Happy VB5 cracking
(Blackwidow's demise ~ IF visual basic THEN cracked at once)

by intruder mexelite97

(19 December 1997)


Courtesy of fravia's page of reverse engineering
Well, another very interesting contribution to our visual basic project! I find intruder mexelite97's project of preparing our own references for the Msvbvm50.dll functions VERY interesting, and I will send my contribution asap. In the mean time, once more, I would like to suggest to all those that are working on VisualBasic (or any other kind of software reversing, come to think of that :-) to have at least a try at Smartcheck, a fantastic Numega's cracking tool (see my relevant essay), those of you that have not used it yet for cracking purposes will be quite surprised :-)
One last thing: is there a lesson for shareware programmers? Yes, a quite interesting one:
IF VISUAL BASIC THEN CRACKED AT ONCE
Therefore, DO NOT USE visual basic... or if you really think you must, at least prepare your protection schemes in assembly, so learn assembly, so forget Visual Basic... it's the devil (cracker) circle! :-)


First I would like to thank fravia+, +gthorne, the_owl, niabi, razzi, josephco and all of you guys that I can't remember now. This is my small contribution to the war against our beloved bill and Micro$oft, I hope you enjoy this tute.

Tools needed:
-Softice (I'm using v3.2)
-Wdasm
-Hex editor
 
Blackwidow v3.21

Blackwidow is an off-line browser and I find it pretty kewl (get it at Tucows or any other shareware archive), but it has some limitations. This is a VB5 proggie, the exe is about 400 kb and has lots of calls to the big, fat mama: Msvbvm50.dll.
First I will crack _blackwidow.exe (no browser) and _bwds.exe (this exe is called to download the selected files); the program has two more exe files (the others, blackwidow.exe and bwds.exe), which allow you to browse through the downloaded files.
Now run the proggie a couple of times and check the protection type, have u checked?
Ok, there is a stupid nag window that tells you how many days you have left to evaluate ("You have XX days left…")**, and you can download a maximum of 50 files each time (this really pisses me off). Why can't they let us evaluate the full working proggie, grrrrrrrrr. But we have the possibility to register the proggie if we want to: it's a S/N protection.
Now change the date, say one month forward, and run the proggie again. Can u see the nag that tells u that your evaluation is over ("Your evaluation period has expired…..")***? And if u try to explore any site, the same nag will pop up and ask you to register.
How do we crack this one?
You can use razzi's techniques of hmemcpy and MultiBytetoWidechar, but you will get into some huge encryption and checksum routines, damn there must be another way!!!
I lost a couple of days trying to crack the S/N and finally I decided to try another approach.
I'll use a different approach, one that I've never seen in any essay. (For the moment, just remember that in vb4 proggies, and vb5 as well, strings are in wide format.)
Let's crack! First thing is to get a disassembled list of _blackwidow.exe. Have u got it? Good, let's go on. Can you see the huge amount of calls? (damn VB programmers).
Now check the imports… hmm… interesting names: rtcMsgBox, __vbalenBstr, etc. Since we are going to use softice, don't forget to load the Msvbvm50.dll exports into softice.
Ok, now run blackwidow, can u see the nag? Now we will set a breakpoint to land in blackwidow code: press Ctrl+D to get into softice and type bpx __vbalenBstr (you can try any bpx you fancy on other functions, but this one will work for sure). Now press Ctrl+D to get out of softice and just try to register the proggie (just press the OK button). Softice will pop up at the beginning of __vbalenBstr; press F11 to get out of the call and you will be inside blackwidow code.
Now here's the approach: we are going to search for the message in the nag, remember - "You have XX days left…", but don't forget that the string is in wide format. So we will search for "You have…"
 
 

Character   ASCII (hex)
Y           59
o           6f
u           75
(space)     20
h           68
a           61
v           76
e           65

Let's search..... in softice type -  s 0 lffffffff 59 00 6f 00 75 00 20 00 68 00 61 00 76 00 65

Softice will probably find several memory locations with this string, but only one will be inside blackwidow data. Check the line that separates the data window from the window above; if something like this appears:

----------_BLACKWIDOW!.text+1010C----------byte-----------

then you found your string!!!!!!
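Why an ASCII-only string scan comes up empty on a VB5 image while a UTF-16LE scan finds the text, shown as an added example (not part of the original essay). The helper names `wide` and `find_strings` and the `SAMPLE` buffer are constructed for illustration.

```python
import re

def wide(text: str) -> bytes:
    """Encode text the way VB4/VB5 stores string literals: UTF-16LE ("wide")."""
    return text.encode("utf-16-le")

def find_strings(blob: bytes, min_len: int = 4):
    """Return sorted (offset, kind, text) for printable ASCII and wide runs."""
    found = []
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # A wide run is a printable byte followed by 00, repeated min_len+ times.
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_run.finditer(blob):
        found.append((m.start(), "wide", m.group().decode("utf-16-le")))
    return sorted(found)

# Constructed sample buffer (not bytes from the real program): an ASCII
# import name, three filler bytes, then a wide string literal.
SAMPLE = (b"\x90\x90" + b"MSVBVM50.DLL\x00" + b"\x00\x01\x02"
          + wide("You have % days left") + b"\x00\x00")

if __name__ == "__main__":
    print(wide("You have").hex(" "))          # same byte pattern as the table
    print(SAMPLE.find(b"You have"))           # -1: the ASCII search misses it
    for offset, kind, text in find_strings(SAMPLE):
        print(f"{offset:#06x} {kind:5} {text}")
```
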
Now just write down the mem location (mine is 411C0C), disable the breakpoint you set, go to your disassembled list and search for '411C0C' (ATTENTION: ignore the code line at offset '411C0C'; we are looking for the code where data offset '411C0C' is used, not the code offset). There is only one place where this address is used, look at the code:

* Referenced by a Jump at Address:0044486B(C)
|
:00444BCA 680C1C4100               push 00411C0C  ;<----here 'You have % days left.....'
:00444BCF 50                                 push eax
 

Hmm... interesting, isn't it? Let's go on: now we will search for the string that appears in the message when the evaluation period is over. We will use the same method we used to find the first string: enable the breakpoint and repeat the same procedure, and when you're inside blackwidow code just search for the string in the nag. So we will search for "Your evaluation period has now expired…"
 
 

Character   ASCII (hex)
Y           59
o           6f
u           75
r           72
(space)     20
e           65
v           76
a           61
l           6c

Let's search..... in softice type -  s 0 lffffffff 59 00 6f 00 75 00 72 00 20 00 65 00 76 00 61 00 6c

Search until you find the string we are looking for inside blackwidow data (check the line that separates the data window from the window above). Write down the address and search for it inside the disassembled list; once again it will only appear once:


* Referenced by a Jump at Address:00444850(U)
* Reference To: MSVBVM50.rtcGetTimer, Ord:0217h
                                  |
:00444858 FF1590444600   Call dword ptr [00464490]
:0044485E A128E04500     mov eax, dword ptr [0045E028]   ;eax=days left
:00444863 D91D30E04500   fstp dword ptr [0045E030]       ;doesn't matter
:00444869 3BC3           cmp eax, ebx       ;cmp eax with ebx, ebx=0
:0044486B 0F8F59030000   jg 00444BCA        ;jmp if any days left, this
                                            ;jump will lead you to the nag

* Reference To: MSVBVM50.__vbaStrCopy, Ord:0000h
                                  |
:00444871 8B3DD0444600   mov edi, dword ptr [004644D0]
:00444877 BAB81B4100     mov edx, 00411BB8            ;<-----here
:0044487C 8D4DEC         lea ecx, dword ptr [ebp-14]

We found the place where the program decides which nag should pop up. Now let's take a look at the code just before this call to rtcGetTimer:

:0044471A 1BFF           sbb edi, edi
:0044471C F7DF           neg edi
:0044471E E8DD6A0100     call 0045B200             ;<---what is this??
:00444723 33D2           xor edx, edx              ;edx=0
:00444725 3DDABF0202     cmp eax, 0202BFDA         ;cmp eax with some checksum
:0044472A 0F95C2         setne dl                  ;set dl=1 if not equal
:0044472D 0BFA           or edi, edx
:0044472F 750D           jne 0044473E              ;jmp unregistered user--
:00444731 66391D78E04500 cmp word ptr [0045E078], bx
:00444738 0F8403040000   je 00444B41

* Referenced by a Jump at Address:0044472F(C)
:0044473E 833D28E0450001 cmp dword ptr [0045E028], 1 ;compare days left **
:00444745 0F8C07010000   jl 00444852                 ;jmp if 0 days left
:0044474B 8D4598         lea eax, dword ptr [ebp-68]
:0044474E 50             push eax

* Reference To: MSVBVM50.rtcGetDateVar, Ord:0262h
                                  |
:0044474F FF1508454600  Call dword ptr [00464508]

* Referenced by a Jump at Address:00444745(C)
* Reference To: MSVBVM50.__vbaStrMove, Ord:0000h
                                  |
:00444852 8B3544454600  mov esi, dword ptr [00464544]; <- here, if 0 days left

* Referenced by a Jump at Address:00444850(U)
* Reference To: MSVBVM50.rtcGetTimer, Ord:0217h
                                  |
:00444858 FF1590444600  Call dword ptr [00464490]
:0044485E A128E04500    mov eax, dword ptr [0045E028]   ;eax=days left
:00444863 D91D30E04500  fstp dword ptr [0045E030]       ;doesn't matter
:00444869 3BC3          cmp eax, ebx     ;cmp eax with ebx, ebx=0
:0044486B 0F8F59030000  jg 00444BCA      ;jmp if any days left, this jump
                                         ;will lead you to the nag

* Reference To: MSVBVM50.__vbaStrCopy, Ord:0000h
                                  |
:00444871 8B3DD0444600  mov edi, dword ptr [004644D0]
:00444877 BAB81B4100    mov edx, 00411BB8 ;<-----"Your evaluation period..."
:0044487C 8D4DEC        lea ecx, dword ptr [ebp-14]
...
* Referenced by a Jump at Address:0044486B(C)
|
:00444BCA 680C1C4100    push 00411C0C     ;<---here 'You have % days left...'
:00444BCF 50            push eax

As you can see, after this strange call the value in EAX is compared with 0202BFDA, and DL is set to 1 if EAX is different.
If you are a registered user the program just goes on; otherwise it checks how many days are left. There are 2 checks for this: the first one will check if you can still use blackwidow and set it up, and the second one will decide which nag should pop up. The mem location that stores the number of days left (on my computer) is 45E028. So let's crack.... permanently. Remember the strange call just before the registered user check? Now check that address (45b200 on my computer) and you'll see 9 calls to this routine; write down those 9 addresses and check each one of these 9 locations. Can u see that after each of these calls eax is compared with 202BFDA, and that after that there is a 'setne dl'?
Look!

:0044471E E8DD6A0100           call 0045B200
:00444723 33D2                 xor edx, edx
:00444725 3DDABF0202           cmp eax, 0202BFDA
:0044472A 0F95C2               setne dl

So to permanently crack this one you'll just need to change all the 'setne <reg>' that appear after the call to 'sete <reg>'.
The 'sete <reg>' opcode is 0F94XX. It's done. Now let's check _bwds.exe: this is the executable that _blackwidow.exe uses to download the files, and this exe also checks for the registered user (if you aren't a registered user you'll only be able to download a maximum of 50 files) and uses the same routine to do it. So just search for the value that is compared with eax after each call (0202BFDA): open your hex editor and search for 'DABF0202' and you will find two occurrences, now just change the 0F95 bytes to 0F94. And you will be able to download as many files as you want.
It's CRACKED, now just register with some fake serial.
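From the vendor's or an incident responder's side, the single-byte change described above is easy to detect and localise by comparing an installed image against the shipped one. The sketch below is an added example, not part of the original essay; the function names are assumptions, and `GOOD` is a constructed buffer built from the instruction bytes shown in the listing.

```python
import hashlib

# x86 SETcc encodings quoted on this page: 0F 95 = setne, 0F 94 = sete.
SETCC = {0x94: "sete", 0x95: "setne"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def changed_offsets(reference: bytes, suspect: bytes):
    """Offsets at which two same-sized images differ."""
    if len(reference) != len(suspect):
        raise ValueError("size mismatch: compare section by section instead")
    return [i for i, (a, b) in enumerate(zip(reference, suspect)) if a != b]

def classify(reference: bytes, suspect: bytes):
    """Describe each changed byte and flag an inverted SETcc condition."""
    report = []
    for off in changed_offsets(reference, suspect):
        old, new = reference[off], suspect[off]
        note = "modified byte"
        if off > 0 and reference[off - 1] == 0x0F and old in SETCC and new in SETCC:
            note = f"condition inverted: {SETCC[old]} -> {SETCC[new]}"
        report.append((off, old, new, note))
    return report

def verify(reference: bytes, suspect: bytes, known_good_sha256: str):
    """Return [] if the suspect matches the shipped digest, else the findings."""
    if sha256(suspect) == known_good_sha256:
        return []
    return classify(reference, suspect)

# Constructed sample: call / xor / cmp eax,0202BFDA / setne dl / or edi,edx
GOOD = bytes.fromhex("e8dd6a0100" "33d2" "3ddabf0202" "0f95c2" "0bfa")
TAMPERED = GOOD.replace(bytes.fromhex("0f95"), bytes.fromhex("0f94"))

if __name__ == "__main__":
    for off, old, new, note in verify(GOOD, TAMPERED, sha256(GOOD)):
        print(f"offset {off:#x}: {old:02x} -> {new:02x}  {note}")
```

A digest check only tells you that the file changed; the byte-level diff shows that the change sits on the instruction that turns the checksum comparison into the registered/unregistered flag.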
 
 
I've tried this 'live string search' approach in some other VB5 proggies and it worked fine. Currently I'm doing a reference for Msvbvm50.dll functions (I'll try to release it in a couple of weeks), so if you have reversed any of those I would appreciate it if you could send it to me, at devils_cave@hotmail.com.


(c) intruder mexelite97 All rights reversed