WHY PATCHING WHILE SERIAL NUMBER IS FISHY

Bubbles Screensaver
A Cracking Tutorial
by ASTAGA [D4C/C4A]


DISCLAIMER

This reading material is not intended to violate copyrights
and/or the law; it is for educational purposes only. I hold no
responsibility ( by any means and in any shape whatsoever )
for the misuse of this material.


ABOUT THE PROGRAM


This screensaver displays animated colored translucent bubbles
that pop on your desktop. This screensaver is shareware that
will expire after 10 days.
Date Released: 09/25/00 File Size: 812k


WHERE TO DOWNLOAD

Author   	: North Star Studios
Homepage 	: http://www.NorthStarStudios.com
URL		: http://www.northstarstudios.com/downloads/ss/BubblesInstaller.exe
Size 		: 812 KB as of October 17, 2000


HOW TO GET VALID SERIAL NUMBER by using SoftIce



1.  Open your Display Properties ( in the Control Panel or the HighRes
    icon in the traybar ).
    Choose "BUBBLES" as your screen saver and click the SETTINGS button;
    you'll see the program's opening window.
    Click on the key icon, and in the registration dialog box type
    the following information :

	User Name       : Pirates Order
	Serial Number   : 73881050

    Do not click OK button yet


2.  Fire up SoftIce by pressing [ CTRL + D ] and set a new breakpoint,
    in this case on HMEMCPY :

	BPX HMEMCPY     [enter]   and
   	F5  to return to the main program

3.  Click the OK button... you'll drop back into SoftIce.
    Within SoftIce press F11, F5, F11, then press F12
    several times until you land at :

	_____________________________________________________________

	015F:0048F7A0  E84FFEFAFF 	CALL	0043F5F4
	015F:0048F7A5  8B45F8   	MOV 	EAX,[EBP-08]
	015F:0048F7A8  5A        	POP 	EDX
	015F:0048F7A9  E8DE020000 	CALL	0048FA8C
	015F:0048F7AE  84C0      	TEST 	AL,AL
	...
	...

    ______________________BUBBLES!CODE+0008E798_____________________


    Disable the previous breakpoint, and set a new one as follows :

	bd*  [enter]
	bpx 015F:0048F7A0  [enter]


4.  Press F10 3 times and stop at 015F:0048F7A9 , dump/display EDX
    register by typing  :

	D EDX  [enter]
	Your fake code appears in the Data Window at the virtual
	address 0167:00C33280.

	Disable the previous breakpoint ( BD * or BD 00 ), and create
	a new breakpoint as follows

	bpr 0167:00C33280 0167:00C33280+10 RW  [enter]
	Press F5 or X, to let SoftIce break in this location


5.  If nothing goes wrong, you'll soon break and face the code
    snippet below :

	______________________________________________________________

	015F:00403F67  7426	JZ        00403F8F <== you land here
	015F:00403F69  8B0E 	MOV       ECX,[ESI]
	015F:00403F6B  8B1F 	MOV       EBX,[EDI]
	015F:00403F6D  39D9 	CMP       ECX,EBX   <== D EDI or ESI
	015F:00403F6F  7558 	JNZ       00403FC9

	________________________BUBBLES!CODE+2F67______________________

	Press F10 2 times and stop at 015F:00403F6D. Ouch... it's a CMP
	instruction.  Let's display the contents of those two
	registers.  On the command line type :

	? ecx  [enter]
	SoftIce will respond :
	38383337  0943207223  "8837"  <== fake S/N in reverse order

	? ebx  [enter]
	SoftIce will respond :
	31433231  0826487345  "1C21"  <== hmmm.. what the heck is this
						also in reverse order

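	At this point you may ask where your complete serial number
	is... aren't these just the first four digits ?  They are: the
	CMP compares one 32-bit chunk at a time, and x86 is little-endian,
	so each register shows four characters in reverse order.
	Okay, don't panic... all you have to do is this :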

	D EDI  [enter]
	Look at the Data Window - at virtual address 0167:00C3A2B8 -
	did you see  12C1097F  ?


	D ESI  [enter]
	Look at the Data Window - at virtual address 0167:00C33280 -
	hehe.... it's your fake 73881050.


6.  Now you can guess that  12C1097F  is your potential valid
    serial number. Remember the CMP ECX,EBX instruction
    described in the paragraph above ?
    Disable all breakpoints and press F5 to return to the main program.


7.  Repeat the registration procedure.
    Key in 12C1097F as your serial number, then click the OK button.
    The classic " thank you for registering " pops up on your screen.
    Hell... you're registered now, but it's ILLEGAL !!


8.  Where the hell is my registration info stored ??

	-  The correct registration code is stored in the registry
	   as follows :


9.  How can I practise with another registration key ?

	-  I strongly recommend you not do this !
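
The weakness that steps 5 and 6 depend on, as an added example (not code from the program or from the original tutorial): a client that derives the expected serial itself has to hold it in plaintext beside the compare, while a client that only verifies a signature never does. `name_hash`, the toy RSA key and every function name here are assumptions made for illustration; `le_dword` reproduces the reversed register values seen in step 5.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value a little-endian 32-bit load (MOV ECX,[ESI]) yields for 4 chars. */
uint32_t le_dword(const char *s) {
    const unsigned char *p = (const unsigned char *)s;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical name hash (FNV-1a); NOT the algorithm the product uses. */
uint32_t name_hash(const char *name) {
    uint32_t h = 2166136261u;
    while (*name) { h ^= (unsigned char)*name++; h *= 16777619u; }
    return h;
}

/* WEAK: the client derives the valid serial itself, so the expected
   string sits in process memory next to the compare (as in step 5). */
int weak_check(const char *name, const char *serial, char expected_out[9]) {
    snprintf(expected_out, 9, "%08X", (unsigned)name_hash(name));
    return strcmp(expected_out, serial) == 0;
}

/* Toy RSA public key (n = 61 * 53), constructed for this example and far
   too small for real use; a product would verify with a vetted library. */
enum { TOY_N = 3233, TOY_E = 17 };

/* Square-and-multiply modular exponentiation. */
uint32_t modpow(uint32_t b, uint32_t e, uint32_t m) {
    uint64_t r = 1, x = b % m;
    for (; e; e >>= 1, x = x * x % m)
        if (e & 1) r = r * x % m;
    return (uint32_t)r;
}

/* HARDENED: the serial is a signature over the name. The client only
   verifies with the public key and never computes the valid serial. */
int strong_check(const char *name, const char *serial) {
    char *end;
    unsigned long sig = strtoul(serial, &end, 16);
    if (end == serial || *end != '\0' || sig >= TOY_N) return 0;
    return modpow((uint32_t)sig, TOY_E, TOY_N) == name_hash(name) % TOY_N;
}
```

The private exponent that produces valid serials stays with the vendor; nothing in the shipped binary can be dumped to recover a working key for a given name.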



END NOTES

   This program is sold as shareware, so you can try before you buy.
   This is convenient for you, saves expenses by dispensing with all
   that packaging, and cuts out the middle person.  So it is cheap,
   but it is not free.
   If you like the program, and you will, be sure to register and pay.
   To keep shareware prices low,  users must do the right thing:
   Register, pay up, and smile/grin at yourself in the mirror.

   Do not distribute your crack release based on this tutorial, because
   you become a LAMER(s)!!!!!!!!
   ( tHATDUDE (PC97) defined a LAMER as the guy who sits in front of
   a personal computer, using a Hex Editor, ripping off other groups'
   crack releases and repacking (distro) them under his name.
   Adopted from newsgroup alt.cracks, alt.crackers - February 1997 )

    More about LAMER(s):
	lamer /n./ [prob. originated in skateboarder slang]
	Synonym for luser, not used much by hackers but common among warez
	d00dz, crackers, and phreakers. Oppose elite. Has the same
	connotations of self-conscious elitism that use of luser does among
	hackers.
    < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >


 _ Never attribute to malice that which is adequately explained by stupidity _


ASTAGA [D4C/C4A] tute-bubblescrsvr.zip
[EOF] 10/17/00 1:13:15 PM