Name     : mIRC
Version  : 5.61
Target   : mIRC32.exe
Tools    : W32Dasm 8.93, Hacker's View 6.01, Brain
Cracker  : LW2000
Tutorial : No.7
URL      : http://www.mirc.com/

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

Please excuse my poor English, it's not my mother language....

1. Launch mIRC. You might have noticed that the program has no limitations, even unregistered. But hey, I hate unregistered shareware... So go to HELP | REGISTER and enter LW2000 as username and use 123456 as your serial number.

2. *BOOM* mIRC Registration! messagebox: "Sorry, your registration name and number don't match! Please make sure you're typing them in using the correct capitalization and spacing. Thanks!" Mhmm, let's take a look in W32DASM.

3. Now copy MIRC32.exe to backup.exe and disassemble MIRC32.EXE with W32Dasm. Click on the String Data Reference (SDR) button and find "Sorry, your registration name and number don't match!". Double-click on this string and close the SDR window.

4. Now you should see this:

   * Possible Reference to String Resource ID=01913: "Sorry, your registration name and number don't match!"
   :0043B708 6879070000     push 00000779
   :0043B70D E8D2EFFCFF     call 0040A6E4
   :0043B712 50             push eax
   :0043B713 8B4508         mov eax, dword ptr [ebp+08]
   :0043B716 50             push eax

5. Mhmm... this doesn't look like the code we should see! OK, trace up until you see the following piece of asm code:

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0043B621(C)                                 <<-- Here we go!
   :0043B6C2 6A00           push 00000000

   You see, we jumped from 0043B621, so let's go there and take a look.

6. Now you should see this:

   * Reference To: USER32.SendDlgItemMessageA, Ord:0000h
   |
   :0043B60B E80A250A00     Call 004DDB1A
   :0043B610 6803E14E00     push 004EE103
   :0043B615 681CDD4E00     push 004EDD1C
   :0043B61A E899950600     call 004A4BB8        <<-- Mhmm, an interesting call
   :0043B61F 85C0           test eax, eax        <<-- test whether eax is zero or one
   :0043B621 0F849B000000   je 0043B6C2          <<-- jump if equal (zero)

7. OK, what does this piece of code mean? First we've got a call that returns one or zero, depending on the code inside it. Then we've got a test, which checks whether the result of this call is 1 or 0. And at last we have a JE which will take you either to the CORRECT or to the WRONG registration messagebox. Looks easy, doesn't it? Simple name/code check... OK, let's try it! Place the bar on

   :0043B621 0F849B000000   je 0043B6C2

   Your offset is 3AC21 (you see this in the status bar). Copy mirc32.exe to try.exe. Open try.exe with Hiew. Press Enter twice to go to decode mode. Press F5, enter 3AC21 and press Enter. OK, now press F3 to edit the file. Change 0F84 to 0F85; this changes je to jump if not equal (jne). F9 to update and F10 to quit.

8. Now start try.exe. Enter any name and serial. *BOOM* "Your registration has been entered successfully. Thanks for registering! :)" Hey cool, you've done it!!!

9. Mhmm, exit the program and start try.exe again. *BOOM* SHIT!!! Unlicensed copy! So this program has a startup check. So open mirc32.exe in W32DASM again and go back to:

   * Reference To: USER32.SendDlgItemMessageA, Ord:0000h
   |
   :0043B60B E80A250A00     Call 004DDB1A
   :0043B610 6803E14E00     push 004EE103
   :0043B615 681CDD4E00     push 004EDD1C
   :0043B61A E899950600     call 004A4BB8        <<-- Mhmm, let's go there...
   :0043B61F 85C0           test eax, eax
   :0043B621 0F849B000000   je 0043B6C2

10. What else do we have apart from the call? Nothing! So let's take a look... Put the bar on the call line and click on the CALL button. Now it should look like this:

   :004A4BB8 55             push ebp
   :004A4BB9 8BEC           mov ebp, esp
   :004A4BBB 53             push ebx
   :004A4BBC 56             push esi
   :004A4BBD 57             push edi
   :004A4BBE 8B750C         mov esi, dword ptr [ebp+0C]
   :004A4BC1 8B5D08         mov ebx, dword ptr [ebp+08]
   :004A4BC4 53             push ebx
   :004A4BC5 E87AC20200     call 004D0E44
   :004A4BCA 59             pop ecx
   :004A4BCB 83F805         cmp eax, 00000005    <<-- compare eax with 5
   :004A4BCE 7307           jnb 004A4BD7         <<-- jump if not below
   :004A4BD0 33C0           xor eax, eax         <<-- eax is zeroed
   :004A4BD2 E9DA000000     jmp 004A4CB1         <<-- jump to 4A4CB1

11. So let's trace down a bit until you see:

   :004A4C23 6864205000     push 00502064
   :004A4C28 68641F5000     push 00501F64
   :004A4C2D E8A6FEFFFF     call 004A4AD8        <<-- well, I've seen
   :004A4C32 85C0           test eax, eax        <<-- something like
   :004A4C34 7407           je 004A4C3D          <<-- this before ;)
   :004A4C36 B801000000     mov eax, 00000001
   :004A4C3B EB74           jmp 004A4CB1

   Hee, I think you have the same idea as me ;) Let's change je to jne. Place the bar on

   :004A4C34 7407           je 004A4C3D

   Your offset is A4234.

12. Hiew mirc32.exe. Same procedure as every time... Enter twice, F5 and enter A4234, F3 to edit and change 7407 to 7507. F9 to update, F10 to quit.

13. Fire up mirc32.exe. Click on Help | Register and enter:

   Name:   LW2000
   Serial: 123456

   Press OK. Congratulations! You are a registered user!

FINISH! Easy, isn't it?

cu LW2000
Any comments? Mail me LW2000@gmx.net !!!

----
I'd like to thank tKC for his tutorials! I started with tutorial 1 and I still read them... they are the best!
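As an added example (not part of the tutorial), here is the same situation seen from the defending side: an integrity check that compares the backup.exe copy made in step 3 against a possibly patched copy, reports every changed byte, and flags the two single-opcode edits from steps 7 and 12 (0F 84 -> 0F 85 and 74 -> 75) as inverted conditional jumps. The sample bytes are constructed from the listings above, not read from the real binary; the function and label names are my own.

```python
import hashlib
from typing import List, Tuple

# Single-byte opcode changes that invert a conditional jump. The tutorial's two
# edits are instances: 0F 84 -> 0F 85 (je -> jne rel32) and 74 -> 75 (je -> jne rel8).
SHORT_JCC_INVERSE = {0x74: 0x75, 0x75: 0x74}
NEAR_JCC_INVERSE = {0x84: 0x85, 0x85: 0x84}   # second byte of the 0F-prefixed form


def file_digest(data: bytes) -> str:
    """SHA-256 of an image: the cheapest first check against a known-good copy."""
    return hashlib.sha256(data).hexdigest()


def classify_change(original: bytes, offset: int, new_byte: int) -> str:
    """Label one changed byte: an inverted conditional jump or an unrelated edit."""
    old_byte = original[offset]
    if SHORT_JCC_INVERSE.get(old_byte) == new_byte:
        return "jcc-short-inverted"
    if offset > 0 and original[offset - 1] == 0x0F and NEAR_JCC_INVERSE.get(old_byte) == new_byte:
        return "jcc-near-inverted"
    return "other"


def tamper_report(original: bytes, suspect: bytes) -> List[Tuple[int, int, int, str]]:
    """Compare a backup copy against a suspect copy. Returns (offset, old, new, label)
    for every differing byte; a length mismatch yields one 'length-mismatch' entry."""
    if len(original) != len(suspect):
        return [(min(len(original), len(suspect)), 0, 0, "length-mismatch")]
    if file_digest(original) == file_digest(suspect):
        return []
    return [
        (i, a, b, classify_change(original, i, b))
        for i, (a, b) in enumerate(zip(original, suspect))
        if a != b
    ]


# Constructed sample standing in for backup.exe: the two check sites quoted in the
# tutorial, followed by the same bytes after the two edits (constructed, not real).
ORIGINAL = bytes.fromhex(
    "85C0" "0F849B000000"   # test eax,eax / je rel32  (jump opcode byte at offset 3)
    "85C0" "7407"           # test eax,eax / je rel8   (opcode byte at offset 10)
    "B801000000"            # mov eax,1
)
PATCHED = bytes.fromhex("85C0" "0F859B000000" "85C0" "7507" "B801000000")

if __name__ == "__main__":
    for off, old, new, label in tamper_report(ORIGINAL, PATCHED):
        print(f"offset 0x{off:X}: {old:02X} -> {new:02X} ({label})")
```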