[Disassembly exercise] 160 CrackMe 003

Category:

To crack a program, you must first understand the program. Therefore, in the cracking process, the analysis of the original program is very important. It can help us understand the author’s purpose and intention, especially the processing details of the registration code, so as to facilitate our backward tracking and derivation.
As in the previous section, open CHM, select the third Afkayas, and save it. Run the program, the program interface is as follows:

This is a standard Name/Serial registration code method, first test with a pseudo code:
Name: 3333 Serial: 44445555
Click OK, an error dialog box pops up, You Get Wrong, Try again!

Thinking analysis and cracking process:

First, open the program from the OD. This time the program will prompt that there may be compressed content, so we have to use PEID to see if there is a shell. The PEID view is as follows:

There is compressed content, but there is no shell, which is good. Use OD to open it with confidence, just click yes.
According to experience, a program with a dialog box can find the call location through the stack. The method is as follows: enter the pseudo code, click OK, an error dialog box pops up, don’t close this dialog box at this time, switch to OD, click to pause the program, and then Ctrl+K to the stack view, as follows:

Let’s not talk about a more specific analysis, see 002, directly the last rtcMsgBox, right click ->show call.

Look up the code directly and find the key jump, JE, the code is as follows:

00408665 . 66:85F6 test si,si
00408668 . 8945 94 mov dword ptr ss:[ebp-0x6C],eax
0040866B . 894D AC mov dword ptr ss:[ebp-0x54],ecx
0040866E . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
00408671 . 894D BC mov dword ptr ss:[ebp-0x44],ecx
00408674 . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax
00408677 74 62 je short 004086DB ; // The key to brute force
00408679 . 8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrCat
0040867F . 68 C06F4000 push 00406FC0 ; UNICODE “You Get It”
00408684 . 68 DC6F4000 push 00406FDC ; ASCII “\r”
00408689 . FFD6 call esi ; <&MSVBVM50.__vbaStrCat>
0040868B . 8BD0 mov edx,eax
0040868D . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
00408690 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove
00408696 . 50 push eax
00408697 . 68 E86F4000 push 00406FE8 ; UNICODE “KeyGen It Now”
0040869C . FFD6 call esi
0040869E . 8945 CC mov dword ptr ss:[ebp-0x34],eax
004086A1 . 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
004086A4 . 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
004086A7 . 50 push eax
004086A8 . 8D55 B4 lea edx,dword ptr ss:[ebp-0x4C]
004086AB . 51 push ecx
004086AC . 52 push edx
004086AD . 8D45 C4 lea eax,dword ptr ss:[ebp-0x3C]
004086B0 . 6A 00 push 0x0
004086B2 . 50 push eax
004086B3 . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
004086BA . FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#595>] ; msvbvm50.rtcMsgBox
004086C0 . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004086C3 . FF15 A8B14000 call dword ptr ds:[<&MSVBVM50.__vbaFreeS>; msvbvm50.__vbaFreeStr
004086C9 . 8D4D 94 lea ecx,dword ptr ss:[ebp-0x6C]
004086CC . 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C]
004086CF . 51 push ecx
004086D0 . 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
004086D3 . 52 push edx
004086D4 . 8D4D C4 lea ecx,dword ptr ss:[ebp-0x3C]
004086D7 . 50 push eax
004086D8 . 51 push ecx
004086D9 . EB 60 jmp short 0040873B
004086DB > 8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrCat
004086E1 . 68 08704000 push 00407008 ; UNICODE “You Get Wrong”
004086E6 . 68 DC6F4000 push 00406FDC ; ASCII “\r”
004086EB . FFD6 call esi ; <&MSVBVM50.__vbaStrCat>
004086ED . 8BD0 mov edx,eax
004086EF . 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
004086F2 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove
004086F8 . 50 push eax
004086F9 . 68 28704000 push 00407028 ; UNICODE “Try Again”
004086FE . FFD6 call esi
00408700 . 8945 CC mov dword ptr ss:[ebp-0x34],eax
00408703 . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
00408706 . 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
00408709 . 52 push edx
0040870A . 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
0040870D . 50 push eax
0040870E . 51 push ecx
0040870F . 8D55 C4 lea edx,dword ptr ss:[ebp-0x3C]
00408712 . 6A 00 push 0x0
00408714 . 52 push edx
00408715 . C745 C4 08000>mov dword ptr ss:[ebp-0x3C],0x8
0040871C . FF15 24B14000 call dword ptr ds:[<&MSVBVM50.#595>] ; msvbvm50.rtcMsgBox

 

Needless to say about the blasting, directly select the JE statement, right click -> Binary -> Fill with NOPs. Try it, OK, the blasting is successful.

