Tutorial Number 8
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 17th Feb 1999

Program Details:
Name: CrackMe v3.0a
Author: Borna Janes
Language: Visual Basic 6

Tools Used:
Softice
SmartCheck
HexEditor

Cracking Method: Patching, SmartCheck analysis

Viewing Method: Use Notepad with Word Wrap switched on
Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________

About this protection system

No disabled function. Protection is based on a serial number which is checked using two different routines, and the results must be equal.

__________________________________________________________________________

The Essay

As this is a tutorial for newbies, I'll go into detail about how I go about cracking the program. I suggest that you read this tutorial first. When you have read through it, leave this tutorial open and follow the instructions. Re-do it once more after you have completed the step by step guide...

In this essay, when I write type "d edx" or similar commands in Softice, I mean without the quotes.

__________________________________________________________________________

Running with SmartCheck

I'll not go into the settings and how to configure SmartCheck anymore. If this is the first time you are reading my tutorials, I suggest you download the first few that use SmartCheck.

Run the program with SmartCheck. Type in any serial you want. I used 12121. Click on "Check it".

You will notice that your computer is running like mad but nothing is showing in SmartCheck at all... Ok. Read the Readme.txt by Borna. You will see that he has added an Anti-SmartCheck routine, and this is what you are experiencing. Don't worry. My computer is running like mad now while I'm typing this... 8P

Finally, your computer has stopped running... You will see a message box saying "You have SmartCheck loaded!...Close it and try again!!!"
So, we can't use SmartCheck... Nope... We still can. 8)

__________________________________________________________________________

Softice to the Rescue

Click on the "OK" button and stop the CrackMe in SmartCheck. Close SmartCheck and let it rest.

Now, back to basics... Try the few breakpoints commonly used in VB programs. I started with "bpx msvbvm60!__vbastrcomp"

**Note: You have to add in "msvbvm60!" because this is a VB 6 program.

Run the CrackMe without using SmartCheck, type in any serial and click "Check it". You will break into the program.

The reason for using Softice here is that the Anti-SmartCheck routine written by Borna is dependent on time. This means that after going through the routine, if the time taken is very long, the program takes it to mean that SmartCheck is being used.

Now that you are in Softice, we need to go to the main program code to see where the Anti-SmartCheck routine is... Press F10 until you see BJCM30A!... below the code window in Softice. You will be at location 00404401.

This is something you will see:

:00404391 3BC7              CMP   EAX,EDI                        <--start of big loop
:00404393 0F84C8000000      JZ    00404461                       <--to jump out of big loop
:00404399 B801000000        MOV   EAX,00000001
..
..
__________Snip___________
..
:004043E1 899DF8FEFFFF      MOV   [EBP-0108],EBX
:004043E7 899DE8FEFFFF      MOV   [EBP-0118],EBX
:004043ED FF1538104000      CALL  [MSVBVM60!__vbaVarForInit]
:004043F3 3BC7              CMP   EAX,EDI                        <--start of small loop
:004043F5 744D              JZ    00404444                       <--to jump out of small loop
:004043F7 68342A4000        PUSH  00402A34
:004043FC 68342A4000        PUSH  00402A34
:00404401 FF1568104000      CALL  [MSVBVM60!__vbaStrCmp]         <--break inside here
:00404407 85C0              TEST  EAX,EAX
:00404409 751F              JNZ   0040442A
..
..
__________Snip___________
..
:0040443B 51                PUSH  ECX
:0040443C FF15E8104000      CALL  [MSVBVM60!__vbaVarForNext]
:00404442 EBAF              JMP   004043F3                       <--back to small loop
:00404444 8D95A4FEFFFF      LEA   EDX,[EBP-015C]
..
..
__________Snip___________
..
:00404455 51                PUSH  ECX
:00404456 FF15E8104000      CALL  [MSVBVM60!__vbaVarForNext]
:0040445C E930FFFFFF        JMP   00404391                       <--back to big loop

You must disable your breakpoint now or you will keep breaking... If you keep tracing using F10 you will notice that you go around in circles for a long, long time...

**That is how I found out that this part of the code is the Anti-SmartCheck code.

Referring to the above code, you will notice that I have labelled 2 loops: a small one inside a bigger one. If you try jumping out of the small loop at 004043F5, you will encounter the big loop and you will be brought back into the small loop again. So, to solve this, you will need to jump out of the big loop at 00404393.

Now, if you have been thinking, you will probably know that if we were to run this CrackMe in SmartCheck and, before clicking on the "Check it" button, set a breakpoint at 00404393, you can force the program to jump out of the big loop and continue to use SmartCheck without any problems at all. 8) But then, this means that you have to do it every time you restart the CrackMe.

__________________________________________________________________________

HexEditor as Support

To permanently disable the Anti-SmartCheck routine, we will need to patch the conditional jump at 00404393. To do this, copy down the code for this jump (0F84C8000000) and open the CrackMe using a HexEditor. Search for this hex combination. There is only one location for it.

Since the instruction is JZ 00404461, if we want to reverse it, we can change it to JNZ 00404461. So if you refer to an opcode reference, you will know that we need to change 0F84C8000000 to 0F85C8000000. Do it and save it as a different file.

__________________________________________________________________________

Time for the King

Load the new patched file using SmartCheck. Type in the serial 12121 and click on "Check it".

*Fingers crossed*

Your computer didn't run like mad, did it??
8)

Now, click on the + sign next to Command1_Click to expand the threads. You will see a lot of Len, Asc, Hex$ and Mid$. These are basically the commands used to get the characters from your serial.

Explanation:
Len    - get the length of a string
Asc    - convert a char into its decimal (ASCII) number
Hex$   - convert a number into hex
Mid$   - extract a char from a string based on its location
UCase$ - convert any lowercase letters into UPPERCASE

Look at the lines within Command1_Click and try to "feel" what is happening. Most of the commands are described in my 2 essays on VB cracking, which are available on my websites...

You will observe that most of the lines seem to be repeating themselves... So look for something different. For the moment, you don't have to choose "Show All Events" in SC yet.

Near the start inside Command1_Click, you will see something like this:

Mid$(String:"12121",long:?,VARIANT:Integer:1)
Mid$(String:"12121",long:?+1,VARIANT:Integer:1)

where ? increases from 1 to 5.

**If you choose "Show All Events" here, you will see that each char is compared with the next one in the sequence.

Next few lines (actually repeating 3 times):

Text1.Text
Len(String:"12121") returns LONG:5

**It just gets the length of the serial you entered. Not sure why the author has to do it 3 times... Maybe so that you won't miss it!! 8P

Then there is

Left(VARIANT:VT_DISPATCH:....., long:1)
Asc(String:"1") returns Integer:49

**This is to get your first char, which is 1, and convert it to a decimal number. So, 1 has the decimal number 49. This is repeated a LOT of times inside Command1_Click so you can't miss it.

After the Asc line, if you count down, on the 21st line you will see

Hex$(VARIANT:Long:245)

hmmm... where did 245 come from?? Ok. Click on the line and then choose "Show All Events"... You will see a lot of __vbaStrCmp and, at the start of it, a __vbaStrCopy(String:"*",....)... Just above the Hex$ line, you will see

__vbaStrCmp(String:"*", String:"*") returns DWORD:0

ahh... a match...
**The char * in VB means multiply. For the rest of the commands, you will have to refer to my 2 essays on VB cracking. No point in me writing them and repeating them again.

So, something is multiplied with something else to get 245... Try multiplying 49 with 5... = 245!! Where do we get 49 and 5 then?? If you scroll up the tutorial a bit, you will see that 5 is the length of the serial you entered and 49 is the decimal of the 1st char.

After the Hex$ line and still in "Show All Events" mode, you will see __vbaStrMove(String:"F5",...)... Now, where did F5 come from? Try converting 245 to hex... You will get F5 !!!!!

**I recommend Volatility's CrackersConvert v1.0 which can be found at http://www.ImmortalDescendants.com

This is repeated a few times and is not useful anymore... Just remember the magic numbers 245 and F5.

Now, go back to "Show Errors and Specific Events" to cut out the rubbish. Locate the 2nd Hex$(VARIANT:Long:245). On the 3rd line after it, you will see

Mid$(String:"12121",long:2,VARIANT:Integer:1)
Asc(String:"2") returns Integer:50

Click on the Asc line and choose "Show All Events" again. The next line below is

__vbaVarAdd(VARIANT:Integer:49,VARIANT:Integer:50)...

**Adding 49 (decimal value of 1) from above to 50 (decimal value of 2). So, I hope you still remember where 49 comes from. 50 is the decimal value of 2.

The next line is

__vbaVarMove(VARIANT:Integer:99,VARIANT:Integer:49)...

Replacing 49 in memory by the total, which is 99. 99 is the result of 49 + 50.

Choose "Show Errors and Specific Events" again. Ok. We have seen the CrackMe getting the 1st and 2nd char, converting them to decimal values and then adding them. What we need to look for is whether the 3rd, 4th and 5th numbers are used as well.

Look for Mid$(String:"12121",long:3,VARIANT:Integer:1). It is about 29 lines below Mid$(String:"12121",long:2,VARIANT:Integer:1).

**You have to choose "Show Errors and Specific Events" or you will be lost.
Mid$(String:"12121",long:3,VARIANT:Integer:1)
**get the 3rd char from 12121
Asc(String:"1") returns Integer:49

Click on the Asc line and choose "Show All Events" again. The next 2 lines below are

__vbaVarAdd(VARIANT:99, VARIANT:Integer:49)...
**Adding 49 (decimal value of 1) to the running total 99 from above
__vbaVarMove(VARIANT:Integer:148, VARIANT:99)...
**actions similar to the above

Choose "Show Errors and Specific Events" again. 29 lines after Mid$(String:"12121",long:3,VARIANT:Integer:1) you will see

Mid$(String:"12121",long:4,VARIANT:Integer:1)
**get the 4th char from 12121
Asc(String:"2") returns Integer:50

Click on the Asc line and choose "Show All Events" again. The next 2 lines are very similar...

__vbaVarAdd(VARIANT:Integer:148,VARIANT:Integer:50)...
__vbaVarMove(VARIANT:Integer:198,VARIANT:Integer:148)...
**actions similar to the above

Do the same while looking for Mid$(String:"12121",long:5,VARIANT:Integer:1). About 29 lines down again, you will see

Mid$(String:"12121",long:5,VARIANT:Integer:1)
**get the 5th char from 12121
Asc(String:"1") returns Integer:49

You have to choose "Show All Events" again

__vbaVarAdd(VARIANT:198, VARIANT:Integer:49)...
__vbaVarMove(VARIANT:Integer:247, VARIANT:198)...
**actions similar to the above

Now, after seeing the lines, go back to "Show Errors and Specific Events". You will see, 2 lines below Mid$(String:"12121",long:5,VARIANT:Integer:1),

Hex$(VARIANT:Integer:247)

If you click on this Hex$ line and choose "Show All Events"

__vbaStrMove(String:"F7",...)...

Now, something appears out of nowhere again... (I am referring to F7.) Try converting 247 to hex. You will get F7.

The next line is __vbaStrCopy(String:"=",...)... Looks interesting!!!

Click on Hex$(VARIANT:Integer:247) and go back to "Show Errors and Specific Events". Between this line and the end, you will see a lot of F5 and F7. Do you still remember where F5 comes from? What about F7?

Basically, the CrackMe is converting F5 and F7 to decimal again... (weird, since they were converted from decimal!!) So, you can ignore all that rubbish.

Scroll all the way down, you will see

Hex$(VARIANT:Boolean:False)

Click on it and choose "Show All Events". Ahh... you will see a few __vbaStrCmp again and the start of these lines is __vbaStrCopy(String:"=",...)...

__vbaStrCmp(String:"=",String:"=")... is the last line before Hex$(VARIANT:Boolean:False)

So, what do you think is happening? Think now...

F5 - from the multiplication of the decimal of the 1st char with the length of the serial, then converted to hex
F7 - from the sum of all the decimal values of the serial, then converted to hex

and now there is an "=" sign...

Let's give it a try... Suppose we don't change the value of F5. We must leave the 1st char as 1 and the length as 5. We will need to change F7 to become F5. How? By reducing the sum of the decimal values of the serial by 2. So, instead of 12121 (49 + 50 + 49 + 50 + 49), we can try 12020 (49 + 50 + 48 + 50 + 48), which is 245 and when converted to hex = F5.

Now, run the CrackMe without using SC. Try it on the original CrackMe. (I hope you have a backup before you patch it.) You will get "Good job, tell me how you do that!"

You can change the other characters around, but the 1st one must always stay 1 (and the length 5) so that F5 does not change.

Program Cracked...

__________________________________________________________________________

Afterthought

Looking at the complexity of the calculation routine, I can say that it is practically impossible to crack using Softice alone. That is why I had to resort to patching it to allow SC usage.

Think cracking this is difficult? Try writing a tutorial on it. 8(

__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me. And because I'm a newbie myself, I may have explained certain things wrongly. So, if that is the case, please forgive me. Email me if there is anything you are not clear about.
My thanks and gratitude go to:-

The Sandman
All the writers of cracking tutorials and CrackMes
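The serial check reconstructed from the SmartCheck trace above, as an added worked example in Python (not part of the original tutorial and not the CrackMe's own code; the function names are mine). It replays the Len, Asc, Mid$, __vbaVarAdd and Hex$ steps for 12121 and 12020, and goes a little beyond the single serial in the text by showing why the condition comes down to the ASCII offsets of every char from the 1st char cancelling out.

```python
# Reconstruction of the CrackMe v3.0a serial check as seen in the SmartCheck
# trace. Added example: the function names and layout are mine, not the
# CrackMe's own code; the numbers in the comments are the ones from the trace.

def trace(serial: str) -> dict:
    """Replay the SmartCheck events: Len, Asc of the 1st char, the '*' product,
    the Mid$/Asc/__vbaVarAdd running sum, and the two Hex$ results."""
    length = len(serial)                      # Len(String:"12121") returns LONG:5
    first_asc = ord(serial[0])                # Asc(String:"1") returns Integer:49
    product = first_asc * length              # the "*" step: 49 * 5 = 245
    running, total = [], 0
    for ch in serial:                         # Mid$(String:"12121",long:n,1), Asc
        total += ord(ch)                      # __vbaVarAdd / __vbaVarMove
        running.append(total)                 # 49, 99, 148, 198, 247 for 12121
    return {
        "len": length,
        "first_asc": first_asc,
        "product": product,
        "product_hex": format(product, "X"),  # Hex$(VARIANT:Long:245)    -> "F5"
        "running_sum": running,
        "sum_hex": format(total, "X"),        # Hex$(VARIANT:Integer:247) -> "F7"
    }


def check_serial(serial: str) -> bool:
    """Accepted when the two Hex$ strings compare equal: the
    __vbaStrCmp(String:"=",String:"=") step before Hex$(VARIANT:Boolean:...)."""
    if not serial:
        return False
    t = trace(serial)
    return t["product_hex"] == t["sum_hex"]


def offsets(serial: str) -> list:
    """Why 12020 works: first_asc * len == sum(asc) is the same as saying the
    ASCII offsets of every char from the 1st char add up to zero."""
    base = ord(serial[0])
    return [ord(ch) - base for ch in serial]  # 12020 -> [0, 1, -1, 1, -1]


if __name__ == "__main__":
    for s in ("12121", "12020"):
        t = trace(s)
        print(s, t["product_hex"], t["sum_hex"], offsets(s),
              "Good job" if check_serial(s) else "rejected")
```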