Tutorial Number 22

Written by Etenal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 31st May 1999

Program Details:
Name: Crack Me! #1
Author: DaRkShAdOw
Language: Visual Basic 4

Tools Used:
Softice

Cracking Method:
Code Sniffing

Viewing Method:
Use Notepad with Word Wrap switched on
Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________


                        About this protection system

This CrackMe contains a hardcoded code which is 12 characters long. It 
doesn't use the 2 common breakpoints (__vbaStrComp and __vbaVarTstEq)
to check the input.


_________________________________________________________________________


				About the tutorial

For this tutorial, I'll only be using Softice. And when I say "d eax", do
it without the quotes. And since this is a VB program, there are a lot of
"rubbish" codes while tracing. I'll only be showing the relevant parts.
When you traced through it yourself, don't expect it to be that clear. 8P


_________________________________________________________________________


				Softice

First, run the CrackMe. You will be told that the code is 12 char long.
So, enter any 12 chars. I chose "123456789012"

Then, we have to choose the breakpoints to use. Because it is a VB program,
I have tried using __vbaStrComp and __vbaVarTstEq. Both of which are the
commonest bp used to break into a VB prog. But in this CrackMe, although
__vbaStrComp does break, the function is not used to compare the input. So,
no point in trying them.

Well, we have to have a bp right?? Another bp that is possible is 
multibytetowidechar. This function will change a string to s.t.r.i.n.g and 
is common as well. Not sure why VB has to do this for a string, but maybe
microsoft wants a reason to make big and bloated programs. 8P

Anyway, set the bp by typing "bpx multibytetowidechar"

If you don't click on any button, the bp will still break. But to get into
the location where the compare is done, we must click on the 
"Go!, let's see if your code number is correct!!!" button.

You will break on the function. Press F12 to go out of it and back
to the code that called the function.

I've pasted a bit of the codes below.

:0F738BC1  FF1500C27B0F        CALL    [KERNEL32!MultiByteToWideChar]
:0F738BC7  8BD8                MOV     EBX,EAX		<<you land here after F12
:0F738BC9  83FEFF              CMP     ESI,-01
:0F738BCC  7501                JNZ     0F738BCF
:0F738BCE  4B                  DEC     EBX
:0F738BCF  53                  PUSH    EBX
:0F738BD0  6A00                PUSH    00
:0F738BD2  FF1518C97B0F        CALL    [OLEAUT32!SysAllocStringLen]
:0F738BD8  8BE8                MOV     EBP,EAX
:0F738BDA  85ED                TEST    EBP,EBP
:0F738BDC  0F845B260100        JZ      0F74B23D
:0F738BE2  43                  INC     EBX
:0F738BE3  53                  PUSH    EBX
:0F738BE4  55                  PUSH    EBP
:0F738BE5  56                  PUSH    ESI
:0F738BE6  57                  PUSH    EDI
:0F738BE7  6A00                PUSH    00
:0F738BE9  6A00                PUSH    00
:0F738BEB  FF1500C27B0F        CALL    [KERNEL32!MultiByteToWideChar]
:0F738BF1  8BC5                MOV     EAX,EBP
:0F738BF3  5D                  POP     EBP

After 0F738BF1, if you do a "d eax" to display the content of the register,
you will see 1.2.3.4.5.6.7.8.9.0.1.2
So, we are right about the CrackMe changing 123456789012 to that.

We will now have to trace further... Like I said, there are a lot of 
"rubbish" codes floating around. So, be patient. Trace through the codes
using F10. At a certain point, you will notice this piece of code...

:0F7A2CFF  6A00                PUSH    00
:0F7A2D01  E894F6F7FF          CALL    0F72239A
:0F7A2D06  6683F800            CMP     AX,00		<<interesting...
:0F7A2D0A  B800000000          MOV     EAX,00000000
:0F7A2D0F  0F94C0              SETZ    AL
:0F7A2D12  F7D8                NEG     EAX
:0F7A2D14  50                  PUSH    EAX
:0F7A2D15  0FB706              MOVZX   EAX,WORD PTR [ESI]
:0F7A2D18  83C602              ADD     ESI,02
:0F7A2D1B  FF2445F4997B0F      JMP     [EAX*2+0F7B99F4]

There is a CALL at 0F7A2D01 and then a "CMP AX,00" in the next line...
Let's presume that the call is to check our input. So, at 0F7A2D01, press
F8 and trace into the call.

:0F72239A  66837C240400        CMP     WORD PTR [ESP+04],00
:0F7223A0  B800000000          MOV     EAX,00000000
:0F7223A5  0F85DBB20100        JNZ     0F73D686
:0F7223AB  FF74240C            PUSH    DWORD PTR [ESP+0C]
:0F7223AF  FF74240C            PUSH    DWORD PTR [ESP+0C]
:0F7223B3  50                  PUSH    EAX
:0F7223B4  E899FEFFFF          CALL    0F722252	<<another call
:0F7223B9  C20C00              RET     000C

It looks like there is nothing there... Just a few pushes and a CALL.
But if you F10 pass the CALL at 0F7223B4, EAX will be equal to FFFFFFFF
and when it returns from the CALL from the above, EAX will be compared to
00. Bad news... So, let's pretend that the CALL at 0F7223B4 will check our
input. F8 into it.

