KeyGen Studio 2002

home *** CD-ROM | disk | FTP | other *** search

/ KeyGen Studio 2002 / KeyGen_Studio_2002.iso / Tutorials / Eternal bliss / DEBUG2.ZIP / vbcrackme2.txt < prev next >

Wrap

Text File | 1999-04-14 | 12.2 KB | 391 lines

VBCrackMe 2 explained Written by Etenal Bliss Email: Eternal_Bliss@hotmail.com Website: http://crackmes.cjb.net http://surf.to/crackmes Date written: 14th April 1999 Program Details: Language: Visual Basic Learning Method: Code Explanation SmartCheck functions Viewing Method: Use Notepad with Word Wrap switched OFF Screen Area set to 800 X 600 pixels (Optional) __________________________________________________________________________ About the Essay This is the second of the series of explanation on how coding in VB will affect the cracking process. In these essays, I'll also show you how crackmes are generally written in VB. I've included my thought processes that went through my mind while coding for this crackme. If you have missed the first essay, go to my website and get it. Read it first before reading this because there are some parts which I will not repeat here again. To fully understand what I am describing, it would help if you have the CrackMe running and testing certain stuff out while you read. __________________________________________________________________________ About the Protection This crackme uses a hard-coded code which is hidden using another method different from the 1st CrackMe. This is what I wrote in the textfile for this CrackMe: "Find the correct hardcoded code in this CrackMe. I've disabled the __vbastrcomp breakpoint in Softice and have made sure that the code is not seen explicitly in SmartCheck or in Hexeditor. Since this is more of a practice and taste of VB cracking, I'll give you a few hints: 1) In SmartCheck, although you will not see the REAL code, if you observe carefully, you will see how the real code is constructed. 2) It is possible to trace in Softice." __________________________________________________________________________ A brief explanation on how VB coding is done... Other than the things I mentioned in the first essay, I'd like to add some more commands that are frequently used. Mid("word",2,1) - To get the 2nd char out of the 1st parameter ie "o" **In SmartCheck, you will see Mid() commands as well and it works the same way Asc(x) - x can be any of the 255 characters in ascii format. It will be changed to decimal values. Eg Asc("E") = 69 **Asc() commands are also seen in SmartCheck. & - joins up 2 strings eg "I Love " & "Cracking" = "I Love Cracking" **One possible line you will see in SC is __vbaVarCat and is followed by __vbaVarMove. This two functions are used when the author uses "&" to join 2 strings together Val - get the numbers contained in a string as a numeric value **You will see it exactly the same in SC. For...Next - is a loop with a counter. Examples will be shown below **You will see __vbaVarForInit (initialise the loop) and __vbaVarForNext in SmartCheck. No kidding! __________________________________________________________________________ Main Code I've copied and pasted the main routine found in this crackme which is the protection scheme, the heart of the crackme. In the next section, I'll go into the explanation of some of the lines. Private Sub Command1_Click() Dim x As Variant, num As Variant, tru As Variant c = "10511532" f = "10132" On Error GoTo err2 a = "116104" g = "1141019911632" x = 1 b = "84104" d = "99111" e = "114" h = "100101" If Text1.Text = "" Then Text1.Text = "You have to enter something!" GoTo err1 End If For k = 1 To 5 num = num & Asc(Mid(Text1.Text, k, 1)) Next k tru = b & c x = Val(num) - Val(tru) If x = 0 Then x = 1 num = 0 GoTo next1 Else GoTo err2 End If next1: For k = 6 To 8 num = num & Asc(Mid(Text1.Text, k, 1)) Next k tru = c x = Val(num) - Val(tru) If x = 0 Then x = 1 num = 0 GoTo next2 Else GoTo err2 End If next2: For k = 9 To 12 num = num & Asc(Mid(Text1.Text, k, 1)) Next k tru = a & f x = Val(num) - Val(tru) If x = 0 Then x = 1 num = 0 GoTo next3 Else GoTo err2 End If next3: For k = 13 To 20 num = num & Asc(Mid(Text1.Text, k, 1)) Next k tru = d & e & g x = Val(num) - Val(tru) If x = 0 Then x = 1 num = 0 GoTo next4 Else GoTo err2 End If next4: For k = 21 To Len(Text1.Text) num = num & Asc(Mid(Text1.Text, k, 1)) Next k tru = d & h x = Val(num) - Val(tru) If x = 0 Then Text1.Text = "You have solved it! Good Work!" Text1.Enabled = False Command1.Enabled = False Command3.Enabled = True Command3.Caption = "&Again!" Command2.SetFocus GoTo err Else GoTo err2 End If err2: Text1.Text = "Wrong! Try Again!!" err1: Text1.Enabled = False Command1.Enabled = False Command3.Enabled = True Command3.SetFocus err: End Sub __________________________________________________________________________ Code Explanation 1) Dim x As Variant, num As Variant, tru As Variant =================================================== x, num and tru are variables. Variables are like containers that can contain values. Depending on the type of values required, the "containers" will have to be initialised to make sure that they can contain the values required. Using "Dim", x, num and tru are initialised to contain values of Variant type. This will be useful later. 2) c = "10511532" f = "10132" On Error GoTo err2 a = "116104" g = "1141019911632" x = 1 b = "84104" d = "99111" e = "114" h = "100101" ============================================ These lines are actually the answer to the CrackMe. Doesn't look like it, right? That is what I meant when I said I hide the hardcoded code using another method. The numbers shown here are actually decimal values of the correct code. Therefore, c = "is " f = "e " a = "th" g = "rect " b = "Th" d = "co" e = "r" h = "de" The value of x is 1 and will be used later. 