Howdy gang!!

This really isn't a tute, but more of a reference on what to do and look for.
The easiest way that I know of is to "rip" code.  I won't be giving any
specific program names, but some of these were found in some pretty stupid
"protections" :)


Program 1:
Format:  address: (excode)name                -- excode : what it does

4BC811: (6c)ILdRf                     -- ILdRf  : Pushes an address
4BC814: (1b)LitStr: 34395             -- LitStr : Pushes a string literal
4BC817: (fb)Lead0/(30)EqStr           -- Eqxxxx : Compares 2 things (strings,numbers,????)
4BC819: (2f)FFree1Str                 -- FFreexx: Frees used memory
4BC81C: (1a)FFree1Ad                  --          Frees used memory
4BC81F: (1c)BranchF: 4BC91F           -- Branchx: Conditional jump on the previous compare; BranchF jumps to the given address if it was false
4BC822: (4)FLdRfVar
4BC825: (21)FLdPrThis
4BC826: (f)VCallAd 7b3fc368           -- VCallAd: Calls code in MSVBVM50.DLL
4BC829: (19)FStAdFunc
4BC82C: (8)FLdPr
4BC82F: (d)VCallHresult               -- VCall..: Calls code in MSVBVM50.DLL
4BC834: (3e)FLdZeroAd
4BC837: (fd)Lead2/(59)PopTmpLdAdStr
4BC83B: (1b)LitStr: String Value1 
4BC83E: (43)FStStrCopy
4BC841: (4)FLdRfVar
4BC844: (1b)LitStr: HKEY_LOCAL_MACHINE 
4BC847: (43)FStStrCopy
4BC84A: (4)FLdRfVar
4BC84D: (4)FLdRfVar
4BC850: (a)ImpAdCallFPR4:  4bbca4     -- ImpAdCallFPR4:  "Calls" other blocks of code stored in executable
4BC855: (32)FFreeStr
4BC85E: (1a)FFree1Ad
4BC861: (35)FFree1Var
4BC864: (4)FLdRfVar
4BC867: (21)FLdPrThis
4BC868: (f)VCallAd 7b3fc360
4BC86B: (19)FStAdFunc
4BC86E: (8)FLdPr
4BC871: (d)VCallHresult
4BC876: (6c)ILdRf 
4BC879: (50)CI4Str
4BC87A: (59)PopTmpLdAdStr
4BC87D: (1b)LitStr: DWORD2 Value 
4BC880: (43)FStStrCopy
4BC883: (4)FLdRfVar
4BC886: (1b)LitStr: HKEY_LOCAL_MACHINE 
4BC889: (43)FStStrCopy
4BC88C: (4)FLdRfVar
4BC88F: (4)FLdRfVar
4BC892: (a)ImpAdCallFPR4:  4bb9ac
4BC897: (32)FFreeStr
4BC8A0: (1a)FFree1Ad
4BC8A3: (35)FFree1Var
4BC8A6: (27)LitVar_Missing
4BC8A9: (27)LitVar_Missing
4BC8AC: (27)LitVar_Missing
4BC8AF: (f5)LitI4:  0x0  0  (....)
4BC8B4: (1b)LitStr: Thanks for registering 
4BC8B7: (1b)LitStr:   
4BC8BA: (2a)ConcatStr
4BC8BB: (23)FStStrNoPop
4BC8BE: (4)FLdRfVar
4BC8C1: (21)FLdPrThis
4BC8C2: (f)VCallAd 7b3fc368
4BC8C5: (19)FStAdFunc
4BC8C8: (8)FLdPr
4BC8CB: (d)VCallHresult
4BC8D0: (6c)ILdRf 
4BC8D3: (2a)ConcatStr
4BC8D4: (46)CVarStr
4BC8D7: (a)ImpAdCallFPR4:  ffffffff
4BC8DC: (32)FFreeStr
4BC8E3: (1a)FFree1Ad
4BC8E6: (36)FFreeVar
4BC8F1: (27)LitVar_Missing
4BC8F4: (27)LitVar_Missing
4BC8F7: (27)LitVar_Missing
4BC8FA: (f5)LitI4:  0x0  0  (....)            -- LitI4: Pushes a number
4BC8FF: (3a)LitVarStr:  Now you must restart Professional Studio to enable all features.
4BC904: (4e)FStVarCopyObj
4BC907: (4)FLdRfVar
4BC90A: (a)ImpAdCallFPR4:  ffffffff
4BC90F: (36)FFreeVar
4BC91A: (fc)Lead1/(c8)End             -- End: Terminates program
4BC91C: (1e)Branch: 4bc948
4BC91F: (27)LitVar_Missing
4BC922: (27)LitVar_Missing
4BC925: (27)LitVar_Missing
4BC928: (f5)LitI4:  0x0  0  (....)
4BC92D: (3a)LitVarStr:  Invalid Registration Key, Please Try Again!
4BC932: (4e)FStVarCopyObj
4BC935: (4)FLdRfVar
4BC938: (a)ImpAdCallFPR4:  ffffffff
4BC93D: (36)FFreeVar
4BC948: (13)ExitProcHresult                 -- ExitProc*:  Exits this procedure and returns to caller
4BC949: (13)ExitProcHresult


The key to cracking this particular program is in this area:

4BC811: (6c)ILdRf                     -- ILdRf  : Pushes an address
4BC814: (1b)LitStr: 34395             -- LitStr : Pushes a string literal
4BC817: (fb)Lead0/(30)EqStr           -- Eqxxxx : Compares 2 things (strings,numbers,????)
4BC819: (2f)FFree1Str                 -- FFreexx: Frees used memory
4BC81C: (1a)FFree1Ad                  --          Frees used memory
4BC81F: (1c)BranchF: 4BC91F           -- Branchx: Conditional jump on the previous compare; BranchF jumps to the given address if it was false

Two values are pushed (the address loaded by ILdRf and the literal 34395) and
EqStr compares them.  If they are not equal, BranchF at 4BC81F branches to
4BC91F, which brings us to the "bad guy" routine--VERY simple :)
If you want to test this theory, you can BPM 4bc811 and f10 until you get to
4bc817.
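To make the compare/branch pattern concrete, here is an added Python example (my own, not from the post or from EXDEC) that parses lines in EXDEC's listing format and reports every string literal that is pushed straight into an Eq* compare whose result drives a Branch*. From the developer's side this is the check to run over a build of your own program: a registration string that shows up as a LitStr right next to the compare is sitting in the binary in clear. The line format and the four-instruction search window are assumptions taken from the listing above.

```python
import re
from collections import namedtuple

# Constructed sample in EXDEC's listing format: the compare/branch pair quoted
# above plus two neighbouring lines (not the full listing from the post).
SAMPLE = """\
4BC811: (6c)ILdRf                     -- ILdRf  : Pushes an address
4BC814: (1b)LitStr: 34395             -- LitStr : Pushes a string literal
4BC817: (fb)Lead0/(30)EqStr           -- Eqxxxx : Compares 2 things
4BC819: (2f)FFree1Str
4BC81C: (1a)FFree1Ad
4BC81F: (1c)BranchF: 4BC91F
4BC826: (f)VCallAd 7b3fc368
"""
# A listing line: address, (excode), optional LeadN/(excode) for two-byte excodes, mnemonic, operand, "-- comment".
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f]+):\s+\((?P<op>[0-9a-f]+)\)"
    r"(?:Lead\d/\((?P<op2>[0-9a-f]+)\))?"
    r"(?P<name>\w+):?\s*(?P<arg>.*?)\s*(?:--.*)?$"
)

Insn = namedtuple("Insn", "addr opcode name arg")           # opcode: the byte after LeadN/ if present
Gate = namedtuple("Gate", "literal_addr literal compare_addr branch_addr target")

def parse_listing(text):
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:   # blank lines and anything that is not an instruction line are skipped
            insns.append(Insn(int(m["addr"], 16), m["op2"] or m["op"], m["name"], m["arg"]))
    return insns

def _next_named(insns, start, prefix, window):
    # index of the first instruction in insns[start:start+window] whose mnemonic starts with prefix
    return next((j for j in range(start, min(start + window, len(insns)))
                 if insns[j].name.startswith(prefix)), None)

def find_literal_gates(insns, window=4):
    """Flag a LitStr pushed right before an Eq* compare whose result feeds a Branch*:
    the literal is the expected value and the branch is the accept/reject decision."""
    gates = []
    for i, ins in enumerate(insns):
        if ins.name != "LitStr":
            continue
        c = _next_named(insns, i + 1, "Eq", window)
        b = _next_named(insns, c + 1, "Branch", window) if c is not None else None
        if b is not None and re.fullmatch(r"[0-9A-Fa-f]+", insns[b].arg):
            gates.append(Gate(ins.addr, ins.arg, insns[c].addr, insns[b].addr, int(insns[b].arg, 16)))
    return gates
```

Run it over a saved EXDEC listing (see item 7 below) instead of SAMPLE; every Gate it prints is a literal the listing hands you in clear.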

A few things to know:

1) Every time a block of "code" is called, the excode DoExDisp executes the first
   byte.  So a fast way to set a bpm on a certain area is to enter sice, type
   BPX DOEXDISP  and then run your program.  Just remember to load the symbols
   first!  Once DOEXDISP breaks, you can disable it, and bpm whatever address
   you desire.
2) Sometimes you have to step into the __vba* calls to get to the real compare.
3) A combination of EXDEC and sice will be your best bet to cracking a program.
4) When you see ffffffff as the call target (as at 4BC8D7 above), I can't determine where the call goes.
5) If you would like to set a bpx on a particular excode, you have to add
   _lblex_ to the beginning of it.  For example: 4BC814: (1b)LitStr: 34395
   You would need to BPX _lblex_litstr.  Just remember that a LOT of the
   excodes are used for purposes other than in the spot you want to
   bpx on.
6) Until I figure out how to find where most of the calls are going to,
   a really easy way to get to the block of code you are interested in
   (after your serial is read, for instance) is to bpx hmemcpy, then hit
   <enter>.  When sice breaks, disable the break point, and bprw <program>,
   then hit f5.  You may need to skip through a few system calls, but you
   will soon get to MSVBVM50.DLL or MSVBVM60.DLL.  Write down the value in
   ESI and then you can search for that address in the output of EXDEC.
7) To save EXDEC's output to a file you have to:
   Type: exdec >my.txt then hit <enter>
   On the next line, type the program's name then hit <enter>.
8) Load the symbols into sice with the symbol loader.  If you are cracking
   both vb5 and vb6, then the last symbols you loaded will be the ones that
   are used when you set any breakpoints.  To unload them, use symbol loader.
9) Email josephco_@hotmail.com with any comments/questions you may have.

* More tutorial coming soon *


joe
