Reverse Code Engineering - RepZ VB 5.0 CrackMe
Writing A Key Generator
Author: Volatility

Please Read The Disclaimer Before Continuing.


Target: RepZ Visual Basic 5.0 CrackMe - (vb5goods.zip) - 12,914 bytes
Location: http://members.xoom.com/Ryanosis/vb5goods.zip
Protection(s): User Name/Serial Number
Tools Needed: NuMega SmartCheck (5.0 Or Above)
Level: (X) Beginner ( ) Intermediate ( ) Advanced ( ) Expert

Many crackers consider SmartCheck a "lazy" or "cheater's" crack... I say bah!  A crack is a crack!  Especially when you can figure out a complete calculation to write a key generator.

Prepare To Crack:

Upon trying to disassemble this program, or running QuickView on it, we can see that it is written in Visual Basic 5.0, so we know that our favorite functions (GetWindowTextA and GetDlgItemTextA) won't work.  I usually run a Visual Basic program through SmartCheck once, to see if I can find anything of interest...  if nothing is found, I move on to Soft-Ice... but in this case, just SmartCheck will do.

Run SmartCheck, and open the program (vb5crkme.exe) by choosing "File", "Open", "vb5crkme.exe".  You'll get a message about the program being compiled in "P-Code".  Ignore this, and click "Continue Opening Program".

Now click the button with the green arrow on it in the toolbar to start the program.  Right after clicking the button, choose "View", then "Show All Events".

You must now QUICKLY enter a user name, and a serial number... after doing this, you can close the program by clicking on the "X".

NOTE:  You must enter your info quickly, because the "scrolling text" uses a timer, which will leave you with a TON of garbage in SmartCheck if you wait too long.  If your user name is at least five characters long, it will make the routine MUCH easier to calculate -- as you'll see, and as I found out the hard way.

Now that you've closed the program, choose "View", "Expand All"...  this allows you to see EVERYTHING that has happened.  Now you can begin to look for the calculation, or anything else of interest.

We know that we can ignore all the "Timer1_Timer" lines, as these were caused by the scrolling text.  Scroll down for a bit, and we will see some very interesting code!  It starts at the line "PWSerialTxt_Change".  This is where you entered your serial number.  If you scroll down further, you'll notice that for each character you entered for a serial number, this routine was repeated.  Each instance is exactly the same, so we only need to single out one.  My results are as follows:
 
PWSerialTxt_Change
PWNameTxt.Text
PWNameTxt.Text
PWNameTxt.Text
Left(VARIANT:String:"Volatili...", long:1)
Right(VARIANT:String:"V", long:1)
Asc(String:"V") returns Integer:86
Right(VARIANT:Integer:86, long:2)
PWNameTxt.Text
Left(VARIANT:String:"Volatili...", long:2)
Right(VARIANT:String:"Vo", long:1)
Asc(String:"o") returns Integer:111
Right(VARIANT:Integer:111, long:2)
*** Snip ***
Left(VARIANT:ByRef String:"21160508...", long:10)

For those of you who don't know any Visual Basic.... The routine first does the following:

1) Get the first character from the user name you entered ( PWNameTxt.Text )
2) Get the first character's decimal value ( Asc(String:"V") returns Integer:86 )
3) Get the furthest right two characters from this value ( Right(VARIANT:Integer:86, long:2) )
4) Move on to the next character of the user name ( PWNameTxt.Text )

I snipped out the rest, because the routine does the same thing for each character of the user name you entered.  At the end of the routine, you'll see the interesting line "Left(VARIANT:ByRef String:"21160508...", long:10)".  If you click on this line once, and look at the right window, you'll see a string of numbers.  If you're over-zealous like me, you'll try this number as your serial number, and see that it doesn't work... so we have to go back and see what the line does.

After analyzing a bit, we can deduce that all the values we got from the steps above were concatenated together to form this end value.  After a bit more analysis, we can see that the routine gets the first 10 characters of this number "Left(VARIANT:ByRef String:"21160508...", long:10)".  Try these 10 numbers, and we're registered!

Now for the key generator calculation:
 
RegName = Text1.Text                'Put User Name Into "RegName" Variable
RegLength = Len(RegName)            'Get length of name
RegCode = ""                        'Start from an empty code each time
For c = 1 To RegLength              'Loop using length
    RegChar = Mid(RegName, c, 1)    'Get one char at a time
    AscReg = Asc(RegChar)           'Get decimal value of the character
    AscRegR2 = Right(AscReg, 2)     'Get the right two characters of the value
    RegCode = AscRegR2 & RegCode    '"Join" the two numbers (new pair goes in front)
Next                                'Repeat routine for the next character
RegCode = Left(RegCode, 10)         'Serial Number is the left 10 numbers of the end value
Text2.Text = RegCode                'Display the serial number
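
Added example (not part of the original essay or of the CrackMe's own code): a Python model of the calculation above, checked against the SmartCheck trace, showing that the serial involves no secret and depends only on the last five characters of the name. ASCII names are assumed; keyed_serial and its demo secret are hypothetical, included only as a contrast.

```python
import hashlib
import hmac


def vb_right(value, n):
    """Model of VB's Right(): the last n characters of the value's string form."""
    return str(value)[-n:]


def repz_serial(name):
    """Serial as derived in the listing above: each character's decimal code is
    cut to its last two digits and placed in front of the digits collected so
    far; the first ten digits of the result are the serial."""
    code = ""
    for ch in name:
        code = vb_right(ord(ch), 2) + code
    return code[:10]


def effective_input(name):
    """The only part of the name that can influence the ten-digit serial
    (for characters whose code has at least two digits)."""
    return name[-5:]


def keyed_serial(name, secret):
    """Contrast (assumption, not from the page): a serial bound to the whole
    name by a secret that stays with the issuer, for example on a licence
    server, instead of being recomputable from the name alone."""
    mac = hmac.new(secret, name.encode("utf-8"), hashlib.sha256).hexdigest()
    return mac[:20]


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"  # constructed sample value
    for name in ("Volatility", "Agility", "Bob"):
        print(name, repz_serial(name), keyed_serial(name, demo_secret))
```

Names shorter than five characters yield fewer than ten digits, which is why the essay recommends a user name of at least five characters when reading the trace.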


*** Disclaimer ***
This Essay Is For Knowledge Purposes Only. Neither We, Our ISP, Nor Any Persons Mentioned Shall Be Held Liable For Any Damages Improper Usage May Cause To Your Machine.

If You Successfully Crack A Program, You Must Delete It Immediately. If You Want To Keep The Program, Please BUY It! Support Shareware, This Is Our Learning Tool!

It Is Illegal To Continue To Use Cracked/Patched Software.


Copyright © 1999 Volatility And The Immortal Descendants. All Rights Reserved.