KeyGen Studio 2002

home *** CD-ROM | disk | FTP | other *** search

/ KeyGen Studio 2002 / KeyGen_Studio_2002.iso / Tutorials / Code Inside / Tut6.txt < prev next >

Wrap

Text File | 2001-09-21 | 29.7 KB | 508 lines

******************************************************************************************************************************************************************************************************************** Winzip V8.0 ******************************************************************************************************************************************************************************************************************** Author: Nico Mak Computing Protection: Name / Serial URL: http://www.winzip.com/getsite.cgi?winzip80.exe Tools: SoftICE 4.05 Hex-Editor ---> Intro... Hi, welcome to my next tutorial about Winzip :) I know that there are a million of Cracks, Patches, KeyGen's, Tutorials outthere about Winzip but i just want to make one my own :) Ok, first im just gonna "sniff the serial" and then i'll patch it in some different way :) I'm trying to tell it very detailed. Oh btw, Thanks "Borna Janes" for his tutorial about Winzip because he told that there were 2 ways Winzip is creating a Serial. I've never saw the second Serial Algo because i saw the first and that was enough :), anyway i'll explain the second also. ---> Let's Begin... *** Serial Sniffing Method *** Ok, start the program and you'll notice some kind of NAG saying that you must register the software, so click on "Enter Registration Code..." and you'll see a new window asking us for a Name and Serial i used this: Name: CoDe_InSiDe Serial: 1234567890 Ok, now get into SoftICE (CTRL+D) and type "bpx hmemcpy" , i almost always use this as it almost always breaks :) But you can also type "bpx GetDlgItemTextA" and press enter, then out of SoftICE (CTRL+D) and press "Ok" and SoftICE pops up. Now press (F11) or (F12) and we're in the Winzip code and you'll see this: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00407ED0(C) | :00407F5F BF78CD4800 mov edi, 0048CD78 <--- EDI holds the offset for our name :00407F64 6A29 push 00000029 <--- Maximum string length that'll be copied from our name :00407F66 57 push edi * Possible Reference to Dialog: DialogID_0C82, CONTROL_ID:0C80, "" | :00407F67 68800C0000 push 00000C80 :00407F6C 53 push ebx * Reference To: USER32.GetDlgItemTextA, Ord:0104h | :00407F6D FF1528744700 Call dword ptr [00477428] :00407F73 57 push edi <--- HERE WE LAND AFTER THE BREAK !!! :00407F74 E821790300 call 0043F89A <--- Checking routine 1 :00407F79 57 push edi :00407F7A E844790300 call 0043F8C3 <--- Checking routine 2 :00407F7F 59 pop ecx :00407F80 BEA4CD4800 mov esi, 0048CDA4 <--- ESI holds the offset for our "fake" serial :00407F85 59 pop ecx :00407F86 6A0B push 0000000B <--- Maximum string length that'll be copied from our "fake" serial :00407F88 56 push esi * Possible Reference to Dialog: DialogID_0C82, CONTROL_ID:0C81, "" | :00407F89 68810C0000 push 00000C81 :00407F8E 53 push ebx * Reference To: USER32.GetDlgItemTextA, Ord:0104h | :00407F8F FF1528744700 Call dword ptr [00477428] :00407F95 56 push esi :00407F96 E8FF780300 call 0043F89A <--- Checking routine 1 :00407F9B 56 push esi :00407F9C E822790300 call 0043F8C3 <--- Checking routine 2 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, so here it just takes the Name and Serial we entered and Checked it. Let's see what it checks, Checking Routine 1: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :0043F89A 55 push ebp :0043F89B 8BEC mov ebp, esp :0043F89D 56 