FoxPro Reversing?!


tHE mUTABLE
June 18th, 2007, 08:14
Hello Community,

It seems Visual FoxPro reversing isn't an easy task to tackle, maybe because it has not already been discussed in any RCE forums or because of the lack of dedicated tools for Visual FoxPro reversing. Anyway, this is my first attempt to see what's behind its sophistication. I tried to use ReFox 11.0.502.20 Full Version! Decompiler to dig deeper in order to find where the registration routine is located, but to no avail, and the overall code structure isn't clear at all. IDA identified it as New Executable NE (16-Bit) format and W32Dasm disassembled it, but there was nothing worth investigating. Everything is bundled into one NE file (Data: Free Tables, Queries; Documents: Forms, Reports, Labels; Class Libraries: Classes; Code: Programs, API Libraries; Other: Menus, Text Files, Other Files: Images, Icons...). With ReFox all of these structures are extracted as separate entities which are ready to be examined. There are two files in the same directory, “xxxxxxxx.Set” and “FOXW2600.ESL”, which get loaded along with the main NE file “xxxxxxxx.EXE”. I have the registration data for the computer I copied from, which is located inside the “xxxxxxxx.INI” file in encrypted format; maybe it’s linked somehow to a hardcoded number from the other computer (maybe drive C volume number???).
I changed some code statements but I didn’t know how to recompile it (I’m using Microsoft Visual FoxPro 6.0).
Would you please shed some light on this subject: Tutorials, Tools, General Info. …
TIA
Best regards,
tHE mUTABLE

LLXX
June 18th, 2007, 16:09
Go read more. You managed to load it into IDA, that's a start. Now read the articles on general reversing for more information.

FrankRizzo
June 18th, 2007, 21:30
I can't resist, I have to try to help.

Let's take what you know, and start from there. You know that it writes its registration info to an .ini file. So, search through the disassembly for ".ini", and you should find where they reference it. Then, once you understand that, look for calls to the *PrivateProfile* functions. These are used to read and write to the .ini file. So, you should be able to locate where they're writing the info to the .ini. Once you have that, you have the address that they're writing from; you can trace it backwards through the code and see where the memory gets written to, and you have where the reg info is coming from. Trace back from that, and you should see where they get the info.

As for how to write it back, find the code that you want to change, write down the hex bytes for that section of code, and find them in the normal .exe, and change them inside it. (Using something like Hex Workshop or the like).

tHE mUTABLE
June 21st, 2007, 03:33
Quote:
Now read the articles on general reversing for more information
I don't understand, because I've already searched for any FoxPro reversing materials but found nothing, and regarding IDA, nothing was identified or worth tracking as a starting point... Can you elaborate on that a little!
Thanks Frank. As I said, it's a completely new scenario (No debugger, disassembler, only a decompiler...)

LLXX
June 21st, 2007, 21:39
http://www.woodmann.com/fravia/index.htm

Quote:
and regarding IDA nothing identified or worth to be tracked as a starting point
And perhaps you should study up on how to use IDA as well.

tHE mUTABLE
June 25th, 2007, 05:00
IDA has nothing to do in this case, and I know how to use IDA! What I'm asking about is general info. about FoxPro reversing... Anyway thanks....?

FrankRizzo
June 25th, 2007, 18:38
So what does your FoxPro decompiler produce?

Post us a sample, so that we can see what you are seeing, maybe we can work from that. If not, I might have you PM me the whole thing, or at least tell me where I can download it.