Vanor - Tutorial: Registration of Web Graphics Optimizer v4.0

Program     : Web Graphics Optimizer v4.0
Description : optimize your webgraphics
Author      : (c)1997, 1998 Plenio Software Solutions
Size        : 884.736 Bytes (WebOpt.exe)
Tools       : - SoftIce
              - HexWorkshop

1. First, we must find out which kind of protection this program uses. To do this, we start "WebGraphicsOptimizer" and a window opens where we can register. So "WebGraphicsOptimizer" uses a serial number as protection!

   Now we must check whether "WebGraphicsOptimizer" is a VB program. If it isn't a VB program and it has no disassembly protection either, we usually take WDasm. To find out which kind of program it is, we start HexWorkshop and load WebGraphicsOptimizer into it. After scrolling down a little, we see the string "MSVBVM60.DLL". So "WebGraphicsOptimizer" is a Visual Basic 6.0 program and we use SoftIce to catch the serial.

2. Configure SoftIce (if necessary) and restart the system. After that, we run "WebGraphicsOptimizer".

   Fundamental settings:

     EXP=c:\windows\system\kernel32.dll
     EXP=c:\windows\system\user32.dll
     EXP=c:\windows\system\gdi32.dll
     EXP=c:\windows\system\comdlg32.dll
     EXP=c:\windows\system\comctl32.dll
     EXP=c:\windows\system\advapi32.dll

   For VB programs:

     EXP=c:\windows\system\vb40032.dll   -> Visual Basic 4.0
     EXP=c:\windows\system\msvbvm50.dll  -> Visual Basic 5.0
     EXP=c:\windows\system\msvbvm60.dll  -> Visual Basic 6.0

4. If not done yet, we start "WebGraphicsOptimizer" now. We go into the "Register" menu and enter our data. For example:

     Name              : Vanor
     Company           : DOOM
     City              : DOOMTOWN
     Registration Code : 112233445566778899

   But don't push the "REGISTER" button!

5. With CTRL-D we jump into SoftIce. There we set a breakpoint "bpx __vbastrcmp" and leave SoftIce with CTRL-D or F5. Now we click on "REGISTER"!

   SoftIce stops the program. We push F11 once (to leave the call) and see the following lines:

     015F:004C7C38  E8A7C9F3FF  Call MSVBVM60!__vbaStrCmp   ; our breakpoint
     015F:004C7C3D  85C0        test eax, eax               ; here we are now
     015F:004C7C3F  750F        jne 004C7C50
     015F:004C7C41  BA14244100  mov edx, 00412414
     015F:004C7C46  8D4DD8      lea ecx, [ebp-28]
     015F:004C7C49  E8E4C9F3FF  Call MSVBVM60!__vbaStrCopy
     015F:004C7C4E  EB5E        jmp 004C7CAE
     SNIP

   Now we step downwards with F10 (twice) until we see the following lines:

     015F:004C7C50  FF75D8      push dword ptr [ebp-28]     ; here we'll look for ebp-28
     015F:004C7C53  681C974100  push 0041971C
     015F:004C7C58  E887C9F3FF  Call MSVBVM60!__vbaStrCmp
     015F:004C7C5D  85C0        test eax, eax
     015F:004C7C5F  750F        jne 004C7C70
     SNIP

   At 015F:004C7C50 we take a look at offset [ebp-28]. To do this, we enter the following command:

     d ebp-28   -> displays the contents of an address, an offset or a register, in this case offset ebp-28

   After we have entered this command, the following first line appears in the Data Window of SoftIce:

     0167:0070D81C  4C BC 4F 00 44 3B 4F 00-D5 06 00 00 38 D9 70 00  L.O.D;O.....8.p.
     SNIP

   There is a dword at ebp-28, so we are only interested in the first 4 bytes (read backwards, because x86 stores values little-endian) -> 004FBC4C. We have found an address, and since the address is pushed before a comparison (__vbaStrCmp), it must be important ;) To learn a little more, we enter the following command:

     d 4FBC4C

   After we have entered this command, the following lines appear in the Data Window of SoftIce:

     0167:004FBC4C  57 00 50 00 31 00 2D 00-30 00 35 00 30 00 2D 00  W.P.1.-.0.5.0.-.
     0167:004FBC5C  37 00 34 00 39 00 2D 00-36 00 37 00 30 00 2D 00  7.4.9.-.6.7.0.-.
     0167:004FBC6C  31 00 34 00 33 00 2D 00-38 00 39 00 39 00 30 00  1.4.3.-.8.9.9.0.
     0167:004FBC7C  2D 00 38 00 39 00 39 00-30 00 2D 00 38 00 30 00  -.8.9.9.0.-.8.0.
     0167:004FBC8C  33 00 00 00 70 00 67 00-00 00 00 00 64 00 00 A0  3...p.g.....d...
     SNIP

   It seems to be a RegCode: WP1-050-749-670-143-8990-8990-803

5. Now that we know enough, we delete our breakpoint (bc *) and leave SoftIce (CTRL-D or F5). We get a note that our code (112233445566778899) is wrong. But this doesn't disturb us, because we have hopefully found the right code. Now we change our RegCode to the code we have found and click on "Register". Yeah, we are a "registered" user of WebGraphicsOptimizer.

6. Now we can register "WebGraphicsOptimizer" with the code we have found, e.g.:

     Name    : Vanor
     Company : DOOM
     City    : DOOMTOWN
     RegCode : WP1-050-749-670-143-8990-8990-803

7. Note: After the successful registration, WebGraphicsOptimizer writes our data into the file "license.dat" in the "WebGraphicsOptimizer" directory.

I hope you have fun with cracking!

Vanor [DOOM]
14.03.1999
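
The weakness the walkthrough relies on is that the expected code is handed to the string comparison in plaintext. The sketch below is an added example, not code from the tutorial or from the product: it models the comparison operands a debugger would show (the hypothetical `observed` list) for that design, next to a check that compares only salted digests. All names, the salt and the sample codes are constructed assumptions.

```python
import hashlib
import hmac

SALT = b"constructed-per-product-salt"  # constructed sample value
ITERATIONS = 100_000                     # assumed work factor

def derive(code: str) -> bytes:
    """Slow salted digest of a normalised registration code."""
    norm = code.strip().upper().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", norm, SALT, ITERATIONS)

def weak_check(entered: str, valid_code: str, observed: list) -> bool:
    # Design the tutorial observes: the valid code sits in memory and is
    # passed in plaintext as an operand of the string comparison.
    observed.append((entered.encode(), valid_code.encode()))
    return entered == valid_code

def hardened_check(entered: str, stored_digest: bytes, observed: list) -> bool:
    # Only digests reach the comparison; the valid code is never an operand.
    candidate = derive(entered)
    observed.append((candidate, stored_digest))
    return hmac.compare_digest(candidate, stored_digest)

def leaks(observed: list, secret: str) -> bool:
    """True if any recorded comparison operand contains the valid code."""
    needle = secret.encode()
    return any(needle in operand for pair in observed for operand in pair)

def demo() -> dict:
    valid = "XX9-000-111-222"  # constructed sample, not a real code
    wrong = "112233"           # constructed wrong entry
    stored = derive(valid)     # computed at build time; only this digest ships
    weak_seen, hard_seen = [], []
    return {
        "weak_rejects_wrong": not weak_check(wrong, valid, weak_seen),
        "weak_leaks": leaks(weak_seen, valid),
        "hard_rejects_wrong": not hardened_check(wrong, stored, hard_seen),
        "hard_accepts_valid": hardened_check(valid, stored, hard_seen),
        "hard_leaks": leaks(hard_seen, valid),
    }

if __name__ == "__main__":
    print(demo())
```

Comparing digests only keeps the valid code out of the comparison operands; the conditional branch after the compare remains a single decision point and needs its own integrity protection. For licences bound to a user name, verifying a vendor signature with an embedded public key avoids shipping anything from which a valid code can be derived.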