WHY PATCHING WHILE SERIAL NUMBER IS FISHY


MKopy v1.07
A Cracking Tutorial
by ASTAGA [D4C/C4A]


ABOUT THE PROGRAM 

You have downloaded a file and want to save a backup to 
your A: drive. Oops, the file is larger than your floppy 
drive can handle! No problem -- with MKopy. This simple 
utility program allows you to easily copy files larger 
than the size of your floppy drive. It automatically 
includes a restore program so restoring the information 
from a multiple-floppy set is a snap!


BACKGROUND INFORMATION

Program Name: MKopy.exe 
Platforms: Windows 95/98/NT
Free trial period: 30 days
Registration cost: US$10
Current version: 1.0.7
Version date: 25-Apr-2000
(c)Copyright 2000 - Donth Technology Group
Web site: www.donth.com
Author : Joseph L. Donth



HOW TO FISH THE SERIAL NUMBER USING SOFTICE


1.  Run the program, click the REGISTER button and key in a fake
    reg code = 73881050

    Do not click OK button yet.


2.  Load SoftIce and create a new breakpoint : 

	bpx hmemcpy
	Press F5

3.  Click the OK button now, and you'll break in SoftIce again.
    Press F11 once and press F12 several times until you see
    the code snippet below.


	__________________________________________________________________
	
	015F:00445698  8BC3                MOV   EAX,EBX
	015F:0044569A  E87D04FEFF          CALL  00425B1C  <=== break here
	015F:0044569F  8B55D8              MOV   EDX,[EBP-28]
	015F:004456A2  8B45F8              MOV   EAX,[EBP-08] <== D EDX
	015F:004456A5  E882E4FBFF          CALL  00403B2C
	015F:004456AA  C645F701            MOV   BYTE PTR [EBP-09],01
	........
	........
	
	________________________MKOPY!CODE+00044698_____________________

	Break due to BPX KERNEL!HMEMCPY
	Break due to G 
	: bd  *   [enter]
	: BPX 015F:0044569A  [enter]
	: Press F10 2 times and display the EDX register; your fake reg code
	  appears in the Data Window at virtual address 0167:00BC3470.
	: BPM 0167:00BC3470  [enter]
	: Press X or F5


    You'll break again in SoftIce and see the code snippet below:
	_________________________________________________________________
               	
	015F:00403E8D  8B0E                MOV       ECX,[ESI]
	015F:00403E8F  8B1F                MOV       EBX,[EDI] <== here
	015F:00403E91  39D9                CMP       ECX,EBX <=== D EDI
	015F:00403E93  7558                JNZ       00403EED
	015F:00403E95  4A                  DEC       EDX 
	015F:00403E96  7415                JZ        00403EAD 
	.....
	..... 
	__________________________ MKOPY!CODE+2E8D ______________________

	Break due to BPMB #0167:00BC3470 RW DR3
	Press F10  once
	: ? ecx  [enter]
	: 38383337  0943207223  "8837"  ==> part of your fake code
	: ? ebx  [enter]
	: 34363130  0875966768  "4610"  ==> part of the real code 
	: d esi  [enter]  ===> your fake code at 
	: d edi  [enter]  ===> did you see   0164-1385-5895-1987 at
	                       0167:00BC4654? Write down this potential
	                       reg code.  Scroll up one line and you
	                       will see your own product ID (in my case
	                       it is 5554-7305-2998-0857).
	: bd *
	: F5  to return to registration dialog box


4.  Repeat the registration procedure and key in  0164-1385-5895-1987
    as your registration code.
    You're registered.


5.  Where the hell is my registration info stored?

	-  The correct registration code is stored in the HKCR and HKLM
	   registry as follows (before it's registered):

	   REGEDIT4
	   [HKEY_CLASSES_ROOT\CLSID\{9E75C100-7B25-11D3-AA01-C0B30A8C0003}]
	   [HKEY_CLASSES_ROOT\CLSID\{9E75C100-7B25-11D3-AA01-C0B30A8C0003}\ProgID]
	   @="008FFC"

	   [HKEY_CLASSES_ROOT\CLSID\{9E75C100-7B25-11D3-AA01-C0B30A8C0003}\Mask]
	   @="74161794"


	   REGEDIT4
	   [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{9E75C100-7B25-11D3-AA01-C0B30A8C0003}]
	   [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{9E75C100-7B25-11D3-AA01-C0B30A8C0003}\ProgID]
	   @="008FFC"

	   [HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{9E75C100-7B25-11D3-AA01-C0B30A8C0003}\Mask]
	   @="74161794"



6.  How can I practise with another registration key?

	-  I strongly recommend that you not do this!
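
The design weakness behind steps 3 and 5, seen from the developer's side (an added example, not part of the original tutorial and not MKopy's code): a checker that derives the expected code and compares it with the input holds the valid code in plaintext, while a signature check ships only a public key. The derivation, the "app-secret" constant, the toy RSA key built from two Mersenne primes and all function names are assumptions for illustration; a real product would use a vetted signature library with full-size keys.

```python
import hashlib

# --- Weak design: the client derives the expected code and compares it ------
def expected_code(product_id: str) -> str:
    """Hypothetical derivation (not MKopy's): 16 digits from a hash of the ID."""
    digest = hashlib.sha256(b"app-secret" + product_id.encode()).digest()
    digits = "".join(f"{b % 100:02d}" for b in digest[:8])
    return "-".join(digits[i:i + 4] for i in range(0, 16, 4))

def weak_check(product_id: str, entered: str) -> bool:
    # The valid code exists here as a plaintext string next to the user's
    # input, so anything that can read the process sees it.
    return entered == expected_code(product_id)

# --- Hardened design: the client only verifies a vendor signature -----------
# Toy RSA key (constructed, far too small for real use): two Mersenne primes.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus, shipped in the client
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: vendor side ONLY,
                                       # defined here just to run the demo

def _digest_int(product_id: str) -> int:
    raw = hashlib.sha256(product_id.encode()).digest()
    return int.from_bytes(raw, "big") % N

def issue_license(product_id: str) -> int:
    """Vendor side: sign the product ID with the private exponent."""
    return pow(_digest_int(product_id), D, N)

def verify_license(product_id: str, license_value: int) -> bool:
    """Client side: needs only (N, E), so it never holds a valid license
    for an ID until the vendor issues one."""
    if not 0 < license_value < N:
        return False
    return pow(license_value, E, N) == _digest_int(product_id)

if __name__ == "__main__":
    pid = "0000-1111-2222-3333"        # constructed product ID
    lic = issue_license(pid)
    print("weak check materialises:", expected_code(pid))
    print("signed license verifies:", verify_license(pid, lic))
    print("tampered license verifies:", verify_license(pid, lic + 1))
```
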

END NOTES

   This program is sold as shareware, so you can try before you buy.  
   This is convenient for you, saves expenses by dispensing with all 
   that packaging, and cuts out the middle person.  So it is cheap, 
   but it is not free.  
   If you like the program, and you will, be sure to register and pay.
   To keep shareware prices low,  users must do the right thing: 
   Register, pay up, and smile/grin at yourself in the mirror.

   Do not distribute a crack release based on this tutorial, because
   you will become a LAMER!!!!!!!!
   (tHATDUDE (PC97) defined a LAMER as the guy who sits in front of a
   personal computer, using a hex editor, ripping off other groups'
   crack releases and repacking (distro) them under his name.
   Adopted from newsgroups alt.cracks, alt.crackers - February 1997)

    More about LAMER(s):
	lamer /n./ [prob. originated in skateboarder slang]
	Synonym for luser, not used much by hackers but common among warez
	d00dz, crackers, and phreakers. Oppose elite. Has the same
	connotations of self-conscious elitism that use of luser does among
	hackers.
    < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >


 _ Never attribute to malice that which is adequately explained by stupidity _


ASTAGA [D4C/C4A] tute-mkopy107.zip
[EOF] 10/31/00 6:32:06 PM