PROG:  InfoSpy v2.61
TYPE:  16-bit
PROT:  Name/Reg
CHECK: 240F:06EC JZ
HEX:

1. Let's find the protection
   a. BPX GetDlgItemText       ; set our breakpoint in SoftICE
   b. Run InfoSpy              ; and enter some registration info
      1) Help, Use Registration Key
      2) enter your first name, last name, and any reg number
      3) click OK
   c. ICE pops
      1) F11                   ; step out of the function
      2) F10, F10, F10, ...    ; walk thru the code
   d. Gets first string, runs thru loop to calculate reg code
   e. Gets second string, runs thru loop to calculate reg code
   f. After stepping thru the loops I found the final compare at 240F:06EC
      (your memory segment may be different; it's the JZ 06F1)
   g. Keep stepping thru and it'll beep and display "invalid reg code"
2. Since we now know the final compare (JZ) is at 240F:06EC
   a. BC 0                     ; clear the original breakpoint
   b. BPX 240F:06EC            ; set a new breakpoint before the compare
   c. Run InfoSpy, enter your first name, last name, and any reg number, OK
   d. ICE pops
   e. R FL Z                   ; toggle the zero flag
   f. F10, F10, F10, ...       ; continue running
   g. Or just Ctrl-D a few times to get back to the program
3. Thank you for registering!
4. Key is written to \windir\infospy.ini:
   [InfoSpy]
   RegStat=DLBGJ4320
5. Happy cracking!


PROG:  Win-eXpose Registry v1.0
TYPE:  32-bit
PROT:  Name/Reg
CHECK: 0137:004024F9 JZ
HEX:   0F84CF, replace with E9D000

1. Use the same approach as InfoSpy...
2. Final compare is at 0137:004024F9
3. BPX 0137:004024F9
4. R FL Z                      ; toggle the zero flag
5. Thank you for registering!
6. Stepping thru the program, found the real password:
   First, Last name: dr
   Company name:     LAN
   Address line #1:  1
   Address line #2:  1
   Serial Number:    1
   Password:         f422c070


PROG:  Win-eXpose I/O v2.0
TYPE:  32-bit
PROT:  Name/Reg
CHECK: 0137:004061D9 JZ
HEX:   0F84CF, replace with E9D000

1. Use the same approach as Win-eXpose Registry...
2. Final compare is at 0137:004061D9
3. BPX 0137:004061D9
4. R FL Z                      ; toggle the zero flag
5. Thank you for registering!
6. Stepping thru the program, found the real password:
   First, Last name: dr
   Company name:     LAN
   Address line #1:  1
   Address line #2:  1
   Serial Number:    1
   Password:         f422c070


PROG:  StartClean v1.2
TYPE:  32-bit
PROT:  Name/Reg
CHECK: BPX lstrcmpA
HEX:

From Qapla's Cracking Tutorial...

BPX lstrcmpA                   ; in sICE
Enter a name and a bogus registration number and click OK. I entered drLAN, 12345.

. . .
PUSH EAX                       ; push your code on the stack
PUSH 406030                    ; push the right code on the stack
CALL [KERNEL32!lstrcmp]        ; compare them
TEST EAX,EAX                   ; test the result of the string compare and set the zero flag
JNZ 00401271                   ; 1 = bad boy, not reg'd; 0 = good boy, reg'd
. . .

d 406030                       ; here's the right code: 972-8766-1717-341


PROG:  WizCat Pro v4.2
TYPE:
PROT:  Name/Reg
CHECK: 2F97:CED9 JZ
HEX:

2F97:CED9  3C01    CMP AL,01    ; holy flag
2F97:CEDB  7403    JZ CEE0      ; 0=good guy; reg'd
2F97:CEDD  E9DD00  JMP CDBD     ; <>0=bad guy; beggar off

A good, clean crack would be:

   MOV AL,01
   JMP CEE0

However, the program does some internal checking and won't run if modified. So all we can do is find the correct reg code and then use it.

I entered drLAN, 006969. Then I searched for my reg code and set BPRs on the ranges:

   s 0 l ffffffff '006969'     ; should find the entered code in memory
   BPR ssss:oooo SSSS:OOOO RW

where ssss:oooo is the segment:offset of the starting address where the string resides, and SSSS:OOOO is the ending address (last byte of the string).

I eventually found my reg code somewhere that BX pointed to. It showed up as one big ugly number, and then a little earlier in memory in the correct format: 42041-7420. So to register, use:

   drLAN
   42041-7420
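The two Win-eXpose patches (0F84CF replaced with E9D000) and the short JZ at 2F97:CEDB in WizCat are instances of one edit: turning a conditional JZ into an unconditional JMP to the same target. The C program below is an added example, not code from the original tutorial or from any of the programs it covers. It rewrites the bytes and checks that the branch target survives, which is the detail the HEX line hides: a near JZ (0F 84 rel32) is six bytes and a near JMP (E9 rel32) is five, and because x86 relative branches are measured from the end of the instruction the displacement has to grow by one (CF becomes D0) and the freed sixth byte is filled with a NOP. The page shows only the first three bytes of each patch, so the program assumes the remaining displacement bytes are zero (0F 84 CF 00 00 00), and it assumes a 32-bit operand size for the near forms; in 16-bit code like WizCat's, E9 takes a two-byte displacement and is not handled here. The sample bytes and addresses are constructed from the entries above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decode the target of a JZ or JMP at buf (short form, or near form with a
   32-bit displacement), where insn_addr is the offset of its first byte.
   Sets *len to the instruction length, or 0 if the opcode is not recognized.
   Relative branches are taken from the END of the instruction, which is why
   the encoded displacement must change when the instruction gets shorter. */
uint32_t branch_target(uint32_t insn_addr, const uint8_t *buf, size_t avail, size_t *len)
{
    *len = 0;
    if (avail >= 2 && (buf[0] == 0x74 || buf[0] == 0xEB)) {   /* JZ rel8 / JMP rel8 */
        *len = 2;
        return insn_addr + 2 + (int8_t)buf[1];
    }
    if (avail >= 5 && buf[0] == 0xE9) {                       /* JMP rel32 (32-bit code) */
        uint32_t rel = (uint32_t)buf[1] | (uint32_t)buf[2] << 8 |
                       (uint32_t)buf[3] << 16 | (uint32_t)buf[4] << 24;
        *len = 5;
        return insn_addr + 5 + rel;
    }
    if (avail >= 6 && buf[0] == 0x0F && buf[1] == 0x84) {     /* JZ rel32 (32-bit code) */
        uint32_t rel = (uint32_t)buf[2] | (uint32_t)buf[3] << 8 |
                       (uint32_t)buf[4] << 16 | (uint32_t)buf[5] << 24;
        *len = 6;
        return insn_addr + 6 + rel;
    }
    return 0;
}

/* Turn the JZ at buf into a JMP to the same target. Returns the number of
   bytes rewritten, or 0 if buf does not start with a JZ. */
size_t patch_jz_to_jmp(uint8_t *buf, size_t avail)
{
    if (avail >= 2 && buf[0] == 0x74) {        /* 74 rel8 -> EB rel8: same length, same disp */
        buf[0] = 0xEB;
        return 2;
    }
    if (avail >= 6 && buf[0] == 0x0F && buf[1] == 0x84) {
        /* 0F 84 rel32 (6 bytes) -> E9 rel32 (5 bytes) + NOP. The target is
           relative to the end of the instruction, so the displacement grows
           by one to make up for the lost byte (CF -> D0 in the Win-eXpose
           entries). The sixth byte is never executed, since it follows an
           unconditional jump, but a NOP keeps the disassembly clean. */
        uint32_t rel = (uint32_t)buf[2] | (uint32_t)buf[3] << 8 |
                       (uint32_t)buf[4] << 16 | (uint32_t)buf[5] << 24;
        rel += 1;
        buf[0] = 0xE9;
        buf[1] = (uint8_t)rel;
        buf[2] = (uint8_t)(rel >> 8);
        buf[3] = (uint8_t)(rel >> 16);
        buf[4] = (uint8_t)(rel >> 24);
        buf[5] = 0x90;
        return 6;
    }
    return 0;
}

/* Patch in place and report 1 only if the JZ was recognized and the
   branch target is unchanged afterwards. */
int patch_and_verify(uint32_t insn_addr, uint8_t *buf, size_t avail)
{
    size_t len_before, len_after;
    uint32_t before = branch_target(insn_addr, buf, avail, &len_before);
    if (len_before == 0 || patch_jz_to_jmp(buf, avail) == 0)
        return 0;
    uint32_t after = branch_target(insn_addr, buf, avail, &len_after);
    return len_after != 0 && before == after;
}

int main(void)
{
    /* Constructed from the Win-eXpose Registry entry; the page shows 0F84CF,
       the three zero bytes that complete the displacement are an assumption. */
    uint8_t near_jz[6] = {0x0F, 0x84, 0xCF, 0x00, 0x00, 0x00};
    /* Constructed from the WizCat entry: 7403 JZ CEE0 at offset CEDB. */
    uint8_t short_jz[2] = {0x74, 0x03};
    size_t i, len;

    printf("Win-eXpose: target %08X, ", (unsigned)branch_target(0x004024F9, near_jz, 6, &len));
    printf("patch ok=%d, bytes:", patch_and_verify(0x004024F9, near_jz, 6));
    for (i = 0; i < 6; i++) printf(" %02X", near_jz[i]);
    printf("\n");

    printf("WizCat: target %04X, ", (unsigned)branch_target(0xCEDB, short_jz, 2, &len));
    printf("patch ok=%d, bytes: %02X %02X\n", patch_and_verify(0xCEDB, short_jz, 2),
           short_jz[0], short_jz[1]);
    return 0;
}
```

Run it and the Win-eXpose buffer comes out as E9 D0 00 00 00 90 with the target still 004025CE, matching the E9D000 on the HEX line. The WizCat entry is also the reminder that this only helps when the file is not checksummed: a program that verifies its own bytes, as WizCat does, will notice the rewritten JZ, which is why that entry recovers the real code in memory instead of patching.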