160 crackme training for novice crackers
1. Demolition
2. Find Algorithm
One: Blasting procedure
This program is a VB program, and I have not been exposed to programs other than C++ before. When the program is loading, neither BP MessageBoxA nor MessageBoxW can break the pop-up window.
Temporarily look at the VB program of “Encryption and Decryption III” and learn that the dialog box function of VB is: rtcMsgBox. There are VB function breakpoints in the OD plug-in, click to clear the rtcMsgBox breakpoint. Then enter the account tqdn password 1234 and click the control OK to let the program run.
After the program ran, it was broken in the dynamic link library of MSVBVM50. This should be the scope of the rtcMsgBox function. Just press F8 to get out of this function, a message box will pop up and display “You Get Wrong Try Again” as you go down, it should be an error message.
After stepping out of the function, return to the following.
|
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
004025E1 . 51 push ecx004025E2 . 52 push edx004025E3 . EB 56 jmp XAfkayas_.0040263B ; Skipped wrong display004025E5 > 68 C81B4000 push Afkayas_.00401BC8 ; UNICODE "You Get Wrong"004025EA . 68 9C1B4000 push Afkayas_.00401B9C ; ASCII "\r"004025EF . FFD7 call edi004025F1 . 8BD0 mov edx,eax004025F3 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]004025F6 . FFD3 call ebx004025F8 . 50 push eax004025F9 . 68 E81B4000 push Afkayas_.00401BE8 ; UNICODE "Try Again"004025FE . FFD7 call edi00402600 . 8945 CC mov dword ptr ss:[ebp-0x34],eax00402603 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]00402606 . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]00402609 . 50 push eax0040260A . 8D55 B4 lea edx,dword ptr ss:[ebp-0x4C]0040260D . 51 push ecx0040260E . 52 push edx0040260F . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]00402612 . 6A 00 push 0x000402614 . 50 push eax00402615 . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x80040261C . FF15 10414000 call dword ptr ds:[<&MSVBVM50.#595>] ; Function to display error message box00402622 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18] ; Current EIP location |
Looking up at the current EIP, the nearest one is a JMP instruction. Clicking on this instruction on the OD directly skips the function that displays the error message. Then look up again. Are there any jump instructions.
|
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
00402569 . 83C4 0C add esp,0xC0040256C . B9 04000280 mov ecx,0x8002000400402571 . B8 0A000000 mov eax,0xA00402576 . 894D 9C mov dword ptr ss:[ebp-0x64],ecx00402579 . 66:85F6 test si,si ; 比较SI是否为00040257C . 8945 94 mov dword ptr ss:[ebp-0x6C],eax0040257F . 894D AC mov dword ptr ss:[ebp-0x54],ecx00402582 . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax00402585 . 894D BC mov dword ptr ss:[ebp-0x44],ecx00402588 . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax0040258B . 74 58 je XAfkayas_.004025E5 ; If SI is equal to 0 then jump to the wrong display0040258D . 68 801B4000 push Afkayas_.00401B80 ; UNICODE "You Get It"00402592 . 68 9C1B4000 push Afkayas_.00401B9C ; ASCII "\r"00402597 . FFD7 call edi00402599 . 8BD0 mov edx,eax0040259B . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]0040259E . FFD3 call ebx004025A0 . 50 push eax004025A1 . 68 A81B4000 push Afkayas_.00401BA8 ; UNICODE "KeyGen It Now"004025A6 . FFD7 call edi004025A8 . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C]004025AB . 8945 CC mov dword ptr ss:[ebp-0x34],eax004025AE . 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C]004025B1 . 51 push ecx004025B2 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]004025B5 . 52 push edx004025B6 . 50 push eax004025B7 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]004025BA . 6A 00 push 0x0004025BC . 51 push ecx004025BD . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8004025C4 . FF15 10414000 call dword ptr ds:[<&MSVBVM50.#595>>; msvbvm50.rtcMsgBox004025CA . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]004025CD . FF15 80414000 call dword ptr ds:[<&MSVBVM50.__vba>; msvbvm50.__vbaFreeStr004025D3 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]004025D6 . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]004025D9 . 52 push edx004025DA . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]004025DD . 50 push eax004025DE . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C]004025E1 . 51 push ecx004025E2 . 52 push edx004025E3 . EB 56 jmp XAfkayas_.0040263B ; Skipped wrong display004025E5 > 68 C81B4000 push Afkayas_.00401BC8 ; UNICODE "You Get Wrong"004025EA . 68 9C1B4000 push Afkayas_.00401B9C ; ASCII "\r"004025EF . FFD7 call edi004025F1 . 8BD0 mov edx,eax004025F3 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18] |
. Looking up and found a reliable jumping point:
. 0040258B je XAfkayas_.004025E5; If SI is equal to 0 then jump to the wrong display
. Try to modify the JE here to nop. Then run the program~~ Successful blasting!
