Now that VBReFormer is a well advanced decompiler for Visual Basic application, I was searching for some unsolved crackmes in order to made sample of decompiling for learning purpose.

The website Crackmes.de contains an impressive number of crackmes applications, a perfect source of samples.

For the first sample of CrackMe solving with VBReFormer Professional I decided to take “Step 2” from yudi (more informations).

I will show you, step by step, how it’s simple to solve the yudi’s Step 2 using VBReFormer Professional.

• Running the application:

We can see that a serial is generated using the name of the user.

How the serial is generated? See the following step.

• Now we just open the “Step 2.exe” file with VBReFormer Professional and getting the following result:

• We will now take a look to the first method loaded on Visual Basic application.

We can see on this capture that the “Label4” visibility is set to False (not visible) at the beginning of the application.

Take a look to that control in the resource editor of VBReFormer and you will agree that it’s the control that show the message “Registered user!”

We now need to know where the “Label4” control visibility is set to true, and what does the “Timer1” control.

• The analysis of the Timer1 control is interesting but not very useful for the following of this tutorial.

We can see here that the “Timer1_Timer” function is called every second by “Timer1” control in order to check that no debuggers, and if one is running, to close it.

We can note that it also close any MessageBox windows.

• Now we are looking for the code under the “Try” button which check if the key match with the name.

That “Try” button is the “Command1” button in VBReFormer:

Then just look to the Command1_Click() function in order to see the algorithm of key checking:

The algorithm seems a little complicated for newbie, but complete and without any syntax and source code error from VBReFormer.

That’s a great thing for us; we will be able to test the application into the Visual Basic IDE later (to make a key generator for example).

By analyzing the code we can see the following:

This part of code is showing us that the key is generated from the Name, but also with the Date and the Time !

That’s meaning it’s almost impossible to generate a key that does not expire the following second.

• In order to made the Key Generator, save the project with VBReFormer, and open it with Visual Basic 6.

When it’s opened into the Visual Basic IDE, remove the debugger watching functions and just keep the following:

o Command1_Click

o Command2_Click

Now remove the following conditions block from Command1_Click function:

These block are showing an alert when the “Name” field and when the “Key” field are empty, but it’s not usefull for a keygen.

At the end of the Command1_Click function we can see the serial check condition:

That code is checking that the serial (stored in var_pv19 variable) generated from the name with the algorithm is the same than the one entered in the “Serial” field (Text2.Text).

To show the generated serial, we just need to replace that condition block by the following line of code:

You must also remove the following line of code which remove the content of the both fields:

After all change and simplifications, we have the following keygen code:

• We now have to test our keygen:

• The first window is the windows of our KeyGen created from the original crackme, and the second window is the one of the original Crackme, with the key from the KeyGen.

The result is that our keygen work perfectly!

Just note that the use of date and time make your key valid for only 1 minute after having generated it.

Is it possible to bypass that limitation?

Yes it is ! In fact, to get the “Registered user!” message you even don’t need a key generator. By reading the code you can see that the operator used to perform a comparison between the both string key is the “Like” operator.

The “like” operator allows to comparate a string and a pattern…

Then you just can set “*” into the serial field and you will have a key which will be valid at anytime, with any name:

Source code of the key generator can be downloaded here:

http://www.decompiler-vb.net/documentation/crackmes/step_2.zip

Enjoy it !

I’m proud to announce the release and availability of VBReFormer Professional 5.4 (for licensed users).

The updated version of VBReFormer can be downloaded from your client account!
http://www.decompiler-vb.net/account.aspx

What’s new in VBReFormer Professional 5.4 ?

1. The analysis engine for disassembling and decompiling has been modified to recover language structure information (in order to decompile If/End If/Do/Loop/While blocks).

Then VBReFormer is now able to decompile simple conditions block like If/End If and Do/Loop/While conditions block.

2. The event name from controls is now back and shown on the code.

3. Conditions with Variant type and floating points type (Single and Double) is now supported because we included lot of news Visual Basic Virtual Machine functions:

__vbaVarTstEq
__vbaVarTstGe
__vbaVarTstGt
__vbaVarTstLe
__vbaVarTstLt
__vbaVarTstNe

4. An important bugfix has been applied. The problem was that VBReFormer sometime crashed on loading application on Windows XP, and was not showing every code from Visual Basic objects (vb6.old library was not properly setup).

