The Preparation  A one time reconfiguration of Winice.DAT

  ---------------------------------------for a more indepth look at the following configuration see
                                                                    _____The Sandman's  Essay 59 _____
                    ________________located at http://www.proweb.co.uk/~greenway/Es59.html______________

Make sure you have this highlighted line included with the rest of these lines in your Winice.dat file which is located in your Softice directory .
Winice.dat file can be opened for editing using NotePad.
 

EXP=C:\windows\system\kernel32.dll
EXP=C:\windows\system\user32.dll
EXP=C:\windows\system\gdi32.dll
EXP=C:\windows\system\comdlg32.dll
EXP=C:\windows\system\shell32.dll
EXP=C:\windows\system\shell232.dll
EXP=C:\windows\system\advapi32.dll
EXP=C:\windows\system\vb40032.dll
EXP=C:\windows\system\msvbvm50.dll <<--- make sure that this .dll file is listed in your winice.dat file.  Make sure that there are NO " ; " (semi-colons) in front of these statements or the file will not be read.

Of course you will want to make sure that the path above is also correct and matches the path that your file is actually  'housed' in...! C:\windows\system...ect...
 
 
2. Next,  reconfigure the  Alt-F4  key  and re-program it so that it will automatically locate the EXACT Visual Basic sub-routine that compares our entered serial number against the one the target program expects us to use.

While still editing Winice.dat locate the line starting with AF4="^ and REPLACE it with the highlighted line shown below.
 
F1="h;"
F2="^wr;"
F3="^src;"
F4="^rs;"
F5="^x;"
F6="^ec;"
F7="^here;"
F8="^t;"
F9="^bpx;"
F10="^p;"
F11="^G @SS:ESP;"
F12="^p ret;"
SF3="^format;"
CF8="^XT;"
CF9="TRACE OFF;"
CF10="^XP;"
CF11="SHOW B;"
CF12="TRACE B;"
AF1="^wr;"
AF2="^wd;"
AF3="^wc;"
AF4="^s 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7;"
AF5="CLS;"
AF8="^XT R;"
AF11="^dd dataaddr->0;"
AF12="^dd dataaddr->4;"
CF1="code on; altscr off; lines 58; wc 33; wd 8; wr; wl; ww 2; faults off;"
CF2="^wr;^wd;^wc;"

The above lines assigns commonly used Softice commands to some of your function keys, this saves a lot of typing on your part if you can execute a whole sequence of commands just by press two keys together.  Now the new ALT-F4 function will save you from having to type:

s 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7

every time you wish to locate the VB routine that compares two strings together.

This command simply tells Softice to search for a unique sequence of 19 bytes starting from memory location 0 all the way to the maximum amount of memory installed on your pc. These bytes form just a part of the VB routine we're interested in and have to include this number of bytes because there are other very similar routines to the one we're interested in and this way we can be sure that the VB routine Softice finds is the right one.

Now save your winice.dat file.  Make sure you make a backup first just in case you make any mistakes.
 
That's it!. 
 

The Essay

Run the program Cconvert.exe ...a box appears saying you're unregistered; click okay; now select the 'about'
and then the "Register" button.

Type in your Name/Handle then a random sequence of numbers into the Registration box.

Before going any further press CTR-D to fire up Softice and then type:
bpx hmemcpy.  Now type X to leave Softice.

OK, now you can click on the 'Validate' button...

Softice breaks at the beginning of the HmemCpy sub-routine.

Now we want to quickly find the routine that compares our serial number with the *real* one and we can do this effortlessly by pressing the ALT-F4 keys together.

Softice should now report back a first memory location of where the sub-routine were looking for is to be found in memory.

In my case Softice reported:
Pattern found at:  0030:0F00D9EA
                           :-----------------: <-This address may be different on your puter 

Now type:  u followed_by_the_memory_address_just_given_by_Softice

In my case I type: u 0030:0F00D9EA
 
 Softice should now display this code snippet:-
 
: 56             push esi  <<<---you land here; this is where you will set a new breakpoint.
: 57             push edi
: 8B7C2410       mov edi, [esp + 10]
: 8B74240C       mov esi, [esp + 0C]
: 8B4C2414       mov ecx, [esp + 14]
: 33C0           xor eax, eax
: F366A7         repz cmpsw
: 7405           je 0F79B362
: 1BC0           sbb eax, eax
: 83D8FF         sbb eax, FFFFFFFF
: 5F             pop edi
: 5E             pop esi
: C20C00         ret 000C
 

Ok, from here type:

Example: bpx  followed_by_the_memory_address_just_given_by_Softice
In my case I type: bpx 0030:0F00D9EA .  I have found that in order to get the above address you sometimes must type 's' to do another search until you have found the above line #.  You also can double click on the line  0030:0F00D9EA, instead of typing it in, to set the breakpoint...
 
Lastly, type: bd 00 to disable our original hmemcpy breakpoint, we don't need it anymore and finally, type X to leave Softice.
 
Softice now breaks again, this time on our newly created breakpoint,

: 56             push esi  <<<---we land here
: 57             push edi
: 8B7C2410       mov edi, [esp + 10]
: 8B74240C       mov esi, [esp + 0C]
: 8B4C2414       mov ecx, [esp + 14] <<<<--F-10 to here; type "d ecx"...the real serial will be displayed... typing "d esi"; the line above; and this will display your fake # input.
: 33C0           xor eax, eax
: F366A7         repz cmpsw
: 7405           je 0F79B362
: 1BC0           sbb eax, eax
: 83D8FF         sbb eax, FFFFFFFF
: 5F             pop edi
: 5E             pop esi
: C20C00         ret 000C

Our registration code will be in Wide Character Format, which simply means that instead of our Registration/Serial number looking like  "GypsyJoker"  it will now look like: "G.y.p.s.y.J.o.k.e.r " instead.  Other than that it's still the REAL serial number.

In this case Violatily has mixed letters and Numbers; and the code for my input was:

User Name: jasman <<<---I usually use "jas" but lately the user name has been "length" sensitive..I just may have to get myself a longer  handel...

Registration Code: "XXX-2120-XXXX" <<<---Where "X" is a hard coded part of this Reg code and for which I'll not publish.

Ya'all will see it if you follow the guidelines above...

The numerical part of this reg is generated by a part of your user name input.....I'll leave that for you to figure out also...

CONGRATULATIONS!
 
BUSTED this dude!

I would like to congratulate Volatilty for producing one of the greatest teaching programs anyone could have written for teaching the many ways VB could be attacked and handeled.
 

As we have learned at the Sandmans projects site @  http://disc.server.com/Indices/33330.html the crack is not done until the cracker ' knows' his crack.
 

My thanks and gratitude goes to:-
 
The Sandman for providing possibly the greatest source of Reverse Engineering
knowledge for newbys on the Web; and who told me to never give up when VB was strangeling me.

Special thanks go to Crackz; Prophesy, for their great tutes; to Volatility; and BornaJanes who wouldn't let me give up. And to my great internet compadre', twno, who forever teaches and watches over me.:) and also to D0gbytes who can drink me under the table at virtual whiskey sites...:)

And to all those of you who write and teach me each day, no matter your depth of knowledge.
 

 

Ob Duh

 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will be encouraged to producing even *better* software for us to use and enjoy.

Ripping off software through serials and cracks is for lamers..
 
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.