WHY PATCHING WHILE SERIAL NUMBER IS FISHY

ESig97 v3.31
A Cracking Tutorial by ASTAGA [D4C/C4A]


DISCLAIMER

This reading material is not intended to violate copyrights and/or the law, but is for educational purposes only. I hold no responsibility (by any means and in any shape whatsoever) for the misuse of this material.


ABOUT THE PROGRAM

ESig97 is designed to change signature files for most Internet e-mail clients that use an ASCII/Text file for the signature. ESig97 can be used with Eudora Lite, Eudora Pro, Netscape, Agent, News Xpress, Microsoft Mail & News, and others.

Registered users have the following benefits:

* Removal of "reminder screens" and "unregistered version" from signatures.
* Free upgrades regardless of version and price increases.
* Notification of new versions before release.


WHERE TO DOWNLOAD

Author    : Doesn't Byte Software
Copyright : Doesn't Byte Software
Homepage  : http://www.dbytes.com/
URL       : http://www.dbytes.com/files/esig97.zip
Size      : ?


HOW TO GET VALID SERIAL NUMBER by using SoftIce

This program is packed with SHRINK. In this tute no deshrinking procedure is performed, so unexpected occurrences may happen on your PC.

1. Run ESIG97.EXE, click on the program's icon, choose the Open Editor submenu, then click the Option/Register submenu. In the registration dialog box, type the following information :

   User Name  : Pirates Order
   Reg Number : 73881050

   DO NOT CLICK the OK button yet !

2. Load SoftIce by pressing [ Ctrl + D ] and set a new breakpoint as follows :

   bpx hmemcpy [enter]

   then press F5 to return to the main program. Now you can click the OK button, which brings you back into SoftIce.

4. You're in SoftIce now. All you have to do is reach the main program code: press F11, F5, F11 and F12 eleven (11) times until you see :

   _____________________________________________________________
   015F:0044C26D  E83623FDFF  CALL  0041E5A8            <== break here
   015F:0044C272  8B55F4      MOV   EDX,[EBP-0C]
   015F:0044C275  8D4340      LEA   EAX,[EBX+40]        ==> d edx
   015F:0044C278  E82377FBFF  CALL  004039A0
   015F:0044C27D  8D4DFC      LEA   ECX,[EBP-04]
   015F:0044C280  8B5340      MOV   EDX,[EBX+40]
   015F:0044C283  8B4324      MOV   EAX,[EBX+24]        ==> d edx
   015F:0044C286  E875F9FFFF  CALL  0044BC00
   015F:0044C28B  837DFC00    CMP   DWORD PTR [EBP-04],00
   015F:0044C28F  741F        JZ    0044C2B0
   015F:0044C291  8B45FC      MOV   EAX,[EBP-04]
   015F:0044C294  8B533C      MOV   EDX,[EBX+3C]        ==> d eax
   015F:0044C297  E83C7AFBFF  CALL  00403CD8            ==> d edx
   015F:0044C29C  7512        JNZ   0044C2B0
   _____________________ESIG97!.shrink0+0004B26D_________________

   Press F10 2 times - stop at 015F:0044C275 - and display the EDX register :

   : d edx [enter]  ==> your name appears in the Data Window at virtual address 0167:00BFB9E0.

   Press F10 4 times - stop at 015F:0044C283 - and display the EDX register :

   : d edx [enter]  ==> your name appears in the Data Window at virtual address 0167:00BFB9E0. Again ?

   Press F10 5 times - stop at 015F:0044C294 - and display the EAX register :

   : d eax [enter]  ==> did you see 939152959248 in the Data Window at virtual address 0167:00C01558 ? Write down this potential reg code.

   Press F10 once - stop at 015F:0044C297 - and display the EDX register :

   : d edx [enter]  ==> did you see sumthin' like this ?

   0167:00C01524 37 33 38 38 ... 28 BF 00 73881050.natL(..
   0167:00C01534 38 B9 BF 00 ... 45 53 4F 8.......PIRATESO
   0167:00C01544 52 44 45 52 ... 00 00 00 RDER............
   0167:00C01554 0C 00 00 00 ... 32 34 38 ....939152959248

   It is very clear that 939152959248 is your real reg code.

6. Disable all breakpoints by typing BC * [enter]. Press F5 or X to return to the main program.

7. Repeat the registration procedure, key in 939152959248 as your reg code, click OK and .... a classic message "Thank You ...." appears on your screen.

9. We got lucky that we could fish the correct serial number from within a shrinked (packed) .EXE file, while in some other programs it's almost impossible unless you deshrink first and then start tracing the code.

10. Where the hell is my registration code stored ?? The correct registration code is stored in the registry as follows :

    REGEDIT4

    [HKEY_CURRENT_USER\Software\Doesn't Byte Software\ESig95\Validation]
    "User"="Pirates Order"
    "Reg No"="939152959248"

11. How can I practise with my own user name ? - I strongly recommend you not to do this !


E N D  N O T E S

Distributing your serial number is illegal and is no different than distributing illegal copies of the registered software. Violation of this rule may result in temporary or permanent revocation of this license and cancellation of the serial number; the original licensee will also be held responsible for damages, physical and estimated.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack releases and repacking (distro) them under his name. Adopted from newsgroups alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

Never attribute to malice that which is adequately explained by stupidity

ASTAGA [D4C/C4A]
tute-esig97v331.zip

[EOF]
Revised/Updated : 11/29/00 11:42:34 AM
First Edited : 05/14/2000
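
From the software author's side, the weakness the trace in step 4 exposes is that the registration routine builds the valid code for whatever name was typed and then string-compares it with the input, so the valid code sits in memory. The sketch below is an added example (not ESig97's code and not from the tutorial's author) contrasting that pattern with a check that only verifies a vendor signature; derive_code(), the demo key and the sample names are constructed assumptions.

```python
import hashlib

# --- Weak pattern (shape of the check seen in the trace) -------------------
# ESig97's real algorithm is not on the page; derive_code() is a hypothetical
# stand-in with the same shape: name in, expected code out.
def derive_code(name: str) -> str:
    folded = name.upper().replace(" ", "").encode()
    value = int.from_bytes(hashlib.sha256(folded).digest()[:8], "big")
    return "%012d" % (value % 10**12)

def weak_check(name: str, entered: str) -> bool:
    expected = derive_code(name)   # the valid code now sits in process memory
    return entered == expected     # plain compare against that buffer

# --- Hardened pattern: the client only verifies a vendor signature ---------
# Constructed demo key from two Mersenne primes (trivially factorable) and
# textbook RSA without padding, chosen only to keep the example stdlib-only.
# A real product would use a vetted library (e.g. Ed25519 or RSA-PSS).
_P, _Q = 2**127 - 1, 2**521 - 1    # vendor-side secret, never shipped
N, E = _P * _Q, 65537              # public key, the only part in the client

def _digest(name: str) -> int:
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big")

def vendor_sign(name: str) -> int:
    """Runs on the vendor's machine when a licence is issued."""
    d = pow(E, -1, (_P - 1) * (_Q - 1))
    return pow(_digest(name), d, N)

def signed_check(name: str, licence: int) -> bool:
    """Runs in the client: it never computes a value that is a valid licence."""
    return 0 < licence < N and pow(licence, E, N) == _digest(name)

if __name__ == "__main__":
    user = "Example User"          # constructed sample name
    print("weak check materialises:", derive_code(user))
    lic = vendor_sign(user)
    print("signed check:", signed_check(user, lic),
          signed_check("Another User", lic))
```

The signed check removes the in-memory valid code; it does not by itself protect the comparison branch from being modified, which needs separate integrity measures.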