[Disassembly exercise] 023 of 160 crackme

Source: Internet
Author: User

The purpose of this series of articles is to work through all 160 crackmes step by step, starting as a novice with no experience (which, in fact, is what I am), and to write something like a keygen ("registration machine") by whatever means.

The article is organized according to the following logic (the problems to solve):

1. Environment and tools used

2. Program analysis

3. Train of thought and cracking process

4. Keygen (registration machine) exploration

----------------------------------

Note to readers: if you cannot understand the logic in the article, you must never have tried it yourself! The jump hints in OD (OllyDbg) are very powerful. As long as you trace along, you can understand it without reading the code!

----------------------------------

1. Tools and environment:

WinXP SP3 + 52pojie 6th anniversary edition OD (OllyDbg) + PEiD + Assembly Gold Finger.

The package of 160 crackme files.

Download: http://pan.baidu.com/s/1xUWOY password: jbnq

Note:

1. On Win7, random base addresses (ASLR) are enabled for modules and programs, which makes analysis much more of a burden. We therefore do not recommend using Win7 for analysis.

2. The above tools are all the original programs from the 52pojie forum. NOD32 does not report any viruses, and I personally promise not to engage in anything related to Trojans or viruses.

2. Program analysis:

To crack a program, you must first understand it. The initial analysis of the program is therefore a very important part of the process: it helps us understand the author's purpose and intention, especially the details of how the registration code is handled, which makes it easier to trace and derive things backwards.

As in the previous section, open the CHM, select the 23rd entry, chafe.1.exe, and save it. Run the program. The program interface is as follows:

 

Note: there is no error message box; the only message box that pops up comes from the "About" button.

 

3. Train of Thought Analysis and Cracking Process

PEiD: MASM32/TASM32

Steps:

1. Open OD, drag the EXE into the OD window, and wait until the program is paused. Then just click the run button (F9) and ignore it.

2. In the EXE, enter name: bbdxf, key: 123123.

3. In the OD disassembly window, right-click, open the Chinese search engine plugin and choose intelligent search.

We can easily find the success text: Yes! You found your serial!

Right-click it and choose follow. Skim through the code:

00401294  |.  e8 ba010000     call 00401453                      ; Case 113 (wm_timer) of switch 0040123f
00401299  |.  0fbe05 663140>  movsx eax, byte ptr ds:[0x403166]  ; // 4
004012a0  |.  3a05 67314000   cmp al, byte ptr ds:[0x403167]
004012a6  |.  75 06           jnz short 004012ae
004012a8  |.  33c0            xor eax, eax
004012aa  |.  c9              leave
004012ab  |.  c2 1000         retn 0x10                          ; // return to USER32 module
004012ae  |>  a2 67314000     mov byte ptr ds:[0x403167], al
004012b3  |.  83f8 10         cmp eax, 0x10
004012b6  |.  74 16           je short 004012ce                  ; // key jump
004012b8  |.  68 65304000     push 00403065                      ; /your serial is not valid.
004012bd  |.  ff35 7c314000   push dword ptr ds:[0x40317c]       ; |hwnd = 000f01ea ('your serial is not valid.', class = 'edit', parent = 0007011c)
004012c3  |.  e8 66020000     call <jmp.&user32.SetWindowTextA>  ; \SetWindowTextA
004012c8  |.  33c0            xor eax, eax
004012ca  |.  c9              leave
004012cb  |.  c2 1000         retn 0x10
004012ce  |>  68 7f304000     push 0040307f                      ; /Yes! You found your serial!!
004012d3  |.  ff35 7c314000   push dword ptr ds:[0x40317c]       ; |hwnd = 000f01ea ('your serial is not valid.', class = 'edit', parent = 0007011c)
004012d9  |.  e8 50020000     call <jmp.&user32.SetWindowTextA>  ; \SetWindowTextA
004012de  |.  33c0            xor eax, eax
004012e0  |.  c9              leave
004012e1  |.  c2 1000         retn 0x10

The key jump is easy to find!! (PS: a program written in pure assembly really has very little code. Just scroll up and down a bit and you have seen all of it!)

Select je short 004012ce, press the Space key, change it to the unconditional jump jmp 004012ce, then return to the EXE program and enter any name and key. Haha, success!

 

4. Keygen (registration machine) exploration

As the About box says, this program really wants you to work out the registration code rather than patch it! Let's try:

First, from the hint Case 113 (wm_timer) of switch 0040123f, we know that this code is triggered by a timer. We set a breakpoint here and single-step with F8:

Contents of call 00401453:

00401453  /$  55              push ebp                           ; // ontimer response function
00401454  |.  8bec            mov ebp, esp
00401456  |.  83c4 fc         add esp, -0x4
00401459  |.  8925 a0314000   mov dword ptr ds:[0x4031a0], esp
0040145f  |.  8d25 52314000   lea esp, dword ptr ds:[0x403152]   ; // function header
00401465  |.  0fbe05 663140>  movsx eax, byte ptr ds:[0x403166]
0040146c  |.  03e0            add esp, eax
0040146e  \.  c3              retn

dd 0x403152

00403152  0040146f  chafe_1.0040146f
00403156  00401063  chafe_1.00401093
0040315a  00401361  chafe_1.00401361
0040315e  0040149c  chafe_1.0040149c
00403692  004014ba  chafe_1.004014ba

The retn of the call lands here:

00401361   .  8d3d 8c314000   lea edi, dword ptr ds:[0x40318c]   ; bbdxf
00401367   .  0fbe05 683140>  movsx eax, byte ptr ds:[0x403168]  ; \n
0040136e   .  03f8            add edi, eax
00401370   .  fe05 68314000   inc byte ptr ds:[0x403168]
00401376   .  a1 88314000     mov eax, dword ptr ds:[0x403188]
0040137b   .  8b25 a0314000   mov esp, dword ptr ds:[0x4031a0]
00401381   .  40              inc eax
00401382   .  ff05 88314000   inc dword ptr ds:[0x403188]
00401388   .  3307            xor eax, dword ptr ds:[edi]
0040138a   .  a3 88314000     mov dword ptr ds:[0x403188], eax
0040138f   .  803d 68314000>  cmp byte ptr ds:[0x403168], 0x10
00401396   .  75 07           jnz short 0040139f
00401398   .  8005 66314000>  add byte ptr ds:[0x403166], 0x4
0040139f   >  c9              leave
004013a0   .  c3              retn

That retn returns to here:

00401299  |.  0fbe05 663140>  movsx eax, byte ptr ds:[0x403166]  ; // 4
004012a0  |.  3a05 67314000   cmp al, byte ptr ds:[0x403167]
004012a6  |.  75 06           jnz short 004012ae
004012a8  |.  33c0            xor eax, eax
004012aa  |.  c9              leave
004012ab  |.  c2 1000         retn 0x10                          ; // return to USER32 module
004012ae  |>  a2 67314000     mov byte ptr ds:[0x403167], al
004012b3  |.  83f8 10         cmp eax, 0x10
004012b6  |.  74 16           je short 004012ce                  ; // key jump
004012b8  |.  68 65304000     push 00403065                      ; /your serial is not valid.
004012bd  |.  ff35 7c314000   push dword ptr ds:[0x40317c]       ; |hwnd = 000f01ea ('your serial is not valid.', class = 'edit', parent = 0007011c)
004012c3  |.  e8 66020000     call <jmp.&user32.SetWindowTextA>  ; \SetWindowTextA
004012c8  |.  33c0            xor eax, eax
004012ca  |.  c9              leave
004012cb  |.  c2 1000         retn 0x10
004012ce  |>  68 7f304000     push 0040307f                      ; /Yes! You found your serial!!
004012d3  |.  ff35 7c314000   push dword ptr ds:[0x40317c]       ; |hwnd = 000f01ea ('your serial is not valid.', class = 'edit', parent = 0007011c)
004012d9  |.  e8 50020000     call <jmp.&user32.SetWindowTextA>  ; \SetWindowTextA
004012de  |.  33c0            xor eax, eax
004012e0  |.  c9              leave
004012e1  |.  c2 1000         retn 0x10

A large number of global variables such as 0x403188 are used here, but their meaning and contents are not very clear. Although the flow is clear, I still do not quite understand what it means. So no algorithm is available for now!

By stupid d Happy
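One reading of the routines listed above, written out as C (an added example, not code from the original article or from the crackme): the timer routine at 00401453 uses retn as an indirect jump through the table at 0x403152, selected by the byte at 0x403166, and the handler at 00401361 (table offset +8) folds the name into the dword at 0x403188. The variable names, the 32-byte buffer size and the zero starting values are assumptions; the handlers in the other table slots are not listed on the page and are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Globals named after their addresses in the listing; the roles are this example's reading. */
static uint8_t  state;      /* byte  [0x403166]: byte offset into the table at 0x403152 */
static uint8_t  prev_state; /* byte  [0x403167]: state seen on the previous tick */
static uint8_t  idx;        /* byte  [0x403168]: position in the name buffer */
static uint32_t acc;        /* dword [0x403188]: running value */
static uint8_t  name[32];   /* buffer at 0x40318c; the 32-byte size is an assumption */
static int      last_result;

enum { UNCHANGED, INVALID, VALID };

/* 00401361 (table offset +8): acc = (acc + 1) ^ dword at name[idx], then idx++. */
static void handler_00401361(void) {
    uint32_t w = name[idx] | name[idx + 1] << 8 | name[idx + 2] << 16
               | (uint32_t)name[idx + 3] << 24;  /* xor eax, dword ptr [edi] */
    idx++;
    acc = (acc + 1) ^ w;
    if (idx == 0x10) state += 4;  /* add byte [0x403166], 0x4: select the next slot */
}

/* 00401453: lea esp,[0x403152] / add esp,eax / retn pops the table entry into EIP. */
static void on_timer(void) {
    if (state == 8) handler_00401361();
    /* handlers in the other slots are not listed on the page and are not modelled */
}

/* 00401294..004012e1: the edit text is only set when the state byte changed. */
static int tick(void) {
    on_timer();
    if (state == prev_state) return UNCHANGED;  /* jnz not taken: return 0 */
    prev_state = state;
    return state == 0x10 ? VALID : INVALID;     /* je short 004012ce */
}

/* Run 16 timer ticks of the +8 phase; assumes idx and acc start at 0 (not shown on the page). */
static uint32_t run_slot8(const char *n) {
    memset(name, 0, sizeof name);
    strncpy((char *)name, n, sizeof name - 1);
    state = prev_state = 8; idx = 0; acc = 0;
    for (int i = 0; i < 16; i++) last_result = tick();
    return acc;
}

int main(void) {
    printf("acc=%08x state=%#x\n", (unsigned)run_slot8("bbdxf"), (unsigned)state);
    return 0;
}
```

In this model the 16th tick moves the state byte from 8 to 0xC, so the "not valid" text is written on that transition; the success branch is only reached once some later handler sets the byte to 0x10.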
