There is a crack, a crack in everything. That's how the light gets in.

Run the program. The first time you'll see a dialog box that allows
you to associate html files, etc. with the Opera browser. Deal with this
dialog box as you see fit. Now another box pops up. This is the box that
we are going to be working with: the registration box.
Fill in your name, organization, and fake registration number (make
the reg number 12 characters long). As an example, I used:
Name: KLee8084
Organization: na
Registration No: CrackingFool
Press CTRL-D to go into Softice.
In Softice, type bpx GetDlgItemTextA (there are many other breakpoints
that you can use, but I find it better to use this particular one...when
it works, that is!)
Now, type X to return to the program.
Ready? Click on "Register".
Bang! We're back in Softice at the beginning of USER32!GetDlgItemTextA.
Type X.
Type X again.
This brings you to the third time that USER32!GetDlgItemTextA is called:
to get the fake registration number that you had entered.
Type F11 to step out of this function. Now, type
F10 until you reach:
:00477D6B CALL 0044AC2A <- Is registration number legit?
F8 into this call. F10 until you reach:
:0044AC3F CALL 004C3CE0 <- Get length of Name
The routine starting at :004C3CE0 determines the length of whatever
is PUSHed just before the call to this routine. If you look at the instruction
just before this call, you'll see that your name is being pushed onto the
stack.
F10 over this call (unless you want to trace through it to see
how it works).
Notice that EAX now holds the length of the name that you had entered.
F10 until:
:0044AC59 CALL 004C3CE0 <- Get length of Organization
F10 over this call. EAX now holds the length of the Organization
that you had entered.
F10 until:
:0044AC9D CALL 00496A04 <- Copies Name to another location in memory
F10 over this call. EAX now holds the new location of the Name
that you had entered. To prove this to yourself, type d EAX
F10 until:
:0044ACAC CALL 00496A04 <- Copies Organization to another location in memory
F10 over this call. EAX now holds the new location of the Organization
that you had entered.
F10 until:
:0044ACBB CALL 00496A04 <- Copies fake reg number to another location
F10 over this call. EAX now holds the new location of the fake
reg number that you had entered.
F10 until:
:0044ACC8 CALL 00496A74 <- Get length of fake reg number at new location
F10 over this call (you can F8 into this call to see how it works,
if you want to). EAX now holds the length of the fake reg number.
F10 until:
:0044ACDD CALL 004C3CE0 <- Get length of Name
F10 over this call. EAX now holds the length of the Name that
you had entered.
F10 until:
:0044ACF2 CALL 004C3CE0 <- Get length of Organization
F10 over this call. As usual, EAX now holds the length of the
Organization that you had entered. Are you starting to realize how convoluted
this code is? Imagine if you had traced each and every call (as I did,
just out of curiosity)!
F10 until:
:0044AD04 CALL 0044AE54
F8 into this call (about time, eh?).
F10 until:
:0044AE63 CALL 004C3CE0 <- Get length of fake reg number
:0044AE68 CMP EAX, 0C <- Is fake reg number 12 characters long?
:0044AE6B POP ECX
:0044AE6C JNZ 0044AEA7 <- No? Then jump.
F10 over the call at :0044AE63. EAX now holds the length of the
fake reg number.
F10 until:
:0044AE73 CALL 004C3E00 <- Copy fake reg number to new location
F10 over this call. EAX now holds the new location of the fake
reg number.
F10 until:
:0044AE7E CALL 0044AE01
F8 into this call.
F10 until:
:0044AE32 CALL 0044AD81
F8 into this call.
F10 until you get to this interesting section of code:
:0044ADB1 MOV ECX, [EBP+0C]
:0044ADB4 MOV [ECX], ESI
Now would be a good time to type d ecx in Softice. You might
want to leave the data window here and not dump any other memory
locations. *wink*
F10 and keep on hitting F10...*twiddling my thumbs, here*
Sooner or later, you're going to notice that the first 4 characters
of your fake registration number (if you made your reg number 12 characters
long, that is) are in the data window with 8 other characters following.
Did you notice that the whole garbled mess is 12 characters long? My own
data window (set to ECX, as yours should be) shows: CracCqtGvDPL
That is the REAL registration number.
Clear your breakpoints by typing bc *
Now, type X to return to the program, and click on "Ok" (well,
did you NOT expect a message box to pop up? *grin*). Now enter your name,
organization and REAL registration number in the registration dialog box
(if you have trouble finding the box, Click on Help and then click
on Register Opera...). Got it? Good. Now, click on Register.
Program cracked.
My thanks and gratitude go to:
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Essay by: KLee8084
Page Created: 15th August 1998