Visual Basic 5 Cracking Tutorial
--------------------------------
by The Krazy Nomad [MEX/C4N'98]
krazy@scenelink.org


Hello there! I'm glad you decided to take a look at this tutorial. You may
have been wondering what the deal is with a VB program, and why the subject is
so controversial. The truth is, as you might have heard, that a Visual Basic
executable is not a REAL EXE in the usual sense: it is a PE file, but nearly
everything it does (string conversion, comparison, message boxes) is a call
into the VB runtime DLL, MSVBVM50.DLL for VB5, rather than inline code. That
is where we can take advantage of such a protection: at its heart, the
runtime. I have coded a small Crack-Me in Visual Basic 5 with a simple
protection. This will be our target.

Tools Used:
W32dasm v8.9
SoftICE v3.22


Ok, let's first take a look at the program in W32dasm, so open up the crack-me
and wait till it has finished disassembling. The first thing to do is look at
the Imported Functions so we can see what we will be dealing with in SoftICE.
As we said, everything goes through MSVBVM50.DLL. So before we go any further,
let's add msvbvm50.dll to our winice.dat if you have not done so already (an
EXP= line pointing at the DLL, e.g. EXP=C:\WINDOWS\SYSTEM\MSVBVM50.DLL; if you
do not know how to do this, refer to ED!SON's wonderful cracking tutorial) and
reboot. SoftICE only reads winice.dat at boot, and it can only resolve export
names such as __vbaR8Str for "bpx" if the DLL is listed there. Now let's get
back to the imported functions.


Hmm, __vbaR8Str looks very interesting: "R8" is an 8-byte real (a VB Double)
and "Str" says it is made from a string, so this is the runtime's string to
Double conversion, just what a program needs before it can compare an entered
serial with a number. Let's see if anything happens if we set a breakpoint on
it. So, enter a bogus registration number in the dialog box, then go to
SoftICE, set "bpx __vbaR8Str", then go back to the app and click OK. Now we
should be in SoftICE, stopped inside the runtime. Press F11 to return to the
calling function. We should be at the following code:


00402163 FF75E0            push [ebp-20]       ; push the entered serial
                                               ; (a VB string) as the argument

* Reference To: MSVBVM50.__vbaR8Str, Ord:0000h ; convert string to an 8-byte
                                               ; real (Double)

00402166 E885EFFFFF        Call 004010F0       ; thunk to the import; on return
                                               ; ST(0) holds the entered serial
                                               ; as a Double

0040216B DC1D28104000      fcomp qword ptr [00401028] ; compare ST(0) with the
                                                      ; 8-byte Double constant
                                                      ; X stored at 00401028,
                                                      ; then pop ST(0)

00402171 DFE0              fstsw ax            ; copy the FPU status word
                                               ; (with the compare result) to AX

00402173 9E                sahf                ; load AH into EFLAGS so ZF/CF
                                               ; reflect the FPU compare

00402174 7503              jne 00402179        ; good/bad jump: taken when ZF
                                               ; is clear, i.e. serial != X


Ok, we see the address where it is comparing the serial, so let's take a look
and see what's behind the curtain. In SoftICE, type "dl 401028": the "dl"
format displays memory as 64-bit long reals, which is exactly how the fcomp
qword ptr instruction reads it, and what do you know, the serial is sitting
right there for you. Clear your breakpoints ("bc *"), go back to the crack-me
and enter the serial, and it will now give you the "Thank you for
Registering" dialog. Nice work!
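The tutorial reads the constant live in SoftICE. The same recovery can be
done statically against the bytes of the code section, which is handy when
you have many binaries or no debugger. The script below is an added example,
not part of the original tutorial: it scans for the opcode of "fcomp qword
ptr [disp32]" (DC 1D followed by a 4-byte address), resolves that address
inside the section and decodes the 8 bytes there as an IEEE-754 double. It
also reproduces the check itself with Python's float() standing in for
__vbaR8Str. The section image is constructed from the listing above; the
serial value 1234567.0, the section base 0x401000 and the use of float() as a
stand-in for VB's string parser are assumptions, since the page does not give
the real serial.

```python
"""Recover the Double constant behind an x87 `fcomp qword ptr [addr]` check.

Added example for the VB5 crack-me tutorial; not the tutorial's own code.
Sample data is constructed from the listing in the tutorial, and the serial
1234567.0 / section base 0x401000 are assumed, not taken from the page.
"""
import re
import struct

# DC = x87 escape for m64 real operands, ModRM 1D = /3 (FCOMP) with a bare
# disp32 operand, i.e. "fcomp qword ptr [imm32]".
FCOMP_M64 = re.compile(rb"\xDC\x1D(.{4})", re.DOTALL)


def find_fcomp_constants(section: bytes, section_va: int):
    """Return [(instruction VA, operand VA, double)] for every
    fcomp qword ptr [disp32] whose operand falls inside `section`."""
    hits = []
    for m in FCOMP_M64.finditer(section):
        insn_va = section_va + m.start()
        operand_va = struct.unpack("<I", m.group(1))[0]
        off = operand_va - section_va
        if 0 <= off and off + 8 <= len(section):
            (value,) = struct.unpack("<d", section[off:off + 8])
            hits.append((insn_va, operand_va, value))
    return hits


def serial_matches(entered: str, constant: float) -> bool:
    """Stand-in for __vbaR8Str + fcomp: convert the entered text to a double
    and compare numerically.  float() is an assumption for VB's parser; a
    non-numeric string, which would raise a VB runtime error, returns False.
    Because the compare is numeric, "1234567", "1234567.0" and "1.234567e6"
    are all accepted for the same constant."""
    try:
        return float(entered) == constant
    except ValueError:
        return False


def build_sample_section(serial: float, section_va: int = 0x401000) -> bytes:
    """Construct a code-section image matching the tutorial's listing.
    Instruction bytes are copied from the listing; the double at 0x401028
    is the assumed serial; everything else is int3 padding."""
    buf = bytearray(b"\xCC" * 0x1200)            # covers 0x401000..0x4021FF
    buf[0x28:0x30] = struct.pack("<d", serial)   # 0x401028 - section_va
    code = bytes.fromhex(
        "FF75E0"          # 00402163 push [ebp-20]
        "E885EFFFFF"      # 00402166 call 004010F0   (__vbaR8Str thunk)
        "DC1D28104000"    # 0040216B fcomp qword ptr [00401028]
        "DFE0"            # 00402171 fstsw ax
        "9E"              # 00402173 sahf
        "7503"            # 00402174 jne 00402179
    )
    start = 0x402163 - section_va
    buf[start:start + len(code)] = code
    return bytes(buf)


if __name__ == "__main__":
    section = build_sample_section(1234567.0)
    for insn_va, operand_va, value in find_fcomp_constants(section, 0x401000):
        print(f"{insn_va:08X}: fcomp qword ptr [{operand_va:08X}] = {value!r}")
        print("  '1234567' accepted:", serial_matches("1234567", value))
```

Against a real binary you would read the .text section bytes and its
VirtualAddress from the PE section table and pass them in place of the
constructed image; a disp32 that points outside the section (into .data or
.rdata) needs that section's bytes instead.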

I hope you learned something about how *some* Visual Basic programmers go
about protecting their apps: the "secret" is an 8-byte constant sitting in
the image, and because the conversion and compare go through the runtime, a
breakpoint on the right MSVBVM50 export leads straight to it. If you did
learn something, email me and let me know. It would make me glad. :)
