
----------------------------------------------------------
How to find a serial in Icon Packager
----------------------------------------------------------

Cracker: iNFiNiTY 

Target: Icon Packager v0.99.019 (VB5)
Tools: SoftIce	
           Brain

Where: http://www.stardock.com

Sorry for my english, its not my mother language.


-----------
Step 1:
-----------

===
Run Icon packager, NAG pop up, go to Register.
Enter any name and s/n. YOUR SERIAL MUST BE
9 OR MORE CHARACTER LONG. (i entered: name: [iNFiNiTY]
s/n: IP-2212345678900).


Explanation: -> the "IP" is the inicials of the name of the prog. (Icon Pack..)
	-----> the "-" must be there (if you try load the program in SmartCheck, 
		youll see, that the program require it)
	-----> the middle of the s/n (123456789) must be 9 chars long to, because     
		this is the minimal lenght of NAME!
	-----> the "22" and "00" numbers can be anything (must be NUMBER!!)
		eg.: 11 and 99 or 22 and 88 or 12 and 34
===
===
Ready?
Go to SoftIce (Ctrl+D) and set breakpoint on memory copy (bpx hmemcpy).
Go back (F5). Push REGISTER button. B00M => we are in SI.
Now press 9x "F5" (if you press it for the 10th time youll get the message).
Then press 13x "F12" to get to the 32-bit code, then press "F11" to get 
to the caller. You should be here:


015F:00F05A5C0	E86F6FFEFF	CALL 0F041534
015F:00F05A5C5			RET 0008	<--- YOU MUST BE HERE!	
015F:00F05A5C8	C20800		PUSH EBX


===
We land on one RET. (this is RETurn of the funciton). 
When you are on the RET, press one time "F10" and
you will jump here:
===


015F:0044BB2F	FF90A00000000	CALL [EAX+00000000A0]
015F:0044BB35	85C0		TEST EAX, EAX	
015F:0044BB37	7D12		JGE 0044BB4B
015F:0044BB39	68A0000000	PUSH 000000A0
015F:0044BB3E	68847E4100	PUSH 00417E84
015F:0044BB43	57		PUSH EDI
015F:0044BB44	50		PUSH EAX
015F:0044BB45	FF155C334700	CALL [MSVBVM50!__vbaHresultsCheckObj]
015F:0044BB4B	5B45E8		MOV EAX, [EBP-18]
015F:0044BB4E	8D55E0		LEA EDX, [EBP-20]		<--- D EDX - our name
015F:0044BB51	52		PUSH EDX
015F:0044BB52	50		PUSH EAX
015F:0044BB53	E8C8D8		CALL 00449420		<--- call the real s/n.
015F:0044BB58			MOV EDX, EAX		<--- D EAX - our real s/n.


===
On the the line 015F:0044BB58 , type D EAX and youll see
your REAL s/n in "w.i.d.e.c.h.a.r"(VISUAL BASIC). Write down
the number.
I get: [iNFiNiTY] and IP-22KQFIPLTY00 (in widechar: I.P.-.2.2.K.Q.F.I.P.L.T.Y.0.0.)

Clear all breakpoint (BC *). Enter s/n again. YESS!!!


---------------------------------------------------------------------------
---<<<>>>--- We are registered user ---<<<>>>----
---------------------------------------------------------------------------

=============================
If i make a mistake, please e-mail me 
to codewaster@crosswinds.net.
You can also find me on the web:
---===[   http://hop.to/nitrous   ]===---
=============================
=============================
Thanks to all crackers on the web !!!
=============================