This program offers two registration paths: one takes an account name and password (Serial/Name), the other takes a KEY directly.
Blasting the account/password form: Serial/Name
Error message: Sorry, The serial is incorect! Don't worry about it. Step through it directly in OD. The first function we return to after stepping out of the MessageBox function is not the key point, because it contains no special jump instruction; keep running to the end of that function and return to the layer above it. After returning, look upward through the disassembly.
To skip this error message, patch the JNZ at 0042F803 to NOP. After patching, press F9 to let the program run, then click [Check it Baby!] again. OD breaks at MessageBox again, and this time the program pops up the GOOD window.
This function also shows an error prompt if the account name is shorter than 4 characters. Remember to set the MessageBox breakpoint before clicking [Check it Baby!].
When OD breaks, return up two levels. If you see no jump instruction at the first level, continue to the level above.
If the account name you want to use is shorter than 4 characters, change the JGE to JMP to force the jump.
Blasting the KEY input: Serial
In the same way, first set the MessageBox breakpoint, type anything into the field, and click [Check it Baby!]; the message "Try Again!!" pops up and OD breaks in MessageBox. As before, after leaving MessageBox check whether there is a jump; if there is, see where it leads, and if not, keep returning to the upper level.
Patch the JNZ found there to NOP so execution falls through regardless of what the check returns. Press F9 to run the program after the modification: the blasting succeeds.
This path only requires a KEY, so let's also try to find out what the correct KEY is. Now that the jump locations for the correct and incorrect cases are known, set an INT3 after the jump point and look at the parameters of the CALL there.
The function does not pass its parameters with push; instead it loads two memory operands into the registers EAX and EDX. That is clearly neither __stdcall nor __cdecl, so let's look at what the registers hold.
EAX holds the string SSSSS that I typed, and EDX holds another string. Is that the decrypted KEY? Type the contents of EDX into the field to find out.
Analyzing the Serial/Name algorithm
The Serial/Name blasting above is finished, but it was only blasting: it bypasses the check without revealing the algorithm.
To find the registration algorithm, you must first find the blasting point at which registration succeeds.
The call to Acid_bur.004039FC is the comparison function: if it returns 0, the registration code is accepted. So let's look at that spot. The program compares directly in plain text; by watching the registers I can see the password 4567 that I entered next to the calculated password.
Testing it myself, entering the account 1234 and the password CW-4018-CRACKED displays GOOD, so it is correct. What I want, though, is the algorithm. The plaintext KEY CW-4018-CRACKED is made up of a string, a number, and a string, so we can try IDA: search IDA for the string CRACKED.
Good luck, I found it, at address 0042FAB3. In OD this is very close to the blasting point, which was at 0042FB03. So let's look at what the function does here. The relevant code spans 0042FA79 to 0042FAFE, since 0042FA79 is where the jump on account length >= 4 is computed and 0042FAFE is the function call.
Converted to C, this is:
Because the KEY calculation uses only the first letter of the account name, the remaining three characters have no effect; the accounts abcd and aaaa therefore get the same KEY.
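The collision described above is the real weakness of this scheme, so the following added example (not code from the page or from the crackme itself) models the key structure the page describes, "CW-" + number + "-CRACKED" with the number derived only from the first character, and shows that two different names yield the same key. The exact formula for the number is an assumption: ord(name[0]) * 0x29 * 2 is consistent with the page's sample (account 1234 gives CW-4018-CRACKED, since 0x31 * 0x29 * 2 == 4018), but it is not stated on the page. For contrast, a hypothetical serial that binds the whole name through a keyed MAC does not collide, and is compared in constant time instead of the plaintext comparison the page observed in the debugger.

```python
import hashlib
import hmac

MIN_NAME_LEN = 4  # the page notes the check rejects names shorter than 4 characters


def first_char_serial(name: str) -> str:
    """Key structure as the page describes it: only name[0] influences the number.

    ASSUMPTION: number = ord(name[0]) * 0x29 * 2; this fits the page's sample
    (1234 -> CW-4018-CRACKED) but the multiplier is not given on the page.
    """
    if len(name) < MIN_NAME_LEN:
        raise ValueError("account name must be at least 4 characters")
    number = (ord(name[0]) * 0x29) * 2
    return f"CW-{number}-CRACKED"


def collides(name_a: str, name_b: str) -> bool:
    """True when two different names are issued the same serial."""
    return name_a != name_b and first_char_serial(name_a) == first_char_serial(name_b)


# Hypothetical stronger scheme (constructed for this example, not from the page):
# derive the serial from every byte of the name with a keyed MAC.
DEMO_KEY = b"constructed-demo-key"  # constructed placeholder, not a real secret


def mac_serial(name: str) -> str:
    if len(name) < MIN_NAME_LEN:
        raise ValueError("account name must be at least 4 characters")
    tag = hmac.new(DEMO_KEY, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return f"CW-{tag.upper()}-CRACKED"


def mac_serial_valid(name: str, serial: str) -> bool:
    """Constant-time comparison, unlike the plaintext compare the page found."""
    return hmac.compare_digest(mac_serial(name), serial)


if __name__ == "__main__":
    for a, b in [("abcd", "aaaa"), ("1234", "1xyz")]:
        print(a, first_char_serial(a), b, first_char_serial(b), "collide:", collides(a, b))
        print(a, mac_serial(a), b, mac_serial(b))
```

The first scheme collapses the whole name to one byte, so every name sharing a first character shares a serial. The MAC variant fixes the collision, but a symmetric key embedded in the client binary can still be recovered by the same debugger walk the page performs; a deployable version would verify a public-key signature over the name instead.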