ROMEO'S LOG FOR DISK FACTORY 32-BIT V2.10
=========================================

..ooOO00OOoo....ooOO00OOoo....ooOO00OOoo....ooOO00OOoo....ooOO00OOoo..

Greetz to JUANDA++ 1997 & Porcupine

----------------------------------------------------------------------
SERIALZ CRACKING INFO
----------------------------------------------------------------------
Bpx      : GetDlgItemInt
D        : -
?        : EAX @ 014F:0040E06A
S        : -
Add Info : The first comparison checks if you have version 1.x.
           The second comparison checks if you have a valid upgrade serialz.
           The third comparison checks if you have a valid current version serialz.

----------------------------------------------------------------------
SHAREWARE INFO
----------------------------------------------------------------------
Name     : Disk Factory 32-bit
Version  : 2.10
Price    : $39.95
Author   : Mark J. McGinty
Company  : Accurate Technologies
Homepage : N/A
S-Loc    : HKEY_LOCAL_MACHINE\SOFTWARE\Accurate Technologies\DiskFactory32\2.0\Registered User
----------------------------------------------------------------------

..ooOO00OOoo....ooOO00OOoo....ooOO00OOoo....ooOO00OOoo....ooOO00OOoo..

*******************************************************
Step-by-Step Tutorial using Soft-Ice v3.0 (s/n : 2110-00617F-77)
*******************************************************

1. Set breakpoint

   Ctrl-D              (to enter soft-ice screen)
   bpx getdlgitemint

2. Key in name and dummy serialz

   Ctrl-D              (to exit soft-ice screen)
   romeo '97
   987654321

3. Click OK

4. (you should be in soft-ice screen) Disable breakpoint and press F11

   bd 0
   (press F11)

   This is what you should see (for Disk Factory 32-bit v2.10 only!):
   p/s : the exact memory location may differ!!!

   (press F10 to step down each line)

   -----------------------------------------------------------------------
                                              Comments
   -----------------------------------------------------------------------
   014F:0040DFBD  [USER32!GetDlgItemInt]    convert 987654321 into 3ADE68B1 (hex value)
   0040DFC3       MOV   [0042AC70],EAX      save EAX (3ADE68B1) in [0042AC70]
   0040DFC8       MOV   EAX,[00427350]
   0040DFCD       PUSH  EAX
   0040DFCE       PUSH  0042AC38
   0040DFD3       CALL  0040E653            call the function to calculate the serialz
                                            for version 1.x
   0040DFD8       ADD   ESP,08
   0040DFDB       MOVZX EAX,AX
   0040DFDE       CMP   EAX,[0042AC70]      First comparison, compare EAX with 987654321
                                            ? EAX and you get 4997
   0040DFE4       JNZ   0040E00B            Jump to 0040E00B if the numbers do not match
   -----------------------------------------------------------------------
   0040E00B       PUSH  0042AC38
   0040E010       CALL  [KERNEL32!lstrlen]  count string length, which is 09 (987654321)
   0040E016       PUSH  EAX
   0040E017       PUSH  0042AC38
   0040E01C       CALL  0040E9F7            call the function to calculate the serialz
                                            for upgrade
   0040E021       ADD   ESP,08
   0040E024       CMP   EAX,[0042AC70]      Second comparison, compare EAX with 987654321
                                            ? EAX and you get 1229694791
   0040E02A       JNZ   0040E051            Jump to 0040E051 if the numbers do not match
   -----------------------------------------------------------------------
   0040E051       PUSH  0042AC38
   0040E056       CALL  [KERNEL32!lstrlen]  count string length, which is 09 (987654321)
   0040E05C       PUSH  EAX
   0040E05D       PUSH  0042AC38
   0040E062       CALL  0040E516            call the function to calculate the serialz
                                            for current version
   0040E067       ADD   ESP,08
   0040E06A       CMP   EAX,[0042AC70]      Third comparison, compare EAX with 987654321
                                            ? EAX and you get 1507558471
   0040E070       JNZ   0040E092            Jump to 0040E092 if the numbers do not match
   -----------------------------------------------------------------------

   RESULTS:

   Name : romeo '97
   s/n  : 1507558471

   Shorthand to remember how to find the number next time :

   Bpx GetDlgItemInt
   ? EAX @ 014F:0040E06A
   -----------------------------------------------------------------------

5. Clear breakpoint and exit soft-ice

   bc 0
   Ctrl-D              (to exit soft-ice screen)

-----------------------------------------------------------------------

Notes for absolute beginners :
============================

ADD    = Add
CMP    = Compare
MOV    = Move
JNZ    = Jump if not zero
JZ     = Jump if zero
?      = Converts hexadecimal value to decimal value (plus a couple of other things)
S      = search (for ASCII or hexadecimal values)
D      = display (data/ASCII or hexadecimal values)
BL     = list all breakpoints
BC     = clear breakpoints
BE     = enable breakpoints
BD     = disable breakpoints
BPX    = breakpoint on execution
BPR    = breakpoint on memory range
F8     = step into a function
F10    = step down each line
Ctrl-D = enter/exit soft-ice screen

Useful breakpoints
==================

Typical breakpoints that work :

GetDlgItemText
GetDlgItemTextA
GetDlgItemInt
GetWindowText
GetWindowTextA
lstrlen
lstrcmp

When the typical breakpoints above do not work, use :

SendMessageA              (when you get a message if the serialz is wrong)
SendMessage               (when you get a message if the serialz is wrong)
GetDlgItem                (a bit tedious)
GetPrivateProfileStringA  (reading from file e.g. *.key, *.reg, *.lic)
GetStartupInfo            (reading from file e.g. *.ini)
MessageBeep               (when you hear a beep if the serialz is wrong)

When none of the above work, then you should use BPR (breakpoint on
memory range) rather than BPX (breakpoint on execution).
(works all the time! .. so far)

-----------------------------------------------------------------------

Regards,
-romeo '97-

*****************************
To learn and to teach ...
Many thanx to Ed!son and JUANDA++ who have taught me.
*****************************

..ooOO00OOoo....ooOO00OOoo....ooOO00OOoo....ooOO00OOoo....ooOO00OOoo..
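All three checks in the listing share one shape: a routine derives the expected serialz from the name into EAX, then CMP EAX,[0042AC70] tests it against the number that was typed in, so whoever single-steps to the compare can read the valid number straight out of the register. The C program below is an added illustration, not code from this log or from Disk Factory; toy_serial() is a constructed stand-in for the program's unknown routines at 0040E653 / 0040E9F7 / 0040E516, and check_exposed(), issue_digest() and check_digest() are hypothetical names. It puts that exposed compare next to a form where the binary keeps only a digest of the valid (name, serial) pair, so nothing at the compare equals the serial and no routine in the binary can produce one from a name.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration. toy_serial() is a constructed stand-in for Disk
 * Factory's real (unknown) routines at 0040E653 / 0040E9F7 / 0040E516:
 * FNV-1a style mixing of the name with a seed, nothing more. */
uint32_t toy_serial(const char *name, uint32_t seed)
{
    uint32_t h = seed;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        h = (h ^ *p) * 16777619u;
    return h;
}

/* The shape seen in the log: derive the expected serial from the name at
 * run time, then compare it straight against what was typed.  When
 * execution reaches the compare, the valid serial is sitting in a register
 * (EAX in the listing), which is all the "? EAX" step reads out. */
int check_exposed(const char *name, uint32_t entered)
{
    uint32_t expected = toy_serial(name, 0x811C9DC5u); /* lands in "EAX" */
    return expected == entered;                        /* CMP EAX,[0042AC70] */
}

/* Digest over the (name, serial) pair.  This is what a vendor would put in
 * the binary or the registry instead of anything that derives the serial. */
uint32_t issue_digest(const char *name, uint32_t serial)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s|%08x", name, (unsigned)serial);
    return toy_serial(buf, 0x12345678u);
}

/* Fixed-time byte compare: the result does not depend on where the first
 * differing byte is, so timing reveals nothing about the stored value. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hardened shape: digest what the user typed and compare against the stored
 * digest.  Nothing at the compare equals the serial, and the binary holds
 * no routine that can produce one from a name. */
int check_digest(const char *name, uint32_t entered, uint32_t stored_digest)
{
    uint32_t d = issue_digest(name, entered);
    return ct_equal((const uint8_t *)&d, (const uint8_t *)&stored_digest, sizeof d);
}

int main(void)
{
    const char *name = "romeo '97";                    /* name from the log */
    uint32_t serial = toy_serial(name, 0x811C9DC5u);   /* toy value, not the log's 1507558471 */
    uint32_t digest = issue_digest(name, serial);      /* what the vendor would ship */

    printf("exposed check, right serial : %d\n", check_exposed(name, serial));
    printf("exposed check, 987654321    : %d\n", check_exposed(name, 987654321u));
    printf("digest check, right serial  : %d\n", check_digest(name, serial, digest));
    printf("digest check, 987654321     : %d\n", check_digest(name, 987654321u, digest));
    return 0;
}
```

The digest form closes the read-it-off-the-register shortcut this log documents, but it does nothing against simply flipping the JNZ after the compare; any check that ends in a local branch can be patched, which is why schemes that need to resist that moved to verifying a vendor signature over the license data rather than recomputing any secret inside the binary.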