------------------------------------------------------------------
How to find serial in Web Page Creator 32
------------------------------------------------------------------

Cracker: stealthFIGHTER
Target:  Web Page Creator 32 v7.6
Tools:   SoftIce
         Brain
Where:   http://www.download.com

Sorry for my English, it's not my mother language.

-----------
Step 1:
-----------

===
Run WPCreator ... go to Options --> Register. Type your Name
(iNFiNiTY [2000]), Registration Key (12345) and Registration Number
(7878787878787878). DO NOT TYPE THE SAME NUMBER IN BOTH FIELDS. Ready?

===
As usual we use the breakpoint BPX HMEMCPY (it breaks when something
is copied to memory). So set the breakpoint and press OK
... ... ... BANG! ... ... ... we are in SI.

===
Now press the "F5" key 6 times and then "F11" to get to the caller.
Then press the "F12" key 11 times to get to the 32-bit code. You
should be here:

===
0137:004881FD  CALL 004158C0          <--- start of routine
0137:00488102  MOV  EAX, [EBP-08]
0137:00488105  CALL 00406370
0137:0048810A  MOV  EDX, [0049FD54]
0137:00488110  MOV  ESI, [EDX+000003D4]
0137:00488116  MOV  [ESI+28], AX
0137:0048811A  MOV  EAX, ESI
0137:0048811C  CALL 004677B0          <--- CALL a "good" s/ns.
0137:00488121  TEST AL, AL            <--- Are the s/ns right?
0137:00488123  JZ   00488308          <--- No? Then jump to bad boy

===
Trace into the 2nd CALL (press F8). Then press the "F10" key several
times until you get here:

===
0137:004677EB  CALL 00477830          <--- CALL right Reg. Key
0137:004677F0  MOV  AX, [EBP-06]
0137:004677F4  CMP  AX, [ESI+28]      <--- Compare our Keys
0137:004677F8  JNZ  00468709          <--- Bad boy

===
The CoMPare is interesting. Here you'll see in the top right corner
something like this:

    DS:01353F30=3039

If you type:

    ? 3039

you'll get 12345 - YeaH! Our false Reg. Key. And if you type:

    ? EAX

- YeaH! Our real Reg. Key. (for me 58598)

===
Now set a breakpoint on the CMP instruction. Type:

    bpx 0137:004677F4

Now disable all breakpoints (bd *) and type X to go back to WPC.
Re-enter your name and type your real Reg. Key. The Reg. Number stays
the same (7878787878787878). Press OK. BAnG! We are in Soft-Ice right
at the CMP instruction:

===
0137:004677F4  CMP  AX, [ESI+28]
0137:004677F8  JNZ  00468709          <--- Now it is a good boy
0137:004677FA  MOV  EAX, [EBP-04]
0137:004677FD  MOV  EDX, [ESI+24]     <--- Final target

===
If you look at :004677FD MOV EDX, [ESI+24] and type

    ? EAX

you'll get the real Reg. Number in your data window
(I get EQE-PPNKLBAU8Y7-2KN79VBKL92)

===
Now clear all breakpoints (bc *) and enter everything again. BAaAaNG!

===
==
=

---------------------------------------------------------
If I made a mistake, please e-mail me at:
stealthfighter@another.com
---------------------------------------------------------