|About this tutorial:
Tutorial:Keygenning with SmartCheck
Target:Visi Font Gold 2.0(http://www.dcmsoftware.bizland.com/)
Tools:SoftICE 3.24, SmartCheck 6.xx(these are good softwares, worth buying)
Date:6th April 2000(Last updated on 13th April 2000)
Descriptions&Comments:In this tutorial, I will show you the power of SmartCheck as we will be doing a keygen with SmartCheck as the only tool. This is a Microsoft Visual Basic 5 program. Please do register this program(and also other good programs by the author) because the author is a kind fellow who only charge the users $5.00 for each of his softwares. He is not greedy at all, and I think the $5.00 charge will only at most support his life and gives him a ride or two in the recreation park, not more, not less. A little note to the author, if you happen to be reading this document, please do not blame me, instead, contact me and I would be more than willing to help a kind fellow like you to implement a better protections on your softwares...
Disclaimer:This file is used for educational purposes only. Any misuse of the information presented here is not my responsibility.
Copyright information:This tutorial is copyright © ManKind
Start Visi Font Gold. I am not really sure what it does but I know it has something to do with font, its usage is not what we are interested in, its protection is... Choose Option -> Register and you will be presented with a small register window, enter your Name and Unlock Code in the text fields as below:
We know that this a VB5 program. We will try to break in SoftICE when the program is comparing the fake Unlock Code to the real one to get the real Unlock Code and the most(not really, but I believe quite a sum of softwares are) used function to compare two or more strings in VB5 is __vbaStrCmp(note that there are two(2) underscores there(_)). So let's go into SoftICE and set a breakpoint on that function so that we could proceed with our plan of fishing a real Unlock Code for our name like below:
Leave SoftICE, press the Unlock button, SoftICE will pop up due to the breakpoint we set on the __vbaStrCmp function. Press F11 once to return to the caller of the function and you will be thrown to the following code:
:0042CAF6 CALL [MSVBVM50!__vbaStrCmp]
:0042CAFC MOV ESI,EAX <-- you land here
Let's see whether the strings that is compared is still kept in one of the registers, dump the content of the EDX register by doing the following command:
What do you see in the data window of SoftICE? That looks like the real Unlock Code for our name in wide-char format(don't ask me what it is, ask in #cracking4newbies on EFNET server if you really want to know, just ignore the dots(.) and you will get the string in multibyte-char). I don't show the Unlock Code of my name here because I think that the author of this program is kind enough to offer his software at $5.00, so, everyone who wishes to use it MUST register it especially those lamers and the main purpose of this essay is not to destroy the author or his income(or maybe his family).
Keygenning with SmartCheck:
Unregister the program if you have registered it(use regedit, its in "My Computer\HKCU\Software\VB and VBA Program Settings\Visi Font Gold 2.0\Font Viewer\" just in case if you can't find it and contact me if you are really lame to not know how to edit those values(heh)). We can leave SoftICE alone now and proceed to use SmartCheck as our main tool because tracing with SoftICE inside VB programs is always an unpleasant experience(not to mention unpleasant results, hehe). I use SmartCheck 6.01 but I think any version starting from 6.xx should work. Make sure you have configured SmartCheck correctly for cracking purposes before following this part, you should visit Eternal Bliss's site and get his tutorials if you haven't configured it(well, not only for configuration purpose actually, there are other priceless stuffs there by Eternal Bliss). Let's start now. Start SmartCheck, open(load) the visigold.exe into SmartCheck(a window will pop up) and go to the menu Program -> Start(another window will pop up displaying events of the program, maximise it, we will work with this window). After some events, the main window of Visi Font Gold will pop up, so, go choose Options -> Register like the first part, enter ManKind as Nmae and 23199981 as Unlock Code into the text fields and finally press the Unlock button. The bad_cracker_message will pop up, just press Ok, switch back to SmartCheck and go to the menu Program -> End and the program will be terminated. Look at the Events and find the registration event(usually after a button is pressed, in this example, Unlock is that button, but SmartCheck will not refer it as the caption of the button but its internal name instead, like Command1). You should come to this(what you see in SmartCheck is highlighted in green while the black text is comment):
Expand it by double-clicking on the plus(+) sign and more events will be showed:
| Text1.Text <-- input field of Name
| LTrim$ <-- get the Name
| Len returns LONG:7 <-- get the length of name
| Mid$ <-- get the first byte of name
| Asc returns Integer:77 <-- ascii of first byte
| Double (5929) --> Long (5929) <-- 77 * 77 = 5929
| Mid$ <-- get second byte of name
| Asc returns Integer:97 <-- ascii of second byte
| Double (24747) --> Long (24747) <-- (97 * 97 * 2) + 5929 = 24747
| Mid$ <-- get the third byte of name
| Asc returns Integer:110 <-- ascii of third byte
| Double (61047) --> Long (61047) <-- (110 * 110 * 3) + 24747 = 61047
| Mid$ <-- get the fourth byte
| Asc returns Integer:75 <-- ascii of fourth byte
| Double (83547) --> Long (83547) <-- (75 * 75 * 4) + 61047 = 83547
| Mid$ <-- get the fifth byte of name
| Asc returns Integer:105<-- ascii of fifth byte
| Double (138672) --> Long (138672) <-- (105 * 105 * 5) + 83547 = 138672
| Mid$ <-- get the sixth byte
| Asc returns Integer:110 <-- ascii of sixth byte
| Double (211272) --> Long (211272) <-- (110 * 110 * 6) + 138672 = 211272
| Mid$ <-- get the seventh byte of name
| Asc returns Integer:100 <-- ascii of seventh byte
| Double (281272) --> Long (281272) <-- (100 * 100 * 7) + 211272 = 281272
| MsgBox returns Integer:1 <-- bad_cracker_message
I think you got the idea now but I still have to explain a little(don't I?). Here's the conclusion about the algo:
The ascii of a byte must be powered to itself and multiply by its position and added to the previously calculated value to generate correct Unlock Code
Here are some of the questions you might ask:
1. how do you know that 77 * 77 = 5929?
