Win Sensual Jack - Tutorial

Available from -

Another suggestion and hence another tutorial. I must firstly warn any younger readers that Win Sensual Jack does contain soft-core porn pictures so downloading it might be unwise. What Creatiel are actually marketing here is really just a collection of semi-nude pictures bound together with Visual Basic 4 to create a game of utmost simplicity and of very dubious quality. Pay $30 for this and in my opinion you're either incredibly desperate or plain nuts.

Starting the program results in you having to insert your details before you reach the "please insert license number" screen. It's probably a good idea to note down your ID (from the Order menu); mine incidentally is 5517. As I said earlier WSJ was written in VB4, so let's insert a response code (e.g. 12345) and set a bpx on MultiByteToWideChar. The first break I got was inside mfc40.dll (obviously not interesting), so hit Ctrl+D again. I'll proceed now to take you through each step; the next break was inside vb40032.dll (remember this code).

:0F738BC1 CALL KERNEL32.MultiByteToWideChar <-- Note this is exported from KERNEL32.
:0F738BD2 CALL OLEAUT32.SysAllocStringLen <-- Trace past this and check the contents of EAX.

You'll need to trace past the string length allocation call and then check the contents of EAX. At this stage I found nothing interesting, but in other VB4 applications you may find your input. Another Ctrl+D beckons, and this time you should find something interesting (again we are inside vb40032.dll); remember this code as well.

:0D738BEB CALL KERNEL32.MultiByteToWideChar <-- Called yet again.
:0D738BF1 MOV EAX,EBP <-- Check contents of EAX.

If you've followed thus far then you should be looking at your code in wide character format at [EAX]. Now we'll start following our code more precisely, so disable the breakpoint and set a bpm on your input; in my case the precise form was bpm 013F:00563A60. Note 2 things here: firstly, your address is almost certain to be different, and secondly, the current CS is always different from your input.

Another Ctrl+D will bring you a break inside oleaut32.dll, but look down a few instructions and you'll see a REPZ MOVSB. This code is in fact making a 2nd copy of your input in memory; you can just trace a few lines and note the 2nd copy's location before setting a bpm on that location as well. If the 2nd copy's location isn't immediately obvious you can always resort to searching. I set a bpm 013F:005639D4.

Another Ctrl+D, and yet again it's oleaut32.dll; once again the code is making another copy of your input. You know the drill by now: set a bpm on the 3rd location (in my case 013F:005639EC) and prepare for another Ctrl+D. The next break is inside kernel32.dll; you can just scroll the data window around EDI and you'll see all of your details nearby (name etc.), but it seems finally that the program has finished making copies of our code anyhow.

We really need now to Ctrl+D back into either the program.exe or the vb40032.dll. A few breaks later and look what's up: it's the VB4 ESI:EDI compare.

:0F79B358 REPZ
:0F79B359 CMPSW <-- SoftICE stops here.
:0F79B35B JZ 0F79B362 <-- The compare.

You can now find your good code languishing in EDI; I think they are all of the form BJxxxxx anyhow, so note it down. There is actually an interesting twist to this program: after registering and restarting, the code seems to appear from nowhere. I checked for ini files and registry access but couldn't see where it was being stored; as a last resort I did a swift fc /b of the default install files and the registered user directory files. Suffice it to say that the file bja.exe holds both the user details and tracks registered status.
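As an added example (not code from the tutorial or from Creatiel), here is a Python sketch of the weak check the tutorial exposes, a plaintext compare that keeps the good code in memory, beside a digest-based check in which the valid serial never exists in the process. The user ID, the serials and the "BJxxxxx" shape are constructed placeholders following the tutorial's observation, and the small serial space is noted as a limitation.

```python
"""Added example (not from the CrackZ tutorial or Creatiel's code).
Contrasts the plaintext serial compare the tutorial breaks on with a
digest-based check in which the valid serial never exists in process memory.
All user IDs and serials below are constructed placeholders."""
import hashlib
import hmac
import secrets


def check_plaintext(user_input: str, good_serial: str) -> bool:
    """Weak form, matching what the tutorial finds: the program holds the
    valid serial in memory and compares it byte for byte (REPZ CMPSW), so a
    breakpoint on the compare exposes the good code in the other operand."""
    return user_input == good_serial


def serial_digest(user_id: str, serial: str) -> bytes:
    """Bind the serial to the user ID before hashing, so a digest issued for
    one ID does not validate the same serial under another."""
    return hashlib.sha256(f"{user_id}:{serial}".encode("utf-8")).digest()


def vendor_issue(user_id: str) -> tuple[str, bytes]:
    """Vendor side: mint a serial of the tutorial's 'BJxxxxx' shape and
    return it with the digest the shipped program would store. Only the
    digest is embedded in the product; the serial goes to the customer."""
    serial = "BJ" + "".join(secrets.choice("0123456789") for _ in range(5))
    return serial, serial_digest(user_id, serial)


def check_hashed(user_id: str, user_input: str, stored_digest: bytes) -> bool:
    """Hardened form: hash the input and compare digests in constant time.
    A memory or compare breakpoint now yields two hashes, not the serial.
    Caveat: a 5-digit serial space is small enough to brute-force offline
    against the stored digest, so this raises the bar rather than closing
    the hole; a much larger serial space is needed for it to be robust."""
    return hmac.compare_digest(serial_digest(user_id, user_input), stored_digest)


if __name__ == "__main__":
    uid = "5517"  # the ID quoted in the tutorial, used here only as a label
    serial, digest = vendor_issue(uid)
    print(check_hashed(uid, serial, digest), check_hashed(uid, "12345", digest))
```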


© 1998,1999,2000 CrackZ. 29th October 1998.