Cracking "Cli-Mate v 1.5"

Date         : July 18, 1999
Author       : +ViPeR+ [E]bola [V]irus [C]rew
Program Name : Cli-Mate v 1.5
Location     : http://users.nac.net/splat/climate/index.htm
Method       : VB6 program. Wide Chars Compare.

-------------------------------------------------------------------------------

First, notice that this is a Visual Basic program. I found this out because,
after tracing it for a little while, I got kind of lost, so I fired up w32dasm
to get a deadlist of this program, and that is when I found out about it.

Open the winice.dat file and add the following line at the bottom of
winice.dat:

EXP=c:\windows\system\msvbvm60.dll

Restart the computer.

Ok. Here I will just show you the procedure to find the correct registration
code.

-------------------------------------------------------------------------------

After typing your name and registration code, 'Ctrl-D' to get into Soft-Ice
and 'bpx hmemcpy'. 'Ctrl-D' out of Soft-Ice and click the 'Ok' button.

Now you are back in Soft-Ice. 'x Enter' one time. 'F11' and then 'F12' 6 times,
and you will find you are in the MSVBVM60.dll process. (If you followed the
above setting, you should be able to see something that looks like
--> MSVBVM!__&*&^%$^ <-- on the line just above your code window.)

Set a breakpoint by typing 'bpx__vbastrcmp' in Soft-Ice. (Notice: that's 2
underscores after bpx.) Get out of Soft-Ice with 'x enter' and you will be back
in Soft-Ice due to the breakpoint from 'bpx__vbastrcmp'. 'F11' to go back to
the caller. Scroll the code window up a little bit by pressing 'Ctrl-up arrow
key'. You will see something like the following in the code window.

:0046E90E E8DD3BF9FF    Call 004024F0
:0046E913 FF75BC        push [ebp-44]    ; <-- set breakpoint here
:0046E916 FF75E8        push [ebp-18]    ; <-- set breakpoint here
:0046E919 E8AE3BF9FF    Call 004024CC    ; <-- this is the call that causes
                                         ;     the break this time
:

Now, 'bc*' and set breakpoints on those two lines containing push.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Some explanation here for the above code snippet.

:0046E913 FF75BC        push [ebp-44]    ; <-- point to the location of the fake code
:0046E916 FF75E8        push [ebp-18]    ; <-- point to the location
:0046E919 E8AE3BF9FF    Call 004024CC    ; <-- call __vbastrcmp
:

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Get out of Soft-Ice and click the 'Ok' button again. This time, you will break
on line 0046E913. If you 'd ebp-44' you will see the address that points to
your fake registration code in wide char format (i.e. 5.4.5.4.5.4.5.4).
'd ebp-18' to see the location of the correct registration code and then dump
that address to see what it is. In my case, it is 'E.1.2.5.2.5.R'.

Enter

Name: evc_viper
Code: E12525R

to see the thanks-for-registering message box.

Final Note: none.

Ob Duh

Do I really have to remind you all that buying and NOT stealing the software
you use will ensure that these software houses will continue to produce even
*better* software for us to use and, more importantly, continue to offer even
more challenges to breaking their often weak protection systems.

+ViPeR+
[E]bola [V]irus [C]rew
July 18 1999
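
The compare at 0046E919 exposes the valid code because the client derives it and hands it to a string compare as plaintext. An added example (not from the original tutorial or the program's author) contrasting that pattern with a signature check in which the client holds only a public key; the toy key, the hash choice and every function name are assumptions made for illustration.

```python
import hashlib

# Constructed toy key built from two known Mersenne primes. Far too small and
# unpadded for real use; a product would use a vetted library (Ed25519, RSA-PSS).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public half, shipped inside the client
D = pow(E, -1, (P - 1) * (Q - 1))      # private half, stays with the vendor


def _digest(name: str) -> int:
    """Hash the user name to an integer below the modulus."""
    raw = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(raw, "big") % N


def vendor_issue_code(name: str) -> str:
    """Vendor side only: sign the name with the private exponent."""
    return format(pow(_digest(name), D, N), "x")


def weak_expected_code(name: str) -> str:
    """Weak pattern (hypothetical algorithm): the client derives the code itself."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()[:7].upper()


def weak_check(name: str, code: str) -> bool:
    # The valid code is a plaintext operand of this comparison, like the
    # second argument pushed before the string-compare call in the listing.
    return weak_expected_code(name) == code


def signed_check(name: str, code: str) -> bool:
    """Client side: needs only (N, E); the valid code is never computed here."""
    try:
        sig = int(code, 16)
    except ValueError:
        return False                   # not a hex string at all
    if not 0 <= sig < N:
        return False                   # out of range for this modulus
    # Recover the signed digest with the public exponent and compare it to
    # the digest of the entered name.
    return pow(sig, E, N) == _digest(name)
```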