CrackMe No. 4
by Andrénalin
Tutorial by Lucifer48 [Immortal Descendants]
(August 25th, 1999)
The crackme is written in VB6 (in my view, easier to crack than VB5). Using SmartCheck (or, more simply,
your brain), we can guess that there is a timer, which means the serial is tested continuously
(like Winamp). I enter a few digits: 1, 9, 9, 9... and set bpx hmemcpy; after F10, F10 we leave
MSVBVM60!.text and arrive in VB_CRKME4!.text:
CALL [EAX+000000A0]
CMP EAX,ESI
JGE ...
PUSH 00000A0
Hmemcpy breaks here several times, at different places:
XXXX:0040B24F and XXXX:0040B320
XXXX:00406B2F and XXXX:00406B00
XXXX:00408EBF and XXXX:00408F90
(I may have forgotten an address?)
Looking at the addresses, we can see that the timer launches different routines: XXXX:0040B24F and
XXXX:0040B320 aren't far from each other, so they belong to the same function (the same remark applies to
XXXX:00408EBF and XXXX:00408F90, and so on).
So we have several procedures to study; these addresses are located at the beginning of each check
routine, so we have to trace a little to see what happens.
Let's study the first procedure where hmemcpy broke (here at XXXX:0040B24F):
XXXX:0040B3A1 MOV [EBP-00B4],ESI
XXXX:0040B3A7 MOV [EBP-00C4],ESI
XXXX:0040B3AD CALL [MSVBVM60!__vbaLenVar] ;d *(eax+8) to see your serial...
This is the main loop:
XXXX:0040B432 CALL [MSVBVM60!rtcMidCharCharBstr]
...
XXXX:0040B444 CALL [MSVBVM60!rtcAnsiValueBstr] ;result in al
...
XXXX:0040B469 FLD REAL8 PTR [EBP-030C] ;the ascii value
XXXX:0040B46F FADD REAL8 PTR [EBP-00CC] ;+1 (in my case)
...
XXXX:0040B489 CALL [MSVBVM60!rtcHexBstrFromVar] ;hex conversion of the above result
...
XXXX:0040B505 CALL [MSVBVM60!__vbaVarForNext] ;NEXT (of the loop)
The loop walks through each character of the serial, then comes a classic comparison:
XXXX:0040B51A PUSH EAX
XXXX:0040B51B MOV DWORD PTR [EBP-00AC], 00401E50
XXXX:0040B525 MOV DWORD PTR [EBP-00B4], 00008008
XXXX:0040B52F CALL [MSVBVM60!__vbaVarTstEq] ;equal ?
XXXX:0040B535 TEST AX,AX
Remark: this is what we can see at 00401E50:
"0817E747D7AFF7C7F82836D74RR7A7F7E7B7C7D826D81KE7B7C"
For my serial (1999), I get: 0323A3A3A
(the leading 0 is prepended; the hex numbers that follow you should be able to work out: 31h+1 = 32h, 39h+1 = 3Ah...)
Since our transformed serial is the output of [MSVBVM60!rtcHexBstrFromVar], it can never contain an "R";
conclusion: the test is never true.
If we continue tracing, we see the same snippet (the same loop) 15 times; each time the comparison with
[MSVBVM60!__vbaVarTstEq] fails because the string compared against our transformed serial contains non-hex
characters (R, K, W, Q, ...).
We must visit the other check routines... (they look like the previous one: again lots and lots of comparisons
that can never succeed...) and finally I found the right place:
XXXX:004065E3 PUSH ECX
XXXX:004065E4 MOV DWORD PTR [EBP-00AC], 00402390
XXXX:004065EE MOV DWORD PTR [EBP-00B4], 00008008
XXXX:004065F8 CALL [MSVBVM60!__vbaVarTstEq]
The string at 00402390 is: "0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C";
it contains only hex digits, so it could work!
If you look at the FADD instruction (in the loop just above), we see +19, and I realize that it doesn't
match! With 1999 we would get 44h 4Ch 4Ch 4Ch, far away from 82... However, I have browsed every string in
memory, and this is the only one that can match...
I decide to find out where this +19 comes from, and finally I find:
XXXX:004064A2 CALL [MSVBVM60!__vbaVarForInit] ;FOR (beginning of the loop)
...
XXXX:004064C7 CALL [MSVBVM60!rtcR8ValFromBstr] ;read the first two characters.
XXXX:004064CD FSTP REAL8 PTR [EBP-00CC] ;pop
My 19 comes from my serial 1999: the first two characters are read as a decimal number (Val) and that value
is added to every character. So I must choose the first two characters correctly.
Remark: Val stops at the first non-digit, so "X*" or "X#" gives X ( X={0,1,...,9} ).
We want to obtain 81 7E for the first two characters (81h-7Eh = 3, so the first digit minus the second
must be 3); that gives 6 possible pairs:
4-1; 5-2; 6-3; 7-4; 8-5; 9-6
To obtain 6D (the smallest value in the string), we need a low character such as "*" (2Ah) or "#" (23h);
trying the candidate offsets:
2Ah ("*") + 41d = 53h    23h ("#") + 41d = 4Ch
2Ah ("*") + 52d = 5Eh    23h ("#") + 52d = 57h
2Ah ("*") + 63d = 69h    23h ("#") + 63d = 62h
2Ah ("*") + 74d = 74h    23h ("#") + 74d = 6Dh  YES!!!!!!
The serial begins with 74. We subtract 74d (= 4Ah) from each byte of the string at 00402390:
0 37 34 2A 33 30 33 32 35 38 39 23 2A 2A 30 35 34 31 32 33 38 23 37 34 31 32
which gives:
Serial: 74*3032589#**0541238#7412
REGISTRIERT !!! Sehr gut !!!! (German: "Registered!!! Very good!!!!")
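As an added example (not part of the original tutorial and not the crackme's own code), here is a Python
re-implementation of the check routine as described above: Val of the first two characters is the offset,
each character becomes Hex(Asc(c) + offset), and the pieces are concatenated after a leading "0" and compared
with the constant string. It also inverts the routine the way the tutorial does by hand for 6D and 81 7E, but
over every two-digit offset, keeping only an offset for which the recovered serial is printable and its own
first two characters give back that offset; run on the string at 00401E50 the same solver finds nothing,
because that string contains non-hex pairs (RR, KE). The Val() emulation is simplified to leading decimal
digits (an assumption; the real Val() also accepts a sign, a decimal point and whitespace), and the two
strings are copied from the tutorial.

```python
# Added example: re-implementation of the VB_CRKME4 check routine as the tutorial
# describes it, plus a solver that inverts it. Not the crackme's own code.

TARGET_00402390 = "0817E747D7A7D7C7F82836D74747A7F7E7B7C7D826D817E7B7C"  # from the tutorial
DECOY_00401E50 = "0817E747D7AFF7C7F82836D74RR7A7F7E7B7C7D826D81KE7B7C"   # from the tutorial


def vb_val(s):
    """Simplified VB Val(): value of the leading decimal digits, 0 if none.
    Assumption: the real Val() also accepts sign, decimal point and whitespace;
    the tutorial only relies on "digits, then stop at the first non-digit"."""
    n = 0
    for ch in s:
        if not ch.isdigit():
            break
        n = n * 10 + int(ch)
    return n


def transform(serial):
    """What the check routine computes from the entered serial:
    offset = Val(first two characters); result = "0" & Hex(Asc(c) + offset) for each c."""
    offset = vb_val(serial[:2])
    out = "0"  # the leading 0 the tutorial notes is prepended
    for ch in serial:
        out += format(ord(ch) + offset, "X")  # Hex() gives uppercase, no leading zeros
    return out


def check(serial, target=TARGET_00402390):
    """The __vbaVarTstEq comparison."""
    return transform(serial) == target


def untransform(target, offset):
    """Invert transform() for one candidate offset: strip the leading "0", then
    subtract the offset from each hex pair. Returns None if a pair is not hex
    (as in the decoy string) or a recovered byte is not printable ASCII."""
    body = target[1:]
    if len(body) % 2:
        return None
    chars = []
    for i in range(0, len(body), 2):
        try:
            v = int(body[i:i + 2], 16) - offset
        except ValueError:
            return None
        if not 0x20 <= v <= 0x7E:
            return None
        chars.append(chr(v))
    return "".join(chars)


def solve(target):
    """Try every two-digit offset (the routine reads only two characters).
    A candidate is valid only if it is self-consistent: Val() of the recovered
    serial's first two characters must equal the offset used to recover it,
    and re-running the check must succeed."""
    hits = []
    for offset in range(100):
        serial = untransform(target, offset)
        if serial is not None and vb_val(serial[:2]) == offset and check(serial, target):
            hits.append(serial)
    return hits


if __name__ == "__main__":
    print("1999 ->", transform("1999"))          # offset 19: 0 44 4C 4C 4C
    print("decoy solvable:", solve(DECOY_00401E50))
    print("serial(s):", solve(TARGET_00402390))
```

The self-consistency test in solve() is what replaces the tutorial's manual pairing of 81 7E and 6D: the
offset is derived from the serial itself, so only an offset whose subtraction yields a serial starting with
that same two-digit number can be the real one, and for this string there is exactly one.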
Greetings: All ID members (Volatility, Torn@do, ...), Eternal Bliss, ACiD BuRN,
Duelist, LaZaRuS, people on #cracking4newbies, french crackers, ...
(c) Lucifer48. All rights reversed