"Smartchecking" VB Programs

Yet another stupid protection unearthed Visual Basic

reversing
25
February
1998
by Hs2L
slightly edited
Courtesy of Fravia's page of reverse engineering
by Fravia+
Well, I always said this: Smartcheck is the 'final cracker weapon'. You may
want to have a look at my own essay An interesting tool: Numega's
Smartcheck, written in November 1997, and at Snatch's essay: An interesting
fra_00xx tool: Numega Smartcheck 5.0, written in October 1997
980225 Hs2L's essay is a nice work and will have quite some interest for beginners
Hs2L AND for anyone among my readers that still does not use smartcheck. I like
1000 especially the list of alternative reversing methods at the end. I believe that it
OT would ALWAYS be a good idea, writing an essay, to compare the 'innovative'
VB solution you propose with the 'traditional' alternative cracking methods you
know of.
And yes, by all means, use Smartcheck... and not only for visual basic
programs... you won't regret it!
Enjoy!
There is a crack, a crack in everything That's how the light gets in
Rating (x)Beginner ( )Intermediate ( )Advanced ( )Expert

This is an easy crack using the powerful SmartCheck 5 VB debugger to unearth hidden code the programmer
doesn't want you to see. Our target is VB Project Analyzer

An example of VB Cracking using SmartCheck

(as opposed to Softice or IDA)
Written by Hs2L

Introduction
VB Project Analyzer is a Visual Basic code analyzer-not too usefull for
most of us but a good demonstration of a bad protection scheme implemented
by a greedy programmer

Tools required
SmartCheck 5.0 - This is the only tool you'll (ever) need.

Target's URL/FTP
ftp://kgb.quarta.com/NTUtil/NuMega/smchk50.exe http://www.numega.com www.aivosto.com/vb.html
 Essay
I dont think too many reverse engineers would find this target useful.
This is mainly to demonstrate how fantastic Smartcheck is rather then
how to undo a certain protection scheme.
For those who don't have smartcheck 5.0, I suggest you download it NOW
and crack it using Softice (see Snatch's essay).
This Visual Basic runtime debugger and flow analyzer has to be seen to be
believed. After having used this tool, I just hope more people make their
stupid shareware in VB 5 so we can reverse all of their code, automagically,
using this wonderful tool : )
You actually get ALL the code events, even COMMENTED, with their ORIGINAL
names!!! Just load your target into Smartcheck and sit back and watch it
generate event after event!
I wish you luck in trying to get this tool from NuMega's web site
They're starting to become difficult to deal with. I suggest you do an
FTP search.
Well, that's enough about smartcheck

A friend had downloaded this target and I just copied the compressed
file onto my disk. The program is , as the name suggests, a Visual Basic
code analyzer.

I'm assuming you have SmartCheck 5 and have it configured to get maximum
events. Here are the steps:
After loading Project Analyzer and BEFORE beginning, click on settings
from the Program menu. Click on the "Reporting" tab and enable everything
except "Mouse movement from OCX".
Under the "File to check" tab, enable everything.
Under "Error detection" in "Type of errors to check for" check everything
Check "Save settings" before exiting.
When you run the program, select "Show all events" from the "View" menu
as well as "Arguments" and "Sequence Numbers"

After installing, when you run the program you see a simple
nag screen with a edit box with the words "Guess..." in it. Obviously
this is the place where you enter the registration code. Also, there's an
option which allows you to analyze multiple project files. This is
called Super Analyzer and requires a seperate registration.
(shareware programmers never get too greedy) This too, displays a nag.
Now that we've seen the program we can load SmartCheck with the program.
So once we're in, SC begins dishing all the code as it runs the program
(if you have the setting set for Show all events, you've got an incredible
quantity of code right about now) so now the nag screen is displayed in all
its glory.
For now press OK and clear it. Go to Project Analyzer's menu and select
Add In-->Super Analyzer. A second nag screen asking you to register Super
Analyzer pops up. Now, near the end of the code listing you should see
something interesting

FreeFile(VARIANT:Missing) returns Integer:1

Open(String:"C:\projectana\superpa.lic",Integer:1,long:-1)
Visual Basic Runtime Error 53: File not found
Close(Integer:1)
Super_About (form) create

What's happening here? You have to know a minimum amout of Visual Basic
to understand this code

FreeFile(VARIANT:Missing) returns Integer:1

---->Free file returns a filenumber that isn't

in used. It is an integer and can be used
to open files.In this case the Number returned
 is 1

Open(String:"c:\projectana\superpa.lic",
----> Translated in Basic this means:

Open "c:\projectana\superpa.lic" for input as #1

So, its looking for a file called superpa.lic

(/projectana is the directory where I installed VBPA)
After this, Smartcheck returns a runtime error stating that the file
couldn't be opened.
After this we see

Super_About (form) create

----> The nag screen is created

The above code has "Protection routine" written all over it. Essentially
whats happening is, when you load Super Analyzer, the program attempts to
open a license file. If it doesn't find one, it loads the nag screen.
So, we can safely assume that when the registration code is correct,
a license file is automatically generated. So, now, we create a superpa.lic
file in the Project Analyzer Directory. We leave it as an empty file
and restart Project Analyzer through Smartcheck. This time when we try to
open the Super Analyzer, the nag screen still shows up and some new code
in Smartcheck.

