First of all I'd like to say that Split32 is a VB5 program, and that's why I have chosen to have a look at it: I have heard so many things about NuMega SmartCheck that I wanted to try it. VB5 programs are different in that the functions they use are not implemented in the program itself but in a DLL called msvbvm50.dll, so a VB5 program is essentially just a list of calls to functions in that DLL.
When cracking VB5 programs you can use SoftICE (adding EXP=c:\windows\system\msvbvm50.dll to your winice.dat file), disassemble the file and look at the code, or use SmartCheck, THE perfect tool for VB5 programs.
This tutorial is divided into two parts: an easy part, which consists of getting a serial number for Split32, and a second, slightly harder part, which consists of making a key generator. For the second part you'll need SmartCheck 6.0 and an ASCII/hex/dec converter, and, of course, Split32.
Choose File/Open and open Split32.exe. Then choose Program/Start. The program is now launched by SmartCheck. You will get some API failures; just click on Acknowledge each time. After a moment the program's window will appear.
As you might have noticed, a window in SmartCheck has opened, showing all the events associated with the program. This will be the most useful window in your whole life of VB cracking (hmm, perhaps not that true...). Now let's click on About in the Split32 window. You'll notice that your clicks are recorded in the Program Results window.
OK. Now enter a name (I used PaRKeR) and a key (I used 12345). Click on OK. Nothing happened and you're back at the Split32 main window. Click on Quit. Don't forget to acknowledge the few failures you'll get in return.
Now you are alone facing that BIG window with all the results and events of the program. Let's boggle the concept a while. If a key is generated and a comparison happens, it must be when clicking on OK in the About window, or something like that, right? So let's have a look at what happened when you clicked on OK. Because you are very clever, you have noted the name of the event associated with your click. In my case, it is:
+ Command1_Click

Let's click on the "+" sign: it changes into a "-" sign and all the events that happened are shown to you! Great! This should look like:

- Command1_Click
    Text1.Text
    Text3.Text <-- "0" (String)
    Text1.Text
    Len returns LONG:6
    ...
    ...
    + Form4_Unload
- Command1_Click

Even for a new cracker, it would appear clearly that this REALLY sounds like a key generation routine. Now let's place the highlighted bar on Text1.Text, for example. In the right window, it will show:

(No additional details)

Hmmm, moving the bar down 3 times we can see:

- String string1 = 0043372C
    |- = "PaRKeR"

Pretty clear: 6 is the length of the string PaRKeR. If you have a little knowledge of computer programming, all the other operations will be clear as crystal for you. Let's go down... nothing very interesting, but WAIT!, look at this strange string:
Text3.Text <-- "905591-S47"

If this isn't a serial number, I'll be hanged! (CrackZ - translated to "if this is not the serial number.....") Note this string down. Close SmartCheck. Run Split32. About. Name: PaRKeR, Key: 905591-S47. OK. Nothing appeared to happen. About. Registered to one user.
- string (variant)
    - String .bstrVal = 0043372C
        |- = "PaRKeR"
    |- Long length = 1 0x00000001
- start (variant)
    |- Integer .iVal = 1 0x0001

Then we have another event: Asc returns Integer:80. Of course! 80 is the decimal value for the character "P". Then a little after, we have Text3.Text <-- "81" (String). Why 81 and not 80??? Hmmm, 81 is 80+1. Some lines after, we have: Asc returns Integer:97. Once again, as you should have guessed, 97 is the decimal value for "a". Then we have Text3.Text <-- "180" (String). DOH!! 97+81=178. Wait a sec... 180=178+2, so we have 180=(80+1)+(97+2). Sounds like this part of the algorithm will be sum(i+Asc(Name[i]), i, 1, length), with i counting from 1 (as 80+1, 97+2 show).
This is confirmed by the lines that follow: 265=(80+1)+(97+2)+(82+3), and so on. OK. Six characters later, we have:

Val returns double:538 (displayed as single-precision floating point)
Text3.Text <-- "905591-S47" (String)

Damn, even Einstein wouldn't know how to get from the first line to the second one... What can we do now? A little leprechaun on my shoulder says that SmartCheck is hiding some things from me. Well, let's choose View/Show All Events while the bar is over "905591-S47". A lot of new stuff appears in the window.
Let's highlight Val returns double:538 (...). Just under it is a call to __vbaVarMul; look at the stuff in the right window: that's 150756*6 (hmmm, 6 is the length of the name...), then __vbaVarAdd: that's 904536+517 (hmmm, 904536=6*150756), then __vbaVarAdd: that's 905053+538 (hmmm, our 538, and 905053=904536+517). Now we have the first part of the key: "905591".
Then a __vbaVarCat, then __vbaVarAdd: that's 41+6 (remember, 6 is the length of the string). We have the third part of the key, "47", and then another __vbaVarCat. That means that the prog concatenates "905591", "-S" and "47" to make the key.
We're done! But we have a few things to check: are 150756, 517 and 41 constants or variables? Is the formula sum(i+Asc(Name[i])) right? For the second question, you can check that now with the Show All Events option: indeed it is right. For the first question, the only way I found to check the theory above was with a different name: and it appears that those 3 numbers are indeed constants.
Now we are really done. Here is the final generation routine:
- first part: 150756*length + 517 + sum(i+Asc(Name[i]), i, 1, length);
- second part: -S;
- third part: length+41.
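The routine above in Python, as an added example that is not part of the original tutorial, so the running totals (81, 180, 265, ...) and the 905591-S47 result for PaRKeR can be checked. It also reports the plain ASCII sum, which for PaRKeR happens to be 517 as well, so only the author's test with a second name separates the two readings; the keyed_serial function is a hypothetical mitigation sketch (not Split32's code) showing why a key derived from the name alone, with no secret, offers no protection once the check has been read.

```python
import hmac
import hashlib

# Constants as recovered in the tutorial (assumed fixed, per the author's
# check with a second name).
MULT, ADD, TAIL = 150756, 517, 41


def running_totals(name: str) -> list:
    """Running sums of (position + ASCII code), position counted from 1.
    For "PaRKeR" this reproduces the 81, 180, 265, ... values seen in
    SmartCheck, ending at 538."""
    totals, acc = [], 0
    for i, c in enumerate(name, start=1):
        acc += i + ord(c)
        totals.append(acc)
    return totals


def ascii_sum(name: str) -> int:
    """Plain sum of ASCII codes. For "PaRKeR" this is also 517, so the
    reading "517 is the character sum" is only ruled out by testing a
    second name, as the author did."""
    return sum(ord(c) for c in name)


def serial(name: str) -> str:
    """The recovered routine: MULT*length + ADD + checksum, then "-S",
    then length + TAIL."""
    n = len(name)
    checksum = running_totals(name)[-1] if name else 0
    return f"{MULT * n + ADD + checksum}-S{n + TAIL}"


def is_valid(name: str, key: str) -> bool:
    """The check as the program effectively performs it: every input is
    public, so anyone who can read the routine can produce a valid key."""
    return key == serial(name)


def keyed_serial(name: str, secret: bytes) -> str:
    """Hypothetical mitigation: derive the key from an HMAC over the name
    under a secret held only by the vendor (issued and verified
    server-side), so reading the client-side check yields no generator."""
    tag = hmac.new(secret, name.encode("utf-8"), hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:3], 'big'):06d}-S{tag[3] % 100:02d}"


def keyed_valid(name: str, key: str, secret: bytes) -> bool:
    return hmac.compare_digest(keyed_serial(name, secret), key)
```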
Thanks a lot, SmartCheck. Personal greetings go to: tKC, CrackZ and Josh. Don't forget to unregister Split32 when you are done. For that, open regedit and remove the key HKEY_USERS/.Default/Software/Microsoft/Windows/CurrentVersion/rh, or buy the license. Authors deserve your help.
PaRKeR - parker__@caramail.com