	  Ŀ
	                                                              Ŀ
	    
	          
	          
	                                               
	                                               
	                                   
	                                   
	                                   
	                                                
	                                                
	                       
	                       
	                 
	                                                                  
	                                                                  
	                         
	                 p r o u d l y     p r e s e n t s                
	                         
	                                                                  
	Ŀ                                            www.tscube.cjb.net
	  



                      ╔═══════════════════════════════════╗
                      ║ Tutorial for Laokoon crackme #1   ║
                      ╚═══════════════════════════════════╝



┌──────────┐
│ 1. Intro │
└──────────┘

Let's see what Laokoon says : "Should be quite hard to crack. [...] If you crack in short time, 
I must have missed something out or I am just stupid."

Is one hour fast enough for you ? You're not stupid, you just thought the others would not be
smart enough ;)

By the way, the crackme crashes if you click on 'Check' without entering any information (most likely an unhandled VB runtime error, since the listing below shows Asc() being called on the raw input without any length check).



┌──────────────────────────────────┐
│ 2. What does SmartCheck tell us? │
└──────────────────────────────────┘

You can see that the crackme plays a lot with our name and company and generates a magic_value 
from them :

Name : TSCube
Company : [CB] (Cracker's Belin ;)
Serial : 123456

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
[...]
Asc(String:"TSCube") returns Integer:84
Len(String:"[CB]") returns LONG:4
Len(String:"[CB]") returns LONG:4
_vbaVarMove(VARIANT:Long:1696,VARIANT:Empty)
<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->

Of course, it just looks like a magic_value, because if you scroll down, you'll see that this
value is used a little later to create another magic_value.

Yes, it just looks like a magic_value... but in fact it's the SERIAL !!!

Laokoon wanted to fool the Smartcheck users by making them think it was just a temp value, but 
it didn't work with me ;)

Name : TSCube
Company : [CB]
Serial : 1696



┌───────────────┐
│ 3. The keygen │
└───────────────┘

Well, we'll have to finish our Smartcheck session here because we don't have enough information
to make a keygen.

Note: if somewhere you find a tutorial by a guy saying he used ZEN cracking to make a keygen
with SmartCheck alone, you can be sure he's the biggest liar in the universe ;)

We'll use WDASM ('VB patched version') to see what's going on. The dead listing looks quite long
because Laokoon used another nasty trick: he does a lot of useless computations to hide the
real serial-generation routine (which is of course VERY easy).

Just follow the listing and you'll see what I mean (name = TSCube and company = [CB]):

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409291(C)
|
:004092A1 8B4DA8                  mov ecx, dword ptr [ebp-58] -> company

* Reference To: MSVBVM50.__vbaLenBstr, Ord:0000h
                                  |
:004092A4 8B350CB14000            mov esi, dword ptr [0040B10C]
:004092AA 51                      push ecx
:004092AB FFD6                    call esi
:004092AD 8B55AC                  mov edx, dword ptr [ebp-54] -> name
:004092B0 8BD8                    mov ebx, eax
:004092B2 52                      push edx
:004092B3 FFD6                    call esi

* Reference To: MSVBVM50.rtcAnsiValueBstr, Ord:0204h
                                  |
:004092B5 8B3D20B14000            mov edi, dword ptr [0040B120]
:004092BB 03D8                    add ebx, eax

EBX = strlen(name) + strlen(company)

:004092BD 8B45A4                  mov eax, dword ptr [ebp-5C]
:004092C0 50                      push eax
:004092C1 0F80B7050000            jo 0040987E
:004092C7 FFD7                    call edi
:004092C9 8B55B0                  mov edx, dword ptr [ebp-50]
:004092CC 0FBFC8                  movsx ecx, ax
:004092CF 03D9                    add ebx, ecx

EBX = strlen(name) + strlen(company) + 'T' (ASCII value of 'T' of course ;)

:004092D1 52                      push edx
:004092D2 0F80A6050000            jo 0040987E
:004092D8 FFD7                    call edi
:004092DA 899D2CFEFFFF            mov dword ptr [ebp+FFFFFE2C], ebx
:004092E0 0FBFD8                  movsx ebx, ax

EBX = strlen(name) + strlen(company) + 'T' + 'C'

:004092E3 8B45BC                  mov eax, dword ptr [ebp-44] -> company
:004092E6 50                      push eax
:004092E7 FFD6                    call esi
:004092E9 8B8D2CFEFFFF            mov ecx, dword ptr [ebp+FFFFFE2C]
:004092EF 8B55C0                  mov edx, dword ptr [ebp-40]
:004092F2 03D8                    add ebx, eax

EBX = strlen(company) + '['

:004092F4 52                      push edx
:004092F5 0F8083050000            jo 0040987E
:004092FB 2BD9                    sub ebx, ecx

EBX = (strlen(company) + '[') - (strlen(name) + strlen(company) + 'T' + 'C')

:004092FD 0F807B050000            jo 0040987E
:00409303 FFD7                    call edi
:00409305 899D28FEFFFF            mov dword ptr [ebp+FFFFFE28], ebx
:0040930B 668BD8                  mov bx, ax
:0040930E 8B45C4                  mov eax, dword ptr [ebp-3C] -> name
:00409311 50                      push eax
:00409312 FFD7                    call edi
:00409314 8B4DC8                  mov ecx, dword ptr [ebp-38]
:00409317 668BF8                  mov di, ax
:0040931A 662BFB                  sub di, bx

DI = 0 (DI is ALWAYS equal to 0)

