What's new
RevTeam.Re - Reverse Engineering Team

Welcome Guest! Register a free account today to become a member! Once signed in, you'll be able to participate on this site by adding your own topics and posts, as well as connect with other members through your own private inbox! Register and wait for our approve!

Solved Need crack Vbacompiler version 1.9.8(Solved)

Solved Request

Sygmund Oose

Well-known member
Joined
Jul 10, 2023
Messages
57
Reaction score
45
Please, Log in to view URLs content!

I released a video that shows the use of the original program, without modifications.

When there are no problems with the public key in the license file, it seems to me that the program follows the path described in the video. If hash or MD5 corruption occurs, etc., it follows a different path and does not activate.

It's clear that "test eax, eax" has to be zero, and the routine that makes it zero is simple, but what is happening in the memory swap to achieve this?
Once the zeroflag is set to 1 using only the license file, and without using any patches, I'm almost certain the program will compile without errors.

Patches cause CRC errors, as I believe they check the integrity of the certificate.
 
Last edited:

Corvus@206

Active member
Joined
Feb 25, 2025
Messages
31
Reaction score
13
ah, you didn't make any progress by now too.
you are still searching for nothing but nonsense in this time too, just like when you were looking for a public key.
sorry but i don't know you well, but i think you are fully amateur in reversing and cryptography field.

i haven't enough time for teaching you more details but i'll let you know only one thing.
your that function is named as CryptoPP::Integer::Compare() and is called in CryptoPP__PK_Verifier::VerifyMessage() function.

2.jpg

1.jpg
CryptoPP::Integer::Compare(), this function itself is never important.
the most important thing is just return value of CryptoPP__PK_Verifier::VerifyMessage() function.

CryptoPP__PK_Verifier::VerifyMessage() function verifies message signed by developer's private key with compiler's hard-coded public key.
in here, message signed by developer's private key means encrypted user details information of license key file.
and verifying of message means to check whether user details information of license key file is signed and encrypted by developer's private key or not.

because you can never see developer's private key and you can use only your own private key, you also can never get return value 1 from this CryptoPP__PK_Verifier::VerifyMessage() function without replacing compiler's hard-coded public key with your own public key.

that's why patching is needed necessarily.

and of course there are MD5 hash checking and Whirlpool hash checking of executable's integrity. so these are also solved by patching.
Whirlpool hash checking problem isn't solved by simple bypassing or patching, because output dlls need some correct function pointer indexes array for their normal execution and this function pointer indexes array is decided by Whirlpool hash value calculated.

i let you know once again, everything isn't so simple and easy like you are thinking currently.
 
Last edited:

Corvus@206

Active member
Joined
Feb 25, 2025
Messages
31
Reaction score
13
thx.
and because i think you can confuse something related with user name, mail, license type, and expire date, i write additional one sentence.

don't think everything is ok if about dialog shows correct your user name, mail, license type and expire date properly when you did something.
as you already know, license key file has 2 information parts which include user name, mail, license type, and expire date.
one is a part signed and encrypted by developer's private key.
another is a part encrypted by simple conversion algorithm, not DSA crypto algorithm.

things to be displayed in about dialog are from decryption of information encrypted by this 2nd simple conversion.
things to be needed in normal execution practically are just ones which decrypted by correct private key.

so don't think that your private key and public key were accepted by compiler or they did some correct operations in compiler because about dialog shows above all information correctly when you modified return value of VerifyMessage() or Integer::Compare() function into 1(true).

about dialog's correct showing is meaningless fully.
 
Last edited:

Sygmund Oose

Well-known member
Joined
Jul 10, 2023
Messages
57
Reaction score
45
I realized that, and therefore used the same keys in the license file.
---------------------------------------------------
#Processar a chave
block = bytearray()
for i, char in enumerate(key):
shift = (i + 1) & 7 # numero de deslocamento = (indice + 1) % 8
if i % 2 == 0: # Indice par: Deslocar circularmente para a esquerda
block.append(rol(ord(char), shift))
else: # Indice impar: deslocamento circular para a direita
block.append(ror(ord(char), shift))
# Etapa 2: ofuscar dados de entrada
result = bytearray()
block_size = len(block)
d_index = 1
for i, byte in enumerate(data):
k_index = d_index % block_size
shift = k_index + i # Calcula o numero do turno
key_byte = block[k_index] # Obter caracteres da chave processada

if i % 2 == 0: #Indice par: Deslocar circularmente para a direita
shifted_byte = ror(byte, shift & 7)
else: # Indice impar: deslocamento circular para a esquerda
shifted_byte = rol(byte, shift & 7)

# Confusao XOR
result.append(shifted_byte ^ key_byte)
d_index = k_index+1

return bytes(result)
------------------------------------------------------
Msg2 is only encrypted with this algorithm.

msg2=f'{user}|{mail}|{product}|{dsa_private}|{dsa_public}|'.encode()
key2=dsa_sign_data_sha1(private_key,msg2).hex().upper()
-------------------------------------------------------------

msg3=f'{mail}|{mid3}|{dtf}|{dtt}'.encode()
key3=dsa_sign_data_sha1(private_key,msg3).hex().upper()
-------------------------------------------------------------

The information appearing in the "ABOUT" section is useless because it doesn't translate even if the program is complete. At most, it will be possible to create .rkey files.
 
