Visual Basic Cracking Part 1
(Compare Methods and Breakpoints)

Written by:
Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net

Date Released:
17th Jan 1999

Last Update:
23rd Jan 1999

Foreword:
I'd like to say that I'm a new cracker and I'll be updating this whenever I find any new information. If you have any information that I seem to miss out, please email me. In the examples below, I've used the simplest protection routine (hardcoded codes) for easy understanding.


COMPARE METHODS

In Visual Basic, there are more than 8 compare methods available for the author to use in order to check for the correct serial/code. I'm going to mention only 8 because they are easier and more feasible. The most common of the 3 are:

1) STRING COMPARE

In this compare method, a string eg "Correct Password" is compared to the password you entered in textbox eg "Entered Password".
String data type consists of a sequence of contiguous characters that represent the characters themselves rather than their numeric values. A String can include letters, numbers, spaces, and punctuation. The String data type can store fixed-length strings ranging in length from 0 to approximately 63K characters and dynamic strings ranging in length from 0 to approximately 2 billion characters.

The code in VB will be:

If "Correct Password" = "Entered Password" then        <--Direct comparison of 2 Strings
GoTo Correct Message
Else
GoTo Wrong Message
End if

Basically, it is considered the simplest form of compare used by protection schemes. It can be easily used to break into Softice when the author uses this function.

Breakpoints available include:
i) __vbastrcomp or __vbastrcmp                   <--Stands for STRing COMpare

Note: If you are cracking a VB6 program, you have to add msvbvm60! in front of the two breakpoints.
eg. bpx msvbvm60!__vbastrcomp or bpx msvbvm60!__vbastrcmp

ii) Searching for a specific byte combination (seen in Sandman's essay 59)
56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7
 

2) VARIANT COMPARE

In this method, two variables (of Variant data type) is used to compare with each other.
Variant data type is a special data type that can contain numeric, string, or date data as well as user-defined types and the special values Empty and Null. The Variant data type has a numeric storage size of 16 bytes and can contain data up to the range of a Decimal, or a character storage size of 22 bytes (plus string length), and can store any character text.

An example of the code is like this:

Dim correct As Variant, entered As Variant    <--Defines "correct" and "entered" as Variant
correct = Correct Password                           <--Set "correct"as the "Correct Password"
entered = Text1.Text                                       <--Set "entered" as the password you entered
If correct = entered Then                                <--Compare using the Variant method
GoTo Correct Message
Else
GoTo Wrong Message
End If

In this method, the above breakpoints will not appear because the program no longer uses __vbastrcomp etc...

Breakpoint available:
i) __vbavartsteq                                             <--Stand for VARiant TeST EQual

Note: If you are cracking a VB6 program, you have to add msvbvm60! in front of the breakpoint.
eg. bpx msvbvm60!__vbavartsteq
 

3) LONG COMPARE

This is one of the common methods used as well. Two variables (of Long Data type) is used to compare with one another.
Long data type is a 4-byte integer ranging in value from -2,147,483,648 to 2,147,483,647.
Therefore, one limitation to this method is that what is compared must consist of numbers only. (Thank goodness, thus we will see less of such protection)

An example of the code is like this:

Dim correct As Long, entered As Long          <--Defines "correct" and "entered" as Long
correct = 12345                                            <--Set "correct" as the correct code
entered = Text1.Text                                     <--Set "entered" as the entered code
If entered = correct Then                              <--Compare using the Long method
GoTo Correct Message
Else
GoTo Wrong Message
End If

There are no specific breakpoints for this type of method because the code for this comparison is in the main program and not in the VB dll file. Thus, they vary from program to program. Please refer to the section "General advice on VB Cracking" instead.


I'll briefly touch upon the other 5 compare methods as well. If the below methods sound weird or impossible to you, just ignore them but remember that protection schemes in VB are not limited to the above three methods.

4) SINGLE COMPARE

This method uses two variables of Single data type to compare with each other.
It is a data type that stores single-precision floating-point variables as 32-bit (4-byte) floating-point numbers, ranging in value from -3.402823E38 to -1.401298E-45 for negative values, and 1.401298E-45 to 3.402823E38 for positive values.
Therefore, one limitation to this method is that what is compared must consist of numbers only. But sometimes, in calculations routine where your Username is converted to Serial, the correct serial can in the form of Single.

An example of the code is like this:

Dim correct As Single, entered As Single      <--Defines "correct" and "entered" as Single
correct = Correct Password                         <--Set "correct"as the "Correct Password"
entered = Text1.Text                                     <--Set "entered" as the password you entered
If correct = entered Then                              <--Compare using the Variant method
GoTo Correct Message
Else
GoTo Wrong Message
End If

There are no specific breakpoints for this type of method because the code for this comparison is in the main program and not in the VB dll file. Thus, they vary from program to program. Please refer to the section "General advice on VB Cracking" instead.
 

