Teaching the vegetables and birds write registration machine - Advanced (note that the senior saying this is just a difficulty for the occasion of the rookie) heya, I am coming again! Still the 3rd Crackme of the series. Download: http://opencrackmes.crackmes.de/ope...ckmes/k4n3.zip with W32DASM, (you can first explain later)
Code:
: 004011BF 6A45 Push 00000045
: 004011C1 50 Push EAX
004011C2 A4 MOVSB
* Reference to: user32.getdlgitemtexta, Ord: 0104h
|
: 004011C3 8B3DA8404000 MOV EDI, DWORD PTR [004040A8]; Note that the address is placed in EDI
* Possible Reference to Dialog: Dialogid_0065, Control_ID: 03E8, ""
|
004011C9 68E8030000 Push 000003E8
004011 CE 51 PUSH ECX
: 004011CF FFD7 Call EDI; actually Call getdlgitemtexta, get username
: 004011D1 8BF0 MOV ESI, EAX
: 004011D3 85F6 Test ESI, ESI
: 004011D5 0F844B010000 JE 00401326
: 004011DB 83FE40 CMP ESI, 00000040
004011DE 0F8742010000 JA 00401326
: 004011E4 8B4508 MOV EAX, DWORD PTR [EBP 08]
: 004011E7 8D5594 LEA EDX, DWORD PTR [EBP-6C]
004011116000013
: 004011EC 52 Push EDX
* Possible Reference to Dialog: Dialogid_0065, Control_ID: 03E9, ""
|
004011ED 68E9030000 Push 000003E9
: 004011F2 50 Push EAX
: 004011F3 FFD7 Call EDI; Call GetdlgiteMtext again to get the registration code
: 004011F5 6BC003 Imul Eax, 00000003; EAX is the length of the registration code
: 004011F8 C1E002 SHL EAX, 02; Left shift two
: 004011FB 05CD000000 Add Eax, 000000CD; Plus 0CD
: 00401200 8945FC MOV DWORD PTR [EBP-04], EAX
: 00401203 817DFCA5010000 CMP DWORD PTR [EBP-04], 000001A5; See if the calculation result is 1A5: 0040120A 0F85BC000000 JNE 004012CC; not death, can be reversed (1A5-0CD) >> 2 = 12
: 00401210 33c0 xor EAX, EAX; 即 registration code cannot be less than 12 h
: 00401212 8A4594 MOV AL, BYTE PTR [EBP-6C]
: 00401215 84C0 TEST Al, Al
004017 7413 JE 0040122C
: 00401219 8D4D94 LEA ECX, DWORD PTR [EBP-6C]
* Reference by A (u) Nconditional OR (C) ONDITIONAL JUMP AT ATDRESS:
|: 0040122A (c)
|
: 0040121C 3C30 CMP AL, 30
: 0040121E 0F82C6000000 JB 004012EA; Registration code must not be less than 30 h, ie '0'
: 00401224 8A4101 MOV Al, Byte PTR [ECX 01]
: 00401227 41 INC ECX
: 00401228 84C0 Test Al, Al
: 0040122A 75F0 JNE 0040121C
* Reference by A (u) Nconditional OR (C) ONDITIONAL JUMP AT ATDRESS:
|: 00401217 (C)
|
: 00401222C E8cffdffff Call 00401000; What is this? It seems to be important, go in and see!
: 00401231 8D852Cfffffff Lea Eax, DWORD PTR [EBP FFFFFF2C]
: 00401237 50 Push EAX
: 00401238 E843FeffFf Call 00401080; Conversion Process First, Follow
: 0040123D 8945FC MOV DWORD PTR [EBP-04], EAX
: 00401240 E8BBFDFFFF CALL 00401000; Is it still going? Yeah ... Don't hit me!