2: Find out the algorithm
. First of all, if you want to find an algorithm, you should clear the breakpoint at the blasting point first, and run here.
|
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
|
00402561 . 6A 02 push 0x200402563 . FF15 F4404000 call dword ptr ds:[<&MSVBVM50.__vba>; msvbvm50.__vbaFreeObjList00402569 . 83C4 0C add esp,0xC0040256C . B9 04000280 mov ecx,0x8002000400402571 . B8 0A000000 mov eax,0xA00402576 . 894D 9C mov dword ptr ss:[ebp-0x64],ecx00402579 . 66:85F6 test si,si ; 比较SI是否为00040257C . 8945 94 mov dword ptr ss:[ebp-0x6C],eax0040257F . 894D AC mov dword ptr ss:[ebp-0x54],ecx00402582 . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax00402585 . 894D BC mov dword ptr ss:[ebp-0x44],ecx00402588 . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax0040258B . 74 58 je XAfkayas_.004025E5 ; If SI is equal to 0 then jump to the wrong display0040258D . 68 801B4000 push Afkayas_.00401B80 ; UNICODE "You Get It"00402592 . 68 9C1B4000 push Afkayas_.00401B9C ; ASCII "\r"00402597 . FFD7 call edi |
The jump of JE is controlled by TEST SI, SI, so we should find the instruction to assign SI there.
|
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
0040252D . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]00402530 . FFD3 call ebx ; <&MSVBVM50.__vbaStrMove>00402532 . 50 push eax00402533 . FF15 28414000 call dword ptr ds:[<&MSVBVM50.__vba>; msvbvm50.__vbaStrCmp00402539 . 8BF0 mov esi,eax ; The return value of the vbaStrCmp string comparison function is given to ESI0040253B . 8D55 E0 lea edx,dword ptr ss:[ebp-0x20]0040253E . F7DE neg esi00402540 . 8D45 E8 lea eax,dword ptr ss:[ebp-0x18]00402543 . 52 push edx00402544 . 1BF6 sbb esi,esi00402546 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]00402549 . 50 push eax0040254A . 46 inc esi0040254B . 51 push ecx0040254C . 6A 03 push 0x30040254E . F7DE neg esi00402550 . FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vba>; msvbvm50.__vbaFreeStrList00402556 . 83C4 10 add esp,0x1000402559 . 8D55 D8 lea edx,dword ptr ss:[ebp-0x28]0040255C . 8D45 DC lea eax,dword ptr ss:[ebp-0x24]0040255F . 52 push edx00402560 . 50 push eax00402561 . 6A 02 push 0x200402563 . FF15 F4404000 call dword ptr ds:[<&MSVBVM50.__vba>; msvbvm50.__vbaFreeObjList00402569 . 83C4 0C add esp,0xC0040256C . B9 04000280 mov ecx,0x8002000400402571 . B8 0A000000 mov eax,0xA00402576 . 894D 9C mov dword ptr ss:[ebp-0x64],ecx00402579 . 66:85F6 test si,si ; Compare whether SI is 00040257C . 8945 94 mov dword ptr ss:[ebp-0x6C],eax0040257F . 894D AC mov dword ptr ss:[ebp-0x54],ecx |
Looking up from TEST SI, SI, the return value of the vbaStrCmp string comparison function is given to ESI in a very close place. We clear the breakpoint at vbaStrCmp, and run OD to see what the comparison is. You can see in the observation stack that the function directly compares the password 1234 I entered with the KEY value calculated by the program in plain text.
Let’s look up the disassembly code
|
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
004024E5 . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]004024E8 . 50 push eax004024E9 . FFD3 call ebx004024EB . 8BF0 mov esi,eax004024ED . 8D55 E4 lea edx,dword ptr ss:[ebp-0x1C]004024F0 . 52 push edx004024F1 . 56 push esi004024F2 . 8B0E mov ecx,dword ptr ds:[esi]004024F4 . FF91 A0000000 call dword ptr ds:[ecx+0xA0]004024FA . 85C0 test eax,eax004024FC . 7D 12 jge XAfkayas_.00402510004024FE . 68 A0000000 push 0xA000402503 . 68 5C1B4000 push Afkayas_.00401B5C00402508 . 56 push esi00402509 . 50 push eax0040250A . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj00402510 > 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]00402513 . 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C]00402516 . 8B3D 00414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrCat0040251C . 50 push eax0040251D . 68 701B4000 push Afkayas_.00401B70 ; UNICODE "AKA-"00402522 . 51 push ecx ; /String00402523 . FFD7 call edi ; \__vbaStrCat00402525 . 8B1D 70414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrMove0040252B . 8BD0 mov edx,eax0040252D . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]00402530 . FFD3 call ebx ; <&MSVBVM50.__vbaStrMove>00402532 . 50 push eax00402533 . FF15 28414000 call dword ptr ds:[<&MSVBVM50.__vbaStrCm>; msvbvm50.__vbaStrCmp00402539 . 8BF0 mov esi,eax ; vbaStrCmp The return value of the string comparison function is given to ESI |
The first parameter of vbaStrCmp is given by the return value of vbaStrMove. Observe the disassembly
|
1
2
3
4
5
6
7
|
00402525 . 8B1D 70414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrMove0040252B . 8BD0 mov edx,eax0040252D . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]00402530 . FFD3 call ebx ; <&MSVBVM50.__vbaStrMove>00402532 . 50 push eax00402533 . FF15 28414000 call dword ptr ds:[<&MSVBVM50.__vbaStrCm>; msvbvm50.__vbaStrCmp00402539 . 8BF0 mov esi,eax ; vbaStrCmp The return value of the string comparison function is given to ESI |
Did not see the instruction of PUSH parameter in vbaStrMove. Let’s clear the breakpoint here and go in to see what the implementation of vbaStrMove looks like.
