                 p r o u d l y     p r e s e n t s

                        www.tscube.cjb.net


                       Tutorial for Plasma's comeback crackme



1. Intro


Another VB crackme : this tutorial will show that using your brain can save a lot of time.



2. Time for Smartcheck


Open 'Plasma.exe' in Smartcheck, run it, enter 'TSCube' for your name and '123456' for your
serial, click on CHECK and let's see what we get :

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
OnError(...)
Text1.text
Text2.text
String("123") -> double(123)
Len(String:"TSCube") returns LONG:6
Long(6) -> Integer(6)

Mid$(String:"TSCube",long:1,VARIANT:Integer:1)	
Asc(String:"T") returns Integer:84			-> get ASCII value of first letter from name
Mid$(String:"TSCube",long:2,VARIANT:Integer:1)
Asc(String:"S") returns Integer:83			-> get ASCII value of second letter from name
[...]
Mid$(String:"TSCube",long:6,VARIANT:Integer:1)
Asc(String:"e") returns Integer:101		-> get ASCII value of last letter from name

Len(String:"TSCube") returns LONG:6		-> strlen(name)
Double(3300) -> String("3300")			-> magic_value
Left$(String:"3300",long:1)
String("3") -> Integer:3				-> first digit from magic_value
Double(52848) -> String("52848")			-> correct_serial
String("52848") -> Double(52848)
Label4.Caption -> "Do you just guess?"
<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->

name : TSCube
serial : 52848

WARNING : this stupid crackme reboots your computer if the serial is correct !!!



3. The keygen (this is the brain part ;)


First question : where does the magic_value come from ?
Second question : what's the relationship between the magic_value and the serial ?


	3.1. The magic_value
	

View -> 'Show All Events' won't tell us anything here, so we got 2 choices :

1) Trace like a fool with SICE to see how this magic_value is generated
2) Think a little (much harder huh ? ;)

I took the second choice, but you can trace if you prefer !

We know that : "TSCube" -> 3300

Let's try with other letters :
"A" -> 65
"B" -> 66
"AB" -> 262

If there's only one letter, the magic_value is the ASCII value of this letter... but what if it's
not the case ?

Look at this :

Len(String:"TSCube") returns LONG:6		-> strlen(name)
Double(3300) -> String("3300")			-> magic_value

Looks like the length of the name is used to compute the magic_value... eh wait :
262 = (65+66)*2 !!! (2 is length of "AB")

Let's check with "TSCube" :
3300 = (84 + 83 + 67 + 117 + 98 + 101) * 6

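In 'C' it would look like :

#include <string.h>
int get_magic_value(const char *name) {
    int magic_value = 0;                          /* running sum of the ASCII codes */
    for (size_t i = 0; i < strlen(name); i++) magic_value = magic_value + (unsigned char)name[i];
    return magic_value * (int)strlen(name);       /* multiplied by the name length */
}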


	3.2. The serial
	

Double(3300) -> String("3300")		-> magic_value
Left$(String:"3300",long:1)
String("3") -> Integer:3			-> first digit from magic_value
Double(52848) -> String("52848")		-> correct_serial

We must find a relationship between
- The magic_value
- The first digit of the magic value
- The serial

Let's see what we got with small names :

"A" => magic_value=65 => serial=1136 --+
                                       | +16
"B" => magic_value=66 => serial=1152 <-+
                                       | +16
"C" => magic_value=67 => serial=1168 <-+

"F" => magic_value=70 => serial=1232

" " => magic_value=32 => serial=560

Hum... this '16' value looks interesting, let's make some more maths :

'1136 / 16 = 71' and '71 - 65 = 6'
'1152 / 16 = 72' and '72 - 66 = 6'
'1232 / 16 = 77' and '77 - 70 = 7'
'560  / 16 = 35' and '35 - 32 = 3'

When I looked at these values, I immediately saw the relationship :

'serial = 16*(magic_value + first_digit_of_magic_value)'

example : 52848 = 16*(3300 + 3)


	3.3. The keygen
	

Now you can easily make a keygen, look at my (C) Javascript keygen for more details
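
The formulas from 3.1 and 3.2, checked against every name/serial pair observed above. This is an added example, not the Javascript keygen mentioned here (which is not reproduced on this page); the function names are made up for the illustration, and treating Asc() as returning 0..255 is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Section 3.1: sum of the character codes, multiplied by the name length. */
long magic_value(const char *name)
{
    size_t len = strlen(name);
    long sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += (unsigned char)name[i];  /* assumption: Asc() yields 0..255 */
    return sum * (long)len;
}

/* Leading decimal digit: the numeric equivalent of Left$(digits, 1). */
int first_digit(long v)
{
    while (v >= 10)
        v /= 10;
    return (int)v;
}

/* Section 3.2: serial = 16 * (magic_value + first digit of magic_value). */
long serial_for(const char *name)
{
    long m = magic_value(name);
    return 16 * (m + first_digit(m));
}

/* Every name/serial pair the tutorial observed in Smartcheck. */
static const struct { const char *name; long serial; } observed[] = {
    { "TSCube", 52848 }, { "A", 1136 }, { "B", 1152 },
    { "C", 1168 },       { "F", 1232 }, { " ", 560 },
};

/* Returns the number of observed pairs the formula fails to reproduce. */
int count_mismatches(void)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof observed / sizeof observed[0]; i++) {
        long got = serial_for(observed[i].name);
        int ok = (got == observed[i].serial);
        printf("\"%s\": magic=%ld serial=%ld %s\n", observed[i].name,
               magic_value(observed[i].name), got, ok ? "ok" : "MISMATCH");
        bad += !ok;
    }
    return bad;
}

int main(void) { return count_mismatches(); }
```
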



4. Outro


Quote of the day : "Brain is cool".


    ________     _______     _______
   /__   __/\   /  ____/\   /  ____/\
   \_/  /\_\/  /  /\___\/  /  /\___\/
    /  / /    /  /_/_     /  / / 
   /  / /    /____  /\   /  / /
  /  / /     \___/ / /  /  / /
 /  / /     ____/ / /  /  /_/_
/  / /     /_____/ /  /______/\
\__\/      \_____\/   \______\/ 26/07/2000

www.tscube.cjb.net