ActiveX / OCX Reversing 
by +Sandman
6th November 1999 
A revision for my Essay No3
"A cracking template for OCX & VBX files!"
Written by +Sandman 
( X )Beginner   ( )Intermediate   ( )Advanced   ( )Expert 
As a tutorial writer I find that it is important to continually update & revise my reversing techniques as demonstrated in some of my tutorials. No one is infallible, least of all me, therefore in order to put right an oversight in my Essay No 3 entitled "A cracking template for OCX & VBX files!" it is necessary that I re-write this tutorial and explain how to properly reverse this type of software. 

ActiveX controls can be found in many Windows 95/98/NT applications, from web pages to programming languages such as Visual Basic 4 and above. My Essay No 3 dealt with one such ActiveX control, Videosoft's VSOCX6.OCX control, an add-on for Visual Basic 4/5/6 which is, by far, the most useful add-on I've ever seen! It's a shame, though, that the developers have decided to use such a weak protection system for their industry-leading controls! 

1. Regmon 
2. Visual Basic 4/5/6  
About this
We are going to re-explore reversing an ActiveX control (VSOCX6.OCX), a Visual Basic add-on that I have already written about but made a complete hash of the first time I reversed it. 

By and large, ActiveX controls, especially those used in Visual Basic, do *not* require any patching to their code; that was where I went wrong. I tried to crack a nut with a sledge hammer instead of trying to understand exactly -how- an ActiveX control operates under Windows. 

Go grab yourself this VB control, you can find it here. On the download page just open up the page source and you will see where you can download this file without having to fill in any details about yourself..:) 

Now install this control on your system as normal. Our ActiveX control (VSOCX6.OCX) can be found in our C:\Windows\System folder with a file size of 232K.  

Now fire up Visual Basic and, via the Tools Menu then Custom Controls, select the "Videosoft vsOcx Controls" option. 

We're now ready to use this control in our program..:) 

Now insert this control onto a form, if you've started with a new project then Form1 will already be opened for you. 

So far so good, no nag or error message..:) 

Now Run our project.  As expected, we are presented with a runtime nag screen, clicking on the OK button clears this nag for the duration of the running program.  

So what is happening here?

What we have is a control that when executed performs a check on our computer to see if it has been registered, this can be via one of a number of ways.  

The two most common/standard methods used are:- 

1. Performing a check in the User's Registry file for a valid license key. 

If you open up your Registry File using RegEdit and go to this location: HKEY_CLASSES_ROOT\Licenses  you will see a number of CLSID keys. These keys usually contain an encrypted string that identifies it as being a valid license key for a particular OCX control. This is the standard way that license keys are formatted and stored in the Registry file. 

2. Locating a valid .lic file of the same filename used for the control itself in the User's \Windows\System directory. So if our control is called VSOCX6.OCX then the .lic file will usually be named VSOCX6.LIC 

Since our control is unregistered, whatever checks it makes for the presence of a valid key/.lic will fail, thereby triggering our nag screen. 

The weakest of the two protection systems described above is the reliance on finding a key within our System Registry file, so we will begin work examining what checks, if any, our control makes to this file. 

FileMon is an excellent utility that records all accesses made to our Registry file, although it's pretty much useless when used on VXD's, but this is not a worry to us since our control is not a VXD. 

Right, let us begin... 

Save your VB project with our control still on the form and then re-load it. This is necessary in order to clear the nag screen display flag. The nag screen doesn't always show when you re-run the program so we will start afresh.  

Before running our program, fire up RegMon and set its Process filter to Include only Vb32 or whatever development version of VB you are currently using. Already RegMon has started to record a number of events to our Registry File. Now run our program again; our Control should already be on our form. 

When the nag screen appears go directly into RegMon and click on the Icon to prevent any further Registry recordings being made.  

Now look closely at RegMon's output, you are looking for a line that looks like this:- 

OpenKey HKCR\Licenses\30A04360-A239-11d1-BAA2-444553540000 NOTFOUND  

Bingo! We have found such an entry, but what does it all mean and how do we make use of it?

Registry Access Sequence and Comments 

OpenKey: A method used to initiate an attempt to read an item of information from the System Registry File. Rather like the API command OpenFileA used in Windows. 

HKCR\Licenses\: This tells us -where- in the System Registry file the program wants to read from. This is the same principle as specifying a PATH name in Windows/DOS. 

30A04360-A239-11d1-BAA2-444553540000: This is the key name being searched! 

NOTFOUND: Oh dear, our control couldn't find this key name, not surprisingly because we've not registered it yet!


As already explained, most ActiveX/OCX controls that use the System Registry to store their license keys will, 99 times out of 100, use the HKCR\Licenses\ folder to store them in. Any line ending with SUCCESS instead of NOTFOUND can be ignored, since we're looking for something that the control is looking for but cannot find, our license key for instance..:) This knowledge tells us what we must look for in RegMon's output. 

So how do we make use of this knowledge? 

Easy, simply fire up RegEdit and go into the HKEY_CLASSES_ROOT folder, then scroll down until you come across the \Licenses folder. 

From here create a new Key. 

Give this Key the same 36 character name being searched for by our control. In this example our new Key would be called "30A04360-A239-11d1-BAA2-444553540000". 

Now when you re-run our VB program there will be no nag screen reminding us to register the control. 

Job Done..:) 

In the case of all Videosoft's controls, this method works every time because they choose to use the name of the Key as the license string, rather than assigning an encrypted value to it. So when you run any of their controls, all it will do is check for the presence of our license key, rather than checking its assigned value. Once you understand how this method of licensing controls using the Registry File works, you will appreciate just how unsecured it really is..:)  
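
The difference between checking that the key exists and checking its assigned value, as an added example (not code from this essay or from Videosoft). A dict stands in for HKCR\Licenses, and VENDOR_KEY, issue_license and the licensee name are hypothetical; only the key name comes from the RegMon line above.

```python
import hashlib
import hmac

# Key name taken from the RegMon line in the essay.
LICENSE_GUID = "30A04360-A239-11d1-BAA2-444553540000"

# Hypothetical vendor secret, constructed for this example. A MAC key shipped
# inside the control can be extracted from it; a stronger design verifies a
# signature made with a private key that never leaves the vendor.
VENDOR_KEY = b"constructed-demo-key"


def issue_license(licensee: str) -> str:
    """Vendor side: bind the license value to the control GUID and the licensee."""
    msg = f"{LICENSE_GUID}|{licensee}".encode()
    tag = hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()
    return f"{licensee}:{tag}"


def presence_only_check(registry: dict) -> bool:
    """Weak pattern described above: the existence of the key is the license."""
    return LICENSE_GUID in registry


def value_verified_check(registry: dict) -> bool:
    """Hardened pattern: the key must hold a value that authenticates."""
    value = registry.get(LICENSE_GUID)
    if not value or ":" not in value:
        return False
    licensee, _, tag = value.rpartition(":")
    expected = issue_license(licensee).rpartition(":")[2]
    # Constant-time comparison; bytes so arbitrary registry text cannot raise.
    return hmac.compare_digest(tag.encode(), expected.encode())


if __name__ == "__main__":
    empty_key = {LICENSE_GUID: ""}  # constructed: key exists, no value
    genuine = {LICENSE_GUID: issue_license("Example Ltd")}  # constructed
    for name, reg in (("empty key", empty_key), ("genuine", genuine)):
        print(name, presence_only_check(reg), value_verified_check(reg))
```
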

If you're in a hurry, or you don't yet have Visual Basic installed, then open up the file 
c:\windows\system\vsocx6.ocx using Hex Workshop and perform an ASCII search on it, using "Licenses" as your search string. 


Hex Sequence  Ascii Sequence
Again, the procedure is the same. Fire up RegEdit, go into the HKEY_CLASSES_ROOT\Licenses folder and create a Key called: 30A04360-A239-11d1-BAA2-444553540000 
Ob duh
I won't even bother explaining to you that you should BUY your software if you intend to use it for a longer period than the allowed one. Should you want to STEAL software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell. 
Final Notes
Original format of this tut by (c) flipper (upg) 12/30/97 All rights reversed. 

Essay by:   +Sandman 
Page Created: 19th April 1998