-----------------------------------------------------------
How to find a serial in Key Pack 2000
-----------------------------------------------------------

Cracker: stealthFIGHTER
Target:  Key Pack 2000 v1.10
Tools:   Soft-Ice
         Brain
Where:   http://www.magellass.com

Sorry for my English, it's not my mother language.

-----------
Step 1:
-----------

===
Run KeyPack ... press the Register button and type your name and s/n.
Press OK ... everything disappears (I hate it). Fill them in again.
Go to Soft-Ice and set a breakpoint --> bpx hmemcpy.
Now press OK ...b.o.o.m... you should be in SI.
===

The program will break 5 times (5x pressing "F5"), but all we need is
the 3rd break (3x pressing "F5"). So now in Soft-Ice press "F5" 3 times,
then "F11" to get to the caller and "F12" 11 times to get to 32-bit code.
You should be here:

===
:004A74CE  MOV   EDX, [EBP-04]
:004A74D1  MOV   EAX, 004B0DD4      <--- D EDX = our fake s/n
:004A74D6  CALL  00403B7C
:004A74DB  XOR   EBX, EBX
:004A74DD  LEA   ECX, [EBP-08]
:004A74E0  MOVSX EDX, BX
:004A74E3  MOV   EAX, [004AF824]    \
:004A74E8  MOV   EAX, [EAX]          \___ a lot of EAX here
:004A74EA  MOV   EAX, [EAX+00000390] /
:004A74F0  MOV   EAX, [EAX+24]      /
:004A74F3  MOV   ESI, [EAX]         <--- here type D EAX
===

On the last line of MOVs type D EAX -- you will get some code in the
data window (= not interesting now). Once you have typed D EAX, press
"ALT+Page Down" until you get something interesting in the data window
(about 20 presses).

===
You must come to an area in memory where there are a lot of numbers.
For example:

7D3FA-F588-PC72-5T2T
...
...
...

s/n ???
===

So try entering one of the numbers ... yeah ... it works.

===
==
=

---------------------------------------------------------
If I made a mistake, please e-mail me at:
stealthfighter@another.com
---------------------------------------------------------
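
The last step works because valid serials sit in process memory as plain text, so reading memory yields a working key. The sketch below is an added example (not from the original tutorial and not Key Pack 2000 code) that contrasts such a plaintext table with a table of salted digests, and adds a release check that scans a build image for verbatim serials. All serials, the salt and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample serials in the page's format; not real Key Pack 2000 keys.
# In a real build this plaintext list would exist only on the build machine.
VALID_SERIALS = ["AAAAA-1111-BBBB-2222", "CCCCC-3333-DDDD-4444"]
SALT = b"constructed-demo-salt"  # assumption: per-product salt fixed at build time


def normalize(serial: str) -> str:
    return serial.strip().upper()


def serial_digest(serial: str) -> bytes:
    """Slow salted hash: a dumped table entry cannot be typed in as a serial."""
    return hashlib.pbkdf2_hmac("sha256", normalize(serial).encode(), SALT, 50_000)


# Weak form: the kind of data the walkthrough finds in the data window.
WEAK_IMAGE = b"\x00".join(s.encode() for s in VALID_SERIALS)

# Hardened form: only the digests are shipped and loaded.
HASHED_TABLE = [serial_digest(s) for s in VALID_SERIALS]
HARDENED_IMAGE = b"".join(HASHED_TABLE)


def check_weak(serial: str) -> bool:
    # Compares against plaintext serials held in memory.
    return normalize(serial) in VALID_SERIALS


def check_hardened(serial: str) -> bool:
    candidate = serial_digest(serial)
    ok = False
    for stored in HASHED_TABLE:  # visit every entry, constant-time compare
        ok |= hmac.compare_digest(candidate, stored)
    return ok


def leaked_serials(image: bytes, serials: list[str]) -> list[str]:
    """Release check: which valid serials appear verbatim (ASCII or UTF-16LE)?"""
    found = []
    for s in serials:
        if s.encode("ascii") in image or s.encode("utf-16-le") in image:
            found.append(s)
    return found
```
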