SERIAL NUMBER IS FISHY - DECLINE YOUR PATCH'ITCH'ING


AnonMail v1.3
A Cracking Tutorial 
by ASTAGA [D4C/C4A]


DISCLAIMER 

This reading material is not intended to violate copyrights 
and/or the law; it is for educational purposes only. I hold no 
responsibility ( by any means and in any shape whatsoever ) 
for the misuse of this material.
Read the END NOTES section at the end of this file.



ABOUT THE PROGRAM 


AnonMail allows you to send email to friends and enemies 
anonymously.
The person receiving the message can not identify you as 
the original sender.
This program is very easy to use.  Simply type in the email 
address of the person you wish to send to, choose a subject, 
then type your message and click send. 




WHERE TO DOWNLOAD


Author   	: Mark Leary
Copyright	: PNut Software
Homepage 	: http://www.pnutsoftware.com
URL		: http://home.sol.se/znakebite/ftp/amail13.exe
Size 		: 2.7MB  as of 12/11/00 
Rel Date	: August 22, 1997 !!!!!



HOW TO GET VALID SERIAL NUMBER by using SoftIce


This paper is dedicated to my 'bro' Fat[Bit], where ever you 
are keep da good work. Also you ...LOMAX ...my good ol' pal.

The reasons I chose this program are : 

*  it's a VB5-based program, where Razzia's approach cannot be applied
*  trying hard not to depend on Numega's SmartCheck and WDASM
*  suitable for NB's algo maniacs ... sniff that coc'codes'caine
*  this prog is almost reliable to tease/threaten your enemies without
   bombing/flooding his/her e-mail account.
*  the author's homepage is already dead, so I consider this one to
   have become public domain software.



1.  Run ANONMAIL.EXE, click the TOOLS/REGISTER submenu, and in the 
    registration dialog box type the following information :

	Name	: Pirates Order  or  Luti da Khuntsa
	Code   : 73881050

    Do not click the OK button yet.
    

2.  Load SoftIce by pressing [ CTRL + D ], set a breakpoint as follows :
    
	BPX __vbaStrVarVal  or  __VBAR8STR  [enter]   and
   	F5  to return to the main program


3.  Now click the OK button... you'll drop back into SoftIce!
    Inside SoftIce press F11 once, and you'll break 
    at :

	______________________________________________________________
	
	015F:00414C89  FF15D0E24100    CALL    [MSVBVM50!__vbaStrVarVal]
	015F:00414C8F  50              PUSH    EAX
	015F:00414C90  FF1504E24100    CALL    [MSVBVM50!rtcAnsiValueBstr]
	015F:00414C96  666BC007        IMUL    AX,AX,07 ==> ? EAX HERE
	015F:00414C9A  0F80FA000000    JO      00414D9A
	015F:00414CA0  0FBFC8          MOVSX   ECX,AX
	015F:00414CA3  03CF            ADD     ECX,EDI
	015F:00414CA5  0F80EF000000    JO      00414D9A
	015F:00414CAB  8BF9            MOV     EDI,ECX
	015F:00414CAD  8D4DD4          LEA     ECX,[EBP-2C]
	015F:00414CB0  FF1560E34100    CALL    [MSVBVM50!__vbaFreeStr]
	015F:00414CB6  8D55B4          LEA     EDX,[EBP-4C]
	015F:00414CB9  52              PUSH    EDX
	015F:00414CBA  8D45C4          LEA     EAX,[EBP-3C]
	015F:00414CBD  50              PUSH    EAX
	015F:00414CBE  6A02            PUSH    02
	015F:00414CC0  FF15F0E14100    CALL    [MSVBVM50!__vbaFreeVarList]
	015F:00414CC6  83C40C          ADD     ESP,0C
	015F:00414CC9  B801000000      MOV     EAX,00000001
	015F:00414CCE  6603C6          ADD     AX,SI
	015F:00414CD1  0F80C3000000    JO      00414D9A
	015F:00414CD7  8BF0            MOV     ESI,EAX 
	015F:00414CD9  E96BFFFFFF      JMP     00414C49 (JUMP ^) !!!!!

	______________________ ANONMAIL!.text+00013C89 ___________________
                                                                
	Break due to BPX MSVBVM50!__vbaStrVarVal 
	Press F11 once and be ready for the real pain of fishing the
	serial number :

	Press F10 2 times - stop at 015F:00414C96  - dump the EAX register
	as follows : 

	EAX=00000050   .......   ESI=00000001  <<== LOOK AT EAX register     
	EDI=00000000   .......   EBP=0065EFDC      
	CS=015F   DS=0167   SS=0167   ES=0167 
	-------------------------------------

	:? EAX  [enter]
	00000050  0000000080  "P"	==>  First letter of your User Name

    Keep pressing F10, around 42 times, until you return again to
    015F:00414C96 and dump the EAX register again as described above.
    Repeat this tracing until the loop is finished, and you
    should have something like this : 

	:? EAX
	00000069  0000000105  "i"
	:? EAX
	00000072  0000000114  "r"
	:? EAX
	00000061  0000000097  "a"
	:? EAX
	00000074  0000000116  "t"
	:? EAX
	00000065  0000000101  "e"
	:? EAX
	00000073  0000000115  "s" 
	:? EAX
	00000020  0000000032  " " ==> the space between 's' and 'O'
	:? EAX
	0000004F  0000000079  "O"
	:? EAX 
	00000072  0000000114  "r"
	:? EAX
	00000064  0000000100  "d"  
	:? EAX
	00000065  0000000101  "e"
	:? EAX
	00000072  0000000114  "r"

    In real practice you'll break / jump at several locations, i.e.
	
	015F:00414CD9  ===> where the looping process begins, 
	015F:00414C49  ===> return jump from 015F:00414CD9
	015F:00414C4D  ===> jump to 00414CDE
	015F:00414CDE	 ===> continue your tracing
	( traced code listing provided at the FAR end of this file )

	As I told you, keep pressing F10 and stop at the
	location described in step #5.


5.  Here is the end of your tracing : 

	EAX=0000000E   ..............   ESI=0000000E        
	EDI=00006804   <======  TAKE THIS VALUE !!!!!     
	--------------------------------------------------------------
	015F:00414CD9  E96BFFFFFF     JMP   00414C49 <== no jmp indicator
	015F:00414CDE  6BFF03         IMUL  EDI,EDI,03
	015F:00414CE1  0F80B3000000   JO    00414D9A (NO JUMP) ? EDI
	015F:00414CE7  897DD8         MOV   [EBP-28],EDI
	....
	....
	015F:00414D00  52             PUSH  EDX
	015F:00414D01  FF15E8E24100   CALL  [MSVBVM50!__vbaR8Str]              
	015F:00414D07  DC9D74FFFFFF   FCOMP REAL8 PTR [EBP-008C]               

	_____________________ ANONMAIL!.text+00013CD9 ________________

	Stop at 015F:00414CE1 - check the content of EDI register :

	:? EDI  [enter]
	00006804  0000026628  "h " ==> write down this ' 26628 ' .

	:? EAX  or ? ESI  [enter]
	0000000E  0000000014  "  " ==> character length of your
					user name. Strange .. eh ...
					this should be 13 !! ( it is the
					loop counter in SI, already one
					past the last character )

	In order to prove 26628 is your valid reg code, do the
	steps below :

	Press F10 8 times - stop at 015F:00414D00 - display EDX 
	register:

	: D EDX  [enter] ==> see this 7.3.8.8.1.0.5.0. your fake code
				( in wide format ) at 0167:0043C388 ??

	Press F10 2 times - stop at 015F:00414D07 - check the content 
	of the EDI register and you'll have  26628 .
	That's all, folks.				

	                 

7.  Disable all breakpoints by typing 

	BC *   [enter]
	Press F5 or X to return to the main program
     

8.  Repeat the registration procedure and key in 26628 as your S/N.
    Click the OK/REGISTER button .....  ouchh! the screen splashes and 
    there is no classic message " thank you .... " ?? .
    Just quit the application and re-run the program; did you 
    see your name in the opening window ? 


9.	Where the hell is my registration code stored ??

	The correct registration code is stored in the registry as
	follows : 
	REGEDIT4
	[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\AnonMail\Registration]
	"Name"="Luti da Khuntsa"
	"RegNum"="29589"


10.  How can I practise with my own user name ?

	-  I strongly recommend you not to do this !


11. PSSSSTTT here is the dirty cheap trick :
    Actually you can fish the S/N by pressing F10 only once.
    Go back to the code snippet at step#5, disable all
    breakpoints and create a new one at 015F:00414D07. Press X  or
    F5 to let SoftIce break at the new location. 
    Do  ? edi [enter] and you get that 29589 as your valid reg
    code.  Muhahahahaha .... GOTCHA !!!
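
The trick in steps 5 and 11 works because the program computes the valid code itself and then compares it with what was typed, so the answer is sitting in EDI at 015F:00414D07. As an added illustration (not part of the original tutorial and not AnonMail's code), here is a check that only verifies a vendor-issued code with a public key, so the comparison never holds a value worth reading out. Assumptions: `issue_license` and `verify_license` are hypothetical names, and textbook RSA over a constructed Mersenne-prime key stands in for a vetted signature scheme (such as Ed25519 or RSA-PSS from a maintained library) purely to stay within the standard library.

```python
import hashlib

# Constructed demo key built from two Mersenne primes. It is trivially
# factorable and exists only so the example runs with the standard library.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537                    # public half: all the client ships
D = pow(E, -1, (P - 1) * (Q - 1))      # private half: stays with the vendor


def name_digest(name: str) -> int:
    """SHA-256 of the licensee name as an integer (256 bits, always < N)."""
    return int.from_bytes(hashlib.sha256(name.encode("utf-8")).digest(), "big")


def issue_license(name: str) -> int:
    """Vendor side only: sign the name digest with the private exponent."""
    return pow(name_digest(name), D, N)


def verify_license(name: str, code: int) -> bool:
    """Client side: needs only (N, E).

    The two values compared are the name digest and code**E mod N. Neither
    is a usable code, so reading them in a debugger at the comparison does
    not reveal what to type, unlike an expected serial held in a register.
    """
    if not 0 < code < N:
        return False
    return pow(code, E, N) == name_digest(name)


if __name__ == "__main__":
    good = issue_license("Pirates Order")
    print(verify_license("Pirates Order", good))       # issued code
    print(verify_license("Pirates Order", 73881050))   # the tutorial's fake code
    print(verify_license("Luti da Khuntsa", good))     # code bound to another name
```
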



				E N D   N O T E S



   Do not distribute your crack release based on this tutorial, because
   you will become a LAMER!!!!!!!!
   ( tHATDUDE (PC97) defined a LAMER as the guy who sits in front of a
   personal computer, using a Hex Editor, ripping off other groups'
   crack releases and repacking (distro) them under his name. 
   Adopted from newsgroup alt.cracks, alt.crackers - February 1997 ) 

    More about LAMER(s):
	lamer /n./ [prob. originated in skateboarder slang]
	Synonym for luser, not used much by hackers but common among warez 
	d00dz, crackers, and phreakers. Oppose elite. Has the same
	connotations of self-conscious elitism that use of luser does among 
	hackers.
      < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >


		Distributing your serial number is illegal and is no 
			different than distributing illegal 
				copies of the registered 
				 software. Violation of
					this rule may 
					  result in 
			temporary or permanent revocation of this
			     license and cancellation of the 
			              serial number; 
				   the original licensee
			   will also be held responsible for 
			    damages, physical and estimated.



 		Never attribute to malice that which is adequately 
				explained by stupidity



ASTAGA [D4C/C4A] tute-anonmail13.zip
[EOF] 12/11/00 2:39:10 AM 


HERE IS MY TRACED CODE LISTING ===== do you wanna keygen ????

==> A	015F:00414C49  663B758C            CMP       SI,[EBP-74] 
	015F:00414C4D  0F8F8B000000        JG        00414CDE
	015F:00414C53  C745CC01000000      MOV       DWORD PTR [EBP-34],00000001
	015F:00414C5A  C745C402000000      MOV       DWORD PTR [EBP-3C],00000002
	015F:00414C61  895DAC              MOV       [EBP-54],EBX
	015F:00414C64  C745A408400000      MOV       DWORD PTR [EBP-5C],00004008
	015F:00414C6B  8D4DC4              LEA       ECX,[EBP-3C]
	015F:00414C6E  51                  PUSH      ECX
	015F:00414C6F  0FBFD6              MOVSX     EDX,SI
	015F:00414C72  52                  PUSH      EDX
	015F:00414C73  8D45A4              LEA       EAX,[EBP-5C]
	015F:00414C76  50                  PUSH      EAX
	015F:00414C77  8D4DB4              LEA       ECX,[EBP-4C]
	015F:00414C7A  51                  PUSH      ECX
	015F:00414C7B  FF155CE24100        CALL      [MSVBVM50!rtcMidCharVar]
	015F:00414C81  8D55B4              LEA       EDX,[EBP-4C]
	015F:00414C84  52                  PUSH      EDX
	015F:00414C85  8D45D4              LEA       EAX,[EBP-2C]
	015F:00414C88  50                  PUSH      EAX
	...
	015F:00414C88  50                  PUSH      EAX                                
	015F:00414C89  FF15D0E24100        CALL      [MSVBVM50!__vbaStrVarVal]          
	015F:00414C8F  50                  PUSH      EAX                                
	....
	....


FIRST BREAK HERE :
	015F:00414C89  FF15D0E24100    CALL    [MSVBVM50!__vbaStrVarVal]
	015F:00414C8F  50              PUSH    EAX
	015F:00414C90  FF1504E24100    CALL    [MSVBVM50!rtcAnsiValueBstr]
	015F:00414C96  666BC007        IMUL    AX,AX,07
	015F:00414C9A  0F80FA000000    JO      00414D9A
	015F:00414CA0  0FBFC8          MOVSX   ECX,AX
	015F:00414CA3  03CF            ADD     ECX,EDI
	015F:00414CA5  0F80EF000000    JO      00414D9A
	015F:00414CAB  8BF9            MOV     EDI,ECX
	015F:00414CAD  8D4DD4          LEA     ECX,[EBP-2C]
	015F:00414CB0  FF1560E34100    CALL    [MSVBVM50!__vbaFreeStr]
	015F:00414CB6  8D55B4          LEA     EDX,[EBP-4C]
	015F:00414CB9  52              PUSH    EDX
	015F:00414CBA  8D45C4          LEA     EAX,[EBP-3C]
	015F:00414CBD  50              PUSH    EAX
	015F:00414CBE  6A02            PUSH    02
	015F:00414CC0  FF15F0E14100    CALL    [MSVBVM50!__vbaFreeVarList]
	015F:00414CC6  83C40C          ADD     ESP,0C
	015F:00414CC9  B801000000      MOV     EAX,00000001
	015F:00414CCE  6603C6          ADD     AX,SI
	015F:00414CD1  0F80C3000000    JO      00414D9A
	015F:00414CD7  8BF0            MOV     ESI,EAX 
	015F:00414CD9  E96BFFFFFF      JMP     00414C49 (JUMP ^) ==> A
	...