5) DOUBLE COMPARE

This method uses two variables of Double data type to compare with each other.
It is a data type that holds double-precision floating-point numbers as 64-bit numbers in the range -1.79769313486232E308 to -4.94065645841247E-324 for negative values; 4.94065645841247E-324 to 1.79769313486232E308 for positive values.
As you can probably see, Double is very similar to Single. Therefore, one limitation to this method is that what is compared must consist of numbers only. But sometimes, in calculations routine where your Username is converted to Serial, the correct serial can be in the form of Double.

An example of the code is like this:

Dim correct As Double, entered As Double    <--Defines "correct" and "entered" as Double
correct = Correct Password                           <--Set "correct"as the "Correct Password"
entered = Text1.Text                                     <--Set "entered" as the password you entered
If correct = entered Then                              <--Compare using the Variant method
GoTo Correct Message
Else
GoTo Wrong Message
End If

There are no specific breakpoints for this type of method because the code for this comparison is in the main program and not in the VB dll file. Thus, they vary from program to program. Please refer to the section "General advice on VB Cracking" instead.
 

6) INTEGER COMPARE

This method uses two variables of Integer data type to compare with each other.
It is a data type that holds integer variables stored as 2-byte whole numbers in the range -32,768 to 32,767. The Integer data type is also used to represent enumerated values.
Therefore, one limitation to this method is that what is compared must consist of numbers only. But sometimes, in calculations routine where your Username is converted to Serial, the correct serial can be in the form of Integer.

An example of the code is like this:

Dim correct As Integer, entered As Integer     <--Defines "correct" and "entered" as Integer
correct = Correct Password                           <--Set "correct"as the "Correct Password"
entered = Text1.Text                                      <--Set "entered" as the password you entered
If correct = entered Then                                <--Compare using the Variant method
GoTo Correct Message
Else
GoTo Wrong Message
End If

There are no specific breakpoints for this type of method because the code for this comparison is in the main program and not in the VB dll file. Thus, they vary from program to program. Please refer to the section "General advice on VB Cracking" instead.
 

7) BYTE COMPARE

This method uses two variables of Byte data type to compare with each other.
It is a data type used to hold positive integer numbers ranging from 0-255. Byte variables are stored as single, unsigned 8-bit (1-byte) numbers.
Therefore, one limitation to this method is that what is compared must consist of numbers and only to the limit of 255. But sometimes, in calculations routine where your Username is converted to Serial, the correct serial can be in the form of Byte.

An example of the code is like this:

Dim correct As Byte, entered As Byte     <--Defines "correct" and "entered" as Byte
correct = Correct Password                   <--Set "correct"as the "Correct Password"
entered = Text1.Text                              <--Set "entered" as the password you entered
If correct = entered Then                        <--Compare using the Variant method
GoTo Correct Message
Else
GoTo Wrong Message
End If

There are no specific breakpoints for this type of method because the code for this comparison is in the main program and not in the VB dll file. Thus, they vary from program to program. Please refer to the section "General advice on VB Cracking" instead.
 

8) CURRENCY COMPARE

This method uses two variables of Currency data type to compare with each other. Yes, it might sound weird, but it works!!
It is a data type with a range of -922,337,203,685,477.5808 to 922,337,203,685,477.5807. Use this data type for calculations involving money and for fixed-point calculations where accuracy is particularly important.
Therefore, one limitation to this method is that what is compared must consist of numbers only. But sometimes, in calculations routine where your Username is converted to Serial, the correct serial can be in the form of Currency.

An example of the code is like this:

Dim correct As Currency, entered As Currency   <--Defines "correct" and "entered" as Currency
correct = Correct Password                               <--Set "correct"as the "Correct Password"
entered = Text1.Text                                           <--Set "entered" as the password you entered
If correct = entered Then                                    <--Compare using the Variant method
GoTo Correct Message
Else
GoTo Wrong Message
End If

There are no specific breakpoints for this type of method because the code for this comparison is in the main program and not in the VB dll file. Thus, they vary from program to program. Please refer to the section "General advice on VB Cracking" instead.


So, does that mean that with these 8 compare methods, we can break into every single compare routine? The answer is NO. This is because, I also realise that other than these 8, comparison can be made between Currency and String, Variant and Long etc...
So, I've created this table...

