Application of disassembly 1: software cracking

Source: Internet
Author: User

The following case shows the practical value of disassembly, namely its use in software encryption and decryption, and how basic assembly instructions are applied in practice. It also shows how powerful OllyDbg is for software debugging.

The example program crackme.exe comes from the "use ollydbg cracking from scratch" series of the snow forum. This document is intended only for learning and communication purposes, and is not intended for any other purposes.

 

The walkthrough starts here:

1. Open crackme.exe in OllyDbg; command: F3;

2. Whether or not the registration is correct, the program pops up a window containing a string. We use these "correct" and "incorrect" strings as the clue; command: right-click and search for all referenced strings;

3. Find the string "Great work, mate! Now try the next crackme!" and double-click it to go to the place where the string is referenced;

4. As you can see, the two pop-up calls there display the "registration correct" and "registration incorrect" windows. Using the two as clues, trace back to where each of the two calls is reached from;


5. Move the cursor over PUSH 30. The information pane shows: Local call from 0040124c;

That is, the code at PUSH 30 is reached from the address ending in 4C; next, look at the instructions there;


6. Here, the key instruction is at 401241. The comparison there determines whether the serial number is correct and therefore which branch is taken next.

7. Set a breakpoint on CMP EAX, 0 and run the program with F9; the registration window pops up. We enter the user name ABC and the serial number 123 (the values used in the steps below).

Then press OK, and the program stops at the breakpoint we set.


8. With the comments on the right, the process is very clear. The instruction at 401228 pushes the address of the user name string ABC, which is then processed with the result saved in EAX. The subsequent instructions process the serial number 123 in the same way; you can guess that the result of the serial number operation is returned in EBX, which is what makes the subsequent CMP EAX, EBX meaningful;

9. Single-step into the function at 40122d with F7 to see the following processing:


After some simple tracing, we find that the above code is equivalent to the following C code:

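int nameCrack(char* str)
{
    int sum = 0;
    while (*str) {
        int t = (int)(*str);
        /* characters above 'Z' (0x5A) are converted to upper case */
        if (t > 0x5A)
            t -= 0x20;
        /* every character is added, which gives 0x56be for ABC */
        sum += t;
        str++;
    }
    sum = sum ^ 0x5678;
    return sum;
}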

For our input ABC, the output of the above function is 0x56be;

10. Similarly, we trace and debug the instructions at 401238:


The above code is equivalent to the following C code:

int numCrack(char* str)
{
    int sum = 0;
    while (*str) {
        /* convert the ASCII digit to its value and accumulate in base 10 */
        int c = (int)*str - 0x30;
        sum = 10*sum + c;
        str++;
    }
    return (sum ^ 0x1234);
}

11. According to the debugger, the values of EAX and EBX are 56be and 124f, respectively. The two are different, so the registration fails. To make them the same, we keep ABC unchanged and change the serial number.

12. XORing 56be with 0x1234 gives the decimal value 17546. Therefore, the serial string only needs to produce a sum of 17546. Because the ASCII codes of the digits start from 0x31 and the code subtracts 0x30 from each character, we only need to enter the number 17546.
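The check reconstructed in steps 8 to 12, as an added example that is not part of the original post: it models both routines and the final comparison, and shows that the accepted serial is a pure function of the name because XOR is its own inverse. The function names are hypothetical, and the name routine adds every character after uppercasing, which is what yields the 0x56be reported for ABC.

```c
#include <stdio.h>

/* Model of the routine at 40122d: uppercase anything above 'Z', sum, XOR. */
int name_value(const char *s) {
    int sum = 0;
    for (; *s; s++) {
        int t = (unsigned char)*s;
        if (t > 0x5A)
            t -= 0x20;
        sum += t;
    }
    return sum ^ 0x5678;
}

/* Model of the routine at 401238: decimal string to integer, then XOR. */
int serial_value(const char *s) {
    int sum = 0;
    for (; *s; s++)
        sum = 10 * sum + (*s - 0x30);
    return sum ^ 0x1234;
}

/* The comparison from step 6: registration succeeds when both values agree. */
int check(const char *name, const char *serial) {
    return name_value(name) == serial_value(serial);
}

/* Inverting the serial routine: XOR the name value with the same constant.
   Nothing secret is involved, so the check only obscures the relation. */
int required_serial(const char *name) {
    return name_value(name) ^ 0x1234;
}

int main(void) {
    char buf[16];
    printf("EAX for ABC: %#x\n", name_value("ABC"));   /* value seen in step 11 */
    printf("EBX for 123: %#x\n", serial_value("123")); /* value seen in step 11 */
    printf("ABC/123 accepted: %d\n", check("ABC", "123"));
    snprintf(buf, sizeof buf, "%d", required_serial("ABC"));
    printf("ABC/%s accepted: %d\n", buf, check("ABC", buf));
    return 0;
}
```

Running the model against the register values seen in the debugger is a quick way to confirm that the hand-written C really matches the disassembly before relying on it.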