: 00401245 8D8D2Cfffffff LEA ECX, DWORD PTR [EBP FFFFFF2C]
0040124B 56 Push ESI
: 0040124C 51 Push ECX
: 0040124D E8Befdffff Call 00401010
: 00401252 83C40C Add ESP, 0000000C
: 00401255 33C9 XOR ECX, ECX
* Reference by A (u) Nconditional OR (C) ONDITIONAL JUMP AT ATDRESS:
|: 00401284 (C)
|
: 00401257 8B45FC MOV EAX, DWORD PTR [EBP-04] /: 0040125A 33D2 XOR EDX, EDX |
: 0040125C BE1A000000 MOV ESI, 0000001A |
: 00401261 F7F6 DIV ESI |
: 00401263 8A941510ffffff MoV DL, Byte PTR [EBP EDX-000000F0]
: 0040126A 88540DC8 MOV BYTE PTR [EBP ECX-38], DL |
: 0040126E 8B45FC MOV EAX, DWORD PTR [EBP-04] |
: 00401271 C1E003 SHL EAX, 03 | --- Two conversion processes
: 00401274 BA45230100 MOV EDX, 00012345 |
: 00401279 F7E8 Imul EAX |
: 0040127B 03C2 Add Eax, EDX |
: 0040127D 8945FC MOV DWORD PTR [EBP-04], EAX |
: 00401280 41 INC ECX |
: 00401281 83F912 CMP ECX, 00000012 |
: 00401284 72D1 JB 00401257 /
: 00401286 E875FDffff Call 00401000
: 0040128B 33c0 xor Eax, EAX
* Reference by A (u) Nconditional OR (C) ONDITIONAL JUMP AT ATDRESS:
|: 004012A2 (C)
|
: 0040128D 8A4C0594 MOV CL, BYTE PTR [EBP EAX-6C] /
00401291 8A5405C8 MOV DL, BYTE PTR [EBP EAX-38] |
: 00401295 80E930 SUB Cl, 30 |
: 00401298 32D1 XOR DL, CL | --- Transition process three
: 0040129A 885405C8 MOV BYTE PTR [EBP EAX-38], DL |
: 0040129E 40 Inc EAX |
: 0040129F 83F812 CMP EAX, 00000012 |
: 004012A2 72E9 JB 0040128D /
: 004012A4 E857FDFFFFFF CALL 00401000: 004012A9 8D55C8 LEA EDX, DWORD PTR [EBP-38]
: 004012AC 52 Push EDX
: 004012AD E85EFEFFFFFFFFFF CALL 00401110; Transition process four
: 004012B2 E849FDffff Call 00401000
: 004012B7 8D45C8 LEA EAX, DWORD PTR [EBP-38]
* Possible StringData Ref from data obj -> "keygenning4newbies"
|
: 004012BA 6814514000 Push 00405114; Fixed string "keygenning4newbies"
: 004012BF 50 Push Eax; String of the above conversion
: 004012C0 E86BFEFFF CALL 00401130; Comparison
: 004012C5 83C40C Add ESP, 0000000C
: 004012C8 85C0 Test Eax, EAX
: 004012CA 753C JNE 00401308; Key jump
Find a stroke reference, and then easily find the key jump. It can be found that it is judged to EAX, in general, this EAX is the return value of the above CALL. Look at the top of the call, there are two push, guess what? It should be compared to the string. It can be seen in the above, 405114 is a fixed string "keygennig4newbies". Dynamic follows Eax, it is, it is also a string of the same length. At this time, it is almost certain that this EAX is the result of our username and registration code for some kind of operation. Then we look at it and follow: From the front method, find the beginning of this function, start some initialized stuff, look down, you can find an API: getdlgitemtext this API is guess from the name, it is the getDlgitem we introduced. And getWindowText and "Meet" specifically explained the information, I don't write. It is worth mentioning that the program puts the address of this Call in EDI, and only Call EDI is used each time, this is the optimization method of the translator when calling the same API, pay attention! After calling this API, the return value is the length of the text, and then some calculations are performed on the length of the registration code (the comment is above), we can refer to the length of the registration code is 12 h (more than 12h bits can, Because only the first 12 h). Then a call 401000, I intuitive this is an important call, the result is followed by:! @ # $%, Just clear a few registers, this tells us: Intuitive will have an error, the code is only wrong It is the only standard for testing truth. One of the CALL 401080 below is in front of it is our username. I intuitive feelings have problems. Take a look, this is right:
Code:
* REFERENECED by A Call at address:
|: 00401238
|
: 00401080 55 Push EBP: 00401081 8BEC MOV EBP, ESP
0040108 51 PUSH ECX
00401084 53 PUSH EBX
00401085 56 PUSH ESI
: 00401086 57 Push EDI
* Possible stringdata ref from data obj -> "eheh"
|
004052: 004050 PUSH 00405080
0040108C 6A00 Push 00000000
: 0040108E E8adfffffff Call 00401040; This Call has a problem
00401088408 Add ESP 00000000008
: 00401096 8BD8 MOV EBX, EAX
: 00401098 E863FFFFF CALL 00401000
* Possible StringData Ref from data obj -> "is a whore."
