Tutorial Number 14
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 19th Mar 1999

Program Details:
Name: cRACKME #2
Author: lEK/tOL
Tools Used: SoftIce
            Crackers' Tools written by Borna Janes and I
Cracking Method: Code sniffing
Viewing Method: Use Notepad with Word Wrap switched on
                Screen Area set to 800 X 600 pixels (Optional)
__________________________________________________________________________

About this protection system

No disabled function. Protection is based on a password.
__________________________________________________________________________

The Essay

In this essay, when I write type "d edx" or similar commands in SoftIce, I mean it without the quotes.

This is a very simple CrackMe, so I won't be explaining much.
__________________________________________________________________________

SoftIce

Like I said in my 2 essays on general VB cracking, there are 2 main "popular" breakpoints used in VB programs to check a serial/password. They are:

__vbastrcomp
__vbavartsteq

Well, since this CrackMe is written in VB, let's try our luck.

Set the two breakpoints by typing "bpx __vbastrcomp" and "bpx __vbavartsteq".
Run the CrackMe. Type in "12345678" for the password. Click on "cHECK"...

Did you break into SoftIce on __vbastrcomp?? Well, I did. 8P

Here is the disassembly listing from SoftIce...

MSVBVM50!__vbaStrComp
:7B2F3564 8BEC        MOV EBP,ESP
:7B2F3566 53          PUSH EBX
:7B2F3567 56          PUSH ESI
:7B2F3568 57          PUSH EDI
:7B2F3569 837D1000    CMP DWORD PTR [EBP+10],00
:7B2F356D BE00000000  MOV ESI,00000000
:7B2F3572 7406        JZ 7B2F357A        (NO JUMP)
:7B2F3574 8B4510      MOV EAX,[EBP+10]
:7B2F3577 8B70FC      MOV ESI,[EAX-04]
:7B2F357A 837D0C00    CMP DWORD PTR [EBP+0C],00
:7B2F357E BF00000000  MOV EDI,00000000
:7B2F3583 7406        JZ 7B2F358B        (NO JUMP)
:7B2F3585 8B4D0C      MOV ECX,[EBP+0C]
:7B2F3588 8B79FC      MOV EDI,[ECX-04]
:7B2F358B 3BFE        CMP EDI,ESI

Just these few lines are enough for you to crack the CrackMe.
------------------------

Right after :7B2F3574, if you do a "d eax", you will see this in your data window...

:004118E8 31 00 32 00 33 00 34 00-35 00 36 00 37 00 38 00 1.2.3.4.5.6.7.8.

This looks like the password we entered, right?? Since it is VB, the password has been converted to w.i.d.e. .c.h.a.r.a.c.t.e.r.s (each character is followed by a 00 byte).

And just after :7B2F3577, if you type "? esi" you will see

00000010 0000000016 ""

in your command window (the place where you do your typing).

What does this mean?? Well, your password is 8 chars. But because it is converted to wide chars, it is now double the length in bytes, therefore 16 in Dec and 10 in Hex.

**You can actually see that esi=00000010 in the register window.

------------------------

Right after :7B2F3585, if you do a "d ecx", you will see this in your data window...

:00401E18 57 00 67 00 FF 00 31 00-2E 00 6B 00 36 00 2E 00 W.g...1...k.6...
:00401E28 23 00 FF 00 FF 00 FF 00-FF 00 24 00 20 00 00 00 #.........$. ...

And just after :7B2F3588, if you type "? edi" you will see

0000001E 0000000030 ""

in your command window.

**You can actually see that edi=0000001E in the register window.

So, following what I said for esi, since edi=0000001E, when converted to Dec, it is 30. To get the correct length, divide it by 2 and you will get 15.

------------------------

So, our correct password is 15 chars.

Now, look at the data window after you typed "d ecx". The Hex values (30 of them) are:

57 00 67 00 FF 00 31 00-2E 00 6B 00 36 00 2E 00
23 00 FF 00 FF 00 FF 00-FF 00 24 00 20 00

Ignoring the 00s since they are added by VB, you will have

57 67 FF 31 2E 6B 36 2E 23 FF FF FF FF 24 20

**Count the number of Hex values... it will be 15.

Use Crackers' Tools (the proggie I coded with Borna Janes) to convert the Hex values to ASCII. You will get "Wgÿ1.k6.#ÿÿÿÿ$ "

**After the "$", there is a space. Ignore the quotation marks.

**Also, if you just read the ASCII column shown in SoftIce, you will get the wrong password, because SoftIce prints every non-printable byte (including FF) as a dot. Compare what you converted with what is shown!
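The two steps above (reading the byte length from the register, halving it for the character count, and decoding the wide-char bytes instead of trusting the dump's ASCII column) can be reproduced offline. The following Python script is an added example and not part of the original tutorial or of Crackers' Tools; it parses the two "d ecx" lines quoted above (copied here as constructed input), decodes them as the UTF-16LE layout VB uses for strings, and shows why the ASCII column misleads. The last two functions are an added mitigation sketch, also not from the tutorial: a program that keeps only a digest of its secret and compares digests in constant time leaves no literal in memory for a string-compare breakpoint to catch.

```python
import hashlib
import hmac

# Constructed copy of the two "d ecx" lines quoted in the tutorial.
SOFTICE_DUMP = """\
:00401E18 57 00 67 00 FF 00 31 00-2E 00 6B 00 36 00 2E 00 W.g...1...k.6...
:00401E28 23 00 FF 00 FF 00 FF 00-FF 00 24 00 20 00 00 00 #.........$. ...
"""

# The value the tutorial reads from EDI: the BSTR byte-length prefix at [ECX-04].
EDI_BYTE_LENGTH = 0x1E


def parse_softice_dump(dump: str) -> bytes:
    """Turn ':ADDR xx xx ... xx-xx ... ASCII' lines into raw bytes.

    The address column and the trailing ASCII column are discarded; the '-'
    SoftIce prints between the 8th and 9th byte is treated as a separator.
    """
    out = bytearray()
    for line in dump.splitlines():
        if not line.startswith(":"):
            continue
        fields = line.replace("-", " ").split()
        # fields[0] is the address; the next 16 fields are the hex bytes.
        for tok in fields[1:17]:
            out.append(int(tok, 16))
    return bytes(out)


def bstr_char_count(byte_length: int) -> int:
    """VB strings are UTF-16LE, so the byte count in the length prefix is
    twice the character count (0x1E = 30 bytes -> 15 characters)."""
    return byte_length // 2


def decode_bstr(raw: bytes, byte_length: int) -> str:
    """Decode the first byte_length bytes of the dump as UTF-16LE.
    This is the conversion the tutorial does by hand with Crackers' Tools."""
    return raw[:byte_length].decode("utf-16-le")


def softice_ascii_column(raw: bytes, byte_length: int) -> str:
    """Reproduce what the SoftIce ASCII column shows: every byte outside the
    printable range (including FF) is drawn as '.', which is why reading the
    password off that column gives a wrong answer."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw[:byte_length])


def password_digest(password: str) -> bytes:
    """Mitigation sketch (hypothetical, not from the CrackMe): keep a digest
    of the secret rather than the literal. For user-chosen passwords a salted,
    slow KDF should replace plain SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def check_password(candidate: str, stored_digest: bytes) -> bool:
    """Constant-time digest comparison; the expected plaintext never sits next
    to a string-compare call the way the CrackMe's literal does."""
    return hmac.compare_digest(password_digest(candidate), stored_digest)


if __name__ == "__main__":
    raw = parse_softice_dump(SOFTICE_DUMP)
    print("bytes in length prefix:", EDI_BYTE_LENGTH)
    print("characters:", bstr_char_count(EDI_BYTE_LENGTH))
    print("ASCII column shows:", repr(softice_ascii_column(raw, EDI_BYTE_LENGTH)))
    print("decoded wide string:", repr(decode_bstr(raw, EDI_BYTE_LENGTH)))
```

Running it prints the 15-character count and the decoded string, and the ASCII-column line makes the tutorial's warning concrete: the four FF bytes and the real dots are indistinguishable there.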
Now, type in the string you converted from the Hex values. You will get a message saying that you have made it!

CrackMe Cracked!!
__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me. And because I'm a newbie myself, I may have explained certain things wrongly. So, if that is the case, please forgive me.

Email me if there is anything you are not clear about.

My thanks and gratitude goes to:-
The Sandman
All the writers of cracking tutorials and CrackMes