Jan. 2, 1999
( 'Visual Basic V5 Cracking'  )
Win Code Reversing
by Jeff
Code Reversing For Beginners 
Program Details
Program Name: Cconvert.exe
Program Type: Hex to Binary Utility
Program Location:  Prophecy's Crackme site 
Program Size:unzipped; aprox.  20 kb
Tools Used:
 Softice V3.2 - Win'95 Debugger
Easy ( X  )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
( 'Visual Basic V5 Cracking'  )
Written by Jeff
The author of Cconvert.exe is:-
Violatily; He has put this crackme together as an excercise in VB5 cracking; and the tool can also be used as a very handy Hex to binary conversion table...
About this protection system
I am not experienced enough to comment on protection systems; yea; or nay;
But i will try here to give several examples of different ways to tackel VB mysteries.
 As some will verify I can at times get long-winded so I will try to keep this a short tutorial...:)

The Preparation
 A one time reconfiguration of Winice.DAT
For a more indepth look at the following configuration see The Sandman's  Essay 59 located at http://www.proweb.co.uk/~greenway/Es59.html

Make sure you have this highlighted line included with the rest of these lines in your Winice.dat file which is located in your Softice directory .
Winice.dat file can be opened for editing using NotePad.

EXP=C:\windows\system\msvbvm50.dll <<--- make sure that this .dll file is listed in your winice.dat file.  Make sure that there are NO " ; " (semi-colons) in front of these statements or the file will not be read.

Of course you will want to make sure that the path above is also correct and matches the path that your file is actually  'housed' in...! C:\windows\system...ect...
2. Next,  reconfigure the  Alt-F4  key  and re-program it so that it will automatically locate the EXACT Visual Basic sub-routine that compares our entered serial number against the one the target program expects us to use.

While still editing Winice.dat locate the line starting with AF4="^ and REPLACE it with the highlighted line shown below.
F11="^G @SS:ESP;"
F12="^p ret;"
CF11="SHOW B;"
AF4="^s 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7;"
AF8="^XT R;"
AF11="^dd dataaddr->0;"
AF12="^dd dataaddr->4;"
CF1="code on; altscr off; lines 58; wc 33; wd 8; wr; wl; ww 2; faults off;"

The above lines assigns commonly used Softice commands to some of your function keys, this saves a lot of typing on your part if you can execute a whole sequence of commands just by press two keys together.  Now the new ALT-F4 function will save you from having to type:

s 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7

every time you wish to locate the VB routine that compares two strings together.

This command simply tells Softice to search for a unique sequence of 19 bytes starting from memory location 0 all the way to the maximum amount of memory installed on your pc. These bytes form just a part of the VB routine we're interested in and have to include this number of bytes because there are other very similar routines to the one we're interested in and this way we can be sure that the VB routine Softice finds is the right one.

Now save your winice.dat file.  Make sure you make a backup first just in case you make any mistakes.
That's it!. 
The Essay 

First approach:

Run the program Cconvert.exe ...a box appears saying you're unregistered; click okay; now select the 'about' and then the "Register" button.

Type in your Name/Handle then a random sequence of numbers into the Registration box.

Before going any further press CTR-D to fire up Softice and then type:  bpx hmemcpy.  Now type X to leave Softice.

OK, now you can click on the 'Validate' button...

Softice breaks at the beginning of the HmemCpy sub-routine.

Now we want to quickly find the routine that compares our serial number with the *real* one and we can do this effortlessly by pressing the ALT-F4 keys together.

Softice should now report back a first memory location of where the sub-routine were looking for is to be found in memory.  In my case Softice reported:
Pattern found at:  0030:0F00D9EA  --<-This address may be different on your puter

Now type:  u followed_by_the_memory_address_just_given_by_Softice

In my case I type: u 0030:0F00D9EA
 Softice should now display this code snippet:-
: 56                      push esi  <<<---you land here; this is where you will set a new breakpoint.
: 57                      push edi
: 8B7C2410       mov edi, [esp + 10]
: 8B74240C       mov esi, [esp + 0C]
: 8B4C2414       mov ecx, [esp + 14]
: 33C0                 xor eax, eax
: F366A7            repz cmpsw
: 7405                 je 0F79B362
: 1BC0                sbb eax, eax
: 83D8FF           sbb eax, FFFFFFFF
: 5F                     pop edi
: 5E                    pop esi
: C20C00          ret 000C

Ok, from here type:

Example: bpx  followed_by_the_memory_address_just_given_by_Softice
In my case I type: bpx 0030:0F00D9EA .  I have found that in order to get the above address you sometimes must type 's' to do another search until you have found the above line #.  You also can double click on the line  0030:0F00D9EA, instead of typing it in, to set the breakpoint...
Lastly, type: bd 00 to disable our original hmemcpy breakpoint, we don't need it anymore and finally, type X to leave Softice.
Softice now breaks again, this time on our newly created breakpoint,

