This time we are going to find out a real serials for mIRC V5.7 according to our name entered. Why should we sill do that? Yes I know from the previous tut I discuss how to patch the program and I am sure you all can do it, but I need to say patching is just a simple way to bypass the protection, you just force the program to register you, instead of doing this, we are all interesting to know the exact registration routines of the program, and even more, to find out a REAL serials, yes, this serials are the same as you get when you pay for the program! Attractive? I think this one is more valuable. Also, on the way to trace the registraton routines, we will quickly and sharply increase our knowledge of cracking and programming, that's the most important and valuable things we can get, the only purpose for us is learnning. Knowledges is power!

General speaking, to find a correct serials is a bit more difficult than patching, for patching, most of the times we just need to change few bytes and then the work finish, but to find a correct serials, we need to trace the code line by line and note down lots of register value changes, these works require more knowledges of Assembly Language, I think it is a bit hard work for newbies to begin, fortunitily, this time our target mIRC V5.7 give us a good start, a good start does'n means that it is easy, it just means not difficult, but we still need to spend lots of time on it, remember, always BE PATIENT!

Quick Introduce To Debugger/SoftIce :

The following lines is a short introduce to debugger and SoftIce, if you already familiar with it please jump over it.

To monitor each line the program does, the best way is load the program into a live time debugger, debugger is quite useful for cracking especially you are newbies, what is the different between a live time debugger and the diassembler? A diassembler just show us the source code of the program( In assembly of course), but a live time dubugger can run and trace the program line by line, thus we can easily to know what the program really does and how the program use our information to produce its own serials. A debugger is a software to find out and correct bugs(a bug is wrong code or error in the program)in programs, normally it use by programmer to make their program perfectly, since a debugger can provide me to trace the program line by line so that it is quite useful for cracking, let me say this way, a diassembler only show us the source code but a debugger run the source code line by line.

Since we introduce something about debugger, now it's time to tell you which debugger we should use for our work, the most famous debugger on cracking world is SoftIce, almost 99% of cracking people own a copy of it, although there are lots of other debuggers you can choose, but as the result of the powerful function of SoftIce, we should better use it for our work, yes, SoftIce is the best! Here I assume you have already installed it and can run it with no problems, if you sill can't handle it or never install it, please go to "http://zor.org/krobar/", check the links in tools section, download SoftIce and grab some tuts about it.

Welcome back, are your SoftIce all ready? By the way, not many people know what SoftIce means, ice for "in-circuit emulator", this is parts of hardware debugger, a hardware debugger is similar to software debugger but with more powerful function and more expensive, it usually inculd both of hardware card and its own software program. So SoftIce means use the software method to similate the hardware debugger, the company of SoftIce mention that SoftIce is powrful as same as other hardware debugger, so it is the best software debugger and we all choose it.

Start Our Work :

At the end of my last tut, I mention an important call that calculate and compare our name/serials, let's take a quick review on that, please follow the call covered with red bar :

* Reference To:User32.SendDlgItemMessageA,Ord:0000h			<----W32 API that will show us registration window
:00498A8B	E841800500	call  004F0AD1	<----Call API that show us the registration window
:00498A90	68334A5000	push 00504A33	<----Accept entered Name/Serial
:00498A95	684C465000	push 0050464C	<----Accept entered Serial/Name
:00498A9A	E8E5FBFFFF	call  00498684	<----Call a funtion to calculate and check Name/Serial
:00498A9F	85C0	test eax, eax	<----Test registration success or not
:00498AA1	0F849B000000	je   00498B42	<----If name and serial don't match, jump to fail window
:00498AA7	BE3C9D4F00	mov esi, 004F9D3C
:00498AAC	BF4C465000	mov edi, 0050464C

We step into the call at address "00498A9A", and see the following lines :

:00498684	55	push ebp	<----Starting of the call
:00498685	8BEC	mov ebp, esp
:
:			<----Scroll down until you see the following lines
:
:004986DC	68204A5100	push 00514A20	<----push our serial number to stack
:004986E1	6820495100	push 00514920	<----push our name string to stack
:004986E6	E8A1FEFFFF	call 0049858C	<----Another important call to calculate real serial
:004986EB	85C0	test eax, eax	<----test eax=0 or not
:004986ED	7407	je 004986F6	<----jump to address "004986F6" if eax=0
:004986EF	B801000000	mov eax, 00000001	<----move 1 to eax(registration success)
:004986F4	EB74	jmp 0049876A	<----jump to return call, will back to "00498A9F"
:
:
:
:0049876A	5F	pop edi
:0049876B	5E	pop esi
:0049876C	5B	pop ebx
:0049876D	5E	pop ebp
:0049876E	C20800	ret 0008	<----Return to address "00498A9F"

