Published by Tsehp September 2000




InstaPass Pro v1.20  by Ashish Computer Systems


This program can find the database password for MS Access databases from

Access '95 and up to Access 2000.

You can find the demo version at

This demo version is limited to files up to 150 kilobyte in size.



Required software:


SoftICE for Windows 9x v4.05 (search the net, buy it, or download evaluation

   version from

HIEW v6.16 (I think you can find it on

ANY MS Access '95 or newer database over 150kb in size - if you can't find

   one, or don't know how to create one yourself, email me.

TDUMP.EXE - I'm not around my own computer right now, but I think it is

   Turbo Dump, or something. I'll correct this in the next version, but

   for now I'd just like some feedback.





I have been into the art of Reversing for the past three or four years now,

but I have never really taken the time to find some tutorials on the 'net to

get myself really started. Many people claim that reversing is very difficult

to learn and master, but in reality all it takes is a day or two of dedicated

experimentation, and you're set to go. Of course, you are not anywhere near

a super-Fravia yet, but at least you'll know the basics, and if nothing

else you'll be able to do some small, simple reversing/cracking jobs.


In any event, I found it very difficult to find an essay which wasn't too

difficult to read - many contained a lot of small assembly dumps, and those

were pretty hard to follow, so I thought I'd give it a go and write something

which I thought would be good for an apprentice in the art of Reversing.





This is pretty much my first crack-job, but it does work, and I have done

other half-baked stuff before this. The meaning of this essay is to teach

the basics of using SoftICE, and to be a small introduction to reversing

a simple protection.


PLEASE let me know if you've even read this essay, and if you have any

comments, let me know! I want to write more essays in the hope of strengthening

the Fravia-community, but if I'm not sure the way I'm writing these essays

is good, it'll be pretty hard to produce any quality.


Also, if there are ANY terms you are unclear on, or any passages which are

unreadable either because of too many fancy words, or because of bad English,

please do not hesitate to let me know!





First of, it might be a good idea to print this out in some way, since it

is very hard to memorize all the steps. You could also just read it, make

some notes, and try without reading again, but be aware that once you are

inside SoftICE, you can't switch back to a Windows program and read this -

you have to exit the SoftICE-window, and then you'll have to start over.


Try running the program on your database. If your database was over 150kb in

size, you'll see it pops up with an error message when you press "Go".

Since it will be able to do it's job to the fullest as long as the database

is less than 150kb, we will for now assume that it is simply a matter of

checking the filesize and showing a dialog box.


Now, the next step is to see if we can get any help from the .EXE file itself.

I used TDUMP.EXE, but anything that dumps the imports and exports of the EXE-

file can be used. In any event, you'll see that this EXE imports functions

from MSVBVM50.DLL. If you don't already know, this is the runtime DLL for

programs built in Visual Basic v5.0 (Microsoft Visual Basic Virtual

Machine 5.0). If there are anybody who wants me to expand on this subject

(like, what is a runtime DLL, what is Visual Basic, or what imported functions

are), please lemme know, and I'll write a section on it.


Visual Basic is an interpreted language, meaning that you don't actually

do much work in the program file, but rather rely on the .DLL file to supply

the functions you want to do. This makes Visual Basic a VERY high level

language - it is easy to learn, but extremely in-efficient. So, what you

want to do is see which functions are exported from MSVBVM50.DLL, to see if

there are any functions we can set a breakpoint on (more on this later).


Running "TDUMP.EXE c:\windows\system\msvbvm50.dll > msvbvm50.exp" suffices.

This will produce a file called "msvbvm50.exp" with the output from the TDUMP

command. You will see all the exports, which are the functions available

for other programs to use. We are interested in anything that has to do with

file lengths, and perusing down the list we see "rtcFileLen" and

"rtcFileLength". Okay, remember these. Now we will get into action with




I assume that you have installed SoftICE, and that it is running. You can

verify this by pressing CTRL+D - SoftICE should pop up. Press CTRL+D to

remove it again. If SoftICE is not installed, or it is installed but isn't

working/running, and you'd like me to explain how this should be set up,

email me and I'll include it here.


Now, start InstaPass if it isn't running already. Press CTRL+D to get into



The layout of the SoftICE screen can be customized, so how it looks on your

screen might vary, but I hope that this short introduction is good enough.

What you see on the top is the registers of the CPU. We'll deal shortly with

this later. Beneath is usually the data window - it is equal to a hex dump

of the memory. This window might not be on your screen, though.

Next is the Code window - this window can display source-code if you are

debugging an application, or it can show assembler-instructions, as it

probably is doing now.

In the lower, right corner you'll see what context we are in now. The context

is the program we are currently working in, and the place where our

breakpoints will take effect. It might read "DISPLAY" or ".text!MsAccess", or

something else. We need to change it to our InstaPass program.

If you type in "ADDR", you will see all the address context's we can switch

to. Now, just type "addr InstaPas", and we will be in InstaPas's context.


Remember to two functions we saw? Now, we can make a breakpoint on these,

so each time one of the two functions are called, SoftICE will halt the

system temporarily, and switch into the debugger (what you are seeing now).

There are many types of breakpoints, but that is for another tutorial.


Right now, we use the "bpx" command. Type these two commands:


    "bpx rtcFileLen"

    "bpx rtcFileLength"


and press CTRL+D. Now, select your test database, and press "Go". SoftICE

interrupts, saying that the breakpoint was encountered.

Just below the CPU registers window, it will say something with "msvbvm50" in

it. This means that the execution point (the point where the computer is

running code) is in the msvbvm50 module. We want to be in the Instapas-module,

since this is the code we need to hack. If you press F12, SoftICE will trace

the code until it encounters the next "ret"-instruction, meaning that it will

execute all the assembler-instructions, until it meets "ret". The "ret"-

instruction will return the computer to the place where a "call" instruction

was issued.


