SERIAL NUMBER IS FISHY - DECLINE YOUR PATCH'ITCH'ING


S N O W F L A K E   3 D   V 1.0
A Cracking Tutorial 
by ASTAGA [WTF/TTM]*


DISCLAIMER 

This reading material is not intended to violate Copyrights 
and/or the law, but is for educational purposes only. I hold no 
responsibility ( by all means and in any shape whatsoever ) 
for the misuse of this material.
Read the END NOTES section at the end of this file.



ABOUT THE PROGRAM 


Grab the best snowflake screen saver on the web.  
Both large and small snowflakes are drawn in 3D, 
which creates a beautiful snow image you will have 
to see to believe.  Options include changing the 
background color, the number of snowflakes active, 
the speed at which they fall, and much more.  
Resolution switching, passwords, and mouse filtering
are fully supported.  
Registering for the full version enables five new 
snowflakes and gets rid of a few 'Please Register' 
messages.

To activate it: right click on your desktop background and 
select properties, then select the screen savers tab, then it 
should be in the Screen Saver selection box.  So select it, 
then click properties to set up the screen saver, or preview to 
see it; when done hit Ok.

R E Q U I R E M E N T S
OpenGL, Windows 95/98/NT/2000
3D accelerator recommended




WHERE TO DOWNLOAD


Author   	: Isotope244 Graphics LLC
Copyright	: Isotope244 Graphics LLC
Homepage 	: http://www.isotope244.com
URL		: http://www.isotope244/Snowflake3D.zip
Size 		: 200 KB  as of December 27,2000
Rel Date	: July 2000



HOW TO GET VALID SERIAL NUMBER by using SoftIce



1.  Activate SNOWFLAKE3D.SCR, click the REGISTER button, and in the 
    registration dialog box type the information below :

	Name	 : Pirates Order
	E-mail  : rackham@pirates.com
	Code    : 73881050

    Do not click the REGISTER button yet.
    

2.  Load SoftIce by pressing [ CTRL + D ], and set a breakpoint 
    as follows :
    
	BPX getdlgitemtexta     [enter]   and
   	F5  to return to the main program

3.  Now, click the OK button... you'll be thrown back into SoftIce!
    Within SoftIce press F11, F5, F11, F5 and F11 once again
    until you see and break at :

	015F:004013CE  FFD6                CALL      ESI
	015F:004013D0  8D942410010000      LEA       EDX,[ESP+00000110] <==
	015F:004013D7  8D442410            LEA       EAX,[ESP+10]
	015F:004013DB  52                  PUSH      EDX
	015F:004013DC  8B9540040000        MOV       EDX,[EBP+00000440]
	015F:004013E2  8D8C2414020000      LEA       ECX,[ESP+00000214]
	015F:004013E9  50                  PUSH      EAX
	015F:004013EA  51                  PUSH      ECX
	015F:004013EB  52                  PUSH      EDX
	015F:004013EC  C684241F03000000    MOV       BYTE PTR [ESP+0000031F],00
	015F:004013F4  C684241F01000000    MOV       BYTE PTR [ESP+0000011F],00
	015F:004013FC  C684241F02000000    MOV       BYTE PTR [ESP+0000021F],00
	015F:00401404  C6450600            MOV       BYTE PTR [EBP+06],00
	015F:00401408  E883100000          CALL      00402490 ==> F8
	015F:0040140D  83C410              ADD       ESP,10
	015F:00401410  85C0                TEST      EAX,EAX
	015F:00401412  0F84B2000000        JZ        004014CA
	...
	...
	015F:004014CA  8B1598654200        MOV       EDX,[00426598]
	015F:004014D0  6A00                PUSH      00                                 
	015F:004014D2  6820124000          PUSH      00401220
	015F:004014D7  53                  PUSH      EBX
	015F:004014D8  6A6D                PUSH      6D
	015F:004014DA  52                  PUSH      EDX
	015F:004014DB  FF1534D24100        CALL      [USER32!DialogBoxParamA]
	...
	...
	___________________ SNOWFLAKE3D!.text+04C7 __________________________

	Press F10 once - stop at 015F:004013D7 - dump EDX register :
	: d edx  [enter] ==> your fake code appears at 0167:0067E9D4

	Press F10 once - stop at 015F:004013DB - dump EDX register :
	: d eax  [enter] ==> your e-mail ID appears at 0167:0067E8D4

	Press F10 3 times - stop at 015F:004013E9 - dump EDX 
	register :
	: d eax  [enter] ==> your name appears at 0167:0067EAD4


	Press F10 7 times - stop at 015F:00401408 - here we are 
	facing problems : 
	
	o   If you step past this CALL, you'll face the 
	    JZ  instruction three lines below, and as soon as 
	    you land at 004014CA you'll face the beggar-off
	    message call at  004014DB.

	o   If you follow this CALL, you'll face 
	    the same trap in another location.

    This time I'm really sorry I can't give you a clear 
    explanation.
    As far as I remember, I pressed F8 at 015F:00401408 and
    ( again ) if I'm not mistaken I did " r fl z " in the
    Command Line when I stopped at a JB ( Jump if Below ) 
    instruction, for which I can't remember exactly where 
    that location was.  If you are patient enough just press F10;
    a repetitive looping proc will be encountered, converting
    your name into uppercase, etc., until you reach the 
    snippet codes described in step #4 below.

    However, I'll give you another hint on how to self-register
    this program.
    Are you ready ?  Stop at 015F:00401412 , in the Command
    Line type :  r fl z  [enter]  and continue pressing F10
    until you step past CALL [USER32!DialogBoxParamA] at
    015F:004014DB .  You'll receive the classic message
    " Registration successful ..... " , just click OK to
    confirm.  Disable all breakpoints and check the registry
    info as described in step #7 below.

    So, do you wanna patch this program to accept any name
    and serial ??  Edit SNOWFLAKE3D.SCR in your HexEditor,
    do a search for the bytes 85 C0 0F 84 B2 00 00 00 ; in my case
    they were found at hex offset #1413. Change the bytes as
    follows : 

	 85 C0 0F 84 B2 00 00 00 change into
	 85 C0 0F 85 B2 00 00 00	
    
    ( 0F 84 is the JZ at 015F:00401412 and 0F 85 is JNZ, so the
    jump to the beggar-off dialog is simply inverted. )
    Save your work, and don't forget to delete the previous 
    registry info. 


4.  The snippet codes below are my final result in fishing the
    serial number for this program : 

	EAX=00000002   EBX=00000021   ECX=00000008 .... ESI=0067E890        
	EDI=0000000A   EBP=00800EB0   ESP=0067E85C .... o d I s Z a P c     
	CS=015F   DS=0167   SS=0167   ES=0167   FS=1217   GS=0000                       
	------------------------------------byte--------------PROT---(0)--

	0167:0067E890 32 30 30 ...... 37 36 33 38  2003003013257638^
	0167:0067E8A0 30 33 00 ...... 40 42 6F 00  03..C.......@Bo.^
	0167:0067E8B0 0D 14 40 ...... D4 E8 67 00  ..@...B...g...g. 
	0167:0067E8C0 D4 E9 67 ...... 24 F0 67 00  ..g...g.H...$.g. 
	0167:0067E8D0 F0 EF 67 ...... 70 69 72 61  ..g.rackham@pira 
	0167:0067E8E0 74 65 73 ...... 67 01 00 00  tes.com.G*Ryg... 
	...
	_________________________________________________________________

	015F:0040243D  E89E730000          CALL      004097E0 <== HERE
	015F:00402442  83C420              ADD       ESP,20
	015F:00402445  33C9                XOR       ECX,ECX
	015F:00402447  33C0                XOR       EAX,EAX <== ret loop
	015F:00402449  BF0A000000          MOV       EDI,0000000A
	015F:0040244E  8A0429              MOV       AL,[EBP+ECX]
	015F:00402451  99                  CDQ 
	015F:00402452  F7FF                IDIV      EDI
	015F:00402454  80C230              ADD       DL,30
	015F:00402457  88540E09            MOV       [ECX+ESI+09],DL
	015F:0040245B  41                  INC       ECX
	015F:0040245C  83F908              CMP       ECX,08
	015F:0040245F  72E6                JB        00402447 (NO JUMP)  
	015F:00402461  55                  PUSH      EBP

	______________________ SNOWFLAKE3D!.text+143D ___________________
	

	As soon as you land at 015F:0040243D - display the ESI 
	register : 

	: d esi  [enter] ==> in the Data Window you'll see something 
				like  200300301XXXXXXXX3 .

	Press F10 10 times - keep an eye on it: when you step past
	015F:0040245B  the " X " in the above sequence number 
	will be replaced by a digit.
	
	Press F10 again until you reach 015F:0040245F - a loop
	procedure between 015F:0040245F and 015F:00402447 will 
	start, and every time you step past 015F:0040245B the
	next " X " will be replaced with a digit.
	Keep pressing F10 until the loop process is finished,
	and the ( NO JUMP ) indicator appears in your Code Window.
	
	Finally, you've got 200300301325763803 when you
	dump the ESI register at 015F:00402461.
	Write down this potential reg code. 
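	The two branches that matter in this tutorial are the JZ at
	015F:00401412 ( 0F 84 B2 00 00 00 ) that leads to the beggar-off
	dialog in step #3, and the JB at 015F:0040245F ( 72 E6 ) that
	closes the digit loop above. The following Python script is an
	added example, not code from the tutorial or from Isotope244: it
	decodes both x86 Jcc encodings ( short 7x rel8 and near 0F 8x rel32 ),
	recomputes the targets SoftIce printed, and shows how a vendor or
	analyst can check whether a shipped binary still carries its
	original branch bytes. The SAMPLE_IMAGE buffer and SAMPLE_OFFSET
	are constructed for the demonstration and are not the real
	SNOWFLAKE3D.SCR file or its offset #1413.

```python
# Added example (not from the tutorial): decode x86 conditional jumps and
# verify that a branch in a file image still has its original encoding.

import struct

# Condition-code nibble (tttn) of Jcc: short form 0x7t, near form 0F 8t.
# Mnemonics spelled the way SoftIce prints them (JZ/JNZ/JB/JAE ...).
COND = {
    0x0: "JO", 0x1: "JNO", 0x2: "JB", 0x3: "JAE",
    0x4: "JZ", 0x5: "JNZ", 0x6: "JBE", 0x7: "JA",
    0x8: "JS", 0x9: "JNS", 0xA: "JP", 0xB: "JNP",
    0xC: "JL", 0xD: "JGE", 0xE: "JLE", 0xF: "JG",
}


def decode_jcc(code: bytes, va: int):
    """Decode the Jcc at the start of `code`, located at virtual address `va`.

    Returns (mnemonic, target, length). The displacement is signed and is
    relative to the address of the *next* instruction, i.e. va + length.
    """
    if len(code) >= 2 and 0x70 <= code[0] <= 0x7F:
        # short form: opcode 7t followed by rel8
        (rel,) = struct.unpack_from("<b", code, 1)
        length, cond = 2, code[0] & 0x0F
    elif len(code) >= 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        # near form: 0F 8t followed by rel32
        (rel,) = struct.unpack_from("<i", code, 2)
        length, cond = 6, code[1] & 0x0F
    else:
        raise ValueError("not a Jcc encoding: %s" % code[:6].hex())
    return COND[cond], (va + length + rel) & 0xFFFFFFFF, length


def check_branch(image: bytes, offset: int, va: int, expected: bytes) -> dict:
    """Integrity check: is the branch at file `offset` still the original bytes?

    `expected` is the encoding the untampered file is known to carry; the
    result reports what is actually there and whether it matches.
    """
    window = image[offset:offset + 6]
    mnemonic, target, _ = decode_jcc(window, va)
    return {
        "mnemonic": mnemonic,
        "target": target,
        "intact": window[:len(expected)] == expected,
    }


# Constructed sample image: the eight-byte sequence the tutorial searches for
# (TEST EAX,EAX / JZ 004014CA), padded with NOPs so it sits at a known offset.
ORIGINAL = bytes.fromhex("85C00F84B2000000")
PATCHED = bytes.fromhex("85C00F85B2000000")   # the JZ -> JNZ edit from step #3
SAMPLE_IMAGE = b"\x90" * 16 + ORIGINAL + b"\x90" * 16
SAMPLE_OFFSET = 16 + 2      # offset of the 0F 84 inside SAMPLE_IMAGE (constructed)
JZ_VA = 0x00401412          # address of the JZ in the tutorial's listing


if __name__ == "__main__":
    print(decode_jcc(bytes.fromhex("0F84B2000000"), 0x00401412))  # JZ -> 0x4014CA
    print(decode_jcc(bytes.fromhex("72E6"), 0x0040245F))          # JB -> 0x402447
    print(check_branch(SAMPLE_IMAGE, SAMPLE_OFFSET, JZ_VA, ORIGINAL[2:]))
    tampered = SAMPLE_IMAGE.replace(ORIGINAL, PATCHED)
    print(check_branch(tampered, SAMPLE_OFFSET, JZ_VA, ORIGINAL[2:]))
```

	The target arithmetic is the same one SoftIce does: 00401412 + 6 + B2
	= 004014CA, and 0040245F + 2 + (-1A) = 00402447, which is why a single
	flipped opcode byte ( 84 -> 85 ) is enough to send every wrong serial
	down the "registered" path. Comparing the bytes at a known offset
	against the expected encoding is the simplest form of tamper
	detection; a real check would hash the whole code section instead of
	one instruction.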


5.  Disable all breakpoints by typing 

	BD *   [enter]
	Press F5 or X to return to the main program
     

6.	Repeat the registration procedure and key in 200300301325763803
	as your S/N. 
	Click the REGISTER button .....  there, you're registered.


7.	Where the hell is my registration code stored ??

	The correct registration code is stored in the registry as
	follows : 
	REGEDIT4
	[HKEY_LOCAL_MACHINE\Software\I244\Snowflake3D]
	"000_000"=dword:00000001
	"000_001"=dword:00000000
	"000_002"=dword:00000001
	"000_003"=dword:00000064
	"000_004"="Current Resolution"
	"000_005"="080105114097116101115032079114100101114032032032032032032032032032032032032032032032032032032032114097099107104097109064112105114097116101115046099111109032032032032032032032032032032032032032050048048051048048051048049051050053055054051056048051032032032032032032032032032032032032032049"
	"000_100"=dword:0000004f
	"000_101"=dword:00000058
	"000_102"=dword:00000064
	"000_103"=dword:00000002
	"000_104"=dword:00000003
	"000_105"=dword:00000003


	NOTE: deleting the "000_005" value will return the
	program back to unregistered.
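	The "000_005" value looks like a long number, but it is nothing more
	than the registration data with every character written as a
	three-digit decimal ASCII code. The following Python script is an
	added example, not code from the tutorial or from Isotope244: it
	decodes the value exactly as dumped above and splits it into the
	name, e-mail and serial fields. The 32-character field width is an
	assumption inferred from the space padding in the decoded text, not
	something the tutorial states.

```python
# Added example (not from the tutorial): decode the "000_005" registry
# string, in which every character is stored as a three-digit decimal
# ASCII code and each field is space-padded to a fixed width.

FIELD_WIDTH = 32  # assumption: inferred from the padding, not documented anywhere


def decode_triplets(encoded: str) -> str:
    """Turn '080105114...' into 'Pir...' by reading three digits per character."""
    if len(encoded) % 3 != 0:
        raise ValueError("length %d is not a multiple of 3" % len(encoded))
    return "".join(chr(int(encoded[i:i + 3])) for i in range(0, len(encoded), 3))


def parse_registration(encoded: str) -> dict:
    """Split the decoded text into name, e-mail, serial and the trailing flag."""
    text = decode_triplets(encoded)
    fields = [text[i:i + FIELD_WIDTH]
              for i in range(0, 3 * FIELD_WIDTH, FIELD_WIDTH)]
    return {
        "name": fields[0].rstrip(),
        "email": fields[1].rstrip(),
        "serial": fields[2].rstrip(),
        "flag": text[3 * FIELD_WIDTH:],   # whatever follows the three fields
    }


# The value as it appears in the tutorial's REGEDIT4 dump, with the line
# wraps removed.
REG_000_005 = (
    "0801051140971161011150320791141001011140320"
    "320320320320320320320320320320320320320320320320320321"
    "140970991071040971090641121051140971161011150460991111"
    "090320320320320320320320320320320320320320500480480510"
    "480480510480490510500530550540510560480510320320320320"
    "32032032032032032032032032032049"
)


if __name__ == "__main__":
    for key, value in parse_registration(REG_000_005).items():
        print("%-6s %r" % (key, value))
```

	Decoding gives the name, the e-mail and the serial from step #1 and
	#6 in clear, followed by a single "1". That is why deleting the value
	unregisters the program, and also why this kind of storage offers no
	protection: anyone who can read HKEY_LOCAL_MACHINE can read the
	licence, and an analyst looking at a machine can recover who it was
	registered to. Encoding is not encryption; a licence that must resist
	copying or tampering needs to be signed by the vendor and tied to
	something the machine can prove.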


8.  How can I practise with my own user name ?

	-  I strongly recommend you not to do this !




					E N D   N O T E S


		Distributing your serial number is illegal and is no 
		different than distributing illegal copies of the 
		registered software. Violation of this rule may 
		result in temporary or permanent revocation of this 
		license and cancellation of the serial number; the 
		original licensee will also be held responsible for 
		damages, physical and estimated.


   Do not distribute a crack release based on this tutorial, because
   you become a LAMER(s)!!!!!!!!
   ( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a
   personal computer, using a Hex Editor, ripping off other group(s)'
   crack releases, repacking (distro) them under his name. 
   Adopted from the newsgroups alt.cracks, alt.crackers - February 1997 ) 

    More about LAMER(s):
	lamer /n./ [prob. originated in skateboarder slang]
	Synonym for luser, not used much by hackers but common among warez 
	d00dz, crackers, and phreakers. Oppose elite. Has the same connotations
	of self-conscious elitism that use of luser does among 
	hackers.
      < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >


 		Never attribute to malice that which is adequately 
				explained by stupidity


ASTAGA [WTF/TTM/D4C/C4A] tute-snowflake3d10.zip
[EOF] 1/3/01 9:09:01 AM