push esi :0043F89E 8B7508 mov esi, dword ptr [ebp+08] <--- Offset for our Name in moved in ESI :0043F8A1 56 push esi :0043F8A2 E869820200 call 00467B10 <--- Here it gets the length of our Name :0043F8A7 803E00 cmp byte ptr [esi], 00 <--- Compare first Char with 00 (checks if we really entered something) :0043F8AA 59 pop ecx :0043F8AB 8D4430FF lea eax, dword ptr [eax+esi-01] <--- EAX now points to our last Char :0043F8AF 740F je 0043F8C0 <--- If first Char 00 jump to end, if not continue * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0043F8BE(U) | :0043F8B1 803820 cmp byte ptr [eax], 20 <--- Compare last char with 20 (space) :0043F8B4 750A jne 0043F8C0 <--- If not equal go to end, else continue :0043F8B6 3BC6 cmp eax, esi <--- Compare ESI (which holds the offset of the beginning of our Name) with EAX (which holds the offset of the end of our Name) :0043F8B8 7206 jb 0043F8C0 <--- Jump if EAX is lower, if not continue :0043F8BA 802000 and byte ptr [eax], 00 <--- Replace the 20 (space) with 00 :0043F8BD 48 dec eax <--- EAX -1 :0043F8BE EBF1 jmp 0043F8B1 <--- Repeat loop * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:0043F8AF(C), :0043F8B4(C), :0043F8B8(C) | :0043F8C0 5E pop esi :0043F8C1 5D pop ebp :0043F8C2 C3 ret -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, this is not so difficult what it actually does is: It checks if we really entered something and then it checks if the last Char is a space (20), if so replace it with 00 (nothing), then it checks the Char before the last Char if its a space (20) Replace it with 00 (nothing) and so on... If my Name would be: "CoDe_InSiDe " <--- 5 spaces, then it'll change to: "CoDe_InSiDe" <--- 0 spaces Ok, so let's see what the next check does, Checking Routine 2: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :0043F8C3 55 push ebp :0043F8C4 8BEC mov ebp, esp :0043F8C6 8B5508 mov edx, dword ptr [ebp+08] <--- Offset for our Name is moved in EDX :0043F8C9 803A20 cmp byte ptr [edx], 20 <--- Compare first Char with 20 (space) :0043F8CC 7517 jne 0043F8E5 <--- If not equal go to end, else continue :0043F8CE 8BCA mov ecx, edx <--- Move the offset for our Name in ECX * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0043F8D4(C) | :0043F8D0 41 inc ecx <--- ECX +1 :0043F8D1 803920 cmp byte ptr [ecx], 20 <--- Compare next Char with 20 (space) :0043F8D4 74FA je 0043F8D0 <--- If equal repeat this loop, else continue * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0043F8E0(U) | :0043F8D6 8A01 mov al, byte ptr [ecx] <--- Move one byte from ECX in AL :0043F8D8 84C0 test al, al <--- Test if AL is 00 :0043F8DA 7406 je 0043F8E2 <--- if so jump, else continue :0043F8DC 8802 mov byte ptr [edx], al <--- Move AL in EDX :0043F8DE 42 inc edx <--- EDX +1 :0043F8DF 41 inc ecx <--- ECX +1 :0043F8E0 EBF4 jmp 0043F8D6 <--- Repeat loop * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0043F8DA(C) | :0043F8E2 802200 and byte ptr [edx], 00 <--- Replace the byte in EDX with 00 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0043F8CC(C) | :0043F8E5 5D pop ebp :0043F8E6 C3 ret -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, so it actually does this: It checks if the first Char is a 20 (space) if so then it checks the next Char with 20 (space) and repeat this, then all these spaces will be replaced with our Name... look at the example: " CoDe_InSiDe" <--- 5 spaces, then it'll change to: "CoDe_InSiDe" <--- 0 spaces I think that Winzip doesn't like spaces :) ok, so these are the checking routines let's see what's after the second Checking Routine 