"Turn" hack source Insight 3.5.0072 process attached: install software + keygen

Source: Internet
Author: User

Reprint Address: http://blog.csdn.net/qs_hud/article/details/8884867

Keygen and software: http://download.csdn.net/detail/huhu1544/5330869

Effect:

A few weeks ago brother Yuchun said he was trying to crack Source Insight 3.5. Having only ever experimented on crackmes, I could not resist getting some hands-on practice too (and, while I was at it, earning an invitation code). As soon as I dragged it into OD I saw the GetTickCount function and assumed it was some kind of check (looking back, I reckon it is checking the number of days used). At that time I had not practiced anti-anti-debugging much, so I put it on hold for a few days. After spending a few days reading about the anti-debugging techniques commonly met when unpacking, I got started. Enough chatter, on to the analysis.

First, run the program and look at the error prompt:

Use OD's string search to look for "you typed":


It is easy to spot. Double-click it to view the code and scroll up to find the key call (00408BD9):


Step into this call and take a look:


Look first at the call to 00448e53 at 00448f3a (it turns out this is probably a big pit!!! I was stuck in it for n hours before getting out). I went straight to IDA to view the flowchart, which is clearer (I have added comments):


Which branch should it take? My first thought was that eax should end up returning 1. A quick look through sub_449030 suggested that was right, so I let sub_448e53 return 1 and traced into sub_449030. How do we make sub_448e53 return 1? Look at the code:


That means looking at sub_1602 as well. Nothing for it, so on to sub_1602 (this path is a pit, but the function is used a lot later on, so the code is worth a look):


This code is very simple. es3us is the parameter: if the first five characters of the input, upper-cased, are the same as es3us, it returns eax=1. Enter a fake code whose first five characters are es3us and go into the sub_449030 mentioned above (I originally did this in OD and spent a lot of time before realizing I was probably in a pit, so here is just an excerpt of the code for a rough look):


After sub_448e7e executes, its return value has to be 0 for the validation below to continue, yet the remaining functions at the end have to return 1 for registration to succeed. sub_448e7e performs the various checks on the input string and returns 1 when they pass, which contradicts the 0 required here. In other words, any fake code that fails one of the checks in sub_448e7e returns 0 and goes on to the remaining validation functions, of which there are many, and getting an arbitrarily constructed fake code through those later checks is hard. So I reckon this whole function is a pit (a randomly constructed registration code can get past sub_448e7e by returning 0, but I reckon it will not survive the later validation; if you see it differently, you are welcome to discuss). This road is not feasible, so go back to the function in the first image:


Since the sub_449030 route does not work, look at sub_448f5c at 00448f5c instead. Its validation is in fact similar to that of sub_449030, but the key is different. Step inside and look:


Looks a bit familiar, doesn't it? It just checks whether the first five characters, upper-cased, are si3us. Enter a fake code whose first five characters are si3us so that it jumps to loc_448f89:


Here is sub_448e7e again, the validation function mentioned in the pit above, but this time the input has to pass all of its checks so that it returns 1 and the validation below continues. Step inside and look at its checks (again using the IDA flowchart; the OD listing is too long to capture easily):


First, a "-" character must be present to continue. You could just edit your fake code in OD so that this position holds a "-", but I still recommend starting over with a new input, since there is a long way to go and patching each time gets very troublesome (⊙o⊙)... Continue:


Next it checks whether the "-" just found sits immediately after si3us (PS: what a roundabout way to do it. Calling a function that returns the position directly would do, but instead it takes the strchr() result and subtracts the base address. Is that compiler optimization??? Not sure.) Continue:


The same thing again: it finds the position of the second "-" and checks whether the middle part of the registration code has length 6. Along the way an "and XX, 0" instruction sets the byte at the second "-" to 0, which is equivalent to truncating the string there (it is restored at the end), leaving only the middle section (the leading si3us has already been skipped with a pointer offset, so only the 6-character middle part remains). Enter a registration code of the form SI3US-XXXXXX-XXX and continue:


I do not remember exactly what gets copied here; I forgot to add comments and cannot recall now. What I do remember is that strlen takes the length of the last part of the registration code and checks whether it is 5. With that, the format of the registration code is clear: it has the form si3us-xxxxxx-xxxxx. Keep going; what a slog:


The last five characters of the registration code are converted to an integer (placed in eax and eventually saved in arg_8). Because atoi stops converting at the first non-numeric character, and returns 0 if the first character is not a digit, to be safe enter the last five characters as digits so that all of them are converted; "12345" becomes 12345. Let's see what other tricks it has. It finally returns 1, but do not relax yet: there is more validation, since neither the middle nor the last part of the registration code has been checked for correctness. Execute to the end of the function and continue:


Execution reaches the red box and jumps to 00449075, then runs sub_428e8a. Follow it in:


This code is actually of little use, which left me speechless: it checks whether the first character of the middle six-character part is equal to the following five. Note the code marked with the red line, which is interesting: many compilers emit similar code when optimizing selection statements, especially ones like A>B?B:C (if you are interested, see "C++ Disassembly and reverse disclosure", which covers many of the compiler's optimization rules). Back to what this code means: my guess is that it is a small pit, meant to catch lazy people like me who would type a fake registration code with six identical middle characters. That underestimates people; at least make the trick a little cleverer. Can a check for six identical characters fool me, when the middle six characters of my fake code are "123456"?

(The next one really is a slightly cleverer pit, and my "123456" really does fall into it ╮(╯_╰)╭)

Moving on without more chatter: after the code above returns eax=1, execution jumps to 448FC1:


At 00408fea there are 1Eh = 30 comparisons. Comparing what? The 30 four-byte values starting at 53c468. The integer obtained by running atoi on the middle 6 characters of the registration code is compared with each of the 30 values in turn; if any of them is equal, it returns 0, which ultimately makes validation fail. In OD the data at 53c468 only shows as hexadecimal values; with IDA's calculator you can convert them to decimal, and the second value compared turns out to be the integer value of the "123456" I entered... I walked right into it; a really sneaky check. (It does not matter much here: change the flag so the jump is not taken. But when writing the keygen at the end, take care in case a generated registration code is one of those 30 values or has six identical characters, because then it will not register.) After the 30 comparisons, execution jumps into the last validation function in the red box. This is the final one; a return value of 1 means OK. Follow it in:

(I am really no good at prettying up layouts, so make do with it.)

Although the code is a bit messy, the validation algorithm is really weak. Written as pseudo-code with the variable definitions removed, only a few lines of computation are left. Take my input si3us-123456-54321: let k=123456 (the value), then each character of "123456" (the string) is combined with one of several stored constants (the temp array in the code; it has 10 entries, only 6 are used), the result is added to k*4 and stored back in k, six times in all. (Really weak. Never mind that the algorithm is simple, slightly clearer logic would have been enough: there are only six iterations in total, yet at 004f3ed3 it even handles the loop variable exceeding 10 by resetting it to 0. Pointless!)

The algorithm is clear, so write the keygen. Look at the code:


It is casually written: generate a 6-digit random number and compute the last 5 digits (sometimes the result is not five digits and cannot be used, so repeat until the result has 5 digits), then concatenate si3us, the middle 6 digits and the 5-digit result, and that is it. Of course there are many small problems; for example, the random numbers generated are generally no larger than 130000. Still, that is fine, since the result is then unlikely to fall within the range of the 30 compared numbers and the all-equal numbers. It works well enough. The keygen was finished right at 12 o'clock; I had planned to sleep after writing up this rough post, and as a result, hehe ...

O (∩_∩) O.