View Full Version : activx ocx


slash
May 25th, 2002, 09:17
Hi,

I'm pretty new at this stuff, but then again, this is for newbiez. I think I have all the necessary tools, I know a good deal about programming, asm included, but still. BTW: I was sent here with the compliments of "The Blackbird".

OK, to the problem :

I'm trying to reverse an ActiveX (ocx) that is preparing all of its parameters (including the serial) using JavaScript (it's building up some kind of a class). Is there a way I can find out how and where the OCX gets and stores these parameters, so that I can set some kind of breakpoint in SoftICE when it tries to reach for the serial parameter? I have already tried to disassemble it with w32 disassembler, but that does not seem to be correct...

In the evaluation serial, a time limit is inserted as well, but when I set a breakpoint on the API "GetSystemTime or GetLocalTime", it breaks about a million times. Perhaps there is an API I can watch for that parses the hostname?

Well, this is a long shot, but BlackB said that I'm at the right place, so...

Solomon
May 25th, 2002, 09:45
Use ExeScope or similar tools to examine the COM interface of your ActiveX DLL. They will give a readable description of the interface.

Please also refer to this:
http://www.woodmann.net/forum/showthread.php?s=&threadid=1430

zacdac
May 25th, 2002, 14:00
G'day..

In my experience, it is easier to reverse ocx controls in a development tool.

Use an API/OLE tracer such as SmartCheck on the development tool that supports the ocx (such as the Visual Basic IDE).

Ocx controls make an IClassFactory::CreateInstance call (OLE call) when they are initialised for the first time (note subsequent calls are cached so it is wise to restart the tracing each time you wish to test something) within the development environment. 90% of ocx controls place their license testing within that call.

SmartCheck will show you the API calls used within that call and the memory locations they were called from within the ocx control.
It also shows you the parameter values passed to the API calls.

With this knowledge you can then set a breakpoint on these api calls, a breakpoint within the ocx or you may also set a breakpoint on the development tool (in this case VB6.exe) at the point it calls the IClassFactory::CreateInstance call. (This is the same spot each time within the vb6 executable)

I have also found it is often easier to use OllyDbg rather than SoftIce (note again 90% of ocx controls are poorly protected) to trace the code.

Note the above is for OCX controls, not COM components.
COM components are initialised a slightly different way.

Hope that helps.

ZD

slash
June 2nd, 2002, 18:20
Thx for the replies,

What I have tried this far:

I have tried to start IEXPLORE.EXE within SmartCheck. It launches, I go to the page with the ActiveX and SmartCheck does show some events. I see that it does some stuff using instr, mid, left, right functions, etc. with the serial (contains hostname + a bunch of numbers). Further I can't see that much. The ActiveX doesn't seem to completely load as well when I launch it in SmartCheck; it stops on a CallWindowProcA. When I try to break, using SoftICE, on CallWindowProcA (what I had tried before), it breaks about every 1 ms.

Do I have to try to debug with SmartCheck within VB6? The ActiveX gives a nag screen, maybe I can do something with that? Or is SoftICE not to be used with ActiveX?

thx

slash
June 2nd, 2002, 19:49
Hi there again,

I have played a bit more with SmartCheck, and it helped toggling "view reporting" on/off a few times. Suddenly the ActiveX stopped pushing my CPU to 100% and proceeded to show the nag screen. After browsing through the events, I saw what appeared to be the checking of the serial. I could suddenly see a variable containing a bunch of numbers that looked like a serial. I thought, what the hell, let's give it a try...

And whoohoo, I have cracked my first ActiveX !

Thanx to zacdac !