Exploration of the registered machine:

This program is basically the same as 002, there is no Name/Serial-related content near the jump, so go up to the beginning of this code, clear the breakpoint, and use F8 to record important information.

PS: Because this code is too long, only important fragments are taken out. Don’t worry when looking for the beginning, the code is really long. Need to pay special attention to the part related to Name/Serial.

Cleared breakpoint position:

 

004080F0 > \55 push ebp
004080F1 . 8BEC mov ebp,esp
004080F3 . 83EC 0C sub esp,0xC
004080F6 . 68 56104000 push <jmp.&MSVBVM50.__vbaExceptHandler> ; SE handler installation
004080FB . 64:A1 0000000>mov eax,dword ptr fs:[0]

 

Get the location of Name:

 

004081E3 . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
004081E9 > 8B95 50FFFFFF mov edx,dword ptr ss:[ebp-0xB0]
004081EF . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
004081F2 . 50 push eax ; // eax=3333 address
004081F3 . 8B1A mov ebx,dword ptr ds:[edx]
004081F5 . FF15 F8B04000 call dword ptr ds:[<&MSVBVM50.__vbaLenBs>; msvbvm50.__vbaLenBstr
004081FB . 8BF8 mov edi,eax ; // eax=4
004081FD . 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00408200 . 69FF 385B0100 imul edi,edi,0x15B38 ; // edi=edi*0x15B38
00408206 . 51 push ecx
00408207 . 0F80 B7050000 jo 004087C4
0040820D . FF15 0CB14000 call dword ptr ds:[<&MSVBVM50.#516>] ; msvbvm50.rtcAnsiValueBstr
00408213 . 0FBFD0 movsx edx,ax ; // edx = ANSI of the first character
00408216 . 03FA add edi,edx ; // edi=edi+edx
00408218 . 0F80 A6050000 jo 004087C4
0040821E . 57 push edi
0040821F . FF15 F4B04000 call dword ptr ds:[<&MSVBVM50.__vbaStrI4>; msvbvm50.__vbaStrI4
00408225 . 8BD0 mov edx,eax ; // eax = 355603 text
00408227 . 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
0040822A . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove
00408230 . 8BBD 50FFFFFF mov edi,dword ptr ss:[ebp-0xB0]
00408236 . 50 push eax ; eax=355603
00408237 . 57 push edi ; edi=0091C5B4
00408238 . FF93 A4000000 call dword ptr ds:[ebx+0xA4]
0040823E . 85C0 test eax,eax ; // eax=0
00408240 . 7D 12 jge short 00408254

 

The first calculation (floating point number):

 

