Visual Basic Unprotection
Programmers: don't protect with visual basic!
04 May 1998
by Little-John
Courtesy of Fravia's page of reverse engineering
slightly edited
by Fravia+
Well, I think that with this essay by Little-John we can CLOSE the 'first part' of our Visual Basic reversing. No more essays on Visual Basic "simple" reversing, please, we have made our point enough. But there seem to be some new protection 'breeds' ('stains'?) around: Visual Basic MIXED with assembler... interesting food for our future work...
This said, here you have an interesting little work by Little-John that will teach a couple of things to beginner and intermediate crackers and protectors alike... Enjoy!
There is a crack, a crack in everything That's how the light gets in
(x)Beginner (x)Intermediate ( )Advanced ( )Expert

This essay is dedicated to those programmers who think they are serious, but aren't...
Another brick in the wall
Vb4 unprotection
Written by Little-John

Two days ago a friend of mine (an engineer) pointed me to a nice program, very useful for engineers (especially in Italy), called 'Verifiche Periodiche IPSOA', but he had a problem... a nice nag appeared at the start...

Tools required
Soft-Ice 3.22
Win95 File Monitor

Target's URL/FTP
Sorry, I don't know a URL or FTP site for this application :-(

Program History
Well, the version I had was dated 1997/10 and that was Version 1.0... quite a bad start.

I recommend that you first read all the VB essays in the Visual Basic project, paying special attention to the one by Razzia and sth.

This is another example for programmers of how Visual Basic throws your work away. You, serious programmer, should not use VB for your creations, because with that development tool you'll never protect your programs, and your work is gone...

Ok, let's start.
Verifiche Periodiche was created with Visual Basic 4 (16-bit version); in fact it also runs under Windows 3.1. First of all, always remember to read the documentation that comes with the program. The help file says (translated from the Italian):

"The application has a protection system: to use the program you must enter a 15-digit code that uniquely identifies the computer on which the program can be run. The authorization code is requested every time the application is started; if you do not have the code, select Ok without typing anything in the Codice Autorizzazione text box. The product may be used a limited number of times; once this limit is exceeded you must enter the code or leave the application by pressing the Chiudi (Close) button.

Once you have obtained the authorization code through the procedure described below, type it in to unlock the application. After that the code will no longer be requested.

The code can be entered when the application starts.

To obtain the authorization code you need to:

- Telephone ASSISTENZA CLIENTI INDICITALIA (customer support) on 06/5196111
- Give the serial number that is displayed
- Give your customer code (found on your invoices)

This operation is necessary only at the first installation. For upgrades the authorization code does not need to be entered again.
The code must be kept safe, because it represents the "User License"."

(Sorry for my English =).

Every time I start a cracking session I first "precrack" my target (a good rule for all crackers): I open Filemon, Regmon and VxDmon, and only then run the target. In this case Filemon is the one we need, because this is a 16-bit application, so no Registry and no VxD. While it runs we see the program performing some queries on the "product.inf" file on the CD and on the "Mappdrv.inf" file in the Windows directory. Mmhh. Those nice programmers are using a STRANGE name to read data from. Let's have a look. A huge number is there, and it looks like:
824400=824400199710... (The other numbers are of no interest to us and they change from one computer to another.)

If we try to change one number in this file, the application will say Checksum error and then stop. Now all is clear. The application reads the values from MAPPDRV.INF and then compares 'em to some others...

Ok, so start the program. You need a 15-digit number, let's say 123456789012345. The program returns Error Code number 4. If we omit a digit the program returns Error Code number 6! Put a breakpoint on hmemcpy (it works fine 99% of the time) and you will find the code you inserted; just bpr it and then g(o). You'll land in VB40016.dll, in RTCMIDCHARVAR; while g(oing), see what happens. Yep! The memory image is quite nice. In my memory I see:


...(and so on till the end of the number). So the program is reproducing our code. Why? In order to check it. It checks that all the characters are digits; in fact, if you insert a non-numeric character you'll see the 2 columns stop at that char, followed by the Error Code. If all is right, at the end of the two columns the program re-writes our code without the last two numbers; they're re-written below it. To the left of these two numbers the program writes, in the same location, all the digits one after the other. Put a bpr on the two stand-alone digits and see what happens. The program stops at a 'REPNZ CMPSB' (see sth's essay) and compares 'em (45) with two other numbers (75 in our case). Take note and write 'em at the end of your code. So now the first REPNZ CMPSB check passes, and the application then performs another check. I saw the comparison between 9012355 and 4290156. What does it mean? NICE programmers... They pick up some digits from the code and then compare 'em with some others:


They are very fanciful programmers. So, our number now is 123466784290175. Press OK and Error Code number 4 will appear again. That's natural: since we have changed some numbers in the code, the last two digits will change. Let's check. Yes, I'm right. It compares 75 with 77, and our number will now be 123466784290177. Is it cracked? Maybe. Press Ok and all goes well. It seems to work fine, but when we restart the program the Insert_Your_Code_Here nag appears again. 7 numbers in our code had not been used (1234.678).

The program performs two checks on our number, the first to make the nag appear and the second to start the program. In this case the only way to make the program work is to trace the first check made (the one for the nag). In my case the program performs 24 different types of check; some of 'em are meaningless and others are very useful instead. While checking, a very strange comparison is made between "c:\windows\mappdrv.inf" and "ERRORE" (error :). I think this is a way to confuse a possible cracker...

At a certain point it compares NL with LI... mmhh... NL is in our mappdrv.inf file and maybe it means Non-Licensed, and it is compared with LIcensed. Ok, so let's change NL to LI in our file and run the program. Checksum Error... this means we have to change some other values in our mappdrv.inf file. So trace the first comparison again. In fact it compares the last two numbers of mappdrv.inf with newer values. Just use them in the .inf file and all goes fine. CRACKED =)
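Seen from the protector's side, the scheme above fails because the program itself computes the correct check digits and compares them in memory, and because the NL/LI flag sits in an editable file guarded by a checksum the program also computes. The following is an added example, not part of the original essay and not the vendor's code, of the usual alternative: the vendor signs the license entry with a private key and the shipped program only verifies it with the public key. The payload layout, function names and machine IDs are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// payload is the text the vendor signs; this field layout is hypothetical.
func payload(machineID, status string) string {
	return "machine=" + machineID + ";status=" + status
}

// IssueLicense runs only at the vendor, the sole holder of the private key.
func IssueLicense(priv ed25519.PrivateKey, machineID, status string) string {
	p := payload(machineID, status)
	sig := ed25519.Sign(priv, []byte(p))
	return p + "|" + base64.StdEncoding.EncodeToString(sig)
}

// VerifyLicense runs in the shipped program. It holds only the public key,
// so it can check a signature but never compute the value a valid file needs.
func VerifyLicense(pub ed25519.PublicKey, file, machineID string) error {
	i := strings.LastIndex(file, "|")
	if i < 0 {
		return errors.New("malformed license file")
	}
	sig, err := base64.StdEncoding.DecodeString(file[i+1:])
	if err != nil || !ed25519.Verify(pub, []byte(file[:i]), sig) {
		return errors.New("signature check failed")
	}
	if file[:i] != payload(machineID, "LI") {
		return errors.New("not a licensed entry for this machine")
	}
	return nil
}

// Demo uses a constructed key pair and constructed machine IDs.
func Demo() (valid, edited, otherMachine bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	good := IssueLicense(priv, "M-0001", "LI")
	trial := IssueLicense(priv, "M-0001", "NL")
	flipped := strings.Replace(trial, "status=NL", "status=LI", 1) // hand-edited flag
	ok := func(f, id string) bool { return VerifyLicense(pub, f, id) == nil }
	return ok(good, "M-0001"), ok(flipped, "M-0001"), ok(good, "M-0002")
}
func main() { fmt.Println(Demo()) }
```

A check like this can still be patched out of the binary; what it removes is the possibility of reading the correct code, or a valid file edit, out of the program's own comparisons.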

Final Notes
Just a few days ago my engineer friend showed me some other products of INDICITALIA, the same software-house... of VERIFICHE PERIODICHE, and they use the same VB-unprotection... :-(

!!! Programmers don't use Visual Basic !!!
The Micro$oft mouse-trap is working well

Ob Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
