Simple Crackme (aescul) analysis

Source: Internet
Author: User
"Crack Author" analog "Author mailbox" yuchaochina@hotmail.com "use tool" ollydbgv1.10,peidv0.93 "crack Platform" WinXP "software Name" Aescul.exe (crackme) "Add shell Way "No" crack statement "I am a little rookie, I have a little experience, would like to share:"------------------------------------------------------------------------------- -"Cracked content" code snippet can be found at the beginning of DialogBoxParam00401024 |. 84314000 Push aescul.00403184 | Dlgproc = aescul.00403184 Window handler, the next breakpoint near the address 004030184 enter the registration name, registration code after the OK, to the following code snippet 0040320A > \833d F6444000 0>cmp DWORD PTR ds:[4044f6],1; Whether the data segment has since been modified by 00403211. Je short aescul.00403224; Modified to jump 00403213. Be 00404000 mov esi,aescul.0040400000403218. 8BFE mov edi,esi0040321a. B9 160b0000 mov ecx,0b160040321f. E8 41020000 call aescul.00403465; Self-modifying subroutine (Data section modification) 00403224 > 6A push 40; /count = 40 (64.) 00403226. BA414000 Push AESCUL.004041BA | Buffer = aescul.004041ba; registration name store Address 0040322B. E8030000 Push 3E8; | ControlID = 3E8 (1000.) 00403230. FF75-Push DWORD ptr ss:[ebp+8]; |hwnd00403233. E8 89020000 call <jmp.&user32. getdlgitemtexta>; \getdlgitemtexta; get a registerName 00403238. BF BA414000 mov edi,aescul.004041ba0040323d. 33c0 xor eax,eax0040323f. 83c9 FF or ecx,ffffffff00403242. F2:ae repne SCAs byte ptr es:[edi]00403244. F7d1 not ecx00403246. 2bf9 Sub edi,ecx00403248. 890D 064b4000 mov dword ptr ds:[404b06],ecx; Save the registered name length 0040324E. 803D BA414000 0>cmp byte ptr ds:[4041ba],0; Compares the first byte of the registration name to \000403255. 6A push 40; /count = 40 (64.) 00403257. BA424000 Push AESCUL.004042BA | Buffer = aescul.004042ba, registration code store address 0040325C. E9030000 Push 3E9; | ControlID = 3E9 (1001.) 00403261. FF75-Push DWORD ptr ss:[ebp+8]; |hwnd00403264. E8 58020000 call <jmp.&user32. getdlgitemtexta>; \getdlgitemtexta code 00403269. BF BA424000 mov edi,aescul.004042ba0040326e. 33c0 xor eax,eax00403270. 83c9 FF or ecx,ffffffff00403273. F2:ae repne SCAs byte ptr es:[edi]00403275. F7d1 not ecx00403277. 2bf9 Sub edi,ecx00403279. 890D 0a4b4000 mov dword ptr ds:[404b0a],ecx; The length of the deposit registration code is 0040327F. 803D BA424000 0>cmp byte ptr ds:[4042ba],0; Compare the first word of the registration codeWhether the section is \000403286. 0e4b4000 push aescul.00404b0e; /phandle = aescul.00404b0e0040328b. 6A Push 1; | Access = key_query_value0040328d. 6A Push 0; | Reserved = 00040328F. 00404000 Push aescul.00404000 | subkey = "Software\microsoft\windows\currentversion" 00403294. 02000080 push 80000002; |hkey = hkey_local_machine00403299. E8 71020000 call <JMP.&ADVAPI32. regopenkeyexa>; \regopenkeyexa Open registry subkey 0040329E. 124b4000 push aescul.00404b12; /pbufsize = aescul.00404b12004032a3. BC434000 Push AESCUL.004043BC | Buffer = aescul.004043bc004032a8. 6A push 0; |pvaluetype = null004032aa. 6A Push 0; | Reserved = Null004032ac. 33404000 Push aescul.00404033 | VALUENAME = "ProductId" 004032b1. FF35 0e4b4000 push DWORD ptr ds:[404b0e]; |hkey = ffffffff004032b7. E8 4d020000 call <JMP.&ADVAPI32. regqueryvalueexa>; \regqueryvalueexa the key value of 004032BC. BF BA434000 mov edi,aescul.004043ba004032c1. 33c0 xor eax,eax004032c3. 