Fax Wizard/ExDec/P-Coded VB5
Quick Notes by ?ferret

Proggy: Faxwizard 2000


Tools discussed: ExDec, Softice get exdecbeta.zip(or somethin like that) *g* and msdbg.zip at http://members.xoom.com/c4n4ever/.space/

I tried smartcheck...got some info,
but not enough to be really helpful because it's p-coded

I tried ExDec....haven't figured out all of the disassembly codes yet hehe....
thought I found where the protection was but sice didn't break on the addy
(after some discussion w/ JosephCo, I managed to figure this out, and make a few discoveries of my own)
...more later

I tried Razzia's (VB4) magic byte pattern

Enter your fake key #, set a bp on hmemcpy and click unlock.

Search for byte pattern for string comparisons.
s 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14

BP on address given

here's the cool part. ;-)

1st time u break on that addy

esi==fake key

edi==number, if u enter this number you are NOT registered, but the time trial starts over ;-)

2nd time

esi==fake key

edi==good key... write it down

3rd and subsequent times

esi==fake key

edi==serial #...after u enter the good key you will be asked for your name company and serial #...
this part is skipped when 1st number is entered instead of the good key

1st time I've seen a proggy that lets u enter a number to start the trial over

This is an excerpt from a JosephCo message regarding ExDec usage:

[start excerpt]
Here is a simple explanation.. I leave it up to you to do more work.
I have broken everything down to 7 procs.
The address, the number stored and the number that is compared
(and has to be equal to) in order to enter that particular proc.

47d459-47d474 store 1 compare number 526149
47d4f7-47d590 store 2 compare number 942973
47d593-47d5e3 store 3 compare number 127397
47d5e6-47d67f store 4 compare number 286218
47d682-47d732 store 5 compare number 526192
47d735-47d7c3 store 6 compare number 228591

All of the procs have this in them, except the number stored at local_120 changes.
Most excodes with 'St' in them are for "storing" information.
Likewise, those with Ld are for loading.

47D4A3: f5 LitI4: 0x1 1 (....) number stored
47D4A8: 71 FStR4 local_0120 at LOCAL_0120!
47D4AB: 00 LargeBos
47D4AD: 1b LitStr: winini.ini
47D4B0: 04 FLdRfVar local_0150
47D4B3: 34 CStr2Ansi
47D4B4: 6c ILdRf local_0150
other procs

This snippet of code just shows that what is loaded from local_0120
is then stored at local_0154, then is compared to 1

47D7C3: 32 FFreeStr
47D7CE: 00 LargeBos
47D7D0: 00 LargeBos
47D7D2: 6c ILdRf local_0120
47D7D5: 71 FStR4 local_0154
47D7D8: 00 LargeBos
47D7DA: 6c ILdRf local_0154
47D7DD: f5 LitI4: 0x1 1 (....)
47D7E2: c7 EqI4
47D7E3: 1c BranchF: 47D8B4
47D8B4: 00 LargeBos
47D8B6: 6c ILdRf local_0154
47D8B9: f5 LitI4: 0x2 2 (....)
47D8BE: c7 EqI4
47D8BF: 1c BranchF: 47DC0C
47D8C2: 00 LargeBos
47D8DE: 00 LargeBos
47D8E0: 6c ILdRf local_0120
47D8E3: f5 LitI4: 0x1 1 (....)
47D8E8: c7 EqI4
47D8E9: 6c ILdRf local_0120
47D8EC: f5 LitI4: 0x16 22 (....)
47D8F1: c7 EqI4
47D8F2: c5 OrI4
47D8F3: 1c BranchF: 47DBFE Falls through
47D8F6: 00 LargeBos
47D8F8: 0a ImpAdCallFPR4: 45cd10
47D8FD: 00 LargeBos
47D8FF: 27 LitVar_Missing
47D902: 27 LitVar_Missing
47D905: 3a LitVarStr: ( local_00CC ) Authorization Successful
47D90A: 4e FStVarCopyObj local_00DC
47D90D: 04 FLdRfVar local_00DC
47D910: f5 LitI4: 0x30 48 (...0)
47D915: 3a LitVarStr: ( local_00AC ) Application activated!

Correct me if I'm wrong, but all you need to do is enter the number that corresponds to number 2.
Also visit http://members.xoom.com/c4n4ever/.space/ and get msdbg.zip.
Inside that are 2 .nms you can load inside of sice.
LOAD=c:\windows\system\msvbvm50.nms is what you want to do.
Then you will be able to bpx doexdisp and all of your problems should be solved.
Also you may use symbol loader to do this.
[end excerpt]

an observation I made on breaking where u want in sice...

if u find a procedure in ExDec that u wish to break on in sice... note the addy (proc: xxxxxxxx)

set BPX doexdisp IF EBX == XXXXXXXX

u then only break on that procedure, instead of EVERY procedure....
i.e. if u want to break on the routine that golem is so interested in (for checking dates, etc, calling keylib32.dll)
u would BPX doexdisp IF EBX == 478924.
You then break just before entering this function, allowing you to browse around & see what's goin on.

If you F10 through the code, watch the registers...the addresses shown in ExDec for each ExCode will be shown in ESI (or Eax maybe? ;-)) just before you jump into the assembly code for that ExCode
...or...if you know exactly where you want to break (i.e. the line before a compare), simply BPM ds:address (not cs:)

Now for some input from golem:

[start excerpt]
What a fascinating program. An interesting blend of VB3, VB5, and 'shrinker' VB5 (All the key programs ;).

FaxWiz has a lot of interesting stuff.
Particularly interesting is it's interaction with KeyLib32.DLL
(the DLL sub names are like a big neon sign).

Module02 (the third subroutine) contains code that sets some interesting global values
(current date, expiration date, days remaining in demo period, etc.
(computed by calling KeyLib32 routines :)
Thanks for the proggie ?ferret (lots of new opcodes!).
Is there anything in particular you might want to know? :)

[end excerpt]

The original proggy is a 14 day trial.

using Razzia's VB4 magic byte pattern for compares,
u get quite a few numbers that come up.

1st resets the trial back to 14 days...even if totally expired.

2nd is the missing piece of the CD key

the rest are serial numbers

there are 3 different valid license keys:

I can't find any difference between the 1st 2 keys' functionality. They both seem to fully reg the proggy

The 3rd key is really wierd....it turns the proggy into a 30 day trial!!!
I have never seen these options in a cinderella protection b4





Alot of this information I uncovered by learning a bit from ExDec,
finding it in sice or other traditional means,
discovering a bit more about the proggy,
looking that up in ExDec, and repeating the whole process.
I could probably spend a week looking at this 1 app if I wanted ;-)

Well, there ou have it...the aimless wanderings of ?ferret...they may or may not help you...
If they do, mail me at jcferret AT yahoo DOT com and let me know.
I may post more tidbits & quick notes of cracking info that may be of interest,
but not really worthy of being called a tutorial ;-)

GREETZ & THANX to all of the people who've helped me @ the Newbies Forum. (I'm too damn lazy to type all the names ;-))...but for this page I feel I must thank JosephCo in particular...THX JOE!
e that 100 is multiplied with 7