MCSE MCNE tests - BeachFront Quizzer
(Visual Basic: the weak point inside VBRUN300.DLL)


by +drlan
(7 November 1997)


project8
Visual Basic reversing
Courtesy of fravia's page of reverse engineering

Well, an 'add-on to Razzia's tutorial with a very interesting trick ("another twist on cracking VB" as +drlan writes). Here is what +drlan (who is the author -inter alia- of an important essay about MKS Toolkit Release 5.2) wrote to me:
Fravia+,

The enclosed essay doesn't present any new rocket science to our art but 
it does combine a few tricks that may be of use to folks.  It highlights 
an area where I had difficulty early on and presents an easy way to get 
around it.  This will make it more enjoyable for the students and save 
them some of the pains I encountered.

Enjoy,

+drlan



Target Program : BeachFront Quizzer
Protection     : demo, serial numbers to unlock tests
Cracked by     : drlan [ME97]
Location       : http://www.bfquiz.com

Tools needed:
- SoftICE Win95
- Hex Editor (I like PSEdit and Hex Workshop)

Conventions used:
> denotes a SoftICE command

This program is designed to help students prepare to take the Sylvan/
Prometric (formerly Drake) tests for Microsoft and Novell products.  It
is similar to CNE Quizzer, Transcender, etc.  BeachFront has an entire
library of self-tests for both Microsoft and Novell.  So, if you want to
take some of your MCSE or MCNE tests, these are great study aids.

Let me say right up front that this is a tutorial only.  I am not going
to hand out serial numbers here for lamers.  The intent of this tutorial
is to provide you (the cracker) with another approach for defeating those
damn Visual Basic apps.  So, if you're just looking for serials, then go
elsewhere.  If you want to learn another twist on cracking VB, then please
read on!

Download the target (the testing module) and a few of the self-tests.  Run
it a few times to get a feel for what's going on.  You'll notice that the
only test you can actually try is the "demo" one with limited questions.
When you try to run one of the real tests, it asks you to enter a 12 digit
"database key."

I already mentioned that this is a VB application, so our standard approach
of dis-assembling or playing in SoftICE will not work (or at least will not
be all that much fun).

I want to take a moment here to extend a very warm thank you to Razzia.  It
was Razzia who did the hard work which makes this essay possible.  His essay
on cracking VB apps is one of the best I've ever read.  However, early on in
my cracking career, for some reason I had trouble following the essay and I
just had a hell of a time trying to crack VB programs.  I fully understand
it now and appreciate it for what it is.  My intent here is to save some of
the newbie crackers from losing hair over VB apps and to save Razzia from
people asking too many questions about his wonderful essay.

So here goes...

We know from Razzia's work that VB apps typically do their comparisons like
this:

   [borrowed from Razzia's essay]
   Step 8: Now we have found the code where the VB3 dll does the comparing
   we can now place a breakpoint there and disable the other breakpoints. We
   won't need them anymore. We HAVE FOUND the place where things get compared
   in VB3. What you see is this :

:The_VB3_compare_snippet
   : 8BCA         mov cx, dx
   : F3A6         repz cmpsb  ;

Now that we know where VB 3 does its string comparing, we know "where" to
set our breakpoint.  Then we can see what it compares (the right string)
with the string we entered.  Razzia suggests using SoftICE to do a search
for the hex values of the instructions (while you're in the code of the
VBRUN300.DLL) and this is what I always had trouble with.  I could never
get sICE to find the code segment this way.

However, I know a little trick that I learned from my good friend josephco
that will allow me to do exactly what I need to do here and that is break
in right on that MOV CX, DX.  The trick is to hex edit the file and stick
in some instruction that we know we can break on (like an INT 3).  The hex
value for an INT 3 is CC.  So, make a backup copy of your VBRUN300.DLL...
Then open it in your favorite hex editor and search for the above code
block.  This search string will be unique:

8BCAF3A674019F928D5E08E80E06

Once you've found it, change the 8B into CC.  Now we have an INT 3 stuck in
right at the beginning of the compare routine.  We definately do not want
this instruction to execute, so before you do anything else, go into sICE
and set a breakpoint on int 3.