83C9 FF or ecx,ffffffff004032c6. F2:ae repne SCAs byte ptr es:[edi]004032c8. F7d1 not ECX004032CA. 2bf9 Sub edi,ecx004032cc. 890D BC444000 mov dword ptr ds:[4044bc],ecx004032d2. 833D FA444000 0>cmp dword ptr ds:[4044fa],1; FLAG, 1 indicates that the code has been modified 004032D9. Je short aescul.004032ec; Not 1 jumps to 004032DB. Be 50304000 mov esi,aescul.00403050004032e0. 8BFE mov edi,esi004032e2. B9 34010000 mov ecx,134004032e7. E8 8E010000 call aescul.0040347a; Self-modifying subroutine (code snippet Self modification) 004032EC > E9 8f000000 jmp aescul.00403380; Jump to EndDialog below is the self Modified subroutine: (Simple loop left-shift encryption) 00403465/$ 33c0 xor Eax,eax; qing eax value 00403467 |. AC lods byte ptr ds:[esi]; Fetch byte 00403468 |. d2c0 Rol al,cl; Al Cycle left cl secondary 0040346A |. F6d0 not Al; Al Take Anti 0040346C |. AA STOs byte ptr es:[edi]; The code is saved back to 0040346D |. ^ E2 F6 loopd Short aescul.00403465; Cycle 0040346F |. C705 F6444000 0>mov dword ptr ds:[4044f6],100403479 | C3 retn0040347a |$ 33c0 xor Eax,eax; Code Self Modified 0040347C |. AC lods byte ptr ds:[esi]; Fetch bytes 0040347D |. d2c0 Rol al,cl; Al Cycle left cl secondary 0040347F |. F6d0 not Al; Al Take Anti 00403481 |. AASTOs byte ptr es:[edi]; The code is saved back to 00403482 |. ^ E2 E1 loopd Short aescul.00403465; Circulation 00403484 |. C705 FA444000 0>mov dword ptr ds:[4044fa],10040348e \. C3 retn00401000. /eb jmp short aescul.<moduleentrypoint>00401002. |58344000 DD aescul.0040345800401006. |5c344000 DD aescul.0040345c0040100a. |8f344000 DD aescul.0040348f0040100e. |9e344000 DD aescul.0040349e00401012. | A0344000 DD aescul.004034a000401016 a>/$ \6a push 0; /pmodule = NULL00401018 |. E8 CE240000 call <jmp.&kernel32. getmodulehandlea>; \getmodulehandlea0040101d | A3 87414000 mov dword ptr ds:[404187],eax00401022 |. 6A push 0; /lparam = NULL00401024 |. 84314000 Push aescul.00403184 | Dlgproc = aescul.00403184 00401029 |. 6A push 0; |howner = null0040102b |. 6A |ptemplate = 650040102D | FF35 87414000 push DWORD ptr ds:[404187]; |hinst = FFFFFFFF00401033 |. E8 7d240000 call <jmp.&user32. dialogboxparama>; \dialogboxparama00401038 | NOP; EndDialog back to this 00401039 |. nop0040103a |. NOP by EndDialog back to the system DLL after half a day to jump to this through the N many NOP to 00403038, is just after the code section of SMC, MessageBox also in this, blasting is not a 00403038 |. 33c0 xor eax,eax0040303a |. 93334000 Push aescul.004033930040303f |. 64:FF30 push dword ptr fs:[eax]00403042 |. 64:8920 mov dword ptr fs:[eax],esp00403045 |. 9C pushfd00403046 |. 9C pushfd00403047 |. EAX pop; eax=246h00403048 | 0D 00010000 or eax,100; eax=346h0040304d | Push eax0040304e |. 9D popfd0040304f |. nop00403050 |. 33f6 XOR Esi,esi; Empty Register 00403052 |. 33FF XOR Edi,edi; Empty Register 00403054 |. 33d2 XOR Edx,edx; Empty Register 00403056 |. 8b2d 124b4000 mov ebp,dword ptr ds:[404b12]; Cycle Times 240040305C |. BF 02454000 mov edi,aescul.00404502; The address of the correct registration code after the transformation is 00403061 |> 55/push ebp00403062 |. |push edi00403063 | |push esi00403064 | BD C0444000 |mov ebp,aescul.004044c0; ASCII "0i5lz7g123rxcv9opas6tbn48yuhjkdf0qwem" (String 2) 00403069 |. BB BA434000 |mov ebx,aescul.004043ba; ASCII "ws55661-640-0059266-23364" 0040306E |. 8a0433 |mov al,byte ptr Ds:[ebx+esi] ; Take a byte of the "WS" +productid to the al00403071 |. C1f8 |sar eax,4; EAX arithmetic Right shift 4 times 00403074 |. 