2025-04-11 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This is the first in the 160crackme series. I will put the download link at the end of the article; if you are interested, download it and try it yourself.
Let's open the file first.
The first thing that appears is a blatant taunt (a nag dialog). We will deal with it later.
There are three buttons. The one on the right looks simpler, so let's click it.
At this point we should form an idea of the program's overall structure. Even though it won't give us the flag directly, it helps the analysis a lot. Looking at the program, the left button probably generates a Serial from the Name field that is entered, while the right button (the one we just clicked) should check against a fixed registration code.
As usual, drop the file into PEiD first to check for a packer.
Hmm, it doesn't matter; a quick Baidu search shows what it is.
Fortunately it is not a packer but just the compiler signature, so we can ignore it and load the file straight into OllyDbg.
With a crackme that has a GUI like this, the usual difficulty is finding the main logic. Right-click -> Chinese search engine -> Intelligent search, then Ctrl+F to find the serial string.
That gives us the strings we need. The results show two error prompts, at 42FA5E and 42FB21, so let's set breakpoints at both and run the program.
This dialog box pops up first; let's put up with it for now.
Again click the button on the right and type anything.
Hmm, the breakpoints didn't trigger. This time we use the "Failed" string as our reference; the next breakpoint goes at 42F4F3.
This time we break, so the two "Try again" breakpoints we set at the start must belong to the left button. Ignoring those, let's analyze this code. In fact there is nothing much to analyze: there is only one key jump we need to pay attention to. To make the program "congratulate" us, select the key jump at 42F4D5, press Del to remove it, and confirm.
And then run it again.
Of course, we want to do much more than that. When software is updated the registration code often changes, but the algorithm that generates it usually does not, so the usual practice is to go on and find the routine that computes it. For the right button it should be just a fixed string, so our task is much simpler. Let's first restore this part (undo the patch), then look further up in the code to see what makes the jump execute.
As you can see, the string we entered is in EAX, so EDX should hold the fixed string we are looking for.
Let's remove the breakpoint and let the program run to check that the string is correct.
So this part is done! Let's go back to the main screen and take a look at the button on the left.
Set breakpoints at the two addresses found earlier, both of which reference the "Try again" string, and analyze the jumps at each in turn, starting with the first:
Here we see only an error prompt with no success prompt, and before the jump, at 42FA5A, there is a cmp instruction comparing EAX with 0x4. So this must be a check on the length of the string: if the length is less than 4, the program goes straight to "Try again". Let's look at the second breakpoint.
This part looks very familiar: it is exactly the same as the right button. Let's look at the contents at 42FAFB.
This is obviously the registration code we are looking for. Let's restart the program and try it out.
Correct. Now let's find the routine that generates it; before that, let's guess the flow of this part:
Input-> Test length-> encryption-> compare-> output result
If that guess is right, the encryption should sit between the two breakpoints. Let's find out.
Not far past the first breakpoint we find a very suspicious piece of code that operates on the string we entered and references some of the registration-code strings we found earlier, so this is probably the routine we are looking for. We restart the program with a breakpoint at 42FA87 to analyze this code.
In this way we have worked out the encryption routine and written a Python script that reproduces it.
That completes the analysis of the program. Now let's do some other things, such as removing the original dialog box.
Right-click -> Chinese search engine -> Intelligent search to find the string on the dialog box.
It's easy to find. Now let's find a way to get rid of this prompt box. There are two approaches: one is to Del (remove) the code that calls this function; the other is to modify the code so that, as soon as the function is entered, it jumps to 42f79c and exits. Whichever we choose, we must keep the stack balanced, or the program will crash. So let's set a breakpoint at 42F784 and run the program.
At this point the return address, i.e. the address of the code that called this function, is on the stack.
Here it is. Since there is no stack manipulation around this call, we can simply Del it, then right-click -> Copy to executable -> Selection; a window like this pops up.
Right-click -> Save file and save it, then open the patched file again to try the effect.
The program starts directly; the nag dialog has been eliminated!
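Both patches in this walkthrough (removing the key jump at 42F4D5 and removing the call to the nag-dialog function) rely on the same rule: replace a whole instruction, and keep the stack balanced. The following Python is an added example, not code from the original article; the code bytes, offsets and the exit offset it uses are constructed for illustration, and it assumes that Del in the debugger replaces the selected instruction with NOPs, as the stack-balance remark implies.

```python
"""NOP-patching and jump-patching instructions in a code image while keeping the stack balanced.

Added example; not code from the original article. The code bytes, offsets and
the exit offset used below are constructed for illustration only.
"""

NOP = 0x90
CALL_REL32 = 0xE8                        # call rel32, 5 bytes
JMP_REL8 = 0xEB                          # jmp rel8, 2 bytes
SHORT_JCC = {0x74: "jz", 0x75: "jnz"}    # jcc rel8, 2 bytes


def instruction_length(code: bytes, offset: int) -> int:
    """Length of the instruction at `offset`, for the few forms this example knows.

    A real tool would use a full x86 decoder; here we only need the forms the
    walkthrough patches (a conditional jump and a call) plus a short jmp.
    """
    op = code[offset]
    if op in SHORT_JCC or op == JMP_REL8:
        return 2
    if op == CALL_REL32:
        return 5
    raise ValueError(f"unsupported opcode {op:#04x} at offset {offset:#x}")


def nop_out(code: bytes, offset: int) -> bytes:
    """Replace the whole instruction at `offset` with NOPs.

    Stack balance: a `call` pushes the return address and the callee's `ret` pops it,
    so removing the entire call removes both halves at once and the stack is unchanged.
    A conditional jump touches no stack at all. Only a whole instruction may be
    replaced: NOPing part of one leaves a truncated instruction whose remaining
    bytes are decoded as garbage.
    """
    n = instruction_length(code, offset)
    return code[:offset] + bytes([NOP]) * n + code[offset + n:]


def patch_short_jump(code: bytes, offset: int, target: int) -> bytes:
    """Overwrite the bytes at `offset` with `jmp rel8` to `target` (the "exit on entry" approach).

    rel8 is relative to the end of the 2-byte jump, so rel = target - (offset + 2).
    Two things the patcher must check by hand:
      * the target must expect the same stack state as the entry point; jumping from
        before `push ebp` to an exit that executes `pop ebp; ret` pops the wrong
        value and the function returns to garbage;
      * the byte(s) after the new jump may be the tail of a clobbered instruction
        and must never be reachable from anywhere else in the function.
    """
    rel = target - (offset + 2)
    if not -128 <= rel <= 127:
        raise ValueError(f"target {target:#x} out of rel8 range from {offset:#x}")
    return code[:offset] + bytes([JMP_REL8, rel & 0xFF]) + code[offset + 2:]


def diff_bytes(original: bytes, patched: bytes) -> list[tuple[int, int, int]]:
    """List (offset, old, new) for every changed byte: the record to keep before saving a patched file."""
    if len(original) != len(patched):
        raise ValueError("patched image must keep its size")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]


# Constructed fragment (not taken from the crackme) mimicking the shapes seen in the
# walkthrough: a call to a nag-dialog function, a length check and a key jump.
SAMPLE = bytes([
    0x55,                           # 0x00: push ebp
    0x8B, 0xEC,                     # 0x01: mov ebp, esp
    0xE8, 0x10, 0x00, 0x00, 0x00,   # 0x03: call +0x10   (nag dialog)
    0x3D, 0x04, 0x00, 0x00, 0x00,   # 0x08: cmp eax, 4   (length check)
    0x74, 0x05,                     # 0x0D: jz +5        (key jump)
    0x5D,                           # 0x0F: pop ebp
    0xC3,                           # 0x10: ret
])

if __name__ == "__main__":
    no_nag = nop_out(SAMPLE, 0x03)              # remove the call, stack unchanged
    always_fall_through = nop_out(SAMPLE, 0x0D)  # remove the key jump
    exit_on_entry = patch_short_jump(SAMPLE, 0x00, 0x10)  # jump straight to `ret`, skipping push/pop as a pair
    for name, patched in [("no_nag", no_nag), ("key_jump", always_fall_through), ("exit_on_entry", exit_on_entry)]:
        print(name, [(hex(o), hex(a), hex(b)) for o, a, b in diff_bytes(SAMPLE, patched)])
```

Note that `exit_on_entry` jumps to the `ret` at 0x10 rather than to the `pop ebp` at 0x0F: the patch skips `push ebp`, so it must also skip the matching `pop ebp`, which is exactly the balance the walkthrough warns about. Trying to NOP the 5-byte `cmp` at 0x08 raises an error because this toy decoder does not know its length, which is the right failure mode: never guess an instruction length when patching.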
Link: https://pan.baidu.com/s/1PxBttyWn_6ZZNIe9bqJrnQ
Extraction code: Z14n