MiZ Crackme 2

What are the protections ?

there are 2 protections in this crackme :

1)anti Smart check
2)Serial

1)how to defeat anti smart check protection ?

the anti smartcheck protection is placed at the start of the crackme
and when the crackme is ran, it check smart check with a timer !
After i see with soft-ice that the smart check protection was based
on the check of "NMSCWM50" string which is the ID of the SmartCheck
window i have looked at the Crackme with an hexeditor for this string
and i found them.but if you look at NMSCWM50 you will not found this
because it is a vb program so :
w.i.d.e. .c.h.a.r.a.c.t.e.r. .f.o.r.m.a.t
look at 4E004D00530043004D005700350030 in hex (who it is the string in hex
with the wide format.(00 between caracteres))
Cool! you find it ! overwritte all this by 0's for exemple and save.
Now the smart check protection eliminated !
we can run smartcheck on it !!

2)Find the serial !

Run smart check on the proggy , and enter a serial like 123456
and press check.now, click on exit.
you will go in the SC window , and you will see timer and after:

label3_Click
but there is nothing good here...
but when i have seen getvolumeinforamtionA i thought that the serial is
maybe PC dependant ! we will see that later ..

we will try to find it with Sice because there is nothing good with SC!
in vb proggy, the bpx __vbastrcomp is use often , so we will try it !
ctrl + D and type bpx __vbastrcomp. F5 to back at the proggy and type 123456
as serial.
click on check and we are in Sice cool !!!
you have to press F12 for go in the __vbastrcomp function !
you must see esp in color , it is good !
now type dd esp (to display memory at esp)
you will see : aaaaaaaa bbbbbbbb cccccccc dddddddd

try to do d aaaaaaaa , and you won't have interesting things in the
data window.
so , try d bbbbbbbb , and you will obtain for in data window: a phrase that
is not the serial , and you will see __vbar8str.
hey !! it is a break points ? lets try it !!
ctrl+D and type bc * for kill all bpx.
type __vbar8str and press F5.
enter 123456 as serial and press on check !
cool we are in softice !!!
now press WF for look at floating point stack window.
you see : ST0 empty ST4 empty
ST1 empty ST5 empty
ST2 empty ST6 empty
ST3 empty ST7 empty

start to trace with F12 for go in the __vbaR8str function !
we must see: ST0 123456 !!
cool , continue with F10 and ST0 become : 892935893 !!! <== what is this ?
lets try it !! bd * for disable all bpx and enter this number !
And the message box appears : Mail the solution to : ...
Cool crackme Cracked !!!

But wait , we see in smart check that it was maybe PC dependant with
getvolumeinforamtionA !!
Ok, i will try this number on my second computer and it doesn't work !!!
i was Ok !! the number depend of the machine !!
so this number will not work on yours , try to find it , it is a good way to see
if you understand all this !!!
Have fun and happy cracking !

I hope you understand all in this essay
iif you have a problem you can mail me at : [email protected]

have fun and happy cracking !

ACiD BuRN [ReFleXZ'99]