160 x Crackme 077 FIREWORK2

Source: Internet
Author: User

First, check the program for a packer with PEiD:

It is a Delphi program.

Test with a fake serial:

An error dialog pops up, so load the program in OD (OllyDbg) and search for the text string:

You can see that the strings in OD are garbled. Sure enough, OD is not well suited to Delphi programs.

I recommend DeDe, an extremely powerful Delphi disassembly tool.
The idea is to open the program in DeDe, find its key points, and then debug it dynamically in OD to crack it.
Open the program with DeDe and click Process:
About the use of Dede
Find a key location:

Button1Click corresponds to the user clicking the OK button. After double-clicking it we can see the code in DeDe:

It is hard to work out the serial number algorithm just by reading the code, so let's move to OD. First find the entry address of the function:

004416EC   55                     push    ebp

In OD, press Ctrl+G to jump there:

Press F2 at the function head to set a breakpoint, press F9 to run, and enter the fake serial.

Step with F8 to analyze the code, treating each call instruction as a black box. The approximate flow of the program is as follows:

00441706  |.  8D55 FC         lea edx,[local.1]
00441709  |.  8B83 C8020000   mov eax,dword ptr ds:[ebx+0x2C8]
0044170F  |.  E8 901AFEFF     call fireworx.004231A4          ;  Calculates the length of the serial
00441714  |.  8B45 FC         mov eax,[local.1]
00441717  |.  50              push eax
00441718  |.  8D55 F4         lea edx,[local.3]
0044171B  |.  8B83 C4020000   mov eax,dword ptr ds:[ebx+0x2C4]
00441721  |.  E8 7E1AFEFF     call fireworx.004231A4          ;  Calculates the length of the name string
00441726  |.  FF75 F4         push [local.3]
00441729  |.  8D55 F0         lea edx,[local.4]
0044172C  |.  8B83 C4020000   mov eax,dword ptr ds:[ebx+0x2C4]
00441732  |.  E8 6D1AFEFF     call fireworx.004231A4
00441737  |.  FF75 F0         push [local.4]
0044173A  |.  68 BC174400     push fireworx.004417BC          ;  ASCII 36,"25"
0044173F  |.  68 C8174400     push fireworx.004417C8          ;  UNICODE "g"
00441744  |.  68 D4174400     push fireworx.004417D4          ;  UNICODE "祝"
00441749  |.  8D45 F8         lea eax,[local.2]
0044174C  |.  BA 05000000     mov edx,0x5
00441751  |.  E8 9E23FCFF     call fireworx.00403AF4          ;  Serial number generation algorithm
00441756  |.  8B55 F8         mov edx,[local.2]               ;  The correct string produced by the serial algorithm
00441759  |.  58              pop eax                         ;  The user input string
0044175A  |.  E8 E523FCFF     call fireworx.00403B44          ;  String comparison
0044175F  |.  75 17           jnz short fireworx.00441778     ;  A return value of 0 means the match succeeded; nonzero means it failed
OD's recognition of this part of the stack is a bit messy, so we follow the addresses in the data window to get the values:
0044173A  |.  68 BC174400   push fireworx.004417BC                   ;  ASCII 36,"25"  625
0044173F  |.  68 C8174400   push fireworx.004417C8                   ;  UNICODE "g"   g
00441744  |.  68 D4174400   push fireworx.004417D4                   ;  UNICODE "祝"  72

We then enter the serial number generation algorithm:

00403AF7   .  50              push eax
00403AF8   .  89D3            mov ebx,edx
00403AFA   .  31C0            xor eax,eax                         ;  Loop variable edx=5, enter the loop
00403AFC   >  8B4C94 10       mov ecx,dword ptr ss:[esp+edx*4+0x10]
00403B00   .  85C9            test ecx,ecx                        ;  fireworx.0041E530
00403B02   .  74 03           je short fireworx.00403B07
00403B04   .  0341 FC         add eax,dword ptr ds:[ecx-0x4]
00403B07   >  4A              dec edx                             ;  edx--
00403B08   .^ 75 F2           jnz short fireworx.00403AFC
00403B0A   .  E8 69FDFFFF     call fireworx.00403878
00403B0F   .  50              push eax
00403B10   .  89C6            mov esi,eax
00403B12   >  8B449C 14       mov eax,dword ptr ss:[esp+ebx*4+0x14]
00403B16   .  89F2            mov edx,esi                         ;  Loop variable ebx=5, enter the loop
00403B18   .  85C0            test eax,eax
00403B1A   .  74 0A           je short fireworx.00403B26
00403B1C   .  8B48 FC         mov ecx,dword ptr ds:[eax-0x4]
00403B1F   .  01CE            add esi,ecx                         ;  fireworx.0041E530
00403B21   .  E8 86ECFFFF     call fireworx.004027AC              ;  String concatenation function
00403B26   >  4B              dec ebx                             ;  ebx--
00403B27   .^ 75 E9           jnz short fireworx.00403B12
00403B29   .  5A              pop edx                             ;  The serial number has been generated
00403B2A   .  58              pop eax                             ;  0018F4A4
00403B2B   .  85D2            test edx,edx
00403B2D   .  74 03           je short fireworx.00403B32          ;  Tidy up the data on the stack

To tell you the truth, I was a bit lost when I saw this. After testing a few sets of fake serials I found the pattern, and after that the code was relatively simple to analyze. It shows the importance of assembly fundamentals.
The algorithm is name*2+625g72. It is just string concatenation, only not wrapped up in a single function, so it looks scarier than it is.

Write the keygen:

# Python 3
name = input("Please input your name: ")
serial = name + name + '625g72'  # name twice, then the constant suffix
print(serial)
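
The routine at 00403AF4, modelled in C as an added example (not code from the original write-up or from the crackme). It assumes the Delphi long-string layout, with a 32-bit length stored just before the characters, and that call 00403878 allocates the result; ds_new, ds_free, ds_len, concat_n and expected_serial are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a Delphi long string: the pointer refers to the characters and a
   32-bit length sits just before them, which is what [ecx-0x4] reads. */
static char *ds_new(const char *s, uint32_t len) {
    if (len == 0) return NULL;               /* empty string == nil pointer */
    char *raw = malloc(4 + (size_t)len + 1);
    if (!raw) return NULL;
    memcpy(raw, &len, 4);
    if (s) memcpy(raw + 4, s, len);
    raw[4 + len] = '\0';
    return raw + 4;
}
static void ds_free(char *p) { if (p) free(p - 4); }
static uint32_t ds_len(const char *p) {
    uint32_t n = 0;
    if (p) memcpy(&n, p - 4, 4);             /* add eax,dword ptr ds:[ecx-0x4] */
    return n;
}
/* Two passes over the pushed strings, in push order, skipping nil ones. */
static char *concat_n(char *args[], int n) {
    uint32_t total = 0;
    for (int i = 0; i < n; i++) total += ds_len(args[i]);   /* loop at 00403AFC */
    char *out = ds_new(NULL, total);         /* assumed role of call 00403878 */
    char *dst = out;
    for (int i = 0; out && i < n; i++) {     /* loop at 00403B12 */
        uint32_t len = ds_len(args[i]);
        if (len) { memcpy(dst, args[i], len); dst += len; } /* call 004027AC */
    }
    return out;
}
/* The five strings Button1Click pushes: name, name, "625", "g", "72". */
char *expected_serial(const char *name) {
    char *p[5] = { ds_new(name, (uint32_t)strlen(name)), NULL,
                   ds_new("625", 3), ds_new("g", 1), ds_new("72", 2) };
    p[1] = p[0];                             /* the name is pushed twice */
    char *out = concat_n(p, 5);
    ds_free(p[0]); ds_free(p[2]); ds_free(p[3]); ds_free(p[4]);
    return out;
}

int main(void) {
    char *s = expected_serial("abc");        /* constructed sample name */
    printf("%s\n", s ? s : "");
    ds_free(s);
    return 0;
}
```

In this model the nil check (test ecx,ecx / je) is why an empty piece contributes nothing to either pass.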

