CALENDARIUM 2.71
http://www.controlzed.com/massaraksh
TOOLS : SOFTICE
LEVEL : EASY

This method is probably a bit long, but it works :)

Launch the application and let's look at the registration button.

You are asked for a Serial and a Name, in my case:

- Name : Mackoi

- Serial : 112113

CTRL+D to bring up SoftICE and set a BPX HMEMCPY

F5 to return to Calendarium, then click on DONE

SoftICE breaks on HMEMCPY, as usual -;)

Now press F11

You should find yourself in KERNEL!LOCALUNLOCK

Trace with F10 at full throttle until you see KERNEL32!FREQUASM+0529 at the bottom of your
SoftICE window.

Now ease off on the F10 a little and go step by step.....

We are now in CALENDARIUM.EXE and arrive here:

:00485D56 E8B1CA0700 Call 0050280C
:00485D5B 89430C mov dword ptr [ebx+0C], eax

:00485D5E 8B03 mov eax, dword ptr [ebx]
:00485D60 83F80C cmp eax, 0000000C
:00485D63 751B jne 00485D80
:00485D65 8B5308 mov edx, dword ptr [ebx+08]
:00485D68 52 push edx
:00485D69 8B4B04 mov ecx, dword ptr [ebx+04]
:00485D6C 8BD0 mov edx, eax
:00485D6E 8BC6 mov eax, esi
:00485D70 E8AFBEFFFF call 00481C24
:00485D75 EB09 jmp 00485D80

:00485D77 8BD3 mov edx, ebx
:00485D79 8BC6 mov eax, esi
:00485D7B E844D4FFFF call 004831C4

:00485D80 5D pop ebp
:00485D81 5F pop edi
:00485D82 5E pop esi
:00485D83 5B pop ebx
:00485D84 C3 ret

Keep tracing with F10, stepping through all the RETs, until you land here:

:00409ED8 E847810700 call 00482024
:00409EDD 837DF800 cmp dword ptr [ebp-08], 00000000
:00409EE1 7408 je 00409EEB
:00409EE3 8B4DF8 mov ecx, dword ptr [ebp-08]
:00409EE6 8B41FC mov eax, dword ptr [ecx-04] ............. <----------
D ECX displays "Mackoi"
:00409EE9 EB02 jmp 00409EED
:00409EEB 33C0 xor eax, eax
:00409EED 85C0 test eax, eax
:00409EEF 8D45F8 lea eax, dword ptr [ebp-08]

We are in the routine that tests your NAME.

Keep tracing with F10.. and you will hit the HMEMCPY breakpoint from the start again.

And off we go for another round... F10... until KERNEL32!FREQUASM+0529

Step past the RET.... but this time you land on this:

The following routine tests our Serial.

..........................................

:00409F24 E8FB800700 call 00482024
:00409F29 837DF000 cmp dword ptr [ebp-10], 00000000
:00409F2D 7405 je 00409F34
:00409F2F 8B55F0 mov edx, dword ptr [ebp-10]
:00409F32 EB05 jmp 00409F39
:00409F34 BABE6F5000 mov edx, 00506FBE
:00409F39 52 push edx
:00409F3A E889430000 call 0040E2C8
:00409F3F 83C40C add esp, 0000000C
:00409F42 8BD0 mov edx, eax ...................................... <---------
D EAX.. HALLELUJAH.. Our SERIAL, for Mackoi "SARARFOCA1UA", -:)
:00409F44 8D45EC lea eax, dword ptr [ebp-14]
:00409F47 E80C510B00 call 004BF058
:00409F4C FF461C inc [esi+1C]
:00409F4F 8D4DEC lea ecx, dword ptr [ebp-14]
:00409F52 51 push ecx

..........................................

This method is certainly not the fastest way to find our serial, but the END justifies the MEANS -;)


Tutorial : MackØi
DBC Member : Http://kickme.to/DBC

GREETZ RUNS TO THE CREW !!!!