*************************************************************************************************
                                         IconToy V3.1
*************************************************************************************************

Author:     Lighttek Software
Protection: Name / Serial
URL:        http://www.lighttek.com/files/icontoy.zip
Tools:      W32Dasm V8.93
            Hex-Editor

---> Let's Begin...

Start the program and click on "?" at the top of the program; then we'll get the about box. Click on the second tab, which says "Registration". Then we can enter a Registration Name and Code: enter anything you want and click on "Register!". Then you'll get a Message Box saying:

"Registration key error!"

Ok, remember this line or write it down on some paper and open up W32Dasm. Then disassemble the file "icontoy.exe" and click on "Strn Ref" (String Data References). Now search for the line we found and double click on it, and we're here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485FAC (C)
|
* Possible StringData Ref from Code Obj -> "Registration key error!"
|
:00486076 B838614800   mov eax, 00486138
:0048607B E80080FCFF   call 0044E080

Notice the (C)onditional Jump from Address "00485FAC": there must be the choice between good and bad :) So trace a few lines up till that Address and you'll see this:

:00485F9B A104E94800      mov eax, dword ptr [0048E904]
:00485FA0 E8B3FCFFFF      call 00485C58                    <--- Check out this call
:00485FA5 803D00E9480001  cmp byte ptr [0048E900], 01
:00485FAC 0F85C4000000    jne 00486076                     <--- THIS IS THE PLACE!!!
:00485FB2 8D55F8          lea edx, dword ptr [ebp-08]
:00485FB5 8B45FC          mov eax, dword ptr [ebp-04]
:00485FB8 8B800C030000    mov eax, dword ptr [eax+0000030C]

Now we know the place to patch, but before we're going to patch the program, check out the call. So double click on the "call 00485C58" and press "Left"; now we're stepping into the call. If you trace a little bit down you'll notice a lot of compares; these are all serials.

If you want to check this out a little better, use SoftICE and break on "hmemcpy"; then you'll see that it makes a value out of the serial number you've entered and just compares that value with these values :) If you want to know what serials are made out of these values, write a program of your own and use "wsprintfA" with the format "%d"; then you'll see the real serials :)

But anyway, get back to that JNE and double click on it, then look at the bottom of the window. You'll see this:

@Offset 000853AC

Write down the Offset or keep it in mind, close W32Dasm and open up a Hex-Editor. Then in your Hex-Editor open up the program (icontoy.exe) and go to that offset (000853AC). Then change it into this:

0F85C4000000 ---> 909090909090

I've just used the NOP function; I could also let it jump a little bit, but why should I :)

Now when you've done all this and you enter a fake Name and Serial, you'll probably notice something: it says that you're registered now, so that's ok :) But the Registration tab isn't gone, hmm... maybe it doesn't go away yet, so I suggest restarting the program: close it and start it again. Goddamnit, the Registration tab is still here, so it does another check :)

Ok, remember all those values it compares to? We're going to take a better look there, so fire up W32Dasm again (sorry if you closed it :) and go to the Address of all those compares (00485C6B). Now you'll see something like this:

cmp eax, xxxxxxxx
je 00485E2F
cmp eax, xxxxxxxx
je 00485E2F
...

When you've entered a correct serial, all those JEs jump to the Address 00485E2F. Ok, check out the last compare; it looks like this:

cmp eax, xxxxxxxx
jne 00485EAB

See, the last one jumps to another location and we fail :) So we're going to patch this JNE to NOP and every entered serial will work. Double click on the JNE and look down below; you'll see this:

@Offset 0008522D

Write it down on some paper or keep it in mind, close W32Dasm and open up your Hex-Editor. Then go to that location and change it into this:

757C ---> 9090

Save it and start the program. You probably noticed something: when the program starts it has no Registration tab anymore and we're already registered :) So it checks the place with the compares already when the program begins.

Ok, program patched !!!

If you have questions mail me at: code.inside@home.nl

---> Greetings

Everybody at TrickSoft, Everybody at FCC, Everybody in #Cracking4Newbies and YOU :)

Don't trust the Outside, trust the InSiDe !!!

Cya...

CoDe_InSiDe