GenocideCrew
www.genocidecrew.cjb.net

Author    : balitog
Target    : crackme2.exe (vb5)
Protection: name/serial
-------------------------------------------------------------------------------------------------
Intro
-------------------------------------------------------------------------------------------------
I'm back! After three weeks away from the cracking scene I was finally able to spend some quality time cracking. This fourth tutorial is actually a continuation of the third (duh!): cracking VB using a different approach. Most crackers rely on SmartCheck (SC) to break VB-coded procedures. Unfortunately, cracking with SC will not give you much of a challenge, nor will it expand your knowledge. And most crackmes are now p-code (pseudo-code, which VB5/6 can emit instead of native code to keep the executable small). This is SC's limitation: it won't show you much if the target is freaking p-coded! We will crack a crackme written in VB to show you how easy it is (or maybe, in this case, just this crackme).
Tools Needed
-------------------------------------------------------------------------------------------------
SoftIce
Edit SoftIce's winice.dat (in the directory where you installed SoftIce) and add these lines:
AF4="^s 0 l ffffffff 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14,33,C0,F3,66,A7;"
EXP=c:\windows\system\msvbvm50.dll
EXP=c:\windows\system\msvbvm60.dll
The AF4 line binds Alt-F4 to a memory search (the s command, from address 0 over the whole address space) for the first bytes of the VB runtime's string compare loop: PUSH ESI / PUSH EDI / MOV EDI,[ESP+10] / MOV ESI,[ESP+0C] / MOV ECX,[ESP+14] / XOR EAX,EAX / REPE CMPSW. The EXP lines load the export tables of the VB5 and VB6 runtimes so that a bpx on a name like __vbaStrComp resolves; adjust the paths if your Windows directory is somewhere else.
crackme2.exe <--- www.fr1c.cjb.net (vb crackme2)
Let's Rock
-------------------------------------------------------------------------------------------------
With SoftIce's Symbol Loader running in the background, load and run our crackme. When it breaks at the entry point (Symbol Loader does that for you), type our breakpoint:
:bpx __vbaStrComp <======== the runtime call the procedure uses to compare two strings
Next, leave SoftIce (x). Our crackme should now be on screen. Type in our usual name and serial (try "Balitog" and "123456"), then click "Check." You should now be back in SoftIce.
-------- snip ---------
MSVBVM50!__vbaStrComp
999:99999999 PUSH EBP
999:99999999 MOV EBP,ESP
999:99999999 PUSH EBX
-------- snip ---------
Press F11 once (return to the caller), then clear our bpx (bc *) and press Alt-F4 to run the search macro. You should receive a message like this:
Pattern found at 999:99999999 (99999999) <----- this address varies; use the one you see
Place a bpx on that address, then leave SoftIce:
:bpx 999:99999999
:x
By now the bad boy message should appear. Ignore it and retype our name and serial. Click Check once more and you should be back in SoftIce again.
-------- snip ---------
999:99999999 RET 0004 <----- tail of the previous routine; the pattern starts right below it
999:99999999 PUSH ESI <----- You should land here.
999:99999999 PUSH EDI
999:99999999 MOV EDI,[ESP+10] <----- THIS LOADS THE POINTER TO YER SERIAL!
999:99999999 MOV ESI,[ESP+0C] <----- STEP PAST THE MOV EDI AND NOTE THAT EDI IS NOW HIGHLIGHTED
-------- snip ---------
Still in SoftIce, after pressing F10 to step past the MOV EDI instruction, type d edi. In the right-hand (ASCII) column of the data window you will see:
9.8.8.5.3.5...
This is the serial for Balitog: 988535. The dots are the zero high bytes of the characters, since VB keeps its strings as 16-bit Unicode (BSTR), so read every other character.
Now try your name.
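Here is the same trick redone in Python, as an added example that is not part of balitog's tutorial: a byte-signature search like the Alt-F4 macro from the Tools section, and a decoder for the string EDI points at, which is why d edi shows 9.8.8.5.3.5... The signature bytes are the ones from the winice.dat line; the memory image, the base address and where the BSTR sits in it are constructed here for illustration and are not taken from msvbvm50.dll.

```python
from __future__ import annotations
import struct

# Signature from the tutorial's AF4 macro: the first instructions of the VB
# runtime's wide-string compare loop.  Each line is one x86 instruction.
VBA_STRCMP_SIG = bytes.fromhex(
    "56"          # push esi
    "57"          # push edi
    "8B7C2410"    # mov  edi,[esp+10h]  ; second string (the tutorial's serial)
    "8B74240C"    # mov  esi,[esp+0Ch]  ; first string
    "8B4C2414"    # mov  ecx,[esp+14h]  ; length in characters
    "33C0"        # xor  eax,eax
    "F366A7"      # repe cmpsw          ; compare 16-bit characters
)

BASE = 0x0F000000  # constructed load address (assumption, not msvbvm50's real one)


def find_pattern(image: bytes, sig: bytes, base: int = 0) -> list[int]:
    """All addresses where sig occurs in image, like SoftIce's
    's <start> l <len> <bytes>' but reporting every hit: a short signature
    can match more than once, and you must pick the one inside the VB runtime."""
    hits, pos = [], image.find(sig)
    while pos != -1:
        hits.append(base + pos)
        pos = image.find(sig, pos + 1)
    return hits


def read_bstr(image: bytes, base: int, addr: int) -> str:
    """Decode the VB string (a COM BSTR) a register such as EDI points at.
    Layout: 4-byte length in BYTES just before the pointer, then UTF-16LE
    characters, then a 16-bit NUL.  Reading the prefix instead of scanning
    for the NUL also handles serials that legitimately contain \\0."""
    off = addr - base
    if off < 4 or off > len(image):
        raise ValueError("address outside constructed image")
    nbytes = struct.unpack_from("<I", image, off - 4)[0]
    return image[off:off + nbytes].decode("utf-16-le")


def ascii_pane(image: bytes, base: int, addr: int, width: int = 16) -> str:
    """Right-hand column of SoftIce's data window: printable bytes as-is,
    everything else as '.'.  A wide string therefore reads 9.8.8.5.3.5.
    because every other byte is the 0x00 high byte of a UTF-16 character."""
    off = addr - base
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in image[off:off + width])


def build_image() -> tuple[bytes, int]:
    """Constructed memory: padding, the tail of some routine (RET 0004), the
    compare routine's first bytes, more padding, then a BSTR holding the
    serial the tutorial found for 'Balitog'.  Returns (image, offset of the
    first character, i.e. where EDI points after MOV EDI,[ESP+10])."""
    serial = "988535".encode("utf-16-le")
    bstr = struct.pack("<I", len(serial)) + serial + b"\x00\x00"
    head = (b"\xCC" * 0x40            # int3 padding
            + b"\xC2\x04\x00"         # ret 0004
            + VBA_STRCMP_SIG
            + b"\x90" * 0x20)         # nop padding
    return head + bstr + b"\x00" * 8, len(head) + 4


IMAGE, EDI_OFF = build_image()
EDI = BASE + EDI_OFF

if __name__ == "__main__":
    for hit in find_pattern(IMAGE, VBA_STRCMP_SIG, BASE):
        print(f"Pattern found at {hit:08X}")            # what Alt-F4 reports
    print("d edi  ->", ascii_pane(IMAGE, BASE, EDI))    # 9.8.8.5.3.5.....
    print("serial ->", read_bstr(IMAGE, BASE, EDI))     # 988535
```

Running it prints the one hit and the two views of the same bytes. On a real target the search can return more than one address; keep the hit that falls inside the VB runtime's code, and remember that the ASCII pane shows the compare routine itself as "VW.|" for the same reason the serial shows with dots: it is rendering raw bytes, not text.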
Greetz
-------------------------------------------------------------------------------------------------
GC, Jonah and Jeramheel of AOL, to my beautiful wife, Corbio (ey! man i need yer help), and to all the ppl who made cracking possible ---> Carpe Diem! Fr1c, tnx for the info in yer ezine.
-------------------------------------------------------------------------------------------------
mail me ===>>> balitog@joymail.com (so I will know somebody loves me =()