Tutorial Number 17

Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 28th Mar 1999

Program Details:
Name: Crackme 1.2
Author: Nitrus
Tools Used: SoftIce
Cracking Method: Code sniffing

Viewing Method: Use Notepad with Word Wrap switched on
                Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________

About this protection system

No disabled function. Protection is based on a serial which is calculated from the Name you enter.

__________________________________________________________________________

The Essay

In this essay, when I write type "d edx" or similar commands in SoftIce, I mean it without the quotes.

_________________________________________________________________________

SoftIce

Since this is a VB crackme, we might as well try using the few common breakpoints:

1) bpx msvbvm60!__vbavartsteq
2) bpx msvbvm60!__vbastrcomp

**I add in msvbvm60! because it is written in VB6.

Run the CrackMe and click on the first icon to get the register screen.
Enter Name as "Eternal Bliss" and serial as "12345".
Click on the picture of the key.

You will break on msvbvm60!__vbastrcomp

Break due to BPX MSVBVM60!__vbaStrComp (ET=2.44 seconds)
MSVBVM60!__vbaStrComp
:66060A85 0F8499F00200 JZ 6608FB24 (NO JUMP)
:66060A8B 6801000300 PUSH 00030001
:66060A90 FF742408 PUSH DWORD PTR [ESP+08]
:66060A94 FF742410 PUSH DWORD PTR [ESP+10]
:66060A98 FF742418 PUSH DWORD PTR [ESP+18]
:66060A9C FF1510001166 CALL [OLEAUT32!VarBstrCmp] **Go into this call using F8

==========================================================================
OLEAUT32!VarBstrCmp
:653C0227 8BEC MOV EBP,ESP
:653C0229 51 PUSH ECX
:653C022A 53 PUSH EBX
:
__________Snip___________
:
:653C025C 8B7D0C MOV EDI,[EBP+0C]
:653C025F 8B7508 MOV ESI,[EBP+08]
:653C0262 8B4D10 MOV ECX,[EBP+10]

When you go into :653C0227 (OLEAUT32!VarBstrCmp), just keep pressing F10 to trace along the code.
Whenever any register changes, type "d register" to see its new value.

**"register" in "d register" means eax, ebx, ecx, edx, edi or esi, so don't email me saying that you get an error from SoftIce when you type "d register".

I am only showing the interesting code.

After :653C025C, you will see edi having a new value. Type "d edi". You should see:

:004271C4 34 00 35 00 37 00 34 00-36 00 35 00 37 00 32 00 4.5.7.4.6.5.7.2.
:004271D4 36 00 45 00 36 00 31 00-36 00 43 00 32 00 30 00 6.E.6.1.6.C.2.0.
:004271E4 34 00 32 00 36 00 43 00-36 00 39 00 37 00 33 00 4.2.6.C.6.9.7.3.
:004271F4 37 00 33 00 34 00 35 00-37 00 34 00 36 00 35 00 7.3.

After :653C025F, you will see esi having a new value. Type "d esi". You should see:

:00421FA8 31 00 32 00 33 00 34 00-35 00 00 00 6C 00 20 00 1.2.3.4.5...l. .

Now, 12345 is the serial we entered, and it is in w.i.d.e. .c.h.a.r.a.c.t.e.r format because this is a VB program: VB strings are stored as 16-bit characters, so every ASCII character shows up in the data window as its byte followed by 00. It is compared with the string in edi later. So, when you type "d edi", you see the value the CrackMe expects in the data window.

Let's get the "normal" value of edi:

457465726E616C20426C697373

Disable all your breakpoints and type that as your serial, using "Eternal Bliss" as the Name. You will be registered. 8)

Ok. That's code sniffing for you.

Now, take a look at the serial. Do you see "7373" at the end? "Eternal Bliss" has got "ss" at the end. Now, if you convert "73" (hex value) to ASCII, you will get "s".

**Use Crackers' Tool coded by Borna Janes and me. It can be found on my website.

So, if you convert every single character of the Name into hex, you will get 457465726E616C20426C697373, which is the serial!

CrackMes Cracked!!

__________________________________________________________________________

After-thoughts

After cracking this CrackMe, I decided to use SmartCheck. To my surprise, it is even easier. 8)

Try it. Just look for the following lines...

Mid(x)
Hex(x)
__vbaStrCopy(x)
and finally, __vbaStrCmp(x)

where x can be any values. You will know what I mean.
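The whole scheme in one place, as an added example that is not the tutorial's or the CrackMe's own code: the Name-to-serial rule worked out above, a rendering of a VB string the way the SoftIce data window shows it (the base addresses 004271C4 and 00421FA8 are just the ones from the dumps above, used as labels), and the check the CrackMe effectively performs, which is why a plain string compare leaks the expected serial to anyone watching edi.

```python
# Added example, not code from the tutorial or from Crackme 1.2 itself.
from typing import List


def serial_for_name(name: str) -> str:
    """Serial = uppercase hex of each ASCII character of the Name.

    This is the rule recovered in the essay; for "Eternal Bliss" the
    result is "457465726E616C20426C697373".
    """
    return "".join(f"{ord(ch):02X}" for ch in name)


def softice_dump(text: str, base: int) -> List[str]:
    """Render a string as VB stores it (16-bit little-endian characters),
    16 bytes per line in the SoftIce "d" data-window layout.

    `base` is the address printed in the left column; it is only a label
    here, the real address is whatever the debugger shows.
    """
    raw = text.encode("utf-16-le")  # each ASCII char -> byte, 00
    lines = []
    for off in range(0, len(raw), 16):
        chunk = raw[off:off + 16]
        hexs = [f"{b:02X}" for b in chunk]
        hexpart = " ".join(hexs[:8])
        if len(hexs) > 8:
            hexpart += "-" + " ".join(hexs[8:])
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f":{base + off:08X} {hexpart} {ascii_part}")
    return lines


def crackme_check(name: str, serial: str) -> bool:
    """What the CrackMe does at __vbaStrComp / VarBstrCmp: build the expected
    serial from the Name and string-compare it with what was typed.  Because
    the expected value sits in memory as a plain string at the compare,
    "d edi" reveals it; that is the weakness code sniffing exploits."""
    return serial_for_name(name) == serial


if __name__ == "__main__":
    print(serial_for_name("Eternal Bliss"))
    for line in softice_dump(serial_for_name("Eternal Bliss"), 0x004271C4):
        print(line)
    for line in softice_dump("12345", 0x00421FA8):
        print(line)
```

The first dump line printed matches the ":004271C4 ..." line seen in SoftIce above, character for character.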
__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me. And because I'm a newbie myself, I may have explained certain things wrongly. So, if that is the case, please forgive me. Email me if there is anything you are not clear about.

My thanks and gratitude go to:

The Sandman
All the writers of cracking tutorials and CrackMes