Name      : Web Tacho

Version   : 1.20.3

Editor    : Internolix

Target    : webtacho.exe

s/n saved : HKEY_CURRENT_USER\Software\VB and VBA Program Settings\WebTacho

Tools     : Softice
            Brain

Cracker   : LW2000

Tutorial  : No.25

www.Internolix.com


---
DISCLAIMER
For educational purposes only!
I hold no responsibility for any misuse of this material!
---

1.	We go to the registration screen and enter the details.
	Name: LW2000
	Key : 1230099

	*BOOM* We get an error message that our code is not correct.

	What the hell is this? Seems that we found a bug... ;)
	Let's fix it.

2.	Close Webtacho. Let's snoop a bit.
	Mhmm, MSVBVM50.DLL in the import table. This means we have a
	Visual Basic 5 proggy. This is no real problem; it only means
	we can't use W32Dasm very well... but Softice =)

	Ok, first a little bit of knowledge about VB5 proggies. The compare
	function is NOT in the *.exe, it is in the runtime DLL
	MSVBVM50.DLL.
        
	Start Webtacho and enter the details again. Press [ctrl]+[d]
	to switch to Softice.

	bpx hmemcpy
	(hey, I hope you have MSVBVM50.DLL in your winice.dat....)

	[F5] to return to the app. Now press OK. Sice pops up.
	Press F11 to get to the caller and then trace with F10 through
	the code until you are in MSVBVM50.DLL. Now 'bd *' the old bpx's.

	The compare function in VB is always the same:

	56          push esi
	57          push edi
	8B7C2410    mov edi, [esp+10]
	8B74240C    mov esi, [esp+0C]
	8B4C2414    mov ecx, [esp+14]
	33C0        xor eax, eax
	F366A7      repz cmpsw        <<--- compares ecx words (WideChar) at ds:esi with es:edi


	Let's search for this code. Enter:

's 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7'

	If you don't like typing it every time, put it into a shortcut in
	the Winice.dat. E.g. my shortcut is [Alt]+[F4]
	(I love this window-killer shortcut! ;)
	If you don't know how to add a shortcut for Sice, ask me or take
	a look at a Softice tut in tKC's cracking tutorials.

	For example, Sice found 0517:0E7B8411. Then we set a breakpoint
	on exactly that address: 'bpx 0517:0E7B8411'. Then press F5 to
	return to the app.

	Sice will pop up at our bpx, and we can take a look at our
	fake serial ('d esi') and the correct serial ('d edi').
	But remember, this is the WideChar format!! Every character is
	followed by a zero byte, so '1234' shows up as '1 2 3 4'.
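	Added example (mine, not part of the tutorial and not code from
	Webtacho or the VB runtime): it redoes offline what the Sice session
	above does by hand. It scans a byte image for the signature from the
	's' command, decodes the wide-char dumps you would read with 'd esi' /
	'd edi', and emulates 'repz cmpsw' so you can see what ecx holds when
	the loop stops. The image, the entered key and the "correct" key below
	are constructed sample data; the stand-in for edi is NOT a real serial,
	and the assumption that ecx is the length of the shorter string is
	mine (the real value is whatever the caller put at [esp+14]).

```python
import struct

# Signature of the VB5 runtime wide-string compare prologue quoted in the tutorial:
# push esi / push edi / mov edi,[esp+10] / mov esi,[esp+0C] / mov ecx,[esp+14] / xor eax,eax / repz cmpsw
VB_STRCMP_SIG = bytes.fromhex("56578b7c24108b74240c8b4c241433c0f366a7")


def find_signature(image, sig=VB_STRCMP_SIG):
    """Offline equivalent of Sice's  s 0 l ffffffff 56,57,...  : every offset in `image` where `sig` occurs."""
    hits, start = [], 0
    while (idx := image.find(sig, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def to_wide(s):
    """Encode like a VB string (UTF-16LE, NUL-terminated) to build sample memory dumps."""
    return s.encode("utf-16-le") + b"\x00\x00"


def wide_to_str(dump):
    """Decode what 'd esi' / 'd edi' shows: 16-bit chars, stop at the first zero wchar."""
    chars = []
    for off in range(0, len(dump) - 1, 2):
        (code,) = struct.unpack_from("<H", dump, off)
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars)


def sice_ascii_column(dump):
    """Render the ASCII column of a Sice 'd' dump: non-printables as '.', so '1234' reads '1.2.3.4.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in dump)


def repz_cmpsw(esi, edi, ecx):
    """Emulate 'repz cmpsw': compare up to ecx 16-bit words, stop at the first difference.
    Returns (all_equal, ecx_after), i.e. what ZF and ecx hold when the rep loop exits."""
    if len(esi) < 2 * ecx or len(edi) < 2 * ecx:
        raise ValueError("buffers shorter than ecx words")
    for n in range(ecx):
        a = struct.unpack_from("<H", esi, 2 * n)[0]
        b = struct.unpack_from("<H", edi, 2 * n)[0]
        ecx -= 1                     # rep decrements ecx after every cmpsw
        if a != b:
            return False, ecx
    return True, ecx


def inspect_compare(esi_dump, edi_dump):
    """What you read off at the breakpoint: the entered key (esi), the key it is compared
    against (edi), and how far the compare got. Assumption: ecx = length in words of the
    shorter string; the real ecx is whatever the caller passed at [esp+14]."""
    entered, expected = wide_to_str(esi_dump), wide_to_str(edi_dump)
    equal, ecx_left = repz_cmpsw(esi_dump, edi_dump, min(len(entered), len(expected)))
    return {"entered": entered, "expected": expected, "match": equal, "ecx_after": ecx_left}


# Constructed sample data (not the real runtime image and not a real Webtacho serial).
SAMPLE_IMAGE = b"\x90" * 0x40 + VB_STRCMP_SIG + b"\xcc" * 0x20
ENTERED_DUMP = to_wide("1230099")          # the key typed in step 1
EXPECTED_DUMP = to_wide("1234567")         # placeholder stand-in for what 'd edi' would show

if __name__ == "__main__":
    print("signature at:", [hex(o) for o in find_signature(SAMPLE_IMAGE)])
    print("d esi ->", sice_ascii_column(ENTERED_DUMP))
    print(inspect_compare(ENTERED_DUMP, EXPECTED_DUMP))
```

	Two things to take away: the search only hits the one spot where the
	runtime's compare prologue lives, so a single bpx there catches every
	VB string compare (not just the serial check, so expect a few false
	pops); and after the loop stops, ecx tells you how many words were
	left, which is a quick sanity check that you are looking at the right
	pair of operands before you copy a serial out of the edi dump.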

3.	Ok, all done? Got your serial? Let's try it.


Congratulation! You are a registered user.


FINISH! Easy, isn't it?

cu LW2000
Any comments? Mail me LW2000@gmx.net !!!
----
tKC, thx for your tutorials!
I started with tutorial 1 and I still read them... they are the best!