Tutorial #SLS0D
Adressen (C) by Alltags
13 AUG 2001
by Skizo
* SkiZo^ Lost Soul * member of Da Breaker Crew *

About Adressen 2001.08.1411

Adressen is a german software, used to store addresses, and other contact informations.
At least that's what I think, coz I already said it's German ;-)

In the cold of the night, in the warmth of the breeze,
I'll come cracking around, with tutorials like this! ;-)

Skill Level
[  ] None - [  ] Easy - [X] Medium - [  ] Hard - [  ] Punishment 
HUMANITAS IUSTITIAM NOSQUAM RENUIT
GRANDEM MALIGNITATEM COGNOSCENDO



Introduction 

Today we're gonna learn how to crack this software. Protection is not so hard, but since |NUKEM| found some probz with it, I thought I had to tutorialize ;-)
In one of my earlier tutorials I already used SmartCheck together with other tools, such as IDA or Win32Dasm. Today we will use our WONDERFUL Sice. As WONDERFUL as POWERFUL.



Required Tools 
 - SmartCheck 6.03 (You can find it with a bit of luck)
 - SoftIce 4.05 (Same)
 - Win32Dasm 8.93 (Idem)


Program's URL 
 http://www.alltag.com/adressen.htm


The Essay 


Since part of this program was cracked by NUKEM, I will use his name to start the lesson. Anyway you do a good job, bro.

Here we go...
Load our powerful SmartCheck, this sweeeeeeet tool that allows us to crack VB software. If you don't use the settings from #SLS04, you could be in trouble. So read that first and then keep reading this tutorial.
All done? Damn, you're speedy :)
Run the prog with SmartCheck, then open the registration dialog: to do so click on "Hilfe", "Registrierungsformular" and then on the button with the key, called "Freischaltung". Use NUKEM as name and 1234 as number (Name, Nummer). A message box will pop up saying you're a lameass cracker. But the prog doesn't know we're just trying ;) Back in SmartCheck, stop the program execution and look at the loads of useless shit we got. Do you dare to start reading it all in order to find the algo? The thought scares me enough, so I decided to find the MsgBox call and work from the bottom to the top. I guess it's the faster way. Can you see a list of names? I think it's a list of crackers' names, and if your name is in that list you won't be registered. Let's muahahaha at the coders of this protection.
Before that list you should be able to see the call

  __vbaStrCmp(String:"NUKEM, 1234", String:"NUKEM, 6622")

My Zen feeling says that 6622 is the right serial. What about yours? We don't have enough time to talk, so let's go ahead. Let's look above for the "6622" value. The call you land in is a __vbaStrCat, the one that builds the "NUKEM, 6622" string. We are gonna find the algo. Take a look at the lines above, and you will see "m", "e", "k", "u", "n" (mekun, but just coz we are reading from the bottom to the top :). This is the algo, but it's not all, coz we have to know what the program does before the algo. You should get that it does something, because you should see a string manipulation in the lines above. The thing you should see is

  InStr(long:1, String:"0123456789abcdefghijklmnopqrstuvwxyz.", String:"n", Integer:0)

with some following __vbaStrCat, which will create "n", "nu", "nuk", "nuke", "nukem". So we already know that in order to generate a valid key, we have to keep just numbers, letters and dots. Remember that the name has to be converted into small letters, so "ABC" and "abc" are equal. Now we can crack the algo :)

  InStr(long:1, String:"abcdefghijklmnopqrstuvwxyz0123456789.", String:"n", Integer:0)

This function returns 14, and it's right of course :)
Now you can see a multiplication of 14 by 1 (14 * 1 = 14) but then you can see 154. Let's say that 14 * 11 = 154. For the next letter ("u") there's a multiplication between 21 (the position of "u" in the string) and 2. 21 * 2 = 42. Then we can see 462, which is 42 * 11. Now we know that it multiplies the position in the string by 11, and then by the position in the name. The result is multiplied by the position in the name once more (so the position in the name is squared), as the table below shows.


  InStr("abcdefghijklmnopqrstuvwxyz0123456789.","n") = 14         14 * 11 * 1 * 1 =  154
  InStr("abcdefghijklmnopqrstuvwxyz0123456789.","u") = 21         21 * 11 * 2 * 2 =  924
  InStr("abcdefghijklmnopqrstuvwxyz0123456789.","k") = 11         11 * 11 * 3 * 3 = 1089
  InStr("abcdefghijklmnopqrstuvwxyz0123456789.","e") =  5          5 * 11 * 4 * 4 =  880
  InStr("abcdefghijklmnopqrstuvwxyz0123456789.","m") = 13         13 * 11 * 5 * 5 = 3575
                                                                                    ----
                                                                                    6622

Well... that's it. This is how the algo works, but there's something more, and it's the point where Nukem lost the release ;-)
Now you have to use "1234567890123456789012345678901234567890123456789012345678901234567890" as name: you may wonder why, and here's the explanation. For longer names, the algo doesn't work as shown above, and that's not a kool thing. I forgot that the name can't be longer than 70 chars, coz the coders wanted it this way ;)
Now repeat all the things you did before, but there's a prob: SmartCheck cuts off part of the strings if they are too long, so we don't know what the right serial is. That's where Sice is needed. Look for the __vbaStrCmp call, where the serial is checked, highlight it and look at the RVA.

-- NEWBIES CORNER ----------------------------------------------
In the main window, you can see a list of the calls executed, a
list of the params, and a window with the sources (if you are
debugging your own program). The RVA is located at the top of
the params list, and in this case it will look like

ADRESSEN.EXE!000ABACC

To get the Virtual Address, you have to add ABACC to the IMAGE
BASE, which in this and most cases is 400000. Then you have to
remember that you are in VB and that VB does not use offsets
starting from "0", so you have to subtract "1", and the virtual
address you need is:

4ABACB
--------------------------------------- END OF NEWBIES CORNER --

OK, now we need to break into Sice with something, but how? What about the msgbox? Load the "MSVBVM50.DLL" library with the loader, then press CTRL+D (I hope you loaded Sice) and set a breakpoint on msgbox (bpx rtcMsgBox). Write the name, a fake serial and press Ok. Sice will pop up, so press F11 one time, and after you press Ok in the message box you will land in the program. Now set a breakpoint on 4ABACB with bpx 4ABACB (read the newbies corner), disable or delete the breakpoint on msgbox (in this case BD 0, or BC 0) and press Ok again.

  :004ABACA 50                      push eax                       ;The right serial

  * Reference To: MSVBVM50.__vbaStrCmp, Ord:0000h
                                    |
  :004ABACB FF15D4B56600            Call dword ptr [0066B5D4]      ;Call to cmp
  :004ABAD1 F7D8                    neg eax                        ;You land here

You can find out very, very easily that eax holds the right serial: just type "d eax" in Sice, and you will get the whole string, but in Unicode ("1" + chr(0) + "2" + chr(0) + "3" + chr(0) + "4" + chr(0) and so on). The most important part is the end, because it's "[...]67890, 883929". So now we know the right serial.
Now we just have to know where the hell this 883929 comes from :-\
From the last highlighted line, search for the "abcde" string in the lines above, because we know that the "abcdefghijk..." string is used for the algo generation. You will land in the last step of the loop, and I know you are able to see the Double->Long conversions. The serial we have after the algo is 40665240, and the serial we have to get is 883929. The first two conversion results are 33887700 and 28239750. Let's look for a relation between these three numbers.


  40665240 - 33887700 = 6777540
  33887700 - 28239750 = 5647950      ;Not equal

  40665240 / 33887700 = 1.2
  33887700 / 28239750 = 1.2          ;Sounds good ;)
      [...]
   1060715 /   883929 = 1.2

Now we have to know where it stops. Click on a conversion; the RVA should be ADRESSEN.EXE!000AD4FE, so the virtual address is 4AD4FD. Load the program in Win32Dasm, and jump to that location.

  * Reference To: MSVBVM50.__vbaFpI4, Ord:0000h
                                    |
  :004AD4FD FF156CB76600            Call dword ptr [0066B76C]             ;Conversion
  :004AD503 8945B8                  mov dword ptr [ebp-48], eax
  :004AD506 EBA3                    jmp 004AD4AB                          ;Loop
   _____________________________________|
  |
  :004AD4AB C745FC11000000          mov [ebp-04], 00000011                
  :004AD4B2 817DB840420F00          cmp dword ptr [ebp-48], 000F4240      ;F4240h = 1000000
  :004AD4B9 7E4D                    jle 004AD508                          ;Jumps if valid

Please note that the two blocks are listed in reverse order: the second block sits before the first one in memory (4AD4FD > 4AD4B9). This means that the jump at 4AD4B9 lands on the line right after the division loop. So the loop quits as soon as the serial is lower than or equal to 1000000.
That's really all now.



The VB Keygen 
Private Sub Text1_Change()
  ' Text1 holds the name, Text2 receives the serial
  Dim Lista As String, intZähler1 As Double, intZähler2 As Double
  Dim Temp As String, Wandel1 As String, intSum As Double, C As Long
      Lista = "abcdefghijklmnopqrstuvwxyz0123456789."

  ' Lowercase the name and keep only the chars found in Lista
  Temp = LCase(Text1)
  If Len(Temp) = 0 Then Text2 = "": Exit Sub
  For C = 1 To Len(Temp)
     If InStr(Lista, Mid(Temp, C, 1)) > 0 Then
       Wandel1 = Wandel1 + Mid(Temp, C, 1)
     End If
  Next

  ' Sum position-in-Lista * 11 * (position-in-name)^2 for every char
  For intZähler1 = 1 To Len(Wandel1)
     intZähler2 = InStr(Lista, Mid(Wandel1, intZähler1, 1))
     intSum = intZähler2 * intZähler1 ^ 2 * 11 + intSum
  Next intZähler1

  ' Divide by 1.2 until the rounded sum is <= 1000000 (0F4240h)
  Do While CLng(intSum) > 1000000
    intSum = intSum / 1.2
  Loop
  Text2 = CLng(intSum)
  Exit Sub
End Sub
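To double-check the reversed algorithm against the two serials the essay recovers (6622 for NUKEM and 883929 for the 70-digit name), here is an added Python port of the keygen above; it is not part of the original tutorial. It mirrors the VB Double arithmetic and CLng's round-half-to-even, exposes the per-division CLng values the tutorial reads off the __vbaFpI4 conversions, and rejects names over 70 characters (the limit the text mentions; rejecting rather than truncating is an assumption).

```python
from typing import List, Optional

# Added example (not from the original tutorial): Python port of the reversed
# Adressen serial algorithm. VB's CLng rounds half to even, as Python's round()
# does, so the intermediate values match the __vbaFpI4 conversion results.

LISTA = "abcdefghijklmnopqrstuvwxyz0123456789."   # alphabet seen in InStr()
MAX_NAME_LEN = 70                                  # name limit the tutorial reports
LIMIT = 0x0F4240                                   # 1000000, the cmp at 004AD4B2


def filter_name(name: str) -> str:
    """LCase the name and keep only characters found in LISTA (the InStr filter)."""
    return "".join(ch for ch in name.lower() if ch in LISTA)


def raw_sum(filtered: str) -> int:
    """Sum of InStr(LISTA, ch) * 11 * i^2 over the filtered name, i being 1-based."""
    return sum(11 * (LISTA.index(ch) + 1) * i * i
               for i, ch in enumerate(filtered, start=1))


def reduce_steps(total: float) -> List[int]:
    """CLng value after each division by 1.2, until the rounded value is <= 1000000."""
    steps = []
    while round(total) > LIMIT:
        total /= 1.2
        steps.append(round(total))
    return steps


def serial(name: str) -> Optional[int]:
    """Serial for a name; None for an empty (filtered) name, like the VB keygen."""
    if len(name) > MAX_NAME_LEN:
        raise ValueError("name longer than 70 characters")  # assumption: reject
    filtered = filter_name(name)
    if not filtered:
        return None
    total = raw_sum(filtered)
    steps = reduce_steps(total)
    return steps[-1] if steps else total


if __name__ == "__main__":
    print(serial("NUKEM"))               # 6622, as in the essay
    print(serial("1234567890" * 7))      # 883929, the 70-digit name
```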



Final Notes 

This program wasn't so hard to crack, don't you think? I find it hard to believe that crackers like NUKEM can't crack it, so let me say he's just lazy... NEXT TIME USE LONGER NAMES ;-)
Last note: this tutorial goes to my sweet babe who wants to learn how to crack. I love you honey

SEE YOU SPACE COWBOY...




E-Mail: Skizo@DBC2000.ORG
URL: http://kickme.to/skizo