WHY PATCHING WHILE SERIAL NUMBER IS FISHY


ESig97  v3.31
A Cracking Tutorial 
by ASTAGA [D4C/C4A]


DISCLAIMER 

This reading material is not intended to violate copyrights 
and/or the law; it is for educational purposes only. I hold no 
responsibility ( by all means and in any shape whatsoever ) 
for the misuse of this material.


ABOUT THE PROGRAM 


ESig97 is designed to change signature files for most 
Internet e-mail clients that use an ASCII/Text file 
for the signature.
ESig97 can be used with Eudora Lite, Eudora Pro, Netscape, 
Agent, News Xpress, Microsoft Mail & News, and others.
Registered users have the following benefits:
* Removal of "reminder screens" and "unregistered 
  version" from signatures.
* Free upgrades regardless of version and price 
  increases.
* Notification of new versions before release.


WHERE TO DOWNLOAD

Author	: Doesn't Byte Software
Copyright	: Doesn't Byte Software
Homepage	: http://www.dbytes.com/
URL		: http://www.dbytes.com/files/esig97.zip
Size		: ?



HOW TO GET VALID SERIAL NUMBER by using SoftIce

This program is packed with SHRINK. In this tute no deshrinking
procedure is performed, so unexpected occurrences may happen
on your PC.


1.  Run ESIG97.EXE, click on the program's icon, choose the Open
    Editor submenu, then click the Option/Register submenu.
    In the registration dialog box, type the following 
    information :

	User Name  : Pirates Order
	Reg Number : 73881050

	DO NOT CLICK the OK button yet !

2.  Load SoftIce by pressing [ Ctrl + D ] and set a new breakpoint as 
    follows :

	bpx hmemcpy [enter]

    then press F5 to return to the main program. 
    Now you can click the OK button, which brings you back into 
    SoftIce.

4.  You're in SoftIce now. All you have to do is reach the main 
    program code: press F11, F5, F11 and F12 eleven (11) times 
    until you see : 
     _____________________________________________________________

	015F:0044C26D  E83623FDFF     CALL   0041E5A8 <== break here
	015F:0044C272  8B55F4         MOV    EDX,[EBP-0C] 
	015F:0044C275  8D4340         LEA    EAX,[EBX+40] ==> d edx 
	015F:0044C278  E82377FBFF     CALL   004039A0 
	015F:0044C27D  8D4DFC         LEA    ECX,[EBP-04] 
	015F:0044C280  8B5340         MOV    EDX,[EBX+40] 
	015F:0044C283  8B4324         MOV    EAX,[EBX+24] ==> d edx  
	015F:0044C286  E875F9FFFF     CALL   0044BC00
	015F:0044C28B  837DFC00       CMP    DWORD PTR [EBP-04],00
	015F:0044C28F  741F           JZ     0044C2B0 
	015F:0044C291  8B45FC         MOV    EAX,[EBP-04] 
	015F:0044C294  8B533C         MOV    EDX,[EBX+3C] ==> d eax 
	015F:0044C297  E83C7AFBFF     CALL   00403CD8 ==> d edx
	015F:0044C29C  7512           JNZ    0044C2B0 

     _____________________ESIG97!.shrink0+0004B26D_________________

    Press F10 2 times - stop at 015F:0044C275 - and display the EDX
    register : 

	: d edx  [enter]	==> your name appears in the Data Window at
				virtual address 0167:00BFB9E0.

    Press F10 4 times - stop at 015F:0044C283 - and display the EDX
    register : 

	: d edx  [enter]	==> your name appears in the Data Window at
				virtual address 0167:00BFB9E0. Again ?
 

    Press F10 5 times - stop at 015F:0044C294 - and display the EAX
    register : 

	: d eax  [enter]	==> did you see 939152959248 in the Data 
				Window at virtual address 0167:00C01558 ?
				Write down this potential reg code.

    Press F10 once - stop at 015F:0044C297 - and display the EDX
    register : 

	: d edx  [enter]	==> did you see sumthin' like this ?

	0167:00C01524 37 33 38 38 ... 28 BF 00  73881050.natL(..
	0167:00C01534 38 B9 BF 00 ... 45 53 4F  8.......PIRATESO
	0167:00C01544 52 44 45 52 ... 00 00 00  RDER............
	0167:00C01554 0C 00 00 00 ... 32 34 38  ....939152959248
	
	It is very clear that 939152959248 is your real reg.code.


6.  Disable all breakpoints by typing 

	BC *   [enter]
	Press F5 or X to return to the main program


7.  Repeat the registration procedure, key in 939152959248 as your
    reg code, click OK and .... a classic message " Thank You .... " 
    appears on your screen.


9.  We got lucky: we could fish the correct serial number out of a 
    shrinked (packed) executable .EXE file, while in some other 
    programs it's almost impossible unless you deshrink first 
    and start tracing the code.


10.  Where the hell is my registration code stored ??

	The correct registration code is stored in the registry as
	follows : 
	REGEDIT4
	[HKEY_CURRENT_USER\Software\Doesn't Byte Software\ESig95\Validation]
	"User"="Pirates Order"
	"Reg No"="939152959248"
	

11.  How can I practise with my own user name ?

	-  I strongly recommend you not to do this !
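
    Why the code could be fished, and the design that prevents it, as an
    added example (not part of the original tutorial and not ESig97's
    code): the check above builds the correct code for the typed name
    and compares it with the entry, so the answer sits in client memory;
    a check that only verifies a vendor signature never holds it. The
    name-to-code routine, the name normalisation and the small RSA key
    are constructed assumptions, and this does not address patching of
    the branch itself.

```python
import hashlib

# Constructed toy RSA key (two Mersenne primes): far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public half: all the client ships
D = pow(E, -1, (P - 1) * (Q - 1))        # private half: vendor side only

def _digest(name: str) -> int:
    """Hash the normalised user name into an integer below N."""
    norm = "".join(name.split()).upper().encode()
    return int.from_bytes(hashlib.sha256(norm).digest(), "big") % N

def weak_expected_code(name: str) -> str:
    """Hypothetical stand-in for a name -> serial routine inside the client."""
    return str(_digest(name) % 10**12).zfill(12)

def weak_check(name: str, entered: str) -> bool:
    # The correct code for this name now sits in client memory next to the
    # user's guess, whatever was typed; so does the routine that produced it.
    expected = weak_expected_code(name)
    return entered == expected

def vendor_issue_license(name: str) -> str:
    """Runs on the vendor's machine only; needs the private exponent D."""
    return format(pow(_digest(name), D, N), "x")

def hardened_check(name: str, license_hex: str) -> bool:
    """Client side: verifies with (N, E) and never derives a valid license."""
    try:
        sig = int(license_hex, 16)
    except ValueError:
        return False
    return 0 <= sig < N and pow(sig, E, N) == _digest(name)

if __name__ == "__main__":
    name = "Pirates Order"
    print("weak, wrong guess:", weak_check(name, "73881050"))
    lic = vendor_issue_license(name)
    print("hardened, vendor license:", hardened_check(name, lic))
    print("hardened, wrong guess:", hardened_check(name, "73881050"))
```

    Unpadded RSA is used here only to keep the block short; a shipping
    product would use a vetted library signature scheme such as RSA-PSS
    or Ed25519.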




					E N D   N O T E S


		Distributing your serial number is illegal and is no 
			different than distributing illegal 
				copies of the registered 
				 software. Violation of
					this rule may 
					  result in 
			temporary or permanent revocation of this
			     license and cancellation of the 
			              serial number; 
				   the original licensee
			   will also be held responsible for 
			    damages, physical and estimated.


   Do not distribute your crack release based on this tutorial, because
   you will become a LAMER(s)!!!!!!!!
   ( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of
   a personal computer, using a Hex Editor, ripping off other group(s)'
   crack releases, repacking (distro) them under his name. 
   Adopted from newsgroup alt.cracks, alt.crackers - February 1997 ) 

    More about LAMER(s):
	lamer /n./ [prob. originated in skateboarder slang]
	Synonym for luser, not used much by hackers but common among warez 
	d00dz, crackers, and phreakers. Oppose elite. Has the same 
	connotations of self-conscious elitism that use of luser does among 
	hackers.
      < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >


 		Never attribute to malice that which is adequately 
				explained by stupidity


ASTAGA [D4C/C4A] tute-esig97v331.zip
[EOF] Revised/Updated : 11/29/00 11:42:34 AM
First Edited : 05/14/2000