//**cracking tut by alpine**//
       //*****and******//
//**the immortal descendants**//

#4 05.1999

hello and welcome to a new adventure....
Target today is powerzip with its lazy protection scheme.For expirienced crackers,this protection scheme wouldn't make a lot of troubles.Therefore this essay is for beginners.

what we need:

pzip  //download it from www.cnet.com or www.powerzip.lco.net
softice
wdasm or pc_offset to get the opcodes.
hex editor of your choice.

lets fetz(g.l.)

Regarding our target we can find a box to register the program,when we click on about/register.Probably you have noticed the time trail protection,but i'm not cracking it today,because using the program longer than 30 days doesn't cause anything.
Now enter a name and a fake serial, i used alpine and 1234565.
Press register and you get a messagebox telling you to f**k off.
Click on okay and then enter softice.Set a breakpoint on hmemcpy.

//i almost always use hmemcpy,because it works for nearly every target//

Exit softice and press register,you will be kicked back to softice.
Now you have to press f12 till you reach the main exe file.By pressing 
f12 once again you will be in a windows dll,therefore press f12 once again and you will find yourself back to the main exe.
Now we are close to our protection scheme.
what i do, to find  the compare routine is to press f10, till i get the 
annoying messagebox,telling me: wrong serial.
You did it? you wrote down the call,which triggered the messagebox?
Ok, then set a bpx on hmemcpy again and trace till 
are at the following adress,marked with *1


:0041211D E830020100              Call 00422352
:00412122 3D14513035              cmp eax, 35305114 *1
:00412127 7507                    jne 00412130
:00412129 B81E513035              mov eax, 3530511E
:0041212E EB0C                    jmp 0041213C
:00412130 3D8883FF1F              cmp eax, 1FFF8388
:00412135 7505                    jne 0041213C
:00412137 B89283FF1F              mov eax, 1FFF8392
:0041213C 8B4F64                  mov ecx, dword ptr [edi+64] *2
:0041213F 81F914513035            cmp ecx, 35305114 *3
:00412145 741C                    je 00412163
:00412147 81F98883FF1F            cmp ecx, 1FFF8388 *4
:0041214D 7414                    je 00412163
:0041214F 3BC8                    cmp ecx, eax *5
:00412151 7410                    je 00412163
:00412153 6A00                    push 00000000
:00412155 6A10                    push 00000010
:00412157 686C274300              push 0043276C *6 
:0041215C E861F90000              Call 00421AC2 *7



Now what happens?:

*2 our fake serial number is moved to ecx.
*3 our number is compared to a real "static" serial number.
*4 the same as above.
*5 it is compared to eax.In eax the real serial number,generated on our name, is stored.

Now you will say,by typing d ecx i can't see my serial.
Try to do a ? ecx and you will get your fake serial.Since our number is
compared to two serial numbers which are always the same (*3,*4),you will have to do the same to see the two serial.For example at *3 do
a ? 35305114 and you will get one right serial.At *5 do a ?eax and you will get the real serial based upon our name.

That's it.....

alpine 
alpine@gmx.at	

thanks to the immortal descendants



















ft-Ice.  Set a breakpoint on GetDlgItemTextA (BPX GETDLGITEMTEXTA).
Press Cntrl+D to exit back to DocMan and click the "Unlock" button.  Soft-Ice will pop up on the 
breakpoint.  Press F-11 once to get into the routine, and you'll land in the following code:

---------------------------------------------------------------------------------------------
0137:00402B3B  CALL     [USER32!GetDlgItemTextA]   <import we broke in on
0137:00402B41  MOV      EAX,0040EDB0               <
0137:00402B46  PUSH     EAX                        <various functions to put the correct
0137:00402B47  CALL     004067CC                   <key and our key in memory
0137:00402B4C  ADD      ESP,04                     <
0137:00402B4F  TEST     EAX,EAX                    <compare our key with the correct one
0137:00402B51  JNZ      00402B68                   <jump to registered if not zero
0137:00402B53  PUSH     0040B61B                   <hmm....what is this? :)
0137:00402B58  PUSH     64
0137:00402B5A  PUSH     EBX
0137:00402B5B  CALL     00402133
---------------------------------------------------------------------------------------------

	The PUSH location I commented above looks interesting to us, so let's step through
the code by pressing F10 until we get to that line.  display it by typing d 40B61B ... and 
what do we see in the registers window?  a code!

