View Full Version : Cracking VB6 stand-alone .exe


alanazar
March 10th, 2006, 11:10
Hi everyone,

I'm new to cracking so I would appreciate all the help I could get.

I'm trying to crack a VB6 program that has no means to enter name\serial and so on.

When you install it, it creates a file called USERID.txt, and when you run it, it stops and says you need to send the ID code below (which is found in the USERID.txt file) to them so they can send you a license key.

I have looked through the code many times to try and jmp where it checks for the license but I can't seem to find it. I have read a tutorial that says not to start cracking with VB files as they take a lot of commands from the msvbvm60.dll file and it's easy to get lost, so I really hope someone can tell me where to start looking (and possibly post the code for that part).


Thanks a lot!
Alan

Fake51
March 10th, 2006, 11:17
Filemon and/or regmon, checking for references to funny/interesting files/keys, would be a start. And of course, something suitable to debug the thing with.

Fake

alanazar
March 10th, 2006, 11:17
Hi again,

Just a quick note about the above: when I tried running the exe in W32Dasm and also IDA Pro, the program terminated because of some floating point error. So I can't trace the code it's going through until it loads and tells me I need to send the key to...

Thanks again!

alanazar
March 10th, 2006, 11:20
Hi Fake,

Thanks for the quick reply. I didn't think I would need to use Filemon or Regmon as I know that it creates a file in the same folder called USERID.txt. When this program is registered there is a license file that is put in the same directory, so I'm assuming it looks into the USERID.txt file and performs some algorithm on it to compare to the license file.

I tried copying both files to another PC but it wouldn't work, so I'm also assuming that the program calculates a static variable from my PC to create the USERID.txt.

Thanks

babar0ga
March 10th, 2006, 13:42
Quote:
[Originally Posted by alanazar]I have looked through the code many times to try and jmp where it checks for the license but i can't seem to find it.


You should try putting a BP on "__vbaFileOpen" and "rtcDir" and see what happens.

Regards

SiGiNT
March 10th, 2006, 14:24
See if you can figure out what the license file name is supposed to be - maybe the post above will help, or you can open the .exe in a hex editor and do a search for .lic or .key, or just find a reference to the userid.txt file - the lic. file name should be close by. Then create a bogus lic. file filled with garbage or all ones or something - then load the target in Olly and place a bp on _VbaStrCmp (you may need to do this via the msvbvm60 file) - it may break many times, eventually showing your bogus numbers; fish from there - you may come up with something that way.

SiGiNT

Admiral
March 10th, 2006, 21:52
Whenever I'm faced with a VB target, my first (and often last) refuge is Numega SmartCheck.

SiGiNT
March 11th, 2006, 00:30
Admiral,

I too usually use SmartCheck, but sifting through all of the timer garbage, especially with large programs, can be a real pain in the butt. It will find hidden routines, like the serial for Kruger's toolbox - embedded in a destroy window routine - and it has the little discussed ability to work with some packed files. But for some progs Olly works just as well if not faster and cleaner, and since the comparison will not take place after a user initiated event (click), it seemed that Olly would be a good choice for this one - I did however omit the other possible bps (TstEqv).

SiGiNT

Ricardo Narvaja
March 11th, 2006, 07:59
This OLLYDBG was modified by me to find OEPs and work with VB native programs.

http://www.ricnar456.dyndns.org/HERRAMIENTAS/L-M-N-O-P/OLLY%20PARCHEADO%20PARA%20BUSCAR%20OEPs.rar

user and pass: hola

In this OLLY, when you put a MEMORY BREAKPOINT ON ACCESS, it only stops on execution and continues running if it is triggered by a READ or WRITE.

For OEPs you put a MEMORY BREAKPOINT ON ACCESS on the first section, if the program will run in this section, and OLLY stops at the first line of code executed in the section (the possible OEP, if there are no stolen bytes or some strange things hehe).

In VB you put a memory breakpoint on the first section and, if the program is native (not P-code), OLLY BREAKS on the lines executed by the program and never in the VB dll.

You can continue pressing F9, and OLLY steps line by line through the code of the program, and never stops in the dll.

With this you can crack any VB native program easily in OLLY, without stopping in the dll mess.

Ricardo Narvaja

Admiral
March 11th, 2006, 08:31
sigint33, I agree that for many apps OllyDbg is the best-suited tool (VB ones included), but often I've found that VB programmers tend to be the most clueless. In such cases, applying my standard VB filter to remove all the junk API calls that SmartCheck spews at you can leave you with a 30-second task of locating the point where your serial is being processed and lead you straight to the ___vbaStrCmp against the correct serial, whereas using OllyDbg it would take me far longer to do the same job (mainly due to the fact that ___vbaStrCmp is used so many times).

Sure enough, you may need some luck to get straight to the sweet spot, but just by setting aside five minutes to do this you can potentially turn a standard reversing procedure into a walk in the park.

So I guess I'm not suggesting SmartCheck as a replacement for OllyDbg (indeed using the two together is the best idea), but I tend to use it in the same way I use PEiD - as a constant-time first step to get an idea of how the target thinks. Either way, one would be a fool to write any tool off when there's a possibility it'll do the business.

Regards
Admiral

SiGiNT
March 11th, 2006, 11:06
Admiral,

I'd be really interested in your standard filter details! I've tried lots of different filter combos and apparently have not hit that "sweet spot" - just dense! (as usual).

Ricardo,

Many thanks! I've been meaning to thank you for all of your contributions, I'll certainly give your Olly a try.

SiGiNT

Ricardo Narvaja
March 11th, 2006, 12:58
I forgot to tell you: mark all exceptions in Debugging Options, Exceptions, so OLLYDBG stops only on the MEMORY BREAKPOINT and skips the exceptions.
Anyway, if OLLYDBG stops on an exception you can press Shift+F9 to skip it, until OLLYDBG stops at the MEMORY BREAKPOINT on EXECUTION.

Ricardo

Admiral
March 11th, 2006, 15:18
Sigint, I'd love to paste you my filter settings but as all the settings seem to be in SmartCheck, I can't find any plaintext resembling it. However, there are some fairly simple rules to follow if you want to set up such filters. Using SmartCheck is an absolute chore until you get the hang of it, but with a little work you can cut out a large proportion of the useless stuff (this goes for targets written in any language):

Under the Settings dialog, most of the options go just as you'd expect, though it's often tedious to get everything right. I tend to go for:

Check for all kinds of error
Report errors immediately
Don't report any of handled VB RT errors, Mousemove, WM, Callbacks/hooks.
Check as few files as possible. Usually this list will only include the target exe, but sometimes a DLL or two will need to be checked.

From here it's only a matter of using trial-and-error to remove the remaining spam: Run for a sample, find a few functions that appear lots but will never help you, right-click 'suppress'. Lather, rinse, repeat.

In this way (with some patience) you can cut the report down to 'just the facts'. Once your output is manageable, it's worth saving the filter settings and setting it as the default for all new targets.

Regards
Admiral

Edit: 2^(2*2²)/2th post

Kayaker
March 11th, 2006, 16:40
Just in case the "younger folk" don't know about Eternal Bliss' site, there are several articles on VB reversing with Smartcheck. Especially be sure to check at the very bottom of the page for the essays on VB breakpoints and Smartcheck usage and settings.

http://ebliss.host.sk/cte.html

SiGiNT
March 11th, 2006, 20:03
Kayaker,

Eternal Bliss' tutorials are always on the top of my pile - and have been my bible from day one with SmartCheck - anyone who considers using this tool must read these!

SiGiNT

PS: Admiral, I've been more or less ignoring the files settings - that's probably been my problem.

babar0ga
March 12th, 2006, 13:39
Here is a small tool which will find the OEP for a VB exe/dll/ocx packed with almost anything.
At least it was tested with dozens of packers including arma, aspr, securom etc...

Feel free to give it a shot.

Regards

alanazar
March 16th, 2006, 06:44
Hi again,

Nothing helped so far. Does anyone know where I can get a fully functional VB decompiler? I found some trial versions but they won't let me see the code of the actual License module which showed up.

I used SmartCheck on the computer where it's registered and on another one where it isn't, and I couldn't find any "compute" strings or compares, so I couldn't find where I needed to add a jmp and to where.

I saw where it took the data inside the license key and then there was about 50 pages of chr$, mid$, integer to byte... stuff like that.

I didn't understand the flow in those pages; if I did I would have been able to maybe create a keygen out of it, but again my biggest problem was that I couldn't find a string that compares the value in the license file with the proper one.

There are 3 files: a license file, a userid file and a hidden file created in the system folder with a 3 digit value. I guess what's happening here is that there is some calculation that compares those files with each other to verify the license.

Anyways, thanks a lot for everybody's help. I'm still learning and trying to crack... again, if anyone has a fully functional VB6 decompiler I would be very grateful.

Thanks!

Admiral
March 16th, 2006, 09:38
Well, now you know how the serial works, it's up to you to find out what it does. Have a look around that list of string manipulation functions (which almost certainly lie inside a loop or two) and try to find out any particulars that could point you to the right place in the disassembly.

Chances are that Mid$ isn't called too many times before the target reaches the validation routine, so it may be worthwhile setting a breakpoint on Mid and hitting F9 until you spot your serial in the stack somewhere. This should at least land you in the right place to consider keygenning or to hunt for the right Jcc.

Regards
Admiral
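
As an added, defender-side example that is not from this thread or from any tool it mentions: the scheme alanazar describes (a value derived from USERID.txt and compared with the licence file) means the "correct serial" exists in the program's memory and the derivation exists in its code, which is exactly what the breakpoint and SmartCheck approaches above hunt for. Below, a constructed `weakCheck` in that shape sits beside a `signedCheck` where the vendor signs the user ID with a private key that never ships, so the binary can neither produce nor hold a valid licence; the user ID, vendor constant and key material are all constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// deriveSerial stands in for the "50 pages of chr$ mid$" the thread describes:
// a deterministic transform of the user ID, fully present in the binary.
// (Constructed example; the vendor constant is a placeholder.)
func deriveSerial(userID string) string {
	sum := sha256.Sum256([]byte("CONSTRUCTED-VENDOR-CONSTANT:" + userID))
	return hex.EncodeToString(sum[:8])
}

// weakCheck is the pattern the thread hunts for: the expected licence is
// computed locally and string-compared with the licence file, so the check is
// one conditional jump and the derivation is a keygen in waiting.
func weakCheck(userID, license string) bool {
	return license == deriveSerial(userID)
}

// issueLicense runs on the vendor's side only: the licence is an Ed25519
// signature over the user ID, made with a key that is never distributed.
func issueLicense(priv ed25519.PrivateKey, userID string) string {
	return hex.EncodeToString(ed25519.Sign(priv, []byte(userID)))
}

// signedCheck embeds only the public key. It binds the licence to this
// machine's ID (copying both files elsewhere fails) and there is no correct
// serial anywhere in memory to compare against or to reconstruct.
func signedCheck(pub ed25519.PublicKey, userID, license string) bool {
	sig, err := hex.DecodeString(license)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(userID), sig)
}

func main() {
	userID := "USERID-CONSTRUCTED-0001" // stand-in for the contents of USERID.txt
	pub, priv, _ := ed25519.GenerateKey(nil)
	lic := issueLicense(priv, userID)
	fmt.Println("weak check, derived serial accepted:", weakCheck(userID, deriveSerial(userID)))
	fmt.Println("signed check, genuine licence:", signedCheck(pub, userID, lic))
	fmt.Println("signed check, licence moved to another ID:", signedCheck(pub, "USERID-CONSTRUCTED-0002", lic))
}
```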

SiGiNT
March 16th, 2006, 10:15
Just as a note, there is ongoing work on a VB5-6 decompiler, and I think in one Google search I found a company that claims to have one. I have not been able to duplicate that find since, but there is a company that will decompile it for a price, so the answer to your question is that at this time there is no VB5-6 decompiler; it doesn't exist yet and will probably be obsolete the day it's released, with a lot of people switching to version 7 (.net).

SiGiNT

alanazar
March 16th, 2006, 10:31
Yeah thanks for that. I actually came across it myself. I also came across 3 VB6 decompilers:

VB Rezq
VB Decompiler 2.2 (looks really good)
and another one called Semi VB Decompiler, I think.

I also noticed, as you said, that it's easier to find .net decompilers than VB6 ones.

Anyways, happy cracking to all, I'm going to work on it again over the weekend.

Thanks again!

SiGiNT
March 16th, 2006, 12:17
Just a note, don't waste your time on VBRezq - it's useless, but if you can find VBReformer 3.7 - that can be of some use.

SiGiNT