PACT 12Ghosts Registration routine.
===================================
http://www.12ghosts.com

Launch the program. Press 'Enter Registration info'.
Enter your name and any number.
Then press CTRL+D to break into SoftICE. Set a breakpoint at hmemcpy:
'bpx hmemcpy'
Then press CTRL+D to return to the program.
Press OK. You are now back in SoftICE. Press F5 to jump to the next dialog box.
Now press F11 and then F12 until you are in 32-bit mode.
Now I will just tell you which CALL you must get into to reach the reg-routine.
You will see that you could set a breakpoint at GetDlgItemInt instead of hmemcpy,
but we are now at the place so . . .



Now step over the first two calls and get in the third one.
It will look like this:

CALL #3  <-- Get in here!!
TEST EAX,EAX
POP ECX
JZ ~~~


Now, step until you reach the CALL[!Sleep]. You will now enter the third call from here. It will look like:

CALL #3
CMP EAX, EBX
POP ECX

You will now step through lots of CALL ESI and finally reach the
XOR EDX,EDX. Go carefully from here:


You will notice the address in the brackets, [00418570]. If you do a 'd 418570' in SoftICE
you will see a string table in hex format. Write it down,
and notice what EAX and ESI will look like: in reverse order.


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409E28(C)
|
:00409E2E A170854100              mov eax, dword ptr [00418570]   <-- EAX=Magic_Number_1
:00409E33 33C9                    xor ecx, ecx  <-- Here...
:00409E35 39542414                cmp dword ptr [esp+14], edx
:00409E39 761A                    jbe 00409E55
:00409E3B 8B3574854100            mov esi, dword ptr [00418574]   <-- ESI=Magic_Number_2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409E53(C)
|
:00409E41 0FBE1C39                movsx ebx, byte ptr [ecx+edi]  <-- Loop START, EBX=Name-Ascii
:00409E45 0FAFD8                  imul ebx, eax
:00409E48 03DA                    add ebx, edx
:00409E4A 41                      inc ecx
:00409E4B 03D6                    add edx, esi
:00409E4D 3B4C2414                cmp ecx, dword ptr [esp+14]   <-- Is Name done? (d esp+14)
:00409E51 8BC3                    mov eax, ebx  <-- EAX=GOOD Serial. ? EAX
:00409E53 72EC                    jb 00409E41   <-- Loop STOP??

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409E39(C)
|
:00409E55 3D00CA9A3B              cmp eax, 3B9ACA00   <-- EAX>1000000000 ??
:00409E5A 7306                    jnb 00409E62        <-- If not Above add Magic_Number_3
:00409E5C 030578854100            add eax, dword ptr [00418578]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00409E1F(U), :00409E5A(C)
|
:00409E62 5F                      pop edi
:00409E63 5E                      pop esi
:00409E64 5D                      pop ebp
:00409E65 5B                      pop ebx
:00409E66 C3                      ret


Now you could easily find your own serial numbers for all PACT software, and most important:
Make the KeyGen!!!

/AlpHaz [TNO '99]