2: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :00407FA1 803D78CD480000 cmp byte ptr [0048CD78], 00 <--- Checks again if we entered something as our Name :00407FA8 59 pop ecx :00407FA9 59 pop ecx :00407FAA 7459 je 00408005 <--- If equal jump to Bad Guy, else continue :00407FAC 803DA4CD480000 cmp byte ptr [0048CDA4], 00 <--- Checks again if we entered something as our Serial :00407FB3 7450 je 00408005 <--- If equal jump to Bad Guy, else continue :00407FB5 E81BFAFFFF call 004079D5 <--- STEP INTO THIS CALL !!! :00407FBA 85C0 test eax, eax <--- Test if EAX is 00 :00407FBC 7447 je 00408005 <--- If equal jump to Bad Guy, else continue -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, so here it checks again if we entered something now get into the CALL at offset 00407FB5. And you'll see this: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :004079D5 55 push ebp :004079D6 8BEC mov ebp, esp :004079D8 81EC08020000 sub esp, 00000208 :004079DE 53 push ebx :004079DF 56 push esi :004079E0 33F6 xor esi, esi :004079E2 803D78CD480000 cmp byte ptr [0048CD78], 00 <--- Checks again if we entered something, you can't check enough... :) :004079E9 57 push edi :004079EA 0F849A000000 je 00407A8A <--- If equal jump to the end and xors EAX so that we fail and get the Bad Guy message :004079F0 8D45EC lea eax, dword ptr [ebp-14] :004079F3 50 push eax * Possible StringData Ref from Data Obj ->"c" | :004079F4 6868E34700 push 0047E368 <--- This points to a weird set of Characters :004079F9 E8AE9DFFFF call 004017AC <--- In here it generates "MuradMeraly" from the weird set of Characters and puts it in Memory :004079FE 8D85F8FDFFFF lea eax, dword ptr [ebp+FFFFFDF8] :00407A04 BF78CD4800 mov edi, 0048CD78 <--- EDI now holds the offset for our Name :00407A09 50 push eax :00407A0A 57 push edi :00407A0B E89B020000 call 00407CAB <--- In here it puts our Name (without any spaces or weird Characters) in Memory :00407A10 8D85F8FDFFFF lea eax, dword ptr [ebp+FFFFFDF8] :00407A16 50 push eax :00407A17 8D45EC lea eax, dword ptr [ebp-14] :00407A1A 50 push eax :00407A1B E8B0180600 call 004692D0 <--- And here it Compares "MuradMeraly" with our Name :00407A20 83C418 add esp, 00000018 :00407A23 85C0 test eax, eax <--- Test if EAX is 00 :00407A25 6A01 push 00000001 <--- Push 00000001 into Stackdump :00407A27 5B pop ebx <--- Pop 00000001 in EBX :00407A28 7502 jne 00407A2C <--- if not we continue as a Good Guy if yes (Hi MuradMeraly) your dead meat :) :00407A2A 8BF3 mov esi, ebx <--- ESI now holds 00000001 (Bad thing) * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00407A28(C) | :00407A2C 8D45EC lea eax, dword ptr [ebp-14] :00407A2F 50 push eax :00407A30 6878E34700 push 0047E378 <--- This points to another weird set of Characters :00407A35 E8729DFFFF call 004017AC <--- In here it generates "bcom" from the weird set of Characters and puts it in Memory :00407A3A 8D45EC lea eax, dword ptr [ebp-14] :00407A3D 50 push eax :00407A3E 57 push edi :00407A3F E88C180600 call 004692D0 <--- And here it Compares "bcom" with our Name :00407A44 83C410 add esp, 00000010 :00407A47 85C0 test eax, eax <--- Test if EAX is 00 :00407A49 750C jne 00407A57 <--- if not we jump and continue as Good Guy, if yes (Hi bcom) your dead meat :) * Reference To: KERNEL32.GetTickCount, Ord:016Dh | :00407A4B FF15D8714700 Call dword ptr [004771D8] :00407A51 84C3 test bl, al :00407A53 7402 je 00407A57 :00407A55 8BF3 mov esi, ebx <--- ESI now holds 00000001 (Bad thing) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, so here in this piece of code it just Compares our Name with "MuradMeraly" and "bcom", if