This tutorial is coming from...

ReFleXZ '99 Url: Http://ReFleXZ99.cjb.net Email: ReFleXZ@fcmail.com

About the essay...

Written by: MiZ Date: 25th January 1999 Program name: Xara3D v3.02 Program type: Win32 Program location: Here Program filename: N/A Program size: 917KB Tools required: W32Dasm V8.9 - Disassembler Difficult level: Easy ( X )  Medium (   )  Hard (    )  Pro (    )

Introduction...

Getting Xara3D to accept any serial.

About the protection...

Type of protection: Name/Timelimit/Serial At startup you'll get a NAG and an option to register.

The Essay...

Let's see what kind of protection it has.So,fire up the program,and we see evaluation notice: a nag screen.You have an option to purchase the software,so click on Purchase button,and enter some codel like 323323213 and press Unlock software button.A message appears sayin' that you entered an invalid code. OK.Disassembly the Xara3d with W32Dasm.When disassembled goto String Data References and look for a messge "You entered and invalid...",double click on it,now you should be here: * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:0040F434(C), :0040F448(C), :0040F464(C), :0040F480(C), :0040F49C(C) |:0040F4B8(C), :0040F4D4(C), :0040F4F0(C), :0040F55C(C) | * Possible Reference to Dialog: DialogID_0133, CONTROL_ID:00FF, ""                                   | :0040F615 6AFF                           push FFFFFFFF :0040F617 6A10                           push 00000010 * Possible Reference to String Resource ID=03005: "You entered an invalid unlock code. The program has not been"                                   | :0040F619 68BD0B0000              push 00000BBD :0040F61E E809D30700              call 0048C92C * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0040F424(C) | :0040F623 8A442413                   mov al, byte ptr [esp+13] Look above at all those jumps,so scroll up to the first one(:0040F434) and you should be here: :0040F42A 8B842440010000          mov eax, dword ptr [esp+00000140] :0040F431 3958F8                           cmp dword ptr [eax-08], ebx :0040F434 0F85DB010000              jne 0040F615                                   <--- Bad jump :0040F43A 0FBE10                         movsx edx, byte ptr [eax] :0040F43D 52                                  push edx :0040F43E E8DD700500                call 00466520 :0040F443 83C404                          add esp, 00000004 :0040F446 85C0                              test eax, eax :0040F448 0F84C7010000              je 0040F615                                   <--- Bad jump :0040F44E 8B842440010000          mov eax, dword ptr [esp+00000140] :0040F455 0FBE4801                      movsx ecx, byte ptr [eax+01] :0040F459 51                                   push ecx :0040F45A E8C1700500                 call 00466520 :0040F45F 83C404                         add esp, 00000004 :0040F462 85C0                              test eax, eax :0040F464 0F84AB010000             je 0040F615                                   <--- Bad jump :0040F46A 8B942440010000          mov edx, dword ptr [esp+00000140] :0040F471 0FBE4202                      movsx eax, byte ptr [edx+02] :0040F475 50                                   push eax :0040F476 E8A5700500                  call 00466520 :0040F47B 83C404                          add esp, 00000004 :0040F47E 85C0                              test eax, eax :0040F480 0F848F010000              je 0040F615                                   <--- Bad jump :0040F486 8B8C2440010000          mov ecx, dword ptr [esp+00000140] :0040F48D 0FBE5103                      movsx edx, byte ptr [ecx+03] :0040F491 52                                   push edx :0040F492 E889700500                   call 00466520 :0040F497 83C404                          add esp, 00000004 :0040F49A 85C0                             test eax, eax :0040F49C 0F8473010000              je 0040F615                                   <--- Bad jump :0040F4A2 8B842440010000          mov eax, dword ptr [esp+00000140] :0040F4A9 0FBE4804                      movsx ecx, byte ptr [eax+04] :0040F4AD 51                                  push ecx :0040F4AE E86D700500                 call 00466520 :0040F4B3 83C404                          add esp, 00000004 :0040F4B6 85C0                              test eax, eax :0040F4B8 0F8457010000              je 0040F615                                      <--- Bad jump :0040F4BE 8B942440010000          mov edx, dword ptr [esp+00000140] :0040F4C5 0FBE4205                      movsx eax, byte ptr [edx+05] :0040F4C9 50                                  push eax :0040F4CA E851700500                 call 00466520 :0040F4CF 83C404                         add esp, 00000004 :0040F4D2 85C0                             test eax, eax :0040F4D4 0F843B010000             je 0040F615                                       <--- Bad jump :0040F4DA 8B8C2440010000        mov ecx, dword ptr [esp+00000140] :0040F4E1 0FBE5106                      movsx edx, byte ptr [ecx+06] :0040F4E5 52                                  push edx :0040F4E6 E835700500                 call 00466520 :0040F4EB 83C404                        add esp, 00000004 :0040F4EE 85C0                            test eax, eax :0040F4F0 0F841F010000             je 0040F615                                       <--- Bad jump :0040F4F6 8B842440010000         mov eax, dword ptr [esp+00000140] :0040F4FD 0FBE4804                    movsx ecx, byte ptr [eax+04] ... :0040F554 69D251ED8764            imul edx, 6487ED51 :0040F55A 3BCA                           cmp ecx, edx :0040F55C 0F85B3000000            jne 0040F615                                       <--- Bad jump :0040F562 8B0D70EB4D00           mov ecx, dword ptr [004DEB70] You see that we must NOP every single jump that jumps to 0040F615,in order to register. So make sure the line is at :0040F434 and look what offset it is(it should be E834),now open your favourite hexeditor and goto offset E834 and enter OF84.You must do this for every other jump that jumps to 0040F615. Example if the jump is jne 0040F615 then you must change it to je 0040F615 (in hex it would be 0F85 to 0F84) and if it is je 0040F615 then change it to jne 0040F615 (in hex: 0F84 to 0F85). When done all this,then save and start Xara3D and enter any code press to register.And it accepts the code. After you register it creates a key in registry: HKEY_CURRENT_USER/SOFTWARE/XARA/X3D3/INSTALL/KEY                0x1da8403d (497565757) The key could be different on your computer. Job done.

Final notes...

Greetz and thanx: McCodEMaN,Bjanes,The Sandman,CrackZ,+ORC,Jeff,Eternal Bliss.....and all otherz....

Disclaimer...

This tutorial is written for EDUCATIONAL purposes only. So if you want to use the program after its trial period ends please BUY IT! Support shareware(and its authors), this is our learning tool!   ReFleXZ is not responsibile for any damage caused with this essay or any of its parts. So everything what you're doing and 'experimenting' is on your own responsibile!   Also, in this tutorial you'll not find any serial numbers, so try to search elsewhere under Cracks and Warez.