
--------------------------------------------------------
How to find a serial in WinPull 2000
--------------------------------------------------------

Cracker: iNFiNiTY 

Target: WinPull 2000
Tools: SoftICE
       Brain

Where: http://www.softseek.com

Sorry for my English, it's not my mother language.


-----------
Step 1:
-----------
===
Run the program, go to Enter registration Code and fill in the boxes.
Switch to SoftICE and set a breakpoint on memory copy
(bpx hmemcpy). Press "F5" to go back. Press OK =boom=> we are
in SoftICE. Press "F5" twice because we have 3 input boxes,
then "F11" to return to the caller, and press "F12" (about 12x)
to get to the program's (32-bit) code. You should be here:
===


015F:00445DB9   CALL 004240C4
015F:00445DBE   MOV EAX, [EBP-20]       <--- we land here
015F:00445DC1   LEA EDX, [EBP-15]       <--- our fake s/n
015F:00445DC4   CALL 00407B18
015F:00445DC9   MOV EAX, [EBP-1C]
015F:00445DCC   LEA EDX, [EBP-18]
015F:00445DCF   CALL 0040797C
015F:00445DD4   MOV EDX, [EBP-18]
015F:00445DD7   POP EAX
015F:00445DD8   CALL 00403C88           <--- D EAX = our real s/n
015F:00445DDD   JNZ 00445DE8            <--- bad boy


===
Trace ("F10") to the CALL just before the JUMP (the bad jump).
Type "D EAX" and the data window will show your real s/n.
Clear all breakpoints ("BC *") and enter the real code.
===

---<<<>>>--- We are a registered user ---<<<>>>----
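
Added example, not part of the original tutorial and not WinPull's code: the walkthrough works because the program builds the valid serial in memory before the compare, so "D EAX" can read it. The C code below contrasts that pattern with a verify-only check; the serial formula, the function names and the toy RSA key are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy RSA key (p=61, q=53), far too small for real use. */
#define RSA_N 3233u /* public modulus: shipped in the client */
#define RSA_E 17u   /* public exponent: shipped in the client */
#define RSA_D 2753u /* private exponent: vendor signing host only */

static uint32_t modpow(uint32_t base, uint32_t exp, uint32_t mod) {
    uint64_t result = 1, x = base % mod;
    for (; exp; exp >>= 1, x = x * x % mod)
        if (exp & 1) result = result * x % mod;
    return (uint32_t)result;
}

/* FNV-1a hash of the user name, reduced into [0, RSA_N). */
static uint32_t name_digest(const char *name) {
    uint32_t h = 2166136261u;
    for (; *name; name++) { h ^= (unsigned char)*name; h *= 16777619u; }
    return h % RSA_N;
}

/* Hypothetical serial formula, standing in for the target's unknown one. */
void weak_serial(const char *name, char *out, size_t len) {
    snprintf(out, len, "%05u", (unsigned)(name_digest(name) * 7u + 1234u));
}

/* Weak: the client builds the valid serial, then compares strings. */
int weak_check(const char *name, const char *entered) {
    char expected[16];
    weak_serial(name, expected, sizeof expected);
    return strcmp(entered, expected) == 0; /* expected is readable in memory */
}

/* Vendor side only: issue a serial by signing the name digest. */
uint32_t vendor_sign(const char *name) {
    return modpow(name_digest(name), RSA_D, RSA_N);
}

/* Hardened: the client only verifies and never computes the valid serial. */
int hardened_check(const char *name, const char *entered) {
    char *end;
    unsigned long sig = strtoul(entered, &end, 10);
    if (end == entered || *end != '\0' || sig >= RSA_N) return 0;
    return modpow((uint32_t)sig, RSA_E, RSA_N) == name_digest(name);
}
```

The verify-only client holds just the public half of the key, so no valid serial exists in its memory at the compare. A production scheme would use a vetted signature library with a full-size key.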


=============================
If I make a mistake, please e-mail me
at codewaster@crosswinds.net.
You can also find me on the web:
---===[   http://hop.to/nitrous   ]===---
=============================
=============================
Thanks to all crackers on the web !!!
=============================