Tutorial Number 15
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 25th Mar 1999

Program Details:
Name: VB Crackme 1,2,3
Author: Andrenalin
Tools Used: SmartCheck
            SoftIce
            Crackers' Tool (available on my website)
Cracking Method: CrackMe 1 & 2 - Code sniffing
                 CrackMe 3     - Calculation analysis
                                 Code sniffing
Viewing Method: Use Notepad with Word Wrap switched on
                Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________

About this protection system

No disabled function. CrackMe 1 and 3 are based on a code; CrackMe 2 is based on Name and Serial.

__________________________________________________________________________

The Essay

I've decided to write this tutorial for the 3 CrackMes written by Andrenalin because I think they are quite easy and I shouldn't waste time writing 3 different tutorials.

In this essay, when I write type "d edx" or similar commands in SoftIce, I mean it without the quotes. At the same time, I'll not go into the settings and how to configure SmartCheck any more. If this is the first time you are reading my tutorials, I suggest you download the first few that use SmartCheck.

==========================================================================

CrackMe 1

SmartCheck

Run the crackme using SmartCheck.
**Make sure that SC is in "Show Errors and Specific Events" mode.

Type in 123456 in the textbox and click on OK. You will get an error message with a big red cross. I don't understand what it says, but I know I am not lucky enough to register it with "123456". 8P

Now, in SC, you will see Command1_Click. Click on the + sign next to it. You will only see Text1.Text and MsgBox(). Well, not enough for us.

Now, select the line Text1.Text by clicking on it, and then choose "Show All Events" in SC. Just below Text1.Text, you will see

__vbaStrCmp(String:"SynTaX2...",String:"123456") returns...
Now, click on that line and look in the right window. You will see the full length of "SynTaX 2...". __vbaStrCmp is the function in VB to compare two strings. So SynTaX 2oo1 is compared to 123456, which we entered. Why would it compare with what we entered? The only reason is because it is the real code!

So, enter SynTaX 2oo1 in the textbox and click on OK. You will get a message box with the titlebar saying "Successful" and something... CrackMe 2. I take it that we are supposed to crack CrackMe 2 now since CrackMe 1 has been cracked. 8)

**You can use SoftIce and bp on __vbastrcomp and you will get the correct answer after a bit of tracing.

==========================================================================

CrackMe 2

SmartCheck

Run the crackme using SmartCheck.
**Make sure that SC is in "Show Errors and Specific Events" mode.

Enter "Eternal Bliss" as the Name and "123456" as the Key. Click on OK. You will get an error message again.

Now look for Command1_Click again. Expand the thread. More stuff this time. You will see a lot of Mid and Asc.

Explanation:
1) Mid(VARIANT:String:"Eternal ...",long:2, VARIANT:Integer:1)
   is to get the 2nd char from the string "Eternal Bliss"
2) Asc(String:"t") returns Integer:116
   To convert the ascii "t" into decimal notation, which is 116

After every Asc, you will see __vbaVarAdd(). This is to add up all the decimal notations of our Name, which is equal to 1256.

After the last __vbaVarAdd, a few lines below, you will see
__vbaVarMul(VARIANT:Integer:1256, VARIANT:Long:1234567890) returns...
This is to multiply the sum of our Name by 1234567890. The answer to that is 1550617269840, which is seen a line below __vbaVarMul on __vbaVarMove.

The next two lines are
Mid(VARIANT:Double:1.55062e+012, Long:4, Long:1, VARIANT:String"-")
Mid(VARIANT:String:"155-6172..", Long:9, Long:1, VARIANT:String"-")
These two lines are to replace the 4th and the 9th char of 1550617269840 with "-", so that the result is 155-6172-9840.

You can now choose "Show All Events" in SC.
Click on the last Mid() first. A few lines later, you will see the function __vbaVarTstEq. This is a function to compare two Variants. In this case: 155-6172-9840 and the Key we entered.

So, the Key for "Eternal Bliss" is 155-6172-9840

**Note: if you set a bp in SoftIce using __vbaVarTstEq and trace a bit, you will find the correct code as well.

==========================================================================

CrackMe 3

SmartCheck

Time for the last CrackMe. Run it with SC, enter 123456 and click on OK. Error message.
**You must be in "Show Errors and Specific Events" mode only.

Look for Command1_Click again. Expand the thread. Things you will see:
Mid()
Asc()
Chr$()
These three functions keep repeating for the key we entered (123456).
EG.
1) Mid(VARIANT:String"123456", long:1, VARIANT:Integer:1)
2) Asc(String:"1") returns Integer:49
3) Chr$(Integer:59)

Explanation:
1) Get 1st char
2) Convert to decimal notation
3) Add 10 to the decimal notation and convert the result back to Ascii format.

The reason why I know step 3 is because I looked at the rest of the Chr$() calls. The Integer in the Chr$() is always 10 more than the Asc() result.

Ok. We know how the Key we entered is being converted. But all of a sudden, it comes to an end. Click on the last Chr$() just before the MsgBox and choose "Show All Events" in SC. 2 lines after it, you will see
__vbaVarMove(VARIANT:String:";<=>?@",.....)...
This is the converted Key we get when we enter 123456.

**You can do the conversion I mentioned above using Crackers' Tool, coded by Borna and I. It can be found on my website.

A few more lines down, you will see
__vbaVarTstEq(VARIANT:String";<=>?@",VARIANT:Const String:"") returns...
This is comparing our converted key with a constant string... But the constant string is not shown!! Have to use SoftIce now.

_________________________________________________________________________

SoftIce

Notice __vbaVarTstEq in SmartCheck? Well, it is one of the common breakpoints to be used.
So, let's use it. Set the breakpoint by typing "bpx __vbaVarTstEq" (same as __vbavartsteq). You will break in SoftIce after you click on OK.

Before you go on, I would like to say that it is quite a long way to trace, and I've shortened the listing to show only the important parts as a guide. To trace and go into calls, use F8. In this case, it is tracing into EVERY FIRST CALL after the break. I've commented on certain things in the code.

Break due to BPX MSVBVM50!__vbaVarTstEq (ET=962.85 milliseconds)
MSVBVM50!__vbaVarTstEq
:7B3FB9A2 FF742408        PUSH DWORD PTR [ESP+08]
:7B3FB9A6 6A00            PUSH 00
:7B3FB9A8 E8E74AFFFF      CALL 7B3F0494          **Go into this call using F8

==========================================================================

:7B3F0494 55              PUSH EBP
:7B3F0495 8BEC            MOV EBP,ESP
:7B3F0497 83EC44          SUB ESP,44
:7B3F049A 833D64F03F7B00  CMP DWORD PTR [7B3FF064],00
:         __________Snip___________
:
:7B3F062F 8B550C          MOV EDX,[EBP+0C]
:7B3F0632 FF7308          PUSH DWORD PTR [EBX+08]
:7B3F0635 FF7208          PUSH DWORD PTR [EDX+08]
:7B3F0638 FF7508          PUSH DWORD PTR [EBP+08]
:7B3F063B E8BC3FF0FF      CALL 7B2F45FC          **Go into this call using F8

==========================================================================

:7B2F45FC 66837C240400    CMP WORD PTR [ESP+04],00
:7B2F4602 B800000000      MOV EAX,00000000
:7B2F4607 0F85D9F20500    JNZ 7B3538E6 (NO JUMP)
:7B2F460D FF74240C        PUSH DWORD PTR [ESP+0C]
:7B2F4611 FF74240C        PUSH DWORD PTR [ESP+0C]
:7B2F4615 50              PUSH EAX
:7B2F4616 E848EFFFFF      CALL MSVBVM50!__vbaStrComp   **Go into this call using F8

==========================================================================

MSVBVM50!__vbaStrComp
:7B2F3564 8BEC            MOV EBP,ESP
:7B2F3566 53              PUSH EBX
:7B2F3567 56              PUSH ESI
:7B2F3568 57              PUSH EDI
:7B2F3569 837D1000        CMP DWORD PTR [EBP+10],00
:7B2F356D BE00000000      MOV ESI,00000000
:7B2F3572 7406            JZ 7B2F357A (NO JUMP)
:7B2F3574 8B4510          MOV EAX,[EBP+10]       <-- d eax
:7B2F3577 8B70FC          MOV ESI,[EAX-04]       <-- esi = 0000000C
:7B2F357A 837D0C00        CMP DWORD PTR [EBP+0C],00
:7B2F357E BF00000000      MOV EDI,00000000
:7B2F3583 7406            JZ 7B2F358B (NO JUMP)
:7B2F3585 8B4D0C          MOV ECX,[EBP+0C]       <-- d ecx
:7B2F3588 8B79FC          MOV EDI,[ECX-04]       <-- edi = 0000002A
:7B2F358B 3BFE            CMP EDI,ESI

After stepping past :7B2F3574, you will see eax changing colour in the register window. Type "d eax" and you will see this in the data window in SoftIce.

:00510F70 3B 00 3C 00 3D 00 3E 00-3F 00 40 00 00 00 00 00 ;.<.=.>.?.@.....
:00510F80 00 00 00 00 00 00 00 00-00 00 00 00 14 00 00 A0 ................

Notice ;.<.=.>.?.@. Because this is VB, our converted key ;<=>?@ is stored as w.i.d.e. .c.h.a.r.a.c.t.e.r.s (two bytes per character).

If you step past one more line in SoftIce, you will see that esi = 0000000C. C is the hex value of 12, which is the length of the converted key in VB. It should be 6 chars, but because it is now in wide characters, the length (in bytes) is 12.

If you step past :7B2F3585, you will see ecx changing colour. Type "d ecx" to see what is in ecx. The data window should show

:00401A8C 6B 00 58 00 79 00 5E 00-72 00 4F 00 7C 00 2A 00 k.X.y.^.r.O.|.*.
:00401A9C 79 00 58 00 6F 00 2A 00-6D 00 5C 00 6B 00 4D 00 y.X.o.*.m.\.k.M.
:00401AAC 75 00 4F 00 6E 00 2A 00-2B 00 00 00 64 00 00 00 u.O.n.*.+...d...

Step through one more line and you will see edi = 0000002A. 2A is the hex value of 42. Since it is VB, the actual length of the hidden key is 21. So, pick out the 21 chars from the data window, ignoring the ".". I've shown them below.

Also, since we know how the key we entered is converted, we can reverse what is in the data window to get the key we are supposed to enter. So, the reversed steps will be:
1) Asc()
2) Minus 10 from the decimal result
3) Chr() to convert the result back to Ascii.

Data   | Asc | minus | Char
Window |     | 10    |
-------+-----+-------+------------
k      | 107 |  97   | a
X      |  88 |  78   | N
y      | 121 | 111   | o
^      |  94 |  84   | T
r      | 114 | 104   | h
O      |  79 |  69   | E
|      | 124 | 114   | r
*      |  42 |  32   | " " <--Space
y      | 121 | 111   | o
X      |  88 |  78   | N
o      | 111 | 101   | e
*      |  42 |  32   | " " <--Space
m      | 109 |  99   | c
\      |  92 |  82   | R
k      | 107 |  97   | a
M      |  77 |  67   | C
u      | 117 | 107   | k
O      |  79 |  69   | E
n      | 110 | 100   | d
*      |  42 |  32   | " " <--Space
+      |  43 |  33   | !

Correct Key: aNoThEr oNe cRaCkEd !

CrackMes Cracked!!
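The two key checks recovered above (CrackMe 2's Name/Serial arithmetic and CrackMe 3's "add 10 then compare with a hidden constant"), re-implemented as an added Python example that is not part of the original tutorial; the function names are my own, the multiplier, Mid() positions and the two SoftIce data-window dumps are taken from the text. It shows why a check that compares a reversible transform of the input against an in-memory constant gives no real protection: once the constant is read out of memory, the transform is simply run backwards.

```python
# Added example, not code from the tutorial. Re-implements the two VB key
# checks the tutorial recovered with SmartCheck and SoftIce.

def crackme2_key(name: str) -> str:
    """CrackMe 2: sum of Asc() over the Name (the __vbaVarAdd chain),
    times 1234567890 (__vbaVarMul), then the two VB statements
    Mid(s, 4, 1) = "-" and Mid(s, 9, 1) = "-" which OVERWRITE a char."""
    total = sum(ord(c) for c in name)
    digits = list(str(total * 1234567890))
    for pos in (4, 9):            # VB positions are 1-based
        digits[pos - 1] = "-"
    return "".join(digits)

def crackme3_encode(key: str) -> str:
    """CrackMe 3 forward transform seen in SmartCheck: Chr$(Asc(c) + 10)."""
    return "".join(chr(ord(c) + 10) for c in key)

def crackme3_decode(hidden: str) -> str:
    """The reversed steps from the table above: Asc(), minus 10, Chr()."""
    return "".join(chr(ord(c) - 10) for c in hidden)

# SoftIce "d eax" / "d ecx" dumps from the tutorial, data bytes only.
# A VB string (BSTR) is UTF-16LE, and the byte length sits at [ptr-04]:
# esi = 0x0C for our converted key, edi = 0x2A for the hidden constant.
EAX_DUMP = """
3B 00 3C 00 3D 00 3E 00 3F 00 40 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 A0
"""
ECX_DUMP = """
6B 00 58 00 79 00 5E 00 72 00 4F 00 7C 00 2A 00
79 00 58 00 6F 00 2A 00 6D 00 5C 00 6B 00 4D 00
75 00 4F 00 6E 00 2A 00 2B 00 00 00 64 00 00 00
"""
EAX_BYTE_LEN = 0x0C
ECX_BYTE_LEN = 0x2A

def bstr_from_dump(dump: str, byte_len: int) -> str:
    """Decode the first byte_len bytes of a hex dump as a VB wide string,
    i.e. the same 'pick out the chars ignoring the .' done by hand above."""
    raw = bytes.fromhex("".join(dump.split()))
    return raw[:byte_len].decode("utf-16-le")

if __name__ == "__main__":
    print(crackme2_key("Eternal Bliss"))                    # 155-6172-9840
    print(bstr_from_dump(EAX_DUMP, EAX_BYTE_LEN))           # ;<=>?@
    hidden = bstr_from_dump(ECX_DUMP, ECX_BYTE_LEN)
    print(hidden, "->", crackme3_decode(hidden))           # aNoThEr oNe cRaCkEd !
```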
__________________________________________________________________________

After-thoughts

In CrackMe 3, you can probably set a bp using __vbaStrComp, because this function is called, and there will be less tracing in SoftIce. But then, who would know that it is used? SmartCheck didn't tell us. 8)

__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me. And because I'm a newbie myself, I may have explained certain things wrongly. So, if that is the case, please forgive me. Email me if there is anything you are not clear about.

My thanks and gratitude goes to:-
The Sandman
All the writers of Cracks tutorials and CrackMes