HOW TO REGISTER PrimaSoft Inventory Organizer v3.5 

Tutorial by UmE

Introduction: in this tutorial I'll try to explain how to register PrimaSoft Inventory 
Organizer 3.5 by finding the registration number inside the code. Follow me.... :)

Necessary tools: SoftIce 3.24 or better.

Program description: PrimaSoft Inventory Organizer 3.5, INO30.exe, 2.162.688 bytes.

PARENTAL ADVISORY: this tutorial is cracking oriented!!!

Step 1: when you run the program while it is unregistered you see a nag screen with three 
buttons. We are interested in the "Enter registration key" button, but take a moment to look at 
the "Purchase" option: click this button and a user form will appear asking for some information 
about yourself. On the right side of this form you can see that there are three types of 
licenses, so we expect to find three registration numbers during our serial fishing. Ok, close 
the form and click on the "Enter registration key" button.

Step 2: press Ctrl+D to enter SoftIce and place a breakpoint on the HMEMCPY function (type 
bpx hmemcpy). We work with this function because breaking on the GetDlgItemTextA and 
GetWindowTextA functions doesn't work. Press Ctrl+D again to return to the operating system and 
now enter a name and a registration number in the window that asks for this data (I've entered 
"UmE Cracks!!" and "12345"). Push the "Ok" button and you'll land in SoftIce!!

Step 3: now you're in SoftIce. Press F11 to return to the code that called the hmemcpy 
function and then start to trace the code (pressing F10) until you reach the INO30.exe code. 
In fact, when you land in SoftIce you're in the USER (...) part of the code (you can see this 
by looking at the green line under the code), and by pressing F10 you can go forward to the 
code we are interested in. During the trace you'll notice that the HMEMCPY function is called 
a second time, because it reads the two edit fields where you've entered your information. As 
just described, press F11 and then continue to press F10 until you reach the INO30.exe code. 
Once you're in, start paying close attention to the instructions.... at a certain point you'll 
notice:

:00499F68 8B45F8                  mov eax, dword ptr [ebp-08]
:00499F6B 5A                      pop edx
:00499F6C E89773FEFF              call 00481308                    <-- compute the S/N
:00499F71 84C0                    test al, al                      <-- test if your S/N is ok
:00499F73 7437                    je 00499FAC                      <-- wrong S/N, jump to unregistered!!
:00499F75 C683F401000001          mov byte ptr [ebx+000001F4], 01

As you have read in many other tutorials, this is a typical protection scheme in serial number 
routines. Ok, now we know that the right S/N is computed in the call at address 00481308, so 
when this line is highlighted during the trace, press F8 and you'll be at the start point of 
the call. Now it is a good idea to look at the register values to understand what the program 
has passed to the function. Type d [register name] to look at the register contents, where 
[register name] is eax or ebx..... You'll notice that eax contains "UmE Cracks!!" and edx 
contains "12345".... we're in the right place!! :)
Now start to trace the function, always pressing F10, until eax and edx are used. The first 
thing you'll find will be this:

:00481312 894DFC                  mov dword ptr [ebp-04], ecx
:00481315 8BDA                    mov ebx, edx                     <-- Moves our S/N in ebx
:00481317 8BF0                    mov esi, eax                     <-- Moves our name in esi
:00481319 33C0                    xor eax, eax
:0048131B 55                      push ebp

Now we're interested in the ebx and esi registers. Continue to trace the function until you 
see:

:00481369 8D55FC                  lea edx, dword ptr [ebp-04]
:0048136C 8BC6                    mov eax, esi                     Note 1
:0048136E E875FBFFFF              call 00480EE8                    Note 2
:00481373 8B45FC                  mov eax, dword ptr [ebp-04]      Note 3
:00481376 8BD3                    mov edx, ebx                     Note 4
:00481378 E8832EF8FF              call 00404200                    Note 5
:0048137D 0F848C000000            je 0048140F                      Note 6
:00481383 DD45F4                  fld qword ptr [ebp-0C]

Note 1: moves our name into eax: this parameter is passed to the following call.

Note 2: computes the right S/N for the first type of license.

Note 3: moves the right S/N into eax. Type d eax and you'll see the right registration key!!

Note 4: moves our S/N into edx: this parameter is passed to the following call together with 
eax (right S/N).

Note 5: compares the right S/N with the one entered by us.

Note 6: if the comparison is ok, jumps to the end of the function.

If the comparison is not ok, the function will calculate a new S/N for the second type of 
license. In fact, a few lines later you can see the identical routine described above, starting 
from the "mov eax, esi" instruction, which performs the same operations for the second type of 
license. For the third type it is the same thing. So just type d eax after the first of the two 
calls and you'll have the three registration keys!!
If none of the three comparisons is ok, the function will return 0, so on return the program 
will jump to unregistered.
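
The check structure traced above (derive the valid key from the name, then compare it with the entered one) set beside a verify-only design, as an added example that is not code from this tutorial or from PrimaSoft. The hash, the XOR constant, the toy RSA numbers and every function name are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a name hash (32-bit FNV-1a); not PrimaSoft's algorithm. */
static uint32_t name_digest(const char *name) {
    uint32_t h = 2166136261u;
    for (; *name; name++) { h ^= (unsigned char)*name; h *= 16777619u; }
    return h;
}

/* WEAK, same shape as the traced routine: derive the expected key from the
 * name, then compare it with the entered key. The expected key is written to
 * a buffer in the customer's process before the comparison happens. */
int check_derive_and_compare(const char *name, const char *entered,
                             char *expected, size_t len) {
    snprintf(expected, len, "%08X", (unsigned)(name_digest(name) ^ 0x5A5A5A5Au));
    return strcmp(expected, entered) == 0;
}

static uint64_t modpow(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1) { if (e & 1) r = r * b % m; b = b * b % m; }
    return r;
}

/* Toy textbook-RSA parameters (n = 61 * 53), far too small for real use. */
#define TOY_N 3233u
#define TOY_E 17u    /* public exponent: the only key material a client needs */
#define TOY_D 2753u  /* private exponent: belongs on the vendor's side only */

/* Vendor side only: issue a licence value for a name. */
uint32_t vendor_issue(const char *name) {
    return (uint32_t)modpow(name_digest(name) % TOY_N, TOY_D, TOY_N);
}

/* Client side: verify the entered value with the public key. This routine
 * never builds the valid value for a name; it only accepts or rejects one. */
int check_verify_only(const char *name, uint32_t entered) {
    return entered < TOY_N && modpow(entered, TOY_E, TOY_N) == name_digest(name) % TOY_N;
}

int main(void) {
    char expected[16];
    const char *name = "UmE Cracks!!";  /* sample input taken from the tutorial */
    printf("weak:   %d\n", check_derive_and_compare(name, "12345", expected, sizeof expected));
    printf("verify: %d\n", check_verify_only(name, vendor_issue(name)));
    return 0;
}
```

A real deployment would use a vetted signature library with full-size keys; the tiny modulus here only keeps the arithmetic readable.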

Ok, that's all for now. I hope you've enjoyed this tutorial.

Greetings to Volatility and all the Immortal Descendants.

Contact me at: ume15@hotmail.com