

        SiFLyiNG's
                Tutorial #3

____________________________________________________________________________

Target          : CupOfCoffee Crackme 1 in VB
                  d/l it on Eternal Bliss Site : http://crackmes.cjb.net
Protection type : Code, VB
Level           : the author says it's a little tricky but easy
Tools needed    : SoftIce 3.xx
                  Some basis of VB cracking
____________________________________________________________________________

Before Beginning...

        First, you run the crackme... type any serial you want. First
observation : Wingdings 2 font, so what you type appears as nonsense.
But that's not a problem... I think there is nothing else to say.

____________________________________________________________________________

The essay...

        This crackme is programmed in VB, so we can use breakpoints on
functions like MultiByteToWideChar (converts a string to wide char, i.e.
the chars of the string are separated by null chars), __vbaStrCmp or
__vbaStrComp. Let's use __vbaStrCmp. So you type in Sice 'Bpx __vbaStrCmp'.
        Come back to the prog, and type '123456' for example. Press 'check'
and you're back to SoftIce. There you press F11 to return from the call to
the routine. Then you see :

CALL [MSVBVM50!__vbaStrCmp]

but if you scroll up a bit in the code you see :

MOV ECX, [EBP-18]
PUSH ECX
PUSH 00401BE4
CALL [MSVBVM50!__vbaStrCmp]

        Hmmm, the solution must be here. Disable your breakpoints with
'Bd *', then set a breakpoint on the PUSH ECX line just before the call (just
double-click on the line).
        Exit from SoftIce, and press 'Check it' another time. Then you're
back in SoftIce and you see:

PUSH ECX
PUSH 00401BE4
CALL [MSVBVM50!__vbaStrCmp]

Type 'd ECX' and you should see '1.2.3.4.5.6' where the points represent
null chars (our fake code has been converted to WideChar). So our fake code,
converted to WideChar, is pushed just before the call to __vbaStrCmp. That means
it will be compared with the other string pushed before the call, which
MUST be the real code. So 00401BE4 must be the address where the real code is
stored. So we try 'd 401BE4', but what can we see ???

2E 00 2E 00 2E 00 2E 00 - 2E 00 2E 00 2E 00 2E 00   ................
2E 00 2E 00 00 00 00 00 - 24 00 00 00 49 00 6E 00   ........$...I.n.

What's that ??? Our string is compared with null chars ??? No no. Just open
your eyes and you'll see the truth :)
We know that our code is in WideChar... so it must be compared with a WideChar
string. And look at the hex display :

2E 00 2E 00 2E 00 2E 00 - 2E 00 2E 00 2E 00 2E 00   ................
2E 00 2E 00 00 00 00 00 - 24 00 00 00 49 00 6E 00   ........$...I.n.

Isn't this WideChar ? Of course it is ! But what are these 2E bytes ? 2E is simply
the ASCII code for '.', so the code might be '..........'
Count the number of 2E bytes : there are 10, so there are 10 '.' in the code.

Disable all breakpoints, exit from SoftIce and enter '..........' then press
the check button : cool :)
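As an added example (not part of SiFLyiNG's tutorial), here is a small Python script that does by code what the essay does by eye: it parses the two SoftIce dump lines quoted above (copied verbatim from the page) and recovers the WideChar constant that gets pushed before __vbaStrCmp. The function names are mine; the lesson for anyone protecting a program is that a serial stored as a plain string constant and checked with a string compare is readable straight out of memory.

```python
import re

# The two dump lines quoted in the tutorial (output of 'd 401BE4'), pasted verbatim.
SOFTICE_DUMP = """\
2E 00 2E 00 2E 00 2E 00 - 2E 00 2E 00 2E 00 2E 00   ................
2E 00 2E 00 00 00 00 00 - 24 00 00 00 49 00 6E 00   ........$...I.n.
"""

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def dump_to_bytes(dump: str) -> bytes:
    """Turn SoftIce 'd' output back into raw bytes (the ASCII column is ignored)."""
    out = bytearray()
    for line in dump.splitlines():
        hex_part = line.split("   ", 1)[0]      # three spaces precede the ASCII column
        for tok in hex_part.split():
            if HEX_BYTE.fullmatch(tok):         # skips the '-' separator and any address prefix
                out.append(int(tok, 16))
    return bytes(out)


def wide_string_at(buf: bytes, offset: int = 0) -> str:
    """Read a null-terminated UTF-16LE string, the layout VB uses for its BSTR constants."""
    end = offset
    while end + 1 < len(buf) and (buf[end] | buf[end + 1]) != 0:
        end += 2
    return buf[offset:end].decode("utf-16-le")


def softice_ascii(buf: bytes) -> str:
    """Render bytes the way SoftIce's ASCII column does: every non-printable byte as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in buf)


def u32_le(buf: bytes, offset: int) -> int:
    """Little-endian DWORD, e.g. the 4-byte byte-length prefix a BSTR carries in front of it."""
    return int.from_bytes(buf[offset:offset + 4], "little")


def recover_serial(dump: str) -> str:
    """The constant pushed before __vbaStrCmp, decoded instead of counted by hand."""
    return wide_string_at(dump_to_bytes(dump))


if __name__ == "__main__":
    raw = dump_to_bytes(SOFTICE_DUMP)
    print(repr(recover_serial(SOFTICE_DUMP)))           # '..........' (10 dots)
    print(softice_ascii("123456".encode("utf-16-le")))  # 1.2.3.4.5.6. just like 'd ECX' shows
    # The 24 00 00 00 after the terminator reads as 36, consistent with the byte-length
    # prefix of the next BSTR ("In..."), so neighbouring constants can be walked the same way.
    print(u32_le(raw, 24))                              # 36
```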

____________________________________________________________________________

        The end...

        Voilà, it's finished... we found the only correct code for this
crackme. The author was right : 'little tricky but easy'
        
        SiFLyiNG
                siflying@ifrance.com

Greetz : Eternal Bliss, Acid Burn, Lucifer48, Skymarshall, Gluconzip, Earwax
         all the French crackers, all tutorial writers...


