-Softice (I'm using v3.2)
Blackwidow is an off-line browser and I find it pretty kewl
it at Tucows or any other shareware archive), but has some limitations.
This is a VB5 proggie, the exe is about 400 kb and has lots
of calls to the the big, fat mama: Msvbvm50.dll.
First i will crack the _blackwidow.exe (no browser) and _bwds.exe (this exe is called to download the selected files), since this program as two more exe files (the others, blackwidow.exe and bwds.exe, allow you to browse through the downloaded files.
Now run the proggie a couple of times and check the protection type, have u checked?
Ok there is a stupid nag window that tells you how many days you have left to evaluate ("You have XX days left ")**, and you can download a maximum of 50 files each time (this really pisses me off), why can't they let us evaluate the full working proggie, grrrrrrrrr, but we have the possibility to register the proggie if we want to, it's a S/N protection.
Now change the date, say one month forward, now run the proggie again, can u see the nag that tells u that your evaluation is over ("Your evaluation period has expired ..")***? And if u try to explore any site , the same nag will pop up and ask you to register.
How do we crack this one?
You can use razzi's techniques of hmemcpy and MultiBytetoWidechar but you will get in some huge encryption and checksum routines, damn there must be another way!!!
I lost a couple of days trying to crack the S/N and finally I decided to try another approach.
I'll use a different approach, one that i've never seen in any essay. (For the moment, just remember, that in vb4 proggies and vb5 as well, strings are in wide format).
Let's crack! First thing is to get a disassembled list of _blackwidow.exe. Have u got it? Good, let's go on. Can you see the huge amount of calls? (damn VB programmers).
Now check the imports hmm interesting name rtcMsgBox, __vbalenBstr, .etc., since we are going to use softice don't forget to load Msvbvm50.dll exports into softice.
Ok now run blackwidow, can u see the nag? now we will set a breakpoint on blackwidow code, press Ctrl+D to get into softice and type bpx __vbalenBstr (you can try any bpx you fancy on other functions, but this one will work for sure), now Ctrl+D to get out of softice and just try to register the proggie (just press the OK button) and Softice will pop up at the beginning of __vbalenBstr, press F11 to get out of the call and you will be inside blackwidow code.
Now here's the approach, we are going to search for the message in the nag, remember - "You have XX days left ", but don't forget that the string is in wide format. So we will search for "You have "
softice will probably find some memory locations with this string but only one will be inside blackwidow data, check the line that separates the data window from the window above if something like this appears:
then you found your string!!!!!!
Now just write down them mem location, mine is 411C0C, now disable the breakpoint you set and go to your disassembled list and search for '411C0C' (ATTENTION: ignore the code line with the offset '411C0C' we are looking for the code where data offset '411C0C' is used, not code offset) .....there is only one place where this address is used, look at the code:
* Referenced by a Jump at Address:0044486B(C)
:00444BCA 680C1C4100 push 00411C0C ;<----here 'You have % days left.....'
