How to crack EscapeRC v1.0.1 by ACiD BuRN [ECLiPSE/CiA]



Description: a VB5 time limit!


Tools used: - Wdasm89 (yes, I wanna have fun!)
            - a hex editor!




The essay:


As you can see, the tool used isn't SoftICE or SmartCheck, but Wdasm!!
In VB apps you can't find string data references with the original version of Wdasm :(
Anyway, you can use the imports!!

So, run your target after you have moved your computer's date to 2002, for example...
Boom, you see a message box: Trial period is over, BLABLABLA....

OK, VB apps don't use the API MessageBoxA.
They use a similar one: rtcMsgBox.

So, in VB, for a message box you need to use: bpx rtcmsgbox (for VB6: bpx msvbvm60!rtcmsgbox).
OK, you can use SoftICE, but in this essay I want to show that you can use Wdasm for
cracking VB...


Fire up Wdasm and disassemble your target (EscapeRC.exe)...
Go to Imports and look for: rtcMsgBox.
Click twice, because the first occurrence is not important.
You will see this:

* Reference To: MSVBVM50.rtcMsgBox, Ord:0253h 
Scroll up and you see:





* Referenced by a (U)nconditional or (C)onditional Jump at Address:    <== Referenced at 
|:0041FA39(C)                                                              41FA39
|
:0041FB84 B904000280              mov ecx, 80020004
:0041FB89 B80A000000              mov eax, 0000000A
:0041FB8E 894DAC                  mov dword ptr [ebp-54], ecx
:0041FB91 894DBC                  mov dword ptr [ebp-44], ecx
:0041FB94 894DCC                  mov dword ptr [ebp-34], ecx
:0041FB97 8D5594                  lea edx, dword ptr [ebp-6C]
:0041FB9A 8D4DD4                  lea ecx, dword ptr [ebp-2C]
:0041FB9D 8945A4                  mov dword ptr [ebp-5C], eax
:0041FBA0 8945B4                  mov dword ptr [ebp-4C], eax
:0041FBA3 8945C4                  mov dword ptr [ebp-3C], eax
:0041FBA6 C7459C205A4000          mov [ebp-64], 00405A20
:0041FBAD C7459408000000          mov [ebp-6C], 00000008

* Reference To: MSVBVM50.__vbaVarDup, Ord:0000h
                                  |
:0041FBB4 FF158CD34200            Call dword ptr [0042D38C]
:0041FBBA 8D55A4                  lea edx, dword ptr [ebp-5C]
:0041FBBD 8D45B4                  lea eax, dword ptr [ebp-4C]
:0041FBC0 52                      push edx
:0041FBC1 8D4DC4                  lea ecx, dword ptr [ebp-3C]
:0041FBC4 50                      push eax
:0041FBC5 51                      push ecx
:0041FBC6 8D55D4                  lea edx, dword ptr [ebp-2C]
:0041FBC9 6A00                    push 00000000
:0041FBCB 52                      push edx

* Reference To: MSVBVM50.rtcMsgBox, Ord:0253h         <=== you land here after click

------------------------------------------------------------------------------------


So you saw: Referenced at 0041FA39.
In Wdasm, open the Goto menu, choose Code Location and enter: 0041FA39

You will land here:



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041FA24(C)


:0041FA34 66837DEC1F              cmp word ptr [ebp-14], 001F  <== compare with 1F (31 in decimal)
:0041FA39 0F8D45010000            jnl 0041FB84                 <== a conditional jump!! :)        
:0041FA3F 6830394000              push 00403930

* Reference To: MSVBVM50.__vbaNew, Ord:0000h
                                  |
:0041FA44 FF15E8D24200            Call dword ptr [0042D2E8]
:0041FA4A 50                      push eax
:0041FA4B 6810A04200              push 0042A010




Now you just have to patch it!!!
To be sure it works, I changed it to:

:0041FA34 66837DEC00         cmp word ptr [ebp-14], 00
:0041FA39 0F8445010000       je 0041FB84


Hex edit your target and:
- search for 66837DEC1F and change it to 66837DEC00.
- search for 0F8D45010000 and change it to 0F8445010000.
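To see exactly what those two byte changes do, here is an added Python decoder (not part of the original essay and not code from EscapeRC): it decodes the cmp and jnl encodings from the listing, recomputes the jump target from the rel32 field, and evaluates for which values of [ebp-14] the original and the patched code reach the rtcMsgBox block. Treating [ebp-14] as the elapsed-day counter is an assumption; the mnemonic table uses Wdasm's spelling.

```python
import struct

# Mnemonics for the two-byte near conditional jumps 0F 80 .. 0F 8F (Wdasm spelling;
# jnl is the same instruction as jge, jnb the same as jae).
JCC = {0x80: "jo", 0x81: "jno", 0x82: "jb", 0x83: "jnb", 0x84: "je", 0x85: "jne",
       0x86: "jbe", 0x87: "ja", 0x88: "js", 0x89: "jns", 0x8A: "jp", 0x8B: "jnp",
       0x8C: "jl", 0x8D: "jnl", 0x8E: "jle", 0x8F: "jg"}

MSGBOX_BLOCK = 0x0041FB84   # start of the rtcMsgBox call sequence in the listing


def decode_jcc(hex_bytes, addr):
    """Decode '0F 8x rel32' located at virtual address addr -> (mnemonic, target)."""
    b = bytes.fromhex(hex_bytes)
    if len(b) != 6 or b[0] != 0x0F or b[1] not in JCC:
        raise ValueError("not a 6-byte near conditional jump")
    rel = struct.unpack("<i", b[2:])[0]              # little-endian signed displacement
    return JCC[b[1]], (addr + 6 + rel) & 0xFFFFFFFF  # relative to the next instruction


def decode_cmp_word_ebp_imm8(hex_bytes):
    """Decode '66 83 7D disp8 imm8' = cmp word ptr [ebp+disp8], imm8 -> (disp8, imm8)."""
    b = bytes.fromhex(hex_bytes)
    # 66 = 16-bit operand size, 83 /7 = cmp r/m16, imm8, ModRM 7D = [ebp+disp8] with reg=7
    if len(b) != 5 or b[:3] != b"\x66\x83\x7d":
        raise ValueError("not cmp word ptr [ebp+disp8], imm8")
    disp, imm = struct.unpack("<bb", b[3:])          # both are sign-extended by the CPU
    return disp, imm


def branch_taken(mnemonic, left, right):
    """Flag condition after 'cmp left, right' for the signed jumps this listing can use."""
    return {"je": left == right, "jne": left != right, "jl": left < right,
            "jnl": left >= right, "jle": left <= right, "jg": left > right}[mnemonic]


def message_box_reached(cmp_hex, jcc_hex, counter, jcc_addr=0x0041FA39):
    """True when, for this value of [ebp-14] (assumed day counter), the jump lands on rtcMsgBox."""
    _, imm = decode_cmp_word_ebp_imm8(cmp_hex)
    mnemonic, target = decode_jcc(jcc_hex, jcc_addr)
    return target == MSGBOX_BLOCK and branch_taken(mnemonic, counter, imm)


if __name__ == "__main__":
    # Original bytes from the listing versus the patched bytes described in the essay.
    for label, cmp_hex, jcc_hex in [("original", "66837DEC1F", "0F8D45010000"),
                                    ("patched", "66837DEC00", "0F8445010000")]:
        days = [d for d in range(0, 40) if message_box_reached(cmp_hex, jcc_hex, d)]
        print(label, decode_jcc(jcc_hex, 0x0041FA39), "message shown for counter values", days)
```

With the original bytes the message block is reached for every counter value of 31 or more; after the patch it is reached only when the counter is exactly 0.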


Save it and run it!!


WOW!! No more time limit!! hehe
Fucking easy!! Now you know how to patch VB using Wdasm!!!


Well, this tut is finished. I hope you understand all this piece of text, but if you have a
comment or a question, mail me at: ACiD_BuRN@crackerinaction.org

have fun...


Greetings to my groups: ECLiPSE / CiA

Also greetingz to (in no specific order):


R!SC, ^Inferno^, AB4DS, Cyber Blade, Klefz, Volatility, Torn@do, T4D
Jeff, [Virus], JaNe , Appbusta , Duelist , tKC , BuLLeT , Lucifer48 , 
MiZ , DnNuke , Bjanes , Skymarshall , afkayas , elmopio , SiFLyiNG , 
Fire Worx , Crackz , neural_en  , WarezPup , _y , SiONIDE , SKORPIEN
Lazarus , Eternal_Bliss , Magic Raphoun , DEZM , Bisoux , Carpathia ,
K17 , theMc , noos , Xmen , TeeJi , JB007 , Arobas ....

I want to greet the PWA members; I left this group because I did not have enough time for them :(
Sorry dudes ;) I will be back!!

If your name is not here, sorry!!! Lots of men to greet!

					ACiD BuRN [ECL/CiA]








o-o-
' FRMREGIN.FRM

Option Explicit

Sub Command1_Click ()
'
' Well, looky here, he's using the same "protection" as the other titles .... dig out an ASCII
' table and the string works out to be ......
'
' gv0014$ = "RC,PPT,757"
'
gv0014$ = Chr$(82) + Chr$(67) + Chr$(44) + Chr$(80) + Chr$(80) + Chr$(84) + Chr$(44) + Chr$(55) + Chr$(53) + Chr$(55)

' Correct text entered but no name ?
If Text2.Text = gv0014$ Then
    If Text1.Text = "" Then
        MsgBox "Valid user name is required.", 48
        Text1.SetFocus
        Exit Sub
    End If
    ' Number is correct and person remembered to type in their name this time, so let's write it to
    ' WIN.INI ........
    gv0018$ = Text1.Text
    gv0012% = extfn00BE("Craps", "Name", gv0018$, gv0028$)
    gv0018$ = Text2.Text
    gv0012% = extfn00BE("Craps", "Number", gv0018$, gv0028$)
    MsgBox "Registration information verified.", 64
    End
' For those people unfortunate enough not to know how to use a VB Decompiler .....
Else
    MsgBox "Invalid registration information entered!", 48
    Text1.Text = ""
    Text2.Text = ""
End If
End Sub

'-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
'
' The registration code for CT DiskCopy v1.2 by CT Software
'
'-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

' FRMREGIN.FRM

Option Explicit

Sub Command1_Click ()
Dim l0028 As String
Dim l002E As Integer

' This time, he has defined the "secret code" somewhere else in the code, but I've pasted the line here
' so you can see what he was doing (it was in the main code file DISK16)
' gv002A$ = Chr$(82) + Chr$(69) + Chr$(65) + Chr$(42) + Chr$(44) + Chr$(57) + Chr$(48) + Chr$(52) +
'           Chr$(44)
' Which in reality, equates to:-
'
' gv002A$ = "REA*,904,"
' So his code is the same as the other programs, check the code and the name can be anything you like !
If Text2.Text = gv002A$ Then
    If Text1.Text = "" Then
        MsgBox "Valid user name is required.", 48
        Text1.SetFocus
        Exit Sub
    End If
    ' Paying (?) customer found, dump contents of Name & Number into Registry.
    l0028$ = Text1.Text
    l002E% = extfn00D6("DiskCopy", "Name", l0028$, gv001E$)
    l0028$ = Text2.Text
    l002E% = extfn00D6("DiskCopy", "Number", l0028$, gv001E$)
    MsgBox "Registration information verified.", 64
    End
' What shall we do with a non-user of VB Decompiler ? Kick him/her out :)
Else
    MsgBox "Invalid registration information entered!", 48
    Text1.Text = ""
    Text2.Text = ""
End If
End Sub

'-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
'
' The registration code for CT Hotspot v1.02 by CT Software
'
'-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

' FRMREGIN.FRM

Option Explicit

Sub Command1_Click ()
' This time, he has defined the "secret code" somewhere else in the code, but I've pasted the line here
' so you can see what he was doing (it was in the main code file)
' gv0018$ = Chr$(115) + Chr$(52) + Chr$(48) + Chr$(48) + Chr$(44) + Chr$(57) + Chr$(49) + Chr$(51) +
'           Chr$(44) + Chr$(42) + Chr$(49) + Chr$(49) + Chr$(51)
' The real code (decryption took a long time to work it out .... hmmm :)
' gv0018$ = "s400,913,*113"
If Text2.Text = gv0018$ Then
    If Text1.Text = "" Then
        MsgBox "Valid user name is required.", 48
        Text1.SetFocus
        Exit Sub
    End If
    gv0008$ = Text1.Text
    gv0006% = extfn00CB("HotSpot", "Name", gv0008$, gv001C + "\win.ini")
    gv0008$ = Text2.Text
    gv0006% = extfn00CB("HotSpot", "Number", gv0008$, gv001C + "\win.ini")
    MsgBox "Registration information verified.", 64
    End
Else
    MsgBox "Invalid registration information entered!", 48
    Text1.Text = ""
    Text2.Text = ""
End If
End Sub

'-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
'
' The registration code for CT Swapper v1.1 by CT Software
'
'-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
'
' FRMREGIN.FRM

Option Explicit

Sub Command1_Click ()
Dim l0028 As String
Dim l002E As Integer

' Oh gosh, what a surprise, it's the same routine again.... must go and grab my DES chip
' so that I can work out the code ........
' gv002C$ = Chr$(50) + Chr$(56) + Chr$(52) + Chr$(51) + Chr$(44) + Chr$(80) + Chr$(66)
'           + Chr$(83) + Chr$(44) + Chr$(55) + Chr$(42)
' Which in reality, is really ....
'
' gv002C$ = "2843,PBS,7*"
' Not much point in describing what goes on here as I am tired of finding new ways to
' describe writing to INI files etc. etc. Look at the first of these tutorials/hacks to
' see my comments :)
If Text2.Text = gv002C$ Then
    If Text1.Text = "" Then
        MsgBox "Valid user name is required.", 48
        Text1.SetFocus
        Exit Sub
    End If
    l0028$ = Text1.Text
    l002E% = extfn009B("Swapper", "Name", l0028$, gv0018$)
    l0028$ = Text2.Text
    l002E% = extfn009B("Swapper", "Number", l0028$, gv0018$)
    MsgBox "Registration information verified.", 64
    End
Else : MsgBox "Invalid registration information entered!", 48
    Text1.Text = ""
    Text2.Text = ""
End If
End Sub

Sub Command2_Click ()
frmRegInfo.Hide
End Sub

'-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
'
' The registration code for CT Swapper v1.1 by CT Software
'
'-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

' FRMREGIN.FRM

Option Explicit

Sub Command1_Click ()
' Hmmm ...... I think you all know by now what this little line is setting up a variable for ?
gv0052$ = Chr$(122) + Chr$(107) + Chr$(105) + Chr$(44) + Chr$(44) + Chr$(50) + Chr$(44) + Chr$(42) + Chr$(56) + Chr$(51) + Chr$(55) + Chr$(52) + Chr$(50)
' Decoded version is:-
'
' gv0052$="zki,,2,*83742"
If Text2.Text = gv0052$ Then
    If Text1.Text = "" Then
        MsgBox "Valid user name is required.", 48
        Text1.SetFocus
        Exit Sub
    End If
    gv0062$ = Text1.Text
    gv0060% = extfn011A("Notebook", "Name", gv0062$, gv006E$)
    gv0062$ = Text2.Text
    gv0060% = extfn011A("Notebook", "Number", gv0062$, gv006E$)
    MsgBox "Registration information verified.", 64
    End
Else
    MsgBox "Invalid registration information entered!", 48
    Text1.Text = ""
    Text2.Text = ""
End If
End Sub

Sub Command2_Click ()
frmRegInfo.Hide
End Sub

'-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
'
' The registration code for CT Swapper v1.1 by CT Software
'
'-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-

' FRMREGIN.FRM

Option Explicit

Private Sub Command1_Click ()
Dim l0028 As String
Dim l002A As String

' gv0022$ = Chr$(55) + Chr$(49) + Chr$(103) + Chr$(112) + Chr$(44) + Chr$(42) + Chr$(99)
' gv0022$ = gv0022$ + Chr$(109) + Chr$(112) + Chr$(44) + Chr$(52) + Chr$(57) + Chr$(57) + Chr$(52)
' gv0022$ was stored in another module, but I've brought it in here to make it easier :)
'
' gv0022$ = "71gp,*cmp,4994"
If Text2.Text = gv0022$ Then
    If Text1.Text = "" Then
        MsgBox "Valid user name is required.", 48
        Text1.SetFocus
        Exit Sub
    End If
    l0028$ = Text1.Text
    l002A$ = Text2.Text
    gv0014% = extfn00C6("Safety Net", "Name", l0028$, gv001E$)
    gv0014% = extfn00C6("Safety Net", "Number", l002A$, gv001E$)
    MsgBox "Registration information verified.", 64
    End
Else : MsgBox "Invalid registration information entered!", 48
    Text1.Text = ""
    Text2.Text = ""
End If
End Sub

Private Sub Command2_Click ()
frmRegInfo.Hide
End Sub

Private Sub Form_Load ()
sub01A1 Me
frmRegInfo.Icon = Form1.Icon
End Sub

© 1998 Hosted by CrackZ. Bubba_Hacks 29th December 1998.