Last time, we patch the jump at address "004986ED" so that we can enter any serials. This time, we mainly study the call at address "004986E6", all calculation and comparing are inside the call, before we monitor our program by the powerful tools SoftIce, we take a look at the assembly code first, the explanation in the right columns will guide you to trace your program in SoftIce. When we step into the call, we see the following :

:0049858C	55	push ebp	<----Starting of the call
:0049858D	8BEC	mov ebp, esp
:
:00498598	8B4508	mov eax, dword ptr [ebp+08]	<----Address "ebp+08" contain address of our name
:
:004985A2	83F805	cmp eax, 00000005	<----Compare lenght of our name to 5
:004985A5	7307	jnb 004985AE	<----Jump if lenght>=5
:004985A7	33C0	xor eax, eax	<----If lenght<5 then store 0 to eax
:004985A9	E9CA000000	jmp 00498678	<----Jump to address "00498678"
:004985AE	6A2D	push 0000002D	<----Push 2Dh to stack, 2Dh equal to "-"
:004985B0	56	push esi
:004985B1	E8C28CF6FF	call 00401278	<----Check our serial contain "-" or not
:			<----Character "-" separate our serials into two part
:
:
:004985C6	C60300	mov byte ptr [ebx], 00
:004985C9	56	push esi
:004985CA	E84514F7FF	call 00409A14
:004985CF	59	pop ecx
:004985D0	8945FC	mov dword ptr [ebp-04], eax	<----Store our first part of serial into [ebp-04]
:
:
:
:004985E3	53	push ebx
:004985E4	E82B14F7FF	call 00409A14
:004985E9	59	pop ecx
:004985EA	8945F8	mov dword ptr [ebp-08], eax	<----Store our second part of serial into [ebp-08]
:
:004985F7	8945F4	mov dword ptr [ebp-0C], eax	<----Store the lenght of our name into [ebp-0C]
:
:
:
:0049860E	0FB631	movzx esi, byte ptr [ecx]	<----Starting the loop of first part serial calculation
:			<----We will study them in part 3-make KeyGen
:00498628	7CE4	jl 004986E0	<----Ending the loop of first part serial calculation
:0049862A	3B5DFC	cmp ebx, dword ptr [ebp-04]	<----Compare the first part serial
:0049862D	7404	je 00498633	<----If first part success, go on to the second part
:0049862F	33C0	xor eax, eax	<----If first part don't match, eax=0(fail register)
:00498631	EB45	jmp 00498678	<----Jump to return call
:
:
:
:00498647	0FB631	movzx esi, byte ptr [ecx]	<----Starting the loop of second part serial calculation
:			<----We will study them in part 3-make KeyGen
:00498668	7CDD	jl 00498647	<----Ending the loop of second part serial calculation
:0049866A	3B5DF8	cmp ebx, dword ptr [ebp-08]	<----Compare the second part serial
:0049866D	7404	je 00498673	<----If second part success too, jump to 00498673
:0049866F	33c0	xor eax, eax	<----If second part don't match, eax=0(fail register)
:00498671	EB05	jmp 00498678	<----Jump to return call
:
:00498673	B801000000	mov eax, 00000001	<----Store 1 into eax(register success)
:
:0049867E	C20800	ret 0008	<----Return call, will back to address 004986EB

Althouh it is just a quick preview of the code, but they are still quite long, but I just try to explain more details so that all rookies like you will understand them more clearly, actually, if you can spend more time on tracing each line, you will learn lots of Assembly, it is not too difficult to understand them especially by the help of some powerful tools like SoftIce, when each time I trace the program in SoftIce, I use a pen to note down lots of important informations on a paper, that's why I can point out lots of explanation above, yes, they all come from my notes when first time I trace them in SoftIce. My tutorial is not limited on just find out the real serials, instead of that, I also hope you can learn more Cracking and programming experience from my tuts, so I always telling you lots of my cracking experiences. Method is important and knowledge is power!

There is a quite important call at address 004985B1(covered with blue bar), this call is not about the calculation of serials, it just check our entered serial number contain character "-" or not, this call search each digit of the serial, when it found character "-", it will store the address that contain "-" into eax, if character "-" can't found, it will store 0 into eax, and then the program will bypass all calculation and comparison, finally register fail. I am not going to show you the codes, if you feel interesting about that and want to learn more, try to trace yourself, it's very easy to understand. So our serial must contain character "-".

