                 p r o u d l y     p r e s e n t s

                                               www.tscube.cjb.net


                        Tutorial for mogul crackme #1



1. Intro


This is my first tutorial for a Visual Basic crackme, so I'll make it as clear and complete as
possible... (as usual ;)



2. The power of Smartcheck


<<
As you run a program (EXE), SmartCheck runs in the background monitoring it continuously, and 
capturing program events and errors. SmartCheck automatically searches for errors in your 
program executable as well as the dynamic-link libraries, third-party modules, and OLE components
used by your program. It can also find errors in programs for which you do not have source code 
(yeah, that can be useful for us ;), though we recommend that you have source code with debugging 
information to maximize error detection and diagnosis. SmartCheck checks all API calls, memory 
allocations and deallocations, Windows messages, and other significant program events.
>>

Smartcheck is able to produce a "commented movie" (Fravia's words) of all operations, making it
possible to see (or deduce) the various operations made by the program without using a debugger.

But before starting our work, Smartcheck must be correctly configured. I suggest you have a look
at 'smart_conf.txt', which describes a way of configuring this great tool and gives a description
of common VB functions (this text is from AcidBurn).

Done it ? Great ! Now for the good news : we are going to write a keygen for this crackme simply
by using Smartcheck. Yes : NO Sice, NO Wdasm, NO IDA, just Smartcheck.



3. An overview of the protection scheme



	3.1. A small part of the protection scheme

Run smartcheck, open 'CrackMe1.exe' and select Program -> Start.

When the main window of the crackme appears, type 'TSCube' for your name, and '123456' for your
serial, then click on 'Check it!' Hum 'Try again' ? Ok, I'll try again, but next time, the serial 
will be correct ;)

Look in Smartcheck's 'Program Results' window; the last entries are :

[+] frmMain_Activate
[+] cmdCheck_Click

Click on the [+] from cmdCheck_Click to expand it :

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
txtName.text
txtSerial.text
Len(String,"TSCube") returns LONG:6
Len(String,"TSCube") returns LONG:6

Mid(VARIANT:ByRef String:"TSCube", long:1, VARIANT:Integer:1) -> gets first letter of name
Asc(String:"T") returns Integer:84                            -> converts it to ASCII value
Long(3) -> Integer(3)                                         -> converts Long to Integer
Str(VARIANT:ByRef Integer:3)                                  -> converts Integer to string
Trim(VARIANT:String: " 3"                                     -> delete spaces of string

Mid(VARIANT:ByRef String:"TSCube", long:2, VARIANT:Integer:1) }
Asc(String:"S") returns Integer:83                            }
Long(4) -> Integer(4)                                         } same thing with second letter
Str(VARIANT:ByRef Integer:4)                                  } of name
Trim(VARIANT:String: " 4"                                     }

[...]

MsgBox(VARIANT:String:"Try again"...)
<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->

Hum... all we can say is that the crackme takes the letters of our name one by one, converts
them to their ASCII values and... that's all.

Look at these 2 lines :

Asc(String:"T") returns Integer:84
Long(3) -> Integer(3)

Obviously, something is happening between these lines; and we must find out how the value '84'
suddenly becomes '3' ;)


	3.2. A valid serial

If something is missing, it's because you asked Smartcheck to only 'Show errors and Specific
Events' (aren't you ashamed of yourself ? ;).
Now, we are going to have a look at the whole protection scheme; click on 'cmdCheck_Click' to 
highlight it, then :

View -> Show all Events

Again, click on the [+] from cmdCheck_Click to expand it... looks better huh ? ;)

Scroll down until you reach the end of the listing :

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
[...]
    _vbaStrcmp(String:"123456", String"343043") returns DWORD:1)
[+] _vbaVarDup(...)
[+] _vbaVarDup(...)
    MsgBox(VARIANT:String:"Try again"...)
<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->

Well, the crackme simply uses the _vbaStrcmp function to compare our serial ("123456") with
the correct serial "343043".

Name : TSCube
Serial : 343043

Et voila, the crackme is cracked, it was easy, cu next time for my next tutorial and greetz to
my groups, to all the people I know etc...

Just joking ;)



4. The keygen


It's funny to see that a lot of newbies like making 20-line tutorials explaining how they found 
a serial in 10 seconds... or worse, dare to pretend they cracked a crackme simply because they 
made a lame patch (oh yeah, very hard to change 'jne' to 'jmp' ;)
I would just like to say that, unless otherwise mentioned, crackmes must NOT be patched and that
the real challenge is not to find serials, but rather to understand HOW the protection scheme 
works.

Now that everything is clear, let's see how the serial is generated ;)

Thanks to the 'Show all events', we can now see the missing lines that interest us :

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
[...]

Mid(VARIANT:ByRef String:"TSCube", long:1, VARIANT:Integer:1)        -> 1st letter of name : 'T'
Asc(String:"T") returns Integer:84                                   -> ASCII value (84)
_vbaFreeStr(...)
SysFreeString(...) 
_vbaVarMul(VARIANT:Integer:84, VARIANT Long:1) returns DWORD:65F3C8  -> 84 = 84 * 1
_vbaVarMod(VARIANT:Long:84, VARIANT Integer:9) returns DWORD:65F3B8  -> 3 = 84 MODULO 9
Long(3) -> Integer(3)                                               
Str(VARIANT:ByRef Integer:3)                                         
Trim(VARIANT:String: " 3"                                            -> first letter of serial !

[...]

Mid(VARIANT:ByRef String:"TSCube", long:2, VARIANT:Integer:1)        -> 2nd letter of name : 'S'
Asc(String:"S") returns Integer:83                                   -> ASCII value (83)
_vbaFreeStr(...)
SysFreeString(...)
_vbaVarMul(VARIANT:Integer:83, VARIANT Long:2) returns DWORD:65F3C8  -> 166 = 83 * 2
_vbaVarMod(VARIANT:Long:166, VARIANT Integer:9) returns DWORD:65F3B8 -> 4 = 166 MODULO 9                  
Long(4) -> Integer(4)                                    
Str(VARIANT:ByRef Integer:4)                                                          
Trim(VARIANT:String: " 4"                                            -> 2nd letter of serial !          

[...]

Mid(VARIANT:ByRef String:"TSCube", long:3, VARIANT:Integer:1)        -> 3rd letter of name : 'C'
Asc(String:"C") returns Integer:67                                   -> ASCII value (67)
_vbaFreeStr(...)
SysFreeString(...)
_vbaVarMul(VARIANT:Integer:67, VARIANT Long:3) returns DWORD:65F3C8  -> 201 = 67 * 3
_vbaVarMod(VARIANT:Long:201, VARIANT Integer:9) returns DWORD:65F3B8 -> 3 = 201 MODULO 9                  
Long(3) -> Integer(3)                                    
Str(VARIANT:ByRef Integer:3)                                                          
Trim(VARIANT:String: " 3"                                            -> 3rd letter of serial !

[...]

MsgBox(VARIANT:String:"Try again"...)
<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->

Nothing to add, the algo is pretty clear : just a loop, a serial generated by multiplying the
ASCII value of each letter of the name by the loop counter, a MODULO 9 and a conversion to a string.

Look at my (C) Javascript keygen for more details.
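As an added example (this is not the author's keygen and not the crackme's own code), here is the algorithm recovered from the Smartcheck trace written out in JavaScript, with one statement per traced VB call. The function names (traceSerial, keygen, checkSerial) are my own; the name is assumed to be plain ASCII, so charCodeAt gives the same value VB's Asc did in the trace. The intermediate values per letter (character, ASCII code, product with the 1-based loop counter, result of MODULO 9) are returned so they can be compared line by line with the listing above.

```javascript
// Added example: re-implementation of the serial algorithm seen in the
// SmartCheck trace. Not the author's keygen; function names are assumptions.

// One object per letter, mirroring the SmartCheck lines for that letter:
//   Mid(name, i, 1)        -> name.charAt(i - 1)   (i is the 1-based loop counter)
//   Asc(ch)                -> ch.charCodeAt(0)     (assumes an ASCII name)
//   _vbaVarMul(code, i)    -> code * i
//   _vbaVarMod(product, 9) -> product % 9
function traceSerial(name) {
  const steps = [];
  for (let i = 1; i <= name.length; i++) {
    const ch = name.charAt(i - 1);     // Mid(VARIANT:ByRef String:name, long:i, 1)
    const code = ch.charCodeAt(0);     // Asc(String:ch) returns Integer:code
    const product = code * i;          // _vbaVarMul(code, i)
    const digit = product % 9;         // _vbaVarMod(product, 9)
    steps.push({ i, ch, code, product, digit });
  }
  return steps;
}

// Str() turns the digit into " 3", Trim() removes the space, and the loop
// concatenates the pieces: one decimal digit (0..8) per letter of the name.
function keygen(name) {
  return traceSerial(name).map((s) => String(s.digit)).join("");
}

// The final _vbaStrcmp in the trace: nonzero (mismatch) leads to 'Try again'.
function checkSerial(name, serial) {
  return keygen(name) === serial;
}

// Values from the tutorial: name 'TSCube', serial 343043; 123456 is rejected.
console.log(keygen("TSCube"));
console.log(checkSerial("TSCube", "123456"));
console.log(traceSerial("TSCube"));
```

Running traceSerial("TSCube") reproduces the three letters shown in the listing (84 * 1 = 84, MOD 9 = 3; 83 * 2 = 166, MOD 9 = 4; 67 * 3 = 201, MOD 9 = 3) and continues for 'u', 'b' and 'e', giving 343043. Note also what the trace reveals about the scheme's strength: each letter contributes only a residue modulo 9, so the serial for an n-letter name is one of at most 9^n strings and many different names share a serial, which is why a check of this kind gives no real protection once the comparison is visible in a trace.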


5. Outro


I'd like to dedicate this tutorial to AcidBurn, the almighty VB reverser ;)

    ________     _______     _______
   /__   __/\   /  ____/\   /  ____/\
   \_/  /\_\/  /  /\___\/  /  /\___\/
    /  / /    /  /_/_     /  / / 
   /  / /    /____  /\   /  / /
  /  / /     \___/ / /  /  / /
 /  / /     ____/ / /  /  /_/_
/  / /     /_____/ /  /______/\
\__\/      \_____\/   \______\/ 25/07/2000

www.tscube.cjb.net