: 56             push esi  <<<---we land here
: 57             push edi
: 8B7C2410       mov edi, [esp + 10]
: 8B74240C       mov esi, [esp + 0C]
: 8B4C2414       mov ecx, [esp + 14]  <<<--F-10 to here;
                                 <<<< type "d ecx"...the real serial will
                                 <<<< be displayed...
                                 <<<< typing "d esi"; the line above; and
                                 <<<< this will display your fake # input.
: 33C0           xor eax, eax
: F366A7         repz cmpsw
: 7405           je 0F79B362
: 1BC0           sbb eax, eax
: 83D8FF         sbb eax, FFFFFFFF
: 5F             pop edi
: 5E             pop esi
: C20C00         ret 000C

Our registration code will be in Wide Character Format, which simply means that instead of our Registration/Serial number looking like  "GypsyJoker"  it will now look like: "G.y.p.s.y.J.o.k.e.r " instead.  Other than that it's still the REAL serial number.

In this case Violatily has mixed letters and Numbers; and the code for my input was:

User Name: jasman <<<---I usually use "jas" but lately the user name has been "length" sensitive..I just may have to get myself a longer  handel...

Registration Code: "XXX-2120-XXXX" <<<---Where "X" is a hard coded part of this Reg code and for which I'll not publish.

Ya'all will see it if you follow the guidelines above...

The numerical part of this reg is generated by a part of your user name input.....I'll leave that for you to figure out also...

BUSTED this dude!

Second approach:
Now here is a quirk of this particular program:

If you now type bd *, to clear all breakpoints, and re-open the program and type in a new name and reg #; ctrl-d; and type in "be 00", (our hmemcpy bpx #); and then x to leave; ice will now POP and will immediately show in the data window the new reg code for the new name you used......without having to re-search any code at all.....:)
Okay; I must explain a little: SOMETIMES this works; at other times I must hit x ; enter; x; enter; x, enter, til the "Sorry" error box appears; now hit your 'x' and enter key once more and the new Username and new reg key will be displayed in data window without having to go back inside any code!!!
Are we done?
Some will be...
if they are only interested in 'the' crack.; but for those of you who have just used this Alt-f4 key combo on some other VB program that will not break to bpx 0f00d9ea...stick around...more to come...

Third approach:
Something that you will find rather quickly is that the alt-f4 key combo does not always work out...

#1 Sometimes the bpx 0f00d9ea simply will not return to your set breakpoint to enable you to view this code.

#2 Sometimes the breakpoint  will break and you will find and see a legitimate looking code displayed; but when you enter it, it brings back an error "bad reg" statement. DON'T let this fool you! This code , in most cases, is the correct code; but it simply needs some more work; albeit, a xor routine somewhere in the code that you will have to find and convert.

#1 By following the next two examples you can increase your chances of finding a correct code when alt-f4 key  does not produce.
I came in the backdoor on this one by stepping thru the 0f00d9ea call; when we do so, we return to this area: MSVBUM50!__vbastrcomp

014f:0f003563...55...push ebp...
So checking several programs that would not break-back to the alt-f4 key I found if I set a breakpoint at:bpx __vbastrcomp instead; that I was enabled to break back; and interesting; your code lies here also.
Try this:
Using Volatilities CConvert program; fill in the Reg and name key, set a bpx hmemcpy in ice; x; hit the Validate button; ice pops; type bd 00 to disable your hmemcpy break; and now type bpx __vbastrcomp; x; ice flashs and pops back into ice... (note here that the __ <<--are TWO underscores together!)
You will land here:

014f:0f003563   55      push...ebp <<--land here
014f:0f003564   8bec    mov ebp, esp

F-10 down to

014f:0f003564   8bec    mov ebp, esp  <<--type 'd' esp here

now if you are not already running your data window in this mode:

type dd esp.
Your data window will now look like this:


Notice the fourth stack; 00424798

now type 'd' 00424798....this reveals the Real Code
curious as to the #.00424750 in first stack; second line:
I typed 'd' 00424750....this is your fake #......
If you continue to step thru this routine in this way you will continue to find half a million references to your  fake and real code being revealed.
Also I found something repeated in some programs;
If you step down to line # 014f:0f00358f...jae 0f0035b6...it wants to jump here to 0f0035b6
By typing r eip=0f003591

You will be allowed to step to the next line  down and at 10 more lines down you arrive at...
0f0035a6...call 0f00d9ea

(Do you recognize this #?)

Yep; our alt-f4 routine;

step into it (f-8) and explore...

Where will it return us too? Yep; the MSVBUM50!__vbastrcomp check. Hummmm; I wonder where tracing backwards from here would take us? Are we done?

Fourth Approach:
As I say; none of these proceedures are infalable; I have tried to explore many VB programs to find a difinite pattern that we could follow and sometimes one or the other of these work out but never... ALWAYS...
So here is another approach when the above fails...

