Target : Tweaki... for Power Users v4.0.1
Target URL : http://www.jermar.com/tweaki4.exe
Tools : PEiD v0.8 or PE-Scan v3.13, De-Crunch v1.0, W32Dasm, Hex Workshop v3.1
Tools URL : http://protools.cjb.net
INTRODUCTION
Welcome to my second tutor for the Phrozen Crew. Although this tutor will
cover the unpacking of files as well as disassembling and hex editing
them, it is again aimed at intermediate to advanced crackers. I
have included my latest De-Crunch v1.0 tool with this tutor to help you
in your task. If for some reason the version you download is slightly
different, the method explained below may still work perfectly
fine, with a few exceptions such as the actual offset inside the target
executable that I give in this tutor.
IDENTIFICATION
Like with all other target programs, it is an advantage to know whether
or not an application is packed with an encryption/protection scheme and,
if so, which one. For this reason I recommend PEiD (PE iDentifier
v0.8), coded by snaker & Qwerton, or PE-Scan v3.13 by Snyper.

I also recommend that, if you use PEiD, you turn the HARDCORE scanning
option (option number 2) ON. The reason is that a lot of the more
advanced packers/encryptors try to fake identification, either by using
other packers'/cryptors' identification strings or by leaving virtually
no identification markings at all. Hardcore scanning limits those
chances to almost none!

Using either one of these identification packages (I use both,
since PEiD will also tell me which language it was coded in, whereas PE-Scan
gives me more SPECIFIC packer version numbers), you will find out
that Tweaki is protected by Bit-Arts' Crunch v2.0.0.2 protection scheme.
Before I continue with unpacking it and the rest, just a little more about
this specific protection scheme. It is a very tricky and powerful protection
scheme, but it has a major weakness, as you will see in a minute or two.
I have coded an unpacker for this scheme that will successfully unpack
the Tweaki executable. This however is not the end of the solution, since
if you simply unpack the target application, you will find that the program
(especially when you turn the PC clock forward and backward) will complain
that your trial version has expired and that the license has been tampered
with, etc.
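The identification step above relies on PEiD and PE-Scan matching byte signatures, which, as noted, a packer can fake or omit. The structural side of the same question (does this image look packed?) can be checked without any signature database. The following Python script is an added example written for this page; it is not part of Valek's tutorial, the De-Crunch tool or either scanner. It parses the PE section table, scores each section on entropy, writable+executable flags, zero file data with reserved memory, and whether the entry point sits outside the first section, and runs on a constructed minimal PE32 image (not a real program) built in `build_sample_pe()`. The 7.0 entropy threshold and the "two indicators" rule are assumptions chosen for illustration.

```python
import math
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                   # optional header start
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40                 # 40-byte section headers
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "characteristics": chars,
            "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]),
        })
    return {"entry_rva": entry_rva, "sections": sections}


def packing_indicators(pe: bytes) -> list:
    """Structural hints that a runtime unpacker is present (heuristics, not proof)."""
    info = parse_pe(pe)
    ep = info["entry_rva"]
    flags = []
    for idx, s in enumerate(info["sections"]):
        span = max(s["virtual_size"], s["raw_size"])
        if idx != 0 and s["virtual_address"] <= ep < s["virtual_address"] + span:
            flags.append(f"entry point in section {s['name']!r} (index {idx}), not the first")
        if s["raw_size"] >= 256 and s["entropy"] > 7.0:   # assumed threshold
            flags.append(f"section {s['name']!r} has entropy {s['entropy']:.2f}")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            flags.append(f"section {s['name']!r} is writable and executable")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            flags.append(f"section {s['name']!r} has no file data but {s['virtual_size']:#x} bytes reserved")
    return flags


def is_probably_packed(pe: bytes) -> bool:
    return len(packing_indicators(pe)) >= 2           # assumed decision rule


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not a real program): an empty '.text'
    reserved for code that will be unpacked at run time, and a high-entropy
    'packed' section that holds the entry point."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)     # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)                            # entry point RVA
    sec = "<8sIIIIIIHHI"
    rwx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    text = struct.pack(sec, b".text", 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, rwx)
    packed = struct.pack(sec, b"packed", 0x400, 0x2000, 0x400, 0x200, 0, 0, 0, 0, rwx)
    header = dos + b"PE\0\0" + coff + bytes(opt) + text + packed
    header += b"\0" * (0x200 - len(header))
    body = bytes(range(256)) * 4        # uniform byte distribution -> entropy 8.0
    return header + body


if __name__ == "__main__":
    image = build_sample_pe()
    for line in packing_indicators(image):
        print("-", line)
    print("probably packed:", is_probably_packed(image))
```

Run it against any `.exe` or `.ocx` by replacing `build_sample_pe()` with the file's bytes. A clean compiler output normally has its entry point in the first section, no writable code sections and entropy well under 7.0 in `.text`; a signature match from PEiD or PE-Scan tells you which packer, this check tells you that one is there even when the signature has been stripped.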
UNPACKING
Tweaki was coded in Visual Basic 6, and since the SoftlocX protection
scheme is a user-definable .OCX plugin, you have to deal with this part
of the protection scheme separately. The .OCX file, in this particular
case named "Softlocx5.ocx", is located in either your "C:\Windows\System"
or "C:\Windows\System32" directory. Ironically enough, this
.OCX plugin has been protected with its own SoftlocX protection scheme.
Execute my unpacker and select the "Softlocx5.ocx" file in your
Windows system directory. It will successfully unpack it and rename the
unpacked version to "!Softlocx5.ocx". Now rename or delete the
original "Softlocx5.ocx" file and rename the unpacked "!Softlocx5.ocx"
file back to "Softlocx5.ocx".

Now when you try to execute Tweaki, it WILL tell you the
trial has expired. Don't worry: you now simply run my unpacker
and select the protected "tweaki.exe" file, and again my unpacker
will unpack and rename the file to "!tweaki.exe". If you execute
this "!tweaki.exe" file it will STILL tell you the trial has
expired. What now, you ask? Well, now your file is at least ready to be
disassembled and hex edited.
DISASSEMBLING AND PATCHING
Like I explained in my first tutor, copy, paste and rename a backup
copy of the "!tweaki.exe" executable to "target.exe".
Load W32Dasm and select the "!tweaki.exe" executable. You'll
probably have to wait quite a while, since the executable contains a lot
of information. Once it has finished disassembling the file, save
your PROJECT and COMMENTS. This is just for "in case". I assume that,
being of the intermediate/advanced level of cracking, you already know
how to use W32Dasm... Click on the String Reference button and scroll
down to a string reference saying "LICENSED". Double-click on
this and scroll up until you find the following:
Now load Hex Workshop or another hex editor and select the "target.exe"
file. Alt+TAB back to W32Dasm and make sure where the actual hex file
offset is in "target.exe", then Alt+TAB back to (in this case)
Hex Workshop, press F5, type in the desired hex file offset and change
the conditional jump at 1BACE0 from 84 to 85 and boom! You're done!
AFTER THOUGHTS
How come, if SoftlocX is such a "powerful" protection scheme,
it is so easy to circumvent... you may ask? Well, when you unpack the
"Softlocx5.ocx" itself, the way it behaves and the way the actual target
application communicates with it change in such a way that it is still
functioning, but just half-arsed!
Using this method you can safely unpack the .OCX plug-in, leaving it
semi-functioning, and then unpack the target application itself, leaving
it W32Dasm disassembler friendly and ready to be modified as desired.
I hope you see from this tutor that you don't have to back off from powerful
commercial protection schemes, since they are coded by human beings, and like
all human beings the authors of this scheme have their faults/limitations
and probably have not foreseen this kind of attack yet.
Now all you can do, if you want to conserve some space on your hard disk,
is download ASPack v2.1x, select the unpacked "Softlocx5.OCX"
file in your Windows system directory and compress it, and then follow
that by selecting the unpacked and patched "!tweaki.exe" file
and packing it. This will significantly reduce both their file sizes,
saving you a few megabytes. Now you can safely delete all the old executables
and rename the "!tweaki.exe" executable back to "tweaki.exe".
Enjoy!
Valek / Phrozen Crew
PS: Click on the Phrozen Crew logo to visit our website or on my logo
to contact me via email