Teaching newbies to write a keygen - intermediate

xiaoxiao  2021-03-06

My last article (not so much a cracking article as a crappy one) got lost; I will append it after this post. This one is the intermediate level, which in practice means only a little harder. Now back to the subject. It is the same series as before; download: http://opencrackmes.crackmes.de/ope...ckmes/k4n2.zip. Run it: it looks exactly the same as the last one. Disassemble it and the first part is almost identical too (GetDlgItem, GetWindowText), so I will not repeat that; go straight to the listing below, and note that [EBP-2C] holds the length of the username. (You can skip the listing and jump to the explanation that follows it.)

Code:

:004010ED 837DD403          CMP DWORD PTR [EBP-2C], 00000003
:004010F1 0F8E38010000      JLE 0040122F                  ; username must be longer than 3 characters
:004010F7 33D2              XOR EDX, EDX
:004010F9 33DB              XOR EBX, EBX
:004010FB 8B55D4            MOV EDX, DWORD PTR [EBP-2C]
:004010FE 0155C4            ADD DWORD PTR [EBP-3C], EDX
:00401101 0155C4            ADD DWORD PTR [EBP-3C], EDX   ; [EBP-3C] computed here
:00401104 8BC2              MOV EAX, EDX
:00401106 83C005            ADD EAX, 00000005
:00401109 8945B8            MOV DWORD PTR [EBP-48], EAX   ; [EBP-48] computed here
:0040110C 33C0              XOR EAX, EAX
:0040110E 8BCF              MOV ECX, EDI
:00401110 83C104            ADD ECX, 00000004
:00401113 894DB4            MOV DWORD PTR [EBP-4C], ECX   ; [EBP-4C] computed here
:00401116 33C9              XOR ECX, ECX
:00401118 0155BC            ADD DWORD PTR [EBP-44], EDX
:0040111B 017DBC            ADD DWORD PTR [EBP-44], EDI   ; [EBP-44] computed here
:0040111E 6BFF03            IMUL EDI, 00000003
:00401121 897DC0            MOV DWORD PTR [EBP-40], EDI   ; [EBP-40] computed here
:00401124 33FF              XOR EDI, EDI
:00401126 0FBE8C0544FFFFFF  MOVSX ECX, BYTE PTR [EBP+EAX-000000BC]
:0040112E 83F961            CMP ECX, 00000061
:00401131 7C07              JL 0040113A
:00401133 90                NOP
:00401134 90                NOP
:00401135 90                NOP
:00401136 90                NOP
:00401137 83E920            SUB ECX, 00000020

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401131(C)
|
:0040113A 8BF1              MOV ESI, ECX
:0040113C 03DE              ADD EBX, ESI
:0040113E 0FAFD9            IMUL EBX, ECX
:00401141 4A                DEC EDX

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401178(C)
|
:00401142 0FBE8C2F44FFFFFF  MOVSX ECX, BYTE PTR [EDI+EBP-000000BC]
:0040114A 0FBEB42F45FFFFFF  MOVSX ESI, BYTE PTR [EDI+EBP-000000BB]
:00401152 83F961            CMP ECX, 00000061
:00401155 7D12              JGE 00401169
:00401157 90                NOP
:00401158 90                NOP
:00401159 90                NOP
:0040115A 90                NOP

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040116C(U)
|
:0040115B 83FE61            CMP ESI, 00000061
:0040115E 7D0E              JGE 0040116E
:00401160 90                NOP
:00401161 90                NOP
:00401162 90                NOP
:00401163 90                NOP
:00401164 EB0B              JMP 00401171
:00401166 90                NOP
:00401167 90                NOP
:00401168 90                NOP

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401155(C)
|
:00401169 83E920            SUB ECX, 00000020
:0040116C EBED              JMP 0040115B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040115E(C)
|
:0040116E 83EE20            SUB ESI, 00000020

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401164(U)
|
:00401171 47                INC EDI
:00401172 03DE              ADD EBX, ESI
:00401174 0FAFD9            IMUL EBX, ECX
:00401177 4A                DEC EDX
:00401178 75C8              JNE 00401142
:0040117A 895DC8            MOV DWORD PTR [EBP-38], EBX   ; [EBP-38] computed here
:0040117D 33C9              XOR ECX, ECX
:0040117F 33D2              XOR EDX, EDX
:00401181 33DB              XOR EBX, EBX
:00401183 33C0              XOR EAX, EAX
:00401185 837DD432          CMP DWORD PTR [EBP-2C], 00000032
:00401189 0F8DA0000000      JNL 0040122F                  ; username must be shorter than 50 characters

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040119F(C)
|
:0040118F 0FBE840D44FFFFFF  MOVSX EAX, BYTE PTR [EBP+ECX-000000BC]
:00401197 03C1              ADD EAX, ECX
:00401199 03D8              ADD EBX, EAX
:0040119B 41                INC ECX
:0040119C 3B4DD4            CMP ECX, DWORD PTR [EBP-2C]
:0040119F 75EE              JNE 0040118F
:004011A1 D1C0              ROL EAX, 1
:004011A3 3540E20100        XOR EAX, 0001E240
:004011A8 8945B0            MOV DWORD PTR [EBP-50], EAX   ; [EBP-50] computed here
:004011AB 33C9              XOR ECX, ECX
:004011AD 33D2              XOR EDX, EDX
:004011AF 33DB              XOR EBX, EBX
:004011B1 33C0              XOR EAX, EAX

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011C6(C)
|
:004011B3 0FBE840D44FFFFFF  MOVSX EAX, BYTE PTR [EBP+ECX-000000BC]
:004011BB 6BD006            IMUL EDX, EAX, 00000006
:004011BE 33C2              XOR EAX, EDX
:004011C0 03D8              ADD EBX, EAX
:004011C2 41                INC ECX
:004011C3 3B4DD4            CMP ECX, DWORD PTR [EBP-2C]
:004011C6 75EB              JNE 004011B3
:004011C8 035DB0            ADD EBX, DWORD PTR [EBP-50]
:004011CB 895DAC            MOV DWORD PTR [EBP-54], EBX   ; [EBP-54] computed here
:004011CE FF75C0            PUSH [EBP-40]
:004011D1 FF75C4            PUSH [EBP-3C]
:004011D4 FF75BC            PUSH [EBP-44]
:004011D7 FF75C8            PUSH [EBP-38]
:004011DA FF75B4            PUSH [EBP-4C]
:004011DD FF75B8            PUSH [EBP-48]
:004011E0 FF75AC            PUSH [EBP-54]
:004011E3 FF75B0            PUSH [EBP-50]

* Possible StringData Ref from Data Obj ->"%lx%lu-%lu%lx-%lu%lu-%lx%lx"
|
:004011E6 6838B44000        PUSH 0040B438
:004011EB 8D857CFEFFFF      LEA EAX, DWORD PTR [EBP+FFFFFE7C]
:004011F1 50                PUSH EAX
:004011F2 E88D3D0000        CALL 00404F84                 ; wsprintfA()
:004011F7 83C428            ADD ESP, 00000028
:004011FA 8D957CFEFFFF      LEA EDX, DWORD PTR [EBP+FFFFFE7C]
:00401200 52                PUSH EDX
:00401201 8D8DE0FEFFFF      LEA ECX, DWORD PTR [EBP+FFFFFEE0]
:00401207 51                PUSH ECX

* Reference To: KERNEL32.lstrcmpA, Ord:0000h
|
:00401208 E8399C0000        CALL 0040AE46                 ; the comparison
:0040120D 85C0              TEST EAX, EAX
:0040120F 750F              JNE 00401220                  ; key jump

Use the method from my last article: find the string reference, then look upward from it for the key jump. I will not walk through that process again; see whether you can find it yourself. Yes, it is 40120F. Look a little higher and there is an lstrcmp, which, as I said last time, is a string comparison, so the two PUSHes right before it are the two strings being compared. Break here and look at both: d ecx shows the fake registration code we typed in, and d edx shows a long string, which is of course the real registration code. Now let us see where that registration code comes from:

:004011CE FF75C0            PUSH [EBP-40]
:004011D1 FF75C4            PUSH [EBP-3C]
:004011D4 FF75BC            PUSH [EBP-44]
:004011D7 FF75C8            PUSH [EBP-38]
:004011DA FF75B4            PUSH [EBP-4C]
:004011DD FF75B8            PUSH [EBP-48]
:004011E0 FF75AC            PUSH [EBP-54]
:004011E3 FF75B0            PUSH [EBP-50]

* Possible StringData Ref from Data Obj ->"%lx%lu-%lu%lx-%lu%lu-%lx%lx"
|
:004011E6 6838B44000        PUSH 0040B438
:004011EB 8D857CFEFFFF      LEA EAX, DWORD PTR [EBP+FFFFFE7C]
:004011F1 50                PUSH EAX                      ; the result lands in [EBP+FFFFFE7C]
:004011F2 E88D3D0000        CALL 00404F84                 ; this CALL is really wsprintfA
:004011F7 83C428            ADD ESP, 00000028

So: "%lx%lu-%lu%lx-%lu%lu-%lx%lx". Remember that last time's example had a single "%lx"; this one is more involved, but do not worry, it is still simple. As I said last time, "%lx" prints a value as hexadecimal, and "%lu" prints it as an ordinary unsigned decimal. Look at the pile of arguments PUSHed above: the [EBP-XX] forms are local variables of the function, and printed in these formats they make up the real registration code. Since wsprintf is cdecl, the arguments are pushed right to left, so the last PUSH, [EBP-50], is the first "%lx" field and the first PUSH, [EBP-40], is the last one. The next goal, of course, is to work out how these eight variables are calculated. Keep in mind which ones they are. From the beginning:

Code:

:004010FB 8B55D4            MOV EDX, DWORD PTR [EBP-2C]   ; EDX = [EBP-2C], the username length n
:004010FE 0155C4            ADD DWORD PTR [EBP-3C], EDX   ; [EBP-3C] is one of the important variables
:00401101 0155C4            ADD DWORD PTR [EBP-3C], EDX   ; [EBP-3C] = 2n, see?
:00401104 8BC2              MOV EAX, EDX
:00401106 83C005            ADD EAX, 00000005
:00401109 8945B8            MOV DWORD PTR [EBP-48], EAX   ; [EBP-48] = n + 5, also an important variable
:0040110C 33C0              XOR EAX, EAX
:0040110E 8BCF              MOV ECX, EDI                  ; EDI holds the constant 64F4F0
:00401110 83C104            ADD ECX, 00000004
:00401113 894DB4            MOV DWORD PTR [EBP-4C], ECX   ; [EBP-4C] = 64F4F4
:00401116 33C9              XOR ECX, ECX
:00401118 0155BC            ADD DWORD PTR [EBP-44], EDX
:0040111B 017DBC            ADD DWORD PTR [EBP-44], EDI   ; [EBP-44] = 64F4F0 + n
:0040111E 6BFF03            IMUL EDI, 00000003
:00401121 897DC0            MOV DWORD PTR [EBP-40], EDI   ; [EBP-40] = 64F4F0 * 3

These calculations are simple, and five of the variables are already settled. ([EBP-3C] and [EBP-44] are only ever ADDed to here, so they must have been zeroed earlier in the function for the results to be 2n and 64F4F0 + n.) What I never understood is what EDI has to do with our input: I changed the username and the registration code and it did not change, so I treat it as a constant. Experts, please enlighten me.

Code:

:00401126 0FBE8C0544FFFFFF  MOVSX ECX, BYTE PTR [EBP+EAX-000000BC]   ; [EBP-BC] is the username, EAX is the index
:0040112E 83F961            CMP ECX, 00000061
:00401131 7C07              JL 0040113A                   ; below 61h ('a'): skip the subtraction
:00401137 83E920            SUB ECX, 00000020             ; otherwise subtract 20h: a lowercase letter becomes uppercase

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401131(C)
|
:0040113A 8BF1              MOV ESI, ECX                  ; ECX is the first character of the username
:0040113C 03DE              ADD EBX, ESI                  ; EBX = ECX (EBX was zero)
:0040113E 0FAFD9            IMUL EBX, ECX                 ; so EBX = ECX * ECX
:00401141 4A                DEC EDX                       ; EDX is the loop counter, now n - 1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401178(C)
|
:00401142 0FBE8C2F44FFFFFF  MOVSX ECX, BYTE PTR [EDI+EBP-000000BC]   ; the earlier character
:0040114A 0FBEB42F45FFFFFF  MOVSX ESI, BYTE PTR [EDI+EBP-000000BB]   ; the following character; EDI is the index, so each pass takes two adjacent characters, the earlier into ECX and the later into ESI
:00401152 83F961            CMP ECX, 00000061
:00401155 7D12              JGE 00401169

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040116C(U)
|
:0040115B 83FE61            CMP ESI, 00000061
:0040115E 7D0E              JGE 0040116E                  ; the same case conversion is applied to both characters
:00401164 EB0B              JMP 00401171

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401155(C)
|
:00401169 83E920            SUB ECX, 00000020
:0040116C EBED              JMP 0040115B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040115E(C)
|
:0040116E 83EE20            SUB ESI, 00000020
:00401171 47                INC EDI                       ; advance the index
:00401172 03DE              ADD EBX, ESI                  ; EBX accumulates: add the later character
:00401174 0FAFD9            IMUL EBX, ECX                 ; then multiply by the earlier one
:00401177 4A                DEC EDX
:00401178 75C8              JNE 00401142                  ; done yet?
:0040117A 895DC8            MOV DWORD PTR [EBP-38], EBX   ; store the accumulated result in [EBP-38]

This part is a bit tangled. If it is not clear, read the keygen source at the end and it will be. Note that the case conversion here happens only on the register copies; the username in [EBP-BC] is never modified, so the two loops that follow still see the original characters. Now the next part:

Code:

:0040118F 0FBE840D44FFFFFF  MOVSX EAX, BYTE PTR [EBP+ECX-000000BC]   ; loop over the username
:00401197 03C1              ADD EAX, ECX                  ; EAX = character + its index ECX
:00401199 03D8              ADD EBX, EAX                  ; accumulate into EBX
:0040119B 41                INC ECX                       ; next index
:0040119C 3B4DD4            CMP ECX, DWORD PTR [EBP-2C]
:0040119F 75EE              JNE 0040118F                  ; loop until the whole name is consumed
:004011A1 D1C0              ROL EAX, 1                    ; rotate EAX left by one bit
:004011A3 3540E20100        XOR EAX, 0001E240             ; EAX XOR 1E240h
:004011A8 8945B0            MOV DWORD PTR [EBP-50], EAX

I believe you are familiar with this form by now: [EBP-BC] is the username, and an ECX loop fetches each character. Then look: ADD EAX, ECX / ADD EBX, EAX seems to be summing each character plus its index (ECX); ha, the author played a little joke here. The operations that follow are done on EAX, but the accumulated sum is in EBX, and EBX is never used again. So EAX is simply the last character of the username plus (length - 1). Then comes ROL, which is "rotate"; but because EAX is certainly small here, its highest bit is 0, so in the keygen I simply use a left shift (SHL). The result is stored in [EBP-50].

Code:

:004011B3 0FBE840D44FFFFFF  MOVSX EAX, BYTE PTR [EBP+ECX-000000BC]
:004011BB 6BD006            IMUL EDX, EAX, 00000006
:004011BE 33C2              XOR EAX, EDX
:004011C0 03D8              ADD EBX, EAX
:004011C2 41                INC ECX
:004011C3 3B4DD4            CMP ECX, DWORD PTR [EBP-2C]
:004011C6 75EB              JNE 004011B3
:004011C8 035DB0            ADD EBX, DWORD PTR [EBP-50]
:004011CB 895DAC            MOV DWORD PTR [EBP-54], EBX

I will not spell this part out; treat it as an exercise, it should be easy to follow by now. The result, the sum over every character of (character * 6) XOR character, plus [EBP-50], is stored in [EBP-54]. With all eight variables worked out, the keygen is easy too.

Code:

#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>

int main(void)
{
    int len, i;
    /* the eight locals of the crackme, kept as 32-bit unsigned so that the
       multiplications wrap exactly like the EBX register does */
    uint32_t ebp_40, ebp_3c, ebp_44, ebp_38, ebp_4c, ebp_48, ebp_54, ebp_50;
    uint32_t edi = 0x64f4f0;            /* the value seen in EDI, taken as a constant */
    char name[50] = {0};                /* char is signed on x86, matching MOVSX */

    printf("please input your name: ");
    if (scanf("%49s", name) != 1)
        return 1;
    len = (int)strlen(name);
    if (len <= 3 || len >= 50) {        /* the crackme's own checks at 4010F1 and 401189 */
        printf("the name must be 4 to 49 characters\n");
        return 1;
    }

    ebp_3c = len * 2;
    ebp_48 = len + 5;
    ebp_4c = edi + 4;
    ebp_44 = edi + len;
    ebp_40 = edi * 3;

    /* [EBP-50]: last character plus (len - 1), rotated left once, XOR 1E240h.
       ROL equals SHL here as long as the top bit is clear (ASCII names) */
    ebp_50 = (uint32_t)(len - 1 + name[len - 1]) << 1;
    ebp_50 ^= 0x1e240;

    /* [EBP-54]: sum of (c * 6) XOR c over the raw characters, plus [EBP-50] */
    ebp_54 = 0;
    for (i = 0; i < len; i++)
        ebp_54 += (uint32_t)((name[i] * 6) ^ name[i]);
    ebp_54 += ebp_50;

    /* [EBP-38] works on case-folded characters: subtract 20h from anything >= 'a' */
    for (i = 0; i < len; i++)
        if (name[i] >= 'a')
            name[i] -= 0x20;
    ebp_38 = (uint32_t)(name[0] * name[0]);
    for (i = 1; i < len; i++)
        ebp_38 = (ebp_38 + name[i]) * name[i - 1];

    /* same order and format as the crackme's wsprintf "%lx%lu-%lu%lx-%lu%lu-%lx%lx" */
    printf("Your password is: %" PRIx32 "%" PRIu32 "-%" PRIu32 "%" PRIx32
           "-%" PRIu32 "%" PRIu32 "-%" PRIx32 "%" PRIx32 "\n",
           ebp_50, ebp_54, ebp_48, ebp_4c, ebp_38, ebp_44, ebp_3c, ebp_40);
    printf("Keygen by Roba. Enjoy cracking!\n");
    return 0;
}

A working registration code: Name: RoBa, Serial: 1E288125744-964F4F4-29089574586616308-812EDED0. The name is case-sensitive (only [EBP-38] folds case; [EBP-50] and [EBP-54] use the raw characters), so this serial belongs to exactly that spelling. lstrcmpA is case-sensitive as well, so type the hex fields in the same case the crackme's own wsprintf prints them.
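As an added cross-check (this is not code from the original post or from the crackme's author), here is the same keygen in Python, written to follow the registers exactly rather than taking the shortcuts the C version takes: every load of the name is a MOVSX, so bytes above 7Fh go negative; all arithmetic is masked to 32 bits the way EBX wraps; and ROL is a real rotate, which differs from the SHL shortcut only when the top bit of EAX is set (a name whose last byte is above 7Fh). The value 64F4F0h is the EDI constant the post observed; whether it is truly fixed is left open by the post and is an assumption here, as is that the name reaches the crackme as single-byte ANSI. The check function mirrors the crackme's decision path: the two length gates, then a case-sensitive comparison against the generated string.

```python
# Added example (not code from the original post): a register-exact Python
# keygen for the k4n2 crackme, built from the listing above, plus a checker
# that mirrors the crackme's accept/reject path.
MASK32 = 0xFFFFFFFF
EDI_CONST = 0x64F4F0      # the value the author observed in EDI and treats as constant
XOR_CONST = 0x0001E240    # immediate at 004011A3


def movsx(b: int) -> int:
    """MOVSX reg, BYTE PTR [...]: a byte >= 80h becomes a negative 32-bit value."""
    return b - 0x100 if b >= 0x80 else b


def rol32(x: int, n: int) -> int:
    """ROL on a 32-bit register; only equals SHL while the top bit is clear."""
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def fold_case(c: int) -> int:
    """The CMP 61h / SUB 20h sequence: anything >= 'a' has 20h subtracted."""
    return c - 0x20 if c >= 0x61 else c


def keygen(name: bytes) -> str:
    """Rebuild the string the crackme hands to lstrcmpA (hex in lowercase, as %lx prints)."""
    n = len(name)
    if not 3 < n < 0x32:                      # JLE at 004010F1 / JNL at 00401189 reject otherwise
        raise ValueError("username must be 4 to 49 characters")
    chars = [movsx(b) for b in name]          # every load of the name is a MOVSX

    ebp_3c = (2 * n) & MASK32
    ebp_48 = (n + 5) & MASK32
    ebp_4c = (EDI_CONST + 4) & MASK32
    ebp_44 = (EDI_CONST + n) & MASK32
    ebp_40 = (EDI_CONST * 3) & MASK32

    # [EBP-38]: first char squared, then (acc + later) * earlier over adjacent pairs.
    # The case fold happens on register copies; the name buffer itself is untouched.
    up = [fold_case(c) for c in chars]
    ebx = (up[0] * up[0]) & MASK32
    for i in range(1, n):
        ebx = ((ebx + up[i]) * up[i - 1]) & MASK32
    ebp_38 = ebx

    # [EBP-50]: EAX leaves the loop holding last char + (n - 1); ROL 1; XOR 1E240h
    eax = (chars[-1] + (n - 1)) & MASK32
    ebp_50 = rol32(eax, 1) ^ XOR_CONST

    # [EBP-54]: sum of (6*c) XOR c over the raw (unfolded) characters, plus [EBP-50]
    ebx = 0
    for c in chars:
        eax = c & MASK32
        edx = (eax * 6) & MASK32              # IMUL EDX, EAX, 6
        ebx = (ebx + (eax ^ edx)) & MASK32
    ebp_54 = (ebx + ebp_50) & MASK32

    # wsprintfA("%lx%lu-%lu%lx-%lu%lu-%lx%lx", ...): arguments are pushed right to
    # left, so the last PUSH ([EBP-50]) becomes the first field
    return (f"{ebp_50:x}{ebp_54}-{ebp_48}{ebp_4c:x}"
            f"-{ebp_38}{ebp_44}-{ebp_3c:x}{ebp_40:x}")


def check(name: bytes, serial: bytes) -> bool:
    """The crackme's decision: length gates, then a case-sensitive lstrcmpA against keygen(name)."""
    try:
        expected = keygen(name)
    except ValueError:
        return False
    return serial == expected.encode("ascii")


if __name__ == "__main__":
    import sys
    # assumption: the edit control delivers the name as single-byte ANSI (latin-1 here)
    user = sys.argv[1].encode("latin-1") if len(sys.argv) > 1 else b"RoBa"
    print(user.decode("latin-1"), "->", keygen(user))
```

For the name RoBa this reproduces the serial quoted above, with the hex fields in lowercase. Changing the case of any letter in the name changes [EBP-54] (and, for the last letter, [EBP-50]) even though [EBP-38] is unaffected, which is why the serial only matches that exact spelling.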

When reposting, please credit the original: https://www.9cbs.com/read-99086.html
