Cracking: mIRC32 v5.8
Toolz needed: SoftICE 4.05
Author: YoKe

Ok, a new mIRC released, which means a new cracking challenge :) (not really, it's nearly the same as 5.4 :-( )

First open mirc32.exe and click on Help/About... we see the text "Unliscenced Copy." scrolling in the dialog, uhh! Now click on Help/Register..!!! Enter any crap, e.g.

Name: YoKe-2k
Serial: 12345-67890

Now press CTRL-D to open SoftICE! (When serial fishing I always put a breakpoint on hmemcpy first, so we can trace into the program's own code to see what other breakpoint we could set, or even find where the real serial and our serial are compared!) So in SoftICE type bpx hmemcpy, then press F5. Now in the mIRC register dialog hit OK.. SoftICE flashes up on da screen, but we want it to break for the serial text field, so hit F5 to make SoftICE break again! When it does, hit F11. Now we see the memory-copy code; press F10 until we are in the program's code and you see...

018F:004984A5 call USER32!SendDlgItemMessageA
018F:004984AA push 00538E2F <-- our name
018F:004984AF push 00538A48 <-- our fake serial
018F:004984B4 call 00498085 <-- call the routine that checks our serial against the good one
018F:004984B9 test eax, eax <-- test whether eax is zero
018F:004984BB je 0049855A <-- eax zero means bad serial: jump to the bad code!
018F:004984C1 mov esi, 00527C88 <-- our fake serial is in esi
018F:004984C6 mov edi, 00538A48 <-- address of our fake serial into edi
018F:004984CB xor eax, eax <-- zero eax

Do you see SendDlgItemMessageA? Yes! We could just have set bpx SendDlgItemMessageA to get right here; anyway, you will know that for later.. In SoftICE press F10 until you are on the line 018F:004984AA, now type d 00538E2F and we see our name; now type d 00538A48 and you see our fake serial. We must go into that call at 018F:004984B4 to see what it does, so press F10 until you are on the line

018F:004984B4 call 00498085

and press F8. Now you should see something like..

018F:00498085 push ebp
018F:00498086 mov ebp, esp
018F:00498088 push ebx
018F:00498089 push esi
018F:0049808A push edi
018F:0049808B mov esi, dword ptr [ebp+0C] <-- our name goes to esi, type d *(ebp+0c)
018F:0049808E mov ebx, dword ptr [ebp+08] <-- our fake serial goes to ebx, type d *(ebp+08)
018F:00498091 push esi <-- saves esi (our name)
018F:00498092 mov esi, 0054A114 <-- it is being moved around

All this I don't care about; move down by pressing F10 until you reach this code:

018F:004980DC pop esi
018F:004980DD push 0054A218 <-- our fake serial
018F:004980E2 push 0054A114 <-- our name
018F:004980E7 call 00497F92 <-- call to do something with them
018F:004980EC test eax, eax <-- test the value of eax
018F:004980EE je 004980F7 <-- jump if zero
018F:004980F0 mov eax, 01 <-- set eax to 1
018F:004980F5 jmp 0049816B <-- jump (unconditional)

Guess what? Move onto the line 018F:004980E7 call 00497F92 with F10 and press F8. Now you should see some code that deals with the serial numbers!....

018F:00497F92 push ebp
018F:00497F93 mov ebp, esp
018F:00497F95 add esp, FFFFFFF4
018F:00497F98 push ebx <-- save the registers
018F:00497F99 push esi
018F:00497F9A push edi
018F:00497F9B mov esi, dword ptr [ebp+0C] <-- our fake serial, type d *(ebp+0c)
018F:00497F9E push [ebp+08] <-- our name, type d *(ebp+08)
018F:00497FA1 call 0050DEF0 <-- not important, it just gets the name length
018F:00497FA6 pop ecx
018F:00497FA7 cmp eax, 05 <-- the call above set eax to our name length, which is compared to 5; type ? eax and we should see 00000007 (YoKe-2k)
018F:00497FAA jnb 00497FB3 <-- jump if not below
018F:00497FAC xor eax, eax <-- zero eax
018F:00497FAE jmp 0049807C <-- jump to bad code
018F:00497FB3 push 2D <-- type ? 2D and we see "-", so we know - is in the serial; lucky we had that (12345-67890)
018F:00497FB5 push esi
018F:00497FB6 call 0050DE50 <-- see if - is in our fake serial
018F:00497FBB add esp, 00000008 <-- clean up the two pushed arguments
018F:00497FBE mov ebx, eax <-- move eax to ebx
018F:00497FC0 test ebx, ebx <-- test ebx
018F:00497FC2 jne 00497FCB <-- jump if not zer0
018F:00497FC4 xor eax, eax <-- zer0 out eax
018F:00497FC6 jmp 0049807C <-- jump to bad code

More code follows to work out the part of our serial before the -; F10 until you come across..

018F:0049802C jl 00498012 <-- jump if less (loop)
018F:0049802E cmp ebx, dword ptr [ebp-04] <-- compare our fake serial and the real one before the - (first part)
018F:00498031 jz 00498037 <-- jump if zer0

Ok, pressing F10 to move onto the line 018F:0049802C 7CE4 jl 00498012, we have come to a loop, which I find annoying, but press F10 to go to the next line; we jump back up through some code, so press F10 until we are back on 018F:0049802C. It jumps again; just keep pressing F10 and you will eventually get to the line 018F:0049802E 3B5DFC cmp ebx, dword ptr [ebp-04]. Now here cmp == compare, cool! Now in SoftICE type ? *(ebp-04), cool, it's the first part of our serial, 12345 (NEVER MIND THE 0000, THESE ARE NOT PART OF THE SERIAL). What's it compared to? ? ebx, cool, 3515, it's the first part of our real serial, so now we have: 3515-

Time to get the last part, hehe. Press F10 and you are on the line below the compare; because the serials were not the same the flag is wrong and the jump is not taken :~( so we type r fl z, now it will jump, so press F10 and SoftICE jumps to :00498037. Press F10 until we see something similar..

018F:0049806C jl 0049804B <-- jump if less (loop)
018F:0049806E cmp ebx, dword ptr [ebp-08] <-- compare our fake serial and the real one after the - (second part)
018F:00498071 jz 00498077 <-- jump if zer0

This is very like above, just do the loop until you come to the compare :) You now type ? *(ebp-08) and it's the last part of our fake serial, 67890. YES YES, ? ebx is the last part of our real serial, COOL!!! 213045 :-) Don't worry about the jump below, we have all we want! :D

Name: YoKe-2k
Serial: 3515-213045

So now type bc * and press F5, click OK on the invalid serial message and enter:

Name: YoKe-2k
Serial: 3515-213045

Or, now that you know how to crack mIRC32 5.8, do a serial for your name :)

Ok, now mIRC32 v5.8 is cracked, but NOT for iLLeGaL purposes I hope! I hope you enjoyed this tutorial.. :D

YoKe
YoKe@CotD.de