Lord Soth
....
Wed Dec 9 17:22:30 1998


Well, I did find this part of the code, that wasn't my problem though.. Although it does help to clarify how the strings are compared.
After posting my earlier msg, I went ahead and gave it another whirl, using a string value of 8 numbers..
I created a DW value, and it was way off course.. :(
So with my new key, I went into the proggy.
I found out how it calculates its serial.
First it checks if the char is out of the alphabet area, by checking for 7a and 20...
If it's ok, it goes on and calculates as follows:

It divides by 2; the remainder is not important.
It adds 22h to it, and then the result is checked.
The first check is to see if it's a capital letter, by cmping it to 'A'; if so, it continues...
If not, it checks if it's in the normal letters area, by cmping its value with 'a'. If not, then it means it's in the middle, and then the program adds 6 to bring it into the normal letters area.
Then it checks if it's a num. If it is, then it continues; if not, it checks if it's in the capital letter area again (this is because the last digit is 39h and the first capital letter is 41h, and it can't have a char in between).
If not there, then it's between 39h and 41h, which is again not good, and thus the program adds 8 to bring it into the capital letter area.
All those checks are made to make sure that the serial digit is either a num, a letter, or a capital letter.
Then I found out that the 3 bytes in memory location 0064FC78 always hold the address of where the serial num is going to be put, without the newly added char.
Then of course comes the part of increasing the [ebp-10] pointer, to see if we got to the end of the name string.
And here I found another very interesting thing.
I dunno if u guys saw this or not, but lemme tell u...

After [ebp-10] is INCed, there's a check on it, and if we're not at the end of the string, all is well, we go back.
Then ECX is loaded with 3, and the current position we are in (i.e., ebp-10) is divided by 3..
If there's a remainder (in DX), then the program SKIPS a char, and goes directly to increasing the ebp-10 pointer again.
This goes on until the position we are checking divides by 3 without a remainder.
So if your name had 12 chars for example, only chars 0,3,6,9,12 will be used to make a serial number.. :))
Then it adds the end char from the weird string we found, and stores it again.

Now, all this happens BEFORE the dialogs are even up. It checks the serial, and if it's not good, it pops up the nag.
If you wanna crack the unlock mechanism, someone already showed that it's easy, by setting EAX to 1, or changing the Z flag.
See that before that test there's a call to make the serial num, so I was in the right place.. :)))

Well, now I figured this baby out :) hehe

The only thing I had to show u was about the position divided by 3; when I read all your posts I knew most if not all of you found exactly what I found just now :)

Great job guys, it's been fun..
Let's see what challenges The Sandman has for us!!

And once again, a BIG smile and thanks to all of u!

:)))

Lord Soth
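Added example (editor's note): the following Python is not from Lord Soth's post nor from the target program; it is a reconstruction of the serial routine as the post describes it, so you can see which serial a given name produces and check a name/serial pair the way the program's compare does. Assumptions, labelled in the code: the 20h..7ah range check rejects other characters (the post only says it "checks"); the two normalisation checks are read as "above 'Z', add 6" and "between '9' and 'A', add 8", which is the reading under which every output char is a digit or a letter as the post says; the position test keeps chars whose index divides by 3 without a remainder; and the "end char from the weird string" the post mentions is not on this page, so nothing is appended.

```python
"""Reconstruction of the serial routine described in the post (editor's example).

Per used name character:
    1. require 0x20 <= c <= 0x7a            (the "7a and 20" check)
    2. v = c // 2                           (remainder discarded)
    3. v = v + 0x22
    4. push v into [0-9A-Za-z] with the +6 / +8 fix-ups
Only name positions 0, 3, 6, ... are used (position mod 3 == 0).
"""


def transform_char(c: str) -> str:
    """Map one name character to one serial character.

    Assumption: a char outside 0x20..0x7a is rejected outright rather than
    skipped; the post says the program "checks" for that range but not what
    happens on failure.
    """
    code = ord(c)
    if code < 0x20 or code > 0x7A:
        raise ValueError(f"char {c!r} (0x{code:02x}) is outside 0x20..0x7a")

    # Steps 2 and 3: halve (quotient only) and add 22h.
    # With the input range above, v is always in 0x32..0x5f here.
    v = code // 2 + 0x22

    # Step 4 (assumed reading of the post's checks):
    #   - above 'Z' (0x5b..0x5f, the "middle" between 'Z' and 'a'): +6 -> 'a'..'e'
    #   - between '9' and 'A' (0x3a..0x40):                          +8 -> 'B'..'H'
    # Digits '2'..'9' and capitals 'A'..'Z' pass through unchanged.
    if v > ord("Z"):
        v += 6
    elif ord("9") < v < ord("A"):
        v += 8
    return chr(v)


def make_serial(name: str) -> str:
    """Build the serial from the name characters at positions 0, 3, 6, ...

    The post's "[ebp-10] divided by 3, skip on remainder" loop is modelled as
    an index filter. The terminating char from the post's "weird string" is
    not known from this page and is deliberately not appended.
    """
    return "".join(
        transform_char(ch) for i, ch in enumerate(name) if i % 3 == 0
    )


def check_serial(name: str, serial: str) -> bool:
    """The compare the program does before the nag: True if serial matches.

    An unusable name (char outside the allowed range) simply fails the check.
    """
    try:
        return make_serial(name) == serial
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names, not taken from the post.
    for sample in ("Lord Soth", "The Sandman", "abc"):
        print(f"{sample!r:16} -> {make_serial(sample)}")
```

Under these assumptions "Lord Soth" uses only 'L', 'd' and 'o' (positions 0, 3, 6) and yields HTY; every output char lands in 0-9, A-Z or a-e, which is the post's observation that the routine forces each serial digit to be a number or a letter.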