Reverse engineering Combat--acid Burn

Source: Internet
Author: User

0x00 Preamble

This is the second Crackme I have worked through, and it went noticeably better than the first: the whole process was smooth and a correct serial turned up within minutes. The goal, however, is not to find a serial but to recover how the serial is computed, which is described in detail below.

0x01 First Run

Before touching the debugger, run the Crackme once to see its obvious features and what has to be done:

Double-clicking the program brings up a message box; the first task is obviously to get rid of it. Continue running:

This program is more complex than the last one: there are two serial checks. Look at the left one first:


As expected, a random guess fails; there is a message box and a failure string, both obvious features to hook. Now the right one:

Again a failure, and again a message box.

0x02 Start Debugging

1. Clear goals
From the run above, we need to kill the first (nag) message box and then defeat the two serial checks. All three share the message box, so the first step is to intercept the message box function:
Right-click in the code area and select "Search for" > "All intermodular calls":

In the new window, find MessageBoxA, right-click it and select "Set breakpoint on every call to MessageBoxA":

This places a breakpoint on every call to the message box function; go back to the code area and run the program.

2. Caller
Press F9 to run until the MessageBoxA breakpoint. At this point the top of the stack shows the arguments of the first message box (the return address and the string pointers), so what we need is the function that calls the box function, the caller. Scroll up to the entry of the current function and set a breakpoint there:

Then reload the program with Ctrl+F2 and press F9 to run to the breakpoint just set at the entry:

Now the top of the stack holds the return address pushed when the caller executed its CALL instruction. Look up this address (42f79c) in the code area: click in the code area, press Ctrl+G and enter it:

This is the function, only a few lines of code. Now we disable it.

3. Remove the bullet frame
This function calls the message box. The idea is to stop it from ever calling the box, and the simplest way is to make the function return immediately, so change the first instruction at the function entry to RETN. (A bare RETN is only safe when the callee is not expected to pop its own stack arguments; for a stdcall function with arguments you would need RETN n with the right count, otherwise the stack is unbalanced on return.)
Click the instruction and press the SPACEBAR to assemble over it:

Now save the change to the file:
Right-click the instruction and select "Copy to executable" > "Selection":

In the new window, right-click and choose "Save file":

Then save:

Run the patched program: the first message box no longer appears.
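What OllyDbg's "Copy to executable" does behind the scenes is translate the virtual address you patched (here 0042F79C) into a file offset through the PE section table and write the new byte there. The following is an added example, not code from the write-up or from the crackme, that performs the same translation by hand and drops a 0xC3 (RETN) at the resulting offset. It assumes a 32-bit PE32 image, and because the real crackme is not available here it builds a constructed stand-in header (ImageBase 00400000, one .text section at RVA 2F000 backed by file offset 200) so that the demo runs offline; against the real file the offset would of course be whatever its own section table dictates.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of the original write-up or the crackme itself.
 * Maps a virtual address to a PE file offset via the section table and
 * patches the first byte of the function there to RETN (0xC3).
 * Assumption: PE32 (32-bit) image; the demo image below is constructed. */

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(unsigned char *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xFF; }

/* Map a virtual address to a file offset. Returns -1 if the headers are
 * malformed, va lies below ImageBase, or no section's raw data backs it. */
long pe_va_to_offset(const unsigned char *img, size_t len, uint32_t va)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);                       /* e_lfanew */
    if ((size_t)pe + 24 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const unsigned char *coff = img + pe + 4;             /* COFF file header */
    uint16_t nsec = rd16(coff + 2);                       /* NumberOfSections */
    uint16_t optsz = rd16(coff + 16);                     /* SizeOfOptionalHeader */
    const unsigned char *opt = coff + 20;
    if (optsz < 0x20 || (size_t)(opt - img) + optsz > len) return -1;
    if (rd16(opt) != 0x10B) return -1;                    /* Magic: PE32 only */
    uint32_t image_base = rd32(opt + 0x1C);
    if (va < image_base) return -1;
    uint32_t rva = va - image_base;
    const unsigned char *sec = opt + optsz;               /* first section header */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if ((size_t)(sec - img) + 40 > len) return -1;
        uint32_t vaddr  = rd32(sec + 12);                 /* VirtualAddress */
        uint32_t rawsz  = rd32(sec + 16);                 /* SizeOfRawData */
        uint32_t rawptr = rd32(sec + 20);                 /* PointerToRawData */
        if (rva >= vaddr && rva - vaddr < rawsz) {
            uint32_t off = rawptr + (rva - vaddr);
            return off < len ? (long)off : -1;
        }
    }
    return -1;
}

/* Overwrite the first byte of the function at va with RETN (0xC3).
 * Returns the patched file offset, or -1 if va could not be mapped. */
long pe_patch_retn(unsigned char *img, size_t len, uint32_t va)
{
    long off = pe_va_to_offset(img, len, va);
    if (off < 0) return -1;
    img[off] = 0xC3;
    return off;
}

/* Constructed minimal PE32 image (NOT the real crackme): ImageBase 00400000
 * and one .text section at RVA 2F000 backed by file offset 200, so that
 * VA 0042F79C lands at file offset 0x99C. */
size_t build_demo_image(unsigned char *img, size_t cap)
{
    const size_t len = 0x1200;
    if (cap < len) return 0;
    memset(img, 0, len);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x80);                    /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img + 0x84, 0x14C);                   /* Machine: i386 */
    wr16(img + 0x86, 1);                       /* NumberOfSections */
    wr16(img + 0x94, 0xE0);                    /* SizeOfOptionalHeader */
    wr16(img + 0x98, 0x10B);                   /* Magic: PE32 */
    wr32(img + 0x98 + 0x1C, 0x00400000);       /* ImageBase */
    memcpy(img + 0x178, ".text", 5);           /* section header #1 */
    wr32(img + 0x178 + 8, 0x1000);             /* VirtualSize */
    wr32(img + 0x178 + 12, 0x2F000);           /* VirtualAddress */
    wr32(img + 0x178 + 16, 0x1000);            /* SizeOfRawData */
    wr32(img + 0x178 + 20, 0x200);             /* PointerToRawData */
    img[0x99C] = 0x55;                         /* PUSH EBP, a typical first byte */
    return len;
}

int main(void)
{
    static unsigned char img[0x1200];
    size_t len = build_demo_image(img, sizeof img);
    long off = pe_patch_retn(img, len, 0x0042F79C);
    if (off < 0) { puts("could not map VA"); return 1; }
    printf("VA 0042F79C -> file offset 0x%lX, byte now 0x%02X\n", off, img[off]);
    return 0;
}
```

To use it on a real file, read the executable into a buffer, call pe_patch_retn with the address OllyDbg showed you, and write the buffer back; the function refuses addresses that fall outside any section's raw data, which is the usual way such a hand patch goes wrong (for example when the address is in uninitialised .bss or the headers are not PE32).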

4. Crack right Serial
Next, the serial on the right: enter any string and click the button:
The program stops at the entry of the message box function:

The value at the top of the stack is the return address into the parent function:

Search for this address (42f509) in the code area:

Found it: there is a conditional check, and a string comparison function is clearly being called. Set a breakpoint on it, press F9 to run to the end, and click the button again:

The program stops at the breakpoint; in the stack area the strings are visible among the function's arguments:

This one is really easy: the serial is a fixed string, Hello dude!

5. Crack left Serial
Continue running, go to the left side, enter any string and click the button:
Find the caller's return address the same way as before: 42fb37

Locate it in the code area:

Find the string comparison function, set a breakpoint on it, and look at the stack area:

Then scroll up in the code area:

We can infer that the serial is "CW-" + a number + "-CRACKED"; the number in the middle is what we need to find.

6. The real goal
Set a breakpoint at the entry of the serial-checking function, click the button again, run to the breakpoint and then single-step with F8:

Two pieces of arithmetic are found in the middle:

EAX = name[0]*7 + name[1]*0x10
EAX = name[3]*0xB + name[2]*0xE

Continue stepping down and another piece of code appears:

Below the function entry is a less obvious piece of code:

Combining the two gives:

EAX = name[0]*0x29*2

Further on, EAX is loaded from that same memory cell just before the string output function is called:

So the third piece of code is the one that produces the result we want, and that is what we verify next.

0x03 Double Check

1. Quick and dirty C
The code is as follows:

#include <stdio.h>

int main(void)
{
    char name[1024];
    printf("Input your name: ");
    /* width limit keeps scanf inside the 1024-byte buffer */
    if (scanf("%1023s", name) != 1)
        return 1;
    /* reproduces only the arithmetic; the crackme itself also rejects
     * names shorter than 4 characters */
    printf("Serial: CW-%d-CRACKED\n", name[0] * 0x29 * 2);
    return 0;
}

Result of running it:

2. Testing against the original program

0x04 Summary

The left-hand serial of this small program depends only on the first character of the name, and the name must be at least 4 characters long.
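The two checks recovered above (the fixed string from step 4, and the arithmetic from step 6 that the C test in 0x03 reproduces), reimplemented as an added example rather than the crackme's own code. It turns both into functions a test can call, and, unlike the quick C test, enforces the length rule from the summary. The constants and the "CW-%d-CRACKED" format are the page's; the function names, the 64-byte buffers and the assumption that the first character is plain ASCII are mine.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the crackme's own code. Reimplements both checks seen
 * in the debugger as testable functions. Assumption: the first character of
 * the name is plain ASCII (the page's own test used a signed char, which is
 * identical for ASCII). */

#define SERIAL_ONLY "Hello dude!"   /* right-hand check: fixed string */
#define MIN_NAME_LEN 4              /* left-hand check: shorter names are rejected */

/* Generate the serial for name into out. Returns the serial length, or -1
 * when the name is too short or out is too small. */
int acidburn_keygen(const char *name, char *out, size_t outsz)
{
    if (name == NULL || strlen(name) < MIN_NAME_LEN) return -1;
    /* Only the first character feeds the arithmetic; the two other
     * expressions seen while stepping never reach the output. */
    int n = (int)(unsigned char)name[0] * 0x29 * 2;
    int w = snprintf(out, outsz, "CW-%d-CRACKED", n);
    return (w < 0 || (size_t)w >= outsz) ? -1 : w;
}

/* Left-hand (name + serial) check: 1 if the pair is accepted. */
int acidburn_check_name_serial(const char *name, const char *serial)
{
    char expect[64];
    if (serial == NULL || acidburn_keygen(name, expect, sizeof expect) < 0) return 0;
    return strcmp(expect, serial) == 0;
}

/* Right-hand (serial only) check: 1 if accepted. */
int acidburn_check_serial_only(const char *serial)
{
    return serial != NULL && strcmp(serial, SERIAL_ONLY) == 0;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "test";   /* constructed default input */
    char serial[64];
    if (acidburn_keygen(name, serial, sizeof serial) < 0) {
        fprintf(stderr, "name must be at least %d characters\n", MIN_NAME_LEN);
        return 1;
    }
    printf("Name:   %s\nSerial: %s\nvalid:  %d\n", name, serial,
           acidburn_check_name_serial(name, serial));
    return 0;
}
```

Because only name[0] matters, any two names with the same first character share a serial; the check function makes that visible, and the length test is the edge case the quick C test in 0x03 skips.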
