ACiD BuRN's first VB crackme.. half a tutorial 

Tutorial by : R!SC -- risc@notme.com -- http://csir.cjb.net 
Date : 12th june 1999


hi.. my second VB crackme cracked.. i wanted to learn, and i did!!

i knew only __vbastrcomp, now i know a bit more :O

right, after wading through several vb tutorials, and getting nowhere
(well, one mentioned __vbar4str / __vbar4var, which helped me a lot..
 so i did get somewhere with them..)
 
well, i decided to WDasm msvbm50.dll, and get every exported function
there was, to help me along.. :)

__vbar4str is something to do with real numbers, floating point ones.. (the R4
means a 4-byte real, a VB Single; R8 is an 8-byte Double, I4 a 4-byte integer,
and the Str on the end means 'from string')


enter your name, first name, and company..

name: notme
first: risc
company: evc


then enter a fake serial, i tried numbers only.. 1111 2222 3333

okay, so i bpx on __vbar4str, __vbar4var, __vbar8str, __vbar8var

and softice breaks and breaks and breaks. (on the __vbar8str...)
i have no idea wtf is going on, so i try tracing through the call, and
keep on displaying the registers, 'dl eax' 'dl ecx' '? eax' etc, while
tracing, and hey! i keep seeing my numbers, but they also keep changing.

my numbers, and some other numbers.. :(  hmm, study the code.. makes no
sense to me, but i see er.. lots of floating point asm, so i toggle the
FP window 'wf', something that i never used before.. :) gee, i love 
learning

upon having the fp registers displayed, i saw lots of other numbers, and
whilst tracing through the code, after it breaks on __vbar8str, i noticed
another function i could break on, __vbaI4Str..

clear all breakpoints, and set one on __vbaI4Str.. this one was groovy..

every time it breaks, st0=one of my numbers, either '1111' '2222' or '3333'
i hit F11 to exit to the caller, then traced with F10, watching the FP 
registers.. :)

suddenly, my number from st0 would move to st1, and another number
appeared in st0 (ready for some action ?)


015F:7B3ED5F5  DB0424              FILD    DWORD PTR [ESP]  <-- this made the new number (loads the integer at [ESP] onto the FPU stack as st0)
015F:7B3ED5F8  58                  POP     EAX
015F:7B3ED5F9  33C0                XOR     EAX,EAX
015F:7B3ED5FB  8A06                MOV     AL,[ESI]         <-- fetch the next p-code opcode byte
015F:7B3ED5FD  46                  INC     ESI
015F:7B3ED5FE  FF248594ED3E7B      JMP     [EAX*4+7B3EED94] <-- dispatch through the opcode handler table; this is what ends up calling the routine below

015F:7B3EEAE2  E837010000          CALL    7B3EEC1E <-- tracing into this, we find a compare
015F:7B3EEAE7  EB0B                JMP     7B3EEAF4


015F:7B3EEC1E  D9C9                FXCH    ST(1)    <-- swaps st0 & st1
015F:7B3EEC20  DED9                FCOMPP           <-- compares them and pops both; the result lands in the C3/C2/C0 condition codes
015F:7B3EEC22  DFE0                FSTSW   AX       <-- copies the FPU status word into AX: condition codes in AH, exception flags in AL
015F:7B3EEC24  A80D                TEST    AL,0D    <-- 0D = invalid-op / zero-divide / overflow flags, not the compare result
015F:7B3EEC26  0F857AB50000        JNZ     7B3FA1A6 <-- any of those pending -> presumably the runtime's error path
015F:7B3EEC2C  A80D                TEST    AL,0D
015F:7B3EEC2E  0F8572B50000        JNZ     7B3FA1A6
015F:7B3EEC34  9E                  SAHF             <-- AH -> flags: C3->ZF (equal), C0->CF (st0 below st1), C2->PF (unordered)
015F:7B3EEC35  C3                  RET              <-- the caller just does a JE/JNE on ZF
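to make the compare stub above concrete, here is an added C model of what it does with the x87 status word (my example, not code from the crackme or from msvbm50.dll; the bit layout is the documented x87 one, the idea that the JNZ target is an error handler is an assumption). it shows why TEST AL,0D is an exception check rather than the equality test, and how SAHF turns the condition codes into the ZF/CF/PF the caller branches on:

```c
#include <math.h>

/* x87 status-word bits used by the runtime's compare stub.
   Exception flags sit in the low byte (AL after FSTSW AX),
   condition codes in the high byte (AH). */
#define SW_IE 0x0001   /* invalid operation */
#define SW_ZE 0x0004   /* zero divide       */
#define SW_OE 0x0008   /* overflow          */
#define SW_C0 0x0100
#define SW_C2 0x0400
#define SW_C3 0x4000

/* Model of FCOMPP: compare st0 with st1 and return the status word it leaves.
   Exception flags are sticky on a real FPU, so 'prior' carries whatever was
   already set. A NaN operand gives "unordered" (C3=C2=C0=1) and raises IE. */
unsigned fcompp_status(double st0, double st1, unsigned prior) {
    unsigned sw = prior & ~(SW_C0 | SW_C2 | SW_C3);
    if (isnan(st0) || isnan(st1)) return sw | SW_C0 | SW_C2 | SW_C3 | SW_IE;
    if (st0 > st1) return sw;               /* C3=C2=C0=0 */
    if (st0 < st1) return sw | SW_C0;       /* C0=1       */
    return sw | SW_C3;                      /* C3=1       */
}

/* TEST AL,0D: mask 0x0D = IE|ZE|OE. Non-zero means a pending FPU error,
   which is what takes the JNZ (assumed here to be the runtime's error path). */
int fpu_error_pending(unsigned sw) {
    return (sw & (SW_IE | SW_ZE | SW_OE)) != 0;
}

/* SAHF copies AH into EFLAGS: bit 0 -> CF, bit 2 -> PF, bit 6 -> ZF.
   Since AH is status-word bits 8..15, that is C0 -> CF, C2 -> PF, C3 -> ZF. */
#define FL_CF 0x01
#define FL_PF 0x04
#define FL_ZF 0x40
unsigned sahf_flags(unsigned sw) {
    return (sw >> 8) & (FL_CF | FL_PF | FL_ZF);
}

/* What the caller of the stub effectively computes: "equal" iff ZF is set.
   FXCH only decides which operand plays st0, so it flips CF's meaning but
   not the equality result. The 0 on a pending error is a modelling choice. */
int st0_equals_st1(double st0, double st1) {
    unsigned sw = fcompp_status(st0, st1, 0);
    if (fpu_error_pending(sw)) return 0;
    return (sahf_flags(sw) & FL_ZF) != 0;
}
```

so when softice stops here with st0=1111 and st1=97680, the compare leaves C0 set, SAHF turns that into CF, and the JE back in the caller falls through: wrong serial. only when both stack slots hold the same value does C3 become ZF.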


okay, when st0=1111, the other number that appeared was 97680
when st0=2222, the other number that appeared was 177156
when st0=3333, the other number that appeared was 22422


so i thought, maybe, just maybe, my serial: 97680 177156 22422


bc*, tried these numbers as the serial, BOOM!, the register button
works, hehheh, job done..


my second VB crackme cracked.. quite easy, just needed the right bpx..


R!SC -- risc@notme.com

name: notme
first: risc
company: evc
serial: 97680 177156 22422

name: a
first: b
company: c
serial: 86136 152292 21978

:) starting to like VB.. (not!) 

p.s. on patching the nag, fuckit, it's a crackme, not an application, and
if i register it, the nag shouldn't be displayed anyway... i doubt you can
patch the NAG, as it's VB, and the exe isn't compiled with real instructions
inside of it.. just VB info..  if anyone wants to try..... just notme..

p.p.s.. extra info, short & sweet.. (yah, i spoke to ACiD BURN, he said 
my code is wrong, mentioned something about the date, used in the serial algo..
so i reversed it some more, and made a keygen, to keep him happy :O)

enter fake code, 1111-2222-3333, 'wf' 'bpx __vbar8str' 'x', watch the numbers,
F5 / F11, keep watching the numbers, try tracing with F10, you will find a
multiply, for the day_of_the_month, and a divide, for the month..
the first number to appear is your fake code, then the ascii value from the
first letter of text, then the ??? number, then the day_of_month number...


015F:7B3EDFCB  DEC9                FMULP   ST(1),ST     <-- the multiply routine
015F:7B3EDFCD  33C0                XOR     EAX,EAX
015F:7B3EDFCF  8A06                MOV     AL,[ESI]
015F:7B3EDFD1  46                  INC     ESI
015F:7B3EDFD2  FF248594ED3E7B      JMP     [EAX*4+7B3EED94]


015F:7B3EE001  59                  POP     ECX
015F:7B3EE002  58                  POP     EAX
015F:7B3EE003  99                  CDQ
015F:7B3EE004  F7F9                IDIV    ECX          <-- the division routine
015F:7B3EE006  50                  PUSH    EAX
015F:7B3EE007  33C0                XOR     EAX,EAX
015F:7B3EE009  8A06                MOV     AL,[ESI]
015F:7B3EE00B  46                  INC     ESI
015F:7B3EE00C  FF248594ED3E7B      JMP     [EAX*4+7B3EED94]


see the third number that appears, '444' or '777' or '111'?
take the text length, subtract 1, divide by 5 (integer division, see the idiv
below), multiply the result by 111, and add it to '444' for the first text,
'111' for the second text, or '777' for the third text...

i.e.

    mov     [mnum1],444
    dec     eax         <-- eax== text length (of name..)
    mov     ecx, 05
    cdq
    idiv    ecx
    mov     ecx, 111
    imul    ecx
    add     [mnum1], eax
    
    
code is calculated like so... 
code#1= ascii#1 * xxx#1 * day_of_month / month 
code#2= ascii#2 * xxx#3 * day_of_month / month 
code#3= ascii#3 * xxx#2 * day_of_month / month 

or something.. heh..
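the usual way to check a recovered algorithm is to feed it the inputs you already know the answer for. here is an added C version of the snippet and the formula above (my example, not R!SC's keygen or anything from the crackme): xxx_number is a straight translation of the mov/dec/idiv/imul listing, and serial_code applies the formula with day_of_month=12 and month=6, the tutorial's own date, which is the assumption that makes both serials on this page reproducible (the field names and the -1 error return are mine):

```c
#include <stddef.h>
#include <string.h>

/* Field order as entered in the crackme: name, first name, company. */
enum { F_NAME = 0, F_FIRST = 1, F_COMPANY = 2 };

/* "xxx" seed per field from the tutorial: 444 for the first text,
   111 for the second, 777 for the third. */
static const long seed[3] = { 444, 111, 777 };

/* Translation of the listing:
     mov [mnum1],seed ; dec eax ; mov ecx,5 ; cdq ; idiv ecx
     mov ecx,111 ; imul ecx ; add [mnum1],eax
   cdq/idiv truncate toward zero exactly like C's '/', so an empty string
   gives (-1)/5 == 0 and the seed comes back unchanged. */
long xxx_number(const char *text, int field) {
    long len = (long)strlen(text);
    return seed[field] + ((len - 1) / 5) * 111;
}

/* code#N = ascii of the field's first character * xxx * day_of_month / month,
   with the fields cross-wired as the tutorial lists them: code#2 takes the
   company's xxx (xxx#3) and code#3 takes the first name's (xxx#2).
   'which' selects code#1..3 as 0..2. Returns -1 for a bad date or index,
   which the original crackme of course never does (my addition). */
long serial_code(const char *name, const char *first, const char *company,
                 int day, int month, int which) {
    if (month < 1 || month > 12 || day < 1 || day > 31 || which < 0 || which > 2)
        return -1;
    long x1 = xxx_number(name, F_NAME);
    long x2 = xxx_number(first, F_FIRST);
    long x3 = xxx_number(company, F_COMPANY);
    long ascii, xxx;
    switch (which) {
    case 0:  ascii = (unsigned char)name[0];    xxx = x1; break;  /* code#1 */
    case 1:  ascii = (unsigned char)first[0];   xxx = x3; break;  /* code#2 uses xxx#3 */
    default: ascii = (unsigned char)company[0]; xxx = x2; break;  /* code#3 uses xxx#2 */
    }
    /* Multiply first, integer-divide last, like the FMULP then IDIV ECX above. */
    return ascii * xxx * day / month;
}
```

with notme / risc / evc and the date 12/6 this gives 97680 177156 22422, and a / b / c gives 86136 152292 21978, the two serials listed earlier, so the "or something" is in fact exactly right for that date. on any other day the day_of_month and month terms change and the same name gets a different serial, which is why ACiD BURN said the date matters.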

R!SC -- risc@notme.com

