CODE REVERSING
"VBCommander 6.0"
Fishing the right RegCode
Please read the DISCLAIMER first!!
 
Author: vladimir
Program: Visual Basic Commander 6.0 (VBCommander6.0)
Web: http://www.becubed.com
Filename/length: vbctrial.exe, 1174440 bytes
Protection: Combination of user registration code / user name
Crack: Fish Reg-Code
Tools: SoftIce
Time: 2 Minutes 
 
As a budding friend of VB programming, I am as happy as anybody about every useful tool. On my long way through the web I came across a page that advertised VBCommander 6.0, and that's how I got interested in it. (VBC6 has got a few nice and tricky features for programming, so get it!!) Before you can d/l, install and run/crack it (hehehe), you've got to give them your email address, 'coz they send you a "trial-unlock-sort-of-stupid-word-combination". But as is normal for people who are in that "reversing business", we all have a faked MailUP for that (or am I a lonesome idiot???). After receiving that, I installed VBC6, eager to see if there's a way to make a full version of it... and what should I say? My teary eyes saw a little nag appearing, with the option "ENTER PASSWORD". Beautiful.
 


 
Okay, let's hit it:
When you choose "ENTER PASSWORD", a dialog will pop up with three text fields:

(a) Registration code:
(b) Your Name:
(c) Company Name:

Since I let filemon/regmon do a helpful job for me on my first launch, I recognized that VBC6 is a VB app itself (hehe, VB for VB, how lovely). Everybody who has read some VB-reversing tutorial probably knows the next steps.
 



 
This app is already on version 6, and that seems to be a sign of a long time on the software market???!!! (I think so). I was surprised how fast a newbie could break through the protection! Hm. Maybe the programmers believe in the goodness of mankind, or never heard of crackerz before? (Or are crackerz themselves, working for Becubed, who knows :-))
 


 
I took "vladimir" for my name, "0815" for the Registration code and "gcc" for the Company Name.
 
use CTRL + D = launch Sice
type BPX HMEMCPY = Set our loved standard-break
hit F5 = go back to VBC6
click "OK"... and SICE's back again... at

KERNEL!HMEMCPY
XXXX: 9E7A 55 PUSH BP

(As you might know, the XXXX could be different from mine, that's why XXXX, hehehe)
Now you must hit F5 again (one time!!! A few would wonder, but I found out that only the name is the holy-char), then hit F11 to get back to where this function was called. You'll land here:
 
XXXX: 0b40 9a7a9e1701 CALL KERNEL!HMEMCPY
XXXX: 0b45 ff35 PUSH WORD PTR [DI]
XXXX: 0b47 9ab0011f01 CALL KERNEL!LOCALUNLOCK

Everybody's there??? YEAH... OK... carry on with F10ing (hit F10 very often) until you read in the status bar of SICE: MSVBVM50!.Text. Then you've got to hit ALT + F4 (I hope you've got Sandman's winice.dat with the comparing-search modification??? NOT? Then it's time to d/l that, hurry up.. HEHEHE). Sorry, back to VBC6. Sice's answer:

Pattern found at XXXX: 0f00d9ea (0f00d9ea)

OK, now type u XXXX:0f00d9ea (to unassemble this snippet), and you'll see the following code:

XXXX: 0f00d9ea 56 PUSH ESI
XXXX: 0f00d9eb 57 PUSH EDI
XXXX: 0f00d9ec 8b7c2410 MOV EDI, [ESP+10]
XXXX: 0f00d9f0 8b74240c MOV ESI, [ESP+0c]
XXXX: 0f00d9f4 8b4c2414 MOV ECX, [ESP+14]

How lovely, and now? Now you should delete your breakpoint with BC0 (or disable it with BD0), set another break on the pattern address with: BPX XXXX:0f00d9ea, hit F5 ONCE, and BOUUMMM, SICE is there. Now hit F10 THREE times, until you're at the following position in the code:

XXXX: 0f00d9f0 8b74240c MOV ESI, [ESP+0c]

and type D EDI (to display the EDI register, that's the register where the REGCODE is stored), and take a look at your "hex window" in SICE. THERE'S THE BABE:
In my case the RegCode was: 2-040-2636
 
Perfect, that was a very fast exercise (but there are slower and HARDER ones, they break my teeth). Now you can delete or disable all breakpoints, leave SICE with X or F5 or even CTRL + D, and REGISTER....

DONE


Some thoughts and stuff like that:
 
I tested and played a little with that coding, and figured a few interesting things out:
 
Every letter is converted to a number and, as is quite often the way, mirrored. So you get "rimidalv" instead of "vladimir". There are only six numbers: 0,1,2,3,4,5,6 which are used to construct the REGCODE. But how?
 
I took my ASCII table and made a little safari (before that I tested a few names/letters to see how the reg reacts). Let's take a look:

a=6 b=0 c=1 d=2 e=3 f=4 g=5 h=6 i=0 j=1 k=2 l=3 m=4 n=5 o=6 p=0 q=1 r=2
s=3 t=4 u=5 v=6 w=0 x=1 y=2 z=3

But this is only for lowercase letters. When you count, though, and take your ASCII table and this hint, you can work out the regcode for every letter/wildcard/symbol with a piece of paper and a pencil. The code is max ten characters, e.g.:
 
abcdefghij = 106-543-2106 ( last 4 characters + - + middle 3 characters + - max 1-3 characters )


AND-VERY FUNNY:
 
It seems that the programmers "forgot" their "MASTER PASS". I found a combination in the code that ALWAYS matches (it should, I tested it a few times): 64-046-4336

Tsk, tsk...
 
The information for registration is stored in a file called VBCMNDR.INI in the Windoz root. In this file you'll find all the entries you've made (after installation) + a column that says CheckSum: &&@(
 
If you leave that entry untouched, you can do what you want with the rest of the reg information, so VBC6 only looks at that entry and doesn't compare the code on every startup....
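The startup weakness described above, as an added defensive example (not VBCommander's code and not part of the original tutorial): a check that only looks at the CheckSum entry, next to one that recomputes a keyed tag over every registration field on each start. The section and key names, the sample values and INSTALL_KEY are assumptions constructed for illustration.

```python
import configparser
import hashlib
import hmac

# Constructed sample; section and key names are assumptions, not the real file layout.
SAMPLE_INI = """[Registration]
Name = alice
Company = example
Code = 0000000000
"""

# Hypothetical per-install key. A key kept on the client only raises the bar;
# a vendor signature verified with a public key avoids shipping any secret.
INSTALL_KEY = b"constructed-demo-key"

def tag(reg):
    """Keyed tag over all registration fields, length-prefixed to avoid ambiguity."""
    fields = [reg[k].encode() for k in ("Name", "Company", "Code")]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(INSTALL_KEY, msg, hashlib.sha256).hexdigest()

def weak_check(reg):
    # Simplified model of the behaviour in the text: only the CheckSum entry matters.
    return bool(reg.get("CheckSum"))

def bound_check(reg):
    # Recompute over every field at each startup and compare in constant time.
    return hmac.compare_digest(reg.get("CheckSum", fallback=""), tag(reg))

def demo():
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(SAMPLE_INI)
    reg = cp["Registration"]
    reg["CheckSum"] = tag(reg)            # written once, at registration time
    before = (weak_check(reg), bound_check(reg))
    reg["Name"] = "someone else"          # fields edited, CheckSum left untouched
    after = (weak_check(reg), bound_check(reg))
    return before, after

if __name__ == "__main__":
    print(demo())
```

The weak check still passes after the name is edited; the bound check fails because the stored tag no longer matches the fields it was computed over.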
 
THAT'S ALL


DISCLAIMER
 
Do I really have to remind you all that by buying and NOT stealing the software you use you will ensure that these software houses will continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems. If you're looking for cracks or serial numbers from these pages then you're wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.


 
 



 
  

 
Goodbye, best greetingz and keep cr@cking
(c) 13/03/1999 vladimir