--------------------------------------------------------
How to find a serial in WinPull 2000
--------------------------------------------------------

Cracker: stealthFIGHTER
Target:  WinPull 2000
Tools:   SoftIce
         Brain
Where:   http://www.softseek.com

Sorry for my English, it's not my mother language.

-----------
Step 1:
-----------

===
Run the program, go to Enter registration Code, fill in the boxes. Switch to SoftIce and set a breakpoint on memory copy (bpx hmemcpy). "F5" - go back. Press OK =boom=> we are in SoftIce. Press "F5" twice because we have 3 input boxes, then "F11" to return to the caller, and by pressing "F12" (about 12x) get to the program's (32-bit) code. You should be here:
===

015F:00445DB9  CALL 004240C4
015F:00445DBE  MOV  EAX, [EBP-20]   <--- we land here
015F:00445DC1  LEA  EDX, [EBP-15]   <--- our fake s/n
015F:00445DC4  CALL 00407B18
015F:00445DC9  MOV  EAX, [EBP-1C]
015F:00445DCC  LEA  EDX, [EBP-18]
015F:00445DCF  CALL 0040797C
015F:00445DD4  MOV  EDX, [EBP-18]
015F:00445DD7  POP  EAX
015F:00445DD8  CALL 00403C88        <--- D EAX = our real s/n
015F:00445DDD  JNZ  00445DE8        <--- bad boy

===
Trace ("F10") to the CALL before the JUMP (bad jump). Type "D EAX" and in the data window you'll see your real s/n. Clear all bpx ("BC *"), enter the real code.
===

---------------------------------------
If I make a mistake, please e-mail me at:
stealthfighter@another.com
---------------------------------------