Visual Basic
Pluckit 3.0 ~ Hip Hip Hurray for Smartcheck
by +Indian_Trail , 04 May 1998
Courtesy of Fravia's page of reverse engineering
Fravia's comments
An interesting essay for beginners, which underlines an old truth:
IF visual basic THEN cracked at once
Protectors working in visual basic should be aware of the existence of Smartcheck (I can't imagine anyone working with ANY programming language that doesn't know of this GREAT incredible reversing tool..., as I have written myself repeatedly :-)
There is a crack, a crack in everything
That's how the light gets in
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert
We have all seen fine examples of how to use SmartCheck. This essay is about how to get a valid serial number out of SmartCheck rather than finding a byte to patch. I don't think it's possible to write a clever protection in Visual Basic, so the protection itself is not interesting at all...
Title
Pluckit 3.0 Hip Hip Hurray for Smartcheck
Written by +Indian_Trail
Introduction

A friend of mine asked me to crack this program. It is a news scanner that downloads pictures from newsgroups, probably written for porno lusers. Anyway, I didn't know that Pluckit was written in Visual Basic, so this was my first attempt at a Visual Basic program.

I never liked Visual Basic or Delphi; I don't see the point in using a language that produces bad code. The obvious way should be to try to write programs as small and efficient as possible, and to do that, as you all know, you have to write the main routines in pure assembler. Anyway, I don't mind people using Visual Basic as an introductory language to computer programming. Most of us learned BASIC as a start on the first home computers like the ZX80, Sinclair Spectrum and C64. But programs that are written in toy languages like this should be free for all people.

Applications that are slow and filled with bugs should not be commercial, they should be freeware (this is valid for Word and Excel as well, btw). Unfortunately the author of this lame crap has another idea about this. On startup there is an ugly nagscreen with some text inside it, an "OK" button and a "Cancel" button. After the nagscreen comes a register screen where you can input a serial number; if you don't have a serial# you'll only be able to download 15 files. We will focus on the serial#.

Tools Required
SmartCheck 5.0 (NuMega)
Win32Dasm
Target: www.pluckit.com
The Essay

Step I: loading the target through smartcheck.


As I mentioned, this is my first attempt to crack a VB program. In my first approach I changed some jumps in memory, but there were too many jumps to change, so I decided to go for the serial number. I'm not going to cover how to set up SmartCheck because Fravia+ has already done that. Well, let's fire up SmartCheck...

On startup you'll get two 'invalid arguments' errors; like I said, this crap is filled with bugs. Proceed to the registration screen and type in any number. In SmartCheck choose View > "Specific events and errors" so you can easily navigate and find what we are looking for.

After the "invalid..." dialog box appears, terminate Pluckit3, go to SmartCheck and look around. At sequence# 16745 you'll see your false serial number. What follows is:

16752   Trim (variant: string "false#")        4d4260
16763   Val (string "false":
        |
        |
16931   MsgBox
-----

Now it's time to choose View > "All events". I reached this point after 3 seconds, and what you'll see now is the first barricade of the protection scheme. The last things that are done before the message box, as you'll see if you have chosen "All events", are:

16926   __vbaVarOr()
16927   __vbaBoolVarNull()      Return dword FFFFF
16928   __vbaVarDup(VARIANT: string "invalid", Variant boolean false)
----
This looks very strange: no manipulations at all so far except the basic ones, i.e. calculating the length of the string and so on. I don't know what __vbaVarOr or __vbaBoolVarNull do exactly, but judging from their names they must check something for being either true or false. That was what I thought when I first glanced at it. But what could it be? It could be three things:
1. A letter
2. A character, i.e. "%" or whatever
3. Both of them

So start all over again and this time enter your name as the registration#. Remember to choose View > "Specific events and errors" if you want to skip a lot of unimportant "code".

There are some significant changes. The first obvious one is that we passed __vbaBoolVarNull, and the second is that the sequence numbers have shrunk!? The message box is now at sequence# 14764. But what's more interesting are the lines above 14764. From 14731 to 14758 there is a bunch of Integer(#) --> Long(#) conversions where # starts from 0 and ends at 9. View all events and you'll see that under each Integer(#) there is a different number that is tested against a variable called double:0. The values that are tested against double:0 are:

55276
39824
68684
75268
12367
59826
48927
65826
34096
15824

This means that double:0 should have a value equal to one of these numbers, and the registration code must contain a letter (or letters) for us to pass __vbaBoolVarNull(). We also know that double:0 is zero when we entered only letters. So the registration code must have some numbers and one or more letters.

Step II

Start again (I know this begins to be boring, but we are almost finished). This time we must use systematic inputs. Let's begin with 123A and see what value is given to double:0. Hmm, we didn't pass the __vbaBoolVarNull() function with 123A. Well, my experience with registration codes tells me that the letter may be a separator between two numbers. Let's try 123A123.

Great (balls of fire), we passed the evil __vbaBoolVarNull(). Let's find out if double:0 has a value. Just click on one of the __vbaVarTestEq calls, at sequence# 14909 for example, which is the first one. As you'll see, double:0 now has the value 15129 and is therefore shown as double:15129 instead of double:0. How did it get that value?

14347   __vbaVarMul(variant: double: 123, variant: double: 123)   returns dword 6FF714

Well, 123*123=15129, and that's where double:15129 got its value from. So the form of the registration code is #####X##### = Y where # is a digit, X is a letter and Y is any of the valid numbers that our double:15129 is tested against. Let's pick one of the valid numbers and use it in our code like this:

55276A1000 = 55276*1000 = 55276000

Since such a visual programmer is assumed to be a moron, he will probably only check the first five numbers, but hey, should he check all the numbers we still have the equation... so it would be really easy to solve. But let's first try the above to see how dumb such a "programmer" can be... Could you believe that? It worked at once! What a moron programmer!
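To make the inferred check concrete, here is an added example written for this page (it is not Pluckit's code and not the essay author's): a model of the serial check as the SmartCheck trace suggests it, and a key generator that walks the relation backwards, producing one serial for every factor pair of an accepted product. The Val() mimic only handles plain digit strings, and splitting the serial at its first letter is an assumption (the essay only shows that 123A123 yields 123*123). The `strict` mode is the literal reading of the __vbaVarTestEq calls; the `prefix` mode encodes the essay's guess that only the first five digits of the product are compared, which is what would let 55276A1000 pass. That prefix rule is a hypothesis about the target, not something the trace shows.

```python
"""Model of the Pluckit 3.0 serial check as inferred from the SmartCheck trace.

Added example, not Pluckit's code. Inferred scheme: DIGITS LETTER DIGITS,
each side passed through Val(), the two results multiplied (__vbaVarMul),
the product compared (__vbaVarTestEq) against a fixed list of ten numbers.
"""
import math

# The ten constants the essay reports being compared against double:0.
VALID_PRODUCTS = {55276, 39824, 68684, 75268, 12367,
                  59826, 48927, 65826, 34096, 15824}


def vb_val(s: str) -> int:
    """Mimic VB's Val() for unsigned integers: skip leading whitespace, read
    digits up to the first non-digit, return 0 if there are none.
    (Real Val() also handles signs, decimals and &H/&O prefixes; not modelled.)"""
    digits = ""
    for ch in s.lstrip():
        if not ch.isdigit():
            break
        digits += ch
    return int(digits) if digits else 0


def split_serial(serial: str):
    """Split at the first letter (assumption based on the 123A123 experiment).
    Returns (left, right) text halves, or None if the serial has no letter."""
    serial = serial.strip()  # the trace shows Trim() before Val()
    for i, ch in enumerate(serial):
        if ch.isalpha():
            return serial[:i], serial[i + 1:]
    return None


def serial_product(serial: str) -> int:
    """The value that ends up in double:0, i.e. Val(left) * Val(right).
    No letter, or no digits on one side, yields 0 (the essay's double:0)."""
    parts = split_serial(serial)
    if parts is None:
        return 0
    left, right = parts
    return vb_val(left) * vb_val(right)


def is_valid(serial: str, mode: str = "strict") -> bool:
    """strict: product must equal one of the constants (literal reading of the
    __vbaVarTestEq calls). prefix: hypothesis from the essay that only the first
    five digits of the product are compared; makes 55276A1000 pass."""
    product = serial_product(serial)
    if mode == "strict":
        return product in VALID_PRODUCTS
    if mode == "prefix":
        return product != 0 and int(str(product)[:5]) in VALID_PRODUCTS
    raise ValueError(f"unknown mode {mode!r}")


def keygen(product: int, letter: str = "A") -> list:
    """Keygen: every factor pair a*b == product gives a serial 'a<letter>b'.
    The separator letter is a free choice under the inferred scheme."""
    if product not in VALID_PRODUCTS:
        raise ValueError("not one of the accepted products")
    keys = []
    for a in range(1, math.isqrt(product) + 1):
        if product % a == 0:
            b = product // a
            keys.append(f"{a}{letter}{b}")
            if a != b:
                keys.append(f"{b}{letter}{a}")
    return keys


if __name__ == "__main__":
    # Constructed inputs mirroring the essay's experiments.
    for s in ("123A123", "yourname", "123A", "55276A1000", "2A27638"):
        print(f"{s:>11}  product={serial_product(s):<9} "
              f"strict={is_valid(s)!s:<5} prefix={is_valid(s, 'prefix')}")
    print(keygen(55276))
```

Running it reproduces the essay's observations: a name or 123A leaves the product at 0, 123A123 gives 15129 (rejected), and any factor pair of an accepted constant, such as 2A27638 for 55276, passes the strict check without relying on the five-digit guess.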

NuMega deserves all credit for SmartCheck; this is truly an amazing tool. That's it for now.

Indian_Trail
(Saddle all the horses far on the Indian Trail, 'til it's time to change the key and jump to a different scale...a boogie woogie on the run)
Ob duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
Final Notes
I don't know why one should choose Visual Basic to make an application like this one. But this author is probably just a greedy loser, who only wants to make some fast money instead of taking pride in a good, lean and fast program.