83E0 0F |and eax,0f; EAX and 0F do with operations (take this byte high four bits) 00403077 |. E8 BF000000 |call aescul.0040313b0040307c | 8807 |mov byte ptr ds:[edi],al0040307e |. 8a0c33 |mov cl,byte ptr Ds:[ebx+esi]; Take a byte of the "WS" +produceid to the cl00403081 |. 83E1 0F |and ecx,0f; Take the lower four bits of the ECX (four-bit low for this byte) 00403084 |. 8BC1 |mov eax,ecx; Move to eax00403086 |. E8 B0000000 |call aescul.0040313b0040308b | 8847 |mov byte ptr ds:[edi+1],al0040308e |. 5E |pop esi0040308f | 5F |pop edi00403090 | 5D |pop ebp00403091 | |inc esi00403092 | 83c7 |add edi,200403095 |. 3BEE |cmp ebp,esi00403097 | ^ C8 \jnz short aescul.0040306100403099 |. 33f6 XOR Esi,esi; The following sequence of code comparison 0040309B |. 8b86 BA424000 mov eax,dword ptr ds:[esi+4042ba]; Registration Code 004030A1 |. 8b9e 02454000 mov ebx,dword ptr ds:[esi+404502]; The changed string 004030a7 3bc0 cmp eax,eax; Compare 004030A9 for the first time |. JNZ Short Aescul.004030f0004030ab |. 83c6 Add Esi,4004030ae |. 8b86 BA424000 mov eax,dword ptr ds:[esi+4042ba]004030B4 | 8b9e 02454000 mov ebx,dword ptr ds:[esi+404502]004030ba | 3BC3 CMP eax,ebx; The second comparison 004030BC JE short aescul.004030f0; Different then Jump 004030BE |. 83c6 Add Esi,4004030c1 |. 8b86 BA424000 mov eax,dword ptr ds:[esi+4042ba]004030c7 | 8b9e 02454000 mov ebx,dword ptr ds:[esi+404502]004030cd | 3BC3 CMP eax,ebx; The third time compares 004030CF 1F JE short aescul.004030f0; Do not jump 004030d1 | 83c6 Add Esi,4004030d4 |. 8b86 BA424000 mov eax,dword ptr ds:[esi+4042ba]004030da | 8b9e 02454000 mov ebx,dword ptr ds:[esi+404502] 004030E0 |. 3BC3 CMP eax,ebx; The fourth time compares 004030E2 0C JE short aescul.004030f0; Do not jump 004030E4 |. C705 F2444000 0>mov dword ptr ds:[4044f2],1; Registration Success Sign 1004030EE |. EB 0A jmp short aescul.004030fa004030f0 |> C705 F2444000 0>mov dword ptr ds:[4044f2],0; Set 0 (indicates registration failure) 004030FA |> 9D popfd004030fb |. 33c0 xor EAX,EAX004030FD |. 64:8f00 pop dword ptr fs:[eax]00403100 |. 83C4 Add esp,400403103 |. 833D F2444000 0>cmp dword ptr ds:[4044f2],1; 0040310A | JNZ shORT aescul.004031210040310c | 6A push 40; /style = mb_ok| mb_iconasterisk| mb_applmodal0040310e | 3d404000 Push aescul.0040403d | Title = "Congratulations ..." 00403113 |. AB414000 Push Aescul.004041ab | Text = "Registered To:yuchao" 00403118 |. 6A push 0; |howner = null0040311a |. E8 A8030000 call <jmp.&user32. messageboxa>; \messageboxa Registration Success 0040311F |. EB jmp Short aescul.0040313400403121 |> 6A push 30; /style = mb_ok| mb_iconexclamation| mb_applmodal00403123 | 50404000 Push aescul.00404050 | Title = "Error" 00403128 |. 56404000 Push aescul.00404056 | Text = "Wrong Serial number!" 0040312D |. 6A push 0; |howner = null0040312f |. E8 93030000 call <jmp.&user32. messageboxa>; \messageboxa Registration failure 00403134 |> 6A push 0; /exitcode = 000403136 \. E8 C8030000 call <jmp.&kernel32. exitprocess>; \exitprocess0040313b/$ 8935 EE444000 mov dword ptr ds:[4044ee],esi00403141 | 8B15 EA444000 mov edx,dword ptr ds:[4044ea]; Read the Last SavedLocation Record 00403147 |. 8b0d E6444000 mov ecx,dword ptr ds:[4044e6]; String Length 370040314D |. 3BD1 CMP edx,ecx; Last call when there was no traversal of the string 0040314F |. JB Short aescul.00403153; Iterate over the 00403151 |. 33d2 xor edx,edx00403153 |> 0fbe7415 00/movsx esi,byte ptr ss:[ebp+edx]; Take the string 2 byte 00403158 |. 81E6 0f000080 |and esi,8000000f; Take ESI's low four-bit 0040315E |. |jns short aescul.00403165; The sign bit is 0 o'clock jump 00403160 |. 