tCA Tutorial on cracking a VB6 program - Tweaki for power users 2.7.3


Author:        YoKe
Target:        Tweaki... for power users 2.7.3
Tools needed:  Softice 4.05 | SmartCheck 6.03
Protection:    Serial


Tweaki is the first VB6 program I cracked and I want to show you how I did it.
Tweaki is a cool program, you get to mess about with loads of things. Yes! But here we are interested in that About/Register button under the Options tab. So let's click on it, enter any silly name and serial and hit Enter... Damn, it was obviously "wrong serial". Let's try again, this time with Softice loaded!! But this is a Visual Basic program, so a breakpoint on GetWindowTextA or GetDlgItemTextA or anything like that won't work. So what could we use? Hmm, I tried and looked up the imports in Win32Dasm. I noticed what look like string compares (which could compare our serial to the right one): MSVBVM60!__vbaStrCmp and MSVBVM60!__vbaStrComp. But I put a breakpoint on these and clicked Register; sure enough Softice broke, but there is no real reference to the serial and much tracing has to be done. (Note: to put a breakpoint on a VB6 program this line must be added to winice.dat with the other imports: EXP=c:\windows\system\msvbvm60.dll)

So let's try a different plan: use SmartCheck 6.03, a Visual Basic debugger. Load it up. Make sure you have it set up correctly (there are some tuts on the net on how to do this). Now in SmartCheck load up Tweaki.exe, then press F5 to open the program under SmartCheck. When it has finished loading, register Tweaki with the name YoKe [tCA] and enter any serial. Now hit Register. Go to SmartCheck and search for YoKe [tCA]; you should see:


Left&(String:"YoKe [tC...", long:1)

Much more code follows; it looks like it examines every letter separately. Anyway, go down until you see:

Double (1.05141e+008) --> String ("105141015")     <- hmm, this looks like a serial!!!

Right under this we see the invalid-serial MsgBox, and above it we see the date and time (see the note below *).


So a serial is calculated from all that we've seen above, and what we saw looks like a serial in SmartCheck, so let's check it: enter it in Tweaki... God! It doesn't work. It is a serial, we know this because there is no other reference to a serial in SmartCheck; maybe something is done with the serial, or something is added onto the serial that is not showing up in SmartCheck. At that point I got an idea... just follow along. Load up Softice, enter Name: YoKe [tCA] and any serial (not the one above, I will explain later), now press CTRL+D and type bpx hmemcpy to put a breakpoint on memory. Now hit F5 and click Register. Softice breaks; now what we are going to do is search for our serial in memory. I searched in hex, so you do that too (if you do not know the characters in hex, use a hex editor to find out). 105141015 in hex is 31 30 35 31 34 31 30 31 35, but as you may know, text in memory of a VB program is in wide char format: it has a . between the characters, but it's not a full stop, whose hex is 2E, it's a different char whose hex is 00. So we will search for the serial in wide char in hex by typing in Softice:

s 0 l ffffffff 31 00 30 00 35 00 31 00 34 00 31 00 30 00 31 00 35
(   1   .   0   .   5   .   1   .   4   .   1   .   0   .   1   .   5 )

So when you have typed s 0 l ffffffff 31 00 30 00 35 00 31 00 34 00 31 00 30 00 31 00 35, Softice should find something. Look in the ASCII window and you should see something like:


....1.0.5.1.4.1.0.1.5.N.U.J......
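
The reason the plain-ASCII byte search would miss the string while the "31 00 30 00 ..." search finds it is that VB6 keeps strings as UTF-16LE, so each ASCII character is followed by a 00 byte, which the debugger's ASCII pane draws as a dot. The following Python is an added example, not code from the tutorial or from Tweaki: it builds both byte patterns for any string, renders a constructed memory buffer the way the ASCII window does, and shows that only the wide-char pattern matches. The `find_pattern` helper and the `SAMPLE_MEMORY` buffer are constructed for this example; the only real value reused is the tutorial's own string.

```python
# Added example: why an ASCII search misses a VB6 string in memory,
# and what the matching wide-character (UTF-16LE) pattern looks like.
# SAMPLE_MEMORY is a constructed buffer standing in for a slice of process memory.

def ascii_hex(s: str) -> str:
    """Hex bytes of s as plain 8-bit ASCII (the naive search pattern)."""
    return s.encode("ascii").hex(" ")


def wide_hex(s: str) -> str:
    """Hex bytes of s as VB6 stores it internally: UTF-16LE, so every
    ASCII character is followed by a 00 byte."""
    return s.encode("utf-16-le").hex(" ")


def ascii_window(data: bytes) -> str:
    """Render bytes the way a debugger's ASCII pane does: printable
    characters as-is, every other byte (including 00) as a dot."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def find_pattern(memory: bytes, needle: bytes) -> int:
    """Offset of needle in memory, or -1 if absent (a one-buffer stand-in
    for a debugger's memory search)."""
    return memory.find(needle)


def search_cmd(s: str) -> str:
    """Hypothetical helper: a Softice-style 's <start> l <len> <bytes>' line
    for the wide-char form of s (the trailing 00 is kept; a BSTR has it)."""
    return f"s 0 l ffffffff {wide_hex(s)}"


# Constructed memory slice: some padding, the UTF-16LE string, a terminator.
SAMPLE_MEMORY = b"\x00" * 4 + "105141015NUJ".encode("utf-16-le") + b"\x00\x00"


def demo(value: str = "105141015NUJ") -> dict:
    """Return both patterns, both search results, and the ASCII-pane view."""
    return {
        "ascii_pattern": ascii_hex(value),
        "wide_pattern": wide_hex(value),
        "ascii_hit": find_pattern(SAMPLE_MEMORY, value.encode("ascii")),
        "wide_hit": find_pattern(SAMPLE_MEMORY, value.encode("utf-16-le")),
        "window": ascii_window(SAMPLE_MEMORY),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:14}: {val}")
```

The wider lesson for anyone designing such a check is the one this tutorial demonstrates: a serial that is assembled in memory as a plain string and compared with `__vbaStrCmp` is readable by anyone who can search process memory at the moment of the compare, whatever encoding it sits in.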


Well, cool?!! Our finished serial (we hope). Type BC * to clear the breakpoint and F5 to exit Softice. Now in Tweaki enter Name: YoKe [tCA] and Serial: 105141015NUJ and click Register... weyhey, it says registered!!

Note: NUJ seems to be put on the end of the serial that we get in SmartCheck, but I cracked this in June 2000; if I change the month to July 2000 the serial is invalid!! Weird protection. (* When I cracked 2.4.0 back some time ago my serial was 105141015YAM. In other words, the first part of the serial is always the same and the last part changes as the date changes, but once you are registered you are always registered.) On 3 July 2000 the serial for me is 105141015LUJ.

I hope you have learned something here. Mail me at yoke@tca2k.net if you did, or if anything is incorrect here, if the tut is f**ked and wrong, or you know a different way to crack this program. Or visit us at www.tca2k.net = tHE cRACKiNG aNSWER. Chat to me in #tca2k or #cotd on EFNet.

-=[ Greetz to: sEVanD02k, kab00m, Apus, LAP, NADA, weed2k, ZuleikaH, r00t_HT, Speedystep, Subzonic, NaRRoW, TiVe, TheTiggA, JackBlack, IBLUN and the rest of the [tCA] + [CotD] crew  03/06/2000 ]=-

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>