VBReFormer has become an advanced decompiler for Visual Basic applications. In search of challenging crackmes for educational decompiling examples, I turned to Crackmes.de, which boasts a vast array of crackme applications.

I selected “Step 2” by yudi for my first crackme-solving demonstration using VBReFormer Professional. This guide will illustrate the straightforward process of deciphering yudi’s Step 2.

Running the Application:
Running yudi’s Step 2 reveals that a serial is generated based on the user’s name.
yudi’s Step 2 (CrackMe)

How is the Serial Generated?
To understand the serial generation process, we proceed to the next step.

Opening Step 2.exe with VBReFormer Professional, we get:
VBReFormer VB Decompiler Screenshot

Our focus shifts to the first method loaded in the Visual Basic application:
VBReFormer VB Decompiler Screenshot

This screenshot shows that Label4 is set to invisible at the start.

A glance at this control in VBReFormer’s resource editor confirms it displays the Registered user! message.
VBReFormer VB Decompiler Screenshot

The next task is to find out when Label4 becomes visible and to understand the function of Timer1.

While Timer1 analysis provides insights, it’s not pivotal for this tutorial.
VBReFormer VB Decompiler Screenshot

We discover Timer1_Timer is activated every second by Timer1 to detect and close debuggers and MessageBox windows.

Our interest now lies in the code behind the Try button, which is represented by the Command1 button in VBReFormer:
VBReFormer VB Decompiler Screenshot

A look at the Command1_Click() function reveals the key verification algorithm:
VBReFormer VB Decompiler Screenshot VBReFormer VB Decompiler Screenshot

Although complex for beginners, the algorithm is error-free and fully functional, courtesy of VBReFormer.

Set var_pv2 = Me.Text1()
var_pv3 = var_pv2.Text()
var_pv10 = (var_pv3)
var_pv11 = (Date$) & (" ")
var_pv12 = (var_pv11) & (Time$)
var_pv13 = (var_pv12)

This part of the code shows the key is generated from the Name, Date, and Time, making permanent key generation almost impossible.

To create a key generator, save the project with VBReFormer and open it in Visual Basic 6. Inside the IDE, exclude the debugger-monitoring functions, keeping:

Omit the following alert block from the Command1_Click function for simplicity:

If (var_num8) Then
    var_pv6 = ("Hey")
    var_pv7 = ("need something")
    var_pv9 = MsgBox(var_pv7, 4160, var_pv6)
End If

Focus on the serial check condition at the end of Command1_Click:

Set var_pv2 = Me.Text2()
var_pv3 = var_pv2.Text()
var_pv21 = (var_pv3)
var_pv22 = ((var_pv19 Like var_pv21))
If (((var_pv22) = (True))) Then
    Set var_pv2 = Me.Label4()
    var_pv2.Visible() = True
End If

This condition checks if the generated serial (var_pv19) matches the input in the Serial field (Text2.Text).

To display the generated serial, replace the check condition with this line:
VBReFormer VB Decompiler Screenshot

Also, remove the code clearing both fields:

Set var_pv2 = Me.Text1()
var_pv2.Text() = ""
Set var_pv2 = Me.Text2()
var_pv2.Text() = ""
Set var_pv2 = Me.Text1()

Post-modifications, the keygen code simplifies to:

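Private Sub Command1_Click()
    ' var_pv10 = name typed by the user, var_pv13 = "mm-dd-yyyy hh:mm:ss"
    var_pv10 = Text1.Text
    var_pv13 = Date$ & " " & Time$
    ' Walk the timestamp; only its digit characters contribute to the serial
    For var_pv14 = 1 To Len(var_pv13) Step 1
        If IsNumeric(Mid$(var_pv13, CLng(var_pv14), 1)) Then
            var_pv15 = Asc(Mid$(var_pv13, CLng(var_pv14), 1))
            ' While the position is still inside the name, var_pv16 becomes the
            ' last decimal digit of that name character's code; past the end of
            ' the name, the previous value is reused
            If var_pv14 <= Len(var_pv10) Then
                var_pv16 = Str(Asc(Mid$(var_pv10, CLng(var_pv14), 1)))
                var_pv16 = Right$(var_pv16, 1)
                var_pv16 = Val(var_pv16)
            End If
            ' Each timestamp digit produces two output characters
            var_pv18 = var_pv18 & Chr$(CLng(var_pv15 + 17 + var_pv16))
            var_pv18 = var_pv18 & Chr$(CLng(var_pv15 + 17 + var_pv16 * 2))
        End If
    Next var_pv14

    ' Keep the first 24 characters, as six groups of four followed by "-"
    For var_pv14 = 1 To 24 Step 4
        var_pv19 = var_pv19 & Mid$(var_pv18, CLng(var_pv14), 4) & "-"
    Next var_pv14

    ' Drop the trailing "-" and show the serial
    var_pv20 = Len(var_pv19) - 1
    var_pv19 = Mid$(var_pv19, 1, var_pv20)
    Text2.Text = var_pv19
End Sub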

Testing Our Keygen:
Our KeyGen window is shown alongside the original Crackme, validating the KeyGen’s effectiveness.
VBReFormer VB Decompiler Screenshot

It’s important to note that the key’s validity is limited to 1 minute post-generation due to the inclusion of date and time.

Bypassing the Limitation:
Indeed, bypassing this constraint is possible. The check uses the Like operator for string comparison, with the Serial field as its right-hand operand, so whatever is typed there is treated as a pattern rather than a literal string.

By entering * in the serial field, you get a universally valid key, irrespective of the name used:
VBReFormer VB Decompiler Screenshot
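
Added example (not from the original post or the crackme): a Python port of the simplified Command1_Click above, plus a reduced model of VB6's Like. It shows that the seconds never reach the serial and that * passes the shipped check while an exact comparison rejects it. The function names are hypothetical; it assumes an ASCII name and a timestamp in the Date$ & " " & Time$ layout mm-dd-yyyy hh:mm:ss.

```python
import re

def step2_serial(name: str, stamp: str) -> str:
    """Port of the simplified Command1_Click; stamp = Date$ & " " & Time$."""
    out, k = [], 0                      # k mirrors var_pv16 (starts at 0)
    for i, ch in enumerate(stamp):
        if ch not in "0123456789":      # IsNumeric() on one character
            continue
        if i < len(name):               # var_pv14 <= Len(var_pv10)
            k = ord(name[i]) % 10       # last decimal digit of Asc(char)
        base = ord(ch) + 17             # "0".."9" -> "A".."J"
        out.append(chr(base + k) + chr(base + 2 * k))
    joined = "".join(out)
    # Only the first 24 characters (12 digits: date, hour, minute) are kept,
    # so the seconds never influence the result.
    return "-".join(joined[j:j + 4] for j in range(0, 24, 4))

def vb_like(text: str, pattern: str) -> bool:
    """Reduced model of VB6 Like: handles *, ? and # only (no [charlist])."""
    tokens = {"*": ".*", "?": ".", "#": "[0-9]"}
    rx = "".join(tokens.get(c, re.escape(c)) for c in pattern)
    return re.fullmatch(rx, text, re.DOTALL) is not None

def check_as_shipped(generated: str, typed: str) -> bool:
    # Same operand order as var_pv19 Like var_pv21: the typed text is the pattern.
    return vb_like(generated, typed)

def check_hardened(generated: str, typed: str) -> bool:
    # Exact comparison (in VB6: StrComp(a, b, vbBinaryCompare) = 0).
    return generated == typed

if __name__ == "__main__":
    # Constructed sample input, not taken from the page.
    serial = step2_serial("yudi", "01-15-2024 10:30:45")
    print(serial)
    for typed in (serial, "*", "AAAA-AAAA-AAAA-AAAA-AAAA-AAAA"):
        print(repr(typed), check_as_shipped(serial, typed), check_hardened(serial, typed))
```

The fix is to compare the two strings exactly. If Like must be kept, the computed serial, not the user's text, belongs on the pattern side.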

Download the key generator’s source code here:
Download Key Generator

Dive in and enhance your understanding!