At address 0049862A(covered with green bar), the program compare the first part of the serial, at this moment, our entered serial will store at address "ebp-04", the real serial will store at ebx, to check the content store at ebx will find the real serial, but the number are all in Hexdecimal form, you need to change the Hexdecimal number in ebx to decimal form, you may very easy to do this in SoftIce, when you trace at this address, just type "? ebx" at command window, "?" means evaluate, it will show you the corresponding decimal number of ebx immediately.

At address 0049866A(covered with green bar too), the program compare the second part of the serial, that's all same as above, check the decimal number of ebx and you will find your second part of serial. After you find out both parts of the serial, you may joint the first part and second part of serials with "-", and then you get your real serial.

Important Table :

Address	Contents	SoftIce Command Use To Check Them
00514920	Our entered name	D(Dump)
00514A20	Our entered whole serial number	D(Dump)
EBP-04	First part of serial number in Hex form	?(Evaluate)
EBP-08	Second part of serial number in Hex form	?(Evaluate)
EBP-0C	Lenght of our name entered	?(Evaluate) or just by your eye
EBP+08	Address 00514920	D(Dump)

Now I think we get all knowledge we need, it's time to find our real serials. To trace a program in SoftIce, we must make sure we are tracing the correct program code, the file that SoftIce is tracing will show between the bottom window(command window) and the second bottom window(code window), usually, we also need to set a breakpoint to get into the program code we want to trace. Make sure your mIRC V5.7 main file(mirc32.exe) have never been patched or modified, now run mirc32.exe and goto "Help"---->"Register", enter your whole name, here I use my full name "Hans Wong" as example, also enter any serial number, but please make sure your serial contain character "-", here I use "9988-7766" as example.

The follow is highly reference to my explanation on the code list above, please check them when each time you don't understand what the code does during tracing them in SoftIce.

Don't press the "Register!" button after enter all your informations, leave the registration window open, now press "Ctrl-D" to activate SoftIce, in the command window(bottom window), set a breakpoint to mirc32.exe, do you still remember that at address 00498A8B, there is a call reference to User32.SendDlgItemMessageA, this is window API that show us the registration window and accept our information, scroll up to see the codes again if you already forget, so I decide to type "bpx SendDlgItemMessageA" in SoftIce command window, press enter and then press "X" or "Ctrl-D" again to return to the program. Now press "Register!" button once and SoftIce will automatically activate again, take a quick look at the code window, we notice we are at SendDlgItemMessageA API, press F11 once to retrun from the API call, we will at adderss "00498A76" of mirc32.exe, that's great! Now we can tracing it by pressing F10(step over tracing) few times until we land at address "00498A9A", press F8 to step into the call, after pressing F8, we will land at address "00498684", continues pressing F10 to tracing the program until we land at address "004986A6", again, press F8 to step into it, and then press F10 step over tracing the program. Please reference to my explanation above in the code section to help you finish the tracing.

I assume there are no problem during tracing, we will finally land at address "0049862A", if you still remember, this is an comparison that will compare the first part of our serial to the real serial, the real serial will sotore at ebx, in the register window(type "wr" to toggle it), I found that the value store at ebx is "00001B76", I type "? ebx" to evaluate them and get my first part of real serials :

Address or register	Content	Command	Result
ebx	00001B76	? ebx	0000007030	<----First part of real serial
ebp-04	00002704	? 00002704	0000009988	<----Our entered first part of serial

Now, we get our first part of real serial, exit all program and repeat all the steps above, this time, I enter my serial as "7030-7766", we note that the first part is real, we are going to find out the second part, repeat all tracing step above, finally, we will land at address "0049866A", again, the second part of real serial store at ebx, so we just do the same thing with them :

Address or register	Content	Command	Result
ebx	00099B4E	? ebx	0000629582	<----Second part of real serial
ebp-08	00001E56	? 00001E56	0000007766	<----Our entered second part of serial

Now we get the whole real serial of my name, we just need to joint the two parts of serial by character "-" :

Name	Hans Wong
Serial number	7030-629582

That all I do with my name, I think now you may also find your own serial number, try to do that and good luck!

Last words and next part preview :

Yes, I know that is a quite long tuts, hope you can read them all, just pay more attention on the white color text and follow the instruction, I think it is not too difficult to understand, also I need to say sorry to my poor English, English is not my mother language. Very lucky, as the time I writing this tut, I became a member of Cream Cracking sites, I need to greets all members of Cream, expecially people that give me lots of help!

The next part of tuts I will still going to play with mIRC V5.7, I will discuss how to find out the mathmatical calculation of our serial and then make our own KeyGen of it, hope this tuts will finish soon.

Best wishes to all my tutorial readers!