>BPINT 3

Okay, now you can run the target.  It will break on the INT 3 because it
must be doing some other string comparison work.  IMPORTANT: when it does
break, you must assemble back in the original instruction (MOV CX, DX) so
it does not execute the INT 3.  If you skip this step, your system will
crash!  So, after SoftICE breaks on the INT 3, assemble back in the old
instruction.

>A
>MOV CX, DX
>press ESC

Let's "clear" all existing breakpoints now.

>BC *

Now, set a new breakpoint on the MOV CX, DX line.  You can do this by just
double clicking on the line if you have mouse support enabled.  Or, type
BPX ssss:oooooooo (where ssss is the segment and oooooooo is the offset).
So, now we have the original instruction assembled back in place and we
have a breakpoint set there so we can pop in right before the magic moment.

Before you toggle back over to the program (using Ctrl-D or F5), let's go
ahead and "disable" this breakpoint for now (otherwise it will pop several
times before we really need it).

>BD *

Okay, now toggle back over and select a self-test.  Type in a 12 digit key
but don't click OK yet.  Toggle back in to SoftICE (Ctrl-D) and "enable"
the breakpoint.

>BE *

Toggle back to the app (Ctrl-D or F5) and now click on OK.  You should be
staring at a SoftICE screen now and sitting on the MOV CX, DX line.

We know (again from Razzia) that VB 3 is about to compare what's in ES:DI
with what's in DS:SI. So, let's "display" what's there in memory.  In this
case ES == DS, so:

>D di    ; should be the 12 digit number you entered

>D si    ; yeeha; the correct number!  (only the first 12 digits)

You can save yourself a few keystrokes by editing your breakpoint and
making it do the "D si" for you.  To do this:

>BPE 0   ; edit breakpoint 0

Remove the # in front of your address and add this to the end of the line:

DO "d si"

So, your new breakpoint should look something like this (if you do a BL).

00)   BPX #2B67:00008CAF  DO "d si"

You'll want to "disable" it before you toggle back to the program to try
a different test module, otherwise it will break several times and slow
you down.  Then once you're ready to find another key, just toggle back
to sICE (Ctrl-D) and "enable" the breakpoint.

Since you already have your breakpoint set, you can loop through all the
tests you want and find out all the correct "database keys."  Again, I am
not going to list any of them here.  Sorry, lamers...

VERY IMPORTANT: Do not forget to restore your backup copy of the VB dll
(VBRUN300.DLL).  You may want to save your debug version as vbrun300.cc
just in case you need to do another exercise like this sometime. :-)

I use this same trick a lot when I know where I want to break in on a
target but have troulbe pin pointing it.  I just stick in an INT 3 and
BPINT 3, then re-assemble the old instruction back in.  It works quite
well and can save a considerable amount of time when you're "seeking the
needle in the haystack."

This same technique should work equally well for VB4 (and perhaps 5).
From Razzia's earlier essay, we know VB 4 usually does its compares like
this:

   [borrowed from Razzia's essay]
   I have done all the hard work for you and found the VB4 dll code
   that compares two strings (in WideChar format !).
   Heres the listing :

   : 56            push esi
   : 57            push edi
   : 8B7C2410      mov edi, [esp + 10]
   : 8B74240C      mov esi, [esp + 0C]
   : 8B4C2414      mov ecx, [esp + 14]
   : 33C0          xor eax, eax
   : F366A7        repz cmpsw  ;

So, just stick an INT 3 (CC) in place of the push esi (56) and you're on
the track...

That's it for this lesson.  Hope this was fun and instructional.

Disclaimer: THIS ESSAY IS FOR EDUCATIONAL PURPOSES ONLY.  ANY USE, MIS-USE
OR ILLEGAL ACTIVITY IS THE SOLE RESPONSIBILITY OF THE READER.

Personal GreetZ: Razzia, josephco, niabi, fravia+, +gthorne and +ORC!

drlan
(c) +drlan. All rights reversed
You are deep inside fravia's page of reverse engineering, choose your way out:

redproject8
redhomepage redlinks redanonymity +ORC redstudents' essays redacademy database
redtools redcocktails redantismut CGI-scripts redsearch_forms redmail_fravia
redIs reverse engineering legal?