Cracking visual basic, a lesson for the programmers
by Zero
(14 July 1997)
Cracking a Visual Basic program with a decompiler
Cracking Plasmid Toolkit 1.3
Plasmid Toolkit version 1.3 (1996) from Microbe Software can be found at
ftp.sunet.se/pub/molbio/ibmpc/ptk-demo.exe.
The main exe file is PTK13.EXE (1 040 448 bytes).
This program is pretty useless, even for a DNA hacker like me, but I
decided to crack it, because the authors of this program were too pushy
asking for my money and I don't like that. As it turned out, this program is
also good candidate for the most stupid protection award (IMHO).
To make it clear: I can understand if a programmer implements a simple
protection scheme knowing that it will protect against average users, (even
if the more complicated ones will be useless against dedicated crackers :-)
What I can't understand is, why they put two locks on the front door and
let the back door wide open. As you will see, in this case it probably took the
programmer more time to code and debug the protection routine than us to
crack it.
Let's see the target:
During installation, we observe that the program installs vbrun300.dll,
so we have another Visual Basic "toy application", on our hands. After
starting it, the first thing we get is a registration form (nice welcome!)
with Name, Company and Licence info required. Pressing the Cancel button
takes us through a nag screen (which reminds us about the unregistered
status of the program) to the working area. We load up a sample map and
quickly discover that the export and save functions have been disabled and
that in the middle of our plasmid graphic sits a "unregistered version" sign.
Upon leaving the program we get another nag screen, reminding us to register
in order "to enable all functions".
Well, we have here an arsenal of nag functions (and a licence agreement
that even Micro$oft could envy), all these problems can be cured entering
a correct licence number.
Let's crack:
This program, written in Visual Basic, means that WDASM is no good, and
that debugging with Softice will not be a great fun, either.
You could crack the registration as written in the fine essay by Razzia,
of course... yet let's see if there is another... a more "relaxed" way.
Let's try first of all DoDi's excellent VBdecompiler, an obvious choice.
You can get the demo version from his homepage at
http://ourworld.compuserve.com/homepages/DoDi/ but it
can't decompile large files like ptk13.exe, so I suggest to get the registered
version of this nice decompiler, somehow :-)
Let the decompiler operate on the PTK13.EXE file. Surprise! It works nicely
and we practically have the VB source code in our hands (what a shame!).
The meaningful variable names are gone, but that's really no problem
for us.
After a little searching, we find the interesting REGFORM.BAS module.
Ok, let's peek into it! All right, the code deals with the registration,
and the most interesting part is this:
Sub OKButton_Click ()
Dim l005A As Integer <-Flag
Dim l005C As String
Dim l0060 As Integer
l005A% = fn6338(rname, rlicence) <-Flag set here
If (l005A% = 1) Then
gv0668 = Trim$(rlicence.Text) <-Good guy goes here
gv0664 = Trim$(rname.Text)
gv066C = Trim$(rcomp.Text)
l005C$ = gv0464 & "ptk.ini"
l0060% = extfn1050("Registration", "Registered User", gv0664, l005C$)
l0060% = extfn1050("Registration", "Company", gv066C, l005C$)
l0060% = extfn1050("Registration", "Licence Number", gv0668, l005C$)
PFWmenu.Export.Enabled = True <-Let's enable everything for good guy
PFWmenu.save.Enabled = True
PFWmenu.save_as.Enabled = True
PFWmenu.SaveButton.Enabled = True
Unload RegForm
Else
gv0668 = "" <-Bad guy goes here
rlicence.Text = ""
MsgBox "Invalid Licence Number", 48, "Registration Failure"
Exit Sub
End If
End Sub
Function fn6338 (p0068, p006C As Variant) As Integer <-This sets the flag
Dim l0072 As String
If (Len(Trim$(p006C)) <> 16 Or Mid$(Trim$(p006C), 6, 1) <> "-") Then
fn6338 = 0
Exit Function
End If
l0072$ = fn2030(p0068) <- Last ten char of the licence is calculated
If (UCase$(Mid$(Trim$(p006C), 7, 10)) = l0072$) Then
fn6338 = 1
Else
fn6338 = 0
End If
End Function
Well, the above snippet talks for itself. The licence code is checked
with the fn6338 function which gets the name and registration code as
input. The code must be 16 char long with the 6th char being a dash.
The last ten character of the code are created by the fn2030 function
which gets the name string as input. Ok, let's search for the fn2030
function in the decompiled modules. We find it in MODULE5.BAS:
Function fn2030 (p000A As Variant) As String
Dim l000E As String
Dim l0010 As String
Dim l0012 As Integer
Dim l0014 As String
Dim l0016 As Integer
Dim l0018 As String
Dim l001A As Integer
Dim l001C As Integer
Dim l001E As Integer
l000E$ = Trim$(p000A)
l000E$ = LCase$(l000E$)
l0010$ = ""
For l0012% = 1 To Len(l000E$) <-Removing spaces
l0014$ = Mid$(l000E$, l0012%, 1)
If (l0014$ <> " ") Then
l0010$ = l0010$ + l0014$
End If
Next l0012%
l0016% = Len(l0010$)
l0018$ = ""
If (l0016% <= 10) Then <-Adjusting the lenght to 10 char
l0010$ = "bibblefnord" + l0010$
l0010$ = Right$(l0010$, 10)
End If
For l0012% = 10 To 1 Step -1 <-Calculation of code
l0014$ = Mid$(l0010$, l0012%, 1)
For l001A% = l0012% - 1 To 2 Step -1
l001C% = Asc(l0014$) Xor Asc(Mid$(l0010$, l001A%, 1))
Next l001A%
If (l001C% > 90 Or l001C% <48) Then l001E%="l001C%" Mod 42 l001E%="l001E%" + 48 If (l001E% > 57 And l001E% < 65) Then l001E%="l001E%" 7 End If l0014$="Chr$(l001E%)" End If l0018$="l0018$" + l0014$ Next l0012% fn2030="l0018$" End Function Finally, here it is, the heart of the code "generator..class" tppabs="http://cracking.byus.com/fravia/generator..class" We can see the adjustment of the name string with "bibblefnord", some XORing, etc., but
in fact we do not need to understand the precise mechanism of the code
generation to get a good code. We can rip out this function and modify it
a bit, to get the name input (p000A) from the keyboard and print the result
to the screen (actually, the "12345-"+result string, keeping in mind what
the fn6338 function does) and we get a perfect code generator in basic!
(Before you run the code you might have to tailor it a bit to your basic
interpreter, like with MS QBasic trim$ must be replaced by consecutive
Ltrim$ and Rtrim$ functions, etc).
I did not write here any valid licence code, because the purpose of this
essay is not to distribute a crack for this useless program, but to show:
1) The beginner crackers that they can spare a lot of work by trying a VB
decompiler, before attacking with Softice.
2) The shareware VB programmers that it is useless to implement "tricky"
code generators, if they don't protect against decompilation. Not even
mentioning that they show their "source code" to the whole world.
("Antidecompiler" tools can be found on Dodi's homepage).
Finally, I would like to thank +ORC and his' students for the fine essays
and Fravia+ for his amazing WEB site.
Written by ZER0