Tutorial Number 30

Written by     Eternal Bliss
Email:         Eternal_Bliss@hotmail.com
Website:       http://crackmes.cjb.net
               http://surf.to/crackmes
Date written:  23rd Oct 1999

Program Details:
Name: VBCrackMe 11 by Eternal Bliss

Tools Used:
SmartCheck
W32Dasm

Cracking Method:
Patching

Viewing Method:
Use Notepad with Word Wrap switched on
Screen Area set to 800 X 600 pixels (Optional)

Special Thanks to:
Volatility for compiling this CrackMe in VB5.
__________________________________________________________________________

About this protection system

There are 5 different disabled protections that you need to patch. I coded the crackme such that you get to see what makes a button enabled and what makes it disabled. Using this comparison method, you will be able to patch the crackme to enable every single protection.

This CrackMe is coded in VB5 because VB6 uses a different method of enabling and disabling buttons etc and I have not figured out how to patch them yet. 8P
_________________________________________________________________________

About this tutorial

I presume that you have seen all my tutorials and know how to use SmartCheck and W32Dasm.
_________________________________________________________________________

SmartCheck and W32Dasm

Disassemble the CrackMe with W32Dasm.
Run SmartCheck and load the CrackMe with it. When the CrackMe has finished loading, you can press the Stop button.

In the left window of SmartCheck, you will see Form1_Load. Click on the + sign next to it to expand the thread.
There are 9 lines in this thread...

Command1.Enabled <-- False (Boolean)
Command3.Enabled <-- True (Boolean)
Text1.Enabled <-- False (Boolean)
Text2.Enabled <-- True (Boolean)
Label3.Visible <-- False (Boolean)
Disabled.Enabled <-- False (Boolean)
Enable.Enabled <-- True (Boolean)
Invisible.Visible <-- False (Boolean)
Visiblee.Visible <-- True (Boolean)

Command1 and Command3 are the two buttons. You figure out the rest... 8)

---------------------------------------------
1)
Command1.Enabled <-- False (Boolean)
This is the button with "Disabled" on it.

Command3.Enabled <-- True (Boolean)
This is the button with "Enabled" on it and when you click it, you will get a message.

Click on the line "Command1.Enabled <-- False (Boolean)"
You will see on the right window of SmartCheck:

VBCRACKME11.EXE!00004C34 (no debug info)

* SmartCheck is telling you that at this offset, the program is disabling the button.

To see the code in W32Dasm, add 00400000 to 00004C34. You get 00404C34.
Thus in W32Dasm, go to Code Location 404C34.
Do you see the following lines?

:00404C2D 6A00                    push 00000000
:00404C2F 50                      push eax
:00404C30 8945E4                  mov dword ptr [ebp-1C], eax
:00404C33 FF928C000000            call dword ptr [edx+0000008C]

Click on Command3.Enabled <-- True (Boolean)
You will see on the right window of SmartCheck:

VBCRACKME11.EXE!00004C72 (no debug info)

* SmartCheck is telling you that at this offset, the program is enabling the button.

Using W32Dasm, you go to the Code Location using the method I mentioned above...
You will see:

:00404C6B 6AFF                    push FFFFFFFF
:00404C6D 50                      push eax
:00404C6E 8945E4                  mov dword ptr [ebp-1C], eax
:00404C71 FF918C000000            call dword ptr [ecx+0000008C]

Compare the 2 different pieces of code...
The first set is to disable a button. The 2nd set is to enable another button.
Now... What is the difference between them?
It's push 00000000 or push FFFFFFFF

Time to see if we have correctly used a Cracker's instinct or zen...

Make a copy of the CrackMe and open it with a Hexeditor.
In W32Dasm, click the line ":00404C2D 6A00 push 00000000"
Look at the offset and go to it in the Hexeditor. It is at offset 402D.

Now, what bytes should we replace 6A00 with?
Looking at "push FFFFFFFF", you will see it is 6AFF. heh...
Replace 6A00 with 6AFF then...
Save it and run it... See if the button has been enabled...

Voila! 8)
On with the next protection!
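
Added example (not part of the original tutorial): a short Python sketch of the two things step 1 relies on, namely how the code location 00404C2D ends up at file offset 402D, and why the single byte after 6A decides between push 00000000 and push FFFFFFFF. The section table below is constructed so that it agrees with the offsets quoted in this tutorial; it was not read from the CrackMe itself, and the function names are hypothetical.

```python
import struct

IMAGE_BASE = 0x00400000  # the value the tutorial adds to SmartCheck's offset

# Constructed section table (assumption, chosen to match the tutorial's numbers):
# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
SECTIONS = [
    (".text", 0x1000, 0x5000, 0x0400, 0x5000),
    (".data", 0x6000, 0x1000, 0x5400, 0x0200),
]

def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Map a virtual address (W32Dasm code location) to a raw file offset."""
    rva = va - image_base
    for name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + vsize:
            delta = rva - vaddr
            if delta >= raw_size:
                # Zero-filled tail of a section exists only in memory.
                raise ValueError(f"{va:#x} is in {name} but has no bytes on disk")
            return raw_ptr + delta
    raise ValueError(f"{va:#x} is not inside any section")

def decode_push_imm8(code):
    """Decode `6A ib` (PUSH imm8): the byte is sign-extended to 32 bits."""
    if len(code) != 2 or code[0] != 0x6A:
        raise ValueError("not a PUSH imm8 instruction")
    (imm,) = struct.unpack("b", code[1:2])   # read the operand as signed 8-bit
    return imm & 0xFFFFFFFF                  # the dword that lands on the stack

def vb_boolean(dword):
    """VB represents False as 0 and True as -1 (all bits set)."""
    return {0x00000000: "False", 0xFFFFFFFF: "True"}.get(dword, "non-Boolean")

if __name__ == "__main__":
    smartcheck_offset = 0x00004C34           # shown for Command1.Enabled
    print(f"code location: {IMAGE_BASE + smartcheck_offset:08X}")
    print(f"file offset of 00404C2D: {va_to_file_offset(0x00404C2D):X}")
    for raw in (bytes.fromhex("6A00"), bytes.fromhex("6AFF")):
        value = decode_push_imm8(raw)
        print(raw.hex().upper(), f"push {value:08X}", "->", vb_boolean(value))
```

For a real file, the section values come from its PE header rather than from a hard-coded table.
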
---------------------------------------------
2)
Text1.Enabled <-- False (Boolean)
Text2.Enabled <-- True (Boolean)

Using the same method I have described, look at both the disabling and enabling code...
I have copied them down below:

Disabled
--------
:00404CA9 6A00                    push 00000000
:00404CAB 50                      push eax
:00404CAC 8945E4                  mov dword ptr [ebp-1C], eax
:00404CAF FF918C000000            call dword ptr [ecx+0000008C]

Enabled
-------
:00404CE7 6AFF                    push FFFFFFFF
:00404CE9 50                      push eax
:00404CEA 8945E4                  mov dword ptr [ebp-1C], eax
:00404CED FF918C000000            call dword ptr [ecx+0000008C]

heh... Spot the difference... VB is really lame, huh? hehe
Check out where the offset is for "push 00000000" again. It is 40A9.
Go and patch it in the Hexeditor and see if you can type in the disabled textbox now... 8)

Voila! heh
On with the 3rd protection.

---------------------------------------------
3)
Click on "Label3.Visible <-- False (Boolean)" in SmartCheck and see the location that you need to go to in W32Dasm.
Do you see the following code in W32Dasm?

:00404D25 6A00                    push 00000000
:00404D27 50                      push eax
:00404D28 8945E4                  mov dword ptr [ebp-1C], eax
:00404D2B FF919C000000            call dword ptr [ecx+0000009C]

And do you see the "push 00000000" again? hehehe
Patch what you need as above and run the CrackMe again...

Voila!!! You are now "Registered" !!!
On with the next protection.

---------------------------------------------
4)
The 4th protection is to disable a Menu Option, which is common for Demo programs...
I called the Menu Options "Disabled" and "Enable" for easy reference.

Using the method I described above, you will see this in W32Dasm:

:00404D63 6A00                    push 00000000
:00404D65 50                      push eax
:00404D66 8945E4                  mov dword ptr [ebp-1C], eax
:00404D69 FF5174                  call [ecx+74]

This is for the disabled Menu Option...
Patch it as before...
Do you see the disabled Menu Option is now enabled??? hehe

Next please...
---------------------------------------------
5)
The last protection is a Menu Option that is not shown at all... thus you saw "Invisible.Visible <-- False (Boolean)"

If you have followed my previous few examples, you will know that you only need to see the disabling code... and change 6A00 to 6AFF.

In W32Dasm, you will see that the code is:

:00404DD3 6A00                    push 00000000
:00404DD5 50                      push eax
:00404DD6 8945E4                  mov dword ptr [ebp-1C], eax
:00404DD9 FF515C                  call [ecx+5C]

Patch it. 8)
Now, run the CrackMe and see if you can see the Menu Option that was invisible...

hehehe... CrackMe Cracked!
__________________________________________________________________________

Additional Points

In VB5 programs, if you ever come across such disabled buttons or Menu Options, just use SmartCheck and W32Dasm together... With my method, you will easily patch the protection... An example of such programs is TweakDun.

For certain Nag screens, you can apply a similar method. Just NOP out the call that makes the Nag. Make sure that it is not the VB dll that you have to patch...
__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me.

My thanks and gratitude go to:
All the writers of Cracks tutorials and CrackMes and also to all the crackers that have been supporting my site and project forum.