-----------------------------------------------------+
This information is for educational purposes only!              |
-----------------------------------------------------+

Hi

Cracking    :  mIRC32 v5.8
Toolz Needed:  Softice 4.05
Author      :  YoKe


Ok, a new mIRC has been released, which means a new cracking challenge :)
( not really, it's nearly the same as 5.4 :-( )
 
First open mirc32.exe and click on Help/About...  we see the text "Unliscenced Copy."
scrolling in the dialog, uhh! Now click on Help/Register..!!!

Enter any crap, e.g.  Name: YoKe-2k     Serial: 12345-67890

Now press CTRL-D to open SoftICE! ( when serial fishing I always put a breakpoint on
Hmemcpy first, so we can trace into the program's code to see what other breakpoints we could set, or even
find where the real serial and our serial are compared! )
So in SICE type bpx hmemcpy, then press F5. Now in the mIRC register dialog hit OK.. SoftICE
flashes up on da screen, but we want it to break for the serial text field, so hit F5 to make
SoftICE break again! When it does, hit F11. Now we see the memory code; press F10 until we are in the
program code, until you see...

018F:004984A5              Call USER32!SendDlgItemMessageA
018F:004984AA              push 00538E2F                   <-- our name!
018F:004984AF              push 00538A48                   <-- our fake serial 
018F:004984B4              call 00498085                   <-- call routine to check good serial to bad serial
018F:004984B9              test eax, eax                   <-- test eax against itself (is it zero?)
018F:004984BB              je 0049855A                     <-- if eax is zero (bad serial) jump to the bad code!
018F:004984C1              mov esi, 00527C88               <-- our fake serial is in esi
018F:004984C6              mov edi, 00538A48               <-- 00538A48 (our fake serial, see above) into edi
018F:004984CB              xor eax, eax                    <-- zero eax

Do you see SendDlgItemMessageA? Yes! We could just have set bpx senddlgitemmessagea to get
right here; anyway, you will know that for later..

In SICE press F10 until you are on the line:

018F:004984AA

Now type d 00538E2F and we see our name; now type d 00538A48 and you see our fake serial.
We must go into that call at 018F:004984B4

to see what it does, so press F10 until you are on the line:

018F:004984B4          call 00498085

and press F8. Now you should see something like..

018F:00498085                 push ebp
018F:00498086                 mov ebp, esp
018F:00498088                 push ebx
018F:00498089                 push esi
018F:0049808A                 push edi
018F:0049808B                 mov esi, dword ptr [ebp+0C]  <-- our name goes to esi (type d *(ebp+0c))
018F:0049808E                 mov ebx, dword ptr [ebp+08]  <-- our fake serial goes to ebx (type d *(ebp+08))
018F:00498091                 push esi                     <-- save esi (the pointer to our name)
018F:00498092                 mov esi, 0054A114            <-- esi now points at 0054A114, where our name ends up (pushed as "our name" further down)

All this I don't care about; move down by pressing F10 until you reach this code:

018F:004980DC                 pop esi
018F:004980DD                 push 0054A218                <-- our fake serial
018F:004980E2                 push 0054A114                <-- our name
018F:004980E7                 call 00497F92                <-- call to do something on them
018F:004980EC                 test eax, eax                <-- test the value of eax
018F:004980EE                 je 004980F7                  <-- jump if equal
018F:004980F0                 mov eax, 01                  <-- set eax 1
018F:004980F5                 jmp 0049816B                 <-- jump (unconditional)

Guess what? Move onto the line:
018F:004980E7    call 00497F92
with F10 and press F8. Now you should see some code that deals with the serial numbers!....

018F:00497F92                 push ebp
018F:00497F93                 mov ebp, esp
018F:00497F95                 add esp, FFFFFFF4
018F:00497F98                 push ebx                     <-- our name
018F:00497F99                 push esi                     <-- our fake serial
018F:00497F9A                 push edi
018F:00497F9B                 mov esi, dword ptr [ebp+0C]  <-- our fake serial, type d *(ebp+0c)
018F:00497F9E                 push [ebp+08]                <-- our name, type d *(ebp+08)
018F:00497FA1                 call 0050DEF0                <-- not important, just gets the name length
018F:00497FA6                 pop ecx
018F:00497FA7                 cmp eax, 05                  <-- the call above set eax to our name length, which is compared to 5; type ? eax and we should see 7 (YoKe-2k)
018F:00497FAA                 jnb 00497FB3                 <-- jump if not below (length >= 5 is ok)
018F:00497FAC                 xor eax, eax                 <-- zero eax
018F:00497FAE                 jmp 0049807C                 <-- jump to bad code
018F:00497FB3                 push 2D                      <-- type ? 2D and we see "-", so we know '-' is in the serial; lucky we had that (12345-67890)
018F:00497FB5                 push esi                     <-- our fake serial
018F:00497FB6                 call 0050DE50                <-- see if '-' is in our fake serial
018F:00497FBB                 add esp, 00000008            <-- clean the two arguments off the stack
018F:00497FBE                 mov ebx, eax                 <-- move the result to ebx
018F:00497FC0                 test ebx, ebx                <-- test ebx
018F:00497FC2                 jne 00497FCB                 <-- jump if not zero ('-' was found)
018F:00497FC4                 xor eax, eax                 <-- zero out eax
018F:00497FC6                 jmp 0049807C                 <-- jump to bad code

More code.... to determine where '-' is in our serial. F10 until you come across..

018F:0049802C                 jl 00498012                  <-- jump if less  (loop)
018F:0049802E                 cmp ebx, dword ptr [ebp-04]  <-- compare our fake serial and the real one before the - (first part)
018F:00498031                 jz 00498037                  <-- jump if zero (they matched)

Ok, pressing F10 to move onto the line:
018F:0049802C 7CE4        jl 00498012
we have come to a loop, which I find annoying, but press F10 to go to the next line and we jump back up
through some code, so press F10 until we are back on:
018F:0049802C
It jumps again; just keep pressing F10 and you will eventually get to the line:
018F:0049802E 3B5DFC          cmp ebx, dword ptr [ebp-04]

Now here cmp == compare, cool! Now in SICE type ? *(ebp-04); cool, it's the first part of our
serial, 12345 (NEVER MIND THE 0000, THESE ARE NOT PART OF THE SERIAL). What's it compared to?
? ebx   cool, 3515, it's the first part of our real serial, so now we have:
3515-

Time to get the last part, héhé. Press F10 and you are on the line below the compare; because
the serials were not the same the flag is wrong and the jump is not taken :~( so we type
r fl z   now it will jump, so press F10 and SoftICE jumps to :00498037. Press F10 until
we see something similar..

018F:0049806C                  jl 0049804B                  <-- jump if less  (loop)
018F:0049806E                  cmp ebx, dword ptr [ebp-08]  <-- compare our fake serial and the real one after the - (second part)
018F:00498071                  jz 00498077                  <-- jump if zero (they matched)

This is very like above, just do the loop until you come to the compare :)
Now type ? *(ebp-08) and it's the last part of our fake serial, 67890. YES YES, ? ebx is the
last part of our real serial, COOL!!! 213045 :-)
Don't worry about the jump below, we have all we want! :D
Name: YoKe-2k
Serial: 3515-213045

So now type bc * and press F5, click OK on the invalid serial message and enter:
Name: YoKe-2k
Serial: 3515-213045
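As an added editorial example (not the author's code and not mIRC's), here is the shape of the check the listings above walk through, written in C, beside a variant that resists serial fishing: it holds only a digest of the issued name/serial pair, so no genuine serial is ever derived or compared inside the client. The derivation inside check_fishable and the FNV-1a digest are constructed stand-ins, not mIRC's algorithm; flipping a flag in the debugger (the r fl z trick) is a separate problem this does not address.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Format check as in the listing: length >= 5, one '-', two all-digit
 * decimal halves. Fills a (before '-') and b (after) and returns 1. */
int parse_serial(const char *s, unsigned long *a, unsigned long *b)
{
    char *end;
    const char *dash = strchr(s, '-');
    if (strlen(s) < 5 || !dash || dash == s || !dash[1]) return 0;
    if (*s < '0' || *s > '9' || dash[1] < '0' || dash[1] > '9') return 0;
    *a = strtoul(s, &end, 10);
    if (end != dash) return 0;
    *b = strtoul(dash + 1, &end, 10);
    return *end == '\0';
}

/* Fishable shape: derive the genuine halves (constructed placeholder, NOT
 * mIRC's algorithm) and compare them one at a time; each genuine half sits
 * in memory right before its cmp, which is what ? ebx read off above. */
int check_fishable(const char *name, const char *serial)
{
    unsigned long a, b, h = 7;
    if (!parse_serial(serial, &a, &b)) return 0;
    for (; *name; name++) h = h * 31 + (unsigned char)*name;
    if (a != h % 10000) return 0;                 /* first half, early exit */
    return b == (h / 10000) % 1000000;            /* second half */
}

/* FNV-1a over name, a zero separator byte and serial. The vendor ships only
 * this digest of the issued pair, so the client never derives the serial. */
uint64_t license_digest(const char *name, const char *serial)
{
    uint64_t h = 1469598103934665603ULL;
    const char *p;
    for (p = name; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    h *= 1099511628211ULL;                        /* absorb separator byte 0 */
    for (p = serial; *p; p++) { h ^= (unsigned char)*p; h *= 1099511628211ULL; }
    return h;
}

/* Hardened against fishing: constant-time digest compare, no plaintext. */
int check_hardened(const char *name, const char *serial, uint64_t expected)
{
    unsigned long a, b; uint64_t d;
    if (!parse_serial(serial, &a, &b)) return 0;  /* same format gate */
    d = license_digest(name, serial) ^ expected;
    d |= d >> 32; d |= d >> 16; d |= d >> 8; d |= d >> 4; d |= d >> 2; d |= d >> 1;
    return (int)(1 ^ (d & 1));                    /* 1 only if every bit matched */
}
```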

Or, now that you know how to crack mIRC32 5.8, do a serial for your name :)
Ok, now mIRC32 v5.8 is cracked, but NOT for iLLeGaL purposes I hope!
I hope you enjoyed this tutorial..  :D
YoKe
YoKe@CotD.de

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><