Well Fravia+, as promised here comes my essay on OCX controls. It really 

doesn't bring any new approaches. It took time but it's difficult to 

find the time to do everything that we want...I mean all that stuff 

about listening to music or reading the classics.

OCX controls have replaced their VBX counterparts as software 

components to be added to the main applications. The reason is 

that OCX controls can use 32 bit technology while VBX controls 

can't.

These controls need to be registered so that the OS can be aware of 

them. That's why they have all some self registering functions built 

inside. But this doesn't mean we can use them whenever we want to. 

For example a control can be used as a part of an application in some 

machine but will not load in the user programming environment (Visual 

Basic for instance) because a licensing scheme, used by the control, 

prevents him to do so.

The reason is that when we try to use a control that uses a licensing 

procedure it will try to find some specific information in our machine. 

If it is not there the control doesn't get loaded.

During the application execution the control can be loaded because 

the application carries inside the necessary info to give to the control 

and allow its loading. 

In brief, let's say that the application generates some lic info or 

lic key (look for RequestLicKey, CreateInstanceLic and GetLicInfo in 

the target's control).

We will see now two examples.



Example1: Using a LIC file

Target: Fountain.ocx

Where to find: http://www.soe.bcit.bc.ca/ocx/

When we place the control in a form, an ocx malfunction pops a 

nagscreen which makes one loose its concentration. 

Very disturbing...

So we need to find out what went wrong.

Let's start with a bpx dialogbox (just to start fishing). 

We load the control in the Visual Basic environment and bang... 

We pop into Softice at 0001.1677: 



:0001.1637 C8280000               enter 0028, 00

:0001.163B 1E                     push ds

:0001.163C 8ED8                   mov ds, ax

:0001.163E 9AF5000000             call OC25.Ord{0985h}

:0001.1643 8EC2                   mov es, dx

:0001.1645 8BD8                   mov bx, ax

:0001.1647 26FF7708               push word ptr es:[bx+08]

:0001.164B 0E                     push cs

:0001.164C 68A209                 push 09A2	'Fountain.lic

:0001.164F 0E                     push cs	'Fountain Fill OCX Copyright

:0001.1650 686209                 push 0962



* Possible Reference to Dialog: DialogID_0064, CONTROL_ID:00FF, ""

                                  |

:0001.1653 6AFF                   push FFFF

:0001.1655 9AFFFF0000             call OC25.Ord{027Eh}

:0001.165A 0BC0                   or ax, ax	'If valid lic file then ax=1 

:0001.165C 7523                   jne 1681	'and we jump above the nag



:0001.165E 68CF00                 push 00CF	'nag screen procedures start 

here

:0001.1661 50                     push ax

:0001.1662 50                     push ax

:0001.1663 8D46D8                 lea ax, [bp-28]

:0001.1666 16                     push ss

:0001.1667 50                     push ax

:0001.1668 9AFFFF0000             call OC25.Ord{011Bh}

:0001.166D 8D46D8                 lea ax, [bp-28]

:0001.1670 16                     push ss

:0001.1671 50                     push ax

:0001.1672 9AFFFF0000             call OC25.Ord{0373h}  'bpxing the dialogbox

:0001.1677 8D46D8                 lea ax, [bp-28]	'We have landed here!

:0001.167A 16                     push ss

:0001.167B 50                     push ax

:0001.167C 9AFFFF0000             call OC25.Ord{0198h}



                                  |

:0001.1681 B80100                 mov ax, 0001

:0001.1684 1F                     pop ds

:0001.1685 C9                     leave

:0001.1686 CA0400                 retf 0004



Scrolling up the code we soon find the location where the decision 

is taken. The dead list doesn't give us enough info so we place a 

bpx at 0001.164B to trace from that point on and understand the jne

at 0001.165C (yes, we felt it, but we want to understand).

After doing some tracing around this point we see that after all the 

problem is that a license file called Fountain.lic with a string 

inside seem to be curiously missing.

Ok we can take care of that, in order to avoid further interruptions 

in our programming and/or reversing activities,by preparing a simple 

LIC file with the required string.

Make a note of it: this call to OC25.dll Ord{027Eh} is found in 

many controls that implement such simple licensing scheme. 

The reason is that this procedure is generated automatically by the

control building wizard. Of course the programmer can (and should)

override such a simple verification in order to make things at least 

a little harder. 

Anyway I've used this approach of searching the dead list for this 

call and I can tell you that it works. Simply modify the routine 

0x27E inside OC25.dll (keep a 'sound copy of it as OC25.ori) in 

order to get always ax=1 as a return value and all these targets 

won't bother you anymore with OCX with their funny license files.



