VB6 Crackme Practice


Kayaker
October 21st, 2001, 14:57
Hi All,

Here's a VB6 crackme with 6 or more built-in serial number, nag and timer tasks. I've just started it, managed to register it and patch out one of the nags. I have no idea what VB breakpoint to use to try to get at the timers though.

I thought this might make an interesting project, there's several tasks here, including getting rid of the splash screen if possible, and I think several ways to attack the problems. It would be great if everyone could come up with a solution to one of the tasks so we could all learn how to approach these protections in VB.

Good luck and learn.

Kayaker

EtErNaL_L0ser
October 22nd, 2001, 13:05
Valid serial is: 349-345-345-667. But damn it, it was so easy that I couldn't learn anything!

EtErNaL_L0ser
October 22nd, 2001, 13:17
I did more and made some patches... Couldn't defeat crackme 2 though.

PS: it's a rar file, so clear the .zip part.

Unregistered
October 23rd, 2001, 07:27
If you want to have more challenge, why not try Code-Lock from Dream Impression? It is VB too.

w*w.dreamimpression.com/code-lock.shtml

It is for those who like challenges and are not afraid of losing. *grin*

Regards
Ryan

EtErNaL_L0ser
October 23rd, 2001, 07:53
Check my nick, I am a loser myself, lol! Anyway I will give a shot to code-lock.
Though an interesting protection. No luck.

figugegl
November 2nd, 2001, 14:48
Still interested in this crackme? I wrote a brief tut in German, I might translate it into English. I couldn't kill the last timer though.

figugegl

Sphinx
November 2nd, 2001, 15:08
Hi all

I'm back on the board and I'm going to give this crackme a try.

I'll post my findings if I have any.

l8er

Sphinx

nazxul0101
November 6th, 2001, 02:29
Yeah, crackme #1 was pretty easy, it's #2 I am having trouble with.. I don't even know where to start.

Can anyone give any advice.. I tried putting the almighty hmemcpy break on it and hit Cancel to see if I could trace backwards.. but no luck.

Just need a kickstart!!! hehe

nazxul

Kayaker
November 10th, 2001, 02:32
Hi,

I had a chance to look at Crackme #2 tonight, the one like a regular reg box but with a disabled OK button. There are two options here: either the code is monitoring your s/n as you input it and doing a check behind the scenes, enabling the OK button only if the s/n matches a certain check, or the OK button is disabled to begin with, during its creation.

I tried breaking on hmemcpy as you did to see if I could find some behind-the-scenes action on the s/n, but couldn't reach any suspicious code. In that case what you can do is run an API monitor on it as you select the crackme #2 from the menu and see what code is called in creating the dialog box.

VB still calls regular kernel and user functions, so you can select the 2 most useful window creation APIs to monitor for controls being enabled/disabled - CreateWindowExA and ShowWindow. It's a little trickier monitoring through the VB code, but use APISpy32, select the 2 User32 APIs, and then select MSVBVM60.dll as an added module. Pause the trace until just before you select the menu item for the crackme.

As soon as you've gotten an API report saved, you can use a windows class utility (like Winshow) to get the HWNDs of each of the controls on the dialog box if you want to use them to reference those listed in your report.

You should get something like:

-------------------------------------------------
6601FD34: CreateWindowExA
DWORD:00000004, // extended window style
LPSTR:0000C2A2, // pointer to registered class name
LPSTR:00E9E238:"OK", // pointer to window name
DWORD:4C012000, // window style
DWORD:00000018, // horizontal position of window
DWORD:00000020, // vertical position of window
etc.

6601FD3A: CreateWindowExA = A88
---------------------------------------------------

You can see the "OK" string obviously listed in this case, A88 being returned as the HWND of the control.

The other API call immediately after is:

----------------------------------------------------
66036638: ShowWindow
HWND:00000A88, // handle of window
DWORD:00000005) // show state of window

6603663E: ShowWindow = 0 (MSVBVM60.DLL)
---------------------------------------------------

Let's take the last one first. The 2nd parameter, Show state of window, is 00000005h. You can use an API reference that lists the windows constants to find that this stands for SW_SHOW. If it was 00000000h it would be SW_HIDE. So obviously this API isn't causing us problems. (If you'ze all want a good API Constant utility, do a search for and d/l API-Toolshed).

So now check out CreateWindowExA. We know this is the call which creates the OK button. (VB is really weird...). The 4th parameter Window style is 4C012000. This one is a little harder to parse out the contributions to each window style possible from that flag value without some guesswork. Luckily there is an identical Enabled control we can use to compare with, the Cancel button.

Look a little further down the APISpy32 trace and the next CreateWindowExA call creates the Cancel button.
CreateWindowExA (DWORD:00000004, LPSTR:0000C2A2, LPSTR:00E9E318:"Cancel", DWORD:44012000...


The 4th parameter window style flags for this one is:
44012000
Compare it to the Disabled control - 4C012000
and the difference is 08000000h

Back to checking API Toolshed, and you find:
Const WS_DISABLED = &H8000000

So there's the answer, the OK button is being set Disabled during its creation by that one flag.

Now you can set a

BPX CreateWindowExA do "dd esp+10"

as you select from the menu, and break when you see the disabled 4th parameter 4C012000h displayed. If you change it to 44012000 the OK button will be enabled when you return to the crackme (runtime only). Then you can treat it as a regular reg box and use 'bpx __vbaStrCmp' to find the ironic p-code s/n ;-)

Hope this helps,

Kayaker
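
An added example, not code from any poster or tool named in this thread: the script below decodes the CreateWindowExA style DWORDs the way the post above does by hand, and parses a constructed trace in the APISpy32 report format to list which controls were created with WS_DISABLED. The WS_*, WS_EX_* and SW_* values are the documented Win32 constants; the OK record copies the values quoted above, while the Cancel record's HWND (A8C) is made up for the example.

```python
import re

# Generic window styles (high word of dwStyle), documented Win32 values.
WS_STYLES = {
    0x80000000: "WS_POPUP",
    0x40000000: "WS_CHILD",
    0x20000000: "WS_MINIMIZE",
    0x10000000: "WS_VISIBLE",
    0x08000000: "WS_DISABLED",
    0x04000000: "WS_CLIPSIBLINGS",
    0x02000000: "WS_CLIPCHILDREN",
    0x01000000: "WS_MAXIMIZE",
    0x00800000: "WS_BORDER",
    0x00400000: "WS_DLGFRAME",
    0x00200000: "WS_VSCROLL",
    0x00100000: "WS_HSCROLL",
    0x00080000: "WS_SYSMENU",
    0x00040000: "WS_THICKFRAME",
    0x00020000: "WS_GROUP",
    0x00010000: "WS_TABSTOP",
}
WS_DISABLED = 0x08000000
# ShowWindow() nCmdShow values.
SW_CMDS = {0: "SW_HIDE", 1: "SW_SHOWNORMAL", 2: "SW_SHOWMINIMIZED",
           3: "SW_SHOWMAXIMIZED", 4: "SW_SHOWNOACTIVATE", 5: "SW_SHOW",
           6: "SW_MINIMIZE", 7: "SW_SHOWMINNOACTIVE", 8: "SW_SHOWNA",
           9: "SW_RESTORE", 10: "SW_SHOWDEFAULT"}


def decode_style(style):
    """Split dwStyle into named WS_* flags (highest bit first) and the
    class-specific low word, which only the control's own class defines."""
    names = [name for bit, name in WS_STYLES.items() if style & bit]
    return names, style & 0xFFFF


def style_diff(a, b):
    """Named flags present in style a but absent from style b."""
    return [name for bit, name in WS_STYLES.items() if (a & ~b) & bit]


# One CreateWindowExA record in the report is: a call line, one parameter
# line per argument, then a return line carrying the HWND.
CALL_RE = re.compile(r"^[0-9A-F]{8}: CreateWindowExA\s*$")
RET_RE = re.compile(r"^[0-9A-F]{8}: CreateWindowExA = ([0-9A-F]+)")
PARAM_RE = re.compile(r'^(?:DWORD|LPSTR):([0-9A-F]{8})(?::"([^"]*)")?')


def parse_trace(text):
    """Return (lpWindowName, dwStyle, hwnd) for every CreateWindowExA call."""
    records, params, in_call = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if CALL_RE.match(line):
            params, in_call = [], True
            continue
        ret = RET_RE.match(line)
        if ret and in_call:
            # Argument order: dwExStyle, lpClassName, lpWindowName, dwStyle, ...
            name = params[2][1] if len(params) > 2 else None
            style = params[3][0] if len(params) > 3 else None
            records.append((name, style, int(ret.group(1), 16)))
            in_call = False
            continue
        arg = PARAM_RE.match(line)
        if arg and in_call:
            params.append((int(arg.group(1), 16), arg.group(2)))
    return records


def disabled_at_creation(text):
    """Window names whose dwStyle carried WS_DISABLED when they were created."""
    return [name for name, style, _ in parse_trace(text)
            if style is not None and style & WS_DISABLED]


# Constructed trace in the report's format (Cancel's HWND A8C is invented).
SAMPLE_TRACE = """\
6601FD34: CreateWindowExA
DWORD:00000004, // extended window style
LPSTR:0000C2A2, // pointer to registered class name
LPSTR:00E9E238:"OK", // pointer to window name
DWORD:4C012000, // window style
DWORD:00000018, // horizontal position of window
DWORD:00000020, // vertical position of window
6601FD3A: CreateWindowExA = A88
6601FD34: CreateWindowExA
DWORD:00000004, // extended window style
LPSTR:0000C2A2, // pointer to registered class name
LPSTR:00E9E318:"Cancel", // pointer to window name
DWORD:44012000, // window style
6601FD3A: CreateWindowExA = A8C
"""

if __name__ == "__main__":
    for name, style, hwnd in parse_trace(SAMPLE_TRACE):
        flags, low = decode_style(style)
        print(f"{name!r:9} hwnd={hwnd:04X} style={style:08X} "
              f"{'|'.join(flags)} class-specific={low:#06x}")
    print("created disabled:", disabled_at_creation(SAMPLE_TRACE))
    print("OK minus Cancel:", style_diff(0x4C012000, 0x44012000))
    print("ShowWindow nCmdShow 5 =", SW_CMDS[5])
```

Two things the decoder makes visible that the hand comparison does not: neither 4C012000 nor 44012000 carries WS_VISIBLE, which is why a ShowWindow(hwnd, SW_SHOW) follows each creation; and the low word 0x2000 is not a WS_ constant at all but class-specific (assumed here to belong to VB's own button class), so it should not be looked up in the generic table. The extended style 00000004 is WS_EX_NOPARENTNOTIFY.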

nazxul0101
November 12th, 2001, 08:18
Thanks a bunch Kayaker, that really did help.. A LOT. I knew there was an API spying prog out there, just had no clue how to find it.. I'll look around though.

I think I tried breaking on CreateWindowExA, but I had no clue where to go from there.. and yes, I even tried to figure out off the top of my head what numbers were being pushed onto the stack before the CreateWindowExA API was called, but didn't know where to find out what the numbers meant.. API Toolshed? Interesting, I will have to look for that.

After tracing through everything I just gave up and went on to figuring out how to kill that nice looking splash screen at the beginning, which I am still working on.. I will go back to #2 as soon as I find that darn APISpy32.

back to REing


nazx

meaculpa
November 20th, 2001, 05:46
Hi All,

Could someone please sort me out? :)

The first serial part is quite easy. You can get the serial with a hex editor or with Softice (strcmp, or createwindowexa) or with SC6 by looking at the click_ sections..........

The second serial with the disabled "OK" button, is tricky. Yes again you can trace it in SoftIce, until the position where you see 44012000 at esp. (Refer to the thorough post of Kayaker above).
BUT....how do we crack/patch this?

I have learned the following:
Look at the following code (from hexedit)
0000B600: 05 00 63 6D³64 4F 4B 00³04 01 02 00³4F 4B 00 04 ..cmdOK.....OK..
0000B610: 68 01 E0 01³74 04 86 01³08 00 11 02³00 13 FF FF h.*.t.¶.......ïï
0000B620: 03 2B 00 00³00 03 09 00³63 6D 64 43³61 6E 63 65 .+......cmdCance
0000B630: 6C 00 04 01³06 00 43 61³6E 63 65 6C³00 04 80 07 l.....Cancel..°.
0000B640: E0 01 74 04³77 01 11 03³00 14 FF FF³03 25 00 00 *.t.w.....ïï.%..

You see 2 buttons, one enabled and one disabled.
After the name of the button (cmdOK or cmdCancel) there are 5 bytes open and then the text of the button (OK or Cancel).
After the label name (text button name) there are 11 bytes and then we get.......the enable/disable flag!! It also looks like the total command is 0x26 bytes in length.
Can anyone say if these coincide with API constants or something like that???

But, beware! It looks like this is ONLY true if the button is disabled/greyed to start with. This cannot change an enabled button to the disabled state. Does anyone have more experience on this?

Now without boring all further, I would like to find out if there is a more "scientific" way of going about these disabled items??


I have one other idea, can someone say if this is stupid??
Why do we bother tracing the disabled buttons, the msvb6xxx.dll handles all these interpretations right? Why can we not patch the
dll instead? Any comments / rants / raves ??

Ciao,
.meaculpa

figugegl
November 20th, 2001, 09:13
.meaculpa:

Thanks for using my statements in your post :-)

I've been playing around for quite a while with editing resources in VB applications, mainly while reversing crackmes.

I even thought of coding a kind of resource editor. Unfortunately I don't code in VB, I don't even have VB installed on my PC, so I can't emulate grayed/disabled/... buttons etc. That's why I didn't code it.

I think this would be an interesting miniproject and would like to be part of it.

figugegl

meaculpa
November 21st, 2001, 02:28
Hi figugegl,
I hope you forgive me for _borrowing_ 2 lines from our conversations. :=)

I couldn't agree with you more. It certainly does not look like everyone has this basic matter in their skills base.
I think we can certainly make this a new mini-project, and several of us have small separate nuggets of information that we could share.

It is always good to have some basic lessons, covering important aspects that relate to our ......uhmm.........hobbies.

Regards,
.meaculpa

Sarge
November 21st, 2001, 14:16
Just FYI, some of this is available in the "Decompiler Discussion" forum.

Sarge

meaculpa
November 26th, 2001, 02:34
Hi All,
Please refer to my update regarding this in the "Decompiler Discussion" forum.

Regards,
.MeaCulpa

Snoop
November 10th, 2002, 07:27
Hi all, a word to say that there is another newbie in da reversing shit! Maybe I should not have got started in this world, as it's been a week that I am not sleeping! Jne there, je that, cmp this, ctrl-d that, break there, F-10 this, dump that, ?eax... wouuuuuushhhhhhh... what a world!!! But y'all know what?? I looooove it.. I am an experienced programmer and I am just realizing that no matter how complex you can code some things, well, it all ends up at the same place.. in the mov this and jmp there thing! And from there nothing is impossible (Well, I think..). This is fascinating me.. (Sorry for my English).
Nof blah blah.

---> Ryan, why won't you get somebody to test your code-lock stuff and stop acting like you do over here? Man, it's been a couple of weeks I am reading without replying or so, and my word for you is that you're unbelievable.. And this is maybe not a compliment...

--> All others! I've been searching a lot, on this board and elsewhere, for tuts of all kinds and for some crackmes and examples. I learned a lot, but the majority of tuts and examples out there are out of date... links not good, version changed.. etc. Woodman pointed us (newbies) to some good up-to-date tuts and I did them (i.e. auto ftp premium), that was nice.
Could somebody point me to a good start for VB apps? Don't mind if it's some crackme or soft on the market.. purpose is knowledge and that's all. I've searched a lot but none that I've found fulfilled (is this ok???) my needs. I do not know anything about VB reversing apart from that I've got all the tools to reverse it, SmartCheck and others.
(Till then, I'm working on this VB crackme with the best of my knowledge... which is maybe not so good!!! )
Snoop

Kayaker
November 10th, 2002, 07:46
Hi

I'd suggest going to the AntiCrack RCE site listed at the bottom of the page and access the Crackmes, Reversemes, Reverser course and Forum links listed at the top of the anticrack.de page. You should be able to find several VB and other crackmes and lots more information there.

Kayaker

Snoop
November 10th, 2002, 17:51
Thanks Kayaker. I guess that if I don't find anything there to gain knowledge, well, I am either stupid or blind!!!

Have a nice day.

Snoop

Paul333
November 20th, 2002, 22:41
Thanks Kayaker, I really learned a lot from your posts on API stuff!!....

There's an easier way to enable the disabled "OK" button for anyone wanting to trace from it.. Use SHOWIN.. I use it all the time for disabled functions. Sometimes it works, sometimes it doesn't, but nearly always with VB apps.. I'm working on the same prob at the mo with another project.

h++p://www.freebits.co.uk/download/showin.exe

paul333

sarge
November 21st, 2002, 17:02
Another method to find the disabled button:

----------Begin COMMAND BUTTON----------
Name: cmdOK
(Offset d/h: 46592/B600)
Caption: OK
(Offset d/h: 46602/B60A)
Left: 360
Top: 480
Height: 390
Width: 1140
(Offset d/h: 46608/B610)
Enabled: False
(Offset d/h: 46617/B619)
TabIndex: 2
(Offset d/h: 46619/B61B)
Default: True
(Offset d/h: 46622/B61E)
----------End COMMANDBUTTON---------

As you can see, the enabled property is set to false in the GUI properties, and "lives" at file offset 0xB619-0xB61A. It should be easy now to hex-edit that byte.

This output was created by "RACE", available at:

h??p://www.decomplier.com



Sarge
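
An added example that is not from any poster nor from RACE: the script below parses the hex-editor listing from meaculpa's post into bytes and reads the cmdOK properties at the offsets the RACE listing reports, so the two posts can be checked against each other. The five listing lines are copied in as constructed input. The length-word-then-characters layout for Name and Caption, the Left/Top/Width/Height order of the four WORDs at B610, and reading Enabled as the single byte at B619 are inferred from those bytes and are assumptions beyond what either post states.

```python
import re
import struct

# One listing line: 8-hex-digit offset, 16 bytes separated by ' ' or '³', then ASCII.
DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8}): ((?:[0-9A-Fa-f]{2}[ ³]){15}[0-9A-Fa-f]{2})")

# Constructed input: the five listing lines quoted above, copied verbatim.
DUMP = """\
0000B600: 05 00 63 6D³64 4F 4B 00³04 01 02 00³4F 4B 00 04 ..cmdOK.....OK..
0000B610: 68 01 E0 01³74 04 86 01³08 00 11 02³00 13 FF FF h.*.t.¶.......ïï
0000B620: 03 2B 00 00³00 03 09 00³63 6D 64 43³61 6E 63 65 .+......cmdCance
0000B630: 6C 00 04 01³06 00 43 61³6E 63 65 6C³00 04 80 07 l.....Cancel..°.
0000B640: E0 01 74 04³77 01 11 03³00 14 FF FF³03 25 00 00 *.t.w.....ïï.%..
"""


def parse_hexdump(text):
    """Turn the listing into (base_offset, bytes), refusing gaps between lines."""
    base, out = None, bytearray()
    for line in text.splitlines():
        m = DUMP_RE.match(line)
        if not m:
            continue
        off = int(m.group(1), 16)
        if base is None:
            base = off
        elif off != base + len(out):
            raise ValueError(f"listing is not contiguous at {off:08X}")
        out += bytes.fromhex(m.group(2).replace("³", " "))
    return base, bytes(out)


class FormImage:
    """Typed reads at absolute file offsets inside the parsed dump."""

    def __init__(self, base, data):
        self.base, self.data = base, data

    def _at(self, off, n):
        start = off - self.base
        if start < 0 or start + n > len(self.data):
            raise IndexError(f"offset {off:#X}+{n} lies outside the dump")
        return self.data[start:start + n]

    def byte(self, off):
        return self._at(off, 1)[0]

    def word(self, off):
        return struct.unpack("<H", self._at(off, 2))[0]

    def string(self, off):
        """WORD length followed by that many characters; RACE's Name/Caption
        offsets point at the length word (assumed layout)."""
        return self._at(off + 2, self.word(off)).decode("ascii")

    def rect(self, off):
        """Four WORDs; in this file they decode as Left, Top, Width, Height."""
        return struct.unpack("<4H", self._at(off, 8))


def describe_button(img, name_off, caption_off, rect_off, enabled_off,
                    tab_off, default_off):
    """Read the properties RACE lists, at the offsets RACE reports."""
    left, top, width, height = img.rect(rect_off)
    return {
        "Name": img.string(name_off),
        "Caption": img.string(caption_off),
        "Left": left, "Top": top, "Width": width, "Height": height,
        "Enabled": img.byte(enabled_off) != 0,      # 00 here: created disabled
        "TabIndex": img.word(tab_off),
        "Default": img.word(default_off) == 0xFFFF,  # VB True is -1 (&HFFFF)
    }


def cmd_ok_properties():
    """cmdOK, using the offsets from the RACE listing above."""
    img = FormImage(*parse_hexdump(DUMP))
    return describe_button(img, 0xB600, 0xB60A, 0xB610, 0xB619, 0xB61B, 0xB61E)


if __name__ == "__main__":
    for key, value in cmd_ok_properties().items():
        print(f"{key:9} {value}")
```

The decoded values (Left 360, Top 480, Width 1140, Height 390, Enabled False, TabIndex 2, Default True) match the RACE listing, which is the cross-check the script exists for. Note that the cmdCancel record goes straight from its four coordinate WORDs to the 11 03 00 TabIndex bytes with no 08 00 pair before them; that a property is only written when it differs from its default would explain meaculpa's observation that the trick only applies to buttons disabled to start with, but that is an inference, not something either post confirms.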