AIM Keys v 2.00.1230

Breakpoint: hmemcpy (a SoftICE-style breakpoint, presumably `bpx hmemcpy`). When it fires, return to the caller until you land at :0043E505.

:0043E4FF FF1560354500 Call dword ptr [00453560]
:0043E505 8B4D10 mov ecx, dword ptr [ebp+10] <-- land here

Step over (F10) repeatedly until you reach the following code segment. The two calls through [00453200] are handed the name field ([esi+000000A0]) and the code field ([esi+000000A4]) together with three fixed pointers; what that routine does is not visible in this listing (it looks like a string fetch/format helper, but confirm in the debugger).

:0040300B 8B86A0000000 mov eax, dword ptr [esi+000000A0]
:00403011 8B3D00324500 mov edi, dword ptr [00453200]
:00403017 686C814600 push 0046816C
:0040301C 50 push eax
:0040301D 6860814600 push 00468160
:00403022 6858814600 push 00468158
:00403027 FFD7 call edi
:00403029 8B8EA4000000 mov ecx, dword ptr [esi+000000A4]
:0040302F 686C814600 push 0046816C
:00403034 51 push ecx
:00403035 6850814600 push 00468150
:0040303A 6858814600 push 00468158
:0040303F FFD7 call edi
:00403041 8B86A4000000 mov eax, dword ptr [esi+000000A4] <-- the code that was typed in (54545454)
:00403047 8B8EA0000000 mov ecx, dword ptr [esi+000000A0] <-- the name that was typed in (evc_viper)
:0040304D 50 push eax
:0040304E 51 push ecx
:0040304F 6A03 push 00000003
:00403051 E83AEA0000 call 00411A90 <-- step into this call ('F8')

Step into (F8) the call at :00403051 rather than over it: this is the routine that validates the name/code pair, and the dump of :00411A90 below shows why it matters — it derives the expected code into a stack buffer and then compares that buffer with the typed code byte by byte. That is the weakness this tutorial exploits: the correct value is materialized in plaintext memory right before a simple comparison, and the single `test eax,eax` / `jne` after the call is the only gate on the result.

:00403056 83C40C add esp, 0000000C
:00403059 85C0 test eax, eax
:0040305B 7537 jne 00403094 <-- non-zero return means the pair was accepted; jumps past the rejection path
:0040305D 8B96A0000000 mov edx, dword ptr [esi+000000A0]
:00403063 8B42F8 mov eax, dword ptr [edx-08]
:00403066 85C0 test eax, eax
:00403068 750D jne 00403077 <-- name field non-empty: go to the rejection message
:0040306A 8B86A4000000 mov eax, dword ptr [esi+000000A4]
:00403070 8B48F8 mov ecx, dword ptr [eax-08]
:00403073 85C9 test ecx, ecx
:00403075 7441 je 004030B8 <-- both fields empty: continue the evaluation silently
:00403077 8B0D8C9E4600 mov ecx, dword ptr [00469E8C]

(The dword 8 bytes before each string buffer is tested for zero; this looks like a length field in a header that precedes the string data — confirm in the debugger before relying on it. The message below is reached when validation failed and at least one field was filled in.)

* Possible StringData Ref from Data Obj ->"You have entered incomplete registration " ->"information. Please re-enter the " ->"correct registration information. " ->"If you have entered this information " ->"in error, after returning to the " ->""nag" screen and removing the " ->"text in the registration fields, " ->"press OK to continue your evaluation."
| :0040307D 8B15889E4600 mov edx, dword ptr [00469E88] :00403083 8B461C mov eax, dword ptr [esi+1C] : : ================================================================= Ok, after 'F8' into the call at :00403051, we are on :00411A90. :00411A90 8B4C2408 mov ecx, dword ptr [esp+08] :00411A94 8B542404 mov edx, dword ptr [esp+04] :00411A98 81EC00040000 sub esp, 00000400 :00411A9E 8D442400 lea eax, dword ptr [esp] :00411AA2 53 push ebx :00411AA3 56 push esi :00411AA4 50 push eax :00411AA5 51 push ecx :00411AA6 52 push edx :00411AA7 E804FFFFFF call 004119B0 :00411AAC 8B842420040000 mov eax, dword ptr [esp+00000420] :00411AB3 83C40C add esp, 0000000C :00411AB6 8D742408 lea esi, dword ptr [esp+08] :00411ABA 8A10 mov dl, byte ptr [eax] ; <-- eax points to fake code :00411ABC 8A1E mov bl, byte ptr [esi] ; <-- esi points to real code the rest of them just compare the fake and real code. type 'd eax' and you will see 54545454 in the code window. type 'd esi' and you will see 57423879 which is the real registration code. name: evc_viper code: 57423879 Oct 8, 1999