First, check with PEiD for a packer:
Delphi, no packer. Load it in OD (OllyDbg); the language does not matter much.
Running the program first shows three parts: a nag, a key, and a name/serial check. I will take them one at a time. I won't paste the dialog boxes from blindly trying input ...
Nag:
Run it in OD, step with F8 or SHIFT+F8, and work out what each of these calls does.
At the point where the first nag pops up, F9 past it and then step into the call.
Keep using F8 to find the exact location where the nag pops up. This part is quite a pit: there are a lot of jumps, so be patient. Eventually you find the position of this MessageBoxA call.
NOP out this MessageBoxA call entirely and the nag is gone.
Key:
The key is also fairly simple: generally, when only a single string is entered, it is hard-coded inside the program.
CTRL+F2 to restart the program, F9 to run, then enter the input.
Don't click OK. F12 pauses the program; then Alt+K opens the call stack, where we find the MessageBox call for this dialog box.
Because the Ctrl+N lookup of intermodular references found quite a few MessageBox functions at the start, I could not tell what each one does. If there were only one MessageBox function, you could Ctrl+N and jump straight to it ...
Show call, and looking at the function we see
push ebp
mov ebp,esp
The stack-frame creation is obvious at this point.
Set a breakpoint on the push ebp at the function head; I want to find out where this function is called from.
Note that you need to F9 twice, re-enter the input, and click Check it baby!
Then find the most recent return address in the stack window in the lower right:
0019F810 0042F509 返回到 Acid_bur.0042F509 来自 Acid_bur.0042A170
Right-click, Follow in Disassembler, go to the call location and analyze upward from there (a good habit ...).
We see the key really is hard-coded in the program: 12345 is the key we entered, so Hello dude should be the correct key. Check:
The last part is the name/serial. It is called hard, but it is not really difficult, since even I managed it ...
Again, F9, enter the serial, and find the MessageBox call:
Show call, and with the same push ebp structure at the function head, set a breakpoint to find what calls this MessageBox function
(let's call it that, because its job is to pop up a dialog box).
The call is found. The first option is to patch it: NOP out the call directly:
After patching, any input succeeds, but that is too cheap a solution, so we go looking for the algorithm:
Keep setting breakpoints and stepping with F7, F8 and F9 to analyze the assembly above (you don't want to know how long this took me as a novice):
First, at
0042FB32 |. E8 39A6FFFF call Acid_bur.0042A170
set breakpoints above and below, and, without letting the error dialog pop up, analyze the assembly code above.
We see a serial string. So try this serial; it should have been generated from the name I entered.
It worked.
Change the name, and only the middle of the string changes; the CW and the other letters stay the same. From the analysis above, the correct serial is spliced together.
Show code:
0042FA52 |. E8 D96EFDFF     call Acid_bur.00406930
0042FA57 |. 83F8 04         cmp eax,0x4                        ; compare whether the string length is >= 4
0042FA5A |. 7D 1D           jge short Acid_bur.0042FA79
0042FA5C |. 6A 00           push 0x0
0042FA5E |. B9 74FB4200     mov ecx,Acid_bur.0042FB74          ; ASCII "Try again!"
0042FA63 |. BA 80FB4200     mov edx,Acid_bur.0042FB80          ; ASCII "Sorry, the serial is incorect!"
0042FA68 |. A1 480A4300     mov eax,dword ptr ds:[0x430A48]
0042FA6D |. 8B00            mov eax,dword ptr ds:[eax]         ; Acid_bur.00424090
0042FA6F |. E8 FCA6FFFF     call Acid_bur.0042A170             ; length < 4: call 0042A170, the error dialog
0042FA74 |. E9 BE000000     jmp Acid_bur.0042FB37
0042FA79 |> 8D55 F0         lea edx,[local.4]
0042FA7C |. 8B83 DC010000   mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82 |. E8 D1AFFEFF     call Acid_bur.0041AA58
0042FA87 |. 8B45 F0         mov eax,[local.4]
0042FA8A |. 0FB600          movzx eax,byte ptr ds:[eax]        ; take the first character of the name string
0042FA8D |. F72D 50174300   imul dword ptr ds:[0x431750]       ; multiply by 0x29 (stored at 0x431750)
0042FA93 |. A3 50174300     mov dword ptr ds:[0x431750],eax
0042FA98 |. A1 50174300     mov eax,dword ptr ds:[0x431750]
0042FA9D |. 0105 50174300   add dword ptr ds:[0x431750],eax    ; multiply by 2 again, result stored at 0x431750
0042FAA3 |. 8D45 FC         lea eax,[local.1]
0042FAA6 |. BA ACFB4200     mov edx,Acid_bur.0042FBAC
0042FAAB |. E8 583CFDFF     call Acid_bur.00403708
0042FAB0 |. 8D45 F8         lea eax,[local.2]
0042FAB3 |. BA B8FB4200     mov edx,Acid_bur.0042FBB8
0042FAB8 |. E8 4B3CFDFF     call Acid_bur.00403708
0042FABD |. FF75 FC         push [local.1]                     ; Acid_bur.0042FBAC
0042FAC0 |. 68 C8FB4200     push Acid_bur.0042FBC8             ; UNICODE "-"
0042FAC5 |. 8D55 E8         lea edx,[local.6]
0042FAC8 |. A1 50174300     mov eax,dword ptr ds:[0x431750]
0042FACD |. E8 466CFDFF     call Acid_bur.00406718             ; this call generates the numeric middle part of the serial
0042FAD2 |. FF75 E8         push [local.6]                     ; local.6 is the generated password number string
0042FAD5 |. 68 C8FB4200     push Acid_bur.0042FBC8             ; UNICODE "-"
0042FADA |. FF75 F8         push [local.2]                     ; Acid_bur.0042FBB8
0042FADD |. 8D45 F4         lea eax,[local.3]
0042FAE0 |. BA 05000000     mov edx,0x5
0042FAE5 |. E8 C23EFDFF     call Acid_bur.004039AC             ; string concatenation
0042FAEA |. 8D55 F0         lea edx,[local.4]
0042FAED |. 8B83 E0010000   mov eax,dword ptr ds:[ebx+0x1E0]
0042FAF3 |. E8 60AFFEFF     call Acid_bur.0041AA58             ; get the entered password
0042FAF8 |. 8B55 F0         mov edx,[local.4]                  ; the entered password: 12345
0042FAFB |. 8B45 F4         mov eax,[local.3]                  ; the right password
0042FAFE |. E8 F93EFDFF     call Acid_bur.004039FC             ; obviously a comparison of the two strings
0042FB03 |. 75 1A           jnz short Acid_bur.0042FB1F
We don't need to step into every call; treat each one as a black box and just understand what it does.
First it checks the string length, then takes the first character and multiplies it by the value at address 0x431750 (look at 0x431750 in the data window with Ctrl+G),
then multiplies by 2 to get that number. The key generation code is:
0042FAC5 |. 8D55 E8         lea edx,[local.6]
0042FAC8 |. A1 50174300     mov eax,dword ptr ds:[0x431750]
0042FACD |. E8 466CFDFF     call Acid_bur.00406718             ; this call generates the numeric middle part of the serial
0042FAD2 |. FF75 E8         push [local.6]                     ; local.6 is the generated password number string
Set a breakpoint here and step into it:
Here is the real pit: inside there are a lot of jumps. I only know that every character is operated on, but with so many jumps I did not understand its implementation (slacker ...). Still, I am sure this is where the string is produced, so I treated it as a black box.
After entering name 12345, the memory at 0x431750 holds 0x0FB2 after the operation, and the generated number string is 4018. OK, I guessed it:
converting the hex number to a decimal number string is all this call does ...
OK, so the algorithm: from the entered name, first generate a number string from the result above, then splice it with the other letters and symbols into the final serial. That is the whole name/serial algorithm ...
So we can write the keygen:
#include <iostream>
#include <cstdio>
#include <cstring>
#define N 10000
using namespace std;

int main()
{
    char buffer[N];
    int c;
    cout << "please input name:\n";
    // fgets instead of gets (gets was removed from the C standard); strip the trailing newline
    if (fgets(buffer, N, stdin) == NULL)
        return 1;
    buffer[strcspn(buffer, "\r\n")] = '\0';
    if (strlen(buffer) < 4)  // the name must be at least 4 characters, as the cmp eax,4 check requires
    {
        cout << "Error!" << endl;
    }
    else
    {
        c = (unsigned char)buffer[0]; // first character, zero-extended like movzx
        c = c * 0x29;                 // imul by the value at 0x431750
        c = c * 2;                    // add [0x431750],eax doubles it
        printf("Serial: CW-%d-CRACKED\r\n", c);
    }
    return 0;
}
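As an added cross-check that is not part of the original write-up, here is the same algorithm recast as a reference model of the check routine at 0042FA52..0042FB03, with a keygen validated against it. The "CW" and "CRACKED" constants at 0042FBAC/0042FBB8 are assumed from the write-up's own keygen, and the multiplier 0x29 is assumed to be the initial content of 0x431750.

```cpp
#include <cstdio>
#include <string>

// Added example: a model of the serial check written from the disassembly,
// not the crackme's own code. 0x431750 is assumed to start out holding 0x29.
static const unsigned int kMultiplier = 0x29;

// Mirrors the name/serial check: true when the serial would be accepted,
// false when the "Try again!" error dialog would fire.
bool acid_burn_check(const std::string &name, const std::string &serial) {
    // cmp eax,0x4 / jge: a name shorter than 4 goes straight to the error dialog
    if (name.size() < 4) return false;
    // movzx eax,byte ptr [eax]: first character, zero-extended (not sign-extended)
    unsigned int v = static_cast<unsigned char>(name[0]);
    v *= kMultiplier;   // imul dword ptr ds:[0x431750]
    v += v;             // add dword ptr ds:[0x431750],eax  (times 2)
    // call 00406718 turns the value into its decimal string; call 004039AC
    // splices prefix, "-", number, "-", suffix into the expected serial
    std::string expected = "CW-" + std::to_string(v) + "-CRACKED";
    // call 004039FC: plain string comparison; jnz takes the failure path
    return serial == expected;
}

// Keygen built from the same model: returns "" for names the check rejects.
std::string acid_burn_keygen(const std::string &name) {
    if (name.size() < 4) return "";
    unsigned int v = static_cast<unsigned char>(name[0]);
    return "CW-" + std::to_string(v * kMultiplier * 2) + "-CRACKED";
}

int main() {
    // constructed sample names; "12345" reproduces the 4018 from the write-up
    const char *names[] = {"12345", "Cracker", "abc"};
    for (const char *n : names) {
        std::string s = acid_burn_keygen(n);
        std::printf("%-8s -> %-16s accepted=%d\n", n, s.c_str(),
                    acid_burn_check(n, s) ? 1 : 0);
    }
    return 0;
}
```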
Honestly, this crackme is not hard, but a nag, a name/serial and a key are all involved, and as a novice it still cost me some effort ... The process is written out in great detail, more detailed than the others (verbose).
160 x Crackme 001 Acid Burn