How to crack the password protection of a VB5 program

Source: Internet
Author: User
Tags: password protection

Source: bounty hunter

Haha, here is a quick way to crack the password protection of VB5 programs (and even of some DLLs).

This assumes you already have SoftICE installed.

First, a word about how a VB5 program is put together.

Start with the code the machine actually executes. What you write is source code (you cannot write a program directly in hexadecimal, especially on Windows), because a programming language is far easier to write, test and debug; but at some point that source has to run on the machine. There are two ways to get there. The first (slow) way translates one line, executes it, then translates the next: this is interpretation, and a separate program, the interpreter, has to do the translating while your program runs. The second (fast) way translates the whole source ahead of time into a form the machine understands, so nothing has to be translated line by line when the program runs: this is compilation, and no other program is needed for translation at run time.

Microsoft has blurred this distinction once again, or is trying to, as it so often does (always hiding the truth!).

OK! Back to the topic: cracking VB5 (EXE or DLL).

A VB5 program does not run on its own. Whether it was built as P-code or as native code, it always needs the VB5 runtime, MSVBVM50.DLL, to interpret and carry out its work, even though Microsoft says "VB code can now be fully compiled!" (Bull s...!)

That means an EXE or DLL built with VB5 has to call into MSVBVM50.DLL to find out what to do next, even for a string comparison: it calls a runtime function named __vbaStrComp to compare two strings (can you believe it?!).

You may have cracked things under Win9x before and have your own ideas about where to set breakpoints. They will not work here, because VB5 hands the program's operations to MSVBVM50.DLL (the code does not perform them itself; the runtime does), which also makes the program very slow. It also means the usual API breakpoint, GetDlgItemText, will not catch anything, 16-bit or 32-bit; even if that function were called, it would not lead you back into the program's own code. Remember: if you want to be a programmer, never write a VB program!

So you must add MSVBVM50.DLL to the EXP section of SOFTICE.DAT or WINICE.DAT in the SoftICE directory, by adding a line like the following to the file:

EXP=C:\***the Windows installation directory***\SYSTEM\MSVBVM50.DLL

After adding this line, restart the machine so SoftICE loads the new export table.

After restart...

Run the program to be cracked until the dialog box asking for the password appears. Press CTRL+D to pop into SoftICE.

Type:

BPX __vbaStrComp

This breakpoint stops execution every time the VB5 program compares two strings, since every string comparison goes through this runtime function.

Now press CTRL+X to return to the VB program, type some characters into the password box, and press Enter. What happens? The breakpoint fires and you are back in SoftICE.

Clear all breakpoints (BC *) and scroll the code window down (CTRL+DownArrow) until you see the following code:

F003585: MOV ECX,[EBP+0C]
F003588: MOV EDI,[ECX-04]
F00358B: CMP EDI,ESI

Set a breakpoint at F00358B (the CMP EDI,ESI line); just double-click it. Press F5 to return to the program, and the breakpoint fires when the comparison is reached. By this point the caller has already placed the two strings to be compared in memory: the first (source) string is at the address held in EAX, and the second (target) string is at the address held in ECX. To look at both, type

D EAX

to dump the data EAX points to, and

D ECX

to dump the data ECX points to. Note that VB stores strings as 16-bit characters, so in the ASCII column of the dump each letter of the password is followed by a dot (the zero high byte).

If you see what you are looking for, great! Clear the breakpoint, return to the program and type in the string you found (piece of cake!). If you don't, don't be discouraged: press F5 again, because you may have landed in some other string comparison or in the runtime's own housekeeping (storing variables, for instance). Each time you press F5 you stop at the same place, so type

D EAX
D ECX

to check the memory again; you will find that picking out the password is easy (if it is not there yet, press F5 once more).
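Added example, not from the original article: a small C model of the VB5 string layout that the runtime's comparison code walks, so the listing above and the D EAX / D ECX dumps make sense. It assumes VB5 strings are BSTRs (a 4-byte byte-count prefix immediately before UTF-16LE characters, with the pointer aimed at the first character); reading MOV EDI,[ECX-04] as "load the length of the string ECX points to" is this example's interpretation of the listing, and the real __vbaStrComp argument list and return convention are not shown on the page, so the compare routine here is a model of the memory walk only, not the runtime's code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a VB5 string (BSTR, assumed layout): a 4-byte byte-count prefix
 * sits just before the UTF-16LE characters, and the BSTR pointer itself points
 * at the first character, not at the prefix.  That is why the listing does
 * MOV EDI,[ECX-04]: it loads the length of the string whose pointer is in ECX. */
typedef uint16_t WCHAR;
typedef WCHAR *BSTR;

static BSTR make_bstr(const char *ascii)
{
    size_t n = strlen(ascii);
    uint32_t bytes = (uint32_t)(n * sizeof(WCHAR));
    uint8_t *block = malloc(sizeof bytes + bytes + sizeof(WCHAR));
    if (block == NULL) return NULL;
    memcpy(block, &bytes, sizeof bytes);      /* length prefix, little-endian on x86 */
    BSTR s = (BSTR)(block + sizeof bytes);
    for (size_t i = 0; i < n; i++) s[i] = (WCHAR)(unsigned char)ascii[i];
    s[n] = 0;                                 /* BSTRs are also NUL-terminated */
    return s;
}

static void free_bstr(BSTR s)
{
    if (s != NULL) free((uint8_t *)s - sizeof(uint32_t));
}

/* The [ECX-04] read: the byte length stored just before the characters. */
static uint32_t bstr_byte_len(BSTR s)
{
    uint32_t n;
    memcpy(&n, (const uint8_t *)s - sizeof n, sizeof n);
    return n;
}

/* Binary comparison modelled on the listing: lengths (ESI vs EDI) decide ties,
 * the bytes decide otherwise.  Returns <0, 0, >0 like strcmp.  Not the real
 * __vbaStrComp, whose arguments are not shown on the page. */
static int vba_str_comp_model(BSTR a, BSTR b)
{
    uint32_t la = bstr_byte_len(a), lb = bstr_byte_len(b);
    uint32_t n = la < lb ? la : lb;
    int c = memcmp(a, b, n);
    if (c != 0) return c;
    return (la > lb) - (la < lb);
}

/* Wrapper for two ASCII literals. */
int compare_ascii(const char *x, const char *y)
{
    BSTR a = make_bstr(x), b = make_bstr(y);
    int r = vba_str_comp_model(a, b);
    free_bstr(a); free_bstr(b);
    return r;
}

/* The byte count the [ECX-04] load would return for this string. */
uint32_t byte_len_of(const char *x)
{
    BSTR s = make_bstr(x);
    uint32_t n = bstr_byte_len(s);
    free_bstr(s);
    return n;
}

/* What the ASCII column of a SoftICE D dump shows for the first line: each
 * character followed by '.', because the high byte of every UTF-16 char is 0. */
const char *dump_ascii_column(const char *x)
{
    static char col[17];
    BSTR s = make_bstr(x);
    const uint8_t *p = (const uint8_t *)s;
    uint32_t n = bstr_byte_len(s) + sizeof(WCHAR);   /* include the terminator */
    if (n > 16) n = 16;
    for (uint32_t i = 0; i < n; i++)
        col[i] = (p[i] >= 0x20 && p[i] < 0x7f) ? (char)p[i] : '.';
    col[n] = '\0';
    free_bstr(s);
    return col;
}

int main(void)
{
    printf("[ECX-04] for \"secret\"     = %u bytes\n", byte_len_of("secret"));
    printf("D ECX ascii column          = %s\n", dump_ascii_column("secret"));
    printf("compare(secret, secret)     = %d\n", compare_ascii("secret", "secret"));
    printf("compare(secret, secreu)     = %d\n", compare_ascii("secret", "secreu"));
    return 0;
}
```

The practical point is the dump: a six-character password occupies twelve bytes plus a two-byte terminator, and in the ASCII column it reads s.e.c.r.e.t... rather than secret, so do not dismiss a dump that looks like letters separated by dots.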

This method works 100% on programs compiled with Visual Basic 5 (EXE and DLL; I think it also works on OCX files, but I have never tried it!).

If you still cannot find what you are looking for, you can also set breakpoints elsewhere in MSVBVM50.DLL.

You can break anywhere the runtime library performs a comparison, or list every function the library exports once you are stopped in SoftICE, just by typing:

(Since I am new to SoftICE, I only know that this is a very quick way.)

EXP

This lists all the functions exported by the system libraries, including MSVBVM50.DLL, which appears last because I put it at the end of WINICE.DAT:

The main functions used for comparisons are:

For strings:
__vbaStrComp
__vbaStrCmp
__vbaStrCompVar
__vbaStrLike
__vbaStrTextComp
__vbaStrTextLike

For variants:
__vbaVarCompEq
__vbaVarCompLe
__vbaVarCompLt
__vbaVarCompGe
__vbaVarCompGt
__vbaVarCompNe
...

I am sure you will find more, but the main thing VB works with is the string, because every text box returns a string (unless they take a numeric value, which is unlikely), and because passwords are usually letters, numbers and special symbols, the result is one string!
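Added pre-check, not from the original article: before typing BPX, confirm which of the __vba* runtime functions above the target actually imports. The PE import hint/name table stores every imported name as plain NUL-terminated ASCII, so a raw scan of the file for "__vba..." identifiers is enough for this purpose and needs no PE parsing. The sample buffer in the code is constructed for the demo and is not a real VB5 binary; the Comp/Cmp/Like heuristic is this example's own reading of the list above, and __vbaFreeStr is included only as a non-comparison export the scan should find but not flag.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 32
#define MAX_NAME_LEN 64

static int is_ident_char(unsigned char c)
{
    return isalnum(c) || c == '_';
}

/* Collects distinct NUL-terminated identifiers that start with "__vba".
 * Returns how many were stored in `names`. */
int find_vba_imports(const unsigned char *buf, size_t len,
                     char names[MAX_NAMES][MAX_NAME_LEN])
{
    static const char prefix[] = "__vba";
    const size_t plen = sizeof prefix - 1;
    int count = 0;

    for (size_t i = 0; i + plen <= len; i++) {
        if (memcmp(buf + i, prefix, plen) != 0)
            continue;
        size_t j = i + plen;
        while (j < len && is_ident_char(buf[j]) && j - i < MAX_NAME_LEN - 1)
            j++;
        /* Accept only a complete identifier that the file terminates with NUL,
         * which is how the import name table stores it. */
        if (j == i + plen || j >= len || buf[j] != 0)
            continue;
        char name[MAX_NAME_LEN];
        memcpy(name, buf + i, j - i);
        name[j - i] = '\0';
        int dup = 0;
        for (int k = 0; k < count; k++)
            if (strcmp(names[k], name) == 0) dup = 1;
        if (!dup && count < MAX_NAMES)
            strcpy(names[count++], name);
        i = j;
    }
    return count;
}

/* Heuristic taken from the article's list: comparison exports carry
 * Comp, Cmp or Like in their names. */
int is_compare_export(const char *name)
{
    return strstr(name, "Comp") != NULL || strstr(name, "Cmp") != NULL
        || strstr(name, "Like") != NULL;
}

/* Constructed sample: fragments of a fake import name table plus noise.
 * Each entry mimics a hint/name record: 2-byte hint, name, NUL. */
static const unsigned char sample_image[] =
    "MZ\x90\x00" "PE\x00\x00" "noise __vba"        /* prefix with no name: ignored */
    "\x12\x00__vbaStrComp\x00"
    "\x07\x00__vbaFreeStr\x00"                      /* imported, but not a comparison */
    "\x03\x00__vbaVarCompEq\x00"
    "\x12\x00__vbaStrComp\x00"                      /* duplicate: counted once */
    "MSVBVM50.DLL\x00";

static char found[MAX_NAMES][MAX_NAME_LEN];

int sample_import_count(void)
{
    return find_vba_imports(sample_image, sizeof sample_image - 1, found);
}

int sample_compare_count(void)
{
    int n = sample_import_count(), c = 0;
    for (int i = 0; i < n; i++)
        if (is_compare_export(found[i])) c++;
    return c;
}

const char *sample_import_name(int i)
{
    return found[i];
}

int main(void)
{
    int n = sample_import_count();
    for (int i = 0; i < n; i++)
        printf("%-20s %s\n", found[i],
               is_compare_export(found[i]) ? "<- candidate for BPX" : "");
    return 0;
}
```

To use it on a real target, read the EXE or DLL into a buffer and pass it to find_vba_imports; if __vbaStrComp is absent from the result, pick one of the other comparison exports that is present for the BPX instead of pressing F5 through a breakpoint that will never fire.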
