Cracking "PixPlayer99 v 1.0.0"
Date: July 24, 1999
Author : +ViPeR+
[E]bola [V]irus [C]rew

Program Name : PixPlayer99 v 1.0.0
Location     : http://www.techsono.com/

Method: VB6 program. WideChar Compare.

<<Note : this document is for educational purposes ONLY>>
-------------------------------------------------------------------------------
VB6 program. 

Trace, trace, trace until you see the 'Invalide Registration Key' screen.
Click 'OK' to go back to Soft-Ice. Back-trace to locate the call that
causes the fail-jump. For this program, this is not hard to find.

'F8' into the call and trace, trace, trace until.....

Code generation routine:

:
:
015F:00422092  3BBD20FFFFFF        CMP       EDI,[EBP-00E0]
015F:00422098  0F8F86000000        JG        00422124                (NO JUMP)
015F:0042209E  8D55CC              LEA       EDX,[EBP-34]
015F:004220A1  8D855CFFFFFF        LEA       EAX,[EBP-00A4]
015F:004220A7  52                  PUSH      EDX
015F:004220A8  57                  PUSH      EDI
015F:004220A9  8D4DBC              LEA       ECX,[EBP-44]
015F:004220AC  50                  PUSH      EAX
015F:004220AD  51                  PUSH      ECX
015F:004220AE  C745D401000000      MOV       DWORD PTR [EBP-2C],00000001
015F:004220B5  C745CC02000000      MOV       DWORD PTR [EBP-34],00000002
015F:004220BC  899D64FFFFFF        MOV       [EBP-009C],EBX
015F:004220C2  C7855CFFFFFF08400000 MOV      DWORD PTR [EBP-00A4],00004008
015F:004220CC  FF15F8104000        CALL      [MSVBVM60!rtcMidCharVar]
015F:004220D2  8D55BC              LEA       EDX,[EBP-44]
015F:004220D5  8D45DC              LEA       EAX,[EBP-24]
015F:004220D8  52                  PUSH      EDX
015F:004220D9  50                  PUSH      EAX
015F:004220DA  FF15A0114000        CALL      [MSVBVM60!__vbaStrVarVal]
015F:004220E0  50                  PUSH      EAX
015F:004220E1  FF1550104000        CALL      [MSVBVM60!rtcAnsiValueBstr]
015F:004220E7  0FBFC8              MOVSX     ECX,AX
015F:004220EA  03CE                ADD       ECX,ESI
015F:004220EC  0F805B010000        JO        0042224D                (NO JUMP)
015F:004220F2  8BF1                MOV       ESI,ECX
015F:004220F4  8D4DDC              LEA       ECX,[EBP-24]
015F:004220F7  FF158C124000        CALL      [MSVBVM60!__vbaFreeStr]
015F:004220FD  8D55BC              LEA       EDX,[EBP-44]
015F:00422100  8D45CC              LEA       EAX,[EBP-34]
015F:00422103  52                  PUSH      EDX
015F:00422104  50                  PUSH      EAX
015F:00422105  6A02                PUSH      02
015F:00422107  FF153C104000        CALL      [MSVBVM60!__vbaFreeVarList]
015F:0042210D  B801000000          MOV       EAX,00000001
015F:00422112  83C40C              ADD       ESP,0C
015F:00422115  03C7                ADD       EAX,EDI
015F:00422117  0F8030010000        JO        0042224D                (NO JUMP)
015F:0042211D  8BF8                MOV       EDI,EAX
015F:0042211F  E96EFFFFFF          JMP       00422092                (JUMP)

Each iteration jumps back to 00422092. Once the counter has gone past the length of the name, the JG at 00422098 is taken and execution continues at 00422124:

015F:00422124  8BCE                MOV       ECX,ESI
015F:00422126  8B3D18104000        MOV       EDI,[MSVBVM60!__vbaStrI4]
015F:0042212C  6BC910              IMUL      ECX,ECX,10
015F:0042212F  0F8018010000        JO        0042224D                (NO JUMP)
015F:00422135  51                  PUSH      ECX
015F:00422136  FFD7                CALL      EDI
015F:00422138  8B1D54124000        MOV       EBX,[MSVBVM60!__vbaStrMove]
015F:0042213E  8BD0                MOV       EDX,EAX
015F:00422140  8D4DE4              LEA       ECX,[EBP-1C]
015F:00422143  FFD3                CALL      EBX
015F:00422145  8B450C              MOV       EAX,[EBP+0C]
                                             ; <-- point to location
                                             ; of fake reg. code
                                             ; 
015F:00422148  8B55E4              MOV       EDX,[EBP-1C]
                                             ; <-- point to real code
                                             ; 'd edx' to see it.
                                             ; 1.5.4.0.8
                                             ;
015F:0042214B  52                  PUSH      EDX
015F:0042214C  8B08                MOV       ECX,[EAX]
015F:0042214E  51                  PUSH      ECX
015F:0042214F  FF1510114000        CALL      [MSVBVM60!__vbaStrCmp]


<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

015F:660614AF  FF742408            PUSH      DWORD PTR [ESP+08]
015F:660614B3  6A00                PUSH      00
015F:660614B5  E8C6F5FFFF          CALL      MSVBVM60!__vbaStrComp
015F:660614BA  C20800              RET       0008

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


Enter

Name: evc_viper
Code: 15408

to see the thanks for registering message box.
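As an added example (not the author's or the program's code), the derivation the trace above shows, reproduced in Python beside a keyed variant of the check; the HMAC secret and the name `viper_evc` are constructed for illustration. It goes slightly beyond the trace by showing that the order-blind character sum makes every reordering of a name share one code.

```python
import hashlib
import hmac


def pixplayer_code(name: str) -> str:
    """Reproduce the code derivation seen in the trace: loop over every
    character of the name (rtcMidCharVar), take its character value
    (rtcAnsiValueBstr, MOVSX), keep a running sum in ESI, then multiply
    the sum by 16 (IMUL ECX,ECX,10) and convert it to a decimal string
    (__vbaStrI4). ASCII names assumed; non-ASCII behaviour is not shown."""
    total = 0
    for ch in name:
        total += ord(ch)  # Asc() of the character
    return str(total * 16)


def weak_check(name: str, code: str) -> bool:
    """The program's check at 0042214F: a plain __vbaStrCmp of the entered
    code against a value computable from the name alone. Anything a user
    types is enough to recompute it, and the sum ignores character order."""
    return code == pixplayer_code(name)


def hmac_code(name: str, secret: bytes) -> str:
    """Hardened form (added here, not the program's): the code depends on a
    secret the user does not hold, so it cannot be derived from the name and
    two names differing only in order get different codes. The secret must
    stay off the client; a shipped product would embed only a public key and
    verify an asymmetric signature instead."""
    mac = hmac.new(secret, name.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def hmac_check(name: str, code: str, secret: bytes) -> bool:
    # Constant-time compare so the check leaks nothing through timing.
    return hmac.compare_digest(hmac_code(name, secret), code)


if __name__ == "__main__":
    print(pixplayer_code("evc_viper"))  # the pair the tutorial enters
```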

Final Note:
   There are a lot of locations that call MSVBVM60!__vbaStrComp. Hence,
   even if you set a breakpoint on __vbaStrComp, it is still not very
   clear what is being compared. Use the strategy I stated at the beginning
   of this tutorial -- back-trace after the fail.


Ob Duh
   Do I really have to remind you all that by buying and NOT stealing the 
   software you use will ensure that these software houses will continue to
   produce even *better* software for us to use and more importantly, to
   continue offering even more challenges to breaking their often weak
   protection systems.


+ViPeR+
[E]bola [V]irus [C]rew
July 24, 1999