160 crackme training for novice crackers
This program offers two checks: one takes an account name plus a serial (Serial/Name), the other takes a KEY entered directly.
Patching the Serial/Name form
Error message: "Sorry, The serial is incorect!" (the typo is the program's). Don't worry about it. Set a breakpoint on MessageBox in OllyDbg (OD), let it break, and step out of MessageBox. The first function you return to is not the interesting one: it contains no conditional jump, so keep running until you return to its caller. After returning, look up in the disassembly.
To skip this error message, replace the JNZ at 0042F803 with NOP. After NOPing it, press F9 to let the program run and click [Check it Baby!] again. OD breaks at MessageBox once more, and this time the program pops up the GOOD window.
This function also shows an error box if the account name is shorter than 4 characters. Remember to set the MessageBox breakpoint before clicking [Check it Baby!].
When OD breaks, return two levels up. If you see no jump instruction after returning to the first level, continue to the level above.
If the account name you want to use does not pass the length check, change the JGE to JMP to force the jump.
Patching the KEY (Serial) input form
Same approach: set the MessageBox breakpoint first, type anything, and click [Check it Baby!]. The message "Try Again!!" pops up and OD breaks inside MessageBox. As before, after stepping out of MessageBox check whether there is a jump; if there is, see where it goes, otherwise keep returning to the caller.
Here, change the JNZ above to NOP so that execution falls through whatever the return value is. Press F9 to run the program after the modification; the patch works.
This function only needs a KEY, so let's go a step further and find out what the correct KEY is. Now that you know where the correct and incorrect paths split, set an INT3 breakpoint on the CALL just before that jump and look at its parameters.
The function does not pass its parameters with push; instead it loads two memory values into the registers EAX and EDX. That is clearly neither __stdcall nor __cdecl but a register-passing convention. Let's see what the registers hold.
EAX points to the string SSSSS I typed, and EDX points to another string. Is that the expected KEY? Enter the contents of EDX to find out.
Analyze the Serial/Name algorithm
Patching the Serial/Name check is done, but that is only patching.
To find the registration algorithm, first locate the patch point where registration succeeds.
0042FAFE |. E8 F93EFDFF   call Acid_bur.004039FC           ; The return value of this CALL decides the result
0042FB03 |. 75 1A         jnz XAcid_bur.0042FB1F           ; If the return value of the previous CALL is not equal to 0, jump to the error message
0042FB05 |. 6A 00         push 0x0
0042FB07 |. B9 CCFB4200   mov ecx,Acid_bur.0042FBCC
0042FB0C |. BA D8FB4200   mov edx,Acid_bur.0042FBD8
0042FB11 |. A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042FB16 |. 8B00          mov eax,dword ptr ds:[eax]
0042FB18 |. E8 53A6FFFF   call Acid_bur.0042A170
0042FB1D |. EB 18         jmp XAcid_bur.0042FB37           ; Unconditional jump that skips the error display
0042FB1F |> 6A 00         push 0x0
0042FB21 |. B9 74FB4200   mov ecx,Acid_bur.0042FB74
0042FB26 |. BA 80FB4200   mov edx,Acid_bur.0042FB80
0042FB2B |. A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042FB30 |. 8B00          mov eax,dword ptr ds:[eax]
0042FB32 |. E8 39A6FFFF   call Acid_bur.0042A170           ; This function calls MessageBox to display the error
If the comparison function call Acid_bur.004039FC returns 0, the registration code is correct, so let's look here. The program compares in plain text: watching the registers, I can see both the password 4567 I entered and the password the program computed.
I tested it: entering account 1234 with password CW-4018-CRACKED displays GOOD. But what I want is the algorithm. The plaintext KEY CW-4018-CRACKED is clearly a string, a number and another string joined together. So let's try IDA and search the binary for the string CRACKED.
Found it, at address 0042FAB3, very close to the patch point at 0042FB03. Now we can look at what the code does between 0042FA79 and 0042FAFE: 0042FA79 is the target of the jump taken when the account length is >= 4, and 0042FAFE is the comparison call.
0042FA79 |> \8D55 F0        lea edx,[local.4]
0042FA7C |. 8B83 DC010000   mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82 |. E8 D1AFFEFF     call Acid_bur.0041AA58           ; Get the account string; its address is stored at EBP-0x10
0042FA87 |. 8B45 F0         mov eax,[local.4]
0042FA8A |. 0FB600          movzx eax,byte ptr ds:[eax]      ; DWORD DATA = (DWORD)buff[0];
0042FA8D |. F72D 50174300   imul dword ptr ds:[0x431750]     ; DATA * [0x431750] == DATA * 0x29
0042FA93 |. A3 50174300     mov dword ptr ds:[0x431750],eax  ; [0x431750] = DATA * 0x29;
0042FA98 |. A1 50174300     mov eax,dword ptr ds:[0x431750]
0042FA9D |. 0105 50174300   add dword ptr ds:[0x431750],eax  ; [0x431750] *= 2
0042FAA3 |. 8D45 FC         lea eax,[local.1]
0042FAA6 |. BA ACFB4200     mov edx,Acid_bur.0042FBAC
0042FAAB |. E8 583CFDFF     call Acid_bur.00403708           ; Store the address of the "CW" string at EBP-0x4
0042FAB0 |. 8D45 F8         lea eax,[local.2]
0042FAB3 |. BA B8FB4200     mov edx,Acid_bur.0042FBB8        ; CRACKED
0042FAB8 |. E8 4B3CFDFF     call Acid_bur.00403708           ; Store the string address at EBP-0x8
0042FABD |. FF75 FC         push [local.1]
0042FAC0 |. 68 C8FB4200     push Acid_bur.0042FBC8           ; UNICODE "-"
0042FAC5 |. 8D55 E8         lea edx,[local.6]
0042FAC8 |. A1 50174300     mov eax,dword ptr ds:[0x431750]
0042FACD |. E8 466CFDFF     call Acid_bur.00406718           ; Convert the number stored at 0x431750 to a string; its address is stored at EBP-0x18
0042FAD2 |. FF75 E8         push [local.6]
0042FAD5 |. 68 C8FB4200     push Acid_bur.0042FBC8           ; UNICODE "-"
0042FADA |. FF75 F8         push [local.2]
0042FADD |. 8D45 F4         lea eax,[local.3]
0042FAE0 |. BA 05000000     mov edx,0x5
0042FAE5 |. E8 C23EFDFF     call Acid_bur.004039AC           ; String concatenation: (EBP-0x4)+"-"+(EBP-0x18)+"-"+(EBP-0x8) is stored at EBP-0xC
0042FAEA |. 8D55 F0         lea edx,[local.4]
0042FAED |. 8B83 E0010000   mov eax,dword ptr ds:[ebx+0x1E0]
0042FAF3 |. E8 60AFFEFF     call Acid_bur.0041AA58           ; Get the entered password
0042FAF8 |. 8B55 F0         mov edx,[local.4]
0042FAFB |. 8B45 F4         mov eax,[local.3]
0042FAFE |. E8 F93EFDFF     call Acid_bur.004039FC           ; Compare the entered password with the KEY calculated by the program
0042FB03 |. 75 1A           jnz XAcid_bur.0042FB1F           ; If the return value of the previous CALL is not equal to 0, jump to the error message
Converted to C, this becomes:
#include <stdio.h>

/* mima is the account name; only its first character feeds the KEY */
void Decryption(char *mima)
{
    char szBuff[260];
    unsigned long data = (unsigned long)(unsigned char)mima[0]; /* movzx eax, byte ptr [eax] */
    data *= 0x29;                                               /* imul dword ptr [0x431750] */
    data *= 2;                                                  /* add [0x431750], eax */
    sprintf(szBuff, "CW-%lu-CRACKED", data);                    /* "CW" + "-" + number + "-" + "CRACKED" */
    printf("%s\r\n", szBuff);
}
Because the KEY calculation uses only the first character of the account name, the remaining three characters play no part. Therefore the accounts abcd and aaaa have the same KEY.
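To make that weakness checkable, here is an added example (my code, not the page's or the crackme's) that reimplements the derivation as a serial check with the 4-character length guard, so the abcd/aaaa collision and the 1234 -> CW-4018-CRACKED result can be verified directly. The constant 0x29 and the minimum length are taken from the listing above; everything else is assumed.

```c
#include <stdio.h>
#include <string.h>

#define MIN_NAME_LEN 4      /* length check guarded by the JGE before 0042FA79 */
#define MULTIPLIER   0x29   /* constant the imul reads from ds:[0x431750] */

/* Numeric part of the serial, as computed at 0042FA8A-0042FA9D:
 * first byte of the name, times 0x29, times 2. */
unsigned long serial_number(const char *name)
{
    unsigned long data = (unsigned char)name[0]; /* movzx eax, byte ptr [eax] */
    data *= MULTIPLIER;                          /* imul dword ptr [0x431750] */
    data *= 2;                                   /* add [0x431750], eax */
    return data;
}

/* Build the full serial "CW-<number>-CRACKED" (the concatenation at 0042FAE5).
 * Returns 0 on success, -1 when the name fails the 4-character minimum. */
int derive_serial(const char *name, char *out, size_t out_len)
{
    if (name == NULL || strlen(name) < MIN_NAME_LEN)
        return -1;
    snprintf(out, out_len, "CW-%lu-CRACKED", serial_number(name));
    return 0;
}

/* Mirror of the plaintext comparison at 0042FAFE: 1 if the serial is accepted. */
int check_serial(const char *name, const char *serial)
{
    char expected[64];
    if (derive_serial(name, expected, sizeof expected) != 0)
        return 0;
    return strcmp(expected, serial) == 0;
}

int main(void)
{
    /* constructed sample names; abcd and aaaa print the same serial because
     * only name[0] is used, so the scheme has one serial per first character */
    const char *names[] = { "1234", "abcd", "aaaa" };
    char serial[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        derive_serial(names[i], serial, sizeof serial);
        printf("%s -> %s\n", names[i], serial);
    }
    return 0;
}
```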