Tutorial Number 10

Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 24th Feb 1999

Program Details:
Name: Immortal Descendants CrackMe v3.0
Author: Volatility
Language: Visual Basic

Tools Used:
Softice

Cracking Method:
Tracing and Code Sniffing

Viewing Method:
Use Notepad with Word Wrap switched on
Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________


                        About this protection system

No disabled function. Protection is based on either entering correct serial
for UserName or a keyfile. "Register" button is not activated unless the
correct code is entered.

__________________________________________________________________________


                                 The Essay

I've written out the important parts of the code here for easy reference. If you
want to fully understand the crackme, try tracing into the calls.
For this crackme, that is actually not necessary.

In this essay, when I write that you should type "d edx" or similar commands
in Softice, I mean without the quotes.

__________________________________________________________________________


				Where to break?

First, we need to find a suitable breakpoint. Since the "Register" button
will only be activated when we enter the correct code, we can assume that
what we entered is compared with the correct code in "real" time.

So, the best breakpoint I could think of is Hmemcpy.

__________________________________________________________________________


			Tracing and Code Sniffing	

First run the CrackMe and enter a User Name (I used Eternal Bliss).
Then press Ctrl-D to go into Softice and set a breakpoint by typing "bpx hmemcpy".

Then in the "Registration" textbox, type in just 1 number. (Any will do)

You will break into Softice. Disable the breakpoint by typing "bd *".
Keep pressing F12 (10 of them) because there is nothing important there...
until you reach the code where MSVBVM50! is seen under the code window.

From there, press F10, which moves you line by line.
You can display the memory a register points to by typing "d" in front.
eg. "d eax", "d ebx" etc
To see the value of a register, you can type "?" in front.
eg. "? eax", "? ebx" etc

I found nothing of importance until this part:

:00405153  8B4588              MOV     EAX,[EBP-78]
:00405156  8D8D70FFFFFF        LEA     ECX,[EBP-0090] 

Here, E.t.e.r.n.a.l. .B.l.i.s.s. is loaded into ecx. 
To see it, type "d ecx" and look at the data window.


A lot more lines later, 

:0040518A  FF15C4814000        CALL    [MSVBVM50!__vbaStrVarVal]
:00405190  50                  PUSH    EAX
:00405191  FF1548814000        CALL    [MSVBVM50!rtcAnsiValueBstr]

At 0040518A, after the call, you will see EAX changing colour, which
means that it has got a new value. Type "d EAX" and look at the
data window. You will see "E", which is the 1st char.
At 00405191, after the call, EAX changes again.
This time, if you type "d EAX", you won't see much.
You will need to type "? EAX", and you will see
00000045  0000000069  "E"
The value you need to see is 69, which is the decimal value of
the ASCII char "E".


More lines down,

:0040527D  FF15C4814000        CALL    [MSVBVM50!__vbaStrVarVal]
:00405283  50                  PUSH    EAX
:00405284  FF1548814000        CALL    [MSVBVM50!rtcAnsiValueBstr]

The same thing happens again. This time, after the 1st call, EAX contains
the 2nd char, which is "t".
After the 2nd call, EAX has the value 116, which is the decimal value of "t".

**note: all this code is in the main CrackMe. You don't have to trace into
  any calls at all.


More lines down,

:0040536B  FF15C4814000        CALL    [MSVBVM50!__vbaStrVarVal]
:00405371  50                  PUSH    EAX
:00405372  FF1548814000        CALL    [MSVBVM50!rtcAnsiValueBstr]

Same thing again. This time it is "e", the 3rd char, which has the decimal
value 101, seen by typing "? EAX" after the 2nd call.


More lines down,

:00405459  FF15C4814000        CALL    [MSVBVM50!__vbaStrVarVal]
:0040545F  50                  PUSH    EAX
:00405460  FF1548814000        CALL    [MSVBVM50!rtcAnsiValueBstr]

This gets the 4th char, "r", which has the value 114.


Yet more lines down,

:00405547  FF15C4814000        CALL    [MSVBVM50!__vbaStrVarVal]
:0040554D  50                  PUSH    EAX
:0040554E  FF1548814000        CALL    [MSVBVM50!rtcAnsiValueBstr]

This time it is the 5th char ("n"), which has the value 110.


Be patient and keep pressing F10 only... 
F8 is to trace INTO a call which is NOT needed here.

Get to this part

:004055EE  FFD6                CALL    ESI
:004055F0  8D8D50FFFFFF        LEA     ECX,[EBP-00B0]
:004055F6  8D9560FFFFFF        LEA     EDX,[EBP-00A0]

After the "CALL ESI", you will notice eax, ecx and edx changing colour.
You can try typing "d eax", "d ecx", "d edx" etc.
ECX will show in the data window as 6.9.1.1.6.1.0.1.1.1.4.1.1.0
Since VB uses W.I.D.E. .C.H.A.R.A.C.T.E.R that is what you will see.
In actual fact, it is 69116101114110

**Is the sequence of the numbers familiar to you? 8)
  You are getting somewhere hot... 


So be patient and more F10s till here...

:00405634  FF1588814000        CALL    [MSVBVM50!rtcMidCharVar]
:0040563A  8D9560FFFFFF        LEA     EDX,[EBP-00A0]
:00405640  8D4DDC              LEA     ECX,[EBP-24]
:00405643  FFD6                CALL    ESI

After the call at 00405634, you don't have to type anything;
just look at edx. You will see edx=00000014
**count the number of chars in ecx a few lines above...

Then, after the "CALL ESI", if you type "d ecx", you will see
9.1.1.6.1.0.1.1.1.4 in the data window.
So, ecx is 9116101114.

**Does this look familiar to you again?? 8)
  Hotter...

If you trace into the call at 00405643, you might see how this number
is generated.


More lines down... (remember, no tracing into any calls here)

:0040568A  8B4588              MOV     EAX,[EBP-78]
:0040568D  33C9                XOR     ECX,ECX

After pressing F10 past 0040568A, you will see EAX changing colour.
If you type "d eax", you will see the serial YOU entered.

**In fact, the correct serial is already out... Take a look above.
  But if you want to confirm, look further on...

You will need to turn on the "floating window" in Softice by typing
"wf". You will see 2 columns with ST(0) to ST(7).

:004056B0  C78570FFFFFF08000000  MOV     DWORD PTR [EBP-0090],00000008
:004056BA  C78530FFFFFF02800000  MOV     DWORD PTR [EBP-00D0],00008002
:004056C4  FF1524814000          CALL    [MSVBVM50!__vbaVarSub]  <-- trace into this call

MSVBVM50!__vbaVarSub
:7B3F24CE  33C0                XOR     EAX,EAX
:7B3F24D0  8BEC                MOV     EBP,ESP

			__________Snip___________

:7B3F8B63  56                  PUSH    ESI
:7B3F8B64  E88C64F1FF          CALL    MSVBVM50!__vbaR8Var
:7B3F8B69  DD5DF4              FSTP    REAL8 PTR [EBP-0C]
:7B3F8B6C  66BE0500            MOV     SI,0005
:7B3F8B70  57                  PUSH    EDI
:7B3F8B71  E87F64F1FF          CALL    MSVBVM50!__vbaR8Var
:7B3F8B76  DC6DF4              FSUBR   REAL8 PTR [EBP-0C]
:7B3F8B79  DD5B08              FSTP    REAL8 PTR [EBX+08]
:7B3F8B7C  E89782FFFF          CALL    7B3F0E18

After the call at 7B3F8B64, you will notice ST(0) containing the number
you typed in the "Registration" textbox.
The next line (FSTP REAL8 PTR [EBP-0C]) stores that value at memory
location [EBP-0C] for later use.

Then at 7B3F8B71, there is another similar call... this one is for the
correct serial, and after it ST(0) contains the correct serial.
The next line (FSUBR REAL8 PTR [EBP-0C]) subtracts the correct serial in
ST(0) from the value in [EBP-0C], which is what you entered.
After this subtraction, you will have a negative number in ST(0)
(provided that you only entered 1 number in the textbox).

The next line stores the new value at memory location [ebx+08].


To confirm once more, set a breakpoint on
:004056C4  FF1524814000        CALL    [MSVBVM50!__vbaVarSub]

This time, enter the correct serial number... and trace into the call again.
You will notice that after the subtraction at 7B3F8B76, you will
have ST(0) = 0.

F5 out of Softice. You will have the "Register" button enabled. 
Click on it and you will have a nice message from Volatility and a keyfile
generated for you in the directory you place the CrackMe in.

You can try with other UserNames and you will find that the correct
serial is taken from the 2nd to 12th char after "joining" up all
the decimal ASCII values of the chars in your UserName.
Therefore, it will only be 10 digits.
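
As an added example (not code from this tutorial or from Volatility's CrackMe), here is the serial check reconstructed in Python from the trace above. It assumes the CrackMe joins the codes of the first five UserName characters (the essay shows five rtcAnsiValueBstr call sites) and that the Registration box is compared as a double via __vbaVarSub; both are assumptions taken from the trace, not confirmed source.

```python
# Added example: reconstruction of the CrackMe's serial check as traced
# in the essay. Not the CrackMe's own code.
# ASSUMPTION: codes of the first five UserName chars are joined (five
# rtcAnsiValueBstr call sites were traced), then Mid(joined, 2, 10) is
# taken, then __vbaVarSub computes entered - correct as a REAL8 (double).

NUM_CHARS = 5       # assumed from the five call sites in the trace
MID_START = 2       # 1-based, as VB's Mid() counts
MID_LEN = 10        # the essay notes the serial is only 10 digits


def joined_codes(user_name: str) -> str:
    """Concatenate the decimal Asc() value of each used character."""
    return "".join(str(ord(ch)) for ch in user_name[:NUM_CHARS])


def serial_for(user_name: str) -> str:
    """Mid(joined, 2, 10): characters 2..11 of the joined string."""
    joined = joined_codes(user_name)
    # Like VB's Mid(), slicing just returns fewer characters when the
    # joined string is shorter than 11 digits (all codes below 100).
    return joined[MID_START - 1:MID_START - 1 + MID_LEN]


def vba_var_sub(entered: str, correct: str) -> float:
    """ST(0) after the FSUBR in __vbaVarSub: entered minus correct, as doubles."""
    return float(entered) - float(correct)


def register_enabled(user_name: str, entered: str) -> bool:
    """The Register button is enabled only when the difference is exactly 0."""
    try:
        return vba_var_sub(entered, serial_for(user_name)) == 0.0
    except ValueError:      # non-numeric text in the Registration box
        return False


def softice_wide_dump(text: str) -> str:
    """Render a VB (UTF-16LE) string the way the Softice data window shows
    it: every 00 byte appears as a dot, hence E.t.e.r.n.a.l. .B.l.i.s.s."""
    raw = text.encode("utf-16-le")
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


if __name__ == "__main__":
    name = "Eternal Bliss"                          # the essay's UserName
    print(softice_wide_dump(joined_codes(name)))    # 6.9.1.1.6.1.0.1.1.1.4.1.1.0.
    print(serial_for(name))                         # 9116101114
    print(vba_var_sub("1", serial_for(name)))       # negative, as in the essay
```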

CrackMe cracked!!

__________________________________________________________________________


			SmartCheck impossible?

It is possible to use SmartCheck but the main aim of the CrackMe will be 
lost.

To do this, open the CrackMe using a HexEditor and look for
N.u.M.e.g.a. .S.m.a.r.t.C.h.e.c.k
Then carefully overwrite the chars only... Try not to disturb the "dots".
I'm not sure what the effects will be if you do.
You can just "space out" the chars to become
 . . . . . . . . . . . . . . . .

Then, you can run the CrackMe without any "side effects". 8)


__________________________________________________________________________


                             Final Notes

This tutorial is dedicated to all the newbies like me.

And because I'm a newbie myself, I may have explained certain things wrongly.
So, if that is the case, please forgive me. Email me if there is anything
you are not clear about.


My thanks and gratitude go to:

The Sandman
All the writers of Cracks tutorials and CrackMes