Cracking visual basic, a lesson for the programmers

by Zero

(14 July 1997, slightly edited by Fravia+)


Courtesy of Fravia's page of reverse engineering

Well, Visual Basic cracking can always come at hand... here is another essay by Zero, master of the "save disabled" protections



Cracking a Visual Basic program with a decompiler

Cracking Plasmid Toolkit 1.3

Plasmid Toolkit version 1.3 (1996) from Microbe Software can be found at
ftp.sunet.se/pub/molbio/ibmpc/ptk-demo.exe.
The main exe file is PTK13.EXE (1 040 448 bytes).

 This program is pretty useless, even for a DNA hacker like me, but I
decided to crack it, because the authors of this program were too pushy
asking for my money and I don't like that. As it turned out, this program is
also good candidate for the most stupid protection award (IMHO).
 To make it clear: I can understand if a programmer implements a simple
protection scheme knowing that it will protect against average users, (even 
if the more complicated ones will be useless against dedicated crackers :-)
 What I can't understand is, why they put two locks on the front door and
let the back door wide open. As you will see, in this case it probably took the
programmer more time to code and debug the protection routine than us to
crack it. 

Let's see the target:
 During installation, we observe that the program installs vbrun300.dll,
so we have another Visual Basic "toy application", on our hands. After 
starting it, the first thing we get is a registration form (nice welcome!) 
with Name, Company and Licence info required. Pressing the Cancel button
takes us through a nag screen (which reminds us about the unregistered
status of the program) to the working area. We load up a sample map and
quickly discover that the export and save functions have been disabled and 
that in the middle of our plasmid graphic sits a "unregistered version" sign.
Upon leaving the program we get another nag screen, reminding us to register
in order "to enable all functions".
 Well, we have here an arsenal of nag functions (and a licence agreement
that even Micro$oft could envy), all these problems can be cured entering 
a correct licence number.

Let's crack:
 This program, written in Visual Basic, means that WDASM is no good, and 
that debugging with Softice will not be a great fun, either. 
You could crack the registration as written in the fine essay by Razzia, 
of course... yet let's see if there is another... a more "relaxed" way. 
Let's try first of all DoDi's excellent VBdecompiler, an obvious choice. 
You can get the demo version from his homepage at 
http://ourworld.compuserve.com/homepages/DoDi/ but it 
can't decompile large files like ptk13.exe, so I suggest to get the registered
version of this nice decompiler, somehow :-)

 Let the decompiler operate on the PTK13.EXE file. Surprise! It works nicely
and we practically have the VB source code in our hands (what a shame!).
The meaningful variable names are gone, but that's really no problem 
for us.
After a little searching, we find the interesting REGFORM.BAS module.
Ok, let's peek into it! All right, the code deals with the registration,
and the most interesting part is this:

Sub OKButton_Click () 
Dim l005A As Integer <-Flag
Dim l005C As String
Dim l0060 As Integer
l005A% = fn6338(rname, rlicence) <-Flag set here
If  (l005A% = 1) Then  
  gv0668 = Trim$(rlicence.Text) <-Good guy goes here
  gv0664 = Trim$(rname.Text)
  gv066C = Trim$(rcomp.Text)
  l005C$ = gv0464 & "ptk.ini"
  l0060% = extfn1050("Registration", "Registered User", gv0664, l005C$)
  l0060% = extfn1050("Registration", "Company", gv066C, l005C$)
  l0060% = extfn1050("Registration", "Licence Number", gv0668, l005C$)
  PFWmenu.Export.Enabled = True <-Let's enable everything for good guy
  PFWmenu.save.Enabled = True
  PFWmenu.save_as.Enabled = True
  PFWmenu.SaveButton.Enabled = True
  Unload RegForm
Else 
  gv0668 = "" <-Bad guy goes here
  rlicence.Text = ""
  MsgBox "Invalid Licence Number", 48, "Registration Failure"
  Exit Sub
End If
End Sub

Function fn6338 (p0068, p006C As Variant) As Integer <-This sets the flag
Dim l0072 As String
If  (Len(Trim$(p006C)) <> 16 Or Mid$(Trim$(p006C), 6, 1) <> "-") Then
  fn6338 = 0 	
  Exit Function			
End If
l0072$ = fn2030(p0068) <- Last ten char of the licence is calculated
If  (UCase$(Mid$(Trim$(p006C), 7, 10)) = l0072$) Then	
  fn6338 = 1			
Else
  fn6338 = 0
End If
End Function

 Well, the above snippet talks for itself. The licence code is checked
with the fn6338 function which gets the name and registration code as 
input. The code must be 16 char long with the 6th char being a dash.
 The last ten character of the code are created by the fn2030 function
which gets the name string as input. Ok, let's search for the fn2030
function in the decompiled modules. We find it in MODULE5.BAS:

Function fn2030 (p000A As Variant) As String
Dim l000E As String
Dim l0010 As String
Dim l0012 As Integer
Dim l0014 As String
Dim l0016 As Integer
Dim l0018 As String
Dim l001A As Integer
Dim l001C As Integer
Dim l001E As Integer
l000E$ = Trim$(p000A)
l000E$ = LCase$(l000E$)
l0010$ = ""
For l0012% = 1 To Len(l000E$) <-Removing spaces
  l0014$ = Mid$(l000E$, l0012%, 1)
  If  (l0014$ <> " ") Then
    l0010$ = l0010$ + l0014$
  End If
Next l0012%
l0016% = Len(l0010$)
l0018$ = ""
If  (l0016% <= 10) Then <-Adjusting the lenght to 10 char
  l0010$ = "bibblefnord" + l0010$
  l0010$ = Right$(l0010$, 10)
End If
For l0012% = 10 To 1 Step -1 <-Calculation of code
  l0014$ = Mid$(l0010$, l0012%, 1)
  For l001A% = l0012% - 1 To 2 Step -1
    l001C% = Asc(l0014$) Xor Asc(Mid$(l0010$, l001A%, 1))
  Next l001A%
  If  (l001C% > 90 Or l001C% <48) Then l001E%="l001C%" Mod 42 l001E%="l001E%" + 48 If (l001E% > 57 And l001E% < 65) Then l001E%="l001E%" 7 End If l0014$="Chr$(l001E%)" End If l0018$="l0018$" + l0014$ Next l0012% fn2030="l0018$" End Function Finally, here it is, the heart of the code "generator..class" tppabs="http://Fravia.org/generator..class" We can see the adjustment of the name string with "bibblefnord", some XORing, etc., but
in fact we do not need to understand the precise mechanism of the code
generation to get a good code. We can rip out this function and modify it
a bit, to get the name input (p000A) from the keyboard and print the result
to the screen (actually, the "12345-"+result string, keeping in mind what
the fn6338 function does) and we get a perfect code generator in basic!
(Before you run the code you might have to tailor it a bit to your basic
interpreter, like with MS QBasic trim$ must be replaced by consecutive
Ltrim$ and Rtrim$ functions, etc).
 I did not write here any valid licence code, because the purpose of this
essay is not to distribute a crack for this useless program, but to show:

1) The beginner crackers that they can spare a lot of work by trying a VB
decompiler, before attacking with Softice.

2) The shareware VB programmers that it is useless to implement "tricky"
code generators, if they don't protect against decompilation. Not even
mentioning that they show their "source code" to the whole world. 
("Antidecompiler" tools can be found on Dodi's homepage).

Finally, I would like to thank +ORC and his' students for the fine essays
and Fravia+ for his amazing WEB site. 

Written by ZER0



You are deep inside Fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays tools cocktails
search_forms corporate mailFravia
Is reverse engineering legal?