home *** CD-ROM | disk | FTP | other *** search
/ Cracking 2 / Cracking II..iso / Texty / crackme / nitrus_crackme1.txt < prev    next >
Encoding:
Text File  |  2000-01-24  |  8.6 KB  |  186 lines
  1. CrackMe #1 By Nitrus
  2. --------------------
  3. Tools Used:
  4. SoftIce
  5.  
  6. ---
  7. Protection:
  8. Code
  9.  
  10. ---
  11. First, you need to have MSVBVM60.DLL loaded in your S-ICE exports.
  12. Start the crackme, enter a code and set a breakpoint on __vbaLenBstr
  13. and press enter, when softice pops up, and you have pressed F11
  14. you should land here:
  15.  
  16. :0040220D  FF1510104000        CALL    [MSVBVM60!__vbaLenBstr] ; eax = length of entered code
  17. :00402213  83F80A              CMP     EAX,0A                  ; check if it is 10 char long
  18. :00402216  0F850E050000        JNZ     0040272A                ; if it is, jump
  19. :0040221C  8B13                MOV     EDX,[EBX]
  20.  
  21. ok, if you didn't enter a 10 char long code, you won't get further, so
  22. go out and enter a 10 char code, and try again, i entered 1234567890
  23.  
  24. well, go on until you reaches this part
  25.  
  26. :0040225E  6A04                PUSH    04
  27. :00402260  51                  PUSH    ECX
  28. :00402261  C745A401000000      MOV     DWORD PTR [EBP-5C],00000001
  29. :00402268  C7459C02000000      MOV     DWORD PTR [EBP-64],00000002
  30. :0040226F  FF1548104000        CALL    [MSVBVM60!rtcMidCharBstr]     ; gets the 4th char
  31. :00402275  8B35CC104000        MOV     ESI,[MSVBVM60!__vbaStrMove]
  32. :0040227B  8BD0                MOV     EDX,EAX
  33. :0040227D  8D4DE4              LEA     ECX,[EBP-1C]
  34. :00402280  FFD6                CALL    ESI
  35. :00402282  8B3D94104000        MOV     EDI,[MSVBVM60!rtcBstrFromAnsi]; gets the asc value of the 4th char
  36. :00402288  50                  PUSH    EAX
  37. :00402289  6A2D                PUSH    2D                            ; pushes 2Dh = -
  38. :0040228B  FFD7                CALL    EDI
  39. :0040228D  8BD0                MOV     EDX,EAX
  40. :0040228F  8D4DE0              LEA     ECX,[EBP-20]
  41. :00402292  FFD6                CALL    ESI
  42. :00402294  50                  PUSH    EAX
  43. :00402295  FF155C104000        CALL    [MSVBVM60!__vbaStrCmp]        ; compares the entered char 4 with - and stores the value in eax, 0=true 1=false
  44.  
  45. Ok, so now we have found out that the fourth char should be a -
  46. so now our serial is 123-567890
  47.  
  48. go on until you reaches this part
  49.  
  50. :00402310  6A09                PUSH    09
  51. :00402312  50                  PUSH    EAX
  52. :00402313  C745A401000000      MOV     DWORD PTR [EBP-5C],00000001
  53. :0040231A  C7459C02000000      MOV     DWORD PTR [EBP-64],00000002
  54. :00402321  FF1548104000        CALL    [MSVBVM60!rtcMidCharBstr]   ; gets the 9th char
  55. :00402327  8BD0                MOV     EDX,EAX
  56. :00402329  8D4DE4              LEA     ECX,[EBP-1C]
  57. :0040232C  FFD6                CALL    ESI
  58. :0040232E  50                  PUSH    EAX
  59. :0040232F  6A2D                PUSH    2D                          ; pushes 2Dh = -
  60. :00402331  FFD7                CALL    EDI
  61. :00402333  8BD0                MOV     EDX,EAX
  62. :00402335  8D4DE0              LEA     ECX,[EBP-20]
  63. :00402338  FFD6                CALL    ESI
  64. :0040233A  50                  PUSH    EAX
  65. :0040233B  FF155C104000        CALL    [MSVBVM60!__vbaStrCmp]      ; compares the entered char 9 with - and stores the value in eax, 0=true 1=false
  66.  
