PROG: InfoSpy v2.61
TYPE: 16-bit
PROT: Name/Reg
CHECK: 240F:06EC JZ
HEX:

1. Let's find the protection
   a. BPX GetDlgItemText        ; set our breakpoint in SoftICE
   b. Run InfoSpy               ; and enter some registration info
      1) help, use registration key
      2) enter your first name, last name, and any reg number
      3) click ok
   c. ICE pops
      1) F11                    ; step out of the function
      2) F10, F10, F10,...      ; walk thru the code
   d. Gets first string, runs thru loop to calculate reg code
   e. Gets second string, runs thru loop to calculate reg code
   f. After stepping thru the loops I found the final compare at 240F:06EC
      (your memory segment may be differnt; it's the JZ 06F1)
   g. Keep stepping thru and it'll beep and display invalid reg code
2. Since we now know the final compare (JZ) is at 240F:06EC
   a. BC 0                      ; clear the original breakpoint
   b. BPX 240F:06EC             ; set a new breakpoint before the compare
   c. Run InfoSpy, enter your first name, last name, and any reg number, ok
   d. ICE pops
   e. R FL Z                    ; toggle zero flag
   f. F10, F10, F10,...         ; continue running
   g. Or just Ctrl-D a few times to get back to the program
3. Thank you for registering!
4. Key is written to \windir\infospy.ini
   [InfoSpy]
   RegStat=DLBGJ4320
5. Happy cracking!

PROG: Win-eXpose Registry v1.0
TYPE: 32-bit
PROT: Name/Reg
CHECK: 0137:004024F9 JZ
HEX: 0F84CF, replace with E9D000

1. Use same approach as InfoSpy...
2. Final compare is at 0137:004024F9
3. BPX 0137:004024F9
4. R FL Z                       ; toggle zero flag
5. Thank you for registering!
6. Stepping thru the program, found real password:
   First, Lst name: dr
   Company name: LAN
   Address line #1: 1
   Address line #2: 1
   Serial Number: 1
   Password: f422c070

PROG: Win-eXpose I/O v2.0
TYPE: 32-bit
PROT: Name/Reg
CHECK: 0137:004061D9 JZ
HEX: 0F84CF, replace with E9D000

1. Use same approach as Win-eXpose Registry...
2. Final compare is at 0137:004061D9
3. BPX 0137:004061D9
4. R FL Z                       ; toggle zero flag
5. Thank you for registering!
6. Stepping thru the program, found real password:
   First, Last name: dr
   Company name: LAN
   Address line #1: 1
   Address line #2: 1
   Serial Number: 1
   Password: f422c070

PROG: StartClean v1.2
TYPE: 32-bit
PROT: Name/Reg
CHECK: BPX lstrcmpA
HEX:

From Qapla's Cracking Tutorial...

BPX lstrcmpA    ; in sICE

Enter name and a bogus registration number and click ok.
I entered drLAN, 12345.

.
.
.
PUSH EAX        ; push your code on the stack
PUSH 406030     ; push the right code on the stack
CALL [KERNEL32!lstrcmp] ; compare them
TEST EAX,EAX    ; test results of string compare and set Zero flag
JNZ 00401271    ; 1 = bad boy; not reg'd, 0 = good boy; reg'd
.
.
.

d 406030        ; here's the right code

972-8766-1717-341

PROG: WizCat Pro v4.2
TYPE:
PROT: Name/Reg
CHECK: 2F97:CED9 JZ
HEX:

2F97:CED9 3C01          CMP AL,01       ; holy flag
2F97:CEDB 7403          JZ CEE0         ; 0=good guy; reg'd
2F97:CEDD E9DD00        JMP CDBD        ; <>0=bad guy; beggar off

A good, clean crack would be:

MOV AL,01
JMP CEE0

However, the program does some internal checking and won't run if modified.
So, all we can do is find the correct reg code and then use it.

I entered drLAN, 006969.  Then searched for my reg code and set BPR's on
the ranges.

s 0 l ffffffff '006969'.  Should find the entered code in memory.
BPR ssss:oooo SSSS:OOOO RW.  Where ssss:oooo is segment:offset of starting
address where string resides.  SSSS:OOOO is ending address (last byte of the
string).

I eventually found my reg code somewhere that BX pointed to.  It showed up
as one big ugly number, and then a little earlier in memory in the correct
format: 42041-7420.

So to register, use:

drLAN
42041-7420