Author: riusksk
Time: 2009-10-27, 13:01
Link: http://bbs.pediy.com/showthread.php?t=100167
[Crack article title] Dealing with an anti-debugging CM
[Author] riusksk (quange)
[Author email] riusksk@qq.com
[Author's homepage] http://riusksk.blogbus.com
[Cracking tool] OD
[Cracking platform] Windows Vista
[Software name] KGM1Tal.exe
[Software size] 4.00 KB
[Software Download] CM.rar
[Protection method] Not packed
[Software overview] A CM written by a foreign author
[Cracking statement] Purely out of interest, with no other purpose. If there are any mistakes, please point them out!
[Cracking process]
Open the CM, enter the username riusksk and the password 78787878, and click "register". It responds with "Try Again, something did not work right." So load it in OD and press F9 to run it, use the "Ultra String Reference+" plug-in to search for strings, double-click the string "Try Again, something did not work right.", and then search upward from there:
004014CE /$ BE 23304000   MOV ESI, KGM1Tal.00403023
004014D3 |. A1 4A304000   MOV EAX, DWORD PTR DS:[40304A]
004014D8 |. 8A5E 09       MOV BL, BYTE PTR DS:[ESI+9]
004014DB |. 38D8          CMP AL, BL
004014DD |. 75 16         JNZ SHORT KGM1Tal.004014F5
004014DF |. B8 6C304000   MOV EAX, KGM1Tal.0040306C        ; Great Job!
004014E4 |. 8BD8          MOV EBX, EAX
004014E6 |. 83C3 0B       ADD EBX, 0B
004014E9 |. 6A 00         PUSH 0                           ; /Style = MB_OK|MB_APPLMODAL
004014EB |. 50            PUSH EAX                         ; |Title => "Great Job!"
004014EC |. 53            PUSH EBX                         ; |Text => "You have completed Key Gen Me #1."
004014ED |. 6A 00         PUSH 0                           ; |hOwner = NULL
004014EF |. E8 B4000000   CALL <JMP.&user32.MessageBoxA>   ; MessageBoxA
004014F4 |. C3            RETN
004014F5 |> 6A 00         PUSH 0                           ; /Style = MB_OK|MB_APPLMODAL
004014F7 |. 68 C2304000   PUSH KGM1Tal.004030C2            ; |Not this time.
004014FC |. 68 99304000   PUSH KGM1Tal.00403099            ; |Try again, something did not work right.
00401501 |. 6A 00         PUSH 0                           ; |hOwner = NULL
00401503 |. E8 A0000000   CALL <JMP.&user32.MessageBoxA>   ; MessageBoxA
00401508 |. 6A 00         PUSH 0                           ; /ExitCode = 0
0040150A  . E8 A5000000   CALL <JMP.&kernel32.ExitProcess> ; ExitProcess
Since 004014CE is called from 004012ED, go to 004012ED and look upward from there:
004012AE  . FF35 3C304000 PUSH DWORD PTR DS:[40303C]       ; /Count = 1E (30.)
004012B4  . 68 00304000   PUSH KGM1Tal.00403000            ; |Buffer = KGM1Tal.00403000
004012B9  . 68 EC030000   PUSH 3EC                         ; |ControlID = 3EC (1004.)
004012BE  . FF75 08       PUSH DWORD PTR SS:[EBP+8]        ; |hWnd
004012C1  . E8 D6020000   CALL <JMP.&user32.GetDlgItemTextA> ; GetDlgItemTextA, reads the username
004012C6  . FF35 40304000 PUSH DWORD PTR DS:[403040]       ; /Count = 14 (20.)
004012CC  . 68 23304000   PUSH KGM1Tal.00403023            ; |Buffer = KGM1Tal.00403023
004012D1  . 68 ED030000   PUSH 3ED                         ; |ControlID = 3ED (1005.)
004012D6  . FF75 08       PUSH DWORD PTR SS:[EBP+8]        ; |hWnd
004012D9  . E8 BE020000   CALL <JMP.&user32.GetDlgItemTextA> ; GetDlgItemTextA, reads the password
004012DE  . E8 4F000000   CALL KGM1Tal.00401332
004012E3  . 68 53304000   PUSH KGM1Tal.00403053            ; zwatrqlcghpsxyenvbjdfkmu
004012E8  . E8 C9000000   CALL KGM1Tal.004013B6
004012ED  . E8 DC010000   CALL KGM1Tal.004014CE
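As an added example (my own code, not from the original post or the CM's author), here is a small Python parser for OllyDbg listing lines like the ones above. It locates the line that references the failure text and walks back to the conditional jump and the compare that guard it, which is the same upward trace done by hand above. The embedded listing is a constructed, cleaned subset of the dump of KGM1Tal.exe shown on this page.

```python
import re
from collections import namedtuple

Instr = namedtuple('Instr', 'addr mnemonic operands comment')
HEX = re.compile(r'^[0-9A-F]+$')
TARGET = re.compile(r'([0-9A-F]{8})\s*$')   # address ending a jxx/call operand

def parse_listing(text):
    """OllyDbg line -> Instr: address, marks, opcode bytes, instruction, ';' comment."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        code, _, comment = line.partition(';')
        tokens = code.split()
        addr = int(tokens[0][:8], 16)              # marks may be glued to the address
        tokens = [t for t in tokens[1:] if not set(t) <= set('/$|.>')]
        i = 0                                      # skip the raw opcode byte groups
        while i < len(tokens) and len(tokens[i]) % 2 == 0 and HEX.match(tokens[i]):
            i += 1
        out.append(Instr(addr, tokens[i].lower(), ' '.join(tokens[i + 1:]),
                         comment.strip().lstrip('/|\\').strip()))
    return out

def jump_target(ins):
    """Immediate destination of a jxx/jmp/call, or None (e.g. CALL <JMP.&dll.func>)."""
    m = TARGET.search(ins.operands) if ins.mnemonic[0] == 'j' or ins.mnemonic == 'call' else None
    return int(m.group(1), 16) if m else None

def locate_check(instrs, fail_text):
    """Compare/branch pair guarding the block that references the failure string."""
    fail_ref = next(i for i in instrs if fail_text.lower() in i.comment.lower())
    # the jcc landing highest at or before the failure reference starts the failure block
    guards = [(jump_target(i), i) for i in instrs if i.mnemonic[0] == 'j' and i.mnemonic != 'jmp']
    fail_block, branch = max((g for g in guards if g[0] is not None and g[0] <= fail_ref.addr),
                             key=lambda g: g[0])
    compare = next(i for i in reversed(instrs[:instrs.index(branch)])
                   if i.mnemonic in ('cmp', 'test'))
    return {'compare': compare.addr, 'branch': branch.addr,
            'fail_block': fail_block, 'fail_ref': fail_ref.addr}

# Constructed sample: a cleaned subset of the page's OllyDbg dump of KGM1Tal.exe.
LISTING = """\
004014CE /$ BE 23304000   MOV ESI, KGM1Tal.00403023
004014D8 |. 8A5E 09       MOV BL, BYTE PTR DS:[ESI+9]
004014DB |. 38D8          CMP AL, BL
004014DD |. 75 16         JNZ SHORT KGM1Tal.004014F5
004014DF |. B8 6C304000   MOV EAX, KGM1Tal.0040306C        ; Great Job!
004014F5 |> 6A 00         PUSH 0                           ; /Style = MB_OK|MB_APPLMODAL
004014FC |. 68 99304000   PUSH KGM1Tal.00403099            ; |Text = "Try Again, something did not work right."
00401503 |. E8 A0000000   CALL <JMP.&user32.MessageBoxA>   ; MessageBoxA
"""
```

Running `locate_check(parse_listing(LISTING), "Try Again")` reports the CMP at 004014DB and the JNZ at 004014DD as the pair that diverts execution to the failure block at 004014F5.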
However, if you set a breakpoint on GetDlgItemTextA or at 004012DE, the failure prompt seen earlier still pops up. So I switch to a message breakpoint here instead.
Reload the CM, press F9 to run it, and look at the window list: