Cracking Tutorial for OnlineCounter '98 5.0

Target Program: OnlineCounter '98 5.0
Description: OnlineCounter is an easy to use program for checking & managing your telephone and internet provider costs.
Protection: Name / Reg #
Tools needed: - SoftICE 3.24
Ob duh: Do I really have to remind you all that BUYING and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue to offer even more challenges to breaking their often weak protection systems?
BTW, It's illegal to use cracked Software!

If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks, etc.
Info: Brand and product names are trademarks or registered trademarks of their respective holders.
Level: (X)Beginner ( )Intermediate ( )Advanced ( )Expert

Since VB40032.DLL was copied into the Windows system directory, we know OnlineCounter is written in Visual Basic 4. If we have to crack a Visual Basic program that needs a Reg #, we can't use the breakpoints GetWindowTextA and GetDlgItemTextA; we must use a HMEMCPY breakpoint. Now that we know this, we can start our cracking session.
Go to the registration screen and enter "cRACKING tUTORIAL" as Name and "1234-1234" as Reg #. Now enter SoftICE and set a BPX to HMEMCPY. Then press the "Continue" button. SoftICE will pop up now. Since there were two input fields, we can leave SoftICE, because it will pop up again at the HMEMCPY breakpoint. After SoftICE has popped up the second time, clear the HMEMCPY breakpoint and press F12 a few times (about 7 times) until you're in VB40032.DLL. You wanna crack Visual Basic programs as fast as possible, since you can't learn much from a moron, right? So we can use a trick that CbD (a good cracker) has published (the trick is also in the cRACKER's n0TES of course!). We just have to search for the Visual Basic 4 compare function in SoftICE and we'll get the exact location where we can set our breakpoint to get a valid Reg #. The Visual Basic 4 compare function looks like the following:

56                  PUSH     ESI
57                  PUSH     EDI
8B7C2410            MOV      EDI,[ESP+10]
8B74240C            MOV      ESI,[ESP+0C]
8B4C2414            MOV      ECX,[ESP+14]
33C0                XOR      EAX,EAX
F366A7              REPZ     CMPSW
7405                JE       0F79B362
1BC0                SBB      EAX,EAX
83D8FF              SBB      EAX,FFFFFFFF
5F                  POP      EDI
5E                  POP      ESI
C20C00              RET      000C

To get to this code, we can search for it. So search for 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14 now (s 0 L FFFFFFFF 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14). SoftICE will find the code at something like 0F79B348. So set a BPX to that address. Now you'll be inside the Visual Basic 4 compare routine. If you have a quick look at ESI, you'll find out that it contains "escom/CORE" in wide-char format. If you have a look at EDI, you'll see our name in wide-char format: "cRACKING tUTORIAL". So why does our name get compared with "escom/CORE"? Well, the Reg # for this code is invalid. I don't know the cracker "escom" from CORE, but he seems to be known by the programmer of OnlineCounter.
We're not interested in the name compare, so press CTRL-D to leave SoftICE. SoftICE will pop up again. Now have a look at ESI. What do you see? Well, it contains "331-343-4H", which looks very much like a Reg #, doesn't it? Just check EDI. EDI will contain our fake Reg #, which was "1234-1234".
Another target has been Reverse Engineered. Do you have any questions?
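
The compare routine listed above, modelled in C as an added example (not part of the original tutorial and not VB40032.DLL's own source). It shows that the routine is a generic three-way comparison of 16-bit units that receives both operands as plain pointers, which is why a registration check that hands its expected value to it exposes that value. The function and parameter names are hypothetical, and the argument order is read from the stack offsets in the listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* C model of the listing. Names are hypothetical. After the two PUSHes,
   [ESP+0C] is the first argument (loaded into ESI), [ESP+10] the second
   (EDI) and [ESP+14] the third (ECX). RET 000C pops 12 bytes, i.e. three
   4-byte stack arguments. */
int vb4_wide_compare(const uint16_t *a, const uint16_t *b, size_t count)
{
    /* REPZ CMPSW: compare 16-bit units while they are equal, at most
       `count` times. With count == 0 nothing is compared; ZF is still set
       by XOR EAX,EAX, so the JE is taken and 0 is returned. */
    for (size_t i = 0; i < count; i++) {
        if (a[i] != b[i]) {
            /* CMPSW computes [ESI] - [EDI] as unsigned words; CF is set
               when a < b. SBB EAX,EAX followed by SBB EAX,FFFFFFFF maps
               CF=1 to -1 and CF=0 to 1. */
            return (a[i] < b[i]) ? -1 : 1;
        }
    }
    return 0; /* JE path: EAX keeps the 0 from XOR EAX,EAX */
}

/* Constructed sample data (UTF-16 code units), not values from the target. */
static const uint16_t S_ABC[] = { 'A', 'B', 'C' };
static const uint16_t S_ABD[] = { 'A', 'B', 'D' };
static const uint16_t S_HI[]  = { 0x8000 };
static const uint16_t S_LO[]  = { 0x0001 };

int main(void)
{
    printf("equal:       %d\n", vb4_wide_compare(S_ABC, S_ABC, 3));
    printf("a < b:       %d\n", vb4_wide_compare(S_ABC, S_ABD, 3));
    printf("a > b:       %d\n", vb4_wide_compare(S_ABD, S_ABC, 3));
    /* Only the first `count` units matter: a differing tail is ignored. */
    printf("prefix only: %d\n", vb4_wide_compare(S_ABC, S_ABD, 2));
    /* The comparison is unsigned: 0x8000 sorts above 0x0001. */
    printf("unsigned:    %d\n", vb4_wide_compare(S_HI, S_LO, 1));
    return 0;
}
```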

If you're USING OnlineCounter BEYOND its FREE TRIAL PERIOD, then please BUY IT.

Copyright © 1998 by TORN@DO and The Immortal Descendants. All Rights Reserved.
