WHY PATCHING WHILE THE SERIAL NUMBER IS FISHY
1toX v2.01
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This material is not intended to violate copyright or the law; it is for educational purposes only. I hold no responsibility (by any means and in any shape whatsoever) for misuse of this material.

ABOUT THE PROGRAM

1toX is a 32-bit program for Windows 95, 98 and NT 4.x used to split big files into several smaller files. 1toX cuts a file in different ways:
- 1toX adds to each cut file (called a 1toX file) a small header describing the file
- Each 1toX file is a simple part of the original file (production of a batch 1toX).
....
....

WHERE TO DOWNLOAD

Author   : Jean Piquemal
Homepage : http://www.logipole.com
URL      : http://j.piquemal.free.fr/1toxe.zip
Size     : 366 KB - as of October 11, 2000

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

1. Run 1TOX.EXE and, in the main program, click the HELP/REGISTER submenu. In the registration dialog box type the following information:

   Name  : Order
   First : Pirates
   Key   : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [CTRL + D] and create a new breakpoint as follows:

   BPX MessageBoxA [enter]

   Press F5 to return to the main program.

3. Now click the OK button... you will drop back into SoftIce. Inside SoftIce press F11, then click OK to confirm the 'Invalid Key ....' message. Again you drop back into SoftIce, landed at the MessageBoxA call instruction at 015F:00414127. Now scroll up several lines by pressing [Ctrl+Up arrow]. Did you notice the interesting CMP (compare) instruction at 015F:00409D37? Scroll up again until you see the CALL instruction at 015F:00409D29. Now you know where the value being checked is computed (the CALL) and where it is compared against ECX (the CMP). Disable the previous breakpoint and set a new one:

   bd * [enter]
   bpx 015F:00409D29 [enter]

   Press F5 to return to the main program.

4. Repeat the registration procedure of step 1 and click the OK button.
If nothing went wrong, you will see the following code snippet:
___________________________________________________________________
00409D29: E81A100100      call 0041AD48              <-- you land here
00409D2E: 8B0DD8D94200    mov ecx,[0042D9D8]
00409D34: 83C404          add esp,004
00409D37: 3BC1            cmp eax,ecx                <--- !!!!!!!!!
00409D39: 742E            je 00409D69
00409D3B: 6A10            push 010
00409D3D: 68BCA54200      push 0042A5BC
00409D42: 6814A54200      push 0042A514
00409D47: 55              push ebp
00409D48: FF15E8614200    call MessageBoxA           ; <==== 3rd step
00409D4E: 6A01            push 001
___________________________________________________________________

   Press F10 three times (stop at 015F:00409D37) and display the EAX and ECX registers by typing:

   ? EAX [enter]

   SoftIce will respond:

   26A6F012   0648474642

   Oops, it wasn't your fake code....

   ? ECX [enter]

   SoftIce will respond:

   DB97427B   3684123259

   Well... what the heck is this? Note that SoftIce's ? command shows the register in hex first and then the same 32-bit value as unsigned decimal: 0648474642 is simply 26A6F012 in decimal, and 3684123259 is DB97427B in decimal. Write down those two suspicious numbers for later use.

   Press F10 again around six times; you will step past the call instruction at 015F:00409D48 and get the beggar-off message 'Invalid Key ....'. Click the OK button, press F5, disable all breakpoints (bd *), and press F5 again to return to the main program.

5. Let's think for a while. If EAX had equaled ECX, the instruction at 00409D39 (742E je 00409D69) would have jumped over the MessageBoxA call and we would not have seen the beggar-off message. Does this program not show the classic 'Thank you for registering ....' message when the correct key is entered? And what happens if we enter 0648474642 and/or 3684123259 as the serial number?

6. Just do it! Repeat the registration procedure and key in 0648474642 and then 3684123259 as the serial number. Do you feel the difference? With the first one you face the beggar-off message; with the second you get just a splash screen.... but look at the title bar: the "( Unregistered )" text is gone. So this program does not have the 'Thank you for registering ....' message we expected.
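The pattern steps 3 to 6 rely on, as an added example that is not part of the original tutorial and not 1toX's own code: a registration check that ends in cmp eax,ecx with the expected value in one operand hands that value to anyone sitting on the compare, which is why patching the je is unnecessary here. The two register dumps are the ones from step 4. The leaky_check body is a hypothetical stand-in (a direct compare of the typed number against a constant), since the tutorial does not recover how 1toX turned 73881050 into 26A6F012; the FNV-1a hardened_check is an illustration of the defensive fix, not anything 1toX does.

```c
/* Added example (not from the tutorial, not 1toX's code).
 * Models why the serial shows up in a register at "cmp eax,ecx":
 * the program compares something derived from the typed key (EAX)
 * against the value it expects (ECX), so whoever breaks on the
 * compare reads the expected value straight off ECX. The check
 * bodies are hypothetical stand-ins, not 1toX's real algorithm. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Register dumps from step 4 of the tutorial (hex as SoftIce shows it). */
#define EAX_DUMP "26A6F012"   /* derived from the fake key 73881050 */
#define ECX_DUMP "DB97427B"   /* constant loaded from [0042D9D8] */

/* Parse a SoftIce hex register dump into a 32-bit value. */
uint32_t reg_from_hex(const char *hex)
{
    return (uint32_t)strtoul(hex, NULL, 16);
}

/* The second number SoftIce prints for "? EAX": the same 32 bits as
 * unsigned decimal, zero-padded to 10 digits. This is the string the
 * tutorial types back into the Key field. */
char *softice_decimal(uint32_t v, char *out, size_t n)
{
    snprintf(out, n, "%010lu", (unsigned long)v);
    return out;
}

/* Leaky check (hypothetical): the expected key is a constant in the
 * binary; the typed key is converted to a number and compared to it.
 * At the compare, ECX holds exactly the key the attacker needs. */
int leaky_check(const char *typed)
{
    uint32_t ecx = reg_from_hex(ECX_DUMP);              /* mov ecx,[0042D9D8] */
    uint32_t eax = (uint32_t)strtoul(typed, NULL, 10);  /* result of the call */
    return eax == ecx;                                   /* cmp eax,ecx / je */
}

/* 32-bit FNV-1a: a small one-way function for the hardened variant. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 0x811C9DC5u;
    for (; *s; s++) {
        h ^= (uint8_t)*s;
        h *= 0x01000193u;
    }
    return h;
}

/* Hardened check (illustration, not 1toX): the binary ships only a
 * digest of the real key. At the compare both registers hold digests,
 * so breaking on it no longer reveals the key; the attacker is back to
 * patching the branch, which is exactly what this tutorial avoided. */
int hardened_check(const char *typed, uint32_t stored_digest)
{
    return fnv1a32(typed) == stored_digest;
}

int main(void)
{
    char eax_dec[16], ecx_dec[16];
    softice_decimal(reg_from_hex(EAX_DUMP), eax_dec, sizeof eax_dec);
    softice_decimal(reg_from_hex(ECX_DUMP), ecx_dec, sizeof ecx_dec);
    printf("? EAX -> %s  %s\n", EAX_DUMP, eax_dec);   /* 0648474642 */
    printf("? ECX -> %s  %s\n", ECX_DUMP, ecx_dec);   /* 3684123259 */

    /* The three keys tried in steps 1 and 6. */
    const char *tries[] = { "73881050", eax_dec, ecx_dec };
    for (int i = 0; i < 3; i++)
        printf("key %s -> %s\n", tries[i],
               leaky_check(tries[i]) ? "registered" : "Invalid Key");

    /* Vendor side of the hardened variant: only the digest is built in. */
    uint32_t digest = fnv1a32(ecx_dec);
    printf("hardened: %s -> %s\n", ecx_dec,
           hardened_check(ecx_dec, digest) ? "registered" : "Invalid Key");
    return 0;
}
```

Only the leaky shape explains what the tutorial observes: the decimal rendering of ECX registers the program, the decimal rendering of EAX does not. The hardened variant is the minimal change that keeps the key out of the compare; it does nothing against patching the branch itself.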
7. To make sure whether you are registered or not, click the HELP/ABOUT submenu. Yes, you are illegally registered and your key is 3684123259!

8. Where the hell is my registration code stored?
   - The correct registration code is encrypted and stored in a file called 1TOX.LIC, located in your 1TOX directory.

9. How can I practise with my own user name?
   - I strongly recommend that you do not do this!

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but it is not free. If you like the program, and you will, be sure to register and pay. To keep shareware prices low, users must do the right thing: register, pay up, and smile/grin at yourself in the mirror.

Do not distribute a crack release based on this tutorial, because that makes you a LAMER!!!!!!!! (tHATDUDE (PC97) defined a LAMER as the guy who sits in front of a personal computer, using a hex editor, ripping off other groups' crack releases and repacking (distro) them under his own name. Adopted from the newsgroups alt.cracks and alt.crackers - February 1997.)

More about LAMER(s):

lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-1toX201.zip
[EOF]
October 11, 2000 12:45:24 PM
10/10/00