Cracking "CYBER-INFO E-MAIL NOTIFY V4.52"

Date         : August 24, 1999
Author       : +ViPeR+ [E]bola [V]irus [C]rew
Program Name : CYBER-INFO E-MAIL NOTIFY V4.52
Location     : http://www.cyber-info.com/
Method       : ECHO <>

-------------------------------------------------------------------------------

Enter the following information in the registration box:

Name     : evc_viper
Key Code : 12345678
Password : 54545454

Ok. Now, 'Ctrl-D' to get into Soft-Ice, set a breakpoint by typing 'bpx hmemcpy', and 'Ctrl-D' to get out of Soft-Ice. Click the 'Ok' button and you will be back in Soft-Ice. Now, 'F11' one time, 'F12' 6 times and 'F10' 21 times, and you will find you land at :004BB86F.

From the following block of code, the correct registration will echo in your data window. Follow my instructions to see it. You can use this trick to find the correct registration code in several programs.

:004BB86A E809B3F5FF   call 00416B78
:004BB86F 8B45F8       mov eax, dword ptr [ebp-08]   <-- land here
:004BB872 50           push eax

In Soft-Ice, 'F10' until the above line (:004BB872) is highlighted. Now, 'd eax' to see the fake password '54545454' in the data window (DW).

:004BB873 8D55EC       lea edx, dword ptr [ebp-14]
:004BB876 8B87B8010000 mov eax, dword ptr [edi+000001B8]
:004BB87C E8F7B2F5FF   call 00416B78                 <---- (1)

'd edx' to see a bunch of '00' in DW. Those '00' will be replaced by something after you 'F10' through the call instruction.

:004BB881 8B55EC       mov edx, dword ptr [ebp-14]
:004BB884 8D4DF0       lea ecx, dword ptr [ebp-10]
:004BB887 A1C4805300   mov eax, dword ptr [005380C4]
:004BB88C E8B34F0500   call 00510844                 <--- (2)

'F10' until the line :004BB88C is highlighted. Basically, the call in (1) puts your name in [ebp-14]. You can see this by typing 'd edx' to see it (in DW) now. 'd ecx' to see a bunch of '00' again. Now, 'F10' through the call at (2) and you will see that those '00' have been replaced by something. In my case, it shows 10 E9 3C 01 ** ** ** ** ...... To see what that is, 'd 013ce910'. I saw '48760' in my DW. That is the correct key code.

:004BB891 8B55F0       mov edx, dword ptr [ebp-10]
:004BB894 8D4DF4       lea ecx, dword ptr [ebp-0C]
:004BB897 A1C4805300   mov eax, dword ptr [005380C4]
:004BB89C E83B510500   call 005109DC                 <--- (3)

Again, 'F10' until the line :004BB89C is highlighted. 'd edx' to see '48760' in DW. 'd ecx' to see 00 00 00 00 ** ** ** ** ..... in DW. Now, 'F10' through the call at (3) and you will see that those 4 '00' have been replaced by something. In my case, it shows 14 CD 3C 01 ** ** ** ** ...... Now, 'd 013ccd14'. Well, I saw '2017279098871232' in my DW. That is the correct password.

Quit Soft-Ice with 'bc*' and key in the following info:

Name     : evc_viper
Key Code : 48760
Password : 2017279098871232

Click 'ok'. No thank-you pop-up. No browser pop-up. The registration option in the menu has been grayed out. Job done.

Final Note:

None.

Ob Duh

Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems?

+ViPeR+ [E]bola [V]irus [C]rew
August 24, 1999
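
Why the "echo" trick above works, shown as an added example that is not part of the original tutorial or the program's own code: a check that derives the expected code from the name has to hold that code in memory, while a signature check holds only public values. The key derivation, the toy RSA parameters and every name below are constructed assumptions.

```python
import hashlib

# Constructed demo key. The primes are the Mersenne primes 2^107-1 and 2^127-1,
# picked only for reproducibility; far too small and structured for real use.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537                      # public: the only key material the client ships
D = pow(E, -1, (P - 1) * (Q - 1))        # private: stays with the vendor


def digest(name: str) -> int:
    """Public value both sides can compute from the registration name."""
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N


def weak_expected_key(name: str) -> str:
    """Derive-and-compare design (hypothetical algorithm, not the program's own)."""
    return str(digest(name) % 100000)


def weak_check(name: str, entered: str) -> bool:
    expected = weak_expected_key(name)   # the valid key now sits in process memory
    return entered == expected


def vendor_sign(name: str) -> str:
    """Vendor side only: textbook RSA signature over the name digest (no padding)."""
    return format(pow(digest(name), D, N), "x")


def strong_check(name: str, entered: str) -> bool:
    """Client side: verifies with (N, E); it never computes a valid key itself."""
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == digest(name)   # only public values are in memory


if __name__ == "__main__":
    name = "example_user"                # constructed sample input
    print("weak scheme holds in memory:", weak_expected_key(name))
    key = vendor_sign(name)
    print("signed key verifies:", strong_check(name, key))
    print("wrong key verifies:", strong_check(name, "12345678"))
```

Signature verification removes the in-memory copy of the valid code; it does not protect the integrity of the check itself.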