Reversing the 160 CrackMe collection - 029

CrackMe 029

The 160 CrackMe collection is a set of 160 small programs intended to be reverse engineered; it is well suited to beginners learning to crack.

CrackMe: small programs published for others to try to crack. The person writing a crackme may be a programmer who wants to test their software protection, a cracker who wants to challenge the skills of other crackers, or someone who is learning to crack and writes small programs for their own practice.

CrackMe is abbreviated CM.
Program download: click me

Source: click to view

Number  Author  Protection
029     Cosh    Name/Serial

Tool

x32dbg

Let's start cracking

NO.1

Patching (blasting)

First open the 029 program in x32dbg and search for strings.

Here we see both the success message and the error message.

The success message is pushed at address 004015E0:

0040159A | 8B45 F0                  | mov eax,dword ptr ss:[ebp-10]           |
0040159D | 8A18                     | mov bl,byte ptr ds:[eax]                |
0040159F | 32D9                     | xor bl,cl                               |
004015A1 | 8818                     | mov byte ptr ds:[eax],bl                |
004015A3 | 41                       | inc ecx                                 |
004015A4 | 40                       | inc eax                                 |
004015A5 | 8038 00                  | cmp byte ptr ds:[eax],0                 |
004015A8 | 75 F3                    | jne cosh.3.40159D                       |
004015AA | 8B45 E4                  | mov eax,dword ptr ss:[ebp-1C]           |
004015AD | 8B55 F0                  | mov edx,dword ptr ss:[ebp-10]           | edx:EntryPoint
004015B0 | 33C9                     | xor ecx,ecx                             |
004015B2 | 8A18                     | mov bl,byte ptr ds:[eax]                |
004015B4 | 8A0A                     | mov cl,byte ptr ds:[edx]                | edx:EntryPoint
004015B6 | 3AD9                     | cmp bl,cl                               |
004015B8 | 75 09                    | jne cosh.3.4015C3                       | verification jump: a mismatch goes to the error message
004015BA | 40                       | inc eax                                 |
004015BB | 42                       | inc edx                                 | edx:EntryPoint
004015BC | 8038 00                  | cmp byte ptr ds:[eax],0                 |
004015BF | 75 EF                    | jne cosh.3.4015B0                       | verification jump: loop back for the next byte
004015C1 | EB 16                    | jmp cosh.3.4015D9                       |
004015C3 | 6A 00                    | push 0                                  |
004015C5 | 68 6C304000              | push cosh.3.40306C                      | 40306C:"ERROR"
004015CA | 68 40304000              | push cosh.3.403040                      | 403040:"One of the Details you entered was wrong"
004015CF | 8B4D E0                  | mov ecx,dword ptr ss:[ebp-20]           |
004015D2 | E8 BB020000              | call <JMP.&Ordinal#4224>                |
004015D7 | EB 14                    | jmp cosh.3.4015ED                       |
004015D9 | 6A 00                    | push 0                                  |
004015DB | 68 34304000              | push cosh.3.403034                      | 403034:"YOU DID IT"
004015E0 | 68 20304000              | push cosh.3.403020                      | 403020:"Well done,Cracker"
004015E5 | 8B4D E0                  | mov ecx,dword ptr ss:[ebp-20]           |
004015E8 | E8 A5020000              | call <JMP.&Ordinal#4224>                |
004015ED | 6A 64                    | push 64                                 |
004015EF | FF15 00204000            | call dword ptr ds:[<&Sleep>]            |

The jne at 004015BF loops back over the next byte; when it falls through, the jmp at 004015C1 lands on the success message, so this loop is where the serial is validated. Looking a little further up, there is a second check at 004015B8: when a byte does not match, it jumps to the error message.

Change both jumps to NOP, press F9 to run, type in arbitrary characters and click the check button.

bingo ~ cracked successfully

Above this loop there are also several checks on whether the input has the expected format.
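The patch above is applied by hand in x32dbg. The following added example (my own code, not from the original post) does the same patch on disk: it maps the two virtual addresses to file offsets through the PE section table, verifies that the expected opcode bytes `75 09` and `75 EF` from the listing are really there, and only then overwrites them with `90 90`. The real cosh.3 binary is not included here, so `build_sample_pe` constructs a minimal PE32 image with the compare-loop bytes from the listing placed at VA 0x4015B0; its image base of 0x400000 (consistent with the 0040xxxx addresses in the listing), the section layout and the file names in the usage comment are assumptions.

```python
import struct
import sys

IMAGE_BASE = 0x400000  # assumed; matches the 0040xxxx addresses in the listing

# The two conditional jumps the post NOPs out, keyed by virtual address.
# Expected bytes (from the listing) are checked before writing so a wrong
# offset or a different build is caught instead of silently corrupting code.
JUMP_PATCHES = {
    0x4015B8: (b"\x75\x09", b"\x90\x90"),  # jne 4015C3: mismatch -> "ERROR"
    0x4015BF: (b"\x75\xEF", b"\x90\x90"),  # jne 4015B0: loop to next byte
}


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address to a file offset via the PE section table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                    # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    rva = va - image_base
    for i in range(nsect):
        hdr = opt + opt_size + i * 40
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} is not inside any section")


def apply_patches(pe: bytes, patches: dict) -> bytes:
    """Return a patched copy of `pe`; refuse to write over unexpected bytes."""
    out = bytearray(pe)
    for va, (expected, replacement) in patches.items():
        off = va_to_file_offset(pe, va)
        found = bytes(out[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"at {va:#x} expected {expected.hex()} but found {found.hex()}")
        out[off:off + len(replacement)] = replacement
    return bytes(out)


def build_sample_pe() -> bytes:
    """Constructed stand-in for cosh.3: a minimal PE32 with one .text section
    (RVA 0x1000 at file offset 0x400) holding the compare-loop bytes from the
    listing at VA 0x4015B0. This is not the real crackme."""
    text_rva, text_raw, text_size = 0x1000, 0x400, 0x1000
    loop = bytes.fromhex("33C9 8A18 8A0A 3AD9 7509 40 42 803800 75EF EB16")
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)              # ImageBase
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva,
                       text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(text_raw, b"\0")
    text = bytearray(text_size)
    text[0x5B0:0x5B0 + len(loop)] = loop                     # lands at VA 0x4015B0
    return headers + bytes(text)


if __name__ == "__main__":
    # usage: python patch_029.py cosh.3.exe cosh.3.patched.exe   (assumed file names)
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else build_sample_pe()
    patched = apply_patches(src, JUMP_PATCHES)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(patched)
    for va in JUMP_PATCHES:
        print(f"{va:#x} -> file offset {va_to_file_offset(src, va):#x} patched")
```

Checking the expected bytes before writing is the part worth keeping: the VA-to-offset mapping depends on the section table of the exact file you have, and a two-byte write at the wrong offset will corrupt an unrelated instruction without any error from the patcher.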

NO.2

Tracing the algorithm (keygen)

At addresses 00401580 to 00401587 we saw how the Name is processed.

Reproduced in Python:

# Keygen for CrackMe 029: each byte of the name is XORed with the counter
# in cl, which is incremented once per character. The program then compares
# the transformed name with the serial that was entered.
name = 'lonenysky'

def xor_with_counter(s, start):
    # chr(ord(c) ^ (start + i)) for each character; the counter starts at `start`
    return ''.join(chr(ord(c) ^ (start + i)) for i, c in enumerate(s))

print('name is %s' % xor_with_counter(name, 1))       # counter starting at 1
print('serial is %s' % xor_with_counter(name, 0x0a))  # counter starting at 0x0a

bingo ~ cracked successfully

While tracing the algorithm, if we do not know the value of cl at some point, we can watch the windows at the bottom of the debugger and infer it from there.


Source: www.cnblogs.com/lonenysky/p/11489282.html