	You'll see three more routines just like the one above if you step through the code
using F10.  At each PUSH location, display it like above, and you'll find more codes.

-Volatility-

 <td width="100%"><font face="Arial,Helvetica,Verdana"><small>Someone had real problems
    cracking this program and as the file size of the program was OK, I decided to have a
    quick look at it. I didn't think getting the serial number should be a big problem. Coding
    a KeyGEN for this should also be no problem. This *isn't* a KeyGEN tutorial, since I'm
    very VERY BUSY at the moment.<br>
    <br>
    Well, first of all we need to enter some fake registration details. The program was
    soo good and filled my WINDOWS REGISTRATION information in automatically. Now we only have
    to fill in a Product Number. The product number already filled in looks like <font
    color="#000080">WDx.x-xxxxx-xxxxx</font>. So the author gave us the information how the
    good code must look like. Well I also noticed the information <font color="#800000"><strong>Product
    Number is valid for any future versions of this program!</strong></font><br>
    <br>
    Well the version is 4.2 so I assumed the Product Number should be <font color="#000080">WD4.2-xxxxx-xxxxx</font>
    ... and as you can find out on your own this is true. If it isn't 4.2, then you're just
    registered for a LIMITED TIME and the NAG at startup still pops up. However the good code
    is still the same - you just have to replace the number and version (x.x) with 4.2!<br>
    <br>
    I enterd WD4.2-12345-67890 as fake registration code and set a BPX to HMEMCPY. Then I
    pressed OK. SoftICE popped up. Since there were 3 input fields, I skipped the first two
    pop ups. Then I pressed F12 until I reached the following code snippet:</small></font><br>&nbsp;<br>
    <div align="center"><center><table border="0" width="95%" cellpadding="0"
    cellspacing="0">
      <tr>
        <td width="100%" bgcolor="#FFFFB4"><tt>&nbsp;&nbsp;:0040797E&nbsp;&nbsp;&nbsp;&nbsp;LEA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EDX,[EBP-10]<br>
        &nbsp;&nbsp;:00407981&nbsp;&nbsp;&nbsp;&nbsp;MOV&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EAX,0045E40C<br>
        &nbsp;&nbsp;:00407986&nbsp;&nbsp;&nbsp;&nbsp;CALL&nbsp;&nbsp;&nbsp;&nbsp;00450B94<br>
        &nbsp;&nbsp;:0040798B&nbsp;&nbsp;&nbsp;&nbsp;DEC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DWORD&nbsp;PTR&nbsp;[ESI+1C]<br>
        &nbsp;&nbsp;:0040798E&nbsp;&nbsp;&nbsp;&nbsp;LEA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EAX,[EBP-10]<br>
        &nbsp;&nbsp;:00407991&nbsp;&nbsp;&nbsp;&nbsp;MOV&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EDX,00000002<br>
        &nbsp;&nbsp;:00407996&nbsp;&nbsp;&nbsp;&nbsp;CALL&nbsp;&nbsp;&nbsp;&nbsp;00450B64<br>
        &nbsp;&nbsp;:0040799B&nbsp;&nbsp;&nbsp;&nbsp;CALL&nbsp;&nbsp;&nbsp;&nbsp;00407608<br>
        &nbsp;&nbsp;:004079A0&nbsp;&nbsp;&nbsp;&nbsp;TEST&nbsp;&nbsp;&nbsp;&nbsp;EAX,EAX
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        ; is serial ok?<br>
        &nbsp;&nbsp;:004079A2&nbsp;&nbsp;&nbsp;&nbsp;JNZ&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;00407AE0
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
        ; if not =&gt; JMP</tt></td>
      </tr>
    </table>
    </center></div><p><small><font face="Arial,Helvetica,Verdana">A scheme like this is very
