Written by:
Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
Date Released:
23rd Jan 1999
Foreword:
I'd like to say that I'm a new cracker and I'll be updating this whenever I find any new information. If you have other useful information about SmartCheck that you think will benefit Newbies, please email me.
Introduction:
Have you ever wanted to crack a VB program but were not sure where to start?
Have you ever tried right-clicking on the program file and choosing QuickView to see what breakpoints you can set, only to find to your horror that there are tons of them?
Have you tried going through every single one of them hoping to hit the "JackPot"?
Well, I experienced all of the above...
This is where SmartCheck comes in handy. It is something like a deadlisting debugger that will keep a record when it is running a program and will let you go through the information at your leisure.
The disadvantage is that you must know how to use and interpret what is shown to fully understand the power of it.
I'll be showing how to use SmartCheck and a bit of interpretation of the information shown in it. This is by no means a comprehensive guide and will only serve as the start of your VB cracking "career".
SmartCheck One-Time Configuration:
Under Program Settings:-
Error Detection: "tick" all boxes except "Report errors immediately".
Advanced: "tick" first 4 boxes.
Make sure "Suppress system API and OLE calls" is not "ticked".
Reporting: All boxes "ticked" except for "Report MouseMove events from OCX controls".
How to Run the Program You Want to Crack with SmartCheck
1) Start SmartCheck first.
2) Using "File", "Open", choose the file you want to run with SC.
3) To run the program, press F5. Or you may choose "Program", "Start".
4) To stop the program, choose "Program", "End".
It is best if you fiddle around with the buttons in SC, especially those on the toolbar, so that you learn how to control SC.
What you see after running the program with SmartCheck
1) You should have 3 small windows.
2) The main window you want to see is called "Program Results window". This is the window on the left with lines added to it when you are running a program.
3) The right window can be important as well because sometimes, you might just see the correct code in it.
Program Results window
After stopping the program, you have to analyze the information given. Before that, you must select the relevant line and then choose "View", "Show All Events". For more detailed instructions, please refer to the "General advice on VB Cracking" section in my essay "Compare Methods and Breakpoints". In this essay, I've written up some of the more common lines that you will see.
SmartCheck Information
I've used BOLD words to show what you'll see in SC. Words in RED mean that you have to take special note of them.
****.Text eg. Text1.Text
If you click on the "+" sign next to it, you will get other lines under it. Look for SysAllocStringLen.
eg. SysAllocStringLen(PTR:00000000, DWORD:00000029) returns LPVOID:410584
Explanation:
Gets the input you typed in the TextBox and places it at memory location 00410584
This removes the need to do a "s 30 l" search in SoftICE. To confirm, make sure SoftICE is running, then run the program in SC again and check the location again. Break into the program using SoftICE while it is running in SC, then type "d 00410584". If you do it correctly, you will see what you typed at that memory location.
This will not work if you run the program alone without SC, because the memory location might be different.
It also will not work once the memory location has been "released".
__vbastrcmp(String:"zzzzz",String:"yyyyy") returns DWORD:0
Explanation:
__vbastrcmp -- used for comparing Strings eg. "zzzzz" and "yyyyy"
Note: you might see your correct code compared to what you keyed in!
returns DWORD:0 -- In SoftICE, you will see that after this comparison, eax = 0
__vbafreestr(LPBSTR:0063F3F0)
Click on the "+" sign next to it and look for SysFreeString
eg. SysFreeString(BSTR:00410584)
Explanation:
The String located at memory location 00410584 is cleared.
__vbaVarCopy(VARIANT:String:"12345", VARIANT:Empty) returns DWORD:63FA30
Click on the "+" sign next to it and look for SysAllocStringByteLen
eg. SysAllocStringByteLen(LPSTR:004023F0, DWORD:0000000C) returns LPVOID:4103CC
Explanation:
"12345" is copied to memory location 004103CC
This is similar to __vbaVarMove
__vbaVarForInit(VARIANT:Empty, PTR:0063F920, PTR:0063F91.....)
Explanation:
Set up a For...Next Loop
There will usually be __vbaVarForNext somewhere below as well.
Mid(VARIANT:String:"abcdefg", long:1, VARIANT:Integer:1)
Explanation:
Get the 1st character in the string "abcdefg" starting from location 1.
Click on the "+" sign next to it and look for SysAllocStringByteLen
eg. SysAllocStringByteLen(LPSTR:004103F0, DWORD:00000002) returns LPVOID:410434
Explanation:
"a" is copied to memory location 00410434
It is usually followed by __vbaStrVarVal(VARIANT:String:"a") returns DWORD:410434
Asc(String:"T") returns Integer:84
Explanation:
Get the decimal (DEC) character code of "T", which is 84
SysFreeString(BSTR:004103F0)
Explanation:
Free memory location 004103F0
These lines are especially good for "serial fishing" because when you click on them and look at the right window, you will see what Strings are being freed. Correct codes/serials are sometimes shown here.
__vbaVarCat(VARIANT:String:"aa", VARIANT:String:"bb") returns DWORD:63F974
Explanation:
Join "bb" to "aa" to form "aabb"
__vbaFreeVar(VARIANT:String:"abcdefg")
Click on the "+" sign next to it and look for SysFreeString
eg. SysFreeString(BSTR:0041035C)
Explanation:
Free "abcdefg" from memory location 0041035C
Here, if you click on the line and look at the right window, you can also see what is being freed.
__vbaVarTstEq(VARIANT:****, VARIANT:****) returns DWORD:0
Explanation:
__vbaVarTstEq is used to compare variants. If they are not the same, DWORD=0 (so eax=0)
If they are the same, DWORD will be FFFFFFFF (so eax=FFFFFFFF)
Similar to __vbaVarCmpEq
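Seen from the program author's side, the __vbastrcmp, SysFreeString and __vbaVarTstEq entries above all make the same point: any value the program passes to a traced call shows up in SC. The Python sketch below is an added example, not part of the original essay; it models a call tracer with a hypothetical traced() wrapper and compares a plaintext check with one that only ever handles a salted digest. All function names and sample values are constructed.

```python
import hashlib
import hmac

TRACE = []  # stand-in for the lines a call tracer such as SmartCheck records

def traced(fn):
    """Log every call with its arguments and return value, like an API tracer."""
    def wrapper(*args):
        result = fn(*args)
        shown = ", ".join(a.hex() if isinstance(a, bytes) else repr(a) for a in args)
        TRACE.append(f"{fn.__name__}({shown}) returns {result!r}")
        return result
    return wrapper

@traced
def str_cmp(a, b):
    # Models the __vbastrcmp convention from the page: 0 means "equal".
    return 0 if a == b else 1

@traced
def digest_eq(a, b):
    # Constant-time comparison of two fixed-length digests.
    return hmac.compare_digest(a, b)

SALT = b"constructed-salt"   # constructed sample value
VALID_CODE = "4711-ABCD"     # constructed; only the weak build would embed it
# A hardened build ships only SALT and STORED_DIGEST, computed offline.
STORED_DIGEST = hashlib.pbkdf2_hmac("sha256", VALID_CODE.encode(), SALT, 100_000)

def check_weak(entered):
    # The valid code is an argument of the comparison, so a tracer records it.
    return str_cmp(entered, VALID_CODE) == 0

def check_hardened(entered):
    # Only digests reach the comparison; the valid code is never in memory.
    digest = hashlib.pbkdf2_hmac("sha256", entered.encode(), SALT, 100_000)
    return digest_eq(digest, STORED_DIGEST)

def trace_of(check, entered):
    """Run one check and return only the trace lines it produced."""
    TRACE.clear()
    check(entered)
    return list(TRACE)

def leaks_valid_code(lines):
    return any(VALID_CODE in line for line in lines)

if __name__ == "__main__":
    for check in (check_weak, check_hardened):
        lines = trace_of(check, "zzzzz")
        print(check.__name__, "leaks valid code:", leaks_valid_code(lines))
        print("\n".join(lines))
```

Only the hardened variant keeps the valid code out of the trace. A short or guessable code can still be recovered from the digest by offline guessing, which is why the example uses a slow key-derivation function.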
Len(String:"Cracker") returns LONG:7
Explanation:
Get length of String "Cracker" which is 7
****.Text <-- "Wrong! Try Again!!" (String)
Explanation:
To display the String "Wrong! Try Again!!" in the Textbox
__vbaVarAdd(VARIANT:Integer:2, VARIANT:Integer:97) returns .....
Explanation:
Add 2 and 97, which gives you 99
But if both are Strings instead of Integers, the two Strings are joined and you will get 297 instead.
__vbaVarDiv(VARIANT:Integer:97, VARIANT:Long:1) returns.....
Explanation:
Divide 97 by 1
__vbaVarMul(VARIANT:String:"1", VARIANT:String:"2") returns ...
Explanation:
Multiply 1 by 2
__vbaVarSub(VARIANT:String:"2", VARIANT:String:"34") returns ...
Explanation:
Subtract 34 from 2, which gives you -32
MsgBox(VARIANT:String:"Nope! That's not right", Integer:0, VARIANT:String:"Wrong",VARIANT.....)
Explanation:
Create a Message Box with title "Wrong" and message "Nope! That's not right"