			VBCrackMe 2 explained

Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Website: http://crackmes.cjb.net
         http://surf.to/crackmes
Date written: 14th April 1999

Program Details:
Language: Visual Basic

Learning Method:
Code Explanation
SmartCheck functions

Viewing Method:
Use Notepad with Word Wrap switched OFF
Screen Area set to 800 X 600 pixels (Optional)

__________________________________________________________________________

			    About the Essay

This is the second in a series of essays explaining how coding in VB will
affect the cracking process. In these essays, I'll also show you how crackmes
are generally written in VB. I've included the thought processes I went
through while coding this crackme.

If you have missed the first essay, go to my website and get it.
Read it first before reading this because there are some parts
which I will not repeat here.

To fully understand what I am describing, it would help to have the
CrackMe running so that you can test things out while you read.

__________________________________________________________________________

			    About the Protection

This crackme uses a hard-coded code which is hidden using a method
different from the one used in the 1st CrackMe.

This is what I wrote in the textfile for this CrackMe:
"Find the correct hardcoded code in this CrackMe. I've disabled the __vbastrcomp breakpoint in
 Softice and have made sure that the code is not seen explicitly in SmartCheck or in Hexeditor.

 Since this is more of a practice and taste of VB cracking, I'll give you a few hints:
 1) In SmartCheck, although you will not see the REAL code, if you observe carefully, you will
    see how the real code is constructed.
 2) It is possible to trace in Softice."

__________________________________________________________________________

		A brief explanation on how VB coding is done...

Other than the things I mentioned in the first essay, I'd like to add some
more commands that are frequently used.

Mid("word",2,1) - To get the 2nd char out of the 1st parameter ie "o"
**In SmartCheck, you will see Mid() commands as well and it works the same way

Asc(x) - x can be any of the 255 characters in ASCII format. It returns the
         character's decimal value, e.g. Asc("E") = 69
**Asc() commands are also seen in SmartCheck.

& - joins up 2 strings eg "I Love " & "Cracking" = "I Love Cracking"
**In SC you may see a __vbaVarCat line followed by __vbaVarMove.
  These two functions are used when the author uses "&"
  to join 2 strings together

Val - get the numbers contained in a string as a numeric value
**You will see it exactly the same in SC.

For...Next - is a loop with a counter. Examples will be shown below
**You will see __vbaVarForInit (initialise the loop) and __vbaVarForNext
  in SmartCheck. No kidding!
  
__________________________________________________________________________


				Main Code

I've copied and pasted the main routine found in this crackme which is
the protection scheme, the heart of the crackme. In the next section, I'll
go into the explanation of some of the lines.


Private Sub Command1_Click()
Dim x As Variant, num As Variant, tru As Variant
c = "10511532"
f = "10132"
On Error GoTo err2
a = "116104"
g = "1141019911632"
x = 1
b = "84104"
d = "99111"
e = "114"
h = "100101"

If Text1.Text = "" Then
Text1.Text = "You have to enter something!"
GoTo err1
End If

For k = 1 To 5
num = num & Asc(Mid(Text1.Text, k, 1))
Next k

tru = b & c

x = Val(num) - Val(tru)
If x = 0 Then
x = 1
num = 0
GoTo next1
Else
GoTo err2
End If

next1:
For k = 6 To 8
num = num & Asc(Mid(Text1.Text, k, 1))
Next k

tru = c

x = Val(num) - Val(tru)
If x = 0 Then
x = 1
num = 0
GoTo next2
Else
GoTo err2
End If

next2:
For k = 9 To 12
num = num & Asc(Mid(Text1.Text, k, 1))
Next k

tru = a & f

x = Val(num) - Val(tru)
If x = 0 Then
x = 1
num = 0
GoTo next3
Else
GoTo err2
End If

next3:
For k = 13 To 20
num = num & Asc(Mid(Text1.Text, k, 1))
Next k

tru = d & e & g

x = Val(num) - Val(tru)
If x = 0 Then
x = 1
num = 0
GoTo next4
Else
GoTo err2
End If

next4:
For k = 21 To Len(Text1.Text)
num = num & Asc(Mid(Text1.Text, k, 1))
Next k

tru = d & h

x = Val(num) - Val(tru)
If x = 0 Then
Text1.Text = "You have solved it! Good Work!"
Text1.Enabled = False
Command1.Enabled = False
Command3.Enabled = True
Command3.Caption = "&Again!"
Command2.SetFocus
GoTo err
Else
GoTo err2
End If

err2:
Text1.Text = "Wrong! Try Again!!"
err1:
Text1.Enabled = False
Command1.Enabled = False
Command3.Enabled = True
Command3.SetFocus
err:
End Sub


__________________________________________________________________________


				Code Explanation

1) Dim x As Variant, num As Variant, tru As Variant
===================================================
x, num and tru are variables. Variables are like containers that can contain
values. Depending on the type of values required, the "containers" will
have to be initialised to make sure that they can contain the values required.
Using "Dim", x, num and tru are initialised to contain values of Variant type.
This will be useful later.


2) c = "10511532"
   f = "10132"
   On Error GoTo err2
   a = "116104"
   g = "1141019911632"
   x = 1
   b = "84104"
   d = "99111"
   e = "114"
   h = "100101"
============================================
These lines are actually the answer to the CrackMe. Doesn't look like it, right?
That is what I meant when I said I hid the hardcoded code using another method.
The numbers shown here are actually the decimal values of the characters of the
correct code, joined together.
Therefore,
c = "is "
f = "e "
a = "th"
g = "rect "
b = "Th"
d = "co"
e = "r"
h = "de"

The value of x is 1 and will be used later.


3) If Text1.Text = "" Then
   Text1.Text = "You have to enter something!"
   GoTo err1
   End If
==============================================
This part of the code makes sure that the user enters something.
If textbox 1 is blank, its text will be equal to "".
Then, "You have to enter something!" will be shown in the textbox.
"GoTo err1" just tells the CrackMe to go to the end of the code where the pointer
"err1:" is found. That will end the whole routine.
Notice that this uses the String compare routine and will break on __vbaStrComp.


4) For k = 1 To 5
   num = num & Asc(Mid(Text1.Text, k, 1))
   Next k
==============================================
This is a loop set to run 5 times ("For k = 1 To 5").
The next line actually contains 3 functions:
a) Mid(Text1.Text, k, 1)
   To get the kth char from the text you entered. 
   "1" is to signify the number of char to retrieve starting from the kth
b) Asc()
   Since a char would have been retrieved in the Mid() function, 
   Asc() will convert that to its decimal value.
c) num = num & Asc()
   What this does is to join up the result of converting the char to decimal value
   with anything in the "num" variable.

So, the overall function of these 3 lines is to
convert the 1st to the 5th char of what you entered to their decimal values
and join them up. eg. ABCDE = 6566676869

Now, do you understand why I convert them to decimal? Do you remember that I had the
correct code in decimal values? Instead of converting the correct value into ascii format
and comparing it directly with what you entered, it would be slightly more difficult
if I change what YOU type into something else. So, you will NEVER see the correct code in
ascii format! 8)


5) tru = b & c
==============================================
Now "num" contains what you typed, converted to decimal values.
"tru" will contain the correct first 5 chars.
Notice it is "b & c", which combines 84104 and 10511532 together.
Note: it is not ADDITION but just joining, to form 8410410511532.
If I were to convert it to ascii format, it would be "This ".
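
Added example (not part of the original essay or the crackme's source): a Python decoder for the undelimited decimal strings in sections 2 and 5, rebuilding what each of the five checks compares against. The function names are this example's own, and it assumes every character of the code is printable ASCII (32 to 126), which is what makes the split unambiguous.

```python
# Added example: decode the crackme's concatenated decimal character codes.
# The fragment values and the join order of each check are copied from the
# listing above; the function names are this example's own.

FRAGMENTS = {
    "a": "116104", "b": "84104", "c": "10511532", "d": "99111",
    "e": "114", "f": "10132", "g": "1141019911632", "h": "100101",
}

# Order in which Command1_Click builds "tru" for its five checks.
CHECKS = [("b", "c"), ("c",), ("a", "f"), ("d", "e", "g"), ("d", "h")]


def decode_decimal_run(digits):
    """Split an undelimited run of decimal codes into printable ASCII.

    Printable codes are 32..126, so a code starting with '1' must be three
    digits (100..126) and any other code must be two digits (32..99).
    That rule makes the split unambiguous without separators.
    """
    out, i = [], 0
    while i < len(digits):
        width = 3 if digits[i] == "1" else 2
        chunk = digits[i:i + width]
        if len(chunk) != width or not 32 <= int(chunk) <= 126:
            raise ValueError(f"not a printable code at offset {i}: {chunk!r}")
        out.append(chr(int(chunk)))
        i += width
    return "".join(out)


def expected_segments():
    """Decode the string each check compares against, in check order."""
    return [decode_decimal_run("".join(FRAGMENTS[n] for n in names))
            for names in CHECKS]


if __name__ == "__main__":
    for name, digits in sorted(FRAGMENTS.items()):
        print(name, repr(decode_decimal_run(digits)))
    print(repr("".join(expected_segments())))
```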

6) x = Val(num) - Val(tru)
   If x = 0 Then
   x = 1
   num = 0
   GoTo next1
   Else
   GoTo err2
   End If
==============================================
This is the comparison routine with a twist.

Instead of comparing "num" with "tru" using an "If num = tru Then" line,
I get the values of "num" and "tru" and subtract one from the other.
The effect? Well, if they are the same, the result in "x" will be 0!

The "If x = 0 Then" line then means that if the value in "num" is
equal to the value in "tru", execution proceeds to the pointer "next1:",
otherwise ("Else") it goes to the pointer "err2:" to show a message.
The "End If" that follows marks the end of this test.

Remember that at the start, I initialised "x" to be a container carrying
Variant type data? When I used "If x = 0 Then", I am calling the function
to compare variants and will result in the breakpoint __vbaVarTstEq to break
in Softice. Since it is vb6, you will have to type msvbvm60! in front. 
In SC, you will see lines with __vbaVarTstEq too. 8)

I said I have disabled __vbaStrComp, this is what I meant. I simply did not
use the String comparison routine. 8)

Now, since I know that this breakpoint works, if I were to use an
"If num = tru Then" line instead of subtracting them first and comparing
the result with 0, then when a cracker breaks on __vbaVarTstEq,
he would be able to sniff out the values of num and tru because they are
being compared directly with each other!

That is the reason why I coded this comparison routine this way...
Subtracting the correct value from the entered value to see if the result is 0.
So, even if you were to break using this function, you will see some value compared
with 0 but never the correct characters. Nice? 8P


The next few sections in the code mirror what I have described in 5 and 6,
comparing word by word for the correct code. When a word is incorrect,
the crackme will jump to the "err2:" pointer and the textbox will show
"Wrong! Try Again!!"

If every word is correct, you will continue smoothly down the lines until
you are shown "You have solved it! Good Work!".
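
Added example (not part of the original essay or the crackme's source): a Python model of the five subtract-and-test stages described above, returning the x values a breakpoint on the variant compare would show. It assumes Val() behaves like Python's float(), an IEEE-754 double; under that assumption the 21-digit value in the fourth stage exceeds a double's precision, so the test is weaker than a string compare. Function names are this example's own.

```python
# Added example: a model of Command1_Click's five staged checks.
# Assumption: VB's Val() is modelled by float(), an IEEE-754 double.

# (first, last, digits of "tru"); positions are 1-based as in the listing
# and None stands for Len(Text1.Text).
STAGES = [
    (1, 5, "84104" + "10511532"),                 # tru = b & c
    (6, 8, "10511532"),                           # tru = c
    (9, 12, "116104" + "10132"),                  # tru = a & f
    (13, 20, "99111" + "114" + "1141019911632"),  # tru = d & e & g
    (21, None, "99111" + "100101"),               # tru = d & h
]


def to_digits(text):
    """num = num & Asc(Mid(...)): join each character's decimal code."""
    return "".join(str(ord(ch)) for ch in text)


def trace(entered):
    """Return the x value of every stage reached (None = run-time error)."""
    xs = []
    for first, last, tru in STAGES:
        piece = entered[first - 1:last]
        if last is not None and len(piece) < last - first + 1:
            xs.append(None)  # Asc("") fails, so On Error GoTo err2 fires
            break
        # The leading "0" mirrors "num = 0" before each later loop.
        x = float("0" + to_digits(piece)) - float(tru)
        xs.append(x)
        if x != 0:
            break            # GoTo err2
    return xs


def accepted(entered):
    """True when all five stages ran and every x tested equal to 0."""
    xs = trace(entered)
    return len(xs) == len(STAGES) and all(x == 0 for x in xs)


if __name__ == "__main__":
    for sample in ("Hello", "This is the correct code",
                   "This is the correct!code"):  # constructed inputs
        print(repr(sample), trace(sample), accepted(sample))
```

Under this model a wrong entry such as "Hello" yields one large difference and no characters, while "This is the correct!code" passes all five stages because its fourth-stage digits differ only in the last place.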

__________________________________________________________________________

		How to Crack such VB protection schemes

In the first CrackMe, it used String compare thus __vbaStrComp is the 
breakpoint. In this CrackMe, Variant Compare is used and thus __vbaStrComp
will not break on the compare routine although it will at the line
"If Text1.Text = "" Then".

In VB, the function to compare variants is __vbaVarTstEq (VARiant TeST EQual)
So, in Softice, setting the breakpoint using "bpx msvbvm60!__vbaVarTstEq" 
(or msvbvm60!__vbaVarTstEq)
will cause Softice to break when the cracker clicks on the "Register" button.
msvbvm60! is added in front because this CrackMe is written in VB6.

The code used in the dll for this compare will also be the same, so it will
be quite useful if you get used to it.

There are functions such as __vbaVarTstGt, __vbaVarTstNe and I leave it up
to you to discover what they mean. Just looking at them would give you a hint.
8)

__________________________________________________________________________

			Additional points


For other breakpoints and compare methods, you can get my two essays on VB
cracking found on my website.

A SmartCheck logfile with the source is included together with this textfile
as "Debug2.zip". Unzip everything in it and double click on the debug2.sce file.

If you have installed SmartCheck, SmartCheck will open up and the usual
lot of information is shown. However, in this case, since the source code is
included, when you click on threads in Command1_Click line, you will see
how the source code is processed and how it is presented in SmartCheck.
A definite learning experience for those who are struggling with SmartCheck usage.
The first Command1_Click shows the lines processed when the correct code is
entered. The second Command1_Click shows the lines processed when the code
entered is wrong.

__________________________________________________________________________

				End of File

I would like to thank Jeff for giving me this idea of writing essays on how
I created my CrackMe, what commands will result in what breakpoints to use
in Softice and how SmartCheck's usefulness is exploited.

All the best to those reading this essay in VB cracking!


