SERIAL NUMBER IS FISHY - DECLINE YOUR PATCH'ITCH'ING

S N O W F L A K E 3 D   V 1.0

A Cracking Tutorial by ASTAGA [WTF/TTM]*


DISCLAIMER

This reading material is not intended to violate copyrights and/or the law; it is for educational purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) for the misuse of this material. Read the END NOTES section at the end of this file.


ABOUT THE PROGRAM

Grab the best snowflake screen saver on the web. Both large and small snowflakes are drawn in 3D, which creates a beautiful snow image you will have to see to believe. Options include changing the background color, the number of snowflakes active, the speed at which they fall, and much more. Resolution switching, passwords, and mouse filtering are fully supported. Registering for the full version enables five new snowflakes and gets rid of a few 'Please Register' messages.

To activate it: right click on your desktop background and select Properties, then select the Screen Savers tab; it should be in the Screen Saver selection box. Select it, then click Properties to set up the screen saver or Preview to see it; when done hit OK.


R E Q U I R E M E N T S

OpenGL, Windows 95/98/NT/2000
3D accelerator recommended


WHERE TO DOWNLOAD

Author    : Isotope244 Graphics LLC
Copyright : Isotope244 Graphics LLC
Homepage  : http://www.isotope244.com
URL       : http://www.isotope244/Snowflake3D.zip
Size      : 200 KB as of December 27, 2000
Rel Date  : July 2000


HOW TO GET A VALID SERIAL NUMBER by using SoftIce

1. Activate SNOWFLAKE3D.SCR, click the REGISTER button, and in the registration dialog box type the information below :

   Name   : Pirates Order
   E-mail : rackham@pirates.com
   Code   : 73881050

   Do not click the REGISTER button yet.

2. Load SoftIce by pressing [ CTRL + D ] and set a breakpoint as follows :

   BPX getdlgitemtexta [enter]

   Then press F5 to return to the main program.

3. Now, click the OK button... you'll be thrown back into SoftIce!
Within SoftIce press F11, F5, F11, F5 and F11 once again until you see and break at :

015F:004013CE  FFD6              CALL ESI
015F:004013D0  8D942410010000    LEA EDX,[ESP+00000110]          <==
015F:004013D7  8D442410          LEA EAX,[ESP+10]
015F:004013DB  52                PUSH EDX
015F:004013DC  8B9540040000      MOV EDX,[EBP+00000440]
015F:004013E2  8D8C2414020000    LEA ECX,[ESP+00000214]
015F:004013E9  50                PUSH EAX
015F:004013EA  51                PUSH ECX
015F:004013EB  52                PUSH EDX
015F:004013EC  C684241F03000000  MOV BYTE PTR [ESP+0000031F],00
015F:004013F4  C684241F01000000  MOV BYTE PTR [ESP+0000011F],00
015F:004013FC  C684241F02000000  MOV BYTE PTR [ESP+0000021F],00
015F:00401404  C6450600          MOV BYTE PTR [EBP+06],00
015F:00401408  E883100000        CALL 00402490                   ==> F8
015F:0040140D  83C410            ADD ESP,10
015F:00401410  85C0              TEST EAX,EAX
015F:00401412  0F84B2000000      JZ 004014CA
...
...
015F:004014CA  8B1598654200      MOV EDX,[00426598]
015F:004014D0  6A00              PUSH 00
015F:004014D2  6820124000        PUSH 00401220
015F:004014D7  53                PUSH EBX
015F:004014D8  6A6D              PUSH 6D
015F:004014DA  52                PUSH EDX
015F:004014DB  FF1534D24100      CALL [USER32!DialogBoxParamA]
...
...
___________________ SNOWFLAKE3D!.text+04C7 __________________________

Press F10 once - stop at 015F:004013D7 - dump the EDX register :
  : d edx [enter]   ==> your fake code appears at 0167:0067E9D4

Press F10 once - stop at 015F:004013DB - dump the EAX register :
  : d eax [enter]   ==> your e-mail ID appears at 0167:0067E8D4

Press F10 3 times - stop at 015F:004013E9 - dump the register again :
  : d eax [enter]   ==> your name appears at 0167:0067EAD4

Press F10 7 times - stop at 015F:00401408 - here we are facing problems :

o If you step past this CALL (F10) you'll face the JZ instruction three lines below, and as soon as you land at 004014CA you'll face the beggar-off message caller at 004014DB.

o If you follow this CALL (F8), you'll face the same trap in another location. This time I am really sorry I can't give you a clear explanation.
As long as I remember, I press F8 at 015F:00401408 and ( again ) if I am not mistaken I do " r fl z " in the Command Line when I stop at a JB ( Jump if Bigger ) instruction, for which I can't remember where exactly that location is. If you are patient enough just press F10; a repetitive looping proc will be encountered, converting your name into uppercase, etc., until you reach the snippet codes described in step #4 below.

However, I give you another hint on how to self-register this program. Are you ready ?

Stop at 015F:00401412, and in the Command Line type :

  r fl z [enter]

and continue pressing F10 until you step past CALL [USER32!DialogBoxParamA] at 015F:004014DB. You'll receive a classic message " Registration successful ..... ", just click OK to confirm. Disable all breakpoints and check the registry info as described in step #7 below.

So, do you wanna patch this program to accept any name and serial ?? Edit SNOWFLAKE3D.SCR in your hex editor and search for the bytes 85 C0 0F 84 B2 00 00 00 ; in my case they were found at hex offset #1413. Change the bytes as follows :

  85 C0 0F 84 B2 00 00 00   change into   85 C0 0F 85 B2 00 00 00

Save your work, and don't forget to delete the previous registry info.

4. The snippet codes below are my final result in fishing the serial number for this program :

EAX=00000002 EBX=00000021 ECX=00000008 .... ESI=0067E890 EDI=0000000A
EBP=00800EB0 ESP=0067E85C .... o d I s Z a P c
CS=015F DS=0167 SS=0167 ES=0167 FS=1217 GS=0000
------------------------------------byte--------------PROT---(0)--
0167:0067E890 32 30 30 ...... 37 36 33 38  2003003013257638^
0167:0067E8A0 30 33 00 ...... 40 42 6F 00  03..C.......@Bo.^
0167:0067E8B0 0D 14 40 ...... D4 E8 67 00  ..@...B...g...g.
0167:0067E8C0 D4 E9 67 ...... 24 F0 67 00  ..g...g.H...$.g.
0167:0067E8D0 F0 EF 67 ...... 70 69 72 61  ..g.rackham@pira
0167:0067E8E0 74 65 73 ...... 67 01 00 00  tes.com.G*Ryg...
...
_________________________________________________________________
015F:0040243D  E89E730000  CALL 004097E0              <== HERE
015F:00402442  83C420      ADD ESP,20
015F:00402445  33C9        XOR ECX,ECX
015F:00402447  33C0        XOR EAX,EAX                <== ret loop
015F:00402449  BF0A000000  MOV EDI,0000000A
015F:0040244E  8A0429      MOV AL,[EBP+ECX]
015F:00402451  99          CDQ
015F:00402452  F7FF        IDIV EDI
015F:00402454  80C230      ADD DL,30
015F:00402457  88540E09    MOV [ECX+ESI+09],DL
015F:0040245B  41          INC ECX
015F:0040245C  83F908      CMP ECX,08
015F:0040245F  72E6        JB 00402447                (NO JUMP)
015F:00402461  55          PUSH EBP
______________________ SNOWFLAKE3D!.text+143D ___________________

As soon as you land at 015F:0040243D - display the ESI register :
  : d esi [enter]   ==> in the Data Window you'll see something like 200300301XXXXXXXX3 .

Press F10 10 times - keep an eye out when you step past 015F:0040245B: the " X " in the above sequence number will be replaced by a digit. Press F10 again until you reach 015F:0040245F - a loop between 015F:0040245F and 015F:00402447 will start, and every time you step past 015F:0040245B the next " X " will again be replaced with a digit. Keep pressing F10 until the loop is finished and the ( NO JUMP ) indicator appears in your Code Window. Finally, you've got 200300301325763803 when you dump the ESI register at 015F:00402461. Write down this potential reg code.

5. Disable all breakpoints by typing BD * [enter]. Press F5 or X to return to the main program.

6. Repeat the registration procedure and key in 200300301325763803 as your S/N. Click the REGISTER button ..... there, you're registered.

7. Where the hell is my registration code stored ??
The correct registration code is stored in the registry as follows :

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\I244\Snowflake3D]
"000_000"=dword:00000001
"000_001"=dword:00000000
"000_002"=dword:00000001
"000_003"=dword:00000064
"000_004"="Current Resolution"
"000_005"="080105114097116101115032079114100101114032032032032032032032032032032032032032032032032032032032114097099107104097109064112105114097116101115046099111109032032032032032032032032032032032032032050048048051048048051048049051050053055054051056048051032032032032032032032032032032032032032032032032032049"
"000_100"=dword:0000004f
"000_101"=dword:00000058
"000_102"=dword:00000064
"000_103"=dword:00000002
"000_104"=dword:00000003
"000_105"=dword:00000003

NOTE: deleting the "000_005" value will return the program to unregistered.

8. How can I practise with my own user name ?
   - I strongly recommend you not to do this !


E N D   N O T E S

Distributing your serial number is illegal and is no different than distributing illegal copies of the registered software. Violation of this rule may result in temporary or permanent revocation of this license and cancellation of the serial number; the original licensee will also be held responsible for damages, physical and estimated.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack release, repacking (distro) them under his name. Adopted from newsgroups alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

Never attribute to malice that which is adequately explained by stupidity

ASTAGA [WTF/TTM/D4C/C4A]
tute-snowflake3d10.zip
[EOF]

1/3/01 9:09:01 AM
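The "000_005" value from step 7, decoded. This is an added example (Python), not part of the tutorial and not Isotope244's code; it assumes the value stores each character of the license record as a zero-padded 3-digit decimal ASCII code, an assumption the decode bears out: the name, e-mail, code and a registered flag sit space-padded in a reversible encoding with nothing binding them to the machine or protecting their integrity, which is why simply deleting the value flips the registration state.

```python
import re

# Value of "000_005" exactly as printed in the tutorial's REGEDIT4 export
# (the text file wraps it over several lines; it is one string in the registry).
REG_000_005 = "".join([
    "0801051140971161011150320791141001011140320",
    "320320320320320320320320320320320320320320320320321",
    "140970991071040971090641121051140971161011150460991111",
    "090320320320320320320320320320320320320320500480480510",
    "480480510480490510500530550540510560480510320320320320",
    "32032032032032032032032032032032032032049",
])


def decode_i244_value(value: str) -> str:
    """Decode a string of 3-digit decimal ASCII codes into text (assumed format)."""
    if len(value) % 3 != 0 or not value.isdigit():
        raise ValueError("value is not a sequence of 3-digit decimal codes")
    chars = []
    for i in range(0, len(value), 3):
        code = int(value[i:i + 3])
        if not 32 <= code < 127:  # only printable ASCII is expected in this record
            raise ValueError(f"non-printable code {code} at offset {i}")
        chars.append(chr(code))
    return "".join(chars)


def split_fields(decoded: str) -> list[str]:
    """Split the decoded record on its space padding (runs of 2+ spaces).

    A single space inside a field, as in "Pirates Order", is preserved.
    """
    return re.split(r" {2,}", decoded.strip())


def registration_record(value: str = REG_000_005) -> dict[str, str]:
    """Return the name, e-mail, code and registered flag stored in 000_005."""
    name, email, code, flag = split_fields(decode_i244_value(value))
    return {"name": name, "email": email, "code": code, "registered": flag}


if __name__ == "__main__":
    for key, val in registration_record().items():
        print(f"{key:10s} {val!r}")
```

A license store that is only a reversible encoding of what the user typed is readable and forgeable by anyone with registry access; the usual mitigation is a record bound to machine-specific data under a keyed MAC or a signature the program verifies before trusting it.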