MCSE MCNE tests - BeachFront Quizzer
(Visual Basic: the weak point inside VBRUN300.DLL)


by +drlan
(7 November 1997)


project8
Visual Basic reversing
Courtesy of reverser's page of reverse engineering

Well, an 'add-on to Razzia's tutorial with a very interesting trick ("another twist on cracking VB" as +drlan writes). Here is what +drlan (who is the author -inter alia- of an important essay about MKS Toolkit Release 5.2) wrote to me:
Reverser+,

The enclosed essay doesn't present any new rocket science to our art but 
it does combine a few tricks that may be of use to folks.  It highlights 
an area where I had difficulty early on and presents an easy way to get 
around it.  This will make it more enjoyable for the students and save 
them some of the pains I encountered.

Enjoy,

+drlan


Target Program : BeachFront Quizzer Protection : demo, serial numbers to unlock tests Cracked by : drlan [ME97] Location : http://www.bfquiz.com Tools needed: - SoftICE Win95 - Hex Editor (I like PSEdit and Hex Workshop) Conventions used: > denotes a SoftICE command This program is designed to help students prepare to take the Sylvan/ Prometric (formerly Drake) tests for Microsoft and Novell products. It is similar to CNE Quizzer, Transcender, etc. BeachFront has an entire library of self-tests for both Microsoft and Novell. So, if you want to take some of your MCSE or MCNE tests, these are great study aids. Let me say right up front that this is a tutorial only. I am not going to hand out serial numbers here for lamers. The intent of this tutorial is to provide you (the cracker) with another approach for defeating those damn Visual Basic apps. So, if you're just looking for serials, then go elsewhere. If you want to learn another twist on cracking VB, then please read on! Download the target (the testing module) and a few of the self-tests. Run it a few times to get a feel for what's going on. You'll notice that the only test you can actually try is the "demo" one with limited questions. When you try to run one of the real tests, it asks you to enter a 12 digit "database key." I already mentioned that this is a VB application, so our standard approach of dis-assembling or playing in SoftICE will not work (or at least will not be all that much fun). I want to take a moment here to extend a very warm thank you to Razzia. It was Razzia who did the hard work which makes this essay possible. His essay on cracking VB apps is one of the best I've ever read. However, early on in my cracking career, for some reason I had trouble following the essay and I just had a hell of a time trying to crack VB programs. I fully understand it now and appreciate it for what it is. My intent here is to save some of the newbie crackers from losing hair over VB apps and to save Razzia from people asking too many questions about his wonderful essay. So here goes... We know from Razzia's work that VB apps typically do their comparisons like this: [borrowed from Razzia's essay] Step 8: Now we have found the code where the VB3 dll does the comparing we can now place a breakpoint there and disable the other breakpoints. We won't need them anymore. We HAVE FOUND the place where things get compared in VB3. What you see is this : :The_VB3_compare_snippet : 8BCA mov cx, dx : F3A6 repz cmpsb ;<- here the strings in ds:si and es:di : 7401 je 8CB6 ; are being compared : 9F lahf : 92 xchg ax,dx : 8D5E08 lea bx, [bp+08] : E80E06 call 92CB Just before the REPZ CMPSB if you do a 'ed si' and a 'ed es:di', you will see what is compared with what. Now that we know where VB 3 does its string comparing, we know "where" to set our breakpoint. Then we can see what it compares (the right string) with the string we entered. Razzia suggests using SoftICE to do a search for the hex values of the instructions (while you're in the code of the VBRUN300.DLL) and this is what I always had trouble with. I could never get sICE to find the code segment this way. However, I know a little trick that I learned from my good friend josephco that will allow me to do exactly what I need to do here and that is break in right on that MOV CX, DX. The trick is to hex edit the file and stick in some instruction that we know we can break on (like an INT 3). The hex value for an INT 3 is CC. So, make a backup copy of your VBRUN300.DLL... Then open it in your favorite hex editor and search for the above code block. This search string will be