Nothing beats a concrete example to illustrate what a decompiler reveals. Here we take a "CrackMe" — a small program designed as a reverse engineering challenge — and show how VBReFormer lays bare its validation mechanism. The goal is educational: learning how to read decompiled code.

What decompilation reveals

Once the binary is opened, analysis shows that the validation key is generated from three elements: the user's name, the current date and the current time. The algorithm combines these inputs to produce a time-sensitive key. We also spot a Label4 control displaying "Registered user!" on success, and a Timer1 that checks every second for a debugger.

The core of the logic

The Command1_Click() function contains the whole validation. Here is the code reconstructed by the decompiler:

Private Sub Command1_Click()
    var_pv10 = Text1.Text
    var_pv13 = Date$ & " " & Time$
    For var_pv14 = 1 To Len(var_pv13) Step 1
        If IsNumeric(Mid$(var_pv13, CLng(var_pv14), 1)) Then
            var_pv15 = Asc(Mid$(var_pv13, CLng(var_pv14), 1))
            If var_pv14 <= Len(var_pv10) Then
                var_pv16 = Str(Asc(Mid$(var_pv10, CLng(var_pv14), 1)))
                var_pv16 = Right$(var_pv16, 1)
                var_pv16 = Val(var_pv16)
            End If
            var_pv18 = var_pv18 & Chr$(CLng(var_pv15 + 17 + var_pv16))
            var_pv18 = var_pv18 & Chr$(CLng(var_pv15 + 17 + var_pv16 * 2))
        End If
    Next var_pv14

    For var_pv14 = 1 To 24 Step 4
        var_pv19 = var_pv19 & Mid$(var_pv18, CLng(var_pv14), 4) & "-"
    Next var_pv14

    var_pv20 = Len(var_pv19) - 1
    var_pv19 = Mid$(var_pv19, 1, var_pv20)
    Text2.Text = var_pv19
End Sub

Variable names like var_pv10 are generated by the decompiler, since compiled binaries carry no symbolic names — but the logical structure is perfectly readable: you can follow the key being built character by character, then formatted into blocks of four separated by dashes.

The security lesson

The analysis also reveals a classic weakness: validation compares strings using VB's Like operator. But that operator interprets wildcards. Entering * as the key therefore satisfies the pattern regardless of the name and at any time. A useful reminder: pattern matching is never a reliable authentication check.

What this example demonstrates

Beyond the challenge, the value is seeing firsthand what Native Code decompilation makes possible: reconstructing complete, readable, annotatable business logic from the executable alone. That's exactly what companies need when they have to maintain a VB6 application whose source code is gone.

This article is provided for educational purposes, analyzing a program built and published for that exercise. Always make sure you hold the necessary rights to the software you analyze.