Targets: Pretty Good Solitaire 98 - Pam v1.13
Reverse Engineering Lab

... from newbie to another ...
Intro

Hi guys ... u are reading my 3rd tutorial ... sorry if there are any grammatical errors .. hope you'll understand this piece ... This is my first experience with VB programs ... i've heard a lot of comments about VB protection schemes ... someone said "... VB is a Newbie's Nightmare." ... hmm .. it sounds like a challenge for me ... i invite you to join me in reversing these "naughty" programs ...
Flash Course

Tips & Tricks (SandMan):

Visual Basic cracking still remains to many a tough nut to crack because you can't just dead list it and expect to see where you're going ... Therefore we need to adopt new methods to circumvent this natural barrier and one possible way is to locate routines within the VB runtime library that we can place traps (breakpoints) on with SoftICE. In order to program SoftICE to quickly locate the String Compare Routine for us we place the following three lines in our WINICE.DAT file:
Pretty Good Solitaire 98

Author: Thomas Warfield, Goodsol Development Inc.
E-mail: support@goodsol.com
Homepage: http://www.goodsol.com

Overview

Pretty Good Solitaire 98 is a collection of 230 solitaire games, from classic games like Klondike, FreeCell, and Spider, to 22 original games invented especially for the program.

Features:
Protection system

Interesting one ... since there is no registration screen to enter registration data ... but the help file mentions this:

"if you do register this program, this is what you will get for your money: A registration code and instructions on how to input this code to register your copy"

... hmm ... seems that Thomas wants to play a game with us ... hurrah ... this would be fun! ... somehow it reminds me of Sandra Bullock in "The Net" ... are u thinkin' what i'm thinkin' ..!? .. yeah she has a great ash ... Firstly ... i try holding the [CTRL] key 'n start pushing on cards in the help menu ... the order screen pops up ... try again ... push on register ... #boom# ... huh ... game is over ... it was 2 easy .. here we're asked to enter:

Name :

The registration code is based on what you type in for name.

1. Deep within your System Registry it uses the following branch to store its license data:
HKEY_CURRENT_USER\Software\Goodsol\PGS98\Registration
Code=" "
The essay

... Click on Help - About ... Hold the [CTRL] key 'n click on [Register] .... #boom# ... use the following entry as an example:

Name : widYa@cL 2011

DO NOT push [OK] yet .... fire up SoftICE (CTRL+D) 'n set a breakpoint on the HMEMCPY function (BPX HMEMCPY) ... X [ENTER] to leave SoftICE ... then click the [OK] button ... #bOOm# ... From here press the 'F12' key 7 times to get into msvbvm50.dll code ... Now we want to quickly find the routine that compares our serial number with the *real* one and we can do this effortlessly by pressing the ALT-F4 keys together ... SoftICE should now report back one memory location of where the sub-routine we're looking for is to be found in memory. In my case SoftICE reported:

... ur next step is to set a breakpoint on it but first clear the HMEMCPY breakpoint 'coz we don't need it anymore ... BC* [ENTER]

... #boom# ... 'n SICE should now display this code snippet:

... anyway ... this number '981977600' seems to be ur valid reg code ... clear the garbage from ur planet ... BC* [ENTER]

... enter registration again ... Name : widYa@cL 2011 ... push [OK] ... # # ... huh ... no expression of thanks ...!? . Look in Help - About ... Registered to :
(NOTES: to unregister Pgs98 run regedit - go to HKEY_CURRENT_USER\Software\Goodsol\PGS98\Registration - delete the Registration key) ... i noticed that there are a few 'odd' things in the generation of the valid serial after entering registration with different entries several times ... ex:

1. when i used "CrackZ" as the name the data window showed this number "652288" ... i enter the reg screen again with the following entry: Name : CrackZ .. [OK] ... #boom# ... "Sorry. Invalid Registration Code ..." ... hmm ... then i look again at every valid reg that i got .... it always begins with "98" ... let's check it out ... : Name : CrackZ . [OK] ... #boom# ... registered ...

