Numega Smartcheck 5.0 Beginner's Guide

Target: Braga.exe - Braga's Little Crackme 1 in Visual Basic 5
Tools: Smartcheck 5. ftp search for smchk50.exe

While there are a few tutorials on Smartcheck at fravia.org, they didn't really help me to get started with SC. Hopefully this tutorial will help you in learning this fantastic tool. This tut is to help you figure out the basics, rather than just telling you how to complete Braga's crackme.

For those of you who are not familiar with SC and what it is, here's a description from the Main Help File:

SmartCheck is a run-time debugging tool that addresses the most problematic conditions encountered by Visual Basic developers:
· Fatal run-time errors that are cryptic and hard-to-solve
· Problems that result from a sequence of events
· Incorrect Windows API Usage from Visual Basic
· Bad values passed to built-in Visual Basic functions
· Problematic value coercions
· Errors in components, such as ActiveX controls, used by your program

Heh heh, well, not only can you use Smartcheck for finding errors in your Visual Basic programs, you can also use SC to find out exactly what somebody else's program is doing, whether it is written in Visual Basic or not. In fact, here's news for all you crackers out there that hate cracking VB5 apps: SC makes it FUN!!

OK, enough of the intro. After you have run the setup program (and found the required password using sice) start Smartcheck. In the File menu, select Open, and open braga.exe. Then, in the Program menu, select Settings. Change whatever you have to this: All the check boxes in the Error Detection tab should be checked. In Advanced, in the Error Detection tab, the first 4 checkboxes should be checked, the rest shouldn't be checked. Make sure 'Suppress API Calls' is NOT checked. In the Reporting tab, everything except 'Report mousemove events from OCX' should be checked.

Phew! OK, now, press the green 'play' button and let the fun begin.

Hopefully, a new window will be opened in SC, split into three sections. The bottom section we don't have to worry about, because we normally won't have the source code of our target programs. It should read: "No source file". In the section above that, on the left hand side, you should have many lines of function calls; clicking on one reveals more details in the right hand section. One of the function calls you should see, the first one on the list, is

    InitializeCriticalSection(PTR: xxxxxxxx)

If you look down at the very bottom right hand corner of the main SC window, you should see how many program events have occurred. I have 1360, from just loading braga.exe. In the View menu, select Show All Events. When you get to know SC more, you can experiment with the Specific Events (the Object Events is usually good for our needs).

OK, Braga's crackme should have loaded, so enter a dummy name and serial, and click Register. You will probably now have a dialog box saying "Keep Trying :)))". Well, let's see what Smartcheck has given us. Search for the first 4 characters of whatever name you entered (for me, I entered night_mastah[mgm], so I searched for nigh). The Program Results section should now be sitting at a

    __vbaVarMove(VARIANT:String:"night_m",VARIANT:Empty) returns DWORD:63F35C

Well, it doesn't exactly take a genius to figure out what's happening here. You can see your name has been taken and placed at mem location 63F35C or whatever. Follow the Program Results down, and it should really speak for itself. It gets your serial, and keeps it for later. It then finds the LENgth of your name, then finds the LEFTmost character; for me it was 'n'. It then finds the ASCII value for that letter, then changes this to HEX (6E). Then, the program finds the first 4 letters of your name, although I don't think what happens next is what Braga intended.
I think, by looking at the output from SC, he intended to find the ASCII value for the first 4 letters of your name, but all the program does is (again) find the ASCII value for the first letter. It then changes this to HEX as well.

Scrolling down further, you should come to the __vbaVarCat section, where the crackme works out the correct serial. Again, it's fairly easy to work out what's happening, but if it's not, let me explain:

1) It takes the hex value for the first letter of your name, then adds a '-'.
2) On the end of that, it adds the string 'Pt-Cracker', and another '-' (the string is now 'xx-Pt-Cracker-' where xx is the hex val etc.).
3) It then adds the HEX value again for the first letter of your name (although I don't think he meant that, maybe...): 'xx-Pt-Cracker-xx'
4) Then, another '-' is added to the string: 'xx-Pt-Cracker-xx-'
5) Finally, he adds 12345 to the string. The final string is: 'xx-Pt-Cracker-xx-12345'

Scroll down another few lines, and you will find

    __vbaVarTstEq(VARIANT:String:"111222333444555", VARIANT:String:"6E-Pt-Cracker-6E-12345")
                                  ^^^^^^^^^^^^^ or whatever you entered as your serial.

Again, no prizes for guessing what that's about.

If you favour patching the crackme, in Wdasm, the address you should start looking at is !0040239E (__vbaVarTstEq() location). To convert the address from SC to Wdasm, if the address has 000, change that to 004.

Hopefully this small tutorial has helped you figure out the basics of Smartcheck 5.0. If this tutorial has helped you, please repay the favour by saying "Hi" to me (night_mas) on #Cracking4newbies or #Magnum on EFnet.

See ya
night mastah
magnum 98
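
The serial string built in steps 1) to 5) and the __vbaVarTstEq line shown above, modelled in Python as an added example (not part of the original tutorial or of Braga's crackme). It shows why this check is weak: the expected value depends only on the first character of the name and sits in plain text in the trace. The function names, the sample line and the assumption of ASCII names are mine.

```python
import re

# Matches the comparison line SmartCheck shows for the crackme's final check.
VARTSTEQ = re.compile(
    r'__vbaVarTstEq\(VARIANT:String:"([^"]*)",\s*VARIANT:String:"([^"]*)"\)'
)


def expected_serial(name):
    """Rebuild the string from steps 1) to 5) of the tutorial."""
    if not name:
        raise ValueError("name must not be empty")
    # Assumption: ASCII name. VB's Hex() gives uppercase digits with no
    # padding, matching the 6E the tutorial shows for 'n'.
    hx = format(ord(name[0]), "X")
    # The hex value of the FIRST character is used twice, as the trace shows.
    return "-".join([hx, "Pt-Cracker", hx, "12345"])


def parse_compare(trace_line):
    """Return (entered, computed) from a __vbaVarTstEq line, else None."""
    m = VARTSTEQ.search(trace_line)
    return m.groups() if m else None


def distinct_serials(names):
    """Set of expected serials for a list of names (shows the collisions)."""
    return {expected_serial(n) for n in names}


# Constructed sample: the trace line in the form quoted in the tutorial.
SAMPLE = ('__vbaVarTstEq(VARIANT:String:"111222333444555", '
          'VARIANT:String:"6E-Pt-Cracker-6E-12345")')

if __name__ == "__main__":
    entered, computed = parse_compare(SAMPLE)
    print("entered :", entered)
    print("computed:", computed)
    print("model   :", expected_serial("night_mastah[mgm]"))
    # Every name starting with 'n' is checked against the same string.
    print(distinct_serials(["night_mastah[mgm]", "nobody", "n"]))
```

A check that survives this kind of tracing has to avoid building the full expected value in memory and comparing it as a plain string, and has to depend on more of the input than one byte.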