WinArj98 - Tutorial - Suggested Webpage.

"I like this essay a lot, as I recall receiving several e-mails from people who hadn't worked out how WinArj98's scheme worked, when attacking VB4 I'd always advise examining the famous REPZ CMPSW sequence up close."
"Slightly edited by CrackZ".

Some time ago, I got a request from a friend asking how to crack WinArj98. After installing I fired up SoftICE and tried the fast attack by trying to break on the string compare routine that CrackZ kindly published, >bpx 0F79B356 inside vb40032.dll.

I entered my Name: bigmom and Serial: 12345678 and SoftICE stopped many times, (single character compares), the number I entered however never showed up, but my name did, (after a load more stops). As I'm lazy now and then, I changed the bpx to '0F79B356 if ecx !=1', so it only stopped when my name came up. My name was being compared to something I did not recognize having entered to begin with.

Each break resulted in my name being compared to this sequence: 1C, 4C, 36, 1F. This appeared to be strange because the length of the my name is 6, and not 4. So I deduced that for every letter there had to be 2 numbers.

I restarted the process using 123456789012, i.e. length 12 as my fake serial number. This deduction also means that only uppercase letters are allowed, since lowercase letters will have values larger than 99 in decimal. Note by CrackZ - (I see your point, but a, b and c would be acceptable).

This time, the length of the compare was 6 as required, and the bytes compared to my name were these: 16, 0A, 62, 4C, 36, 1F. Note that the last 3 bytes are the same as in the first compare. This gave me another hint, that there may not be any real mathematical scheme used here. So the next thing I did was to convert those bytes from Hex to Decimal:

Hex: 16, 0A, 62, 4C, 36, 1F.
Dec: 22, 10, 98, 76, 54, 31. (221098765431) <-- looks rather familiar.

When looking a little closer we see, that this is almost the same number we entered, but in reverse. Lets reverse it back to its former glory.

We get: 1 3456789012 2 <-- Note how I've spaced this.

We are now virtually finished, the only thing we needed to do with this example was put that last letter (2) in between 1 and 3 and we've restored our original code, however when I tried verifying this theory with different numbers I found that this was not the case. After a little experimenting I came up with this:

Lets say the string entered was 'ABCDEFGHIJKL' instead of numbers. This will allow us to see how the scheme really works, because no numbers appear twice. First it copies a part of the string backwards, from position length-1 to 2: This gives a new 'string': KJIHGFEDCB. It then takes the first number/letter from the original string and places it in front of the new string: AKJIHGFEDCB.

Finally, it takes the last number from the original string and places it in front of the new string: LAKJIHGFEDCB. Now were done, the keymaker must obviously do the opposite of this. Lets make a valid serial number for our friend CRACKZ :).

First we convert every character to its respective two number decimal equivalent:

'C R A C K Z' gives ' 67 82 65 67 75 90' >678265677590.

Small note - if a converted letter is only one digit e.g. * = F, then we add a zero in front of it (done automatically). Now we'll start doing the opposite of what WinArj98 does:

Stage 1. Take the last digit and make it the first in a new string --> 0.
Stage 2. Take the first digit and make it the second digit in the new string --> 06.
Stage 3. Copy the rest reversed from length-1 down to 2. --> 069577656287

Now we are finished and the information [Name: CRACKZ, Number: 069577656287] is valid. You'll get a nice 'WinArj 98 has been successfully registered to CRACKZ' :).

Regards, BigMoM / Manifest Destiny.

Return to Visual Basic

© 1998,1999,2000 BigMoM. 3rd December 1998.