A friend of mine asked me to crack this program. It a newsscanner that downloads pictures from newsgroups, probably written for porno lusers. Anyway I didn't know that Pluckit was written with Visual Basic. So this was my first attempt at a visual basic program.

I never liked Visual Basic or delphy, I don't see the point in using a language that produce bad code. The obvious way shuld be to try to write as small and efficent programs as possible and to do that -as you all know- you have to write tha meain routines in pure assembler. Anyway I don't mind people using Visual Basic as an introduction language to computer programming. Most of us learned basic as a start on the first home computers like Zx80 or Sinclair Spectrum and C64. But, programs that are written in toy languages like this should be free for all people.

Applications that are slow and filled with bugs should not be commercial, they should be freeware (this is valid for word an Excel as well, btw). Unfortunatley the author of this lame crap has another idea about this. On startup there is an ugly nagscreen with some text inside it and an "ok_ button" and a "cancel_button". After the nagscreen is a register screen where you can input a serialnumber, if you don't have a serial# you'll only be able to download 15 files. We will focus on the serial#.

Step I: loading the target through smartcheck.

As I mentioned this is my first attempt to crack a VB program. In my first approach I changed some jumps in memory, but there were too many jumps to change so I decided to go for the serialnumber. I'm not gonna cover how to set up smartcheck cause Fravia+ has already done that. Well lets fire smartcheck...

On startup you'll get two 'invalid arguments' errors, like I said, this crap is filled with bugs. Proceed to the registration screen and type in any#. In smartcheck choose view "specific events.. " so you can easily navigate and find what we are looking for.

After the "invalid..." dialogbox appears, terminate Pluckit3 and go to smartcheck and look around. At sequence# 16745 you'll see your false serial number. Now what follows is:

16752	Trim (variant: string"false#")	4d4260
16763	Val (string"false": 	
	| 
	|
16931	msgbox
-----

Now it's time to choose view "All events". I reached this point after 3 seconds, and What you'll see now is the first barricade of the protection scheme. The last things that are done before the messagebox as you'll see (if you chosen view all events) is :

16926	__VbaVarOr()		
16927	__VbaBoolVarNull()	Return dword FFFFF
16928	_vbaVarDup(VARIANT: string "invalid", Variant boolean false)
----

1 A letter 
2 A char ie "%" or whatever
3 both of them

So start all over again and this time enter your name as registration#. Remeber to choose view "specific events and errors" if you want to skip alot of unimportant "code".

There are some significant changes, first obvious one is we passed the __vbaBoolVarNull and second the sequence numbers has shrinked !!? The messagebox is now at sequence# 14764. But what's more interesting is the lines above 14764. From 14731 ---> 14758 are a bunch of Integer(#)-->Long(#) where # is starting from 0 and ending at 9. View all events and you'll see that under each Integer(#) there is a a different number that is tested against a variable called double:0. The values that are tested against double:0 are:

55276
39824
68684
75268
12367
59826
48927
65826
34096
15824

This means that double:0 should have a value equal to one of these numbers and the registration code must contain a letter(s) for us to pass __vbaBoolVarNull(). We also know that double:0 is zero when we only entered letters. So the registration code must have some numbers and one or more letters

step II

Start again (I know this begins to be boring but we are almost finished). This time we must use systematical inputs. Lets begin with 123A and see what happens what value is given to double:0. Hmmn we didn't pass the __vbaBoolVarNull() function with 123A. Well my experience in registration codes tells me that the letter may be a separator of two numbers. Lets try 123A123.

Great (balls of fire) we passed the evil __vbaBoolVarNull(), lets find out if double:0 has a value. Just click on one of the __vbaVarTestEq at sequence# 14909 for example wich is the first one. As you'll see double:0 has the value of 15129 and is therefore called double:15129 instead of double:0. How did it get that value?

14347 __vbaVarMull(variant:double:123, variant:double:123) returns dword 6FF714

Well 123*123=15129 and thats where double:15129 got it's value from. So the form of the regisration code is #####X#####=Y where # is a number and X is a letter and Y any of the valid numbers that our double:15129 is tested against. Lets pic one of the valid numbers and use them in our code like this:

55276A1000 = 55276*1000 = 55276000

Since such a visual programmer is assumed to be a moron, he will probably only check the five first numbers but hey, should he check all numbers we still have the equation... so it would be really easy to solve it. But lets first try the above to see how dumb such a "programmer" can be... Could you believe that? It worked at once! What a moron programmer!

Numega deserves all credits for its Smartcheck, this is truly an amazing tool. Thats it for now.