- CrackMe #3 By Adrénalin
- -----------------------
- Tools Used:
- SoftIce
-
- ---
- Protection:
- Code
-
- ---
- First, you need to have MSVBVM50.DLL loaded in your S-ICE exports.
- Start the crackme, enter a code, set breakpoints on rtcAnsiValueBstr and
- __vbaStrComp, and press the OK button. On the first break you will land here:
-
- :00401FAA FF1508414000 CALL [MSVBVM50!rtcAnsiValueBstr] ; ax = ascii val of current char
- :00401FB0 66050A00 ADD AX,000A ; ax = ax + 10
- :00401FB4 0F80B0020000 JO 0040226A
-
- So it modifies our chars, hmm, interesting :)
- Disable the rtcAnsiValueBstr breakpoint and press F5, and you will break on
- __vbaStrComp. Step on until you come here:
-
- :00402050 6685C0 TEST AX,AX
- :00402053 0F84C0000000 JZ 00402119
-
- Look up a bit and you'll see this:
-
- :00402036 C7855CFFFFFF8C1A4000 MOV DWORD PTR [EBP-00A4],00401A8C
- :00402040 C78554FFFFFF08800000 MOV DWORD PTR [EBP-00AC],00008008
- :0040204A FF1540414000 CALL [MSVBVM50!__vbaVarTstEq]
- :00402050 6685C0 TEST AX,AX
- :00402053 0F84C0000000 JZ 00402119
-
- hmm =), do a 'd 401a8c' and you'll see k.X.y.^.r.O.|.*.y.X.o.*.m.\.k.M.u.O.n.*.+
- Because it's a VB prog, the string is in widechar format, which means that it
- really looks like this: kXy^rO|*yXo*m\kMuOn*+. Take each char from this string,
- sub 10 (0Ah) from it, and you'll get the right code. I've coded a small
- C program which does the calc much faster, so here is the source:
-
- --- cut from here ---
-
- #include <stdio.h>
-
- int main(void){
-     // kXy^rO|*yXo*m\kMuOn*+ (21 chars) plus one spare byte for the terminator
-     unsigned char name[22]={0x6b,0x58,0x79,0x5e,0x72,0x4f,0x7c,0x2a,0x79,0x58,0x6f,0x2a,0x6d,0x5c,0x6b,0x4d,0x75,0x4f,0x6e,0x2a,0x2b};
-     int i;
-
-     printf("Adrénalin's Crackme3 Key-recovery by Klefz\n");
-
-     for(i=0;i<21;i++){
-         name[i]=name[i]-0xa; // takes each char and sub's Ah from it
-     }
-     name[21]=0x00; // terminate the string with 00h; the array is 22 bytes,
-                    // so this write stays inside it
-     printf("\nThe registration code is: %s\n",(char *)name); // print out the result
-     return 0; }
-
- --- end of file ---
-
- after compiling and running you'll get the code: aNoThEr oNe cRaCkEd !
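-
- The check and its inverse side by side, working directly on the widechar bytes as the 'd 401a8c' dump shows them. This is an added example, not Klefz's code and not the crackme's own; the names check_code and recover_code and the loop layout are assumptions modelled on the listing above. Because the stored string is only a fixed +10 shift of the code, anyone who can read the binary can undo it.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SHIFT 10 /* ADD AX,000A in the listing */

/* Bytes at 00401A8C as dumped: UTF-16LE, so each character is followed
   by a 00 byte (shown as '.' in the dump), ending with a 0000 terminator. */
static const unsigned char stored[] = {
    0x6b,0,0x58,0,0x79,0,0x5e,0,0x72,0,0x4f,0,0x7c,0,0x2a,0,0x79,0,0x58,0,0x6f,0,
    0x2a,0,0x6d,0,0x5c,0,0x6b,0,0x4d,0,0x75,0,0x4f,0,0x6e,0,0x2a,0,0x2b,0,0,0
};

/* Number of 16-bit characters before the terminator. */
size_t stored_len(void) {
    size_t n = 0;
    while (stored[2*n] || stored[2*n + 1]) n++;
    return n;
}

/* Model of the crackme's check (assumed layout): shift every entered
   character by +10 and compare with the stored string. 1 = match. */
int check_code(const char *input) {
    size_t n = stored_len(), i;
    if (strlen(input) != n) return 0;
    for (i = 0; i < n; i++) {
        unsigned wide = stored[2*i] | (stored[2*i + 1] << 8);
        if ((unsigned)(unsigned char)input[i] + SHIFT != wide) return 0;
    }
    return 1;
}

/* Inverse of the shift. Returns the code length, or -1 if the buffer is
   too small or a character does not map back to a single byte. */
int recover_code(char *out, size_t outsz) {
    size_t n = stored_len(), i;
    if (outsz < n + 1) return -1;
    for (i = 0; i < n; i++) {
        unsigned wide = stored[2*i] | (stored[2*i + 1] << 8);
        if (wide < SHIFT || wide - SHIFT > 0xff) return -1;
        out[i] = (char)(wide - SHIFT);
    }
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    char code[64];
    if (recover_code(code, sizeof code) < 0) return 1;
    printf("recovered: %s  check: %d\n", code, check_code(code));
    return 0;
}
```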
-
- Not so difficult after all :)
- ---
- /Klefz - http://klefz.cjb.net