In this case, in the Instapas-program, the program wants to know the file

length, so it can see if it is larger than the allowed 150 kilobyte.

It calls the function "rtcFileLen", and the computer starts running code from

msvbvm50.dll, where the function rtcFileLen is located. When the "ret"-

instruction is encountered, we are returned to Instapas. This is the point

were we will be after having pressed F12.


Now, in the code window, you will se a lot of numbers, and towards the right

side, these two assembler instructions:


      CMP EAX, 000249F0

        SETGE CL


Now, this is were the registers come into play. If you have ever programmed,

you'll know what a variable is. The registers are variables in the CPU.

If you have never programmed - you might want to try it, good experience... -

this is similar to the x and y stuff from math class. EAX, EBX, ECX and EDX

are four of the variables available to us, and what the first assembler

instruction does is compare the value we have stored in the register EAX

to the hex-value 0x249F0.

Now, at the very top, you'll see the registers, and their current contents.

You can also see the EAX register. Now, try typing "? " and the value you can

see in the EAX register. This will evaluate the expression you have just

typed. Also, it will display the value again, along with the decimal

representation. I'll bet you this value is the same as the filesize of your

test database. So, what it does is compare your test-databases filesize with

0x249F0. Try typing "? 249F0", and you'll see that in decimal this is

"150000". Does this ring a bell? This is precisely what we have been looking

for - the 150kb limit (actually, pretty imprecise, since 150kb = 153600 bytes).


Now, the next instruction is what we want to modify. As I said earlier, I'm

pretty much still learning this, so I'm not quite sure what this command does

precisely, but I know it modifies something based on the flags in the CPU.

The flags, in turn, get set by the result of the CMP command, so what these

two lines do is check if the filesize is greater than 150.000 bytes, and

modifies a flag based upon that comparison.

What we want it to do is ALWAYS return with a success.


We can alter the CMP-instruction, so it compares with a greater value.

"CMP EAX, 00ABCDEF" will make the max filesize equal 11259375 bytes (roughly

11 megabytes), but this is not what we want. No limits! :)

So, we change this (more on how to change later) to "CMP EAX, 00000000", which

will fail always - files over 0 byte not allowed. Now we are sure of the

outcome of the CMP-instruction. On to changing the SETGE-instruction. Now, I

have really not checked what this instruction does, and I will post a more

up-to-date version explaining what this instruction does, but instead I just

toyed around with the manual to NASM, a great freeware assembler - find it

at "htpp://". It listed the different SET* instructions

there are, and I just tested them until I found one which worked :)

Not the most elegant method, I know. Sorry about that...


Anyway, "SETZ CL" worked, and with these two modifications, InstaPass will

accept all files, regardless of size.


This is how you do the actual modification. Bear in mind, though, that this

is only in-memory, and not the actual contents of the file itself we are

changing. Once your quit InstaPass, the changes will be lost - however, I

will demonstrate how to make the changes permanent a little later on.


The command we are looking for now is "A" for Assemble. This is because we

want to enter the two new machine-code statements we have just figured out.


The argument to A is the address at which we want to start assembling. This

_should_ be 0x00408C42, but there is a little possiblity of this changing

(e.g. a newer or older version of the program). You can see the address

just to the left of the "CMP EAX, ..." instruction in the code window.


Now, type "A 408C42" (or the correct address, if this is not the one)

The input window will display "00408C42 " and wait for your input. Type the

new commands:

    "CMP EAX, 0"

    "SETZ CL"

    and make another blank return, to end the assembler mode.


You will be able to see your changes in the code window.

Lastly, type "bc *" to clear the two breakpoints we've set. We have patched

the memory, and don't want SoftICE to use the breakpoints anymore.

Type CTRL+D, and verify that InstaPass indeed works with files larger than



This is actually a crack! There are more things you could do, like change

the text in the About box (it says "Evaluation Version"), but this is

only cosmetic.


What we want to do know is make the changes permanent. There are two ways

to accomplish this. Either we make a process patcher, or we patch the program



The first method is a bit complicated, and outside the scope of this essay.

Suffice to say, you "attach" a small program at the end of the real program,

which will, once the "real" program is loaded, patch certain memory locations.

This has a couple of advantages, but you should search for more information

before using this.


The other method I'll describe here. I wrote that HIEW is a requirement - this

is because it is what I find the easiest to use on these kind of operations.

There might be other editors suited, but for now, stick with HIEW.


Just run HIEW, and use it's file-browser to select InstaPas.exe.

Now, press F4, select Decode, and press F5. We want to go to the location

where we patched the program. If we were using a regular editor, we couldn't

just type "408C42" and get there, since this is a virtual offset, or

something akin to that. Now, here comes the reason why I use HIEW -

type ".408C42", and press RETURN. With the "." in front, HIEW knows it is a

virtual (or whatever) address, and we land smash right where we were in

SoftICE. This time, it's just the actual EXE file.


Now, press F3 to get into edit mode. Navigate the cursor past the "3D"-portion

of the hex-code, and enter "000000". Now, press <TAB> to enter assembler-mode,

and enter "SETZ CL". The reason for not entering the "CMP"-command the same

way is that HIEW translates this to a shorter version, and we have to patch

a little more. Nothing dangerous, but it's just a notch over beginner if you're

totally new to assembler.

Anyway, <ESC> to quit assembler-mode, press F9 to keep the changes, and press

F10 to exit HIEW. Quit any running InstaPass-instances, start the new

patched version, and voila - no limits! Your very own, semi-registered





I hope this essay has been helpfull. If you feel something is missing,

something is wrong, something is unexplained, have something nice to say

about it (or bad), or just want to chat, please email me at


/ cHaron '00