:00444BCF 50 push eax
Hmm...interesting isn't it? Let's go on now we will search for the
that appears in the message when the evaluation period is over. We will
use the same method we used to find the first string, enable the
and repeat the same procedure, when you're inside blackwidow code just
search for the string in the nag. So we will search for "Your
period has now expired
search until you find the string we are looking for inside blackwidow data, check the line that separates the data window from the window above. Write down the adress and search for it inside the disassembled list, once again it will only appear once:
* Referenced by a Jump at Address:00444850(U) * Reference To: MSVBVM50.rtcGetTimer, Ord:0217h | :00444858 FF1590444600 Call dword ptr  :0044485E A128E04500 mov eax, dword ptr [0045E028] ;eax=days left :00444863 D91D30E04500 fstp dword ptr [0045E030] ;doesn't matter :00444869 3BC3 cmp eax, ebx ;cmp eax with ebx, ebx=0 :0044486B 0F8F59030000 jg 00444BCA ;jmp if any days left, this ;jump will lead you to the nag * Reference To: MSVBVM50.__vbaStrCopy, Ord:0000h | :00444871 8B3DD0444600 mov edi, dword ptr [004644D0] :00444877 BAB81B4100 mov edx, 00411BB8 ;<-----here :0044487C 8D4DEC lea ecx, dword ptr [ebp-14]We found the place where the program decides which nag should pop up, now let's take a look of the code just before this, this call to rtcGetTimer:
:0044471A 1BFF sbb edi, edi :0044471C F7DF neg edi :0044471E E8DD6A0100 call 0045B200 ;<---what is this?? :00444723 33D2 xor edx, edx ;edx=0 :00444725 3DDABF0202 cmp eax, 0202BFDA ;cmp eax with some checksum :0044472A 0F95C2 setne dl ;set dl=1 if not equal :0044472D 0BFA or edi, edx :0044472F 750D jne 0044473E ;jmp unregistered user-- :00444731 66391D78E04500 cmp word ptr [0045E078], bx :00444738 0F8403040000 je 00444B41 * Referenced by a Jump at Address:0044472F(C) :0044473E 833D28E0450001 cmp dword ptr [0045E028], 1 ;compare days left ** :00444745 0F8C07010000 jl 00444852 ;jmp if 0 days left :0044474B 8D4598 lea eax, dword ptr [ebp-68] :0044474E 50 push eax * Reference To: MSVBVM50.rtcGetDateVar, Ord:0262h | :0044474F FF1508454600 Call dword ptr  * Referenced by a Jump at Address:00444745(C) * Reference To: MSVBVM50.__vbaStrMove, Ord:0000h | :00444852 8B3544454600 mov esi, dword ptr ; <- here, if 0 days left * Referenced by a Jump at Address:00444850(U) * Reference To: MSVBVM50.rtcGetTimer, Ord:0217h | :00444858 FF1590444600 Call dword ptr  :0044485E A128E04500 mov eax, dword ptr [0045E028] ;eax=days left :00444863 D91D30E04500 fstp dword ptr [0045E030] ;doesn't matter :00444869 3BC3 cmp eax, ebx ;cmp eax with ebx, ebx=0 :0044486B 0F8F59030000 jg 00444BCA ;jmp if any days left, this jump ;will lead you to the nag * Reference To: MSVBVM50.__vbaStrCopy, Ord:0000h | :00444871 8B3DD0444600 mov edi, dword ptr [004644D0] :00444877 BAB81B4100 mov edx, 00411BB8 ;<-----"Your evaluation period..." :0044487C 8D4DEC lea ecx, dword ptr [ebp-14] ... * Referenced by a Jump at Address:0044486B(C) | :00444BCA 680C1C4100 push 00411C0C ;<---here 'You have % days left...' :00444BCF 50 push eax
As you can see after this strange call
the value in EAX is compared and DL is set to 1 if eax different of
if you are a registered user just go on, else check how many days are left , there are 2 checks for this, the first one will check if you can still use blackwidow and set it up, and the second one will decide which nag should pop up. The mem location that stores the number of days left (in my computer) is 45E028. So let's crack.... permanently, remember the strange call just before the registered user check? Now check that address (45b200 in my computer) and you'll see 9 calls to this routine, now write down those 9 addresses and check each one of these 9 locations. Can u see that after any of these call eax is compared with 202BFDA and that after that there is a 'setne dl'.
:00444723 33D2 xor edx, edx
:00444725 3DDABF0202 cmp eax, 0202BFDA
:0044472A 0F95C2 setne dl
so to permanently crack this one you'll just need to change all
<reg>' that appear after the call to 'sete <reg>'.
The 'sete <reg>' opcode is OF94XX". It's done. Now let's check _bwds.exe, this is the executable that _blackwidow.exe uses to download the files, and this exe also checks for the registered user (if you aren't a registered user you'll only be able to download a maximum of 50 files) and uses the same routine to do it, so just search for the value that is compared with eax after each call (0202BFDA), open your eax editor and search for 'DABF0202' and you will find two occurrences now just change the 0F95 bytes to 0F94. And you will be able to download as many files as you want.
It's CRACKED, now just register with some fake serial.
I've tried this 'live string search' approach in some others VB5 proggies and worked fine. Currently i'm doing a reference for Msvbvm50.dll functions (i'll try to release it in a couple of weeks) so if you have reversed any of those i would apreciate you could send it to me, to email@example.com.