TTFPlus 3.3 32-bit demo
A "quiver" in Visual Basic 5

by Vizion
(18 September 1997)


Courtesy of Fravia's page of reverse engineering

Well, a Visual Basic 5 target (without strings) with a quiver protection, very well reversed by Vizion, even if, as usual with protectionists that are NOT careful enough, you could have directly searched inside the dead listing for the strings: "MSVBVM50.rtcMsgBox" and "cmp ax, 000A"

 :::: TARGET

 TTFPlus 3.3 32-bit demo (url : www.wmsoftware.com)



 :::: TOOLS 

 W32Dasm 8.9, SoftIce for NT 3.01, UltraEdit-32 4.40b



 :::: PROTECTiON

 Quiver protection (see +ORC, lesson 4.1). Internal counter. 

 The demo counts the number of times you select a font you like to see.



 :::: REMARK(s)

 You will need to change winice.dat for this crack. Open winice.dat in your
 favorite text editor and add the following line:



 EXP=:\\msvbvm50.dll



 Save the file and restart your computer if SoftIce is loaded.



 :::: FiND THE COUNTER

 As always, I start by loading the target in W32Dasm. The first thing I
 noticed was that there were no String References. Pretty annoying if you
 ask me. If you take a look at the list of .dll files that are used you'll
 see only one:



  MSVBVM50.DLL aka. Microsoft Visual Basic Virtual Machine 5.0 (I think)



 Ok, this is quite new, and I haven't seen any tutorials on a VB5 program.
 Due to the lack of String References and the usage of only one .dll file
 we need a "new" approach to crack this baby. I suggest you sit down and
 start thinking about the way to crack this target...



 Well I came up with the following idea.



 Start the target and select a font several times; after clicking 10x you'll
 get the nag screen telling you... well, read it :). The problem is that you
 need to restart the target if you want to use it some more.



 Back in W32Dasm, take a look at the imported functions from the .dll:



 Addr:0F0D3109 hint(0000) Name: __vbaStrBool
 Addr:0F01A5AE hint(0000) Name: __vbaExitProc
 Addr:0F0239B1 hint(0000) Name: __vbaFileCloseAll
 Addr:0F023FA0 hint(0000) Name: __vbaOnError
 Addr:0F04F618 hint(0000) Name: __vbaObjSet
 Addr:0F0CF404 hint(0253) Name: rtcMsgBox



 (c) Vizion 1997. All rights reversed