:0040931D 51                      push ecx
:0040931E 0F805A050000            jo 0040987E

* Reference To: MSVBVM50.rtcAnsiValueBstr, Ord:0204h
                                  |
:00409324 FF1520B14000            Call dword ptr [0040B120]
:0040932A 660FAFF8                imul di, ax

DI = 0

:0040932E 0F804A050000            jo 0040987E
:00409334 0FBFD7                  movsx edx, di
:00409337 8BBD28FEFFFF            mov edi, dword ptr [ebp+FFFFFE28]
:0040933D 8B45A0                  mov eax, dword ptr [ebp-60]
:00409340 0FAFFA                  imul edi, edx

EDI = 0

:00409343 50                      push eax
:00409344 0F8034050000            jo 0040987E
:0040934A FFD6                    call esi
:0040934C 0FAFF8                  imul edi, eax

EDI = 0 (boring huh ? ;)

:0040934F 0F8029050000            jo 0040987E
:00409355 6BFF02                  imul edi, 00000002
:00409358 8B4DD0                  mov ecx, dword ptr [ebp-30]
:0040935B 0F801D050000            jo 0040987E
:00409361 51                      push ecx
:00409362 89BD24FEFFFF            mov dword ptr [ebp+FFFFFE24], edi

* Reference To: MSVBVM50.rtcAnsiValueBstr, Ord:0204h
                                  |
:00409368 FF1520B14000            Call dword ptr [0040B120]
:0040936E 8B55CC                  mov edx, dword ptr [ebp-34]
:00409371 52                      push edx
:00409372 0FBFF8                  movsx edi, ax
:00409375 FFD6                    call esi
:00409377 0FAFF8                  imul edi, eax

EDI = 'T' * strlen(company)

:0040937A 8B45D4                  mov eax, dword ptr [ebp-2C]
:0040937D 50                      push eax
:0040937E 0F80FA040000            jo 0040987E
:00409384 FFD6                    call esi
:00409386 8B4DD8                  mov ecx, dword ptr [ebp-28]
:00409389 8BD8                    mov ebx, eax
:0040938B 51                      push ecx
:0040938C FFD6                    call esi
:0040938E 03D8                    add ebx, eax

EBX = strlen(company) + strlen(name)

:00409390 0F80E8040000            jo 0040987E
:00409396 03FB                    add edi, ebx

EDI = 'T'*strlen(company) + strlen(company) + strlen(name)

:00409398 8B9D24FEFFFF            mov ebx, dword ptr [ebp+FFFFFE24]
:0040939E 0F80DA040000            jo 0040987E
:004093A4 03DF                    add ebx, edi
:004093A6 0F80D2040000            jo 0040987E
:004093AC 8B559C                  mov edx, dword ptr [ebp-64]
:004093AF 52                      push edx
:004093B0 FFD6                    call esi
:004093B2 03D8                    add ebx, eax

EBX = 'T'*strlen(company) + strlen(company) + strlen(name) + strlen(name)

:004093B4 8B4594                  mov eax, dword ptr [ebp-6C]
:004093B7 50                      push eax
:004093B8 0F80C0040000            jo 0040987E

* Reference To: MSVBVM50.rtcAnsiValueBstr, Ord:0204h
                                  |
:004093BE FF1520B14000            Call dword ptr [0040B120]
:004093C4 8B4D98                  mov ecx, dword ptr [ebp-68]
:004093C7 51                      push ecx
:004093C8 0FBFF8                  movsx edi, ax
:004093CB FFD6                    call esi
:004093CD 0FAFF8                  imul edi, eax

EDI = 'T' * strlen(company)

:004093D0 8B5590                  mov edx, dword ptr [ebp-70]
:004093D3 52                      push edx
:004093D4 0F80A4040000            jo 0040987E
:004093DA FFD6                    call esi
:004093DC 0FAFF8                  imul edi, eax

EDI = 'T' * strlen(company) * strlen(company)

:004093DF 0F8099040000            jo 0040987E
:004093E5 03DF                    add ebx, edi

EBX = 'T'*strlen(company) + strlen(company) + strlen(name) + strlen(name)
       + 'T' * strlen(company) * strlen(company)

and this is our SERIAL !

:004093E7 8D95FCFEFFFF            lea edx, dword ptr [ebp+FFFFFEFC]
:004093ED 0F808B040000            jo 0040987E
:004093F3 8D4DDC                  lea ecx, dword ptr [ebp-24]
:004093F6 899D04FFFFFF            mov dword ptr [ebp+FFFFFF04], ebx
:004093FC C785FCFEFFFF03000000    mov dword ptr [ebp+FFFFFEFC], 00000003

* Reference To: MSVBVM50.__vbaVarMove, Ord:0000h
                                  |
:00409406 FF1504B14000            Call dword ptr [0040B104]
<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->

I don't know why, but I made a keygen for this crackme... maybe because Laokoon said "I do NOT 
want ANY serialz or patches". Well, here is my (C) L33t Javascript keygen ;)



┌──────────┐
│ 4. Outro │
└──────────┘

2:00 am ? Maybe I should sleep now ;)


    ________     _______     _______
   /__   __/\   /  ____/\   /  ____/\
   \_/  /\_\/  /  /\___\/  /  /\___\/
    /  / /    /  /_/_     /  / / 
   /  / /    /____  /\   /  / /
  /  / /     \___/ / /  /  / /
 /  / /     ____/ / /  /  /_/_
/  / /     /_____/ /  /______/\
\__\/      \_____\/   \______\/ 30/07/2000

www.tscube.cjb.net


