hi all,

it has been a while since i don't play with rce. Anyway here's my problem. I am trying to reverse a vb program. I am doing it in smartcheck because it's far easier to follow the code.
Now at some point the program picks my fake key and do the following:



At the second line the program compares string "5" with "unsigned short .vt = 32776 0x8008". what does it mean? 8008 does not match anything in ascii. I tried also in olly but i cannot find anything useful. I already tricked the program but i would like to know how this compare works. (maybe i am missing something with vb string functions)

Now if i put a trial key i got from the developer this is what i get



The const string is always the same (0x8008). I can provide more info if requested but i cannot upload the program since it uses a physical device id to generate the key.

Thank you.

"unsigned short .vt = 32776 0x8008" isn't showing in your log snippets above.

hi disavowed,

i found the "unsigned short .vt = 32776 0x8008" in the right pane of smartcheck when i highlight the cmpne instruction.

i verified myself in ollydbg that 8008 is in the stack when compared but i have no idea of what it is.

Smartcheck is not able to interpret the variant (http://msdn.microsoft.com/en-us/library/ms221627.aspx) as a string. The VB engine probably interprets that value as an index into a string table.

You may want to try http://www.woodmann.com/collaborative/tools/Whiskey_Kon_Tequilla_VB_P-Code_Debugger