hello, Fravia;)
Some days ago I tried to crack a program,
PhoneTax, from http://itsoft.icl.kazan.su/
The program seems to be intended for viewing databases from Panasonic mini automatic telephone
exchanges: calls, times, phone numbers etc.
As happens not so often, the program was coded in VB 3.0;
if you do not know it, that is 16-bit.
So I started my exploration of the target code.
All my experience (not so big) was of no use: the p-code of Visual Basic was a true mystery to me.
But I have the Internet! Some searching, and I had two interesting things:
a VB 3.0 decompiler and a tutorial from Russia about VB cracking.
The way of cracking from the tutorial is good but strange: it cracks the interpreter DLL.
So I decided to crack the target exe itself.
But what is the beginning of the end which finishes the beginning?
I decompiled the target and with a simple text search found some foolish protection:
in module frmmain.bas
listing 1
*********************************
.....
    Call sub097C(Me.hWnd, False)
L2A67E:
    ' fn09F0 is the licence check: False means "not registered"
    If Not fn09F0() Then
        If fn0A11("Нарушена лицензия!" & Chr$(10) & Chr$(13) & "Хотите зарегестрироваться ?") = mc0086 Then
            ' user said "yes" to the nag: run fn09DE and, if it succeeds, check again
            If fn09DE() Then
                GoTo L2A67E
            End If
        End If
        Call sub0801
        Unload Me
        Exit Sub
    End If
    Call sub1710
.......
********************************
in module module4.bas
listing 2
*******************************
....
Function fn09DE () As Integer
    On Error Resume Next
    ' called when the user answers "yes" to the nag; True makes the caller retry the check
    If gv0326.M3874 <> 0 Then fn09DE = extfn1035(gv0326.M3874)
End Function

Function fn09F0 () As Integer
    Dim l0238 As Integer
    Dim l023A As Integer
    Dim l023C As Integer
    On Error Resume Next
    l023A = True
    l023C = False
    If gv0326.M3874 <> 0 Then
        l0238 = extfn1043(gv0326.M3874)
        ' the licence check: the value from extfn1043 must equal the stored one
        If l0238 = gv0326.M3881 Then
            fn09F0 = l023A      ' registered
        Else
            fn09F0 = l023C      ' not registered
        End If
    End If
End Function

Sub sub0A01 ()
    Dim l0240 As String
    Dim l0242 As String
    Dim l0246 As String * 160
    Dim l0248 As Integer
    Dim l024A As String
    On Error Resume Next
    ' the string literals below are the landmark we will search for in the exe
    gv038E = App.Path
    gv0392 = "ITSoft Phonetax"
    gv0456 = False
    gv0458 = False
    l0240 = fn08B2("intl", "sDecimal", "", "win.ini")
    l0242 = fn08B2("intl", "sThousand", "", "win.ini")
    gv044E = fn08B2("database", "patharc", "", "phonetax.ini")
    gv0452 = fn08B2("report", "path", "", "phonetax.ini")
    l0248 = extfn07D4(0, "PT~", 0, l0246)
    Kill l0246
......
*********************************************************
The Cyrillic string in
If fn0A11("Нарушена лицензия!" & Chr$(10) & Chr$(13) & "Хотите зарегестрироваться ?") =
is Russian; in English it reads
If fn0A11("License violation!" & Chr$(10) & Chr$(13) & "Do you want to register?")
So we could easily crack the program, if only we knew where the hell in Phonetax.exe the
function
fn09F0 () As Integer
is. So, let's begin to search.
Some technical facts:
VB 3.0 does not compile to native code: it produces p-code that is interpreted by the runtime DLL, and the string literals sit in the p-code in the order in which the code uses them. That is why I included such a big piece of module4.bas: fn09F0 comes right before sub0A01 in the module, and the literals of sub0A01 ("ITSoft Phonetax", "intl", "sDecimal", "win.ini") are a landmark that is easy to find in the exe; from there we only have to scan a little upward.
So go to Hiew or another hex editor and let us search for the strings
"ITSoft Phonetax"
"intl"
"sDecimal"
which lie not far from one another.
OK, found a match:
.00073790: 45 49 9A 38-14 00 98 37-0F 00 49 54-53 6F 66 74 EIÚ8¶ Ø70 ITSoft
.000737A0: 20 50 68 6F-6E 65 74 61-78 00 FB 2D-A8 00 45 49 Phonetax v-è EI
.000737B0: E2 37 55 2D-4C 02 45 49-E2 37 55 2D-4E 02 45 49 ò7U-LOEIò7U-NOEI
.000737C0: B1 67 9A 38-0A 00 C8 37-04 00 69 6E-74 6C 00 00 -gÚ80 L7¦ intl
.000737D0: 63 6A 03 00-9A 38 0E 00-DA 37 08 00-73 44 65 63 cj¦ Ú8d -7• sDec
.000737E0: 69 6D 61 6C-00 00 63 6A-02 00 9A 38-06 00 F0 37 imal cjO Ú8¦ ¨7
.000737F0: 00 00 00 00-63 6A 01 00-9A 38 0C 00-FE 37 07 00 cjO Ú8+ ¦7•
.00073800: 77 69 6E 2E-69 6E 69 00-63 6A 00 00-A7 62 04 00 win.ini cj çb¦
.00073810: 0C 00 72 6A-04 00 00 00-9D 2F 40 02-45 49 B1 67 + rj¦ Ý/@OEI-g
.00073820: 9A 38 0A 00-26 38 04 00-69 6E 74 6C-00 00 63 6A Ú80 &8¦ intl cj
.00073830: 03 00 9A 38-0E 00 38 38-09 00 73 54-68 6F 75 73 ¦ Ú8d 880 sThous
.00073840: 61 6E 64 00-63 6A 02 00-9A 38 06 00-4E 38 00 00 and cjO Ú8¦ N8
.00073850: 00 00 63 6A-01 00 9A 38-0C 00 5C 38-07 00 77 69 cjO Ú8+ \8• wi
.00073860: 6E 2E 69 6E-69 00 63 6A-00 00 A7 62-04 00 0C 00 n.ini cj çb¦ +
.00073870: 72 6A 04 00-00 00 9D 2F-42 02 45 49-B1 67 9A 38 rj¦ Ý/BOEI-gÚ8
.00073880: 0E 00 84 38-08 00 64 61-74 61 62 61-73 65 00 00 d Ä8• database
.00073890: 63 6A 03 00-9A 38 0C 00-9A 38 07 00-70 61 74 68 cj¦ Ú8+ Ú8• path
....
Going a little higher, I found:
.00073750: 1F 49 A5 2C-3A 02 3B 2F-36 02 2F 49-FE 35 6E 37 ¡Iå, O; 6O I¦5n7
.00073760: 1F 49 A5 2C-3C 02 3B 2F-36 02 2F 49-EC 35 35 49 ¡Iå,:O; 6O Iü55I
.00073770: EC 35 4B 49-D9 65 5E 0E-5B 0E 4B 49-B6 7E FE FF ü5KI-e^d[dKI¦~¦
.00073780: 45 49 A7 4A-A0 01 09 4C-02 C0 A3 10-FB 2D A6 00 EIçJàO0LOLã>v-æ
.00073790: 45 49 9A 38-14 00 98 37-0F 00 49 54-53 6F 66 74 EIÚ8¶ Ø70 ITSoft
.000737A0: 20 50 68 6F-6E 65 74 61-78 00 FB 2D-A8 00 45 49 Phonetax v-è EI
.000737B0: E2 37 55 2D-4C 02 45 49-E2 37 55 2D-4E 02 45 49 ò7U-LOEIò7U-NOEI
.000737C0: B1 67 9A 38-0A 00 C8 37-04 00 69 6E-74 6C 00 00 -gÚ80 L7¦ intl
.000737D0: 63 6A 03 00-9A 38 0E 00-DA 37 08 00-73 44 65 63 cj¦ Ú8d -7• sDec
Guess what the highlighted bytes, 3A 02 at .00073754 and 3C 02 at .00073764, are? Right, you are:
the two lines start with the same bytes 1F 49 A5 2C, followed by the number of a local variable
as a little-endian word, 0x023A and 0x023C. Remember?
fn09F0 = l023A
Else
fn09F0 = l023C
So, since l023A = True, let us patch the second word from 3C 02 to 3A 02:
.00073750: 1F 49 A5 2C-3A 02 3B 2F-36 02 2F 49-FE 35 6E 37 ¡Iå, O; 6O I¦5n7
.00073760: 1F 49 A5 2C-3A 02 3B 2F-36 02 2F 49-EC 35 35 49 ¡Iå,:O; 6O Iü55I
Voilà (as the Frenchmen say, or almost).
No matter what extfn1043(gv0326.M3874) returns, our function now assigns l023A on both paths and returns True.
As reverse engineers, what can we learn from this little crack?
Local variables in VB 3.0 are numbered consecutively through the whole module (the decompiler's names l0238, l023A, l023C are just those numbers), and the numbers appear in the p-code
in the clear, as little-endian words, without any encoding. So once the decompiler has given you a variable name, you can recognise that variable in the exe by its word (l023A -> 3A 02) next to the statement bytes.
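The same patch done with a script, as an added example (this is not code from the essay, from ITSoft or from the tutorial mentioned above): it locates the "ITSoft Phonetax" literal, scans upward for the two statements that share the byte prefix 1F 49 A5 2C seen in the dump, reads the local-variable number from the little-endian word that follows, and rewrites the l023C (False) operand to l023A (True). Everything it assumes comes from the dump on this page, not from any p-code documentation: the four-byte prefix is just the bytes common to both lines, and the 16-bit length word before each literal (0F 00 before the 15 bytes of "ITSoft Phonetax") is an observation used as a sanity check that the search landed on a real literal. The input is a byte string constructed from dump lines .00073750 to .000737A0, not the real Phonetax.exe.

```python
"""Added example (not from the essay or from ITSoft): patch the two
assignments of fn09F0 found in the hex dump so both use l023A (True).

Assumptions, all taken from the dump on this page rather than from any
VB3 p-code documentation:
  * both statements start with the same four bytes 1F 49 A5 2C, followed
    by the local-variable number as a little-endian 16-bit word
    (3A 02 -> l023A, 3C 02 -> l023C);
  * each string literal is preceded by a 16-bit length word
    (0F 00 before the 15 bytes of "ITSoft Phonetax").
"""
import struct

# Constructed input: dump lines .00073750 .. .000737A0 copied from the
# essay.  This is not Phonetax.exe; offsets are relative to DUMP_BASE.
DUMP_BASE = 0x00073750
DUMP = bytes.fromhex(
    "1F49A52C3A023B2F36022F49FE356E37"  # .00073750  fn09F0 = l023A
    "1F49A52C3C023B2F36022F49EC353549"  # .00073760  fn09F0 = l023C
    "EC354B49D9655E0E5B0E4B49B67EFEFF"  # .00073770
    "4549A74AA001094C02C0A310FB2DA600"  # .00073780
    "45499A38140098370F004954536F6674"  # .00073790  0F 00 "ITSoft"
    "2050686F6E6574617800FB2DA8004549"  # .000737A0  " Phonetax\0"
)

ASSIGN_PREFIX = bytes.fromhex("1F49A52C")  # bytes before the variable word
VAR_TRUE = 0x023A   # l023A = True  in fn09F0
VAR_FALSE = 0x023C  # l023C = False in fn09F0


def find_literal(data, text):
    """Offset of the NUL-terminated literal `text`, verified against the
    16-bit length word stored just before it."""
    off = data.find(text + b"\x00")
    if off < 2:
        raise ValueError("literal %r not found" % text)
    (length,) = struct.unpack_from("<H", data, off - 2)
    if length != len(text):
        raise ValueError("length word %d does not match %r" % (length, text))
    return off


def find_assignments(data, before, prefix=ASSIGN_PREFIX):
    """Scan backwards from `before` for `prefix` and return a sorted list
    of (offset, local-variable number) for every occurrence."""
    hits = []
    pos = data.rfind(prefix, 0, before)
    while pos != -1:
        (var,) = struct.unpack_from("<H", data, pos + len(prefix))
        hits.append((pos, var))
        pos = data.rfind(prefix, 0, pos)
    return sorted(hits)


def patch_false_to_true(data, base=0, anchor=b"ITSoft Phonetax"):
    """Return (patched bytes, file offsets of the words rewritten).  Every
    assignment of l023C located before the anchor literal is changed to
    assign l023A, so fn09F0 returns True whatever extfn1043 returns."""
    buf = bytearray(data)
    literal = find_literal(buf, anchor)
    changed = []
    for off, var in find_assignments(buf, literal):
        if var == VAR_FALSE:
            word = off + len(ASSIGN_PREFIX)
            struct.pack_into("<H", buf, word, VAR_TRUE)
            changed.append(base + word)
    return bytes(buf), changed


def hexdump(data, base):
    """Hiew-style lines (offset: 16 hex bytes) for eyeballing the result."""
    lines = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        lines.append(".%08X: %s" % (base + i, " ".join("%02X" % b for b in chunk)))
    return "\n".join(lines)


if __name__ == "__main__":
    patched, offsets = patch_false_to_true(DUMP, base=DUMP_BASE)
    print("patched words at:", ", ".join("%08X" % o for o in offsets))
    print(hexdump(patched, DUMP_BASE))
```

Running it reports one rewritten word at 00073764 and prints the first two lines exactly as in the patched dump above (both now carry 3A 02); running it again on the patched bytes changes nothing, which is a cheap way to check that a patcher is idempotent before pointing it at a real file.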
Happy cracking!
Staier from http://staier.cjb.net (Russian-language site).
P.S. Again, Fravia, thanks for your work, keep it up...