"Smartchecking" VB Programs
Yet another stupid protection unearthed
Visual Basic
Visual Basic reversing
25 February 1998
by Hs2L
Courtesy of Reverser's page of reverse engineering
slightly edited
by reverser+
Well, I always said this: Smartcheck is the 'final cracker weapon'. You may want to have a look at my own essay An interesting tool: Numega's Smartcheck, written in November 1997, and at Snatch's essay: An interesting tool: Numega Smartcheck 5.0, written in October 1997
Hs2L's essay is a nice work and will have quite some interest for beginners AND for anyone among my readers that still does not use smartcheck. I like especially the list of alternative reversing methods at the end. I believe that it would ALWAYS be a good idea, writing an essay, to compare the 'innovative' solution you propose with the 'traditional' alternative cracking methods you know of.
And yes, by all means, use Smartcheck... and not only for visual basic programs... you won't regret it!
There is a crack, a crack in everything That's how the light gets in
(x)Beginner ( )Intermediate ( )Advanced ( )Expert

This is an easy crack using the powerful SmartCheck 5 VB debugger to unearth hidden code the programmer doesn't want you to see. Our target is VB Project Analyzer
An example of VB Cracking using SmartCheck
(as opposed to Softice or IDA)
Written by Hs2L

VB Project Analyzer is a Visual Basic code analyzer-not too usefull for 
most of us but a good demonstration of a bad protection scheme implemented 
by a greedy programmer 
Tools required
SmartCheck 5.0 - This is the only tool you'll (ever) need.

Target's URL/FTP
ftp://kgb.quarta.com/NTUtil/NuMega/smchk50.exe http://www.numega.com www.aivosto.com/vb.html

I dont think too many reverse engineers would find this target useful. 
This is mainly to demonstrate how fantastic Smartcheck is rather then 
how to undo a certain protection scheme.
For those who don't have smartcheck 5.0, I suggest you download it NOW 
and crack it using Softice (see Snatch's essay). 
This Visual Basic runtime debugger and flow analyzer has to be seen to be 
believed. After having used this tool, I just hope more people make their 
stupid shareware in VB 5 so we can reverse all of their code, automagically, 
using this wonderful tool : )
You actually get ALL the code events, even COMMENTED, with their ORIGINAL 
names!!! Just load your target into Smartcheck and sit back and watch it 
generate event after event!
I wish you luck in trying to get this tool from NuMega's web site
They're starting to become difficult to deal with. I suggest you do an
FTP search.
Well, that's enough about smartcheck

A friend had downloaded this target and I just copied the compressed 
file onto my disk. The program is , as the name suggests, a Visual Basic 
code analyzer. 

I'm assuming you have SmartCheck 5 and have it configured to get maximum
events. Here are the steps:
After loading Project Analyzer and BEFORE beginning, click on settings 
from the Program menu. Click on the "Reporting" tab and enable everything 
except "Mouse movement from OCX". 
Under the "File to check" tab, enable everything.
Under "Error detection"  in "Type of errors to check for" check everything
Check "Save settings" before exiting. 
When you run the program, select "Show all events" from the "View" menu 
as well as "Arguments" and "Sequence Numbers"

After installing, when you run the program you see a simple 
nag screen with a edit box with the words "Guess..." in it. Obviously 
this is the place where you enter the registration code. Also, there's an 
option which allows you to analyze multiple project files. This is 
called Super Analyzer and requires a seperate registration.
(shareware programmers never get too greedy) This too, displays a nag. 
Now that we've seen the program we can load SmartCheck with the program.
So once we're in, SC begins dishing all the code as it runs the program 
(if you have the setting set for Show all events, you've got an incredible 
quantity of code right about now) so now the nag screen is displayed in all 
its glory. 
For now press OK and clear it. Go to Project Analyzer's menu and select 
Add In-->Super Analyzer. A second nag screen asking you to register Super 
Analyzer pops up. Now, near the end of the code listing you should see 
something interesting

FreeFile(VARIANT:Missing) returns Integer:1
Visual Basic Runtime Error 53: File not found
Super_About (form) create

What's happening here? You have to know a minimum amout of Visual Basic 
to understand this code

FreeFile(VARIANT:Missing) returns Integer:1

		---->Free file returns a filenumber that isn't
 		     in used. It is an	integer and can be used 
		     to open files.In this case the Number returned 
		     is 1
                ----> Translated in Basic this means:
Open "c:\projectana\superpa.lic" for input as #1 

So, its looking for a file called superpa.lic 
(/projectana is the directory where I installed VBPA)
After this, Smartcheck returns a runtime error stating that the file 
couldn't be opened. 
After this we see

Super_About (form) create 
		----> The nag screen is created

The above code has "Protection routine" written all over it. Essentially 
whats happening is, when you load Super Analyzer, the program attempts to 
open a license file. If it doesn't find one, it loads the nag screen. 
So, we can safely assume that when the registration code is correct, 
a license file is automatically generated. So, now, we create a superpa.lic
file in the Project Analyzer Directory. We leave it as an empty file 
and restart Project Analyzer through Smartcheck. This time when we try to 
open the Super Analyzer, the nag screen still shows up and some new code 
in Smartcheck.