Once again fill in all information and bpx hmemcpy; x to leave; hit Validate button; ice pops; F-11 once; and now f -12 thirteen times;

(Note: this number is consistant with every VB program I tried; it is always 13 f-12's; unless you have a greyed out button and type in an extra # to pop hmemcpy; then the #of f-12's changes) Now you will land  in MSVBUM50 dll... and on a RET instruction;
F-10 into this Ret. You will now land inside of the program code.

Step down to line # 014f:0040ac84...mov...ecx...[ebp-58]

type: dd esp; to change the data window.

Now type 'd' ebp-58

you will see this:


Now just type: 'd' 00424774...

you'll see your user name and just below this you will see your real code: Now this proceedure is not consistant AT this paricular line,not always; in this case the real code was revealed to us in the data window; BUT often you must continue stepping thru this code area continuing to check your various registers to find the real code; ...so far I have been fortunate and have found 7 out of 12 in this way in my test of this proceedure...

Are we done?


Not unless you are!

Fifth Proceedure:
I have found this proceedure, when it works out; to be most powerful! VB uses the following APIs to manipulate strings:



Heres what we are going to do this time.

Okay; fire up Ice:

type the following lines very carefully in the ice input window!

This will be the hardest to follow so pay attention...:)

bpx multibytetowidechar do "d * (esp+4*3)"
bpx widechartomultibyte do "d * (esp+4*3)"

Okay; once you have up these two breakpoints then open up Cconvert... Ice will immediately break. Now this varys from program to program so you will have to watch what happens in your data window; In Cconverts case we are going to use the f-5 key to step thru the loading and converting of your input.  Now f-5 (50) times until the Unregistered Version box pops; press the okay button; Volatilitys Unregistered program is displayed. Now click on the About button.
ICE will pop; 16 f-5's will pop the About-Register box .

 Click on Register button.

Fill in the User-name and Registration Code Areas.

Click the Validate button.

Ice will pop :

 Your code window will show that you are at

Kernel32!multibytetowidechar & Kernel32!widechartomultibyte

In your data window you will see your Username; Now f-5 until you see your fake serial # input in the data window. When you see your fake # displayed type: dd esp

This will change the appearance of your data window.

You will see four stacks of numbers:


typing:  d 00d9e4dc  reveals our fake #
Now type:  d 0f0414e2...and press F-11 key

Your code window has now changed; you are here:

0f0414e2......mov......ebx, eax.....<<<--land here

Now watching your data window...

continue to f-5 until you SEE the "Sorry; You no good excuse for a cracker" message
Here you will also see that your code has been processed and is displayed in the data window.
You might have to scroll up a line or two.

I checked this on 4 VB programs and although the number of f-5's change; basically this same format works for those I checked ...except for two... Those two exceptions (so far) hung up and simply continued to go on and on and on once I saw the reg box pop behind ice window; and so I simply control-d-ed back to ice; bd *; my two bpx multi statements; THEN I x-ed out; filled in the Reg box; cntrl-d back to ice; BE 00 & BE 01 to re-enable the two bpxs; x-ed out; hit reg key; and then kept f-5-ing to the next step of proceedure above...

Procedure done.

This dude busted.
One last note to all of these above proceedures;
You are going to come across VB programs (mostly crackme's for me so far) that will actually be revealing to you, a REAL CODE; but when you type it in to the reg box it will return a 'bad cracker' message.
Do not give up!
You have probably found the correct REG; but you still have work to do; this code probably needs to be changed from its Letter value BACK to a hex value; and then you will probably need to, also, find the Xor routine that converts this actual true value to its END value...which in this NEW FORM will reg you.
Are we done?
Final Notes 
This tute is not an answer for VB and it probably reveals nothing new to those who have studied it; but for me I have learned alot by taking VB by the throat and lookin deeper. The above proceedures can difinetly be used for other VB programs and not just for this program... I hope that it helps some newbys with the challanges of VB and some of the tasks attainable by exploring different uses of ice commands than those we might be used to. If I ever learn to use ICE correctly...VB will be a done deal....

I would like to congratulate Volatilty for producing one of the greatest teaching programs anyone could have written for teaching the many ways VB could be attacked and handeled.

As we have learned at the Sandmans projects site @  http://disc.server.com/Indices/33330.html the crack is not done until the cracker ' knows' his crack.

My thanks and gratitude goes to:-
The Sandman for providing possibly the greatest source of Reverse Engineering knowledge for newbys on the Web; and who told me to never give up when VB was strangeling me.

Special thanks go to Crackz; Prophesy, for their great tutes; to Volatility; and BornaJanes who wouldn't let me give up. And to my great internet compadre', twno, who forever teaches and watches over me.:) and also to D0gbytes who can drink me under the table at virtual whiskey sites...:)

And to all those of you who write and teach me each day, no matter your depth of knowledge.

Ob Duh 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will be encouraged to producing even *better* software for us to use and enjoy.

Ripping off software through serials and cracks is for lamers..
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.
For more info. on this type protection and set-up Goto the Sandmans' Essays #59 & #63

 [ Return ] 

Essay by:          Jeff
Page Created: jan 2, 1999