I. SoftICE preparation

Although most VB programs still call Win32 API functions, the interesting work happens inside the VB runtime DLL, so if you want to break inside the runtime you must add that DLL to SoftICE's export list. The following example adds the VB runtime DLLs to the winice.dat configuration file under Win95/98 (excerpt):

; EXP=c:\windows\system\msvbvm60.dll    ; Visual Basic 6
; EXP=c:\windows\system\msvbvm50.dll    ; Visual Basic 5
; EXP=c:\windows\system\vb40032.dll     ; Visual Basic 4 (32-bit)
; EXP=c:\windows\system\vb40016.dll     ; Visual Basic 4 (16-bit), rare
; EXP=c:\windows\system\vbrun300.dll    ; Visual Basic 3

Note that a line beginning with a semicolon is a comment and is not executed. Load only the VB DLL you actually need each time (preferably no more than two at once): remove the semicolon from the line of the DLL you want to load, then restart.

There are several ways to find out which VB runtime a program uses. The most direct is to open the program in W32Dasm 8.9 and look at its import list; another is to open the program in a hex editor and look for the DLL name. Or set bpx hmemcpy in SoftICE, let the program run for a moment, and watch which VB DLL name appears in the module area of the SoftICE code window.

After preparation, restart and set breakpoints on the functions in the VB runtime library that you need.
--------------------------------------------------------------------------------
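As an added example (this script is not part of the original tutorial), the following Python code performs the first identification method above on a 32-bit PE: it walks the import directory to list the DLLs the program links, picks out the VB runtimes named in the winice.dat list, and prints the EXP= line to uncomment for each one. The PE it parses is constructed inline (headers and one .idata section only, not a runnable program) so the script runs offline; the system directory path is the one used in the list above. VB3 and 16-bit VB4 programs are NE files, which this parser deliberately rejects, so for those use the hex-editor method instead.

```python
import struct

# VB runtime DLLs from the winice.dat list above. vb40016.dll and vbrun300.dll belong to
# 16-bit (NE) programs, which this PE parser does not understand.
VB_RUNTIMES = {
    "msvbvm60.dll": "Visual Basic 6",
    "msvbvm50.dll": "Visual Basic 5",
    "vb40032.dll":  "Visual Basic 4 (32-bit)",
    "vb40016.dll":  "Visual Basic 4 (16-bit)",
    "vbrun300.dll": "Visual Basic 3",
}


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def imported_dlls(pe):
    """Return the DLL names in a PE32 file's import directory (what W32Dasm lists as imports)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (VB3 / 16-bit VB4 use the NE format)")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dir = opt + (0x60 if magic == 0x10B else 0x70)      # PE32 vs PE32+ layout
    import_rva = struct.unpack_from("<I", pe, data_dir + 8)[0]  # directory entry 1 = imports
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    names = []
    if import_rva == 0:
        return names
    desc = _rva_to_offset(import_rva, sections)
    while True:                                              # IMAGE_IMPORT_DESCRIPTOR, 20 bytes
        name_rva = struct.unpack_from("<I", pe, desc + 12)[0]
        if name_rva == 0:                                    # all-zero descriptor ends the table
            break
        start = _rva_to_offset(name_rva, sections)
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii"))
        desc += 20
    return names


def vb_runtimes_used(pe):
    """Which of the known VB runtimes the program imports (lower-cased names)."""
    return [d.lower() for d in imported_dlls(pe) if d.lower() in VB_RUNTIMES]


def winice_exp_lines(runtimes, system_dir=r"c:\windows\system"):
    """The EXP= lines to uncomment in winice.dat, one per runtime actually needed."""
    return ["EXP=%s\\%s" % (system_dir, r) for r in runtimes]


def build_sample_pe():
    """Constructed, minimal PE32 image (headers plus one .idata section) importing
    MSVBVM60.DLL and KERNEL32.dll. Not a runnable program; it only exercises the parser."""
    sec_rva, sec_raw, sec_size = 0x1000, 0x200, 0x200
    dll_names = [b"MSVBVM60.DLL", b"KERNEL32.dll"]
    names_blob, name_rvas = b"", []
    for n in dll_names:                                      # names follow the 3 descriptors
        name_rvas.append(sec_rva + 60 + len(names_blob))
        names_blob += n + b"\0"
    idata = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas)
    idata = (idata + b"\0" * 20 + names_blob).ljust(sec_size, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 0x5C, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 8, sec_rva, 60)      # import directory RVA / size
    sec = struct.pack("<8sIIIIIIHHI", b".idata", sec_size, sec_rva, sec_size,
                      sec_raw, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(sec_raw, b"\0")
    return headers + idata


if __name__ == "__main__":
    sample = build_sample_pe()
    print("imports:", imported_dlls(sample))
    for line in winice_exp_lines(vb_runtimes_used(sample)):
        print(line)
```

Run it against a real EXE with `imported_dlls(open(path, "rb").read())`; the only change needed for a packed executable is that the import table of the unpacked image, not the stub's, is the one that matters.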
II. Common functions of the VB DLL

1. Character-processing functions: MultiByteToWideChar, WideCharToMultiByte, __vbaStrCmp, __vbaStrComp, __vbaStrCopy, __vbaStrMove, __vbaVarTstNe.
Note: the "underscore" in front of these names is really two underscores (__vba...). Do not get this wrong. If you are cracking a VB6 program, prefix the breakpoint with msvbvm60!, for example: bpx msvbvm60!__vbaStrComp
Some common VB string functions:

Val()     converts a string to a number
Str$()    converts a number to a string
Left$()   takes characters from the left, e.g. Left$("Theodolite", 4) = "Theo"
Right$()  takes characters from the right
LTrim$()  removes leading spaces, e.g. LTrim$("   Hello") = "Hello"
RTrim$()  removes trailing spaces
Trim$()   removes spaces on both sides of the string
Asc()     converts a character to its ANSI code, e.g. Asc("A") = 65 (65 is the decimal ASCII code)
Chr$()    converts an ANSI code to a character, e.g. Chr$(65) = "A"

Worked examples:
1. __vbaVarTstNe (VB5). At CALL MSVBVM50!__vbaVarTstNe, step into the call; at 0F04E351 you will see:

   push dword ptr [ebp+0c]    ; push the address of the *real* serial
   push dword ptr [ebp+10]    ; push the address of the serial you entered

Type d ebp+0c. In the data window you will see a 4-byte address stored in reverse (little-endian) order; D that address and the serial number is displayed.
2. __vbaR8Str (VB5):

   push ebp-20
   call MSVBVM50.__vbaR8Str           ; convert the string to a double (real)
   fcomp qword ptr [00401028]         ; compare against the value stored at 00401028

At the fcomp line, type DL 00401028 and you will see the *real* serial. DL displays memory as long real (double); SoftICE's data window is in DB (byte) mode by default.
3. __vbaStrCmp

Example:

:005BDC32 CALL [MSVBVM50!__vbaFreeVar]
:005BDC38 MOV ESI,[EBP+08]
:005BDC3B PUSH ESI
:005BDC3E CALL [ECX+00000790]          <-- the returned value goes to EDX
:005BDC44 MOV EDX,[ESI+4C]             <-- the number you entered (pointer shows byte-reversed in the data window)
:005BDC47 MOV EAX,[005E0078]           <-- the correct number
:005BDC4C PUSH EDX
:005BDC4D PUSH EAX                     <-- push both parameters to __vbaStrCmp
:005BDC4E CALL [MSVBVM50!__vbaStrCmp]  <-- Visual Basic string comparison
:005BDC54 TEST EAX,EAX                 <-- test the comparison result
:005BDC56 JNZ 005BDC64                 <-- jump if not equal
2. Message-box and related functions: rtcBeep, rtcGetPresentDate (date/time API).
--------------------------------------------------------------------------------
III. In most VB programs we can break with bpx hmemcpy, but you will soon find yourself inside the VBRUNxxx.DLL runtime library, and in most cases it is difficult to get from there to the real core of the EXE. You usually have to follow the program by string clues. Remember that VB (VB4 and later) stores and compares strings in wide-character format (in effect, a 0x00 byte follows each character).
The MultiByteToWideChar() function maps a character string to a wide-character (Unicode) string. The string it maps is not necessarily from a multibyte character set.

   int MultiByteToWideChar(
       UINT   CodePage,        // code page
       DWORD  dwFlags,         // character-type options
       LPCSTR lpMultiByteStr,  // string to map
       int    cbMultiByte,     // number of bytes in string
       LPWSTR lpWideCharStr,   // wide-character buffer
       int    cchWideChar      // size of buffer
   );

For example:
Original string: CRACKZ (43h 52h 41h 43h 4Bh 5Ah). Wide-string format: C.R.A.C.K.Z (43h 00h 52h 00h 41h 00h 43h 00h 4Bh 00h 5Ah 00h). So when you look at strings in memory in SoftICE you will see them in this spaced-out form; for numeric values (doubles) you should switch to the DL (long real) display to see the correct number. (By default SoftICE's data window is in DB, byte, mode.)

In most cases it is difficult to set the right breakpoint in a VB program. Once the breakpoint is set, enter the serial number and run; you break into VBRUNxxx.DLL. Now look at the registers (EAX and EBX) for the length of the string you typed. If you find nothing, press Ctrl+D to let the program continue to the next break inside the VB DLL and look again. Once you find the string length in a register, single-step and watch carefully: with luck the input string is sitting in a register or in nearby memory. Then use Alt + cursor keys in the SoftICE data window to scroll through memory; the correct serial may be lying close by.
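To make the two memory-reading steps concrete (the reversed 4-byte address at ebp+0c from the __vbaVarTstNe example, and the wide-string layout just described), here is an added Python example that is not part of the original tutorial. It builds a constructed memory snapshot containing two VB strings and a stack slot pointing at each, then does by code what you would do by hand in SoftICE: read the little-endian pointer, follow it to the string, and search memory for the wide form of a serial. The load address BASE and the simplification that ebp+0c holds a direct string pointer (a real Variant argument adds one more indirection) are assumptions. A VB string is a BSTR, that is a 4-byte byte count followed by UTF-16LE characters and a 2-byte NUL, with the pointer referring to the characters.

```python
import struct

BASE = 0x00140000   # hypothetical load address of the constructed memory snapshot below


def to_wide(s):
    """VB4 and later store strings as UTF-16LE: 'CRACKZ' -> 43 00 52 00 41 00 43 00 4B 00 5A 00."""
    return s.encode("utf-16-le")


def build_snapshot():
    """Constructed memory image: two BSTRs plus a stack slot pointing at each.
    BSTR layout: 4-byte byte count, the UTF-16LE characters, then a 2-byte NUL;
    the pointer that gets pushed refers to the characters, not to the length."""
    mem = bytearray(0x100)

    def put_bstr(off, s):
        w = to_wide(s)
        struct.pack_into("<I", mem, off, len(w))
        mem[off + 4:off + 4 + len(w)] = w
        return BASE + off + 4

    real = put_bstr(0x10, "CRACKZ")       # the *real* serial
    entered = put_bstr(0x40, "CRACKA")    # what was typed into the box
    # [ebp+0c] and [ebp+10] of the __vbaVarTstNe example (simplified to direct string pointers)
    struct.pack_into("<II", mem, 0x80, real, entered)
    return bytes(mem)


def read_pointer(mem, addr):
    """'d ebp+0c' shows e.g. 14 00 14 00: the bytes of the little-endian dword 0x00140014."""
    return struct.unpack_from("<I", mem, addr - BASE)[0]


def read_bstr(mem, addr):
    """Read the string a BSTR pointer refers to, using the byte count stored 4 bytes before it."""
    off = addr - BASE
    nbytes = struct.unpack_from("<I", mem, off - 4)[0]
    return mem[off:off + nbytes].decode("utf-16-le")


def find_wide(mem, needle):
    """Addresses where needle occurs in wide form; an ANSI search for the same text finds nothing."""
    w = to_wide(needle)
    hits, i = [], mem.find(w)
    while i != -1:
        hits.append(BASE + i)
        i = mem.find(w, i + 1)
    return hits


def strings_at_breakpoint(mem, ebp):
    """The by-hand procedure: d ebp+0c, read the reversed dword as an address, d that
    address; the same for ebp+10. Returns (real serial, entered serial)."""
    real_ptr = read_pointer(mem, ebp + 0x0C)
    entered_ptr = read_pointer(mem, ebp + 0x10)
    return read_bstr(mem, real_ptr), read_bstr(mem, entered_ptr)


if __name__ == "__main__":
    mem = build_snapshot()
    ebp = BASE + 0x74                      # so that ebp+0c is the constructed stack slot
    print("wide form of CRACKZ:", to_wide("CRACKZ").hex(" "))
    print("real / entered at breakpoint:", strings_at_breakpoint(mem, ebp))
    print("wide hits for CRACKZ:", [hex(a) for a in find_wide(mem, "CRACKZ")])
    print("ANSI hits for CRACKZ:", mem.find(b"CRACKZ"))   # -1: the string is not stored that way
```

The ANSI search failing while the wide search succeeds is the point of the section: when you use SoftICE's S (search) command on a VB program, search for the spaced form, or for the first character only, rather than for the plain ASCII string.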
--------------------------------------------------------------------------------
IV. Introduction to oleaut32.dll (author: dr0)

When cracking VB programs, most of the attention goes to vbrun*.dll (VB3, VB4) and msvbvm*.dll (VB5, VB6). In fact, many VB operations are carried out in oleaut32.dll. This DLL provides many functions for operating on Variant-type variables, mainly the VarXXX() family; several of them are used to compare strings and numbers:

Addr: 77A11AAE     Ord: 176 (00B0h)   Name: VarCmp
Addr: (illegible)  Ord: 311 (0137h)   Name: VarCyCmp
Addr: 77A0E5F8     Ord: 312 (0138h)   Name: VarCyCmpR8
Addr: 77A129CD     Ord: 314 (013Ah)   Name: VarBstrCmp
Addr: 77A12958     Ord: 316 (013Ch)   Name: VarR4CmpR8
Addr: 77A13697     Ord: 204 (00CCh)   Name: VarDecCmp
Addr: 77A1298B     Ord: 298 (012Ah)   Name: VarDecCmpR8

Here is a small program, RAMQuota (www.stepnet.com.au), written in VB6, which uses VarBstrCmp() from the list above to compare the registration code. The key instructions in that function are:
:77A12A03 8B7D0C     mov edi, dword ptr [ebp+0C]
:77A12A06 8B7508     mov esi, dword ptr [ebp+08]
:77A12A09 8B4D10     mov ecx, dword ptr [ebp+10]
:77A12A0C 33C0       xor eax, eax
:77A12A0E F366A7     repz cmpsw
:77A12A11 7405       je 77A12A18
:77A12A13 1BC0       sbb eax, eax
:77A12A15 83D8FF     sbb eax, FFFFFFFF
:77A12A18 85C0       test eax, eax
:77A12A1A 7F45       jg 77A12A61
:77A12A1C 7D16       jge 77A12A34
:77A12A1E 33C0       xor eax, eax
It seems worth taking a closer look at oleaut32.dll.
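The sbb pair after repz cmpsw is the part of that listing people tend to misread, so here is an added Python emulation of exactly the fragment shown (it is not part of the original article, and it is not oleaut32's full VarBstrCmp, which also deals with lengths and locale). It follows the flags through xor / repz cmpsw / sbb eax,eax / sbb eax,FFFFFFFF and then applies the jg / jge pair, returning the VARCMP_LT / VARCMP_EQ / VARCMP_GT codes that the oleaut32 comparison functions use. The assumption that ECX holds the number of WCHARs to compare is mine; the text does not say what [ebp+10] contains.

```python
VARCMP_LT, VARCMP_EQ, VARCMP_GT = 0, 1, 2     # return codes of the oleaut32 VarXXXCmp family


def cmpsw_sbb_fragment(left, right, ecx):
    """Emulate the listing above:
         xor eax,eax / repz cmpsw / je equal / sbb eax,eax / sbb eax,FFFFFFFF
    esi -> left, edi -> right (both UTF-16LE), ecx = number of WCHARs to compare (assumed).
    Returns the value left in EAX: 0 equal, -1 if left sorts lower, +1 if it sorts higher."""
    l, r = left.encode("utf-16-le"), right.encode("utf-16-le")
    zf, cf = True, False                           # flags after xor eax,eax: ZF=1, CF=0
    for i in range(ecx):                           # repz cmpsw stops at the first unequal WCHAR
        a = int.from_bytes(l[2 * i:2 * i + 2].ljust(2, b"\0"), "little")   # [esi], NUL past the end
        b = int.from_bytes(r[2 * i:2 * i + 2].ljust(2, b"\0"), "little")   # [edi]
        zf, cf = (a == b), (a < b)                 # cmpsw computes [esi] - [edi]; CF = unsigned borrow
        if not zf:
            break
    if zf:
        return 0                                   # je taken: EAX is still 0 from the xor
    eax = -1 if cf else 0                          # sbb eax,eax  -> 0 - 0 - CF, leaves CF unchanged
    eax = eax + 1 - (1 if cf else 0)               # sbb eax,-1   -> eax - (-1) - CF
    return eax                                     # -1 when left < right, +1 when left > right


def var_cmp_result(eax):
    """The jg / jge pair after test eax,eax: greater, then equal, otherwise less."""
    if eax > 0:
        return VARCMP_GT
    if eax >= 0:
        return VARCMP_EQ
    return VARCMP_LT


if __name__ == "__main__":
    for real, typed in (("CRACKZ", "CRACKZ"), ("CRACKZ", "CRACKA"), ("CRACK", "CRACKZ")):
        eax = cmpsw_sbb_fragment(real, typed, 6)
        print("%-7s vs %-7s -> eax=%2d -> VARCMP=%d" % (real, typed, eax, var_cmp_result(eax)))
```

At the VarBstrCmp breakpoint the same information is one command away: d esi and d edi show the two wide strings being compared, and the value in EAX at the test instruction tells you which branch the program is about to take.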
V. Visual Basic comparison methods

There are at least eight ways a Visual Basic program can check a serial number or password. The eight discussed here are the easiest to deal with; the first three are the most common.

1) String comparison

In this method the correct password is a string, e.g. "Correct Password", and the password you entered is another string, e.g. "Entered Password".

A string is a sequence of adjacent characters: letters, digits, spaces and punctuation. A fixed-length string can hold 0 to about 63K characters; a variable-length string can hold up to about 2 billion characters.

The usual VB string comparison looks like this:

   If "Correct Password" = "Entered Password" Then    ' compare the two strings directly
       GoTo CorrectMessage
   Else
       GoTo WrongMessage
   End If

This is a simple protection scheme. If the program protects itself this way, it is easy to intercept with SoftICE.

Available breakpoints:
i) __vbaStrComp or __vbaStrCmp (two underscores) <-- string comparison functions. Note: for a VB6 program prefix both breakpoints with msvbvm60!, for example bpx msvbvm60!__vbaStrComp or bpx msvbvm60!__vbaStrCmp
ii) Search for the special comparison code (the repz cmpsw pattern shown in the VarBstrCmp listing above), for example the byte sequence 56 57 8b 7c 24 10 8b 0c 8b 4c 24 14 33 c0 f3 66 a7
2) Variant comparison

In this method two Variant variables are compared with each other. Variant is a special data type that can hold numbers, strings, dates and some user-defined types. It takes 16 bytes for a number, or 22 bytes plus the string length for a string.

Sample code:

   Dim correct As Variant, entered As Variant    ' define correct and entered as Variants
   correct = "Correct Password"                  ' set correct to the correct password
   entered = Text1.Text                          ' entered is the password you typed
   If correct = entered Then                     ' Variant comparison
       GoTo CorrectMessage
   Else
       GoTo WrongMessage
   End If

With this method the two breakpoints from 1) do not fire, because the program no longer calls __vbaStrComp...

Useful breakpoint:
i) __vbaVarTstEq <-- tests whether two Variants are equal
Note: for a VB6 program prefix the breakpoint with msvbvm60!, for example bpx msvbvm60!__vbaVarTstEq

3) Long integer comparison

This is also common: two Long variables are compared with each other. Long is a 4-byte (32-bit) signed integer with a range of -2,147,483,648 to 2,147,483,647, so this method has the limitation that only numbers can be compared. Example:

   Dim correct As Long, entered As Long    ' define correct and entered as Long integers
   correct = 12345                         ' set correct to the correct password
   entered = Text1.Text                    ' entered is the password you typed, converted from a string
   If entered = correct Then               ' Long comparison
       GoTo CorrectMessage
   Else
       GoTo WrongMessage
   End If

There is no special breakpoint function for this type, because the comparison is done in the main program itself (a plain CMP) rather than in the VB DLL. The string-to-Long conversion of the typed text, however, does go through the runtime (see the data type conversion functions below).
There are five more methods. If the ones below sound a little strange or unlikely you can ignore them, but remember that VB protection is not limited to the three above.

4) Single-precision real (Single) comparison
5) Double-precision real (Double) comparison
6) Integer comparison
7) Byte comparison
8) Currency comparison

Does this mean we can break every time on a program that uses just one of the eight comparison types above? No. The program may use two methods at the same time, for example Currency and String, or Variant and Long... Some other possible breakpoints:
1) Data type conversion
   i)   String to Byte or Integer:  __vbaI2Str
   ii)  String to Long:             __vbaI4Str
   iii) String to Single:           __vbaR4Str
   iv)  String to Double:           __vbaR8Str
   v)   String to Currency:         VarCyFromStr   (VB6; your WINICE.DAT must export OLEAUT32.DLL)
   vi)  Integer to String:          VarBstrFromI2  (VB6; your WINICE.DAT must export OLEAUT32.DLL)
2) Data movement
   i)   String to memory:           __vbaStrCopy
   ii)  Variant to memory:          __vbaVarCopy or __vbaVarMove
3) Operators
   i)   Addition:        __vbaVarAdd    <-- add Variants
   ii)  Subtraction:     __vbaVarSub    <-- subtract Variants
   iii) Multiplication:  __vbaVarMul    <-- multiply Variants
   iv)  Division:        __vbaVarIdiv   <-- divide Variants, integer result
   v)   XOR:             __vbaVarXor    <-- XOR
4) Others
   i)    __vbaVarForNext   <-- used where the code has a For ... Next loop
   ii)   __vbaFreeStr
   iii)  __vbaFreeObj
   iv)   __vbaStrVarVal    <-- get the string value held in a Variant
   v)    MultiByteToWideChar
   vi)   rtcMsgBox
   vii)  __vbaVarCat       <-- concatenate two Variants
   viii) __vbaFreeVar
   ix)   __vbaObjSet