Tutorial Number 11
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 5th Mar 1999

Program Details:
Name: Crackme v1.0
Author: MiZ
Language: Visual Basic
Tools Used: Hexeditor, Softice, SmartCheck
Cracking Method: Looking at String Data Reference
Viewing Method: Use Notepad with Word Wrap switched on
                Screen Area set to 800 X 600 pixels (Optional)
__________________________________________________________________________

About this protection system

No disabled function. Protection is based on a code you enter. This code is converted by a routine and the result is compared with the correct one, which is hard-coded into the CrackMe.

There is an anti-SmartCheck routine similar to the one in Borna Janes' CrackMe v3.0a. I've written a tutorial for that as well; it is my tutorial 8.
__________________________________________________________________________

The Essay

In this essay, when I write type "d edx" or similar commands in Softice, I mean it without the quotes.

I won't go into SmartCheck configuration any more because it can be found in many of my previous tutorials.
__________________________________________________________________________

Running with SmartCheck

The anti-SmartCheck routine is placed differently from Borna's: it sits right at the start of the CrackMe. So, if you run SmartCheck on it, you will get nowhere.
__________________________________________________________________________

Softice to the Rescue

If you have read my tutorial 8, you will know that to break this protection you have to breakpoint on __vbaStrComp. Set this breakpoint before running the CrackMe.

**The breakpoint is set by typing "bpx __vbastrcomp"

Now, start the CrackMe. You will break into the program.

The reason for using Softice here is that the anti-SmartCheck routine written by MiZ depends on time.
This means that if the time taken to get through the routine is very long, the program concludes that SmartCheck is being used.

Now that you are in Softice, we need to get to the main program code to see where the anti-SmartCheck routine is. Press F10 until you see Crackmev10!... below the code window in Softice.

I've cut out the main part of the anti-SmartCheck code here:

:0040570E 3BC3           CMP EAX,EBX          <--start of big loop
:00405710 0F84BF000000   JZ 004057D5          <--jump out of big loop
..
..
__________Snip___________
..
:00405765 FF156C814000   CALL [0040816C]
:0040576B 3BC3           CMP EAX,EBX          <--start of small loop
:0040576D 7449           JZ 004057B8          <--jump out of small loop
:0040576F 68FC404000     PUSH 004040FC
:00405774 68FC404000     PUSH 004040FC
:00405779 FF159C814000   CALL [0040819C]
:0040577F 85C0           TEST EAX,EAX         <--this is where you land
:00405781 751B           JNZ 0040579E
..
..
__________Snip___________
.
:004057B0 FF1518824000   CALL [00408218]
:004057B6 EBB3           JMP 0040576B         <--jump to start of small loop
..
..
__________Snip___________
..
:004057CA FF1518824000   CALL [00408218]
:004057D0 E939FFFFFF     JMP 0040570E         <--jump to start of big loop

If you keep tracing with F10 you will notice that you go around in circles for a long, long time. You must disable your breakpoint now or you will keep breaking.

**That is how I found out that this part of the code is the anti-SmartCheck code.

Referring to the above code, you will notice that I have labelled two loops: a small one inside a bigger one. If you try jumping out of the small loop at :0040576D, you will hit the big loop and be brought back into the small loop again. So, to get out, you need to jump out of the big loop at :00405710.

Now, if you have been thinking, you will have realised that if you run this CrackMe in SmartCheck and set a breakpoint at :00405710, you can force the program to jump out of the big loop and continue to use SmartCheck without any problems at all.
But this means that you have to do it every time you restart the CrackMe.
__________________________________________________________________________

HexEditor as Support

To permanently disable the anti-SmartCheck routine, we need to patch the conditional jump at :00405710. To do this, copy down the bytes of this jump (0F84BF000000) and open the CrackMe in a HexEditor. Search for this hex sequence. There is only one location for it.

Since the instruction is JZ 004057D5, to reverse it we change it to JNZ 004057D5. If you refer to an opcode reference, you will see that 0F 84 is JZ rel32 and 0F 85 is JNZ rel32, so only one byte changes: 0F84BF000000 becomes 0F85BF000000. Do it and save the result as a different file.
__________________________________________________________________________

Red Herring

If you now re-activate the breakpoint __vbastrcomp and do nothing, you will still break into the CrackMe.

Break due to BPX MSVBVM50!__vbaStrComp (ET=3.01 seconds)
MSVBVM50!__vbaStrComp
:7B2F3564 8BEC           MOV EBP,ESP
:7B2F3566 53             PUSH EBX
:7B2F3567 56             PUSH ESI
:7B2F3568 57             PUSH EDI
:7B2F3569 837D1000       CMP DWORD PTR [EBP+10],00
:7B2F356D BE00000000     MOV ESI,00000000
:7B2F3572 7406           JZ 7B2F357A
:7B2F357A 837D0C00       CMP DWORD PTR [EBP+0C],00
:7B2F357E BF00000000     MOV EDI,00000000
:7B2F3583 7406           JZ 7B2F358B           (NO JUMP)
:7B2F3585 8B4D0C         MOV ECX,[EBP+0C]
:7B2F3588 8B79FC         MOV EDI,[ECX-04]
:7B2F358B 3BFE           CMP EDI,ESI

At :7B2F3585, "d ecx" shows: You did it!

You will get the message "You did it! NOW Try again!" This is a red herring, because when you click on "OK" it is still unregistered.
__________________________________________________________________________

Calculation Analysis in SmartCheck

Now, close the CrackMe and run SmartCheck with the CrackMe. The breakpoint must be disabled.

Type in any code. For this tutorial, I used "12" as the code. Click on "Check it baby!" You will see "Better luck next time!!!" on the CrackMe.

Look for cmdReg_Click. Click on the + sign to expand the thread.
**You must be in "Show Errors and Specific Events" only.

You will see this:

Len(String:"12") returns LONG:2
Mid$(String:"12", long:1, VARIANT:Integer:1)
Asc(String:"1") returns Integer:49
Integer (206) -> Long (206)
Chr$(Integer:206)

Explanation:

Now, where did "206" come from? Click on Asc(String:"1") returns Integer:49 and choose "Show all Events" in SmartCheck. You will see

__vbaVarSub(VARIANT:Integer:49,VARIANT:Integer:255)...
__vbaVarAbs(VARIANT:Integer:-206)

So, what this means is that 255 is subtracted from the decimal value of "1", which is 49. This gives you -206. __vbaVarAbs takes the absolute value, so -206 becomes 206.

Chr$(Integer:206) means that the result (206) is converted back to the corresponding ASCII character, and "1" is then replaced by that character.

"2", the 2nd character, is then processed the same way. If you go back to "Show Errors and Specific Events" mode in SmartCheck, click on Asc(String:"2") returns Integer:50 and then choose "Show all Events", you will see

__vbaVarSub(VARIANT:Integer:50,VARIANT:Integer:255)...
__vbaVarAbs(VARIANT:Integer:-205)

which is the same as for "1".

Still in "Show all Events" mode, scroll down until you see

__vbaStrCmp(String:"XXX", String:"YY") ...

where XXX is a bunch of weird characters and YY is the converted "12".

**__vbaStrCmp is used to compare two strings. This is the "__vbastrcomp" breakpoint you use in Softice. Click on it. In the right window, you will see the whole string of weird characters being compared with the converted "12" we used for the code.

Ok. It uses __vbaStrCmp. So, back to Softice.
__________________________________________________________________________

Softice code sniffing

Now, enable the breakpoint "__vbastrcomp". You will break when you click on the "Check it baby!" button.
Trace the code using F10.

Break due to BPX MSVBVM50!__vbaStrComp (ET=688.85 milliseconds)
MSVBVM50!__vbaStrComp
:7B2F3564 8BEC           MOV EBP,ESP
:7B2F3566 53             PUSH EBX
:7B2F3567 56             PUSH ESI
:7B2F3568 57             PUSH EDI
:7B2F3569 837D1000       CMP DWORD PTR [EBP+10],00
:7B2F356D BE00000000     MOV ESI,00000000
:7B2F3572 7406           JZ 7B2F357A           (NO JUMP)
:7B2F3574 8B4510         MOV EAX,[EBP+10]

**If you type "d eax" here, you will see this in your data window:

:00411950 CE 00 CD 00 00 00 00 00-65 64 00 64 00 68 65 63
          ^^    ^^

CE hex = 206 decimal, which is your 1st converted char
CD hex = 205 decimal, which is your 2nd converted char

Keep tracing:

:7B2F357A 837D0C00       CMP DWORD PTR [EBP+0C],00
:7B2F357E BF00000000     MOV EDI,00000000
:7B2F3583 7406           JZ 7B2F358B           (NO JUMP)
:7B2F3585 8B4D0C         MOV ECX,[EBP+0C]

**Here, if you type "d ecx", you will see this in your data window:

:00411998 B2 00 13 20 A5 00 DF 00-BC 00 90 00 8F 00 20 20
          ^^    ^^    ^^    ^^    ^^    ^^    ^^    ^^
:004119A8 8D 00 13 20 DC 02 14 20-39 20 DF 00 CE 00 C6 00
          ^^    ^^    ^^    ^^    ^^    ^^    ^^    ^^
:004119B8 C6 00 C6 00 D1 00 DF 00-19 20 9D 00 CC 00 CB 00
          ^^    ^^    ^^    ^^    ^^    ^^    ^^    ^^
:004119C8 C9 00 C9 00 C7 00 CB 00-D1 00
          ^^    ^^    ^^    ^^    ^^

So, what we typed is converted into something else and compared with what is in ecx. (I've placed ^^ under the values used.)

**Because this is a VB program, strings are stored in w.i.d.e. .c.h.a.r.a.c.t.e.r. .f.o.r.m.a.t: each character takes two bytes, low byte first.

Conversion routine explained:

1) The 1st char is converted to its decimal (ASCII) value.
2) 255 is subtracted from it, giving a negative number, which is then converted to its absolute value.
3) The result is converted back to a character using Chr() and replaces the 1st char.

The whole code you type is converted in this way.
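The conversion routine above and the "d ecx" buffer, worked through in code. This is an added example and not part of the original tutorial or of MiZ's CrackMe; it is a Python reconstruction of what SmartCheck showed (Asc, subtract 255, Abs, Chr$), run forwards on the typed code and backwards on the dumped buffer. It rests on one assumption the tutorial does not state: that Chr$() and the string compare go through the ANSI code page, taken to be Windows-1252, so a byte in the range 80-9F is widened to that byte's Unicode code point (96 becomes U+2013, which the dump shows as 13 20). The five bytes cp1252 leaves undefined (81, 8D, 8F, 90, 9D) are assumed to widen to the same numeric value, which is what the dump shows for them (e.g. 90 00). The script also reproduces what you get if you take only the low byte of each word.

```python
"""Added example, not from the tutorial: MiZ's conversion routine as seen in
SmartCheck (Asc -> subtract 255 -> Abs -> Chr$) and its inverse applied to the
wide-character buffer from the "d ecx" dump.

Assumption (not stated on the page): VB's Chr$() and __vbaStrComp work through
the ANSI code page, taken here to be Windows-1252, so a byte 0x80-0x9F widens to
that byte's Unicode code point (0x96 -> U+2013). The five bytes cp1252 leaves
undefined (0x81, 0x8D, 0x8F, 0x90, 0x9D) are assumed to widen to the same
numeric value, which matches the dump (e.g. the word 90 00).
"""
import struct


def vb_chr(n: int) -> str:
    """Chr$(n) for 0 <= n <= 255 under the cp1252 assumption above."""
    try:
        return bytes([n]).decode("cp1252")
    except UnicodeDecodeError:          # 0x81, 0x8D, 0x8F, 0x90, 0x9D: assumed identity
        return chr(n)


def vb_asc(ch: str) -> int:
    """Asc(ch): the cp1252 byte for one character (identity for the undefined five)."""
    try:
        return ch.encode("cp1252")[0]
    except UnicodeEncodeError:
        if ord(ch) < 256:
            return ord(ch)
        raise


def convert_code(code: str) -> str:
    """What the CrackMe does to the typed code: each char c -> Chr$(Abs(Asc(c) - 255))."""
    return "".join(vb_chr(abs(vb_asc(c) - 255)) for c in code)


def decode_stored(stored: str) -> str:
    """Inverse: 255 - Asc(c). For values in 0..255 that is the same operation as the
    forward one, so running the stored string through it gives back the code."""
    return "".join(vb_chr(255 - vb_asc(c)) for c in stored)


def naive_low_byte_decode(dump: bytes) -> str:
    """The tutorial's first attempt: ignore the high byte of every 16-bit word."""
    words = struct.unpack(f"<{len(dump) // 2}H", dump)
    return "".join(chr(255 - (w & 0xFF)) for w in words)


# Bytes at 00411998 exactly as the tutorial's "d ecx" listing shows them (UTF-16LE words)
ECX_DUMP = bytes.fromhex(
    "B2001320A500DF00BC0090008F002020"
    "8D001320DC0214203920DF00CE00C600"
    "C600C600D100DF0019209D00CC00CB00"
    "C900C900C700CB00D100"
)


def recover_code(dump: bytes = ECX_DUMP) -> str:
    """Decode the widechar buffer and undo the transform to get the expected code."""
    return decode_stored(dump.decode("utf-16-le"))


if __name__ == "__main__":
    print("typed '12' becomes  :", convert_code("12").encode("utf-16-le").hex())
    print("low bytes only      :", naive_low_byte_decode(ECX_DUMP))
    print("with cp1252 widening:", recover_code())
```

convert_code("12") gives the two words CE 00 CD 00 seen with "d eax". recover_code() returns the code the buffer expects, and feeding that code back through convert_code reproduces every byte of the dump, high bytes included, so under this assumption nothing in the buffer is corrupt; the words with a 20 or 02 high byte are simply the cp1252 characters 80-9F after widening.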
__________________________________________________________________________

Code Calculation

Using an ASCII table and a calculator, convert the values B2, 13, A5, DF, BC etc.

**These are the values you saw when you typed "d ecx" after :7B2F3585

 value  | changed to | 255 minus | converted back
 in ecx | decimal    | decimal   | to ASCII
--------+------------+-----------+----------------
   B2   |    178     |     77    |   M
   13   |     19     |    236    |   ì
   A5   |    165     |     90    |   Z
   DF   |    223     |     32    |   Space
   BC   |    188     |     67    |   C
   90   |    144     |    111    |   o
   8F   |    143     |    112    |   p
   20   |     32     |    223    |   ß
   8D   |    141     |    114    |   r
   13   |     19     |    236    |   ì
   DC   |    220     |     35    |   #
   14   |     20     |    235    |   ë
   39   |     57     |    198    |   Æ
   DF   |    223     |     32    |   Space
   CE   |    206     |     49    |   1
   C6   |    198     |     57    |   9
   C6   |    198     |     57    |   9
   C6   |    198     |     57    |   9
   D1   |    209     |     46    |   .
   DF   |    223     |     32    |   Space
   19   |     25     |    230    |   æ
   9D   |    157     |     98    |   b
   CC   |    204     |     51    |   3
   CB   |    203     |     52    |   4
   C9   |    201     |     54    |   6
   C9   |    201     |     54    |   6
   C7   |    199     |     56    |   8
   CB   |    203     |     52    |   4
   D1   |    209     |     46    |   .

So, the correct code is: MìZ Copßrì#ëÆ 1999. æb346684.

...which is wrong.

Explanation:

I've emailed MiZ and, for unknown reasons (he didn't know why either), there was corruption in the data in ecx. If you look carefully at the data shown, you will notice that in some places the 00 is replaced by 20 or 02:

:00411998 B2 00 13 20 A5 00 DF 00-BC 00 90 00 8F 00 20 20
                   ^^                                  ^^
:004119A8 8D 00 13 20 DC 02 14 20-39 20 DF 00 CE 00 C6 00
                   ^^    ^^    ^^    ^^
:004119B8 C6 00 C6 00 D1 00 DF 00-19 20 9D 00 CC 00 CB 00
                                     ^^
:004119C8 C9 00 C9 00 C7 00 CB 00-D1 00

As seen above, those corrupted values (the ones just before the 20 or 02 I've highlighted) coincide with the weird characters we got.

The correct code should be: MiZ Copyright 1999. mb346684.
We got:                     MìZ Copßrì#ëÆ 1999. æb346684.

If you enter the correct code, you will get a congratulations message and the word "Unregistered" changes to "Registered".

CrackMe Cracked!!
__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me. And because I'm a newbie myself, I may have explained certain things wrongly. If that is the case, please forgive me.
Email me if there is anything you are not clear about.

My thanks and gratitude go to:
  The Sandman
  All the writers of cracking tutorials and CrackMes
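The byte patch from the "HexEditor as Support" section, as an added Python example. This is not part of the original tutorial; it automates the search-and-replace described there and adds the two checks a practitioner wants before touching the file: that the six-byte sequence 0F84BF000000 really occurs exactly once (the tutorial says it does; the script refuses to patch otherwise), and that the rel32 displacement in those bytes really points at 004057D5 when the instruction sits at 00405710. The CrackMe itself is replaced by a constructed byte buffer so the script runs offline; patch_file() is what you would point at a real copy, and it always writes a separate output file.

```python
"""Added example, not from the tutorial: flip the JZ at 00405710 to a JNZ by
editing the file bytes, as the HexEditor step describes.

Assumptions (not from the page): the CrackMe image is simulated with a
constructed buffer (FAKE_IMAGE), and the instruction is assumed to be the only
occurrence of its byte pattern, which the patcher verifies rather than trusts.
"""
import struct
from pathlib import Path

# Bytes of "JZ 004057D5" as listed by SoftICE at :00405710 (from the tutorial)
JZ_PATTERN = bytes.fromhex("0F84BF000000")
# Same instruction with opcode 0F 84 (JZ rel32) changed to 0F 85 (JNZ rel32)
JNZ_PATTERN = bytes.fromhex("0F85BF000000")
JZ_VA = 0x00405710        # virtual address of the instruction (from SoftICE)


def jcc_rel32_target(instr_va: int, encoded: bytes) -> int:
    """Target of a 6-byte 0F 8x rel32 conditional jump located at instr_va.
    The displacement is a signed 32-bit value relative to the next instruction."""
    if len(encoded) != 6 or encoded[0] != 0x0F or not 0x80 <= encoded[1] <= 0x8F:
        raise ValueError("not a 0F 8x rel32 conditional jump")
    (rel,) = struct.unpack("<i", encoded[2:])
    return (instr_va + 6 + rel) & 0xFFFFFFFF


def match_offsets(image: bytes, pattern: bytes) -> list:
    """Every file offset at which pattern occurs (overlapping matches included)."""
    offsets, start = [], 0
    while (i := image.find(pattern, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def flip_jz_to_jnz(image: bytes, pattern: bytes = JZ_PATTERN) -> bytes:
    """Return a patched copy of image with the unique JZ turned into a JNZ.
    Refuses to patch if the pattern is absent or occurs more than once."""
    hits = match_offsets(image, pattern)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one match, found {len(hits)}")
    patched = bytearray(image)
    # 0F 84 -> 0F 85: only the low bit of the condition code changes (E -> NE)
    patched[hits[0] + 1] = pattern[1] | 0x01
    return bytes(patched)


def patch_file(src: Path, dst: Path) -> int:
    """Write the patched image to dst, never in place; returns the patched offset."""
    image = src.read_bytes()
    dst.write_bytes(flip_jz_to_jnz(image))
    return match_offsets(image, JZ_PATTERN)[0]


# Constructed stand-in for the CrackMe: filler with the JZ embedded once at 0x100.
FAKE_IMAGE = b"\x90" * 0x100 + JZ_PATTERN + b"\xCC" * 0x40

if __name__ == "__main__":
    print(f"JZ at {JZ_VA:#010x} jumps to {jcc_rel32_target(JZ_VA, JZ_PATTERN):#010x}")
    patched = flip_jz_to_jnz(FAKE_IMAGE)
    print("patched at file offset", hex(match_offsets(patched, JNZ_PATTERN)[0]))
```

The target check matters because the same six bytes could in principle appear as data or inside another instruction; computing 00405710 + 6 + BF = 004057D5 and comparing it with the SoftICE listing confirms the bytes you found are the jump you meant. Only the condition byte changes, so the displacement and therefore the jump target are preserved.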