CrackMe #3 By Adrnalin
-----------------------
Tools Used:
SoftIce

---
Protection:
Code

---
First, you need to have MSVBVM50.DLL loaded in your S-ICE exports.
Start the crackme, enter a code and set breakpoints on rtcAnsiValueBstr and
__vbaStrComp and press the OK button, on the first break you will land here:

:00401FAA  FF1508414000        CALL    [MSVBVM50!rtcAnsiValueBstr] ; ax = ascii val of current char
:00401FB0  66050A00            ADD     AX,000A                     ; ax = ax + 10
:00401FB4  0F80B0020000        JO      0040226A

so it modifies our chars, hmm, interesting :)
disable the rtcAnsiValueBstr breakpoint and press F5, and you will break on the
__vbaStrComp step on until you come here:

:00402050  6685C0              TEST    AX,AX
:00402053  0F84C0000000        JZ      00402119

look up a bit and you'll see this

:00402036  C7855CFFFFFF8C1A4000MOV     DWORD PTR [EBP-00A4],00401A8C
:00402040  C78554FFFFFF08800000MOV     DWORD PTR [EBP-00AC],00008008
:0040204A  FF1540414000        CALL    [MSVBVM50!__vbaVarTstEq]
:00402050  6685C0              TEST    AX,AX
:00402053  0F84C0000000        JZ      00402119

hmm =), do a 'd 401a8c' and you'll see k.X.y.^.r.O.|.*.y.X.o.*.m.\.k.M.u.O.n.*.+
and because it's a VB prog, it's in widechar format, which means that the string
looks like this kXy^rO|*yXo*m\kMuOn*+ and take each char from this string and
sub 10 (Ah) from each char, and you'll get the right code, but i've coded a small
C program which does the calc much faster, so here is the source :

--- cut from here ---

int main(){
unsigned char name[21]={0x6b,0x58,0x79,0x5e,0x72,0x4f,0x7c,0x2a,0x79,0x58,0x6f,0x2a,0x6d,0x5c,0x6b,0x4d,0x75,0x4f,0x6e,0x2a,0x2b}; // kXy^rO|*yXo*m\kMuOn*+
int i;

clrscr();
printf("Adrnalin's Crackme3 Key-recovery by Klefz\n");

for(i=0;i<21;i++){
  name[i]=name[i]-0xa; // takes each char and sub's Ah from it
}
name[21]=0x00; // some small bug makes name[21] some strange char :)
               // so this makes it 00h
printf("\nThe registration code is: %s",name); // print out the result
getch();
return 0;  }

--- end of file ---

after compiling and running you'll get the code: aNoThEr oNe cRaCkEd !

not so Difficult after all :)
---
/Klefz - http://klefz.cjb.net