-----------------------------------------------------+
This information is for educational purposes only!   |
-----------------------------------------------------+

      How to find a serial for Malz++Kassner CAD 4.7 Economy?
     ========================================================
                           by M.o.D. [f2f]

Tools used: SoftIce 4.05 (protools.exit.de)


Ok, let's start!

First start our target and go to the register box!
Enter your name and 1122334455 as the serial.
Now open SoftIce and set a breakpoint on GetDlgItemTextA (bpx GetDlgItemTextA).
Press the register button and *boom*, you're in SI. Press F5 twice and
you should see a nice box telling us that our code was wrong.

SI broke twice, which means that the program grabs our entered name and
serial and then compares the serial with the correct one.
So now press the register button again and SI should break again. Now press
F5 once to get to the next GetDlgItemTextA. Press F12 and we're back in the
program.

You should see this code:

* Reference To: KERNEL32.lstrlenA, Ord:02A1h

00429D17 8B3D3C225200  mov edi, dword ptr [0052223C]
00429D1D 8D85E8FBFFFF  lea eax, dword ptr [ebp+FFFFFBE8] -> ptr to our name
00429D23 50            push eax
00429D24 FFD7          call edi
00429D26 83F804        cmp eax, 00000004 -> EAX holds the length of our name
00429D29 7D16          jge 00429D41      -> jump to the next check if the name
                                            is longer than 4 characters

So, the program checks whether our name is longer than 4 characters.
If your name isn't, fix that problem ;).

00429D41 8D85ECFDFFFF  lea eax, dword ptr [ebp+FFFFFDEC] -> ptr to our serial
00429D47 50            push eax
00429D48 FFD7          call edi
00429D4A 85C0          test eax, eax -> checks whether we entered anything as the serial
00429D4C 7524          jne 00429D72

I think this check isn't a real problem :).
We should jump to the following code:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
:00429D4C(C), :00429D54(C)

00429D72 8D85ECFDFFFF  lea eax, dword ptr [ebp+FFFFFDEC] -> ptr to serial
00429D78 50            push eax
00429D79 8D85E8FBFFFF  lea eax, dword ptr [ebp+FFFFFBE8] -> ptr to name
00429D7F 50            push eax
00429D80 E865390D00    call 004FD6EA -> key-check routine
00429D85 59            pop ecx
00429D86 85C0          test eax, eax -> tests whether we entered the correct key
00429D88 59            pop ecx
00429D89 7530          jne 00429DBB  -> ! jump to register the user !

Ok, at 00429D80 the program checks our serial and then jumps (or doesn't) to the good/bad message!
Clear your breakpoints (bc *) and set one on the serial-check call!
When you break on the call, press F8 to step in and see what happens inside!
We see this:

004FD6EA 55             push ebp
004FD6EB 8BEC           mov ebp, esp
004FD6ED 81EC04020000   sub esp, 00000204
004FD6F3 8D85FCFDFFFF   lea eax, dword ptr [ebp+FFFFFDFC]
004FD6F9 50             push eax
004FD6FA FF7508         push [ebp+08]
004FD6FD FF750C         push [ebp+0C]
004FD700 E84CFFFFFF     call 004FD651 -> break here and press F8 to step into the call

After stepping into the call you see this:

004FD663 8A0C02   mov cl, byte ptr [edx+eax] -> current char of our serial (1st..5th)
004FD666 80F930   cmp cl, 30                 -> compare with '0'
004FD669 7C79     jl 004FD6E4                -> below '0': bad serial
004FD66B 80F939   cmp cl, 39                 -> compare with '9'
004FD66E 7F74     jg 004FD6E4                -> above '9': bad serial
004FD670 0FBEC9   movsx ecx, cl
004FD673 8D34BF   lea esi, dword ptr [edi+4*edi]    -> esi = edi*5
004FD676 42       inc edx
004FD677 83FA05   cmp edx, 00000005                 -> 5th char of our serial done?
004FD67A 8D7C71D0 lea edi, dword ptr [ecx+2*esi-30] -> edi = edi*10 + (char - '0')
004FD67E 7CE3     jl 004FD663                       -> jump to the next char

Ok, here the program checks whether the first 5 chars of our serial contain only
digits (and accumulates them into a number in EDI). So we should pass this check!
The next check looks like this:

004FD680 8078052D  cmp byte ptr [eax+05], 2D -> compares the 6th char with '-'
004FD684 755E      jne 004FD6E4              -> jump to bad serial

We see that the 6th char of our serial has to be a '-'. So enter 11223-3445566 as
the new serial. Then break at this cmp again and you see that we don't jump. Now
comes this check:

004FD684 755E          jne 004FD6E4
004FD686 81FF204E0000  cmp edi, 00004E20 -> type ? edi in SI and you see 11223
004FD68C 7C56          jl 004FD6E4       -> below 4E20: bad serial
004FD68E 81FF14500000  cmp edi, 00005014 -> type ? edi in SI and you see 11223

Also type ? 4E20 and ? 5014 in SI. This reveals that the first 5 chars must be
a number between 20000 and 20500. So enter 20100-11223 as the new serial. Now clear
your breakpoints again and set one at 004FD68E.

On to the next check:

004FD69B 8A0C02    mov cl, byte ptr [edx+eax] -> current char of our serial (7th..10th)
004FD69E 80F930    cmp cl, 30                 -> compare with '0'
004FD6A1 7C41      jl 004FD6E4                -> below '0': bad serial
004FD6A3 80F939    cmp cl, 39                 -> compare with '9'
004FD6A6 7F3C      jg 004FD6E4                -> above '9': bad serial
004FD6A8 0FBEC9    movsx ecx, cl
004FD6AB 8D34B6    lea esi, dword ptr [esi+4*esi]    -> esi = esi*5
004FD6AE 42        inc edx
004FD6AF 83FA0A    cmp edx, 0000000A                 -> 10th char of our serial done?
004FD6B2 8D7471D0  lea esi, dword ptr [ecx+2*esi-30] -> esi = esi*10 + (char - '0')
004FD6B6 7CE3      jl 004FD69B                       -> jump to the next char
004FD6B8 8A400A    mov al, byte ptr [eax+0A]  -> compare the 11th char with '-'
004FD6BB 3C2D      cmp al, 2D
004FD6BD 7404      je 004FD6C3                -> jump to the range check
                       .
                       .
                       .
004FD6C3 81FEC2010000  cmp esi, 000001C2 -> type ? esi in SI and you see 11223
004FD6C9 7C19          jl 004FD6E4       -> below 1C2: bad serial
004FD6CB 81FEF4010000  cmp esi, 000001F4 -> type ? esi in SI and you see 11223
004FD6D1 7D11          jge 004FD6E4      -> 1F4 or above: bad serial
 
This code looks familiar! Here the program checks whether the 7th to 10th characters
of our serial are digits. Then it checks the 11th character, which must be a '-'.
Furthermore, the compares at 004FD6C3 and 004FD6CB reveal that characters 7-10 have to
be a number between 0450 and 0500!
So enter 20100-0455-11223 as the new serial!
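The two digit loops above (at 004FD663 and 004FD69B) and the range compares are easier to read in C. The following is an added example written for this page, not code from the program or its author: it re-implements the format checks the listings show, so you can see what the lea pair (acc*5, then acc*10 + digit) actually computes. Function names are my own; the constants are the ones visible in the disassembly. The listing omits the jump that follows the cmp with 5014 and does not show the accumulator registers being zeroed, so "values above 20500 are rejected" and "the accumulators start at 0" are assumptions, marked in the comments.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not the program's own code: C rendering of the checks at
 * 004FD663..004FD6D1. Function names are mine; constants are from the listing. */

/* One iteration of the digit loops at 004FD663 and 004FD69B:
 *   cmp cl,30 / jl bad ; cmp cl,39 / jg bad   -> must be '0'..'9'
 *   lea esi,[esi+4*esi]                        -> acc = acc*5
 *   lea esi,[ecx+2*esi-30]                     -> acc = acc*10 + (c - '0')
 * Returns 0 when the character is not a digit (the jumps to 004FD6E4). */
static int accumulate_digit(uint32_t *acc, char c)
{
    if (c < '0' || c > '9')
        return 0;
    *acc = *acc * 5;                                      /* lea esi,[esi+4*esi]    */
    *acc = (uint32_t)(unsigned char)c + 2 * *acc - 0x30;  /* lea esi,[ecx+2*esi-30] */
    return 1;
}

/* Parse len consecutive digits starting at s into *out. Assumes the
 * accumulator register starts at 0 (the listing does not show the zeroing). */
int parse_digits(const char *s, int len, uint32_t *out)
{
    uint32_t acc = 0;
    for (int i = 0; i < len; i++)
        if (!accumulate_digit(&acc, s[i]))
            return 0;
    *out = acc;
    return 1;
}

/* Helper for checking a parse result in one call. */
int parses_to(const char *s, int len, uint32_t expect)
{
    uint32_t v = 0;
    return parse_digits(s, len, &v) && v == expect;
}

/* The checks at 004FD663..004FD6D1. Returns 1 when the serial has the accepted
 * shape, 0 otherwise. A NUL in any checked position fails its own test, so a
 * shorter string is rejected before anything past its end is read. */
int serial_format_ok(const char *serial)
{
    uint32_t first, second;

    if (!parse_digits(serial, 5, &first))        /* chars 1-5 must be digits      */
        return 0;
    if (serial[5] != '-')                         /* 004FD680: 6th char is '-'     */
        return 0;
    if (first < 0x4E20)                           /* 004FD686/004FD68C: >= 20000   */
        return 0;
    if (first > 0x5014)                           /* 004FD68E: cmp with 20500; the
                                                     jump after it is not in the
                                                     listing, so rejecting values
                                                     above 20500 is an assumption */
        return 0;
    if (!parse_digits(serial + 6, 4, &second))    /* chars 7-10 must be digits     */
        return 0;
    if (serial[10] != '-')                        /* 004FD6B8: 11th char is '-'    */
        return 0;
    if (second < 0x1C2 || second >= 0x1F4)        /* 004FD6C3/004FD6CB: 450..499   */
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs: the serials tried in the walkthrough above. */
    const char *tries[] = { "1122334455", "11223-3445566",
                            "20100-11223", "20100-0455-11223" };
    for (unsigned i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-20s -> %s\n", tries[i],
               serial_format_ok(tries[i]) ? "format ok" : "rejected");
    return 0;
}
```

Only the last of the four inputs passes, which matches the order in which the walkthrough hits each compare. Note that these are purely structural checks; the real comparison happens afterwards in the routine at 004FD651, which (as the d eax at 004FD70C shows) leaves the expected serial in a stack buffer. From a defender's point of view that is the weak spot: a validator that verifies a signature or one-way hash of the entered key never has the correct key in memory to begin with.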

Ok, the last part follows now. Break again at 004FD68E. Now press F10 until you
reach line 004FD700. There you see this code:

004FD700 E84CFFFFFF    call 004FD651
004FD705 83C40C        add esp, 0000000C
004FD708 85C0          test eax, eax
004FD70A 7419          je 004FD725
004FD70C 8D85FCFDFFFF  lea eax, dword ptr [ebp-0204]

At line 004FD70C type d eax in SI! Look at the data window and what do we see there...
yes, it's our regcode!

For me it is:  
~~~~~~~~~~~~~
M.o.D.
20100-0455-5996-9636-82

Enter your name and serial, press the register button and you are a registered user!

Ok, that's it!

For questions and comments mail me: MoD_f2f@gmx.net

cu
M.o.D.

PS: English isn't my mother tongue!