4E |dec esi00403161 | 83CE F0 |or esi,fffffff000403164 |. |inc esi00403165 |> 3bf0 |cmp esi,eax; Find esi00403167 equal to EAX |. |je short aescul.00403172; Jump 00403169 |. |inc edx; Counter plus 10040316A |. 3BD1 |cmp edx,ecx; Whether 37 times 0040316C |. ^ 7C E5 |jl Short aescul.00403153; If not, jump back to 0040316E |. 33d2 |xor Edx,edx; Qing edx00403170 |. ^ EB E1 \jmp Short aescul.00403153; Jump Back Again Traversal (string 2) 00403172 |> 8915 EA444000 mov dword ptr ds:[4044ea],edx; Record the location of the found 00403178 |. 8b35 EE444000 mov esi,dword ptr ds:[4044ee]0040317e | 0fbe042a movsx eax,byte ptr ds:[edx+ebp]; Take That byte 00403182 |. EDX00403183 Inc. C3 RETN "Algorithm Summary" 1. Modify the data segment, which has the important data "0I5LZ7G123RXCV9OPAS6TBN48YUHJKDF0QWEM" (String 2), the registry subkey name key value name "ProductId" 2. Take the registration name entered, the registration code 3. Take the registry value ( The operating system's ProductID number), and precede it with the "WS" ==> (String 1) 4. To modify the code snippet, EndDialog5. Algorithm section: 1. Extract one byte from string 1 (ordinal from 1th to 24th characters) 2. Take the high four bit of the byte, Compares the lower four bits of the characters in the string 2, and the same records the position and the character 3. Takes the lower four bits of the byte, compares the string 2 record position backward and the character's low four-bit comparison, records the character (if not found after the comparison, compares from the start position of the array) 4. Repeat 123 (24 times) 5. Generates a 48-byte registration sequence of 6. The registration code compares only 128bit (16 bytes), so the registration code also as long as 16 "registration machine" #include <windows.h> #include <iostream.h>bool QueryValue (byte,char*,int); char szcode[17]={0};int nposition;int num;void Main () {char szproductid[26]={' W ', ' S '}; Char szproductidtemp[24]={0}; BYTE Bbyte=0,bbytetemp=0;char szbase[38]={' 0 ', ' I ', ' 5 ', ' L ', ' Z ', ' 7 ', ' G ', ' 1 ', ' 2 ', ' 3 ', ' R ', ' X ', ' C ', ' V ', ' 9 ', ' O ', ' P ', ' A ', ' S ', ' 6 ', ' T ', ' B ', ' N ', ' 4 ', ' 8 ', ' Y ', ' U ', ' H ', ' J ', ' K ', ' D ', ' F ', ' 0 ', ' Q ', ' W ', ' E ', ' M '};char szsubkey[]= ' software\\ Microsoft\\windows\\currentversion ";D word nlenght=sizeof (szproductidtemp); Hkey hresultkey;if (Error_success==regopenkeyex (Hkey_local_machine,szsubkey,0,key_query_value,&hresultkey)) if (error_success==regqueryvAlueex (Hresultkey, "ProductId", 0,0, (pbyte) szproductidtemp,&nlenght)) {strcat (szproductid,szproductidtemp); for (int i=0;i<8;i++) {bbyte=szproductid[i];bbytetemp= (bbyte&0xf0)/16; QueryValue (bbytetemp,szbase,nposition);bbytetemp=bbyte&0x0f; QueryValue (bbytetemp,szbase,nposition); Cout<<szcode<<endl}} BOOL QueryValue (BYTE bbyte,char* szbase,int npositiontemp) {for (int i=npositiontemp;i<37;i++) {if bbyte== (szBase[i ]&0x0f)) {Szcode[num++]=szbase[i];nposition=i;break} if (i==36) I=-1} return 0;} The Crackme train of thought is quite clear, also relatively simple and suitable for new recruits practiced (I?), the novice article inevitably wrong, million hope Master of the full text to be posted to all of you to ridicule!!! To force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) title Party (0 Votes) passing (0 Votes) original text: Simple Crackme (aescul) analysis back to network security home

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.