    common. Some CALLs and then a JZ/JNZ instruction. To find the good serial you normally
    just have to trace into the CALL before the JZ/JNZ instruction - and that was it. And in
    this program that's also the case. Tracing in the CALL, you'll get the following code
    snippet: </font></small></p>
    <div align="center"><center><table border="0" width="95%" cellpadding="0" cellspacing="0">
      <tr>
        <td width="100%" bgcolor="#FFFFB4"><tt>&nbsp;&nbsp;:00407608&nbsp;&nbsp;&nbsp;&nbsp;PUSH&nbsp;&nbsp;&nbsp;&nbsp;EBX<br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;...<br>
        &nbsp;&nbsp;:00407618&nbsp;&nbsp;&nbsp;&nbsp;CALL&nbsp;&nbsp;&nbsp;&nbsp;00450CE8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;get&nbsp;length&nbsp;of&nbsp;serial<br>
        &nbsp;&nbsp;:0040761D&nbsp;&nbsp;&nbsp;&nbsp;CMP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EAX,06&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;serial&nbsp;6&nbsp;chars&nbsp;long<br>
        &nbsp;&nbsp;:00407620&nbsp;&nbsp;&nbsp;&nbsp;JLE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;00407665<br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;...<br>
        &nbsp;&nbsp;:0040666A&nbsp;&nbsp;&nbsp;&nbsp;CALL&nbsp;&nbsp;&nbsp;&nbsp;00450CE8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;get&nbsp;length&nbsp;of&nbsp;name<br>
        &nbsp;&nbsp;:0040766F&nbsp;&nbsp;&nbsp;&nbsp;CMP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EAX,02&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;name&nbsp;2&nbsp;chars&nbsp;long<br>
        &nbsp;&nbsp;:00407672&nbsp;&nbsp;&nbsp;&nbsp;JLE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;004076B2<br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;...<br>
        &nbsp;&nbsp;:004076BC&nbsp;&nbsp;&nbsp;&nbsp;MOVSX&nbsp;&nbsp;&nbsp;EAX,BYTE&nbsp;PTR&nbsp;[ESI]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;move&nbsp;char[counter]&nbsp;in&nbsp;EAX<br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;...<br>
        &nbsp;&nbsp;:004076CB&nbsp;&nbsp;&nbsp;&nbsp;MOVSX&nbsp;&nbsp;&nbsp;EDX,BYTE&nbsp;PTR&nbsp;[ESI]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;move&nbsp;char[counter]&nbsp;in&nbsp;EDX<br>
        &nbsp;&nbsp;:004076CE&nbsp;&nbsp;&nbsp;&nbsp;PUSH&nbsp;&nbsp;&nbsp;&nbsp;EDX<br>
        &nbsp;&nbsp;:004076CF&nbsp;&nbsp;&nbsp;&nbsp;CALL&nbsp;&nbsp;&nbsp;&nbsp;004499C4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;convert&nbsp;to&nbsp;lower&nbsp;case<br>
        &nbsp;&nbsp;:004076D4&nbsp;&nbsp;&nbsp;&nbsp;POP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ECX<br>
        &nbsp;&nbsp;:004076D5&nbsp;&nbsp;&nbsp;&nbsp;MOVZX&nbsp;&nbsp;&nbsp;ECX,DI<br>
        &nbsp;&nbsp;:004076D8&nbsp;&nbsp;&nbsp;&nbsp;IMUL&nbsp;&nbsp;&nbsp;&nbsp;ECX,[004551D4]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;DI&nbsp;*&nbsp;15h<br>
        &nbsp;&nbsp;:004076DF&nbsp;&nbsp;&nbsp;&nbsp;MOVZX&nbsp;&nbsp;&nbsp;EDX,DI<br>
        &nbsp;&nbsp;:004076E2&nbsp;&nbsp;&nbsp;&nbsp;IMUL&nbsp;&nbsp;&nbsp;&nbsp;ECX,EDX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;ECX&nbsp;*&nbsp;EDX<br>
        &nbsp;&nbsp;:004076E5&nbsp;&nbsp;&nbsp;&nbsp;ADD&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;AX,CX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;add&nbsp;result&nbsp;to&nbsp;AX<br>
