VBCrackMe 1 explained

Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 13th April 1999

Program Details:
Language: Visual Basic
Learning Method: Code Explanation

Viewing Method:
Use Notepad with Word Wrap switched OFF
Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________

About the Essay

I've known that VB cracking has been a curse to newbies. When I started
cracking, I decided to go into what most people hated. What I believed was
that to crack something, it is best to know how the author thinks and how
the language used will affect the cracking process. So, I took up VB
programming. In the end, I realised that I had learnt quite a lot about VB
coding and how useful/limited the language is.

This is the first of a series of explanations of how coding in VB affects
the cracking process. In these essays, I'll also show you how crackmes are
generally written in VB. I've included the thought process I went through
while coding this crackme.

__________________________________________________________________________

About the Protection

This crackme uses a hard-coded code which is hidden among other strings.
A string is a "sentence" made up of words and letters and, in a certain
way, is treated like a sentence in VB programs.

The reason the code is hidden among other strings is that such strings can
be seen using a Hex Editor. So, if I had used a unique code such as
"reg-192834-code", you would see it easily in a Hex Editor as
"r.e.g.-.1.9.2.8.3.4.-.c.o.d.e". Now, it won't take much to realise that it
is the correct code required, right? 8)

__________________________________________________________________________

A brief explanation on how VB coding is done...

When you start a new VB project in Microsoft Visual Basic, you get to
choose among the different types of programs you can code. A standard exe
is what I used to create this CrackMe. You will then be given a blank
window (a so-called "form") and from there, it is up to you to code
anything you want.

The main thing is to add in the controls, e.g. Textboxes (for you to fill
in things) and Buttons (for you to click). When you create a textbox, it is
named automatically: "Text1" for the first textbox you create, "Text2" for
the second, and so on. Buttons follow the same naming system, but in this
case the first button is called "Command1". The names of these controls can
be seen in your properties window.

Labels are another type of control, which can be used to show words in the
window or display words such as "Registered" etc. The naming system is the
same: "Label1" for the first label etc.

After creating all the controls you need (you might want to create some
more as you go), you need to make the CrackMe start the registration
calculation when the Cracker clicks on the "register" button. To do this,
double click on the button involved. In this particular essay, it is the
first button I created, so it is named "Command1".

When you double click on it, you will be shown a blank page with
"Private Sub Command1_Click()" at the start and "End Sub" at the end. This
is the routine that is called when a Cracker clicks on the first button.
To make the CrackMe function, we are left to add in the code BETWEEN these
two lines.

__________________________________________________________________________

Main Code

I've copied and pasted the main routine found in this crackme, which is the
protection scheme, the heart of the crackme. In the next section, I'll go
into the explanation of some of the lines.

Private Sub Command1_Click()
On Error GoTo err
' Nothing entered: the textbox still holds its default prompt
If Text1.Text = "Enter the Code..." Then
    Text1.Text = "You have to enter something!"
    Text1.Enabled = False
    Command1.Enabled = False
    Label2.Enabled = False
    Label3.Enabled = False
    Label4.Enabled = False
    GoTo err
End If
' Compare the input with the correct code (starts with a lowercase "u")
If Text1.Text <> "use hexeditor to look for hardcoded codes" Then
    ' Wrong code: was it one of the three Task strings (capital "U")?
    If ((Text1.Text = "Use bpx __vbastrcomp to break with Softice") Or (Text1.Text = "Use hexeditor to look for hardcoded codes") Or (Text1.Text = "Use SmartCheck to look for the code")) Then
        Text1.Text = "It's not that easy!!"
        Text1.Enabled = False
        Command1.Enabled = False
        Label2.Enabled = False
        Label3.Enabled = False
        Label4.Enabled = False
        GoTo err
    End If
    Text1.Text = "Wrong! Try Again!!"
    Text1.Enabled = False
    Command1.Enabled = False
    Label2.Enabled = False
    Label3.Enabled = False
    Label4.Enabled = False
Else
    ' Correct code entered
    Text1.Text = "Yes! You have solved it!!"
    Text1.Enabled = False
    Command1.Enabled = False
    Label2.Enabled = False
    Label3.Enabled = False
    Label4.Enabled = False
    Command2.Caption = "Once More!"
End If
err:
End Sub

__________________________________________________________________________

Code Explanation

1) On Error GoTo err
====================
This tells the CrackMe to go to the pointer named "err", which is just one
line above the "End Sub", whenever an error occurs, effectively ending the
whole routine.

2) If Text1.Text = "Enter the Code..." Then
       Text1.Text = "You have to enter something!"
       Text1.Enabled = False
       Command1.Enabled = False
       Label2.Enabled = False
       Label3.Enabled = False
       Label4.Enabled = False
       GoTo err
============================================
This small section of code is needed because, if you had run my CrackMe,
you would have noticed that the textbox shows "Enter the Code...".
"Text1.Text" tells the CrackMe to look at the text in the 1st textbox. So,
if the text in it is "Enter the Code...", it means that the Cracker did not
enter anything and just clicked on the 1st button (which is to register).
A message "You have to enter something!" will be shown in the textbox.

At the end of this section, there is the "GoTo err" code, which tells the
CrackMe to stop processing the rest of the code and go to the pointer I
mentioned above.

3) If Text1.Text <> "use hexeditor to look for hardcoded codes" Then
====================================================================
This is the most important line of all because it compares the correct code
"use hexeditor to look for hardcoded codes" with what is in textbox 1.
<> means not equal. So, in "human" terms, it means: if the text in
textbox 1 is not equal to "use hexeditor to look for hardcoded codes", then
do the following lines.

4) If ((Text1.Text = "Use bpx __vbastrcomp to break with Softice") Or (Text1.Text = "Use hexeditor to look for hardcoded codes") Or (Text1.Text = "Use SmartCheck to look for the code")) Then
==============================================================================================================================================================================================
This line will be processed if the Cracker entered the wrong code. It
basically compares the text in the textbox with the few strings shown. If
you had run my CrackMe, you would have seen these lines shown when you
click on Task 1, Task 2 and Task 3.

Notice the similarity between the second string and the correct code. The
only difference is in the first character. The correct code is a "u" and
the string you see when you click on task 1 is a "U". That is what I mean
by hiding the correct code among the other strings. Using a Hexeditor, if
you are not observant enough, you would have thought that they are the
same! 8)

What this line does is compare the text you entered with the strings. If
they are the same, the next few lines will be processed...

5)     Text1.Text = "It's not that easy!!"
       Text1.Enabled = False
       Command1.Enabled = False
       Label2.Enabled = False
       Label3.Enabled = False
       Label4.Enabled = False
       GoTo err
   End If
======================================
As mentioned in 4, if the Cracker just clicks on one of the 3 tasks and
then clicks on the "Register" button (Command1), the text in textbox 1 will
show "It's not that easy!!" and then there is the familiar "GoTo err" line,
ending the routine.

Note the "End If" line. This is essential to close this particular query.
An "If...Then" line must always have an "End If" closing line. But you
might have noticed that in 3, there is no "End If". That is because 4 and 5
are inside the query used in 3. So, the "End If" for 3 has not yet been
reached.

6) Text1.Text = "Wrong! Try Again!!"
   Text1.Enabled = False
   Command1.Enabled = False
   Label2.Enabled = False
   Label3.Enabled = False
   Label4.Enabled = False
====================================
Ok, so what if the Cracker entered other text which is not correct and is
not one of the strings seen when he clicks on the Tasks? 6 is used to
counter this situation. A message "Wrong! Try Again!!" will be shown in
textbox 1.

A summary of 3-6 is like this:
3) check if it is the wrong code and proceed to the next line if wrong code
4) if it is wrong, check if it is one of the strings in the 3 Tasks
5) if the text entered is one of the strings, a message will be shown
6) if wrong code and not one of the strings, another message will be shown.

7) Else
       Text1.Text = "Yes! You have solved it!!"
       Text1.Enabled = False
       Command1.Enabled = False
       Label2.Enabled = False
       Label3.Enabled = False
       Label4.Enabled = False
       Command2.Caption = "Once More!"
   End If
===========================================
Notice the "Else" line. This is a continuation of 3. If the code is not
wrong, i.e. it is the correct code, 4-6 will be skipped and 7 will be
processed instead. So, when the correct code is entered, textbox 1 will
show "Yes! You have solved it!!"

Near the end of the code, you will see "End If". It is just before the
"err" pointer. This is the closing line for the first "If...Then" statement
used in 3.

So, the whole routine can be said to use this:

If wrong Then
    If one of the strings Then
        show "It's not that easy!!"
        goto end of code
    End If
    show "Wrong! Try Again!!" (if wrong and not the strings)
Else
    show "Yes! You have solved it!!"
End If

__________________________________________________________________________

How to Crack such VB protection schemes

You should have realised that the whole protection routine uses nothing
else but string comparison. This is the simplest comparison method, used by
a lot of shareware. Even when the comparison involves only a serial and not
text, if the author chooses to use quotation marks ("), VB will consider it
a string and Presto! this string compare function is called.

In VB, the function to compare strings is __vbaStrComp (STRing COMPare).
So, in Softice, setting the breakpoint using "bpx msvbvm60!__vbaStrComp"
(or msvbvm60!__vbastrcomp) will cause Softice to break when the Cracker
clicks on the "Register" button. msvbvm60! is added in front because this
CrackMe is written in VB6.

If you keep tracing in this string compare function, you will notice that
it is always the same code. So, it is definitely something you must get to
grips with.

Notice that there are 5 string comparisons here. So, Softice will break 5
times on this breakpoint. Upon breaking, you just have to trace into the
calls and sniff out the correct serial. Easy. 8)

__________________________________________________________________________

Additional points

For other breakpoints and compare methods, you can get my two essays on VB
cracking found on my website. Some of my tutorials use this breakpoint to
crack the CrackMes as well, so I'll not go into details here.

Also, this CrackMe was used as a project in my forum and I've compiled the
solutions written by various Crackers. So, download the whole project file
and read the solutions.

In the zipped file, I have included a SmartCheck logfile with the source
included. It is in Debug1.zip, found inside the project zip file. Unzip
everything in it and double click on the debug1.sce file. If you have
installed SmartCheck, SmartCheck will open up and the usual lot of
information is shown. However, in this case, since the source code is
included, when you click on threads in the Command1_Click line, you will
see how the source code is processed and how it is presented in SmartCheck.
A definite learning experience for those who are struggling with SmartCheck
usage.

__________________________________________________________________________

End of File

I would like to thank Jeff for giving me the idea of writing essays on how
I created my CrackMe, what commands will result in what breakpoints to use
in Softice and how SmartCheck's usefulness is exploited.

Also, I'd like to thank all those Crackers who joined in the particular
project when this CrackMe was used.
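
An added example, not part of the original essay or the CrackMe: a small Python script showing why the hard-coded code described under "About the Protection" and in point 4 is recoverable from the file, and how a developer can audit a build for such literals. The sample bytes are constructed from the strings quoted in the essay, and the function names are this example's own.

```python
import re
from collections import defaultdict

def utf16le_strings(blob: bytes, min_len: int = 6):
    """Find runs of printable ASCII stored as UTF-16LE (each character
    followed by a 0x00 byte), the "r.e.g.-.1.9..." view in a hex editor."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in pattern.finditer(blob)]

def case_variants(strings):
    """Group extracted strings that are equal ignoring case but not equal
    exactly: the "hidden among other strings" trick from point 4."""
    groups = defaultdict(set)
    for _, text in strings:
        groups[text.casefold()].add(text)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def first_difference(a: str, b: str):
    """Index of the first differing character, or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))

# Constructed sample: literals quoted in the essay, encoded as UTF-16LE with
# filler bytes between them. This is not a dump of the real CrackMe file.
LITERALS = [
    "Enter the Code...",
    "Use bpx __vbastrcomp to break with Softice",
    "Use hexeditor to look for hardcoded codes",
    "Use SmartCheck to look for the code",
    "use hexeditor to look for hardcoded codes",
    "Wrong! Try Again!!",
]
SAMPLE = b"\xff\x01\x90\x00".join(s.encode("utf-16-le") for s in LITERALS)

if __name__ == "__main__":
    found = utf16le_strings(SAMPLE)
    for offset, text in found:
        print(f"{offset:#06x}  {text}")
    for group in case_variants(found):
        print("look-alike literals:", group,
              "first differ at index", first_difference(group[0], group[1]))
```

Every literal used in a comparison shows up in the listing, and the case-variant pair is flagged at once, so hiding a secret among similar strings does not protect it.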