<html>

<head>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<meta name="Author" content="The Sandman">
<meta name="Classification" content="Reverse Code Engineering">
<meta name="Description"
content="Step by step guide to cracking AI Picture Explorer V1.0">
<meta name="KeyWords"
content="How to crack AI Picture Explorer V1.0">
<meta name="GENERATOR" content="Microsoft FrontPage Express 2.0">
<title>visual_J++2</title>
</head>

<body bgcolor="#C0C0C0" text="#001010" link="#FF0000"
vlink="#CC0000" alink="#FFFFFF">


<table border="1" width="100%" height="22">
    <tr>
        <td width="15%" bgcolor="#FFFFFF"><font
        face="Arial,Helvetica"><b>March 1999</b></font>&nbsp;</td>
        <td width="100%" bgcolor="#FFFFFF"><font size="5"
        face="Arial,Helvetica">&quot;Microsoft's Visual J ++ 6.0
        Professional Edition&quot;</font> </td>
        <td width="30%" bgcolor="#FFFFFF"><font
        face="Arial,Helvetica"><b>Win '95 PROGRAM</b></font> <font
        color="#808080" face="Arial,Helvetica">Win Code Reversing</font>&nbsp;<font
        color="#808080" face="Arial,Helvetica">&nbsp;</font>&nbsp;</td>
    </tr>
    <tr>
        <td width="15%" bgcolor="#FFFF99"><font color="#890000"
        face="Arial,Helvetica">&nbsp;</font>&nbsp;</td>
        <td bgcolor="#FFFF99"><font face="Arial,Helvetica">by </font><font
        size="6" face="Arial,Helvetica">The Hobgoblin</font>&nbsp;
        </td>
        <td width="30%" bgcolor="#FFFF99">&nbsp;</td>
    </tr>
    <tr>
        <td width="15%" bgcolor="#999900"><font
        face="Arial,Helvetica">&nbsp;</font>&nbsp;</td>
        <td bgcolor="#999900"><font face="Arial,Helvetica">Code
        Reversing For Beginners&nbsp;</font>&nbsp;</td>
        <td width="30%" bgcolor="#999900"><font
        face="Arial,Helvetica">&nbsp;</font>&nbsp;<font
        face="Arial,Helvetica">&nbsp;</font>&nbsp;</td>
    </tr>
    <tr>
        <td width="15%" bgcolor="#C0C0C0">&nbsp;</td>
        <td bgcolor="#C0C0C0"><font face="Arial,Helvetica"><b>Program
        Details</b></font>&nbsp; <font face="Arial,Helvetica"><b>Program
        Name:</b></font>Visual J++ 6.0 Professional Edition <font
        face="Arial,Helvetica"><b>Program Type:</b> Java
        development program</font>&nbsp; <font
        face="Arial,Helvetica"><b>Program Location:</b>Found it
        on a cover disc</font> <font face="Arial,Helvetica"><b>Program
        Size: </b>unknown&nbsp;</font>&nbsp;<font
        face="Arial,Helvetica">&nbsp;</font> </td>
        <td width="30%" bgcolor="#C0C0C0">&nbsp;</td>
    </tr>
    <tr>
        <td width="15%" bgcolor="#C0C0C0">&nbsp;</td>
        <td bgcolor="#C0C0C0"><font face="Arial,Helvetica"><b>&nbsp;</b></font>
        <font face="Arial,Helvetica"><b>Tools Used:</b></font>&nbsp;<font
        face="Arial,Helvetica"> Softice V3.23 - W32Dasm V8.93 -
        Disassembler</font> - Borland Resource Workshop- HIEW
        6.02 </td>
        <td width="30%" bgcolor="#C0C0C0">&nbsp;</td>
    </tr>
    <tr>
        <td bgcolor="#C6E7C6"><font color="#0000FF"
        face="Arial,Helvetica"><b>Rating</b></font>&nbsp;</td>
        <td bgcolor="#C6E7C6"><font color="#0000FF" size="2"
        face="Arial,Helvetica"><b>Easy ( X )&nbsp; Medium (
        )&nbsp; Hard ( )&nbsp; Pro (&nbsp;&nbsp;&nbsp; )</b></font><font
        size="2" face="Arial,Helvetica"><b>&nbsp;</b></font>&nbsp;
        </td>
        <td width="30%" bgcolor="#999900">&nbsp;</td>
    </tr>
</table>


<hr>

<p align="center"><font size="5" face="Arial,Helvetica">Microsoft's
Visual J ++ 6.0 Professional Edition</font> <font color="#0B7FC1"
face="Arial,Helvetica">Written by The Hobgoblin</font> </p>

<table border="1" width="100%" height="22">
    <tr>
        <td bgcolor="#C6E7C6"><font color="#0000FF" size="5"
        face="Arial,Helvetica">Introduction</font>&nbsp; </td>
    </tr>
</table>

<p>Greetings to all crackers out there. </p>

<p>I'm an absolute newbie in the art of cracking, and this is my
first attempt at writing something about how to crack programs. I
hesitate to call this a tutorial. That's because in my opinion a
tutorial is a piece of writing where you actually can learn
something new about protection systems and how to reverse/crack
them. I don't think too many people out there will learn
something new by reading this, except that Microsoft once again
has provided us with a program that's almost unprotected and for
everyone to crack. Doesn't this company want to make any money?
Well, actually (and unfortunately), that's exactly what they do.
That's why I write this essay. For some strange reason I just
love to crack (or more honestly, try to crack) their programs.:))
</p>

<p>Well, let's move on to the program. I found this program on a
cover disc included in the March issue of
&quot;Internet.Works&quot;. (The discs you get when you buy
magazines are pure gold for a cracker like me who struggles to
learn to master the art of reverse engineering. They are cheap
and contain a lot of shareware of all kinds, with all kinds of
protection systems. And if you get mad and in an outburst
of anger and frustration erase the target, you can just install
it again when the blood pressure is back to normal.:)) </p>

<p>This is what the magazine writes about this program: &quot;30
day trial version. Visual J++ is Microsoft's massive Java
development environment. It comes as a key component of <i>Visual
Studio</i> and is packed with everything a programmer needs.
However, there is a lot more to this than purely a programmer's
environment and if you have the urge to learn more about
programming, this is a good place to start. It has a
straightforward interface and there is plenty of onboard help at
hand. Price: Visual J++ Professional 395 + VAT &quot; <br>
&nbsp; </p>

<table border="1" width="100%" height="22">
    <tr>
        <td bgcolor="#C6E7C6"><font color="#3333FF" size="5"
        face="Arial,Helvetica">About this protection system</font>&nbsp;
        </td>
    </tr>
</table>

<p>This program has a
simple 30-day trial protection system. It's fully functional, but
after 30 days you'll get the usual nag saying: &quot;Your trial
period is over. Please install the full retail version.&quot;
(Or something like
that. I don't remember the exact wording.) And the program won't
open. <br>
&nbsp; </p>

<table border="1" width="100%" height="22">
    <tr>
        <td bgcolor="#C6E7C6"><font color="#0000FF" size="5"
        face="Arial,Helvetica">The Essay</font><font size="5"
        face="Arial,Helvetica">&nbsp;</font>&nbsp; </td>
    </tr>
</table>

<p>This will be more
like an essay on how I cracked this program, not a tutorial on
how to crack programs with this kind of protection system.
That's well enough covered by far more experienced crackers. </p>

<p>The first thing I do after installing a program is to run it
several times, just to get a feeling for it, and to observe and
see if there are any signs telling me that this is a shareware
program, and not fully functional, and hopefully exactly what the
limitations are. When running this program I found no such signs.
Everything appeared to be normal. Then I exited the
program, and opened up the explorer to check out the files. Only
a couple of readme files were found, not important for me. No
clues. </p>

<p>I then fired up BRW (Borland Resource Workshop), and took a
look at a couple of what I thought were the main .exe files and
.dll files. Still no clues. No string references I could explore.
Usually, I get a lot of clues by doing this: load the main .exe
and .dll files in BRW and check out the string references.
Converting the number that accompanies the strings found in BRW
to hex values, and then searching for it in W32Dasm, has many
times led me straight to the protection system within the code.
It's a good cracking routine. (If BRW can't be used, go on and
try Symantec Resource Editor or the Restorator. If one fails, you
can usually use one of the others). But in this case, no luck. So
what should I do? </p>

<p>If there is a 30-day trial, then after that period you'll get
a message that usually tells you that the trial period is over.
That's the text I, without luck, was searching for. </p>

<p>I then set the date on my computer 3 months ahead, and
then tried to open the program. There it was, the usual nag
screen. I closed it again, and then entered Softice. My thinking
was that I would try to use the getlocaltime routine to get
control over the program, and then search for the part of the
code that deals with the time check. When I started Visual J++
again, Softice broke and I started to trace. But I could not find
anything interesting. </p>

<p>After some tracing I decided to try another approach. I entered
a bpx messageboxa in Softice, and started Visual J++. Softice
broke, I hit F11, and then pushed ok on the nag screen that
appeared. I ended up at address :5E0E16BB. </p>

<p>I also noticed that I was in the file named MSENV.DLL (on my
computer located in the catalog: Microsoft Visual
Studio/Common/Ide/Ide98/) </p>

<p>I pushed F10 three times and ended up here :5E0E1777. </p>

<p>This was just a couple of F10's above a ret command, so I
scrolled upwards to check for conditional jumps that would bypass
the call at :5E0E1772. I found two conditional jumps, but none of
them could bypass the call. I pushed F12 to return to wherever
this routine was called from, and landed at :5E0945B8. I went
through the same checking and found a conditional jump at
:5E094585. I entered a breakpoint at this jump in Softice, and
tried to run Visual J++. Softice broke, and indicated a jump. I
typed r fl z at the Softice command line to change it into no
jump, then pushed F11. Nag screen again. I found three other
conditional jumps within this routine, but the result was the same
every time. I then pushed F12 again, and when the nag screen
appeared, I pushed ok. And then I was back in Softice at
:5E081530. </p>

<p>Referenced by a (U)nconditional or (C)onditional Jump at
Address: </p>

<p>:5E0AD0FD(U) </p>

<p>:5E081520 5F pop edi </p>

<p>:5E081521 5E pop esi </p>

<p>:5E081522 5D pop ebp </p>

<p>:5E081523 5B pop ebx </p>

<p>:5E081524 81C414020000 add esp, 00000214 </p>

<p>:5E08152A C3 ret </p>

<p>* Referenced by a (U)nconditional or (C)onditional Jump at
Address: </p>

<p>:5E081371(C) </p>

<p>:5E08152B E81BF0F9FF call 5E02054B </p>

<p>:5E081530 85C0 test eax, eax (-------------------- I landed
here) </p>

<p>:5E081532 0F8D3FFEFFFF jnl 5E081377 </p>

<p>:5E081538 E9C5BA0200 jmp 5E0AD002 </p>

<p>I set a breakpoint at
the call at address :5E08152B and tried to run Visual J++ again.
Softice broke, and after hitting F10 once the nag screen popped up
again. Looking at the code snippet I realized that this routine
started with the call to the nag screen. So what called this call?
At this time I opened W32Dasm and loaded MSENV.DLL and went to
the address for the call. And as you can see from the code listed
above, the call was a result of a conditional jump at the address
:5E081371. </p>

<p>This is the code at that address: </p>

<p>* Reference To: KERNEL32.SetErrorMode, Ord:0213h </p>

<p>:5E081349 FF153812005E Call dword ptr [5E001238] </p>

<p>:5E08134F E8E52EF8FF call 5E004239 </p>

<p>:5E081354 33FF xor edi, edi </p>

<p>:5E081356 85C0 test eax, eax </p>

<p>:5E081358 0F84A4BC0200 je 5E0AD002 </p>

<p>:5E08135E FF35CCD1175E push dword ptr [5E17D1CC] </p>

<p>:5E081364 E888020000 call 5E0815F1 </p>

<p>:5E081369 A124D1175E mov eax, dword ptr [5E17D124] </p>

<p>:5E08136E 39785C cmp dword ptr [eax+5C], edi </p>

<p>:5E081371 0F84B4010000 je 5E08152B (---------- this is the
jump) </p>

<p>&nbsp; </p>

<p>* Referenced by a (U)nconditional or (C)onditional Jump at
Address: </p>

<p>:5E081532(C) </p>

<p>:5E081377 6A01 push 00000001 </p>

<p>:5E081379 5E pop esi </p>

<p>:5E08137A 893598D2175E mov dword ptr [5E17D298], esi </p>

<p>:5E081380 E878020000 call 5E0815FD </p>

<p>:5E081385 E8A7020000 call 5E081631 </p>

<p>:5E08138A A140F4175E mov eax, dword ptr [5E17F440] </p>

<p>and so on.... </p>

<p>&nbsp; </p>

<p>So what I did was to set a breakpoint at :5E081371, and tried
to run Visual J++ once more. Bam, I was back in Softice, and
Softice indicated a jump. I changed that to no jump, and pushed
F11. And guess what happened?.......Exactly! </p>

<p>Visual J++ started as normal! </p>

<p>Well, the rest was plain patching. I opened W32Dasm again, and
wrote down the offset for address :5E081371, opened HIEW, searched
for the offset and changed </p>

<p>:5E081371 0F84B4010000 </p>

<p>to </p>

<p>:5E081371 0F85B4010000 </p>

<p>(I tried to change it to an unconditional jump, but that
didn't work. I got an error message, and the program crashed).</p>

<p>Pushed F9 to update the program, and exited HIEW. </p>

<p>I later on ran Visual J++ after altering the date 6 months
forwards and backwards on my computer. No problems. </p>

<p>Program cracked, and Microsoft fooled again.:) </p>
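<p>From the defender's side, the change described above is a single
byte in MSENV.DLL, so any comparison of the installed file against a
trusted copy exposes it. The following is an added example, not part of
the original essay or of any Microsoft tooling: it diffs a deployed
image against a reference and labels a difference that inverts a near
conditional jump. The sample bytes are constructed from the
instructions quoted in the listing; the function names are
hypothetical.</p>

```python
import hashlib

# Constructed sample: the instruction bytes quoted in the listing above
# (cmp / je rel32 / push 1 / pop esi), not a real copy of the DLL.
REFERENCE = bytes.fromhex("39785C" "0F84B4010000" "6A01" "5E")
PATCHED = bytes.fromhex("39785C" "0F85B4010000" "6A01" "5E")


def classify(ref: bytes, cand: bytes, off: int) -> str:
    """Label one differing byte. Heuristic: no disassembly is performed."""
    prev_is_escape = off > 0 and ref[off - 1] == 0x0F and cand[off - 1] == 0x0F
    # Near Jcc is 0F 80..8F rel32; bit 0 of the second byte negates the
    # condition (0x84 JE <-> 0x85 JNE), so XOR 1 means "same branch, inverted".
    if prev_is_escape and 0x80 <= ref[off] <= 0x8F and cand[off] == ref[off] ^ 1:
        return "inverted near Jcc"
    return "modified byte"


def audit(ref: bytes, cand: bytes) -> dict:
    """Compare a deployed image against a trusted reference copy."""
    findings = [
        (off, r, c, classify(ref, cand, off))
        for off, (r, c) in enumerate(zip(ref, cand))
        if r != c
    ]
    return {
        "sha256_match": hashlib.sha256(ref).digest() == hashlib.sha256(cand).digest(),
        "size_match": len(ref) == len(cand),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(REFERENCE, PATCHED)
    for off, old, new, kind in report["findings"]:
        print(f"offset {off:#x}: {old:02X} -> {new:02X}  {kind}")
    print("sha256 match:", report["sha256_match"])
```

<p>The hash comparison is the actual tamper check; the byte-level
classification only explains what was changed once a mismatch has been
found.</p>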

<p>A couple of weeks later I found a similar Microsoft program
called <strong>Microsoft Visual Interdev 6.0</strong> on a cd-rom
from the same magazine. I cracked it using exactly the same
procedure. (The only difference I found between the protection
systems was that the Visual Interdev 6.0 had a 90 day trial
period instead of 30 days). The conditional jump we have to change
was located in the same file <strong>and at the same address</strong>.
Both these programs are parts of the Microsoft Visual Studio
program suite. Besides these two programs, it includes the
Microsoft Visual C++ Professional Edition and the Microsoft
Visual Basic Professional Edition. And I think there is one or
more items that I don't recall as I write this.</p>

<p>It could be really interesting to see whether the rest of the
programs in this suite have the same weak protection system,
don't you think?</p>

<p>Maybe somebody out there has any knowledge of this?</p>

<p>Good Luck.</p>

<p>The Hobgoblin.:))<br>
&nbsp; </p>

<table border="1" width="100%" height="22">
    <tr>
        <td bgcolor="#C6E7C6"><font color="#0000FF" size="5"
        face="Arial,Helvetica">Final Notes</font><font size="5"
        face="Arial,Helvetica">&nbsp;</font>&nbsp; </td>
    </tr>
</table>

<p>Well, this is it. Hopefully I will come back with some other
stuff some day. </p>

<p>Take care out there, fellow crackers! Keep the information
available! </p>

<p>Thank you Sandman, for your website and everything else. You're
an inspiration for a lot of coming crackers! </p>

<p>Thanks also go to the rest of you guys who take the time and
effort to keep the information and the necessary tools available
on the net.<br>
&nbsp; </p>

<table border="1" width="100%" height="22">
    <tr>
        <td bgcolor="#C6E7C6"><font color="#0000FF" size="5"
        face="Arial,Helvetica">Ob Duh</font><font
        face="Arial,Helvetica">&nbsp;</font>&nbsp; </td>
    </tr>
</table>

<p><font face="Arial,Helvetica"><i>&nbsp;</i></font> Finally, I
totally agree with the following statement: </p>

<p><i>Do I really have to remind you all that by buying and NOT
stealing the software you use will ensure that these software
houses will be encouraged to producing even *better* software for
us to use and enjoy.</i> </p>

<p><i>Ripping off software through serials and cracks is for
lamers..</i> <br>
&nbsp; <br>
<i>If you're looking for cracks or serial numbers from these pages
then you're wasting your time, try searching elsewhere on the Web
under Warze, Cracks etc.</i> <br>
</p>

<hr size="3">


<hr size="3">
</body>
</html>
