ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

mIRC v. 6.16
Cracking


Information: Cracking and CRC defeating
Target: mIRC v. 6.16
Available: http://www.mirc.com/get.html
Tools: OllyDbg 1.10
Protection: Trial 30 days
Level: Beginner
Category: Cracking
Author(s): ThunderPwr, October 2004
Requirements: Windows 2K, XP, IE 5.5 and above for best viewing


1. Introduction


mIRC is an IRC client (program) developed for the Windows platform; using it you can exchange text messages interactively with other people all over the world. mIRC is a highly configurable IRC client with all the goodies other clients on UNIX, Macintosh and even on Windows offer, combined with a *nice* and clean user interface. mIRC offers full color text lines, DCC File Send and Get capabilities, programmable aliases, a remote commands and events handler, place sensitive popup menus, a great Switchbar, World Wide Web and sound support, and... a lot more. mIRC is shareware but not crippled in any way.

Throughout this short tutorial, a step-by-step explanation shows how to bypass the serial registration and defeat the integrity check.



2. What we can do


Our purpose is to obtain a full registration and defeat the CRC integrity check.



STEP 1 – Executable file analysis after installation


When the installation process has finished you must check whether the target program is encrypted/packed or in plain form. To do this we can use the PEiD file scanner, see figure 1 for detail:


Fig. 1 PEiD file scanner detail.

Well, the program isn't packed. The next step is to search for an integrity check (CRC or similar), if one exists; to do this you can use the PEiD crypto analyser plugin (KANAL v2.7), which gives:


Fig. 2 Crypto signature.

There is a crypto signature built in to validate the file's integrity (anti-patching); no problem, in the following section we defeat it very quickly.



STEP 2 – Debugging and cracking


Now it's time to get to know the target: execute it and look at its behaviour. When you launch the executable there is a nag screen which tells us about the remaining evaluation days (this is a 30 day evaluation version); to unlock the program you have to register it.


Fig. 3 Nag screen about evaluation time.

Press Continue and then close the program. Load the executable into OllyDbg:


Fig. 4 Starting code after you've loaded it into OllyDbg.

Press F9 to run the executable; the nag screen of figure 3 appears, press Continue, and another window about user Options appears. Fill it with your data (Full Name can be set equal to your Nickname), enter your e-mail address and press the OK button:


Fig. 5 mIRC user detail.

Now it's time to take a look at the registration page: go to the Help menu and then select Register...:


Fig. 6 Go to the registration window.

A window appears; write your name and a fake registration code:


Fig. 7 Registration window.

Press OK to continue; a new message box appears informing you that the serial is wrong:


Fig. 8 Registration error.

Now go to the code window in OllyDbg and press F12 to pause program execution, then press ALT+K to show the call stack and see from where in the program this message box was called:


Fig. 9 Call stack about the registration messagebox.

The first call before DialogBoxParamA is the code section from which this message is shown; press CTRL+G and enter 004675D0 to jump to this address (you can also simply double click on the mirc.004675D0 address):


Fig. 10 DialogBoxParamA calling used to show the registration message.

Place a breakpoint on 004675D0 (press F2 on it) and run the program; enter your fake registration again and press OK. OllyDbg stops on this breakpoint; look at the register window: EAX points to the error message string, so the check must happen before this call. To find the code which called this routine look at figure 9, column Called from: you have mirc.004B7CEE (the mirc prefix before the address means that this address resides in the main executable module and not in some DLL or other executable module). Scroll up in the code and place another breakpoint on 004B7C00, try the registration again and check whether the error message is in the register window. When OllyDbg stops at 004B7C00 there is nothing in the register window, but the message is in the stack window, so the serial check is made before this point.
From figure 9 the calling code is at 004C7D4F; scroll up in the code until you reach this section:


Fig. 11 Code section about serial verification.

There are some interesting points: at 004C7BD2 there is a pointer to the entered serial code, the next instruction points to the user name, after this there is a call to check the code and then a TEST EAX,EAX instruction.
If you step through the code, after CALL 004C766E there is another TEST EAX,EAX: if EAX is equal to 1 the serial code was right and is accepted, if EAX is equal to 0 the code entered is wrong.


Fig. 12 Serial checking.

To force the registration you have to patch the executable. There are several ways to do this: you can place an INC EAX instruction followed by a NOP, or a single MOV AL,1 instruction; I prefer the latter because some programs check for NOP instructions:


Fig. 13 First patch, to make every serial accepted.

Try the registration again with a fake registration code and press OK; now any code is accepted:


Fig. 14 Forced registration with any serial.

Press OK and the registration is confirmed:


Fig. 15 Step 1 completed.

Save the change to the executable: right click, then Copy to executable -> Selection; then right click again in the new window and choose the Save file option to patch the file.

Well, close OllyDbg and run the executable to see if this works. Apparently it doesn't: nothing appears, hence there is some integrity check to defeat. Load the patched file into OllyDbg and run it (F9): the program stops and terminates. Ok, now it's time to find and defeat the integrity check so that the patched program keeps working. There are several methods to find the integrity control; my first approach is based on comparing the behaviour of the original executable and the patched one, and to do this you have to trace the program flow of each executable.
To make this check faster, first use the Trace over option (CTRL+F12) to make a high-level comparison between the obtained trace listings. To do this, first open the Run trace window; there is a button for it on the OllyDbg command bar (the one highlighted in red).

When you've pressed this button a new window appears; right click in it and select Log to file, then choose a file name:


Fig. 16 Set the Log to file tracing.

Go to the OllyDbg Debug menu and select the Open or clear run trace option, then select the Trace over option (or simply press CTRL+F12) and wait until the program terminates:


Fig. 17 Open the trace feature.

Now load the original executable into OllyDbg and follow the same procedure to trace it until you reach the main program window; at this point you can stop program execution (press F12).

Well, compare these two trace listings and find the first difference between them. Looking at the patched version gives:

Address  Thread Command                          Registers and comments
0057472B Main   PUSH mirc.00593220
00574730 Main   CALL mirc.005769A8           
   EAX=0012FFB0, EBP=0012FFC0
[...]
005748A2 Main   CALL NEAR EDI    
                EAX=00400000
005748A4 Main   PUSH EAX
                         Arg1 = 00400000
005748A5 Main   CALL mirc.004DF160               EAX=00000000, ECX=0000276D, EDX=71A4224C

For the original executable you have:

Address  Thread Command                          Registers and comments
0057472B Main   PUSH mirc.00593220
00574730 Main   CALL mirc.005769A8           
   EAX=0012FFB0, EBP=0012FFC0
[...]

005748A2 Main  CALL NEAR EDI                      EAX=00400000
005748A4 Main  PUSH EAX                           Arg1 = 00400000
005748A5 Main  CALL mirc.004DF160                  EAX=00000000, ECX=00C00000, EDX=F8785D64,
                                                  EBX=00000000, EBP=0012F228, EDI=00000000

Now you can put a breakpoint at 005748A5 and repeat the trace analysis and comparison between the patched and original executables starting from address 004DF160. After this you also have to repeat the trace process starting from 004DAFF0. If you check this code, near the RET instruction at address 004DB0E6 there is a section of code which is not executed in the patched version; to force it you have to place some NOP instructions, see figure 18:
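The trace comparison described above, done programmatically: this is an added example, not code from the tutorial or from OllyDbg. It parses two Run trace logs in the column layout shown in the listings (that layout is an assumption taken from them), reports the first instruction where control flow or register values diverge, and uses an abbreviated copy of the two listings as sample input.

```python
import re

# Added example (not from the tutorial): compare two OllyDbg 1.10 run-trace logs saved
# with "Log to file" and report where they first part ways. The layout is assumed from
# the listings above: address, thread, command, then register/argument comments either
# in the right-hand column or on indented continuation lines that carry no address.
ENTRY_RE = re.compile(r"^([0-9A-F]{8})\s+\S+\s+(.*)$")
REG_RE = re.compile(r"\b(E[ABCD]X|E[SD]I|E[SB]P)=([0-9A-F]{8})")

def parse_trace(text):
    """One {"address", "command", "regs"} dict per traced instruction."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Address") or raw.strip() == "[...]":
            continue  # header, blank and elided lines carry no trace data
        m = ENTRY_RE.match(raw)
        if m:
            # columns are separated by runs of spaces; the first one is the command
            parts = re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)
            regs = dict(REG_RE.findall(parts[1])) if len(parts) > 1 else {}
            entries.append({"address": m.group(1), "command": parts[0], "regs": regs})
        elif entries:
            entries[-1]["regs"].update(REG_RE.findall(raw))  # indented continuation
    return entries

def first_divergence(original, patched):
    """(index, kind, detail) of the first difference, or None; kind is "command" (control
    flow diverged), "registers" (same instruction, different values) or "length"."""
    for i, (o, p) in enumerate(zip(original, patched)):
        if (o["address"], o["command"]) != (p["address"], p["command"]):
            return i, "command", {"original": o["command"], "patched": p["command"]}
        common = o["regs"].keys() & p["regs"].keys()
        changed = {r: (o["regs"][r], p["regs"][r]) for r in common if o["regs"][r] != p["regs"][r]}
        if changed:
            return i, "registers", {"address": o["address"], **changed}
    if len(original) != len(patched):
        return min(len(original), len(patched)), "length", (len(original), len(patched))
    return None
# Sample input, abbreviated from the two listings in the tutorial.
ORIGINAL_TRACE = """\
Address  Thread Command                          Registers and comments
005748A2 Main  CALL NEAR EDI                      EAX=00400000
005748A5 Main  CALL mirc.004DF160                  EAX=00000000, ECX=00C00000, EDX=F8785D64,
                                                  EBX=00000000, EBP=0012F228, EDI=00000000
"""
PATCHED_TRACE = """\
005748A2 Main   CALL NEAR EDI
                EAX=00400000
005748A5 Main   CALL mirc.004DF160               EAX=00000000, ECX=0000276D, EDX=71A4224C
"""
```

On the two sample listings the first difference is reported as "registers" at 005748A5, the ECX/EDX change that the tutorial spots by eye; a "length" result means the shorter trace ended early, as the patched mIRC does when it terminates.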


Fig. 18 Defeating the integrity check.

Save the change to the patched executable and run it: this time it works. Make your fake registration and all the work is done; when you start mIRC again no nag screen about the remaining time appears, so your fresh mIRC copy is registered!



3. Conclusion


I hope this tutorial can be useful to understand some simple tracing/comparison techniques to defeat integrity check controls, and I hope to see all ARTeam friends on the IRC channel soon.

Remember, if you plan to use this software you must purchase the product in order to support the author in developing other good software.

Any suggestion, correction or criticism is welcome; if you need help with this tutorial or other stuff you can reach me on the ARTeam forum.



4. Greetingz

[MAIN TEAM]
| Nilrem | Ferrari | MaDMAn_H3rCuL3s | EJ12N | Kruger | Shub-Nigurrath | Jdog45 | Teerayoot | R@Dier |

[TRIAL MEMBERS]
| ThunderPwr | Eggi |

ThunderPwr