Last edited:

Sygmund Oose

Well-known member
Joined
Jul 10, 2023
Messages
57
Reaction score
45
I recorded a video that shows the following: Without applying a patch to the program and without changing anything in it, a license generated with two key pairs does not work, while another generated with only one key pair is accepted.

Well... this means that somehow the program recognizes the license as valid, but that's not all... unfortunately.

Please, Log in to view URLs content!
 
  • Like
Reactions: why

Sygmund Oose

Well-known member
Joined
Jul 10, 2023
Messages
57
Reaction score
45
This week is Carnival here in Brazil, and since I don't enjoy it, I took some time to have fun with this little program. :D

Next, I'll give some instructions for those trying to change the VBACompiler public key using a simple debugger...
After this change... and changing it this way, the generated files (cbinrtl.dll and xxx_xlsm_64.dll) will have this key incorporated during compilation.

Capturar1.PNG

Capturar2.PNG

Capturar3.PNG

This short tutorial is for you to observe the changes... However, these changes must be made at the following address: 0000000140842206
I'm still working on it...
 
Last edited:

Sygmund Oose

Well-known member
Joined
Jul 10, 2023
Messages
57
Reaction score
45
I'm having trouble validating the public key... It seems like this thing is metamorphic. And what's worse, I don't have any suitable tools.

Even the Ghidra isn't helping me... It's crashing.:LOL::LOL::LOL:
 

Sygmund Oose

Well-known member
Joined
Jul 10, 2023
Messages
57
Reaction score
45
The figures show the beginning of the addresses of the original public key in xxxx_xlsm_64.dll, cbinrtl.dll, and vbaclr4e.exe.

This is where we should inject the user's public key without damaging the offsets.

One strange thing is that when the spreadsheet opens and the public key is created in the assembly, xxxx_xlsm_64.dll transforms into cbinrtl.dll. So the two dlls become bit-identical for a period of time.
However, there is still some kind of metamorphosis in which the key hides in pieces...

Captura de tela 2026-02-21 223337.png


Captura de tela 2026-02-21 223423.png


Captura de tela 2026-02-21 223515.png



The next figure shows the user's public key embedded in the DLL.

Captura de tela 2026-02-21 232612.png
 
Last edited:

Sygmund Oose

Well-known member
Joined
Jul 10, 2023
Messages
57
Reaction score
45
The cbinrtl.dll file is created by teste_xlsm_64 when the spreadsheet is opened and the code runs. The cbinrtl.dll created in the temporary folder is identical to the one that had the user's public key injected. Therefore, it seems to me that it's not necessary to modify both DLLs; only the teste_xlsm_64.dll needs to be modified.


Captura de tela 2026-02-21 233820.png
 

Sygmund Oose

Well-known member
Joined
Jul 10, 2023
Messages
57
Reaction score
45
When we inject the user's key into vbaclr4e.exe and compile it, xxxx_xlsm_64.dll is also created with the user's key already inserted into it. This indicates that vbaclr4e.exe passes the key to it. It remains to be seen if it passes it in all instances.

The figure shows the end of the user key in the DLL created by the compiler.

Captura de tela 2026-02-22 001137.png
 

Sygmund Oose

Well-known member
Joined
Jul 10, 2023
Messages
57
Reaction score
45
The program work well on Windows 10, but there are errors on Windows 11 that I haven't been able to resolve yet. The memory access problem is also not fully resolved because it depends on how the API handles loading data into memory.
 
Last edited:

Gasmask

Member
Joined
Apr 1, 2023
Messages
12
Reaction score
2
is there a way to rename the dlls
for example

my_project_xlsm_32.dll
my_project_xlsm_64.dll
to

1.dll
2.dll
or
1.vlr
2.vlr


i know there is a command in paid version to create the dll names in the way you want
but in patched version????????

and one more thing
-----a personal question----
i posted a crack request about 1 week ago
but the admin didn't even watch it
the message on top of the post is this

Awaiting approval before being displayed publicly.
 
Last edited:

Gasmask

Member
Joined
Apr 1, 2023
Messages
12
Reaction score
2
the point is to hide the type of the *.dll
and change it to unknown type of file
 

Sygmund Oose

Well-known member
Joined
Jul 10, 2023
Messages
57
Reaction score
45
It was quite simple to manipulate the program so that it applied the correct value to the zero flag, simply by applying the correction at the appropriate time; in fact, it was quite simple, but somehow my mind...He refused to see the solution; in fact, we should only implement the program to verify the public key at the appropriate time.

Today I tried something different in the little program. I knew it was possible to get the value 1 from the zeroflag. Now I'm getting closer to compiling without errors. Despite someone giving incorrect instructions on how to use public keys, the correct result was found.

 
Top