[Article Title]: RSACrackMe512 analysis walkthrough and keygen (registration machine) source code
[Author]: coolstar14
[Tools]: IDA, BigInterCalc, RDLP
[Software name]: RSACrackMe512
[Software size]: 40 KB
[Download]: http://bbs.pediy.com/attachment.php?attachmentid=7447&d=1187671766
[Software introduction]: A CrackMe that uses RSA-512 as its verification algorithm.
[Author's statement]: I did this purely out of interest and for no other purpose. If there are mistakes, please point them out!
--------------------------------------------------------------------------------
Detailed process:
Disassemble with IDA, follow the string references, and land directly on the key code:
.text:00402F18
.text:00402F18 loc_402F18:                     ; CODE XREF: DialogFunc+140j
.text:00402F18     lea     eax, [ebp+dst_buffer]
.text:00402F1E     lea     ecx, [ebp+rsa_n]
.text:00402F24     push    eax                 ; dst_buffer
.text:00402F25     push    ecx                 ; rsa_n
.text:00402F26     lea     edx, [ebp+input_sn]
.text:00402F2C     push    offset s_10001      ; "10001"
.text:00402F31     push    edx                 ; input_sn
.text:00402F32     mov     [ebp+var_4], 0
.text:00402F39     call    sub_402BC0          ; key function, follow it below
.text:00402F3E     test    eax, eax
.text:00402F40     jnz     short loc_402F68    ; eax != 0: go on to the next check; otherwise report an error
.text:00402F42     push    40h                 ; uType
.text:00402F44     push    offset Caption      ; "Registration prompt"
.text:00402F49
.text:00402F49 loc_402F49:                     ; CODE XREF: DialogFunc+1D8j
.text:00402F49     push    offset s_VSIAGm     ; "Incorrect registration code, keep trying!"
....
.text:00402F64     mov     esp, ebp
.text:00402F66     pop     ebp
.text:00402F67     retn
.text:00402F68 ; ---------------------------------------------------------------------------
.text:00402F68
.text:00402F68 loc_402F68:                     ; CODE XREF: DialogFunc+190j
.text:00402F68     lea     eax, [ebp+dst_buffer]
.text:00402F6E     lea     ecx, [ebp+String2]
.text:00402F74     push    eax                 ; lpString1
.text:00402F75     push    ecx                 ; lpString2
.text:00402F76     call    sub_402CE0          ; comparison function; in memory, eax points to the buffer derived from the SN and ecx to the user name we typed in
.text:00402F7B     add     esp, 8
.text:00402F7E     cmp     eax, 1
.text:00402F81     push    40h                 ; uType
.text:00402F83     push    offset Caption      ; "Registration prompt"
.text:00402F88     jnz     short loc_402F49    ; comparison did not return 1: jump to the failure message; otherwise registration succeeds
.text:00402F8A     push    offset s_ZUgmVSI    ; "Congratulations, the registration code is correct!"
.text:00402F8F     push    esi                 ; hWnd
.text:00402F90     call    ds:MessageBoxA
.text:00402F96     xor     eax, eax
The function called at 402F39 takes four parameters. Inspecting them in memory confirms what they are: the serial number we entered; the string "10001", which read as hex is 0x10001 = 65537, the most common public exponent e in RSA key pairs; a string 128 characters long, i.e. 128 hex digits = 512 bits, which is immediately suspect as the modulus n; and one more buffer that is passed to the comparison function below, so it must be the output buffer for the result. In other words the CrackMe computes SN^e mod n with the public key and compares the result against the user name, so a keygen needs the private exponent d, which in turn means factoring the 512-bit n.
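To make the check and its inverse concrete, here is an added Python model of the verification path described above and of the matching keygen. It is not the CrackMe's code and does not use the CrackMe's n: it generates its own 512-bit key so it can play both the author's role (who holds d) and the program's role (which only holds e and n). Two details the listing does not pin down are assumptions here: the "10001" string is parsed as hex, and the decrypted value is compared with the user name as its big-endian byte string. The function names check_sn and keygen are the example's own.

```python
import random

# Deterministic RNG so the example reproduces run to run; a real keygen
# would use os.urandom / secrets for key generation.
_rng = random.Random(2007)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test with a small trial-division filter."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime with exactly `bits` bits (top bit forced, odd)."""
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


E = 0x10001  # the "10001" string pushed at 402F2C, read as hex (assumption)


def make_rsa512_key():
    """Return (n_hex, d, p, q): n as the 128-char hex string the CrackMe
    stores, plus the private exponent d and factors the author kept."""
    while True:
        p, q = gen_prime(256), gen_prime(256)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == 512 and phi % E != 0:
            break
    d = pow(E, -1, phi)  # modular inverse, Python 3.8+
    return f"{n:0128x}", d, p, q


def check_sn(input_sn, rsa_e, rsa_n, name):
    """Model of sub_402BC0 followed by sub_402CE0:
    dst_buffer = sn^e mod n, then compare dst_buffer with the user name.
    Returns True on the "registration code is correct" path."""
    n = int(rsa_n, 16)
    e = int(rsa_e, 16)
    try:
        sn = int(input_sn, 16)
    except ValueError:
        # Unparseable SN: modelled as sub_402BC0 returning 0 (the
        # "incorrect registration code" path at loc_402F49).
        return False
    if not 0 < sn < n:
        return False
    m = pow(sn, e, n)
    dst_buffer = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return dst_buffer == name.encode()


def keygen(name, rsa_n, d):
    """Registration machine: SN = name^d mod n, the inverse of check_sn.
    Only someone holding d (i.e. who factored n) can compute this."""
    n = int(rsa_n, 16)
    m = int.from_bytes(name.encode(), "big")
    if not 0 < m < n:
        raise ValueError("name too long for this modulus")
    return f"{pow(m, d, n):x}"


if __name__ == "__main__":
    n_hex, d, p, q = make_rsa512_key()
    sn = keygen("coolstar14", n_hex, d)
    print("n =", n_hex)
    print("SN for coolstar14 =", sn)
    print("accepted:", check_sn(sn, "10001", n_hex, "coolstar14"))
```

The design point worth noticing is the asymmetry: the binary only needs (e, n) to verify, so patching or dumping the program never yields d; the keygen exists only because a 512-bit modulus is within reach of factoring, which is exactly why RSA-512 gives no real protection today.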
Function: sub_402BC0
.text:00402BC0 ; Attributes: bp-based frame
.text:00402BC0
.text:00402BC0 ; int __stdcall sub_402BC0(int input_sn, int rsa_e_10001, int rsa_n, LPSTR dst_buffer)
.text:00402BC0 sub_402BC0 proc near            ; CODE XREF: DialogFunc+189p
.text:00402BC0
.text:00402BC0 String2 &