SERIAL NUMBER IS FISHY - DECLINE YOUR PATCH'ITCH'ING

AnonMail v1.3
A Cracking Tutorial by ASTAGA [D4C/C4A]


DISCLAIMER

This reading material is not intended to violate copyrights and/or the law, but is for educational purposes only. I hold no responsibility (by any means and in any shape whatsoever) for the misuse of this material. Read the END NOTES section at the end of this file.


ABOUT THE PROGRAM

AnonMail allows you to send email to friends and enemies anonymously. The person receiving the message cannot identify you as the original sender. This program is very easy to use. Simply type in the email address of the person you wish to send to, choose a subject, then type your message and click send.


WHERE TO DOWNLOAD

Author    : Mark Leary
Copyright : PNut Software
Homepage  : http://www.pnutsoftware.com
URL       : http://home.sol.se/znakebite/ftp/amail13.exe
Size      : 2.7MB as of 12/11/00
Rel Date  : August 22, 1997


!!!!! HOW TO GET VALID SERIAL NUMBER by using SoftIce

This paper is dedicated to my 'bro' Fat[Bit], wherever you are, keep da good work. Also you ...LOMAX ...my good ol' pal.

The reasons I chose this program are :

* it's a VB5 based program where Razzia's approach cannot be applied
* try hard to not depend on Numega's SmartCheck and WDASM
* suitable for NB's algo maniacs ... sniff that coc'codes'caine
* this prog is almost reliable to tease/threaten your enemies without bombing/flooding his/her e-mail account.
* the author's homepage is already dead, so I consider this one to have become public domain software.

1. Run ANONMAIL.EXE, click the TOOLS/REGISTER submenu, and in the registration dialog box type the information below :

   Name : Pirates Order or Luti da Khuntsa
   Code : 73881050

   Do not click the OK button yet.

2. Load SoftIce by pressing [ CTRL + D ] and set a breakpoint as follows :

   BPX __vbaStrVarVal or __VBAR8STR [enter]

   and press F5 to return to the main program.

3. Now, click the OK button... you'll return back into SoftIce!
   Within SoftIce press F11 once, and you'll break at :

______________________________________________________________
015F:00414C89  FF15D0E24100   CALL [MSVBVM50!__vbaStrVarVal]
015F:00414C8F  50             PUSH EAX
015F:00414C90  FF1504E24100   CALL [MSVBVM50!rtcAnsiValueBstr]
015F:00414C96  666BC007       IMUL AX,AX,07              ==> ? EAX HERE
015F:00414C9A  0F80FA000000   JO   00414D9A
015F:00414CA0  0FBFC8         MOVSX ECX,AX
015F:00414CA3  03CF           ADD  ECX,EDI
015F:00414CA5  0F80EF000000   JO   00414D9A
015F:00414CAB  8BF9           MOV  EDI,ECX
015F:00414CAD  8D4DD4         LEA  ECX,[EBP-2C]
015F:00414CB0  FF1560E34100   CALL [MSVBVM50!__vbaFreeStr]
015F:00414CB6  8D55B4         LEA  EDX,[EBP-4C]
015F:00414CB9  52             PUSH EDX
015F:00414CBA  8D45C4         LEA  EAX,[EBP-3C]
015F:00414CBD  50             PUSH EAX
015F:00414CBE  6A02           PUSH 02
015F:00414CC0  FF15F0E14100   CALL [MSVBVM50!__vbaFreeVarList]
015F:00414CC6  83C40C         ADD  ESP,0C
015F:00414CC9  B801000000     MOV  EAX,00000001
015F:00414CCE  6603C6         ADD  AX,SI
015F:00414CD1  0F80C3000000   JO   00414D9A
015F:00414CD7  8BF0           MOV  ESI,EAX
015F:00414CD9  E96BFFFFFF     JMP  00414C49              (JUMP ^) !!!!!
______________________ ANONMAIL!.text+00013C89 ___________________
Break due to BPX MSVBVM50!__vbaStrVarVal

   Press F11 once and be ready for the real pain of fishing the serial number :

   Press F10 2 times - stop at 015F:00414C96 - dump the EAX register as follows :

   EAX=00000050 .......  ESI=00000001      <<== LOOK AT EAX register
   EDI=00000000 .......  EBP=0065EFDC
   CS=015F DS=0167 SS=0167 ES=0167
   -------------------------------------
   :? EAX [enter]
   00000050  0000000080  "P"   ==> First letter of your User Name

   Keep pressing F10, around 42 times, until you return again to 015F:00414C96, and dump the EAX register again as described above. Do this kind of tracing until the loop is finished, and you should have something like this :

   :? EAX
   00000069  0000000105  "i"
   :? EAX
   00000072  0000000114  "r"
   :? EAX
   00000061  0000000097  "a"
   :? EAX
   00000074  0000000116  "t"
   :? EAX
   00000065  0000000101  "e"
   :? EAX
   00000073  0000000115  "s"
   :? EAX
   00000020  0000000032  " "   trailing space between 's' and 'O'
   :? EAX
   0000004F  0000000079  "O"
   :? EAX
   00000072  0000000114  "r"
   :? EAX
   00000064  0000000100  "d"
   :? EAX
   00000065  0000000101  "e"
   :? EAX
   00000072  0000000114  "r"

   In real practice you'll break / jump at several locations, i.e. :

   015F:00414CD9 ===> where the looping process just begins
   015F:00414C49 ===> ret jump from 015F:00414CD9
   015F:00414C4D ===> jump to 00414CDE
   015F:00414CDE ===> continue your tracing

   ( traced code listing provided at the FAR end of this file )

   As I told you, keep on pressing F10 and stop at the location described in step #5.

5. Here is the end of your tracing :

   EAX=0000000E ..............
   ESI=0000000E
   EDI=00006804      <====== TAKE THIS VALUE !!!!!
--------------------------------------------------------------
015F:00414CD9  E96BFFFFFF     JMP  00414C49              <== no jmp indicator
015F:00414CDE  6BFF03         IMUL EDI,EDI,03
015F:00414CE1  0F80B3000000   JO   00414D9A              (NO JUMP) ? EDI
015F:00414CE7  897DD8         MOV  [EBP-28],EDI
....
....
015F:00414D00  52             PUSH EDX
015F:00414D01  FF15E8E24100   CALL [MSVBVM50!__vbaR8Str]
015F:00414D07  DC9D74FFFFFF   FCOMP REAL8 PTR [EBP-008C]
_____________________ ANONMAIL!.text+00013CD9 ________________

   Stop at 015F:00414CE1 - check the content of the EDI register :

   :? EDI [enter]
   00006804  0000026628  "h "   ==> write down this ' 26628 ' .

   :? EAX or ? ESI [enter]
   0000000E  0000000014  " "    ==> character length of your user name. Strange .. eh ... this should be 13 !!

   In order to prove 26628 is your valid reg code, do the steps below :

   Press F10 8 times - stop at 015F:00414D00 - display the EDX register :

   : D EDX [enter] ==> see this 7.3.8.8.1.0.5.0. your fake code ( in wide format ) at 0167:0043C388 ??

   Press F10 2 times - stop at 015F:00414D07 - check the content of the EDI register and you'll have 26628 . That's all folks.

7. Disable all breakpoints by typing BC * [enter]
   Press F5 or X to return to the main program.

8. Repeat the registration procedure and key in 26628 as your S/N.
   Click the OK/REGISTER button ..... ouchh!
   the screen splashes and there is no classic " thank you .... " message ?? Just quit the application and re-run the program; did you see your name in the opening window ?

9. Where the hell is my registration code stored ??

   The correct registration code is stored in the registry as follows :

   REGEDIT4

   [HKEY_CURRENT_USER\Software\VB and VBA Program Settings\AnonMail\Registration]
   "Name"="Luti da Khuntsa"
   "RegNum"="29589"

10. How can I practise with my own user name ?
    - I strongly recommend you not to do this !

11. PSSSSTTT here is the dirty cheap trick :

    Actually you can fish the S/N by pressing F10 only once. Go back to the code snippet at step #5, disable all breakpoints and create a new one at 015F:00414D07. Press X or F5 to let SoftIce break at the new location. Do ? edi [enter] and you get that 29589 as your valid reg code.

    Muhahahahaha .... GOTCHA !!!


E N D   N O T E S

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack releases, repacking (distro) them under his name. Adopted from newsgroups alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

Distributing your serial number is illegal and is no different than distributing illegal copies of the registered software. Violation of this rule may result in temporary or permanent revocation of this license and cancellation of the serial number; the original licensee will also be held responsible for damages, physical and estimated.

Never attribute to malice that which is adequately explained by stupidity

ASTAGA [D4C/C4A]
tute-anonmail13.zip
[EOF] 12/11/00 2:39:10 AM


HERE ARE MY TRACING CODE LISTING ===== do you wanna keygen ????

==> A
015F:00414C49  663B758C         CMP  SI,[EBP-74]
015F:00414C4D  0F8F8B000000     JG   00414CDE
015F:00414C53  C745CC01000000   MOV  DWORD PTR [EBP-34],00000001
015F:00414C5A  C745C402000000   MOV  DWORD PTR [EBP-3C],00000002
015F:00414C61  895DAC           MOV  [EBP-54],EBX
015F:00414C64  C745A408400000   MOV  DWORD PTR [EBP-5C],00004008
015F:00414C6B  8D4DC4           LEA  ECX,[EBP-3C]
015F:00414C6E  51               PUSH ECX
015F:00414C6F  0FBFD6           MOVSX EDX,SI
015F:00414C72  52               PUSH EDX
015F:00414C73  8D45A4           LEA  EAX,[EBP-5C]
015F:00414C76  50               PUSH EAX
015F:00414C77  8D4DB4           LEA  ECX,[EBP-4C]
015F:00414C7A  51               PUSH ECX
015F:00414C7B  FF155CE24100     CALL [MSVBVM50!rtcMidCharVar]
015F:00414C81  8D55B4           LEA  EDX,[EBP-4C]
015F:00414C84  52               PUSH EDX
015F:00414C85  8D45D4           LEA  EAX,[EBP-2C]
015F:00414C88  50               PUSH EAX
...
015F:00414C88  50               PUSH EAX
015F:00414C89  FF15D0E24100     CALL [MSVBVM50!__vbaStrVarVal]
015F:00414C8F  50               PUSH EAX
....
....
FIRST BREAK HERE
015F:00414C89  FF15D0E24100     CALL [MSVBVM50!__vbaStrVarVal]
015F:00414C8F  50               PUSH EAX
015F:00414C90  FF1504E24100     CALL [MSVBVM50!rtcAnsiValueBstr]
015F:00414C96  666BC007         IMUL AX,AX,07
015F:00414C9A  0F80FA000000     JO   00414D9A
015F:00414CA0  0FBFC8           MOVSX ECX,AX
015F:00414CA3  03CF             ADD  ECX,EDI
015F:00414CA5  0F80EF000000     JO   00414D9A
015F:00414CAB  8BF9             MOV  EDI,ECX
015F:00414CAD  8D4DD4           LEA  ECX,[EBP-2C]
015F:00414CB0  FF1560E34100     CALL [MSVBVM50!__vbaFreeStr]
015F:00414CB6  8D55B4           LEA  EDX,[EBP-4C]
015F:00414CB9  52               PUSH EDX
015F:00414CBA  8D45C4           LEA  EAX,[EBP-3C]
015F:00414CBD  50               PUSH EAX
015F:00414CBE  6A02             PUSH 02
015F:00414CC0  FF15F0E14100     CALL [MSVBVM50!__vbaFreeVarList]
015F:00414CC6  83C40C           ADD  ESP,0C
015F:00414CC9  B801000000       MOV  EAX,00000001
015F:00414CCE  6603C6           ADD  AX,SI
015F:00414CD1  0F80C3000000     JO   00414D9A
015F:00414CD7  8BF0             MOV  ESI,EAX
015F:00414CD9  E96BFFFFFF       JMP  00414C49            (JUMP ^) ==> A
...
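
The trace above works because the program itself computes the expected code for the entered name and holds it in EDI right before the FCOMP comparison. As an added example (not code from this tutorial or from AnonMail), the Go program below shows a registration check that only verifies an Ed25519 signature over the name, so the shipped binary never computes a valid code; the function names, the code encoding and the sample customer name are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base32"
	"fmt"
	"strings"
)

// enc is the text encoding for license codes (an assumption of this example).
var enc = base32.StdEncoding.WithPadding(base32.NoPadding)

// normalize canonicalises the name so case and stray whitespace do not matter.
func normalize(name string) []byte {
	return []byte(strings.ToLower(strings.Join(strings.Fields(name), " ")))
}

// NewVendorKey creates a constructed key pair; only the public half ships.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueLicense runs on the vendor side only; it needs the private key.
func IssueLicense(priv ed25519.PrivateKey, name string) string {
	return enc.EncodeToString(ed25519.Sign(priv, normalize(name)))
}

// VerifyLicense is all the client contains: a public key and a yes/no check.
// The valid code for a name is never derived here, so no register or buffer
// holds it before the comparison.
func VerifyLicense(pub ed25519.PublicKey, name, code string) bool {
	sig, err := enc.DecodeString(strings.ToUpper(strings.TrimSpace(code)))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, normalize(name), sig)
}

func main() {
	pub, priv := NewVendorKey() // constructed sample data below
	code := IssueLicense(priv, "Example Customer")
	fmt.Println("issued code accepted: ", VerifyLicense(pub, "Example Customer", code))
	fmt.Println("other name rejected:  ", VerifyLicense(pub, "Someone Else", code))
	fmt.Println("guessed code rejected:", VerifyLicense(pub, "Example Customer", "73881050"))
}
```

This closes the serial-fishing path only: the check can still be patched out of the binary, and a registration value kept in plain text in the registry, as in step 9, still needs to be re-verified on every start.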