[Disassembly exercise] 160 CrackMe 002

Tools Download and series of articles

160 crackme training for novice crackers

 

1. Tools and environment:
WinXP SP3 + OD + PEID + a compiler.
Note:
1. Win7 randomizes the base addresses of modules and programs (ASLR), which makes the analysis considerably harder, so it is not recommended to use Win7 for analysis.
2. The tools above are all original programs; NOD32 does not flag them, and I promise that I will never post anything related to Trojans or viruses.

2. Program analysis:

To crack a program, you must first understand it. In the cracking process, analysis of the original program is therefore very important: it helps us understand the author's purpose and intent, especially the details of how the registration code is processed, which makes backward tracing and derivation easier.
As in the previous section, open the CHM, select the second crackme, Afkayas, and save it. Run the program. It complains that msvbvm50.dll is missing and will not run. No way around it: search the Internet for a copy, put it in the same directory as the program, and run it again. OK. The program interface is as follows:

This is a standard Name/Serial registration scheme. First test it with a fake code:
Name: 111222 Serial: 3334444
Click OK; an error dialog pops up: "You Get Wrong, Try again!"
3. Thinking analysis and cracking process:
First, from experience, for a program with a dialog box we can find the call location through the stack. The method: enter the fake code, click OK, and when the error dialog pops up do not close it; switch to OD, click pause, and then press Ctrl+K for the call stack view, as follows:

I'm basically lost here: this is not ordinary C/C++ code. Looking at the "Called from" column, most calls come from msvbvm50 and user32; searching on that name shows it is the VB runtime, so the program was written in VB. Looking at the red part again, on the surface only msvbvm50.rtcMsgBox and user32.MessageBoxIndirectA are related to the dialog box. Most important, the call to msvbvm50.rtcMsgBox comes from AfKayas_.0040261C, so we can basically conclude that rtcMsgBox is what pops up dialog boxes in VB. Don't hesitate: select it, right click -> Show call.

 

004025E3   . /EB 56         jmp short 0040263B
004025E5   > |68 C81B4000   push 00401BC8                           ;  UNICODE "You Get Wrong"
004025EA   . |68 9C1B4000   push 00401B9C                           ;  ASCII "\r"
004025EF   . |FFD7          call edi
004025F1   . |8BD0          mov edx,eax
004025F3   . |8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004025F6   . |FFD3          call ebx
004025F8   . |50            push eax
004025F9   . |68 E81B4000   push 00401BE8                           ;  UNICODE "Try Again"
004025FE   . |FFD7          call edi
00402600   . |8945 CC       mov dword ptr ss:[ebp-0x34],eax
00402603   . |8D45 94       lea eax,dword ptr ss:[ebp-0x6C]
00402606   . |8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
00402609   . |50            push eax
0040260A   . |8D55 B4       lea edx,dword ptr ss:[ebp-0x4C]
0040260D   . |51            push ecx
0040260E   . |52            push edx
0040260F   . |8D45 C4       lea eax,dword ptr ss:[ebp-0x3C]
00402612   . |6A 00         push 0x0
00402614   . |50            push eax
00402615   . |C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
0040261C   . |FF15 10414000 call dword ptr ds:[<&MSVBVM50.#595>]    ;  msvbvm50.rtcMsgBox

Looking a little way up the code, the prompts "Try Again" and "You Get Wrong" are right nearby, so we can basically conclude that this is the place. Continue upward to see where the logic of the judgment is:

00402569   .  83C4 0C       add esp,0xC
0040256C   .  B9 04000280   mov ecx,0x80020004
00402571   .  B8 0A000000   mov eax,0xA
00402576   .  894D 9C       mov dword ptr ss:[ebp-0x64],ecx
00402579   .  66:85F6       test si,si
0040257C   .  8945 94       mov dword ptr ss:[ebp-0x6C],eax
0040257F   .  894D AC       mov dword ptr ss:[ebp-0x54],ecx
00402582   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
00402585   .  894D BC       mov dword ptr ss:[ebp-0x44],ecx
00402588   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
0040258B   .  74 58         je short 004025E5              ; It should be here, right?
0040258D   .  68 801B4000   push 00401B80                           ;  UNICODE "You Get It"
00402592   .  68 9C1B4000   push 00401B9C                           ;  ASCII "\r"
00402597   .  FFD7          call edi
00402599   .  8BD0          mov edx,eax
0040259B   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
0040259E   .  FFD3          call ebx
004025A0   .  50            push eax
004025A1   .  68 A81B4000   push 00401BA8                           ;  UNICODE "KeyGen It Now"
004025A6   .  FFD7          call edi
004025A8   .  8D4D 94       lea ecx,dword ptr ss:[ebp-0x6C]
004025AB   .  8945 CC       mov dword ptr ss:[ebp-0x34],eax
004025AE   .  8D55 A4       lea edx,dword ptr ss:[ebp-0x5C]
004025B1   .  51            push ecx
004025B2   .  8D45 B4       lea eax,dword ptr ss:[ebp-0x4C]
004025B5   .  52            push edx
004025B6   .  50            push eax
004025B7   .  8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
004025BA   .  6A 00         push 0x0
004025BC   .  51            push ecx
004025BD   .  C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
004025C4   .  FF15 10414000 call dword ptr ds:[<&MSVBVM50.#595>]    ;  msvbvm50.rtcMsgBox
004025CA   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004025CD   .  FF15 80414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>;  msvbvm50.__vbaFreeStr
004025D3   .  8D55 94       lea edx,dword ptr ss:[ebp-0x6C]
004025D6   .  8D45 A4       lea eax,dword ptr ss:[ebp-0x5C]
004025D9   .  52            push edx
004025DA   .  8D4D B4       lea ecx,dword ptr ss:[ebp-0x4C]
004025DD   .  50            push eax
004025DE   .  8D55 C4       lea edx,dword ptr ss:[ebp-0x3C]
004025E1   .  51            push ecx
004025E2   .  52            push edx
004025E3   .  EB 56         jmp short 0040263B
004025E5   >  68 C81B4000   push 00401BC8                           ;  UNICODE "You Get Wrong"
004025EA   .  68 9C1B4000   push 00401B9C                           ;  ASCII "\r"
004025EF   .  FFD7          call edi
004025F1   .  8BD0          mov edx,eax
004025F3   .  8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004025F6   .  FFD3          call ebx
004025F8   .  50            push eax
004025F9   .  68 E81B4000   push 00401BE8                           ;  UNICODE "Try Again"
004025FE   .  FFD7          call edi

Is it simple? There is a JE jump right next to "You Get It". In the OD view, if the jump is taken the error prompt appears, and if it is not taken the success prompt appears. The blasting (jump patching) begins! Select the je line, right click -> Binary -> Fill with NOPs. Now type anything into the program: haha, the blasting is successful!

4. Explore the registration machine:

Since we didn't find anything resembling the registration code near the jump, we need to step through this block with F8 and look at the places that may be related to the registration code. Look upward and place a breakpoint at the start of this function (that is, find the nearest retn; the code just below it usually begins with push ebp, etc.):
00402310> \55 push ebp // function start
Step through with F8 and annotate the important information, especially anything related to Name/Serial. The code after analysis is as follows:

00402403   .  FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;  MSVBVM50.__vbaHresultCheckObj
00402409   >  8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
0040240F   .  8B45 E4       mov eax,dword ptr ss:[ebp-0x1C]
00402412   .  50            push eax                                      ;  //eax=111222,name
00402413   .  8B1A          mov ebx,dword ptr ds:[edx]
00402415   .  FF15 E4404000 call dword ptr ds:[<&MSVBVM50.__vbaLenBstr>]  ;  MSVBVM50.__vbaLenBstr
0040241B   .  8BF8          mov edi,eax                                   ;  edi=6
0040241D   .  8B4D E8       mov ecx,dword ptr ss:[ebp-0x18]               ;  ecx=address of 111222
00402420   .  69FF FB7C0100 imul edi,edi,0x17CFB                          ;  // multiply: edi*0x17CFB
00402426   .  51            push ecx
00402427   .  0F80 91020000 jo 004026BE
0040242D   .  FF15 F8404000 call dword ptr ds:[<&MSVBVM50.#516>]          ;  MSVBVM50.rtcAnsiValueBstr
00402433   .  0FBFD0        movsx edx,ax
00402436   .  03FA          add edi,edx                                   ;  // edi=edi+edx(0x31)
00402438   .  0F80 80020000 jo 004026BE
0040243E   .  57            push edi
0040243F   .  FF15 E0404000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>]    ;  MSVBVM50.__vbaStrI4
00402445   .  8BD0          mov edx,eax                                   ;  // eax=585235
00402447   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
0040244A   .  FF15 70414000 call dword ptr ds:[<&MSVBVM50.__vbaStrMove>]  ;  MSVBVM50.__vbaStrMove
00402450   .  8BBD 50FFFFFF mov edi,dword ptr ss:[ebp-0xB0]
00402456   .  50            push eax                                      ;  // 585235
00402457   .  57            push edi                                      ;  // 0091B51C
00402458   .  FF93 A4000000 call dword ptr ds:[ebx+0xA4]
0040245E   .  85C0          test eax,eax                                  ;  // ==0
00402460   .  7D 12         jge short 00402474
00402462   .  68 A4000000   push 0xA4
00402467   .  68 5C1B4000   push 00401B5C
0040246C   .  57            push edi
0040246D   .  50            push eax
0040246E   .  FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;  MSVBVM50.__vbaHresultCheckObj
00402474   >  8D45 E0       lea eax,dword ptr ss:[ebp-0x20]
00402477   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
0040247A   .  50            push eax
0040247B   .  8D55 E8       lea edx,dword ptr ss:[ebp-0x18]
0040247E   .  51            push ecx
0040247F   .  52            push edx
00402480   .  6A 03         push 0x3
00402482   .  FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>;  MSVBVM50.__vbaFreeStrList
00402488   .  83C4 10       add esp,0x10
0040248B   .  8D45 D4       lea eax,dword ptr ss:[ebp-0x2C]
0040248E   .  8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
00402491   .  8D55 DC       lea edx,dword ptr ss:[ebp-0x24]
00402494   .  50            push eax
00402495   .  51            push ecx
00402496   .  52            push edx
00402497   .  6A 03         push 0x3
00402499   .  FF15 F4404000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObjList>;  MSVBVM50.__vbaFreeObjList
0040249F   .  8B06          mov eax,dword ptr ds:[esi]
004024A1   .  83C4 10       add esp,0x10
004024A4   .  56            push esi
004024A5   .  FF90 04030000 call dword ptr ds:[eax+0x304]
004024AB   .  8B1D 0C414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaObjSet>] ;  MSVBVM50.__vbaObjSet
004024B1   .  50            push eax
004024B2   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
004024B5   .  50            push eax
004024B6   .  FFD3          call ebx                                      ;  <&MSVBVM50.__vbaObjSet>
004024B8   .  8BF8          mov edi,eax
004024BA   .  8D55 E8       lea edx,dword ptr ss:[ebp-0x18]
004024BD   .  52            push edx
004024BE   .  57            push edi
004024BF   .  8B0F          mov ecx,dword ptr ds:[edi]
004024C1   .  FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004024C7   .  85C0          test eax,eax                                  ;  eax=0,zf=1
004024C9   .  7D 12         jge short 004024DD
004024CB   .  68 A0000000   push 0xA0
004024D0   .  68 5C1B4000   push 00401B5C
004024D5   .  57            push edi
004024D6   .  50            push eax
004024D7   .  FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;  MSVBVM50.__vbaHresultCheckObj
004024DD   >  56            push esi
004024DE   .  FF95 40FFFFFF call dword ptr ss:[ebp-0xC0]
004024E4   .  50            push eax
004024E5   .  8D45 D8       lea eax,dword ptr ss:[ebp-0x28]
004024E8   .  50            push eax
004024E9   .  FFD3          call ebx
004024EB   .  8BF0          mov esi,eax
004024ED   .  8D55 E4       lea edx,dword ptr ss:[ebp-0x1C]
004024F0   .  52            push edx
004024F1   .  56            push esi
004024F2   .  8B0E          mov ecx,dword ptr ds:[esi]
004024F4   .  FF91 A0000000 call dword ptr ds:[ecx+0xA0]
004024FA   .  85C0          test eax,eax                                  ;  eax=0
004024FC   .  7D 12         jge short 00402510
004024FE   .  68 A0000000   push 0xA0
00402503   .  68 5C1B4000   push 00401B5C
00402508   .  56            push esi
00402509   .  50            push eax
0040250A   .  FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaHresultChec>;  MSVBVM50.__vbaHresultCheckObj
00402510   >  8B45 E8       mov eax,dword ptr ss:[ebp-0x18]               ;  eax=3334444
00402513   .  8B4D E4       mov ecx,dword ptr ss:[ebp-0x1C]               ;  ecx=585235
00402516   .  8B3D 00414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaStrCat>] ;  MSVBVM50.__vbaStrCat
0040251C   .  50            push eax                                      ;  eax=3334444
0040251D   .  68 701B4000   push 00401B70                                 ;  UNICODE "AKA-"
00402522   .  51            push ecx                                      ;  ecx=585235
00402523   .  FFD7          call edi                                      ;  <&MSVBVM50.__vbaStrCat>
00402525   .  8B1D 70414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaStrMove>>;  MSVBVM50.__vbaStrMove
0040252B   .  8BD0          mov edx,eax                                   ;  edx=eax=AKA-585235
0040252D   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
00402530   .  FFD3          call ebx                                      ;  <&MSVBVM50.__vbaStrMove>
00402532   .  50            push eax
00402533   .  FF15 28414000 call dword ptr ds:[<&MSVBVM50.__vbaStrCmp>]   ;  MSVBVM50.__vbaStrCmp
00402539   .  8BF0          mov esi,eax                                   ;  eax=-1
0040253B   .  8D55 E0       lea edx,dword ptr ss:[ebp-0x20]
0040253E   .  F7DE          neg esi                                       ;  negate (two's complement)
00402540   .  8D45 E8       lea eax,dword ptr ss:[ebp-0x18]
00402543   .  52            push edx
00402544   .  1BF6          sbb esi,esi
00402546   .  8D4D E4       lea ecx,dword ptr ss:[ebp-0x1C]
00402549   .  50            push eax
0040254A   .  46            inc esi
0040254B   .  51            push ecx
0040254C   .  6A 03         push 0x3
0040254E   .  F7DE          neg esi
00402550   .  FF15 5C414000 call dword ptr ds:[<&MSVBVM50.__vbaFreeStrList>;  MSVBVM50.__vbaFreeStrList
00402556   .  83C4 10       add esp,0x10
00402559   .  8D55 D8       lea edx,dword ptr ss:[ebp-0x28]
0040255C   .  8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
0040255F   .  52            push edx
00402560   .  50            push eax
00402561   .  6A 02         push 0x2
00402563   .  FF15 F4404000 call dword ptr ds:[<&MSVBVM50.__vbaFreeObjList>;  MSVBVM50.__vbaFreeObjList
00402569   .  83C4 0C       add esp,0xC
0040256C   .  B9 04000280   mov ecx,0x80020004
00402571   .  B8 0A000000   mov eax,0xA
00402576   .  894D 9C       mov dword ptr ss:[ebp-0x64],ecx
00402579   .  66:85F6       test si,si                                    ;  esi=0,ZF=1
0040257C   .  8945 94       mov dword ptr ss:[ebp-0x6C],eax
0040257F   .  894D AC       mov dword ptr ss:[ebp-0x54],ecx
00402582   .  8945 A4       mov dword ptr ss:[ebp-0x5C],eax
00402585   .  894D BC       mov dword ptr ss:[ebp-0x44],ecx
00402588   .  8945 B4       mov dword ptr ss:[ebp-0x4C],eax
0040258B      74 58         je short 004025E5                             ;  // Blasting key jump, NOP
0040258D   .  68 801B4000   push 00401B80                                 ;  UNICODE "You Get It"
00402592   .  68 9C1B4000   push 00401B9C                                 ;  ASCII "\r"
00402597   .  FFD7          call edi

In fact, the code is very simple; after one trace it is basically clear. The key parts of the analysis are as follows:

00402412   .  50            push eax                                      ;  //eax=111222,name
00402413   .  8B1A          mov ebx,dword ptr ds:[edx]
00402415   .  FF15 E4404000 call dword ptr ds:[<&MSVBVM50.__vbaLenBstr>]  ;  MSVBVM50.__vbaLenBstr
0040241B   .  8BF8          mov edi,eax                                   ;  edi=6
0040241D   .  8B4D E8       mov ecx,dword ptr ss:[ebp-0x18]               ;  ecx=address of 111222
00402420   .  69FF FB7C0100 imul edi,edi,0x17CFB                          ;  // multiply: edi*0x17CFB
00402426   .  51            push ecx
00402427   .  0F80 91020000 jo 004026BE
0040242D   .  FF15 F8404000 call dword ptr ds:[<&MSVBVM50.#516>]          ;  MSVBVM50.rtcAnsiValueBstr
00402433   .  0FBFD0        movsx edx,ax
00402436   .  03FA          add edi,edx                                   ;  // edi=edi+edx(0x31)
00402438   .  0F80 80020000 jo 004026BE
0040243E   .  57            push edi
0040243F   .  FF15 E0404000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>]    ;  MSVBVM50.__vbaStrI4
00402445   .  8BD0          mov edx,eax                                   ;  // eax=585235

First, eax is the address of Name. The length computed by __vbaLenBstr is put in edi, then edi = edi * 0x17CFB, then edi = edi + edx, where edx is the ANSI value of the first character of the Name string (returned by rtcAnsiValueBstr), and finally __vbaStrI4 converts the integer in edi into the decimal string 585235.
Next, track what happens to the string 585235 further down:

00402510   >  8B45 E8       mov eax,dword ptr ss:[ebp-0x18]               ;  eax=3334444
00402513   .  8B4D E4       mov ecx,dword ptr ss:[ebp-0x1C]               ;  ecx=585235
00402516   .  8B3D 00414000 mov edi,dword ptr ds:[<&MSVBVM50.__vbaStrCat>] ;  MSVBVM50.__vbaStrCat
0040251C   .  50            push eax                                      ;  eax=3334444
0040251D   .  68 701B4000   push 00401B70                                 ;  UNICODE "AKA-"
00402522   .  51            push ecx                                      ;  ecx=585235
00402523   .  FFD7          call edi                                      ;  <&MSVBVM50.__vbaStrCat>
00402525   .  8B1D 70414000 mov ebx,dword ptr ds:[<&MSVBVM50.__vbaStrMove>>;  MSVBVM50.__vbaStrMove
0040252B   .  8BD0          mov edx,eax                                   ;  edx=eax=AKA-585235
0040252D   .  8D4D E0       lea ecx,dword ptr ss:[ebp-0x20]
00402530   .  FFD3          call ebx                                      ;  <&MSVBVM50.__vbaStrMove>
00402532   .  50            push eax
00402533   .  FF15 28414000 call dword ptr ds:[<&MSVBVM50.__vbaStrCmp>]   ;  MSVBVM50.__vbaStrCmp
00402539   .  8BF0          mov esi,eax                                   ;  eax=-1

In this code, 585235 is concatenated with "AKA-" by __vbaStrCat to form the string "AKA-585235"; the result is then compared with our Serial by __vbaStrCmp, and the return value in eax decides whether it is right or wrong. Combining this with the previous analysis, the final registration code follows easily.

To summarize: take the length of the Name, take the ANSI value cName of its first character, compute len*0x17CFB+cName, convert the result into decimal text, and prefix it with "AKA-" to form the final registration code.

The C/C++ code is as follows:

// CrackMe160.cpp : Define the entry point of the console application.
// 002

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char buff[100] = {0};

int main(void)
{
    printf("160CrackMe-002 Name/Serial\r\n\r\n");
    printf("Name:");
    // fgets replaces the MSVC-only gets_s so the program builds with any compiler
    if (fgets(buff, sizeof(buff), stdin) == NULL)
        buff[0] = '\0';
    buff[strcspn(buff, "\r\n")] = '\0';   // drop the trailing newline
    int nLen = (int)strlen(buff);         // __vbaLenBstr
    if ( nLen > 0 )
    {
        int nRet = nLen * 0x17CFB;        // imul edi,edi,0x17CFB
        nRet += buff[0];                  // add the first character's value (rtcAnsiValueBstr)
        printf("AKA-%d\r\n",nRet);        // __vbaStrI4, then __vbaStrCat with "AKA-"
    }else{
        printf("Input error!\r\n");
    }
    system("pause");                      // Windows console: keep the window open
    return 0;
}
 

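The author's program above only builds the serial. The following is an added example, not the crackme author's code or the program's own source: it reconstructs the check the way the binary performs it, returning the verdict from a function, and it handles the cases the trace shows but the short program skips (an empty Name, and the two `jo` overflow guards after the imul and the add). The helper names make_serial and check_serial and the buffer sizes are this example's own; it assumes single-byte ANSI characters, for which VB's Asc() (rtcAnsiValueBstr) returns 0..255.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constant taken from the trace: imul edi,edi,0x17CFB */
#define SERIAL_MULT 0x17CFB

/* Build the serial the program expects for `name` into out[outlen]
 * (helper name and signature are this example's own, not the binary's).
 * Returns 1 on success; 0 for an empty name, for a result that would not
 * fit a 32-bit int (the paths the binary's two `jo` guards take), or for
 * a buffer that is too small. */
int make_serial(const char *name, char *out, size_t outlen)
{
    size_t len = strlen(name);                     /* __vbaLenBstr */
    if (len == 0 || len > (size_t)(INT_MAX / SERIAL_MULT))
        return 0;                                  /* first jo guard */
    int v = (int)len * SERIAL_MULT;                /* imul edi,edi,0x17CFB */
    /* rtcAnsiValueBstr returns Asc() of the first character; for single-byte
     * ANSI text that is 0..255 (assumption: no DBCS lead bytes). movsx only
     * widens the 16-bit result to 32 bits. */
    int c = (unsigned char)name[0];
    if (v > INT_MAX - c)
        return 0;                                  /* second jo guard */
    v += c;                                        /* add edi,edx */
    /* __vbaStrI4 renders the integer in decimal, __vbaStrCat prefixes "AKA-" */
    int n = snprintf(out, outlen, "AKA-%d", v);
    return n > 0 && (size_t)n < outlen;
}

/* The program's verdict: __vbaStrCmp between the built string and the typed
 * serial. In the binary the neg/sbb/inc/neg sequence turns the compare result
 * into VB True (-1) on a match and 0 otherwise, and `je` sends the 0 case to
 * "You Get Wrong". Returns 1 for a match, 0 otherwise. */
int check_serial(const char *name, const char *serial)
{
    char expected[32];
    if (!make_serial(name, expected, sizeof expected))
        return 0;
    return strcmp(expected, serial) == 0;
}

int main(void)
{
    /* Constructed inputs: the fake pair from the article and the matching one */
    const char *name = "111222";
    char serial[32];
    if (make_serial(name, serial, sizeof serial))
        printf("Name %s -> %s\n", name, serial);
    printf("3334444    -> %s\n", check_serial(name, "3334444") ? "You Get It" : "You Get Wrong");
    printf("AKA-585235 -> %s\n", check_serial(name, "AKA-585235") ? "You Get It" : "You Get Wrong");
    return 0;
}
```

Running it with the article's Name gives AKA-585235, matching the value observed in the trace. The function form also makes the weakness of the scheme visible: only the length and the first character of the Name enter the computation, so every Name of the same length starting with the same character shares one serial, which is why such a check offers no real protection.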