Cracking Visual Basic 5/6 Appz


Using SoftICE and W32Dasm


1. Is VB hard to crack?
2. Identifying a VB 5/6 Application
3. Setting up Softice
4. Breakpoints
5. W32Dasm

Appendix VB5 Functions



1. Is VB hard to crack?

For *newbies* a Visual Basic application seems uncrackable. The usual breakpoints like GetWindowTextA don't get you anywhere, because the compiled program doesn't call the Win32 API directly: it calls into the VB runtime (MSVBVM50.DLL or MSVBVM60.DLL), and that runtime is a maze of jumps and calls in which blind tracing/stepping leads nowhere. The trick is to set the breakpoints on the runtime's own functions instead, which is what the rest of this tutorial is about.




2. Identifying a VB 5/6 Application

First we have to know what we're dealing with, version 5 or 6, i.e. which runtime DLL the program imports. So we take a look into the .exe.
I use Hex Workshop for that: simply right-click the .exe and select Hex Edit. Around offset 238h or 250h you'll usually find the entry MSVBVM50.DLL or MSVBVM60.DLL. The offset is not guaranteed, though; the entry is the DLL name in the program's import table, so if it isn't there just search the file for the text MSVBVM. A program that imports neither DLL is either not a native VB5/6 executable or is packed (see step 5), and the steps below won't apply to it as-is.




3. Setting up Softice

OK, we know which DLL is used. Now we have to set up SoftICE so that it loads the export symbols of that DLL. Without them SoftICE cannot resolve a name like __vbaStrComp to an address, and the breakpoints in step 4 won't work.

That's the most important thing in this tutorial!!!


Open winice.dat in your SoftICE directory and go to the section:


; ***** Examples of export symbols that can be included *****
; Change the path to the appropriate drive and directory

exp=c:\windows\system\msvbvm60.dll
;exp=c:\windows\system\msvbvm50.dll

Add these two lines (adjust the path if your system directory differs). Enable only the line for the DLL the program uses and disable the other one with a semicolon at the start of the line.
In this case my program uses msvbvm60.dll, so msvbvm50.dll is disabled.
NEVER ENABLE BOTH DLLs!! Both runtimes export the same function names, so with both loaded an unqualified bpx __vbaStrComp is ambiguous.

Give SoftICE a bit more memory for symbols: SYM=4096 (the value is in kilobytes).

After you have saved the changes you have to reboot; winice.dat is only read when SoftICE loads.




4. Breakpoints

I assume that we want to get a serial number (= S/N).
In the great majority of cases a VB program uses __vbaStrComp to compare our input string with the S/N. (If that breakpoint never fires, the other comparison exports listed in the Appendix are the next candidates: __vbaStrCmp, __vbaStrCompVar, __vbaStrTextCmp, __vbaVarTstEq, rtcCompareBstr and friends.)

Run the program you want to crack first, so that the runtime DLL is loaded.
Then pop up SoftICE (CTRL+D) and enter bpx __vbaStrComp to set the breakpoint (SoftICE doesn't care about the case of the symbol name).

To make sure it took, enter BL to list the breakpoints. You should see:
bpx msvbvm60!__vbaStrComp  (or bpx msvbvm50!__vbaStrComp)

If you see something else, like bpx 017F:23878865, SoftICE has not resolved the name against the runtime's exports; go back to step 3.

Leave SoftICE (CTRL+D), enter a name (Magic Mike) and our lucky number (12121212) in the program and click the register button.

SoftICE pops up here, inside msvbvm60.dll:

:66060A80 cmp dword ptr [esp+04], 00000002
:66060A85 je 6608FB24
:66060A8B push 00030001
:66060A90 push [esp+08]              ; For Advanced Crackers: It's already in here!
:66060A94 push [esp+10]              ; For Advanced Crackers: It's already in here!
:66060A98 push [esp+18]              ; For Advanced Crackers: It's already in here!
:66060A9C call dword ptr [66110010]  ; Trace into this Call

(The three pushes are the pointers to the strings being compared, so an advanced cracker can already dump them from the stack here instead of tracing any further.)

Following the call (note that the addresses change from 6606xxxx to 653Cxxxx: the call leaves msvbvm60.dll and the actual comparison lives in another module):

:653C10E6 push ebp
:653C10E7 mov ebp, esp
:653C10E9 push ecx
:653C10EA push ebx
:653C10EB push esi
:653C10EC mov esi, dword ptr [ebp+08]
:653C10EF push edi
:653C10F0 test esi, esi
:653C10F2 jne 653C1140
:653C10F4 and dword ptr [ebp-04], esi
:653C10F7 mov ecx, dword ptr [ebp+0C]
:653C10FA test ecx, ecx
:653C10FC jne 653C1148
:653C10FE xor ebx, ebx
:653C1100 cmp dword ptr [ebp-04], ebx
:653C1103 mov edx, dword ptr [ebp-04]
:653C1106 jb 653C110A
:653C1108 mov edx, ebx
:653C110A mov eax, dword ptr [ebp+10]
:653C110D test eax, eax
:653C110F jne 653C116C
:653C1111 test edx, edx
:653C1113 je 653C1175
:653C1115 mov eax, edx
:653C1117 shr eax, 1
:653C1119 mov dword ptr [ebp+10], eax
:653C111C mov edi, dword ptr [ebp+0C]  ; EDI contains the s/n
:653C111F mov esi, dword ptr [ebp+08]  ; ESI the entered STRING
:653C1122 mov ecx, dword ptr [ebp+10]
:653C1125 xor eax, eax
:653C1127 repz
:653C1128 cmpsw
:653C112A je 653C1131


We follow the call and step till
:653C1122
At this point EDI and ESI have just been loaded with the two string pointers (from [ebp+0C] and [ebp+08]), and ECX is about to receive the number of 16-bit characters to compare (a byte count halved by the shr eax, 1 above, which is what repz cmpsw consumes). Now we can take a look at the S/N.

Both strings are in Unicode, which means every character is followed by a hex 00,
e.g. 123 = 31 00 32 00 33 00 (hex)

D ESI  (displays our entered lucky number; if no data window is visible, enter WD 5 first to open one)
D EDI  (displays the S/N)

Which register holds which string you can check at a glance, because one of the two dumps is the text you typed. All we have to do is write down the other one. (This only hands you a usable serial if the program compares the real serial against your input as plain text; if it compares a value derived from your input, what you see at EDI is that derived value, not something you can type in.)




5. W32Dasm

If __vbaStrComp hasn't worked we start to disassemble the program's .exe.
Before we start to disassemble we should make sure that the .exe isn't packed: a packed file disassembles to a small unpacking stub with only a handful of imports, and nothing of the real program is visible until it has been unpacked.

Once the file is disassembled, take a look at the section "Imported Module Details". All VB runtime functions the program uses are listed there (compare with the list in the Appendix).

So try to figure out which functions are used for the registration process. The string comparison and conversion routines (__vbaStrCmp, __vbaStrCompVar, __vbaStrTextCmp, __vbaVarTstEq, rtcCompareBstr, __vbaStrToAnsi, __vbaStrI4 ...) are the natural candidates for a bpx, since a serial check has to compare or convert the entered string at some point.
It comes in handy here if you're familiar with coding in Visual Basic: if you can picture the VB source of the check, you can guess which runtime calls it compiles to.
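Both checks above, step 2 (which runtime DLL the program imports) and step 5 (which runtime functions it imports, and whether it looks packed), come from the same place: the PE import table. The following Python script is an added example and not part of the original tutorial; it walks the import directory of a 32-bit PE file, reports the VB runtime, lists the comparison imports worth a bpx (the names are taken from the Appendix and from step 5), and applies a crude "packed?" heuristic (a file with fewer than ten imports is assumed to be a packer stub; that threshold is an assumption, not a rule). The PE files it checks itself against are constructed inside the script by build_sample_pe and contain nothing but headers and an import table.

```python
import struct

# VB runtime imports a serial check usually goes through (names taken from the Appendix).
COMPARE_IMPORTS = {"__vbaStrComp", "__vbaStrCmp", "__vbaStrCompVar", "__vbaStrTextCmp",
                   "__vbaVarTstEq", "__vbaVarTstNe", "__vbaVarCmpEq", "__vbaVarCmpNe",
                   "__vbaStrLike", "__vbaVarLike", "rtcCompareBstr"}


def _rva_to_offset(rva, sections):
    """Translate an RVA into a file offset via the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA %#x lies outside every section (corrupt or packed?)" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """Walk the PE32 import directory; returns {dll name: [imported function names]}."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                   # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image (VB5/6 programs are 32-bit)")
    imp_rva = struct.unpack_from("<I", data, opt + 104)[0]          # data directory 1 = import table
    # one tuple per section: (VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12) for i in range(nsec)]
    imports, desc = {}, _rva_to_offset(imp_rva, sections)
    while True:                                                     # IMAGE_IMPORT_DESCRIPTOR, 20 bytes each
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if not name_rva:                                            # all-zero descriptor ends the table
            break
        funcs, thunk = [], _rva_to_offset(oft or ft, sections)
        while True:
            entry = struct.unpack_from("<I", data, thunk)[0]
            if not entry:
                break
            if entry & 0x80000000:                                  # import by ordinal
                funcs.append("#%d" % (entry & 0xFFFF))
            else:                                                   # IMAGE_IMPORT_BY_NAME: WORD hint, then name
                funcs.append(_cstring(data, _rva_to_offset(entry, sections) + 2))
            thunk += 4
        imports[_cstring(data, _rva_to_offset(name_rva, sections))] = funcs
        desc += 20
    return imports


def vb_runtime(imports):
    """Name of the imported VB runtime DLL as spelled in the file, or None (not VB5/6, or packed)."""
    return next((d for d in imports if d.upper() in ("MSVBVM50.DLL", "MSVBVM60.DLL")), None)


def breakpoint_candidates(imports):
    """Runtime imports worth a bpx when hunting a serial check, in import-table order."""
    rt = vb_runtime(imports)
    return [f for f in imports[rt] if f in COMPARE_IMPORTS] if rt else []


def looks_packed(imports, min_imports=10):
    """Heuristic (an assumption, not a rule): a packer stub imports only a handful of functions."""
    return sum(len(f) for f in imports.values()) < min_imports


def build_sample_pe(dlls):
    """Constructed test input: a minimal PE32 carrying nothing but an import table (headers
    only, not a runnable program). dlls = [(dll_name, [function_name, ...]), ...]."""
    va, raw_ptr = 0x1000, 0x200
    body = bytearray(20 * (len(dlls) + 1))                          # descriptors + zero terminator

    def add(blob):                                                  # append to the section, return its RVA
        body.extend(blob)
        return va + len(body) - len(blob)

    for i, (dll, funcs) in enumerate(dlls):
        name_rva = add(dll.encode() + b"\0")
        hints = [add(b"\0\0" + f.encode() + b"\0") for f in funcs]
        thunks = add(b"".join(struct.pack("<I", h) for h in hints) + bytes(4))
        struct.pack_into("<IIIII", body, 20 * i, thunks, 0, 0, name_rva, thunks)
    raw_size = (len(body) + 0x1FF) & ~0x1FF                         # file alignment 512
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)               # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, va, 20 * (len(dlls) + 1))     # import directory RVA, size
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), va, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
    hdr = dos + coff + bytes(opt) + sec
    return hdr + bytes(raw_ptr - len(hdr)) + bytes(body) + bytes(raw_size - len(body))


# Constructed sample: an unpacked "VB6 program" with a plausible import list.
SAMPLE_VB6 = build_sample_pe([
    ("KERNEL32.dll", ["GetModuleHandleA"]),
    ("MSVBVM60.DLL", ["__vbaStrCopy", "__vbaLenBstr", "__vbaStrComp", "rtcMsgBox", "__vbaFreeStr",
                      "__vbaStrCat", "__vbaVarTstEq", "__vbaFreeObj", "__vbaNew2", "__vbaHresultCheckObj"])])

if __name__ == "__main__":
    imps = parse_imports(SAMPLE_VB6)
    print("runtime:", vb_runtime(imps), "| bpx:", breakpoint_candidates(imps), "| packed?", looks_packed(imps))
```

To use it on a real target, call parse_imports(open(path, "rb").read()); a packed file typically reports no VB runtime and only a couple of KERNEL32 imports (LoadLibraryA/GetProcAddress), which is exactly the case where disassembling is pointless until the file is unpacked.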




Appendix


Exports of the Visual Basic 5.0 runtime (MSVBVM50.DLL); most of these names are exported by MSVBVM60.DLL as well.

ThunRTMain
VBDllUnRegisterServer
VBDllCanUnloadNow
VBDllRegisterServer
VBDllGetClassObject
UserDllMain
DllRegisterServer
DllUnregisterServer
__vbaAryLock
__vbaBoolErrVar
__vbaStrErrVarCopy
__vbaAryVarVarg
__vbaFpCDblR4
__vbaFpCDblR8
__vbaFpCSngR4
__vbaFpCSngR8
__vbaFpCmpCy
__vbaFpCy
__vbaFpI2
__vbaFpI4
__vbaFpR4
__vbaFpR8
__vbaFpUI1
__vbaFreeObj
__vbaFreeStr
__vbaFreeVar
__vbaFreeVarg
__vbaI2Abs
__vbaI2I4
__vbaI2Sgn
__vbaI4Abs
__vbaI4Sgn
__vbaStrCopy
__vbaStrMove
__vbaUI1I2
__vbaUI1I4
__vbaUI1Sgn
__vbaVarCopy
__vbaVarDup
__vbaVarMove
__vbaVarVargNofree
__vbaVargParmRef
__vbaVargVar
__vbaVargVarCopy
__vbaVargVarMove
__vbaVargVarRef
DLLGetDocumentation
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
__vbaAptOffset
__vbaAryConstruct
__vbaAryCopy
__vbaAryDestruct
__vbaAryMove
__vbaAryRebase1Var
__vbaAryUnlock
__vbaBoolStr
__vbaBoolVar
__vbaBoolVarNull
__vbaCastObj
__vbaCastObjVar
__vbaCheckType
__vbaCheckTypeVar
__vbaChkstk
__vbaCopyBytes
__vbaCyAbs
__vbaCyAdd
__vbaCyErrVar
__vbaCyFix
__vbaCyForInit
__vbaCyForNext
__vbaCyI2
__vbaCyI4
__vbaCyInt
__vbaCyMul
__vbaCyMulI2
__vbaCySgn
__vbaCyStr
__vbaCySub
__vbaCyUI1
__vbaCyVar
ProcCallEngine
DllFunctionCall
__vbaRecAssign
__vbaRecDestruct
CopyRecord
__vbaDateR4
__vbaDateR8
__vbaDateStr
__vbaDateVar
TipGetAddressOfPredeclaredInstance
__vbaDerefAry
__vbaDerefAry1
__vbaEnd
MethCallEngine
__vbaErase
__vbaEraseKeepData
__vbaEraseNoPop
__vbaError
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitEachAry
__vbaExitEachColl
__vbaExitEachVar
__vbaExitProc
__vbaFPException
__vbaFPFix
__vbaFPInt
__vbaFailedFriend
__vbaFileClose
__vbaFileCloseAll
__vbaFileLock
__vbaFileOpen
__vbaFileSeek
__vbaFixstrConstruct
TipSetOption
__vbaForEachAry
__vbaForEachCollAd
__vbaForEachCollObj
__vbaForEachCollVar
__vbaForEachVar
__vbaFreeObjList
TipUnloadProject
__vbaFreeStrList
__vbaFreeVarList
TipCreateInstanceProject
EbResetProject
EbGetHandleOfExecutingProject
__vbaGenerateBoundsError
__vbaGet3
__vbaGet4
__vbaGetFxStr3
__vbaGetFxStr4
__vbaGetOwner3
__vbaGetOwner4
__vbaGosub
__vbaGosubFree
__vbaGosubReturn
__vbaHresultCheck
__vbaHresultCheckNonvirt
__vbaHresultCheckObj
__vbaI2Cy
__vbaI2ErrVar
__vbaI2ForNextCheck
__vbaI2Str
__vbaI2Var
__vbaI4Cy
__vbaI4ErrVar
__vbaI4ForNextCheck
__vbaI4Str
__vbaI4Var
__vbaInStr
__vbaInStrB
__vbaInStrVar
__vbaInStrVarB
__vbaInputFile
__vbaLateIdCall
__vbaLateIdCallLd
__vbaLateIdCallSt
__vbaLateIdNamedCall
EbResetProjectNormal
TipUnloadInstance
__vbaLateIdNamedCallLd
EbLibraryLoad
EbLibraryUnload
__vbaLateIdNamedCallSt
EbLoadRunTime
__vbaLateIdNamedStAd
__vbaLateIdSt
EbCreateContext
EbDestroyContext
EbSetContextWorkerThread
__vbaLateIdStAd
__vbaLateMemCall
__vbaLateMemCallLd
__vbaLateMemCallSt
__vbaLateMemNamedCall
__vbaLateMemNamedCallLd
__vbaLateMemNamedCallSt
__vbaLateMemNamedStAd
__vbaLateMemSt
__vbaLateMemStAd
__vbaLbound
__vbaLenBstr
__vbaLenBstrB
__vbaLenVar
__vbaLenVarB
__vbaLineInputStr
__vbaLineInputVar
__vbaLsetFixstr
__vbaLsetFixstrFree
__vbaMidStmtBstr
__vbaMidStmtBstrB
EbIsProjectOnStack
TipCreateInstanceEx
GetMem2
GetMem4
GetMem8
GetMemStr
GetMemVar
GetMemObj
PutMem2
PutMem4
PutMem8
PutMemStr
PutMemVar
PutMemObj
SetMemVar
SetMemObj
GetMemNewObj
PutMemNewObj
SetMemNewObj
GetMem1
PutMem1
GetMemEvent
PutMemEvent
SetMemEvent
__vbaMidStmtVar
__vbaMidStmtVarB
__vbaNameFile
__vbaNew2
__vbaNew
__vbaNextEachAry
__vbaNextEachCollAd
__vbaNextEachCollObj
__vbaNextEachCollVar
__vbaNextEachVar
__vbaObjAddref
__vbaObjIs
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaOnGoCheck
__vbaPowerR8
__vbaPrintFile
__vbaPrintObj
__vbaPut3
__vbaPut4
__vbaPutFxStr3
__vbaPutFxStr4
__vbaPutOwner3
__vbaPutOwner4
__vbaR4Cy
__vbaR4ErrVar
__vbaR4ForNextCheck
__vbaR4Sgn
__vbaR4Str
__vbaR4Var
__vbaR8Cy
__vbaR8ErrVar
__vbaR8FixI2
__vbaR8FixI4
__vbaR8ForNextCheck
__vbaR8IntI2
__vbaR8IntI4
__vbaR8Sgn
__vbaR8Str
__vbaR8Var
__vbaRaiseEvent
__vbaRecAnsiToUni
__vbaRecDestructAnsi
__vbaRecUniToAnsi
__vbaRedim
__vbaRedimPreserve
__vbaRedimPreserveVar
__vbaRedimVar
__vbaRefVarAry
__vbaResume
__vbaRsetFixstr
__vbaRsetFixstrFree
__vbaSetSystemError
__vbaStopExe
__vbaStr2Vec
__vbaStrAryToAnsi
__vbaStrAryToUnicode
__vbaStrBool
__vbaStrCat
__vbaStrCmp
__vbaStrComp
__vbaStrCompVar
__vbaStrCy
__vbaStrDate
__vbaStrFixstr
__vbaStrI2
__vbaStrI4
__vbaStrLike
__vbaStrR4
__vbaStrR8
__vbaStrTextCmp
__vbaStrTextLike
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrUI1
__vbaStrVarCopy
EVENT_SINK_QueryInterface
EVENT_SINK_AddRef
EVENT_SINK_Release
EVENT_SINK_GetIDsOfNames
EVENT_SINK_Invoke
__vbaStrVarMove
__vbaStrVarVal
__vbaUI1Cy
__vbaUI1ErrVar
__vbaUI1Str
BASIC_CLASS_QueryInterface
BASIC_CLASS_AddRef
BASIC_CLASS_Release
BASIC_CLASS_GetIDsOfNames
BASIC_CLASS_Invoke
__vbaUI1Var
__vbaUbound
__vbaUnkVar
__vbaVar2Vec
__vbaVarAbs
BASIC_DISPINTERFACE_GetTICount
BASIC_DISPINTERFACE_GetTypeInfo
__vbaVarAdd
__vbaVarAnd
__vbaVarCat
__vbaVarCmpEq
__vbaVarCmpGe
__vbaVarCmpGt
__vbaVarCmpLe
__vbaVarCmpLt
Zombie_QueryInterface
Zombie_AddRef
Zombie_Release
Zombie_GetTypeInfoCount
Zombie_GetTypeInfo
Zombie_GetIDsOfNames
Zombie_Invoke
__vbaVarCmpNe
__vbaVarDateVar
__vbaVarDiv
EVENT_SINK2_AddRef
EVENT_SINK2_Release
__vbaVarEqv
__vbaVarErrI4
__vbaVarFix
__vbaVarForInit
__vbaVarForNext
__vbaVarIdiv
__vbaVarImp
__vbaVarIndexLoad
__vbaVarIndexLoadRef
__vbaVarIndexLoadRefLock
__vbaVarIndexStore
__vbaVarIndexStoreObj
__vbaVarInt
__vbaVarLike
__vbaVarLikeVar
__vbaVarMod
__vbaVarMul
__vbaVarNeg
__vbaVarNot
__vbaVarOr
__vbaVarPow
__vbaVarSetObj
__vbaVarSetObjAddref
__vbaVarSetUnk
__vbaVarSetUnkAddref
__vbaVarSetVar
__vbaVarSetVarAddref
__vbaVarSub
__vbaVarTextCmpEq
__vbaVarTextCmpGe
__vbaVarTextCmpGt
__vbaVarTextCmpLe
__vbaVarTextCmpLt
__vbaVarTextCmpNe
__vbaVarTextLike
__vbaVarTextLikeVar
__vbaVarTextTstEq
__vbaVarTextTstGe
__vbaVarTextTstGt
__vbaVarTextTstLe
__vbaVarTextTstLt
__vbaVarTextTstNe
__vbaVarTstEq
__vbaVarTstGe
__vbaVarTstGt
__vbaVarTstLe
__vbaVarTstLt
__vbaVarTstNe
__vbaVarXor
__vbaVargObj
__vbaVargObjAddref
__vbaVargUnk
__vbaVargUnkAddref
__vbaVerifyVarObj
__vbaWriteFile
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
_allmul
rtcLeftBstr
rtcLeftVar
rtcRightBstr
rtcRightVar
rtcAnsiValueBstr
rtcLowerCaseBstr
rtcLowerCaseVar
rtcTrimBstr
rtcTrimVar
rtcLeftTrimBstr
rtcLeftTrimVar
rtcRightTrimBstr
rtcRightTrimVar
rtcSpaceBstr
rtcSpaceVar
rtcUpperCaseBstr
rtcUpperCaseVar
rtcKillFiles
rtcChangeDir
rtcMakeDir
rtcRemoveDir
rtcChangeDrive
rtcBeep
rtcGetTimer
rtcStrFromVar
rtcBstrFromAnsi
rtcPackDate
rtcPackTime
rtcGetDateValue
rtcGetTimeValue
rtcGetDayOfMonth
rtcGetHourOfDay
rtcGetMinuteOfHour
rtcGetMonthOfYear
rtcGetPresentDate
rtcGetSecondOfMinute
rtcSetDateVar
rtcSetDateBstr
rtcSetTimeVar
rtcSetTimeBstr
rtcGetDayOfWeek
rtcGetYear
rtcFileReset
rtcFileAttributes
rtcIsArray
rtcIsDate
rtcIsEmpty
rtcIsError
rtcIsNull
rtcIsNumeric
rtcIsObject
rtcVarType
rtDecFromVar
rtcFileWidth
rtcInputCount
rtcInputCountVar
rtcFileSeek
rtcFileLocation
rtcFileLength
rtcEndOfFile
rtcHexBstrFromVar
rtcHexVarFromVar
rtcOctBstrFromVar
rtcOctVarFromVar
rtcFileCopy
rtcFileDateTime
rtcFileLen
rtcGetFileAttr
rtcSetFileAttr
rtcR8ValFromBstr
rtcSin
rtcCos
rtcTan
rtcAtn
rtcExp
rtcLog
rtcRgb
rtcQBColor
rtcMacId
rtcTypeName
rtcIsMissing
rtcRandomNext
rtcRandomize
rtcMsgBox
rtcInputBox
rtcAppActivate
rtcDoEvents
rtcSendKeys
rtcShell
rtcArray
rtcGetErl
rtcStringBstr
rtcStringVar
rtcVarBstrFromAnsi
rtcGetDateBstr
rtcGetDateVar
rtcGetTimeBstr
rtcGetTimeVar
rtcVarStrFromVar
rtcSqr
rtcIMEStatus
rtcLeftCharBstr
rtcLeftCharVar
rtcRightCharBstr
rtcRightCharVar
rtcInputCharCount
rtcInputCharCountVar
rtcStrConvVar
rtcGetHostLCID
rtcCreateObject
rtcGetObject
rtcAppleScript
rtcMidBstr
rtcMidVar
rtcInStr
rtcMidCharBstr
rtcMidCharVar
rtcInStrChar
rtBstrFromErrVar
rtBoolFromErrVar
rtCyFromErrVar
rtI2FromErrVar
rtI4FromErrVar
rtR4FromErrVar
rtR8FromErrVar
rtcDateFromVar
rtcVarFromVar
rtcCVErrFromVar
VarPtr
rtcDir
rtcCurrentDirBstr
rtcCurrentDir
rtcFreeFile
rtcCompareBstr
rtcBstrFromFormatVar
rtcBstrFromError
rtcVarFromError
rtcLenCharVar
rtcLenVar
rtcFixVar
rtcAbsVar
rtcIntVar
rtcSgnVar
rtcVarFromFormatVar
rtcDateAdd
rtcDateDiff
rtcDatePart
rtcPartition
rtcChoose
rtcEnvironVar
rtcEnvironBstr
rtcSwitch
rtcCommandBstr
rtcCommandVar
rtcSLN
rtcSYD
rtcDDB
rtcIPMT
rtcPPMT
rtcPMT
rtcPV
rtcFV
rtcNPer
rtcRate
rtcImmediateIf
rtcIRR
rtcMIRR
rtcNPV
rtcErrObj
rtUI1FromErrVar
rtcVarDateFromVar
rtcGetSetting
rtcSaveSetting
rtcDeleteSetting
rtcGetAllSettings
rtcByteValueBstr
rtcBstrFromByte
rtcVarBstrFromByte
rtcCharValueBstr
rtcBstrFromChar
rtcVarBstrFromChar
rtcSetCurrentCalendar
rtcGetCurrentCalendar
TipInvokeMethod2
TipInvokeMethod
IID_IVbaHost
EbGetObjConnectionCounts
CreateIExprSrvObj
EbGetVBAObject


E-mail me with questions, suggestions or feedback.


Thanks to Mystic Elf for grammar/spell-checking.

