Serial Catching in VB 5
Targets: Pretty Good Solitaire 98 - Pam v1.13
Reverse Engineering Lab
Tools used: SoftICE v3.24
... from newbie to another ...
Intro
Hi guys ... you are reading my 3rd tutorial ... sorry if there are any grammatical errors ... I hope you'll understand this piece. This is my first experience with VB programs ... I've heard a lot of comments about VB protection schemes ... someone said "VB is a newbie's nightmare" ... hmm ... that sounds like a challenge to me ... I invite you to join me in reversing these "naughty" programs.
Flash Course
Tips & Tricks (SandMan): Visual Basic cracking still remains, to many, a tough nut to crack because you can't just dead-list it and expect to see where you're going. Therefore we need to adopt new methods to circumvent this natural barrier, and one possible way is to locate routines within the VB runtime library that we can place traps (breakpoints) on with SoftICE. In order to program SoftICE to quickly locate the String Compare routine for us we place the following three lines in our WINICE.DAT file:

Pretty Good Solitaire 98
Author: Thomas Warfield, Goodsol Development Inc.
E-mail: support@goodsol.com
Homepage: http://www.goodsol.com
Overview
Pretty Good Solitaire 98 is a collection of 230 solitaire games, from classic games like Klondike, FreeCell and Spider to 22 original games invented especially for the program. Features: 230 solitaire games, full 256-color graphics, sound, undo to the beginning of the game, redo of all moves undone, automatic game saving on exit, selectable card backs, automatic card moving, quick mouse shortcuts for easy play (right click: quick move, middle click: undo, double click: move to foundation), over 2 billion starting positions for each game, statistics for multiple players, full history of the scores of all games played, selectable background colors for each game, choice of the bitmap backgrounds provided or any tilable bitmap file as a background, snapshot position (return to a previously saved position), and the Solitaire Wizard, which lets you create your own solitaire games by selecting the rules for the game; millions of different games can be created.
Protection system
An interesting one ... there is no registration screen to enter registration data, but the help file says this: "if you do register this program, this is what you will get for your money: a registration code and instructions on how to input this code to register your copy" ... hmm ... it seems Thomas wants to play a game with us ... hurrah ... this will be fun! Somehow it reminds me of "The Net" ... First I tried holding the [CTRL] key and pushing on cards in the Help menu ... the order screen pops up ... try again ... push on Register ... #boom# ... huh ... game over ... that was too easy. Here we're asked to enter a Name and a registration code; the registration code is based on what you type in for the name.
Deep within your System Registry it uses the following branch to store its license data:
HKEY_CURRENT_USER\Software\Goodsol\PGS98\Registration
The essay
Click on Help - About ... hold the [CTRL] key and click on [Register] ... #boom# ... use the following entry as an example: Name: widYa@cL 2011. DO NOT push [OK] yet ... fire up SoftICE (CTRL+D) and set a breakpoint on HMEMCPY (BPX HMEMCPY) ... X [ENTER] to leave SoftICE ... then click the [OK] button ... #bOOm#. From here press the F12 key 7 times to get into msvbvm50.dll code. Now we want to quickly find the routine that compares our serial number with the *real* one, and we can do this effortlessly by pressing ALT+F4 (the String Compare search macro from WINICE.DAT) ... SoftICE should now report back one memory location, which is where the sub-routine we're looking for lives. In my case SoftICE reported: ... BC* [ENTER] ... #boom# ... and SoftICE should now display this code snippet:

Hmmm ... strange, isn't it?! This routine is checking against a name we didn't type in, "Michael Kreyling" ... makes me wonder ... is it used for the generation of the valid serial, or does the author just have a bad memory of this guy?! Anyway ... this number, '981977600', seems to be our valid reg code ... clear all the breakpoints ... BC* [ENTER] ... enter the registration again with Name: widYa@cL 2011 and the number we just fished ... push [OK] ...
Huh ... no expression of thanks!? Look in Help - About. (NOTE: to unregister PGS98 run regedit, go to HKEY_CURRENT_USER\Software\Goodsol\PGS98\Registration and delete the Registration key.)

I've noticed a few 'odd' things in the generation of a valid serial after trying different registration names. E.g. Name: CrackZ ... [OK] ... #boom# ... "Sorry. Invalid Registration Code ..." ... then I looked again at every valid registration number I've got ... it always begins with "98" ... let's check it out: Name: CrackZ ... [OK] ... #boom# ... now registered. I also tried the following details: Name: widYa ... 'damn' ... the valid reg code never showed up ... so I changed my dummy reg code ... and after a few more tries with different keys it finally showed up: "98467069". Hmm ... though I'd found the valid code I wasn't satisfied, since we must scroll down the data window and sometimes we need to repeat the whole routine ... is there 'something' left behind!? ... is it a bug?! ... aaahhh ... I'm sleepy now ... better sleep ... #DAMN# ... who said VB programs are a newbie's nightmare!? ... huh ... now I'm back, with new energy ... let's continue our examination.

From what I've learned, VB programs are not really "programs" since they make a lot of calls into a library (DLL). Say the program wants to convert a string to uppercase: it calls a function in a DLL (dynamic link library) that performs this task. For serial protection schemes in particular we can say there are 3 main routines we need to know (I discussed this in my 2nd tutorial): read your input, calculate a code with some formula, compare your input with the correct one. Now, if we were writing a program we would make it as effective and as efficient as possible, right? The same goes for the writer of msvbvm50.dll ... he must have written one good function to uppercase any string, one good function to compare any two strings, etc. So I'd like to find a function in msvbvm50.dll that hands us the valid code for every VB program with a serial protection scheme ... is it possible??? ... hmm ... where do we start?! ... think ... think ... think! From what we've seen, our name was converted to uppercase (right?!) ... a good start for me ... what's this function's name in msvbvm50.dll ... rtcUpperCaseBstr?! ... let's check it out ... enter the registration again with the following entry: Name: CrackZ ... CTRL+D ... BPX rtcUpperCaseBstr [ENTER] ... [OK] ... #bOOm# ... press F12 once ... we land here:
BC* [ENTER] ... are you thinking what I'm thinking?! ... yeah ... where is that "bloody" function!! After reading about VB functions for a few minutes I decided to use the __vbaStrCat function instead ... so enter the registration again, fill out the entries ... CTRL+D ... BC* [ENTER] ... set the breakpoint on __vbaStrCat ... [OK] ... #BOOM# ... F12 once ... we land here:

D EAX ... what do you see?: M I ... interesting?! No?? ... on the next break, D EAX again ... what do you see?: M I C ... interesting?! No?? ... X [ENTER] ... here I decided to trace the CALL ... snip ... snip ... snip ... hey, I think I found the code which generates the data we looked at in EAX ... here is the code snippet:
So I gave SoftICE a macro for it: this line in WINICE.DAT binds ALT+F5 to a search of all memory for that routine's byte sequence F3 A4 5D 5F 5E 5B C2 08 00, which disassembles to rep movsb / pop ebp / pop edi / pop esi / pop ebx / ret 8:

AF5="^s 0 l ffffffff F3,A4,5D,5F,5E,5B,C2,08,00;"

Restart Windows ... make another cup of coffee ... now enter the registration again with the following entry: Name: CrackZ ... CTRL+D ... BPX __vbaStrCat [ENTER] ... [OK] ... #BOOM# ... press ALT+F5 ... in my case SoftICE reported: ... BC* [ENTER] ... #bOOm# ... we're here:

BC* [ENTER] ... hey ... you can relax now, 'coz I'll show you the greatest magic you've ever seen. Keep pressing F5 until you see the valid reg code in the data window (just like a slide show or a movie, isn't it?! Every time we push F5 the data window is updated with one more char copied from the "Michael Kreyling" string ... after there are no more chars to copy from "Michael Kreyling" we get 'a commercial break' ... keep pressing F5 ... #bOOm# ... finally the data window shows 97652288 in wide char format ... NO NEED TO SCROLL DOWN THE DATA WINDOW). Try it with different entries ... soon you'll see that my new method always shows the valid reg code ... aahh ... I'm satisfied now. Are you thinking something? Yeah ... the valid reg code comes in 2 versions, a Pgs97 version and a Pgs98 version, so the valid reg code for Name: CrackZ is 98652288 or 97652288 ... both work fine. Hmm ... now I have one more question in my mind ... are you thinking what I'm thinking ... AGAIN?! What if we enter "Michael Kreyling" as the name? Though we saw 974309568 in the data window we still can't get it registered ... it seems Thomas Warfield has blacklisted this guy?! (anyone know who Michael Kreyling is?!) ... Thank God my parents didn't name me "Michael Kreyling".
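The following Python script is an added example, not part of this tutorial and not code from PGS98 or from Goodsol: it replays the SoftICE steps above against a constructed memory snapshot so the idea can be checked offline. find_epilogue() does what the ALT+F5 macro does (S 0 L FFFFFFFF F3,A4,5D,5F,5E,5B,C2,08,00, i.e. search for rep movsb / pop ebp / pop edi / pop esi / pop ebx / ret 8), read_bstr() decodes a VB string the way D EAX showed it (msvbvm50 strings are BSTRs: a 4-byte byte-length prefix, UTF-16LE characters, a 2-byte terminator), and fish_wide_strings() is the "scroll down the data window" step done in bulk, pulling every printable wide-char run out of a buffer. The load addresses, the snapshot bytes and the strings planted in it (the ones the tutorial saw in the data window) are all constructed here; nothing is read from the real program.

```python
"""Offline replay of the SoftICE steps from the PGS98 essay (added example,
not widYa-cL's code): signature search, BSTR decoding and wide-string fishing
over a constructed memory snapshot."""
import re
import struct
from typing import List, Tuple

# F3 A4 5D 5F 5E 5B C2 08 00 disassembles to:
#   rep movsb ; pop ebp ; pop edi ; pop esi ; pop ebx ; ret 8
# This is the byte string the tutorial's AF5 macro searches for.
EPILOGUE_SIG = bytes.fromhex("F3A45D5F5E5BC20800")

# Addresses below are hypothetical; they only label the constructed buffers.
CODE_BASE = 0x0F000000   # where the "runtime image" buffer is pretended to live
DATA_BASE = 0x00400000   # where the "heap" buffer is pretended to live


def find_epilogue(image: bytes, base: int = 0) -> List[int]:
    """Return every address in `image` where EPILOGUE_SIG starts.

    Equivalent to the SoftICE command  S <base> L <len> F3,A4,5D,5F,5E,5B,C2,08,00
    but reports all hits instead of stopping at the first one.
    """
    hits, pos = [], 0
    while True:
        pos = image.find(EPILOGUE_SIG, pos)
        if pos < 0:
            return hits
        hits.append(base + pos)
        pos += 1


def make_bstr(text: str) -> bytes:
    """Lay a string out as a BSTR: DWORD byte length, UTF-16LE chars, 2-byte NUL."""
    chars = text.encode("utf-16-le")
    return struct.pack("<I", len(chars)) + chars + b"\x00\x00"


def read_bstr(mem: bytes, addr: int, base: int = 0) -> str:
    """Decode the BSTR whose first character is at `addr` (what EAX pointed at).

    The length prefix lives in the four bytes *before* the characters, so the
    pointer a VB program passes around is not the start of the allocation.
    """
    off = addr - base
    if off < 4 or off > len(mem):
        raise ValueError("address is outside the snapshot or too close to its start")
    nbytes = struct.unpack_from("<I", mem, off - 4)[0]
    if nbytes % 2 or off + nbytes > len(mem):
        raise ValueError("length prefix does not describe a BSTR inside the snapshot")
    return mem[off:off + nbytes].decode("utf-16-le")


# A "wide" string in the data window: printable ASCII, each byte followed by 0x00.
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def fish_wide_strings(mem: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Every printable UTF-16LE run of at least four characters, with its address.

    This is the manual "scroll down the data window" step done in one pass.
    """
    return [(base + m.start(), m.group().decode("utf-16-le"))
            for m in _WIDE_RUN.finditer(mem)]


def build_sample() -> Tuple[bytes, bytes, int]:
    """Constructed snapshot: a code buffer holding one copy of the epilogue and a
    data buffer holding three BSTRs (the strings seen in the tutorial).  Returns
    (code, data, address of the serial's first character)."""
    code = b"\x90" * 16 + EPILOGUE_SIG + b"\xcc" * 8
    serial = make_bstr("97652288")
    data = (b"\x00" * 8 + make_bstr("CRACKZ") + b"\x00" * 4
            + make_bstr("Michael Kreyling") + b"\x00" * 4 + serial)
    serial_addr = DATA_BASE + len(data) - len(serial) + 4   # skip the length DWORD
    return code, data, serial_addr


if __name__ == "__main__":
    code, data, serial_addr = build_sample()
    for hit in find_epilogue(code, CODE_BASE):
        print(f"epilogue at {hit:08X}")
    print("D EAX ->", read_bstr(data, serial_addr, DATA_BASE))
    for addr, text in fish_wide_strings(data, DATA_BASE):
        print(f"{addr:08X}  {text}")
```

On a real dump the signature search will also hit any other routine that ends with the same five instructions, so treat each hit as a candidate to confirm under the debugger, exactly as the tutorial confirms its address by breaking on it. The BSTR length prefix is the useful sanity check when fishing: a wide-char run with a plausible byte length in the four bytes before it is a VB string object, a run without one is just a stray copy left in memory.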
Pam v1.13
Author: Michael Doering
E-mail: pam@tindrum.oche.de, michael.doering@post.rwth-aachen.de
Homepage: http://www.rwth-aachen.de/fsarch/Ww/members/doelf/pam/ and http://www.fs2.RWTH-Aachen.DE/doelf/pam/
Overview
The full-featured multi audio player: pal skins, playlist editor, timer, karaoke, ID3 tag, lyrics 1.0 & 2.0, plays mp3, wav, mid ...
Protection system
Registration is via "About Pam" - Register ... we're asked to enter a name, an e-mail address and a registration code; the registration code is based on what you type in for the name and e-mail.
Deep within your System Registry it uses the following branch to store its license data:
HKEY_CURRENT_USER\Software\OhBugger\Pam
The essay
Hey, another VB program ... this is good ... we're gonna test my new method. Use the following entry as an example: Name: widYa@cL 2011 ... DO NOT push [register PAM] yet ... CTRL+D ... BPX __vbaStrCat [ENTER] ... [register PAM] ... #bOOm# ... press ALT+F5 ... in my case SoftICE reported: ... BC* [ENTER] ... #bOOm# ... we're here:

BC* [ENTER] ... now let's enjoy the movie presented by Visual Basic ... keep pressing F5 until you see the good serial take shape in wide format ... after pushing F5 about 62 times the data window displays:

Hmm ... is it the valid reg code?! ... let's find out ... enter the registration again: ... #bOOm# ... Registered to widYa@cL 2011 - Thank You! ... You're welcome! ... Wow ... the longest serial I've ever seen.
Final notes
That's all for now, guys ... pity ... I only have 2 programs written in VB ... I wish I could test with more. Well, I'm sure you have one ... please test my new method on your VB (4/5) programs that use serial protection schemes and let me know the result, or if you have any comments/suggestions/criticism.
Greetz:
SandMan, CrackZ, tKC/All PC members, tHATDUDE, UCF, Torn@do, The Immortal Descendants, +ORC, MiB, Iczelion, GCG, ED!SON, Razzia, +Xoanon, iCECREAM, FraVia, Lord Caligo, Buckaroo Banzai, +gthorne, Mexelite, Corn2, Vizion, Manson69, nIabI, Cyborg, ^pain^, intruder, Yaan, Laxity, JoGy, nIabI [C4N/ME], MR NICK, NaTzGUL [REVOLT], Qapla', The _RudeBoy_, BigMoM, Aphex Twin [Vandals], v√lt√_δ, eXact, YOSHi, Volatility, ZeroDay, Aescu, _CbD_, Gavin Estey, DR. Encryption, Joshua Auerbach, Klee8084, masta_, Chuck Nelson, _HaK_, Nemrod and ReN, R. DeYoung, Hugo Perez, lownoise, Hayras, YOU .....
Special Thanks:
Thomas Warfield, Michael Doering ... for giving me a challenge ... you forced me to improve my skills a little bit.
Written / Designed by: widYa-cL 2011
Page created: 23 February 1999