CarLitoZ bPe CrackMe v1.0
Visual Basic 5
Written by McCodEMaN

Introduction


Greetings and welcome to the noble art of reverse engineering!

To defeat this CrackMe you need to enter a valid serial. I will show you two methods: the first approach uses SmartCheck and the second uses SoftIce.
Please note: If you want to remove the CrackMe from your computer, there is a file called MTR.DAT located in your Windows directory!

VB5 programs use a file called msvbvm50.dll,
so when you use SoftIce in the second part, make sure that...

   EXP=C:\windows\system\msvbvm50.dll

is active in your softice.dat file.
If you don't have this string you should add it!


You should also activate:

   EXP=C:\windows\system\shell32.dll
   EXP=C:\windows\system\shell232.dll
   EXP=C:\windows\system\advapi32.dll

To activate them, remove the semi-colons in front of them!



Tools required

Numega SmartCheck v6.x
Numega SoftIce v3.2x


Target's URL

http://crackmes.cjb.net



Essay

 



 
First Approach: Using SmartCheck!
 

Step1 Run SmartCheck and configure the settings like this:

      Under Program/settings menu:

     *ERROR DETECTION: Check all boxes except 'Report errors immediately'

     *ADVANCED SETTINGS: Check the first four boxes. The others should be empty!

     *REPORTING: All boxes should be checked except the one for:
                                'Report Mouse Move events from ocx controls'
 
 
 

Step2 OK, now you are ready to fight!
 
 

Step3 Load bPe CrackMe.exe by clicking 'File' and 'Open', => open bPe CrackMe1.exe!
 
 

Step4 Run Bpe_cme1.exe in SmartCheck by pressing F5 or by pressing the run button in the
          toolbar.
 
 

Step5 Ok, now you are going to type in a fake serial. I use: 1234567890.
         The program validates the serial and tells you that it was wrong.
         Now terminate bPe CrackMe1.exe by clicking on the stop button.
 
 

Step7 Ok, open Reg_Click by clicking the ' + ' sign.
         This is a subroutine in Visual Basic that is called when you press the register button.
 
 

Step8 Go down to Text . Text and make sure it's highlighted!
         Then choose 'Show All Events' under 'View'.
 
 

Step9 Now you should be able to see:
 
 Text . Text
 Mid
 Mid
 Mid
 Mid
 Mid
 Mid
 Mid
 Mid
 __vbaVarAdd   returns  DWORD:63F260
 
 Now, if you go to the first __vbaVarAdd you will see some information in the right window, and you will see:

                    "r" <= The first char in our valid serial

                    "k" <= The second char in serial
 

        __vbaVarAdd  returns  DWORD:63F220 <= "rk"  and add "h"          (add variant to string)

        __vbaVarAdd  returns  DWORD:63F1E0 <= "rkh" and add "1"

        __vbaVarAdd  returns  DWORD:63F1A0 <= "rkh1" and add "o"

        __vbaVarAdd  returns  DWORD:63F160 <= "rkh1o" and add "y"

        __vbaVarAdd  returns  DWORD:63F120 <= "rkh1oy" and add "i"

        __vbaVarAdd  returns  DWORD:63F0E0 <= "rkh1oyi" and add "e"

        __vbaVarTstEq  returns  DWORD:0 <= "rkh1oyie"                                   (cmp two strings)
 
 

Step9 The fake serial can be found two strings down at: SysFreeString => 1234567890 and the
          valid serial is once again exposed at the next string!
 
 
 

Second Approach: Using SoftIce!
 

Step1 Run bPe CrackMe1.exe and type in a fake serial.
 

Step2 Fire up SoftIce and set a breakpoint with bpx __vbastrcomp, then return to bPe.exe and press
         [Register]; SoftIce breaks in MSVBVM50!__vbastrComp.
         Please note: after bpx come two underscores!
 

Step3 F10 down to......

                 :0F003577      MOV   ESI , [EAX - 04]
 
          EAX = Fake serial!
 
 

Step3 Trace down to.......

                  :0F003588      MOV   EDI , [ECX-04]

          d  ecx-04 => .r.k.h.1.o.y.i.e. ( In wide char)
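
The dots in the wide-char dump above come from the way VB stores strings as BSTRs: a 4-byte length prefix sits just before the pointer, followed by UTF-16LE characters whose zero high bytes show up as '.' in a debugger's ASCII pane. The Python sketch below is an added example, not part of the original essay or the CrackMe; it assumes the [EAX-04] and [ECX-04] reads are fetching that length prefix, and the buffer it parses is constructed from the fake serial used above.

```python
import struct

def make_bstr(text):
    """Build a constructed BSTR image: 4-byte little-endian byte length,
    UTF-16LE characters, 2-byte NUL terminator.
    Returns (memory, pointer); the pointer is the offset of the first
    character, which is what a BSTR variable (EAX/ECX above) holds."""
    data = text.encode("utf-16-le")
    return struct.pack("<I", len(data)) + data + b"\x00\x00", 4

def read_bstr(mem, ptr):
    """Recover the string whose character data starts at mem[ptr]."""
    if ptr < 4 or ptr > len(mem):
        raise ValueError("pointer leaves no room for the length prefix")
    # Assumed equivalent of MOV reg,[ptr-04]: fetch the byte length.
    (nbytes,) = struct.unpack_from("<I", mem, ptr - 4)
    if nbytes % 2 or ptr + nbytes > len(mem):
        raise ValueError("length prefix is odd or runs past the buffer")
    return mem[ptr:ptr + nbytes].decode("utf-16-le")

def ascii_pane(mem):
    """Render bytes the way a debugger's ASCII column does:
    printable bytes as themselves, everything else as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in mem)

if __name__ == "__main__":
    # Constructed sample: the fake serial typed in Step5 of the first approach.
    mem, ptr = make_bstr("1234567890")
    print("length prefix :", struct.unpack_from("<I", mem, ptr - 4)[0], "bytes")
    print("ASCII pane    :", ascii_pane(mem))
    print("decoded string:", read_bstr(mem, ptr))
```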
 
 
 

Ok,..... this CrackMe is Cracked!

 
 
 

Final Notes




I would like to thank:

Razzia, for making me interested in VB in the first place!
Jeff, for making me come back to the VB environment after a long vacation!
Eternal Bliss, for providing us with a great VB source!



When ever there is a door,
there is an entrance.
And behind an entrance can no secret hide,
when a cracker takes his knowledge for a ride



ObDuh

The information in this essay is for educational purposes only!
You are only allowed to crack, reverse engineer, modify code and debug programs that you legally bought, and then for personal use only!!
To ignore this warning is a criminal act and can result in lawful actions!

So please note!
I take no responsibility for how you use the information in this essay, I take NO responsibility for what might happen to you or your computer! You use this information at your own risk!!

What I mean is: Please buy the software!









Essay written by McCodEMaN ©TRES2000. All Rights Reserved.