-try 5929 / 77 and you will get what should be multiply to 77 to get 5929
-if you do Show All Events in SmartCheck you will see that __vbaPowerR8 function is called after the "Asc returns Integer:77" line where it is used to calculate a number POWER by something...
- actually, the calculation for this should be 77 * 77 * 1 = 5929
2. how do you know that the ascii of a byte must be powered to itself
and multiply by its position and added to the previously calculated value
to generate correct Unlock Code?
- trial and error
- because if the second calculated value(24747) minus previous calculated value(5929), it equals to two times of 97 * 97(97 is the ascii of the current byte)
-the same thing happen to the other values, so, I conclude that a byte must be powered to itself and multiple its current position and then added to the previously calculated value...
I think it is really clear to you now and I need not explain about the algo anymore(its good if you don't understand completely yet, because that makes you THINK). As usual, for my keygenning tutorial, I would include a keygen source but this time I would only show you the calculation part source. Since the program is coded in VB 5, I shall code the source in Visual Basic too and here's the calculation part source(comment highlighted in green as in VB itself):
|For i = 1 to Len(Text1.Text) 'i
is counter, Text1.Text refers to the name's text field, loop until byte
of name finish
name1 = Asc(Mid(Text1.Text, i, 1)) 'get a byte of name name2 = (name1 ^ 2) * i 'the main algo here(ascii of byte 'power by two multiple by current position of byte)
name2 = (name1 ^ 2) * i 'main algo here(ascii of byte power by 2 and multiplied to current position of byte)
name3 = name3 + name2 'sum up all the calculated values
Next i 'loop again
Text2.Text = name3 'Text2.Text refers to the text field where you would show user his/her Unlock Code for the specified name, show user the final calculated value which is the correct Unlock Code
As a little note for the keygen, I would like to state that IF any other programming languages(probably not all, but I tried Assembly and QBasic) are used to code the keygen for Visi Font Gold other than Visual Basic(I tried VB5), it would be messed up when dealing with special characters like î, é and many more(that's why I choose to show you the calculation source in VB).
Lastly, my little opinion and comment on SmartCheck and its usage:
- could be VERY useful for cracking VB programs
- when trying to keygen, its totally different from SoftICE and normal approach where you got to see, feel and execute the asm instructions, while in here, you have to guess, think, try, figure out and so on...
- very good tool for crackers and programmers
- useful for newbies to do quick crack(serial fishing)...
- lame(its protections and the fact that it is developed by a company called Microsoft, hehe, joking only...)
- no more at the moment...
There, my first tutorial which totally relies on SmartCheck. I would really like to do more tutorials on using SmartCheck(which is pretty rare compared to those using SoftICE) especially on harder targets with harder protections and keygen algo(thanks to webm4sta for commenting:i know the algo of this target is pretty simple, but should be good enough for beginners to KNOW SmartCheck).That's all for now. Hope to see you soon on my next tutorial. As usual, contact me if I make any mistake, give me your feedback, comments, suggestions and opinions about this tutorial and my way of presenting it.
Thanks and greetz to:
+ORC, +HCU, Sandman, HarvestR, tKC, ytc_, Punisher, Kwai_Lo, TORN@DO, CrackZ, cLUSTER, LaZaRuS, mISTER fANATIC, yes123, WhizKiD, Volatility, ACiD BuRN, Eternal Bliss, R!SC, Kwazy Webbit, +Mammon, MisterE, Shadow, ^tCM^, WaJ, Borna Janes, Kathras, AB4DS(Death), douby, Steinowitz, Lord Soth, Latigo, Lucifer48, NeuRaL_NoiSE, Fravia+, Latigo, Duelist, Alpine, flag eRRatum, Nitrus, +Frog's Print, Muad`Dib, Iczelion, Razzia, Warezpup, Bomber Monkey, llama and other crackers, individuals and organisations who have helped me, either directly or indirectly.
Service for Mankind
ebp, byte ptr [eax+edx+00426264] 2.