MusicMatch Jukebox v2.03 - Tutorial

http://www.musicmatch.com - Webpage.

Welcome. In this tutorial I'm looking once again at a Visual Basic application, although this one is actually the best MP3 player/encoder that I've used. So, as is customary, let's launch our application and perform the necessary actions with a music CD to reach the main program. You should easily locate the Upgrade button, swiftly followed by the Upgrade from Demo button. Like the SalesAgent scheme, you'll soon realise that ordering by phone is a wise decision.

After taking note of the serial number generated by the program you can proceed to enter your Enable Key. I'm going to highlight another way in which you can reverse VB protections; this approach involves using the message box that appears when you enter an invalid code. So before pressing O.K., set a >bpx rtcMsgBox in SoftICE; you'll need to have the msvbvm50.dll exports loaded to do this.

You should find the program breaks at this address inside mmjb.exe.

:005BDCAB CALL [MSVBVM50!rtcMsgBox] <-- "Incorrect key"

So let's disassemble mmjb.exe; you should easily see that our message box is reached from the following code.

:005BDC4E CALL [MSVBVM50!__vbaStrCmp] <-- Visual Basic string compare.
:005BDC54 TEST EAX,EAX <-- Test result of compare.
:005BDC56 JNZ 005BDC64 <-- Jump_bad_guy.

So let's >bpx __vbaFreeVar; note this call is at address 005BDC32, just before our compare function. Note also that Visual Basic runtime functions do not differ in any way from Win32 APIs in that their parameters must also be pushed onto the stack before the call. So you should easily reach this code (just before our critical compare); you might need to press F5 and F11 a few times.

:005BDC32 CALL [MSVBVM50!__vbaFreeVar]
:005BDC38 MOV ESI,[EBP+08]
:005BDC3B PUSH ESI
:005BDC3E CALL [ECX+00000790] <-- Interesting return in EDX.
:005BDC44 MOV EDX,[ESI+4C] <-- Code entered but in reverse.
:005BDC47 MOV EAX,[005E0078] <-- Good code backwards.
:005BDC4C PUSH EDX
:005BDC4D PUSH EAX <-- Push them as parameters for __vbaStrCmp.

Now you should easily be able to snatch the good code from EDX after the function return; in my case it is 18 digits, so you may need to scroll the data window. Note also that the good code is compared in reverse form, so you'll need to read it from right to left (and note the wide-character format, one byte of each pair being zero).
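The reason the good code can be read straight out of a register is the design of the check itself: the program materialises the expected key in memory and hands it to __vbaStrCmp next to the user's input, so anyone breaking on the compare sees both operands. The following is an added example (not code from the tutorial or from MusicMatch) that mirrors that pattern in Python beside the usual defensive alternative: store only a salted digest of the expected key and compare digests in constant time, so the compare's operands never contain the key. EXPECTED_KEY and KEY_SALT are constructed placeholders, not the program's real values.

```python
"""Plaintext key compare versus digest compare: what a debugger sees at the
compare instruction. Added example; the key and salt below are constructed."""
from __future__ import annotations

import hashlib
import hmac

# Constructed stand-in for a product's expected enable key. In the weak
# design this value sits in memory as the second operand of the string
# compare, which is exactly what the tutorial reads out of the register.
EXPECTED_KEY = "EXAMPLE-ENABLE-KEY-0001"  # constructed, not a real key

# Constructed stand-in for what a hardened build ships instead: a per-product
# salt and a digest of the expected key, both computed at build time.
KEY_SALT = b"constructed-per-product-salt"
EXPECTED_DIGEST = hashlib.sha256(
    KEY_SALT + EXPECTED_KEY.encode("utf-16-le")  # VB strings are wide chars
).hexdigest()


def weak_check(user_key: str) -> tuple[bool, str]:
    """Mirror of the VB pattern in the listing: the good key (reversed, as
    the target does it) is loaded into memory and compared with the reversed
    user input by a plain string compare.  Returns (accepted, operand), where
    operand is what a debugger stopped on the compare sees as the expected
    value.  Reversal is cosmetic: reading the operand right to left is the key.
    """
    good = EXPECTED_KEY[::-1]
    return user_key[::-1] == good, good


def hardened_check(user_key: str) -> tuple[bool, str]:
    """Digest the input with the same salt and compare digests in constant
    time (hmac.compare_digest).  Returns (accepted, operand); the operand a
    debugger sees is the stored digest, from which the key cannot be read
    back.  This closes the key-disclosure path, not the patch-the-jump path.
    """
    digest = hashlib.sha256(KEY_SALT + user_key.encode("utf-16-le")).hexdigest()
    return hmac.compare_digest(digest, EXPECTED_DIGEST), EXPECTED_DIGEST


def operand_reveals_key(operand: str) -> bool:
    """True if the compare operand, read forwards or backwards, is the key."""
    return operand == EXPECTED_KEY or operand[::-1] == EXPECTED_KEY


if __name__ == "__main__":
    for check in (weak_check, hardened_check):
        accepted, seen = check("wrong-guess")
        print(f"{check.__name__}: accepted={accepted} "
              f"operand reveals key={operand_reveals_key(seen)}")
```

Two caveats belong with this. First, the digest only stops the key from being read out of the compare; a single conditional jump after the check is still a single patch away, which is the author's closing remark. Second, if the key is derived from client-visible data by a simple transform (the tutorial later notes that most of the enable key is just the serial reversed), hashing the comparison changes nothing, because the weakness is in the derivation, not the compare.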

You should also trace the CALL at 005BDC3E and the function immediately below it; you'll discover a plethora of VB functions. Note in particular __vbaLenBstr (gets the string length), as well as __vbaStrCopy and __vbaStrMove; when you next reverse a VB target, all of these functions might well be worth trying as breakpoints.

MusicMatch Jukebox v2.03
Enable Key: 156921879596960000
Serial number (generated by program): 000069695978131143

You should of course note the rather surprising similarity between the enable key and the serial number generated by the program: it would certainly seem that 12 digits of the enable key are just a reversed form of the program serial number. I understand from a reverser that created a key generator for this program that only the last 6 numbers are manipulated. I think patching this program is easy; else find your own code. I'll leave both as an exercise.


© 1998 CrackZ. 29th June 1998.