        &nbsp;&nbsp;:004076E8&nbsp;&nbsp;&nbsp;&nbsp;ADD&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;DI,AX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;add&nbsp;result&nbsp;of&nbsp;this&nbsp;loop&nbsp;to&nbsp;DI<br>
        &nbsp;&nbsp;:004076EB&nbsp;&nbsp;&nbsp;&nbsp;INC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EBX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;chars&nbsp;done&nbsp;+&nbsp;1<br>
        &nbsp;&nbsp;:004076EC&nbsp;&nbsp;&nbsp;&nbsp;INC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ESI&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;counter&nbsp;+&nbsp;1<br>
        &nbsp;&nbsp;:004076ED&nbsp;&nbsp;&nbsp;&nbsp;PUSH&nbsp;&nbsp;&nbsp;&nbsp;ESP<br>
        &nbsp;&nbsp;:004076EE&nbsp;&nbsp;&nbsp;&nbsp;CALL&nbsp;&nbsp;&nbsp;&nbsp;00444C00<br>
        &nbsp;&nbsp;:004076F3&nbsp;&nbsp;&nbsp;&nbsp;POP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ECX<br>
        &nbsp;&nbsp;:004076F4&nbsp;&nbsp;&nbsp;&nbsp;CMP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EBX,EAX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;did&nbsp;all&nbsp;chars?<br>
        &nbsp;&nbsp;:004076F6&nbsp;&nbsp;&nbsp;&nbsp;JB&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;004077BC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;if&nbsp;not&nbsp;=&gt;&nbsp;JMP<br>
        &nbsp;&nbsp;:004076F8&nbsp;&nbsp;&nbsp;&nbsp;MOV&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EAX,0045E408<br>
        &nbsp;&nbsp;:004076FD&nbsp;&nbsp;&nbsp;&nbsp;CALL&nbsp;&nbsp;&nbsp;&nbsp;00450CE8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;get&nbsp;length&nbsp;of&nbsp;company<br>
        &nbsp;&nbsp;:00407702&nbsp;&nbsp;&nbsp;&nbsp;TEST&nbsp;&nbsp;&nbsp;&nbsp;EAX,EAX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;no&nbsp;company&nbsp;enterd?<br>
        &nbsp;&nbsp;:00407704&nbsp;&nbsp;&nbsp;&nbsp;JZ&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;00407744&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;if&nbsp;so&nbsp;=&gt;&nbsp;JMP<br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;...<br>
        &nbsp;&nbsp;:0040774E&nbsp;&nbsp;&nbsp;&nbsp;MOVSX&nbsp;&nbsp;&nbsp;EAX,BYTE&nbsp;PTR&nbsp;[ESI]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;move&nbsp;char[counter]&nbsp;in&nbsp;EAX<br>
        &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;...<br>
        &nbsp;&nbsp;:0040775D&nbsp;&nbsp;&nbsp;&nbsp;MOVSX&nbsp;&nbsp;&nbsp;EDX,BYTE&nbsp;PTR&nbsp;[ESI]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;move&nbsp;char[counter]&nbsp;in&nbsp;EDX<br>
        &nbsp;&nbsp;:00407760&nbsp;&nbsp;&nbsp;&nbsp;PUSH&nbsp;&nbsp;&nbsp;&nbsp;EDX<br>
        &nbsp;&nbsp;:00407761&nbsp;&nbsp;&nbsp;&nbsp;CALL&nbsp;&nbsp;&nbsp;&nbsp;004499C4<br>
        &nbsp;&nbsp;:00407766&nbsp;&nbsp;&nbsp;&nbsp;POP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ECX<br>
        &nbsp;&nbsp;:00407767&nbsp;&nbsp;&nbsp;&nbsp;MOVZX&nbsp;&nbsp;&nbsp;ECX,BP<br>
        &nbsp;&nbsp;:0040776A&nbsp;&nbsp;&nbsp;&nbsp;IMUL&nbsp;&nbsp;&nbsp;&nbsp;ECX,[004551D4]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;ECX&nbsp;*&nbsp;15h<br>
        &nbsp;&nbsp;:00407771&nbsp;&nbsp;&nbsp;&nbsp;MOVZX&nbsp;&nbsp;&nbsp;EDX,BP<br>
        &nbsp;&nbsp;:00407774&nbsp;&nbsp;&nbsp;&nbsp;IMUL&nbsp;&nbsp;&nbsp;&nbsp;ECX,EDX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;ECX&nbsp;*&nbsp;EDX<br>