5. New preference setting: You can now choose if you want to show only assembly code, only Visual Basic code, or the both.

In the year 2002, while I was working on my Visual Basic decompiler, VBReFormer, I discovered an interesting way on how to bypass the startup login form of any secured Visual Basic 6.0 application.

Any information presented here is only for learning purposes.

This is an important issue for the following reasons:

• This issue affects almost 100% of Visual Basic applications secured by a startup security form or startup license form
• This issue is common to Visual Basic 4.0 to Visual Basic 6.0
• This issue does not need any assembler knowledge to be applied, really quick and fast to apply

In this article, I will show you how your application can be bypassed by this vulnerability, and how you can secure your application against this issue.

Description of the vulnerability:

The internal Visual Basic application structure provides a table in which each form configuration properties are stored.

The main data of each user form, user control and designer are stored on a table of form header which provides the following information: signature, unique identifier, startup attribute, address of the form, and reserved bytes.

The issue is that the startup attribute is really easy to change in order to make the main form of an application the startup form of your application.

Scenario of attack:

We will work with a hexadecimal editor in order to analyze and edit the application. It's the only needed tool.

In the following scenario, the sample application we will bypass has two form called "frmMain" and "frmLicense". The "frmMain" form is the Main form, and the "frmLicense" form is a form asking licensing information in order to access to the Main form, then the application is secured by a "frmLicense" form which is the startup form.

First of all, you must search and found the Visual Basic Header, which contains all important information of your application. To find it, just search the Visual Basic Header signature ("VB5!") into the binary:

Note that the Visual Basic header has a length of 0x68 bytes, but this is not the most important information because we only need 2 bytes from this header to continue.

The information we need is the address of the Form Header Table, stored at the offset 0x4D of the Visual Basic Header.

Here we can read the address 0x0040123C. This is the Virtual Address of the Form Header Table, and we must convert it into a real address.

Basically, if your software is a Visual Basic 6.0 application, it mean that the Form Header Table is stored at the real address 0x0000123C = (0x0040123C - 0x00400000) in your application.

We now have to go to the address 0x123C to see the Form Header Table:

We can see on the above sample there is a table of two "Form Header", one header per form: "frmLicense" and "frmMain".

A Form Header starts with the 0x50000000 signature, and has a length of 0x50 bytes.

The information we need, here highlighted in blue is the Control Flag.

The Control Flag can take the following values:

The above example show that the "frmLicense" Control Flag is set to 0x0010 (SDI Form [startup]) and the "frmMain" Startup Flag is set to 0x0000 (SDI Form [no startup]) meaning the "frmLicense" form is the startup form of the application.

The objective being to bypass the "frmLicense" form, we now have to exchange the startup flag of the both forms in order to make the "frmMain" form the startup form of the application.

This is so simple to apply, just one byte to change, and the "frmMain" form is set to startup form of the application.

Now, when you start the application, you have a direct access to the "frmMain" form, bypassing the "frmLicense" form.

How to protect your application against this vulnerability ?

We have seen on the above scenario that all Visual Basic 4.0 to 6.0 applications are potentially affected by this issue; there are existing applications, commonly called "Visual Basic Universal Cracker" which allows making this work on automatic way, just with one click.

Then it's very important, when you write your application, to think about this issue in order to prevent against applying it on your application. There are different ways to setup protection your application against the application of this issue.

The different solutions are grouped into two categories, which are the code side solutions, and the binary side solutions.

Binary side solutions are applied after the application has been compiled, like packers, compressors, or external solutions of licensing.

Code source side solutions are directly applied on the source code of your application. For example you can define a simple global variable which will be checked during all the execution of your application, and on each form. Another solution is to define the startup form on the Sub Main() procedure of your application. Of course, that is not sufficient to secure your application against advanced crackers, but on this way you will protect your software against a common and simple vulnerability.

Introduction

This article has been written to provide a better and essential information to users of decompilers since I got many complaints from customers of others Visual Basic decompilers because their application weren’t recovered by these decompilers.

The reason is, when you write a Visual Basic 6.0 application you may choose a P-Code or Native code compilation, then your application will be compiled to P-Code or Native code which are very different approaches of compilation, so the decompilation will be different too.

There is a question you may absolutely ask yourself when you need a decompiler for a specific application: Is my application compiled into native or P-Code mode ?