unique: 8BCAF3A674019F928D5E08E80E06 Once you've found it, change the 8B into CC. Now we have an INT 3 stuck in right at the beginning of the compare routine. We definately do not want this instruction to execute, so before you do anything else, go into sICE and set a breakpoint on int 3. >BPINT 3 Okay, now you can run the target. It will break on the INT 3 because it must be doing some other string comparison work. IMPORTANT: when it does break, you must assemble back in the original instruction (MOV CX, DX) so it does not execute the INT 3. If you skip this step, your system will crash! So, after SoftICE breaks on the INT 3, assemble back in the old instruction. >A >MOV CX, DX >press ESC Let's "clear" all existing breakpoints now. >BC * Now, set a new breakpoint on the MOV CX, DX line. You can do this by just double clicking on the line if you have mouse support enabled. Or, type BPX ssss:oooooooo (where ssss is the segment and oooooooo is the offset). So, now we have the original instruction assembled back in place and we have a breakpoint set there so we can pop in right before the magic moment. Before you toggle back over to the program (using Ctrl-D or F5), let's go ahead and "disable" this breakpoint for now (otherwise it will pop several times before we really need it). >BD * Okay, now toggle back over and select a self-test. Type in a 12 digit key but don't click OK yet. Toggle back in to SoftICE (Ctrl-D) and "enable" the breakpoint. >BE * Toggle back to the app (Ctrl-D or F5) and now click on OK. You should be staring at a SoftICE screen now and sitting on the MOV CX, DX line. We know (again from Razzia) that VB 3 is about to compare what's in ES:DI with what's in DS:SI. So, let's "display" what's there in memory. In this case ES == DS, so: >D di ; should be the 12 digit number you entered >D si ; yeeha; the correct number! (only the first 12 digits) You can save yourself a few keystrokes by editing your breakpoint and making it do the "D si" for you. To do this: >BPE 0 ; edit breakpoint 0 Remove the # in front of your address and add this to the end of the line: DO "d si" So, your new breakpoint should look something like this (if you do a BL). 00) BPX #2B67:00008CAF DO "d si" You'll want to "disable" it before you toggle back to the program to try a different test module, otherwise it will break several times and slow you down. Then once you're ready to find another key, just toggle back to sICE (Ctrl-D) and "enable" the breakpoint. Since you already have your breakpoint set, you can loop through all the tests you want and find out all the correct "database keys." Again, I am not going to list any of them here. Sorry, lamers... VERY IMPORTANT: Do not forget to restore your backup copy of the VB dll (VBRUN300.DLL). You may want to save your debug version as vbrun300.cc just in case you need to do another exercise like this sometime. :-) I use this same trick a lot when I know where I want to break in on a target but have troulbe pin pointing it. I just stick in an INT 3 and BPINT 3, then re-assemble the old instruction back in. It works quite well and can save a considerable amount of time when you're "seeking the needle in the haystack." This same technique should work equally well for VB4 (and perhaps 5). From Razzia's earlier essay, we know VB 4 usually does its compares like this: [borrowed from Razzia's essay] I have done all the hard work for you and found the VB4 dll code that compares two strings (in WideChar format !). Heres the listing : : 56 push esi : 57 push edi : 8B7C2410 mov edi, [esp + 10] : 8B74240C mov esi, [esp + 0C] : 8B4C2414 mov ecx, [esp + 14] : 33C0 xor eax, eax : F366A7 repz cmpsw ;<-- here the (WideChar) strings at ds:esi : 7405 je 0F79B362 ; and es:edi get compared : 1BC0 sbb eax, eax : 83D8FF sbb eax, FFFFFFFF : 5F pop edi : 5E pop esi : C20C00 ret 000C So, just stick an INT 3 (CC) in place of the push esi (56) and you're on the track... That's it for this lesson. Hope this was fun and instructional. Disclaimer: THIS ESSAY IS FOR EDUCATIONAL PURPOSES ONLY. ANY USE, MIS-USE OR ILLEGAL ACTIVITY IS THE SOLE RESPONSIBILITY OF THE READER. Personal GreetZ: Razzia, josephco, niabi, reverser+, +gthorne and +ORC! drlan
(c) +drlan. All rights reversed
You are deep inside reverser's page of reverse engineering, choose your way out:

redproject8
redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia
redIs reverse engineering legal?