3) If Text1.Text = "" Then Text1.Text = "You have to enter something!" GoTo err1 End If ============================================== This part of the code is to make sure the the user enter something. If the text in textbox 1 is blank, it will be considered "". Then, "You have to enter something!" will be shown in the textbox. "GoTo err1" just tells the CrackMe to go to the end of the code where the pointer "err1:" is found. That will end the whole routine. Notice that this uses the String compare routine and will break on __vbaStrComp 4) For k = 1 To 5 num = num & Asc(Mid(Text1.Text, k, 1)) Next k ============================================== This is a loop set to run 5 times ("For k = 1 To 5") The next line is actually contains 3 functions: a) Mid(Text1.Text, k, 1) To get the kth char from the text you entered. "1" is to signify the number of char to retrieve starting from the kth b) Asc() Since a char would have been retrieved in the Mid() function, Asc() will convert that to its decimal value. c) num = num & Asc() What this does is to join up the result of converting the char to decimal value with anything in the "num" variable. So, the overall function of this 3 lines is to convert the 1st to the 5th char of what you entered to their decimal values and join them up. eg. ABCDE = 6566676869 Now, do you understand why I convert them to decimal? Do you remember that I had the correct code in decimal values? Instead of converting the correct value into ascii format and directly compares with what you entered, it would be slightly more difficult if I change what YOU type into something else. So, you will NEVER see the correct code in ascii format! 8) 5) tru = b & c ============================================== Now that "num" contains what you typed. "tru" will actually contain the correct 1st 5 chars. notice it is "b & c" which will combine 84104 and 10511532 together. Note: it is not ADDITION but just joining to form 8410410511532 If I were to convert it to ascii format, it will be "This " 6) x = Val(num) - Val(tru) If x = 0 Then x = 1 num = 0 GoTo next1 Else GoTo err2 End If ============================================== This is the comparison routine with a twist. Instead of comparing "num" with "tru" using "If num = tru Then" line, I get the value of "num" and "tru" and subtract them against each other. The effect? Well, if they are the same, the result in "x" will be 0! Then "If x = 0 Then" line actually implies that if value in "num" is equal to value in "tru", then proceed to the pointer "next1:" otherwise ("Else") go to the pointer "err2:" to be shown a message. And followed by a "End If" to show that it is the end of this query. Remember that at the start, I initialised "x" to be a container carrying Variant type data? When I used "If x = 0 Then", I am calling the function to compare variants and will result in the breakpoint __vbaVarTstEq to break in Softice. Since it is vb6, you will have to type msvbvm60! in front. In SC, you will see lines with __vbaVarTstEq too. 8) I said I have disabled __vbaStrComp, this is what I meant. I simply did not use the String comparison routine. 8) Now, since I know that this breakpoint works, if I were to use "If num = tru Then" line instead of subtracting them first and comparing the result with 0, when a cracker breaks using __vbaVarTstEq, he would be able to sniff out the value of num and tru because they are comparing directly with each other! That is the reason why I code this comparison routine this way... Subtracting the entered value with the correct value to see if the result is 0. So, even if you were to break using this function, you will see some value compared with 0 but never the correct characters. Nice? 8P The next few sections in the code mirrors what I have described in 5 and 6. Comparing word by word for the correct code. When the word is incorrect, the crackme will jump to the "err2:" pointer and the textbox will show "Wrong! Try Again!!" If every word is correct, you will continue smoothly down the lines until you are shown "You have solved it! Good Work!". __________________________________________________________________________ How to Crack such VB protection schemes In the first CrackMe, it used String compare thus __vbaStrComp is the breakpoint. In this CrackMe, Variant Compare is used and thus __vbaStrComp will not break on the compare routine although it will at the line "If Text1.Text = "" Then". In VB, the function to compare variants is __vbaVarTstEq (VARiant TeST EQual) So, in Softice, setting the breakpoint using "bpx msvbvm60!__vbaVarTstEq" (or msvbvm60!__vbaVarTstEq) will cause Softice to break when the Cracker click on the "Register" button. msvbvm60! is added in front because this CrackMe is written in VB6. The codes used in the dll for this compare will also be the same so, it will be quite useful if you get used to them. There are functions such as __vbaVarTstGt, __vbaVarTstNe and I leave it up to you to discover what they mean. Just looking at them would give you a hint. 8) __________________________________________________________________________ Additional points For other breakpoints and compare methods, you can get my two essays on VB cracking found on my website. SmartCheck logfile with the source is included together with this textfile "Debug2.zip". Unzip everything in it and double click on the debug2.sce file. If you have installed SmartCheck, SmartCheck will open up and the usual lot of information is shown. However, in this case, since the source code is included, when you click on threads in Command1_Click line, you will see how the source code is processed and how it is presented in SmartCheck. A definite learning experience for those who are struggling with SmartCheck usage. The first Command1_Click shows the lines processed when the correct code is entered. The second Command1_Click shows the lines processed when the code entered is wrong. __________________________________________________________________________ End of File I would like to thank Jeff for giving me this idea of writing essays on how I created my CrackMe, what commands will result in what breakpoints to use in Softice and how SmartCheck's usefulness is exploited. All the best to those reading this essay in VB cracking!