WHY PATCHING WHILE SERIAL NUMBER IS FISHY

ButtonWiz v7.6
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) for the misuse of this material.

ABOUT THE PROGRAM

ButtonWiz was designed to help you easily create stylish buttons for your web pages. It includes hundreds of pre-made styles and you can create your own in your favorite graphics program.

WHERE TO DOWNLOAD

Author   : Joel Ryan
           Joel Ryan Software
Homepage : http://www.joelryan.com
URL      :
Size     : KB as of ,2000

HOW TO GET VALID SERIAL NUMBER
by using SoftIce

At first sight ( during installation ) I didn't notice that this is a VB6-based program. I only realized it within SoftIce, but, hell .... it's VB! and I got lazy to edit my WINICE.DAT to enable exporting msvbvm60.dll. I remind you not to follow my experience: you betta quit and edit your WINICE.DAT first before continuing to crack this program.

Secondly, I have a feeling that the serial number will be generated based on the installation date ( mine is Nov 03,2000 ). So, a different serial number may result on your side.

1. Run BUTTONWIZ.EXE, click the ENTER LICENSE button, and in the registration dialog box type the information below :

   Lic. Number : 73881050

   Do not click the OK button yet

2. Fire up SoftIce by pressing [ CTRL + D ] and set a breakpoint as follows :

   BPX MultiByteToWideChar [enter]

   and press F5 to return to the main program

3. Now it's time to click the OK button... you'll return back into SoftIce!
   Within SoftIce, press F11 once, until you see and break at :

   ______________________________________________________________
   015F:6607CD84 FFD7          CALL EDI   <== break here
   015F:6607CD86 8BF0          MOV ESI,EAX
   015F:6607CD88 4E            DEC ESI
   015F:6607CD89 56            PUSH ESI
   015F:6607CD8A 53            PUSH EBX
   015F:6607CD8B FF15E8190066  CALL [660019E8]
   015F:6607CD91 8B4D0C        MOV ECX,[EBP+0C]
   015F:6607CD94 3BC3          CMP EAX,EBX
   _____________________MSVBVM60!.text+0007BD84___________________
   Break due to BPX KERNEL32!MultiByteToWideChar
   Break due to G (ET=416.17 microseconds)

   Press F10 5 times - stop at 015F:6607CD91 - and display the EAX register :

   : d eax [enter]

   ==> your fake code appears in the Data Window @0167:00426940. Remember, it is in wide format like this :

   0167:00426940 37 ... 7.3.8.8.1.0.5.0.
   0167:00426950 00 ... ..p.............

   Create a new breakpoint as follows :

   : bpm 0167:00426940 [enter]

   Press F5 3 times; if nothing goes wrong you'll break at the code snippet below :

   ______________________________________________________________
   015F:653C045E F366A7        REPZ CMPSW
   015F:653C0461 7405          JZ 653C0468   <== break here
   015F:653C0463 1BC0          SBB EAX,EAX
   015F:653C0465 83D8FF        SBB EAX,-01
   015F:653C0468 85C0          TEST EAX,EAX
   015F:653C046A 7F45          JG 653C04B1
   ____________________OLEAUT32!.text+0007F45E___________________
   Break due to BPX KERNEL32!MultiByteToWideChar
   Break due to BPMB #0167:00426940 RW DR3
   Break due to BPMB #0167:00426940 RW DR3

   Display the EDI register now :

   : D EDI [enter]

   ==> look at the data window: do you see 5725 at virtual address 0167:00425592 ? Write it down ! One or two lines below is your installation date information.

   0167:00425582 00 00 .. 00 35 00 ..............5.
   0167:00425592 37 00 .. A0 14 00 7.2.5.....$.....
   0167:004255A2 00 00 .. 00 32 00 ..1.1.-.0.3.-.2.
   0167:004255B2 30 00 .. 00 14 00 0.0.0...........

4. Disable all breakpoints by typing BC * [enter]
   Press F5 or X to return to the main program

5. Repeat the registration procedure and key in 5725 as your S/N
   Click the OK/REGISTER button ..... ouchh!
   the screen splash and classic message " thank you .... " .

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s) crack releases, repacking (distro) them under his name. Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]

tute-buttonwiz76.zip [EOF] 11/3/00 5:33:03 PM
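
The trace above recovers a working serial because the program builds the expected value itself and string-compares it with the input ( the REPZ CMPSW ), so both strings sit in memory at the compare. The sketch below is an added example, not ButtonWiz code and not part of the original tutorial: it contrasts that pattern with verifying a vendor signature, where no valid key is ever computed on the client. The serial derivation, all function names and the toy RSA key are assumptions constructed for illustration.

```python
import hashlib

# Weak pattern (what the trace shows): the client derives the expected
# serial locally, so the valid value exists in process memory next to
# the user's input at the moment of comparison.
def weak_expected_serial(install_date: str) -> str:
    # Hypothetical derivation; the page does not document the real one.
    h = hashlib.sha256(install_date.encode()).digest()
    return f"{int.from_bytes(h[:4], 'big') % 10000:04d}"

def weak_check(entered: str, install_date: str) -> bool:
    return entered == weak_expected_serial(install_date)

# Hardened pattern: the client ships only a public key (N, E) and
# verifies a vendor-issued signature over the licensee data.
# Toy unpadded RSA built from two Mersenne primes, constructed for
# illustration only; far too small and too simple for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
_D = pow(E, -1, (P - 1) * (Q - 1))  # vendor-side secret, never shipped

def _digest(licensee: str) -> int:
    h = hashlib.sha256(licensee.encode()).digest()
    return int.from_bytes(h, "big") % N

def vendor_issue(licensee: str) -> int:
    """Runs on the vendor's machine only: sign the licensee data."""
    return pow(_digest(licensee), _D, N)

def client_verify(licensee: str, key: int) -> bool:
    """Runs in the shipped program: needs only the public values."""
    return 0 < key < N and pow(key, E, N) == _digest(licensee)

if __name__ == "__main__":
    date = "11-03-2000"  # constructed sample input
    print("weak check accepts locally derived value:",
          weak_check(weak_expected_serial(date), date))
    key = vendor_issue("Alice Example")
    print("signed key verifies:", client_verify("Alice Example", key))
    print("key for another name:", client_verify("Bob Example", key))
```

Signature verification removes the recoverable serial from client memory; it does not stop the result branch itself from being patched. Production code would use a vetted library with RSA-PSS or Ed25519 rather than this unpadded toy.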