CrackMe #1 By Nitrus
--------------------

Tools Used: SoftIce
---
Protection: Code
---

First, you need to have MSVBVM60.DLL loaded in your S-ICE exports. Start the crackme, enter a code and set a breakpoint on __vbaLenBstr, then press enter. When SoftIce pops up and you have pressed F11 you should land here:

  :0040220D FF1510104000    CALL [MSVBVM60!__vbaLenBstr]     ; eax = length of entered code
  :00402213 83F80A          CMP EAX,0A                       ; check if it is 10 chars long
  :00402216 0F850E050000    JNZ 0040272A                     ; if it is not, jump away (bad code)
  :0040221C 8B13            MOV EDX,[EBX]

OK, if you didn't enter a 10 char long code, you won't get further, so go out and enter a 10 char code and try again. I entered 1234567890. Well, go on until you reach this part:

  :0040225E 6A04            PUSH 04
  :00402260 51              PUSH ECX
  :00402261 C745A401000000  MOV DWORD PTR [EBP-5C],00000001
  :00402268 C7459C02000000  MOV DWORD PTR [EBP-64],00000002
  :0040226F FF1548104000    CALL [MSVBVM60!rtcMidCharBstr]   ; gets the 4th char (Mid$)
  :00402275 8B35CC104000    MOV ESI,[MSVBVM60!__vbaStrMove]
  :0040227B 8BD0            MOV EDX,EAX
  :0040227D 8D4DE4          LEA ECX,[EBP-1C]
  :00402280 FFD6            CALL ESI
  :00402282 8B3D94104000    MOV EDI,[MSVBVM60!rtcBstrFromAnsi] ; Chr$(): builds a 1-char string from the ASCII code pushed next
  :00402288 50              PUSH EAX
  :00402289 6A2D            PUSH 2D                          ; pushes 2Dh = -
  :0040228B FFD7            CALL EDI
  :0040228D 8BD0            MOV EDX,EAX
  :0040228F 8D4DE0          LEA ECX,[EBP-20]
  :00402292 FFD6            CALL ESI
  :00402294 50              PUSH EAX
  :00402295 FF155C104000    CALL [MSVBVM60!__vbaStrCmp]      ; compares the entered char 4 with - and stores the result in eax, 0=true 1=false

OK, so now we have found out that the fourth char should be a -, so now our serial is 123-567890. Go on until you reach this part:

  :00402310 6A09            PUSH 09
  :00402312 50              PUSH EAX
  :00402313 C745A401000000  MOV DWORD PTR [EBP-5C],00000001
  :0040231A C7459C02000000  MOV DWORD PTR [EBP-64],00000002
  :00402321 FF1548104000    CALL [MSVBVM60!rtcMidCharBstr]   ; gets the 9th char
  :00402327 8BD0            MOV EDX,EAX
  :00402329 8D4DE4          LEA ECX,[EBP-1C]
  :0040232C FFD6            CALL ESI
  :0040232E 50              PUSH EAX
  :0040232F 6A2D            PUSH 2D                          ; pushes 2Dh = -
  :00402331 FFD7            CALL EDI
  :00402333 8BD0            MOV EDX,EAX
  :00402335 8D4DE0          LEA ECX,[EBP-20]
  :00402338 FFD6            CALL ESI
  :0040233A 50              PUSH EAX
  :0040233B FF155C104000    CALL [MSVBVM60!__vbaStrCmp]      ; compares the entered char 9 with - and stores the result in eax, 0=true 1=false

Woot, another step further: the 9th char should also be a -, so now our serial is 123-5678-0. Go on until you reach this part:

  :004023B2 6A03            PUSH 03                          ; the 3 first chars
  :004023B4 52              PUSH EDX
  :004023B5 FF15C4104000    CALL [MSVBVM60!rtcLeftCharBstr]  ; gets the 3 first chars (Left$)
  :004023BB 8BD0            MOV EDX,EAX
  :004023BD 8D4DD4          LEA ECX,[EBP-2C]
  :004023C0 FFD6            CALL ESI
  :004023C2 50              PUSH EAX
  :004023C3 6A30            PUSH 30                          ; pushes 30h = 0
  :004023C5 FFD7            CALL EDI
  :004023C7 8BD0            MOV EDX,EAX
  :004023C9 8D4DE4          LEA ECX,[EBP-1C]
  :004023CC FFD6            CALL ESI
  :004023CE 50              PUSH EAX
  :004023CF 6A35            PUSH 35                          ; pushes 35h = 5
  :004023D1 FFD7            CALL EDI
  :004023D3 8BD0            MOV EDX,EAX
  :004023D5 8D4DE0          LEA ECX,[EBP-20]
  :004023D8 FFD6            CALL ESI
  :004023DA 50              PUSH EAX
  :004023DB FF1524104000    CALL [MSVBVM60!__vbaStrCat]      ; "0" & "5"
  :004023E1 8BD0            MOV EDX,EAX
  :004023E3 8D4DDC          LEA ECX,[EBP-24]
  :004023E6 FFD6            CALL ESI
  :004023E8 50              PUSH EAX
  :004023E9 6A33            PUSH 33                          ; pushes 33h = 3
  :004023EB FFD7            CALL EDI
  :004023ED 8BD0            MOV EDX,EAX
  :004023EF 8D4DD8          LEA ECX,[EBP-28]
  :004023F2 FFD6            CALL ESI
  :004023F4 50              PUSH EAX
  :004023F5 FF1524104000    CALL [MSVBVM60!__vbaStrCat]      ; "05" & "3"
  :004023FB 8BD0            MOV EDX,EAX
  :004023FD 8D4DD0          LEA ECX,[EBP-30]
  :00402400 FFD6            CALL ESI
  :00402402 50              PUSH EAX
  :00402403 FF155C104000    CALL [MSVBVM60!__vbaStrCmp]      ; compares our three first chars with 053

Great eh? :) Now our serial is 053-5678-0. Go on until you reach this part:

  :00402490 6A05            PUSH 05
  :00402492 50              PUSH EAX
  :00402493 FF1548104000    CALL [MSVBVM60!rtcMidCharBstr]   ; starts on the 5th char
  :00402499 8BD0            MOV EDX,EAX
  :0040249B 8D4DCC          LEA ECX,[EBP-34]
  :0040249E FFD6            CALL ESI
  :004024A0 50              PUSH EAX
  :004024A1 6A33            PUSH 33                          ; pushes 33h = 3
  :004024A3 FFD7            CALL EDI
  :004024A5 8BD0            MOV EDX,EAX
  :004024A7 8D4DE4          LEA ECX,[EBP-1C]
  :004024AA FFD6            CALL ESI
  :004024AC 50              PUSH EAX
  :004024AD 6A33            PUSH 33                          ; pushes 33h = 3
  :004024AF FFD7            CALL EDI
  :004024B1 8BD0            MOV EDX,EAX
  :004024B3 8D4DE0          LEA ECX,[EBP-20]
  :004024B6 FFD6            CALL ESI
  :004024B8 50              PUSH EAX
  :004024B9 FF1524104000    CALL [MSVBVM60!__vbaStrCat]      ; "3" & "3"
  :004024BF 8BD0            MOV EDX,EAX
  :004024C1 8D4DDC          LEA ECX,[EBP-24]
  :004024C4 FFD6            CALL ESI
  :004024C6 50              PUSH EAX
  :004024C7 6A38            PUSH 38                          ; pushes 38h = 8
  :004024C9 FFD7            CALL EDI
  :004024CB 8BD0            MOV EDX,EAX
  :004024CD 8D4DD8          LEA ECX,[EBP-28]
  :004024D0 FFD6            CALL ESI
  :004024D2 50              PUSH EAX
  :004024D3 FF1524104000    CALL [MSVBVM60!__vbaStrCat]      ; "33" & "8"
  :004024D9 8BD0            MOV EDX,EAX
  :004024DB 8D4DD4          LEA ECX,[EBP-2C]
  :004024DE FFD6            CALL ESI
  :004024E0 50              PUSH EAX
  :004024E1 6A37            PUSH 37                          ; pushes 37h = 7
  :004024E3 FFD7            CALL EDI
  :004024E5 8BD0            MOV EDX,EAX
  :004024E7 8D4DD0          LEA ECX,[EBP-30]
  :004024EA FFD6            CALL ESI
  :004024EC 50              PUSH EAX
  :004024ED FF1524104000    CALL [MSVBVM60!__vbaStrCat]      ; "338" & "7"
  :004024F3 8BD0            MOV EDX,EAX
  :004024F5 8D4DC8          LEA ECX,[EBP-38]
  :004024F8 FFD6            CALL ESI
  :004024FA 50              PUSH EAX
  :004024FB FF155C104000    CALL [MSVBVM60!__vbaStrCmp]      ; compares our 5th, 6th, 7th and 8th chars with 3387

So what have we found out now? YES! Now the serial looks like this: 053-3387-0. Go further until you reach this part:

  :0040258A 6A01            PUSH 01
  :0040258C 52              PUSH EDX
  :0040258D FF15D0104000    CALL [MSVBVM60!rtcRightCharBstr] ; gets the last char (Right$)
  :00402593 8BD0            MOV EDX,EAX
  :00402595 8D4DE4          LEA ECX,[EBP-1C]
  :00402598 FFD6            CALL ESI
  :0040259A 50              PUSH EAX
  :0040259B 6A37            PUSH 37                          ; pushes 37h = 7
  :0040259D FFD7            CALL EDI
  :0040259F 8BD0            MOV EDX,EAX
  :004025A1 8D4DE0          LEA ECX,[EBP-20]
  :004025A4 FFD6            CALL ESI
  :004025A6 50              PUSH EAX
  :004025A7 FF155C104000    CALL [MSVBVM60!__vbaStrCmp]      ; compares the last char with 7

So the real serial is 053-3387-7. Enter that and the Caption of the window should become Cracked...

---
/Klefz - http://klefz.cjb.net
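The whole check, replayed in Python as an added example (this is not the crackme's own code and not part of the original tutorial). The helper functions are my models of the MSVBVM60 runtime calls named in the listing: Mid$, Left$ and Right$ use VB6's 1-based positions, Chr$ is rtcBstrFromAnsi, and __vbaStrCmp is modelled the way the tutorial reads it, 0 on a match and 1 otherwise. The listing addresses returned on failure are the compare instructions from the disassembly above, so a bad input can be matched to the place in the listing where it would branch away.

```python
"""Replay of the CrackMe #1 serial check reconstructed from the SoftIce listing.

Added example, not the crackme's own code.  Each helper models one of the
MSVBVM60 runtime functions the tutorial breaks on; positions are 1-based
as in VB6.
"""


def vba_len_bstr(s: str) -> int:
    """__vbaLenBstr: length of the entered string."""
    return len(s)


def rtc_mid_char_bstr(s: str, start: int, length: int) -> str:
    """rtcMidCharBstr: Mid$(s, start, length) with a 1-based start."""
    return s[start - 1:start - 1 + length]


def rtc_left_char_bstr(s: str, length: int) -> str:
    """rtcLeftCharBstr: Left$(s, length)."""
    return s[:length]


def rtc_right_char_bstr(s: str, length: int) -> str:
    """rtcRightCharBstr: Right$(s, length)."""
    return s[-length:] if length else ""


def rtc_bstr_from_ansi(code: int) -> str:
    """rtcBstrFromAnsi: Chr$(code), a one-character string from an ASCII code."""
    return chr(code)


def vba_str_cmp(a: str, b: str) -> int:
    """__vbaStrCmp as the tutorial reads it: 0 when equal, 1 otherwise."""
    return 0 if a == b else 1


def check_serial(code: str):
    """Run the six checks in the order the crackme performs them.

    Returns None when every check passes (the caption would read 'Cracked'),
    otherwise the address of the compare that failed.
    """
    if vba_len_bstr(code) != 0x0A:                      # CMP EAX,0A / JNZ 0040272A
        return "00402216"
    if vba_str_cmp(rtc_mid_char_bstr(code, 4, 1), rtc_bstr_from_ansi(0x2D)):
        return "00402295"                               # 4th char must be '-'
    if vba_str_cmp(rtc_mid_char_bstr(code, 9, 1), rtc_bstr_from_ansi(0x2D)):
        return "0040233B"                               # 9th char must be '-'
    # Left$(code, 3) is compared with Chr$(30h) & Chr$(35h) & Chr$(33h) = "053"
    expected = "".join(rtc_bstr_from_ansi(c) for c in (0x30, 0x35, 0x33))
    if vba_str_cmp(rtc_left_char_bstr(code, 3), expected):
        return "00402403"
    # Mid$(code, 5, 4) is compared with "3387", concatenated one Chr$ at a time
    expected = "".join(rtc_bstr_from_ansi(c) for c in (0x33, 0x33, 0x38, 0x37))
    if vba_str_cmp(rtc_mid_char_bstr(code, 5, 4), expected):
        return "004024FB"
    if vba_str_cmp(rtc_right_char_bstr(code, 1), rtc_bstr_from_ansi(0x37)):
        return "004025A7"                               # last char must be '7'
    return None


if __name__ == "__main__":
    # The same sequence of attempts the tutorial walks through (constructed input)
    for attempt in ("1234567890", "123-567890", "123-5678-0",
                    "053-5678-0", "053-3387-0", "053-3387-7"):
        print(attempt, "->", check_serial(attempt) or "Cracked")
```

Running it prints the address of the first failing compare for each intermediate guess from the tutorial and "Cracked" for the final one; the trace is the same order in which the breakpoints fire in SoftIce.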