2. I used the following entry: Name : widYa ... 'damned' ... the valid reg code never showed up ... so i change my dummy reg code .... then ... after a few tries entering registration with different keys ... finally ... it showed up "98467069" ... hmmm .. though i've found the valid code it still didn't satisfy me ... since we must scroll down the data window 'n sometimes we need to repeat the routine .... is there 'something' left behind!?? .... is it a buggie??! .... aaahhh ..... i'm sleepy now ... i should take a nap for a while ....

...........)^%$!.............!@# ...............*&* ...................... **^%$**^^%$ ..............

... #DAMNED# .... who said that VB programs are a newbies' nightmare ..... kewl ... !? ... huh ... now i'm back!! .. with new energy ... let's continue ur examination ... from what i've learned .. a VB program is not really a "program" since it uses a lot of calls to a library (dll). Let's say if it wants to convert a string into uppercase then it will call a function in a dll (dynamic link library) that deals with this task. Especially in serial prot schemes we can say there are 3 main routines we need to know (i've discussed this in my 2nd tutorial): read ur input, calculate them in a unique formula, compare ur input with the correct one (or part of it). Now .. if we'd like to write a program ... then we will make it as effective as possible 'n as efficient as possible, right? ... same as the writer of msvbvm50.dll ... he must have written one good function to handle any uppercase-string task ... one good function to handle any compare-strings task ... etc. Now .. i'd like to find one good function in msvbvm50.dll which generates our valid code for all VB programs which have serial prot schemes ... is it possible??? ... hmmm .. where do we start..?! .... think .... think .... think ...... eureka! ... from what we've seen .. ur name was converted to uppercase (right?!) ... a good start for me .... what's this function's name in msvbvm50.dll ... rtcUpperCaseBstr?! ...
let's check it out ....... enter reg again .. with the following entry: Name : CrackZ ... CTRL+D ... BPX rtcUpperCaseBstr [ENTER] ... [OK] ... #bOOm# .. press F12 once ... we land here:

BPX 7B3CF8E1 ; This address will be different in your system
X [ENTER]
X [ENTER]

... D EAX ... you'll see UNREGISTERED COPY .. in wide format ... scroll down the data window ... we found a fixed valid reg code "98652288" ... but still we need to repeat entering registration sometimes to find it ... i don't know if all these 'odd' things happen in your system too ... r u thinkin' wht i'm thinkin'?! ... yeah ... where is that "bloody" function!! ... after learning about VB functions for a few minutes .. i decided to use the __VbaStrCat function .... now enter reg again ... fill out the entries .... CTRL+D . BC* [ENTER] .. [OK] ... #BOOM# .... F12 once ... we land here:

BC* [ENTER]

... D EAX ... wht do u see? : M I C .... interesting?! .. No?? ... X [ENTER]

... at here .. i decided to trace the CALL ... snip ... snip ... snip ... heii i think i found the instruction code which generates the data we looked at in EAX ... here is the snippet code, as a WINICE.DAT line that binds ALT+F5 to a SoftICE memory search for that byte pattern:

AF5="^s 0 l ffffffff F3,A4,5D,5F,5E,5B,C2,08,00;"
... Restart Windows .... make another cup of coffee .... (unregister Pgs98: run regedit - go to HKEY_CURRENT_USER\Software\Goodsol\PGS98\Registration - delete the Registration key) .... now enter reg again with the following entry: Name : CrackZ ... CTRL+D ... BPX __VbaStrCat [ENTER] .. [OK] ... #BOOM# .... press ALT+F5 ,,, In my case SoftICE reported:

BC* [ENTER]

... #bOOm# ... we're here:

BPX 7B2F20F7

.... heiii ... u can relax now ... 'coz i'll show u the greatest magic you've ever seen .... Keep pressing F5 until you see the valid reg code in the data window (... just like a slide show or a movie isn't it?! ... every time we push F5 .. the data window is updated char by char, copied from the "Michael Kreyling" string .... after there are no more chars to copy from "Michael Kreyling" ... then we have 'a commercial break' ... keep pressing F5 ... #bOOm# ... finally ... the data window shows 97652288 in wide char format ... NO NEED TO SCROLL DOWN THE DATA WINDOW ....) .... u can try with a different entry ... soon you'll see that my new method always shows the valid reg code .... aahh .... i'm satisfied now ...

r u thinkin' somethin' ...?! .. Yeah ... the valid reg code has 2 versions ... a Pgs97 version 'n a Pgs98 version ... so the valid reg code for name: CrackZ is 98652288 or 97652288 ... both work fine ....

