SERIAL NUMBER IS FISHY - DECLINE YOUR PATCH'ITCH'ING
Notpad v2.66
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility (by any means and in any shape whatsoever) for misuse of this material. Read the END NOTES section at the end of this file.

ABOUT THE PROGRAM

Notpad v2.66, an improved text editor for Windows 95 and NT.

Annoyed by the limitations of Notepad? This started out as an introduction for a friend of mine to MFC programming and has ballooned into a fully featured text editor. It's not Notepad--it's Notpad.

This 32-bit Windows text editor is a great alternative to Microsoft's Notepad. It opens large text files and offers tool and status bars, font customization, search-and-replace, and case conversion. With one command it can open all system files in multiple windows (like Windows' own Sysedit), and it has MAPI support. Notpad has an optional text-to-speech mode; directions are furnished on how to download the additional file you'll need to activate that feature. Notpad is a nice improvement over Notepad, but you'll want to decide quickly whether you want to register it, because this trial version pops up a nag screen every few minutes. Online help is not included.

FEATURES:

 o Standard MFC options including dockable toolbar, tooltips, status bar, print preview and MAPI (mail) support.
 o Files of unlimited size can be edited.
 o Font attributes used to display and print can be changed.
 o Full screen mode, where the editing area is displayed full screen (similar to the option in Microsoft Word).
 o Supports text to speech, so the program will speak the file back to you!
 o Together with the full screen option, text to speech support and sizeable fonts, the program can be used by people with computer accessibility problems.
 o Option to minimize to the tray notification area where the sound volume and the time are normally displayed. This allows you to save some task bar screen estate when you have multiple copies of Notpad running.
 o .... and more

WHERE TO DOWNLOAD

Author    : PJ Naughter
Copyright : PJ Naughter
Homepage  : http://www.naughter.com/notpad.html
URL       : http://www.naughter.com/download/notpad.zip
Add-on    : http://www.naughter.com/download/spellc.zip
Size      : 238 KB as of December 20, 2000
Rel Date  : July 15, 1999

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

I had no choice but to write out all my tracing steps in full, because the memory addresses changed every time I quit SoftIce while writing this tute. Addresses may differ on your PC (MFC42.DLL and NOTPAD.EXE can be mapped at a different base), but the opcode bytes will not, so match on the bytes and the relative offsets rather than on the absolute addresses. There's no time to explain at which address you should dump which register(s) to see the username and fake code; just take my brief keystroke commands at the end of each code listing. You're free to dump whatever changes in the register window wherever you stop, as long as it is within the code snippets given below.

1. Run NOTPAD.EXE. When the nag pops up, click on the ENTER REG INFO button. In the registration dialog box type the information below:

   Name : Pirates Order
   Code : 73881050

   Do not click the OK button yet.
   (Note: sometimes that nag does not appear. In the main program's window click the HELP/ABOUT submenu. Now bring your mouse cursor onto the program's icon at the top left side (the program's ID). Hold SHIFT+CTRL together and double-click the left mouse button; the registration dialog box will appear.)

2. Load SoftIce by pressing [CTRL+D] and set a breakpoint as follows:

   BPX GetWindowTextA [enter]

   Then press F5 to return to the main program. (SoftIce must have USER32's exports loaded, i.e. an EXP= line for user32.dll in WINICE.DAT, or it will not know the symbol. The registration dialog reads both edit boxes through GetWindowTextA, so this breakpoint fires while the name and the code are being collected, before any check is done on them.)

3. Now click the OK button... you'll be thrown back into SoftIce!
Press F11 (return to caller), then F5, then F11 once again, until you land and break at:

______________________________________________________________
015F:5F4141A3  FF1588B5495F   CALL  [USER32!GetWindowTextA]
015F:5F4141A9  8D4518         LEA   EAX,[EBP+18]                 <== HERE
015F:5F4141AC  50             PUSH  EAX
015F:5F4141AD  8D45E0         LEA   EAX,[EBP-20]
015F:5F4141B0  FF7510         PUSH  DWORD PTR [EBP+10]
015F:5F4141B3  50             PUSH  EAX
015F:5F4141B4  E803010000     CALL  5F4142BC
015F:5F4141B9  85C0           TEST  EAX,EAX
015F:5F4141BB  0F84B1210500   JZ    5F466372
015F:5F4141C1  5F             POP   EDI
015F:5F4141C2  5E             POP   ESI
015F:5F4141C3  C9             LEAVE
015F:5F4141C4  C3             RET                                ===> F10 here
_________________________ MFC42!.text+000131A3 _________________

Press F10 4 times - stop at 015F:5F4141B3 - and dump the EAX register:

:d eax    ===> your fake code, at virtual address 0167:0074EEEC

Press F10 again and step past the RET at 015F:5F4141C4 until you reach the listing below. In this and the following listings, "<== drop here" marks the CALL you have just returned from; execution actually sits on the instruction right after it.

015F:5F466480  E8FBDCFAFF     CALL  5F414180                     <== drop here
015F:5F466485  83C414         ADD   ESP,14
015F:5F466488  5D             POP   EBP
015F:5F466489  C20C00         RET   000C                         ==> F10 here

Here is where you drop after the RET:

015F:00618511  E8FA190000     CALL  00619F10                     <== drop here
015F:00618516  5F             POP   EDI
015F:00618517  5E             POP   ESI
015F:00618518  C20400         RET   0004                         ==> F10 here

Here is where you drop after the RET:

015F:5F40A8B8  FF908C000000   CALL  [EAX+0000008C]               <== drop here
015F:5F40A8BE  C7450801000000 MOV   DWORD PTR [EBP+08],00000001
015F:5F40A8C5  8B45E8         MOV   EAX,[EBP-18]
015F:5F40A8C8  8B4DF4         MOV   ECX,[EBP-0C]
015F:5F40A8CB  8987B8000000   MOV   [EDI+000000B8],EAX
015F:5F40A8D1  8B4508         MOV   EAX,[EBP+08]
015F:5F40A8D4  5F             POP   EDI
015F:5F40A8D5  5E             POP   ESI
015F:5F40A8D6  64890D00000000 MOV   FS:[00000000],ECX
015F:5F40A8DD  5B             POP   EBX
015F:5F40A8DE  C9             LEAVE
015F:5F40A8DF  C20400         RET   0004                         ==> F10 here

Here is where you drop after the RET (you are now back in NOTPAD's own code):

015F:00618535  E804190000     CALL  00619E3E                     <== drop here
015F:0061853A  85C0           TEST  EAX,EAX
015F:0061853C  744C           JZ    0061858A
015F:0061853E  57             PUSH  EDI
015F:0061853F  E83C1FFFFF     CALL  0060A480
015F:00618544  8BF8           MOV   EDI,EAX
015F:00618546  8B4664         MOV   EAX,[ESI+64]
015F:00618549  8D4E60         LEA   ECX,[ESI+60]
015F:0061854C  50             PUSH  EAX
015F:0061854D  51             PUSH  ECX
015F:0061854E  8BCF           MOV   ECX,EDI
015F:00618550  E83B2EFFFF     CALL  0060B390
015F:00618555  8BCF           MOV   ECX,EDI
015F:00618557  E8D42CFFFF     CALL  0060B230                     ==> F8 here (step into)
015F:0061855C  85C0           TEST  EAX,EAX

Here you are, after stepping into the CALL:

015F:0060B22F  90             NOP
015F:0060B230  64A100000000   MOV   EAX,FS:[0000]                <== CALL target, you are here
015F:0060B236  6AFF           PUSH  FF
015F:0060B238  6818BD6100     PUSH  0061BD18
015F:0060B23D  50             PUSH  EAX
015F:0060B23E  64892500000000 MOV   FS:[00000000],ESP
015F:0060B245  83EC18         SUB   ESP,18
015F:0060B248  53             PUSH  EBX
015F:0060B249  56             PUSH  ESI
015F:0060B24A  8BF1           MOV   ESI,ECX
015F:0060B24C  E80FFFFFFF     CALL  0060B160
015F:0060B251  85C0           TEST  EAX,EAX
015F:0060B253  7479           JZ    0060B2CE                     ==> F10 here
015F:0060B255  57             PUSH  EDI

The JZ is taken, and here is where you land after it:

015F:0060B2CD  5F             POP   EDI
015F:0060B2CE  68B48F6200     PUSH  00628FB4                     <== the JZ lands here
015F:0060B2D3  81C6C4000000   ADD   ESI,000000C4
015F:0060B2D9  68C8876200     PUSH  006287C8
015F:0060B2DE  8D542410       LEA   EDX,[ESP+10]
015F:0060B2E2  68A8816200     PUSH  006281A8
015F:0060B2E7  52             PUSH  EDX
015F:0060B2E8  8BCE           MOV   ECX,ESI
015F:0060B2EA  E8017CFFFF     CALL  00602EF0
015F:0060B2EF  BB01000000     MOV   EBX,00000001
015F:0060B2F4  683C846200     PUSH  0062843C
015F:0060B2F9  8D4C240C       LEA   ECX,[ESP+0C]
015F:0060B2FD  895C242C       MOV   [ESP+2C],EBX
015F:0060B301  E83CF00000     CALL  0061A342
015F:0060B306  6A00           PUSH  00
015F:0060B308  68A0896200     PUSH  006289A0
015F:0060B30D  68A8816200     PUSH  006281A8
015F:0060B312  8BCE           MOV   ECX,ESI
015F:0060B314  E8777BFFFF     CALL  00602E90
015F:0060B319  8D4C2410       LEA   ECX,[ESP+10]

Keep going, pressing that damn F10 key. At last, after a long, hot summer night (I am listening to my fave JT Taylor hits), you drop dead at the snippet of code below:

cont'd
015F:0060B319  8D4C2410       LEA   ECX,[ESP+10]
015F:0060B31D  8BF0           MOV   ESI,EAX                      <== drop here
015F:0060B31F  E8BC63FFFF     CALL  006016E0                     *****
015F:0060B324  8B442408       MOV   EAX,[ESP+08]
015F:0060B328  8D4C2408       LEA   ECX,[ESP+08]
015F:0060B32C  C644242802     MOV   BYTE PTR [ESP+28],02
015F:0060B331  8B40F8         MOV   EAX,[EAX-08]
015F:0060B334  50             PUSH  EAX
015F:0060B335  50             PUSH  EAX
015F:0060B336  E8F9EB0000     CALL  00619F34                     ****
015F:0060B33B  50             PUSH  EAX
015F:0060B33C  8D4C2418       LEA   ECX,[ESP+18]
015F:0060B340  E80B64FFFF     CALL  00601750                     ****
015F:0060B345  33C9           XOR   ECX,ECX
015F:0060B347  3BF0           CMP   ESI,EAX                      ==> ? EAX   ? ESI
015F:0060B349  0F94C1         SETZ  CL
015F:0060B34C  8BF1           MOV   ESI,ECX
015F:0060B34E  6AFF           PUSH  FF
015F:0060B350  8D4C240C       LEA   ECX,[ESP+0C]
015F:0060B354  E8D5EB0000     CALL  00619F2E
_________________________ NOTPAD!.text+A319 ___________________

Press F10 13 times - stop at 015F:0060B347 - a classic CMP comparison instruction. Now check the contents of the ESI and EAX registers:

:? esi [enter]
046755DA   0073881050   " gU "     ==> your sucky damn fake code
:? eax [enter]
7A7BB8FB   2054928635   "z{ "      ==> your REAL CODE. Write it down.

(SoftIce's ? shows the value in hex, decimal and ASCII. 046755DA hex is 73881050 decimal, the code you typed, already converted from the string in the edit box to a number. The program derives the expected code from the name you entered and only then compares the two with a plain CMP, so at this instruction the real code is sitting in EAX for the taking and the SETZ CL that follows is the whole verdict. That is why there is nothing to patch here: the real code is for the name "Pirates Order" only, and a different name gives a different value in EAX.)

4. Disable all breakpoints by typing BD * [enter]. Press F5 or X to return to the main program.

5. Repeat the registration procedure and key in 2054928635 as your S/N. Click the OK button..... you are registered.

6. Where the hell is my registration code stored?? The correct registration code is stored in the registry as follows (the dword 7a7bb8fb is the same value you read out of EAX, 2054928635 decimal):

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\PJ Naughter\Notpad\General]
"Name"="Pirates Order"
"ID"=dword:7a7bb8fb

7. How can I practise with my own user name? - I strongly recommend that you do not do this!

8. GreeTZ to: eGIS! + TheBrabo + DaSavant + mRF + The_Libran + TheBritish + Cyanida + Cyberlatin + .... you.

E N D   N O T E S

Distributing your serial number is illegal and is no different than distributing illegal copies of the registered software.
Violation of this rule may result in temporary or permanent revocation of this license and cancellation of the serial number; the original licensee will also be held responsible for damages, physical and estimated.

Do not distribute a crack release based on this tutorial, because you would become a LAMER!!!!!!!!
(tHATDUDE (PC97) defined LAMER(s) as: the guy who sits in front of a personal computer, using a hex editor, ripping off other groups' crack releases and repacking (distributing) them under his own name. Adopted from the newsgroups alt.cracks and alt.crackers - February 1997.)

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

Never attribute to malice that which is adequately explained by stupidity

ASTAGA [D4C/C4A]
tute-notpad266.zip
[EOF]

First Edited : 12/29/00 12:06:12 PM
Updated      : 1/16/01 6:19:31 AM

History of BPX listing for Notpad v2.66 - ASTAGA [TTM]

02) * BPX USER32!GetWindowTextA
03) * 015F:00618535
04) * 015F:0060B24C
05)   BPX #015F:0060B31F

Tute completed : 1/16/01 6:19:40 AM
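Added illustration of why the fishing at the CMP works and what kind of check it would not work against. This C program is not part of ASTAGA's tute and is not Notpad's own code: the page never shows how Notpad derives the expected code from the name, so the FNV-1a derivation, the toy RSA parameters and every function name below are assumptions made for the example. Scheme A computes the expected code on the client and meets the typed code in one compare, the shape of the CMP ESI,EAX / SETZ CL above, so a breakpoint there hands you a valid serial for any name. Scheme B makes the serial a signature over the name that the client verifies with a public key only; the value at its compare is just a hash of the name, and knowing it does not let you produce a serial.

```c
/* Added example, NOT Notpad's code. Scheme A: the fishable pattern from the
 * tute (expected code computed on the client, compared with one CMP).
 * Scheme B: serial is a signature over the name; client holds only (n, e).
 * All constants and function names are hypothetical. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Scheme A: serial derived from the name inside the program ---- */

/* Hypothetical derivation (FNV-1a); stands in for whatever Notpad really does. */
static uint32_t derive_code_a(const char *name)
{
    uint32_t h = 2166136261u;
    for (; *name; name++) {
        h ^= (unsigned char)*name;
        h *= 16777619u;
    }
    return h;
}

/* Vulnerable check: same shape as CMP ESI,EAX / SETZ CL in the tute. */
int check_a(const char *name, const char *entered)
{
    uint32_t real  = derive_code_a(name);                  /* sits in a register... */
    uint32_t typed = (uint32_t)strtoul(entered, NULL, 10); /* atol() of the edit box */
    return typed == real;                                   /* ...right at this compare */
}

/* What the debugger session does: read the expected value, then retype it. */
int selftest_scheme_a(void)
{
    const char *name = "Pirates Order";                     /* constructed input */
    char fished[16], wrong[16];
    uint32_t real = derive_code_a(name);                    /* the "? eax" value */
    snprintf(fished, sizeof fished, "%" PRIu32, real);
    snprintf(wrong,  sizeof wrong,  "%" PRIu32, (uint32_t)(real + 1u));
    return check_a(name, fished) == 1 && check_a(name, wrong) == 0;
}

/* ---- Scheme B: serial is a signature; the client can only verify ---- */

/* Toy RSA with 16-bit primes so all arithmetic fits in uint64_t. Real products
 * use ECDSA/Ed25519 with proper key sizes; this only shows the shape. */
static const uint64_t TOY_P = 65537u, TOY_Q = 65521u;      /* vendor-only secret */
static const uint64_t TOY_N = 65537ull * 65521ull;         /* public modulus 4294049777 */
static const uint64_t TOY_E = 17u;                         /* public exponent, coprime to phi */

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (a % m) * (b % m) % m;   /* operands < 2^32, so the product fits in 64 bits */
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1;
    base %= m;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Modular inverse by the extended Euclidean algorithm; gcd(a, m) must be 1. */
static uint64_t modinv(uint64_t a, uint64_t m)
{
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)a;
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Digest of the name reduced into [1, n); reuses the toy hash from scheme A. */
static uint64_t digest_b(const char *name)
{
    uint64_t d = derive_code_a(name) % TOY_N;
    return d ? d : 1;
}

/* Vendor side, never shipped in the binary: serial = H(name)^d mod n. */
uint64_t vendor_sign_b(const char *name)
{
    uint64_t phi = (TOY_P - 1) * (TOY_Q - 1);
    uint64_t d = modinv(TOY_E, phi);
    return powmod(digest_b(name), d, TOY_N);
}

/* Client side: compares H(name) with s^e mod n. Fishing this compare only
 * yields H(name), which is useless without d. */
int check_b(const char *name, const char *entered)
{
    uint64_t s = strtoull(entered, NULL, 10);
    if (s == 0 || s >= TOY_N) return 0;
    return powmod(s, TOY_E, TOY_N) == digest_b(name);
}

int selftest_scheme_b(void)
{
    const char *name = "Pirates Order";                     /* constructed input */
    char good[32], forged[32];
    uint64_t s = vendor_sign_b(name);
    snprintf(good,   sizeof good,   "%" PRIu64, s);
    snprintf(forged, sizeof forged, "%" PRIu64, s + 1);     /* any other value is rejected */
    return check_b(name, good) == 1 && check_b(name, forged) == 0;
}

int main(void)
{
    printf("scheme A (fishable) selftest : %s\n", selftest_scheme_a() ? "ok" : "FAIL");
    printf("scheme B (signature) selftest: %s\n", selftest_scheme_b() ? "ok" : "FAIL");
    return 0;
}
```

Compile with any C99 compiler and run; both selftests print ok. The toy primes are of course not secure and only keep the arithmetic inside uint64_t. Note what scheme B does and does not buy: a patch of the conditional jump after the compare still defeats either scheme, and the hash of the name is still visible in a register; what disappears is the fishable serial, because no value that passes the check ever exists on the client unless the vendor computed it with the private key.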