Text/figure December
==========================================
All the way to inquiry? That is not really a question, it is a forum name! And where there is a forum there is, of course, flooding, otherwise where would all those flood posts come from? This time the target is an automatic "water filling" (forum flooding) tool written for that forum. I believe many people have used this kind of auto-poster, so there is nothing to worry about here. I came across it by chance and naturally wanted to look at its registration and verification mechanism, hence this article.
I will not go into how the program is used; if you like it, its official website has a detailed tutorial. Dropping the program into PEiD detects a tElock 0.98b1 shell with an overlay, as shown in Figure 1. An overlay usually means the program was written in Easy Language. Let's unpack it and see!
Figure 1
Shelling Process
After loading the program in OllyDbg (OD), it stops at the following code.
00473BD6 A> ^ E9 25E4FFFF jmp Ask_Love.00472000
00473BDB 0000 add byte ptr ds: [eax], al
For tElock 0.98b1 the first instruction is usually a JMP, and the two-step memory breakpoint method removes the shell. Open the memory map in OD (shortcut Alt+M), find the .DATA section and set a "Memory write" breakpoint on it, as shown in Figure 2. After Shift+F9 the breakpoint fires as soon as the unpacker writes to 00407000. Clear that breakpoint, open the memory map again, and this time set a "Memory access" breakpoint on the .CODE section, as shown in Figure 3. Note that the breakpoints in Figure 2 and Figure 3 are different; do not mix them up. After another Shift+F9 we land right at the OEP.
Figure 2
Figure 3
0040389F 55 push ebp
004038A0 8BEC mov ebp, esp
004038A2 6A FF push -1
004038A4 68 F8724000 push Ask_Love.004072F8
The entry point is 0040389F, the characteristic entry of Easy Language, just as guessed at the start; plenty of hands-on practice really pays off when unpacking. Judging from this entry, the Easy Language version should be the latest one, since this entry does not appear in versions earlier than 4.03. Enough about that. Now that we are at the OEP we naturally dump it: start LordPE, select the program's process, right-click and choose "dump full", as shown in Figure 4. The dumped program cannot run as it is; its import table has to be repaired. Start ImportREC 1.6, enter 389F as the OEP, click "IAT AutoSearch" and then "Get Imports". A number of functions are not recognized, but that is no problem: use "Trace Level3 (Trap Flag)" to resolve them. Finally, any function that still cannot be identified is cut, as shown in Figure 5.
Figure 4
Figure 5
After the repair, the unpacked program pops up an error dialog when run. This is caused by the missing appended data (the overlay). Few people know about this feature of Easy Language, so most take it for self-verification. Next, restore the appended data: drop the unpacked program into PEiD, select the "add data v1.0" plug-in, choose the original packed program as the "resource file" and the unpacked program as the "target file", and click "Copy additional data". That completes the appended data.
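The "appended data" step above is easy to reproduce without the plug-in. As an added example (not from the original article or from PEiD), the Python below reads the section table of a PE file, treats everything past the last byte of raw section data as the overlay, and appends the packed file's overlay to the dumped file; the minimal PE used as input is constructed inline and is not a runnable executable.

```python
import struct

def overlay_offset(pe: bytes) -> int:
    """File offset where the PE image ends and the overlay (appended data) begins.

    The overlay is not mapped by the loader, which is why a memory dump loses it.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, 12 bytes we skip, SizeOfOptionalHeader
    num_sections, size_opt = struct.unpack_from("<H12xH", pe, coff + 2)
    sect = coff + 20 + size_opt
    end = sect + num_sections * 40          # headers only, if no section has raw data
    for i in range(num_sections):
        # section header +16: SizeOfRawData, +20: PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(pe))

def get_overlay(pe: bytes) -> bytes:
    return pe[overlay_offset(pe):]

def copy_overlay(packed: bytes, dumped: bytes) -> bytes:
    """Put the packed file's overlay behind the dumped file's last section."""
    return dumped[:overlay_offset(dumped)] + get_overlay(packed)

def build_fake_pe(section_data: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE32 (one section, zeroed optional header) for testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + size_opt + 40
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", len(section_data), 0x1000, len(section_data), raw_ptr)
               + b"\0" * 16)
    headers = dos + b"PE\0\0" + coff + b"\0" * size_opt + section
    assert len(headers) == raw_ptr
    return headers + section_data + overlay
```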
Cracking Process
Run the unpacked program and it asks whether to register. Click "yes" and enter anything you like; the result is shown in Figure 6. Quite a prompt, isn't it? Really over the top, heh!
Figure 6
Load it in OD and search for strings with the plug-in; the prompt from the figure is not found, so we fall back to breakpoints. Set "bp MessageBoxA"; it breaks immediately, but that is not the one we want. Run again and the registration box appears, which is what we need; after entering registration data it breaks.
77D5058A u> 8BFF mov edi, edi
; Breaks here
77D5058C 55 push ebp
77D5058D 8BEC mov ebp, esp
77D5058F 833D BC04D777> cmp dword ptr ds: [77D704BC], 0
77D50596 74 24 je short user32.77D505BC
Remove the breakpoint and return to the caller.
10062170 FF15 A0260C10 call dword ptr ds: [<& USER32.MessageB>; user32.MessageBoxA
10062176 5F pop edi ; returns here
10062177 83F8 03 cmp eax, 3
So 10062170 is where the failure dialog is called, but the information here is of little use. Return one level up and we reach the following code.
00469CBE E8 DE4A0000 call Unpack.0046E7A1
; Get the machine code
00469CC3 83C4 10 add esp, 10
00469CC6 8945 FC mov dword ptr ss: [ebp-4], eax
00469CC9 68 DA6D4500 push Unpack.00456DDA
; ASCII "SHMILY"
00469CCE FF75 FC push dword ptr ss: [ebp-4]
00469CD1 B9 02000000 mov ecx, 2
00469CD6 E8 17B2FFFF call Unpack.00464EF2
; Concatenate the machine code with the fixed string SHMILY
00469CDB 83C4 08 add esp, 8
00469CDE 8945 F8 mov dword ptr ss: [ebp-8], eax
; eax holds the result
00469CE1 8B5D FC mov ebx, dword ptr ss: [ebp-4]
.........
00469D48 B8 03000000 mov eax, 3
00469D4D E8 314A0000 call Unpack.0046E783
; MD5 of the concatenated result
Follow this call and you find the following code.
02109BCB C742 4C 012345> mov dword ptr ds: [edx + 4C], 67452301
02366bd2 C742 50 89ABCD> mov dword ptr ds: [edx + 50], EFCDAB89
02109BD9 C742 54 FEDCBA> mov dword ptr ds: [edx + 54], 98BADCFE
02366be0 C742 58 765432> mov dword ptr ds: [edx + 58], 10325476
These four constants are the MD5 initial state, so we can conclude that the program uses the MD5 hash algorithm. Let's keep going.
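Spotting those four immediates by hand is exactly what crypto-signature scanners automate. As an added example (not from the article), the Python below searches a byte buffer for the MD5 initial state as little-endian 32-bit values and reports whether they occur close together; it also checks for the fifth SHA-1 constant, since SHA-1 shares the first four. The sample bytes are the four mov instructions from the listing above, constructed inline with filler around them.

```python
import struct

# MD5 initial state (A, B, C, D); SHA-1 uses the same four plus a fifth word E.
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
SHA1_E = 0xC3D2E1F0

def find_constants(data: bytes, constants=MD5_IV) -> dict:
    """Map each constant to every offset where it appears as a little-endian dword."""
    hits = {}
    for c in constants:
        needle = struct.pack("<I", c)
        offs, start = [], 0
        while (i := data.find(needle, start)) != -1:
            offs.append(i)
            start = i + 1
        hits[c] = offs
    return hits

def identify_hash(data: bytes, window: int = 64) -> str:
    """'MD5', 'SHA-1' or 'unknown', based on IV constants found within `window` bytes."""
    hits = find_constants(data, MD5_IV + (SHA1_E,))
    for a in hits[MD5_IV[0]]:
        # B, C and D must all sit near this occurrence of A (e.g. four adjacent movs)
        if all(any(abs(o - a) <= window for o in hits[c]) for c in MD5_IV[1:]):
            if any(abs(o - a) <= window for o in hits[SHA1_E]):
                return "SHA-1"
            return "MD5"
    return "unknown"

# Constructed sample: 'mov dword ptr [edx+XX], imm32' for the four constants, as in
# the listing (C7 42 disp8 imm32), padded with NOPs on both sides.
SAMPLE = (b"\x90" * 8
          + bytes.fromhex("C7424C01234567")
          + bytes.fromhex("C7425089ABCDEF")
          + bytes.fromhex("C74254FEDCBA98")
          + bytes.fromhex("C7425876543210")
          + b"\x90" * 8)

if __name__ == "__main__":
    print(identify_hash(SAMPLE), find_constants(SAMPLE))
```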
00469D52 83C4 10 add esp, 10
00469D55 8945 F0 mov dword ptr ss: [ebp-10], eax
; eax holds the result
......
00469D81 BB 50010000 mov ebx, 150
00469D86 E8 0A4A0000 call Unpack.0046E795
; Convert lowercase letters to uppercase
00469D8B 83C4 10 add esp, 10
......
00469DC9 83F8 00 cmp eax, 0
00469DCC B8 00000000 mov eax, 0
00469DD1 0F94C0 sete al
; Record whether the comparison was true or false
00469DD4 8945 E4 mov dword ptr ss: [ebp-1C], eax
00469DD7 8B5D E8 mov ebx, dword ptr ss: [ebp-18]
......
00469DF4 83C4 04 add esp, 4
00469DF7 837D E4 00 cmp dword ptr ss: [ebp-1C], 0
; Compare the flag
00469DFB 0F84 13010000 je Unpack.00469F14
If the flag is zero, it jumps to the registration-failure location.
00469E01 6A FF push -1
......
00469E35 68 A86E4500 push Unpack.00456EA8
; ASCII "SOFTWAREaskloveautobbsame"
00469E3A 68 01030080 push 80000301
00469E3F 6A 00 push 0
......
00469E9A 6A 00 push 0
00469E9C 68 C66E4500 push Unpack.00456EC6
; ASCII "SOFTWAREaskloveautobbssn"
00469EA1 68 01030080 push 80000301
00469EA6 6A 00 push 0
The above is clearly the algorithm part of the program. Briefly: the program concatenates the machine code obtained from the user's machine with the fixed string SHMILY, computes the MD5 of that, and converts the result to uppercase; that is the registration code. The algorithm is very simple; if you want to crack it, the jump at 00469DFB is the place to consider. After successful registration the information is written to the registry: the machine code goes to HKEY_LOCAL_MACHINESOFTWAREaskloveautobbsame and the registration code to HKEY_LOCAL_MACHINESOFTWAREaskloveautobbssn.
Postscript
The program's algorithm is fairly simple, so I will not write a keygen for it; if you are interested, study it yourself. With the registration algorithm worked out, I will also use this tool to visit the forum.