How to find a serial for Malz++Kassner CAD 4.7 Economy?
========================================================

by M.o.D. [f2f]

tools used:
- SoftIce 4.05 (protools.exit.de)

Ok, let's start!

First start our target and go to the register box. Enter your name and 1122334455 as the serial. Now open SoftIce and set a breakpoint on GetDlgItemTextA (bpx GetDlgItemTextA). Press the button to register and *boom*, you're in SI. Press F5 two times and you should see a nice box telling us that our code was wrong. SI broke two times, which means that the program grabs our entered name and serial and after that compares the serial with the good one. So press the register button again and SI should break again. Now press F5 once to get to the second GetDlgItemTextA. Press F12 and we're back in the program. You should see this code:

* Reference To: KERNEL32.lstrlenA, Ord:02A1h
00429D17 8B3D3C225200   mov edi, dword ptr [0052223C]
00429D1D 8D85E8FBFFFF   lea eax, dword ptr [ebp+FFFFFBE8]   -> ptr to our name
00429D23 50             push eax
00429D24 FFD7           call edi
00429D26 83F804         cmp eax, 00000004                   -> EAX holds the length of our name
00429D29 7D16           jge 00429D41                        -> jump to the next check if the name has at least 4 characters

So the program checks whether our name has at least 4 characters (cmp eax, 4 followed by jge, so a name of exactly 4 characters passes as well). If your name is shorter, fix this problem ;).

00429D41 8D85ECFDFFFF   lea eax, dword ptr [ebp+FFFFFDEC]   -> ptr to our serial
00429D47 50             push eax
00429D48 FFD7           call edi
00429D4A 85C0           test eax, eax                       -> tests whether we entered anything as serial at all
00429D4C 7524           jne 00429D72

I think this check isn't a real problem :).

We should jump to the following code:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00429D4C(C), :00429D54(C)
00429D72 8D85ECFDFFFF   lea eax, dword ptr [ebp+FFFFFDEC]   -> ptr to serial
00429D78 50             push eax
00429D79 8D85E8FBFFFF   lea eax, dword ptr [ebp+FFFFFBE8]   -> ptr to name
00429D7F 50             push eax
00429D80 E865390D00     call 004FD6EA                       -> keycheck routine
00429D85 59             pop ecx
00429D86 85C0           test eax, eax                       -> tests if we entered the correct key
00429D88 59             pop ecx
00429D89 7530           jne 00429DBB                        -> ! jump to "registered user" !

Ok, at 00429D80 the program checks our serial (the serial and the name are the two arguments of the call) and, depending on the result, jumps to the good or the bad message. Clear your breakpoints (bc *) and set one on the serial check call (bpx 00429D80). When you break on the call, press F8 to look at what happens inside it. We see this:

004FD6EA 55             push ebp
004FD6EB 8BEC           mov ebp, esp
004FD6ED 81EC04020000   sub esp, 00000204
004FD6F3 8D85FCFDFFFF   lea eax, dword ptr [ebp+FFFFFDFC]   -> ptr to a local 204h-byte buffer (ebp-204), remember it for later
004FD6F9 50             push eax
004FD6FA FF7508         push [ebp+08]
004FD6FD FF750C         push [ebp+0C]
004FD700 E84CFFFFFF     call 004FD651                       -> break here and press F8 to go into the call

After going into the call you see this:

004FD663 8A0C02         mov cl, byte ptr [edx+eax]          -> current char of our serial (edx is the index, starting at 0)
004FD666 80F930         cmp cl, 30                          -> compare with '0'
004FD669 7C79           jl 004FD6E4                         -> below '0' -> bad serial
004FD66B 80F939         cmp cl, 39                          -> compare with '9'
004FD66E 7F74           jg 004FD6E4                         -> above '9' -> bad serial
004FD670 0FBEC9         movsx ecx, cl
004FD673 8D34BF         lea esi, dword ptr [edi+4*edi]      -> esi = 5*edi
004FD676 42             inc edx
004FD677 83FA05         cmp edx, 00000005                   -> 5th char of our serial done?
004FD67A 8D7C71D0       lea edi, dword ptr [ecx+2*esi-30]   -> edi = 10*edi + (char - '0')
004FD67E 7CE3           jl 004FD663                         -> jump to next char

Ok, here the program checks whether the first 5 chars of our serial are digits only. The two lea instructions are just a compact way of writing edi = edi*10 + digit, so after the loop edi holds the first five characters as a number. We should pass this check successfully! The next check looks like this:

004FD680 8078052D       cmp byte ptr [eax+05], 2D           -> compares the 6th char with '-'
004FD684 755E           jne 004FD6E4                        -> jump to bad serial

We see that the 6th char of our serial has to be a '-'. So enter 11223-3445566 as the new serial. Then break at this cmp again and you see that we don't jump. Now comes this check:

004FD684 755E           jne 004FD6E4
004FD686 81FF204E0000   cmp edi, 00004E20                   -> type ? edi in SI and you see 11223, the number built from the first 5 chars
004FD68C 7C56           jl 004FD6E4
004FD68E 81FF14500000   cmp edi, 00005014                   -> same number again, now against the upper bound

Type ? 4E20 and ? 5014 in SI as well: 4E20 is 20000 and 5014 is 20500. This reveals that the first 5 chars must be a number from 20000 up to 20499: the jl after the first cmp rejects everything below 20000, and the jump after the second cmp (not shown here) rejects 20500 and above in the same way the later range check does. So enter 20100-11223 as the new serial. Now clear your breakpoints again and set one at 004FD68E. The next check:

004FD69B 8A0C02         mov cl, byte ptr [edx+eax]          -> current char, starting with the 7th char of our serial
004FD69E 80F930         cmp cl, 30                          -> compare with '0'
004FD6A1 7C41           jl 004FD6E4
004FD6A3 80F939         cmp cl, 39                          -> compare with '9'
004FD6A6 7F3C           jg 004FD6E4
004FD6A8 0FBEC9         movsx ecx, cl
004FD6AB 8D34B6         lea esi, dword ptr [esi+4*esi]      -> esi = 5*esi
004FD6AE 42             inc edx
004FD6AF 83FA0A         cmp edx, 0000000A                   -> 10th char of our serial done?
004FD6B2 8D7471D0       lea esi, dword ptr [ecx+2*esi-30]   -> esi = 10*esi + (char - '0')
004FD6B6 7CE3           jl 004FD69B                         -> jump to next char
004FD6B8 8A400A         mov al, byte ptr [eax+0A]           -> 11th char of our serial
004FD6BB 3C2D           cmp al, 2D                          -> compare with '-'
004FD6BD 7404           je 004FD6C3                         -> it is a '-' -> go on to the range check
.
.
.
004FD6C3 81FEC2010000   cmp esi, 000001C2                   -> type ? esi in SI and you see the number built from chars 7-10
004FD6C9 7C19           jl 004FD6E4
004FD6CB 81FEF4010000   cmp esi, 000001F4                   -> same number again
004FD6D1 7D11           jge 004FD6E4

This code looks familiar! Here the program checks whether the 7th to 10th characters of our serial are digits and builds a number from them the same way as before. Then it checks the 11th character, which must be a '-' (with 20100-11223 the 11th char is a '3', so the je is not taken and you don't reach 004FD6C3 until you fix that). Furthermore ? 1C2 gives 450 and ? 1F4 gives 500, so the compares at 004FD6C3 and 004FD6CB reveal that characters 7-10 have to be a number from 0450 up to 0499 (jl rejects below 450, jge rejects 500 and above)! So enter 20100-0455-11223 as the new serial!

Ok, the last part follows now. You should break again at 004FD68E. Now press F10 until you reach 004FD700. There you see this code:

004FD700 E84CFFFFFF     call 004FD651
004FD705 83C40C         add esp, 0000000C
004FD708 85C0           test eax, eax
004FD70A 7419           je 004FD725                         -> bad serial
004FD70C 8D85FCFDFFFF   lea eax, dword ptr [ebp-0204]       -> the local buffer that was passed to 004FD651

At 004FD70C type d eax in SI. Look at the data window and what we see there... yes, it's our regcode! The routine at 004FD651 has not only checked the two groups we typed, it has written the complete key for our name, starting with those two groups, into that buffer (how the remaining groups are produced is not covered here). For me it is:

~~~~~~~~~~~~~
M.o.D.
20100-0455-5996-9636-82

Enter your name and serial, press the register button and you are a registered user!

Ok, that's it! For questions and comments mail me: MoD_f2f@gmx.net

cu M.o.D.

ps: english isn't my mother tongue!
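As an added example (not code from the program and not part of the original tutorial), here is the serial-format check traced above, routine 004FD651, written out in C. It reproduces only what the SoftICE listing shows: the two digit loops with their lea arithmetic, the two '-' checks, and the range checks against 4E20/5014 and 1C2/1F4. It stops where the listing stops, at the 11th character; how the remaining groups of the key are produced is not covered by the tutorial and is not reproduced. Two points are assumptions and are marked as such in the code: the direction of the jump after cmp edi, 5014 (taken to be a jge like the one at 004FD6D1), and the out-of-bounds handling, since the real routine reads a fixed stack buffer without a length check.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example: the serial-format check traced in this tutorial
 * (routine 004FD651), rewritten in C. Not the program's own code.
 * It follows the SoftICE listing instruction by instruction and stops
 * where the listing stops (the 11th character).
 */

enum serial_result {
    SERIAL_OK = 0,
    SERIAL_GROUP1_DIGIT,   /* one of chars 1-5 is not '0'..'9'      */
    SERIAL_NO_DASH_AT_6,   /* cmp byte ptr [eax+05],2D failed       */
    SERIAL_GROUP1_RANGE,   /* edi outside 4E20..5013 (20000..20499) */
    SERIAL_GROUP2_DIGIT,   /* one of chars 7-10 is not '0'..'9'     */
    SERIAL_NO_DASH_AT_11,  /* cmp al,2D at 004FD6BB failed          */
    SERIAL_GROUP2_RANGE    /* esi outside 1C2..1F3 (450..499)       */
};

/* Byte i of the serial. Assumption: the real routine reads a fixed
 * stack buffer with no length check; returning 0 past the end keeps
 * this version in bounds, and 0 fails the digit test exactly like a
 * NUL byte in that buffer would. */
static unsigned char ch(const char *s, size_t len, size_t i)
{
    return i < len ? (unsigned char)s[i] : 0;
}

/* One iteration of a digit loop: the jl/jg to 004FD6E4 for a
 * non-digit, otherwise the two lea instructions, which together
 * compute acc = acc*10 + (c - '0'). */
static int fold_digit(int *acc, unsigned char c)
{
    if (c < 0x30 || c > 0x39)          /* cmp cl,30 / jl   cmp cl,39 / jg */
        return 0;
    int five = *acc + 4 * *acc;        /* lea esi,[edi+4*edi]             */
    *acc = (int)c + 2 * five - 0x30;   /* lea edi,[ecx+2*esi-30]          */
    return 1;
}

/* Runs the checks in the same order as the disassembly and reports
 * which one rejects the serial. */
enum serial_result check_serial_prefix(const char *serial)
{
    size_t len = strlen(serial);
    int first = 0, second = 0;

    for (size_t i = 0; i < 5; i++)                  /* 004FD663..004FD67E */
        if (!fold_digit(&first, ch(serial, len, i)))
            return SERIAL_GROUP1_DIGIT;
    if (ch(serial, len, 5) != '-')                  /* 004FD680 */
        return SERIAL_NO_DASH_AT_6;
    /* 004FD686: jl below 4E20. The jump after cmp edi,5014 is not in
     * the listing; assumed to be a jge like the one at 004FD6D1. */
    if (first < 0x4E20 || first >= 0x5014)
        return SERIAL_GROUP1_RANGE;
    for (size_t i = 6; i < 10; i++)                 /* 004FD69B..004FD6B6 */
        if (!fold_digit(&second, ch(serial, len, i)))
            return SERIAL_GROUP2_DIGIT;
    if (ch(serial, len, 10) != '-')                 /* 004FD6B8..004FD6BD */
        return SERIAL_NO_DASH_AT_11;
    if (second < 0x1C2 || second >= 0x1F4)          /* 004FD6C3..004FD6D1 */
        return SERIAL_GROUP2_RANGE;
    return SERIAL_OK;
}

int serial_prefix_ok(const char *serial)
{
    return check_serial_prefix(serial) == SERIAL_OK;
}

int main(void)
{
    /* The serials typed in during the tutorial, in the order tried. */
    static const char *tries[] = {
        "1122334455", "11223-3445566", "20100-11223",
        "20100-0455-11223", "20100-0455-5996-9636-82",
    };
    static const char *names[] = {
        "ok", "group 1 not all digits", "no '-' as 6th char",
        "group 1 not in 20000..20499", "group 2 not all digits",
        "no '-' as 11th char", "group 2 not in 450..499",
    };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-28s -> %s\n", tries[i], names[check_serial_prefix(tries[i])]);
    return 0;
}
```

Running it walks through the same sequence of rejections the SoftICE session does: the first serial dies at the 6th-character check, the second at the 20000 lower bound, the third at the 11th-character check, and the last two pass everything the listing shows. The accept set is what matters for choosing a prefix; any value in 20000..20499 and 450..499 will get you to the d eax step, and the program then fills in the rest of the key for your name.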