Crackme #2 By BuLLeT [TOL '98]
------------------------------

Solution written by Prophecy [tNO '98] (August '98)
email: prophecy_@usa.net, or catch me in iRC eFNET #cracking4newbies

This is a good example of using visual basic functions to detect the code.  
With VB5 there are 2 functions used to compare strings : __vbastrcmp and
__vbastrcomp.  I'm not saying ALL VB apps use these in their protections,
just a lot :).  This CrackMe uses __vbastrcomp.

So do a "bpx __vbastrcomp".  Softice will break. DON'T press F11 yet.  First
type DD ESP, which will show you what was pushed to the stack, ie what two
strings are being compared.  Typing dd esp will reveal this in SoftIce:

xxxx:yyyyyyyy   aaaaaaaa  bbbbbbbb  cccccccc  dddddddd

aaaaaaaa , as with all functions is the return address.
the remaining 'bbbbbbbb' etc are the paramters the function is going to use.
as it happens 'cccccccc' is the address of the good string, and 'dddddddd'
is the address of your modified bogus code.  Typing "d cccccccc" in softice
reveals the good code!  Simple shit eh?

You'll find the code is : 2rK4HJ4-7n8RgT09IW6a7kSlg33

Note you'll need to edit your winice.dat file to include the msvbvm50.dll
file - otherwise you won't be able to bpx on VB5 commands.

Greetz:
------

As usual, out to the #cracking4newbies crew.  For a full list of my greetz
see proph.home.ml.org

Conclusion:
----------

A trivial protection, however some good tips for newbies in this tut.

-Prophecy.

Veni Vedi Veci.