004082D7 . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
004082DD > 8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004082E3 . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004082E6 . 52 push edx ; // edx=355603
004082E7 . 8B19 mov ebx,dword ptr ds:[ecx]
004082E9 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; msvbvm50.__vbaR8Str
004082EF . D905 08104000 fld dword ptr ds:[0x401008] ; // 10.0
004082F5 . 833D 00904000>cmp dword ptr ds:[0x409000],0x0
004082FC . 75 08 jnz short 00408306
004082FE . D835 0C104000 fdiv dword ptr ds:[0x40100C] ; // 5.0, Do division==2。0
00408304 . EB 0B jmp short 00408311
00408306 > FF35 0C104000 push dword ptr ds:[0x40100C]
0040830C . E8 578DFFFF call <jmp.&MSVBVM50._adj_fdiv_m32>
00408311 > 83EC 08 sub esp,0x8
00408314 . DFE0 fstsw ax ; // Give the value to eax=3100
00408316 . A8 0D test al,0xD
00408318 . 0F85 A1040000 jnz 004087BF
0040831E . DEC1 faddp st(1),st ; // addition,355603 + 2
00408320 . DFE0 fstsw ax
00408322 . A8 0D test al,0xD
00408324 . 0F85 95040000 jnz 004087BF
0040832A . DD1C24 fstp qword ptr ss:[esp]
0040832D . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>; msvbvm50.__vbaStrR8
00408333 . 8BD0 mov edx,eax ; // eax = 355605 String
00408335 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00408338 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove
0040833E . 899D 34FFFFFF mov dword ptr ss:[ebp-0xCC],ebx
00408344 . 8B9D 58FFFFFF mov ebx,dword ptr ss:[ebp-0xA8]
0040834A . 50 push eax
0040834B . 8B85 34FFFFFF mov eax,dword ptr ss:[ebp-0xCC] ; // 355605
00408351 . 53 push ebx
00408352 . FF90 A4000000 call dword ptr ds:[eax+0xA4]
00408358 . 85C0 test eax,eax ; // eax=0,ecx=” ”
0040835A . 7D 12 jge short 0040836E

 

Second calculation (floating point number):

 

004083E3 . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
004083E9 > 8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004083EF . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18] ; // 355605
004083F2 . 52 push edx
004083F3 . 8B19 mov ebx,dword ptr ds:[ecx]
004083F5 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; msvbvm50.__vbaR8Str
004083FB . DC0D 10104000 fmul qword ptr ds:[0x401010] ; // 355605 * 3 = 1066815.0
00408401 . 83EC 08 sub esp,0x8
00408404 . DC25 18104000 fsub qword ptr ds:[0x401018] ; // 1066815 – 2 = 1066813
0040840A . DFE0 fstsw ax ; // ax = 3900
0040840C . A8 0D test al,0xD
0040840E . 0F85 AB030000 jnz 004087BF
00408414 . DD1C24 fstp qword ptr ss:[esp]
00408417 . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>; msvbvm50.__vbaStrR8
0040841D . 8BD0 mov edx,eax ; // eax=1600133
0040841F . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00408422 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove
00408428 . 899D 2CFFFFFF mov dword ptr ss:[ebp-0xD4],ebx
0040842E . 8B9D 58FFFFFF mov ebx,dword ptr ss:[ebp-0xA8]
00408434 . 50 push eax ; 1066813
00408435 . 8B85 2CFFFFFF mov eax,dword ptr ss:[ebp-0xD4]
0040843B . 53 push ebx
0040843C . FF90 A4000000 call dword ptr ds:[eax+0xA4]
00408442 . 85C0 test eax,eax
00408444 . 7D 12 jge short 00408458

 

The third calculation (floating point number):

 

004084CD . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
004084D3 > 8B8D 58FFFFFF mov ecx,dword ptr ss:[ebp-0xA8]
004084D9 . 8B55 E8 mov edx,dword ptr ss:[ebp-0x18]
004084DC . 52 push edx
004084DD . 8B19 mov ebx,dword ptr ds:[ecx]
004084DF . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; msvbvm50.__vbaR8Str
004084E5 . DC25 20104000 fsub qword ptr ds:[0x401020] ; // 1066813.0 – (-15.0) = 1066828
004084EB . 83EC 08 sub esp,0x8
004084EE . DFE0 fstsw ax
004084F0 . A8 0D test al,0xD
004084F2 . 0F85 C7020000 jnz 004087BF
004084F8 . DD1C24 fstp qword ptr ss:[esp]
004084FB . FF15 48B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrR8>; msvbvm50.__vbaStrR8
00408501 . 8BD0 mov edx,eax ; // 1066828
00408503 . 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00408506 . FF15 94B14000 call dword ptr ds:[<&MSVBVM50.__vbaStrMo>; msvbvm50.__vbaStrMove

 

Our Serial appeared:

 