:0F722252  83EC04              SUB     ESP,04
:0F722255  53                  PUSH    EBX
:0F722256  56                  PUSH    ESI
:0F722257  57                  PUSH    EDI
:0F722258  BB00000000          MOV     EBX,00000000
:0F72225D  8B7C241C            MOV     EDI,[ESP+1C]	<<"d edi"
:0F722261  55                  PUSH    EBP
:0F722262  85FF                TEST    EDI,EDI
:0F722264  7403                JZ      0F722269
:0F722266  8B5FFC              MOV     EBX,[EDI-04]
:0F722269  8B74241C            MOV     ESI,[ESP+1C]	<<"d esi"
:0F72226D  85F6                TEST    ESI,ESI
:0F72226F  0F84FAAA0100        JZ      0F73CD6F
:0F722275  8B46FC              MOV     EAX,[ESI-04]
:0F722278  89442410            MOV     [ESP+10],EAX
:0F72227C  8B6C2410            MOV     EBP,[ESP+10]
:0F722280  3BEB                CMP     EBP,EBX
:0F722282  7202                JB      0F722286
:0F722284  8BEB                MOV     EBP,EBX
:0F722286  837C241800          CMP     DWORD PTR [ESP+18],00
:0F72228B  0F8527AB0100        JNZ     0F73CDB8
:0F722291  85ED                TEST    EBP,EBP
:0F722293  0F85E3AA0100        JNZ     0F73CD7C                  (JUMP)
:0F73CD7C  8BC5                MOV     EAX,EBP
:0F73CD7E  D1E8                SHR     EAX,1
:0F73CD80  50                  PUSH    EAX
:0F73CD81  56                  PUSH    ESI
:0F73CD82  57                  PUSH    EDI
:0F73CD83  E8C0E50500          CALL    0F79B348		<<CALL and then TEST!!!
:0F73CD88  85C0                TEST    EAX,EAX
:0F73CD8A  0F851555FEFF        JNZ     0F7222A5

If you do a "d edi" at 0F722258 and "d esi" at 0F722269, you will see
"1.2.3.4.5.6.7.8.9.0.1.2" and "q.a.z.w.s.x.e.d.c.r.f.v" respectively...
Well, do you think "qazwsxedcrfv" is the correct code? It is 12 chars long. 8)

To see if we are correct, look at line 0F73CD83, there is a CALL, then
followed by a TEST. That is a classic thing that crackers must look out 
for as well.

Let's trace into that too... So, F8 when you reach 0F73CD83.

:0F79B348  56                  PUSH    ESI
:0F79B349  57                  PUSH    EDI
:0F79B34A  8B7C2410            MOV     EDI,[ESP+10]
:0F79B34E  8B74240C            MOV     ESI,[ESP+0C]
:0F79B352  8B4C2414            MOV     ECX,[ESP+14]
:0F79B356  33C0                XOR     EAX,EAX
:0F79B358  F366A7              REPZ CMPSW		<<see this??
:0F79B35B  7405                JZ      0F79B362                  (NO JUMP)
:0F79B35D  1BC0                SBB     EAX,EAX
:0F79B35F  83D8FF              SBB     EAX,-01
:0F79B362  5F                  POP     EDI
:0F79B363  5E                  POP     ESI
:0F79B364  C20C00              RET     000C


There is the compare we have been looking for at 0F79B358... 
and ECX=0000000C which is the length to compare... C(hex) = 12 (dec)
And edi and esi contain our input and the correct code respectively.

Notice the conditional jump at 0F79B35B? If you enter the correct code,
you will jump pass the 2 "SBB" lines. And EAX will be 00. 8)

CrackMe cracked!!

__________________________________________________________________________


                             Additional stuff

I suddenly remember about hardcoded codes...Maybe... Just Maybe...

Let's open up the CrackMe with a Hexeditor. Look through the whole file.
You will see "q.a.z.w.s.x.e.d.c.r.f.v" at file offset 25246h. 8P

Well, if you didn't know the correct code at the start, you will never know
that it is the one even if you had seen it in a Hexeditor.

__________________________________________________________________________


                             Final Notes

This tutorial is dedicated to all the newbies like me.

And because I'm a newbie myself, I may have explained certain things wrongly
So, if that is the case, please forgive me. Email me if there is anything 
you are not clear about.


My thanks and gratitude goes to:-

All the writers of Cracks tutorials and CrackMes
and also to all the crackers that have been supporting my site and project forum.