Finding A Valid Serial For Quick3270 v2.63

Target URL: http://members.aol.com/dneuhart/Quick3270.html
Tools: SoftICE

Howdy, a short tutorial on the bpm (breakpoint on memory) method of finding a valid serial in SoftICE.

Enter your false details. The maximum serial length is twenty chars, so I entered:

Name/Company: Educational Only
Registration: 01234567898765432100

Now enter SoftICE [Ctrl + D] and set a breakpoint on GetWindowTextA (bpx GetWindowTextA). Press [F5] and hit the [OK] button. SoftICE will break, but there are two edit boxes and the app has only read the first one at this point, so press [F5] again; then press [F11] to return to the calling code. You can now disable this breakpoint (bd * to disable it, or bc * to clear it).

We now need to search for the serial we entered to find where it is stored in memory, so do: s 0 l ffffffff "01234567898765432100". You may find more than one occurrence (press s again to search for the next match), but it is the first occurrence we are interested in. I find the following:

Pattern found at XXXX:0065F898 (0065F898)

So do a bpm 0065F898 to set a breakpoint on memory on your serial, then press [F5] again. SoftICE should break again, and you should land here:

/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
SoftICE Listing
/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /

Address  Machine Code  Assembler Instructions
41A559   7427          jz 0041A582        ; you should land here (or on the line above)
41A55B   8B4EFC        mov ecx, [esi-04]  ; move 4 chars of your serial into ecx
41A55E   8B57FC        mov edx, [edi-04]  ; move 4 chars of the real serial into edx

/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /
SoftICE Listing
/ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / /

Press [F10] three times, then do ? ecx and ? edx. You should see the following:

? ecx = "3210" , "3210" = "0123", the first 4 chars of your serial, reversed because the dword is loaded little-endian
? edx = "9ME@" , "9ME@" = "@EM9", the first 4 chars of the real serial, reversed the same way

So disable your memory breakpoint, set a breakpoint on 41A55E (bpx 41A55E), and replace the first four chars of your serial with the first four chars of the real serial, i.e. "0123" with "@EM9". Click [OK], and when SoftICE breaks, read the next four chars from edx and replace the corresponding chars in your fake serial; in my case that would be "4567" next. Basically, you just repeat this until you have the full serial. You could instead disable and re-enable the memory breakpoint each time, but that creates more unnecessary breaks, although it may suit you better :) This is not the only method either, but I wanted to show you this one, as it may save you some tracing. And I'm not going to give you a full serial either, that's for you to do :)
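As an added illustration (my code, not the tutorial's and not Quick3270's), here is the check pattern the listing reveals, a copy of the real serial compared dword by dword against the input, beside a form that leaves the memory search nothing to find. The serial string, the FNV-1a digest and the digest-only check are all constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define SERIAL_LEN 20   /* the twenty-char maximum the page mentions */

/* Constructed stand-in for a product's real serial; not Quick3270's. */
static const char EXPECTED_SERIAL[SERIAL_LEN + 1] = "@EM9-TOY-SERIAL-0000";

/* Vulnerable pattern: the real serial is copied into memory and compared
 * four chars at a time with the input, the shape the listing shows
 * (mov ecx,[esi-04] / mov edx,[edi-04] after a repe cmpsd). A memory
 * breakpoint on the input lands on this compare with both operands live. */
int check_serial_vulnerable(const char *input)
{
    char real[SERIAL_LEN + 1];
    if (strlen(input) != SERIAL_LEN)
        return 0;
    memcpy(real, EXPECTED_SERIAL, sizeof real);   /* plaintext copy in RAM */
    for (size_t i = 0; i < SERIAL_LEN / 4; i++) {
        uint32_t mine, theirs;
        /* little-endian loads: "0123" shows up as "3210", as ? ecx did */
        memcpy(&mine,   input + 4 * i, 4);   /* ecx: 4 chars of your serial */
        memcpy(&theirs, real  + 4 * i, 4);   /* edx: 4 chars of the real one */
        if (mine != theirs)
            return 0;   /* bails at the first bad dword, one chunk at a time */
    }
    return 1;
}

/* FNV-1a 64-bit: a constructed stand-in for a proper keyed digest. */
uint64_t serial_digest(const char *s, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= (unsigned char)s[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Hardened pattern: the binary ships only expected_digest (precomputed at
 * build time), so no copy of the real serial ever sits in memory for the
 * s 0 l ffffffff search to hit, and the compare sees digests, not chars. */
int check_serial_hardened(const char *input, uint64_t expected_digest)
{
    if (strlen(input) != SERIAL_LEN)
        return 0;
    return serial_digest(input, SERIAL_LEN) == expected_digest;
}
```

The digest-only check defeats the memory-search step shown above but does nothing on its own for the branch that acts on the result; licensing schemes that hold up rely on signed keys verified with a public key rather than any comparison against a secret the binary must know.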

Cya l8r,
Eddie

Greetz: Acid_Cool_178, Blind Angel, Cardenal Mendoza, Duelist, Eternal Bliss, Gizmo, Intern, LaZaRuS, Lord Soth, Nitrus, Quantico, TeChNiCh, Videk. And of course everyone in c.uk.