Making up for CCDebuger's regret

Most of my friends have read the OllyDBG getting-started series written by the master CCDebuger. From Chapter 1 to Chapter 7, it is a classic, and of course his articles have helped me a lot as well. When I read the article "OllyDBG getting-started series (V): message breakpoints and RUN trace" (address: http://bbs.pediy.com/showthread.php?t=21532), I noticed that CCDebuger left the following sentence at the end: "This crackme is only complicated in the algorithm tracing part. I will not write out the specific algorithm; there is not that much detailed tracing." Perhaps the master was too busy, so I wanted to analyze this CrackMe's algorithm in my free time and make up for the regret he left behind.
An hour later I found that this algorithm is indeed difficult, and I did not have enough time to write a perfect keygen for it (or perhaps I lack the ability). However, I found a small BUG, so writing a keygen is no longer a problem. Next I will share my ideas with you.
CCDebuger has already explained the earlier steps very clearly; if you have any questions, read his article. We open the RUN trace directly, with the option "entry to all function procedures" enabled, go back to the program and press the "Check" button. Then open the RUN trace log in OllyDBG to find the key location and set a breakpoint there. The program breaks here:

004010E2 |. 8BFE mov edi, ESI
; The user name is sent to EDI
004010E4 |. 03F8 add edi, EAX
004010E6 |. FC CLD
004010E7 |. F3: A4 rep movs byte ptr es: [EDI], byte ptr ds: [ESI]
004010E9 |. 33C9 xor ecx, ECX
; Clear ECX to 0; it is the loop counter
004010EB |. BE 71214000 mov esi, cycle.00402171
; The registration code is sent to ESI
004010F0 |> 41 /INC ECX
004010F1 |. AC | lods byte ptr ds: [ESI]
; Take each character of the registration code
004010F2 |. 0AC0 | or al, AL
004010F4 |. 74 0A | je short cycle.00401100
004010F6 |. 3C 7E | cmp al, 7E
; Leave the loop if the character is greater than 7Eh (not a printable ASCII character)
004010F8 |. 7F 06 | jg short cycle.00401100
004010FA |. 3C 30 | cmp al, 30
; Leave the loop if the character is less than 30h
004010FC |. 72 02 | jb short cycle.00401100
004010FE |. ^ EB F0 jmp short cycle.004010F0
00401100 |> 83F9 11 cmp ecx, 11
; Compare the number of registration-code characters: it must be 11h = 17. But the program also counted the terminating 0x00, so the registration code actually only needs to be 16 characters long.

At this point the program has mainly enforced the limits mentioned above and processed the user name: it extends the name to 16 characters by repeating it. For example, if I enter kyo327, the extended name is kyo327kyo327kyo3. Next, press F8 to step to the following code.

00401105 |. E8 E7000000 CALL cycle.004011F1
; Algorithm CALL
0040110A |. B9 01FF0000 mov ecx, 0FF01
0040110F |. 51 PUSH ECX
00401110 |. E8 7B000000 CALL cycle.00401190
; Algorithm CALL. If ECX is not equal to 1 afterwards, the check fails and jumps
00401115 |. 83F9 01 cmp ecx, 1
00401118 |. 74 06 je short cycle.00401120
0040111A |> E8 47000000 CALL cycle.00401166
0040111F |> C3 RET
00401120 |> A1 68214000 mov eax, dword ptr ds: [402168]
; Take characters 9 to 12 of the user name = user[9-12]
00401125 |. 8B1D 6C214000 mov ebx, dword ptr ds: [40216C]
; Take characters 13 to 16 of the user name = user[13-16]
0040112B |. 33C3 xor eax, EBX
; user[9-12] xor user[13-16]
0040112D |. 3305 82214000 xor eax, dword ptr ds: [402182]
00401133 |. 0D 40404040 or eax, 40404040
00401138 |. 25 77777777 and eax, 77777777
0040113D |. 3305 79214000 xor eax, dword ptr ds: [402179]
; EAX xor characters 9 to 12 of the registration code
00401143 |. 3305 7D214000 xor eax, dword ptr ds: [40217D]
; EAX xor characters 13 to 16 of the registration code; after this XOR, only EAX = 0 avoids the jump to failure and reaches success
00401149 |. ^ 75 CF jnz short cycle.0040111A
0040114B |. E8 2B000000 CALL cycle.0040117B
00401150 |. C3 RET

Now, from the code above, the conditions for successful registration can be written down:
1) (user[9-12] xor user[13-16]) xor ds:[00402182] = X1
2) (((X1 or 40404040) and 77777777) xor sn[9-12]) xor sn[13-16] = Y1
Registration succeeds only when Y1 = 0. However, there are still many unknowns: ds:[00402182] is unknown, and sn[9-12] and sn[13-16] are unknown too. Suppose ds:[00402182] is known and call it P1; then it is enough to satisfy the equation (X1 or 40404040) and 77777777 = sn[9-12] xor sn[13-16]. So the first task is to find out where ds:[00402182] comes from.
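To make the three pieces of the check concrete (the 16-character name extension, the character-range loop at 004010F0, and the Y1 condition of the 00401120 block), here is a small Python model I added; it is not the author's code. The function names and the treatment of ds:[00402182] as a parameter p1 are my assumptions, and the sample values are constructed.

```python
import struct

# Constants taken from the listing: the range test at 004010F6/004010FA and
# the masks applied at 00401133/00401138.
SN_MIN, SN_MAX = 0x30, 0x7E
OR_MASK, AND_MASK = 0x40404040, 0x77777777


def extend_name(name: str, length: int = 16) -> bytes:
    """Repeat the user name until it fills 16 characters (the rep movs copy
    at 004010E7): 'kyo327' -> 'kyo327kyo327kyo3'."""
    raw = name.encode("ascii")
    if not raw:
        raise ValueError("empty user name")
    return (raw * (length // len(raw) + 1))[:length]


def sn_format_ok(sn: bytes) -> bool:
    """Mirror the loop at 004010F0..00401100: count characters until a NUL,
    a byte above 7Eh or a byte below 30h, then require ECX == 11h. The
    terminating NUL is counted, so exactly 16 printable characters pass."""
    ecx = 0
    for al in sn + b"\x00":
        ecx += 1
        if al == 0 or al > SN_MAX or al < SN_MIN:
            break
    return ecx == 0x11


def dword(buf: bytes, pos: int) -> int:
    """Little-endian dword at 1-based position pos: dword(u, 9) is user[9-12]."""
    return struct.unpack_from("<I", buf, pos - 1)[0]


def final_check(user: str, sn: bytes, p1: int) -> int:
    """Compute Y1 exactly as the 00401120 block does; success requires Y1 == 0.
    p1 stands for the dword at ds:[00402182] at that moment (assumed known)."""
    u = extend_name(user)
    x1 = (dword(u, 9) ^ dword(u, 13)) ^ p1
    return ((x1 | OR_MASK) & AND_MASK) ^ dword(sn, 9) ^ dword(sn, 13)


def tail_for(user: str, sn_first12: bytes, p1: int) -> bytes:
    """Solve the text's equation for sn[13-16] given sn[1-12] and p1. The
    result is only a usable code if every byte lands in 30h..7Eh, which the
    equation alone does not guarantee (this is part of the difficulty)."""
    u = extend_name(user)
    x1 = (dword(u, 9) ^ dword(u, 13)) ^ p1
    return struct.pack("<I", ((x1 | OR_MASK) & AND_MASK) ^ dword(sn_first12, 9))
```

With the constructed input user "kyo327", sn head "0123456789AB" and p1 = FEDCBA98 (the initial value stored at 402182, before call 00401190 changes it), the computed tail contains a 0x00 byte, so final_check returns 0 but sn_format_ok rejects it.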
Scroll up through the code and find the instruction that stores to 402182: "mov dword ptr ds: [], fedcba98". It seems a value is assigned first. Enter "dd 00402182" in the Command box and you can see the HEX data fedcba98, which is the value the program has just stored. Then press F8 to see where the value changes. After stepping to 00401115, I found that fedcba98 had changed, because execution passed through "call 00401190". So it seems I have to press F7 into "call 00401190" to find the answer. Inside the CALL there are two parameters: eax and ebx are each assigned a register value and then take part in the operation. Where these two values come from is also puzzling. Looking further, it becomes clear that the important algorithm is in "CALL 004011F1": only after this CALL do eax and ebx hold those two puzzling values. Now I have to go back to the beginning: at 00401105, press F7 to enter and have a look.

004011F1/$ A1 60214000 mov eax, dword ptr ds: [402160]
; Take the first 4 digits of the user name = user [1-4]
004011F6 |. 8B1D 64214000 mov ebx, dword ptr ds: [402164]
; Take the username 5th to 8th characters
004011FC |. 3305 71214000 xor eax, dword ptr ds: [402171]
; User [1-4] xor sn [1-4] = k1
00401202 |. 331D 75214000 xor ebx, dword ptr ds: [402175]
; User [5-8] xor sn [5-8] = k2
00401208 |. 25 0F1F3F7F and eax, 7F3F1F0F
; K1 and 7f3f1f0f = p1
0040120D |. 81E3 00010307 and ebx, 7030100
; K2 and 7030100 = p2
00401213 |. 33C9 xor ecx, ECX
; Use ECX for Loop
00401215 |> 8BF0/mov esi, EAX
00401217 |. 8BFB | mov edi, EBX
00401219 |. D3E6 | shl esi, CL
0040121B |. D3E7 | shl edi, CL
0040121D |. 81E6 80808080 | and esi, 80808080
00401223 |. 81E7 80808080 | and edi, 80808080
00401229 |. 8BD6 | mov edx, ESI
0040122B |. C0EE 07 | shr dh, 7
0040122E |. 66: C1E2 07 | shl dx, 7
00401232 |. C1EA 08 | shr edx, 8
00401235 |. C0EE 07 | shr dh, 7
00401238 |. 66: C1E2 07 | shl dx, 7
0040123C |. C1EA 08 | shr edx, 8
0040123F |. C0EE 07 | shr dh, 7
00401242 |. 66: D1EA | shr dx, 1
00401245 |. 8BF2 | mov esi, EDX
00401247 |. 8BD7 | mov edx, EDI
00401249 |. C0EE 07 | shr dh, 7
0040124C |. 66: C1E2 07 | shl dx, 7
00401250 |. C1EA 08 | shr edx, 8
00401253 |. C0EE 07 | shr dh, 7
00401256 |. 66: C1E2 07 | shl dx, 7
0040125A |. C1EA 08 | shr edx, 8
0040125D |. C0EE 07 | shr dh, 7
00401260 |. 66: C1EA 05 | shr dx, 5
00401264 |. 8BFA | mov edi, EDX
00401266 |. 33FE | xor edi, ESI
00401268 |. 8BD7 | mov edx, EDI
0040126A |. 81E2 FF000000 | and edx, 0FF
; All of the above is the operation in which p1 and p2 take part
00401270 |. 51 | PUSH ECX
00401271 |. 52 | PUSH EDX
00401272 |. BA 08000000 | mov edx, 8
00401277 |. 91 | xchg eax, ECX
00401278 |. 83F8 03 | cmp eax, 3
0040127B |. 7F 0F | jg short cycle.0040128C
0040127D |. F6E2 | MUL DL
0040127F |. 5A | POP EDX
00401280 |. 83C0 08 | add eax, 8
00401283 |. 91 | xchg eax, ECX
00401284 |. D3C0 | rol eax, CL
00401286 |. 33C2 | xor eax, EDX
00401288 |. D3C8 | ror eax, CL
0040128A |. EB 0D | jmp short cycle.00401299
0040128C |> 83E8 03 | sub eax, 3
0040128F |. F6E2 | MUL DL
00401291 |. 5A | POP EDX
00401292 |. 91 | xchg eax, ECX
00401293 |. D3C3 | rol ebx, CL
00401295 |. 33DA | xor ebx, EDX
00401297 |. D3CB | ror ebx, CL
00401299 |> 59 | POP ECX
0040129A |. 41 | INC ECX
0040129B |. 83
