VBCrackMe v9.0
by Eternal Bliss


Tutorial by Lucifer48 [Immortal Descendants]
(August 22nd, 1999)



Reading the txt file that comes with the crackme, I was a little intrigued:
Try cracking it. I've used a totally different compare routine that I have not seen in VB before.
You might be surprised after cracking it. 
Then I set a breakpoint with bpx MSVBVM60!rtcInputBox, and SoftICE breaks here:
XXXX:004045C2  PUSH 10
XXXX:004045C4  LEA  EAX,[EBP-0124]
XXXX:004045CA  PUSH EAX
XXXX:004045CB  CALL [MSVBVM60!rtcInputBox]		;display the dialog box
I decided to scroll back up in the code to find a test or something interesting (use CTRL+Up); I saw another call to rtcInputBox (probably the good message box), and the test I was expecting:
XXXX:00404392  LEA  EAX,[EBP-24]
XXXX:00404395  PUSH EAX
XXXX:00404396  LEA  EAX,[EBP-0124]
XXXX:0040439C  PUSH EAX
XXXX:0040439D  CALL MSVBVM60!__vbaVarTstEq		;compare two variants
XXXX:004043A2  MOVSX EAX,AX
XXXX:004043A5  TEST EAX,EAX				;if eax=0: bad code
XXXX:004043A7  JZ   004044D2
Usually (not always), you can see the two compared values by doing: d *(eax+8). Here, nothing! Then I scrolled up again (CTRL+Up) and found the solution:
XXXX:004042FB  PUSH EAX					;my serial (wide chars)
XXXX:004042FC  LEA  EAX,[EBP-00BC]
XXXX:00404302  PUSH EAX					;EAX will contain the address of the result
XXXX:00404303  CALL MSVBVM60!__vbaStrToAnsi		;wide chars to ansi (one char = one byte)
XXXX:00404308  PUSH EAX					;push my serial
XXXX:00404309  PUSH DWORD PTR [EBP-00B0]		;the good serial (wide chars)
XXXX:0040430F  LEA  EAX,[EBP-00B4]
XXXX:00404315  PUSH EAX					;EAX will contain the address of the result
XXXX:00404316  CALL MSVBVM60!__vbaStrToAnsi		;same thing for the good serial
XXXX:0040431B  PUSH EAX					;push the good serial
XXXX:0040431C  CALL 00402A28				;comparison
XXXX:00404321  MOV  [EBP-0158], EAX			;EAX=0 (success) or EAX=-1 (fail)
XXXX:00404327  CALL MSVBVM60!__vbaSetSystemError
And what's in the call at 00402A28? It's ... [KERNEL32!lstrcmp]! Wow :)
Let's come back to the registration. For my name, I get:

Name/ Lucifer48
Serial/ 13u18i3e6411
You can see that only the odd-placed chars (I mean the 1st, 3rd, 5th, 7th ... chars) are modified.
    13u18i3e6411
      ^  ^ ^ ^
It means that 13=L; 18=c; 3=f; 6=r...
Where do these numbers come from? Well, just go up again in the code and you will find:
XXXX:004040D1  MOV  AX,[EBP-28]
XXXX:004040D5  ADD  AX,[EBP-6C]
XXXX:004040D9  JO   0040471C				;vb likes putting JO everywhere...
XXXX:004040DF  MOV  [EBP-28], AX
As you can see, it is an add. It sits in a loop which walks through the name.
Example: for the L char you can see 7+6=13 (and "L"=4Ch=76d)
         for the 8 char you can see 5+6=11 (and "8"=38h=56d)
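Added example (not part of the original tutorial or the crackme): the derivation above carried through for the whole name in Python. The function names are my own, the rule for three-digit codes (f=102 gives 1+0+2=3) is inferred from the 3=f and 6=r values shown earlier, and plain ASCII names are assumed.

```python
# Added illustration of the check described in this tutorial.
# Rule as read from the page: characters at odd positions (1st, 3rd, 5th, ...)
# are replaced by the sum of the decimal digits of their ASCII code;
# characters at even positions are copied unchanged.

def digit_sum(code: int) -> int:
    """Sum of the decimal digits of a character code (76 -> 7 + 6 = 13)."""
    total = 0
    while code:
        total += code % 10   # the ADD seen in the loop at 004040D5
        code //= 10
    return total


def trace(name: str):
    """Per-character rows: (position, char, decimal code, output piece)."""
    rows = []
    for pos, ch in enumerate(name, start=1):
        code = ord(ch)
        if code > 127:
            raise ValueError("assumption: ASCII names only")
        piece = str(digit_sum(code)) if pos % 2 == 1 else ch
        rows.append((pos, ch, code, piece))
    return rows


def expected_serial(name: str) -> str:
    """String the program builds in memory and passes to lstrcmp."""
    return "".join(piece for _, _, _, piece in trace(name))


if __name__ == "__main__":
    name = "Lucifer48"          # the name used in the tutorial
    for pos, ch, code, piece in trace(name):
        kind = "digit sum" if pos % 2 else "unchanged"
        print(f"{pos:2d}  {ch!r}  {code:3d}d  ->  {piece:>2}  ({kind})")
    print("serial:", expected_serial(name))
```

Because the program builds this string in memory before the lstrcmp call, it is the same value that gets pushed just before the call at 0040431C.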
17o9 40o8 6t ? Great Work...

Greetings: All ID members (Volatility, Torn@do, ...), Eternal Bliss, ACiD BuRN, Duelist, LaZaRuS, people on #cracking4newbies, french crackers, and other crackme makers.



(c) Lucifer48. All rights reversed