Aug 1998
"Minimize Magic V2.2.870"
( 'Visual Basic V4 Cracking'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: mmagic.zip
Program Type: Taskbar Utility
Program Location: Here 
Program Size: 1.8MB 
 
     
Tools Used:
Softice V3.2 - Win'95 Debugger
W32Dasm V8.9 - Win'95 Disassembler
 
Rating
Easy ( X  )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
    
 
 
 
 
Introduction
 
The author(s) of Minimize Magic say:-
 
"Minimize Magic places programs from the Task bar into the System Tray or
hides them altogether. Useful for Hiding programs from the Alt-Tab List.
For example backup programs that you do not wish to close. Personal
Organizers that you keep open all the time. Mail Programs that need to
be open to receive incoming mail. e.g. Microsoft Exchange"
 
About this protection system
 
The protection system, as with ALL Visual Basic programs, relies primarily on the fact that programs of this type are thought of in the cracking world (especially by those inexperienced in cracking) as being extremely hard to crack. This is primarily because the programs themselves consist mostly of calls into the Visual Basic run-time library, which for VB3 programs is called VBRUN300.DLL and for VB4 programs is called VB40032.DLL.

Creating dead listings using W32Dasm or IDA Pro won't help you much because most of the code won't make any sense to you whatsoever, and trying to use Softice to trace through the program's code will only succeed in burying you under huge numbers of sub-routines, thereby tiring you out long before you find the code you were actually looking for. I speak on behalf of newbies with the above statement; more experienced crackers like Razzia, +Fravia etc. would find ways and means to avoid these pitfalls.

Once you put these silly thoughts about Visual Basic programs being hard to crack out of your mind, all you're left with is a weak serial number registration scheme hiding behind a 'myth' hehehe. The serial number used in Minimize Magic is based on your Handle/Name and, just to add a little more spice to the *crack*, it's also tied to the 'Installation key', a randomly generated sequence that is produced each time this software is installed. This means you can't use the same serial number twice on different computers, but we don't have to worry about that..:)
 
One other small item of info about the protection system used by this program: it can detect changes to its registry entries and, upon detection, will disable most of the functions within this program, but you can still access the Registration screen without any problems.

Here's where I found a bug in the program. It seems that once the program detects changes to its registry entries it performs a number of steps (one of which is to display a few message boxes informing the user that the program has detected "tampering" with its registry entries) that in some way cause it to raise a General Protection Fault each time you subsequently exit from the program. Even if you register this program this fault STILL persists. Rebooting the system does not cure this problem.
 

On successful installation of Minimize Magic the following entries are created in your System Registry:

HKEY_CURRENT_USER\Software\Genesoft
HKEY_LOCAL_MACHINE\SOFTWARE\Genesoft Developments
 
Once registered the following entry is created with the following data.

HKEY_LOCAL_MACHINE\SOFTWARE\Genesoft\MinimizeMagic

Key      = KJBJBAG    <--- Unique key generated on each installation copy.
Password = KCIIGFAEB  <--- The serial number to register this babe.
User     = The Sandman
Version  = 2.2.870
 
 
The Preparation
 A one time reconfiguration of Winice.DAT
 
1. Edit your winice.dat file (found in your Softice directory) and make sure the marked line below (the vb40032.dll entry) is included along with the rest of these lines. Use NotePad to edit this file.

; WINICE.DAT
; (SIW95\WINICE.DAT)
; for use with SoftICE Version 3.2 (Windows 95)
; 14 July 1997

; Change the path to the appropriate drive and directory

EXP=C:\windows\system\kernel32.dll
EXP=C:\windows\system\user32.dll
EXP=C:\windows\system\gdi32.dll
EXP=C:\windows\system\comdlg32.dll
EXP=C:\windows\system\shell32.dll
EXP=C:\windows\system\shell232.dll
EXP=C:\windows\system\advapi32.dll
EXP=C:\windows\system\vb40032.dll <--VB4 Run Time library.

Without this line Softice won't be able to tell you which sub-routine you might be tracing through or which sub-routine is being called by the target program.
 
2. Next, we are going to reconfigure one of Softice's function keys, Alt-F4, which is not often required or used, and re-program it so that it will automatically locate the EXACT Visual Basic sub-routine that compares our entered serial number against the one the target program expects us to use. Forget about setting any breakpoints on memory locations etc., we will go for the jugular with this new function.

While still editing Winice.dat, locate the line starting with AF4="^ and REPLACE it with the AF4 line shown below.
 
F1="h;"
F2="^wr;"
F3="^src;"
F4="^rs;"
F5="^x;"
F6="^ec;"
F7="^here;"
F8="^t;"
F9="^bpx;"
F10="^p;"
F11="^G @SS:ESP;"
F12="^p ret;"
SF3="^format;"
CF8="^XT;"
CF9="TRACE OFF;"
CF10="^XP;"
CF11="SHOW B;"
CF12="TRACE B;"
AF1="^wr;"
AF2="^wd;"
AF3="^wc;"
AF4="^s 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7;"
AF5="CLS;"
AF8="^XT R;"
AF11="^dd dataaddr->0;"
AF12="^dd dataaddr->4;"
CF1="code on; altscr off; lines 58; wc 33; wd 8; wr; wl; ww 2; faults off;"
CF2="^wr;^wd;^wc;"

The above lines assign commonly used Softice commands to some of your function keys; this saves a lot of typing on your part if you can execute a whole sequence of commands just by pressing two keys together. Now the new ALT-F4 function will save you from having to type:

s 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7

every time you wish to locate the VB routine that compares two strings together.

This command simply tells Softice to search for a unique sequence of 19 bytes starting from memory location 0 all the way up to the maximum amount of memory installed on your PC. These bytes form just a part of the VB routine we're interested in; we have to include this many bytes because there are other routines very similar to the one we're interested in, and this way we can be sure that the VB routine Softice finds is the right one.
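To make the point about the search concrete, here is an added example (not code from the essay and not Softice's own search): a small signature scanner in C that looks for the same 19-byte sequence inside a byte buffer. The buffer is constructed for the demo and contains a deliberate near-miss (only the first six bytes of the prologue, then a ret) before the real prologue, which is exactly why the essay insists on matching all 19 bytes rather than a shorter prefix. This is the same mechanism a detection engine uses when it matches a byte pattern against memory or a file.

```c
/* Added example: search a byte buffer for the 19-byte signature that the
 * essay's ALT-F4 macro hands to Softice's "s" command.
 * The demo buffer is constructed; it is not memory dumped from any program. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 19 bytes from the essay: push esi / push edi / mov edi,[esp+10] /
 * mov esi,[esp+0C] / mov ecx,[esp+14] / xor eax,eax / repz cmpsw */
static const uint8_t VB_CMP_SIG[] = {
    0x56, 0x57, 0x8B, 0x7C, 0x24, 0x10, 0x8B, 0x74, 0x24, 0x0C,
    0x8B, 0x4C, 0x24, 0x14, 0x33, 0xC0, 0xF3, 0x66, 0xA7
};
#define VB_CMP_SIG_LEN (sizeof VB_CMP_SIG)

/* Return the offset of the first complete match of sig in buf, or -1 if absent. */
long find_signature(const uint8_t *buf, size_t buf_len,
                    const uint8_t *sig, size_t sig_len)
{
    if (sig_len == 0 || buf_len < sig_len) return -1;
    for (size_t i = 0; i + sig_len <= buf_len; i++) {
        if (buf[i] != sig[0]) continue;          /* cheap first-byte filter */
        if (memcmp(buf + i, sig, sig_len) == 0) return (long)i;
    }
    return -1;
}

/* Constructed demo image: two NOPs, a near-miss (the first 6 signature bytes
 * followed by a ret), two int3 bytes, then the full 19-byte prologue followed
 * by the tail the essay shows (je / sbb / sbb / pop / pop / ret 0C). */
static const uint8_t DEMO_IMAGE[] = {
    0x90, 0x90,
    0x56, 0x57, 0x8B, 0x7C, 0x24, 0x10, 0xC3,      /* near miss: ends in ret */
    0xCC, 0xCC,
    0x56, 0x57, 0x8B, 0x7C, 0x24, 0x10, 0x8B, 0x74, 0x24, 0x0C,
    0x8B, 0x4C, 0x24, 0x14, 0x33, 0xC0, 0xF3, 0x66, 0xA7,
    0x74, 0x05, 0x1B, 0xC0, 0x83, 0xD8, 0xFF, 0x5F, 0x5E, 0xC2, 0x0C, 0x00
};

/* Scan the demo image; the real prologue starts at offset 11 (0x0B). */
long demo_find_vb_compare(void)
{
    return find_signature(DEMO_IMAGE, sizeof DEMO_IMAGE, VB_CMP_SIG, VB_CMP_SIG_LEN);
}

int main(void)
{
    long off = demo_find_vb_compare();
    if (off < 0) printf("pattern not found\n");
    else printf("pattern found at offset 0x%lX\n", (unsigned long)off);
    return 0;
}
```

The near-miss in the demo image is skipped because memcmp fails at the seventh byte; a scanner that matched only the first six bytes would have stopped there, which is the wrong-routine problem the paragraph above describes.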

Now save your winice.dat file.  Make sure you make a backup first just in case you make any mistakes.
 
That's it!
 
The Essay 
     
Most crackers by now have read Razzia's tutorial on cracking ALL VB programs, but, perhaps because I misread something, I couldn't get the VB40032.DLL patched no matter how many ways I tried. So after a couple of hours of sheer frustration I decided to cut my losses and have a go myself at cracking Minimize Magic. This time however I will do my best to explain every step I took and to give you all the information you need to try your hand at cracking other VB4 programs. Yes, Visual Basic 5 is already out and so is 6, but let's take things one step at a time.

Razzia had already done the ground work for cracking this program and others like it so I will also take this opportunity in giving you some helpful tips along the way which should help you to make VB cracking a lot easier.

Once Minimize Magic has been properly installed, run the program and select the menu option Help, then Permanent Registration.

Type in your Name/Handle then a random sequence of numbers into the Registration box.

Before going any further, press CTRL-D to fire up Softice and then type:

bpx hmemcpy

Now type X to leave Softice. So far so good..

OK, now you can click on the 'OK' button...

Softice breaks at the beginning of the HmemCpy sub-routine.

From here press the 'F11' key once, then keep pressing the 'F10' key UNTIL you see Softice display this on its code status line:

MSVBVM50!.Text + 000B881    <--This address will be different on your puter.

You're now deep within the Visual Basic code. You might have to press 'F10' quite a few times before you actually see this, but do keep trying, you'll get there..

Now we want to quickly find the routine that compares our serial number with the *real* one and we can do this effortlessly by pressing the ALT-F4 keys together.

Softice should now report back one memory location where the sub-routine we're looking for is to be found in memory.

In my case Softice reported:

Pattern found at:  0030:0F00D9EA    <-This address will be different on your puter

Now type:  u followed_by_the_memory_address_just_given_by_Softice

In my case I type: u 0030:0F00D9EA but you will have a different memory address and it's this memory address YOU must type in.
 
All going well, Softice should now display this code snippet:-
 
: 56             push esi
: 57             push edi
: 8B7C2410       mov edi, [esp + 10]
: 8B74240C       mov esi, [esp + 0C]
: 8B4C2414       mov ecx, [esp + 14]
: 33C0           xor eax, eax
: F366A7         repz cmpsw
: 7405           je 0F79B362
: 1BC0           sbb eax, eax
: 83D8FF         sbb eax, FFFFFFFF
: 5F             pop edi
: 5E             pop esi
: C20C00         ret 000C

If you're going to crack VB4 programs then memorize this tiny routine; it's the whole key to unlocking a whole host of VB4 programs just waiting for you to crack!
 
Ok, from here type: bpx followed_by_the_memory_address_just_given_by_Softice

In my case I type: bpx 0030:0F00D9EA but you will have a different memory address and it's this memory address YOU must type in.
 
Lastly, type: bd 00 to disable our original hmemcpy breakpoint, we don't need it anymore and finally, type X to leave Softice.
 
Softice now breaks again, this time on our newly created breakpoint, so it's a good opportunity for us to explore and understand just exactly how this sub-routine compares two sets of strings.

I've done this for you (see below) but by all means check for yourself by pressing the 'F10' key a few times:-

: 56           push esi             ;Save register esi for safe keeping
: 57           push edi             ;Save register edi for safe keeping
: 8B7C2410     mov edi, [esp + 10]  ;edi = "PC97" Check for known cracker!
: 8B74240C     mov esi, [esp + 0C]  ;esi = Your entered serial number
: 8B4C2414     mov ecx, [esp + 14]  ;Length of User name "PC97" ecx=4
: 33C0         xor eax, eax         ;Clear eax register
: F366A7       repz cmpsw           ;repeat_until_ecx=0 & compare strings
: 7405         je 0F79B362          ;jmp if both the same.
: 1BC0         sbb eax, eax
: 83D8FF       sbb eax, FFFFFFFF
: 5F           pop edi
: 5E           pop esi
: C20C00       ret 000C             ;Return from this sub-routine.

Notice anything odd here? This routine is checking for a user name we didn't type in, in this case "PC97". It seems the authors of this program have added a few extra routines to their latest version of Minimize Magic beyond what Razzia worked with.

No problem, while still in Softice press X to leave and once again Softice breaks at the same place as before. So, the program wants to do some more string checking..:)

: 56           push esi             ;Save register esi for safe keeping
: 57           push edi             ;Save register edi for safe keeping
: 8B7C2410     mov edi, [esp + 10]  ;edi = Your entered Serial Number
: 8B74240C     mov esi, [esp + 0C]  ;esi = The *REAL* Serial Number
: 8B4C2414     mov ecx, [esp + 14]  ;Length of your Serial Number
: 33C0         xor eax, eax         ;Clear eax register
: F366A7       repz cmpsw           ;repeat_until_ecx=0 & compare strings
: 7405         je 0F79B362          ;jmp if both the same.
: 1BC0         sbb eax, eax
: 83D8FF       sbb eax, FFFFFFFF
: 5F           pop edi
: 5E           pop esi
: C20C00       ret 000C             ;Return from this sub-routine.

Notice that the edi and esi registers are now reversed in holding the two strings to be compared against each other. It makes no difference to us however, because once we are on the instruction mov ecx, [esp + 14] all we need to do is type d esi and we see our Registration Code in Softice's Data Window.

Unlike cracking in other programs, our registration code will be in wide character format, which simply means that instead of our Registration/Serial number looking like HGII74EAG it will look like H.G.I.I.7.4.E.A.G instead. Other than that it's still the REAL serial number.
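For readers who want to see exactly what the annotated routine above computes, and why the serial shows up dotted in the data window, here is an added C model (not code from the essay or from the VB run-time). It reproduces the 13-instruction compare as a function, documents the sbb eax,eax / sbb eax,-1 trick that turns the carry flag into a -1/0/+1 result, and renders a wide (UTF-16LE) string the way a byte-wise dump shows it. The serial values are constructed samples, and the dump helper assumes a little-endian host as on the x86 the essay is debugging.

```c
/* Added example: C model of the VB string-compare routine from the essay and
 * a helper showing why a wide string dumps as H.G.I.I.7.4.E.A.G.
 * All strings here are constructed samples. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of:  mov edi,[esp+10] ; mov esi,[esp+0C] ; mov ecx,[esp+14]
 *            xor eax,eax ; repz cmpsw ; je done ; sbb eax,eax ; sbb eax,-1
 * Compares n 16-bit code units. Returns 0 if all n are equal, -1 if the first
 * differing unit in s is below the one in d (unsigned), +1 if it is above. */
int vb_wide_compare(const uint16_t *s, const uint16_t *d, size_t n)
{
    /* xor eax,eax also sets ZF, so an n == 0 compare falls straight to "equal" */
    for (size_t i = 0; i < n; i++) {
        if (s[i] != d[i]) {
            /* cmpsw computes s[i] - d[i]; CF is set when s[i] < d[i] (unsigned).
             * sbb eax,eax -> eax = -CF
             * sbb eax,-1  -> eax = eax + 1 - CF, i.e. -1 when CF=1, +1 when CF=0 */
            return s[i] < d[i] ? -1 : 1;
        }
    }
    return 0;                     /* je taken: eax still 0 from the xor */
}

/* Widen an ASCII string to UTF-16LE code units. Returns the unit count. */
size_t ascii_to_wide(const char *ascii, uint16_t *out, size_t cap)
{
    size_t n = 0;
    while (ascii[n] != '\0' && n < cap) {
        out[n] = (uint16_t)(unsigned char)ascii[n];
        n++;
    }
    return n;
}

/* Render the raw bytes of a wide string as a debugger dump would: printable
 * bytes as themselves, anything else (here the zero high bytes) as '.'.
 * Assumes a little-endian host, so the character byte comes before its zero. */
void dump_wide_as_ascii(const uint16_t *w, size_t n, char *out, size_t cap)
{
    const uint8_t *raw = (const uint8_t *)w;
    size_t bytes = n * 2, o = 0;
    for (size_t i = 0; i < bytes && o + 1 < cap; i++) {
        uint8_t b = raw[i];
        out[o++] = (b >= 0x20 && b < 0x7F) ? (char)b : '.';
    }
    out[o] = '\0';
}

/* Compare two ASCII serials as the run-time sees them (as wide strings).
 * The routine takes one length for both operands; use the shorter to stay
 * in bounds for mismatched inputs in this demo. */
int compare_serials(const char *a, const char *b)
{
    uint16_t wa[64], wb[64];
    size_t na = ascii_to_wide(a, wa, 64), nb = ascii_to_wide(b, wb, 64);
    return vb_wide_compare(wa, wb, na < nb ? na : nb);
}

/* Dump view of an ASCII string once widened; returns a static buffer. */
const char *wide_view(const char *ascii)
{
    static char out[160];
    uint16_t w[64];
    size_t n = ascii_to_wide(ascii, w, 64);
    dump_wide_as_ascii(w, n, out, sizeof out);
    return out;
}

int main(void)
{
    /* constructed sample: "real" serial vs. a typed guess off by one character */
    printf("memory view of HGII74EAG: %s\n", wide_view("HGII74EAG"));
    printf("compare(real, typed)    : %d\n", compare_serials("HGII74EAG", "HGII74EAH"));
    printf("compare(real, real)     : %d\n", compare_serials("HGII74EAG", "HGII74EAG"));
    return 0;
}
```

Two things the model makes visible that the listing alone does not: the routine is an ordered comparison, not just an equality test, so a caller testing eax for zero sees "match" only when every unit agrees; and the dotted form in the data window is simply the zero high byte of each UTF-16 unit being shown as a non-printable placeholder.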

CONGRATULATIONS! You've just cracked your first VB4 program!
 
Job Done.
 
The Crack
     
None required.
 

If you intend to use this program beyond its evaluation period then please BUY IT!
 
Final Notes 
    
If you take out the detailed steps within this essay and take out the preparation instructions (which you need only do once) you'll see that in reality there are only a few simple steps to cracking this program. I'm sure that if everyone had just a few 'easy-to-understand' tuts on VB cracking then the 'myths' surrounding VB programs would soon disappear from the minds of newbies.

Visual Basic is now DEAD!

My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses are encouraged to produce even *better* software for us to use and enjoy?

Ripping off software through serials and cracks is for lamers..
 
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 

Essay by:          The Sandman
Page Created: 23rd August 1998