Cracking "PixPlayer99 v 1.0.0"

Date         : July 24, 1999
Author       : +ViPeR+ [E]bola [V]irus [C]rew
Program Name : PixPlayer99 v 1.0.0
Location     : http://www.techsono.com/
Method       : VB6 program. WideChar Compare.

-------------------------------------------------------------------------------

VB6 program. Trace, trace, trace until you see the 'Invalide Registration Key'
screen. Click 'OK' to go back to Soft-Ice. Back-trace to locate the call that
causes the fail-jump. For this program, this is not hard to find. 'F8' into
the call and trace, trace, trace until.....

Code generation routine:

:
:
015F:00422092  3BBD20FFFFFF           CMP  EDI,[EBP-00E0]          ; EDI = position, [EBP-E0] = Len(name)
015F:00422098  0F8F86000000           JG   00422124                (NO JUMP, taken once EDI > Len(name))
015F:0042209E  8D55CC                 LEA  EDX,[EBP-34]
015F:004220A1  8D855CFFFFFF           LEA  EAX,[EBP-00A4]
015F:004220A7  52                     PUSH EDX
015F:004220A8  57                     PUSH EDI
015F:004220A9  8D4DBC                 LEA  ECX,[EBP-44]
015F:004220AC  50                     PUSH EAX
015F:004220AD  51                     PUSH ECX
015F:004220AE  C745D401000000         MOV  DWORD PTR [EBP-2C],00000001   ; length argument = 1
015F:004220B5  C745CC02000000         MOV  DWORD PTR [EBP-34],00000002   ; variant type VT_I2
015F:004220BC  899D64FFFFFF           MOV  [EBP-009C],EBX                ; the name string
015F:004220C2  C7855CFFFFFF08400000   MOV  DWORD PTR [EBP-00A4],00004008 ; variant type VT_BSTR|VT_BYREF
015F:004220CC  FF15F8104000           CALL [MSVBVM60!rtcMidCharVar]      ; Mid$(name, EDI, 1)
015F:004220D2  8D55BC                 LEA  EDX,[EBP-44]
015F:004220D5  8D45DC                 LEA  EAX,[EBP-24]
015F:004220D8  52                     PUSH EDX
015F:004220D9  50                     PUSH EAX
015F:004220DA  FF15A0114000           CALL [MSVBVM60!__vbaStrVarVal]
015F:004220E0  50                     PUSH EAX
015F:004220E1  FF1550104000           CALL [MSVBVM60!rtcAnsiValueBstr]   ; Asc(character)
015F:004220E7  0FBFC8                 MOVSX ECX,AX
015F:004220EA  03CE                   ADD  ECX,ESI                       ; running sum in ESI
015F:004220EC  0F805B010000           JO   0042224D                (NO JUMP)
015F:004220F2  8BF1                   MOV  ESI,ECX
015F:004220F4  8D4DDC                 LEA  ECX,[EBP-24]
015F:004220F7  FF158C124000           CALL [MSVBVM60!__vbaFreeStr]
015F:004220FD  8D55BC                 LEA  EDX,[EBP-44]
015F:00422100  8D45CC                 LEA  EAX,[EBP-34]
015F:00422103  52                     PUSH EDX
015F:00422104  50                     PUSH EAX
015F:00422105  6A02                   PUSH 02
015F:00422107  FF153C104000           CALL [MSVBVM60!__vbaFreeVarList]
015F:0042210D  B801000000             MOV  EAX,00000001
015F:00422112  83C40C                 ADD  ESP,0C
015F:00422115  03C7                   ADD  EAX,EDI                       ; next position
015F:00422117  0F8030010000           JO   0042224D                (NO JUMP)
015F:0042211D  8BF8                   MOV  EDI,EAX
015F:0042211F  E96EFFFFFF             JMP  00422092                (JUMP)

The JMP back to 00422092 repeats the loop for every character of the name;
once EDI has gone over the length of the name, the JG at 00422098 is taken
and we land here:

015F:00422124  8BCE                   MOV  ECX,ESI                       ; the sum of all Asc() values
015F:00422126  8B3D18104000           MOV  EDI,[MSVBVM60!__vbaStrI4]
015F:0042212C  6BC910                 IMUL ECX,ECX,10                    ; sum * 16
015F:0042212F  0F8018010000           JO   0042224D                (NO JUMP)
015F:00422135  51                     PUSH ECX
015F:00422136  FFD7                   CALL EDI                           ; Long -> String
015F:00422138  8B1D54124000           MOV  EBX,[MSVBVM60!__vbaStrMove]
015F:0042213E  8BD0                   MOV  EDX,EAX
015F:00422140  8D4DE4                 LEA  ECX,[EBP-1C]
015F:00422143  FFD3                   CALL EBX
015F:00422145  8B450C                 MOV  EAX,[EBP+0C]  ; <-- points to location
                                                         ;     of fake reg. code
                                                         ;
015F:00422148  8B55E4                 MOV  EDX,[EBP-1C]  ; <-- points to real code
                                                         ;     'd edx' to see it:
                                                         ;     1.5.4.0.8
                                                         ;     (the dots are the zero bytes
                                                         ;     of the wide-char BSTR)
015F:0042214B  52                     PUSH EDX
015F:0042214C  8B08                   MOV  ECX,[EAX]
015F:0042214E  51                     PUSH ECX
015F:0042214F  FF1510114000           CALL [MSVBVM60!__vbaStrCmp]

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
015F:660614AF  FF742408               PUSH DWORD PTR [ESP+08]
015F:660614B3  6A00                   PUSH 00                            ; binary (case-sensitive) compare
015F:660614B5  E8C6F5FFFF             CALL MSVBVM60!__vbaStrComp
015F:660614BA  C20800                 RET  0008
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

So the real code is simply the sum of the Asc() values of every character of
the name, multiplied by 16, as a decimal string.

Enter Name: evc_viper
      Code: 15408

to see the 'thanks for registering' message box.

Final Note:

There are a lot of locations that call MSVBVM60!__vbaStrComp. Hence, even if
you set a breakpoint on __vbaStrComp, it is still not very clear what they
are comparing. Use the strategy I stated at the beginning of this tutorial:
back-trace after the fail.

Ob Duh

Do I really have to remind you all that by buying and NOT stealing the
software you use will ensure that these software houses will continue to
produce even *better* software for us to use and, more importantly, continue
offering even more challenges to breaking their often weak protection
systems.

+ViPeR+ [E]bola [V]irus [C]rew
July 24, 1999
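The keygen below is an added example and is not part of +ViPeR+'s tutorial, nor code from PixPlayer99 itself. It re-implements in Python what the listing above shows: a loop that takes one character at a time (rtcMidCharVar), adds its Asc() value (rtcAnsiValueBstr) into a running Long, multiplies the sum by 0x10 (IMUL ECX,ECX,10) and converts it to a string (__vbaStrI4) that __vbaStrCmp compares byte-for-byte with the typed-in code. The function names pixplayer99_serial, as_vb_bstr_dump and check_code are this example's own. It assumes plain ASCII names, where Asc() and Python's ord() agree, and that __vbaStrI4 produces the decimal digits with no leading space, which is what the accepted code 15408 for evc_viper shows.

```python
# Added keygen for the PixPlayer99 v1.0.0 routine traced in the tutorial.
# Not the program's own code: a Python re-implementation of the listing.


def pixplayer99_serial(name: str) -> str:
    """Return the registration code the program computes for `name`.

    Mirrors the loop at 00422092..0042211F and the tail at 00422124:
    sum of Asc() over every character, times 16, converted to a string.
    Assumption: the name is plain ASCII, so ord() equals VB's Asc().
    """
    total = 0
    for ch in name:            # rtcMidCharVar(name, EDI, 1) for EDI = 1..Len(name)
        total += ord(ch)       # rtcAnsiValueBstr, then ADD ECX,ESI
    total *= 0x10              # IMUL ECX,ECX,10
    return str(total)          # __vbaStrI4: Long -> String, no leading space (assumed)


def as_vb_bstr_dump(code: str) -> bytes:
    """The bytes 'd edx' shows for the real code at 00422148.

    VB6 strings are UTF-16LE BSTRs, so every digit is followed by a zero
    byte; Soft-Ice prints those as dots, hence the display 1.5.4.0.8 and
    the 'WideChar Compare' in the method line.
    """
    return code.encode("utf-16-le")


def check_code(name: str, typed: str) -> bool:
    """Model of the __vbaStrCmp at 0042214F: __vbaStrComp with flag 0,
    i.e. a binary, case-sensitive, exact comparison of both strings."""
    return pixplayer99_serial(name) == typed


if __name__ == "__main__":
    name = "evc_viper"                       # the name used in the tutorial
    code = pixplayer99_serial(name)
    print(f"Name: {name}  Code: {code}")
    print("d edx ->", as_vb_bstr_dump(code))
    # Addition is commutative, so any permutation of the name shares the code.
    print("viper_evc ->", pixplayer99_serial("viper_evc"))
```

Because the scheme only adds the character values, every anagram of a name (and many unrelated names with the same character sum) is accepted with the same code, which is why the tutorial calls this an often weak protection system. Run the file as-is to reproduce the evc_viper / 15408 pair from the tutorial.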