http://www.offsitelabs.com
cm32106.zip (393k).
Welcome once again. In this tutorial I'm going to show you yet another trick I often use when reversing Visual Basic applications. In Cache Master we have a VB4 application (vb40032.dll imported), so let's first locate our register option. After trying various VB4 breakpoints (MultiByteToWideChar etc.) and getting nowhere, I figured there had to be an easier way.
So let's first trigger our nag box. You'll find a bpx MessageBoxA works well; you'll locate it at address 0F771820, but still irritatingly inside vb40032.dll. I thought for a while, figuring that tracing through pages of the dll was pointless, and then it occurred to me that maybe the program was using the same memory locations to store my inputs, so let's first >bpx MessageBoxA. Once returned back into SoftICE, let's do a memory string search for the serial # we entered (remember we are looking in wide character format).
>s 0 l ffffffff 31 00 32 00 31 00 32
You'll probably find only 2 memory locations where the string is stored. Mine were at 0048A7D4 & 004902D4, so what I'm going to do is set a breakpoint on those memory locations.
>bpm 0157:0048A7D4
>bpm 0157:004902D4
Now let's Ctrl+D out of SoftICE and attempt to re-register. You'll probably break a few times getting back to the Registration screen; just keep using F5 to exit SoftICE. When you click OK you should get a break. Look at the code you break in: sometimes it will be kernel32, other times oleaut32. Just keep pushing F5 until you get a break at this very interesting piece of code inside vb40032.dll. (You may have to repeat this process a few times to get at this code.)
:0F79B34C AND AL,10
:0F79B34E MOV ESI,[ESP+0C]
:0F79B352 MOV ECX,[ESP+14]
:0F79B356 XOR EAX,EAX
:0F79B358 REPZ CMPSW <-- It's the old wide-char compare again.
:0F79B35B JZ 0F79B362 <-- You'll break here.
Well, let's take a look at the contents of ESI & EDI; you should see your entered
code in EDI and the good code in ESI. Note that you are looking at the 2nd
character so scroll the data window to view the first, and there you have it, a
seemingly tedious VB4 application reversed. Note the good code is written out
to the file cm.ini in the program directory.
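
The compare above gives the good code away because both operands sit in memory as wide-character strings. As an added example (not part of the original tutorial or the program's own code), this Python code models that check beside one that compares fixed-length digests instead; the serial, salt, iteration count and function names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample values (assumptions); not taken from Cache Master.
GOOD_SERIAL = "CM-4471-EXAMPLE"
SALT = b"constructed-salt"
ITERATIONS = 100_000


def wide(text):
    """Encode text as VB stores strings: UTF-16LE, so "12" -> 31 00 32 00."""
    return text.encode("utf-16-le")


# In a real build only this digest would be embedded; it is derived from
# GOOD_SERIAL here solely so the example is self-contained.
STORED_DIGEST = hashlib.pbkdf2_hmac("sha256", wide(GOOD_SERIAL), SALT, ITERATIONS)


def plaintext_check(entered):
    """Model of the check in the tutorial: two wide strings compared directly."""
    operands = [wide(entered), wide(GOOD_SERIAL)]  # the buffers EDI and ESI point at
    return operands[0] == operands[1], operands


def digest_check(entered):
    """Hardened form: hash the input and compare digests in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", wide(entered), SALT, ITERATIONS)
    operands = [candidate, STORED_DIGEST]
    return hmac.compare_digest(candidate, STORED_DIGEST), operands


def leaks_good_serial(operands):
    """True if any comparison operand holds the valid serial in wide-char form."""
    needle = wide(GOOD_SERIAL)
    return any(needle in buf for buf in operands)


if __name__ == "__main__":
    for check in (plaintext_check, digest_check):
        ok, operands = check("1212")
        print(check.__name__, "accepted:", ok,
              "| good serial visible in operands:", leaks_good_serial(operands))
```
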