Tutorial Number 29

Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 21st Jul 1999

Program Details:
Name: Execution Crackme v0.1 by The Ghost[Execution 1999]

Tools Used:
SoftIce

Cracking Method:
Serial Sniffing

Viewing Method:
Use Notepad with Word Wrap switched on
Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________


                        About this protection system

This program requires a Code which is based on your name that is converted
to Upper Case.

_________________________________________________________________________


                        About this tutorial

This is a very short tutorial to show what serial fishing is like and
how easy it can be in VB5. The aim of this tutorial is to show you that 
sometimes you need not trace into all the calls you see. 

_________________________________________________________________________


				SoftIce

Run the CrackMe. Enter any Name/Code you want. 
Name: Eternal Bliss
Code: 123456789

Go into SoftIce and set a breakpoint on __vbaStrComp.
This particular bp is very common in VB.
__vbaStrComp means String Compare,
thus it does what it is named after... comparing strings.

Click on Register. You will break and will see something like below...
It is quite a typical tracing. So, it is beneficial if you know this
piece of code well...

MSVBVM50!__vbaStrComp
:797C3564  8BEC                MOV       EBP,ESP
:797C3566  53                  PUSH      EBX
:797C3567  56                  PUSH      ESI
:797C3568  57                  PUSH      EDI
:797C3569  837D1000            CMP       DWORD PTR [EBP+10],00
:797C356D  BE00000000          MOV       ESI,00000000
:797C3572  7406                JZ        797C357A                (NO JUMP)
:797C3574  8B4510              MOV       EAX,[EBP+10]

After the mov eax, type "d eax" to see the contents of eax.
You will see in the data window,
:00421938 31 00 32 00 33 00 34 00-35 00 36 00 37 00 38 00  1.2.3.4.5.6.7.8.
:00421948 39 00 00 00 49 00 53 00-53 00 00 00 B1 E6 0F A0  9...I.S.S.......

The code I typed...hmmm

Continue tracing,
:797C3577  8B70FC              MOV       ESI,[EAX-04]
:797C357A  837D0C00            CMP       DWORD PTR [EBP+0C],00
:797C357E  BF00000000          MOV       EDI,00000000
:797C3583  7406                JZ        797C358B                (NO JUMP)
:797C3585  8B4D0C              MOV       ECX,[EBP+0C]

After the mov ecx, type "d ecx" to see the contents of ecx.
You will see in the data window,
:00520FE4 33 00 30 00 31 00 36 00-30 00 00 00 00 00 00 00  3.0.1.6.0.......
:00520FF4 00 00 00 00 DC 0F 52 00-00 00 00 A0 ?? ?? ?? ??  ......R.........

hmmm 30160... Looks like a serial?
You must know now that VB strings are always stored in
w.i.d.e. .c.h.a.r.a.c.t.e.r format (every character is followed by a 00 byte),
which is why the data window shows them spaced out like that.
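To make the data-window reading concrete, here is an added example of mine (not part of the original tutorial) that decodes the two dumps above as wide-character strings and models the BSTR length prefix that MOV ESI,[EAX-04] reads; the 4-byte byte-length prefix in front of the text is the standard VB BSTR layout and is assumed here, since the dumps on the page start at the text itself.

```python
# Added example (not from the original tutorial): decode SoftIce data-window
# dumps as the wide-character (UTF-16LE) strings VB5 stores, and model the
# BSTR layout (assumed standard: byte-length prefix at [EAX-04]).
import re
import struct

# Constructed copies of the two dumps from the tutorial ("??" = unreadable byte).
DUMP_EAX = """\
:00421938 31 00 32 00 33 00 34 00-35 00 36 00 37 00 38 00  1.2.3.4.5.6.7.8.
:00421948 39 00 00 00 49 00 53 00-53 00 00 00 B1 E6 0F A0  9...I.S.S......."""
DUMP_ECX = """\
:00520FE4 33 00 30 00 31 00 36 00-30 00 00 00 00 00 00 00  3.0.1.6.0.......
:00520FF4 00 00 00 00 DC 0F 52 00-00 00 00 A0 ?? ?? ?? ??  ......R........."""

# ":ADDRESS" then 16 byte tokens, space-separated except for the "-" after the 8th.
LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8}) ((?:[0-9A-Fa-f?]{2}[ -]){15}[0-9A-Fa-f?]{2})")


def dump_to_bytes(dump: str) -> bytes:
    """Collect the 16 hex bytes of each data line; unreadable '??' bytes become 0x00."""
    out = bytearray()
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"not a SoftIce data line: {line!r}")
        for tok in re.split(r"[ -]", m.group(2)):
            out.append(0 if tok == "??" else int(tok, 16))
    return bytes(out)


def first_wide_string(raw: bytes) -> str:
    """Decode UTF-16LE up to the first 00 00 terminator (the '1.2.3...' in the window)."""
    end = 0
    while end + 1 < len(raw) and raw[end:end + 2] != b"\x00\x00":
        end += 2
    return raw[:end].decode("utf-16-le")


def make_bstr(text: str) -> bytes:
    """VB BSTR: 4-byte little-endian byte length, UTF-16LE text, 00 00 terminator."""
    body = text.encode("utf-16-le")
    return struct.pack("<I", len(body)) + body + b"\x00\x00"


def bstr_length_prefix(bstr: bytes) -> int:
    """Read the length the way MOV ESI,[EAX-04] does: EAX points at the text, not the prefix."""
    eax = 4  # offset of the text inside the buffer built by make_bstr
    return struct.unpack("<I", bstr[eax - 4:eax])[0]
```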

Now, replace 123456789 with 30160
Name: Eternal Bliss
Code: 30160

CrackMe Cracked!

__________________________________________________________________________


                             Additional Points

Try making a KeyGen for this.

__________________________________________________________________________


                             Final Notes

This tutorial is dedicated to all the newbies like me.

My thanks and gratitude go to:

All the writers of Cracks tutorials and CrackMes
and also to all the crackers that have been supporting my site and project forum.