
Thread: protection with vb and ocx

  1. #1
    NikDH
    Guest

    protection with vb and ocx

    Hi to all
    was working on a protection made 4 vb progs
    Its an ocx component which nags when
    u r not registered and ask 4 the regcode
    When u put in a valid regcode it sets a property
    that original prog has to check to know how it has to behave: registered or not
    So my question is
    How can i know where this property value is stored in memory?
    The program checks its value using the
    __vbaBoolVar() function but i've no info about it
    Does some of u know anything more about it ?
    See ya
    NikDH
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    goatass
    Guest
    hi, that API checks to see whether a variable is True or False, 1 or 0.
    So for example, if you entered the correct regcode that variable will be set to 1 so when __vbaBoolVar() is called it will return true telling the application that it's registered and it can continue.

    Since this program is VB you can use SmartCheck to see what it does, it might tell you where this flag is stored. You can also use FileMon and RegMon to see where on the hard drive or registry the program may store this flag. In order for it not to ask you for a regcode every time you open the program it has to store this flag somewhere. The other thing you can do is trace the OCX with SoftIce and find out where is the regcode checking algo and disassemble it and study it. You could make a keygen or just a regcode for your name.

    good luck
    goatass

  3. #3
    NikDH
    Guest
    > You can also use FileMon and RegMon to see where on the hard drive or registry the program may store this flag. In order for it not to ask you for a regcode every time you open the program it has to store this flag somewhere.

    Well i think the program will store my regcode and check 4 it every time it needs: this way its much better 4 the program security


    > The other thing you can do is trace the OCX with SoftIce and find out where is the regcode checking algo and disassemble it and study it.

    Thats a good idea but in disasming it i havent had anything familiar to deal with
    Perhaps u can gimme some hints on debugging ocx
    See ya
    NikDH

  4. #4
    goatass
    Guest
    That's what I mean, the program will store the serial and check for it when needed but you need to figure out where it is stored and FileMon and RegMon will help you.

    If you could upload the OCX file I could look at it....tracing it would be the same as tracing anything else.

    goatass

  5. #5
    Kilby
    Guest
    Hi Sorry to butt in,

    I have only worked on 2 .ocx files, active skin and something else.
    As goatass says, they are just like any other .exe file to disassemble

    If you pass it through IDA it will disassemble very happily (providing it's not packed).

    From there you can find your suspect routines and set breakpoints on them

    BPM works best I found.

    Regards,

    Kilby...

  6. #6
    NikDH
    Guest
    Hi to all,
    i've already disasmed the ocx with ida and caught the code but its not as clear as 4 exe
    In ocx there r functions that r not called as dll function:
    in a dll they r exported and the original program call them with call far
    in an ocx the things r much more complicated coz there r no functions exported but the ones 4 the ocx managing (installing and uninstalling it)
    So its quite hard to identify what a function does if we dont know its name and we have to deal only with vb api (which r imported by vb dll)
    It should be useful to know something more about function like __vbaBoolVar()
    It seems to take one param in the stack but its not a mem addr but it seems like a var ID
    Tried to reverse the function in the vb dll and it seems to look somewhere in the mem 4 the value of the BoolVar, whats strange is that the addr it reads is not in the ocx mem zone
    Is it normal ?

  7. #7
    goatass
    Guest
    Dude you are making this way too complicated.
    OCX don't have exported APIs because they don't export anything, they are accessed through interfaces, but that's beside the point. All you do is, you trace the application from where you enter the serial number until you see that it jumped to the OCX code, at that point you trace until you see that it's doing something that looks like serial generation or anything related to serial generating/comparing. At that point you write down the address of where you think the key gen routine is and use IDA to take a broader look at the code.

    OCXs are not DLLs, therefore you will not find exported functions in them to set BPXs on.

    What I do many times is use IDA to locate key areas where I think the protection might be in, then I load the application, break in and start tracing until I'm in the OCX code, then I set a BPX on the address I noted from IDA, F5 to it, and trace it to see what happens.

    Don't make this too complicated, it's not.

    goatass

  8. #8
    NikDH
    Guest
    Perhaps what i need is to study the com technology coz ocx use com tech
    It seems __vbaBoolVar() takes a obj reference and i need to know much more about that
    If someone will provide me some url or doc about this topic it will be great

    Tnx to TTom 4 his kindness

    See ya
    NikDH