        &nbsp;&nbsp;:00407777&nbsp;&nbsp;&nbsp;&nbsp;SUB&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;AX,CX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;substract&nbsp;result&nbsp;from&nbsp;AX<br>
        &nbsp;&nbsp;:0040777A&nbsp;&nbsp;&nbsp;&nbsp;ADD&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;BP,AX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;add&nbsp;result&nbsp;of&nbsp;this&nbsp;loop&nbsp;to&nbsp;BP<br>
        &nbsp;&nbsp;:0040777D&nbsp;&nbsp;&nbsp;&nbsp;INC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EBX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;chars&nbsp;done&nbsp;+&nbsp;1<br>
        &nbsp;&nbsp;:0040777E&nbsp;&nbsp;&nbsp;&nbsp;INC&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ESI&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;counter&nbsp;+&nbsp;1<br>
        &nbsp;&nbsp;:0040777F&nbsp;&nbsp;&nbsp;&nbsp;PUSH&nbsp;&nbsp;&nbsp;&nbsp;ESP<br>
        &nbsp;&nbsp;:00407780&nbsp;&nbsp;&nbsp;&nbsp;CALL&nbsp;&nbsp;&nbsp;&nbsp;00444C00<br>
        &nbsp;&nbsp;:00407785&nbsp;&nbsp;&nbsp;&nbsp;POP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ECX<br>
        &nbsp;&nbsp;:00407786&nbsp;&nbsp;&nbsp;&nbsp;CMP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EBX,EAX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;did&nbsp;all&nbsp;chars?<br>
        &nbsp;&nbsp;:00407788&nbsp;&nbsp;&nbsp;&nbsp;JB&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;0040784E&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;if&nbsp;not&nbsp;=&gt;&nbsp;JMP<br>
        &nbsp;&nbsp;:0040778A&nbsp;&nbsp;&nbsp;&nbsp;MOVZX&nbsp;&nbsp;&nbsp;EAX,BP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;get&nbsp;result&nbsp;for&nbsp;company&nbsp;in&nbsp;EAX&nbsp;(NR)<br>
        &nbsp;&nbsp;:0040778D&nbsp;&nbsp;&nbsp;&nbsp;MOVZX&nbsp;&nbsp;&nbsp;ECX,DI&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;get&nbsp;result&nbsp;for&nbsp;name&nbsp;in&nbsp;ECX&nbsp;&nbsp;&nbsp;&nbsp;(CR)<br>
        &nbsp;&nbsp;:00407790&nbsp;&nbsp;&nbsp;&nbsp;PUSH&nbsp;&nbsp;&nbsp;&nbsp;EAX<br>
        &nbsp;&nbsp;:00407791&nbsp;&nbsp;&nbsp;&nbsp;PUSH&nbsp;&nbsp;&nbsp;&nbsp;ECX<br>
        &nbsp;&nbsp;:00407792&nbsp;&nbsp;&nbsp;&nbsp;PUSH&nbsp;&nbsp;&nbsp;&nbsp;00455288<br>
        &nbsp;&nbsp;:00407797&nbsp;&nbsp;&nbsp;&nbsp;LEA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EAX,[ESP+0C]<br>
        &nbsp;&nbsp;:0040779B&nbsp;&nbsp;&nbsp;&nbsp;PUSH&nbsp;&nbsp;&nbsp;&nbsp;EAX<br>
        &nbsp;&nbsp;:0040779C&nbsp;&nbsp;&nbsp;&nbsp;CALL&nbsp;&nbsp;&nbsp;&nbsp;0044809C&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;format&nbsp;serial:&nbsp;NR-CR<br>
        &nbsp;&nbsp;:004077A1&nbsp;&nbsp;&nbsp;&nbsp;ADD&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ESP,10<br>
        &nbsp;&nbsp;:004077A4&nbsp;&nbsp;&nbsp;&nbsp;LEA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EAX,[ESP+40]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;get&nbsp;enterd&nbsp;serial<br>
        &nbsp;&nbsp;:004077A8&nbsp;&nbsp;&nbsp;&nbsp;MOV&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EDX,ESP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;get&nbsp;real&nbsp;serial<br>
        &nbsp;&nbsp;:004077AA&nbsp;&nbsp;&nbsp;&nbsp;MOV&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;CL,[EAX]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;get&nbsp;part&nbsp;of&nbsp;fake&nbsp;serial<br>
        &nbsp;&nbsp;:004077AC&nbsp;&nbsp;&nbsp;&nbsp;CMP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;CL,[EDX]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;part&nbsp;of&nbsp;serial&nbsp;correct?<br>
