INTRO
Hi Guys. Firstly, I'd just like to thank TORN@DO for coming up with the great idea of having a weekly project for newbies to learn with. I think it's a great idea. I'll try to be as thorough as I can with this tutorial so even the newest of newbies can understand it.
INFO
The Proggie - Security Administrator for Windows95/98 v1.3. Download from The C4N Projects Website.
The Protection - This program has reg code protection. And it's fairly simple too!
The Required Tools - I used NuMega Softice, the debugger of all debuggers. You could use W32Dasm, as this program's protection is fairly easy to defeat, but you'll benefit from seeing what's going on with Softice. Also, as per usual, a brain and an open mind are required.
The Greetz - Many thanks to those who take the time to write the crackmes. Thanks to all people in #cracking4newbies and #win32asm. Greetz to StRAzOr, ACiD BuRN, Shannon-, Volatility, The Sandman, Fravia, +ORC, ALx, _Tribe, all the legends from Desync and any other aspiring Crackerz!
Other Info - All S-ICE commands will be highlighted in RED. I will possibly use the following abbreviations:

- WTF = What the fuck?!
- HV = Hexadecimal value
- ML = Memory Location
- SICE = Softice

Before I cracked the app in question, I was planning on keygenning it. I soon found out that this wasn't required. I will show you how the protection works, and how to get round it with a valid serial number.

THE ESSAY
OK People. Load up the app (download now if you haven't downloaded it). And you'll see that the first thing that comes up is the registration screen asking you to enter a reg code. Now the way I approached this from here, I entered my usual reg code that I enter when cracking - karnak19781205. So punch in your dummy reg code now (I'll use mine for reference throughout this tutorial).

Now we'll set a breakpoint in Softice on the hmemcpy function (coz a lot of the time this will work). So BPX hmemcpy. And come back to Windows. After pressing the go button, SICE will pop up again. Since we are deep down in the depths of the Windows functions, we need to F12 until we see the application's name in the border, so we know we are looking at the right code. When you first reach the program's code, you'll still have to press F12 a few more times until you reach the following code:

	
	:0046AFED  E822F8FBFF          CALL    0042A814
	:0046AFF2  8B45F8              MOV     EAX,[EBP-08]           <--- We are here
	:0046AFF5  8D55FC              LEA     EDX,[EBP-04]
	:0046AFF8  E8CF62FFFF          CALL    004612CC
	:0046AFFD  837DFC00            CMP     DWORD PTR [EBP-04],00
	:0046B001  750D                JNZ     0046B010
	:0046B003  8D45FC              LEA     EAX,[EBP-04]
	:0046B006  BA74B04600          MOV     EDX,0046B074
	:0046B00B  E82C8AF9FF          CALL    00403A3C
	:0046B010  A1F43E4700          MOV     EAX,[00473EF4]
	:0046B015  8B00                MOV     EAX,[EAX]
	:0046B017  8B55FC              MOV     EDX,[EBP-04]
	:0046B01A  E8256C0000          CALL    00471C44
	:0046B01F  8B8308030000        MOV     EAX,[EBX+00000308]
	:0046B025  8B10                MOV     EDX,[EAX]
	:0046B027  FF92B4000000        CALL    [EDX+000000B4]
	:0046B02D  A14C3E4700          MOV     EAX,[00473E4C]
	:0046B032  803800              CMP     BYTE PTR [EAX],00
	:0046B035  740A                JZ      0046B041
Right, at this point we have just returned from the "GetText" routine. If you take a look at the EAX register you'll see the length of our 'RegCode'. Press F10 once, and DD EAX, and in the data window you should see the reg code that you typed in. Now at this point I decided to trace through the code (using F10 to step OVER) until I found the following code:
	
	:0046CCDF  E8C06CF9FF          CALL    004039A4
	:0046CCE4  8B45FC              MOV     EAX,[EBP-04]
	:0046CCE7  E8346FF9FF          CALL    00403C20                <--- I stopped here
	:0046CCEC  83F80C              CMP     EAX,0C
	:0046CCEF  0F8599000000        JNZ     0046CD8E
	:0046CCF5  8B45FC              MOV     EAX,[EBP-04]
	:0046CCF8  803838              CMP     BYTE PTR [EAX],38       <--- Interesting
	:0046CCFB  0F858D000000        JNZ     0046CD8E
	:0046CD01  8B45FC              MOV     EAX,[EBP-04]
	:0046CD04  80780233            CMP     BYTE PTR [EAX+02],33    <--- Interesting
	:0046CD08  0F8580000000        JNZ     0046CD8E
	:0046CD0E  8B45FC              MOV     EAX,[EBP-04]
	:0046CD11  80780331            CMP     BYTE PTR [EAX+03],31    <--- Interesting
	:0046CD15  7577                JNZ     0046CD8E
	:0046CD17  8B45FC              MOV     EAX,[EBP-04]
	:0046CD1A  80780439            CMP     BYTE PTR [EAX+04],39    <--- Interesting
	:0046CD1E  756E                JNZ     0046CD8E
	:0046CD20  8B45FC              MOV     EAX,[EBP-04]
	:0046CD23  80780830            CMP     BYTE PTR [EAX+08],30    <--- Interesting
	:0046CD27  7565                JNZ     0046CD8E
	:0046CD29  8B45FC              MOV     EAX,[EBP-04]
	:0046CD2C  80780935            CMP     BYTE PTR [EAX+09],35    <--- Interesting
	:0046CD30  755C                JNZ     0046CD8E
	:0046CD32  8B45FC              MOV     EAX,[EBP-04]
	:0046CD35  80780A53            CMP     BYTE PTR [EAX+0A],53    <--- Interesting
	:0046CD39  7553                JNZ     0046CD8E
	:0046CD3B  8B45FC              MOV     EAX,[EBP-04]
	:0046CD3E  80780B45            CMP     BYTE PTR [EAX+0B],45    <--- Interesting
	:0046CD42  754A                JNZ     0046CD8E
	:0046CD44  B8BC584700          MOV     EAX,004758BC
	:0046CD49  8B55FC              MOV     EDX,[EBP-04]
	:0046CD4C  E8A76CF9FF          CALL    004039F8
	:0046CD51  C605B858470001      MOV     BYTE PTR [004758B8],01
	:0046CD58  B301                MOV     BL,01
	:0046CD5A  33D2                XOR     EDX,EDX
	:0046CD5C  8B8600050000        MOV     EAX,[ESI+00000500]
	:0046CD62  E86DCEFCFF          CALL    00439BD4
OK, at the point where I stopped EBP-04 contained my reg code. Pressing F10 again, I saw that EAX contained 0E (the length of my reg code). This is compared to the value 0C, and if they aren't the same then we jump to the end of the routine. Hmmm.. not good :-) So I put 2 and 2 together, and decided to change the length of my regcode to 12. But before carrying on I couldn't help but notice the code afterwards. Take note of all of the 'INTERESTING' comparisons in the above code.

As you can see, EAX points to our regcode, and particular bytes of the code are compared to particular values. If any of these values are different, we jump to the end of the routine. So at this point we can safely say that we need to be able to go through all these comparisons without jumping. So let's take a look at the comparisons:

EAX is compared to 38. 38h = '8'
EAX+02 is compared to 33. 33h = '3'
EAX+03 is compared to 31. 31h = '1'
EAX+04 is compared to 39. 39h = '9'
EAX+08 is compared to 30. 30h = '0'
EAX+09 is compared to 35. 35h = '5'
EAX+0A is compared to 53. 53h = 'S'
EAX+0B is compared to 45. 45h = 'E'

So, in other words, if our regcode follows the above criteria, we should have a valid key! OK, so let's try it out. Disable all breakpoints, and punch in a code following this format:

8x319xxx05SE

I used '8K319ARN05SE'. Hit the 'GO' button. BINGO!! Program cracked!

THE SOLUTION
Well this has already been shown. Any registration code that follows the format:

8x319xxx05SE

(where x = any character) will work perfectly!
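To make the lesson of this essay concrete, here is a small Python example (added by the editor, not Karnak's code and not part of the original tutorial) that reads the accepted-key template straight off the CMP instructions in the listing above and then mirrors the routine's check. It shows why a serial check built from a length compare plus hard-coded byte compares leaks its own key: every pinned character is literally in the code, and every offset that is never compared is a free slot. The listing text embedded below is copied from the disassembly in this essay; the regexes and function names are the editor's.

```python
import re

# Sample input: the CMP lines copied from the 0046CCEC..0046CD3E listing above.
# The MOV/JNZ lines between them carry no key information, so they are left out.
LISTING = """
:0046CCEC  83F80C              CMP     EAX,0C
:0046CCF8  803838              CMP     BYTE PTR [EAX],38
:0046CD04  80780233            CMP     BYTE PTR [EAX+02],33
:0046CD11  80780331            CMP     BYTE PTR [EAX+03],31
:0046CD1A  80780439            CMP     BYTE PTR [EAX+04],39
:0046CD23  80780830            CMP     BYTE PTR [EAX+08],30
:0046CD2C  80780935            CMP     BYTE PTR [EAX+09],35
:0046CD35  80780A53            CMP     BYTE PTR [EAX+0A],53
:0046CD3E  80780B45            CMP     BYTE PTR [EAX+0B],45
"""

# CMP EAX,imm : EAX holds the regcode length here, so imm is the required length.
LEN_RE = re.compile(r"CMP\s+EAX,([0-9A-Fa-f]+)")
# CMP BYTE PTR [EAX+off],imm : one fixed character (imm) at one fixed offset (off).
BYTE_RE = re.compile(r"CMP\s+BYTE PTR \[EAX(?:\+([0-9A-Fa-f]+))?\],([0-9A-Fa-f]+)")


def key_template(listing: str, wildcard: str = "x") -> str:
    """Rebuild the accepted-key template from the CMP instructions.

    Each byte compare pins one character; offsets that are never compared
    come out as the wildcard (the 'x' in 8x319xxx05SE)."""
    length = None
    fixed = {}
    for line in listing.splitlines():
        m = BYTE_RE.search(line)
        if m:
            offset = int(m.group(1) or "0", 16)      # [EAX] alone means offset 0
            fixed[offset] = chr(int(m.group(2), 16))
            continue
        m = LEN_RE.search(line)
        if m:
            length = int(m.group(1), 16)
    if length is None:
        raise ValueError("no length check (CMP EAX,imm) found in listing")
    return "".join(fixed.get(i, wildcard) for i in range(length))


def check_regcode(code: str, template: str, wildcard: str = "x") -> bool:
    """Mirror the routine: wrong length fails, then every pinned byte must match."""
    if len(code) != len(template):
        return False
    return all(t == wildcard or c == t for c, t in zip(code, template))
```

Running key_template(LISTING) gives "8x319xxx05SE", the same format the essay arrives at by hand, and check_regcode accepts '8K319ARN05SE' while rejecting the 14-character dummy code 'karnak19781205' at the length check.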

THE END
Well that's it guys, hope you learned something from this essay! Please drop me a line at karnak@techies.com if you need any help.

Thanks again to TORN@DO for maintaining the C4NProjects Site.

Happy Cracking!

Karnak.