After succesfully opening the Superpa.lic file we see this:

LineInputNum(Integer:1)
Visual Basic Runtime Error :Input past end of file

So now, Project Analyzer (PA for short) is reading information sequentially

from the file and since the file is empty, we get an error message
"Input past end of file"

That means, PA is not just seeing if the license file exists but checking
the contents as well. That means we'll have to fill the contents of
"SuperPA.lic" with something.

Now comes the incredible part. Just look at the line below in the
Smartcheck code and you should see something like this:

LCase(VARIANT:By Ref String:"norppa")

What does this mean? Yes, you guessed it. It's the string that's supposed
to be compared with what's in the license file! What does this mean?
It means we just put "norppa" on the first line in the license file and
it becomes valid!! Go ahead and try it. You are now the proud owner of a
fully registered Super Analyzer addin : )

Now lets try the same thing with the Project Analyzer itself:

Wait for the nag screen to show up and then in the Smartcheck code, do a
search for "lic". You should end up in a series of string manipulations.
Scroll down until you see something like the following:

RTrim$(String:"Lic") ---->removes spaces to the right of "Lic"

RTrim$(String:"Project") these aren't important
Len(String:"Lic") returns LONG:3

...some irelevant stuff

OnError(long:-1) ----> Used for error handling

FreeFile(VARIANT:missing) returns integer:1
Open(String:"c:\projectana\project.lic",Integer:1,Long:-1)fails
Close(Integer:1)
About (Form) created

So, now we know what to do. We simply create another license file,
this time with something written in it. So we make a "project.lic"
file and in the first 5 lines put "crap"

We fire up SmartCheck again and get this code:

Open(String:"C:\projectana\project.lic",Integer:1,Long:-1,long:1)
Close(Integer:1)
Freefile
Open
LineInputNum(Integer:1)
LCase(VARIANT:ByRef String:"crap") --->converts to lower case
LCase(VARIANT:ByRef String:"Tikannakit")
LCase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String: "Sibelius")
Lcase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String: "Ryppyotsa")
Close(Integer:1)
About(Form) created

Now, PA is checking if the file exists, then opening it a second time to

input sequentially.Now this part is particularly interesting:

LCase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String:"Tikannakit")
LCase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String: "Sibelius")
Lcase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String: "Ryppyotsa")

This looks like a direct case-insensitive string comparison which can only
mean its comparing the contents of the license file with what it's supposed
to contain. So, we create the license file as we did above, first line
being "Tikannakit" and second being "Sibelius" the third is "Ryppyotsa".
With Smartcheck cracking this is almost a joke! With our new license file
we simply load up PA again and this time we are fully registered!

Interestingly enough, if we attempt to analyse some Visual Basic code with

SmartCheck running, we can clearly see just how the analyzer goes about
reading and intepreting the files. An invaluable bonus to its usage as a
reversing tool.

Inside this target there are a couple of other add-in tools (Graph and Printer)
that also requre seperate registration (greedy programmers never learn)

For these procedures, as you will see, just work same as above.
1) Search for "lic"
2) Find the name of the license file to create.
3) Create it and add some junk in it
4) Run the program and see what it really needs

That's about it. I hope you understood this. You could have cracked this
of course in many different ways:
1) by scanning the code in the buttonclick event for the nag
screen to see how it processes the registration code you entered and
checks it against the real one but Smartcheck solves the problem in a much
easier way.

2) using filemon/regmon/vxdmon in order to check the manoeuvres of

your target (and identifying that way the various *.lic the target was
searching) but -again- Smartcheck solves the problem in a much easier
way.

3) You might have done it following Razzia's excellent tutorial on

cracking VB apps by setting break points and patching the runtime file but
that was in the "pre-smartcheck" era : ) Now that this outstanding tool is
available, you'll never have to think about even touching softice or IDA
again.

Final Notes
I personally don't know anyone who would purchase Project Analyzer in his
right mind: The program costs over $100 and you have moreover to register
any add-in tools seperatley.
On top of this, just check out the bug list after having installed this program!
I wouldn't distribute a freeware program that has so many bugs!
Guess whoever made the program didn't have SmartCheck 5.0 to debug it!
(If (s)he had used SmartCheck, neither the protection nor the program
itself would have been so weak! : )

Send your comments and insults to [email protected]

Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use its not
allowed functionalities (use as opposed to study them). Should you want to STEAL this software instead, you
don't need to crack its (pathetical) protection scheme at all: you'll find it on most Warez sites, complete and
already regged, farewell.

You are deep inside Fravia's page of reverse engineering, choose your way out:

Back to Visual Basic reversing

homepage links search_forms +ORC students' essays academy database

reality cracking how to search javascript wars
tools anonymity academy cocktails antismut CGI-scripts mail_Fravia
Is reverse engineering legal?