Warning's blog
The deepest secrets of Visual Basic ...

VBReFormer: CrackMe Sample #1

November 5, 2008 22:42 by Warning

Now that VBReFormer is a well advanced decompiler for Visual Basic applications, I was looking for some unsolved crackmes to use as decompilation samples for learning purposes.

The website Crackmes.de contains an impressive number of crackme applications, a perfect source of samples.

For the first sample of CrackMe solving with VBReFormer Professional I decided to take “Step 2” from yudi (more information).

I will show you, step by step, how simple it is to solve yudi’s Step 2 using VBReFormer Professional.

  • Running the application:

yudi's Step 2 (CrackMe) / Screenshot 1

We can see that a serial is generated using the name of the user.

How is the serial generated? See the following step.

  • Now we just open the “Step 2.exe” file with VBReFormer Professional and get the following result:

VBReFormer VB decompiler screenshot 1

  • We will now take a look at the first method loaded in the Visual Basic application.

VBReFormer VB decompiler screenshot 2

We can see in this capture that the visibility of the “Label4” control is set to False (not visible) at the beginning of the application.

Take a look at that control in the resource editor of VBReFormer and you will agree that it is the control that shows the message “Registered user!”

VBReFormer VB decompiler screenshot 3

We now need to know where the visibility of the “Label4” control is set to True, and what the “Timer1” control does.

  • The analysis of the Timer1 control is interesting but not very useful for the rest of this tutorial.

VBReFormer VB decompiler screenshot 4

We can see here that the “Timer1_Timer” function is called every second by the “Timer1” control in order to check that no debugger is running, and to close it if one is.

Note that it also closes any MessageBox window.

  • Now we are looking for the code under the “Try” button, which checks whether the key matches the name.

That “Try” button is the “Command1” button in VBReFormer:

VBReFormer VB decompiler screenshot 5

Then just look at the Command1_Click() function to see the key-checking algorithm:


VBReFormer VB decompiler screenshot 6

The algorithm may seem a little complicated to a newbie, but it is complete and free of any syntax or source code error from VBReFormer.

That is a great thing for us: we will be able to test the application in the Visual Basic IDE later (to make a key generator, for example).

By analyzing the code we can see the following:

Set var_pv2 = Me.Text1()
var_pv3 = var_pv2.Text()
var_pv10 = (var_pv3)
var_pv11 = (Date$) & (" ")
var_pv12 = (var_pv11) & (Time$)
var_pv13 = (var_pv12)

This part of the code shows us that the key is generated from the Name, but also from the Date and the Time!

That means it is almost impossible to generate a key that does not expire the following second.

  • In order to make the Key Generator, save the project with VBReFormer, and open it with Visual Basic 6.

When it is opened in the Visual Basic IDE, remove the debugger-watching functions and just keep the following:

o Command1_Click

o Command2_Click

Now remove the following condition blocks from the Command1_Click function:

If (var_num8) Then
    var_pv6 = ("Hey")
    var_pv7 = ("need something")
    var_pv9 = MsgBox(var_pv7, 4160, var_pv6)
End If

These blocks show an alert when the “Name” field or the “Key” field is empty, but that is not useful for a keygen.

At the end of the Command1_Click function we can see the serial check condition:

Set var_pv2 = Me.Text2()
var_pv3 = var_pv2.Text()
var_pv21 = (var_pv3)
var_pv22 = ((var_pv19 Like var_pv21))
If (((var_pv22) = (True))) Then
    Set var_pv2 = Me.Label4()
    var_pv2.Visible() = True
End If

That code checks that the serial generated from the name by the algorithm (stored in the var_pv19 variable) is the same as the one entered in the “Serial” field (Text2.Text).

To show the generated serial, we just need to replace that condition block with the following line of code:

VBReFormer VB decompiler screenshot 7

You must also remove the following lines of code, which clear the content of both fields:

Set var_pv2 = Me.Text1()
var_pv2.Text() = ""
Set var_pv2 = Me.Text2()
var_pv2.Text() = ""
Set var_pv2 = Me.Text1()

After all changes and simplifications, we have the following keygen code:

Private Sub Command1_Click()
    ' Inputs of the algorithm: the user name and the current date and time
    var_pv10 = Text1.Text
    var_pv13 = Date$ & " " & Time$
    ' First pass: for every digit of the date/time string, emit two characters
    ' derived from that digit and from the last digit of the ASCII code of the
    ' name character at the same position
    For var_pv14 = 1 To Len(var_pv13) Step 1
        If IsNumeric(Mid$(var_pv13, CLng(var_pv14), 1)) Then
            var_pv15 = Asc(Mid$(var_pv13, CLng(var_pv14), 1))
            ' var_pv16 keeps its previous value once var_pv14 runs past the name
            If var_pv14 <= Len(var_pv10) Then
                var_pv16 = Str(Asc(Mid$(var_pv10, CLng(var_pv14), 1)))
                var_pv16 = Right$(var_pv16, 1)
                var_pv16 = Val(var_pv16)
            End If

            var_pv18 = var_pv18 & Chr$(CLng(var_pv15 + 17 + var_pv16))
            var_pv18 = var_pv18 & Chr$(CLng(var_pv15 + 17 + var_pv16 * 2))
        End If
    Next var_pv14

    ' Second pass: cut the first 24 characters into six groups of four, separated by "-"
    For var_pv14 = 1 To 24 Step 4
        var_pv19 = var_pv19 & Mid$(var_pv18, CLng(var_pv14), 4) & "-"
    Next var_pv14

    ' Drop the trailing "-" and show the serial in the "Key" field
    var_pv20 = Len(var_pv19) - 1
    var_pv19 = Mid$(var_pv19, 1, var_pv20)
    Text2.Text = var_pv19
End Sub

  • We now have to test our keygen:

yudi's Step 2 (CrackMe) / Screenshot 2

  • The first window is the window of our KeyGen created from the original crackme, and the second window is the one of the original crackme, with the key from the KeyGen.

The result is that our keygen works perfectly!

Just note that the use of the date and time makes your key valid for only 1 minute after it has been generated.

Is it possible to bypass that limitation?

Yes it is! In fact, to get the “Registered user!” message you do not even need a key generator. By reading the code you can see that the operator used to compare the two key strings is the “Like” operator.

The “Like” operator compares a string against a pattern…

So you can just enter “*” in the serial field and you will have a key that is valid at any time, with any name:

yudi's Step 2 (CrackMe) / Screenshot 3
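The two findings above, the date/time dependency of the serial and the wildcard comparison, as an added Python port of the decompiled algorithm (this is not the post's own code nor part of the crackme). It assumes the VB string layout Date$ = mm-dd-yyyy and Time$ = hh:mm:ss, and puts the crackme's "Like" check next to the exact comparison it should have used:

```python
import re

def generate_serial(name, stamp):
    """Port of the decompiled Command1_Click.  `stamp` is the VB string
    Date$ & " " & Time$, e.g. "11-05-2008 22:42:17" (mm-dd-yyyy hh:mm:ss)."""
    digit = 0            # var_pv16: keeps its last value once i runs past the name
    mixed = ""           # var_pv18
    for i, ch in enumerate(stamp, start=1):
        if not ch.isdigit():           # IsNumeric() on the single character
            continue
        code = ord(ch)                 # var_pv15
        if i <= len(name):
            digit = int(str(ord(name[i - 1]))[-1])   # Right$(Str(Asc(c)), 1)
        mixed += chr(code + 17 + digit) + chr(code + 17 + digit * 2)
    # Mid$(var_pv18, 1/5/.../21, 4) joined with "-": only the first 24 characters,
    # i.e. the first 12 digits of the stamp (month, day, year, hour, minute), are used
    return "-".join(mixed[j:j + 4] for j in range(0, 24, 4))

def vb_like(text, pattern):
    """Minimal VB `Like` (Option Compare Binary): * ? # and [list] / [!list]."""
    regex, i = "", 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            regex += ".*"
        elif c == "?":
            regex += "."
        elif c == "#":
            regex += r"\d"
        elif c == "[" and pattern.find("]", i + 1) > 0:
            j = pattern.find("]", i + 1)
            body = pattern[i + 1:j]
            regex += "[" + ("^" + body[1:] if body.startswith("!") else body) + "]"
            i = j
        else:
            regex += re.escape(c)
        i += 1
    return re.fullmatch(regex, text, re.DOTALL) is not None

def check_serial_as_crackme(name, stamp, entered):
    """What Command1_Click does: var_pv19 Like var_pv21, so the entered text is a pattern."""
    return vb_like(generate_serial(name, stamp), entered)

def check_serial_strict(name, stamp, entered):
    """The comparison it should have used: exact string equality."""
    return generate_serial(name, stamp) == entered
```

Because only twelve digits of the stamp reach the serial, the seconds never matter, which is exactly the one-minute validity window noted above.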

 

The source code of the key generator can be downloaded here:

http://www.decompiler-vb.net/documentation/crackmes/step_2.zip

Enjoy it !


How to bypass Visual Basic 6.0 application security forms?

May 26, 2008 17:17 by Warning

In 2002, while I was working on my Visual Basic decompiler, VBReFormer, I discovered an interesting way to bypass the startup login form of any secured Visual Basic 6.0 application.

Any information presented here is only for learning purposes.

This is an important issue for the following reasons:

  • This issue affects almost 100% of Visual Basic applications secured by a startup security form or startup license form
  • This issue is common to Visual Basic 4.0 through Visual Basic 6.0
  • This issue does not require any assembler knowledge; it is really quick and easy to apply

In this article, I will show you how your application can be bypassed through this vulnerability, and how you can secure your application against it.

Description of the vulnerability:

The internal Visual Basic application structure provides a table in which the configuration properties of each form are stored.

The main data of each user form, user control and designer is stored in a table of form headers, which provides the following information: signature, unique identifier, startup attribute, address of the form, and reserved bytes.

The issue is that the startup attribute is really easy to change in order to make the main form of an application its startup form.

Scenario of attack:

We will work with a hexadecimal editor in order to analyze and edit the application. It is the only tool needed.

In the following scenario, the sample application we will bypass has two forms called "frmMain" and "frmLicense". "frmMain" is the main form, and "frmLicense" is a form asking for licensing information in order to access the main form; the application is therefore secured by the "frmLicense" form, which is the startup form.

First of all, you must search for and find the Visual Basic Header, which contains all the important information about your application. To find it, just search for the Visual Basic Header signature ("VB5!") in the binary:

0000 0000 7011 4000 4C00 0000 5642 3521   ....p.@.L...VB5!
F01F 5642 3646 522E 444C 4C00 0000 0000   ..VB6FR.DLL.....
7E00 0000 0000 0000 0000 0000 0000 0A00   ~...............
0C04 0000 0904 0000 0000 0000 6C16 4000   ............l.@.
80F0 3000 00FF FFFF 0800 0000 0100 0000   ..0.............
0100 0000 E900 0000 3C12 4000 3C12 4000   ........<.@.<.@.
3411 4000 7800 0000 8000 0000 8800 0000   4.@.x...........
8900 0000 0000 0000 0000 0000 0000 0000   ................
0000 0000 5072 6F6A 6574 3300 5072 6F6A   ....Projet3.Proj
6574 3100 0050 726F 6A65 7431 0000 0000   et1..Projet1....


Note that the Visual Basic header has a length of 0x68 bytes, but this is not the most important information, because we only need 2 bytes from this header to continue.

The information we need is the address of the Form Header Table, stored at offset 0x4D of the Visual Basic Header.

Here we can read the address 0x0040123C. This is the Virtual Address of the Form Header Table, and we must convert it into a real address (an offset in the file).

Basically, if your software is a Visual Basic 6.0 application, it means that the Form Header Table is stored at the real address 0x0000123C = (0x0040123C - 0x00400000) in your application file. Subtracting the default image base 0x00400000 is enough here because, in a typical VB6 executable, the file offset of the code section equals its relative virtual address; for a binary with a different image base or section layout, the PE section table must be used for the conversion.

We now have to go to address 0x123C to see the Form Header Table:

5000 0000 BBD5 839F DDD7 CC41 BD2F 2358
28D2 B2E6 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 1000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
9C00 0000 0000 0000 7011 4000 4C00 0000

frmLicense

5000 0000 BC8B D132 ACD5 8E46 80EA 6E9A
F88F C04D 0000 0000 0000 0000 0000 0000
0000 0000 0100 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
9C00 0000 0000 0000 7C1C 4000 9C00 0000

frmMain


We can see in the above sample that there is a table of two Form Headers, one header per form: "frmLicense" and "frmMain".

A Form Header starts with the 0x50000000 signature and has a length of 0x50 bytes.

The information we need (highlighted in blue in the original listing) is the Control Flag, the 32-bit value at offset 0x28 of each Form Header: 0x10 in the "frmLicense" entry above and 0 in the "frmMain" entry.

The Control Flag can take the following values:

Form Type                      Startup   Dec   Hex      Bin
SDI Form                       N         0     0x0000   0b0000000000000000
MDI Container Form             N         1     0x0001   0b0000000000000001
SDI Form                       Y         16    0x0010   0b0000000000010000
MDI Container Form             Y         17    0x0011   0b0000000000010001
MDI Child Form                 Y         18    0x0012   0b0000000000010010
SDI Form With Window control   N         128   0x0080   0b0000000010000000
SDI Form With Window control   Y         144   0x0090   0b0000000010010000


The above example shows that the "frmLicense" Control Flag is set to 0x0010 (SDI Form [startup]) and the "frmMain" Control Flag is set to 0x0000 (SDI Form [no startup]), meaning the "frmLicense" form is the startup form of the application.

The objective being to bypass the "frmLicense" form, we now have to exchange the startup flags of the two forms in order to make "frmMain" the startup form of the application.

5000 0000 BBD5 839F DDD7 CC41 BD2F 2358
28D2 B2E6 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
9C00 0000 0000 0000 7011 4000 4C00 0000

frmLicense

5000 0000 BC8B D132 ACD5 8E46 80EA 6E9A
F88F C04D 0000 0000 0000 0000 0000 0000
0000 0000 0100 0000 1000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
9C00 0000 0000 0000 7C1C 4000 9C00 0000

frmMain


This is very simple to apply, just one byte to change, and the "frmMain" form becomes the startup form of the application.

Now, when you start the application, you get direct access to the "frmMain" form, bypassing the "frmLicense" form.

How to protect your application against this vulnerability?

We have seen in the above scenario that all Visual Basic 4.0 to 6.0 applications are potentially affected by this issue; there are existing tools, commonly called "Visual Basic Universal Cracker", which perform this work automatically, with just one click.

It is therefore very important, when you write your application, to keep this issue in mind in order to prevent it from being applied to your application. There are different ways to protect your application against it.

The different solutions fall into two categories: code-side solutions and binary-side solutions.

Binary-side solutions are applied after the application has been compiled, like packers, compressors, or external licensing solutions.

Source-code-side solutions are applied directly in the source code of your application. For example, you can define a simple global variable that is checked throughout the execution of your application, and in each form. Another solution is to define the startup form in the Sub Main() procedure of your application. Of course, that is not sufficient to secure your application against advanced crackers, but in this way you will protect your software against a common and simple vulnerability.
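A third, release-side check that complements the protections above, as an added Python example (not the post's own code nor a VBReFormer feature): it walks the Form Header Table exactly as described in the scenario and verifies that the startup bit still sits on the form you shipped, so a patched binary is detected before it is distributed or when a suspicious copy is examined. The table pointer is read at 0x4C from the "VB5!" signature, which is where the dword 3C 12 40 00 sits in the dump above, and the Control Flag at 0x28 of each entry, which is the dword that differs between the two listings; the sample image is constructed from the dumps above and, like the post, the VA-to-offset conversion assumes the default image base with RVA equal to file offset.

```python
import struct

IMAGE_BASE = 0x00400000   # default VB6 image base, as used in the subtraction above
FLAG_STARTUP = 0x0010     # bit 4 of the Control Flag: every "Startup = Y" row has it set

def build_sample_image():
    """Constructed test image (not the real binary): a VB5! header at file offset
    0x1000 whose table pointer is 0x0040123C, and the two Form Headers from the post."""
    img = bytearray(0x1400)
    img[0x1000:0x1004] = b"VB5!"
    struct.pack_into("<I", img, 0x1000 + 0x4C, 0x0040123C)   # dword 3C 12 40 00 in the dump
    table = 0x0040123C - IMAGE_BASE
    for n, (guid, obj_id, flags, form_va) in enumerate([
            ("BBD5839FDDD7CC41BD2F235828D2B2E6", 0, 0x10, 0x00401170),   # frmLicense
            ("BC8BD132ACD58E4680EA6E9AF88FC04D", 1, 0x00, 0x00401C7C)]): # frmMain
        off = table + n * 0x50
        struct.pack_into("<I", img, off, 0x50)                 # signature / structure size
        img[off + 0x04:off + 0x14] = bytes.fromhex(guid)       # unique identifier
        struct.pack_into("<III", img, off + 0x24, obj_id, flags, 0)
        struct.pack_into("<I", img, off + 0x48, form_va)       # address of the form
    return bytes(img)

def parse_form_headers(image, image_base=IMAGE_BASE):
    """Find the VB5! header, follow the Form Header Table pointer and decode each
    0x50-byte entry.  Like the post, this assumes RVA == file offset."""
    sig = image.find(b"VB5!")
    if sig < 0:
        raise ValueError("no VB5! signature: not a VB5/VB6 executable")
    table_va, = struct.unpack_from("<I", image, sig + 0x4C)
    off, forms = table_va - image_base, []
    while off + 0x50 <= len(image) and struct.unpack_from("<I", image, off)[0] == 0x50:
        flags, = struct.unpack_from("<I", image, off + 0x28)   # Control Flag
        form_va, = struct.unpack_from("<I", image, off + 0x48)
        forms.append({"offset": off, "guid": image[off + 4:off + 0x14].hex(),
                      "flags": flags, "form_va": form_va,
                      "startup": bool(flags & FLAG_STARTUP)})
        off += 0x50
    return forms

def startup_form_is(image, expected_guid):
    """Integrity check for a release pipeline: exactly one form carries the startup
    bit, and it is the form the binary was built with (here the license form)."""
    startup = [f for f in parse_form_headers(image) if f["startup"]]
    return len(startup) == 1 and startup[0]["guid"] == expected_guid.lower()
```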
