Pedro: my answers 4-6
Wed Dec 9 12:10:52 1998

I typed in my name as Pirate Copy and a serial number of 111222333. I then set a bpx getwindowtexta using Softice, pressed Enter, and this is where I broke after 2 p ret:

:00403D50 E85F4B0000     Call 004088B4
:00403D55 68FF000000     push 000000FF
:00403D5A 8B4DF0         mov ecx, dword ptr [ebp-10]
:00403D5D 68F8C74000     push 0040C7F8
:00403D62 81C1A0010000   add ecx, 000001A0

*************************************** Stuff deleted ************************************

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403DAE(C)
|
:00403DC9 E872FCFFFF     call 00403A40          ;This call is where the serial number
                                                ;is created

*****************************************************************************************

I did trace through this call and it also showed that the name you type in must be more than eight characters. The line below is where it checked.

:00403A6D 83F908         cmp ecx, 00000008      ;length of name must be more than 8

******************************************************************************************

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403DAE(C)
|
:00403DC9 E872FCFFFF     call 00403A40          ;This call is where the serial number
                                                ;is created
:00403DCE 85C0           test eax, eax          ;If eax is 0 then beggar off
:00403DD0 0F84A5000000   je 00403E7B            ;jump to bad boy
:00403DD6 8D45E8         lea eax, dword ptr [ebp-18]   ;serial here

HERE is the serial. If you do a d eax it will display the address where the serial is stored. In my case it was 7C0877, so I did a d 77087C (reversed) and it displayed my serial number, which was 8267-%JR2ZZ.

Actually I just redid this after a reboot and the serial was not complete at that address. It was displayed fully a little further down.

Hmmmm. The stuff below uses the registry to write your name and serial number into the 4D key.

* Reference To: ADVAPI32.RegCreateKeyExA, Ord:00C6h
|
:00403E05 FF158CE54000   Call dword ptr [0040E58C]
:00403E0B 8BF8           mov edi, eax
:00403E0D 85FF           test edi, edi
:00403E0F 752E           jne 00403E3F
:00403E11 6800020000     push 00000200

* Possible StringData Ref from Data Obj ->"4D"
|
:00403E16 A1F4C64000     mov eax, dword ptr [0040C6F4]
:00403E1B 68F8C64000     push 0040C6F8

Your name is pushed on the line above.

:00403E20 8B4DEC         mov ecx, dword ptr [ebp-14]

I don't know what this is. I guess it's tied up with the serial number somehow. Even when registered, it seems to compute the serial number from this info in the registry rather than just read in the serial number.

I also cracked the program by patching it. You will see that the call 4039c0 checks to see if you are registered, because if you aren't then the value that comes back in eax is 0, the test is equal, and it falls through and displays unregistered. Do a search on 4039C0 and see how many times it is called. When it is, it is always followed by a compare. Interesting stuff indeed.

:00401224 E897270000     call 004039C0
:00401229 85C0           test eax, eax
:0040122B 752B           jne 00401258

* Possible StringData Ref from Data Obj ->" - UNREGISTERED VERSION"
|
:0040122D 6860C04000     push 0040C060

What you can do is change the call so it will always come back with 1 instead of 0.

Change this:

:004039C0 83EC08         sub esp, 00000008
:004039C3 8B0DECC64000   mov ecx, dword ptr [0040C6EC]
:004039C9 8D442400       lea eax, dword ptr [esp]

To this:

:004039C0 B801000000     mov eax, 00000001
:004039C5 C3             ret
:004039C6 90             nop
:004039C7 90             nop
:004039C8 90             nop
:004039C9 8D442400       lea eax, dword ptr [esp]

Pedro