  67. Woot, another step further, the 9th char should also be a -
  68. now our serial is 123-5678-0
  69.  
  70. go on until you reach this part
  71.  
  72. :004023B2  6A03                PUSH    03                        ; the 3 first chars
  73. :004023B4  52                  PUSH    EDX
  74. :004023B5  FF15C4104000        CALL    [MSVBVM60!rtcLeftCharBstr]; gets the 3 first chars
  75. :004023BB  8BD0                MOV     EDX,EAX
  76. :004023BD  8D4DD4              LEA     ECX,[EBP-2C]
  77. :004023C0  FFD6                CALL    ESI
  78. :004023C2  50                  PUSH    EAX
  79. :004023C3  6A30                PUSH    30                        ; pushes 30h = 0
  80. :004023C5  FFD7                CALL    EDI
  81. :004023C7  8BD0                MOV     EDX,EAX
  82. :004023C9  8D4DE4              LEA     ECX,[EBP-1C]
  83. :004023CC  FFD6                CALL    ESI
  84. :004023CE  50                  PUSH    EAX
  85. :004023CF  6A35                PUSH    35                        ; pushes 35h = 5
  86. :004023D1  FFD7                CALL    EDI
  87. :004023D3  8BD0                MOV     EDX,EAX
  88. :004023D5  8D4DE0              LEA     ECX,[EBP-20]
  89. :004023D8  FFD6                CALL    ESI
  90. :004023DA  50                  PUSH    EAX
  91. :004023DB  FF1524104000        CALL    [MSVBVM60!__vbaStrCat]
  92. :004023E1  8BD0                MOV     EDX,EAX
  93. :004023E3  8D4DDC              LEA     ECX,[EBP-24]
  94. :004023E6  FFD6                CALL    ESI
  95. :004023E8  50                  PUSH    EAX
  96. :004023E9  6A33                PUSH    33                        ; pushes 33h = 3
  97. :004023EB  FFD7                CALL    EDI
  98. :004023ED  8BD0                MOV     EDX,EAX
  99. :004023EF  8D4DD8              LEA     ECX,[EBP-28]
  100. :004023F2  FFD6                CALL    ESI
  101. :004023F4  50                  PUSH    EAX
  102. :004023F5  FF1524104000        CALL    [MSVBVM60!__vbaStrCat]
  103. :004023FB  8BD0                MOV     EDX,EAX
  104. :004023FD  8D4DD0              LEA     ECX,[EBP-30]
  105. :00402400  FFD6                CALL    ESI
  106. :00402402  50                  PUSH    EAX
  107. :00402403  FF155C104000        CALL    [MSVBVM60!__vbaStrCmp]    ; compares our three first chars with 053
  108.  
  109. Great eh? :)
  110. now our serial is 053-5678-0
  111.  
  112. go on until you reaches this part
  113.  