your one of them your screwed and we fail, if your not one of them we continue as Good Guy :) Let's see what's next: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :00407A57 6A14 push 00000014 :00407A59 8D45EC lea eax, dword ptr [ebp-14] :00407A5C 6A00 push 00000000 :00407A5E 50 push eax :00407A5F E8AC010600 call 00467C10 <--- Here it removes the Names in Memory :00407A64 68C8000000 push 000000C8 :00407A69 8D85F8FDFFFF lea eax, dword ptr [ebp+FFFFFDF8] :00407A6F 6A00 push 00000000 :00407A71 50 push eax :00407A72 E899010600 call 00467C10 <--- Here it removes the Names in Memory :00407A77 83C418 add esp, 00000018 :00407A7A 85F6 test esi, esi <--- test if ESI is 00 :00407A7C 7413 je 00407A91 <--- If equal we jump and continue as Good Guy, if not then it xors EAX and we fail :00407A7E E823080000 call 004082A6 <--- Here it moves 00 at the beginning of our Name and Serial and we fail :00407A83 8325DC9F480000 and dword ptr [00489FDC], 00000000 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004079EA(C) | :00407A8A 33C0 xor eax, eax <--- Xor EAX (Bad thing) :00407A8C E9B1000000 jmp 00407B42 <--- Jump to the end -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, here it cleans up the Memory by removing the Names and it Tests if ESI is 00. For us its 00 (Unless your MuradMeraly or bcom) so we jump and you'll see this: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00407A7C(C) | :00407A91 8D85C0FEFFFF lea eax, dword ptr [ebp+FFFFFEC0] :00407A97 50 push eax :00407A98 57 push edi :00407A99 E8A9000000 call 00407B47 <--- Serial Algo 1 :00407A9E BEA4CD4800 mov esi, 0048CDA4 <--- ESI now holds the offset for our "fake" Serial :00407AA3 8D85C0FEFFFF lea eax, dword ptr [ebp+FFFFFEC0] :00407AA9 56 push esi :00407AAA 50 push eax :00407AAB E820180600 call 004692D0 <--- And here it Compares our "fake" Serial with the "Real Serial 1" :00407AB0 83C410 add esp, 00000010 :00407AB3 F7D8 neg eax :00407AB5 1BC0 sbb eax, eax :00407AB7 40 inc eax :00407AB8 A3DC9F4800 mov dword ptr [00489FDC], eax :00407ABD 7568 jne 00407B27 <--- if not equal we jump and that means we entered the "Real Serial 1", if not continue to Serial Algo 2 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, so step into the CALL 00407B47 to get to the "Serial Algo 1". And now you'll see this: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :00407B47 55 push ebp :00407B48 8BEC mov ebp, esp :00407B4A 8B4D08 mov ecx, dword ptr [ebp+08] <--- Move offset to our Name in ECX :00407B4D 53 push ebx :00407B4E 56 push esi :00407B4F 57 push edi :00407B50 8A11 mov dl, byte ptr [ecx] <--- Move first Char in DL :00407B52 33DB xor ebx, ebx <--- XOR EBX which is now 00 :00407B54 33C0 xor eax, eax <--- XOR EAX which is now 00 :00407B56 8BF1 mov esi, ecx <--- Move the offset for our Name from ECX in ESI :00407B58 33FF xor edi, edi <--- XOR EDI which is now 00 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00407B6C(U) | :00407B5A 84D2 test dl, dl <--- Test if DL is 00 (Are we at the end of our Name ?) :00407B5C 7410 je 00407B6E <--- If so we jump to the next stuff, if not we continue to make the first part of our Serial :00407B5E 660FB6D2 movzx dx, dl <--- Move DL to DX :00407B62 0FAFD7 imul edx, edi <--- Multiply EDI with EDX (in the beginning EDI is 00) :00407B65 03DA add ebx, edx <--- Add EDX in EBX :00407B67 8A5601 mov dl, byte ptr [esi+01] <--- Move next Char in DL :00407B6A 47 inc edi <--- EDI +1 :00407B6B 46 inc esi <--- ESI +1 :00407B6C EBEC jmp 00407B5A <--- Repeat loop -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, so here we got the first part of "Real Serial 1". It takes the first Char and multiplies with EDI then adds to EBX and repeats this loop, for my Name it would be: "CoDe_InSiDe" Puts first Char in DL which is "C" (Hex = 43) and checks if its 00 if so we got our first part of the Serial, if not we continue with the Algo Then multiplies with EDI which is 00 at the beginning. Then adds EDX in EBX Result in EBX is now 00 Increase EDI with 1 Increase ESI with 1 Then puts second Char in DL which is "o" (Hex = 6F) Then multiplies with EDI which is now 01 Then adds EDX in EBX Result in EBX is now 6F Increase EDI with 1 Increase ESI with 1 And so on... The final result for my name is "00001386" Let's see the second and final part of our "Real Serial 1": -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00407B5C(C) | :00407B6E C70544C8480001000000 mov dword ptr [0048C844], 00000001 :00407B78 8BF1 mov esi, ecx <--- Move the offset for our Name in ESI :00407B7A 8A09 mov cl, byte ptr [ecx] <--- Move first Char in CL * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00407B97(U) | :00407B7C 84C9 test cl, cl <--- Test if CL is 00 (Are we at the end of our Name ?) :00407B7E 7419 je 00407B99 <--- If so we jump to the next stuff and we got the second part of our "Real Serial 1", if not we continue to make the Serial :00407B80 660FB6C9 movzx cx, cl <--- Move CL in CX :00407B84 6821100000 push 00001021 <--- Push 00001021 onto the Stackdump (Suspicious :) :00407B89 51 push ecx :00407B8A 50 push eax :00407B8B E829000000 call 00407BB9 <--- Check out this CALL !!! :00407B90 8A4E01 mov cl, byte ptr [esi+01] <--- Move second Char in CL :00407B93 83C40C add esp, 0000000C :00407B96 46 inc esi <--- ESI +1 :00407B97 EBE3 jmp 00407B7C <--- Repeat loop -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, i can't tell you so much about this now we need to see what happends in the CALL 00407BB9, so let's check it: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- :00407BB9 55 push ebp :00407BBA 8BEC mov ebp, esp :00407BBC 8B4508 mov eax, dword ptr [ebp+08] <--- The value that will become our second part of the "Real Serial 1" (in the beginning its 00) :00407BBF 56 push esi :00407BC0 33C9 xor ecx, ecx <--- XOR ECX which is now 00 :00407BC2 6A08 push 00000008 <--- Push 00000008 into the Stackdump :00407BC4 8A6D0C mov ch, byte ptr [ebp+0C] <--- Move our first Char in CH :00407BC7 5A pop edx <--- Pop 00000008 into EDX * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00407BDF(C) | :00407BC8 8BF0 mov esi, eax <--- Move EAX to ESI :00407BCA 33F1 xor esi, ecx <--- XOR ECX with ESI :00407BCC 66F7C60080 test si, 8000 <--- Test if SI is lower then 8000 :00407BD1 7407 je 00407BDA <--- If so we jump and skip three instructions, if not we continue :00407BD3 03C0 add eax, eax <--- ADD EAX to itself so it doubles :00407BD5 334510 xor eax, dword ptr [ebp+10] <--- XOR EAX with 00001021 (Remember this value was pushed before the CALL) :00407BD8 EB02 jmp 00407BDC <--- Jump and skip one instruction * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00407BD1(C) | :00407BDA D1E0 shl eax, 1 <--- Shift EAX to the left with 1 (The value doubles) * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00407BD8(U) | :00407BDC D1E1 shl ecx, 1 <--- Shift ECX to the left with 1 (The value doubles) :00407BDE 4A dec edx <--- EDX -1 :00407BDF 75E7 jne 00407BC8 <--- if EDX is 00 continue else we repeat the loop :00407BE1 5E pop esi :00407BE2 5D pop ebp :00407BE3 C3 ret -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, it goes through this process till it reaches the end of our name and we have the