--------------------------------------------------+
This information is for educational purposes only!|
--------------------------------------------------+

mIRC V5.4 for Win95/98
Cracked By Hambo.H
Written By Hambo.H 
Date: Jun 28 1998

Select "Help"->"Register.." and enter any name and Registration Code you like.
Name: Hambo.H
Registration Code: 12345-67890
I will explain later why I entered this registration code.
You can enter a different one, but the REG Code must include the "-" character.

Press "CTRL-D" to return to SOFTICE.
Set BPX MESSAGEBOXA
Return to the program.
Press the "Register!" button.
It will return to SOFTICE. Press "F12" once.

0177:0043D335  PUSH    10
0177:0043D337  PUSH    004C5298
0177:0043D33C  PUSH    004C5202
0177:0043D341  MOV     EAX,[EBP+08]
0177:0043D344  PUSH    EAX
0177:0043D345  CALL    USER32!MessageBoxA
0177:0043D34A  PUSH    00000083			<== return here
0177:0043D34F  MOV     EAX,[EBP+08]

Use "Page Up" to scroll back.
You will see the following code.

0177:0043D255  PUSH    004D1B58			<== REG Code you entered.
0177:0043D25A  PUSH    004D189C			<== Your Name
0177:0043D25F  CALL    0048EA40			<== Checks your REG Code.
0177:0043D264  ADD     ESP,08
0177:0043D267  TEST    EAX,EAX
0177:0043D269  JZ      0043D300			<== Jump to show register fail message.
0177:0043D26F  PUSH    004C81B8
0177:0043D274  PUSH    004C5196

Let's step into CALL 0048EA40 to see how the real REG Code is calculated.

0177:0048EA4C  PUSH    EBX			<== EBX = 004D189C    Your Name
0177:0048EA4D  CALL    004B3734			<== Calculate your name's length
0177:0048EA52  POP     ECX
0177:0048EA53  CMP     EAX,05
0177:0048EA56  JAE     0048EA5C			<== If length >= 5 then go on.
0177:0048EA58  XOR     EAX,EAX
0177:0048EA5A  JMP     0048EAD3
0177:0048EA5C  PUSH    ESI
0177:0048EA5D  PUSH    EBX
0177:0048EA5E  CALL    0048E960			<== Calculate and CMP REG Code & Name.
0177:0048EA63  ADD     ESP,08
0177:0048EA66  TEST    EAX,EAX
0177:0048EA68  JZ      0048EA71			<== If OK then set EAX = 1, Register Succeed.
0177:0048EA6A  MOV     EAX,00000001
0177:0048EA6F  JMP     0048EAD3			<== Jump to Return CALL.
0177:0048EA71  PUSH    ESI

Let's step into CALL 0048E960. It is easy to see how the Name is used to work out a code.

0177:0048E96C  PUSH    2D			<== Char "-" value
0177:0048E96E  PUSH    ESI			<== ESI = 004D1B58    REG Code you entered
0177:0048E96F  CALL    004B36E0			<== Find where "-" is in the REG Code you entered; it separates the code into two parts.
0177:0048E974  ADD     ESP,08
0177:0048E977  MOV     EBX,EAX
0177:0048E979  TEST    EBX,EBX
0177:0048E97B  JNZ     0048E984			<== If "-" is not found, it falls through and jumps to the return of the CALL, Register Fail
0177:0048E97D  XOR     EAX,EAX
0177:0048E97F  JMP     0048EA36
0177:0048E984  MOV     BYTE PTR [EBX],00
0177:0048E987  PUSH    ESI
0177:0048E988  CALL    004B8AD0			<== Calculate a value from the first part of the code, returned in EAX.
0177:0048E98D  POP     ECX
0177:0048E98E  MOV     [EBP-04],EAX		<== store EAX in [EBP-04]
0177:0048E991  MOV     BYTE PTR [EBX],2D
0177:0048E994  INC     EBX
0177:0048E995  CMP     BYTE PTR [EBX],00
0177:0048E998  JNZ     0048E9A1
0177:0048E99A  XOR     EAX,EAX
0177:0048E99C  JMP     0048EA36
0177:0048E9A1  PUSH    EBX
0177:0048E9A2  CALL    004B8AD0			<== Calculate a value from the second part of the code, returned in EAX.
0177:0048E9A7  POP     ECX
0177:0048E9A8  MOV     [EBP-08],EAX		<== store EAX in [EBP-08]
0177:0048E9AB  MOV     EAX,[EBP+08]
0177:0048E9AE  PUSH    EAX
0177:0048E9AF  CALL    004B3734			<== Calculate your name's length
.........
The code that follows calculates two values from your name and CMPs them with [EBP-04] & [EBP-08].
If they match, it shows Register Succeed.

So I don't list that code.
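
The listed part of CALL 0048E960, read back as C. This is an added example, not code from the original text or from mIRC; it assumes 004B36E0 behaves like strchr() and 004B8AD0 like a decimal string-to-integer conversion, and split_reg_code with its parameters is a hypothetical name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical C rendering of the listed part of CALL 0048E960.
 * Assumptions: 004B36E0 acts like strchr(), 004B8AD0 like a decimal
 * string-to-integer conversion. Returns 1 and fills *part1 / *part2
 * (the values kept in [EBP-04] and [EBP-08]), or 0 on the two
 * early-exit paths (XOR EAX,EAX / JMP 0048EA36). */
int split_reg_code(char *code, long *part1, long *part2)
{
    char *dash = strchr(code, 0x2D);   /* PUSH 2D / CALL 004B36E0 */
    if (dash == NULL)                  /* TEST EBX,EBX: no "-" found */
        return 0;

    *dash = '\0';                      /* MOV BYTE PTR [EBX],00 */
    *part1 = strtol(code, NULL, 10);   /* first CALL 004B8AD0 */
    *dash = '-';                       /* MOV BYTE PTR [EBX],2D restores the buffer */

    dash++;                            /* INC EBX */
    if (*dash == '\0')                 /* CMP BYTE PTR [EBX],00: nothing after "-" */
        return 0;

    *part2 = strtol(dash, NULL, 10);   /* second CALL 004B8AD0 */
    return 1;
}

int main(void)
{
    /* Constructed sample inputs; the first is the code entered in the text. */
    char samples[][16] = { "12345-67890", "1234567890", "12345-" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long a = 0, b = 0;
        if (split_reg_code(samples[i], &a, &b))
            printf("%-12s -> [EBP-04]=%ld [EBP-08]=%ld\n", samples[i], a, b);
        else
            printf("%-12s -> rejected before the name comparison\n", samples[i]);
    }
    return 0;
}
```

The buffer is modified in place and restored, which is why the entered code still reads "12345-67890" after the call.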

OK, let's go on. Next, let's look at CALL 004B8AD0, which calculates a value from the second part of the code.
But I don't list the code. I use C to show it.

for (i=0;il1) j=0;
}
nz1=ebx;

ebx=0; j=0;
for (i=3;il1) j=0;
}
nz2=ebx;

After calculating the two values, you can use the following to calculate the real REG Code.

ebx = nz1; i=0;    // or ebx = nz2; i=0;
while (ebx>0)
{
 ecx = ebx/10;
 ys = ebx-ecx*10;
 ebx = ecx;
 sn[i]=ys+0x30;
 i++;
}