Example2: Using the registry or a lic file

Target: Vsocx.ocx

Where to find: http://www.videosoft.com



Ok, let's install the OCX control using the setup prog included in the 

evaluation pack.

Now in the VB environment we try to load the control using the Custom 

Control menu dialog.

The control appears in the control toolbox. Everything seems to be 

fine... 

When we place one of the 3 controls that come within vsocx we get a 

nag screen telling us where to call to get a registered version. 

That's a bug of course, because this screen is supposed to be shown 

only when we click the about button in the properties window.

So we are here to fix this misplaced call.

As this window does not seem to be a messagebox, so we place a bpx 

dialogbox and wait to see what we fish. 

Unload the control clearing the checkbox on the custom controls menu 

and check it again to get it again in the controls toolbox. 

We try to place the control in the form and ..bang! into Softice we

go.

After some F12's we find ourselves in vsocx16.



* Referenced by a CALL at Address:0002.1EC7

|

:0002.23D6 B82D24                 mov ax, SEG ADDR of Segment 0005

:0002.23D9 C8280000               enter 0028, 00

:0002.23DD 1E                     push ds

:0002.23DE 8ED8                   mov ds, ax



* Possible Reference to Dialog: DialogID_01F4 

                                  |

:0002.23E0 68F401                 push 01F4

:0002.23E3 6A00                   push 0000

:0002.23E5 6A00                   push 0000

:0002.23E7 8D46D8                 lea ax, [bp-28]

:0002.23EA 16                     push ss

:0002.23EB 50                     push ax

:0002.23EC 9AFFFF0000             call OC25.Ord{011Bh}

:0002.23F1 8D46D8                 lea ax, [bp-28]

:0002.23F4 16                     push ss

:0002.23F5 50                     push ax

:0002.23F6 9A24BF0000             call OC25.Ord{0373h}

:0002.23FB 48                     dec ax		'We land here!

:0002.23FC 751E                   jne 241C

:0002.23FE C45E06                 les bx, [bp+06]



  The code at this place doesn't feel interesting so we scroll up to 

the begining of this rotine where we place a bpx at the very beginning, 

in order to use  the stack command next time we come by.

Make a note of it: Call OC25.Ord{011Bh} followed by call OC25.Ord{0373h} 

are used in about boxes. 

Once more we unload and load the control into the VB toolbox; place the 

control in a form... bum!

Back into Softice, at our own breakpoint. 

Now we do a stack command. 

Note that from the dead list we also get the caller!

This is where we are:



:0002.1EAC FF7608                 push word ptr [bp+08]

:0002.1EAF 56                     push si

:0002.1EB0 9AD05C5519             call 0001.5CD0

:0002.1EB5 833E520D00             cmp word ptr [0D52], 0 'our friends "compare"

:0002.1EBA 750E                   jne 1ECA               'and "jump if true"

:0002.1EBC C706520D0100           mov word ptr [0D52], 1

:0002.1EC2 FF7608                 push word ptr [bp+08]

:0002.1EC5 56                     push si

:0002.1EC6 0E                     push cs

:0002.1EC7 E80C05                 call 23D6		  'This call starts 

							  'the nag screen

:0002.1ECA 1F                     pop ds

:0002.1ECB 5E                     pop si

:0002.1ECC C9                     leave

:0002.1ECD CA1000                 retf 0010





What controls the unwanted call? 

Obviously the cmp word ptr [0D52]

Is it written somewhere during the loading of the control?

Let's find out with a bpm ds:0d52

Unload and load the control bl· bl· bl·...

Aha! Now this is interesting...



:0001.B9C6 B837A6                 mov ax, SEG ADDR of Segment 0005

:0001.B9C9 C8080000               enter 0008, 00

:0001.B9CD 1E                     push ds

:0001.B9CE 8ED8                   mov ds, ax

:0001.B9D0 833E520D00             cmp word ptr [0D52], 0000

:0001.B9D5 757D                   jne BA54		

  

OCX controls seem to be poorly protected from what we have 

seen here. 

There are of course several ways to pinpoint these components. 

Instead of showing you a way to get along with a specific control 

I want to give you a general idea of the concepts regarding ocx 

licensing control from the point of vue of a +HCU study. 

We will see in the near future more interesting things to work on, 

like digital signatures of activeX controls, which are dowloaded 

by all web browsers when they show some html pages. 



Thanks to +ORC and the +HCU fellows, who taught me 99% of what 

I know. Well... I've also learned something by myself I must say.

I thank again Fravia+ for maintaining his site with such powerful 

information, and a special thanks goes to +ReZiDeNt for his help.



(c) +PopJack    15 January 1998