There is a crack, a crack in everything. That's how the light gets in. |
|
|
|
Ok, after monica has loaded, go to the Help menu and select About. Once again it says unregistered and has an option to go to the next box; hit "Next". Now it gives us an option to register monica via a Name/Serial combo. Enter some bogus data; I used:
Name: Pirate Copy
Serial: 123987
Hmm, nothing happens. It must check your serial after each letter is entered, but I also found that if I entered 12 or more characters for my serial the Register button would become available. Enter 12 or more numbers as your serial (I used 123456789012) and then hit the Register button. Remember the error msg we get, and close monica.
Now fire up W32Dasm and load monica.exe into it... waiting, waiting, DONE! Remember the first rule of disassembly? Always search for your error msg first. Go to Refs and select String Data References; in the next box search for your error msg and double click on it. I can tell you right now there is only one reference to it, so close your SDR box and you should be looking at this section of code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045598F(C)
|
:00455A01 E886F7FFFF     call 0045518C                      <- This call returns eax=ffffffff or eax=-1
:00455A06 40             inc eax                            <- eax=0
:00455A07 7524           jne 00455A2D                       <- This will jump if eax does not = 0
:00455A09 A144584900     mov eax, dword ptr [00495844]
:00455A0E 8B90E4020000   mov edx, dword ptr [eax+000002E4]
:00455A14 A144584900     mov eax, dword ptr [00495844]
:00455A19 E812E5FDFF     call 00433F30

* Possible StringData Ref from Code Obj ->"Sorry, You typed an incorrect "
                                       ->"license key, please try again."
:00455A1E B8505B4500     mov eax, 00455B50                  <- Move bad cracker message to eax
:00455A23 E8DCECFFFF     call 00454704                      <- Call the "BAD" messagebox
:00455A28 E9EB000000     jmp 00455B18                       <- Jump away and skip the "GOOD" code below
As you can see from the above code, if that call at 00455a01 returns ffffffff (-1) then we are doomed. So our goal is to get that call to return anything other than -1. Now it's time to fire up SoftICE: enter SoftICE and set a breakpoint on hmemcpy, disable it and leave sice. Enter your bogus data into monica, go back into sice and enable the breakpoint, return to monica and hit Register, and BOOM, straight back to sice.
Now you want to be able to trace into that call and see what's going on, so disable the bpx and hit F12 seven times to get back to monica's code. Then set a breakpoint on the call at address 00455a01. Press F5 and straight away we are at that crucial call; hit F8 to step inside the call and trace down to this section of code:
.......
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045521D(C)
|
:004551C7 8D4DE4         lea ecx, dword ptr [ebp-1C]
:004551CA 33D2           xor edx, edx
:004551CC 8B45FC         mov eax, dword ptr [ebp-04]        <- Move your name into eax
:004551CF E894FEFFFF     call 00455068                      <- Calculate the serial for the name provided
:004551D4 8B45E4         mov eax, dword ptr [ebp-1C]        <- Move something into eax :)
:004551D7 8B55F8         mov edx, dword ptr [ebp-08]        <- Move your fake serial into edx
:004551DA E875ECFAFF     call 00403E54                      <- Compare the two serials....
:004551DF 7508           jne 004551E9                       <- Jump if not correct
:004551E1 8B45F0         mov eax, dword ptr [ebp-10]
:004551E4 8945F4         mov dword ptr [ebp-0C], eax
:004551E7 EB36           jmp 0045521F
.......
Well, as you can probably see, if you did a "d eax" at 004551d4 you would get the correct serial. But what I found very strange is the fact that monica doesn't jump to the bad cracker code if you enter a wrong serial. The program will continue on and calculate another 12 serials for your name: every name has 13 correct serials. The serials, however, do not change anything; they are all valid and none of them get any special/extra features, like extra licences etc. But of course if your serial doesn't match any of those 13 then, well, I bet you can guess...
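To make the two listings above concrete, here is an added C model (not monica's code, and not from the original page) of the control flow they show: a check routine that tries each of the 13 serials for a name and returns -1 when none match, and a caller that tests that -1 with the inc/jne idiom. The serial derivation is a constructed placeholder, since the real routine at 00455068 is not on the page.

```c
#include <stdio.h>
#include <string.h>

#define SERIAL_COUNT 13   /* the text says every name has 13 valid serials */
#define SERIAL_LEN   12   /* 12+ characters enable the Register button */

/* Stand-in for the routine at 00455068 that turns a name into serial number k.
   monica's real derivation is not on the page; this djb2-style mix is a
   constructed placeholder so the control flow can be exercised. */
static void derive_serial(const char *name, int k, char out[SERIAL_LEN + 1]) {
    unsigned long long h = 5381ULL + (unsigned long long)k * 7919ULL;
    for (const char *p = name; *p; p++)
        h = h * 33ULL + (unsigned char)*p;
    snprintf(out, SERIAL_LEN + 1, "%012llu", h % 1000000000000ULL);
}

/* Models the call at 0045518C: try all 13 serials for the name and return the
   index of the one that matched, or -1 (eax = ffffffff) if none did. This is
   the loop the text describes as "calculate another 12 serials". */
int check_license(const char *name, const char *serial) {
    char candidate[SERIAL_LEN + 1];
    for (int k = 0; k < SERIAL_COUNT; k++) {
        derive_serial(name, k, candidate);
        if (strcmp(candidate, serial) == 0)   /* the compare at 00403E54 */
            return k;
    }
    return -1;
}

/* Models the caller at 00455A01..00455A2D. "inc eax; jne" is how the compiler
   tests for -1: adding one to -1 gives zero, so the jump is taken for any
   other value. Returns 1 for the "GOOD" path, 0 for the "BAD" message box. */
int on_register(const char *name, const char *serial) {
    int eax = check_license(name, serial);   /* call 0045518C */
    eax += 1;                                /* inc eax */
    if (eax != 0)                            /* jne 00455A2D */
        return 1;                            /* the "GOOD" code */
    return 0;   /* "Sorry, You typed an incorrect license key" */
}

int main(void) {
    char serial[SERIAL_LEN + 1];
    derive_serial("Pirate Copy", 0, serial);
    printf("serial %s -> check_license = %d\n", serial,
           check_license("Pirate Copy", serial));
    printf("bogus 123456789012 -> on_register = %d\n",
           on_register("Pirate Copy", "123456789012"));
    return 0;
}
```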
Greets and Thanks to: The Sandman :), Warezpup, Hojo, Bubblegun, DeionXxX, Flu[X], Highlander, Sortof, everyone at ECG & TRPS and anyone else I forgot!!
You can contact me via E-mail or on EFnet at #ecg or #trps or via ICQ: 14941229
Ripping off software through serials and cracks is for lamers..
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.