[Disassembly exercise] 160 CrackMe 003(2)



Exercise requirements: remove the NAG window and work out the serial number algorithm.

I had never looked at removing the NAG window of this program before. A while ago I downloaded a "Cracking from scratch with OllyDbg" tutorial and read through part of it; it has an article on removing NAG windows that seems particularly useful for VB programs.
The tutorial calls the technique the "4C method". The original program opens with a NAG window, which closes by itself after a few seconds and then opens the main window.

Load the program in OD; it stops at the OEP:


VB programs have a characteristic entry point: a PUSH instruction followed by a CALL, and the CALL leads to a JMP into MSVBVM50, so this one should have been written in VB5.0. (If the entry does not look like this, the program has probably been packed.) The PUSH pushes 004067D4 onto the stack, and we now locate that address in the data window. Shown as follows:

Now the "4C" comes in: offset 4C from that address. In the data window press Ctrl+G and enter 4067d4+4c; the display is as follows:

Keep following the pointers in the data window: the DWORD at 00406820 is 00406868, and the contents there are as follows:

Here we can see two similar blocks of data, each 50 (hexadecimal) bytes long, and each block has a flag at its 24th (hexadecimal) byte: 01 in the first block, 00 in the second. This flag specifies the order in which each block (that is, each form the program loads after it starts) appears. The form flagged 00 loads first, and that is the NAG window we want to remove; the form flagged 01 loads next, and that is the main window. So we swap the two flag values, changing 01 to 00 and 00 to 01, patch the binary, save the file and run it to test: the NAG window is gone.
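The same walk through the structures, as an added example that is not part of the original write-up: it decodes the PUSH/CALL stub at the OEP, follows header+4C (in the VB5/6 header layout this DWORD is the pointer to the form table), reads the order flag at byte 24 of each 50-byte block and swaps the two flags. It runs on a constructed flat image that mirrors the addresses above (image base 00400000, OEP at 00401000 and a form count of two are assumptions), so no section-to-file mapping is done.

```python
import struct

IMAGE_BASE = 0x400000        # constructed: image base assumed for the sample layout
ENTRY_SIZE = 0x50            # each form-table block is 0x50 bytes (from the write-up)
ORDER_FLAG_OFF = 0x24        # load-order flag at byte 0x24 of each block (from the write-up)
GUI_TABLE_PTR_OFF = 0x4C     # header + 0x4C holds the pointer to the form table ("4C method")

def va_to_off(va):
    """Constructed flat image: buffer offset == VA - image base (no section mapping)."""
    return va - IMAGE_BASE

def vb_header_va(image, oep_va):
    """A VB5/6 entry point is PUSH imm32 / CALL rel32; the pushed imm32 is the VB header VA."""
    off = va_to_off(oep_va)
    if image[off] != 0x68 or image[off + 5] != 0xE8:
        raise ValueError("no PUSH/CALL stub at OEP: not a plain VB5/6 binary (packed?)")
    return struct.unpack_from("<I", image, off + 1)[0]

def form_order_flags(image, header_va, form_count=2):
    """Return [(block_va, flag), ...] for each 0x50-byte block of the form table."""
    table_va = struct.unpack_from("<I", image, va_to_off(header_va) + GUI_TABLE_PTR_OFF)[0]
    return [(table_va + i * ENTRY_SIZE,
             image[va_to_off(table_va + i * ENTRY_SIZE) + ORDER_FLAG_OFF])
            for i in range(form_count)]

def swap_startup_form(image, header_va, form_count=2):
    """Exchange the two load-order flags so the form marked 01 loads first. Returns new flags."""
    (va_a, flag_a), (va_b, flag_b) = form_order_flags(image, header_va, form_count)[:2]
    image[va_to_off(va_a) + ORDER_FLAG_OFF] = flag_b
    image[va_to_off(va_b) + ORDER_FLAG_OFF] = flag_a
    return [flag for _, flag in form_order_flags(image, header_va, form_count)]

def build_sample_image():
    """Constructed image mirroring the write-up: OEP pushes 004067D4, header+0x4C
    (00406820) points at 00406868, two blocks whose flags are 01 and 00."""
    image = bytearray(0x7000)
    oep, header, table = 0x401000, 0x4067D4, 0x406868
    image[va_to_off(oep):va_to_off(oep) + 5] = b"\x68" + struct.pack("<I", header)
    image[va_to_off(oep) + 5] = 0xE8                               # CALL opcode; target unused here
    struct.pack_into("<I", image, va_to_off(header) + GUI_TABLE_PTR_OFF, table)
    image[va_to_off(table) + ORDER_FLAG_OFF] = 0x01                # main window, loaded second
    image[va_to_off(table) + ENTRY_SIZE + ORDER_FLAG_OFF] = 0x00   # NAG window, loaded first
    return image, oep

if __name__ == "__main__":
    img, oep = build_sample_image()
    hdr = vb_header_va(img, oep)
    print("VB header at %08X, flags before: %s" % (hdr, form_order_flags(img, hdr)))
    print("flags after swap:", swap_startup_form(img, hdr))
```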

This method also works on some restricted VB programs: after the program starts, a registration or restriction window appears, and if you cannot register or lift the restriction, the only option is to exit. With this method the main window is started first, and the restriction window is skipped.


