This information is for educational purposes only!


Notpad v2.66
A Cracking Tutorial 


This reading material is not intended to violate copyrights 
and/or the law, but is for educational purposes only. I hold no 
responsibility ( by any means and in any shape whatsoever ) 
for the misuse of this material.
Read the END NOTES section at the end of this file.


Notpad v2.66, an improved text editor for Windows 95 and NT for
anyone annoyed by the limitations of Notepad. It started out as 
an introduction for a friend of mine to MFC programming and 
has ballooned into a fully featured text editor. 
It's not Notepad--it's Notpad. This 32-bit Windows text editor 
is a great alternative to Microsoft's Notepad. It opens large 
text files and offers tool and status bars, font customization, 
search-and-replace, and case conversion. With one command it 
can open all system files in multiple windows (like Windows' 
own Sysedit), and it has MAPI support. Notpad has an optional 
text-to-speech mode--directions are furnished on how to 
download the additional file you'll need to activate that feature. 
Notpad is a nice improvement over Notepad, but you'll want to 
decide quickly if you want to register it because this trial 
version pops up a nag screen every few minutes. Online help 
is not included. 

o Standard MFC options including dockable toolbar, tooltips, 
  status bar, print preview and MAPI (mail) support. 

o Files of unlimited file size can be edited. 

o Font attributes used to display and print can be changed. 

o Full screen mode, where the editing area is displayed full 
  screen (similar to the option in Microsoft Word). 

o Supports Text to Speech, so the program will speak the file 
  back to you! 

o Together with the full screen option, text to speech support 
  and sizeable font, the program can be used by people with 
  computer accessibility problems. 

o Option to minimize to the tray notification area where the sound 
  volume and the time are normally displayed. This allows you 
  to save some task bar screen real estate when you have multiple 
  copies of Notpad running. 

o .... and more 


Author   	: PJ Naughter
Copyright	: PJ Naughter
Homepage 	: http://www.naughter.com/notpad.html
URL		: http://www.naughter.com/download/notpad.zip
Add-on	: http://www.naughter.com/download/spellc.zip
Size 		: 238 KB  as of December 20, 2000
Rel Date	: July 15, 1999


I had no choice but to fill in all the figures in my tracing 
steps, because the memory addresses changed every time I quit 
SoftIce while writing this tute.
Addresses may differ on your PC, but the byte code will not.
There's no time to explain at which address you should dump
the register(s) to see the username and fake code; just take
my brief keystroke commands at the end of the code listings.
You are free to dump any changes in the register window
wherever you stop, as long as it is within the code snippets
given below.  

1.  Run NOTPAD.EXE. When the nag pops up, click on the ENTER REG 
    INFO button - in the registration dialog box type the 
    information below :

	Name	: Pirates Order
	Code   : 73881050

    Do not click the OK button yet.

    ( note : Sometimes that nag does not appear. In the main
    program's window click the HELP/ABOUT submenu.  Now, drag /
    bring your mouse cursor onto the main program's icon at
    the top left side of the program's ID (About) box.
    Hold SHIFT+CTRL together and double-click the left mouse
    button - the registration dialog box will appear ) 

2.  Load SoftIce by pressing [ CTRL + D ] and set a breakpoint as 
    follows :

	BPX GetWindowTextA     [enter]   and
   	F5  to return to the main program

3.  Now, click the OK button... you'll drop back into SoftIce!
    Press F11, F5 and F11 once again until you see and break at :

	015F:5F4141A3  FF1588B5495F   CALL   [USER32!GetWindowTextA]
	015F:5F4141A9  8D4518         LEA    EAX,[EBP+18] <== HERE
	015F:5F4141AC  50             PUSH   EAX
	015F:5F4141AD  8D45E0         LEA    EAX,[EBP-20]
	015F:5F4141B0  FF7510         PUSH   DWORD PTR [EBP+10]
	015F:5F4141B3  50             PUSH   EAX
	015F:5F4141B4  E803010000     CALL   5F4142BC
	015F:5F4141B9  85C0           TEST   EAX,EAX
	015F:5F4141BB  0F84B1210500   JZ     5F466372
	015F:5F4141C1  5F             POP    EDI
	015F:5F4141C2  5E             POP    ESI
	015F:5F4141C3  C9             LEAVE
	015F:5F4141C4  C3             RET ===============> F10 here

	________________________ MFC42!.text+000131A3 _________________

	Press F10 4 times - stop at 015F:5F4141B3 - dump the EAX register :
	: d eax  ===> your fake code at virtual address 0167:0074EEEC

	Press F10 again and step past the RET instruction at 015F:5F4141C4
	until you reach :

	015F:5F466480  E8FBDCFAFF   CALL      5F414180   <== drop here
	015F:5F466485  83C414       ADD       ESP,14 
	015F:5F466488  5D           POP       EBP 
	015F:5F466489  C20C00       RET       000C  ==> F10 here

	Here is where you'll land after the RET instruction :

	015F:00618511  E8FA190000   CALL      00619F10  <== drop here
	015F:00618516  5F           POP       EDI
	015F:00618517  5E           POP       ESI
	015F:00618518  C20400       RET       0004  ==> F10 here

	Here is where you'll land after the RET instruction :

	015F:5F40A8B8  FF908C000000        CALL  [EAX+0000008C] <== drop here
	015F:5F40A8BE  C7450801000000      MOV   DWORD PTR [EBP+08],00000001
	015F:5F40A8C5  8B45E8              MOV   EAX,[EBP-18]
	015F:5F40A8C8  8B4DF4              MOV   ECX,[EBP-0C]
	015F:5F40A8CB  8987B8000000        MOV   [EDI+000000B8],EAX
	015F:5F40A8D1  8B4508              MOV   EAX,[EBP+08]
	015F:5F40A8D4  5F                  POP   EDI
	015F:5F40A8D5  5E                  POP   ESI
	015F:5F40A8D6  64890D00000000      MOV   FS:[00000000],ECX
	015F:5F40A8DD  5B                  POP   EBX
	015F:5F40A8DE  C9                  LEAVE 
	015F:5F40A8DF  C20400              RET   0004  ==> F10 here

	Here is where you'll land after the RET instruction :

	015F:00618535  E804190000   CALL      00619E3E  <== drop here
	015F:0061853A  85C0         TEST      EAX,EAX
	015F:0061853C  744C         JZ        0061858A
	015F:0061853E  57           PUSH      EDI
	015F:0061853F  E83C1FFFFF   CALL      0060A480
	015F:00618544  8BF8         MOV       EDI,EAX
	015F:00618546  8B4664       MOV       EAX,[ESI+64]
	015F:00618549  8D4E60       LEA       ECX,[ESI+60]
	015F:0061854C  50           PUSH      EAX
	015F:0061854D  51           PUSH      ECX 
	015F:0061854E  8BCF         MOV       ECX,EDI
	015F:00618550  E83B2EFFFF   CALL      0060B390
	015F:00618555  8BCF         MOV       ECX,EDI
	015F:00618557  E8D42CFFFF   CALL      0060B230 ==> F8 here                         
	015F:0061855C  85C0         TEST      EAX,EAX 

	Here you are after stepping (F8) into the CALL :

	015F:0060B22F  90              NOP                    return
	015F:0060B230  64A100000000    MOV    EAX,FS:[0000] <== CALL
	015F:0060B236  6AFF            PUSH   FF                                 
	015F:0060B238  6818BD6100      PUSH   0061BD18                           
	015F:0060B23D  50              PUSH   EAX                                
	015F:0060B23E  64892500000000  MOV    FS:[00000000],ESP                  
	015F:0060B245  83EC18          SUB    ESP,18                             
	015F:0060B248  53              PUSH   EBX                                
	015F:0060B249  56              PUSH   ESI                                
	015F:0060B24A  8BF1            MOV    ESI,ECX                            
	015F:0060B24C  E80FFFFFFF      CALL   0060B160                           
	015F:0060B251  85C0            TEST   EAX,EAX                            
	015F:0060B253  7479            JZ     0060B2CE ==> F10 here   
	015F:0060B255  57              PUSH   EDI                                

	Here you are at the target of the JZ instruction : 

	015F:0060B2CD  5F            POP    EDI
	015F:0060B2CE  68B48F6200    PUSH   00628FB4  <== JZ lands here
	015F:0060B2D3  81C6C4000000  ADD    ESI,000000C4
	015F:0060B2D9  68C8876200    PUSH   006287C8
	015F:0060B2DE  8D542410      LEA    EDX,[ESP+10]
	015F:0060B2E2  68A8816200    PUSH   006281A8
	015F:0060B2E7  52            PUSH   EDX
	015F:0060B2E8  8BCE          MOV    ECX,ESI
	015F:0060B2EA  E8017CFFFF    CALL   00602EF0
	015F:0060B2EF  BB01000000    MOV    EBX,00000001
	015F:0060B2F4  683C846200    PUSH   0062843C
	015F:0060B2F9  8D4C240C      LEA    ECX,[ESP+0C]
	015F:0060B2FD  895C242C      MOV    [ESP+2C],EBX
	015F:0060B301  E83CF00000    CALL   0061A342
	015F:0060B306  6A00          PUSH   00
	015F:0060B308  68A0896200    PUSH   006289A0
	015F:0060B30D  68A8816200    PUSH   006281A8
	015F:0060B312  8BCE          MOV    ECX,ESI
	015F:0060B314  E8777BFFFF    CALL   00602E90
	015F:0060B319  8D4C2410      LEA    ECX,[ESP+10]

	Keep on going, pressing that damn F10 key.
	At last, after a long hot hot summer night ( I am listening to
	my fave J.T. Taylor hits ) you drop dead at the snippet
	below :

	015F:0060B319  8D4C2410      LEA       ECX,[ESP+10]
	015F:0060B31D  8BF0          MOV       ESI,EAX   <== drop here
	015F:0060B31F  E8BC63FFFF    CALL      006016E0 *****
	015F:0060B324  8B442408      MOV       EAX,[ESP+08]
	015F:0060B328  8D4C2408      LEA       ECX,[ESP+08]
	015F:0060B32C  C644242802    MOV       BYTE PTR [ESP+28],02
	015F:0060B331  8B40F8        MOV       EAX,[EAX-08]
	015F:0060B334  50            PUSH      EAX
	015F:0060B335  50            PUSH      EAX
	015F:0060B336  E8F9EB0000    CALL      00619F34 ****
	015F:0060B33B  50            PUSH      EAX 
	015F:0060B33C  8D4C2418      LEA       ECX,[ESP+18]
	015F:0060B340  E80B64FFFF    CALL      00601750 ****
	015F:0060B345  33C9          XOR       ECX,ECX
	015F:0060B347  3BF0          CMP       ESI,EAX ==> ? EAX ? ESI
	015F:0060B349  0F94C1        SETZ      CL
	015F:0060B34C  8BF1          MOV       ESI,ECX
	015F:0060B34E  6AFF          PUSH      FF
	015F:0060B350  8D4C240C      LEA       ECX,[ESP+0C]
	015F:0060B354  E8D5EB0000    CALL      00619F2E

	_________________________ NOTPAD!.text+A319 ___________________

	Press F10 13 times - stop at 015F:0060B347 - a classic CMP 
	comparison instruction. Now check the contents of the ESI and
	EAX registers : 

	:? esi  [enter]
	046755DA  0073881050  " gU " ==> your suxx damn fake code

	:? eax
	7A7BB8FB  2054928635  "z{  " ==> your REAL CODE. Write it down.

4.  Disable all breakpoints by typing :

	BD *   [enter]
	Press F5 or X to return to the main program

5.  Repeat the registration procedure and key in 2054928635 as 
    your S/N. 
    Click the OK button .....  you are registered.
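As an added illustration, not Notpad's code (this page does not show its serial derivation, so derive_code() below is a constructed placeholder): the check pattern the trace above reveals, where the typed code and the computed real code meet as two plain 32-bit values at one CMP, next to a form that compares digests instead, so the real serial is never computed on the client.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 32-bit FNV-1a chained through h: a stand-in one-way function, here only
 * to keep the example self-contained. */
uint32_t fnv1a(const void *data, size_t len, uint32_t h)
{
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Constructed placeholder for a product's secret serial derivation. */
uint32_t derive_code(const char *name)
{
    return fnv1a(name, strlen(name), 2166136261u);
}

/* The typed decimal serial becomes a 32-bit number; the tutorial's "? esi"
 * shows 73881050 as 046755DA at the CMP. */
uint32_t typed_to_u32(const char *typed)
{
    return (uint32_t)strtoul(typed, NULL, 10);
}

/* Weak pattern: at the final comparison (CMP ESI,EAX / SETZ CL above) the
 * real code and the typed code are both plain register values. */
int check_weak(const char *name, const char *typed)
{
    return derive_code(name) == typed_to_u32(typed);
}

/* Hardened pattern: the client holds only a digest of name||serial issued
 * with the license; the real serial is never computed on the client. */
uint32_t license_digest(const char *name, const char *serial)
{
    uint32_t h = fnv1a(name, strlen(name), 2166136261u);
    h = fnv1a("|", 1, h);
    return fnv1a(serial, strlen(serial), h);
}

int check_hardened(const char *name, const char *typed, uint32_t expected)
{
    return license_digest(name, typed) == expected;
}
```

A digest only keeps the serial out of the register dump; it does not protect the comparison itself, and a weak 32-bit digest over a small serial space can be brute-forced, which is why real products verify a signature over the license data instead.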

6.	Where the hell is my registration code stored ??

	The correct registration code is stored in the registry as
	follows : 
	[HKEY_LOCAL_MACHINE\Software\PJ Naughter\Notpad\General]
	"Name"="Pirates Order"

7.  How can I practise with my own user name ?

	-  I strongly recommend that you do not do this !

    + TheBritish + Cyanida + Cyberlatin + .... you.

					E N D   N O T E S

	Distributing your serial number is illegal and is no different than
	distributing illegal copies of the registered software. Violation of
	this rule may result in temporary or permanent revocation of this
	license and cancellation of the serial number; the original licensee
	will also be held responsible for damages, physical and estimated.

   Do not distribute your crack release based on this tutorial, because
   you become a LAMER!!!!!!!!
   ( tHATDUDE (PC97) defined a LAMER as the guy who sits in front of a
   personal computer, using a hex editor, ripping off other groups'
   crack releases and repacking (distributing) them under his name. 
   Adopted from the newsgroups alt.cracks, alt.crackers - February 1997 ) 

    More about LAMER(s):
	lamer /n./ [prob. originated in skateboarder slang]
	Synonym for luser, not used much by hackers but common among warez 
	d00dz, crackers, and phreakers. Oppose elite. Has the same connotations
	of self-conscious elitism that use of luser does among 
      < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

 		Never attribute to malice that which is adequately 
				explained by stupidity

ASTAGA [D4C/C4A] tute-notpad266.zip
[EOF] First Edited : 12/29/00 12:06:12 PM
Updated : 1/16/01 6:19:31 AM

History of BPX listing for Notpad v2.66 - ASTAGA [TTM]
02) * BPX USER32!GetWindowTextA                                                 
03) * 015F:00618535                                                        
04) * 015F:0060B24C                                                        
05)   BPX #015F:0060B31F                                                        
Tute completed : 1/16/01 6:19:40 AM