CrackMe #2 By Adrnalin
-----------------------
Tools Used:
SoftIce

---
Protection:
Name/Serial

---
First, you need to have MSVBVM50.DLL loaded in your S-ICE exports.
Start the crackme, enter a name and serial, set a breakpoint on rtcAnsiValueBstr
and press the OK button. When S-ICE breaks, you will land here:

:00402170  FF150C414000        CALL    [MSVBVM50!rtcAnsiValueBstr]
:00402176  6689854CFFFFFF      MOV     [EBP-00B4],AX
:0040217D  8D55CC              LEA     EDX,[EBP-34]
:00402180  8D8544FFFFFF        LEA     EAX,[EBP-00BC]

There we are, in the middle of the routine. The whole routine is:

:00402132  85C0                TEST    EAX,EAX                     ; EAX = counter
:00402134  0F849C000000        JZ      004021D6                    ; checks if all chars is processed
:0040213A  8D5594              LEA     EDX,[EBP-6C]
:0040213D  8D45DC              LEA     EAX,[EBP-24]
:00402140  52                  PUSH    EDX
:00402141  50                  PUSH    EAX
:00402142  C7459C01000000      MOV     DWORD PTR [EBP-64],00000001
:00402149  895D94              MOV     [EBP-6C],EBX
:0040214C  FF1590414000        CALL    [MSVBVM50!__vbaI4Var]
:00402152  8D4DBC              LEA     ECX,[EBP-44]
:00402155  50                  PUSH    EAX
:00402156  8D5584              LEA     EDX,[EBP-7C]
:00402159  51                  PUSH    ECX
:0040215A  52                  PUSH    EDX
:0040215B  FF1538414000        CALL    [MSVBVM50!rtcMidCharVar]
:00402161  8D4584              LEA     EAX,[EBP-7C]
:00402164  8D4DA8              LEA     ECX,[EBP-58]
:00402167  50                  PUSH    EAX
:00402168  51                  PUSH    ECX
:00402169  FF1570414000        CALL    [MSVBVM50!__vbaStrVarVal]
:0040216F  50                  PUSH    EAX
:00402170  FF150C414000        CALL    [MSVBVM50!rtcAnsiValueBstr]; gets the asc value of the current char, and puts it into EAX
:00402176  6689854CFFFFFF      MOV     [EBP-00B4],AX
:0040217D  8D55CC              LEA     EDX,[EBP-34]
:00402180  8D8544FFFFFF        LEA     EAX,[EBP-00BC]
:00402186  52                  PUSH    EDX
:00402187  8D8D74FFFFFF        LEA     ECX,[EBP-008C]
:0040218D  50                  PUSH    EAX
:0040218E  51                  PUSH    ECX
:0040218F  899D44FFFFFF        MOV     [EBP-00BC],EBX
:00402195  FF1594414000        CALL    [MSVBVM50!__vbaVarAdd]     ; adds all values to one var
:0040219B  8BD0                MOV     EDX,EAX
:0040219D  8D4DCC              LEA     ECX,[EBP-34]
:004021A0  FFD6                CALL    ESI
:004021A2  8D4DA8              LEA     ECX,[EBP-58]
:004021A5  FF15B8414000        CALL    [MSVBVM50!__vbaFreeStr]
:004021AB  8D5584              LEA     EDX,[EBP-7C]
:004021AE  8D4594              LEA     EAX,[EBP-6C]
:004021B1  52                  PUSH    EDX
:004021B2  50                  PUSH    EAX
:004021B3  53                  PUSH    EBX
:004021B4  FFD7                CALL    EDI
:004021B6  83C40C              ADD     ESP,0C
:004021B9  8D8DE8FEFFFF        LEA     ECX,[EBP-0118]
:004021BF  8D95F8FEFFFF        LEA     EDX,[EBP-0108]
:004021C5  8D45DC              LEA     EAX,[EBP-24]
:004021C8  51                  PUSH    ECX
:004021C9  52                  PUSH    EDX
:004021CA  50                  PUSH    EAX
:004021CB  FF15AC414000        CALL    [MSVBVM50!__vbaVarForNext]; next char
:004021D1  E95CFFFFFF          JMP     00402132                  ; loop
:004021D6  8D4DCC              LEA     ECX,[EBP-34]
:004021D9  8D9554FFFFFF        LEA     EDX,[EBP-00AC]
:004021DF  51                  PUSH    ECX
:004021E0  8D4594              LEA     EAX,[EBP-6C]
:004021E3  52                  PUSH    EDX
:004021E4  50                  PUSH    EAX
:004021E5  C7855CFFFFFFD2029649MOV     DWORD PTR [EBP-00A4],499602D2;499602D2h=1234567890
:004021EF  C78554FFFFFF03000000MOV     DWORD PTR [EBP-00AC],00000003
:004021F9  FF155C414000        CALL    [MSVBVM50!__vbaVarMul]       ;multiply the sum of our name with 1234567890
:004021FF  8BD0                MOV     EDX,EAX
:00402201  8D4DCC              LEA     ECX,[EBP-34]
:00402204  FFD6                CALL    ESI
:00402206  8B1DA0414000        MOV     EBX,[MSVBVM50!__vbaMidStmtVar]
:0040220C  8D4DCC              LEA     ECX,[EBP-34]
:0040220F  51                  PUSH    ECX
:00402210  6A04                PUSH    04                           ;pos 4
:00402212  8D9554FFFFFF        LEA     EDX,[EBP-00AC]
:00402218  6A01                PUSH    01
:0040221A  52                  PUSH    EDX
:0040221B  C7855CFFFFFF341C4000MOV     DWORD PTR [EBP-00A4],00401C34;do a d 401c34 and you'll see a -
:00402225  C78554FFFFFF08000000MOV     DWORD PTR [EBP-00AC],00000008
:0040222F  FFD3                CALL    EBX                          ;check if there is a - at pos 4
:00402231  8D45CC              LEA     EAX,[EBP-34]
:00402234  8D8D54FFFFFF        LEA     ECX,[EBP-00AC]
:0040223A  50                  PUSH    EAX
:0040223B  6A09                PUSH    09                           ;pos 9
:0040223D  6A01                PUSH    01
:0040223F  51                  PUSH    ECX
:00402240  C7855CFFFFFF341C4000MOV     DWORD PTR [EBP-00A4],00401C34;do a d 401c34 and you'll see a -
:0040224A  C78554FFFFFF08000000MOV     DWORD PTR [EBP-00AC],00000008
:00402254  FFD3                CALL    EBX                          ;check if there is a - at pos 9
:00402256  8B4508              MOV     EAX,[EBP+08]
:00402259  50                  PUSH    EAX
:0040225A  8B10                MOV     EDX,[EAX]
:0040225C  FF9204030000        CALL    [EDX+00000304]
:00402262  50                  PUSH    EAX
:00402263  8D45A4              LEA     EAX,[EBP-5C]

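So the routine works like this: it takes each char of our name and adds its ASCII value
into a var, then multiplies that sum by 1234567890, and checks if there is a - at the 4th and 9th
char of the entered serial. (Both __vbaMidStmtVar calls are passed the variable at [EBP-34], which
appears to be the one holding the product, so this looks more like a - being written into the computed
value at those positions than a check on what was typed; the keygen below does exactly that.)
So now let's code a keygen.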
---ADR2.C------BOF---

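/*
 * Keygen by Klefz
 *
 * Reads a name from stdin, sums the byte values of its characters,
 * multiplies the sum by 1234567890, and prints the product as a decimal
 * string with '-' written over its 4th and 9th characters.
 *
 * Returns 0 after printing the code, 1 if stdin ends before a name is read.
 */
int main(){
    char name[50] = {0};
    char temp[100] = {0};
    int i, length;
    long double sum = 0;

    clrscr();
    for (;;) {
        printf("Adrnalin's Crackme2 Keygen by Klefz\n");
        printf("Enter your name: ");

        /*
         * fgets() stops after sizeof name - 1 bytes. The gets() call it
         * replaces has no length limit, so any name of 50 or more characters
         * overflowed this stack buffer (gets() was removed in C11 for that
         * reason).
         */
        if (fgets(name, sizeof name, stdin) == NULL) {
            /* End of input or read error: stop instead of prompting forever. */
            return 1;
        }

        /* Work out the length; fgets() keeps the newline, so cut it off. */
        length = 0;
        while (name[length] != '\0' && name[length] != '\n') {
            length++;
        }
        name[length] = '\0';

        if (length != 0) {
            break;
        }
        printf("\nYou must enter a name!");
        getch();
    }

    /*
     * Take each char and add its value to sum. The cast keeps bytes >= 0x80
     * positive on platforms where plain char is signed.
     */
    for (i = 0; i < length; i++) {
        sum += (unsigned char)name[i];
    }

    sum *= 1234567890; /* multiply the sum by 1234567890 */

    /*
     * Convert sum to a string so the '-' characters can be placed.
     * At most 49 bytes of at most 255 each are summed, so the product has
     * at most 14 digits and fits temp with room to spare. A non-empty name
     * sums to at least 1, so the product has at least 10 digits and
     * indices 3 and 8 both fall inside the string.
     */
    sprintf(temp, "%.0Lf", sum);

    temp[3] = '-'; /* writes a - at position 4 */
    temp[8] = '-'; /* writes a - at position 9 */

    printf("\nThe registration code is: %s", temp); /* print out the result */
    getch();
    return 0;
}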

---ADR2.C------EOF---

---
/Klefz - http://klefz.cjb.net