004085C8 . FF15 18B14000 call dword ptr ds:[<&MSVBVM50.__vbaHresu>; msvbvm50.__vbaHresultCheckObj
004085CE > 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
004085D1 . 50 push eax ; // Get Serial
004085D2 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; msvbvm50.__vbaR8Str
004085D8 . 8B4D E4 mov ecx,dword ptr ss:[ebp-0x1C] ; // 1066828
004085DB . DD9D 1CFFFFFF fstp qword ptr ss:[ebp-0xE4]
004085E1 . 51 push ecx
004085E2 . FF15 74B14000 call dword ptr ds:[<&MSVBVM50.__vbaR8Str>; msvbvm50.__vbaR8Str
004085E8 . 833D 00904000>cmp dword ptr ds:[0x409000],0x0
004085EF . 75 08 jnz short 004085F9
004085F1 . DCBD 1CFFFFFF fdivr qword ptr ss:[ebp-0xE4] ; // Do division
004085F7 . EB 11 jmp short 0040860A
004085F9 > \FFB5 20FFFFFF push dword ptr ss:[ebp-0xE0]
004085FF . FFB5 1CFFFFFF push dword ptr ss:[ebp-0xE4]
00408605 . E8 888AFFFF call <jmp.&MSVBVM50._adj_fdivr_m64>
0040860A > DFE0 fstsw ax ; // Send the result to ax
0040860C . A8 0D test al,0xD
0040860E . 0F85 AB010000 jnz 004087BF
00408614 . FF15 34B14000 call dword ptr ds:[<&MSVBVM50.__vbaFpR8>>; msvbvm50.__vbaFpR8
0040861A . DC1D 28104000 fcomp qword ptr ds:[0x401028]
00408620 . DFE0 fstsw ax ; //ax=20
00408622 . F6C4 40 test ah,0x40 ; // ah=40
00408625 . 74 07 je short 0040862E

 

The division operation and negation done later are used as the condition of JE in order to process the value of esi. We can actually try the calculated string “1066828” right here? Haha, it must be!

00408665 . 66:85F6 test si,si
00408668 . 8945 94 mov dword ptr ss:[ebp-0x6C],eax
0040866B . 894D AC mov dword ptr ss:[ebp-0x54],ecx
0040866E . 8945 A4 mov dword ptr ss:[ebp-0x5C],eax
00408671 . 894D BC mov dword ptr ss:[ebp-0x44],ecx
00408674 . 8945 B4 mov dword ptr ss:[ebp-0x4C],eax
00408677 74 62 je short 004086DB ; // The key to blasting
00408679 . 8B35 14B14000 mov esi,dword ptr ds:[<&MSVBVM50.__vbaSt>; msvbvm50.__vbaStrCat
0040867F . 68 C06F4000 push 00406FC0 ; UNICODE “You Get It”
00408684 . 68 DC6F4000 push 00406FDC ; ASCII “\r”
00408689 . FFD6 call esi ; <&MSVBVM50.__vbaStrCat>

 

At this point, the sequence number generation process has been analyzed. The constants designed in the process are all fixed values obtained by using fixed addresses such as [0040100A]. Don’t worry about them, we can use them directly.

To summarize: first calculate the length of Name nLen, then edi=edi*0x15B38+cName, cName is the ANSI code of the first character of Name. Then, calculate the floating point number 10.0/5.0=2.0, convert edi to a floating point number, add 2.0, then multiply the result by 3.0, then subtract 2, and then subtract -15, the value obtained is converted to text, which is correct Serial number.

C/CPP code:

 

// CrackMe160.cpp : Define the entry point of the console application.
// 003

#include “stdafx.h”
#include <stdio.h>
#include “iostream”

char buff[100] = {0};
int _tmain(int argc, _TCHAR* argv[])
{
printf(“160CrackMe-003 Name/Serial\r\n\r\n”);
printf(“Name:”);
gets_s(buff,100);
int nLen = strlen(buff);
if ( nLen > 0 )
{
int nRet = nLen * 0x15B38;
nRet += buff[0];
double dRet = (double)nRet;
dRet += (10.0/5.0);
dRet *= 3.0;
dRet -= 2;
dRet -= -15;
printf(“Serial:%d\r\n”,(int)dRet);
}else{
printf(“Input error!\r\n”);
}
system(“pause”);
return 0;
}

 

 

Reviews

There are no reviews yet.

Be the first to review “[Disassembly exercise] 160 CrackMe 003”

Your email address will not be published. Required fields are marked *