160 CrackMe-001(2)


160 crackme training for novice crackers


This program provides two functions: one takes an account name and a serial (Serial/Name), the other takes a KEY directly.
Patching the Serial/Name form

Error message: Sorry, The serial is incorect! Don't worry about it. Set a breakpoint on MessageBox in OllyDbg (OD) and step out once it breaks. The function you return into first is not the key point: it contains no conditional jump, so keep running until you leave this function too and return to the caller above it. Once there, look back up through the disassembly.

To skip this error message, change the JNZ at 0042F803 to NOP. After NOPing it, press F9 to let the program run, then click [Check it Baby!] again. OD breaks at MessageBox again, and this time the program pops up a GOOD window.
Inside this function there is also an error box if the account is shorter than 4 characters~~! Remember to set the MessageBox breakpoint before clicking [Check it Baby!].

When OD breaks, return two levels up. If you see no jump instruction at the first level, continue to the level above it.

If the account you want to enter is shorter than 4 characters, just change the JGE to JMP to force the jump! ! !

Patching the direct KEY input

In the same way, set the MessageBox breakpoint first, type anything in, and click [Check it Baby!]. The message Try Again!! pops up and OD breaks in MessageBox. As before, after stepping out of MessageBox check whether there is a jump; if there is, see where it goes, if not, keep returning to the upper level.


Change the JNZ above to NOP so that execution falls through regardless of the return value. Press F9 to run the program after the modification! The patch was successful.
This function only needs a KEY. Let's also try to find out what the correct KEY is! ! Now that you know the jump locations for the correct and incorrect cases, put a breakpoint (INT3) on the CALL just before the jump and look at its parameters.
The function does not pass its parameters with push; instead two memory values are loaded into the registers EAX and EDX. This is obviously not __stdcall or __cdecl. Let's look at the values in the registers.

EAX holds the string SSSSS that I entered, and EDX holds another string. Is that the decrypted KEY? Enter the contents of EDX to find out.

Analyze the Serial/Name algorithm

The Serial/Name patching is done, but that was only patching.

To find the registration algorithm, first locate the patch point where registration succeeds.

0042FAFE  |.  E8 F93EFDFF   call Acid_bur.004039FC ; The return value of this CALL
0042FB03  |.  75 1A         jnz XAcid_bur.0042FB1F  ; If the return value of the previous CALL is not equal to 0, jump to the error message
0042FB05  |.  6A 00         push 0x0
0042FB07  |.  B9 CCFB4200   mov ecx,Acid_bur.0042FBCC
0042FB0C  |.  BA D8FB4200   mov edx,Acid_bur.0042FBD8
0042FB11  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042FB16  |.  8B00          mov eax,dword ptr ds:[eax]
0042FB18  |.  E8 53A6FFFF   call Acid_bur.0042A170
0042FB1D  |.  EB 18         jmp XAcid_bur.0042FB37 ; Force jump, skip the error display.
0042FB1F  |>  6A 00         push 0x0
0042FB21  |.  B9 74FB4200   mov ecx,Acid_bur.0042FB74
0042FB26  |.  BA 80FB4200   mov edx,Acid_bur.0042FB80
0042FB2B  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042FB30  |.  8B00          mov eax,dword ptr ds:[eax]
0042FB32  |.  E8 39A6FFFF   call Acid_bur.0042A170 ; MessageBox is called in the function to display an error

If the judgment function call Acid_bur.004039FC returns 0, the registration code is correct. So let's take a look here. The comparison is done directly in plaintext: by inspecting the registers I can see the password 4567 I entered and the password the program calculated.

I tested it myself: entering account 1234 and password CW-4018-CRACKED displays GOOD, so it is correct. But what I want is the algorithm. Looking at the plaintext KEY CW-4018-CRACKED, it is composed of a string, a number, and a string. So we can try IDA: search IDA for the string CRACKED.

Good luck, I found it, at address 0042FAB3. In OD that is very close to the patch point~~~ The patch point was at 0042FB03. So let's look at what the function does here. The relevant range is 0042FA79 to 0042FAFE, because 0042FA79 is the target of the account-length >= 4 jump and 0042FAFE is the function call.

0042FA79  |> \8D55 F0       lea edx,[local.4]
0042FA7C  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82  |.  E8 D1AFFEFF   call Acid_bur.0041AA58           ; Get the account, string, and the first address of the string is stored at EBP-0X10
0042FA87  |.  8B45 F0       mov eax,[local.4]
0042FA8A  |.  0FB600        movzx eax,byte ptr ds:[eax]      ;  DWORD DATA = (DWORD)buff[0];
0042FA8D  |.  F72D 50174300 imul dword ptr ds:[0x431750]     ;  DATA * [0x431750] == DATA * 0x29 (0x431750 holds 0x29)
0042FA93  |.  A3 50174300   mov dword ptr ds:[0x431750],eax  ;  0x431750 = DATA * 0x29;
0042FA98  |.  A1 50174300   mov eax,dword ptr ds:[0x431750]
0042FA9D  |.  0105 50174300 add dword ptr ds:[0x431750],eax  ;  0x431750 *= 2
0042FAA3  |.  8D45 FC       lea eax,[local.1]
0042FAA6  |.  BA ACFB4200   mov edx,Acid_bur.0042FBAC
0042FAAB  |.  E8 583CFDFF   call Acid_bur.00403708           ; Store the first address of the CW string at EBP-0x4
0042FAB0  |.  8D45 F8       lea eax,[local.2]
0042FAB3  |.  BA B8FB4200   mov edx,Acid_bur.0042FBB8        ;  CRACKED
0042FAB8  |.  E8 4B3CFDFF   call Acid_bur.00403708           ; Store the string address at EBP-0X8
0042FABD  |.  FF75 FC       push [local.1]
0042FAC0  |.  68 C8FB4200   push Acid_bur.0042FBC8           ;  UNICODE "-"
0042FAC5  |.  8D55 E8       lea edx,[local.6]
0042FAC8  |.  A1 50174300   mov eax,dword ptr ds:[0x431750]
0042FACD  |.  E8 466CFDFF   call Acid_bur.00406718           ; Convert the number stored at 0x431750 to a decimal string; its address is stored at EBP-0x18
0042FAD2  |.  FF75 E8       push [local.6]
0042FAD5  |.  68 C8FB4200   push Acid_bur.0042FBC8           ;  UNICODE "-"
0042FADA  |.  FF75 F8       push [local.2]
0042FADD  |.  8D45 F4       lea eax,[local.3]
0042FAE0  |.  BA 05000000   mov edx,0x5
0042FAE5  |.  E8 C23EFDFF   call Acid_bur.004039AC           ; String splicing. (EBP-0X4)+(EBP-0X18)+(EBP-0X8) is stored in ebp-0xC
0042FAEA  |.  8D55 F0       lea edx,[local.4]
0042FAED  |.  8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042FAF3  |.  E8 60AFFEFF   call Acid_bur.0041AA58           ; Get the entered password
0042FAF8  |.  8B55 F0       mov edx,[local.4]
0042FAFB  |.  8B45 F4       mov eax,[local.3]
0042FAFE  |.  E8 F93EFDFF   call Acid_bur.004039FC           ; Compare the entered password with the KEY calculated by the program
0042FB03  |.  75 1A         jnz XAcid_bur.0042FB1F           ; If the return value of the previous CALL is not equal to 0, jump to the error message

Converted to C, this is:

#include <stdio.h>

/* mima = the account name; only its first character feeds the KEY */
void Decryption(char* mima)
{
    char szBuff[260];
    unsigned long data = (unsigned char)mima[0];  /* movzx: zero-extended byte */
    data *= 0X29;                                 /* imul by [0x431750] == 0x29 */
    data *= 2;                                    /* add [0x431750], eax */
    sprintf(szBuff, "CW-%lu-CRACKED", data);      /* "CW-" + number + "-CRACKED" */
    printf("%s \r\n", szBuff);
}

When calculating the KEY, only the first character of the account name is used; the remaining characters do not matter. Therefore accounts abcd and aaaa have the same KEY.
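The whole Serial/Name check, reimplemented as a standalone C program (an added example, not the crackme's own code): it applies the length check, derives the serial from the first character exactly as the listing above does, and mirrors the final compare that decides between GOOD and the error box. Note that the listing writes the product back to 0x431750, so unless the program resets that value somewhere not shown here, 0x29 is the multiplier only on the first check of a session; the example models that first check.

```c
#include <stdio.h>
#include <string.h>

/* The JGE before 0042FA79 only reaches the key code when the account
 * name has at least 4 characters; shorter names get an error box. */
#define MIN_NAME_LEN 4

/* Build the serial the program expects for an account name, following
 * the listing 0042FA87..0042FAE5. Only name[0] matters.
 * Returns 0 on success, -1 if the name is too short to reach the key code. */
int make_serial(const char *name, char *out, size_t outlen)
{
    if (name == NULL || strlen(name) < MIN_NAME_LEN)
        return -1;
    unsigned long data = (unsigned char)name[0]; /* movzx eax, byte ptr [eax]   */
    data *= 0x29;                                /* imul [0x431750], holds 0x29 */
    data *= 2;                                   /* add  [0x431750], eax        */
    /* 004039AC splices "CW-" + number + "-CRACKED" into one string */
    if (snprintf(out, outlen, "CW-%lu-CRACKED", data) >= (int)outlen)
        return -1;
    return 0;
}

/* Mirror 0042FAFE/0042FB03: the compare returns 0 only when the entered
 * serial equals the computed one, and the JNZ sends anything else to the
 * error box. Returns 1 for GOOD, 0 for the error path. */
int check_serial(const char *name, const char *serial)
{
    char expected[64];
    if (make_serial(name, expected, sizeof expected) != 0)
        return 0;
    return strcmp(expected, serial) == 0;
}

int main(void)
{
    /* Constructed sample inputs: the write-up's 1234, the abcd/aaaa pair,
     * and a name too short to pass the length check. */
    const char *names[] = { "1234", "abcd", "aaaa", "abc" };
    char key[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (make_serial(names[i], key, sizeof key) == 0)
            printf("%-5s -> %s\n", names[i], key);
        else
            printf("%-5s -> error: fewer than %d characters\n", names[i], MIN_NAME_LEN);
    }
    return 0;
}
```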
