January  1999
"Winwatc v2.22"
( 'My first crack in Visual Basic'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by TheSnake
 
 
Code ReversingFor Beginners 
 
 
 
Program Details
Program Name: Winwatch.zip
Program Type: System Utility
Program Location: Here 
Program Size: 610K 
 
   
Tools Used:
 Softice V3.23 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Dissembler
 
Rating
Easy(X )  Medium (X)  Hard (    )  Pro (   ) 
  
RWinwatch v2.22
( 'My first crack inVisual Basic 3'  )
Written by TheSnake
 
Introduction
 
The author of  Winwatchsays:-
 
If you use Windows,sometimes you will get this error message "Out of  memory" or "Insufficientmemory" even you have 16 MB memory or more.  "Out ofmemory" or "Insufficientmemory" doesn't mean your system memory is used up, instead it just warnyou of out of some Windows resources(for instance, fixed memory ,GDI orUSER resource). Even Windows uses virtual memory to expand memory space,but there are still limits of some resources used by Windows OS. Windowsprograms stiil need to use fixed memory or conventional memory(below 1MB).For example, if you use Windows for Workgroup may need 300-400KB fixedmemory without loading any drivers or applications.
WinWatch also providessome test tools which you can do some experiments yourself. You can letWinWatch(use "Stress" of "Fixed Memory") to eat up the fixed memory below1MB, then launch some "memory-hungry" apps like MS Word, Excel, or someMultimedia apps. No surprise, you'll get "Out of memory" or "Insufficientmemory" error message."
 
About this protection system
 
This program uses a nag screen shown eachtime you run this program, counting-down 10-0 informing you that you needto register this utility after 30 days. After counting is
done, You get the Register, Quit and theEvaluate bottons.
When first runing it creates a Watch222.inifile in the directory where Winwatch were installed in, with thisdetails :
 
[Register]
Resource=AUQ]S_V
RegisterNumber=TQWUPTU]X[[T  (<-- you cann'treg with this key !!)

The last 2 entries will be added on successfulregistration.

Lets go to have a closer look at this protectionroutine. 
 
The Essay 
 
Try to register with fake code, we willget the "Your registration is not correct!. This
reminder will come up again". OHHH.. Thisis the worst Nag screen i ever saw, we need to get ridd of it !!

At this point, i was creating a dead listwith W32sadm, and i notice that there is no
"String Data References", is it a VB prog?

This program using the 16 bit functionGETDLGITEMTEXT to "read" the input.
Run Winwatch,  fill any Code youlike.

1.When you've done this fire up Softice by pressing CTL-D.
2.Type: bpx getdlgitemtext then x to leave Softice.
3.Click on the 'OK' button.
4.Softice now breaks at the beginning of the 1st System Function GetdlgitemText.
5. pressx  two times
   Press 'F11'

   We arein VBRUN300.DLL  code !!!!  It is a VB3 program !!!

If you've read Razzia's essay about "cracking all vb programs", i'll give here only the basicthings we need to do before we can go on..

You need to have this line in your "winice.dat"file :
Make sure you have a backup of the filebefore edit it !!

EXP=c:\windows\system\vbrun300.dll
AF5="^s 0 l ffffffff8b,ca,f3,a6,74,01,9f,92,8d,5e,08,e8,0e,06;"
(i'm using the ALT+F5,cause it was un-useble for me untill now - AF5="CLS;")

The first line is to let you break in SIin the VB3 code.
The second is to save you a lot of hand-writingwhile searching the right code we're
looking for, which is :

: 8BCA      mov cx, dx
: F3A6      repz cmpsb
: 7401      je 8CB6
: 9F        lahf
: 92        xchg ax,dx
: 8D5E08    lea bx, [bp+08]
: E80E06    call 92CB

So, after doing that, re-boot your computerto make SI to use this changes, rerun Winwatch, and follow the steps aboveuntill you are again in VBRUN300.DLL code.

Press the keys "alt+F5" together, SoftIcis looking in the VBRUN300 for the code,
and you get the "Pattern found at xxxx:yyyyyyyy".
Type u xxxx:yyyyyyyy" with the locationand offset it was. pay attention that this location will be different onany other computer. At the top of the code window there is the instructionsthat our search was about.
We want to break on this lines when theprogram gets here, so, type this :
bpx xxxx:yyyyyyyy with the location thatyou've got from the search, and type x to leave. SI breaks here :

: 8BCA      mov cx, dx ;<--we are here !!
: F3A6      repz cmpsb ;<- here the strings in ds:si and es:di
: 7401      je 8CB6    ; are being compared
: 9F        lahf
: 92        xchg ax,dx
: 8D5E08    lea bx, [bp+08]
: E80E06    call 92CB

Press F10 once, Doa 'ed es:di' and you will see the text being compared to the code
that you entered, but as i notice,it'snot the original ascii code, it's get somehow encrypted, and i can't saywhat is the real code, at this point keep press the F10 until you landon the je 8CB6    type bc * to deletethe prev bpx's and thentype "r fl z" to change thevalue of the "zero flag" , and to force SI to proceed the jump, and pressx to leave SI.

We did it !! we get the "thank you forregister" window.

Job done.
 
The Patches 
  
Nothing needed
 
REMEMBER, i'mdoing my cracks as a hobby and challenge, so please, if you like
this utility andwant to keep using it, support the author and pay for it.

 
Final Notes
 
I was trying to remove the register entryin the "ini" file, and try it again, but i've got the "pattern not found",untill i re-boot the computer.....

Try to use the key that in the "ini" filecan't be done, and i couln't tell how to "see" the real one in the VB code.
Can someone try to break this babe toget the real code and post his essay about it ? I'll put it beside theone i've wrote !!!
 

My thanks and gratitude goes to:-
 
The Sandman for all what he is doing forus, newbies.
 
Rhayader for helping me with Reverse CodeEngineering and
useful tips

Razzia for giving me the basic knolegeof how to start with VB programs 


Essay by:           Thesnake
Page Created: 29th January1999