News Poster Pro v5.3.4 - Tutorial

http://www.newsposterpro.com - Webpage.
anewspro.zip - (2.49Mb).

Welcome once again. For some reason a lot of very capable reversers struggle with Visual Basic applications; the difficulty most people have with VB is following the quagmire that is the dll. News Poster Pro provides an example of how to systematically reverse engineer a VB protection. First, a small theoretical digression: with VB5 we already know that our beloved W32Dasm will for the most part be ineffective, so let's use other tools, like RegMon & FileMon, for clues.

Launch News Poster Pro and make a note of your User Key (Register Menu); mine is USJXRK. Now let's make our way to entering the registration key we obtained after paying our $199. With SoftICE our best option, we must turn our mind to breakpoints; you should find that our nag box is easily located with a >bpx RtcMsgBox. It's called at address 0046E031.

Looking at this code inside W32Dasm, you should easily trace this as being the deciding jump.

:0046DEF4 CALL 00446720 <-- Function call.
:0046DEF9 MOV CX, WORD PTR [0047B070] <-- Set value of CX.
:0046DF00 CMP CX, WORD PTR [0047B308] <-- Check CX against ptr 0047B308.
:0046DF07 JNZ 0046DFDF <-- Jump_Bad_Registration_Code.

So let's just think carefully and logically; it's amazing how many reversers just blindly reverse jumps without feeling the code. See how reversing the jump results in a call to RtcMsgBox being made at address 0046DFC7, after which the code will just jump over our bad message box. So the code in between must perform some kind of user configuration, say for example, placing the information in the registry.

You might also like to think about which functions would be worth tracing; just examine the code before our critical jump. So let's jump in with SoftICE. I would suggest >bpx __VbaR8IntI2, but you can also reach here with >bpx Hmemcpy, allowing 3 breaks, using F12 to reach msvbvm50.dll and then stepping with F10.

Trace inside 00446720 and look around; note some of the e-mail addresses you'll see being copied into various registers, as well as the table there seems to be at location 0041FD00. As you might expect, patience and gentle code examination is the key, and eventually you'll trace to this very simple compare routine.

:00446910 MOV EAX, DWORD PTR [0047B05C] <-- Code entered, use ? EAX.
:00446915 TEST EAX,EAX <-- Check code was entered.
:00446917 JZ 00446949 <-- Bad_jump.
:00446919 MOV ECX, DWORD PTR [0047B058] <-- Real good code, use ? ECX.
:0044691F TEST ECX,ECX <-- Was good code 0, (a strange check).
:00446921 JZ 00446949 <-- Bad_jump.
:00446923 CMP EAX,ECX <-- Compare.
:00446925 JNZ 00446935 <-- Bad_jump.

There are several things you could have done differently here. Firstly, the zen way: you knew from the first code snippet that locations [0047B070 & 0047B308] were significant, so if you had searched the disassembly for these locations you would have located the above compare very easily (look at the 2 instructions directly after JNZ 00446935).

The good code is of course written to a registry key, HKEY_USERS/.Default/Software/VB and VBA Program Settings/NPP2.1/data, the relevant key being 'misd'. I didn't actually look to see how the program calculates the good code (I know that it must use the key because the user name and organisation do not make any difference). Note that you may also have been able to reverse engineer this protection using RegMon and bpx's on registry functions.

News Poster Pro v5.3.4
Name/Company: CrackZ/Zencrack
Registration Code: USJXRK/73703

C Source Code Key Generator


© 1998 CrackZ. 18th July.