Name      : Online Counter

Version   : 5.45.1612

Editor    : SWR3

Target    : OnlineCounter.Exe

Tools     : Softice 4.0
            Snooper for Windows
            Brain

Cracker   : LW2000

Tutorial  : No.20

http://www.swr3.de/Fun/Downloads/Onlinecounter/


---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---



1.	Ok, enter the details:
	Name: LW2000
	Code: 1234

	*Boom* Shit, wrong code, I think we found a bug... ;)
	
2.	Close OnlineCounter. Let's snoop a bit.
	Mhmm, VB40032.DLL in the import table. This means we have a
	Visual Basic 4 proggy. This is no real problem; it only means
	we can't use W32Dasm very well... but SoftICE works fine =)

	Ok, first a little bit of knowledge about VB4 proggies. The compare
	function is NOT in the *.exe, it is in the system file VB40032.DLL.
        
	Start Online Counter and enter the details, again. Press [ctrl]+[d]
        to switch to softice.

        bpx hmemcpy

        [F5] to return to the app. Now press OK. SoftICE pops up.
        Press F11 to get to the caller and then trace with F10 through
        the code until you are in VB40032.DLL. Now 'bd *' to disable
        the old bpx's.

	The compare function in VB is always the same:

	: 56            push esi
	: 57            push edi
	: 8B7C2410      mov edi, [esp + 10]
	: 8B74240C      mov esi, [esp + 0C]
	: 8B4C2414      mov ecx, [esp + 14]
	: 33C0          xor eax, eax
	: F366A7        repz cmpsw        <<---  compares the (WideChar) strings
	                                          at ds:esi and es:edi, ecx words


	Let's search for this code. Enter:

's 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7'

	If you don't want to type it every time, put it into a shortcut in
        Winice.dat. E.g. my shortcut is [Alt]+[F4]
        (I love this window-killer shortcut! ;)
	If you don't know how to add a shortcut for SoftICE, ask me or take
        a look at a SoftICE tut in tKC's Cracking Tutorials.

3.	For example, SoftICE found 0157:0E793B84. Then we set a bpx
        there: 'bpx 0157:0E793B84'. Then press F5 to return
        to the app.
	
	SoftICE will pop up at our bpx; then we can take a look at our
        fake serial ('d esi') and the correct serial ('d edi').
        But remember, this is the WideChar format!! This means '1234'
        appears as '1 2 3 4'.
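As an added example (not part of LW2000's tutorial and not code from the Online Counter program), the Python below shows, with a constructed placeholder serial, why the compare above gives the answer away: the expected value is a plain wide-char string sitting in memory right next to the user's input when repz cmpsw runs. Beside it is the hardened form a developer would use instead, where only a digest of the accepted value is stored and compared in constant time. The serial "ABC123" and the build-time make_digest step are assumptions for the example.

```python
import hashlib
import hmac

# Constructed placeholder for the value the program accepts; it is not the
# serial of the application discussed in the tutorial.
EXPECTED_SERIAL = "ABC123"


def to_wide(s: str) -> bytes:
    """VB4 strings are UTF-16LE ("WideChar"): '1234' becomes 31 00 32 00 33 00 34 00,
    which is why a byte dump in the debugger shows it as '1 2 3 4'."""
    return s.encode("utf-16-le")


def weak_check(user_serial: str) -> bool:
    """The pattern the tutorial stops on: the correct serial is built as a plain
    wide-char string and compared word by word against the input (repz cmpsw).
    At the moment of the compare both buffers are in memory, so whoever is
    stopped on that instruction can simply read the expected value."""
    expected = to_wide(EXPECTED_SERIAL)   # plaintext expected value, in memory
    entered = to_wide(user_serial)
    if len(expected) != len(entered):
        return False
    for i in range(0, len(expected), 2):  # one 16-bit word per step, like cmpsw
        if expected[i:i + 2] != entered[i:i + 2]:
            return False
    return True


def make_digest(serial: str) -> bytes:
    """Assumed build-time step: hash the accepted value once and ship only the
    digest. In a real build the digest literal is embedded and the plaintext
    serial never reaches the binary."""
    return hashlib.sha256(to_wide(serial)).digest()


# What the shipped binary carries instead of the plaintext serial.
EXPECTED_DIGEST = make_digest(EXPECTED_SERIAL)


def hardened_check(user_serial: str) -> bool:
    """Compare a digest of the input against the stored digest, in constant time.
    The expected serial itself never exists in process memory, so a dump at the
    compare shows a hash rather than the answer."""
    digest = hashlib.sha256(to_wide(user_serial)).digest()
    return hmac.compare_digest(digest, EXPECTED_DIGEST)


if __name__ == "__main__":
    print(to_wide("1234").hex(" "))                          # 31 00 32 00 33 00 34 00
    print(weak_check("1234"), hardened_check("1234"))        # False False
    print(weak_check("ABC123"), hardened_check("ABC123"))    # True True
```

Two caveats for anyone relying on the hardened form: it only removes the leak shown in the tutorial (the expected value readable at the compare), it does not protect the branch that follows the compare; and a digest of a short, low-entropy serial can be searched offline, so real licensing schemes use longer, signed license data rather than a bare hash of a six-character code.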

4.	Ok, all done? My serial is 851118H. Let's try it.
	Name: LW2000
	Code: 851118H

Congratulation! You are a registered user.



FINISH! Easy, isn't it?

cu LW2000
Any comments? Mail me LW2000@gmx.net !!!
----
tKC, thx for your tutors!
I started with tutor 1 and I still read them... they are the best!
