2001

About Adressen 2001.08.1411

In the cold of the night, in the warmth of the breeze,
GRANDEM MALIGNITATEM COGNOSCENDO |
Introduction |
Today we're gonna learn how to crack this software. The protection is not so hard, but since |NUKEM|
found some probz with it, I thought I had to tutorialize ;-)
In one of my previous tutorials I already used the interaction between SmartCheck and other tools, such as
IDA or Win32Dasm. Today we will use our WONDERFUL Sice. As WONDERFUL as POWERFUL.
Required Tools
- SmartCheck 6.03 (you can find it with a bit of luck)
- SoftIce 4.05 (same)
- Win32Dasm 8.93 (idem)
Program's URL
http://www.alltag.com/adressen.htm
The Essay

__vbaStrCmp(String:"NUKEM, 1234", String:"NUKEM, 6622")

My Zen feeling says that 6622 is the right serial. What about yours? We don't have enough time to talk, so let's go ahead. Look above for the "6622" value. The call you land in is a __vbaStrCat, the one that creates the "NUKEM, 6622" string. We are gonna find the algo. Take a look at the lines above, and you will see "m", "e", "k", "u", "n" (mekun, but just coz we are reading from the bottom to the top :). This is the algo, but it's not all, coz we have to know what it does before the algo. You should realize it does something, because you can see a string manipulation in the lines above. The thing you should see is

InStr(long:1, String:"0123456789abcdefghijklmnopqrstuvwxyz.", String:"n", Integer:0)

with some following __vbaStrCat calls, which create "n", "nu", "nuk", "nuke", "nukem". So we already know that in order to generate a valid key, only numbers, letters and dots are kept. Remember that the name is converted to lower case, so "ABC" and "abc" are equal. Now we can crack the algo :)

InStr(long:1, String:"abcdefghijklmnopqrstuvwxyz0123456789.", String:"n", Integer:0)

This function returns 14, and it's right of course :) Each character's position in that string is multiplied by 11 and by the square of its index in the name, and the terms are added up:

InStr("abcdefghijklmnopqrstuvwxyz0123456789.","n") = 14    14 * 11 * 1 * 1 =  154
InStr("abcdefghijklmnopqrstuvwxyz0123456789.","u") = 21    21 * 11 * 2 * 2 =  924
InStr("abcdefghijklmnopqrstuvwxyz0123456789.","k") = 11    11 * 11 * 3 * 3 = 1089
InStr("abcdefghijklmnopqrstuvwxyz0123456789.","e") =  5     5 * 11 * 4 * 4 =  880
InStr("abcdefghijklmnopqrstuvwxyz0123456789.","m") = 13    13 * 11 * 5 * 5 = 3575
                                                                            ----
                                                                            6622
Well... that's it. This is how the algo works, but there's something more, and it's the point where
Nukem lost the release ;-)
-- NEWBIES CORNER ----------------------------------------------
OK, now we need to break into Sice with something, but how? What about the msgbox? Load the "MSVBVM50.DLL" library with the loader, then press CTRL+D (I hope you loaded Sice) and set a breakpoint on msgbox (bpx rtcMsgBox). Write the name and a fake serial and press Ok. Sice will pop up, so press F11 once, and after you press Ok in the messagebox you will land in the program.
----------------------------------------------------------------

Now set a breakpoint at 4AD3B8 with bpx 4AD3B8 (read the newbies corner), disable or delete the breakpoint on msgbox (in this case BD 0, or BC 0) and press Ok again.

:004ABACA 50                      push eax                          ;The right serial

* Reference To: MSVBVM50.__vbaStrCmp, Ord:0000h
                                  |
:004ABACB FF15D4B56600            Call dword ptr [0066B5D4]         ;Call to cmp
:004ABAD1 F7D8                    neg eax                           ;You land here

You can figure out very easily that the right serial is stored in eax:
just type "d eax" in Sice, and you will get the whole string, but in unicode ("1" + chr(0)
+ "2" + chr(0) + "3" + chr(0) + "4" + chr(0) and so on). The most important thing is the end,
because it's "[...]67890, 883929". So now we know the right serial.

406655240 - 33887700 = 6777540
33887700 - 28239750 = 5647950      ;Not equal
406655240 / 33887700 = 1.2
33887700 / 28239750 = 1.2          ;Sounds good ;)
[...]
1060715 / 883929 = 1.2

Now we have to know where it stops. Click on one of the conversions; the RVA should be ADRESSEN.EXE!000AD4FE, so the virtual address is 4AD4FD. Load the program in Win32Dasm, and jump to that location.

* Reference To: MSVBVM50.__vbaFpI4, Ord:0000h
                                  |
:004AD4FD FF156CB76600            Call dword ptr [0066B76C]         ;Conversion
:004AD503 8945B8                  mov dword ptr [ebp-48], eax
:004AD506 EBA3                    jmp 004AD4AB                      ;Loop
_____________________________________|
|
:004AD4AB C745FC11000000          mov [ebp-04], 00000011
:004AD4B2 817DB840420F00          cmp dword ptr [ebp-48], 000F4240  ;F4240h = 1000000
:004AD4B9 7E4D                    jle 004AD508                      ;Jumps if valid

Please note that the second part is actually the first one, and the first is the second one (4AD4FD > 4AD4B9). This means that the jump at line 4AD4B9 jumps to a line
after the division algo. So it quits if the serial is lower than or equal to 1000000.
The VB Keygen

Private Sub Text1_Change()
    Dim Lista As String, Temp As String, Wandel1 As String
    Dim C As Long, intZähler1 As Double, intZähler2 As Double, intSum As Double

    ' The characters the program keeps; InStr returns the 1-based position in this string
    Lista = "abcdefghijklmnopqrstuvwxyz0123456789."
    ' The name is case-insensitive
    Temp = LCase(Text1)
    If Len(Temp) = 0 Then Text2 = "": Exit Sub

    ' Drop everything that is not a letter, a digit or a dot
    For C = 1 To Len(Temp)
        If InStr(Lista, Mid(Temp, C, 1)) > 0 Then
            Wandel1 = Wandel1 + Mid(Temp, C, 1)
        End If
    Next

    ' Sum of position-in-Lista * index^2 * 11 over the remaining characters
    For intZähler1 = 1 To Len(Wandel1)
        intZähler2 = InStr(Lista, Mid(Wandel1, intZähler1, 1))
        intSum = intZähler2 * intZähler1 ^ 2 * 11 + intSum
    Next intZähler1

    ' Divide by 1.2 until the value no longer exceeds 1000000 (F4240h, the cmp at 4AD4B2)
    Do While CLng(intSum) > 1000000
        intSum = intSum / 1.2
    Loop

    Text2 = CLng(intSum)
End Sub
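The derivation above and the VB keygen, reimplemented in Python as an added example (not the tutorial's own code) so the worked numbers can be checked: the alphabet, the 11 * index^2 weighting, the 1.2 division loop and the 1000000 cutoff are taken from the page; the 25-character test name is constructed, and CLng's round-half-to-even is mirrored with Python's round().

```python
"""Serial derivation described in the Adressen tutorial, reimplemented to
check the worked numbers (added example, not the tutorial's own code)."""
from typing import List, Optional, Tuple

# The string the program searches with InStr (1-based positions), from the page
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789."
# 0F4240h, the value compared at 004AD4B2 (from the page)
CUTOFF = 1000000


def clng(x: float) -> int:
    """VB's CLng rounds half to even; Python's round() does the same."""
    return int(round(x))


def normalize(name: str) -> str:
    """Lower-case the name and keep only characters found in ALPHABET."""
    return "".join(c for c in name.lower() if c in ALPHABET)


def derivation(name: str) -> List[Tuple[str, int, int, int]]:
    """Per-character terms (char, InStr position, index, position*11*index^2),
    laid out the way the tutorial does for 'nukem'."""
    clean = normalize(name)
    terms = []
    for i, c in enumerate(clean, start=1):
        pos = ALPHABET.index(c) + 1  # InStr is 1-based
        terms.append((c, pos, i, pos * 11 * i * i))
    return terms


def raw_sum(name: str) -> int:
    """The sum before the division loop (6622 for 'nukem')."""
    return sum(term for _, _, _, term in derivation(name))


def serial(name: str) -> Optional[int]:
    """Final serial: divide by 1.2 until CLng(value) <= CUTOFF.
    Returns None for a name with nothing left after filtering (VB shows "")."""
    if not normalize(name):
        return None
    value = float(raw_sum(name))
    while clng(value) > CUTOFF:
        value /= 1.2
    return clng(value)


if __name__ == "__main__":
    for ch, pos, i, term in derivation("nukem"):
        print(f"InStr(Lista, '{ch}') = {pos:2d}   {pos} * 11 * {i} * {i} = {term}")
    print("serial('NUKEM')  =", serial("NUKEM"))
    # Constructed long name: the raw sum (1580150) exceeds the cutoff, so the
    # 1.2 division loop runs three times
    print("serial('z' * 25) =", serial("z" * 25))
```

Everything the check needs is inside the binary: the serial is a pure function of the name with no secret, so once the formula has been read out every valid serial can be reproduced, and the cutoff caps the whole serial space at 1000000 values. An offline check of this shape is not fixed by a fancier formula; the client has to verify something it cannot mint, such as a signature over the name checked with a public key shipped in the program.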
Final Notes
This program wasn't so hard to crack, don't you
think? I find it hard to believe that crackers like NUKEM can't crack it, but let me guess that he's
just lazy... NEXT TIME USE LONGER NAMES ;-)
Last note: this tutorial goes to my sweet babe who wants to learn how to crack. I love you
honey
SEE YOU SPACE COWBOY...