right Serial :) not yet completely so let's see what's next when we have reached the end of our Name: -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00407B7E(C) | :00407B99 83C063 add eax, 00000063 <--- ADD 00000063 to EAX (EAX holds our second part of the Serial) :00407B9C 0FB7CB movzx ecx, bx <--- Move BX to ECX (This was the first part of our Serial but will actually be used as the second part :) :00407B9F 0FB7C0 movzx eax, ax <--- Move AX to EAX (This was the second part of our Serial but will actually be used as the first part :) :00407BA2 51 push ecx :00407BA3 50 push eax * Possible StringData Ref from Data Obj ->"%04X%04X" | :00407BA4 688CE34700 push 0047E38C <--- This string will make the numbers we got as the Serial to Readable Characters :00407BA9 FF750C push [ebp+0C] :00407BAC E803FF0500 call 00467AB4 <--- In this CALL it will make the Serial Readable :00407BB1 83C410 add esp, 00000010 :00407BB4 5F pop edi :00407BB5 5E pop esi :00407BB6 5B pop ebx :00407BB7 5D pop ebp :00407BB8 C3 ret -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Ok, so now we know the "Real Serial 1" for my Name it was: Name: CoDe_InSiDe Serial: A5BA1386 So this was the first Serial we could get out of Winzip :), if you get over this "ret" we return and you'll see that it checks EAX with 00, now it won't jump because we haven't entered the correct Serial as our Serial :) so then it continues to the "Serial Algo 2". I'm not going to tell exactly how this goes because it almost goes the same as the first Serial. First of all the Algo makes the Characters from our Name "lowercase". Then it goes through the same process but only counts the LETTERS. So in my Name "CoDe_InSiDe" it would ignore the "_". And it makes the Serial 8 Characters and it uses the string "%04u%04u" to make the Serial readable. Then the result for the "Real Serial 2" for my Name would be: Name: CoDe_InSiDe Serial: 13652471 so this was the "Serial Sniffing method" i hope it wasn't too much maybe you understand it very good now, or your confused as hell :) Anyway i'll show you a different way of Patching now :) ---> Let's Begin... *** Patching *** Ok, i saw this in some tutorial from some guy (Sorry i don't know your name anymore :) about patching Winzip so that every Serial will work. It's a very simple approach. Fire up a Hex-Editor and open the file "Winzip32.exe". If you've read this whole tutorial then you know that i was talking about a string that generates the Serial to Readable Characters. Now find that string "%04X%04X" in your Hex-Editor and replace it with whatever you want, its that simple :) Just change it into this: %04X%04X ---> 12345678 Now if you enter your Name and this Serial (12345678) it will work but only this Serial unless you changed it into something else. If you look in your Hex-Editor to this string again, you'll notice another string below of it. "%04u%04u" this one is used for the "Serial Algo 2", so you can change this as well but its not necessary :) I think i'm gonna quit now pretty long tutorial. ---> Outro... Thank You for reading this tutorial and i hope you learned something from it :) I hope you haven't fall asleep, hehe Anyway Thanks again for reading this tutorial and i hope to see you in the next tutorial ;) ---> Greetings Everybody at TrickSoft (www.TrickSoft.net) Everybody at #Cracking4Newbies (www.Cracking4Newbies.com) Borna Janes (for the other Solution :) Some guy (for the Patch Method, sorry that i forgot your Name :) And You... Don't trust the outside, trust the InSiDe !!! Cya... CoDe_InSiDe Email: code.inside@home.nl