http://www.eztechnologies.com - Webpage (8.57Mb).
Another day and yet more VB atrocities to reverse engineer. E-Z Credit '98 is a program which claims to somehow help you improve your credit rating (as if you'd actually want to submit all your worldly details to an unscrupulous credit card company anyhow). The program would appear to be well researched, if a little US biased; however, there are some very sloppy errors and bloat features, "Curent User" for example, and isn't writing your own integrated calculator somewhat pointless when everyone will have calc.exe?
The protection is a single serial # dialog affair and the nag box is created by a very enticing rtcMsgBox at address 0050982C (ezcrediTutorials.exe). Some tedious backtracing leads us to this code.
:0050976C CALL MSVBVM50.__vbaVarTstNe <-- Intuitive name I think.
:00509774 MOV EDI,EAX <-- Store return value in EDI.
:00509783 CMP DI,BX <-- The inevitable compare.
:00509786 JZ 00509944 <-- Jump_nice_buyer.
At this point all I did was dive in with a bpx, search for my entered string in memory and dump the areas +/- 100h around each occurrence; you'll know that affectionately as the "lazy string" approach. Sure enough you'd have to be blind to miss it. As is usual I looked for anything that might be interesting to study, sadly there wasn't anything :). Note however the bpx __vbaVarTstNe which I've started to see being used more often; the return is also worth noting: -1 = variables not equal, 0 = equal.
Whilst examining the disassembly I also realised something regarding the protection: if you look at the location of this code relative to the overall file, it's actually very near to the end. A certain amount of positioning is due to the compiler (and the VB5 compiler is certainly unpredictable), however it seems more likely than not that the programmer wrote his wonderful program and thought about his protection at the very end; obviously this isn't recommended.
The protection uses a file called cmndlg1.dll for recognition. Of course this file isn't encrypted, but its contents might look innocent enough. On an initial install its length is 6 bytes and the contents are shown below.
q w t y 0Dh 0Ah <-- the 0D,0A could well be delimiters.
After registration this file is changed slightly to:
q w e r t y 0Dh 0Ah <-- 8 bytes and registered.
The code, just in case you didn't find it, is 44565B092, although I can't really see that there is any real benefit in registering. As an aside, the credit scoring is dubious to say the least (Joe Average will almost certainly be borderline; do you really need a program to tell you that?).
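The two design weaknesses noted above (a plaintext reference serial held in memory for __vbaVarTstNe to compare against, and a fixed-token state file) shown beside a hardened sketch, as an added example that is not part of the original essay or the program's own code. It is written in Python for brevity; the salt, the serial `DEMO-SERIAL-0001` and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Marker contents quoted on the page (cmndlg1.dll).
MARKER_UNREGISTERED = b"qwty\r\n"    # 6 bytes, fresh install
MARKER_REGISTERED = b"qwerty\r\n"    # 8 bytes, after registration

def weak_is_registered(marker: bytes) -> bool:
    """Scheme as described: a fixed token, identical on every machine."""
    return marker == MARKER_REGISTERED

# --- Hardened sketch (all values below are constructed for this example) ---
ITERATIONS = 100_000
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed

def derive(serial: str) -> bytes:
    """Slow salted digest of a normalised serial."""
    norm = serial.strip().upper().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", norm, SALT, ITERATIONS)

# Computed at build time; only this digest ships, never the serial itself.
# "DEMO-SERIAL-0001" is a constructed value and appears here only so the
# example is self-contained.
SHIPPED_DIGEST = derive("DEMO-SERIAL-0001")

def check_serial(entered: str) -> bool:
    """Constant-time digest comparison; no plaintext reference string exists."""
    return hmac.compare_digest(derive(entered), SHIPPED_DIGEST)

def hardened_is_registered(marker: bytes) -> bool:
    """The state file holds the serial the user entered and is re-verified
    on every start, so validity depends on the serial, not a fixed token."""
    try:
        return check_serial(marker.decode("utf-8"))
    except UnicodeDecodeError:
        return False

if __name__ == "__main__":
    for blob in (MARKER_UNREGISTERED, MARKER_REGISTERED, b"DEMO-SERIAL-0001\r\n"):
        print(blob, weak_is_registered(blob), hardened_is_registered(blob))
```

This keeps the reference serial out of process memory and out of the state file; with a single serial shared by every user, as in this program, it does nothing about the serial itself being passed around.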