advanced Crackme
XFlorian
January 25th, 2005, 06:43
Hello! Here's a German Crackme. I want to know how to set the breakpoint and how I calculate the serial routine. Just rename the file from .jpg to .exe
http://mitglied.lycos.de/dbautozug/Crackme2.jpg
When you get the message "Wearscht......" you have cracked it.
evaluator
January 25th, 2005, 08:29
that is shame VB6 crackme. learn about VB6 & go on.. search how to debug
bilbo
January 25th, 2005, 09:17
Well, it's a native app (not P-coded), so it does not require special techniques and it is not so advanced as you said...
The initial breakpoint will be told to you by some tool such as VBDE (search for VBDE085).
It will tell you that the Command2_Click routine starts at RVA 002470: this means that the initial breakpoint must be put at address 0x402470.
Next you have to learn the API exported by the Visual Basic runtime (google for them).
Good luck, bilbo
XFlorian
January 26th, 2005, 08:40
ok thanks. And how can I calculate the serial routine?
bilbo
January 26th, 2005, 09:46
Quote (originally posted by XFlorian): ok thanks. And how can I calculate the serial routine?
Quote (originally posted by FAQ): Do not ask for help without showing you made an effort. This includes asking *lameass* questions in the Newbies Forum.
Regards, bilbo
JMI
January 26th, 2005, 12:17
Well said Master bilbo.
Regards,
blabberer
January 27th, 2005, 10:16
seems to fail at __vbaR8Str() which calls
VarR8FromStr
Converts a variant of type OLECHAR* to double.
HRESULT VarR8FromStr(
    OLECHAR *strIn,
    LCID lcid,
    unsigned long dwFlags,
    double *pdblOut
);
DISP_E_TYPEMISMATCH return value
so stack is unwound and Msvbvm SehJumps to 0x402f00
the seh that is called doesn't seem to do any useful work
well, but i may be wrong. is anyone looking at this crackme?
bilbo
January 28th, 2005, 02:47
blabberer,
sure enough if you try to convert a date string (in the format "1/27/2005" or "27/01/2005" depending on the nationality of your Windows) to a float you will generate an exception, due to the slashes used as separators...
but do not forget that they are Germans...
try to set a german-mode date...
you will get a string in the form "27012005": this makes sense, doesn't it?
regards, bilbo
blabberer
January 28th, 2005, 03:28
sure it would make sense bilbo

i was thinking of memory modifying the result of getuserlcid() which returns 409 on my computer to some compatible result

but before that i quickly changed my time setting to german time but still i saw it was returning it with / so i never went into control panel to change regional settings

but posted my little quip above
anyway thanks for the clarification

but would you consider it a bug or not?

bilbo
January 28th, 2005, 12:13
Quote (originally posted by blabberer): but would you consider it a bug or not
well, after having seen evaluator's "cryptic" crackme (as you said) everything looks better...
best regards, bilbo
blabberer
January 28th, 2005, 12:29
hehe i was commenting on his reply to the isDebuggerPresent cmp with 0 will return 0
i did not understand it and i didn't know if he meant i patch the kernel32.dll in w9x
and sure his cryptic crackme is for sure cryptic

i passed the 7e8, still it won't run
so dropped looking at it for now