Compare Table

 
String
Variant
Long
Currency
Single
Double
Integer
Byte
String
Normal
V
SD
SC
SS
SD
SD
SD
Variant
-
Normal
V
V
V
V
V
V
Long
-
-
Normal
__vbaFpCmpCy
Sin to D
DC
DC
DC
Currency
-
-
-
Normal
__vbaFpCmpCy
__vbaFpCmpCy
__vbaFpCmpCy
__vbaFpCmpCy
Single
-
-
-
-
Normal
DC
DC
DC
Double
-
-
-
-
-
Normal
DC
DC
Integer
-
-
-
-
-
-
Normal
DC
Byte
-
-
-
-
-
-
-
Normal

V   = Variant Compare
SD = String is converted to Double before comparing
SC = String is converted to Currency before comparing
SS = String is converted to Single before comparing
Sin to D = Single is converted to Double before comparing
DC = Direct comparison
__vbaFpCmpCy = Floating point Compare Currency

From this, you will probably realise by using Softice without other tools, you will have a hellish time trying to figure out what sort of breakpoints to set near the compare routine. This is where SmartCheck comes in handy... Look below on how to use SmartCheck in general VB cracking.


POSSIBLE BREAKPOINTS

There are a lot of them and I've just listed down the commonest few.

1) Data Type Conversion
i) String to Byte or Integer: __vbai2str
ii) String to Long: __vbai4str
iii) String to Single: __vbar4str
iv) String to Double: __vbar8str
v) String to Currency: VarCyFromStr (for VB6. You have to have oleaut32.dll in your winice.dat)
vi) Integer to String: VarBstrFromI2 (for VB6. You have to have oleaut32.dll in your winice.dat)

2) Moving Data
i) String to memory: __vbaStrCopy
ii) Variant to memory: __vbaVarCopy or __vbaVarMove

3) Mathematical
i) Addition: __vbavaradd             <--Adding Variants
ii) Subtraction: __vbavarsub        <--Subtracting Variants
iii) Multiplication: __vbavarmul      <--Multiplying Variants
iv) Division: __vbavaridiv            <--Dividing Variant to get answer in Integer
v) XOR: __vbavarxor                 <--XOR

4) Miscellaneous
i) __vbavarfornext           <--Used in codes where there is a For... Next... Statement (Loop)
ii) __vbafreestr
iii) __vbafreeobj
iv) __vbastrvarval            <--Get the value from a specific location in a String
v) multibytetowidechar
vi) rtcMsgBox
vii) __vbavarcat               <--Joining 2 Variants together
viii) __vbafreevar
ix) __vbaobjset


General advice on VB Cracking:

The unique part of VB cracking is that there is SmartCheck to help us. It is a very useful program and you should learn how to use it well. Or at least understand what it is showing. We often use Softice in programs written in other languages and W32Dasm. W32Dasm is more or less useless in VB cracking. But luckily, we have SmartCheck. I'll try and give a brief account of how to go about cracking using both SmartCheck and Softice at the same time.

1) As a rule thumb, run the program a few times. Try and see what messages are shown, the way the program acts.

2) Use SmartCheck to run the program. For general settings of SmartCheck, you can find it on the website stated on top of this essay. After running once and trying to register, close the program down (Not SmartCheck). When you choose "Show All Events", a whole chunk of information can be seen. And it is very easy not to find the lines you need. So, click on the line you want before choosing "Show All Events". Usually, it is xxxxxx_Click. xxxxxx is the name of the button refered to by the program. For programmers that are too lazy to change the name, it is usually CommandX_Click where X starts from 1.

3) Look for __vbastrcomp, __vbastrcmp or __vbavartsteq first. If you are lucky, you might just see the correct code being compared to the one you entered.

4) If you can't find the 3 of them, most probably the program uses the other comparison methods. Now, go through the lines and look for the Bugger-off message. A few lines above it, there are usually the few __vba commands I listed. Start from the one nearest to the Bugger-off message line. Set your breakpoint using it. Count the number of occurence of the breakpoint you set and use F5 in Softice to return to the program and break again.

For example, if you set __vbafreestr, there might be a lot of them used after you click on the register button. And if the specific breakpoint you want is shown to be the 10th __vbafreestr in SmartCheck, you have to press F5 nine times to get to the 10th __vbafreestr.

Remember that if you are cracking a VB6 program, add msvbvm60! in front.

5) Run the program, enter whatever is needed and click to register. Softice WILL break unless you set the breakpoint wrongly. One weird thing I discover in VB6 is that I need to set the breakpoint FIRST before I run the program. Remember that. It might apply to older VB versions.

6) Start tracing into EVERY call and display any suspicious register changes. It won't take you long since you are near to the Bugger-off message. If you did not come across anything suspicious, go back to SmartCheck and look for the next breakpoint. The previous breakpoint might be after the compare routine.