[Disassembly exercise] 160 CrackMe 004


Program description: There are no buttons, only two text boxes, one is the user name and the other is the registration code. The author prompts: If the registration is successful, a beautiful picture of Miss Zhu Yin will appear in the program.

After the program runs, the interface is as follows:

After entering the user name and registration code, the program does not respond. Clear breakpoints: GetDlgItemTextA, GetDlgItemTextW, GetWindowTextA, GetWindowTextW are invalid, TranslateMessage breakpoints, set condition key events can be successfully broken, but traced several times and found no useful code.

Let’s use DeDe to decompile it.

There are very few procedures called by the program, only the Edit2 event (chkcode) and the panel1 two events (click event and double click event.) are useful.

According to the decompilation event address in DeDe, first clear the breakpoint on the Edit2 event (chkcode) code. After tracking, a jump in the code is the key jump.

00457D2C |. 8B45 E0 mov eax,[local.8]; The serial number entered

00457D2F |. 8B93 18030000 mov edx,dword ptr ds:[ebx+0x318]; Blackhead Sun Bird11dseloffc-012-OK+username

00457D35 |. E8 52BFFAFF call CKme.00403C8C The serial number is compared in this CALL,

00457D3A |. 75 0A jnz short CKme.00457D46; The key comparison, this place will write the “correct” sign

00457D3C |. C783 0C030000>mov dword ptr ds:[ebx+0x30C],0x3E
These codes can already be seen, the correct registration code of the program is: Blackhead Sun Bird11dseloffc-012-OK+user name, after the correct input, the variable value of [ebx+0x30C] is changed to 0x3E, but the picture is not displayed.

Next, the two events of panel1 (click event and double-click event.) code to clear the breakpoints respectively, click panel1 to trigger:



00458031 |. 81BE 0C030000>cmp dword ptr ds:[esi+0x30C],0x85; Compare the registration marks, if correct, call the display picture code

0045803B |. 75 76 jnz short CKme.004580B3
0045803D |. 33DB xor ebx,ebx

Here compare whether [esi+0x30C] is 0x85, and the value in chkcode before is 0x3E, so the program has no response. Next, cancel the breakpoint of the click event, double-click panel1, and break it.

00457EF5 |. 83BE 0C030000>cmp dword ptr ds:[esi+0x30C],0x3E; Check the registration mark, if it is 3E, do not jump, change to 85

00457EFC |. 75 0A jnz short CKme.00457F08
00457EFE |. C786 0C030000>mov dword ptr ds:[esi+0x30C],0x85; Change to 85

This time, I understand that if the address value of [esi+0x30C] is 0x3E in the double-click event, it is changed to 0x85, which just meets the check of the address value of [esi+0x30C] in the single-click event. Next, continue the program, click on panel1, the picture is displayed.

These programs have been cracked and the registration code is: Sun Bird11dseloffc-012-OK + the username you entered. Entering the registration code must trigger a keyboard event (paste is invalid), and then double-click the picture box. If the breakpoint is cleared on the click event in the OD, the double-click event cannot be triggered, and the registration flag cannot be changed to 0x85. Can’t reach the final step of registration, maybe this is what the author said “In addition, this CKme also made some other tricks”, only after the double-click event is triggered successfully, click the picture box to complete the final registration effect, the point of this program is not The registration code algorithm, but the registration process.




There are no reviews yet.

Be the first to review “[Disassembly exercise] 160 CrackMe 004”

Your email address will not be published. Required fields are marked *