The main problem is that a lot of users got a P-Code decompiler in order to decompile their application, but released with Native Code…

In fact, P-Code decompiler are today almost useless because 90% of Visual Basic 6 application are released with Native Code mode. This article will explain first the difference between P-Code and Native code, and then explain why the rate of Native code application is so important compared to P-Code applications.

I. P-Code Versus Native Code

When you write a line of code in the IDE, Visual Basic breaks it down into expressions and encodes the expressions into a preliminary format called op-codes. In other words, each line is partially precompiled as it is written. Some lines contain shared information that cannot be precompiled independently (mainly Dim statements and procedure definitions). This is why you have to restart if you change certain lines in break mode. The opcodes are compiled into p-code instructions when you compile (in the background if you have the Compile On Demand and Background Compile options set).

At run time, the p-code interpreter works through the program, decoding and executing p-code instructions. These p-code instructions are smaller than equivalent native code instructions, thus dramatically reducing the size of the executable program. But the system must load the p-code interpreter into memory in addition to the code, and it must decode each instruction.

It’s a different story with native code. You start with the same opcodes, but instead of translating to p-code instructions, the compiler translates to native instructions. Because you’re not going to be expecting an instant response while stepping through native code instructions in the IDE, the compiler can look at code from a greater distance; it can analyze blocks of code and find ways to eliminate inefficiency and duplication. The compiler philosophy is that, since you compile only once, you can take as long as you want to analyze as much code as necessary to generate the best results possible.

These two approaches create a disjunction. How can you guarantee that such different ways of analyzing code will generate the same results? Well, you can’t. In fact, if you look at the Advanced Optimizations dialog box (available from the Compile tab of the Project Properties dialog box) you’ll see a warning: "Enabling the following optimizations might prevent correct execution of your program." This might sound like an admission of failure, but welcome to the real world of compilers. Users of other compiled languages understand that optimization is a bonus. If it works, great. If not, turn it off.

On the other hand, very few developers are going to be used to the idea of working in an interpreter during development but releasing compiled code. Most compilers have a debug mode for fast compiles and a release mode for fast code. Visual Basic doesn’t worry about fast compiles because it has a no-compile mode that is faster than the fastest compiler. You get the best of both worlds, but it’s going to take a little while for people to really trust the compiler to generate code that they can’t easily see and debug.

Source : http://vb.mvps.org/hardcore/html/p-codeversusnativecode.htm

II. Proportion of P-Code application in the world

The amount of P-Code developed application is very small compared to Native Code developed application (90% of Visual Basic 6 applications are compiled with Native Code setting -default setting in VB6-), that is one of the reason why I decided to develop VBReFormer more for Native Code than for P-Code.

The massive number of Visual Basic Native application compared to P-Code applications is probably more important due to the fact the default value in the compiler is set up to « Native Code », and of course because native application are almost fast than C++ applications contrary to P-Code applications.

Before choosing a decompiler you must know if it was released for Native application, or for P-Code applications, and if your application was released in P-Code or Native mode.

Note that P-Code is more easy to decompile than Native Code because of it’s high level property.

English:

One of the most exiting feature of VBReFormer is design edition mode for binaries Visual Basic applications.

I have done this webcast to show that we can easily edit and alter an executable written with Visual Basic 6 with help of my half-decompiler VBReFormer 2007 Professional Edition.

For more information about VBReFormer: http://www.decompiler-vb.net/.

French:

L'une des plus importante fonction de VBReFormer est la possibilité d'éditer le design de vos applications Visual Basic même une fois compilé.

J'ai donc réalisé ce petit webcast pour montrer que l'on peut facilement éditer un exécutable écrit en Visual Basic 6 avec l'aide de mon semi-décompilateur VBReFormer 2007 Professional Edition.

Pour plus de renseignements à propos de VBReFormer: http://www.decompiler-vb.net/ .

D'ailleurs, pour ceux que la traduction d'applications intéresse, je vous conseille d'aller visiter le site de la communauté des traducteurs francophones (http://www.toutfr.com/) qui est une communauté de passionnés très sympathique .

Hello, 

My name is Sylvain Bruyere, I'm a freelance/developer focused on Microsoft development languages, and I develop a native Visual Basic decompiler since the year 1999, called VBReFormer.

After years of research on decompiler technologies, I am glad to announce the opening of this blog that will focus on knowledge-depth development for Visual Basic, related to object modeling, compilation, decompilation, and security.

As you can guess, I will talk in this blog of my experiences with Visual Basic development, and others related experiences.