Reverse engineering 160 CrackMe - 017

CrackMe —— 017

160 CrackMe is a collection of 160 CrackMe programs to reverse engineer and crack, and it is well suited to beginners who are learning to crack.

CrackMe: small programs released publicly for others to try to crack. The author may be a programmer who wants to test their own software protection techniques, a cracker who wants to challenge other crackers' skills, or someone who is learning to crack and writes small programs to crack themselves.

CrackMe referred to as CM.

Number | Author | Protection
017    | bjanes | Serial (VB5)

Tools

x32dbg

VB Decompiler Pro

Starting the crack

ON.1

Patching

First, open the 017 program in x32dbg, then right-click and search for strings.

We find the prompt strings, including the error-message string.

Go to the error-message string and scroll up.

00404ED7 | 51                       | push ecx                                                |
00404ED8 | 52                       | push edx                                                |
00404ED9 | E9 A8000000              | jmp bjcm30a.404F86                                      |
00404EDE | BE 08000000              | mov esi,0x8                                             | execution enters from this address
00404EE3 | 8B1D CC104000            | mov ebx,dword ptr ds:[<&__vbaVarDup>]                   |
00404EE9 | B9 04000280              | mov ecx,0x80020004                                      |
00404EEE | 898D 20FFFFFF            | mov dword ptr ss:[ebp-0xE0],ecx                         |
00404EF4 | B8 0A000000              | mov eax,0xA                                             | A:'\n'
00404EF9 | 898D 30FFFFFF            | mov dword ptr ss:[ebp-0xD0],ecx                         |
00404EFF | 8D95 F8FEFFFF            | lea edx,dword ptr ss:[ebp-0x108]                        |
00404F05 | 8D8D 38FFFFFF            | lea ecx,dword ptr ss:[ebp-0xC8]                         |
00404F0B | 8985 18FFFFFF            | mov dword ptr ss:[ebp-0xE8],eax                         |
00404F11 | 8985 28FFFFFF            | mov dword ptr ss:[ebp-0xD8],eax                         |
00404F17 | C785 00FFFFFF 102A4000   | mov dword ptr ss:[ebp-0x100],bjcm30a.402A10             | 402A10:L"Wrong serial!"
00404F21 | 89B5 F8FEFFFF            | mov dword ptr ss:[ebp-0x108],esi                        |
00404F27 | FFD3                     | call ebx                                                |
00404F29 | 8D95 08FFFFFF            | lea edx,dword ptr ss:[ebp-0xF8]                         |
00404F2F | 8D8D 48FFFFFF            | lea ecx,dword ptr ss:[ebp-0xB8]                         |
00404F35 | C785 10FFFFFF D82B4000   | mov dword ptr ss:[ebp-0xF0],bjcm30a.402BD8              | 402BD8:L"Sorry, try again!"
00404F3F | 89B5 08FFFFFF            | mov dword ptr ss:[ebp-0xF8],esi                         |
00404F45 | FFD3                     | call ebx                                                |

We have now reached the entry point of the error-string code, at address 00404EDE. Right-click, choose Search -> Current Module -> Constant, and enter 00404EDE. The search finds two places that reference this address; set a breakpoint on each of them.
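An added example (not from the original post) showing how the `E9 A8000000` at 00404ED9 in the listing resolves to 404F86, and how a scan for relative branches into an address such as 00404EDE works. The helper names and the two constructed branches at 0x00401000 and 0x00405000 are assumptions made for illustration.

```python
import struct

# Bytes copied from the listing above, starting at 00404ED7.
LISTING_BASE = 0x00404ED7
LISTING = bytes.fromhex("51 52 E9A8000000 BE08000000 8B1DCC104000")

def rel32_target(addr, insn):
    """Target of a jmp/call (E9/E8) or jcc (0F 8x) rel32 at addr, else None."""
    if len(insn) >= 5 and insn[0] in (0xE8, 0xE9):
        size, off = 5, 1
    elif len(insn) >= 6 and insn[0] == 0x0F and 0x80 <= insn[1] <= 0x8F:
        size, off = 6, 2
    else:
        return None
    (disp,) = struct.unpack_from("<i", insn, off)  # signed 32-bit displacement
    # rel32 is relative to the address of the *next* instruction.
    return (addr + size + disp) & 0xFFFFFFFF

def encode_branch(addr, target, opcode=b"\xE9"):
    """Hypothetical helper: build a rel32 branch for the constructed sample."""
    return opcode + struct.pack("<i", target - (addr + len(opcode) + 4))

def find_branches_to(base, code, target):
    """Byte-wise scan without real disassembly: hits are candidates
    that still have to be confirmed in the debugger."""
    return [base + i for i in range(len(code))
            if rel32_target(base + i, code[i:i + 6]) == target]

def constructed_sample():
    """Constructed bytes (not from the crackme): a forward je and a
    backward jmp that both land on 00404EDE."""
    target = 0x00404EDE
    je = encode_branch(0x00401000, target, b"\x0F\x84")
    jmp = encode_branch(0x00405000, target)
    return target, je, jmp

if __name__ == "__main__":
    print(hex(rel32_target(0x00404ED9, LISTING[2:7])))
    target, je, jmp = constructed_sample()
    print(je.hex(), hex(rel32_target(0x00401000, je)))
    print(jmp.hex(), hex(rel32_target(0x00405000, jmp)))
    print([hex(a) for a in find_branches_to(LISTING_BASE, LISTING, 0x00404F86)])
```

Because relative branches store a displacement rather than the destination, a raw byte search for `DE 4E 40 00` would not find them; the operand has to be resolved as above.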

Enter any data in the input box and click the Check it button. The program stops at 0040459F. Press F9 to continue and the program stops at 00404941. This shows that the breakpoint at 0040459F validates the format of the input data, and the breakpoint at 00404941 verifies the data itself. From here we single-step with F8.

At this point we see the jump that skips the correct prompt, which tells us this is where the decision is made. We change the instruction at 00404E30 to NOP and press F9 to run.

bingo ~ the program is cracked successfully

ON.2

Keygen method

We open the 017 program in VB Decompiler Pro and find that it has changed significantly compared with the previous two versions.

There are two additional functions, hextode and hexfunc. They do not affect our analysis; these two functions should be hex conversion functions.

We click into Command1_Click and go to the bottom to see where the registration code is generated.

We find that it is the same as the code in the previous two programs.

The code is attached below:

code = ''
for i in range(1, 10):
    # ^ is bitwise XOR in Python, not exponentiation
    a = i ^ 2
    # keep only the last decimal digit of each result
    code = code + str(a)[-1]
print(code)

The result is 301674501. We enter it into the input box and click the Check it button.

bingo ~ cracked successfully

Origin www.cnblogs.com/lonenysky/p/11407918.html