View Full Version : VB cracking on W2000


IcyDee
February 27th, 2002, 05:12
Please correct me if I am wrong (need I ask?)

I want to crack a serial number type protection on a VB program running on W2000. I think I understand the general technique for VB cracking 16 bit programs using hmemcpy but I think that W2000 does not have hmemcpy (i.e. it does not need it).

Is there an equivalent API that can be used in a similar manner to hmemcpy on W2000 to crack serial type protections?

Solomon
February 27th, 2002, 06:28
NO.

Quote:
Originally posted by IcyDee
Is there an equivalent API that can be used in a similar manner to hmemcpy on W2000 to crack serial type protections?


There are tons of VB cracking essays on the net. They cover from 16-bit VB progs (VB3, VB4) to 32-bit ones (VB4/5/6), from p-code to native VB progs. Try to collect as many tutorials as you can, read them. Do some research by yourself.

CTRL-D
February 27th, 2002, 08:01
if it's 16-bit it has to be VB3 or VB4 as Solomon pointed out. Most of them can be decompiled.

for 32 bit, find out which version it is (means if it uses MSVBVM50.DLL or MSVBVM60.DLL).
Always a good idea to disassemble these dlls to see on what you can break. There's lots of interesting stuff:
__vbastrcmp (VisualBasicforApplicationsSTRingCoMPare)
__vbavartsteq (VariableTeSTEQual)
__vbavartstne .....

to be able to break on these you got to load the exports of the dll with NuMega's symbol-loader (or specify them in winice.dat).

CTRL-D

riPPadoGG
February 27th, 2002, 09:15
Hi....

I do not usually reverse on 2k machine, but...

Hmemcpy is useful in getting an opening, i.e. breaking into the code somewhere before the good/bad boy jmp/s.

For VB apps in Win2k, a better approach would be, use SmartCheck and get necessary info.. SmartCheck(if not crashed) will surely give you an opening... and much more info..

Learn about the protection with SmartCheck... it will also give you the RVAs... Then break at those points using S-Ice...

SmartCheck S-Ice combo IS SUPERB!!!

-spl thanks to Viper

foxthree
February 27th, 2002, 10:32
Hi:

I've cracked a couple of really tough (oxymoron ;-)) VB Apps using SmartCheck. Look for it!

Signed,
-- FoxThree

IcyDee
February 27th, 2002, 18:48
SmartCheck seems pretty hard to find. All the download links are broken. I tried downloading a version from the numega site by creating my own licence number but that did not work, I think they have tightened up that loop-hole.

I made some progress however. An IDA listing shows me the call to rtaMsgBox when I enter a wrong serial number. There is however no obvious good boy-bad boy code anywhere near it.

I am also having some problems with setting break points at the moment in SoftIce so things are not going too well.

I have also tried breakpoints on __vbaLenBstr to no avail, but this may be because of the problems with SoftIce.

If anyone is interested in looking at this program it can be downloaded at h**p://63.211.21.181/download.html

Typical, five minutes after saying I can't find SmartCheck I find it. I will have a play.

IcyDee

zacdac
March 1st, 2002, 14:29
It takes less than 2 mins to find a serial for this one in SmartCheck.

For me the codes were

2083394396

5025895835546111

Just look for __vbaStrCmp call at FileFinder.exe 00113355
(note SmartCheck offsets are usually off by 1 byte)

ZD

IcyDee
March 1st, 2002, 17:08
For some reason SmartCheck does not show me any events at all when I run it. I have it set for 'all events' and I have turned off 'suppress system API calls' but still no joy.

Your help allowed me to register the program, thanks. The main problem I seem to have however is that on my PC (W2000 SP2, SoftIce 4.0) breakpoints just don't break! I can set INT3 in my code and break in the MS VisualStudio but that is the only way I can debug at the moment. It is doing my head in!

I wonder if the Softice and SmartCheck problems are related?