TTFPlus 3.3 32-bit demo
A "quiver" in Visual Basic 5
by Vizion
(18 September 1997)
Courtesy of Fravia's page of reverse engineering
Well,
A visual basic 5 target (without strings)
with a quiver protection, very well reversed
by Vizion, even if, as usual with protectionists that are NOT
careful enough, you could have
directly searched insie the dead listing the
strings:
"MSVBVM50.rtcMsgBox"
and
"cmp ax, 000A"
:::: TARGET
TTFPlus 3.3 32-bit demo (url : www.wmsoftware.com)
:::: TOOLS
W32Dasm 8.9, SoftIce for NT 3.01, UltraEdit-32 4.40b
:::: PROTECTiON
Quiver protection (see +ORC, lesson 4.1). Internal counter.
The demo counts the number of times you select a font you like to see.
:::: REMARK(s)
You will need to change winice.dat for this crack. Open winice.dat in your
favorite text editor and add the next line,
EXP=:\\msvbvm50.dll
Save the file and restart your computer if SoftIce is loaded.
:::: FiND THE COUNTER
Like always, I start with loading the target in W32Dasm. The first thing I
noticed was that there were no String References. Pretty annoying if you
ask me. If you take a look at the list of .dll files that are used you'll
see only one :
MSVBVM50.DLL aka. Microsoft Visual Basic Virtual Machine 5.0 (I think)
Ok, this is quite new, and I haven't seen any tutorials on a VB5 program.
Due to the lack of String References and the usage of only one .dll file
we need a "new" approach to crack this baby, I suggest you sit down and
start thinking about the way to crack this target...
Well I came up with the following idea.
Start the target and select several times a font, after 10x clicking you'll
get the nag screen telling you... well read it :). The problem is that you
need to restart the target if you want to use it some more.
Back in W32Dasm, take a look at the imported functions from the .dll,
Addr:0F0D3109 hint(0000) Name: __vbaStrBool
Addr:0F01A5AE hint(0000) Name: __vbaExitProc
Addr:0F0239B1 hint(0000) Name: __vbaFileCloseAll
Addr:0F023FA0 hint(0000) Name: __vbaOnError
Addr:0F04F618 hint(0000) Name: __vbaObjSet
Addr:0F0CF404 hint(0253) Name: rtcMsgBox
(c) Vizion 1997. All rights reversed
You are deep inside fravia's page of reverse
engineering, choose your way out:
homepage
links
anonymity
+ORC students' essays tools
cocktails
academy database
antismut search_forms mail_fravia
is reverse engineering legal?