                 TSCube   p r o u d l y     p r e s e n t s
                                                              www.tscube.cjb.net


                      ------------------------------------
                        Tutorial for webmasta's crackme #1
                      ------------------------------------



+----------+
| 1. Intro |
+----------+

A VB crackme with a keyfile protection... it might be interesting ;)



+---------------------------+
| 2. Let's start with WDASM |
+---------------------------+

Smartcheck only tells us that the crackme looks for a keyfile named 'key3.dat'. This is not
enough for us, so we'll start with a little bit of WDASM (the 'VB patched version' of course ;) :

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
* Reference To: MSVBVM60.__vbaFileOpen, Ord:0000h
                                  |
:0040A1D2 8B3DA0104000            mov edi, dword ptr [004010A0]

* Possible StringData Ref from Code Obj ->"key3.dat"
                                  |
:0040A1D8 686C9C4000              push 00409C6C -> keyfile name (amazing isn't it ? ;)
:0040A1DD 6A01                    push 00000001
:0040A1DF 33F6                    xor esi, esi
:0040A1E1 6AFF                    push FFFFFFFF
:0040A1E3 6A04                    push 00000004
:0040A1E5 8975DC                  mov dword ptr [ebp-24], esi
[SNIP]
:0040A251 89B580FEFFFF            mov dword ptr [ebp+FFFFFE80], esi
:0040A257 FFD7                    call edi
:0040A259 6A01                    push 00000001

* Reference To: MSVBVM60.__vbaFileClose, Ord:0000h
                                  |
:0040A25B FF1560104000            Call dword ptr [00401060]

* Possible StringData Ref from Code Obj ->"key3.dat"
                                  |
:0040A261 686C9C4000              push 00409C6C
:0040A266 6A01                    push 00000001
:0040A268 6AFF                    push FFFFFFFF
:0040A26A 6A01                    push 00000001
:0040A26C FFD7                    call edi

* Reference To: MSVBVM60.rtcFileLength, Ord:023Ah
                                  |
:0040A26E 8B3DA4104000            mov edi, dword ptr [004010A4]
:0040A274 6A01                    push 00000001
:0040A276 FFD7                    call edi -> gets length of keyfile
:0040A278 85C0                    test eax, eax
:0040A27A 0F8444080000            je 0040AAC4 -> FUCK OFF (LOF = 0 : empty or missing keyfile)

:0040A280 6A01                    push 00000001
:0040A282 FFD7                    call edi
:0040A284 83F851                  cmp eax, 00000051 -> 81 bytes
:0040A287 0F8C37080000            jl 0040AAC4 -> FUCK OFF (file not long enough)

first conclusion : the keyfile must be at least 81 bytes long

* Reference To: MSVBVM60.__vbaLineInputVar, Ord:0000h
                                  |
:0040A28D 8B3D24104000            mov edi, dword ptr [00401024]
:0040A293 8D459C                  lea eax, dword ptr [ebp-64]
:0040A296 6A01                    push 00000001
:0040A298 50                      push eax
:0040A299 FFD7                    call edi -> reads 1st line from keyfile

The line is returned in the VARIANT at [ebp-64] (the address that was pushed in EAX). By the way,
the keyfile is only a text file, so you can use NOTEPAD to create/modify it.

* Reference To: MSVBVM60.__vbaVarTstNe, Ord:0000h
                                  |
:0040A29B 8B1DC0104000            mov ebx, dword ptr [004010C0]
:0040A2A1 8D4D9C                  lea ecx, dword ptr [ebp-64]
:0040A2A4 8D95F8FEFFFF            lea edx, dword ptr [ebp+FFFFFEF8]
:0040A2AA 51                      push ecx
:0040A2AB 52                      push edx

* Possible StringData Ref from Code Obj ->"<----webmasta's crackme #3---->"
                                  |
:0040A2AC C78500FFFFFF849C4000    mov dword ptr [ebp+FFFFFF00], 00409C84 -> 1st correct line
:0040A2B6 C785F8FEFFFF08800000    mov dword ptr [ebp+FFFFFEF8], 00008008
:0040A2C0 FFD3                    call ebx
:0040A2C2 6685C0                  test ax, ax
:0040A2C5 0F85F9070000            jne 0040AAC4 -> FUCK OFF (1st line not correct)

:0040A2CB 8D855CFFFFFF            lea eax, dword ptr [ebp+FFFFFF5C]
:0040A2D1 6A01                    push 00000001
:0040A2D3 50                      push eax
:0040A2D4 FFD7                    call edi -> reads 2nd line from keyfile
:0040A2D6 8D4DCC                  lea ecx, dword ptr [ebp-34]
:0040A2D9 6A01                    push 00000001
:0040A2DB 51                      push ecx
:0040A2DC FFD7                    call edi -> reads 3rd line from keyfile
:0040A2DE 8D558C                  lea edx, dword ptr [ebp-74]
:0040A2E1 6A01                    push 00000001
:0040A2E3 52                      push edx
:0040A2E4 FFD7                    call edi -> reads 4th line from keyfile
:0040A2E6 8D458C                  lea eax, dword ptr [ebp-74]
:0040A2E9 8D8DF8FEFFFF            lea ecx, dword ptr [ebp+FFFFFEF8]
:0040A2EF 50                      push eax
:0040A2F0 51                      push ecx

* Possible StringData Ref from Code Obj ->"<----webmasta's crackme #3---->"
                                  |
:0040A2F1 C78500FFFFFF849C4000    mov dword ptr [ebp+FFFFFF00], 00409C84 -> 4th correct line
:0040A2FB C785F8FEFFFF08800000    mov dword ptr [ebp+FFFFFEF8], 00008008
:0040A305 FFD3                    call ebx
:0040A307 6685C0                  test ax, ax
:0040A30A 0F85B4070000            jne 0040AAC4 -> FUCK OFF (4th line not correct)
<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->

We know that the keyfile must be at least 81 bytes long, that it has 4 lines and that it looks
like this ('TSCube' and '123456' are just placeholders for the name and the serial, which we still
have to work out) :

<----webmasta's crackme #3---->
TSCube
123456
<----webmasta's crackme #3---->

Now we can create this keyfile and run Smartcheck.



+--------------------------------------------------------+
| 3. Let's continue with Smartcheck... and make a keygen |
+--------------------------------------------------------+

This WDASM detour was worth it: with a keyfile that passes the 4-line check, Smartcheck now tells us much more (View -> Show All Events) :

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
[...]
Mid(VARIANT:String:"TSCube",long:1,VARIANT:Integer:1)
_vbaStrVarVal(...)
Asc(String:"T") returns Integer:84
_vbaVarAdd(VARIANT:Empty,VARIANT:Integer:33)
_vbaVarAdd(VARIANT:Integer:33,VARIANT:Integer:84)
[...]
Mid(VARIANT:String:"TSCube",long:2,VARIANT:Integer:1)
_vbaStrVarVal(...)
Asc(String:"S") returns Integer:83
_vbaVarAdd(VARIANT:117,VARIANT:Integer:33)
_vbaVarAdd(VARIANT:Integer:150,VARIANT:Integer:83)
_vbaVarMove(...)
_vbaFreeStr(...)
<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->

in 'C' it looks like this (0-based index here, VB's Mid() is 1-based; same result) :

int serial = 0;
for (int i = 0; i < strlen(name); i++) serial = serial + name[i] + 33;   /* Asc(Mid(name, i, 1)) + 33 */

Let's see the end of the serial_check routine :

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
_vbaVarAdd(VARIANT:Integer:748,VARIANT:Long:3425456)   -> serial = serial + 3425456 (an ADD, not a MUL : 748 + 3425456 = 3426204)
_vbaVarMove(...)
Right(VARIANT:Long:3426204,long:1)                     -> last decimal digit of serial ("4")
_vbaVarMove(...)
_vbavarMul(VARIANT:Long:3426204,VARIANT:String:"4")    -> serial = serial * last_digit_of_serial (= 13704816, stored as a Double)
_vbaVarMove(...)
_vbaVarMul(VARIANT:Double:1.37...,VARIANT:Integer:2)   -> serial = serial * 2 (13704816 * 2 = 27409632)
[...]
_vbaVarTstNe(VARIANT:String:"123456",VARIANT:String:"27409632") -> comparison with the 3rd line of the keyfile
<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->

Now you can easily make a keygen (look at my keygen sources for more details)

Just be sure that the generated keyfile is at least 81 bytes long. The line breaks count too, so
write CRLF line ends as NOTEPAD does, and note that the 4 placeholder lines above only reach 81
bytes if the last line is CRLF-terminated as well (80 bytes without it). You can add padding
if you want.
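Here is a keygen in C written for this tutorial as an added example; it is not the author's keygen sources (which are not on this page). It follows the Smartcheck trace above step by step: sum of Asc()+33 over the name, add 3425456, multiply by the last decimal digit, multiply by 2, and it writes the 4-line key3.dat with CRLF line ends. Two things are assumptions of mine: that a 5th padding line is ignored by the crackme (the listing above only reads 4 lines), used only when the file would be shorter than 81 bytes, and that a serial ending in 0 (which zeroes the product) is expected as the string "0".

```c
/* Added example: keygen for webmasta's crackme #3 keyfile, reconstructed from the
 * Smartcheck trace and the WDASM listing in this tutorial. Not the author's keygen
 * sources. Assumptions are marked in the comments. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEYFILE_MIN_LEN 81          /* cmp eax, 00000051 / jl -> at least 0x51 bytes   */
#define MAGIC_ADD       3425456LL   /* _vbaVarAdd(..., VARIANT:Long:3425456)           */
static const char HEADER[] = "<----webmasta's crackme #3---->";   /* lines 1 and 4 */

/* Step 1: Asc(Mid(name, i, 1)) + 33 is accumulated over the whole name.
 * Asc() of plain ASCII is the byte value; non-ASCII names are out of scope. */
long long crackme_sum(const char *name)
{
    long long sum = 0;
    for (size_t i = 0; i < strlen(name); i++)
        sum += (unsigned char)name[i] + 33;
    return sum;
}

/* Steps 2-4, in the order the trace shows them:
 *   + 3425456              (VarAdd: 748 + 3425456 = 3426204)
 *   * last decimal digit   (Right(serial, 1), then VarMul by that one-char string)
 *   * 2                    (VarMul by Integer 2)
 * A last digit of 0 zeroes the whole product; assumption: the crackme then
 * expects "0" on line 3, as it compares the serial as a string. */
long long crackme_serial(const char *name)
{
    long long s = crackme_sum(name) + MAGIC_ADD;
    s *= s % 10;
    s *= 2;
    return s;
}

/* Build the keyfile in memory: four CRLF-terminated lines (NOTEPAD style).
 * If that is shorter than 81 bytes, a fifth line of '#' padding is appended.
 * Assumption: the check reads only four lines, so an extra line is ignored.
 * Returns a malloc'd buffer; the byte count is stored in *len. */
char *crackme_keyfile(const char *name, size_t *len)
{
    char serial[32];
    snprintf(serial, sizeof serial, "%lld", crackme_serial(name));

    size_t need  = 2 * (strlen(HEADER) + 2) + (strlen(name) + 2) + (strlen(serial) + 2);
    size_t pad   = need < KEYFILE_MIN_LEN ? KEYFILE_MIN_LEN - need : 0;
    size_t total = need + (pad ? pad + 2 : 0);

    char *buf = malloc(total + 1);
    if (!buf) return NULL;
    int n = snprintf(buf, total + 1, "%s\r\n%s\r\n%s\r\n%s\r\n", HEADER, name, serial, HEADER);
    if (pad) {
        memset(buf + n, '#', pad);
        memcpy(buf + n + pad, "\r\n", 3);   /* copies the terminating NUL as well */
    }
    *len = total;
    return buf;
}

/* Byte length the keyfile will have for this name (handy to check the 81-byte rule). */
size_t crackme_keyfile_len(const char *name)
{
    size_t len = 0;
    char *buf = crackme_keyfile(name, &len);
    free(buf);
    return len;
}

/* Write the keyfile in binary mode so the CRLFs survive on every platform. */
int crackme_write_keyfile(const char *name, const char *path)
{
    size_t len;
    char *buf = crackme_keyfile(name, &len);
    if (!buf) return -1;
    FILE *f = fopen(path, "wb");
    if (!f) { free(buf); return -1; }
    int ok = fwrite(buf, 1, len, f) == len;
    fclose(f);
    free(buf);
    return ok ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "TSCube";
    printf("name   : %s\nserial : %lld\nbytes  : %zu\n",
           name, crackme_serial(name), crackme_keyfile_len(name));
    return crackme_write_keyfile(name, "key3.dat") == 0 ? 0 : 1;
}
```

Usage: `./keygen TSCube` writes key3.dat next to the crackme with serial 27409632, which is exactly the value the Smartcheck trace above compares the placeholder "123456" against. For a one-letter name the four lines only reach 79 bytes, so the padding line is added.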



+----------+
| 4. Outro |
+----------+

Anything to ask ? no ? ok ! ;)

    ________     _______     _______
   /__   __/\   /  ____/\   /  ____/\
   \_/  /\_\/  /  /\___\/  /  /\___\/
    /  / /    /  /_/_     /  / / 
   /  / /    /____  /\   /  / /
  /  / /     \___/ / /  /  / /
 /  / /     ____/ / /  /  /_/_
/  / /     /_____/ /  /______/\
\__\/      \_____\/   \______\/ 27/07/2000

www.tscube.cjb.net