Tools Used : SoftICE v3.24, W32Dasm v8.93.
Hi guys ... you are reading my 3rd tutorial ... sorry if there are any grammatical errors .. hope you'll understand this piece ... This is my first experience of VB programs ... I've heard a lot of comments about VB protection schemes ... someone said " ..VB is a Newbies Nightmare". Hmm .. it sounds like a challenge for me ... I invite you to join me in reversing these "naughty" programs.
Tips & Tricks (SandMan) - Visual Basic cracking still remains to many a tough nut to crack, because you can't just dead list it and expect to see where you're going ... Therefore we need to adopt new methods to circumvent this natural barrier, and one possible way is to locate routines within the VB runtime library that we can place traps (breakpoints) on with SoftICE. In order to program SoftICE to quickly locate the String Compare Routine for us we place the following three lines in our WINICE.DAT file:
AF4="^s 0 l ffffffff 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14,33,C0,F3,66,A7;"
EXP=C:\WINDOWS\SYSTEM\VB40032.DLL
EXP=C:\WINDOWS\SYSTEM\MSVBVM50.DLL
This has been tested on both VB4 & VB5 programs and does work, however, if the target program uses Integer/Reals for the serial number then the program will use a different set of routines instead, bypassing our String Compare Routine altogether...
In order to combat this I think I've found an Integer/Real routine in VB5 that we can place a BPX on that will show us the *real* numeric serial that the program expects us to use... The VB5 Routine looks like this (the bytes of the ALT-F3 search pattern below decode to exactly these instructions):
PUSH DWORD PTR [EBP-20]
CALL MSVBVM50._vbaR8Str ; Convert string to Integer/Real.
FCOMP QWORD PTR [00401028] ; Our numeric compare!
FNSTSW AX ; Copy the FPU status flags ...
SAHF ; ... into the CPU flags ...
JNZ short ; ... and branch on the result of the compare.
Once you land on FCOMP QWORD PTR [00401028] type: DL 00401028 to see the *real* serial #. DL is not a typing error, DL means Display Long/Real while D on its own simply uses the current display format... See the SoftICE manual for more information on SoftICE Commands. Okay, we now have something new for SoftICE to check on, so let's program this new Search Macro into it ... Open up WINICE.DAT and make sure you have these lines:
EXP=C:\WINDOWS\SYSTEM\VB40032.DLL
EXP=C:\WINDOWS\SYSTEM\MSVBVM50.DLL
AF3="^s 0 l ffffffff FF,75,E0,E8,85,EF,FF,FF,DC,1D,28,10,40,00,DF,E0,9E,75,03;"
AF4="^s 0 l ffffffff 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14,33,C0,F3,66,A7;"
ALT-F3 Is our Integer/Real Compare search, works only in VB5.
ALT-F4 Is our String Compare search, works in VB4 & VB5.
Author : Thomas Warfield, Goodsol Development Inc.
E-mail : support@goodsol.com
Homepage : http://www.goodsol.com
Pretty Good Solitaire 98 is a collection of 230 solitaire games, from classic games like Klondike, FreeCell, and Spider, to 22 original games invented especially for the program.
Interesting one ... since there is no registration screen to enter registration data ... but in the help file he mentions this : "if you do register this program, this is what you will get for your money: A registration code and instructions on how to input this code to register your copy". Hmm ... seems that Thomas wants to play a game with us ... hurrah ... this would be fun ! ... somehow it reminds me of Sandra Bullock in "The Net"... (really! - CrackZ).
Firstly ... I tried holding [CTRL] key and start pushing on cards in help menu... order screen pops up ... try again ... push on register ... #boom# ... game is over ... it was too easy .. here we're asked to enter :
Name :
Registration Code :
The registration code is based on what you type in for a name.
1. Deep within your System Registry it uses the following branch to store its license data.
HKEY_CURRENT_USER\Software\Goodsol\PGS98\Registration Code=" " Name=" " RVersion="4.98.2"
2. It's a 30 day, time limited program that will 'expire' after 30 days of being installed.
Click on Help - About ... Hold [CTRL] key and click on [Register] .... #boom# ... use the following entry as example :
Name : widYa@cL 2011
Registration Code : 0101010
DO NOT push [OK] yet .... fire up SoftICE (Ctrl+D) and set a breakpoint on HMEMCPY (BPX HMEMCPY) ... X [ENTER] to leave SoftICE ... then click the [OK] button. From here press the 'F12' key 7 times to get into msvbvm50.dll code ... Now we want to quickly find the routine that compares our serial number with the *real* one and we can do this effortlessly by pressing the ALT-F4 keys together ... SoftICE should now report back one memory location where the sub-routine we're looking for is to be found in memory.
In my case SoftICE reported:
Pattern found at 017F:7B2FD9EA <- This address (SEGMENT:OFFSET) will be different.
Your next step is to set a breakpoint on it, but first clear the HMEMCPY breakpoint because we don't need it anymore.
BC* [ENTER]
BPX 7B2FD9EA [ENTER] ; Once again I remind you this address will be different in your system.
X [ENTER] ; Leave SoftICE.
SoftICE should now display this code snippet:
: 56 PUSH ESI ; Save ESI for later use.
: 57 PUSH EDI ; Save EDI for later use.
: 8B7C2410 MOV EDI, [ESP+10] ; press F10 here .... D EDI.
You'll see "MICHAEL KREYLING" in wide format. Now scroll down the data window ... until you see the following data :
. . . . \ 5 S . & . . . . . . . 9 . 8 . 1 . 9 . 7 . 7 . 6 . 0 . 0 . . . Z . { . { . , , , , , ,
: 8B74240C MOV ESI, [ESP+0C] ; F10, D ESI, you'll see "WIDYA@CL 2011" in wide char. format.
Strange isn't it ?!... This routine is checking for a Name we didn't type in "Michael Kreyling" ... makes me wonder ... is it used for the generation of the valid serial or the author has a bad memory of this guy. Anyway this number '981977600' seems to be our valid registration code ... clear all the breakpoints.
BC* [ENTER]
X [ENTER]
Enter registration again.
Name : widYa@cL 2011
Registration Code : 981977600
Push [OK], huh, no expression of thanks. Look in Help - About and we are registered. (NOTE : to Unregister Pgs98 run regedit - go to HKEY_CURRENT_USER\Software\Goodsol\PGS98\Registration - Delete the Registration key).
I've noticed that there's a few 'odd' things in the generation of a valid serial, after trying different registration names, e.g. :
1. When I used "CrackZ" as name the data window showed this number "652288", I enter registration screen again with the following entry :
Name : CrackZ
Registration Code : 652288
[OK] "Sorry . Invalid Registration Code ...", then I looked again at every valid registration number that I've got, it always begins with "98" ... let's check it out :
Name : CrackZ
Registration Code : 98652288
[OK], now registered.
2. I also tried the following details :
Name : widYa
Registration Code : 0101010
'Damn' ... the valid registration code never showed up ... so I changed my dummy reg code .... then ... after a few times entering registration with different key ... finally ... it showed up "98467069" ... hmmm .. though I've found the valid code I wasn't satisfied. Since we must scroll down the data window and sometimes we need to repeat the routine .... is there 'something' left behind !?? .... is it a bug ??!.
Now I'm back !! .. with new energy ... let's continue our examination ... from what I've learned .. VB programs are not really a "program" since they make a lot of calls to a library (dll). Let's say it wants to convert a string into uppercase, then it will call a function in the dll (dynamic link library) that performs this task. Especially in serial protection schemes we can say there are 3 main routines we need to know (I've discussed this in my 2nd tutorial) :
Read your input, calculate a code with some formula and compare our input with the correct one. Now .. if we'd like to write a program ... then we will make it as effective as possible and as efficient as possible, right? ... same as the writer of msvbvm50.dll ... he must have written one good function to handle any uppercase-string task ... he must have written one good function to handle any compare-strings task ... etc.
Now .. I'd like to find a function in msvbvm50.dll which generates our valid code for all VB programs which have serial protection schemes ... is it possible ??? ... hmmm .. where do we start ..?! from what we've seen .. our name was converted to uppercase (right ?!) ... a good start for me .... what's this function's name in msvbvm50.dll ... rtcUpperCaseBstr ?! ... let's check it out ....... enter reg again .. with the following entry :
Name : CrackZ
Registration Code : 0101010
... Ctrl+D ...
BPX rtcUpperCaseBstr [ENTER]
X [ENTER]
... [OK] ... press F12 once ... we land here :
:7B3CF8DC E8ADFFFFFF CALL MSVBVM50!rtcUpperCaseBstr
:7B3CF8E1 66833E08 CMP WORD PTR [ESI], 08 ; D EAX .... CRACKZ in wide char. format.
:7B3CF8E5 8945F8 MOV [EBP-08], EAX ; Set BPX for this code.
BC* [ENTER]
BPX 7B3CF8E1 ; This address will be different in your system (maybe not - CrackZ).
X [ENTER]
X [ENTER]
D EAX ... you'll see UNREGISTERED COPY .. in wide char. format ... scroll down the data window ... we found a fixed valid reg code "98652288" ... but still we need to repeat entering registration sometimes to find it ... I don't know if all these 'odd' things happen in your system too ... Are you thinking what I'm thinking ?! ... yeah ... where is that "bloody" function !!. After learning about VB functions for a few minutes, I decided to use __VbaStrCat. Enter registration again, fill out the entries .... Ctrl+D.
BC* [ENTER]
BPX __VbaStrCat [ENTER]
X [ENTER]
[OK], F12 once ... we land here :
:7B3EEC36 E85434F0FF CALL MSVBVM50!__vbaStrCat
:7B3EEC3B 50 PUSH EAX ; We're gonna set BPX at here.
D EAX ... what do you see ? : M I .... interesting ?! .. No ?? ...
BC* [ENTER]
BPX 7B3EEC3B ; This address will be different in your system.
X [ENTER]
D EAX ... what do you see ? : M I C .... interesting ?! .. No ?? ... X [ENTER]
D EAX ... what do you see ? : M I C H .... interesting ?! .. hmm !? ...
Here I decided to trace the CALL, I think I found the code which generates the data we looked at EAX ... here is the snippet code :
F3A4 REPZ MOVSB ; copy string (move byte while CX!=0 - CrackZ).
5D POP EBP ; D EAX here.
5F POP EDI
5E POP ESI
5B POP EBX
C20800 RET 0008
Let's create a function key to make our examination easier, open up winice.dat and make the following changes :
AF5="^s 0 l ffffffff F3,A4,5D,5F,5E,5B,C2,08,00;"
F5="^x;^dd eax;"
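Both the ALT-F3/ALT-F4 macros in the WINICE.DAT section earlier and the ALT-F5 macro just defined do the same thing: a linear search of memory for a fixed byte sequence. The script below is an added example (not code from the original tutorial or from SoftICE) that re-implements that search in Python over a constructed byte buffer standing in for the runtime image. The three patterns are copied from the page's macros, the instruction decodings in the comments are what those opcode bytes encode, and the base address and buffer layout are made up for the demonstration.

```python
"""Byte-signature search of the kind SoftICE's "s 0 l ffffffff ..." macros perform.

Added example, not part of the original tutorial. The patterns are the three
WINICE.DAT macros from the page; the image scanned is a constructed buffer,
not a real msvbvm50.dll, and BASE is an assumed load address.
"""

# Each comment gives the x86 instruction(s) the preceding bytes encode.
SIGNATURES = {
    "AF3 integer/real compare (VB5)":
        "FF,75,E0,"            # push dword ptr [ebp-20]
        "E8,85,EF,FF,FF,"      # call rel32 (the __vbaR8Str thunk, image-specific)
        "DC,1D,28,10,40,00,"   # fcomp qword ptr [00401028] (absolute address)
        "DF,E0,9E,75,03",      # fnstsw ax / sahf / jnz short
    "AF4 string compare (VB4/VB5)":
        "56,57,"               # push esi / push edi
        "8B,7C,24,10,"         # mov edi,[esp+10]
        "8B,74,24,0C,"         # mov esi,[esp+0C]
        "8B,4C,24,14,"         # mov ecx,[esp+14]
        "33,C0,F3,66,A7",      # xor eax,eax / repe cmpsw
    "AF5 rep movsb epilogue":
        "F3,A4,5D,5F,5E,5B,C2,08,00",  # rep movsb / pop ebp,edi,esi,ebx / ret 8
}


def parse_softice_bytes(spec: str) -> bytes:
    """Turn the comma-separated hex form WINICE.DAT uses into raw bytes."""
    return bytes(int(tok, 16) for tok in spec.split(","))


def find_pattern(image: bytes, pattern: bytes, base: int = 0) -> list[int]:
    """Every address (base + offset) where pattern occurs; overlapping hits included."""
    hits, start = [], 0
    while (i := image.find(pattern, start)) >= 0:
        hits.append(base + i)
        start = i + 1
    return hits


def scan_all(image: bytes, base: int = 0) -> dict[str, list[int]]:
    """Run every signature over the image, like pressing each ALT-Fn macro in turn."""
    return {name: find_pattern(image, parse_softice_bytes(spec), base)
            for name, spec in SIGNATURES.items()}


# Constructed image: NOP filler, the AF4 routine at +0x100, INT3 filler,
# the AF5 epilogue at +0x153, and no AF3 sequence at all.
BASE = 0x7B2F0000  # assumed load address, not taken from any real module
SAMPLE_IMAGE = (b"\x90" * 0x100
                + parse_softice_bytes(SIGNATURES["AF4 string compare (VB4/VB5)"])
                + b"\xCC" * 0x40
                + parse_softice_bytes(SIGNATURES["AF5 rep movsb epilogue"])
                + b"\x00" * 0x10)

if __name__ == "__main__":
    for name, addrs in scan_all(SAMPLE_IMAGE, BASE).items():
        print(f"{name:34s} {[hex(a) for a in addrs]}")
```

Two things the search itself makes visible: the AF3 pattern contains a rel32 call displacement and the absolute address 00401028, so it only matches an image with exactly that layout, whereas AF4 is pure register/stack code and matches any build of the routine; and the 9-byte AF5 pattern is an ordinary function epilogue, so on a real module `find_pattern` can return several hits where SoftICE's `s` reports only the first.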
Restart windows, make another cup of coffee. Now use the following details :
Name : CrackZ
Registration Code : 0101010
... CTRL+D ...
BPX __VbaStrCat [ENTER]
X [ENTER]
[OK], press ALT+F5, In my case SoftICE reported :
Pattern found at 017F:7B2F20F5 <- This address (SEGMENT:OFFSET) will be different on your system.
BC* [ENTER]
Now we're here :
:7B2F20F5 F3A4 REPZ MOVSB
:7B2F20F7 5D POP EBP ; we're gonna set BPX at here.
BC* [ENTER]
BPX 7B2F20F7
You can relax now because I'll show you the greatest magic you've ever seen, keep pressing F5 until you see the valid reg code in the data window (just like a slide show or a movie isn't it ?! ... every time we push F5 .. the data window is updated char by char, copied from the "Michael Kreyling" string .... after no more chars to copy from "Michael Kreyling" ... then we have 'a commercial break' ... keep pressing F5 ... finally ... the data window shows 97652288 in wide char format ... NO NEED TO SCROLL DOWN THE DATA WINDOW... ).
You can try with a different entry ... soon you'll see that my new method will always show the valid reg code, I'm satisfied now. Are you thinking something ?! .. Yeah ... the valid reg code has 2 versions ... Pgs97 version and Pgs98 version ... so the valid reg code for name : CrackZ is 98652288 or 97652288 ... both work fine.
Now I have one more question in my mind .... are you thinking what I'm thinking ??, what if we enter "Michael Kreyling" as name ... though we saw 974309568 in the data window ... we can't make it registered .... seems that Thomas Warfield has blacklisted this guy ...?!? ... (anyone knows who Michael Kreyling is ?!) ...
Author : Michael Doering
E-mail : pam@tindrum.oche.de, michael.doering@post.rwth-aachen.de
Homepage : http://www.fs2.RWTH-Aachen.DE/doelf/pam/
A full featured multi-audio player (aren't they all - CrackZ) : pal skins, playlist editor, plays mp3, wav , mid etc.
Registration is via selecting "About Pam" - Register ... we're asked to enter :
Name :
E-mail :
Number :
The registration code is based on what you type in for name and e-mail.
1. Deep within your System Registry it uses the following branch to store its license data.
HKEY_CURRENT_USER\Software\OhBugger\Pam
2. It's a 42 day, time limited program that will 'expire' after 42 days of being installed.
Another VB program, this is good, we're gonna test my new method. Use the following entry as example :
Name : widYa@cL 2011
E-mail : widya-cl@usa.net
Number : 0101010
DO NOT push [register PAM] yet ....CTRL+D ...
BPX __VbaStrCat [ENTER]
X [ENTER]
[Register PAM] ... press ALT+F5, In my case SoftICE reported :
Pattern found at 017F:7B2F20F5 <- This address (SEGMENT:OFFSET) may be different on your system.
BC* [ENTER]
BPX 017F:7B2F20F5
X [ENTER]
We're here :
:7B2F20F5 F3A4 REPZ MOVSB
:7B2F20F7 5D POP EBP ; We're gonna set BPX at here.
BC* [ENTER]
BPX 7B2F20F7
Now let's enjoy the movie presented by Visual Basic ..... Keep pressing F5 until you see the good serial in wide format ... after pushing F5 about 62 times the data window displays :
5 . E . o . 1 . 8 . 2 . a . S . 6 . 1 . 2 . 7 . 7 . n . j . 9 . p . 7 . 3 . 2 . 0 . 7 . 5 . 3 . 8 . 2 . 7 . A . g . x . . . c . ) . . c . o . p . y . r . i . g . h . t . . 1 . 9 . 9 . 8 . . b . y . . m . . d . o . e . r . i . n . g . . . .
Is this the valid reg code ? ... let's find out :
Name : widYa@cL 2011
E-mail : widya-cl@usa.net
Number : 5Eo182aS61277nj9p7320753827Agx
Registered to widYa@cL 2011 - Thank You! ... You're Welcome! ....
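The "M . I . C . H" and "9 . 8 . 1 . 9 ..." dumps in the PGS98 walkthrough and the "5 . E . o . 1 ..." dump just above are the same thing: the VB runtime keeps every string as a BSTR (a 4-byte byte-length prefix, UTF-16LE text, then a two-byte NUL), and the SoftICE data window prints each byte's ASCII column with a '.' for the zero high bytes. The script below is an added example (not code from the original tutorial) that builds a small constructed memory image in that layout, renders it the way the data window does, reads a BSTR back through the pointer a register such as EAX would hold, and pulls every wide string out of the buffer the way a `strings -e l` pass over a memory dump would. The names in the constructed image are the ones the page shows; the offsets are made up.

```python
"""Wide (UTF-16LE) strings as the SoftICE data window shows them.

Added example, not part of the original tutorial. MEM is a constructed memory
image; the BSTR layout (byte-length prefix, UTF-16LE payload, wide NUL) is the
string format the VB runtime uses.
"""
import struct


def make_bstr(text: str) -> bytes:
    """Lay out text as a BSTR: <I length-in-bytes, UTF-16LE payload, 00 00 terminator."""
    payload = text.encode("utf-16-le")
    return struct.pack("<I", len(payload)) + payload + b"\x00\x00"


def read_bstr(mem: bytes, ptr: int) -> str:
    """Decode the BSTR a register points to. ptr is the payload start, so the
    length prefix sits four bytes before it."""
    nbytes = struct.unpack_from("<I", mem, ptr - 4)[0]
    return mem[ptr:ptr + nbytes].decode("utf-16-le")


def data_window(mem: bytes) -> str:
    """The ASCII column of a debugger data window: '.' for every non-printable byte."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in mem)


def extract_wide_strings(mem: bytes, min_chars: int = 4) -> list[str]:
    """Collect runs of printable UTF-16LE characters (printable low byte, zero high byte).
    Scanning byte by byte means alignment does not matter; short runs are dropped."""
    found, run, i = [], [], 0
    while i + 1 < len(mem):
        if mem[i + 1] == 0 and 0x20 <= mem[i] < 0x7F:
            run.append(chr(mem[i]))
            i += 2
        else:
            if len(run) >= min_chars:
                found.append("".join(run))
            run = []
            i += 1
    if len(run) >= min_chars:
        found.append("".join(run))
    return found


# Constructed image: 8 bytes of padding, the name BSTR, 3 bytes of junk, the code BSTR.
MEM = (b"\x00" * 8
       + make_bstr("MICHAEL KREYLING")
       + b"\xCC" * 3
       + make_bstr("981977600"))
EAX = 12  # assumed register value: points at the first BSTR's payload

if __name__ == "__main__":
    print(data_window(MEM[EAX:EAX + 16]))       # M.I.C.H.A.E.L. .
    print(read_bstr(MEM, EAX))                  # MICHAEL KREYLING
    print(extract_wide_strings(MEM))            # both strings, no scrolling needed
```

Because `extract_wide_strings` walks the whole buffer rather than one pointer, it also explains the page's "scroll down the data window" step: the computed code was a separate BSTR lying a little further along in memory, and the length prefix before each string is what lets `read_bstr` stop exactly at the end without relying on the terminator.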
That's all for now guys ... pity .. I only have 2 programs written in VB, I would like to test it with more programs. Well I'm sure you have one ... please test my new method on your VB (4/5) programs which use a serial protection scheme. Let me know the result or if you have any comments / suggestions.
Thomas Warfield, Michael Doering for giving me a challenge ... you forced me to improve my skills a little bit.
Written / Design bY : widYa-cL 2011
Page Created : 23 February 1999