|
: 0040109D BF70504000 MOV EDI, 00405070
: 004010A2 83C9FF or ECX, ffffffffF
: 004010A5 33C0 XOR EAX, EAX
: 004010A7 F2 REPNZ
004010A8 AE SCASB
: 004010A9 F7D1 NOT ECX
: 004010AB 2BF9 SUB EDI, ECX
: 004010AD 8BF7 MOV ESI, EDI
004010AF 8B7D08 MOV EDI, DWORD PTR [EBP 08]
: 004010B2 8BD1 MOV EDX, ECX
: 004010B4 83C9FF or ECX, ffffffffff
: 004010B7 F2 RepNZ
004010B8 AE SCASB
: 004010B9 8BCA MOV ECX, EDX
: 004010BB 4F Dec Edi
: 004010BC C1E902 SHR ECX, 02
: 004010BF F3 REPZ
: 004010C0 A5 MOVSD
: 004010C1 8BCA MOV ECX, EDX
004010, China: 004010
: 004010C6 F3 REPZ
: 004010C7 A4 MOVSB
: 004010C8 33FF XOR EDI, EDI: 004010CA 33F6 XOR ESI, ESI; above this section is not a little dizzy, it doesn't matter, just look
* Reference by A (u) Nconditional OR (C) ONDITIONAL JUMP AT ATDRESS:
| 004010F6 (C)
|
: 004010CC 8B4508 MOV EAX, DWORD PTR [EBP 08]
: 004010CF 50 Push Eax; D EAX here is what is, Roba Is A Whore.
: 004010D0 56 PUSH ESI; ESI each time plus 4, starting from the first ESI
: 004010D1 E86AFFFFFFFFFFFFFFF CALL 00401040; Or above
: 004010D6 8B8E30504000 MOV ECX, DWORD PTR [ESI 00405030]; This is also a table, from the inside
: 004010DC 83C408 Add ESP, 00000008
: 004010DF 33CF XOR ECX, EDI
: 004010E1 03C1 Add Eax, ECX
: 004010E3 8945FC MOV DWORD PTR [EBP-04], EAX
: 004010E6 C145FC07 ROL DWORD PTR [EBP-04], 07; ROL is a "scrolling" shift
: 004010EA 8B45FC MOV EAX, DWORD PTR [EBP-04]
: 004010ED 83C604 Add ESI 0000004
004010F0 33D8 XOR EBX, EAX; Do some operations, EBX was originally "EHEH" = 68656865
: 004010F2 47 Inc EDI
: 004010F3 83FE40 CMP ESI, 00000040; ESI each time plus 4, so this is calculated 10H = 16 times
: 004010F6 7CD4 JL 004010CC; Here is a cycle calculation
: 004010F8 5F POP EDI
: 004010F9 8BC3 MOV EAX, EBX
004010FB 5E POP ESI
: 004010FC 5B POP EBX
: 004010FD 8BE5 MOV ESP, EBP
: 004010FF 5D POP EBP
: 00401100 C3 RET
Oh, don't be afraid, this is the most complicated operation of the entire program. It's just a simple one to press it in a "EHEH", one 0, then a call 401040, I follow up. . . . Don't worry, what is the return value? Well, EAX = 68656865. I have practiced so much, is your "death" to practice? How does this EAX have such a don't say, it is "EHEH" to fall. 'e' = 65h, 'h' = 68h. Of course, if you don't see it, keep it more insurance. Town down, a string "is a whore." (Whore means, my English is too dish) Next, it is faltering. Remember that REPNZ SCASB / RepNZ MOVSD is often calculated by strings. We don't count three or two, first walk, see how the results are seen. Down to 4010CF when D EAX. Oh, it is "Roba IS A Whore." (What does it mean? It is not yelling at me). It can be seen that the above is to connect the user name to a "is a whore.", So that you don't understand may wish to jump in the past, but it is often very clear. Next is a loop. Also used Call 401040. This time is the value from the string "Roba IS A Whore.", The second parameter ESI adds 4, it can be seen that it is controlled from the first few characters. It can be seen from the end of the cycle to be