Tutorial Number 10

Written by: Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 24th Feb 1999

Program Details:
Name: Immortal Descendants CrackMe v3.0
Author: Volatility
Language: Visual Basic
Tools Used: Softice
Cracking Method: Tracing and Code Sniffing
Viewing Method: Use Notepad with Word Wrap switched on
                Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________

About this protection system

No disabled function. Protection is based on either entering the correct serial for the UserName or a keyfile. The "Register" button is not activated unless the correct code is entered.

__________________________________________________________________________

The Essay

I've written the important parts of the code here for easy reference. If you want to fully understand the CrackMe, try tracing into the calls. For this CrackMe, this is actually not necessary.

In this essay, when I write type "d edx" or similar commands in Softice, I mean it without the quotes.

__________________________________________________________________________

Where to break?

First, we need to find a suitable breakpoint. Since the "Register" button will only be activated when we enter the correct code, we can assume that what we entered is compared with the correct code in "real" time. So, the best breakpoint I could think of is Hmemcpy.

__________________________________________________________________________

Tracing and Code Sniffing

You must first run the CrackMe and enter a User Name. (I used Eternal Bliss)

Then press Ctrl-D to go into Softice and set a breakpoint using "bpx hmemcpy".

Then in the "Registration" textbox, type in just 1 number. (Any will do)

You will break into Softice. Disable the breakpoint by typing "bd *".

Keep pressing F12 (10 of them) because there is nothing important there... until you reach the code where MSVBVM50! is seen under the code window.
From there, press F10, which will move you line by line. You can display any changes in the registers by typing a "d" in front, e.g. "d eax", "d ebx" etc. To see the value of the registers, you can type a "?" in front, e.g. "? eax", "? ebx" etc.

I found nothing of importance until this part:

:00405153 8B4588           MOV EAX,[EBP-78]
:00405156 8D8D70FFFFFF     LEA ECX,[EBP-0090]

Here, E.t.e.r.n.a.l. .B.l.i.s.s. is loaded into ecx. To see it, type "d ecx" and look at the data window.

A lot more lines later,

:0040518A FF15C4814000     CALL [MSVBVM50!__vbaStrVarVal]
:00405190 50               PUSH EAX
:00405191 FF1548814000     CALL [MSVBVM50!rtcAnsiValueBstr]

At 0040518A, after the call, you will see EAX changing colour, which means that it has got a new value. Type "d EAX" and look at the data window. You will see "E", which is the 1st char.

At 00405191, after the call, EAX changes again. This time, if you type "d EAX", you won't see anything much. You will need to type "? EAX" and you will see

00000045 0000000069 "E"

The value you need to see is 69, which is the decimal value for the ASCII char "E".

More lines down,

:0040527D FF15C4814000     CALL [MSVBVM50!__vbaStrVarVal]
:00405283 50               PUSH EAX
:00405284 FF1548814000     CALL [MSVBVM50!rtcAnsiValueBstr]

The same thing happens again. This time, after the 1st call, EAX contains the 2nd char, which is "t". After the 2nd call, EAX has a value of 116, which is the decimal value for "t".

**note: all this code is in the main CrackMe. You don't have to trace into any calls at all.

More lines down,

:0040536B FF15C4814000     CALL [MSVBVM50!__vbaStrVarVal]
:00405371 50               PUSH EAX
:00405372 FF1548814000     CALL [MSVBVM50!rtcAnsiValueBstr]

Same thing again. This time for "e", which is the 3rd char and has a decimal value of 101, which is seen by typing "? EAX" after the 2nd call.
More lines down,

:00405459 FF15C4814000     CALL [MSVBVM50!__vbaStrVarVal]
:0040545F 50               PUSH EAX
:00405460 FF1548814000     CALL [MSVBVM50!rtcAnsiValueBstr]

Get the 4th char, which is "r" and has a value of 114.

Yet more lines down,

:00405547 FF15C4814000     CALL [MSVBVM50!__vbaStrVarVal]
:0040554D 50               PUSH EAX
:0040554E FF1548814000     CALL [MSVBVM50!rtcAnsiValueBstr]

This time the 5th char ("n"), which has a value of 110.

Be patient and keep pressing F10 only... F8 is to trace INTO a call, which is NOT needed here.

Get to this part:

:004055EE FFD6             CALL ESI
:004055F0 8D8D50FFFFFF     LEA ECX,[EBP-00B0]
:004055F6 8D9560FFFFFF     LEA EDX,[EBP-00A0]

After the "CALL ESI", you will notice eax, ecx, edx changing colour. You can try typing "d eax", "d ecx", "d edx" etc.

ECX will show in the data window as 6.9.1.1.6.1.0.1.1.1.4.1.1.0

Since VB uses W.I.D.E. .C.H.A.R.A.C.T.E.R strings, that is what you will see. In actual fact, it is 69116101114110

**Is the sequence of the numbers familiar to you? 8) You are getting somewhere hot...

So be patient and more F10s till here...

:00405634 FF1588814000     CALL [MSVBVM50!rtcMidCharVar]
:0040563A 8D9560FFFFFF     LEA EDX,[EBP-00A0]
:00405640 8D4DDC           LEA ECX,[EBP-24]
:00405643 FFD6             CALL ESI

After this call at 00405634, you don't have to type anything, just look at edx. You will see edx=00000014

**count the number of chars in ecx a few lines above...

Then, after the "CALL ESI", if you type "d ecx", you will see 9.1.1.6.1.0.1.1.1.4 in the data window. So, ecx is 9116101114.

**Does this look familiar to you again?? 8) Hotter...

If you trace into the call at 00405643, you might see how this number is generated.

More lines down... (remember, no tracing into any calls here)

:0040568A 8B4588           MOV EAX,[EBP-78]
:0040568D 33C9             XOR ECX,ECX

After F10 passes 0040568A, you will see EAX changing colour. If you type "d eax", you will see the serial YOU entered.

**In fact, the correct serial is already out... Take a look above. But if you want to confirm, look further on...
You will need to turn on your "floating window" in Softice by typing "wf". You will see 2 columns with ST(0) to ST(7).

:004056B0 C78570FFFFFF08000000 MOV DWORD PTR [EBP-0090],00000008
:004056BA C78530FFFFFF02800000 MOV DWORD PTR [EBP-00D0],00008002
:004056C4 FF1524814000         CALL [MSVBVM50!__vbaVarSub]   <-- trace into this call

MSVBVM50!__vbaVarSub
:7B3F24CE 33C0             XOR EAX,EAX
:7B3F24D0 8BEC             MOV EBP,ESP
__________Snip___________
:7B3F8B63 56               PUSH ESI
:7B3F8B64 E88C64F1FF       CALL MSVBVM50!__vbaR8Var
:7B3F8B69 DD5DF4           FSTP REAL8 PTR [EBP-0C]
:7B3F8B6C 66BE0500         MOV SI,0005
:7B3F8B70 57               PUSH EDI
:7B3F8B71 E87F64F1FF       CALL MSVBVM50!__vbaR8Var
:7B3F8B76 DC6DF4           FSUBR REAL8 PTR [EBP-0C]
:7B3F8B79 DD5B08           FSTP REAL8 PTR [EBX+08]
:7B3F8B7C E89782FFFF       CALL 7B3F0E18

After the call at 7B3F8B64, you will notice ST(0) containing the number you typed in the "Registration" textbox. The next line (FSTP REAL8 PTR [EBP-0C]) stores that value in memory location [EBP-0C] for later use.

Then at 7B3F8B71, there is another similar call... for the correct serial, and after this call, ST(0) contains the correct serial.

The next line (FSUBR REAL8 PTR [EBP-0C]) subtracts the correct serial, which is in ST(0), from the value in [EBP-0C], which is what you entered. After this subtraction, you will have a negative number in ST(0) (provided that you only entered 1 number in the textbox).

The next line stores the new value in memory location [ebx+08].

To double-confirm, breakpoint on

:004056C4 FF1524814000     CALL [MSVBVM50!__vbaVarSub]

This time, enter the correct serial number... and trace into the call again. You will notice that after the subtraction at line 7B3F8B76, you will have ST(0) = 0

F5 out of Softice. You will have the "Register" button enabled. Click on it and you will have a nice message from Volatility and a keyfile generated for you in the directory you placed the CrackMe in.
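The whole check traced above, written out in Python as an added example (this is not code from the tutorial or from the CrackMe; the function names are my own, and the ten-digit Mid window is taken from the 9116101114 value seen in ecx after rtcMidCharVar):

```python
# Added example, not from the tutorial or the CrackMe: the steps traced above
# (rtcAnsiValueBstr, the join, rtcMidCharVar, __vbaVarSub) in plain Python.

def ansi_values(username):
    """rtcAnsiValueBstr step: decimal ASCII value of each character of the UserName."""
    return [ord(c) for c in username]

def joined_digits(username):
    """Join the decimal values into one string, e.g. "Eternal Bliss" -> "69116101114110...".
    This is the 6.9.1.1.6.1.0.1.1.1.4.1.1.0 string seen in ecx after the CALL ESI."""
    return "".join(str(v) for v in ansi_values(username))

def correct_serial(username):
    """rtcMidCharVar step: VB's Mid(joined, 2, 10), ten digits starting at the 2nd char.
    For "Eternal Bliss" this gives the 9116101114 seen in ecx."""
    return joined_digits(username)[1:11]

def var_sub(entered, username):
    """__vbaVarSub step: both values become doubles (__vbaR8Var) and the FSUBR
    computes entered - correct: negative for a single digit, 0.0 for a match."""
    return float(entered) - float(correct_serial(username))

def register_check(entered, username):
    """The "Register" button is enabled only when the difference is exactly zero.
    Input that cannot be converted to a double never enables the button."""
    try:
        return var_sub(entered, username) == 0.0
    except ValueError:
        return False

def widechar_display(s):
    """What Softice's data window shows for a VB (UTF-16LE) string: every other byte
    is a NUL, displayed as a dot, so "Eternal Bliss" appears as E.t.e.r.n.a.l. ..."""
    return "".join(chr(b) if b else "." for b in s.encode("utf-16-le"))

if __name__ == "__main__":
    name = "Eternal Bliss"                # the UserName used in the tutorial
    print(widechar_display(name))         # E.t.e.r.n.a.l. .B.l.i.s.s.
    print(joined_digits(name))            # 69116101114110...
    print(correct_serial(name))           # 9116101114
    print(var_sub("1", name))             # negative, as seen in ST(0) after FSUBR
    print(register_check(correct_serial(name), name))  # True
```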
You can try with other UserNames and you will find that the correct serial is generated from the 2nd to 12th char after "joining" up all the decimal numbers of your UserName. Therefore, it will only be 10 digits.

CrackMe cracked!!

__________________________________________________________________________

SmartCheck impossible?

It is possible to use SmartCheck, but the main aim of the CrackMe will be lost.

To do this, open the CrackMe using a HexEditor and look for N.u.M.e.g.a. .S.m.a.r.t.C.h.e.c.k

Then carefully overwrite the chars only... Try not to disturb the "dots". I'm not sure what the effects will be if you do so. You can just "space out" the chars to become . . . . . . . . . . . . . . . .

Then, you can run the CrackMe without any "side effects". 8)

__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me. And because I'm a newbie myself, I may have explained certain things wrongly. So, if that is the case, please forgive me. Email me if there is anything you are not clear about.

My thanks and gratitude go to:-
The Sandman
All the writers of cracking tutorials and CrackMes