Speak & Mail v1.9.6
Introduction |
Greetings and welcome to the noble art of reverse engineering!
Tools required |
Numega SmartCheck v6.x
Target's URL |
http://www.shadisoft.com
Essay |
Step1 Run SmartCheck and configure the settings like this:
Under the Program/Settings menu:
*ERROR DETECTION: Check all boxes except 'Report errors immediately'
*ADVANCED SETTINGS: Check the first four boxes. The others should be empty!
*REPORTING: All boxes should be checked except the one for 'Report Mouse Move events from ocx controls'
Step2 OK, now you are ready to fight!
Step3 Load speak.exe by clicking 'File' and 'Open', => open speak.exe!
Step4 Run speak.exe in SmartCheck by pressing F5 or by pressing the Run button in the toolbar.
Step5 OK, now you are going to type in a name and a fake serial. I use McCodEMaN & 1234567890. The program validates the serial and tells you that it was wrong.
Now terminate speak.exe by clicking on the Stop button.
Step7 OK, now look through the strings. Do you see 'frmMain_Load'? Good, open it by clicking the ' + ' sign.
Step8 Now go into 'mnuAboutUnlock_Click', then down and into 'frmUnlock.Show'.
OK, we are inside frmUnlock.Show... where should we go now?
textName.Text
Trim
textName.Text
Trim
Len returns
LONG:9 <= McCodEMaN (Your username)!
Len returns
LONG:9 <= McCodEMaN
Skip the: Chr$ and go down to.......
Len returns
LONG:9 <=McCodEMaN
Len returns
LONG:54 <=EIcaDkZsjQSdh.........
Keep tracing down through the code until you find........
Double (209952)-->Long (209952)
Hmm, this was very interesting. Can this be a part of the valid serial?
Three strings down we can see......
Long (209952)-->String ("209952")
Another three strings down we find......
Long (xxxxxxx)-->String ("xxxxxxx")
And farther down we find.............
Long (xxxxx)-->String ("xxxxx")
Well, I think that this can be the valid serial, but to confirm it and make sure that we aren't missing anything, let's check the routine!
Go up to: Long(209952)-->String ("209952")!
Make sure the blue bar is on it!
Go to "View" and choose "Show All Events". Now you will see almost everything that happens inside the program.
This is what we see.............
Long(209952)-->String ("209952") <= Here we are!
__vbaStrMove returns DWORD:4E0E9C
= "209952"
chr$
__vbaStrMove returns DWORD:4D4F08
= ";"
__vbaStrCat returns DWORD:481BB8
= ";"
= "209952"
__vbaStrMove returns DWORD:481BB8
= "209952;"
Len returns LONG:9
= "McCodEMaN"
Long(xxxxxxx)-->String ("xxxxxxx")
__vbaStrMove returns DWORD:4D0BC4
= "xxxxxxx"
__vbaStrCat returns DWORD:4D8814
= "xxxxxxx"
= "209952;"
__vbaStrMove returns DWORD:4D8814
= "209952;xxxxxxx"
chr$
__vbaStrMove returns DWORD:4E0E88
= "y" <= This 'y' stands for a character!
__vbaStrCat returns DWORD:4D62AC
= "y"
= "209952;xxxxxxx"
__vbaStrMove returns DWORD:4D62AC
= "209952;xxxxxxxy"
__vbaStrVarVal returns DWORD:4D4E28
Asc returns Integer:67
Len returns LONG:9
__vbaStrVarVal returns DWORD:4D5418
Asc returns Integer: 111
Long(xxxxx)-->String ("xxxxx")
__vbaStrMove returns DWORD:4E0760
= "xxxxx"
__vbaStrCat returns DWORD:4D87D0
= "xxxxx"
= "209952;xxxxxxxy"
__vbaStrMove returns DWORD:4D87D0
= "209952;xxxxxxxyxxxxx"
If you jump down to...........
__vbaStrCmp returns DWORD:FFFFFFFF
compare string1 and string2
string1= valid serial
string2= fake serial
__vbaFreeStr returns DWORD:1
= "209952;xxxxxxxyxxxxx"
Work Done!
Final Notes |
I would like to thank:
Razzia, for making me interested in VB in the first place!
Jeff, for making me come back to the VB environment after a long vacation!
Eternal Bliss, for providing us with a great VB source!
MiZ, Bjanes, The Sandman and my friends in TRES2000!