_____
                              _____  ___  /_______
                              __  / / /  __/  ___/
                              _  /_/ // /_ / /__
                              _\__, / \__/ \___/
                              /____/ytc98.cjb.net



Target Info
~"~"~"~"~"~

Name	   : Talking Email v1.0
URL	   : http://www.4developers.com
Protection : Keyfile, Visual Basic 5, native code



Introduction
~"~"~"~"~"~"

This program has a nag screen during startup, and some of its functions
are disabled. Plus, it has a 14-day evaluation period. The program is
written in Visual Basic 5 and compiled to native code, hence the need
for SmartCheck.

Here, I'll be using the SmartCheck + IDA approach. You will be surprised
to see how well these two tools work with each other, as if they
were meant to be together. It's just so perfect that words really can't
describe it. I'm sure all the other crackers out there will agree with
me.



Tools Needed
~"~"~"~"~"~"

SmartCheck v6.0
Interactive Disassembler v3.76
Softice v3.24
UltraEdit v5.21



The Essay
~"~"~"~"~

Let's begin by making a backup copy of your target, TalkMail.exe. Next,
use IDA and disassemble the target. You *MUST* read Mammon_'s IDA primer
first to learn which settings to choose when you load the program and
how to configure IDA to get the best results to your own liking. While
IDA is running, let's have a look at SmartCheck.

Fire up SmartCheck and load the exe file. Play around with the settings
to see what they are for until you find a setup which suits you. Here's
what mine looks like. Under the Error Detection tab, I checked
everything. In the Advanced... settings, check Suppress system API and
OLE calls and Report errors only once. Under the Reporting tab,
everything is checked except for Report MouseMove events from OCX
controls. All other tabs are left alone. The rest is up to you. Then
Start the program and you will see that the window on your right hand
side will have lots of things going on. After the program has loaded,
quit it and we'll have a look at the things discovered by SmartCheck.
Before doing that, go to View and choose Show All Events. Also check
Arguments and Sequence Numbers. You will see most of the things
happening inside that program, with the events numbered.

Now, look through the listing. With the names given, you should be able
to easily identify what the functions are for. For example, take a look
at event number 9, frmMain (Form) created, on the left pane. Make sure
the blue bar is on it. Then look at the right pane. On top of it, you
should be able to see MSVBVM50.DLL!00028FAD. This means that the code
which creates the main form, frmMain, is located in MSVBVM50.DLL at
address 00028FAD. Let's take a look at another example, this time a
function which is located in our target.

At line 50 in SmartCheck (maybe you will get a different number), the
function is frmMain_Load. Looking at the right pane, you will see that
this function starts at address 00014A10 in TalkMail.exe. Let's see if
it is correct (it is correct, I assure you). Go back to IDA. It might
still be in THINKING mode, but don't worry, you can still explore your
dead listing of the target. Press G and key in 414A10. Hey, what's
this?? Didn't SmartCheck show the address as 14A10? Why the extra
digit?! The solution is simple. In IDA, the code of this program starts
at 400000, hence the extra digit, 4. Here's what you should see. Mine
may be a little bit different from yours because of the different
settings in ida.cfg.


00414A10		loc_414A10:		; CODE XREF: 0040642E|j
00414A10 55		push	ebp
00414A11 8B EC		mov	ebp, esp
00414A13 83 EC 0C	sub	esp, 0Ch


There, simple deduction will tell you that *this* is the routine which
calls the creation of frmMain. If you want, you can rename this routine,
from loc_414A10, to any name you like. I'd prefer the name used in
SmartCheck to make referring easier for me. How to do this? Place your
cursor on line 00414A10 and press N.

Now we'll have a look at the next few events in SmartCheck, which are
quite interesting.


LCase$(String:"/eta")
UCase$(String:"lk.key")
Dir(VARIANT:ByRef String:"C:\Progr...",FLAGS:00000000)


By looking at the right pane, you can easily guess what all this crap
is. LCase changes your string to lowercase and UCase changes the string
to uppercase. The third line combines them, together with the directory.
And again, simple deduction wins. This program looks for a key file,
etaLK.KEY, to determine whether you are registered or not. Have a
closer look at this routine in IDA. Rename the calls, locations and
routines recklessly to make sure you can understand the code easily at
first look. If you guessed that this whole routine is the protection
scheme, you can congratulate yourself. Scrolling down, you will see a
few Visual Basic functions such as _vbaFileOpen, _vbaFileClose and so
on. By comparing and studying the events which happened in SmartCheck
with your dead listing, you can easily deduce that jumping at every
jnz loc_4201C3 brings you to the nag screen. If you want, you can rename
loc_4201C3 to any other name. I renamed mine so that it reads
jnz sucker. Looking at the whole routine, you can see that there are
many jnz suckers, which means it does a whole lot of comparing and
testing.

Well, I hope this information is already enough for you to decide where
to patch, or better, to create your own keyfile. I changed mine to
jnz next_line, which brings them to the next line so that even if they
have the valid keyfile, they will also be considered registered. With
simple common sense, you should know that if you change it to jz sucker,
the user will go to unregistered status if they have a valid key file.
Please take note that by changing the first jnz sucker to jnz next_line,
you will get an error because it will go to the _vbaFileOpen function,
but there's no file to open! So you need to change the jump to go over
the _vbaFileOpen and _vbaFileClose functions, but before the second
jnz sucker.



Final Notes
~"~"~"~"~"~

Notice that I didn't use a debugger here. A combination of SmartCheck and
IDA is already enough to kill protection schemes in Visual Basic 5 programs.
By the way, if you want to use this program, pay for it. It is very, very
important for users to do so because the developers need the money to
further develop their programs to serve their customers. Without that
support, users will be stuck with their old versions, and worse still, we
crackers will lose our source of challenges.


Group greets: MASSiVE, tNO, PC, DEViOUS, Kac, Heritage, FFO, PGC, CIA, 
	      Mexelite, ECG, MiB, C4A, MANiFEST.
Personal greets: +ORC, Fravia+, +Greythorne, The Sandman, Kwai_Lo, 
		 Phrophecy, blorght, Razzia, Fresh--, Iczelion, Plushmm,
		 The+Q, Quantico, tKC, Stone, Iceman, Crackz, MisterE,
		 Mister Fanatic, Kiyone, KingGatso, ufk, NeuRaL_NoiSE, 
		 MeM_LosT, Icedragon, Cruehead, Bisuox, Wyatt98, Hacx98, 
		 Croma, Xenyx, HEAT98, Oxygen, lightb, BigMom, Sirax, 
		 virogen, Flu[X], nibbers, immoral, Sleepers, masta, 
		 night, C4ffeine, Icecream, WKT_White, Sixx, +Malattia, 
		 HarvestR, BuLLeT, Ghirribizzo
		 (Gosh, quite a long list here ;).

Please excuse me if you don't like the order of the names.


Good luck!

ytc_