|In my 19th
essay I taught you how to crack a Visual Basic program by using SmartCheck. This time
I'll teach you how to crack a Visual Basic program using SoftICE. I've used this technique
on quite a lot of Visual Basic 5 programs - and mostly it works perfectly (there were
some exceptions of course). Before we can start our Cracking Session, make sure
you've the a line like "EXP=C:\WINDOWS\MSVBVM50.DLL" in your WINICE.DAT - then
let's start our Cracking Session:
After you've started Close Popup and pressed the "Register"-Button, a
dialog box asking for a "User Name" and "Registration Code" get's
displayed. As "User Name", enter "Cracking Tutorial" - and as
"Registration Code" enter "12345". Then enter SoftICE and set a BPX to
HMEMCPY; leave SoftICE and press the "OK"-Button. Now SoftICE will pop up. Clear
that HMEMCPY breakpoint and press F12 until you reach the code located in MSVBVM50.DLL.
Now use another great feature of SoftICE - the memory search. Now let's search for the
Visual Basic 5 String Compare routine, which looks like the following:
|:0F00D9EA 56 PUSH ESI
:0F00D9EB 57 PUSH EDI
:0F00D9EC 8B7C2410 MOV EDI,[ESP+10]
:0F00D9F0 8B74240C MOV ESI,[ESP+0C]
:0F00D9F4 8B4C2414 MOV ECX,[ESP+14]
:0F00D9F8 33C0 XOR EAX,EAX
:0F00D9FA F366A7 REPZ
:0F00D9FD 7405 JZ 0F00DA04
:0F00D9FF 1BC0 SBB EAX,EAX
:0F00DA01 83D8FF SBB EAX,-01
:0F00DA04 5F POP EDI
:0F00DA05 5E POP ESI
:0F00DA06 C20C00 RET 000C
We must search this part of
the code if we look for the Visual Basic 5 String Compare routine. So we need to look for
"56, 57, 8B, 7C, 24, 10, 8B, 74, 24, 0C, 8B, 4C, 24, 14"
- but why to search for such a "long" part of the code? Well, if we don't look
for that "long" part of the Code, we would find several other addresses which
are not interesting for us. So you may edit your WINICE.DAT and edit the Alt-F4 key, which
is nearly never used, to the following:
AF4="^S 0 L FFFFFFFF 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14"
Then every time we're looking for the Visual Basic 5 string compare routine, we can
just press ALT-F4 and we get the address. Then we BPX on that address. Then we can check
what's compared and if our fake serial # get's compared to the right one, we can simply
sniff out the real serial #.
But before we can use our "Hotkey", we must reboot, since we changed the
WINICE.DAT so do this now. Then enter the same registration details as before and set a
BPX to HMEMCPY. Then press the "OK"-Button. Delete that BPX HMEMCPY and press
F12 until you reached the Visual Basic 5 code. Then just press "Alt-F4". SoftICE
will now display something like the following:
Pattern found at 013F:0F00D9EA (0F00D9EA)
So just set a BPX to 0F00D9EA and leave SoftICE. SoftICE will now pop up at the
string compare function. Just have a look at ESI and EDI (at e. g. 0F00D9E4) to check
what's checked. First EDI will contain "TEX98" and ESI will contain
"CRACKING TUTORIAL" - so our User Name get's compared with "TEX98"
(the name of someone who has been blacklisted). We're *not* interested in that, so leave
SoftICE. As SoftICE pops up "UNREGISTERED" and "Cracking Tutorial" are
compared to see if we've changed that (it was the start text as the dialog box was
displayed). We're also *not* interested in that, so leave SoftICE. SoftICE pops up again -
and this time "12345" and "16558gVX`^c\`Ijidg^Va" are compared.
So let's try "16558gVX`^c\`Ijidg^Va" as Registration Code - and voilla -
you get the "Thank you!"-dialog.
So you can Reverse Engineer a lot of Visual Basic 5 programs in less than 60
1) enter the registration details
2) set a BPX to HMEMCPY
3) press the "OK"-Button
4) press F12 until you're in the Visual Basic 5 code
5) delete the HMEMCPY breakpoint
6) press ALT-F4
7) BPX to the address SoftICE displayed
8) sniff out the real code
BTW, your registration info is stored at
"HKEY_CURRENT_USER/Software/VB and VBA Program
Settings/Take a Hike Software/Close Popup"
- so just delete the "User" and "Code" key and you can Reverse
Engineer it again
Another target has been Reverse Engineerd. Any
questions (no crack requests)?