- __________________________________
- / "Surprise, surprise..." \
- .:how to crack plasma's vb crackme:.
- \________^heiko[BLiZZARD]__________/
-
- Crackme name: Comeback
- Crackme by: Plasma
- Date: 4/28/2000
- Type: Name/Serial (VB)
-
- Toolz: Smartcheck v6.03
- Wdasm v8.93 (with widecharstrings enabled)
-
- hi folks,
-
- today i want to show you how to crack plasma's vb crackme in three lessons:
- cracking it, fishing out one real serial and finding the algorithm for
- keygening it.
-
- LESSON 1: crack it
-
- Start the crackme and enter whatever info you like; i used:
-
- name: ^heiko[BLiZZARD]
- serial: 112233
- (you have to enter digits as serial, any other input won't be accepted:
- "You have to fill out the given fields!")
-
- now click on the "CHECK"-button...Hrmm, it says:
-
- "Do you just guess?", hehe, it's right, but not for long, promised!!
-
- Load the crackme into your fixed wdasm and search for the "loser" string,
- "Do you just guess?":
-
-
- * Referenced by a (U)nconditional or (C)onditional Jump at Address:
- |:00402EAD(C) <---- interesting!!
- |
- :00402F16 FF9014030000 call dword ptr [eax+00000314]
- :00402F1C 50 push eax
- :00402F1D 8D4D90 lea ecx, dword ptr [ebp-70]
- :00402F20 51 push ecx
-
- * Reference To: MSVBVM60.__vbaObjSet, Ord:0000h
- |
- :00402F21 FF1538104000 Call dword ptr [00401038]
- :00402F27 8BF0 mov esi, eax
- :00402F29 8B16 mov edx, dword ptr [esi]
-
- * Possible StringData Ref from Code Obj ->"Do you just guess?" <---- it's here!!
- |
- :00402F2B 685C274000 push 0040275C
- :00402F30 56 push esi
-
- Noticed the reference? Let's have a look at 402EAD:
-
-
- :00402EAD 7467 je 00402F16 <---- jumps to "Do you just guess?" if the serial is wrong
- :00402EAF FF9014030000 call dword ptr [eax+00000314]
- :00402EB5 50 push eax
- :00402EB6 8D4D90 lea ecx, dword ptr [ebp-70]
- :00402EB9 51 push ecx
-
- snipp (...) snipp
-
- * Possible StringData Ref from Code Obj ->"You got it, here's your surprise..."
- |
- :00402EC6 68F0264000 push 004026F0
-
- Huh, there it is. The je at 402EAD jumps to the bad message, so if it is
- never taken the code falls through to the good one. We could patch the
- conditional jump like this: je 00402F16 -> NOP, NOP (exchange bytes 74h,67h
- with 90h,90h; a short je is two bytes, so two NOPs replace it exactly).
-
- With this, the serial is right every time.
- Curious about the surprise plasma mentioned? Then start patching and stop
- reading here.
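- To actually apply the patch you need the file offset of those two bytes, not
- the virtual address wdasm shows; the offset comes from the PE section table.
- The script below is an added example (not the author's or plasma's code): it
- maps VA 00402EAD to a file offset through the section headers, refuses to write
- anything unless it finds 74 67 there, and then writes 90 90. Because the
- crackme itself is not on this page, the script also builds a constructed PE32
- skeleton with one section at image base 00400000 (matching the 0040xxxx
- addresses in the listing) so it can run offline; the file name, the section
- layout of that skeleton and the 32-bit-only handling are assumptions.

```python
import struct
import sys

# Byte patch from Lesson 1: the 2-byte short jump "je 00402F16" (74 67)
# at VA 0x00402EAD becomes two NOPs (90 90).
PATCH_VA = 0x00402EAD
OLD_BYTES = b"\x74\x67"   # je +0x67
NEW_BYTES = b"\x90\x90"   # nop; nop


def parse_pe(data: bytes):
    """Return (image_base, [(vaddr, vsize, raw_ptr, raw_size), ...]) for a PE32 image.
    Only the fields needed for VA -> file-offset mapping are read."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here (assumption)")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, rptr, rsize))
    return image_base, sections


def va_to_offset(image_base: int, sections, va: int) -> int:
    """Map a virtual address (as shown by wdasm) to a file offset via the section table."""
    rva = va - image_base
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            off = rva - vaddr
            if off >= rsize:
                raise ValueError("VA lies in the uninitialised tail of the section, not in the file")
            return rptr + off
    raise ValueError(f"VA {va:#x} is not inside any section")


def patch(data: bytes, va: int, old: bytes, new: bytes) -> bytes:
    """Replace `old` with `new` at `va`; touch nothing if the bytes there differ."""
    assert len(old) == len(new), "in-place patch must keep the code size"
    image_base, sections = parse_pe(data)
    off = va_to_offset(image_base, sections, va)
    found = data[off:off + len(old)]
    if found != old:
        raise ValueError(f"expected {old.hex()} at file offset {off:#x}, found {found.hex()}")
    return data[:off] + new + data[off + len(new):]


def is_patched(data: bytes) -> bool:
    """True once the je at PATCH_VA has been replaced by NEW_BYTES."""
    image_base, sections = parse_pe(data)
    off = va_to_offset(image_base, sections, PATCH_VA)
    return data[off:off + len(NEW_BYTES)] == NEW_BYTES


def fake_pe() -> bytes:
    """Constructed, minimal PE32 skeleton (NOT the real crackme): one .text section
    at RVA 0x1000 mapped to file offset 0x400, with the je bytes placed at 0x402EAD."""
    image_base, vaddr, rptr, size = 0x400000, 0x1000, 0x400, 0x3000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, opt hdr 224
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000, 0x1000, 0, image_base)
    opt += b"\0" * (224 - len(opt))
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIII", size, vaddr, size, rptr)
    sec += b"\0" * (40 - len(sec))
    img = bytearray((dos + b"PE\0\0" + coff + opt + sec).ljust(rptr + size, b"\0"))
    off = rptr + (PATCH_VA - image_base - vaddr)
    img[off:off + len(OLD_BYTES)] = OLD_BYTES
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) == 2:                      # python patch.py comeback.exe  (file name assumed)
        raw = open(sys.argv[1], "rb").read()
        open(sys.argv[1] + ".patched", "wb").write(patch(raw, PATCH_VA, OLD_BYTES, NEW_BYTES))
        print("patched copy written")
    else:
        demo = fake_pe()
        print("offset of 402EAD in skeleton:", hex(va_to_offset(*parse_pe(demo), PATCH_VA)))
        print("patched:", is_patched(patch(demo, PATCH_VA, OLD_BYTES, NEW_BYTES)))
```

- The refusal to write when the bytes are not 74 67 is the important part: it
- keeps you from silently corrupting a different build, or from patching the
- same file twice.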
- But if you're a real good cracker (like me..hahaha) you surely want to find
- one real serial for your name or maybe code some keygen, don't you??
-
- Ah, good, so lets try to:
-
- LESSON 2: Find one real serial
-
- Start Smartcheck and open the crackme.
- make sure that you have chosen the following settings:
-
- error detection: all checked
- \-> "Advanced": all checked, except the last three
- reporting: all checked, except "perform analysis of handled vb ..."
-
- run the program and confirm all error messages till "comeback" pops up!
- enter your name and any serial and press "Check". go to smartcheck and end the
- program.
-
- select "show errors and specific events" and click on "_click" to highlight
- that line. now select "show all events". expand the branch by clicking on the +.
- scroll down the tree until you see something like this:
-
- MID$ <-- gets the first character of the name ("^" for me)
- ....
- ASC returns Integer: 94 <-- gets its ord-number ORD('^') = 94
- decimal
-
- MID$ <-- gets the second character of the name
- ....
- ASC returns Integer: 104 <-- gets its ord-number ORD('h') = 104
- decimal
-
- MID$ <-- gets the third character of the name
- ....
- ASC returns Integer: 101 <-- gets its ord-number ORD('e') = 101
- decimal
-
-
- ..and so on..
-
- it adds up the ord-numbers of all characters of the entered name (1448 for
- my name) and multiplies the sum by the length of the name (16):
-
- result: Double(23168) --> String(23168)
-
- if you entered "ab" as name, the result will be:
-
- (ord("a") + ord("b")) * 2 = (97 + 98) * 2 = 390 ! got that????
-
- you may now ask: "hey, is that the real serial??" Try it, but you will be
- disappointed...we have to go further.
-
- just a few lines after the last mid$/asc section there's this smelly line:
-
- Double(370720) --> String(370720)
-
- hrmm...it may be...IT IS !! THAT'S THE f****** SERIAL! So, for
-
- name: ^heiko[BLiZZARD]
- serial: 370720
-
- registers this crackme and reveals its surprise to you..;-)
- (please close and save all open projects before entering the good serial!
- i've warned you...it's plasma's surprise..;)
-
- the serial is (of coz) a different one if you entered YOUR name..*duh*! ;-)
-
- LESSON 3: understand the algorithm
-
- I still wasn't satisfied at this point. I wanted to find the algorithm,
- so that I could do a keygen. I tried some calculations and found the
- algorithm with some ZEN (see sandman's great homepage for further info!).
-
- function Keygen(name: string): LongInt;
- var
-   i, serial: LongInt;
- begin
-   serial := 0;
-   for i := 1 to Length(name) do
-     serial := serial + Ord(name[i]);
-   serial := serial * Length(name);
-   { hehe, here the first digit of the 'interim' serial is added }
-   serial := serial + (Ord(IntToStr(serial)[1]) - Ord('0'));
-   serial := serial * 16;
-   Keygen := serial;
- end;
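-
- The same algorithm as a runnable keygen, as an added example (not the
- author's or plasma's code). The arithmetic is the one given above and is
- checked against the values traced in LESSON 2: 23168 as the interim value and
- 370720 as the serial for the name ^heiko[BLiZZARD]. One assumption: VB's Asc
- returns the ANSI code of a character, and Python's ord agrees with it for
- plain ASCII names, which is what this keygen is meant for.

```python
import sys


def interim(name: str) -> int:
    """Sum of the character codes of `name`, times the length of `name`.
    This is the Double(23168) value SmartCheck showed for ^heiko[BLiZZARD]."""
    if not name:
        raise ValueError("the crackme wants a non-empty name")
    # ord() matches VB's Asc() for ASCII input (assumption for anything beyond that)
    return sum(ord(c) for c in name) * len(name)


def keygen(name: str) -> int:
    """Serial for `name` following the algorithm from LESSON 3:
    interim value, plus its own first decimal digit, times 16."""
    serial = interim(name)
    serial += int(str(serial)[0])   # the 'interim' serial's first digit is added
    return serial * 16


if __name__ == "__main__":
    # usage: python keygen.py "^heiko[BLiZZARD]"   (falls back to the tutorial's names)
    for n in sys.argv[1:] or ["^heiko[BLiZZARD]", "ab"]:
        print(f"name: {n}  interim: {interim(n)}  serial: {keygen(n)}")
```

- For "ab" this gives interim 390, then 390 + 3 = 393, times 16 = 6288.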
-
-
- Now it's your turn...go and code a keygen!!!!! I'm too tired now...;)
-
- Send me your comments and keygens!
- Hope you learned something from this tutorial...
-
- hAVE pHUN'! ^heiko[BLiZZARD]
- mail: heiko@blizzard.st
-
- 06/26/2000 - gREETZ to aLL @ BLZ!! STEALTHLABS !! TheoTraXX !!
-
-
- ...end of tutorial...
-
-