registered."

A note on what the trace actually shows: EDI still holds the first half of the code at every one
of these compares, so each constant is being tested against the first half, not the second. A
chain of CMP / JA / JZ against a descending set of constants is the shape a compiler gives a
switch statement over sparse case values, which is why there are so many compares in a row; the
code that runs at the JZ targets (00402E8C and the others) is not shown in this trace.

=============================
If I make a mistake, please e-mail me at algo.rhythm@worldonline.cz. I'm a newbie, so if you can
help me or if you want to advise me, please contact me.
=============================

=============================
Thanks to all crackers on the web !!!
=============================
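The constant-harvesting step above (reading the immediate after each "CMP EDI," or the value
loaded into EAX just before "CMP EDI, EAX", then converting hex to decimal) is easy to get wrong
by hand once there are a dozen compares. The script below is an added example written for this
page, not code from the tutorial or from the program: it parses the SoftIce listing quoted above
(embedded here as constructed sample input), collects every constant EDI is compared against, and
splits a typed code at the "-" the way the tutorial says the program does. The function names
harvest_constants, split_serial and matching_halves are my own. It does not emulate the program's
check; it only tells you which of your typed numbers would survive which compare.

```python
import re

# Constructed sample input: the SoftIce listing from the tutorial above (the
# part of 00402D48 that compares EDI against constants), not a live dump.
LISTING = """
00402D4D MOV EDI, [EBP+08]
00402D50 MOV EAX, 0000C797
00402D55 CMP EDI, EAX
00402D57 JA 00402E46
00402D5D JZ 00402E8C
00402D63 MOV EAX, 00004FAD
00402D68 CMP EDI, EAX
00402D6A JA 00402DE0
00402D6C JZ 00402E26
00402D72 CMP EDI, 00002BAD
00402D78 JZ 00402DC0
"""

HEX = r"[0-9A-Fa-f]+"
MOV_EAX_IMM = re.compile(rf"^(?P<addr>{HEX})\s+MOV\s+EAX,\s*(?P<imm>{HEX})$")
CMP_EDI_IMM = re.compile(rf"^(?P<addr>{HEX})\s+CMP\s+EDI,\s*(?P<imm>{HEX})$")
CMP_EDI_EAX = re.compile(rf"^(?P<addr>{HEX})\s+CMP\s+EDI,\s*EAX$")
# Any instruction whose first operand is EAX (MOV EAX, [..], XOR EAX, EAX, ...)
# clobbers the constant we remembered from an earlier MOV EAX, imm.
WRITES_EAX = re.compile(rf"^{HEX}\s+\w+\s+EAX\b")


def harvest_constants(listing):
    """Return [(cmp_address, decimal_constant), ...] for every compare of EDI
    against an immediate. Handles both the direct form (CMP EDI, imm) and the
    two-instruction form (MOV EAX, imm ... CMP EDI, EAX) seen in the listing.
    This is the hex->decimal step the tutorial does by hand with SoftIce's '?'."""
    constants = []
    eax = None  # last immediate loaded into EAX, if still valid
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOV_EAX_IMM.match(line)
        if m:
            eax = int(m.group("imm"), 16)
            continue
        m = CMP_EDI_IMM.match(line)
        if m:
            constants.append((m.group("addr").upper(), int(m.group("imm"), 16)))
            continue
        m = CMP_EDI_EAX.match(line)
        if m:
            if eax is None:
                raise ValueError(f"{line}: EAX value unknown at this compare")
            constants.append((m.group("addr").upper(), eax))
            continue
        if WRITES_EAX.match(line):
            eax = None  # EAX was overwritten by something other than an immediate
    return constants


def split_serial(code):
    """Split a code typed into the dialog into its two numeric halves. The
    tutorial says the program looks for a '-', so this does the same."""
    left, sep, right = code.strip().partition("-")
    if not sep or not left.isdigit() or not right.isdigit():
        raise ValueError(f"serial must look like 12345-67890, got {code!r}")
    return int(left), int(right)


def matching_halves(code, listing=LISTING):
    """Map each harvested constant to the index (0 = first half, 1 = second
    half) of the serial half that equals it. Which half the program really
    tests at a compare is decided by the register it loads (EDI in the
    tutorial), not by this helper."""
    halves = split_serial(code)
    hits = {}
    for _addr, const in harvest_constants(listing):
        for idx, half in enumerate(halves):
            if half == const:
                hits[const] = idx
    return hits


if __name__ == "__main__":
    for addr, const in harvest_constants(LISTING):
        print(f"{addr}: {const:08X}h = {const}")
    print(matching_halves("1234-5678"))
    print(matching_halves("51095-20397"))
```

Run it as-is and it lists 00402D55 -> 51095, 00402D68 -> 20397 and 00402D72 -> 11181, the three
decimal values the tutorial reads off with "?". Paste a longer listing into LISTING (or pass one
to harvest_constants) to collect the rest of the chain in one go.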