http://www.musicmatch.com - Webpage.
Welcome. In this tutorial I'm looking once again at a Visual Basic application, although this one is actually the best MP3 player/encoder that I've used. So, as is customary, let's launch our application and perform the necessary actions with a music CD to reach the main program. You should easily locate the Upgrade button, swiftly followed by the Upgrade from Demo button. As with the SalesAgent scheme, you'll soon realise that ordering by phone is a wise decision.
After taking note of the serial number generated by the program you can proceed to enter your Enable Key. I'm going to highlight another way in which you can reverse VB protections: this approach uses the message box that appears when you enter an invalid code. So, before pressing O.K., set a >bpx rtcMsgBox in SoftICE (you'll need to have the msvbvm50.dll exports loaded to do this).
You should find the program breaks at this address and inside the file mmjb.exe.
:005BDCAB CALL [MSVBVM50!rtcMsgBox] <-- "Incorrect
So let's disassemble mmjb.exe; you should easily see that our message box is referenced by the following code.
:005BDC4E CALL [MSVBVM50!__vbaStrCmp] <-- Visual Basic
:005BDC54 TEST EAX,EAX <-- Test result of compare.
:005BDC56 JNZ 005BDC64 <-- Jump_bad_guy.
So let's >bpx __vbaFreeVar; note this is at address 005BDC32, just before our compare function. Note also that Visual Basic functions do not differ in any way from WIN32 APIs in that they must also push any parameters they use onto the stack. So you should easily reach this code (just before our critical compare); you might need to press F5 & F11 a few times.
:005BDC32 CALL [MSVBVM50!__vbaFreeVar]
:005BDC38 MOV ESI,[EBP+08]
:005BDC3B PUSH ESI
:005BDC3E CALL [ECX+00000790] <-- Interesting return in EDX.
:005BDC44 MOV EDX,[ESI+4C] <-- Code entered but in reverse.
:005BDC47 MOV EAX,[005E0078] <-- Good code backwards.
:005BDC4C PUSH EDX
:005BDC4D PUSH EAX <-- Push them as parameters for __vbaStrCmp.
Now you should easily be able to snatch the good code from EDX after the function return. In my case it is 18 digits long, so you may need to scroll the data window. Note also that the good code is compared in reversed form, so you'll need to read it from right to left (note too the wide character format).
You should also take a trace of the CALL at 005BDC3E and the function immediately below it; you'll discover a plethora of VB functions, in particular __vbaLenBstr (gets string length), as well as __vbaStrCopy and __vbaStrMove. So when you are next reversing a VB target, all of these functions might well be worth trying.
MusicMatch Jukebox v2.03
Enable Key: 156921879596960000, Serial number (generated by program): 000069695978131143
Note the rather surprising similarity between the enable key and the serial number generated by the program; it would certainly seem that 12 digits of the enable key are just a reversed form of the program serial number. In fact I understand from Prophecy, who created a key generator for this program (available in the VB key generator archive), that only the last 6 numbers are manipulated (a simple subtraction of 1492, i.e. 131143-1492=129651). Alternatively, patch the program or find your own code; both are left as an exercise.
After reverse engineering v2.03 of MusicMatch JukeBox some 6 months ago, in a tutorial where I highlighted the weakness of the protection scheme, I've decided to re-acquaint myself with this rather good MP3 player. The protection scheme hasn't changed a great deal (we've still got a serial/upgrade key); we might, however, expect some improvements. The first of these is apparent when you follow the traditional "purchase by phone" option: the default serial number structure has changed.
We proceed onwards, following the prompts and eventually reaching the insert unlock code stage. What we'll discover, as with many VB schemes, is that the algorithm writer was either too lazy or stupid to do anything revolutionary; the unlock code is most probably of the form xxxxx-xxxxx-xxxxx-xxxxx, as per the serial #. Unlike the previous version, the nag box has been removed in favour of a message beep (rtcBeep, address 0067C460 in mmjb.exe).
We could elect to disassemble mmjb.exe and work our way back to the deciding jump, or set breakpoints and try to reach it manually (SmartCheck is also an option). I took the relaxed approach with W32Dasm, but there isn't any good reason why you can't bpx MultiByteToWideChar and use SoftICE to trace through the actual scheme.
:0067B7A3 MOV EDX, DWORD PTR [0069F290] <-- Code entered.
:0067B7A9 PUSH EDX <-- Push entered code.
:0067B7AA CALL 00661780 <-- Protection routine.
:0067B7AF CMP AX, FFFF <-- Check AX.
:0067B7B3 JNZ 0067C459 <-- Jump_bad.
The return value of AX depends on the value of the word ptr [EBP-30]; you'll easily see how the functions should work to achieve this. In fact much of 00661780 is devoted to string moving/copying. Note that before we reached here the program called a Mid$ function to strip away the hyphens; the length is checked on both strings, 18h (with hyphens) and 14h (without). You can hack your way through the manipulations if you so please.
Fatally, MusicMatch offer lifetime upgrades for their product, which means that the fundamental protection can't have changed (the license file License.mml still stores the registration details, but registry keys control the registered/not registered status). You can open the license file with a text editor; there aren't any aesthetic gains in specifying a user name, so we can easily create a generic license file. Finding your real code is very easy indeed: first reach the deciding check above and reverse the jump, then continue tracing to this code.
:0067B86D MOV EDX,EAX <-- Good code is in EAX/EDX.
Sadly, all you need now is your favourite pen and paper and a willingness to register this software. The patchers amongst you might like to consider using an in-memory approach with a message box which displays the good code; evidently you can depend on the real code's location.
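Both versions above fall to the same observation: the program loads the good code into a register and hands it, alongside the entered code, to a plain string compare, so a breakpoint on that compare reads the good code straight out of memory. The following is an added illustration (not code from the page or from MusicMatch) of that weak pattern beside a hardened variant that stores only a salted digest of the good code, so the compare operands no longer contain it. All serials, keys and the salt are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values; not real MusicMatch serials or keys.
SERIAL = "000012345678901234"
GOOD_KEY = "432109876543210000"
SALT = b"constructed-salt"

# Simulates a breakpoint on the compare routine (cf. bpx __vbaStrCmp):
# every operand pair that reaches the compare is recorded here.
compare_log = []


def observe_compare(a: str, b: str) -> None:
    compare_log.append((a, b))


def weak_check(entered: str) -> bool:
    # Weak pattern from the page: the plaintext good code is read from a
    # global and pushed as a compare operand, so the debugger sees it.
    observe_compare(entered, GOOD_KEY)
    return entered == GOOD_KEY


def key_digest(key: str) -> str:
    # Salted SHA-256 of the key; only this is stored in the program.
    return hashlib.sha256(SALT + key.encode("utf-8")).hexdigest()


GOOD_DIGEST = key_digest(GOOD_KEY)


def hardened_check(entered: str) -> bool:
    # The compare now sees two digests; the good code itself is never loaded.
    # This hides the code from register snooping but, like any client-side
    # check, the deciding branch can still be patched.
    d = key_digest(entered)
    observe_compare(d, GOOD_DIGEST)
    return hmac.compare_digest(d, GOOD_DIGEST)


def good_key_visible_in_compare(check, entered: str) -> bool:
    """Run a check with a wrong code and report whether the compare operands
    exposed the good code (what a breakpoint on the compare would capture)."""
    compare_log.clear()
    check(entered)
    return any(GOOD_KEY in op for pair in compare_log for op in pair)
```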