Cracking 2

home *** CD-ROM | disk | FTP | other *** search

/ Cracking 2 / Cracking II..iso / Texty / crackme / SiFLyiNG_3.txt < prev next >

Wrap

Text File | 1999-07-25 | 3.5 KB | 92 lines

SiFLyiNG's Tutorial #3 ____________________________________________________________________________ Target : CupOfCoffee Crackme 1 in VB d/l it on Eternal Bliss Site : http://crackmes.cjb.net Protection type : Code, VB Level : the author says it's a little tricky but easy Tools needed : SoftIce 3.xx Some basis of VB cracking ____________________________________________________________________________ Before Beginning... First, you run the crackme... type any serial you want. First observation : wingdings 2 font, so what you type appears as a nonsence. But that's not a problem... i think there is nothing else to say. ____________________________________________________________________________ The essay... This crackme is programmed in VB, so we can use breakpoints on functions like : MultiByteToWideChar ( converts a string to wide char, ie the chars of the string are separated by null char ), __vbaStrCmp or __VbaStrComp. Let's use __VbaStrCmp. So you type in Sice 'Bpx __vbaStrCmp'. Come back to the prog, and type '123456' for example. Press 'check' and you're back to SoftIce. There you press F11 to return from the call to the routine. Then you see : CALL [MSVBVM50!__vbaStrCmp] but if you trace up a bit the code you see : MOV ECX, [EBP-18] PUSH ECX PUSH 00401BE4 CALL [MSVBVM50!__vbaStrCmp] Hummm, there must the solution here. Disable your breakpoints by 'Bd *' then make a breakpoint on the line PUSH ECX just before the call (just double-click on the line). Exit from SoftIce, and press 'Check it' another time. Then you're back in SoftIce and you see: PUSH ECX PUSH 00401BE4 CALL [MSVBVM50!__vbaStrCmp] Press 'd ECX' and you should see '1.2.3.4.5.6' where the points represent null char (our fake code has been converted to WideChar). So, our fake code converted to WideChar is pushed just before the Call __vbaStrCmp. It means that it will be compared with the other string pushed before the Call which MUST be the real code. So 00401BE4 must be the adress where the real code is stored. So we try : 'd 401BE4' but what can we see ??? 2E 00 2E 00 2E 00 2E 00 - 2E 00 2E 00 2E 00 2E 00 ................ 2E 00 2E 00 00 00 00 00 - 24 00 00 00 49 00 6E 00 ........$...I.n. What's that ??? our string is compared with null char ??? no no. Just open your eyes and you'll see the truth :) We know that our code is in WideChar... so it must be compared with a widechar string. And look at the hexa display : 2E 00 2E 00 2E 00 2E 00 - 2E 00 2E 00 2E 00 2E 00 ................ 2E 00 2E 00 00 00 00 00 - 24 00 00 00 49 00 6E 00 ........$...I.n. Isn't this WideChar ? of course it is ! But what's these 2E ? 2E is simply the ascii code for the '.' So the code might be '..........' Count the number of 2E : there are 10 so there are 10 '.' in the code. Disable all breakpoints, exit from SoftIce and enter '..........' then press the check button : cool :) ____________________________________________________________________________ The end... Voilà, it's finished... we found the only correct code for this crackme. The author had reason : 'little tricky but easy' SiFLyiNG siflying@ifrance.com Greetz : Eternal Bliss, Acid Burn, Lucifer48, Skymarshall, Gluconzip, Earwax all the french crackers, all writers of tutorial...