View Full Version : crackme using vbaVarTstEq


apfelsaft
April 8th, 2005, 06:56
Hello, I have a little crackme here, where I have to find the correct password. The program is using the function "vbaVarTstEq". Does anybody know how to find out the password when I have code like this:

...
00401DF1 . 50 PUSH EAX
00401DF2 . 56 PUSH ESI
00401DF3 . 897D E8 MOV DWORD PTR SS:[EBP-18],EDI
00401DF6 . C745 D4 088000>MOV DWORD PTR SS:[EBP-2C],8008
00401DFD . FF15 50104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarTs>; MSVBVM60.__vbaVarTstEq
00401E03 . 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00401E06 . 8BF0 MOV ESI,EAX
00401E08 . FF15 A8104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>; MSVBVM60.__vbaFreeObj
00401E0E . 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00401E11 . FF15 0C104000 CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>; MSVBVM60.__vbaFreeVar
00401E17 . B9 04000280 MOV ECX,80020004
00401E1C . B8 0A000000 MOV EAX,0A
00401E21 . 66:3BF7 CMP SI,DI
00401E24 . 894D AC MOV DWORD PTR SS:[EBP-54],ECX
00401E27 . 8945 A4 MOV DWORD PTR SS:[EBP-5C],EAX
00401E2A . 894D BC MOV DWORD PTR SS:[EBP-44],ECX
00401E2D . 8945 B4 MOV DWORD PTR SS:[EBP-4C],EAX
00401E30 . 894D CC MOV DWORD PTR SS:[EBP-34],ECX
00401E33 . 8945 C4 MOV DWORD PTR SS:[EBP-3C],EAX
00401E36 . 74 43 JE SHORT crackme.00401E7B

Ricardo Narvaja
April 8th, 2005, 13:55
First, are you sure this is the point of the comparison of the good pass with the fake one?

Well, it could be comparing other things.

Look in the stack at [esp+4] and [esp+8], right-click on these values and FOLLOW IN DUMP on each value, and you will see the values compared.
If I'm wrong (memory fail), do follow in dump from [esp] and the [esp+X] values and you will find them.

Ricardo Narvaja

kittmaster
April 8th, 2005, 19:24
Ricardo, can you contact me at chris@kittmaster.com? I have a question I need to ask.

Thanks
Chris

Ricardo Narvaja
April 9th, 2005, 04:23
Write to me at my mail ricnar456@yahoo.com.ar

Ricardo Narvaja

apfelsaft
April 11th, 2005, 09:44
Hi and thx so far.

I followed in dump and got these 2 lines for the 2 arguments of the vbaVarTstEq function.

0012F59C 08 80 00 00 01 00 00 00 3C AB 13 00 01 00 00 00
0012F5AC 02 00 00 00 38 9E 13 00 B4 00 F7 77 00 00 00 00

From this tutorial (http://www.caesum.com/handbook/rev.htm) I know for the first line that the first byte "08" means that it is a string variable type and bytes 12 to 8 are the address where it is stored (0013AB3C). There I found the (wrong) string I entered.

So the second line points to the right value. But how can I find out the value?
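
Added example (not part of the original posts): a Python decoder for the two dump lines quoted above, taking each 16-byte line as the start of a 32-bit VARIANT, as the post does. The VT_* values are the standard VARTYPE constants from the Windows SDK; the function names are hypothetical.

```python
import struct

# VARTYPE constants from the Windows SDK (wtypes.h); only a few are named here.
VT_NAMES = {0: "VT_EMPTY", 2: "VT_I2", 3: "VT_I4", 8: "VT_BSTR", 11: "VT_BOOL"}
VT_FLAGS = {0x2000: "VT_ARRAY", 0x4000: "VT_BYREF", 0x8000: "VT_RESERVED"}
VT_TYPEMASK = 0x0FFF

# The two dump lines quoted in the post: address followed by 16 bytes.
DUMP = """\
0012F59C 08 80 00 00 01 00 00 00 3C AB 13 00 01 00 00 00
0012F5AC 02 00 00 00 38 9E 13 00 B4 00 F7 77 00 00 00 00
"""

def parse_dump_line(line):
    """Split 'ADDR b0 b1 ... b15' into (address, 16 raw bytes)."""
    addr, *cells = line.split()
    data = bytes(int(c, 16) for c in cells)
    if len(data) != 16:
        raise ValueError("expected 16 bytes, got %d" % len(data))
    return int(addr, 16), data

def decode_variant(data):
    """Decode the header and 8-byte data union of a 32-bit VARIANT."""
    # Layout: vt (2 bytes), three reserved words (6 bytes), union (8 bytes).
    vt, r1, r2, r3 = struct.unpack_from("<4H", data, 0)
    base = vt & VT_TYPEMASK
    flags = [name for bit, name in VT_FLAGS.items() if vt & bit]
    out = {"vt": vt, "type": VT_NAMES.get(base, "VT_%#x" % base),
           "flags": flags, "reserved": (r1, r2, r3), "union": data[8:16]}
    if vt & 0x4000 or base == 8:
        # BSTR (or any by-reference value): the union holds a 32-bit pointer.
        out["pointer"] = struct.unpack_from("<I", data, 8)[0]
    elif base == 2:
        out["value"] = struct.unpack_from("<h", data, 8)[0]  # 16-bit integer
    elif base == 3:
        out["value"] = struct.unpack_from("<i", data, 8)[0]  # 32-bit integer
    return out

def decode_dump(text):
    """Decode every dump line as a VARIANT; returns [(address, fields), ...]."""
    return [(addr, decode_variant(data))
            for addr, data in map(parse_dump_line, text.splitlines())]

if __name__ == "__main__":
    for addr, v in decode_dump(DUMP):
        print("%08X" % addr, v)
```

The first line's type word decodes to 0x8008, the same immediate stored by the MOV at 00401DF6, and its pointer field is the 0013AB3C address mentioned in the post.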

Ricardo Narvaja
April 12th, 2005, 04:14
No, you can do the same on the next value in the stack, not in the dump.

Ricardo