Cracking BiSHoP's VB Crackme #5 with ManKind
=============================================

This is another easy crackme with an easy name/serial algorithm. This essay is most suitable for newbies who want to learn the basics of keygenning, understand key-generation routines and apply both to a Visual Basic program, with SmartCheck as our main tool (of course some basic SmartCheck usage will be covered here too). We will use SmartCheck (6.x will do) on it. I hope you have configured SmartCheck correctly; if not, visit Eternal Bliss's wonderful site at http://vipatcher.cjb.net and make use of the useful stuff there.

I don't wanna waste any time, so I assume that you know how to use SmartCheck (if you don't, one good thing to do is to visit Eternal Bliss's site and search for tutorials on using SmartCheck at http://crktutse.cjb.net). Below is the listing from SmartCheck (with my comments, which start with an arrow) when I load the crackme in SmartCheck, run it, enter my name (ManKind) and serial (23199981) and click the Register button. (The listing below is my best effort to make it look like the original one in SmartCheck; the _Click event has been expanded.)

[-] _Click
    Len returns LONG:7                                                       <-- length of my name
    Mid                                                                      <-- get the first char of my name
    Asc returns Integer:77                                                   <-- ascii value of "M"
    Val returns double:5929 (displayed as single-precision floating point)   <-- where does 5929 come from?
                                                                                 do 77 * 77 in your calculator and you will get 5929
    Val returns double:5929 (displayed as single-precision floating point)   <-- add the calculated value to a variable (I'll refer to it as finalserial)
    Mid                                                                      <-- get the second char of the name
    Asc returns Integer:97                                                   <-- ascii of "a"
    Val returns double:9409 (displayed as single-precision floating point)   <-- 97 * 97
    Val returns double:15338 (displayed as single-precision floating point)  <-- add 9409 to finalserial
    Mid                                                                      <-- get the third char of the name
    Asc returns Integer:110                                                  <-- ascii of "n"
    Val returns double:12100 (displayed as single-precision floating point)  <-- 110 * 110
    Val returns double:27438 (displayed as single-precision floating point)  <-- add 12100 to finalserial
    Mid                                                                      <-- get the 4th char of the name
    Asc returns Integer:75                                                   <-- ascii of "K"
    Val returns double:5625 (displayed as single-precision floating point)   <-- 75 * 75
    Val returns double:33063 (displayed as single-precision floating point)  <-- add 5625 to finalserial
    Mid                                                                      <-- get the 5th char of the name
    Asc returns Integer:105                                                  <-- ascii of "i"
    Val returns double:11025 (displayed as single-precision floating point)  <-- 105 * 105
    Val returns double:44088 (displayed as single-precision floating point)  <-- add 11025 to finalserial
    Mid                                                                      <-- get the 6th char of the name
    Asc returns Integer:110                                                  <-- ascii of "n"
    Val returns double:12100 (displayed as single-precision floating point)  <-- 110 * 110
    Val returns double:56188 (displayed as single-precision floating point)  <-- add 12100 to finalserial
    Mid                                                                      <-- get the 7th char of the name
    Asc returns Integer:100                                                  <-- ascii of "d"
    Val returns double:10000 (displayed as single-precision floating point)  <-- 100 * 100
    Val returns double:66188 (displayed as single-precision floating point)  <-- add 10000 to finalserial
    Val returns double:4.38092e+009 (displayed as single-precision floating point)   <-- this looks strange because the calculation is done in a double-type (floating point) variable, so SmartCheck shows the value rounded.
                                                                                 Look in the right window and you shall see the correct serial for my name -> 4380917532
    MsgBox returns Integer:1                                                 <-- return value of the messagebox (unimportant to us now)
[-] _Click

Lots of code there, but you should see that it's quite simple. You might have some questions.

How do I know that the ascii value of every char in the name must be raised to the power of 2 (that's the same as variable * variable) to produce the values which are all added up into the variable finalserial? Well, it's no ZEN here, it's just trial-and-error and some clever assumption, and you will find a better explanation at the end of my tutorial.

How is finalserial (assuming that all the required values have been added up) related to the correct serial for a name? That's what is really important here. Let's try finalserial * finalserial. What do you get?

    66188 * 66188 = 4380851344   (or: 66188 ^ 2 = 4380851344)

That's quite near to the correct serial, ain't it? Let us see how far away we are from the correct serial:

    correct serial - (finalserial * finalserial)
    4380917532 - 4380851344 = 66188

Now it should be quite clear. The following should make you really understand:

    finalserial * finalserial + finalserial = correct serial

After understanding the whole routine, let's summarize it:

1. get the ascii value of a char, raise it to the power of 2 and add it to a variable (finalserial)
2. repeat step 1 until all chars of the name are involved
3. calculate the correct serial by doing finalserial * finalserial + finalserial

Next, we should create a program that can automate the task of calculating the correct serial for every name; we will call that utility a keygen.
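To make the three summary steps concrete, here is the routine as reconstructed from the SmartCheck trace above, written in Python. This is an added example, not code from the essay or from the crackme: the per-character values are copied from the listing so every step can be checked against what SmartCheck logged, and the extra names in the collision check (KindMan, dnaKniM, Alice) are constructed for illustration. It also shows two things the trace alone does not: the serial for ManKind does not fit in a signed 32-bit integer (which matters for the keygen below), and because the routine only sums squared character codes, any reordering of the same characters gives the same serial.

```python
# Added example: the name/serial routine reconstructed from the SmartCheck
# trace in the essay. Not the crackme's own code; written from the trace.

def square_sum_steps(name: str):
    """Return (char, ascii, ascii*ascii, running total) per character,
    mirroring the Mid/Asc/Val lines SmartCheck logged."""
    total = 0
    steps = []
    for ch in name:
        a = ord(ch)            # what Asc returned
        total += a * a         # Val(ascii * ascii) added to finalserial
        steps.append((ch, a, a * a, total))
    return steps


def serial_for(name: str) -> int:
    """finalserial * finalserial + finalserial, in Python integers so no
    digits are lost to 32-bit wraparound or single-precision rounding."""
    final = sum(ord(c) ** 2 for c in name)
    return final * final + final


# Values copied from the SmartCheck listing in the essay (name: ManKind).
TRACE_MANKIND = [
    ("M", 77, 5929, 5929),
    ("a", 97, 9409, 15338),
    ("n", 110, 12100, 27438),
    ("K", 75, 5625, 33063),
    ("i", 105, 11025, 44088),
    ("n", 110, 12100, 56188),
    ("d", 100, 10000, 66188),
]
CORRECT_SERIAL_MANKIND = 4380917532   # from the right-hand window in the trace


def check_against_trace() -> bool:
    """True if the reconstruction reproduces every logged value."""
    return (square_sum_steps("ManKind") == TRACE_MANKIND
            and serial_for("ManKind") == CORRECT_SERIAL_MANKIND)


def fits_signed_32bit(name: str) -> bool:
    """A Turbo Pascal longint is signed 32-bit; this tells whether the
    serial for the name could be held in one without overflowing."""
    return serial_for(name) <= 2 ** 31 - 1


def colliding_names(names):
    """Group names that share a serial. Sum-of-squares ignores order, so
    anagrams collide; a reviewer would flag this as a weak check."""
    groups = {}
    for n in names:
        groups.setdefault(serial_for(n), []).append(n)
    return {s: ns for s, ns in groups.items() if len(ns) > 1}


if __name__ == "__main__":
    for step in square_sum_steps("ManKind"):
        print(step)
    print("serial:", serial_for("ManKind"))
    print("fits in longint:", fits_signed_32bit("ManKind"))
    # constructed names: two anagrams of ManKind plus one unrelated name
    print(colliding_names(["ManKind", "KindMan", "dnaKniM", "Alice"]))
```

Run it and compare the printed tuples with the Asc/Val lines of the trace; the final tuple's last field is finalserial (66188), and serial_for turns it into the 4380917532 that SmartCheck could only show rounded as 4.38092e+009.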
Below is an example keygen source for this target in Turbo Pascal:

------------------ start of source ----------------
{$N+}                  { enable the 8087 real types so that double is available }
Program keygen;
uses crt;

var
  name  : string;
  temp1, temp2, i : longint;
  temp3 : double;      { finalserial * finalserial + finalserial exceeds 32 bits for most names, so a longint would silently overflow }

begin
  clrscr;
  Writeln('BiSHoP VB Crackme #5 KeyGen by ManKind');
  Writeln('======================================');
  Write('Name: ');
  Readln(name);
  if length(name) > 0 then
  begin
    temp2 := 0;                  { running total of the squared ascii values (finalserial) }
    for i := 1 to length(name) do
    begin
      temp1 := Ord(name[i]);     { ascii value of the char }
      temp1 := temp1 * temp1;    { raised to the power of 2 }
      temp2 := temp2 + temp1;    { added to finalserial }
    end;
    temp3 := (1.0 * temp2 * temp2) + temp2;   { done in floating point so all 10 digits survive }
    Write('Serial: ');
    Writeln(temp3:0:0);          { print as a plain integer, no exponent or decimals }
  end;
  if length(name) < 1 then
  begin
    Writeln('Invalid name!');
  end;
  readln;
end.
----------------- end of source --------------------------

As you might have known, I am not a good coder. So, if you could improve and optimize this code, by all means, do it!

By the way, there's one more thing we have to deal with: the nag. Look back into SmartCheck's window. Before the _Click event, you should see the Timer event; click on the first event (don't expand it, just highlight it). Now, look at the right window and you should see CRACKME5.EXE!0020094. What's the use of that? It tells us where in the crackme the Timer event starts (this determines how long the nag stays on). Disassemble the crackme with W32Dasm, go to address 00420094 (ImageBase + 20094, where the ImageBase for the crackme is 00400000) and scroll down a little to the following code:

    00402138 0F8432010000    je 00420270   <-- if it jumps, it will continue to show the nag till the full time has been reached

I wanna concentrate on the name/serial protection in this crackme, so I will just tell you to nop out the above je so that at the first check (after a second, I think) of whether the full display time for the nag has been reached, it stops incrementing the time, adding to the total interval that has elapsed, etc. and displays the other window where we can enter our name and our serial.
By nopping it out, the nag still shows but the period it appears on the screen has been decreased (to 1 second, I think). This is good enough for me, though maybe the author and other people may think that this is an incomplete crack and wanna flame me. Anyway, you should of course investigate the Timer event and trace it in SoftICE (yeah, you got me right!) before deciding where to patch to produce a better crack.

Below are the much awaited explanations, thoughts and opinions about the usage of SmartCheck in VB cracking ('Well, it's no ZEN here, it's just trial-and-error and some clever assumption, and you should find a better explanation at the end of my tutorial').

You might wonder how I know how some parts of the algo work when SmartCheck didn't show them (like ascii1 * ascii1 and finalserial * finalserial + finalserial = correct serial). I didn't change SmartCheck's settings to show all events; it isn't ZEN either, it is truly trial-and-error and some clever assumption. That is really required, unless you want to view the huge listings of the 'show all events' option or, even worse, end up tracing in SoftICE. Those two ways don't serve the real purpose of SmartCheck, which is to be quite efficient, quick and simple. For real efficiency in VB cracking, I wouldn't recommend SmartCheck but SoftICE, probably better with the help of a disassembler and SmartCheck (but the most important and efficient tool remains SoftICE), and now probably ExDec by JosephCo/C4N can really help a lot with P-CODE compiled VB programs....

That's all for now. Hope you like my tutorial and see you soon in another tutorial.
Ending:

Thanks and greetz to: +ORC, +HCU, Sandman, HarvestR, tKC, ytc_, Punisher, Kwai_Lo, TORN@DO, CrackZ, cLUSTER, LaZaRuS, mISTER fANATIC, yes123, WhizKiD, Volatility, ACiD BuRN, Eternal Bliss, R!SC, Kwazy Webbit, +Mammon, MisterE, Shadow, ^tCM^, WaJ, egis, Borna Janes, CyberBlade, josephCo, Kathras, tsehp, Predator, AB4DS(Death), douby, Steinowitz, Lord Soth, Latigo, Lucifer48, Mercution, NeuRaL_NoiSE, Fravia+, [dshadow], Duelist, Alpine, flag eRRatum, Nitrus, +Frog's Print, Muad`Dib, Acid_Cool_178, Iczelion, Razzia, Warezpup, Bomber Monkey, XMen, llama and other crackers, individuals and organisations who have helped me, either directly or indirectly.

Service for Mankind

ManKind
mankind001@bigfoot.com