After succesfully opening the Superpa.lic file we see this:

Visual Basic Runtime Error :Input past end of file

So now, Project Analyzer (PA for short) is reading information sequentially
from the file and since the file is empty, we get an error message 
"Input past end of file"

That means, PA is not just seeing if the license file exists but checking 
the contents as well. That means we'll have to fill the contents of 
"SuperPA.lic" with something.

Now comes the incredible part. Just look at the line below in the
Smartcheck code and you should see something like this:

LCase(VARIANT:By Ref String:"norppa")

What does this mean? Yes, you guessed it. It's the string that's supposed 
to be compared with what's in the license file! What does this mean? 
It means we just put "norppa" on the first line in the license file and 
it becomes valid!! Go ahead and try it. You are now the proud owner of a 
fully registered Super Analyzer addin : )

Now lets try the same thing with the Project Analyzer itself:

Wait for the nag screen to show up and then in the Smartcheck code, do a 
search for "lic". You should end up in a series of string manipulations. 
Scroll down until you see something like the following:

RTrim$(String:"Lic")		---->removes spaces to the right of "Lic"
RTrim$(String:"Project")             these aren't important
Len(String:"Lic") returns LONG:3

...some irelevant stuff

OnError(long:-1)		----> Used for error handling
FreeFile(VARIANT:missing) returns integer:1
About (Form) created

So, now we know what to do. We simply create another license file, 
this time with something written in it. So we make a "project.lic" 
file and in the first 5 lines put "crap"

We fire up SmartCheck again and get this code:

LCase(VARIANT:ByRef String:"crap")  --->converts to lower case
LCase(VARIANT:ByRef String:"Tikannakit")
LCase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String: "Sibelius")
Lcase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String: "Ryppyotsa")
About(Form) created

Now, PA is checking if the file exists, then opening it a second time to 
input sequentially.Now this part is particularly interesting:

LCase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String:"Tikannakit")
LCase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String: "Sibelius")
Lcase(VARIANT:ByRef String:"crap")
LCase(VARIANT:ByRef String: "Ryppyotsa")

This looks like a direct case-insensitive string comparison which can only 
mean its comparing the contents of the license file with what it's supposed
to contain. So, we create the license file as we did above, first line 
being "Tikannakit" and second being "Sibelius" the third is "Ryppyotsa". 
With Smartcheck cracking this is almost a joke! With our new license file 
we simply load up PA again and this time we are fully registered!

Interestingly enough, if we attempt to analyse some Visual Basic code with 
SmartCheck running, we can clearly see just how the analyzer goes about 
reading and intepreting the files. An invaluable bonus to its usage as a 
reversing tool.

Inside this target there are a couple of other add-in tools (Graph and Printer) 
that also requre seperate registration (greedy programmers never learn)

For these procedures, as you will see, just work same as above.
1) Search for "lic"
2) Find the name of the license file to create.
3) Create it and add some junk in it
4) Run the program and see what it really needs

That's about it. I hope you understood this. You could have cracked this 
of course in many different ways:
1)	by scanning the code in the buttonclick event for the nag 
screen to see how it processes the registration code you entered and 
checks it against the real one but Smartcheck solves the problem in a much 
easier way.

2)	using filemon/regmon/vxdmon in order to check the manoeuvres of 
your target (and identifying that way the various *.lic the target was 
searching) but -again- Smartcheck solves the problem in a much easier 

3)	You might have done it following Razzia's excellent tutorial on 
cracking VB apps by setting break points and patching the runtime file but 
that was in the "pre-smartcheck" era : ) Now that this outstanding tool is 
available, you'll never have to think about even touching softice or IDA 

Final Notes
I personally don't know anyone who would purchase Project Analyzer in his 
right mind: The program costs over $100 and you have moreover to register 
any add-in tools seperatley. 
On top of this, just check out the bug list after having installed this program! 
I wouldn't distribute a freeware program that has so many bugs! 
Guess whoever made the program didn't have SmartCheck 5.0 to debug it!
(If (s)he had used SmartCheck, neither the protection nor the program 
itself would have been so weak! : ) 

Send your comments and insults to shivanan@ens.lk

Ob Duh
I wont even bother explaining you that you should BUY this target program if you intend to use its not allowed functionalities (use as opposed to study them). Should you want to STEAL this software instead, you don't need to crack its (pathetical) protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside reverser's page of reverse engineering, choose your way out:

Visual Basic
Back to Visual Basic reversing

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_reverser
redIs reverse engineering legal?