Tutorial Number 13
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 13th Mar 1999

Program Details:
Name: VB Crackme v1.0
Author: EinZtein
Tools Used: SmartCheck, SoftIce
Cracking Method: Calculation analysis, Code sniffing
Viewing Method: Use Notepad with Word Wrap switched on
                Screen Area set to 800 X 600 pixels (Optional)
__________________________________________________________________________

About this protection system

No disabled function. Protection is based on a Name, Registration Number and Unlock Code. A routine is used to calculate a final number which must be equal to 123456789.
__________________________________________________________________________

The Essay

In this essay, when I write type "d edx" or similar commands in SoftIce, I mean it without the quotes. At the same time, I'll not go into the settings and how to configure SmartCheck any more. If this is the first time you are reading my tutorials, I suggest you download the first few that use SmartCheck.
__________________________________________________________________________

SmartCheck

Start SmartCheck and run the CrackMe. Enter the following:-
Name: EternalBliss (no space in between)
Registration Number: 12
Unlock Code: 144

Click on Register. You will see "Too bad, give it another try" in the Status box. Stop the CrackMe and let's look at what SmartCheck has to show...

You will see Command1_Click
**You must be in "Show Errors and Specific Events" mode
Expand the thread by clicking on the + sign
Click on Serial1.Text and choose "Show All Events"
You will see
Len(String:"EternalB...") returns LONG:12
**this is to get the length of your name
A few lines below, you will see Serial2.Text
Len(String:"12") returns LONG:2
**this is to get the length of the Registration Number
A few more lines down, you will see
__VbaVarDiv(VARIANT:String:"144", VARIANT:Long:12)...
__VbaVarMul(VARIANT:Double:12,VARIANT:Integer:2)...
__VbaVarSub(VARIANT:Double:24,VARIANT:Integer:12)...
These few steps are explained as:
1) Unlock Code(144) divided by length of Name(12) = 12
2) result(12) multiplied by length of Reg number(2) = 24
3) result(24) minus 12 = 12

After the second Serial2.Text, you will see
__vbaVarMul(VARIANT:Double:12,VARIANT:String:"12")...
__vbaVarDiv(VARIANT:Double:144, VARIANT:Integer:2)...
__vbaVarTstEq(VARIANT:Double:72, VARIANT:Const String:"")...
These few steps are explained as:
4) result(12) multiplied by Reg Number(12) = 144
5) result(144) divided by 2 = 72
6) result(72) is compared with something.
Too bad that something is not shown... Well, we need SoftIce now.
_________________________________________________________________________

SoftIce

Notice __vbaVarTstEq in SmartCheck? Well, it is one of the common breakpoints to be used. So, let's use it.
Set the breakpoint by typing "bpx __vbaVarTstEq" (same as __vbavartsteq)
You will break in SoftIce after you click on Register.

Before you go on, I would like to say that it is quite a long way to trace and I've shortened the listing to show only the important parts as a guide.
To trace without going into calls, use F10
To trace and go into calls, use F8
I've commented on certain things in the code.
Break due to BPX MSVBVM50!__vbaVarTstEq
MSVBVM50!__vbaVarTstEq
:7B3FB9A2 FF742408      PUSH DWORD PTR [ESP+08]
:7B3FB9A6 6A00          PUSH 00
:7B3FB9A8 E8E74AFFFF    CALL 7B3F0494          **Go into this call using F8
==========================================================================
:7B3F0494 55            PUSH EBP
:7B3F0495 8BEC          MOV EBP,ESP
:7B3F0497 83EC44        SUB ESP,44
:7B3F049A 833D64F03F7B00 CMP DWORD PTR [7B3FF064],00
:7B3F04A1 53            PUSH EBX
:7B3F04A2 56            PUSH ESI
:7B3F04A3 57            PUSH EDI
:         __________Snip___________
:
:7B3F6EF5 6A05          PUSH 05
:7B3F6EF7 FF7508        PUSH DWORD PTR [EBP+08]
:7B3F6EFA FF750C        PUSH DWORD PTR [EBP+0C]
:7B3F6EFD 53            PUSH EBX
:7B3F6EFE E8F1480000    CALL 7B3FB7F4          **Go into this call using F8
==========================================================================
:7B3FB7F4 55            PUSH EBP
:7B3FB7F5 8BEC          MOV EBP,ESP
:7B3FB7F7 83EC30        SUB ESP,30
:         __________Snip___________
:
:7B3FB82A 56            PUSH ESI
:7B3FB82B E803CDFCFF    CALL MSVBVM50!__vbaStrVarCopy   **Go into this call using F8
==========================================================================
MSVBVM50!__vbaStrVarCopy
:7B3C8534 8B4C2408      MOV ECX,[ESP+08]
:7B3C8538 8BEC          MOV EBP,ESP
:7B3C853A 83EC30        SUB ESP,30
:         __________Snip___________
:
:7B3C857C 50            PUSH EAX
:7B3C857D 50            PUSH EAX
:7B3C857E 6A08          PUSH 08
:7B3C8580 51            PUSH ECX
:7B3C8581 52            PUSH EDX
:7B3C8582 E80C2CF4FF    CALL 7B30B193          **Go into this call using F8
==========================================================================
:7B30B193 55            PUSH EBP
:7B30B194 33C0          XOR EAX,EAX
:         __________Snip___________
:
:7B30B1E8 50            PUSH EAX
:7B30B1E9 6800040000    PUSH 00000400
:7B30B1EE 56            PUSH ESI
:7B30B1EF FF7508        PUSH DWORD PTR [EBP+08]
:7B30B1F2 FF153C1A2F7B  CALL [OLEAUT32!VariantChangeTypeEx]
  **F10 over this call and after it, EDX = 7.2. (type "d edx")
    72 is the converted number we get from the Name, Reg Num and Unlock Code.
    Since this is a VB program, 72 is held as a wide-character (Unicode) string, which is why the dump shows it as 7.2. (one padding byte after each character).
:7B30B1F8 8BD8          MOV EBX,EAX
:7B30B1FA 66837DE800    CMP WORD PTR [EBP-18],00
:         __________Snip___________
:
:7B30B214 5D            POP EBP
:7B30B215 C21000        RET 0010
==========================================================================
**resume tracing after the call at :7B3C8582
:7B3C8587 50            PUSH EAX
:         __________Snip___________
:
:7B3C8550 5D            POP EBP
:7B3C8551 C20400        RET 0004
==========================================================================
**resume tracing after the call at :7B3FB82B (CALL MSVBVM50!__vbaStrVarCopy)
:7B3FB830 50            PUSH EAX
:7B3FB831 8BF0          MOV ESI,EAX
:         __________Snip___________
:
:7B2F460D FF74240C      PUSH DWORD PTR [ESP+0C]
:7B2F4611 FF74240C      PUSH DWORD PTR [ESP+0C]
:7B2F4615 50            PUSH EAX
:7B2F4616 E848EFFFFF    CALL MSVBVM50!__vbaStrComp   **Go into this call using F8
==========================================================================
MSVBVM50!__vbaStrComp
:7B2F3564 8BEC          MOV EBP,ESP
:7B2F3566 53            PUSH EBX
:7B2F3567 56            PUSH ESI
:         __________Snip___________
:
:7B2F359F 50            PUSH EAX
:7B2F35A0 FF750C        PUSH DWORD PTR [EBP+0C]
:7B2F35A3 FF7510        PUSH DWORD PTR [EBP+10]
:7B2F35A6 E83FA40000    CALL 7B2FD9EA          **Go into this call using F8
==========================================================================
:7B2FD9EA 56            PUSH ESI
:7B2FD9EB 57            PUSH EDI
:7B2FD9EC 8B7C2410      MOV EDI,[ESP+10]      <-edi = real code
:7B2FD9F0 8B74240C      MOV ESI,[ESP+0C]      <-esi = 72
:7B2FD9F4 8B4C2414      MOV ECX,[ESP+14]
:         __________Snip___________
:
:7B2FDA04 5F            POP EDI
:7B2FDA05 5E            POP ESI
:7B2FDA06 C20C00        RET 000C
==========================================================================
==========================================================================

After tracing through all that, you will see that the real code is 123456789 (type "d edi" at :7B2FD9F0 to view it).
So, let's have a summary before continuing...
Name: EternalBliss (no space in between)
Registration Number: 12
Unlock Code: 144

Conversion:
1) Unlock Code(144) divided by length of Name(12) = 12
2) result(12) multiplied by length of Reg number(2) = 24
3) result(24) minus 12 = 12
4) result(12) multiplied by Reg Number(12) = 144
5) result(144) divided by 2 = 72
6) result(72) is compared with something.
Now, we know that something = 123456789
_________________________________________________________________________

Calculation

We can derive the formula below from these 6 steps:

(((((x / 12) * 2) - 12) * 12) / 2) = 123456789

x = the real Unlock Code to be entered

So, let's reverse step by step...
**when you reverse the math, multiply becomes divide and vice versa, and subtraction becomes addition and vice versa. Work backwards from the last step to the first.

123456789 * 2 = 246913578
246913578 / 12 = 20576131
20576131 + 12 = 20576143
20576143 / 2 = 10288071
10288071 * 12 = 123456861

(The two divisions above leave fractional parts, 20576131.5 and 10288071.75, which are carried through because the CrackMe works on Doubles; the final result 123456861 is exact.)

The Real Unlock Code is 123456861

Name: EternalBliss (no space in between)
Registration Number: 12
Unlock Code: 123456861

CrackMe Cracked!!
__________________________________________________________________________

Afterthought

You might think that I am very lucky to have used 12 as the Reg Num and 144 as the Unlock Code. Well, that's not true... After many trials and errors, I discovered that the Reg Num must not be longer than 5 characters, and having seen the divisions, I decided to use 12 and 144. Notice also that my name is EternalBliss and not Eternal Bliss. That is to have 12 as the length instead of 13, which would make the calculation more difficult...

Tracing through SoftIce wasn't easy either... I actually traced through every call. That is because I know that I am quite near the end of the whole routine. I only show you which are the calls you should take. If you want to investigate more, trace into all the calls. But once we find out that the converted number is compared to 123456789, we can change anything we want.
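To make the six SmartCheck steps and their reversal concrete, here is an added Python model of the check (example code written for this tutorial, not the CrackMe's or the author's code). It keeps the steps in one table so the same table drives both the forward calculation and the step-by-step reversal, carries the fractional intermediate values as Doubles do, and approximates the VariantChangeTypeEx string conversion with vb_cstr; like the author's formula, it assumes the subtracted 12 is a constant.

```python
"""Model of the VB Crackme v1.0 check traced above (added example, not the
CrackMe's own code)."""
import operator

TARGET = "123456789"   # the string __vbaStrComp compares against

OPS = {"/": operator.truediv, "*": operator.mul,
       "-": operator.sub, "+": operator.add}
INVERSE = {"/": "*", "*": "/", "-": "+", "+": "-"}


def steps(name, reg):
    """The steps SmartCheck showed, as (operator, operand) pairs.
    The 12 in step 1 is Len(name) and the 2 in step 2 is Len(reg);
    the 12 subtracted in step 3 is taken as a constant, as in the
    page's formula (assumption: the trace does not say where it comes from)."""
    return [("/", len(name)), ("*", len(reg)), ("-", 12),
            ("*", float(reg)), ("/", 2)]


def forward(x, ops):
    """Apply the steps on a Double, as __vbaVarDiv/Mul/Sub do."""
    for op, k in ops:
        x = OPS[op](x, k)
    return x


def reverse(target, ops):
    """Undo the steps last-to-first, each with its opposite operator."""
    return forward(target, [(INVERSE[op], k) for op, k in reversed(ops)])


def vb_cstr(d):
    """Approximation of VB's Double-to-String conversion: an integral
    Double prints with no decimal part, so 72.0 becomes "72"."""
    return str(int(d)) if d == int(d) else repr(d)


def check(name, reg, unlock):
    """True when the converted number, as text, equals TARGET."""
    return vb_cstr(forward(float(unlock), steps(name, reg))) == TARGET


def real_unlock_code(name, reg):
    """The Unlock Code that makes check() succeed for this Name/Reg pair."""
    return reverse(float(TARGET), steps(name, reg))


if __name__ == "__main__":
    print(forward(144.0, steps("EternalBliss", "12")))   # 72.0
    print(real_unlock_code("EternalBliss", "12"))        # 123456861.0
    print(check("EternalBliss", "12", "123456861"))     # True
```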
__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me. And because I'm a newbie myself, I may have explained certain things wrongly. So, if that is the case, please forgive me. Email me if there is anything you are not clear about.

My thanks and gratitude go to:-
The Sandman
All the writers of Cracks tutorials and CrackMes