Most of you have probably read CCDebuger's "OllyDBG Getting Started" series. Chapters 1 through 7 are classics, and his articles helped me a great deal too. At the end of "OllyDBG Getting Started Series (V): Message Breakpoints and RUN Trace" (http://bbs.pediy.com/showthread.php?t=21532), CCDebuger wrote: "This crackme is only complicated when it comes to tracing the algorithm. I will not write up the specific algorithm, as I don't have the time to trace it in that much detail." Perhaps he was simply too busy, so I decided to analyze this CrackMe's algorithm in my spare time and fill in what he left out. After an hour I found that the algorithm really is difficult, and I had neither the time (nor perhaps the ability) to write a complete keygen (registration-code generator) for it. However, I found a small bug, which makes writing a keygen much easier. Below I share my approach. CCDebuger already explained the earlier steps very clearly; if you have questions, read his article. We open RUN trace directly with "trace into all function calls" enabled, return to the program and click its "Check" button, then open the RUN trace log in OllyDBG to find the key location and set a breakpoint there. The program breaks here:
004010E2 |. 8BFE           mov edi, esi                      ; user name is sent to EDI
004010E4 |. 03F8           add edi, eax
004010E6 |. FC             cld
004010E7 |. F3:A4          rep movs byte ptr es:[edi], byte ptr ds:[esi]
004010E9 |. 33C9           xor ecx, ecx                      ; clear to 0, used as the loop counter
004010EB |. BE 71214000    mov esi, cycle.00402171           ; registration code is sent to ESI
004010F0 |> 41             /inc ecx
004010F1 |. AC             |lods byte ptr ds:[esi]           ; take each character of the registration code
004010F2 |. 0AC0           |or al, al
004010F4 |. 74 0A          |je short cycle.00401100
004010F6 |. 3C 7E          |cmp al, 7E                       ; is the character above 7E (non-printable ASCII)?
004010F8 |. 7F 06          |jg short cycle.00401100
004010FA |. 3C 30          |cmp al, 30                       ; is the character below 30h?
004010FC |. 72 02          |jb short cycle.00401100
004010FE |.^ EB F0         \jmp short cycle.004010F0
00401100 |> 83F9 11        cmp ecx, 11                       ; compare the counted length, which must be 11h = 17; the program counts the terminating 00, so the registration code itself is 16 characters
Up to this point the program only enforces the restrictions above and prepares the user name: it extends the name to 16 bytes by repeating it. For example, if I enter kyo327, the extended name is kyo327kyo327kyo3. Next, press F8 to step to the following code.
00401105 |. E8 E7000000    call cycle.004011F1               ; algorithm CALL
0040110A |. B9 01FF0000    mov ecx, 0FF01
0040110F |. 51             push ecx
00401110 |. E8 7B000000    call cycle.00401190               ; algorithm CALL; if ECX is not 1 afterwards, the jump to failure is taken
00401115 |. 83F9 01        cmp ecx, 1
00401118 |. 74 06          je short cycle.00401120
0040111A |> E8 47000000    call cycle.00401166
0040111F |> C3             ret
00401120 |> A1 68214000    mov eax, dword ptr ds:[402168]    ; user name characters 9-12 = user[9-12]
00401125 |. 8B1D 6C214000  mov ebx, dword ptr ds:[40216C]    ; user name characters 13-16 = user[13-16]
0040112B |. 33C3           xor eax, ebx                      ; user[9-12] xor user[13-16]
0040112D |. 3305 82214000  xor eax, dword ptr ds:[402182]
00401133 |. 0D 40404040    or eax, 40404040
00401138 |. 25 77777777    and eax, 77777777
0040113D |. 3305 79214000  xor eax, dword ptr ds:[402179]    ; eax xor registration code characters 9-12
00401143 |. 3305 7D214000  xor eax, dword ptr ds:[40217D]    ; eax xor registration code characters 13-16; only EAX = 0 after this XOR reaches success
00401149 |.^ 75 CF         jnz short cycle.0040111A
0040114B |. E8 2B000000    call cycle.0040117B
00401150 |. C3             ret
The code above gives the conditions for successful registration:
1) (user[9-12] xor user[13-16]) xor ds:[00402182] = X1
2) (((X1 or 40404040) and 77777777) xor sn[9-12]) xor sn[13-16] = Y1
Registration succeeds only when Y1 = 0. There are still many unknowns, though: ds:[00402182] is unknown, and so are sn[9-12] and sn[13-16]. Suppose for now that ds:[00402182] is known and call it P1; then it is enough that ((X1 or 40404040) and 77777777) = sn[9-12] xor sn[13-16] holds. So the pressing task is to find where ds:[00402182] comes from. Scrolling up through the code, we find an instruction that stores a value into it, "mov dword ptr ds:[402182], fedcba98", so it is assigned a value first. Entering "dd 00402182" in the Command box shows the hex data fedcba98, the value the program just stored. Then press F8 step by step and watch for the value to change. On reaching 00401115 I found that fedcba98 had changed, because execution had passed through "call 00401190". So we have to F7 into "call 00401190" to find the answer. Inside that CALL, two parameters appear: EAX and EBX are each loaded into a register value and then take part in the computation, and where these two values come from is just as baffling. Looking further, it becomes clear that "call 004011F1" is an important algorithm CALL, because it is only after this CALL that EAX and EBX hold those two inexplicable values. So I started again from the beginning, and at 00401105 pressed F7 to step in and have a look.
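The checks described so far, modelled in Python as an added example (not code from the original post or the crackme): the name expansion, the 30h..7Eh format loop, and the final XOR/OR/AND test. ds:[402182] (P1) is passed in as an assumed parameter, since the post has not yet shown how call 00401190 changes it from fedcba98, and the sample name and serial are constructed.

```python
# Added example, not code from the original post: a model of the checks the post has shown so
# far. ds:[402182] (P1 in the text) is taken as a parameter, because the post has not yet shown
# how call 00401190 changes it from its initial value FEDCBA98.
LO, HI = 0x30, 0x7E          # byte range enforced by the loop at 004010F0


def expand_name(name: str) -> bytes:
    """Extend the user name to 16 bytes by repeating it (kyo327 -> kyo327kyo327kyo3)."""
    raw = name.encode("ascii")
    if not raw:
        raise ValueError("empty user name")
    return (raw * (16 // len(raw) + 1))[:16]


def serial_format_ok(sn: bytes) -> bool:
    """Loop at 004010F0: every byte in 30h..7Eh and exactly 16 bytes (ECX == 11h with the NUL)."""
    return len(sn) == 16 and all(LO <= b <= HI for b in sn)


def dword(buf: bytes, first: int) -> int:
    """Little-endian dword of 1-based characters first..first+3, as mov eax, dword ptr ds:[...] reads it."""
    return int.from_bytes(buf[first - 1:first + 3], "little")


def target_dword(name: str, p1: int) -> int:
    """((user[9-12] xor user[13-16] xor P1) or 40404040) and 77777777, from 00401120-00401138."""
    user = expand_name(name)
    x1 = dword(user, 9) ^ dword(user, 13) ^ p1
    return (x1 | 0x40404040) & 0x77777777


def final_check(name: str, sn: bytes, p1: int) -> bool:
    """Whole visible path: format loop first, then Y1 = target xor sn[9-12] xor sn[13-16] must be 0."""
    if not serial_format_ok(sn):
        return False
    y1 = target_dword(name, p1) ^ dword(sn, 9) ^ dword(sn, 13)
    return y1 == 0


def solve_tail(name: str, head12: bytes, p1: int):
    """Solve the post's equation for sn[13-16] given sn[1-12]; None if the result would fail the 30h..7Eh loop."""
    tail = (target_dword(name, p1) ^ dword(head12, 9)).to_bytes(4, "little")
    return tail if all(LO <= b <= HI for b in tail) else None


if __name__ == "__main__":
    # Constructed sample: P1 taken as the untouched initial value FEDCBA98 purely for illustration.
    tail = solve_tail("kyo327", b"ABCDEFGH0000", 0xFEDCBA98)
    print(tail, final_check("kyo327", b"ABCDEFGH0000" + tail, 0xFEDCBA98))
```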
004011F1 /$ A1 60214000    mov eax, dword ptr ds:[402160]    ; first 4 characters of the user name = user[1-4]
004011F6 |. 8B1D 64214000  mov ebx, dword ptr ds:[402164]    ; user name characters 5-8 = user[5-8]
004011FC |. 3305 71214000  xor eax, dword ptr ds:[402171]    ; user[1-4] xor sn[1-4] = k1
00401202 |. 331D 75214000  xor ebx, dword ptr ds:[402175]    ; user[5-8] xor sn[5-8] = k2
00401208 |. 25 0F1F3F7F    and eax, 7F3F1F0F                 ; k1 and 7F3F1F0F = p1
0040120D |. 81E3 00010307  and ebx, 7030100                  ; k2 and 07030100 = p2
00401213 |. 33C9           xor ecx, ecx                      ; ECX is the loop counter
00401215 |> 8BF0           /mov esi, eax
00401217 |. 8BFB           |mov edi, ebx
00401219 |. D3E6           |shl esi, cl
0040121B |. D3E7           |shl edi, cl
0040121D |. 81E6 80808080  |and esi, 80808080
00401223 |. 81E7 80808080  |and edi, 80808080
00401229 |. 8BD6           |mov edx, esi
0040122B |. C0EE 07        |shr dh, 7
0040122E |. 66:C1E2 07     |shl dx, 7
00401232 |. C1EA 08        |shr edx, 8
00401235 |. C0EE 07        |shr dh, 7
00401238 |. 66:C1E2 07     |shl dx, 7
0040123C |. C1EA 08        |shr edx, 8
0040123F |. C0EE 07        |shr dh, 7
00401242 |. 66:D1EA        |shr dx, 1
00401245 |. 8BF2           |mov esi, edx
00401247 |. 8BD7           |mov edx, edi
00401249 |. C0EE 07        |shr dh, 7
0040124C |. 66:C1E2 07     |shl dx, 7
00401250 |. C1EA 08        |shr edx, 8
00401253 |. C0EE 07        |shr dh, 7
00401256 |. 66:C1E2 07     |shl dx, 7
0040125A |. C1EA 08        |shr edx, 8
0040125D |. C0EE 07        |shr dh, 7
00401260 |. 66:C1EA 05     |shr dx, 5
00401264 |. 8BFA           |mov edi, edx
00401266 |. 33FE           |xor edi, esi
00401268 |. 8BD7           |mov edx, edi
0040126A |. 81E2 FF000000  |and edx, 0FF                     ; everything above is p1 and p2 taking part in the computation
00401270 |. 51             |push ecx
00401271 |. 52             |push edx
00401272 |. BA 08000000    |mov edx, 8
00401277 |. 91             |xchg eax, ecx
00401278 |. 83F8 03        |cmp eax, 3
0040127B |. 7F 0F          |jg short cycle.0040128C
0040127D |. F6E2           |mul dl
0040127F |. 5A             |pop edx
00401280 |. 83C0 08        |add eax, 8
00401283 |. 91             |xchg eax, ecx
00401284 |. D3C0           |rol eax, cl
00401286 |. 33C2           |xor eax, edx
00401288 |. D3C8           |ror eax, cl
0040128A |. EB 0D          |jmp short cycle.00401299
0040128C |> 83E8 03        |sub eax, 3
0040128F |. F6E2           |mul dl
00401291 |. 5A             |pop edx
00401292 |. 91             |xchg eax, ecx
00401293 |. D3C3           |rol ebx, cl
00401295 |. 33DA           |xor ebx, edx
00401297 |. D3CB           |ror ebx, cl
00401299 |> 59             |pop ecx
0040129A |. 41             |inc ecx
0040129B |. 83             |