change in VB EXE file.

[ivanov]

Hi again,

I only have made a single change from JNE to JMP (jump to Good-Guy code) in an .EXE file compiled by Visual Basic 6.0. The program runs, but in some part, error happens when showing a Form (window dialog). I thought this is a PE-related problem. I tried to re-adjust the TimeStamp, but still the problem occurs. My question, how can I fixed the file after change made?

[JMI]

ivanov:

You are not "Releasing Software" and your post does not belong in that Forum. It really is mostly a Request, but there is some "Discussion," so I moved it here.

Regards,

[Shub-Nigurrath]

dear ivanov,

you haven't told if it's a native VB app or a p-code one, anyway changing VB apps isn't anything different than normal applications, the only difference is that there's a more frequent access to the VB runtime dlls, which complicates to follow the program's flow.
Generally speaking the only things you shouldn't change (up to you don't know what are you doing) are the jmps tables, which are used to find message handler in the program..

The behaviour you told can be due to some crc-like checks, try to see with Peid and the Karnal plug if there's one..

You also didnt specify where in the vb code you changed a jump... If it is in a generated Form initialization routine... or something similar - you will have some issues

[ivanov]

I force the JNE jumps to PUSH 0000CC81 ("Professional Version" for About dialogbox). But, if the previous TEST EAX, EAX is Zero, next JMP to PUSH 0000CC82 ("Trial Version").

[bilbo]

Quote:

Originally Posted by Shub-Nigurrath

The behaviour you told can be due to some crc-like checks, try to see with Peid and the Karnal plug if there's one..

As far as I know, correct me if I am wrong, the plugin you are telling about is called KANAL, and it cannot detect CRC checks but simple crypto algorithms (by signatures).

Regards, bilbo

What is the specific error it throws... or does it crash without an error.

You should load your modified exe in IDA Pro and step through the code after your modified Jump to see if it is infact doing CRC checks or not and just go in and jump past those as well.

If you debug it you can see where in the code its erroring and for what specific reason, and take appropriate action. At the very least it will give ppl you ask a better clue as to what is going wrong.

[ivanov]

The errors occur when displaying a Form/(Window) Dialog which is not related with the modified JUMP (this JUMP is in About dialog box). But, nothing happens using the original EXE. I don't quite sure if it uses CRC Check. No crash, the program just shows an error dialog that are automatically reported to developer's Website.

[taos]

make a test, in the original EXE change a string and if you get another error then maybe a crc check, but if you have not error then you must study your cracked exe.

[ivanov]

right..right, I will try.

[Michel]

Quote:

I force the JNE jumps to PUSH 0000CC81 ("Professional Version" for About dialogbox). But, if the previous TEST EAX, EAX is Zero, next JMP to PUSH 0000CC82 ("Trial Version").

Are you sure the real test is not before this "test eax", and that the "jne" is not only the way to show the right message in the about-box ? If this is the case, another part of the prog may perform the test too and produce some incompatibility.
So, the first thing would be to be sure you have found the very ROOT of the Prof-Trial test, and patch that, not the message.
Other thing : you may try to leave the JNE and exchange the two PUCHs : no more crc-check problem, and see what happen...
Good luck.

Or perhaps you are fixing the check in the startup routine, but there is another/different check in the form initialization/startup/show code

Hi.. i suggest u to use SmartCheck as it's very good when u need to analize VB6 code (also in P-code) and it's quite simple to use.

RF

[ivanov]

SmartCheck crashes when loading this VB prog.

humm. what msvb60.dll version are u using? I suffered crashes once too, changed it and got it to work.

RF