[Disassembly exercise] 033 of 160 crackme

Source: Internet
Author: User


The purpose of this series of articles is to work step by step through all 160 crackmes from the point of view of a complete novice (in fact, myself), and to write something like a keygen for each one by whatever means works.

Each article is organized along the following lines (answering the following questions):

1. Environment and tools used

2. Program Analysis

3. Analysis Approach and Cracking Process

4. Keygen Exploration

----------------------------------

Reminder: if you cannot follow the logic in the article, it is because you have never done it yourself! The jump hints in OD are very powerful; as long as you trace them, you can understand the flow without reading the code in detail!

----------------------------------

1. Tools and environment:

WinXP SP3 + the 52pojie 6th anniversary edition of OD (OllyDbg) + PEiD + Assembly Gold Finger (an x86 instruction reference).

The 160 crackme collection: http://pan.baidu.com/s/1xUWOY (extraction password: jbnq)

Note:

1. Win7 enables randomized load addresses (ASLR) for modules and programs, which makes analysis considerably harder. We therefore do not recommend analysing on Win7.

2. All of the above tools are the original programs from the 52pojie forum. NOD32 reports no virus, and I personally promise that nothing here is related to Trojans or viruses.

2. Program analysis:

To crack a program you must first understand it, so the initial analysis of the program is very important. It helps us understand the author's purpose and intention, and in particular the details of the registration code, which makes reverse tracing and derivation easier.

For this example, open the CHM, select entry 33 (cruehead.1.exe) and save it to disk. Run the program; the interface looks like this:

It shows a message box, which is very convenient.

PEiD: MASM32 / TASM32 [Overlay]

An assembly program! Ah! That means it is either very easy or very difficult!


3. Analysis Approach and Cracking Process

1. Open OD, drag the EXE into the OD window, and wait until the program pauses at the entry point. Click the Run button (F9). No explanation needed.

2. Click About -> Register and enter arbitrary dummy values, here bbdxf / 123123. Click OK to bring up the message box. Do not close it; switch back to OD.

3. Press Ctrl+K to view the call stack:


Right-click the "cruehead.0040137E" entry and choose "Show call".

0040137E /$ 8B7424 04      mov esi, dword ptr ss:[esp+0x4]
00401382 |. 56             push esi                          ; // esi -> "bbdxf"
00401383 |> 8A06           /mov al, byte ptr ds:[esi]
00401385 |. 84C0           |test al, al
00401387 |. 74 13          |je short 0040139C                ; // end of string
00401389 |. 3C 41          |cmp al, 0x41                     ; "A"
0040138B |. 72 1F          |jb short 004013AC                ; // below 'A': fail
0040138D |. 3C 5A          |cmp al, 0x5A                     ; "Z"
0040138F |. 73 03          |jnb short 00401394
00401391 |. 46             |inc esi
00401392 |.^EB EF          |jmp short 00401383
00401394 |> E8 39000000    |call 004013D2                    ; // 'Z' or above (e.g. lowercase): sub al, 0x20
00401399 |. 46             |inc esi
0040139A |.^EB E7          \jmp short 00401383
0040139C |> 5E             pop esi                           ; // esi back to the start of the name
0040139D |. E8 20000000    call 004013C2                     ; // sum the adjusted bytes into edi
004013A2 |. 81F7 78560000  xor edi, 0x5678
004013A8 |. 8BC7           mov eax, edi                      ; // eax = name result used in the compare
004013AA |. EB 15          jmp short 004013C1
004013AC |> 5E             pop esi
004013AD |. 6A 30          push 0x30                         ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013AF |. 68 60214000    push 00402160                     ; |Title = "No luck!"
004013B4 |. 68 69214000    push 00402169                     ; |Text = "No luck there, mate!"
004013B9 |. FF75 08        push [arg.1]                      ; |hOwner
004013BC |. E8 79000000    call <jmp.&user32.MessageBoxA>    ; \MessageBoxA
004013C1 \> C3             retn

This code only processes the name. If a character fails the check, it jumps to the "No luck" message box.

Select the first instruction of this routine, at address 0040137E. OD shows the hint:

Local call from 0040122D

Go to address 0040122D. The code around it looks like this:

00401228  . 68 8E214000   push 0040218E                  ; ASCII "bbdxf"
0040122D  . E8 4C010000   call 0040137E                  ; // name routine, result in eax
00401232  . 50            push eax                       ; // save the name result
00401233  . 68 7E214000   push 0040217E                  ; ASCII "123123"
00401238  . E8 9B010000   call 004013D8                  ; // serial routine, result in ebx
0040123D  . 83C4 04       add esp, 0x4
00401240  . 58            pop eax                        ; // restore the name result
00401241  . 3BC3          cmp eax, ebx
00401243  . 74 07         je short 0040124C
00401245  . E8 18010000   call 00401362
0040124A  .^EB 9A         jmp short 004011E6
0040124C  > E8 FC000000   call 0040134D                  ; // success message box when the jump is taken
00401251  .^EB 93         jmp short 004011E6

There are quite a few calls here, so let's analyse them one by one (the comments are the result of that analysis):

Call 0040137E: the name routine, already listed above.

Call 004013D2 (used for a character at or above 'Z'):

004013D2 /$ 2C 20         sub al, 0x20
004013D4 |. 8806          mov byte ptr ds:[esi], al        ; // write the adjusted byte back
004013D6 \. C3            retn

Call 004013C2 (sums the adjusted name bytes):

004013C2 /$ 33FF          xor edi, edi
004013C4 |. 33DB          xor ebx, ebx
004013C6 |> 8A1E          /mov bl, byte ptr ds:[esi]
004013C8 |. 84DB          |test bl, bl
004013CA |. 74 05         |je short 004013D1
004013CC |. 03FB          |add edi, ebx                   ; // edi = running sum
004013CE |. 46            |inc esi
004013CF |.^EB F5         \jmp short 004013C6
004013D1 \> C3            retn

Call 004013D8 (the serial routine):

004013D8 /$ 33C0          xor eax, eax
004013DA |. 33FF          xor edi, edi
004013DC |. 33DB          xor ebx, ebx
004013DE |. 8B7424 04     mov esi, dword ptr ss:[esp+0x4]
004013E2 |> B0 0A         /mov al, 0xA
004013E4 |. 8A1E          |mov bl, byte ptr ds:[esi]      ; // "123123"
004013E6 |. 84DB          |test bl, bl
004013E8 |. 74 0B         |je short 004013F5
004013EA |. 80EB 30       |sub bl, 0x30                   ; // ASCII digit -> value
004013ED |. 0FAFF8        |imul edi, eax                  ; // edi = edi * 10
004013F0 |. 03FB          |add edi, ebx                   ; // edi = edi + digit
004013F2 |. 46            |inc esi
004013F3 |.^EB ED         \jmp short 004013E2
004013F5 |> 81F7 34120000 xor edi, 0x1234
004013FB |. 8BDF          mov ebx, edi                    ; // ebx = serial result used in the compare
004013FD \. C3            retn

Call 0040134D (the success message):

0040134D /$ 6A 30         push 0x30                       ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0040134F |. 68 29214000   push 00402129                   ; |Title = "Good work!"
00401354 |. 68 34214000   push 00402134                   ; |Text = "Great work, mate! Now try the next crackme!"
00401359 |. FF75 08       push [arg.1]                    ; |hOwner
0040135C |. E8 D9000000   call <jmp.&user32.MessageBoxA>  ; \MessageBoxA
00401361 \. C3            retn

Haha, so the overall flow is this: starting at address 00401228, the name and the serial are each run through their own call, then compared at 00401241 (cmp eax, ebx), and the result decides which branch is taken. The branch at 0040124C (call 0040134D) is the success path, so we only need to change the je short 0040124C at 00401243 into jmp 0040124C and try it:


4. Keygen Exploration

The algorithm works as follows:

1. Name string: first check that each character is in A-Z, then add 0x20 to each character's ASCII value, sum the resulting values, and finally XOR the sum with 0x5678.

2. Serial string: add 0x30 to each character's ASCII value, combine it with the previous running value divided by 10, continue with the next character, and finally XOR the result with 0x1234.

3. Compare the two final results.

..... I can't think of two strings that satisfy this, so I can't compute them!
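As an added worked example (my code, not part of the original post or the crackme), here is a Python keygen that reimplements the two routines exactly as the OllyDbg listings above show them: a byte below 'A' fails, a byte at or above 'Z' gets sub al, 0x20, the adjusted bytes are summed and XORed with 0x5678; the serial is parsed with edi = edi*10 + (byte - 0x30) and XORed with 0x1234. Since the final test is just cmp eax, ebx, the serial for a name is simply the decimal string of name_hash ^ 0x1234; the function names and sample inputs are my own.

```python
# Added example: re-implements the routines in the listings and inverts the compare.
# Not the crackme's code and not the post author's; constants come from the listings.

NAME_XOR = 0x5678    # xor edi, 0x5678 at 004013A2
SERIAL_XOR = 0x1234  # xor edi, 0x1234 at 004013F5
MASK32 = 0xFFFFFFFF


def name_hash(name: str):
    """Mirror of call 0040137E + 004013C2.
    Returns None when any byte is below 'A' (the jb to the "No luck" box),
    otherwise the 32-bit sum of the adjusted bytes XOR 0x5678."""
    total = 0
    for ch in name.encode("latin-1"):
        if ch < 0x41:                     # cmp al, 0x41 / jb 004013AC
            return None
        if ch >= 0x5A:                    # cmp al, 0x5A / jnb 00401394
            ch -= 0x20                    # call 004013D2: sub al, 0x20 ('Z' itself becomes ':')
        total = (total + ch) & MASK32     # call 004013C2: add edi, ebx
    return total ^ NAME_XOR


def serial_value(serial: str) -> int:
    """Mirror of call 004013D8: edi = edi*10 + (bl - 0x30), then XOR 0x1234.
    The routine has no digit check, so non-digit bytes are folded in just
    as the code does it (8-bit wrap on bl, ebx zeroed beforehand)."""
    edi = 0
    for ch in serial.encode("latin-1"):
        digit = (ch - 0x30) & 0xFF        # sub bl, 0x30
        edi = (edi * 10 + digit) & MASK32 # imul edi, eax (eax = 10) / add edi, ebx
    return edi ^ SERIAL_XOR


def check(name: str, serial: str) -> bool:
    """The cmp eax, ebx at 00401241: success only when both results match."""
    h = name_hash(name)
    return h is not None and h == serial_value(serial)


def keygen(name: str):
    """Invert the compare: the serial's decimal value must equal hash ^ 0x1234."""
    h = name_hash(name)
    if h is None:                         # this name would hit "No luck" regardless
        return None
    return str(h ^ SERIAL_XOR)
```

For the dummy name bbdxf used above, keygen("bbdxf") gives 17706, and check("bbdxf", "123123") is False, matching the "No luck" result seen in the walkthrough.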


By bbdxf
