Riijj crackme 10 anniversary algorithm analysis

[Detailed process]
This is a crackme written purely for fun; riijj gave it to everyone on the Snow Forum as a Christmas present. When it first appeared my skills were not up to it: the sheer number of floating-point instructions put me off before I even started, and I could not bring myself to think it through. With a few hints from warshon, I will give a simple analysis of the registration routine.

1. Finding the key code

A PEiD check shows the program is not packed and was built with Microsoft Visual C++ 6.0. Open it in IDA, generate a MAP file, then load the program in OllyDbg and import the MAP file.
According to riijj, this crackme registers itself by checking a key file at startup. So set a breakpoint with bp CreateFileA and press F9 to run. The stack at the break:

0012FD28 00420957 /CALL to CreateFileA from riijjcm1.00420951
0012FD2C 0042A0B0 |FileName = "dinner.bin"
0012FD30 80000000 |Access = GENERIC_READ
0012FD34 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FD38 0012FD54 |pSecurity = 0012FD54
0012FD3C 00000003 |Mode = OPEN_EXISTING
0012FD40 00000080 |Attributes = NORMAL
0012FD44 00000000 \hTemplateFile = NULL
0012FD48 00424552 riijjcm1.00424552

So the key file is named dinner.bin. Create an empty text file, type some text into it, name it dinner.bin and copy it into the folder where the crackme lives.
Press Ctrl+F2 to restart the program, set bp ReadFile and press F9. The stack at the break:

0012FD20 0041F9C5 /CALL to ReadFile from riijjcm1.0041F9BF
0012FD24 00000080 |hFile = 00000080 (window)
0012FD28 008D33C0 |Buffer = 008D33C0
0012FD2C 00001000 |BytesToRead = 1000 (4096.)
0012FD30 0012FD44 |pBytesRead = 0012FD44
0012FD34 00000000 \pOverlapped = NULL

So the program reads the key file and stores the data in a memory buffer. Press Ctrl+F9 to return to the caller and we land here:

004011C1  > 56                push esi
004011C2  |. 55               push ebp
004011C3  |. 8D4C24 40        lea ecx, dword ptr [esp+40]
004011C7  |. E8 E4020000      call <sub_4014B0>                        ; we return here
004011CC  |. 8D4C24 40        lea ecx, dword ptr [esp+40]
004011D0  |. E8 8B1A0000      call <sub_402C60>                        ; close the file
004011D5  |. 85C0             test eax, eax
004011D7  |. 75 13            jnz short <loc_4011EC>
004011D9  |. 50               push eax
004011DA  |. 8B4424 3C        mov eax, dword ptr [esp+3C]
004011DE  |. 6A 02            push 2
004011E0  |. 8B48 04          mov ecx, dword ptr [eax+4]
004011E3  |. 8D4C0C 40        lea ecx, dword ptr [esp+ecx+40]
004011E7  |. E8 54020000      call <sub_401440>
004011EC  > B9 0A000000       mov ecx, 0A
004011F1  |. 8BF5             mov esi, ebp                             ; ebp points to the data just read from the key file
004011F3  |. 8DBC24 C8000000  lea edi, dword ptr [esp+C8]              ; buffer
004011FA  |. F3:A5            rep movs dword ptr es:[edi], dword ptr [esi] ; copy the 40 bytes just read into the buffer

Below this come a lot of floating-point instructions, and that is where the key code is. We can also see here that the program only ever uses the first 40 bytes of the key file.

2. Algorithm analysis

004011EC  > B9 0A000000       mov ecx, 0A
004011F1  |. 8BF5             mov esi, ebp                             ; ebp points to the data just read from the key file
004011F3  |. 8DBC24 C8000000  lea edi, dword ptr [esp+C8]              ; buffer
004011FA  |. F3:A5            rep movs dword ptr es:[edi], dword ptr [esi] ; copy the 40 bytes just read into the buffer
004011FC  |. DD05 D8414200    fld qword ptr [<dbl_1_1d8>]              ; 0.0
00401202  |. DD5424 18        fst qword ptr [esp+18]                   ; n2 = 0
00401206  |. DD05 D8414200    fld qword ptr [<dbl_1_1d8>]              ; 0.0
0040120C  |. DD5424 10        fst qword ptr [esp+10]                   ; n1 = 0
00401210  |. 0FBF9424 C8000000 movsx edx, word ptr [esp+C8]            ; first two bytes of the buffer (len)
00401218  |. 8BCA             mov ecx, edx
0040121A  |. 8DB424 CA000000  lea esi, dword ptr [esp+CA]
00401221  |. 8BC1             mov eax, ecx
00401223  |. 8D7C24 20        lea edi, dword ptr [esp+20]
00401227  |. C1E9 02          shr ecx, 2
0040122A  |. F3:A5            rep movs dword ptr es:[edi], dword ptr [esi]
0040122C  |. 8BC8             mov ecx, eax
0040122E  |. 33C0             xor eax, eax                             ; i = 0
00401230  |. 83E1 03          and ecx, 3
00401233  |. 85D2             test edx, edx
00401235  |. F3:A4            rep movs byte ptr es:[edi], byte ptr [esi]
00401237  |. 0F8E 2B010000    jle <loc_401368>

This code first initialises the two floating-point numbers n1 and n2 to 0, then reads the first two bytes of the buffer as len. Starting from the third byte, len bytes are then copied to another place in memory for later use (the dword copy handles len/4 dwords and the byte copy the remaining len mod 4 bytes). In other words, the first two bytes of the buffer hold the length len of the user name, and the len bytes starting at the third byte are the user name itself. If len is zero or negative, the jle skips the loop below entirely.

0040123D  > /0FBE4C04 20      movsx ecx, byte ptr [esp+eax+20]         ; name[i]
00401242  |. |894C24 0C        mov dword ptr [esp+C], ecx
00401246  |. |40               inc eax                                  ; i++
00401247  |. |DB4424 0C        fild dword ptr [esp+C]
0040124B  |. |3BC2             cmp eax, edx
0040124D  |. |D9C0             fld st
0040124F  |. |DEC3             faddp st(3), st
00401251  |. |D9CA             fxch st(2)
00401253  |. |DC0D D0414200    fmul qword ptr [<dbl_1_1d0>]             ; 1.2
00401259  |. |D9CA             fxch st(2)
0040125B  |. |DEC1             faddp st(1), st
0040125D  |. |DC0D C8414200    fmul qword ptr [<dbl_rj1c8>]             ; 1.3
00401263  |.^\7C D8            jl short <loc_40123D>
00401265  |. DD5C24 10         fstp qword ptr [esp+10]                  ; n1
00401269  |. DD5C24 18         fstp qword ptr [esp+18]                  ; n2
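The quickest way to confirm a reading of this loop is to replay it in a high-level language and compare against the values watched in OllyDbg. Tracing the x87 stack through one iteration: fild pushes the sign-extended byte c, fld st duplicates it, faddp st(3),st adds one copy to the running value that ends up in n2 and the fmul scales it by 1.2, then the other copy is added to the running value that ends up in n1 and scaled by 1.3. So with both starting at 0, each byte does n1 = (n1 + c) * 1.3 and n2 = (n2 + c) * 1.2, and the jle at 00401237 skips the loop when len is zero or negative. The Python below is an added example, not code from the original post or from the crackme: it parses the first 40 bytes of a dinner.bin image in the layout described in the previous section and replays the two accumulations. The function names, the constructed sample image and the check that len fits in the 38 name bytes are mine; that check is not in the listing.

```python
import struct

BUFFER_SIZE = 40       # the program copies 10 dwords = 40 bytes out of the read buffer
NAME_OFFSET = 2        # the name starts right after the 16-bit length word
MAX_NAME = BUFFER_SIZE - NAME_OFFSET   # 38 name bytes fit in the buffer
N1_FACTOR = 1.3        # dbl_rj1c8 in the listing
N2_FACTOR = 1.2        # dbl_1_1d0 in the listing


def parse_key_file(data: bytes):
    """Split a dinner.bin image into (len, name) the way the listing reads it.

    Only the first 40 bytes are used.  len is the signed 16-bit little-endian
    word at offset 0 (movsx edx, word ptr [esp+C8]); the name is the len bytes
    that follow it.  The check that len fits in the buffer is an addition here.
    """
    buf = data[:BUFFER_SIZE]
    if len(buf) < BUFFER_SIZE:
        raise ValueError("need at least 40 bytes (the program copies 40)")
    (length,) = struct.unpack_from("<h", buf, 0)
    if length > MAX_NAME:
        raise ValueError(f"len {length} does not fit in the {MAX_NAME} name bytes")
    # test edx, edx / jle: a zero or negative len skips the loop entirely
    name = buf[NAME_OFFSET:NAME_OFFSET + length] if length > 0 else b""
    return length, name


def accumulate(name: bytes):
    """Replay the x87 loop at 0040123D..00401263 in double precision.

    Per byte c (sign-extended by movsx): n1 = (n1 + c) * 1.3, n2 = (n2 + c) * 1.2.
    The x87 may keep extra precision in its registers until the fstp, so the
    last bits can differ from what OllyDbg shows; compare with a tolerance.
    """
    n1 = 0.0   # fld 0.0 / fst [esp+10]
    n2 = 0.0   # fld 0.0 / fst [esp+18]
    for raw in name:
        c = raw - 256 if raw > 127 else raw   # movsx: bytes >= 0x80 are negative
        n2 = (n2 + c) * N2_FACTOR             # faddp st(3), st ; fmul 1.2
        n1 = (n1 + c) * N1_FACTOR             # faddp st(1), st ; fmul 1.3
    return n1, n2


def analyze(data: bytes):
    """Parse an image and return (len, name, (n1, n2))."""
    length, name = parse_key_file(data)
    return length, name, accumulate(name)


def build_sample_image(name: bytes) -> bytes:
    """Constructed 40-byte image in the layout above, for testing only."""
    if len(name) > MAX_NAME:
        raise ValueError("name too long for the 40-byte buffer")
    return (struct.pack("<h", len(name)) + name).ljust(BUFFER_SIZE, b"\x00")


if __name__ == "__main__":
    # Constructed sample, not taken from the original post
    print(analyze(build_sample_image(b"AB")))
```

Running it on the constructed two-byte name "AB" gives n1 = (65 * 1.3 + 66) * 1.3 = 195.65 and n2 = (65 * 1.2 + 66) * 1.2 = 172.8, which is what to expect in [esp+10] and [esp+18] after the two fstp instructions when the same name is placed in dinner.bin.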
