Tutorial Number 16
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 28th Mar 1999

Program Details:
Name: CrackMe 1
Author: Nitrus

Tools Used: SoftIce
Cracking Method: Code sniffing

Viewing Method: Use Notepad with Word Wrap switched on
                Screen Area set to 800 X 600 pixels (Optional)
__________________________________________________________________________

About this protection system

No disabled function. A 10 char serial protection.
__________________________________________________________________________

The Essay

In this essay, when I write type "d edx" or similar commands in SoftIce, I mean it without the quotes.
__________________________________________________________________________

SoftIce

Since this is a VB crackme, we might as well try using the few common breakpoints:

1) bpx msvbvm60!__vbavartsteq
2) bpx msvbvm60!__vbastrcomp

**I add in msvbvm60! because it is written in VB6.

Run the crackme, type in "12345678" and then set your breakpoints. When you hit Enter, you will break in MSVBVM60!__vbaVarTstEq

Break due to BPX MSVBVM60!__vbaVarTstEq (ET=792.07 milliseconds)
MSVBVM60!__vbaVarTstEq
:004021F4 8D4D9C LEA ECX,[EBP-64]

Press F12 to get out of this function. This is because I didn't find anything useful in it. You can trace it if you want. 8)

You will land below:

:004021F7 668BF8 MOV DI,AX
:004021FA FF150C104000 CALL [MSVBVM60!__vbaFreeVar]
:00402200 663BFE CMP DI,SI
:00402203 0F8472050000 JZ 0040277B (NO JUMP)
:00402209 8B4B34 MOV ECX,[EBX+34]
:0040220C 51 PUSH ECX
:0040220D FF1510104000 CALL [MSVBVM60!__vbaLenBstr]
:00402213 83F80A CMP EAX,0A

The call at :0040220D (MSVBVM60!__vbaLenBstr) gets the length of the serial we entered. Note the compare after it: EAX is the length of the serial we entered, and it is compared to 0A. 0A is the hex value for 10, so our serial must be 10 characters.

F5 to return to the crackme. Now, type in "1234567890" for our serial.

Oops.
Forgot to tell you to disable your breakpoints first. 8) Disable your breakpoints or you will keep breaking every time you type something.

Now, reset your 2 breakpoints. When you break at MSVBVM60!__vbaVarTstEq, press F5 to return to the crackme. But since the serial is now of the correct length, you will break into MSVBVM60!__vbaStrComp.

Break due to BPX MSVBVM60!__vbaStrComp (ET=2.78 seconds)
MSVBVM60!__vbaStrComp
:66060A85 0F8499F00200 JZ 6608FB24 (NO JUMP)
:66060A8B 6801000300 PUSH 00030001
:66060A90 FF742408 PUSH DWORD PTR [ESP+08]
:66060A94 FF742410 PUSH DWORD PTR [ESP+10]
:66060A98 FF742418 PUSH DWORD PTR [ESP+18]
:66060A9C FF1510001166 CALL [OLEAUT32!VarBstrCmp]

**Go into this call using F8
==========================================================================
OLEAUT32!VarBstrCmp
:653C0227 8BEC MOV EBP,ESP
:653C0229 51 PUSH ECX
:653C022A 53 PUSH EBX
:653C022B 56 PUSH ESI
:653C022C 8B7508 MOV ESI,[EBP+08]
:
: __________Snip___________
:
:653C025C 8B7D0C MOV EDI,[EBP+0C]
:653C025F 8B7508 MOV ESI,[EBP+08]
:653C0262 8B4D10 MOV ECX,[EBP+10] <--set bp here

When you go into :653C0227 (OLEAUT32!VarBstrCmp), just keep pressing F10 to trace along the code. Whenever any register changes, type "d register" to see what the new value is.

**"register" in "d register" means eax, ebx, ecx, edx, edi or esi, so don't email me saying that you get an error from SoftIce when you type "d register".

I am only showing the interesting code.

After :653C025C, you will see EDI having a new value. Type "d edi". You should see:

:00510FE4 2D 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 -...............

After :653C025F, you will see ESI having a new value. Type "d esi". You should see:

:00510F9C 34 00 00 00 33 00 34 00-35 00 36 00 37 00 38 00 4...3.4.5.6.7.8.

(VB strings are stored as two bytes per character, which is why every character in the dump is followed by 00.)

Now, where would "-" or "4" come from? Let's presume that 4 is part of the serial we typed (1234567890). So, "-" would be the correct serial in that location!
So, part of the correct serial would be 123-567890

After tracing again and again, I find that I always come to this part of the code. So, you can just type "bpx xxxx:653C0262" and disable the rest of your bp. xxxx will depend on your computer when you are inside OLEAUT32!VarBstrCmp.

**bpx here will let EDI and ESI get the new values. So, when you break, you just need to type "d edi" and "d esi" to see the values.

So, press F5. You will break again.

Break due to BPX #0177:653C0262 (ET=78.66 microseconds)
0177:653C0262 8B4D10 MOV ECX,[EBP+10]
017F:00510FE4 2D 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 -...............
017F:00510F9C 39 00 00 00 33 00 34 00-35 00 36 00 37 00 38 00 9...3.4.5.6.7.8.

Part of the correct serial would be 123-5678-0
**If you don't know why, look at the explanation above.

Press F5 again. You will break.

Break due to BPX #0177:653C0262 (ET=168.52 microseconds)
0177:653C0262 8B4D10 MOV ECX,[EBP+10]
017F:00510F88 30 00 35 00 33 00 00 00-80 0F 51 00 24 00 00 A0 0.5.3.....Q.$...
017F:00510F9C 31 00 32 00 33 00 00 00-35 00 36 00 37 00 38 00 1.2.3...5.6.7.8.

Part of the correct serial would be 053-5678-0

Press F5 again. You will break.

Break due to BPX #0177:653C0262 (ET=208.70 microseconds)
0177:653C0262 8B4D10 MOV ECX,[EBP+10]
017F:004100C8 33 00 33 00 38 00 37 00-00 00 DB DB 15 02 00 A0 3.3.8.7.........
017F:00510FE4 35 00 36 00 00 00 00 00-00 00 00 00 00 00 00 00 5.6.............

Part of the correct serial would be 053-33xx-0
**xx can be of any values.

Press F5 again. You will break.

Break due to BPX #0177:653C0262 (ET=199.57 microseconds)
0177:653C0262 8B4D10 MOV ECX,[EBP+10]
017F:004100A0 37 00 00 00 00 00 00 00-42 01 00 00 3D 02 00 A0 7.......B...=...
017F:00510FE4 30 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 0...............

Note, our last digit is "0" and is compared to "7". So, the final correct code is 053-33xx-7

You can place any values in xx and you will get the title of the crackme to change from "crackme..."
to "cracked"

CrackMe Cracked!
__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me. And because I'm a newbie myself, I may have explained certain things wrongly. So, if that is the case, please forgive me. Email me if there is anything you are not clear about.

My thanks and gratitude goes to:-
The Sandman
All the writers of cracking tutorials and CrackMes
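Back to the VarBstrCmp breaks above: the following Python script is an added example, not part of the tutorial, that decodes the "d edi"/"d esi" dump lines as VB strings (UTF-16LE, NUL terminated) and locates each typed piece inside 1234567890, so you can see which position of the serial every compare constrains. The dump lines are re-typed from the tutorial as constructed sample input; per the listing, ESI came from [EBP+08] (our typed piece) and EDI from [EBP+0C] (the expected piece).

```python
import re

# SoftIce "d edi"/"d esi" lines from the tutorial's five VarBstrCmp breaks,
# re-typed here as constructed sample input (the "017F:" selector is optional).
ENTERED = "1234567890"  # the serial the tutorial types in
BREAKS = [  # (edi = [EBP+0C], expected piece ; esi = [EBP+08], typed piece)
    (":00510FE4 2D 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 -...............",
     ":00510F9C 34 00 00 00 33 00 34 00-35 00 36 00 37 00 38 00 4...3.4.5.6.7.8."),
    ("017F:00510FE4 2D 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 -...............",
     "017F:00510F9C 39 00 00 00 33 00 34 00-35 00 36 00 37 00 38 00 9...3.4.5.6.7.8."),
    ("017F:00510F88 30 00 35 00 33 00 00 00-80 0F 51 00 24 00 00 A0 0.5.3.....Q.$...",
     "017F:00510F9C 31 00 32 00 33 00 00 00-35 00 36 00 37 00 38 00 1.2.3...5.6.7.8."),
    ("017F:004100C8 33 00 33 00 38 00 37 00-00 00 DB DB 15 02 00 A0 3.3.8.7.........",
     "017F:00510FE4 35 00 36 00 00 00 00 00-00 00 00 00 00 00 00 00 5.6............."),
    ("017F:004100A0 37 00 00 00 00 00 00 00-42 01 00 00 3D 02 00 A0 7.......B...=...",
     "017F:00510FE4 30 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 0..............."),
]

# optional ":" or "SSSS:" in front, 8-digit offset, then exactly 16 hex bytes
DUMP_LINE = re.compile(r"^:?(?:[0-9A-Fa-f]{4}:)?([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}[ -]){16})")

def dump_bytes(line):
    """Return the 16 data bytes of one SoftIce 'd' line; the ASCII column is ignored."""
    m = DUMP_LINE.match(line.strip())
    if not m:
        raise ValueError("not a SoftIce dump line: %r" % line)
    return bytes.fromhex(m.group(2).replace("-", "").replace(" ", ""))

def bstr_text(raw):
    """Decode the VB string (UTF-16LE, two bytes per char) that starts at the dumped address."""
    out = []
    for i in range(0, len(raw) - 1, 2):
        code = raw[i] | (raw[i + 1] << 8)
        if code == 0:  # "00 00" ends the string; what follows is unrelated heap data
            break
        out.append(chr(code))
    return "".join(out)

def decode_breaks(breaks=BREAKS, entered=ENTERED):
    """Per break: (expected piece, typed piece, 1-based position of the typed piece in ENTERED)."""
    result = []
    for edi_line, esi_line in breaks:
        expected = bstr_text(dump_bytes(edi_line))
        typed = bstr_text(dump_bytes(esi_line))
        pos = entered.find(typed)
        result.append((expected, typed, pos + 1 if pos >= 0 else None))
    return result

if __name__ == "__main__":
    print(decode_breaks())
```

The positions it reports (4, 9, 1, 5, 10) are exactly the ones the tutorial fills in by hand: "-" at the 4th and 9th characters, "053" at the start, the "33" pair at the 5th, and "7" as the last digit.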