160 x Crackme 028 cosh.2

Source: Internet
Author: User

First, check for a packer with PEiD:

No packer; the program performs a code check:

An error string appears; search the referenced text strings in OllyDbg (OD) and follow it:

Find the corresponding branch structure in OD:

Set a breakpoint at the head of the function above, single-step through it, and analyze the code. It is simple, so the details are skipped. It turns out there is no actual algorithm: the serial is hard-coded, and converting the hexadecimal values to ASCII gives it.

    004014CA  56               push esi
    004014CB  8BF1             mov esi,ecx
    004014CD  57               push edi
    004014CE  8DBE A0000000    lea edi,dword ptr ds:[esi+0xa0]
    004014D4  8BCF             mov ecx,edi
    004014D6  E8 6F030000      call <jmp.&MFC42.#3876>
    004014DB  8B1D FC214000    mov ebx,dword ptr ds:[<&USER32.PostQuitMessage>] ; USER32.PostQuitMessage
    004014E1  83F8 05          cmp eax,0x5                      ; get the length of the name string and check whether it is greater than 5
    004014E4  7E 50            jle short cosh_2.00401536        ; string length is less than or equal to 5: error
    004014E6  8D6E 60          lea ebp,dword ptr ds:[esi+0x60]
    004014E9  8BCD             mov ecx,ebp
    004014EB  E8 5A030000      call <jmp.&MFC42.#3876>          ; get the length of the serial string
    004014F0  83F8 05          cmp eax,0x5                      ; check whether it is greater than 5
    004014F3  7E 41            jle short cosh_2.00401536        ; string length is less than or equal to 5: error
    004014F5  8D86 E0000000    lea eax,dword ptr ds:[esi+0xe0]
    004014FB  8BCF             mov ecx,edi
    004014FD  50               push eax
    004014FE  E8 41030000      call <jmp.&MFC42.#3874>
    00401503  8DBE E4000000    lea edi,dword ptr ds:[esi+0xe4]
    00401509  8BCD             mov ecx,ebp
    0040150B  57               push edi
    0040150C  E8 33030000      call <jmp.&MFC42.#3874>
    00401511  8B07             mov eax,dword ptr ds:[edi]
    00401513  8038 36          cmp byte ptr ds:[eax],0x36       ; first character of the serial is compared with 0x36
    00401516  75 1E            jnz short cosh_2.00401536
    00401518  8078 01 32       cmp byte ptr ds:[eax+0x1],0x32   ; second character of the serial is compared with 0x32
    0040151C  75 18            jnz short cosh_2.00401536
    0040151E  8078 02 38       cmp byte ptr ds:[eax+0x2],0x38   ; third character of the serial is compared with 0x38
    00401522  75 12            jnz short cosh_2.00401536
    00401524  8078 03 37       cmp byte ptr ds:[eax+0x3],0x37   ; fourth character of the serial is compared with 0x37
    00401528  75 0C            jnz short cosh_2.00401536
    0040152A  8078 04 2D       cmp byte ptr ds:[eax+0x4],0x2d   ; fifth character of the serial is compared with 0x2d
    0040152E  75 06            jnz short cosh_2.00401536
    00401530  8078 05 41       cmp byte ptr ds:[eax+0x5],0x41   ; sixth character of the serial is compared with 0x41
    00401534  74 17            je short cosh_2.0040154d
    00401536  6A 00            push 0x0
    00401538  68 64304000      push cosh_2.00403064             ; ASCII "ERROR"
    0040153D  68 38304000      push cosh_2.00403038             ; ASCII "One of the Details you entered is wrong"
    00401542  8BCE             mov ecx,esi
    00401544  E8 F5020000      call <jmp.&MFC42.#4224>
    00401549  6A 00            push 0x0
    0040154B  FFD3             call ebx                         ; USER32.PostQuitMessage
    0040154D  8D8E E0000000    lea ecx,dword ptr ds:[esi+0xe0]
    00401553  8D5424 14        lea edx,dword ptr ss:[esp+0x14]
    00401557  51               push ecx
    00401558  68 2C304000      push cosh_2.0040302c             ; ASCII "Well-done,"
    0040155D  52               push edx
    0040155E  E8 D5020000      call <jmp.&MFC42.#926>

Check the serial:
6287-A
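The hex-to-ASCII step, as an added example that is not code from the original write-up: the bytes below are the compare chain at 00401513 to 00401534, hand-assembled here from the listing's instructions, and `recover_compared_bytes` and `crackme_accepts` are names chosen for this illustration. It reads the immediates back out of the code and models the check as far as the listing shows it, which makes clear that the name never influences the result.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Constructed sample: the compare chain at 00401513..00401534,
// hand-assembled from the instructions in the listing.
static const std::vector<uint8_t> kCompareChain = {
    0x80, 0x38, 0x36, 0x75, 0x1E,        // cmp byte [eax],0x36   / jnz
    0x80, 0x78, 0x01, 0x32, 0x75, 0x18,  // cmp byte [eax+1],0x32 / jnz
    0x80, 0x78, 0x02, 0x38, 0x75, 0x12,  // cmp byte [eax+2],0x38 / jnz
    0x80, 0x78, 0x03, 0x37, 0x75, 0x0C,  // cmp byte [eax+3],0x37 / jnz
    0x80, 0x78, 0x04, 0x2D, 0x75, 0x06,  // cmp byte [eax+4],0x2d / jnz
    0x80, 0x78, 0x05, 0x41, 0x74, 0x17,  // cmp byte [eax+5],0x41 / je
};

// Pattern decoder, not a general disassembler. It understands only
//   80 38 ii     cmp byte ptr [eax],imm8
//   80 78 dd ii  cmp byte ptr [eax+disp8],imm8
//   7x rr        short conditional jump (skipped)
// and stops at the first sequence it does not recognise.
std::string recover_compared_bytes(const std::vector<uint8_t>& code) {
    std::string out;
    std::size_t i = 0;
    while (i < code.size()) {
        std::size_t offset;
        uint8_t imm;
        if (i + 2 < code.size() && code[i] == 0x80 && code[i + 1] == 0x38) {
            offset = 0; imm = code[i + 2]; i += 3;
        } else if (i + 3 < code.size() && code[i] == 0x80 && code[i + 1] == 0x78) {
            offset = code[i + 2]; imm = code[i + 3]; i += 4;
        } else if (i + 1 < code.size() && (code[i] & 0xF0) == 0x70) {
            i += 2; continue;
        } else {
            break;
        }
        if (out.size() <= offset) out.resize(offset + 1, '?');
        out[offset] = static_cast<char>(imm);  // place byte at its string index
    }
    return out;
}

// Model of the visible check: both strings longer than five characters,
// first six serial bytes fixed, name otherwise unused.
bool crackme_accepts(const std::string& name, const std::string& serial) {
    return name.size() > 5 && serial.size() > 5 &&
           serial.compare(0, 6, recover_compared_bytes(kCompareChain)) == 0;
}

int main() { std::cout << recover_compared_bytes(kCompareChain) << '\n'; }
```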

Finally, write a keygen that follows the program's flow.
C++:

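    #include <iostream>
    #include <string>
    using namespace std;

    int main()
    {
        // The six bytes the crackme compares against: "6287-A"
        const char serial_true[] = {0x36, 0x32, 0x38, 0x37, 0x2D, 0x41};
        string name;          // std::string avoids overflowing a fixed-size buffer
        string serial_false;

        cout << "Please input your name:" << endl;
        cin >> name;
        cout << "Please input your serial:" << endl;
        cin >> serial_false;

        // Same length checks as the crackme: both must be longer than 5
        if (name.size() <= 5 || serial_false.size() <= 5)
        {
            cout << "Error!" << endl;
            return 0;
        }
        else
        {
            cout << "The only true serial is the following string:" << endl;
            // Print exactly the six hard-coded characters
            for (size_t i = 0; i < sizeof(serial_true); i++)
            {
                cout << serial_true[i];
            }
            cout << endl;
        }
        return 0;
    }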

Run result:

It's a trivially easy problem.
