Kstar: Using SmartCheck on a VB program, a restart-verification cracking example

Source: Internet
Author: User

Text/figures: tree
As we all know, VB is an interpreted language: the programs it generates are translated and then executed. In earlier versions, because of the language interpreter, debugging tools such as OllyDbg jump around constantly when tracing a VB program, which makes you dizzy; this is because you are stepping through the interpreter's own code, and it is quite hard to understand what is going on in there. A VB6 program, however, is no longer simply interpreted; most of its content is replaced by compiled code. Even so, it is still not as intuitive as disassembling a VC or Delphi program: a bunch of parameters you cannot understand are pushed, procedures whose meaning is unknown are called, and errors or hangs may occur. Following it in OD is just not convenient! So what should we do? For Native Code programs (P-code is an encapsulated intermediate pseudo-code; Native Code, by contrast, is the ordinary compiled code that does not use P-code; this article does not cover P-code) we can use SmartCheck to deal with it easily.
The target of this article is a website information collection tool. Checking it with PEiD shows "Microsoft Visual Basic 5.0/6.0", which indicates that the software is written in VB5 or later and is not packed. That saves us the trouble of unpacking. Now on to the practical section.
Tool Configuration
Before starting the analysis we need to configure SmartCheck (SC). This step is very important; otherwise some key events may not be captured. Run SC, load the software to be analysed, click "Program -> Settings" on the toolbar, and configure the settings as shown in Figure 1 and Figure 2. The defaults can be kept for everything else.
Figure 1
Figure 2
Preliminary analysis
After the settings are complete, press F5 to run the software. The first thing displayed is a window asking for a registration code. Here we can enter something arbitrary such as "1212121212"; after clicking "Register", the program quits without any message. It looks like restart-verification software. Now look at the SC interface: the analysis has been terminated because the program exited (otherwise we would have to stop the analysis ourselves). At first glance there seems to be a lot of stuff, but anyone who has written a VB program should not find it unfamiliar, and even someone who does not know VB will soon work out what it means. The specific events are listed from software startup until the exit after entering the registration code. In Figure 3, click through them one by one in the left-hand pane. (If you cannot see this interface, maximize the "Program Results" window, because the column is at the edge.)
Figure 3
Well, I found the serial number displayed in the registration window just now (this is equivalent to a machine code and may differ on different computers). This is presumably the process that calculates the serial number, but we do not need to worry about it; keep looking further down. Expand the Click event of the register button. If we find the registration code we entered there, then there is no doubt that this button event holds the registration code algorithm, and the key part is located here. All the way down there are a lot of VB function calls, followed by a serial number, and at the end of the process there is a string of digits "2658271038273406817399346741", as shown in Figure 4.
Figure 4
Is this the registration code? Let's try again: press F5, enter this string of digits, register, and exit. Run it once more (don't forget that this is restart-verification software: even with the correct registration code you have to run the program a second time to know whether registration succeeded). Er, it seems wrong; the hateful registration window is still there. So what exactly does this string of digits mean?
Detailed analysis
So far we have only been looking at the analysis results of specific events. That is the quicker way to find a plaintext code, but when there is no plaintext comparison we have to track the process slowly. So enter the digit string above again; after registering and exiting, select "View -> Show All Events" on the toolbar. A lot of things come out here; among them is the comparison statement corresponding to the string in Figure 4, as shown in Figure 5.
Figure 5
The comparison between the two strings seems to be the key here. We have just learned that the 28-digit number of String2 is incorrect. In general, a comparison statement checks whether the two operands are equal, so if String1 = String2 the registration succeeds, and the first step is to figure out where String2 comes from. Some readers may ask: why can't String1 "15185818151511" in Figure 5 be the registration code? Don't forget that we entered two different fake registration codes and the same String2 was displayed both times, so String2 is relatively fixed, while String1 changes every time; evidently String1 depends on the registration code we entered. So String1 is not the registration code, and the key question is how the fake code we entered is converted into String1 (with String1 = String2 meaning registration succeeds)!
Scroll the register button's Click event to the top and read it line by line, as shown in Figure 6. This is the detailed analysis, so if you are not familiar with the VB functions you had better use a search engine to look up what each one does. SC shows a great many events here; to save space I will only pick out the key points and leave the rest, which you will understand easily by yourself.

In the Click event, space is allocated to form a character array, which we will call T. Its contents are {C, A, J, K, E, 3, U, V, 4, q, X, 7, S, H, Y, P, 5, M, F, W}. The first three characters of the fake registration code we entered are then discarded, and the remaining characters are compared one by one with the characters in the T array. Whenever a character matches, the index number of that array element is emitted. For example, if the entered registration code were xxxCAJKE, the string "01234" would be generated here. The fake code "2658271038273406817399346741" we entered is converted by this computation to "11511581558118"; let's call this S1. Strange: why is it different from String1 in Figure 5? Look further down: oh, it turns out that S1 is split into two segments by parity of position, the even segment is reversed, and the two segments are then joined to form String1. OK, that is half of the key worked out. Next we only need to figure out where String2 "2658271038273406817399346741" comes from, and then work backwards to obtain the registration code. After reading through the String1 generation process (long, be patient), the serial number finally appears, as shown in Figure 7.
Figure 6