|
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
|
Implementation of vbaStrMovevbaStrMove的实现7403F8DA > 56 push esi7403F8DB 57 push edi7403F8DC 8B01 mov eax,dword ptr ds:[ecx] ; ECX去一个DWORD给EAX7403F8DE 8BFA mov edi,edx ;EDX content to EDI7403F8E0 8BF1 mov esi,ecx ; ECX content to ESI7403F8E2 85C0 test eax,eax ; Determine whether the content of ECX is NULL7403F8E4 75 07 jnz Xmsvbvm50.7403F8ED7403F8E6 8BC7 mov eax,edi7403F8E8 893E mov dword ptr ds:[esi],edi ; ECX fetch content is not equal to NULL, store EDI in ECX7403F8EA 5F pop edi7403F8EB 5E pop esi7403F8EC C3 retn7403F8ED 50 push eax7403F8EE FF15 88190274 call dword ptr ds:[<&OLEAUT32.#6>] ; oleaut32.SysFreeString7403F8F4 ^ EB F0 jmp Xmsvbvm50.7403F8E6 ; Otherwise it will return directly |
By explaining the disassembly, we can know that vbaStrMove does not use the stack to pass parameters but uses two registers EDX and ECX. Combined with disassembly, EDX is given by the return value of vbaStrCat. ECX comes from ebp-0x20.
The two parameters of vbaStrCat are directly pushing a string “AKA-” and pushing an ECX, which points to a string “390240”. The KEY bit “AKA-390240” obtained by clearing the breakpoint at the blasting point at the beginning is very close to the algorithm. Our next step is to find out where ECX comes from. but failed. I am not familiar with VB, and the results given by the function here make me inexplicable.
So I decided to clear the breakpoint in the function header of the blasting point again, and then follow the process step by step. And pay attention to the return value and outgoing parameters of the function (lea EXX, ebp-XX, in this case, consider the outgoing parameter, check the current address directly in the hexadecimal window, and what is modified after the function is completed data!)
|
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
004023ED . FF90 A0000000 call dword ptr ds:[eax+0xA0] ; Get the account here004023F3 . 3BC7 cmp eax,edi004023F5 . 7D 12 jge XAfkayas_.00402409004023F7 . 68 A0000000 push 0xA0 ; If the return value is less than 0, go here004023FC . 68 5C1B4000 push Afkayas_.00401B5C00402401 . 53 push ebx00402402 . 50 push eax00402403 . FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>; msvbvm50.__vbaHresultCheckObj00402409 > 8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]0040240F . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] ; vbaLenBstr gets the length of the account, eax returns the length00402412 . 50 push eax ; /String00402413 . 8B1A mov ebx,dword ptr ds:[edx] ; |00402415 . FF15 E4404000 call dword ptr ds:[<&MSVBVM50.__vbaLenBstr>] ; \__vbaLenBstr0040241B . 8BF8 mov edi,eax ; Account length is stored in EDI0040241D . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]00402420 . 69FF FB7C0100 imul edi,edi,0x17CFB ; account length * 0x17CFB00402426 . 51 push ecx ; /String00402427 . 0F80 91020000 jo Afkayas_.004026BE ; |The calculated result >=0x80000000 is abnormal0040242D . FF15 F8404000 call dword ptr ds:[<&MSVBVM50.#516>] ; \rtcAnsiValueBstr00402433 . 0FBFD0 movsx edx,ax ; Returns the first character code of the account00402436 . 03FA add edi,edx ; The returned character code is added to the account length * 0x17CFB00402438 . 0F80 80020000 jo Afkayas_.004026BE ; If the result is greater than 0x80000000, it is abnormal0040243E . 57 push edi ; This function converts I4 to STR0040243F . FF15 E0404000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>] ; msvbvm50.__vbaStrI400402445 . 8BD0 mov edx,eax ; The return value is 390240 string |
The string is 390240, which passed the first failed trace. Then you can know that this place is where the integer string is calculated. For KEY, you only need to splice an “AKA-” before the string.
This algorithm is very simple, just like 001, only the first byte of the account is taken. However, this account is calculated by taking the account length. Therefore, the KEY calculated by an account can only get the correct result when the first letter and the account length are equal!
|
1
2
3
4
5
6
7
|
void Fun(char *ZhangHu){ char szBuff[256]; unsigned long data = strlen(ZhangHu) * 0x17CFB + (unsigned long)ZhangHu[0]; sprintf(szBuff, "AKA-%d", data); printf("%s \r\n", szBuff);} |
Reviews
There are no reviews yet.