160 x Crackme 001 Acid Burn

Source: Internet
Author: User

First, check for a packer with PEiD.

It is Delphi and there is no packer to speak of; once it is loaded in OD (OllyDbg) the language does not matter much.

First of all, running it shows that it has a nag, a key check, and a name/serial check; let's take them one at a time. As for entering random strings into the name and serial fields to see what happens, I will not go into that ...

Load it in OD and step with F8 or SHIFT+F8 to work out what these several calls do.

At the position where the first nag pops up, run past it with F9 and then step into the call.
Keep stepping with F8 to find exactly where the nag pops up. This part is quite a trap: there are a lot of jumps, so be a little patient, and you finally find the position of this MessageBoxA call.

Kill this MessageBoxA call entirely, and the nag is removed cleanly.

The key check is also relatively simple; when only a single string is entered, it is generally hard-coded inside the program.

Restart the program with CTRL+F2, run it with F9, and enter

Do not click OK. Pause the program with F12, then press ALT+K to open the call stack and find the MessageBox call that produced this dialog box.
I do it this way because looking up the module's references with CTRL+N at the beginning turned up quite a few functions, and I cannot tell what each MessageBox function is for. If there were only one MessageBox function, you could go straight to the call with CTRL+N ...

Once it is found, choose Show call and you can see this is a function:
push ebp
mov ebp,esp
This is all too obviously the stack-frame setup.

Set a breakpoint on the push ebp at the head of the function; I'm going to find out where this function that shows the error dialog is called from.

Note that you need to press F9 twice, enter the key again, and click Check it baby!
Find the most recent return address in the stack pane in the lower-right corner:

0019F810   0042F509  返回到 Acid_bur.0042F509 来自 Acid_bur.0042A170

Right-click and choose Follow in Disassembler, go to the call position, and scroll up and down around it (this is a good habit ...)

You can see the key really is hard-coded in the program. 12345 is the key we entered, so Hello dude should be the correct key. Check:

Last is the slightly harder name/serial check. I say only slightly harder because it is not really difficult; even I managed it ...

Again, run with F9 and enter a serial number to find the call to the MessageBox:

Show call, and in the same way set a breakpoint on the push ebp at the head of the function to find the call to this MessageBox function (let's call it that, because it is the function that pops up a dialog box).
Found it. First, it can simply be patched: NOP out the call directly:

After the patch, whatever we enter will succeed. However, this is too crude, so we go and find the name/serial algorithm:

Keep using F7, F8 and F9 and setting breakpoints to analyze the assembly (you do not know how long it took me as a novice).
First of all, we set breakpoints above and below

0042FB32  |.  E8 39A6FFFF   call Acid_bur.0042A170

and then enter name: 12345, serial: 12345, and use these two strings to follow the assembly code and get useful results.


So, try this serial; it should have been generated from my input name: 12345.

It worked.

For name: 54321, I found that only the number string in the middle has changed, while the letters such as CW have not. From the above analysis it can be seen that the correct serial is spliced together: apart from the number string in the middle, the rest of the content is hard-coded.

The code:

0042FA52  |.  E8 D96EFDFF   call Acid_bur.00406930
0042FA57  |.  83F8 04       cmp eax,0x4                        ;  Checks whether the string length is greater than or equal to 4
0042FA5A  |.  7D 1D         jge short Acid_bur.0042FA79
0042FA5C  |.  6A 00         push 0x0
0042FA5E  |.  B9 74FB4200   mov ecx,Acid_bur.0042FB74          ;  ASCII "Try again!"
0042FA63  |.  BA 80FB4200   mov edx,Acid_bur.0042FB80          ;  ASCII "Sorry, the serial is Incorect!"
0042FA68  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042FA6D  |.  8B00          mov eax,dword ptr ds:[eax]         ;  Acid_bur.00424090
0042FA6F  |.  E8 FCA6FFFF   call Acid_bur.0042A170             ;  String length less than 4: call 0042A170, the error dialog box
0042FA74  |.  E9 BE000000   jmp Acid_bur.0042FB37
0042FA79  |>  8D55 F0       lea edx,[local.4]
0042FA7C  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82  |.  E8 D1AFFEFF   call Acid_bur.0041AA58
0042FA87  |.  8B45 F0       mov eax,[local.4]
0042FA8A  |.  0FB600        movzx eax,byte ptr ds:[eax]        ;  Take the first character of the name string
0042FA8D  |.  F72D 50174300 imul dword ptr ds:[0x431750]       ;  Multiply by 0x29 (the value at address 431750)
0042FA93  |.  A3 50174300   mov dword ptr ds:[0x431750],eax
0042FA98  |.  A1 50174300   mov eax,dword ptr ds:[0x431750]
0042FA9D  |.  0105 50174300 add dword ptr ds:[0x431750],eax    ;  Multiply by 2 again and store at 0x431750
0042FAA3  |.  8D45 FC       lea eax,[local.1]
0042FAA6  |.  BA ACFB4200   mov edx,Acid_bur.0042FBAC
0042FAAB  |.  E8 583CFDFF   call Acid_bur.00403708
0042FAB0  |.  8D45 F8       lea eax,[local.2]
0042FAB3  |.  BA B8FB4200   mov edx,Acid_bur.0042FBB8
0042FAB8  |.  E8 4B3CFDFF   call Acid_bur.00403708
0042FABD  |.  FF75 FC       push [local.1]                     ;  Acid_bur.0042FBAC
0042FAC0  |.  68 C8FB4200   push Acid_bur.0042FBC8             ;  UNICODE "-"
0042FAC5  |.  8D55 E8       lea edx,[local.6]
0042FAC8  |.  A1 50174300   mov eax,dword ptr ds:[0x431750]
0042FACD  |.  E8 466CFDFF   call Acid_bur.00406718             ;  This call generates the number string in the middle of the serial
0042FAD2  |.  FF75 E8       push [local.6]                     ;  local.6 is the generated middle number string of the password
0042FAD5  |.  68 C8FB4200   push Acid_bur.0042FBC8             ;  UNICODE "-"
0042FADA  |.  FF75 F8       push [local.2]                     ;  Acid_bur.0042FBB8
0042FADD  |.  8D45 F4       lea eax,[local.3]
0042FAE0  |.  BA 05000000   mov edx,0x5
0042FAE5  |.  E8 C23EFDFF   call Acid_bur.004039AC             ;  String concatenation
0042FAEA  |.  8D55 F0       lea edx,[local.4]
0042FAED  |.  8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042FAF3  |.  E8 60AFFEFF   call Acid_bur.0041AA58             ;  get the Right Password
0042FAF8  |.  8B55 F0       mov edx,[local.4]                  ;  The Input PASSWORD:12345
0042FAFB  |.  8B45 F4       mov eax,[local.3]                  ;  The Right Password
0042FAFE  |.  E8 F93EFDFF   call Acid_bur.004039FC             ;  It's obviously a comparison of the two strings.
0042FB03  |.  75 1A         jnz short Acid_bur.0042FB1F

We do not need to step into each call; think of it as a black box and just understand what it does.
First the length of the string is checked, then the first character is taken and multiplied by the value at address 0x431750 (find 0x431750 in the data area with CTRL+G).

It is then multiplied by 2, which gives the number. The key generation code is:

0042FAC5  |.  8D55 E8       lea edx,[local.6]
0042FAC8  |.  A1 50174300   mov eax,dword ptr ds:[0x431750]
0042FACD  |.  E8 466CFDFF   call Acid_bur.00406718             ;  This call generates the number string in the middle of the serial
0042FAD2  |.  FF75 E8       push [local.6]                     ;  local.6 is the generated middle number string of the password

Let's set a breakpoint there too:
Here the real trap came. I stepped in and found a lot of jumps. I only know that every character is operated on, but there were too many jumps and I did not understand how it is implemented (I'm that bad ...). I was sure this is where the string is generated, though, so I treated it as a black box.

After entering name: 12345, the operations on the memory at 0x431750 give 0x0FB2, and the resulting number string is: 4018

So I tried it with a computer:

Well, I guessed it:

It converts the hexadecimal value into a decimal number string; that is all this call does ...

OK, so the algorithm is: a number string is first generated from the input name as described above, and it is then spliced together with the other letters and symbols to produce the final serial. That is how the name/serial algorithm computes its result ...
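The check as traced above, written out as a small C model (an added example, not code from the original post; the function names are made up here, and the "CW"/"CRACKED" pieces are the hard-coded parts observed in the serial). It makes the weakness of the scheme visible: only the first byte of the name feeds the serial, so any two names with the same first character share one serial.

```c
#include <stdio.h>
#include <string.h>

/* Middle number of the serial: first byte of the name times 0x29, then
   doubled. The black-box call at 00406718 only prints it as decimal. */
static unsigned middle_value(const char *name)
{
    unsigned v = (unsigned char)name[0];   /* movzx eax,byte ptr ds:[eax] */
    v *= 0x29;                             /* imul by the value at 0x431750 */
    v += v;                                /* add dword ptr ds:[0x431750],eax */
    return v;
}

/* Writes the serial the program expects for `name` into `out`.
   Returns 0 when the name is shorter than 4 characters (the cmp eax,0x4
   / jge check), 1 otherwise. */
int expected_serial(const char *name, char *out, size_t outlen)
{
    if (strlen(name) < 4)
        return 0;
    snprintf(out, outlen, "CW-%u-CRACKED", middle_value(name));
    return 1;
}

/* Returns 1 if the traced check would accept (name, serial), else 0. */
int check(const char *name, const char *serial)
{
    char want[32];
    if (!expected_serial(name, want, sizeof want))
        return 0;
    return strcmp(want, serial) == 0;      /* the final string comparison */
}

int main(void)
{
    char s[32];
    if (expected_serial("12345", s, sizeof s))
        printf("12345 -> %s\n", s);
    /* Constructed inputs: same first character, different names. */
    printf("1zzz accepts the same serial: %d\n", check("1zzz", s));
    printf("54321 accepts it: %d\n", check("54321", s));
    return 0;
}
```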

Now the keygen can be written:

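#include <iostream>
#include <cstdio>
#include <cstring>
#define N 10000
using namespace std;

int main()
{
    char buffer[N];
    short int c;
    cout << "please input name:\n";
    // gets() has been removed from the standard; getline bounds the read to the buffer
    cin.getline(buffer, N);
    if (strlen(buffer) < 4)  // the name must be at least 4 characters long
    {
        cout << "Error!" << endl;
    }
    else
    {
        c = (unsigned char)buffer[0];  // first character, zero-extended like movzx
        c = c * 0x29;
        c = c * 2;
        cout << "serial:" << endl;
        printf("Serial: CW-%4d-CRACKED\r\n", c);
    }
    return 0;
}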

To tell the truth, this one is not difficult, but the nag, the name/serial and the key are all involved, and as a novice it still took me some effort ... The process is written up in great detail, more detail than the others (verbose).
