/------------------------------HellSpawn 2K1-----------------------\
| 	Author: 		KahnAbyss	|
| 	Target: 		Trillian 0.6351	|
| 	Tools: 		SoftIce 4.05    	|
|			W32Dasm 8.93	|
| 	Crack Type: 	Serial		|
|	Level:		Novice		|
\-----------------------------------------------------------------------------/


Step 1:	Start Trellian and go to Preference --> General --> Donate
	Enter anything ie: KahnAbyss/666-6666
	Write down the message error
	"Incorrect key/username combination ......."

Step 2:	Make a copy of Trellian.exe to Trellian.ori
	open it with W32Dasm in string ref find the error message
	you should land here:

	* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
	:00411323(C), :00411341(C)

	:004113BA 6A00        		push 00000000

	* Possible StringData Ref from Data Obj ->"Incorrect input: Please try again."
	:004113BC 6850D34200    		push 0042D350

* Possible StringData Ref from Data Obj 	->"Incorrect key/username combination "
                                        		->"or number of tries exceeded (max "
                                        		->"tries = 10 per load of trillian)."

	:004113C1 68E8D24200		push 0042D2E8
	:004113C6 53                      		push ebx

	You see the 2 conditional jumps so lets see what is hidden there
	press Shift-F12 then type 411323 you gonna be there:

	:0041131A FFD7                		call edi	
	:0041131C 833DCC2C43000A          	cmp dword ptr [00432CCC], 0000000A
	:00411323 0F8D91000000            	jnl 004113BA	<-- 1st conditional jump useless since it calls edi 
	:00411329 8D542410                	lea edx, dword ptr [esp+10]
	:0041132D 8D842410010000          	lea eax, dword ptr [esp+00000110]
	:00411334 52                      		push edx
	:00411335 50                      		push eax
	:00411336 E815B70000              	call 0041CA50	<-- Hmmm a call we should dig it more l8r
	:0041133B 83C408                  	add esp, 00000008
	:0041133E 83F801                  	cmp eax, 00000001	<-- Compare Eax with 01
	:00411341 7577                    		jne 004113BA	<-- If Eax <> 1 then Jump to error
	:00411343 A3D82C4300              	mov dword ptr [00432CD8], eax

Step 3:	Enter SoftIce (Ctrl-D) then put a breakpoint on GetWindowTextA (bpx GetWindowTextA)
	Press F5 to exit from SIce now click on GO softice should lock
	Now you can clear the Getwindowtexta (bc*)	
	Now press F11 to get back to the caller then put a breakpoint on 411341
	Press F5 SoftIce should lock at this address.
	Change the (Z)ero Flag (r fl z). Press F5 now you are registered
	Ok now we know that the previsious call generate the Key
	if you restart Trellian you'll still not be registered.

Step 4:	So restart Trellian then enter your name
	KahnAbyss click Go
	when you'll lock at 411341 type d edx and you
	should find your serial number for me it was

	KahnAbyss
	a96140d3e94c0cf29eabe8aa1424966e