EscapeRC v1.0.1 - Tutorial by ACiD BuRN

Description :- A VB5 Time Limit.
Tools :- HEX Editor, W32Dasm.

As the tools list shows, this one is not done with SoftICE or SmartCheck but with W32Dasm. In VB applications you won't find the program's strings under W32Dasm's String Data References (VB keeps them as Unicode, which W32Dasm does not list), but you can still work from the imports. So set your computer's date forward, to 2002 for example, and run the target. You get a message box: "Trial period is over".

VB apps don't call the MessageBoxA API themselves; the runtime does it for them through a similar function, rtcMsgBox. So for a VB message box in SoftICE you need bpx rtcmsgbox (for VB6: bpx msvbvm60!rtcmsgbox). You could use SoftICE, then, but in this essay I want to show that you can also crack VB with W32Dasm alone. Fire up W32Dasm and disassemble your target (EscapeRC.exe). Open the Imports list and look for rtcMsgBox. Double-click it twice: the first reference it jumps to is not the one we want, the second one is. You will see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address: <-- the jump that brings us to this MsgBox.
|:0041FA39(C)

:0041FB84 MOV ECX, 80020004
:0041FB89 MOV EAX, 0000000A
:0041FB8E MOV DWORD PTR [EBP-54], ECX
:0041FB91 MOV DWORD PTR [EBP-44], ECX
:0041FB94 MOV DWORD PTR [EBP-34], ECX
:0041FB97 LEA EDX, DWORD PTR [EBP-6C]
:0041FB9A LEA ECX, DWORD PTR [EBP-2C]
:0041FB9D MOV DWORD PTR [EBP-5C], EAX
:0041FBA0 MOV DWORD PTR [EBP-4C], EAX
:0041FBA3 MOV DWORD PTR [EBP-3C], EAX
:0041FBA6 MOV [EBP-64], 00405A20
:0041FBAD MOV [EBP-6C], 00000008

* Reference To: MSVBVM50.__vbaVarDup, Ord:0000h
|
:0041FBB4 CALL DWORD PTR [0042D38C]
:0041FBBA LEA EDX, DWORD PTR [EBP-5C]
:0041FBBD LEA EAX, DWORD PTR [EBP-4C]
:0041FBC0 PUSH EDX
:0041FBC1 LEA ECX, DWORD PTR [EBP-3C]
:0041FBC4 PUSH EAX
:0041FBC5 PUSH ECX
:0041FBC6 LEA EDX, DWORD PTR [EBP-2C]
:0041FBC9 PUSH 00000000
:0041FBCB PUSH EDX

* Reference To: MSVBVM50.rtcMsgBox, Ord:0253h  <-- You land here.

So W32Dasm tells you this block is reached by a conditional jump at 0041FA39. Open the Goto menu, choose "Goto Code Location", enter 0041FA39, and you land here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041FA24(C)

:0041FA34 CMP WORD PTR [EBP-14], 001F  <-- Compare a word (presumably the day count) with 1Fh (31 decimal).
:0041FA39 JNL 0041FB84                 <-- JNL = jump if not less: if the count is >= 31, go to the "Trial period is over" box.
:0041FA3F PUSH 00403930

* Reference To: MSVBVM50.__vbaNew, Ord:0000h
|
:0041FA44 CALL DWORD PTR [0042D2E8]
:0041FA4A PUSH EAX
:0041FA4B PUSH 0042A010

Now you just have to patch it. To be sure it works, I changed both instructions:

:0041FA34 CMP WORD PTR [EBP-14], 00  <-- compare with 0 instead of 1Fh
:0041FA39 JZ 0041FB84                <-- jump to the nag only if the word equals 0

With this change the "Trial period is over" box is reached only when the word at [EBP-14] is exactly 0, so any non-zero count falls through to the normal code at 0041FA3F. If you would rather make the jump impossible to take at all, leave the CMP alone and overwrite the six bytes of the JNL (0F 8D 45 01 00 00) with NOPs (90 90 90 90 90 90); execution then always falls through, whatever the count.

HEX edit your target. Before changing anything, make sure each pattern occurs only once in the file; both patches keep the instruction length, so nothing else moves:

Search for 66 83 7D EC 1F and change it to 66 83 7D EC 00 (CMP WORD PTR [EBP-14],1F becomes CMP WORD PTR [EBP-14],0; only the immediate changes).
Search for 0F 8D 45 01 00 00 and change it to 0F 84 45 01 00 00 (JNL becomes JZ; only the second opcode byte changes, so the rel32 displacement 00000145 still points at 0041FB84).

Save it, run it, and there is no more time limit. Very easy.
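The hex-edit step above done as a script, as an added example that is not the essay's own tool: it applies the two byte patches from the essay, refuses to touch a file in which a pattern is missing or occurs more than once, keeps a backup, and decodes the rel32 of the conditional jump so you can confirm it still targets 0041FB84 after the opcode change. The SAMPLE buffer is a constructed stand-in for the bytes at 0041FA34 (it is not a dump of the real file); to patch the real binary, call patch_file() with its path.

```python
"""Apply the essay's two byte patches to a copy of EscapeRC.exe (added example)."""
import shutil

# (original bytes, patched bytes); each pair has the same length so no code moves.
PATCHES = [
    # 0041FA34  CMP WORD PTR [EBP-14],1F  ->  CMP WORD PTR [EBP-14],0
    (bytes.fromhex("66837DEC1F"), bytes.fromhex("66837DEC00")),
    # 0041FA39  JNL 0041FB84 (0F 8D rel32)  ->  JZ 0041FB84 (0F 84 rel32)
    (bytes.fromhex("0F8D45010000"), bytes.fromhex("0F8445010000")),
]


def find_unique(data: bytes, pattern: bytes) -> int:
    """Offset of `pattern` in `data`; raise if it is absent or not unique."""
    first = data.find(pattern)
    if first < 0:
        raise ValueError(f"pattern {pattern.hex()} not found")
    if data.find(pattern, first + 1) >= 0:
        raise ValueError(f"pattern {pattern.hex()} is not unique; patch by offset instead")
    return first


def apply_patches(data: bytes, patches=PATCHES) -> bytes:
    """Return a patched copy of `data` with every (old, new) pair applied once."""
    buf = bytearray(data)
    for old, new in patches:
        if len(old) != len(new):
            raise ValueError("a patch must not change the instruction length")
        off = find_unique(bytes(buf), old)
        buf[off:off + len(new)] = new
    return bytes(buf)


def jcc_target(data: bytes, off: int, va: int) -> int:
    """Decode a 6-byte near Jcc (0F 8x rel32) at file offset `off` whose virtual
    address is `va`: the target is the VA of the next instruction plus rel32."""
    if data[off] != 0x0F or (data[off + 1] & 0xF0) != 0x80:
        raise ValueError("not a near conditional jump")
    rel = int.from_bytes(data[off + 2:off + 6], "little", signed=True)
    return (va + 6 + rel) & 0xFFFFFFFF


def patch_file(src: str, dst: str) -> None:
    """Patch `src` into `dst`, keeping an untouched backup of the original."""
    shutil.copyfile(src, src + ".bak")
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(apply_patches(data))


# Constructed stand-in for the bytes at 0041FA34..0041FA43 (not a dump of the real file).
SAMPLE = bytes.fromhex(
    "66837DEC1F"      # 0041FA34  CMP WORD PTR [EBP-14],1F
    "0F8D45010000"    # 0041FA39  JNL 0041FB84
    "6830394000"      # 0041FA3F  PUSH 00403930
)
SAMPLE_VA = 0x0041FA34

if __name__ == "__main__":
    jmp_off = SAMPLE.find(bytes.fromhex("0F8D"))
    print("JNL target: %08X" % jcc_target(SAMPLE, jmp_off, SAMPLE_VA + jmp_off))
    print("patched:   ", apply_patches(SAMPLE).hex())
```

The uniqueness check matters more for the five-byte CMP pattern than for the jump: a CMP WORD PTR [EBP-14],1F can easily appear in another function, while a Jcc with displacement 00000145 almost never does. If find_unique refuses, patch by file offset instead of by pattern.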

ACiD BuRN.