As a tutorial writer I find that it is important to continually update & revise my reversing techniques as demonstrated in some of my tutorials. No one is infallible, least of all me, therefore in order to put right an oversight in my Essay No 3 entitled "A cracking template for OCX & VBX files!" it is necessary that I re-write this tutorial and explain how to properly reverse this type of software.
ActiveX controls can be found in many Windows 95/98/NT applications, from web pages to programming languages such as Visual Basic 4 and above. My Essay No 3 dealt with one such ActiveX control, Videosoft's VSOCX6.OCX control, an add-on for Visual Basic 4/5/6 which is, by far, the most useful add-on I've ever seen! It's a shame, though, that the developers have decided to use such a weak protection system for their industry leading
2. Visual Basic 4/5/6
We are going to re-explore reversing an ActiveX control (VSOCX6.OCX), a Visual Basic add-on that I have already written about but made a complete hash of the first time I reversed it.
By and large, ActiveX controls, especially those used in Visual Basic, do *not* require any patching to their code; that was where I went wrong. I tried to crack a nut with a sledgehammer instead of trying to understand exactly -how- an ActiveX control operates under Windows.
Go grab yourself this VB control, you can find it here. On the download page just open up the page source and you will see where you can download this file without having to fill in any details about yourself..:)
Now install this control on your system as normal. Our ActiveX control (VSOCX6.OCX) can be found in our C:\Windows\System folder with a file size of 232K.
Now fire up Visual Basic and, via the Tools menu then Custom Controls, select the "Videosoft vsOcx Controls" option.
We're now ready to use this control in our program..:)
Now insert this control onto a form. If you've started with a new project then Form1 will already be opened for you.
So far so good, no nag or error message..:)
Now Run our project. As expected, we are presented with a runtime nag screen, clicking on the OK button clears this nag for the duration of the running program.
So what is happening here?
What we have is a control that, when executed, performs a check on our computer to see if it has been registered. This can be done in one of a number of ways.
The two most common/standard methods used are:-
1. Performing a check in the User's Registry file for a valid license key.
If you open up your Registry file using RegEdit and go to this location: HKEY_CLASSES_ROOT\Licenses you will see a number of CLSID keys. These keys usually contain an encrypted string that identifies it as being a valid license key for a particular OCX control. This is the standard way that license keys are formatted and stored in the Registry file.
2. Locating a valid .lic file of the same filename used for the control itself in the User's \Windows\System directory. So if our control is called VSOCX6.OCX then the .lic file will usually be named VSOCX6.LIC
The weakest of the two protection systems described above is the reliance on finding a key within our System Registry file, so we will begin work examining what checks, if any, our control makes to this file.
FileMon is an excellent utility that records all accesses made to our Registry file, although it's pretty much useless when used on VXDs, but this is not a worry to us since our control is not a VXD.
Right, let us begin...
Save your VB project with our control still on the form and then re-load it. This is necessary in order to clear the nag screen display flag. The nag screen doesn't always show when you re-run the program so we will start afresh.
Before running our program fire up RegMon and set its Process filter to include only Vb32 or whatever development version of VB you are currently using. Already RegMon has started to record a number of events to our Registry file. Now run our program again; our control should already be on our form.
When the nag screen appears go directly into RegMon and click on the Icon to prevent any further Registry recordings being made.
Now look closely at RegMon's output, you are looking for a line that looks like this:-
OpenKey HKCR\Licenses\30A04360-A239-11d1-BAA2-444553540000 NOTFOUND
Bingo! We have found such an entry, but what does it all mean and how do we make use of it?
As already explained, most ActiveX/OCX controls that use the System Registry to store their license keys will, 99 times out of 100, use the HKCR\Licenses\ folder to store them in. Any line ending with SUCCESS instead of NOTFOUND can be ignored, since we're looking for something that the control is looking for but cannot find, our license key for instance..:) This knowledge tells us what we must look for in RegMon's output.
So how do we make use of this knowledge?
Easy, simply fire up RegEdit and go into the HKEY_CLASSES_ROOT folder, then scroll down until you come across the \Licenses folder.
From here create a new Key.
Give this Key the same 36 character name being searched for by our control. In this example our new Key would be called "30A04360-A239-11d1-BAA2-444553540000".
Now when you re-run our VB program there will be no nag screen reminding us to register the control.
In the case of all Videosoft's controls, this method works every time because they choose to use the name of the Key as the license string, rather than assigning an encrypted value to it. So when you run any of their controls all it will do is check for the presence of our license key, rather than checking for its assigned value. Once you understand how this method of licensing controls using the Registry file works, you will appreciate just how insecure it really is..:)
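For developers of licensed controls, the difference between a presence-only check and a value-verified check is shown in the added example below (not code from this essay or from Videosoft). A dict stands in for HKEY_CLASSES_ROOT\Licenses, and CONTROL_ID, VENDOR_SECRET and the customer names are constructed placeholders. An HMAC with an embedded secret is assumed only to keep the example short; a shipped control would verify a vendor signature with a public key instead.

```python
import hashlib
import hmac

# Constructed sample data: a dict models HKEY_CLASSES_ROOT\Licenses as
# {key name: default value}. Nothing here comes from a real product.
CONTROL_ID = "00000000-0000-0000-0000-000000000000"  # placeholder key name
VENDOR_SECRET = b"constructed-demo-secret"            # hypothetical secret


def issue_license(customer: str) -> str:
    """Vendor side: bind the licence value to this control and this customer."""
    msg = f"{CONTROL_ID}|{customer}".encode()
    tag = hmac.new(VENDOR_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{customer}:{tag}"


def weak_check(licenses: dict) -> bool:
    """The scheme described above: the key's mere presence is the licence."""
    return CONTROL_ID in licenses


def hardened_check(licenses: dict) -> bool:
    """Accept only a stored value whose tag verifies for the named customer."""
    value = licenses.get(CONTROL_ID)
    if not value or ":" not in value:
        return False  # missing key, empty value, or malformed value
    customer, _, tag = value.rpartition(":")
    expected = issue_license(customer).rpartition(":")[2]
    # Compare as bytes so non-ASCII input cannot raise, and in constant time.
    return hmac.compare_digest(tag.encode(), expected.encode())


def demo() -> dict:
    """Run both checks over three constructed registry states."""
    genuine = issue_license("ACME Ltd")
    states = {
        "empty key": {CONTROL_ID: ""},
        "genuine": {CONTROL_ID: genuine},
        "edited name": {CONTROL_ID: "Other Co:" + genuine.rpartition(":")[2]},
    }
    return {name: (weak_check(reg), hardened_check(reg))
            for name, reg in states.items()}


if __name__ == "__main__":
    for name, (weak, hard) in demo().items():
        print(f"{name:12} weak={weak} hardened={hard}")
```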
If you're in a hurry, or you don't yet have Visual Basic installed, then open up the file:
Again, the procedure is the same. Fire up RegEdit, go into the HKEY_CLASSES_ROOT\Licenses folder and create a Key called: 30A04360-A239-11d1-BAA2-444553540000
I won't even bother explaining to you that you should BUY your software if you intend to use it for a longer period than the allowed one. Should you want to STEAL software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
Essay by: +Sandman
Page Created: 19th April 1998