There is a crack, a crack in everything. That's how the light gets in.
Method 1
This program is written in Visual Basic 6, so we know we can't use the common Win32 APIs (GetDlgItemTextA, GetWindowTextA, etc.). We are stuck using the Visual Basic comparison APIs like __vbastrcomp and __vbastrcmp. If those don't work, we can try MultiByteToWideChar, or HMEMCPY if all else fails. To save you the time, __vbastrcmp is the correct one for this. So press CTRL-D to get into Soft-ICE, then type in "bpx __vbastrcmp", without the quotes. Soft-ICE should pop at code location 0137:00403661, on the instruction CALL __VBASTRCMP. (Note: the 0137 in the code location is a code segment and may be different on your computer.) Just to show you where you should be (and to make myself feel more sophisticated by giving asm code in this tut :) ), here is the listing:
:0040365B 68DC214000 push 004021DC ;<--Interesting
:00403660 50 push eax ;<--Interesting
* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:00403661 FF1544104000 CALL __VBASTRCMP ;<----We land here!
:00403667 8BF0 mov esi, eax
:00403669 8D4DE8 lea ecx, dword ptr [ebp-18]
:0040366C F7DE neg esi
:0040366E 1BF6 sbb esi, esi
:00403670 46 inc esi
:00403671 F7DE neg esi
* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:00403673 FF1598104000 CALL __VBAFREESTR
:00403679 8D4DE4 lea ecx, dword ptr [ebp-1C]
* Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h
|
:0040367C FF159C104000 CALL __VBAFREEOBJ
* Reference To: MSVBVM60.__vbaBoolStr, Ord:0000h
|
:00403682 8B1D20104000 mov ebx, dword ptr [00401020]
:00403688 684C224000 push 0040224C
:0040368D FFD3 call ebx
:0040368F 663BF0 cmp si, ax ;<---Check to see whether the serial is correct
:00403692 756E jne 00403702 ;<--Is it correct? Then take the jump.
* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
|
:00403694 8B3584104000 mov esi, dword ptr [00401084]
That above code snippet is all you need to apply a TON of cracks/patches to this program... Although to a newbie it may seem confusing, it is really pretty simple... Now here's what you do... Right when you break, scroll up in the code window... See those two instructions right above the CALL? The two push instructions say 'PUSH EAX' and 'PUSH 004021DC'... Two pushes right before a string compare routine... If you have been cracking for a while, a siren should go off in your head telling you what to do.

However, if you are new at this, here is what you do: Right after Soft-ICE breaks, type in 'D EAX' (don't forget to type 'wd' to toggle the data window)... In the hex/data window, you will see the serial number you entered in wide character format, since VB programs make all strings wide character strings... In my case I entered 123123, so I see 1.2.3.1.2.3. The command 'D EAX' does a memory dump of a code location or register. EAX is a register; here it holds the address of a string... Since we saw the PUSH EAX instruction, which pushes EAX onto the stack, and were curious as to what EAX held, typing D EAX shows us that.

Now above that you see yet ANOTHER PUSH instruction... Again, if you have been cracking a while, a siren should go off in your head... This push instruction pushes the memory location 004021DC onto the stack... To display it, type 'D 004021DC' and look in the data window... You will see, in wide character format, S.e.r.i.a.l..m.u.s.t..b.e..a.t..l.e.a.s.t..o.n.e.c.h.a.r.a.c.t.e.r.s..l.o.n.g.!. What could that be?? Press CTRL-D to get out of Soft-ICE, and you will get a msg box saying "Wrong serial!"... Now erase the serial you typed in, and while there is nothing in the serial box, press OK... You get again the message 'Wrong serial!'... Wait a second! Shouldn't the "Serial must be at least one characters long!" message show up? Hmm... If the 'Serial must be at least...' message doesn't show up when you type less than one character, what IS it for?? Could it be the serial?
Only one way to find out... Type it into the box, and press OK... You will get a "Good job tell me how you did it!" message... Job done... This is probably the easiest method... Now, for those of you who are interested, I am going to show one way to patch this program.
Method 2: Patching
This second method is how to patch it...From the above, you know that the following code snippet:
:0040365B 68DC214000 push 004021DC
:00403660 50 push eax
* Reference To: MSVBVM60.__vbaStrCmp, Ord:0000h
|
:00403661 FF1544104000 Call dword ptr [00401044]
:00403667 8BF0 mov esi, eax
:00403669 8D4DE8 lea ecx, dword ptr [ebp-18]
:0040366C F7DE neg esi
:0040366E 1BF6 sbb esi, esi
:00403670 46 inc esi
:00403671 F7DE neg esi
* Reference To: MSVBVM60.__vbaFreeStr, Ord:0000h
|
:00403673 FF1598104000 Call dword ptr [00401098]
:00403679 8D4DE4 lea ecx, dword ptr [ebp-1C]
* Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h
|
:0040367C FF159C104000 Call dword ptr [0040109C]
* Reference To: MSVBVM60.__vbaBoolStr, Ord:0000h
|
:00403682 8B1D20104000 mov ebx, dword ptr [00401020]
:00403688 684C224000 push 0040224C
:0040368D FFD3 call ebx
:0040368F 663BF0 cmp si, ax
:00403692 756E jne 00403702
* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h
|
:00403694 8B3584104000 mov esi, dword ptr [00401084]
is a goldmine for cracks/patches we can do... Well now the CMP instruction at 0040368F is an instruction to see if SI and AX are equal... If they are equal, it will not jump, and you will get the 'Bad cracker' message... If they are not equal, ESI will be FFFFFFFF and EAX will be 00000000... Although they could really be anything, that's just the way the program set it up... (It could be 1 and 0, for example)... Now we want it to always take that jump, right? So disassemble the file in W32DASM and go to the code location :0040368F. When it's highlighted, take down the OFFSET at the bottom of the screen... Now close W32DASM (you must do this or the file will be in use and you won't be able to edit it) and load it up in your favorite HEX EDITOR (I recommend HIEW)... Now go to the offset you took down earlier, and change the bytes 756E to EB6E... EB is the opcode for JMP, which is an UNCONDITIONAL jump, meaning it will jump no matter what, which is what we want... Now save, and quit... Done.
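To make the decision logic in that listing concrete, here is an added Python emulation (my own, not part of the original tutorial or of the crackme) of the instructions between CALL __VBASTRCMP and the JNE: the neg/sbb/inc/neg sequence that turns the compare result into a VB Boolean, the 16-bit CMP SI, AX that drives the jump, and a decoder for the two-byte short jump so you can check that 756E at 00403692 really lands on 00403702 and that swapping 75 for EB keeps the same target. It assumes __vbaStrCmp returns 0 when the two strings are equal (like C strcmp); the value __vbaBoolStr leaves in AX is not shown on the page, so it is passed in as a parameter, and AX = 0 is the value that reproduces the behaviour the tutorial describes.

```python
MASK32 = 0xFFFFFFFF

# x86 short-jump opcodes relevant to this listing (a signed rel8 follows the opcode)
SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}


def vb_bool_from_strcmp(strcmp_result):
    """Emulate: mov esi, eax / neg esi / sbb esi, esi / inc esi / neg esi.

    Returns the 32-bit value left in ESI. With EAX = 0 (strings equal) the
    result is 0xFFFFFFFF (VB True); with any non-zero EAX it is 0 (VB False).
    """
    esi = strcmp_result & MASK32            # mov esi, eax
    cf = 1 if esi != 0 else 0               # neg sets CF when the operand was non-zero
    esi = (-esi) & MASK32                   # neg esi
    esi = (esi - esi - cf) & MASK32         # sbb esi, esi  -> 0 - CF
    esi = (esi + 1) & MASK32                # inc esi
    esi = (-esi) & MASK32                   # neg esi
    return esi


def jump_taken(esi, eax):
    """cmp si, ax / jne: only the low 16 bits of each register are compared."""
    return (esi & 0xFFFF) != (eax & 0xFFFF)


def serial_check(entered, expected, boolstr_value):
    """Walk the whole block. `expected` is the string the tutorial dumped at
    004021DC; `boolstr_value` stands in for what __vbaBoolStr returns in AX
    (assumption: that value is not visible on the page). Returns True when
    the JNE at 00403692 is taken, which the tutorial identifies as the
    'correct serial' path."""
    strcmp_result = 0 if entered == expected else 1  # assumption: 0 means equal
    return jump_taken(vb_bool_from_strcmp(strcmp_result), boolstr_value)


def decode_short_jump(code, address):
    """Decode a two-byte short jump at `address`; return (mnemonic, target).

    The rel8 displacement is signed and relative to the end of the
    instruction, so target = address + 2 + disp. Patching 75 -> EB changes
    only the opcode byte; the displacement, and so the target, is unchanged.
    """
    if len(code) < 2 or code[0] not in SHORT_JUMPS:
        raise ValueError("not a short je/jne/jmp at this address")
    disp = int.from_bytes(code[1:2], "little", signed=True)
    return SHORT_JUMPS[code[0]], (address + 2 + disp) & MASK32


if __name__ == "__main__":
    # Constructed inputs: the string the page found at 004021DC and a wrong serial.
    expected = "Serial must be at least one characters long!"
    for entered in ("123123", expected):
        taken = serial_check(entered, expected, boolstr_value=0)
        print(f"{entered!r:50} -> jne taken: {taken}")
    for raw in ("756E", "EB6E"):
        print(raw, "->", decode_short_jump(bytes.fromhex(raw), 0x00403692))
```

Running it shows why the tutorial's reading of the listing holds together: equal strings leave FFFFFFFF in ESI, any mismatch leaves 0, and with AX = 0 the JNE is taken only for the right serial. The decoder also confirms the displacement arithmetic, 00403692 + 2 + 6E = 00403702, which is the same target whether the opcode byte is 75 or EB.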
My thanks go to: The Sandman, for all he's done for newbies like me and for providing such a great site.
Eternal Bliss for providing his website and support for newbies
Borna Janes for writing this Crackme. :)
Everyone who helped me on the Sandman's forum, all writers of tutorials that helped me, and anyone who is reading this :).
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.