VB5 Serial Number Tip

Welcome to a slightly modified page. I'm going to describe a few small tips with regards to Visual Basic applications (specifically those with serial number protections). The first thing to know about VB is that the program executable files are essentially just scripts running functions exported from the VB run-time DLL. You'll notice that VB executables tend to be fairly small, although this isn't always true. You'll immediately recognise a VB program when you disassemble it because of the DLL imports, or when you land in these DLLs via SoftICE.

vbrun300.dll - VB3 (16-bit)
vb40016.dll - VB4 (16-bit) - rare.
vb40032.dll - VB4 (32-bit)
msvbvm50.dll - VB5 (32-bit)

The VB DLL essentially acts as a substitute API for the Win32 API, although most VB applications still use the Win32 subsystem. You should add all of the VB DLLs as exports in your winice.dat file if you wish to set breakpoints on VB functions.

In most VB applications, we can try >bpx Hmemcpy but you'll find yourself stepping through msvbvm50.dll and very quickly lost in the mire that is VB. In most cases you'll never actually reach the real compare routine inside the exe, you'll usually have to rely on the lazy string approach. Remember also that VB programs store and compare strings in wide character format (essentially string padding with 20h).

Ordinary String Example: CRACKZ (43h 52h 41h 43h 4Bh 5Ah).
Wide Character Format: C R A C K Z (43h 20h 52h 20h 41h 20h 43h 20h 4Bh 20h 5Ah).

I'll introduce one useful VB breakpoint, MultiByteToWideChar; in most VB reversing, finding the right breakpoint is usually the difficulty. Setting MBTWC inside SoftICE and attempting to register should get you returned inside msvbvm50.dll on most occasions; now look for registers (EAX & EBX) holding the length of the string you entered. If you don't see it, try hitting Ctrl+D again. You may get another return (repeat ad infinitum).

Once you've got the string length in a register you should step a few lines and then do a search, with any luck you'll find the string you entered either lying around in a register or very close to one. If you scroll the data window around your input you will probably be able to find your good code sat lazily in memory.

Addendum

Well, here is an addition by myself, as I was so irritated with the lack of VB5 reversing approaches. I bring you now 'exclusively' (if that's the word) the VB5 String Compare routine, merely a simple but slightly different variation on the VB4 & VB3 compare code.

:0F00D9EA PUSH ESI (56)
:0F00D9EB PUSH EDI (57)
:0F00D9EC MOV EDI,[ESP+10] (8B7C2410)
:0F00D9F0 MOV ESI,[ESP+0C] (8B74240C)
:0F00D9F4 MOV ECX,[ESP+14] (8B4C2414)
:0F00D9F8 XOR EAX,EAX (33C0)
:0F00D9FA REPZ CMPSW (F366A7) <-- Compare those strings.
:0F00D9FD JZ 0F00DA04 (7405)
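The listing above and the wide-character note earlier on this page describe the same weakness: the real serial sits in process memory as a wide string and is compared word-for-word with the input. The following Python script is an added example, not CrackZ's code or the VB runtime's, that models both points and shows the defensive alternative. It assumes that Windows wide strings are UTF-16LE (each ASCII character followed by a 00h byte), that REPZ CMPSW compares ECX 16-bit words, and that the hashed scheme stores only SHA-256 of the serial; all sample values apart from "CRACKZ" are constructed.

```python
"""
Added example (not CrackZ's code): models how the VB5 runtime holds and
compares strings, and shows a defensive alternative.

Assumptions: Windows wide strings are UTF-16LE, so each ASCII character is
followed by a 00h byte; the REPZ CMPSW model compares ECX 16-bit words, as
the listing in the tutorial does. All inputs are constructed.
"""
import hashlib
import hmac


def widen(s: str) -> bytes:
    """Return s as the VB runtime stores it: UTF-16LE ("wide character format")."""
    return s.encode("utf-16-le")


def hex_dump(b: bytes) -> str:
    """Render bytes in the '43h 00h ...' style used in the tutorial."""
    return " ".join(f"{x:02X}h" for x in b)


def repz_cmpsw(esi: bytes, edi: bytes, ecx: int) -> bool:
    """
    Model of the loop at 0F00D9FA: compare ECX 16-bit words at ESI and EDI,
    stopping at the first mismatch. Returns True when ZF would be set (all
    ECX words equal), i.e. when the JZ at 0F00D9FD would be taken.
    """
    for i in range(ecx):
        if esi[2 * i : 2 * i + 2] != edi[2 * i : 2 * i + 2]:
            return False
    return True


def plaintext_check(entered: str, good_code: str) -> bool:
    """
    The weak scheme the tutorial breaks: the valid serial is a wide string in
    process memory and is compared word-for-word against the input, so both
    operands are visible to anyone who breaks in on the compare.
    """
    a, b = widen(entered), widen(good_code)
    if len(a) != len(b):
        return False
    return repz_cmpsw(a, b, len(a) // 2)


def find_wide(haystack: bytes, needle: str) -> int:
    """
    Offset of needle's wide form inside a memory image, or -1. A search for
    the plain ASCII bytes misses wide strings entirely, which a defender
    scanning a memory dump for leaked secrets also has to account for.
    """
    return haystack.find(widen(needle))


def hashed_check(entered: str, good_digest_hex: str) -> bool:
    """
    Hardened variant: the program ships only SHA-256(serial) and compares
    digests in constant time, so the valid serial never sits in memory for a
    breakpoint on the compare to reveal.
    """
    digest = hashlib.sha256(widen(entered)).hexdigest()
    return hmac.compare_digest(digest, good_digest_hex)


# Constructed values for the demonstration; "CRACKZ" is the tutorial's own.
GOOD_CODE = "CRACKZ"
GOOD_DIGEST = hashlib.sha256(widen(GOOD_CODE)).hexdigest()
# Constructed memory image: padding, the wide good code, more padding.
MEMORY_IMAGE = b"\x00" * 8 + widen(GOOD_CODE) + b"\xcc" * 8

if __name__ == "__main__":
    print("ASCII:", hex_dump(GOOD_CODE.encode("ascii")))
    print("Wide: ", hex_dump(widen(GOOD_CODE)))
    print("plaintext compare:", plaintext_check("CRACKZ", GOOD_CODE),
          plaintext_check("CRACKX", GOOD_CODE))
    print("ASCII search in memory:", MEMORY_IMAGE.find(b"CRACKZ"))
    print("wide search in memory: ", find_wide(MEMORY_IMAGE, "CRACKZ"))
    print("hashed compare:", hashed_check("CRACKZ", GOOD_DIGEST),
          hashed_check("crackz", GOOD_DIGEST))
```

Run as a script it prints the ASCII and wide byte layouts of "CRACKZ", shows that the ASCII search misses the wide copy while the wide search finds it at offset 8, and shows that the hashed check still rejects wrong input without ever holding the good code. The hashed variant only removes the plaintext from memory; a patch on the conditional jump after the compare still works against it, which is the reason the INT 3 patching approach below does not depend on seeing the operands.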

If you are in any doubt as to what you should do now, go and read my tutorial about INT 3 patching: just patch a copy of msvbvm50.dll and use >bpint 3 to break in on this compare code, and if it's being used you've beaten your target. This technique will not work all of the time, but it's certainly worth keeping a patched copy of the DLL on your system for other VB5 programs.


© 1998 CrackZ. 26th May 1998.
2 screens you'll see something with many "+". Just click on +command_click and it extracts.. good..
Scroll down to the bottom and scroll up again until you see your wrong serial (22446688 in my case).
You'll see that it will be "converted" to another character. Some places lower you see a similar number that's been converted to a "normal" number.
This is the serial (in my case it is:   265185164 )
(The numbers could be different on your computer).
Now you can try if it works, or you can repeat all of this with your name.

Final notes

I don't really know anything about the Visual Basic code, but it isn't really difficult to crack these applications. Please note that if you want to keep on using this program, please buy it.


Meta Master 2000


Well, since I've written this tutorial, I checked the website again and I found a new version of META MASTER. I've cracked it by a M8, and I saw that the registration process was different, so here we go (again).
Assuming that you already downloaded and installed this program, you would like the FULL version for removing that annoying banner, and to make the first option work. So, what do we do? Let's check in which language it's written.
Right, check it in HIEW (Tip: Make a shortcut in your WINDOWS\SEND TO directory). Go to the directory where Meta Master is installed, click on it, right click, Send to --> HIEW. What do we see?
Well, we see the program isn't encrypted or packed, and we see it's written in VB (you should see the reference to MSVBVM50.DLL --> this stands for VB 5.0).
So, already 2 choices about how to crack: SoftICE or SmartCheck. Because I've not seen so many tutorials about SmartCheck, I'm writing one. So, here we go.

Open SmartCheck, and let the program load (F5).
It will take a while, so let it go. I'll be back when it's done (I want breakfast!! NOW). When it's done you'll see Meta Master pop up.
Try to register it. It doesn't work?

Damn, it needs to be cracked.

Close META MASTER, and then I'll be back from breakfast. I just got dressed and looked at my PC; it was ready, so breakfast can wait, and here we go again.

We see, after long waiting: (Left side):


Green bar at top
Blue bar under it
Form1 (Form) created
+Form1_Load
+Picture1 (1)_MouseMove
+Picture1 (1)_MouseMove
+Picture1 (1)_MouseMove
+Picture1 (1)_MouseMove
+Picture1 (1)_MouseMove
+Picture1 (1)_MouseMove
+Picture1 (1)_MouseMove
+Timer1_Timer
+Picture1 (1)_MouseMove
+MnuUnlock_Click
+Timer1_Timer
+CmdRegister_Click

Note that the number of times you see +Picture1 (1)_MouseMove depends on the number of times you moved your cursor over the banner.
We want to get our serial, so let's see what's in Form1_Load. Click on the "+" and scroll down until you see all the other items. We need to see this:


Long (0) Integer (0)
Left <-- We need this one!!!!!!
ActiveLock.PropertyChanged
Form1.Caption <-- "Meta Master 2000 - Unregistered" (String)

Well, assuming that you see this code, it isn't really difficult. You should start "reverse engineering", so we see [Form1.Caption <--].
Well, this is something which tells us that it isn't registered.
Click on it and you will only see this text in your right window.

[ActiveLock.PropertyChanged] Doesn't give more information. Let's Click on [Left]. Well, what we see here is more interesting:


- string (variant)
- Unsigned Short * * .pbstrVal = 0065F380
o String = 00530C08
o ="CB8C9FBD9FFA537B575601D733606E12ACF597B3"
- Long Lengt = 16 0x00000010

Note that the software number on my computer is: 3336F1577D51B0E6
Well, what would happen if we give the FIRST 16 numbers as serial?
Nothing. Wrong serial. But I gave them in LOWERCASE.
Let's do the same UPPERCASE.

Registration was succesfull. Thank you for supporting our products.

Cool it works.
Click OK and you've got your 100% working program.
Please note that the numbers could be different on each computer.
I'm searching where they get that number, and If I find it, you'll find it on my homepage:
http://move.to/DoB.
If you know, let me know: NEcRO_DoB@ThePentagon.com

Greets, NE©RO.

Ok, that's it for now, cya l8er.
Please mail your comments and remarks to: NEcRO_DoB@ThePentagon.com. You can find me on EFNET in #C.i.A and #DREAD as NEcRO or Natazzz

Thnx to: tKC for his wonderfull tutor's, NaShA (xxx), SuPeRio®, PfH, DoBuTiL, G-Force, Northpole, everybody of CiA & DREAD.

Download some cracking tools here:
http://HarvestR.cjb.net
http://move.to/DoB

I hope you enjoyed this tutorial as much as I did...

Cya in my next tutorial.
We're small, but we're everywhere. [DoB]


Disclaimer notice

DREAD is NOT responsible for any abuse of the information we provide. Members of DREAD don't crack to get programs registered. As a matter of fact, we don't crack at all, since we are reverse engineers. Our only objective is to further our knowledge. If you want to use a program you reversed, you have to buy it!

This essay is © copyright 1999 by NECRO'99.


erator()
{
}

TextField nameText;
TextField codeText;
Label label1;
Label label2;
}
------------------------End Code------------------------

Ok, fire up the program, press the yes button, enter your name,
enter your calculated code and it's registered.
For the lazy people:
Name: Rhytm [Dread]
Code: 8973

Conclusion

So what was different in this program?
We now know why the breakpoint on the comparestring was useless.
The strings don't get compared.
The program checks if the difference between the codes is larger than 3 :)
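The conclusion explains why a breakpoint on the string compare found nothing: the code is parsed to a number and the check is an integer difference with a tolerance of 3. The following Python script is an added example, not Rhytm's code or the target program's, that models that check next to an exact one and counts how many codes each accepts. It assumes four-digit codes and the tolerance of 3 the conclusion states; the expected code 8973 is the one the tutorial gives, and everything else is constructed.

```python
"""
Added example (not Rhytm's code): why a breakpoint on the string compare
found nothing, and what a tolerant numeric check costs in key space.

Assumptions: the program converts the typed code to an integer and accepts
it when |entered - expected| <= 3, as the conclusion states; codes are
four-digit numbers (constructed for the demonstration).
"""

TOLERANCE = 3
CODE_SPACE = range(0, 10_000)   # constructed: all four-digit codes


def _parse_code(entered: str):
    """Turn the typed code into an int; None when it is not a number at all."""
    try:
        return int(entered.strip())
    except ValueError:
        return None


def tolerant_check(entered: str, expected: int) -> bool:
    """The check the tutorial describes: a numeric difference, not a string compare."""
    value = _parse_code(entered)
    return value is not None and abs(value - expected) <= TOLERANCE


def exact_check(entered: str, expected: int) -> bool:
    """The same check with no tolerance window."""
    value = _parse_code(entered)
    return value is not None and value == expected


def accepted_codes(check, expected: int) -> list:
    """Every code in CODE_SPACE that a check accepts for one expected value."""
    return [c for c in CODE_SPACE if check(str(c), expected)]


def acceptance_ratio(check, expected: int) -> float:
    """Fraction of the code space the check accepts; 1/len(CODE_SPACE) for an exact check."""
    return len(accepted_codes(check, expected)) / len(CODE_SPACE)


if __name__ == "__main__":
    expected = 8973   # the code the tutorial computes for "Rhytm [Dread]"
    for name, check in (("exact", exact_check), ("tolerant", tolerant_check)):
        codes = accepted_codes(check, expected)
        print(f"{name:9s} accepts {len(codes)} code(s): {codes} "
              f"({acceptance_ratio(check, expected):.4%} of the space)")
```

For an expected code of 8973 the exact check accepts one code and the tolerant one accepts seven (8970 to 8976), so the window multiplies the accepted set by 2*TOLERANCE+1 wherever it does not run off the end of the code space; the ratio is the number a defender would use when judging how much a tolerance window weakens a short numeric key.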

Well that was all folks, sorry for my bad English.
And sorry for the messy way of writing this tutor.
I'll write a better one later.

Questions, comments and money can be sent to:
Rhytm@Newmail.net or ICQ me at 16549991

This essay is © copyright 1999 by Rhytm.
