Hi, I have got NetZip Deluxe 6.5. The URL is ftp://ftp.download.com/pub/win95/utilities/NetZIP.exe

The author of this software plays a funny trick. I will try to explain this trick. This essay is quite long. Please forgive me for my poor English.

You know that your serial number should be 8 chars long. Here is the check (in Evalware.dll; I have removed some stupid comments made by W32Dasm):

:100017B0 8B542404 mov edx, dword ptr [esp+04]
:100017B4 53 push ebx
:100017B5 8BD9 mov ebx, ecx
:100017B7 57 push edi
:100017B8 8BFA mov edi, edx
:100017BA 83C9FF or ecx, FFFFFFFF
:100017BD 33C0 xor eax, eax
:100017BF F2 repnz
:100017C0 AE scasb
:100017C1 F7D1 not ecx
:100017C3 49 dec ecx
:100017C4 83F908 cmp ecx, 00000008 ;Check the length
:100017C7 7405 je 100017CE
:100017C9 5F pop edi
:100017CA 5B pop ebx
:100017CB C20400 ret 0004
:100017CE 8BFA mov edi, edx
:100017D0 83C9FF or ecx, FFFFFFFF
:100017D3 33C0 xor eax, eax
:100017D5 56 push esi
:100017D6 F2 repnz
:100017D7 AE scasb
:100017D8 F7D1 not ecx
:100017DA 2BF9 sub edi, ecx
:100017DC 8BC1 mov eax, ecx
:100017DE 8BF7 mov esi, edi
:100017E0 8BFB mov edi, ebx
:100017E2 C1E902 shr ecx, 02
:100017E5 F3 repz
:100017E6 A5 movsd
:100017E7 8BC8 mov ecx, eax
:100017E9 83E103 and ecx, 00000003
:100017EC F3 repz
:100017ED A4 movsb
:100017EE 8BCB mov ecx, ebx
:100017F0 E83B010000 call 10001930 ; SubroutineA

After checking the length of your serial, it copies the serial into the object at ebx and calls a subroutine at 10001930 to process it (let's call this subroutine SubroutineA). I use "19740907" as my fake serial number. The output of SubroutineA is an 8-byte array, stored at offset 9 of the same object. For me this array is:

char OutputArray[8] = { 0x39, 0x31, 0x3F, 0x3C, 0x38, 0x31, 0x38, 0x07 };

Then it checks OutputArray[2] (the array starts at offset 9, so [ebx+0B] is OutputArray[2]):

:100017F5 8A4B0B mov cl, byte ptr [ebx+0B]
:100017F8 33C0 xor eax, eax
:100017FA 80E10F and cl, 0F
:100017FD 5E pop esi
:100017FE 80F90A cmp cl, 0A
:10001801 5F pop edi
:10001802 0F94C0 sete al ;Good guy if cl==0A
:10001805 5B pop ebx
:10001806 C20400 ret 0004

In order to make it return 1, I have to change my serial from "19740907" to "19T40908". This time the array is { 0x36, 0x3E, 0x2A, 0x33, 0x37, 0x3E, 0x37, 0x08 }.

The body of SubroutineA is here (easy to understand):

:10001930 51 push ecx
:10001931 53 push ebx
:10001932 8A5C2407 mov bl, byte ptr [esp+07]
:10001936 BA07000000 mov edx, 00000007 ;index of array
:1000193B 8A040A mov al, byte ptr [edx+ecx] ;get a char
:1000193E 3C60 cmp al, 60
:10001940 7604 jbe 10001946
:10001942 04C3 add al, C3
:10001944 EB26 jmp 1000196C
:10001946 3C40 cmp al, 40
:10001948 7608 jbe 10001952
:1000194A 3C5B cmp al, 5B
:1000194C 7304 jnb 10001952
:1000194E 04C9 add al, C9
:10001950 EB1A jmp 1000196C
:10001952 3C2F cmp al, 2F
:10001954 7608 jbe 1000195E
:10001956 3C3A cmp al, 3A
:10001958 7304 jnb 1000195E
:1000195A 04D0 add al, D0
:1000195C EB0E jmp 1000196C
:1000195E 3C2B cmp al, 2B
:10001960 7504 jne 10001966
:10001962 B03E mov al, 3E
:10001964 EB06 jmp 1000196C
:10001966 3C2D cmp al, 2D
:10001968 7524 jne 1000198E
:1000196A B03F mov al, 3F
:1000196C 83FA07 cmp edx, 00000007 ;The last char ?
:1000196F 7509 jne 1000197A
:10001971 8AD8 mov bl, al
:10001973 F6D3 not bl
:10001975 80E33F and bl, 3F
:10001978 EB02 jmp 1000197C
:1000197A 32C3 xor al, bl
:1000197C 88440A09 mov byte ptr [edx+ecx+09], al ;Save the result
:10001980 4A dec edx
:10001981 83FAFF cmp edx, FFFFFFFF
:10001984 7FB5 jg 1000193B ;continue the loop
:10001986 B801000000 mov eax, 00000001
:1000198B 5B pop ebx
:1000198C 59 pop ecx
:1000198D C3 ret
:1000198E 33C0 xor eax, eax
:10001990 5B pop ebx
:10001991 59 pop ecx
:10001992 C3 ret

So each character is mapped to a value from 0 to 0x3F ('0'-'9' to 0-9, 'A'-'Z' to 0x0A-0x23, 'a'-'z' to 0x24-0x3D, '+' to 0x3E, '-' to 0x3F; any other character makes SubroutineA return 0). The loop runs from the last character to the first: the last character is stored as it is, and its inverted low 6 bits become the XOR key for the other seven.

Then it will save your fake serial to the Windows registry. But the names of the keys in the Windows registry are determined by OutputArray[0]. This is very important! Here is the code:

:10001B5E 8A4609 mov al, byte ptr [esi+09] ;get OutputArray[0]
:10001B61 8D4C2410 lea ecx, dword ptr [esp+10]
:10001B65 83E03F and eax, 0000003F ; OutputArray[0] & 0x3F
:10001B68 C644242001 mov [esp+20], 01
:10001B6D 50 push eax
* Possible StringData Ref from Data Obj ->"%ddata" ;generate key name
:10001B6E 68ACF00110 push 1001F0AC
:10001B73 51 push ecx
:10001B74 E82FB70000 call 1000D2A8
:10001B79 8A5609 mov dl, byte ptr [esi+09] ;OutputArray[0]
:10001B7C 83C40C add esp, 0000000C
:10001B7F 83E23F and edx, 0000003F ;OutputArray[0] & 0x3F
:10001B82 8D44240C lea eax, dword ptr [esp+0C]
:10001B86 52 push edx
* Possible StringData Ref from Data Obj ->"%durl" ;generate key name
:10001B87 68A4F00110 push 1001F0A4
:10001B8C 50 push eax
:10001B8D E816B70000 call 1000D2A8
:10001B92 83C40C add esp, 0000000C
:10001B95 8BCE mov ecx, esi
:10001B97 E834FDFFFF call 100018D0
:10001B9C 8D4C2414 lea ecx, dword ptr [esp+14]
:10001BA0 8D542408 lea edx, dword ptr [esp+08]
:10001BA4 51 push ecx
:10001BA5 52 push edx
:10001BA6 6A00 push 00000000
:10001BA8 683F000F00 push 000F003F
:10001BAD 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Application Global Data"
:10001BAF 68B4F00110 push 1001F0B4
:10001BB4 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"sbi"
:10001BB6 68A0F00110 push 1001F0A0
:10001BBB 6800000080 push 80000000
* Reference To: ADVAPI32.RegCreateKeyExA, Ord:011Bh
:10001BC0 FF1534750210 Call dword ptr [10027534]
:10001BC6 8B442410 mov eax, dword ptr [esp+10]
:10001BCA 8B4C2408 mov ecx, dword ptr [esp+08]
* Reference To: ADVAPI32.RegSetValueExA, Ord:0141h
:10001BCE 8B3D38750210 mov edi, dword ptr [10027538]
:10001BD4 6A08 push 00000008
:10001BD6 56 push esi
:10001BD7 6A01 push 00000001
:10001BD9 6A00 push 00000000
:10001BDB 50 push eax
:10001BDC 51 push ecx
:10001BDD FFD7 call edi
:10001BDF 8B7614 mov esi, dword ptr [esi+14]
:10001BE2 8B44240C mov eax, dword ptr [esp+0C]
:10001BE6 8B4C2408 mov ecx, dword ptr [esp+08]
:10001BEA 8B56F8 mov edx, dword ptr [esi-08]
:10001BED 52 push edx
:10001BEE 56 push esi
:10001BEF 6A01 push 00000001
:10001BF1 6A00 push 00000000
:10001BF3 50 push eax
:10001BF4 51 push ecx
:10001BF5 FFD7 call edi
:10001BF7 8B542408 mov edx, dword ptr [esp+08]
:10001BFB 52 push edx
* Reference To: ADVAPI32.RegCloseKey, Ord:0117h
:10001BFC FF1530750210 Call dword ptr [10027530]

For my fake serial, OutputArray[0] is 0x36, and 0x36 & 0x3F = 0x36 (54 in decimal). So the keys in the Windows registry are:

\HKEY_CLASSES_ROOT\sbi\54data (my fake serial)
\HKEY_CLASSES_ROOT\sbi\54url (empty)

This puzzled me. How does it read my serial when it starts? It cannot know the registry key name, because the key name is determined by my fake serial! I used Regmon to see which registry keys it reads when it starts, and I found that it always uses \HKEY_CLASSES_ROOT\sbi\11data and \HKEY_CLASSES_ROOT\sbi\11url. That means 54 should be 11! This is the trick!!! In other words, the following requirement must be met:

OutputArray[0] & 0x3F = 11

I have used bpx RegQueryValueExA if *(esp->8)=='11da' do "db esp+14" as a breakpoint and traced my fake serial, but found nothing new. (If you find something useful, please let me know. My mail is happynetguy@163.net.) So far we can figure out the correct serial.
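To check the trace above without a debugger, here is a Python model of SubroutineA together with the two constraints the program places on its output: the OutputArray[2] check at 100017F5 and the registry-name requirement OutputArray[0] & 0x3F == 11. This is an added example written for this page, not code from NetZip or Evalware.dll; the function names are mine, and the two sample serials are the ones quoted above. Running it reproduces both arrays listed earlier, shows why "19740907" fails the check while "19T40908" passes it, and shows that "19T40908" still lands in key 54 rather than 11.

```python
# Added example: a Python model of SubroutineA (10001930) and of the two
# constraints the program imposes on its output. Function names are mine,
# not NetZip's; the sample serials are the ones from the essay.


def decode_char(c: str):
    """Map one serial character to its 6-bit value exactly as SubroutineA does.
    Returns None for characters the routine rejects (the jne 1000198E path)."""
    b = ord(c)
    if b > 0x60:                 # cmp al,60 / jbe: anything above 0x60 gets add al,C3
        return (b + 0xC3) & 0xFF  # 'a' (0x61) -> 0x24 ... 'z' (0x7A) -> 0x3D
    if 0x40 < b < 0x5B:          # 'A'..'Z' -> add al,C9 -> 0x0A..0x23
        return (b + 0xC9) & 0xFF
    if 0x2F < b < 0x3A:          # '0'..'9' -> add al,D0 -> 0x00..0x09
        return (b + 0xD0) & 0xFF
    if b == 0x2B:                # '+' -> 3E
        return 0x3E
    if b == 0x2D:                # '-' -> 3F
        return 0x3F
    return None                  # any other byte: SubroutineA returns 0


def subroutine_a(serial: str):
    """Model of the caller's length check (100017C4) followed by SubroutineA.
    Returns the 8-byte OutputArray as a list, or None when either check fails."""
    if len(serial) != 8:
        return None
    out = [0] * 8
    key = 0
    # edx counts 7, 6, ..., 0: the last character is processed first.
    for i in range(7, -1, -1):
        v = decode_char(serial[i])
        if v is None:
            return None
        if i == 7:
            key = (~v) & 0x3F    # mov bl,al / not bl / and bl,3F
        else:
            v ^= key             # xor al,bl for the other seven characters
        out[i] = v               # mov byte ptr [edx+ecx+09], al
    return out


def passes_check(serial: str) -> bool:
    """The check at 100017F5: (OutputArray[2] & 0x0F) == 0x0A."""
    out = subroutine_a(serial)
    return out is not None and (out[2] & 0x0F) == 0x0A


def registry_index(serial: str):
    """The number the program formats into the "%ddata" / "%durl" key names:
    OutputArray[0] & 0x3F.  Regmon shows the program reads back index 11."""
    out = subroutine_a(serial)
    return None if out is None else out[0] & 0x3F


if __name__ == "__main__":
    for s in ("19740907", "19T40908"):
        arr = subroutine_a(s)
        print(s, [hex(x) for x in arr],
              "check:", passes_check(s),
              "registry index:", registry_index(s))
```

Note that the two constraints together only pin down four bits of OutputArray[2] and six bits of OutputArray[0]; the encoding itself is a fixed 6-bit alphabet with a per-serial XOR key taken from the last character, so there is no secret in the transform, which is why the author can invert it in the next section.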
I have found another subroutine which can produce the serial, provided that its input is OutputArray[]. Let's call it SubroutineB.

serial number ----> SubroutineA ----> OutputArray[]
OutputArray[] ----> SubroutineB ----> serial number

OK, with SubroutineB we can write a key maker now. Here is the body of SubroutineB:

:100018D0 56 push esi
:100018D1 8BF1 mov esi, ecx
:100018D3 BA07000000 mov edx, 00000007
:100018D8 8A4E10 mov cl, byte ptr [esi+10]
:100018DB F6D1 not cl
:100018DD 80E13F and cl, 3F
:100018E0 8A443209 mov al, byte ptr [edx+esi+09]
:100018E4 83FA07 cmp edx, 00000007
:100018E7 7402 je 100018EB
:100018E9 32C1 xor al, cl
:100018EB 3C0A cmp al, 0A
:100018ED 7304 jnb 100018F3
:100018EF 0430 add al, 30
:100018F1 EB26 jmp 10001919
:100018F3 3C09 cmp al, 09
:100018F5 7608 jbe 100018FF
:100018F7 3C24 cmp al, 24
:100018F9 7304 jnb 100018FF
:100018FB 0437 add al, 37
:100018FD EB1A jmp 10001919
:100018FF 3C23 cmp al, 23
:10001901 7608 jbe 1000190B
:10001903 3C3E cmp al, 3E
:10001905 7306 jnb 1000190D
:10001907 043D add al, 3D
:10001909 EB0E jmp 10001919
:1000190B 3C3E cmp al, 3E
:1000190D 7504 jne 10001913
:1000190F B02B mov al, 2B
:10001911 EB06 jmp 10001919
:10001913 3C3F cmp al, 3F
:10001915 7502 jne 10001919
:10001917 B02D mov al, 2D
:10001919 880432 mov byte ptr [edx+esi], al
:1000191C 4A dec edx
:1000191D 83FAFF cmp edx, FFFFFFFF
:10001920 7FBE jg 100018E0
:10001922 5E pop esi
:10001923 C3 ret

That's all. Thank you.