Construct-It v5.50

A VB Based Prog with a Beautiful Crystal Ball

 
Date 4/16/01

by Sojourner

Published by Tsehp Oct 2001

 
 
There is a crack, a crack in everything. That's how the light gets in.
 
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert
 


This one is so simple the newbiest newbies can learn a quick lesson here!


 

Introduction
This is a cost estimating software for builders. It can help you make accurate takeoffs
so you can easily find out how much a project will cost.

Tools required

w32dasm 8.x--your choice of flavors- must be vb enhanced

hex editor needed- UltraEdit 7.xx or whatever you want to use--- NOT NEEDED!!!!!

Target's URL/FTP

www.construct-it-USA.com

Just go to this site and then download what you need.

To Do List
What to do - The only thing we will do is register our new software.
Essay

Hello everyone. It's been a long time since I've published any tutorials. I've been very busy in college taking further courses to advance my degree in computer science. I have been a visitor at Hambo's forum and communicated with several people from there. hambo.yeah.net is the main page access. I appreciate all the positive feedback from those of you who have read my work and hopefulyt have learned from me something useful. I am still learning new things all the time. Todays lesson deals with a vb5 prog which tries to use a sophisticated key generator to protect their prog. As you will see, it is a very lame attempt, although, no one without any skills whatsoever would be able to luck into the code. It uses a 16 byte numeric string as the necessary output and that is evident enough from the layout in the program general because it shows you exactly where to put each character and how many go there.

I'll assume you have downloaded the program and have disassembled it. Have you? Come on, we've gone through this a hundred times before. You know the routine. OK, so it's 35 meg big. Don't cry. Just get the files and let's go on. You can remove any files after we've finished the lesson and restore your space. I told you this was an easy lesson and it is. All you need to do is to set a breakpoint on all the vbaStrCmp you find. Personally, I would wait until after the prog has loaded and you have the registration screen filled out. Be sure to put in whatever name you want to use and stick with it the whole time, because changing it will cause you to have to go back and start over. Now you can certainly do that, as I have done, after your first registration success. Here some code to peruse:

 

:00558330 50 push eax
:00558331 F7DA neg edx
:00558333 8995F4FDFFFF mov dword ptr [ebp+FFFFFDF4], edx

* Reference To: MSVBVM50.__vbaStrCmp, Ord:0000h
|
:00558339 FF1508245900 Call dword ptr [00592408]
:0055833F 8B8DF4FDFFFF mov ecx, dword ptr [ebp+FFFFFDF4]
:00558345 F7D8 neg eax
:00558347 1BC0 sbb eax, eax
:00558349 F7D8 neg eax
:0055834B 0BC8 or ecx, eax
:0055834D 7514 jne 00558363
:0055834F 66C7053CA05700FFFF mov word ptr [0057A03C], FFFF
:00558358 68D0875500 push 005587D0
:0055835D 9B wait
:0055835E E9E7030000 jmp 0055874A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0055834D(C)
|

* Reference To: MSVBVM50.__vbaVarDup, Ord:0000h
|
:00558363 8B1D30255900 mov ebx, dword ptr [00592530]
:00558369 B904000280 mov ecx, 80020004
:0055836E 898D5CFFFFFF mov dword ptr [ebp+FFFFFF5C], ecx
:00558374 B80A000000 mov eax, 0000000A
:00558379 898D6CFFFFFF mov dword ptr [ebp+FFFFFF6C], ecx
:0055837F 8D9504FFFFFF lea edx, dword ptr [ebp+FFFFFF04]
:00558385 8D8D74FFFFFF lea ecx, dword ptr [ebp+FFFFFF74]
:0055838B 898554FFFFFF mov dword ptr [ebp+FFFFFF54], eax
:00558391 898564FFFFFF mov dword ptr [ebp+FFFFFF64], eax

* Possible StringData Ref from Code Obj ->"No valid registration"
|
:00558397 C7850CFFFFFF80574400 mov dword ptr [ebp+FFFFFF0C], 00445780
:005583A1 C78504FFFFFF08000000 mov dword ptr [ebp+FFFFFF04], 00000008
:005583AB FFD3 call ebx
:005583AD 8D9514FFFFFF lea edx, dword ptr [ebp+FFFFFF14]
:005583B3 8D4D84 lea ecx, dword ptr [ebp-7C]

* Possible StringData Ref from Code Obj ->"This software has not yet been "
->"registered or has been registered "
->"incorrectly and therefore various "
->"options have been disabled. Click "
->"OK to attempt registration."
|

:005583B6 C7851CFFFFFF38564400 mov dword ptr [ebp+FFFFFF1C], 00445638
:005583C0 C78514FFFFFF08000000 mov dword ptr [ebp+FFFFFF14], 00000008
:005583CA FFD3 call ebx
:005583CC 8D9554FFFFFF lea edx, dword ptr [ebp+FFFFFF54]
:005583D2 8D8564FFFFFF lea eax, dword ptr [ebp+FFFFFF64]
:005583D8 52 push edx
:005583D9 8D8D74FFFFFF lea ecx, dword ptr [ebp+FFFFFF74]
:005583DF 50 push eax
:005583E0 51 push ecx
:005583E1 8D5584 lea edx, dword ptr [ebp-7C]
:005583E4 6A20 push 00000020
:005583E6 52 push edx

* Reference To: MSVBVM50.rtcMsgBox, Ord:0253h
|
:005583E7 FF1598235900 Call dword ptr [00592398]
:005583ED 8BC8 mov ecx, eax

At 00558339 you will breakpoint on the most important code. Look around the registers here and you will find your wonderful little number awaiting your notice. It will look something like this: 6288 1050 2418 4667 Just snag it and input into your prog and hit the register key. Congratulations! You now have a registered version of this little guy. If you have inserted your numbers incorrectly, you will be kicked to here. The JNE at 0055834D will catch that discrepancy and kick you out.





 
 

Final Notes

 This was a simple lesson. Until later.

If you have any questions please feel free to contact me at jomamameister@yahoo.com


Oh Duh
I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one.