considered for 10 h. After the four characters are removed from the strings, then from a value from [405030], some calculations are performed from a value, and the results are performed with EBX, (EBX was originally 68656865). The value returned by this Call is EBX calculated by 10 h. (This is more chaotic, it is not very good, you will understand how you follow, please see how my registrar is realized. Or directly find me) Ok, let's come out, go down, Return to [EBP-4], clear some registers, and come to a loop. (Process 2) code:
: 00401257 8B45FC MOV EAX, DWORD PTR [EBP-04]; initial here is the result of the above process
: 0040125A 33D2 XOR EDX, EDX
0040125C BE1A000000 MOV ESI @0000001A
: 00401261 F7F6 DIV ESI; divide 1ah = 26
: 00401263 8A941510FFFFFFFFFFF DL, BYTE PTR [EBP EDX-000000F0]; according to the remainder from the table
: 0040126A 88540DC8 MOV BYTE PTR [EBP ECX-38], DL; Make the obtained value into a string
: 0040126E 8B45FC MOV EAX, DWORD PTR [EBP-04]
00401271 C1E003 SHL Eax, 03
: 00401274 BA45230100 MOV EDX, 00012345
: 00401279 F7E8 Imul EAX
: 0040127B 03C2 Add Eax, EDX; Do some calculations, ready for the next time: 0040127D 8945FC MOV DWORD PTR [EBP-04], EAX
: 00401280 41 INC ECX; ECX is a cyclic variable
: 00401281 83F912 CMP ECX, 00000012; A total of 12h = 18 times
: 00401284 72D1 JB 00401257
Let's talk about the DIV division operation. It puts the merchants in Eax, the remainder is placed in EDX. Here we can see divided by 1AH 26. [EBP-F0] See is why, haha is a character table "AbcdefghijklmnopqrStuvwxyz". The remainder is removed from this table (just divided by 26). Then put the removed characters in the [EBP ECX-38], because ECX is incremented, which forms a new string. There is also a point for the following calculations. Imul eax, two 32-bit number multiply, which will be 64-bit, and the result of the high 32 bits are placed in EDX, and the low 32 is put into EAX, must pay attention! Let's go to the process three:
Code:
: 0040128D 8A4C0594 MOV CL, BYTE PTR [EBP EAX-6C]; loop take fake registration code
: 00401291 8A5405C8 MOV DL, BYTE PTR [EBP EAX-38]; Result Strings
: 00401295 80E930 SUB CL, 30
: 00401298 32D1 XOR DL, CL
: 0040129A 885405C8 MOV BYTE PTR [EBP EAX-38], DL
: 0040129E 40 Inc EAX; EAX is a cyclic variable
: 0040129F 83F812 CMP EAX, 00000012; Or 18
: 004012A2 72E9 JB 0040128D
Another loop, EAX is a loop variable, [EBP-38] Remember what is the new string that the process is obtained. [EBP-6C], in far, it is our fake registration code. Use EAX to control a character each time, then (false code character -30h) xor new string of characters, the generated new string is also placed in [EBP-38]. Ok, don't halt, below: LEA EDX, [EBP-38]. At this time, EDX is a new string of process three generations, and then presses, and then Call 401110. Follow-up process four:
Code:
: 00401110 8B4C2404 MOV ECX, DWORD PTR [ESP 04]; [ESP 4] is the string of the above push
: 00401114 33C0 XOR EAX, EAX
* Reference by A (u) Nconditional OR (C) ONDITIONAL JUMP AT ATDRESS:
