PluckIt 3.0 A visual Basic Program

Defeated by Numegas Smartcheck

By Indian_trail


Well, we are now leaving the beginner phase and moving on to the next level. We have learned the basics of assembly language and softice, We are at this time able to crack simple protection and it's time to study more complicated protections. We will however start with a very simple target with a very extremely easy protedtion scheme, but the approach needed to defeat it is very new < SmartChecker >. Fetch it from Numegas site. If you wanna know more about this wonderful tool, read the essays at fravia. If you wanna crack it: just choose purchase and fill in the boxes and put a BPX Lstrcmp(a) I don't remeber exactly wich Lstrcmp API function it used but you'll have no problems cracking it. And if you are having trouble cracking it, read the essay at fravia.

I will not include alot of code in the intermediate essay's, only the important code. This is because you should by now be able to locate and navigate inside applications with Winice without any problems. The purpose is with these essay's to show you how to think & feel when you crack. Ok here we go:

Tools used:

W32Dasm
Smartcheck

Intro: A friend of mine asked me to crack this program. It a newsscanner that downloads pictures from newsgroups, probably written for porno lusers. Anyway I didn't know that Pluckit was writen in Visual Basic. So this is my first attempt at a visual basic program.

I never liked Visual Basic or delphy, I don't see the point in using a language that produce bad code, the obvious would be to try to write as small and effient programs as possible and to do that as you all know you'll have to write some routines in pure assembler. Anyway I don't mind people using Visual Basic as an intructionary language to computer programming. Most of us learned basic as a start on the first home computers (ZX81, SinCalir Spectrum 48k, Vic-20 and commodre 64 etc). But, programs that are written in toy languages should be free for all people.

Applications that are slow and filled with buggs should not be comercial, it should be freeware. Unfortunatley the author of this lame crap has another idea about this. On startup there is an ugly nagscreen with some text inside it and an "ok_ button" and a "cancel_button". After the nagscreen is a register screen where you can input a serialnumber, if you don't have a serial# you'll only be to download 15 files. We will focus on the serial#.

Step I loading it through smartcheck.


Load it in Smartchecker and execute it.
On startup you'll get two 'invalid arguments' errors, like I said filled with bugs. Proceed to the registration screen and type in any number. In smartcheck choose view "specific events.. " so you can easily navigate and find what you are looking for.

After the "invalid..." dialoguebox appears, terminate Pluckit3 and go to smartcheck and look around. At sequence# 16745 you'll see your false serial number. Now what follows is:

16752	Trim (variant: string"false#")	4d4260
16763	Val (string"false": 	
	| 
	|
16931	msgbox
-----

Now it's time to choose view "All events". I reached this point after 3 seconds, and What you'll see now is the protection scheme. The last things that are done before the messagebox as you'll see (if you chosen view all events) is :

16926	__VbaVarOr()		
16927	__VbaBoolVarNull()	Return dword FFFFF
16928	_vbaVarDup(VARIANT: string "invalid", Variant boolean false)
----

This looks very strange, no manipulations at all so far execpt from the basic ones ie calculate length of string and so on. I don't know what __vbaVrOr or __vbaBoolVarNull does exactly but judging from their names they must check something from beeing either true or false. That was what I thought when I first glanced at it. But what could it be? It could be three things:

  1. A letter
  2. A char ie % or whatever
  3. both of them

So start all over again and this time enter your name as registration#. Remeber to choose view "specific events and errors" if you want to skip alot of unimportant "code".

There are some significant changes, first obvious one is we passed the __vbaBoolVarNull and second the sequence numbers has shrinked !!? The messagebox is now at sequence# 14764. But what's more interesting is the lines above 14764. From 14731 ---> 14758 are a bunch of Integer(#)-->Long(#) where # is starting from 0 and ending at 9. View all events and you'll see that under each Integer(#) there is a a different number that is tested against a variable called double:0. The values that are tested against double:0 are:
55276
39824
68684
75268
12367
59826
48927
65826
34096
15824

This means that double:0 should have a value equal to one of these numbers and the registration code must contain a letter for us to pass __vbaBoolVarNull(). We also know that double:0 is zero when we only entered letters. So the registration code must have some numbers and a leter

step II


Start again (I know this begins to be boring but we are almost finished). This time we must use systematical inputs. Lets begin with 123A and see what happens what value is given to double:0. Hmmn we didn't pass the __vbaBoolVarNull() function with 123A. Well my experience in registration codes tells me that the letter may be a separator of two numbers. Lets try 123A123.

Great (balls of fire) we passed the evil __vbaBoolVarNull(), lets find out if double:0 has a value. Just click on one of the __vbaVarTestEq at sequence# 14909 for example wich is the first one. As you'll see double:0 has the value of 15129 and is therefore called double:15129 instead of double:0. How did it get that value?

14347 __vbaVarMull(variant:double:123, variant:double:123) returns dword 6FF714


Well 123*123=15129 and thats where double:15129 got it's value from. So the form of the regisration code is #####X#####=Y where # is a number and X is a letter and Y any of the valid numbers that our double:15129 is tested against. Lets pic one of the valid numbers and use them in our code like this:

55276A1000=55276000



Since the programmers is assumed to be a moron or ten years old, he probably only checks the five first numbers but hey, should he check all numbers we still have the equation so it really easy to solve it. But lets first try the above to see how dumb the programmer is.

Could you beleive that it worked what a moron to programmer.

Numega deserves all credits for smartcheck, this is truly an amazing tool. Thats it for now.

Indian_Trail (Saddle all the horses far on the Indian Trail, 'til it's time to change the key and jump to a different scale...a boogie woogie on the run)

Afterburner

As you saw the protection scheme was very easy and cracking it as well. Yet should you have used only Softice you wouldn't have gotten very far. Infact there's a million of compares all the time inside the code wich deals with our input wich makes it very hard to keep track of everything that has been made. Of course you could do it and write down every copy and manipulation but it would NOT be as easy as it was with Smartchecker . Please try it and you'll see. Hope you enjoyed the first steps towards intermediate. 1