Cracking "Cli-Mate v 1.5"
Date: July 18, 1999
Author : +ViPeR+
[E]bola [V]irus [C]rew

Program Name : Cli-Mate v 1.5
Location     : http://users.nac.net/splat/climate/index.htm

Method: VB6 program. Wide Chars Compare.

<<Note: this document is for educational purposes ONLY>>
-------------------------------------------------------------------------------

First, notice that this is a Visual Basic program. I knew it because after I
traced it for a little while, I was kind of lost, so I fired up w32dasm
to get a deadlist of this program, and that is when I found out about it.

Open the winice.dat file and add the following line at the bottom:

EXP=c:\windows\system\msvbvm60.dll

Restart the computer.

OK. Here I will just show you the procedure to find the correct registration
code.

-------------------------------------------------------------------------------

After typing your name and registration code, press 'Ctrl-D' to get into
Soft-Ice and type 'bpx hmemcpy'. Press 'Ctrl-D' to leave Soft-Ice and click
the 'Ok' button.

Now, you are back to Soft-Ice.
Type 'x Enter' one time.
Press 'F11' and then 'F12' 6 times, and you will find you are inside
MSVBVM60.dll. (If you followed the above setting, you should be able to see
something that looks like --> MSVBVM!__&*&^%$^  <-- on the line just above
your code window).

Set a breakpoint by typing 'bpx __vbastrcmp' in Soft-Ice. (Notice: that's 2
underscores before vbastrcmp).

Leave Soft-Ice with 'x Enter' and you will drop back into Soft-Ice when the
'__vbastrcmp' breakpoint hits. Press 'F11' to go back to the caller.

Scroll the code window up a little by pressing 'Ctrl-up arrow key'.
You will see something like the following in the code window.

:0046E90E E8DD3BF9FF              Call 004024F0
:0046E913 FF75BC                  push [ebp-44] ; <-- set breakpoint here
:0046E916 FF75E8                  push [ebp-18] ; <-- set breakpoint here
:0046E919 E8AE3BF9FF              Call 004024CC ; <-- this is the call that
                                                ;     caused the break this time
:

Now, 'bc*' and set breakpoints on those two lines containing push.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Some explanation of the above code snippet.

:0046E913 FF75BC                  push [ebp-44] ; <-- points to the location
                                                ;     of the fake code
:0046E916 FF75E8                  push [ebp-18] ; <-- points to the location
                                                ;     of the correct code
:0046E919 E8AE3BF9FF              Call 004024CC ; <-- call __vbastrcmp
:
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Leave Soft-Ice and click the 'Ok' button again. This time, you will break
on line 0046E913. If you 'd ebp-44' you will see the address that points to
your fake registration code in wide char format (i.e. 5.4.5.4.5.4.5.4; each
dot in the dump is the zero high byte of a 16-bit character).

'd ebp-18' to see the location of the correct registration code and then
dump that address to see what it is. In my case, it is 'E.1.2.5.2.5.R'.

Enter

Name: evc_viper
Code: E12525R

to see the thanks for registering message box.
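
The walkthrough works because the program builds the valid code in its own
memory and hands it to a string compare next to the user's input. The added
example below (not from the original text or from Cli-Mate; derive_code, the
toy key and every name in it are assumptions) contrasts that pattern with a
check that only verifies a vendor-issued signature, so the client never holds
a value that would be accepted as a code.

```python
import hashlib

# --- Weak pattern: the design the walkthrough relies on --------------------
def derive_code(name: str) -> str:
    """Hypothetical name-to-code routine (an assumption, not Cli-Mate's)."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()[:7].upper()

def weak_check(name: str, entered: str) -> bool:
    # The complete valid code is materialised in client memory and passed
    # to a plain string compare, where anyone inspecting the process sees it.
    expected = derive_code(name)
    return entered == expected

# --- Hardened pattern: the client only verifies a signature ----------------
# Constructed toy key built from two Mersenne primes; far too small for
# real use, chosen only so the arithmetic stays readable.
P, Q = 2**61 - 1, 2**31 - 1      # vendor-side secrets, never shipped
E = 65537                        # public exponent
N = P * Q                        # public modulus, shipped with the client

def _digest(name: str) -> int:
    """Hash of the licensee name reduced into the range of the modulus."""
    h = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N

def vendor_sign(name: str) -> int:
    """Runs on the vendor's side only: needs the private exponent."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    return pow(_digest(name), d, N)

def client_verify(name: str, code: int) -> bool:
    # Uses only N and E. The value compared against is the public hash of
    # the name, so nothing in client memory is itself an acceptable code.
    return 0 <= code < N and pow(code, E, N) == _digest(name)

if __name__ == "__main__":
    name = "alice"               # constructed sample licensee
    code = vendor_sign(name)
    print("weak    :", weak_check(name, derive_code(name)))
    print("verified:", client_verify(name, code))
    print("tampered:", client_verify(name, (code + 1) % N))
```

A production scheme would use a vetted signature library with a full-size key;
the roughly 92-bit modulus here is for illustration only.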

Final Note:
   none.


Ob Duh
   Do I really have to remind you all that buying and NOT stealing the
   software you use will ensure that these software houses will continue to
   produce even *better* software for us to use and more importantly, to
   continue offering even more challenges to breaking their often weak
   protection systems?


+ViPeR+
[E]bola [V]irus [C]rew
July 18 1999