"Smartchecking" VB Programs
Yet another stupid protection unearthed
25 February 1998
by Hs2L
Courtesy of Fravia's page of reverse engineering
slightly edited
by fravia+
Well, I always said this: Smartcheck is the 'final cracker weapon'. You may want to have a look at my own essay An interesting tool: Numega's Smartcheck, written in November 1997, and at Snatch's essay: An interesting tool: Numega Smartcheck 5.0, written in October 1997.
Hs2L's essay is a nice work and will have quite some interest for beginners AND for anyone among my readers that still does not use smartcheck. I like especially the list of alternative reversing methods at the end. I believe that it would ALWAYS be a good idea, writing an essay, to compare the 'innovative' solution you propose with the 'traditional' alternative cracking methods you know of.
And yes, by all means, use Smartcheck... and not only for visual basic programs... you won't regret it!
Enjoy!
There is a crack, a crack in everything That's how the light gets in
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

This is an easy crack using the powerful SmartCheck 5 VB debugger to unearth hidden code the programmer doesn't want you to see. Our target is VB Project Analyzer.
An example of VB Cracking using SmartCheck
(as opposed to Softice or IDA)
Written by Hs2L


Introduction
VB Project Analyzer is a Visual Basic code analyzer - not too useful for most of us but a good demonstration of a bad protection scheme implemented by a greedy programmer.

Tools required
SmartCheck 5.0 - This is the only tool you'll (ever) need.

Target's URL/FTP
ftp://kgb.quarta.com/NTUtil/NuMega/smchk50.exe
http://www.numega.com
www.aivosto.com/vb.html

Essay

I don't think too many reverse engineers would find this target useful. This is mainly to demonstrate how fantastic Smartcheck is rather than how to undo a certain protection scheme.

For those who don't have Smartcheck 5.0, I suggest you download it NOW and crack it using Softice (see Snatch's essay).

This Visual Basic runtime debugger and flow analyzer has to be seen to be believed. After having used this tool, I just hope more people make their stupid shareware in VB 5 so we can reverse all of their code, automagically, using this wonderful tool : )

You actually get ALL the code events, even COMMENTED, with their ORIGINAL names!!! Just load your target into Smartcheck and sit back and watch it generate event after event!

I wish you luck in trying to get this tool from NuMega's web site. They're starting to become difficult to deal with. I suggest you do an FTP search.

Well, that's enough about Smartcheck.



A friend had downloaded this target and I just copied the compressed file onto my disk. The program is, as the name suggests, a Visual Basic code analyzer.



I'm assuming you have SmartCheck 5 and have it configured to get maximum events. Here are the steps:

After loading Project Analyzer and BEFORE beginning, click on Settings from the Program menu. Click on the "Reporting" tab and enable everything except "Mouse movement from OCX".
Under the "File to check" tab, enable everything.
Under "Error detection", in "Type of errors to check for", check everything.
Check "Save settings" before exiting.
When you run the program, select "Show all events" from the "View" menu as well as "Arguments" and "Sequence Numbers".



After installing, when you run the program you see a simple nag screen with an edit box with the words "Guess..." in it. Obviously this is the place where you enter the registration code. Also, there's an option which allows you to analyze multiple project files. This is called Super Analyzer and requires a separate registration (shareware programmers never get too greedy). This, too, displays a nag.

Now that we've seen the program we can load SmartCheck with the program. So once we're in, SC begins dishing all the code as it runs the program (if you have the setting set for Show all events, you've got an incredible quantity of code right about now) so now the nag screen is displayed in all its glory.

For now press OK and clear it. Go to Project Analyzer's menu and select Add In-->Super Analyzer. A second nag screen asking you to register Super Analyzer pops up. Now, near the end of the code listing you should see something interesting:



FreeFile(VARIANT:Missing) returns Integer:1
Open(String:"C:\projectana\superpa.lic",Integer:1,long:-1)
Visual Basic Runtime Error 53: File not found
Close(Integer:1)
Super_About (form) create



What's happening here? You have to know a minimum amount of Visual Basic to understand this code.

FreeFile(VARIANT:Missing) returns Integer:1
        ----> FreeFile returns a file number that isn't in use. It is an
              integer and can be used to open files. In this case the
              number returned is 1.

Open(String:"c:\projectana\superpa.lic",
        ----> Translated into Basic this means:
              Open "c:\projectana\superpa.lic" for input as #1

So, it's looking for a file called superpa.lic (/projectana is the directory where I installed VBPA). After this, Smartcheck returns a runtime error stating that the file couldn't be opened. After this we see

Super_About (form) create
        ----> The nag screen is created



The above code has "Protection routine" written all over it. Essentially what's happening is, when you load Super Analyzer, the program attempts to open a license file. If it doesn't find one, it loads the nag screen. So, we can safely assume that when the registration code is correct, a license file is automatically generated. So, now, we create a superpa.lic file in the Project Analyzer directory. We leave it as an empty file and restart Project Analyzer through Smartcheck. This time when we try to open the Super Analyzer, the nag screen still shows up and some new code appears in Smartcheck.



After successfully opening the Superpa.lic file we see this:

LineInputNum(Integer:1)
Visual Basic Runtime Error :Input past end of file

So now, Project Analyzer (PA for short) is reading information sequentially from the file and since the file is empty, we get the error message "Input past end of file".

That means PA is not just seeing if the license file exists but checking the contents as well. That means we'll have to fill "SuperPA.lic" with something.



Now comes the incredible part. Just look at the line below in the Smartcheck code and you should see something like this:

LCase(VARIANT:By Ref String:"norppa")

What does this mean? Yes, you guessed it. It's the string that's supposed to be compared with what's in the license file! What does this mean? It means we just put "norppa" on the first line in the license file and it becomes valid!! Go ahead and try it. You are now the proud owner of a fully registered Super Analyzer addin : )



Now let's try the same thing with the Project Analyzer itself:

Wait for the nag screen to show up and then in the Smartcheck code, do a search for "lic". You should end up in a series of string manipulations. Scroll down until you see something like the following:

RTrim$(String:"Lic")		---->removes spaces to the right of "Lic"
RTrim$(String:"Project")             these aren't important
Len(String:"Lic") returns LONG:3

...some irrelevant stuff

OnError(long:-1)		----> Used for error handling
FreeFile(VARIANT:missing) returns integer:1
Open(String:"c:\projectana\project.lic",Integer:1,Long:-1)fails
Close(Integer:1)
About (Form) created



So, now we know what to do. We simply create another license file, this time with something written in it. So we make a "project.lic" file and in the first 5 lines put "crap".

We fire up SmartCheck again and get this code:

Open(String:"C:\projectana\project.lic",Integer:1,Long:-1,long:1)
Close(Integer:1)
Freefile
Open
LineInputNum(Integer:1)
LCase(VARIANT:ByRef String:"crap")  --->converts to lower case
LCase(VARIANT:ByRef String:"Tikannakit")
LCase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String: "Sibelius")
Lcase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String: "Ryppyotsa")
Close(Integer:1)
About(Form) created



Now, PA is checking if the file exists, then opening it a second time to read it sequentially. Now this part is particularly interesting:

LCase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String:"Tikannakit")
LCase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String: "Sibelius")
Lcase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String: "Ryppyotsa")

This looks like a direct case-insensitive string comparison, which can only mean it's comparing the contents of the license file with what it's supposed to contain. So, we create the license file as we did above, the first line being "Tikannakit", the second "Sibelius" and the third "Ryppyotsa". With Smartcheck, cracking this is almost a joke! With our new license file we simply load up PA again and this time we are fully registered!
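
Seen from the vendor's side, the flaw traced above is that the expected file contents sit in the program as plain strings and show up as arguments next to the user's input. The Python sketch below is an added example, not code from the essay or from Project Analyzer: it models that check and contrasts it with one that embeds only a slow salted digest of the key. The salt, iteration count, sample key and function names are constructed for the demo.

```python
import hashlib
import hmac

# Literals the essay's trace shows as LCase() arguments beside each file line.
EMBEDDED_PLAINTEXT = ["Tikannakit", "Sibelius", "Ryppyotsa"]


def weak_check(license_lines):
    """Model of the check described in the essay: lower-case each line and
    compare it with a literal stored in the program."""
    if len(license_lines) < len(EMBEDDED_PLAINTEXT):
        return False  # short or empty file ("Input past end of file")
    return all(got.lower() == want.lower()
               for got, want in zip(license_lines, EMBEDDED_PLAINTEXT))


# Hardened variant. Assumptions (not from the essay): the vendor issues a
# random key and the program embeds only its PBKDF2 digest.
SALT = b"constructed-demo-salt"
ITERATIONS = 100_000


def derive(key_text):
    """Slow, salted digest of one license line."""
    data = key_text.strip().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, SALT, ITERATIONS)


# Constructed sample key. It appears here only so the demo is self-contained;
# a real build would embed the precomputed digest and never the key.
DEMO_KEY = "7Q2M-XK4D-9TRB-HW6C-3ZPA"
STORED_DIGEST = derive(DEMO_KEY)


def hardened_check(license_lines):
    """Compare digests in constant time; no plaintext operand to observe."""
    if not license_lines:
        return False
    return hmac.compare_digest(derive(license_lines[0]), STORED_DIGEST)


def replay_passes(check, observed_operands):
    """Self-test: does writing the check's own comparison operands into the
    license file satisfy it? True means a runtime trace gives the answer away."""
    return check(list(observed_operands))


if __name__ == "__main__":
    print("weak check replayable:    ", replay_passes(weak_check, EMBEDDED_PLAINTEXT))
    print("hardened check replayable:", replay_passes(hardened_check, [STORED_DIGEST.hex()]))
```

The digest only removes the readable answer from the trace. A key shared by every customer can still be copied, which per-customer licenses signed with a vendor-held private key address.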



Interestingly enough, if we attempt to analyse some Visual Basic code with SmartCheck running, we can clearly see just how the analyzer goes about reading and interpreting the files. An invaluable bonus to its usage as a reversing tool.

Inside this target there are a couple of other add-in tools (Graph and Printer) that also require separate registration (greedy programmers never learn).

As you will see, these work just the same as above:
1) Search for "lic"
2) Find the name of the license file to create.
3) Create it and add some junk in it
4) Run the program and see what it really needs



That's about it. I hope you understood this. You could have cracked this of course in many different ways:

1)	by scanning the code in the buttonclick event for the nag screen to see how it processes the registration code you entered and checks it against the real one, but Smartcheck solves the problem in a much easier way.

2)	using filemon/regmon/vxdmon in order to check the manoeuvres of your target (and identifying that way the various *.lic the target was searching) but -again- Smartcheck solves the problem in a much easier way.

3)	You might have done it following Razzia's excellent tutorial on cracking VB apps by setting break points and patching the runtime file but that was in the "pre-smartcheck" era : ) Now that this outstanding tool is available, you'll never have to think about even touching softice or IDA again.





Final Notes

I personally don't know anyone who would purchase Project Analyzer in his right mind: the program costs over $100 and you moreover have to register any add-in tools separately. On top of this, just check out the bug list after having installed this program! I wouldn't distribute a freeware program that has so many bugs! Guess whoever made the program didn't have SmartCheck 5.0 to debug it! (If (s)he had used SmartCheck, neither the protection nor the program itself would have been so weak! : )

Send your comments and insults to shivanan@ens.lk



Ob Duh
I won't even bother explaining you that you should BUY this target program if you intend to use its not allowed functionalities (use as opposed to study them). Should you want to STEAL this software instead, you don't need to crack its (pathetical) protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
