Tutorial Number 17

Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 28th Mar 1999

Program Details:
Name: Crackme 1.2
Author: Nitrus

Tools Used:
SoftIce

Cracking Method:
Code sniffing

Viewing Method:
Use Notepad with Word Wrap switched on
Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________


                        About this protection system

No disabled function. Protection is based on a serial which is calculated
from the Name you enter.

__________________________________________________________________________


                                 The Essay

In this essay, when I write: type "d edx" (or a similar SoftIce command),
the quotes are not part of the command; type only what is between them.

_________________________________________________________________________


                                  SoftIce

Since this is a VB crackme, we might as well start with the usual VB
runtime breakpoints:
1) bpx msvbvm60!__vbavartsteq
2) bpx msvbvm60!__vbastrcomp

**I prefix them with msvbvm60! because the crackme is compiled with VB6,
  so these functions live in MSVBVM60.DLL (a VB5 program would use
  MSVBVM50.DLL instead).

Run the CrackMe and click on the first icon to get the register screen.

Enter Name as "Eternal Bliss" and serial as "12345"

Click on the picture of the key.

You will break on msvbvm60!__vbastrcomp

Break due to BPX MSVBVM60!__vbaStrComp  (ET=2.44 seconds)
MSVBVM60!__vbaStrComp
:66060A85  0F8499F00200        JZ      6608FB24                  (NO JUMP)
:66060A8B  6801000300          PUSH    00030001
:66060A90  FF742408            PUSH    DWORD PTR [ESP+08]
:66060A94  FF742410            PUSH    DWORD PTR [ESP+10]
:66060A98  FF742418            PUSH    DWORD PTR [ESP+18]
:66060A9C  FF1510001166        CALL    [OLEAUT32!VarBstrCmp]
**Go into this call using F8

==========================================================================
OLEAUT32!VarBstrCmp
:653C0227  8BEC                MOV     EBP,ESP
:653C0229  51                  PUSH    ECX
:653C022A  53                  PUSH    EBX
:			__________Snip___________
:
:653C025C  8B7D0C              MOV     EDI,[EBP+0C]
:653C025F  8B7508              MOV     ESI,[EBP+08]
:653C0262  8B4D10              MOV     ECX,[EBP+10]

Once you are inside :653C0227 (OLEAUT32!VarBstrCmp), keep pressing F10
to step over the code one instruction at a time. Whenever a register
changes, type "d register" to see what it now points to.
**"register" in "d register" stands for one of eax, ebx, ecx, edx, edi, esi
  so don't email me saying that you get an error from SoftIce when you type
  "d register" literally

I am only showing the interesting codes.

After :653C025C, you will see edi having a new value. type "d edi"
You should see
:004271C4 34 00 35 00 37 00 34 00-36 00 35 00 37 00 32 00  4.5.7.4.6.5.7.2.
:004271D4 36 00 45 00 36 00 31 00-36 00 43 00 32 00 30 00  6.E.6.1.6.C.2.0.
:004271E4 34 00 32 00 36 00 43 00-36 00 39 00 37 00 33 00  4.2.6.C.6.9.7.3.
:004271F4 37 00 33 00 34 00 35 00-37 00 34 00 36 00 35 00  7.3.

After :653C025F, you will see esi having a new value. type "d esi"
You should see
:00421FA8 31 00 32 00 33 00 34 00-35 00 00 00 6C 00 20 00  1.2.3.4.5...l. .


Now, 12345 is the serial we entered. It shows up as 1.2.3.4.5 because VB
stores its strings as BSTRs in wide (Unicode) format: every character takes
two bytes, and for plain ASCII the second byte is 00, which SoftIce shows
as a dot in the data window.

VarBstrCmp compares it with the string at edi, which is the serial the
program calculated from the Name. That is what "d edi" showed you in the
data window.

Read the wide string at edi as normal characters (drop the 00 bytes) and
you get:
457465726E616C20426C697373

Disable all your breakpoints and type that as your serial using 
"Eternal Bliss" as the Name.

You will be registered. 8)

Ok. That's code sniffing for you.

Now, take a look at the serial. Do you see "7373" at the end?
"Eternal Bliss" ends with "ss".

If you convert 73 (a hex value) to ASCII, you get "s".
**Use Crackers' Tool coded by Borna Janes and I. It can be found on my 
  website.

So, if you convert every single character of the Name into the two-digit
hex value of its ASCII code and join them up, you get
457465726E616C20426C697373, which is the serial! Type the hex letters in
upper case, exactly as the program produced them in the dump.
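The routine above, as an added example written for this essay (it is not code from the original tutorial, from the crackme, or from SoftIce, and the function names are my own). It assumes the Name is plain ASCII and that the crackme uses VB's default Option Compare Binary, so the serial compare is case-sensitive. It also shows why the data window printed 1.2.3.4.5: a BSTR is laid out as UTF-16LE text behind a 4-byte length, and the parser reads a wide string back out of a SoftIce "d" line the way you did by eye.

```python
"""Keygen and string-sniffing helpers for Nitrus' Crackme 1.2.

Added example for this essay, not the author's or the crackme's own code.
Assumptions: ASCII Name, case-sensitive (Option Compare Binary) compare.
"""
import struct


def keygen(name: str) -> str:
    """Return the serial Crackme 1.2 expects for ``name``.

    Mirrors what was sniffed (Mid(), Hex() and concatenation in SmartCheck):
    each character of the Name is replaced by the hex of its ASCII code.
    VB's Hex() emits upper-case digits with no zero padding, so "%X"
    matches it exactly.
    """
    if not name.isascii():
        raise ValueError("only ASCII names are handled here (assumption)")
    return "".join("%X" % ord(ch) for ch in name)


def check_serial(name: str, serial: str) -> bool:
    """The check the crackme makes at __vbaStrComp: an exact comparison."""
    return serial == keygen(name)


def to_bstr(text: str) -> bytes:
    """Lay ``text`` out the way the VB runtime stores it in memory.

    A BSTR is a 4-byte byte-length prefix, the text in UTF-16LE (each ASCII
    character followed by a 00 byte, hence "1.2.3.4.5" in the data window),
    then a 00 00 terminator. The pointer VB hands around (what esi and edi
    held) points at the text, i.e. at offset 4 of this buffer.
    """
    data = text.encode("utf-16-le")
    return struct.pack("<I", len(data)) + data + b"\x00\x00"


def bstr_text(buf: bytes) -> str:
    """Decode the text a BSTR pointer points at: UTF-16LE up to 00 00."""
    end = 0
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[:end].decode("utf-16-le")


def parse_softice_dump(lines) -> bytes:
    """Turn SoftIce ``d`` output lines back into raw bytes.

    Each line is ':ADDRESS xx xx xx xx xx xx xx xx-xx xx xx xx xx xx xx xx  ascii';
    the 16 hex bytes with the '-' after the eighth occupy exactly 47
    characters, and the ASCII column after them is ignored.
    """
    out = bytearray()
    for line in lines:
        _address, rest = line.strip().split(None, 1)
        tokens = rest[:47].replace("-", " ").split()
        if len(tokens) != 16:
            raise ValueError("unexpected dump line: %r" % line)
        out.extend(int(tok, 16) for tok in tokens)
    return bytes(out)


def sniff_wide_string(lines) -> str:
    """What code sniffing does by eye: read a wide string out of a dump."""
    return bstr_text(parse_softice_dump(lines))


# The "d esi" line quoted in the essay: our fake serial "12345" as a BSTR.
ESI_DUMP = [
    ":00421FA8 31 00 32 00 33 00 34 00-35 00 00 00 6C 00 20 00  1.2.3.4.5...l. .",
]

if __name__ == "__main__":
    print("serial for 'Eternal Bliss':", keygen("Eternal Bliss"))
    print("esi held:", sniff_wide_string(ESI_DUMP))
    print("check:", check_serial("Eternal Bliss", keygen("Eternal Bliss")))
```

Run it and keygen("Eternal Bliss") gives the same 457465726E616C20426C697373 that was read out of edi, while sniff_wide_string on the quoted esi line gives back "12345", stopping at the 00 00 terminator rather than running on into the "l. ." leftovers after it.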


CrackMes Cracked!!

__________________________________________________________________________


                             After-thoughts

After cracking this CrackMe, I decided to use SmartCheck. To my surprise,
it is even easier. 8)

Try it. Just look for the following lines...

Mid(x)
Hex(x)
__vbaStrCopy(x)
and finally,
__vbaStrCmp(x)

where x can be any values.

You will know what I mean.


__________________________________________________________________________


                             Final Notes

This tutorial is dedicated to all the newbies like me.

And because I'm a newbie myself, I may have explained certain things wrongly.
So, if that is the case, please forgive me. Email me if there is anything
you are not clear about.


My thanks and gratitude goes to:-

The Sandman
All the writers of Cracks tutorials and CrackMes