Welcome to Gizmo's Cracking Tutorial #11!

Toolz required:
===============
SmartCheck 6.0x
Win32Dasm
Hiew

Target:
=======
Datei Memo v1.00 - http://www.matthiasrusche.de

Let's r0ck!
===========
Ok, thiz is a shitty program, but who cares? We wanna learn cracking and so we gonna crack thiz fucking prog.

K, let's look at the program... it's VB! yeah.. SmartCheck... But what's that? If we start the program by running the DateiMemo.exe a messagebox appears:

  Falscher Aufruf! Datei Fehlt!
  Rufen sie das Programm bitte aus dem Dateikontext (Rechtsklick) auf.

Hmm, this means that it can only be started with a right-click on a file, by choosing DateiMemo in the context-menu. K, what now? We wanna crack it with SmartCheck (cause i don't like SoftICE as much as SmartCheck), but in SmartCheck we can't run it, cause we can't open the EXE... So we gonna patch thiz shit, so that it starts by clicking the exe and not by right-clicking...

Make a copy of DateiMemo.exe (CTRL + C, CTRL + V). Fire up Win32Dasm... Open the copy of DateiMemo.exe and wait till it has finished disassembling...

Ok, in the String Ref we only find shit references like VB5! argh.. k, let's have a look at the imports... Hehe, what's that... sounds good =)

  MSVBVM50.__vbaStrCmp

k, double-click on it... hmm, no interesting code... double-click again... Ahh, looks better!

------------------------- Cut of Code --------------------------------------
* Reference To: MSVBVM50.__vbaStrCmp, Ord:0000h
                                  |
:0040CAC5 FF15F4A24100            Call dword ptr [0041A2F4]
:0040CACB 85C0                    test eax, eax
:0040CACD 0F8586000000            jne 0040CB59
:0040CAD3 B804000280              mov eax, 80020004
:0040CAD8 89857CFFFFFF            mov dword ptr [ebp+FFFFFF7C], eax
------------------------- Cut of Code --------------------------------------

Hmm, this jump at 0040CACD looks interesting... open Hiew and load DateiMemo.exe. Goto offset [BECD] and change following bytes:

  0F8586000000
to
  0F8486000000

k, now the jne is a je.. we have reversed the jump. Let's try it..
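A defender-side view of the one-byte patch described above, as an added example that is not part of the original tutorial: it compares a known-good copy of a binary against a modified one and labels inverted conditional jumps. The instruction bytes and the two addresses come from the listing; the buffer around them is constructed and all function names are hypothetical.

```python
import hashlib

# Constructed sample: the five instructions from the listing above, placed in
# an otherwise empty buffer. This is not the real DateiMemo.exe.
LISTING = bytes.fromhex("FF15F4A24100" "85C0" "0F8586000000" "B804000280" "89857CFFFFFF")
JNE_OFFSET = 0xBECD                      # file offset given in the tutorial
JNE_VA = 0x0040CACD                      # address of the same jne in the listing
VA_DELTA = JNE_VA - JNE_OFFSET           # valid only inside this code section

def build_sample(patched=False):
    """Return a constructed image, optionally with the tutorial's one-byte patch."""
    image = bytearray(0xBF00)
    start = JNE_OFFSET - 8               # the call and test precede the jne by 8 bytes
    image[start:start + len(LISTING)] = LISTING
    if patched:
        image[JNE_OFFSET + 1] = 0x84     # 0F 85 (jne) -> 0F 84 (je)
    return bytes(image)

def is_modified(reference_sha256, data):
    """First-line check: does the file still match the known-good digest?"""
    return hashlib.sha256(data).hexdigest() != reference_sha256

def changed_offsets(original, candidate):
    """File offsets at which two equally sized images differ."""
    if len(original) != len(candidate):
        raise ValueError("size differs; compare section by section instead")
    return [i for i, (a, b) in enumerate(zip(original, candidate)) if a != b]

def classify(original, candidate, off):
    """Heuristic label for one changed byte (no full disassembly)."""
    old, new = original[off], candidate[off]
    if (old ^ new) == 0x01:              # Jcc opcode pairs differ only in bit 0
        if 0x80 <= old <= 0x8F and off > 0 and original[off - 1] == 0x0F:
            return "near Jcc inverted"
        if 0x70 <= old <= 0x7F:
            return "short Jcc inverted"
    return "other change"

def tamper_report(original, candidate):
    """List (file offset, virtual address, label) for every changed byte."""
    return [(off, off + VA_DELTA, classify(original, candidate, off))
            for off in changed_offsets(original, candidate)]

if __name__ == "__main__":
    good, bad = build_sample(), build_sample(patched=True)
    print(is_modified(hashlib.sha256(good).hexdigest(), bad))
    for off, va, label in tamper_report(good, bad):
        print(f"offset {off:#x}  va {va:#010x}  {label}")
```

The changed byte is reported at offset BECE because the 0F prefix at BECD is identical in both copies; only the second opcode byte differs.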
Open DateiMemo.exe and Tataa! we can open it with a double-click..

NOTE: There are more references from MSVBVM50.__vbaStrCmp. You're lucky that u patched the right one ;) ... but that had to be the one to patch, because it was the first one in the code. And our compare was made by starting the prog.. so it had to be the 1st compare...

Ok, Step 1 finished... let's crack thiz shit...

Fire up SmartCheck... i hope u have already used thiz prog.. otherwise you have to change some settings:

- click "Program", "Settings"
- click the "Error Detection" tab
- in "Type of Errors to check for" enable ALL
- "Report Errors immediately" disable
- "Advanced" click
- "Report errors caused by other errors" enable
- "Report errors even if no source code is available" enable
- "Report each error only once" enable
- "Check all heap functions on each memory call" enable
- under "Performance Optimizations" ALL must be DISABLED!!!
- click "OK"
- click the "Reporting" tab
- "Start event reporting when starting this program" enable
- "Report handled VB Runtime Errors" disable
- "Report Mouse move events from OCX Controls" disable
- "Report Windows Messages" enable
- "Report callback and hook functions" enable
- click "OK"! (and don't forget to save your settings ;))

BTW: Greetz to Andrenalin... thiz settings are from his tutor (i just translated them)...

Ok, open DateiMemo.exe in SmartCheck... Then click on the green arrow (play)...

If there's a window which bugs you with trial shit... just fire up SoftICE and set a bpx on messageboxa.. Enter a serial and click ok.. back in SoftICE.. Press F11 and scroll up a bit.. there must be an ADD ESP, 04 ... set a bpx on that... change to SmartCheck and click ok once more... back in s-ice... type "d esp" and you have your serial!

Ok, that for now. Let SmartCheck load the program and when it has finished, click on "?" then on "Freischalten"... K, the program wants a name and a serial from us... let's give him one...
  Name:   Gizmo
  Serial: 9876543210

Now DON'T click ok.. change back to SmartCheck and click on the red button [STOP]... Scroll down till the end of the code which is:

  cmdOK_Click    <-- you see, our click on ok in the serial window

Ok, now click on the yellow button (SHOW ALL EVENTS)... if you're still at "cmdOK_Click", stay there :) .. if not, search for cmdOK_Click... found it? ok, let's continue:

Now you should see this (after clicking on the "+" left of "cmdOK_Click"):

cmdOK_Click
 - Silly commands....
 - txtPassword.Text                        <- sounds nice, eh ;)
 - Mid                                     <- takes the 1st letter from our name (G)
 - __vbaStrVarVal returns DWORD:520FE8
 - Asc returns Integer: 71                 <- Ascii value of the letter (G = 71)
 - Hex                                     <- Hex value of it
 - Mid                                     <- takes the 2nd letter from our name (i)
 - __vbaStrVarVal returns DWORD:520FE8
 - Asc returns Integer: 105                <- Ascii value of the letter (i = 105)
 - Hex                                     <- Hex value of it
 - Mid                                     <- takes the 3rd letter from our name (z)
 - __vbaStrVarVal returns DWORD:520FE8
 - Asc returns Integer: 122                <- Ascii value of the letter (z = 122)
 - Hex                                     <- Hex value of it
 - __vbaVarCat returns DWORD:64F304        <- uninteresting
 - __vbaVarCat returns DWORD:64F2F4        <- uninteresting
 - __vbaVarCat returns DWORD:64F294        <- uninteresting
 - __vbaVarTstEq returns DWORD:0           <- interesting!!! have a look at the right window
                                              and you'll discover the real serial Nr. (4769-7A)

K, now we have a serial.. but it's pretty easy to code a keygen... What happens?

  G ->  71 -> 47
  i -> 105 -> 69
  z -> 122 -> 7A

hmm, the serial is: 4769-7A

ah, the - is pushed between the 2nd and the 3rd hex value... so, here's the source for a keygen:

-------- Cut Here --------
' Gizmo's DateiMemo Keygen source...
' Text1 = name input, Text2 = serial output
Dim i As Integer, S As String
S = ""
If Len(Text1.Text) >= 3 Then    ' Asc() fails on an empty string
    For i = 1 To 2
        ' hex ASCII value of the 1st and 2nd letter
        S = S & Hex(Asc(Mid$(Text1.Text, i, 1)))
    Next i
    ' the "-" sits between the 2nd and the 3rd hex value
    S = S & "-" & Hex(Asc(Mid$(Text1.Text, 3, 1)))
End If
Text2.Text = S
-------- Cut Here --------

That was it! have phun with your keygen...
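Why the check traced above is weak, and what a keyed check looks like, as an added example that is not part of the original tutorial or the program's code. The first function restates the traced check; the HMAC variant assumes a vendor-run activation service holding a secret key, and all names and the sample key are hypothetical.

```python
import hashlib
import hmac

def weak_expected(name):
    """Serial the traced check compares against: hex ASCII of letters 1-3."""
    if len(name) < 3:
        raise ValueError("the traced check reads three letters")
    h = [format(ord(c), "X") for c in name[:3]]
    return h[0] + h[1] + "-" + h[2]          # '-' before the 3rd hex value

def weak_check(name, serial):
    """Client-side check: no secret, and only three letters of the name count."""
    return serial == weak_expected(name)

def issue_license(vendor_key, name):
    """Vendor side: keyed tag over the whole name; the key never ships."""
    tag = hmac.new(vendor_key, name.encode("utf-8"), hashlib.sha256).hexdigest()
    return tag[:20].upper()

def verify_license(vendor_key, name, serial):
    """Runs on the vendor's activation service, not inside the client."""
    expected = issue_license(vendor_key, name).encode("ascii")
    supplied = serial.strip().upper().encode("utf-8")
    return hmac.compare_digest(expected, supplied)   # constant-time compare

if __name__ == "__main__":
    key = b"constructed-sample-key"          # constructed value for the demo
    lic = issue_license(key, "Gizmo")
    # Weak scheme: every name starting with "Giz" shares one serial.
    print(weak_check("Gizmo", "4769-7A"), weak_check("Gizmodo", "4769-7A"))
    # Keyed scheme: the tag binds to the full name and to the secret key.
    print(verify_license(key, "Gizmo", lic), verify_license(key, "Gizmodo", lic))
```

A keyed tag removes the ability to compute a serial from the name alone; it does not address the jump patch from step 1, which calls for integrity checking of the binary.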
Contact me on EFnet at #TbC, #learn2crack, #odt or e-mail me: e-mailGIZMO@gmx.net

BTW: If you want to enter your own serial just edit following key in the registry:

  HKEY_USERS -> .DEFAULT -> software -> VB And VBA Program Settings -> DateiMemo -> Settings

Greetz:
To my groups: C.i.A, BEC
and to following dudes: aDENOZiN, ACiD_BuRN, cheekey, CrackMagic, fLAIEr, Ghostman 1999, sEVanD0, zikariuz, Berserka, Crackwarrior, Flagg, PlAyEr, Prof_X, Professor, scarabaeus, skorpien, sn00pee, sToReMaStEr, SiONiDE, The AntiXryst, WeaxWeasel, Berserka, Flagg, Prof_X, skorpien, sn00pee, The AntiXryst, [iNC]

If you're not in here.. sorry, a lot of ppl to greet ;)

Bye bye