|: 00401122 (C)
|
: 00401116 8A1408 MOV DL, BYTE PTR [EAX ECX]; new strings generated in the process three: 00401119 32D0 XOR DL, Al; and cyclic variable xor
: 0040111B 881408 MOV BYTE PTR [EAX ECX], DL; put the result
: 0040111E 40 Inc EAX
: 0040111F 83F812 CMP EAX, 00000012; EAX is a cyclic variable, calculated 12H = 18 times
0040112 72F2 JB 00401116
: 00401124 C3 RET
This is relatively simple. Cheers! The final result is finally out, and then judges that this final result is not a fixed string. Of course, our harsh input can't get the string "Keygenning4Newbies". So what should I do? Process one and process two are calculations for usernames, which is not reversible. That is to say, from the username N to calculate a new string K, we can't calculate N (I think so, even if it should be reversible), it can be expressed as F12 (N) = k. Then the new strings K and the registration code S are referenced, and a new string K 'is obtained. This is the process three, this calculation can be reversible (do not understand? I have finally explained). F3 (k, s) = k '. Then, a k '' is obtained from K '(the process four, and it is also reversible). Finally, it is determined that this k '' is equal to the fixed string, that is, it is determined whether f4 (k ') = k' '= "keyning4newbies". When we write a registration machine, since the process one and two (F12) are irreversible, we will pick it up to get K, then you can follow "Keygenning 4Newbies" reverse ("keygenning4newbies") = k ' '. Final F2 can be reversible, so F3 '(k, k, k, k, k, k,) = s can be obtained. This, the registration code S is obtained according to the user name. (I don't know if you understand, I have said that I am fainted. This symbol indicates true trouble. In fact, just think I want to find it very simple.) Registrar: (c, write is very bad, you will be)
Code:
#include
#include
#include
void main ()
{
Unsigned int iex, IEBX, I;
Char st [] = "keygenning4newbies";
Char alpha [] = "abcdefghijklmnopqrstuvwxyz"; // process two tables used
CHAR Name [70] = {0};
INT ST1 [] = {
0x12, 0x5c, 0x34, 0x22, 0xAb, 0x9d, 0x54, 0x00,
0x66, 0x31, 0x78, 0x73, 0xcf // process
}
CHAR ST2 [20] = {0};
Char Password [20] = {0};
Printf ("" "," ",", "% s", name);
STRCAT (Name, "IS A Whore.");
IEBX = 0x68656865;
For (i = 0; i <16; i )
{
IEAX = (Name [i * 4]) | (Name [i * 4 1] << 8) |
(Name [i * 4 2] << 16) | (Name [i * 4 3] << 24);
IEAX = (ST1 [i] ^ i);
IEAX = (IEAX << 7) | (IEAX >> 25); // I use this to repose ROL
IEBX ^ = IEAX;
} // process one
IEAX = IEBX;
For (i = 0; i <0x12; i )
{
INT K = IEAX% 26;
ST2 [I] = alpha [k];
__ASM
{
MOV EAX, IEAX
SHL EAX, 3
Mov EDX, 12345H
Imul EAX
Add Eax, EDX
MOV IEAX, EAX
} // use compilation
} // process two
For (i = 0; i <18; i )
ST [i] = ST [i] ^ i; // process four counter
For (i = 0; i <18; i )
{
Password [i] = ST2 [i] ^ ST [i];
Password [i] = 0x30;
} // process three inverse accounting, get the registration code
Printf ("Your Serial Number IS: / N% S / N", Password);
Printf ("Keygen By Roba / Nenjoy CRACKING! / N");
}
