Basic Cracking Writings
Welcome................. Cracker..........
Tutorial Cracking :

3D Mark 99 MAX

Target  : 3D Mark 99 MAX
Tool     : SoftIce v4.05, W32Dasm v8.93, Hiew 6.11

So, let's analyze 3DMark: start the program, open the register box, enter a name and a dummy code (something like 666 :)), and press OK. What happens?
Well, the program tells you that the code is invalid.
Now it's time to SoftICE it (:). Press Ctrl-D and type in SoftICE: bpx GetDlgItem, leave SoftICE, press OK again and... boom!
You're back in SoftICE!!
Now press F5, then F11, and finally keep pressing F10 until you end up here:

:0040B86A 8B4F64 mov ecx, dword ptr [edi+64] <-- ecx = the name you entered
:0040B86D 8B41F8 mov eax, dword ptr [ecx-08] <-- eax = length of the name
:0040B870 85C0 test eax, eax <-- Length = 0?
:0040B872 747E je 0040B8F2 <-- If so, jump (invalid)
:0040B874 8B5760 mov edx, dword ptr [edi+60] <-- edx = the key you entered
:0040B877 8B42F8 mov eax, dword ptr [edx-08] <-- eax = length of the key
:0040B87A 85C0 test eax, eax <-- Length = 0?
:0040B87C 7474 je 0040B8F2 <-- If so, jump (invalid)
:0040B87E 83F811 cmp eax, 00000011 <-- Is the key length 17? (you will see later why it must be 17)
:0040B881 741B je 0040B89E <-- If so, jump to the registration routine; otherwise the code is incorrect

OK, the code above is only some sanity checks on the input; we don't need it, except for one thing: the key must be exactly 17 characters long or the registration routine is never reached.
So now enter a key of 17 characters, set the bpx on GetDlgItem again and repeat the same steps (F5, F11, F10, etc.); this time the jump at :0040B881 is taken and you end up in the registration routine:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0040B89E E88DE50500 call 00469E30 <-- Not important
:0040B8A3 3C01 cmp al, 01 <-- Not important
:0040B8A5 75DC jne 0040B883 <-- Not important
:0040B8A7 8B4F64 mov ecx, dword ptr [edi+64] <-- ecx = the name (argument for the routine below)
:0040B8AA 53 push ebx <-- Not important
:0040B8AB 56 push esi <-- Not important
:0040B8AC 8B7760 mov esi, dword ptr [edi+60] <-- esi = the key you entered
:0040B8AF E8CCE50500 call 00469E80 <-- Call the key generation routine (returns the correct key in eax)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0040B8B4 8A10 mov dl, byte ptr [eax] <-- dl = first byte of the correct (generated) code
:0040B8B6 8A1E mov bl, byte ptr [esi] <-- bl = first byte of the code you entered

OK, now you know that the call at address 0040B8AF is the key generation routine. Now you will ask: "Why don't you just write a keygen?", and I answer: "I'll show you a funnier method..." :)
Let's trace into the call (press F8 in SoftICE). What do you get? The key generation routine!!!!
Here it is:

:00469E80 83EC40 sub esp, 00000040 <-- Reserve 64 bytes on the stack
:00469E83 53 push ebx
:00469E84 55 push ebp
:00469E85 56 push esi
:00469E86 8BF1 mov esi, ecx <-- esi = the name you entered
:00469E88 83C9FF or ecx, FFFFFFFF <-- ecx = -1 (maximum scan count)
:00469E8B 57 push edi
:00469E8C 33C0 xor eax, eax <-- al = 0, the byte to scan for
:00469E8E 8BFE mov edi, esi <-- edi = name
:00469E90 F2 repnz
:00469E91 AE scasb <-- Scan until the terminating NUL (an inline strlen)
:00469E92 F7D1 not ecx
:00469E94 49 dec ecx <-- ecx = name length
:00469E95 8BD1 mov edx, ecx <-- edx = name length (second argument)
:00469E97 8BCE mov ecx, esi <-- ecx = name (first argument)
:00469E99 E852FFFFFF call 00469DF0 <-- This is the interesting call
:00469E9E 8BF0 mov esi, eax <-- esi = its result

OK, now comes the funny part. The call at address 00469E99 manipulates every single character of the name and returns its result in eax. What happens if we remove the call? Note that eax is still the zero left by xor eax, eax (scasb only compares al, it does not change it), so with the call gone the mov esi, eax at 00469E9E picks up 0 instead of the per-character result.

Let's do that. Open W32Dasm and load 3dmark.exe, go to the address of the call and look at the bottom of the screen: you will see @Offset 00069E99, which is the file offset of that instruction. Now open the file with Hiew, switch to disassembler mode, press F5 and enter the offset; you are at the call. Press F3 (edit), then Enter, and type the following assembler instruction:
jmp 00469E9E
Press Esc and save the change with F9, close Hiew and go back to 3DMark. (Work on a copy of 3dmark.exe: this jmp to the very next instruction assembles to E9 00 00 00 00, five bytes like the call it replaces, so nothing after it shifts; five NOPs would do the same job.)
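The same patch as a script, as an added example that is not part of the original tutorial: it encodes the rel32 call/jmp forms, verifies that the bytes at the offset really are the listing's call 00469DF0 before touching them, and only then writes the jmp. The image base of 0x00400000 and the "file offset = VA - image base" mapping are assumptions; they reproduce W32Dasm's @Offset 00069E99 for the call at 00469E99, so they hold for this binary's code section but not for executables in general. The image it patches is a constructed stand-in, not the real 3dmark.exe.

```python
# Added example (not from the original tutorial): reproduce the Hiew patch
# from a script, verifying the original bytes before overwriting them.
#
# Assumptions (not stated on the page, labelled here):
#   - image base 0x00400000 and file offset = VA - image base; this matches
#     W32Dasm's "@Offset 00069E99" for the call at 00469E99.
#   - the five bytes at that offset are E8 52 FF FF FF ("call 00469DF0").
import struct

IMAGE_BASE = 0x00400000
CALL_VA = 0x00469E99        # address of "call 00469DF0"
CALL_TARGET_VA = 0x00469DF0
NEXT_VA = 0x00469E9E        # instruction after the call (CALL_VA + 5)
INSN_LEN = 5                # E8 rel32 and E9 rel32 are both five bytes


def va_to_file_offset(va, image_base=IMAGE_BASE):
    """Map a virtual address to a file offset (assumption: no section delta,
    which is what W32Dasm reported for this call)."""
    return va - image_base


def encode_rel32(opcode, insn_va, target_va):
    """Encode a 5-byte call (E8) or jmp (E9) with a signed 32-bit displacement
    measured from the end of the instruction."""
    rel = target_va - (insn_va + INSN_LEN)
    return bytes([opcode]) + struct.pack("<i", rel)


def decode_rel32_target(insn, insn_va):
    """Inverse of encode_rel32: the branch target of a 5-byte E8/E9."""
    if len(insn) != INSN_LEN or insn[0] not in (0xE8, 0xE9):
        raise ValueError("not a rel32 call/jmp")
    (rel,) = struct.unpack("<i", insn[1:])
    return insn_va + INSN_LEN + rel


def patch_call_to_jmp(image, call_va, target_va):
    """Replace the call at call_va with 'jmp target_va' in a bytearray image.
    Refuses to patch unless the bytes there are the expected call, so the
    wrong file or a wrong offset cannot be silently corrupted."""
    off = va_to_file_offset(call_va)
    expected = encode_rel32(0xE8, call_va, CALL_TARGET_VA)
    found = bytes(image[off:off + INSN_LEN])
    if found != expected:
        raise ValueError(f"unexpected bytes at 0x{off:X}: {found.hex()} "
                         f"(expected {expected.hex()}); wrong file or offset?")
    image[off:off + INSN_LEN] = encode_rel32(0xE9, call_va, target_va)
    return off


def constructed_image():
    """A constructed stand-in for 3dmark.exe (not the real file): filler
    bytes with the listing's call bytes placed at the tutorial's offset."""
    off = va_to_file_offset(CALL_VA)
    img = bytearray(b"\xCC" * (off + 0x100))
    img[off:off + INSN_LEN] = bytes.fromhex("E852FFFFFF")
    return img


def patched_bytes():
    """Patch the constructed image; return (offset, new instruction bytes)."""
    img = constructed_image()
    off = patch_call_to_jmp(img, CALL_VA, NEXT_VA)
    return off, bytes(img[off:off + INSN_LEN])


if __name__ == "__main__":
    # For a real copy: image = bytearray(open("3dmark.exe", "rb").read()),
    # patch_call_to_jmp(image, CALL_VA, NEXT_VA), then write it to a new file.
    off, new = patched_bytes()
    target = decode_rel32_target(new, CALL_VA)
    print(f"offset 0x{off:05X}: {new.hex(' ')} -> jmp {target:08X}")
```

The verify-before-write step is the part worth keeping for any binary patch: a displacement or offset typo lands the five bytes somewhere else in the code section and the program will crash far from the place you edited, while the check here turns that into an immediate error.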

Go to the registration box, enter a name and a code and press OK. Now you will say: "What's this? The program is still giving me the error!!!
You're a stupid cracker :))". Well, try entering the code CCCCC-CCCCC-CCCCC... boom!!!
You're a registered user of the program. From now on, whatever name you enter, the code will always be CCCCC-CCCCC-CCCCC (as you can see, the key is 17 characters long), and even if you enter a genuine code (say you bought the program earlier) the program will not accept it, because the only correct code is now CCCCC-CCCCC-CCCCC.
That's really funny (at least to me).
OK, that's all for now; the next tutorial (hopefully :) will be about making a keygen for 3DMark 99 MAX.
