Name      : Web Tacho
Version   : 1.20.3
Editor    : Internolix
Target    : webtacho.exe
s/n saved : HKEY_CURRENT_USER\Software\VB and VBA Program Settings\WebTacho
Tools     : Softice
            Brain
Cracker   : LW2000
Tutorial  : No.25

www.Internolix.com

---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

1. We go to the regscreen and enter the details.

   Name: LW2000
   Key : 1230099

   *BOOM* We get an error message saying that our code is not correct. What the hell is this?
   Seems that we found a bug... ;) Let's fix it.

2. Close Webtacho. Let's snoop a bit. Mhmm, MSVBVM50.DLL in the import table. This means
   we have a Visual Basic 5 proggy. This is no real problem, it only means we can't use
   W32Dasm very well... but Softice =)

   Ok, first a little bit of knowledge about VB5 proggies. The compare function is NOT in
   the *.exe, it is in the system file MSVBVM50.DLL.

   Start Webtacho and enter the details again. Press [ctrl]+[d] to switch to Softice.

   bpx hmemcpy

   (hey, I hope you have the MSVBVM50.DLL in your winice.dat....)

   [F5] to return to the app. Now press ok. Sice pops up. Press F11 to get the caller and
   then trace with F10 through the code until you are in MSVBVM50.DLL. Now 'bd *' the old
   bpx's.

   The compare function in VB is always the same:

   : 56          push esi
   : 57          push edi
   : 8B7C2410    mov edi, [esp + 10]
   : 8B74240C    mov esi, [esp + 0C]
   : 8B4C2414    mov ecx, [esp + 14]
   : 33C0        xor eax, eax
   : F366A7      repz cmpsw            <<--- (WideChar) String ds:esi

   Let's search for this code. Enter:

   's 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7'

   If you don't like to type it every time, put it into a shortcut in the Winice.dat.
   I.e. my shortcut is [Alt]+[F4] (I love this window killer shortcut! ;)
   If you don't know how to add a shortcut for Sice, ask me or take a look in a Softice
   tut in tKCs Cracking tutorials.

   For example, Sice found 0517:0E7B8411. Then we will bpx on 0157:0E793B84.

   'bpx 0517:0E7B8411'

   Then press F5 to return to the app.

   Sice will pop up at our bpx, then we can take a look at our fake serial ('d esi') and
   the correct serial ('d edi'). But remember this is the WideCharFormat!! This means
   '1234' is '1 2 3 4'.

4. Ok, all done? Got your serial? Let's try it.

   Congratulation! You are a registered user.

FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me LW2000@gmx.net !!!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!
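
The WideCharFormat remark above, as an added example that is not part of the original tutorial: VB5 keeps strings as 16-bit little-endian code units, so each ASCII character is followed by a zero byte in a byte dump. The buffer and the function names below are constructed for illustration and are not taken from the program.

```python
# Added illustration: how a UTF-16LE ("WideChar") string looks in a byte dump.
# SAMPLE is constructed data, not a capture from the program.

def hexdump_row(buf: bytes, offset: int = 0, width: int = 16) -> str:
    """Render one dump row: offset, hex bytes, printable-ASCII column."""
    chunk = buf[offset:offset + width]
    hex_part = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
    ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
    return f"{offset:08X}  {hex_part}  {ascii_part}"

def read_wide_string(buf: bytes, offset: int = 0) -> str:
    """Decode a NUL-terminated UTF-16LE string starting at offset.

    Stops at the first 16-bit zero code unit, or at the last complete
    code unit when the buffer ends without a terminator.
    """
    end = offset
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[offset:end].decode("utf-16-le", errors="replace")

def wide_units(text: str) -> int:
    """Number of 16-bit code units in text (cmpsw compares one per step)."""
    return len(text.encode("utf-16-le")) // 2

# Constructed sample: the key typed in step 1, stored as a wide string,
# followed by its 16-bit terminator and two unrelated trailing bytes.
SAMPLE = "1230099".encode("utf-16-le") + b"\x00\x00" + b"\xCC\xCC"

if __name__ == "__main__":
    print(hexdump_row(SAMPLE))       # ASCII column shows 1.2.3.0.0.9.9...
    print(read_wide_string(SAMPLE))  # decoded back to 1230099
    print(wide_units("1234"))        # 4 code units, 8 bytes in memory
```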