        &nbsp;&nbsp;:004077AE&nbsp;&nbsp;&nbsp;&nbsp;JNZ&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;004077C6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;if&nbsp;not&nbsp;=&gt;&nbsp;JMP<br>
        &nbsp;&nbsp;:004077B0&nbsp;&nbsp;&nbsp;&nbsp;TEST&nbsp;&nbsp;&nbsp;&nbsp;CL,CL<br>
        &nbsp;&nbsp;:004077B2&nbsp;&nbsp;&nbsp;&nbsp;JZ&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;004077C6<br>
        &nbsp;&nbsp;:004077B4&nbsp;&nbsp;&nbsp;&nbsp;MOV&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;CL,[EAX+01]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;get&nbsp;part&nbsp;of&nbsp;fake&nbsp;serial<br>
        &nbsp;&nbsp;:004077B7&nbsp;&nbsp;&nbsp;&nbsp;CMP&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;CL,[EDX+01]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;part&nbsp;of&nbsp;serial&nbsp;correct?<br>
        &nbsp;&nbsp;:004077BA&nbsp;&nbsp;&nbsp;&nbsp;JNZ&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;004077C6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;if&nbsp;not&nbsp;=&gt;&nbsp;JMP<br>
        &nbsp;&nbsp;:004077BC&nbsp;&nbsp;&nbsp;&nbsp;ADD&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EAX,02<br>
        &nbsp;&nbsp;:004077BF&nbsp;&nbsp;&nbsp;&nbsp;ADD&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;EDX,02<br>
        &nbsp;&nbsp;:004077C2&nbsp;&nbsp;&nbsp;&nbsp;TEST&nbsp;&nbsp;&nbsp;&nbsp;CL,CL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;checked&nbsp;complete&nbsp;serial?<br>
        &nbsp;&nbsp;:004077C4&nbsp;&nbsp;&nbsp;&nbsp;JNZ&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;004078AA&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;if&nbsp;not&nbsp;=&gt;&nbsp;JMP<br>
        &nbsp;&nbsp;:004077C6&nbsp;&nbsp;&nbsp;&nbsp;SETNZ&nbsp;&nbsp;&nbsp;DL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;;&nbsp;set&nbsp;flag
        </tt></td>
      </tr>
    </table>
    </center></div><p><font face="Arial,Helvetica,Verdana"><small>With the help of the
    comments in the code snippet you can understand the calculations for your serial. You can
    use this knowledge to code a KeyGEN if you have enough free time. The serial for the name <font
    color="#008000">PIRATED COPY</font> and the company name <font color="#008000">CR@CKING
    TUTORI@L</font> is <font color="#008000">WD4.2-16337-50000</font> - just for you to check
    your KeyGEN!</small><br>
    <br>
    <small>Another target has been Reverse Engineerd. <a
    href="http://disc.server.com/discussion.cgi?id=42877">Any questions</a> <font
    color="#FF0000"><em>(no crack requests)</em></font>?</small><br>
    </font></td>
  </tr>
  <tr>
    <td width="100%"><p align="center">&nbsp;<br>
    <small><font face="Arial,Helvetica,Verdana" color="#800000"><strong>If you're USING Dictionary
    for Windows BEYOND it's FREE TRIAL PERIOD, then please BUY IT.</strong></font></small></td>
  </tr>
  <tr>
    <td width="100%"><hr noshade size="1" color="#000000">
    </td>
  </tr>
  <tr>
    <td width="100%"><font face="Arial,Helvetica,Verdana" color="#000000"><strong><small><p
    align="center">Copyright &copy; 1999 by TORN@DO and The Immortal Descendants. All Rights
    Reserved.</small></strong></font></td>
  </tr>
</table>
</div>
<!--VirtualAvenueBanner-->
</body>
</html>
s set the</font>