[Disassembly exercise] 036 of 160 crackme

Source: Internet
Author: User


The purpose of this series of articles is to work through all 160 crackmes step by step from the perspective of a novice with no experience (in fact, that novice is me), and to write something resembling a keygen (registration machine) for each one by whatever means possible.

Each article is organized according to the following logic (solving the following problems in turn):

1. Environment and tools used

2. Program Analysis

3. Train of Thought Analysis and Cracking Process

4. Exploration of registration Machine

----------------------------------

A reminder to readers: if you cannot understand the logic in the article, you must not have tried it yourself! The jump hints in OD are very powerful; as long as you follow them, you can understand it without even reading the code!

----------------------------------

1. Tools and environment:

WinXP SP3 + the 52pojie 6th anniversary edition of OD (OllyDbg) + PEiD + Assembly Gold Finger (an assembly instruction reference).

The 160 crackme files package: Http://pan.baidu.com/s/1xUWOY (password: jbnq)

Note:

1. Windows 7 enables address randomization (ASLR) for modules and programs, which adds a great burden to analysis, so we do not recommend analysing on Win7.

2. All of the above tools are the original programs from the 52pojie forum. NOD32 reports no viruses, and I personally promise not to do anything involving Trojans or viruses.

2. Program analysis:

To crack a program you must first understand it. Therefore the analysis of the original program is a very important part of the cracking process: it helps us understand the author's purpose and intent, especially the details of the registration code, which makes reverse tracing and derivation easier.

For this example, open the CHM, select 35 cupofcoffe.2.exe, save it, and run the program. The program interface is as follows:

 

PEiD: Microsoft Visual Basic 5.0/6.0

 

3. Train of Thought Analysis and Cracking Process

The previous one used a string search; here, once the message box is displayed, pause the program and press Ctrl+K. You can also look at the stack.

The specific steps are omitted! The author of this program ....

I don't know how this program was produced; VB decompilation tools and SmartCheck cannot track it. Fortunately our OD has a driver, and ordinary anti-debugging can be ignored! Haha!

(PS: the decompiler's Pro version 9.2 and above can all handle it. The decompiled code is included at the end.)

0052167E   .  FF15 D4405200 call dword ptr ds:[<&MSVBVM50.__vbaHresu>;  msvbvm50.__vbaHresultCheckObj
00521684   >  8B4D E8       mov ecx,dword ptr ss:[ebp-0x18]
00521687   .  51            push ecx
00521688   .  68 60054500   push 00450560                            ;  UNICODE ".........."
0052168D   .  FF15 F8405200 call dword ptr ds:[<&MSVBVM50.__vbaStrCm>;  msvbvm50.__vbaStrCmp
00521693   .  8BF0          mov esi,eax
00521695   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
00521698   .  F7DE          neg esi
0052169A   .  1BF6          sbb esi,esi
0052169C   .  F7DE          neg esi
0052169E   .  F7DE          neg esi
005216A0   .  FF15 4C415200 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;  msvbvm50.__vbaFreeStr
005216A6   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
005216A9   .  FF15 50415200 call dword ptr ds:[<&MSVBVM50.__vbaFreeO>;  msvbvm50.__vbaFreeObj
005216AF   .  66:3BF7       cmp si,di
005216B2   .  74 6E         je short 00521722
005216B4   .  B9 04000280   mov ecx,0x80020004
005216B9   .  B8 0A000000   mov eax,0xA
005216BE   .  894D AC       mov dword ptr ss:[ebp-0x54],ecx
005216C1   .  894D BC       mov dword ptr ss:[ebp-0x44],ecx
005216C4   .  894D CC       mov dword ptr ss:[ebp-0x34],ecx
005216C7   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
005216CA   .  8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
005216CD   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
005216D0   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
005216D3   .  8945 C4       mov dword ptr ss:[ebp-0x3C],eax
005216D6   .  C745 9C 7C054>mov dword ptr ss:[ebp-0x64],0045057C     ;  UNICODE "Incorrect password"
005216DD   .  C745 94 08000>mov dword ptr ss:[ebp-0x6C],0x8
005216E4   .  FF15 38415200 call dword ptr ds:[<&MSVBVM50.__vbaVarDu>;  msvbvm50.__vbaVarDup
005216EA   .  8D55 A4       lea edx,dword ptr ss:[ebp-0x5C]
005216ED   .  8D45 B4       lea eax,dword ptr ss:[ebp-0x4C]
005216F0   .  52            push edx
005216F1   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
005216F4   .  50            push eax
005216F5   .  51            push ecx
005216F6   .  8D55 D4       lea edx,dword ptr ss:[ebp-0x2C]
005216F9   .  6A 10         push 0x10
005216FB   .  52            push edx
005216FC   .  FF15 E0405200 call dword ptr ds:[<&MSVBVM50.#595>]     ;  msvbvm50.rtcMsgBox

Apart from the interface, this is exactly the same as the first one. Cracking it and the rest ends here: 10 points!
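As an added illustration (not code from the original post), the following Python parses a few of the OllyDbg listing lines above and emulates the neg/sbb/neg/neg idiom that turns the __vbaStrCmp result into the VB Boolean tested by the je at 005216B2. It assumes edi holds 0 at the cmp si,di, which the excerpt does not show.

```python
import re

# Constructed sample: the compare-and-branch lines copied from the OllyDbg
# listing above (the password literal is elided as dots on the page).
LISTING = """\
00521688   .  68 60054500   push 00450560                            ;  UNICODE ".........."
0052168D   .  FF15 F8405200 call dword ptr ds:[<&MSVBVM50.__vbaStrCm>;  msvbvm50.__vbaStrCmp
00521693   .  8BF0          mov esi,eax
00521698   .  F7DE          neg esi
0052169A   .  1BF6          sbb esi,esi
0052169C   .  F7DE          neg esi
0052169E   .  F7DE          neg esi
005216AF   .  66:3BF7       cmp si,di
005216B2   .  74 6E         je short 00521722
005216D6   .  C745 9C 7C054>mov dword ptr ss:[ebp-0x64],0045057C     ;  UNICODE "Incorrect password"
"""

MASK = 0xFFFFFFFF

def parse_listing(text):
    """OllyDbg pads address/marker/opcode bytes to 28 columns; the disassembly follows, then an optional ';' comment."""
    insns = []
    for line in text.splitlines():
        if len(line) < 29 or not line[:8].isalnum():
            continue
        disasm, _, comment = line[28:].partition(";")
        insns.append((int(line[:8], 16), disasm.strip(), comment.strip()))
    return insns

def string_refs(insns):
    """Every UNICODE literal OllyDbg resolved: the compare operand and the message text."""
    return [(addr, m.group(1)) for addr, _, c in insns
            if (m := re.fullmatch(r'UNICODE "(.*)"', c))]

def vb_bool_from_strcmp(eax):
    """Emulate 00521698..0052169E (neg esi / sbb esi,esi / neg esi / neg esi).
    __vbaStrCmp returns 0 for equal strings; 0 -> 0 (False), anything else -> 0xFFFFFFFF (VB True)."""
    esi = eax & MASK
    cf = int(esi != 0)              # neg sets CF iff the operand was non-zero
    esi = (-esi) & MASK
    esi = (esi - esi - cf) & MASK   # sbb esi,esi leaves 0 or 0xFFFFFFFF
    esi = (-esi) & MASK             # -1 -> 1 -> -1; 0 stays 0
    esi = (-esi) & MASK
    return esi

def je_taken(esi, edi=0):
    """005216AF cmp si,di / 005216B2 je short 00521722: the success path (Form2.Show) needs equal low 16 bits.
    Assumption: edi is 0 here, as VB6 handlers normally zero it on entry."""
    return (esi & 0xFFFF) == (edi & 0xFFFF)
```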

 

4. Exploration of registration Machine

10 points, same as the previous one.

 

Appendix: VB decompiled code (Pro version 9.2). Labels that the source rendered unreadably are shown as loc_????????:

Private Sub cmdok_Click() '5215F0
loc_00521622: var_8 = &H401000
loc_00521630: Call Me.AddRef 'ignore this (EDI, Me, ESI)
loc_0052164E: Call Form1.txtpassword 'ignore this (Me)
loc_005216B2: If (CheckObj(Form1.txtpassword, 4523340, 160) = "..........") = 0 Then GoTo loc_00521722
loc_005216BE: var_54 = &H80020004
loc_005216C1: var_44 = &H80020004
loc_????????: var_34 = &H80020004
loc_005216CD: var_5C = 10
loc_????????: var_4C = 10
loc_????????: var_3C = 10
loc_????????: var_64 = "Incorrect password"
loc_005216DD: var_6C = 8
loc_????????: MsgBox "Incorrect password", 16
loc_????????: Call UNDEF 'ignore this '__vbaFreeVarList(var_5C)
loc_0052171D: GoTo loc_????????
loc_????????: var_6C = 2
loc_????????: var_64 = 1
loc_0052178B: Form2.Show %X1, %X2
loc_????????: GoTo loc_????????
loc_????????: Call UNDEF 'ignore this '__vbaFreeVarList(var_5C)
loc_005217E0: Exit Sub
loc_005217E1: Exit Sub
loc_005217E8: Call Me.Release 'ignore this
End Sub

 

By stupid d Happy
