[Disassembly exercise] 160 CrackMe 004(2)


Moving on to the fourth of the 160 CrackMes, CKme. The archive unpacks to two files, an exe and a text file. The text file says there are no buttons such as “OK” and that a picture appears once registration succeeds, but that does not help me crack it. First check for a packer: there is none, and the program is compiled with Delphi.

Try entering www.moozoi1.cn as the user name first; it does not fit. The last two letters cannot be entered, so there seems to be a length limit. Then enter a registration code, a long string of “1”; there is no length limit there. Nothing happens when the input is complete. Moving the mouse around brings up hints: when the mouse is over the input box, a floating hint says “If the registration is successful, a beautiful picture of Miss Zhu Yin will appear in the program”; when the mouse is over the shaded rectangle in the middle of the window, the cursor changes to “?” and the same floating hint appears. But nothing happens when I click it.

Load it into OD and search for the string “registered successfully”:

Double-click the string to go to it in the CPU window and look upward: there is a jnz at address 00458092, but it jumps upward, so keep looking up:

Soon there is another jump, at address 0045803B: jnz XCKme.004580B3, which skips the registration-success code.

So this is likely the key jump. Try NOPing it first:

OD now shows the program status as “running”, so I switch to the CKme window to check, and still nothing moves. Then I click the gray picture frame, and the picture of beautiful Miss Zhu Yin comes out! Success! Save the patched file right away!

Okay, now to track down the real registration code! I don’t know how long it will take this time!

Because the jump at 0045803B skips the registration-success code, the registration algorithm must come before this instruction.

Go up to the start of the routine at 00457FB8 and set a breakpoint, reload the program, press F9 to run, enter the user name and registration code, click the picture box, and the program stops:

Press F8 to step down:

00457FB8 /. 55 push ebp
00457FB9 |. 8BEC mov ebp,esp
00457FBB |. B9 04000000 mov ecx,0x4
00457FC0 |> 6A 00 /push 0x0
00457FC2 |. 6A 00 |push 0x0
00457FC4 |. 49 |dec ecx
00457FC5 |.^ 75 F9 \jnz XCKme.00457FC0 ; Do the loop jump 4 times, don’t know what it means?
00457FC7 |. 51 push ecx
00457FC8 |. 53 push ebx
00457FC9 |. 56 push esi
00457FCA |. 8BF0 mov esi,eax
00457FCC |. 33C0 xor eax,eax
00457FCE |. 55 push ebp
00457FCF |. 68 FD804500 push CKme.004580FD
00457FD4 |. 64:FF30 push dword ptr fs:[eax]
00457FD7 |. 64:8920 mov dword ptr fs:[eax],esp
00457FDA |. 33DB xor ebx,ebx
00457FDC |> 8D55 F4 /lea edx,[local.3]
00457FDF |. 8B86 D4020000 |mov eax,dword ptr ds:[esi+0x2D4]
00457FE5 |. E8 5EB3FCFF |call CKme.00423348
00457FEA |. 8B45 F4 |mov eax,[local.3] ; Take username
00457FED |. E8 8ABBFAFF |call CKme.00403B7C
00457FF2 |. 83C0 1E |add eax,0x1E
00457FF5 |. 8D55 F8 |lea edx,[local.2]
00457FF8 |. E8 07FBFAFF |call CKme.00407B04
00457FFD |. FF75 F8 |push [local.2] ; 42?
00458000 |. 8D55 F0 |lea edx,[local.4]
00458003 |. 8B86 D4020000 |mov eax,dword ptr ds:[esi+0x2D4]
00458009 |. E8 3AB3FCFF |call CKme.00423348
0045800E |. FF75 F0 |push [local.4] ;
00458011 |. 8D55 EC |lea edx,[local.5]
00458014 |. 8BC3 |mov eax,ebx
00458016 |. E8 E9FAFAFF |call CKme.00407B04
0045801B |. FF75 EC |push [local.5]
0045801E |. 8D45 FC |lea eax,[local.1]
00458021 |. BA 03000000 |mov edx,0x3
00458026 |. E8 11BCFAFF |call CKme.00403C3C
0045802B |. 43 |inc ebx ;ebx adds 1 to 19
0045802C |. 83FB 13 |cmp ebx,0x13
0045802F |.^ 75 AB \jnz XCKme.00457FDC
00458031 |. 81BE 0C030000>cmp dword ptr ds:[esi+0x30C],0x85 ;Compare true and false
0045803B 75 76 jnz XCKme.004580B3 ; Skip successfully


I don’t know what the two loops in this stretch are for, especially the second one, which runs 18 times!
I searched this stretch repeatedly but never found how the registration code is calculated from the user name! I only saw a string like 42www.52poje.18 in the stack window. Is it the registration code? Are 42 and 18 calculated from the user name?

First try the user name www.52poje. with the registration code 42www.52poje.18: incorrect!
And the comparison cmp dword ptr ds:[esi+0x30C],0x85 has nothing to do with the loop above!

Do I have to keep following the calculation further down to finally get the registration code?

I’m stuck!

Scrolling up through the code in the disassembly window, I suddenly noticed two suspicious ASCII strings: “Sun Bird” and “dseloffc-012-OK”.

Continuing upward, there are two assignment statements; the two strings just seen are annotated automatically, and there are two more “black heads”!

Further up, more strings appear: “CKM”, “Tform1”, “Panel1Click”, “Panel1DblClick”, “KeyUp”, “chkcode”, “FormCreate”, “Label6”, “Panel1”, “Label4”, “Image1”, “Edit2”, “Edit1”, etc. I guess these are the names of the controls and events used in the Delphi program: the usual labels Label1 to Label6, the text edit boxes Edit1 and Edit2, the picture, and so on. chkcode is the most suspicious one. What code would it check? It should be the registration code!

But I searched for it several times in OD and found only the name “chkcode” in memory, nowhere else.
OD alone is not enough, so use a dedicated tool. Find E2A in the toolkit, open it, load Ckme.exe, right-click Form1 and select all forms, click the small plus sign in front of the events and controls of interest, and, as shown in the figure, write down the event addresses:

Back in OD, press Ctrl+G, enter 00457C40 and confirm to reach the start of the chkcode event. Delete the original breakpoint first, then set one here, press F9 to run, enter the user name, and just click in the registration code text box: the program stops here before any character is entered!

Single-step to address 00457CB6 and look at the information pane! Is this the registration code? Copy it down and try it:

Paste it into the registration code text box and click the form; it breaks again. Press F9 to run, and it breaks here again!

I forgot to remove the breakpoint! Quickly press F2 to toggle it off, then press F9 to run, and the registration succeeds! It took several mouse clicks, though; the program is very unresponsive. Is something wrong?

In the registration code I saw four strings: “black head SUN Bird”, “17”, “dseloffc-012-OK” and “www.52pojie.”. Two of them are strings already in program memory and one is the user name I entered, but where does the “17” come from? I have to look for it.

Clear the breakpoint at 00457C40 and start over. It broke at the start of the routine as soon as a registration code was entered, which suggests that the check of the code begins as soon as there is a registration code, so the real code should already have been generated once the user name is in place. Run on: at address 00457C6F, “Black Sun Bird” is pushed onto the stack; at address 00457C7F, push [local.2] pushes the value 17, but it is not assigned here! At address 00457C82, “dseloffc-012-OK” is pushed, and at address 00457C96, “www.52pojie.”. By address 00457CB6 the generated registration code “Blackhead Sun Bird17dseloffc-012-OKwww.52pojie.” is already there.
Go back and see where it comes from. Reload the program, press F9 to run, paste “www.52pojie.” as the user name, then click the registration code text box; the program stops again. The 17 is produced before 00457C7F, so watch carefully this time:

At address 00457C66, the instruction mov esi,dword ptr ds:[ebx+0x2F8] leaves esi=0xc; the next instruction makes esi=esi+0x5=0x11, and hexadecimal 11 is decimal 17! That explains the 17, but where does 0xc (12 in decimal) come from? A previous crackme used the user name length; is this the same? Count it: the user name really is 12 characters!

To be sure, keep experimenting: with the breakpoint at 00457C66, enter twelve “1”s as the user name, then any registration code, and it breaks! Single-step again until the registration code appears in the information pane, as in the following figure. It really is the two strings built into the program combined with the user name length plus five and the user name itself. Paste this registration code into the program’s text box, click the mouse, and the registration succeeds!

Try another user name, this time the four Chinese characters “I love crack”: at address 00457C66, ds:[00951C6C]=00000008. One Chinese character counts as two, so the length is 8, not 4. The next instruction gives 8+5=13; continue down and the registration code appears again: “Blackhead Sun Bird13dseloffc-012-OK I love to crack”:

Paste it into the text box, run, click the mouse many times, and the registration succeeds!

Then the code to generate the registration code is as follows:

00457C66 |. 8BB3 F8020000 mov esi,dword ptr ds:[ebx+0x2F8] ; esi=0xc,Hexadecimal value of username length
00457C6C |. 83C6 05 add esi,0x5 ; 0xc+0x5=0x11,The hexadecimal number 11 is converted to the decimal number 17!
00457C6F |. FFB3 10030000 push dword ptr ds:[ebx+0x310] ; ds:[00951C84]=00951F24, (ASCII “BlackheadSun Bird”)
00457C75 |. 8D55 F8 lea edx,[local.2]
00457C78 |. 8BC6 mov eax,esi
00457C7A |. E8 85FEFAFF call CKme.00407B04
00457C7F |. FF75 F8 push [local.2] ; ss:[0012FC90]=00955F9C, (ASCII “17”)
00457C82 |. FFB3 14030000 push dword ptr ds:[ebx+0x314] ; ds:[00951C88]=00951F40, (ASCII “dseloffc-012-OK”)
00457C88 |. 8D55 F4 lea edx,[local.3]
00457C8B |. 8B83 D4020000 mov eax,dword ptr ds:[ebx+0x2D4]
00457C91 |. E8 B2B6FCFF call CKme.00423348
00457C96 |. FF75 F4 push [local.3] ; ss:[0012FC8C]=009557D8, (ASCII “www.52pojie.”)
00457C99 |. 8D83 18030000 lea eax,dword ptr ds:[ebx+0x318]
00457C9F |. BA 04000000 mov edx,0x4
00457CA4 |. E8 93BFFAFF call CKme.00403C3C ; Don’t understand what call
00457CA9 |. 33D2 xor edx,edx
00457CAB |. 8B83 F4020000 mov eax,dword ptr ds:[ebx+0x2F4]
00457CB1 |. E8 AAB5FCFF call CKme.00423260
00457CB6 |. 8B93 18030000 mov edx,dword ptr ds:[ebx+0x318] ; ds:[00951C8C]=009557F4, (ASCII “BlackheadSun Bird17dseloffc-012-OKwww.52pojie.”)


The registration algorithm is very simple. Four strings are concatenated: “Blackhead Sun Bird” + (user name length + 5) + “dseloffc-012-OK” + user name!
The keygen will be written in VB. I don’t know how to program in Delphi, so VB it is for now!

Copy the keygen from crackme003 and modify it: in the property list of Text1 on the form, find the MaxLength property and set it to 12, so that at most 12 characters can be entered.
The code of the button event is as follows:


Private Sub Command1_Click()
    ' Variable types are not declared here
    Dim str1, lend, str2, str3
    If Text1.Text <> "" Then
        str1 = (Text1.Text)
        ' Originally lend = Len(str1), but Len counts Chinese and English characters alike as 1
        lend = LenB(StrConv(str1, vbFromUnicode))
        str2 = lend + 5
        str3 = "blackheadSun Bird" & str2 & "dseloffc-012-OK" & str1
        Text2.Text = str3
    Else: MsgBox ("Username can not be empty")
    End If
End Sub


Running it quickly revealed a problem. VB treats one Chinese character as 1 character, while Ckme treats it as 2, so the user-name-length number in the middle came out wrong and registration failed. I found a VB function on the Internet, switched to LenB with the extra parameter, and tested with user names made of pure Chinese characters and of other strings.

OK, this exercise is over!
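The length rule above, as an added Python example (not the author's VB keygen): it builds the registration code from the byte length of the user name and sets it beside the character-count version that failed for Chinese names. The `gbk` code page, the sample Chinese name and the function names are assumptions, and the first constant is spelled as this page renders it in the debugger listing.

```python
# Added example: Python equivalent of the keygen logic, not the author's code.
PREFIX = "BlackheadSun Bird"   # first constant, as this page renders it at 00457C6F
MIDDLE = "dseloffc-012-OK"     # second constant, pushed at 00457C82
CODEPAGE = "gbk"               # assumption: CKme runs under a Chinese ANSI code page


def name_length(username: str, codepage: str = CODEPAGE) -> int:
    """Length as CKme counts it: bytes in the ANSI code page, not characters."""
    try:
        return len(username.encode(codepage))
    except UnicodeEncodeError as exc:
        raise ValueError(f"user name not representable in {codepage}") from exc


def make_serial(username: str, codepage: str = CODEPAGE) -> str:
    """PREFIX + decimal(length + 5) + MIDDLE + user name."""
    if not username:
        raise ValueError("user name must not be empty")
    return f"{PREFIX}{name_length(username, codepage) + 5}{MIDDLE}{username}"


def naive_serial(username: str) -> str:
    """Character-count variant (VB Len): wrong for double-byte characters."""
    return f"{PREFIX}{len(username) + 5}{MIDDLE}{username}"


if __name__ == "__main__":
    # Sample names: the 12-character name from the page, twelve "1"s,
    # and a constructed four-character Chinese name.
    for name in ("www.52pojie.", "1" * 12, "我爱破解"):
        good, bad = make_serial(name), naive_serial(name)
        note = "" if good == bad else f"   (character count gives: {bad})"
        print(f"{name!r}: {good}{note}")
```

For ASCII names the two functions agree; they diverge only when a character takes more than one byte in the code page.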



