Tutorial Number 19

Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 9th Apr 1999

Program Details:
Name: CrackMe 3
Author: MiZ
Language: Visual Basic

Tools Used: SoftIce

Cracking Method: Code sniffing

Viewing Method: Use Notepad with Word Wrap switched on
                Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________

About this protection system

Protection is based on a code which is calculated from the Name you enter.
There is an anti-SmartCheck routine which will stop SmartCheck usage.

__________________________________________________________________________

The Essay

In this essay, when I write type "d edx" or similar commands in Softice,
I mean it without the quotes.

_________________________________________________________________________

Softice

Since there is an anti-SmartCheck routine, we will try to use Softice only.
As this is a Visual Basic CrackMe, we will use the two common breakpoints first.

Run the CrackMe, type in "Eternal Bliss" for the Name and "123456" for the Code.

Set the two breakpoints as below:
1) bpx __vbastrcomp
2) bpx __vbavartsteq

Click on the "Check" picture. You will break into Softice with __vbastrcomp.
Disable the breakpoints now.

Before you go on, I'd have to say that I've listed out only some parts for
easy reference. There are a few conditional jumps around but just follow the
jumps. What you need to do is to F10 your way around until the call at
:7B2F35A6. Then trace into it.

**This is a very common place for Visual Basic programs. So, if you have
cracked enough VB programs, you will more or less recognise the code.

Break due to BPX MSVBVM50!__vbaStrComp  (ET=1.26 seconds)

MSVBVM50!__vbaStrComp
:7B2F3564 8BEC          MOV   EBP,ESP
:7B2F3566 53            PUSH  EBX
:7B2F3567 56            PUSH  ESI
:7B2F3568 57            PUSH  EDI
:
__________Snip___________
:
:7B2F359F 50            PUSH  EAX
:7B2F35A0 FF750C        PUSH  DWORD PTR [EBP+0C]
:7B2F35A3 FF7510        PUSH  DWORD PTR [EBP+10]
:7B2F35A6 E83FA40000    CALL  7B2FD9EA

**Go into this call using F8

==========================================================================

:7B2FD9EA 56            PUSH  ESI
:7B2FD9EB 57            PUSH  EDI
:7B2FD9EC 8B7C2410      MOV   EDI,[ESP+10]

After this line, you will notice edi having a new value. Type "d edi" and
you will see something like this in your data window.

:00411B50 75 00 36 00 2D 00 33 00-31 00 7D 00 20 00 3C 00  u.6.-.3.1.}. .<.
:00411B60 2C 00 41 00 2C 00 35 00-30 00 00 00 29 00 00 A0  ,.A.,.5.0...)...

F10 one more line so that :7B2FD9F0 has been processed.

:7B2FD9F0 8B74240C      MOV   ESI,[ESP+0C]

You will see esi having a new value as well. Type "d esi" and see what is
in esi.

:00411AAC 31 00 32 00 33 00 34 00-35 00 36 00 00 00 20 00  1.2.3.4.5.6... .

Does 1.2.3.4.5.6 look familiar to you? Because this is Visual Basic, things
get "bigger" using w.i.d.e. .c.h.a.r.a.c.t.e.r format.

So, in fact, esi contains the code you entered.
So, what do you think is in edi? 8)

Ok, I know the problem. So what if I can see the value in edi? Where does the
correct code stop? Take the hex values of edi and see...

75 00 36 00 2D 00 33 00-31 00 7D 00 20 00 3C 00  u.6.-.3.1.}. .<.
   ^^    ^^    ^^    ^^    ^^    ^^    ^^    ^^
2C 00 41 00 2C 00 35 00-30 00 00 00 29 00 00 A0  ,.A.,.5.0...)...
   ^^    ^^    ^^    ^^    ^^ ^^ ^^

Do you see all the 00s in between other values? And on the second line,
there are 3 sets of 00 together? That's where the correct code stops.

Now, we need to get the correct code from the hex values.
You can just use the ascii values in the data window. Remove the "."
that is in between and you will get

        u6-31} <,A,50

**There is a space between "}" and "<"

Now, re-enter "u6-31} <,A,50" as the code and click on the "Check" picture.
You will get the message

"You made it! Now write up an essay and send it to: ReFleXZ@fcmail.com"

That is what I am doing. 8P

CrackMe Cracked!!

__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me.

And because I'm a newbie myself, I may have explained certain things wrongly.
So, if that is the case, please forgive me. Email me if there is anything
you are not clear about.

My thanks and gratitude goes to:-

The Sandman
All the writers of Cracks tutorials and CrackMes
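
Added example (not part of the original tutorial): the "remove the dots and stop at the three 00s" step from the Softice section, done by parsing the data-window lines shown above and decoding them as a null-terminated wide-character (UTF-16LE) string. The function names dump_to_bytes and wide_string are made up for this illustration; the dump lines are the ones quoted in the essay.

```python
import re

# Data-window lines as quoted in the tutorial: address, 16 hex bytes, ASCII column.
EDI_DUMP = """\
:00411B50 75 00 36 00 2D 00 33 00-31 00 7D 00 20 00 3C 00 u.6.-.3.1.}. .<.
:00411B60 2C 00 41 00 2C 00 35 00-30 00 00 00 29 00 00 A0 ,.A.,.5.0...)...
"""
ESI_DUMP = ":00411AAC 31 00 32 00 33 00 34 00-35 00 36 00 00 00 20 00 1.2.3.4.5.6... ."

# Optional ':' + 8-digit address, then exactly 16 hex bytes separated by ' ' or '-'.
LINE_RE = re.compile(
    r"^:?[0-9A-Fa-f]{8}\s+((?:[0-9A-Fa-f]{2}[ -]){15}[0-9A-Fa-f]{2})"
)


def dump_to_bytes(dump):
    """Return the raw bytes of a Softice-style dump, ignoring address and ASCII columns."""
    out = bytearray()
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or anything that is not a dump row
        out += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(out)


def wide_string(data):
    """Decode UTF-16LE text up to the first 16-bit null code unit.

    The scan moves two bytes at a time. A plain byte search for 00 00 would
    match one byte early, on the high byte of the last character plus the
    first terminator byte, which is why three 00 bytes appear in a row.
    """
    for i in range(0, len(data) - 1, 2):
        if data[i] == 0 and data[i + 1] == 0:
            return data[:i].decode("utf-16-le")
    raise ValueError("no wide-character terminator in dump")


if __name__ == "__main__":
    print(repr(wide_string(dump_to_bytes(ESI_DUMP))))  # code typed into the CrackMe
    print(repr(wide_string(dump_to_bytes(EDI_DUMP))))  # string it is compared against
```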