  114. :00402490  6A05                PUSH    05
  115. :00402492  50                  PUSH    EAX
  116. :00402493  FF1548104000        CALL    [MSVBVM60!rtcMidCharBstr]; start on the 5th char
  117. :00402499  8BD0                MOV     EDX,EAX
  118. :0040249B  8D4DCC              LEA     ECX,[EBP-34]
  119. :0040249E  FFD6                CALL    ESI
  120. :004024A0  50                  PUSH    EAX
  121. :004024A1  6A33                PUSH    33                       ; pushes 33h = 3
  122. :004024A3  FFD7                CALL    EDI
  123. :004024A5  8BD0                MOV     EDX,EAX
  124. :004024A7  8D4DE4              LEA     ECX,[EBP-1C]
  125. :004024AA  FFD6                CALL    ESI
  126. :004024AC  50                  PUSH    EAX
  127. :004024AD  6A33                PUSH    33                       ; pushes 33h = 3
  128. :004024AF  FFD7                CALL    EDI
  129. :004024B1  8BD0                MOV     EDX,EAX
  130. :004024B3  8D4DE0              LEA     ECX,[EBP-20]
  131. :004024B6  FFD6                CALL    ESI
  132. :004024B8  50                  PUSH    EAX
  133. :004024B9  FF1524104000        CALL    [MSVBVM60!__vbaStrCat]
  134. :004024BF  8BD0                MOV     EDX,EAX
  135. :004024C1  8D4DDC              LEA     ECX,[EBP-24]
  136. :004024C4  FFD6                CALL    ESI
  137. :004024C6  50                  PUSH    EAX
  138. :004024C7  6A38                PUSH    38                       ; pushes 38h = 8
  139. :004024C9  FFD7                CALL    EDI
  140. :004024CB  8BD0                MOV     EDX,EAX
  141. :004024CD  8D4DD8              LEA     ECX,[EBP-28]
  142. :004024D0  FFD6                CALL    ESI
  143. :004024D2  50                  PUSH    EAX
  144. :004024D3  FF1524104000        CALL    [MSVBVM60!__vbaStrCat]
  145. :004024D9  8BD0                MOV     EDX,EAX
  146. :004024DB  8D4DD4              LEA     ECX,[EBP-2C]
  147. :004024DE  FFD6                CALL    ESI
  148. :004024E0  50                  PUSH    EAX
  149. :004024E1  6A37                PUSH    37                       ; pushes 37h = 7
  150. :004024E3  FFD7                CALL    EDI
  151. :004024E5  8BD0                MOV     EDX,EAX
  152. :004024E7  8D4DD0              LEA     ECX,[EBP-30]
  153. :004024EA  FFD6                CALL    ESI
  154. :004024EC  50                  PUSH    EAX
  155. :004024ED  FF1524104000        CALL    [MSVBVM60!__vbaStrCat]
  156. :004024F3  8BD0                MOV     EDX,EAX
  157. :004024F5  8D4DC8              LEA     ECX,[EBP-38]
  158. :004024F8  FFD6                CALL    ESI
  159. :004024FA  50                  PUSH    EAX
  160. :004024FB  FF155C104000        CALL    [MSVBVM60!__vbaStrCmp]    ; compares our 5th, 6th, 7th and 8th chars with 3387
  161.  
  162. So what have we found out now? YES! now the serial looks like this:
  163. 053-3387-0
  164.  
  165. go further until you reaches this part
  166.  
  167. :0040258A  6A01                PUSH    01
  168. :0040258C  52                  PUSH    EDX
  169. :0040258D  FF15D0104000        CALL    [MSVBVM60!rtcRightCharBstr] ; get the last char
  170. :00402593  8BD0                MOV     EDX,EAX
  171. :00402595  8D4DE4              LEA     ECX,[EBP-1C]
  172. :00402598  FFD6                CALL    ESI
  173. :0040259A  50                  PUSH    EAX
  174. :0040259B  6A37                PUSH    37                          ; pushes 37h = 7
  175. :0040259D  FFD7                CALL    EDI
  176. :0040259F  8BD0                MOV     EDX,EAX
  177. :004025A1  8D4DE0              LEA     ECX,[EBP-20]
  178. :004025A4  FFD6                CALL    ESI
  179. :004025A6  50                  PUSH    EAX
  180. :004025A7  FF155C104000        CALL    [MSVBVM60!__vbaStrCmp]      ; compares the last char with 7
  181.  
  182. so the real serial is
  183. 053-3387-7
  184. enter that and the Caption of the window should become Cracked...
  185. ---
  186. /Klefz - http://klefz.cjb.net