... hmm ... now i have one more question in my mind .... r u thinkin' wht i'm thinkin' ..!? ... kewl .. AGAINNN!!!?? ... what if we enter "Michael Kreyling" as the name ... though we saw 974309568 in the data window ... still we can't make it registered .... seems that Thomas Warfield has blacklisted this guy ...?!? ... (anyone know who Michael Kreyling is?!) ... heiii ... r u sayin' somethin' ...?! .... Thank God my parents didn't give me the name "Michael Kreyling" ...???
Pam v1.13

Author: Michael Doering
E-mail: pam@tindrum.oche.de, michael.doering@post.rwth-aachen.de
Homepage: http://www.rwth-aachen.de/fsarch/Ww/members/doelf/pam/ , http://www.fs2.RWTH-Aachen.DE/doelf/pam/

Overview

The full-featured multi audio player: pal skins, playlist editor, timer, karaoke, id3tag, lyrics 1.0 & 2.0, plays mp3, wav, mid ....

Protection system

Registration is via selecting "About Pam" - Register ... we're asked to enter:

Name :

The registration code is based on what you type in for name 'n e-mail.

1. Deep within your System Registry it uses the following branch to store its license data: HKEY_CURRENT_USER\Software\OhBugger\Pam
2. It's a 42 day, time limited program that will 'expire' after 42 days of being installed.
The essay

... Heei another VB program ... this is good .... we're gonna test my new method. Use the following entry as an example:

Name : widYa@cL 2011

... DO NOT push [register PAM] yet .... CTRL+D ... BPX __VbaStrCat [ENTER] . [register PAM] ... #bOOm# .... press ALT+F5 ,,, In my case SoftICE reported:

BC* [ENTER]
BPX 017F:7B2F20F5

... #bOOm# ... we're here:

BPX 7B2F20F7

... now let's enjoy the movie presented by Visual Basic ..... Keep pressing F5 until you see the good serial in wide format ... after pushing F5 about 62 times .. the data window displays:

Name : widYa@cL 2011

... #bOOm# ... Registered to widYa@cL 2011 - Thank You! ... You're Welcome! .... Wow .. the longest serial i've ever seen ...
Final notes

... that's all for now guys ... pity .. i only have 2 programs written in VB ... i wish i could test it on more programs ... Well .. i'm sure you have one ... please test my new method on your VB (4/5) programs which use serial prot schemes .. 'n don't be lame ... let me know the result or if u have any comments/suggestions/critics ...

Greetz:

SandMan, CrackZ, tKC/All PC members, tHATDUDE, UCF, Torn@do, The Immortal Descendants, +ORC, MiB, Iczelion, GCG, ED!SON, Razzia, +Xoanon, iCECREAM, FraVia, Lord Caligo, Buckaroo Banzai, +gthorne, Mexelite, Corn2, Vizion, Manson69, nIabI, Cyborg, ^pain^, intruder, Yaan, Laxity, JoGy, nIabI [C4N/ME], MR NICK, NaTzGUL [REVOLT], Qapla', The _RudeBoy_, BigMoM, Aphex Twin [Vandals], vûltû_ë, eXact, YOSHi, Volatility, ZeroDay, Aescu, _CbD_, Gavin Estey, DR. Encryption, Joshua Auerbach, Klee8084, masta_, Chuck Nelson, _HaK_, Nemrod and ReN, R. DeYoung, Hugo Perez, lownoise, Hayras, YOU .....

Special Thanks:

Thomas Warfield, Michael Doering ... for giving a serial prot schemes challenge ... u have forced me to improve my skills a 'little bit'

Written / Designed by: widYa-cL 2011
Page Created: 23 February 1999