PDA

View Full Version : protection with vb and ocx


NikDH
July 23rd, 2001, 11:51
Hi to all
was working on a protection made 4 vb progs
Its an ocx component which nags when
u r not registered and ask 4 the regcode
When u put in a valid regcode it sets a property
that original prog has to check to know how it has to behave: registered or not
So my question is
How can i know where this property value is stored in memory?
The program checks its value using the
__vbaBoolVar() function but i've no info about it
Does some of u know anything more about it ?
See ya
NikDH

goatass
July 23rd, 2001, 12:48
hi, that API checks to see whether a variable is True or False, 1 or 0.
So for example, if you entered the correct regcode that variable will be set to 1 so when __vbaBoolVar() is called it will return true telling the application that it's registered and it can continue.

Since this program is VB you can use SmartCheck to see what it does, it might tell you where this flag is stored. You can also use FileMon and RegMon to see where on the hard drive or registry the program may store this flag. In order for it not to ask you for a regcode every time you open the program it has to store this flag somewhere. The other thing you can do is trace the OCX with SoftIce and find out where is the regcode checking algo and disassemble it and study it. You could make a keygen or just a regcode for your name.

good luck
goatass

NikDH
July 23rd, 2001, 18:23
>You can also use FileMon and RegMon to see >where on the hard drive or registry the program >may store this flag. In order for it not to ask >you for a regcode every time you open the >program it has to store this flag somewhere.

Well i think the program will store my regcode and check 4 it every time it needs: this way its much better 4 the program security


>The other thing you can do is trace the OCX >with SoftIce and find out where is the regcode >checking algo and disassemble it and study it.

Thats a good idea but in disasming it i havent had anything familiar to deal with
Perhaps u can gimme some hints on debugging ocx
See ya
NikDH

goatass
July 23rd, 2001, 20:54
That's what I mean, the program will store the serial and check for it when needed but you need to figure out where it is stored and FileMon and RegMon will help you.

If you could upload the OCX file I could look at it....tracing it would be the same as tracing anything else.

goatass

Kilby
July 24th, 2001, 04:05
Hi Sorry to butt in,

I have only worked on 2 .ocx files, active skin and something else.
As goat ass says they are just like any other .exe file to dissassemble

If you pass it through IDA it will dissassemble very happily (providing it's not packed).

From there you can find your suspect routines and set breakpoints on them

BPM works best I found.

Regards,

Kilby...

NikDH
July 24th, 2001, 06:00
Hi to all,
i've already disasmed the ocx with ida and cought the code but its not as clear as 4 exe
In ocx there r functions that r not called as dll function:
in a dll they r exported and the origianl program call them with call far
in an ocx the things r much more complicated coz there r no functions exported but the ones 4 the ocx managing (installing and disinstalling it)
So its quite hard to identify what a function does if we dont know its name and we have to deal only with vb api (which r imported by vb dll)
It should be useful to know something more about function like __vbaBoolVar()
It seems to take one param in the stack but its not a mem addr but it seems like a var ID
Tried to reverse the function in the vb dll and it seems to look somewhere in the mem 4 the value of the BoolVar, whats strange is that the addr it reads is not in the ocx mem zone
Is it normal ?

goatass
July 24th, 2001, 12:58
Dude you are making this way too complicated.
OCX don't have exported APIs because they don't export anything, they are accessed through interfaces, but that's besides the point. All you do is, you trace the application from where you enter the serial number until you see that it jumped to the OCX code, at that point you trace until you see that it's doing something that looks like serial generation or anything related to serial generating/comparing. At that point you write down the address of where you think the key gen routine is and use IDA to take a broader look at the code.

OCXs are not DLLs, therefore you will not find exported functions in them to set BPXs on.

What I do many times is use IDA to locate key areas where I think the protrection might be in, then I load the application, break in and start tracing until I'm in the OCX code, then I set a BPX on the address I noted from IDA, F5 to it, and trace it to see what happens.

Don't make this too complicated, it's not.

goatass

NikDH
July 25th, 2001, 02:54
Perhaps what i need is to study the com technology coz ocx use com tech
It seems __vbaBoolVar() takes a obj reference and i need to know much more about that
If someone will provide me some url or doc about this topic it will be great

Tnx to TTom 4 his kindness

See ya
NikDH