Reversing the 160 CrackMes - 031

CrackMe - 031

The "160 CrackMe" collection is a set of 160 small programs meant to be reverse engineered and cracked; it is well suited to beginners learning to crack.

A CrackMe is a small program published so that others can try to crack it. The person who writes one may be a programmer who wants to test their software protection techniques, a cracker who wants to challenge other crackers, or someone who is learning to crack and writes small programs to break themselves.

CrackMe is abbreviated as CM.
Program Download: Click me

Source  <- Click to view

Number | Author | Protection
030 | cracking4all | Serial (VB5)

Tools

x32dbg

VB Decompiler Pro

Let's start cracking

Part 1

Patching (blasting)

Open the 031 program in x32dbg, right-click and search for strings.

Here we see both the "password correct" message and the "password wrong" message. Take the address of the correct message, 00403005, double-click to go to that address, and look upwards:

00402FAE | C785 28FFFFFF 08800000   | mov dword ptr ss:[ebp-D8],8008          |
00402FB8 | FF15 4C614000            | call dword ptr ds:[<&__vbaVarTstEq>]    |
00402FBE | 66:85C0                  | test ax,ax                              |
00402FC1 | 0F84 8F000000            | je cracking4all.2.403056                | the jump here decides the password check
00402FC7 | B8 04000280              | mov eax,80020004                        |
00402FCC | 8D95 18FFFFFF            | lea edx,dword ptr ss:[ebp-E8]           | edx:EntryPoint
00402FD2 | 8D4D 88                  | lea ecx,dword ptr ss:[ebp-78]           |
00402FD5 | 8985 70FFFFFF            | mov dword ptr ss:[ebp-90],eax           |
00402FDB | 899D 68FFFFFF            | mov dword ptr ss:[ebp-98],ebx           |
00402FE1 | 8945 80                  | mov dword ptr ss:[ebp-80],eax           |
00402FE4 | 899D 78FFFFFF            | mov dword ptr ss:[ebp-88],ebx           |
00402FEA | C785 20FFFFFF 68264000   | mov dword ptr ss:[ebp-E0],cracking4all. | 402668:L"Valid"
00402FF4 | 89BD 18FFFFFF            | mov dword ptr ss:[ebp-E8],edi           |
00402FFA | FFD6                     | call esi                                |
00402FFC | 8D95 28FFFFFF            | lea edx,dword ptr ss:[ebp-D8]           | edx:EntryPoint
00403002 | 8D4D 98                  | lea ecx,dword ptr ss:[ebp-68]           |
00403005 | C785 30FFFFFF 2C264000   | mov dword ptr ss:[ebp-D0],cracking4all. | 40262C:L"Password correct, hehe, :-)"
0040300F | 89BD 28FFFFFF            | mov dword ptr ss:[ebp-D8],edi           |

Here we see that 00402FC1 holds a conditional jump placed right after the call at 00402FB8, which compares the two values (__vbaVarTstEq). The result of that comparison decides the jump, and the jump decides whether the password check passes. Change the jump to NOP and test it.

Bingo, cracked successfully.

Part 2

Tracing the algorithm

Open the 031 program in VB Decompiler Pro, select Code on the left -> password -> Command1_Click, and the disassembled code is shown on the right.

We can see that the function gets the length of the input, then loops over each character, XORs its ASCII code with ecx, and compares the result with "VeiajeEjbavwij".

So what is ecx? In x32dbg we can see that the string "2000" is cycled through, one character read per iteration, the same procedure as in No. 030.

Then where does the following XOR with 4 come from? We can see the 4 being pushed at 00402D02.

The following code computes the PASSWORD:

00402C5F | 0F8F EF000000            | jg cracking4all.2.402D54                |
00402C65 | 0FBFD0                   | movsx edx,ax                            |
00402C68 | 8D4D 98                  | lea ecx,dword ptr ss:[ebp-68]           |
00402C6B | 8D45 D8                  | lea eax,dword ptr ss:[ebp-28]           |
00402C6E | 51                       | push ecx                                |
00402C6F | 52                       | push edx                                |
00402C70 | 8D4D 88                  | lea ecx,dword ptr ss:[ebp-78]           |
00402C73 | 50                       | push eax                                |
00402C74 | 51                       | push ecx                                |
00402C75 | C745 A0 01000000         | mov dword ptr ss:[ebp-60],1             |
00402C7C | C745 98 02000000         | mov dword ptr ss:[ebp-68],2             |
00402C83 | FFD3                     | call ebx                                |
00402C85 | 8D95 78FFFFFF            | lea edx,dword ptr ss:[ebp-88]           |
00402C8B | 6A 01                    | push 1                                  |
00402C8D | 8D85 68FFFFFF            | lea eax,dword ptr ss:[ebp-98]           |
00402C93 | 52                       | push edx                                |
00402C94 | 50                       | push eax                                |
00402C95 | C745 80 04000000         | mov dword ptr ss:[ebp-80],4             |
00402C9C | C785 78FFFFFF 02000000   | mov dword ptr ss:[ebp-88],2             |
00402CA6 | FF15 AC614000            | call dword ptr ds:[<&rtcLeftCharVar>]   |
00402CAC | 8D8D 68FFFFFF            | lea ecx,dword ptr ss:[ebp-98]           |
00402CB2 | 8D55 AC                  | lea edx,dword ptr ss:[ebp-54]           |
00402CB5 | 51                       | push ecx                                |
00402CB6 | 52                       | push edx                                |
00402CB7 | FFD7                     | call edi                                |
00402CB9 | 50                       | push eax                                |
00402CBA | FFD6                     | call esi                                |
00402CBC | 0FBFD8                   | movsx ebx,ax                            |
00402CBF | 8D45 88                  | lea eax,dword ptr ss:[ebp-78]           |
00402CC2 | 8D4D B0                  | lea ecx,dword ptr ss:[ebp-50]           |
00402CC5 | 50                       | push eax                                |
00402CC6 | 51                       | push ecx                                |
00402CC7 | FFD7                     | call edi                                |
00402CC9 | 50                       | push eax                                |
00402CCA | FFD6                     | call esi                                |
00402CCC | 0FBFD0                   | movsx edx,ax                            |
00402CCF | 33DA                     | xor ebx,edx                             |
00402CD1 | 8D85 58FFFFFF            | lea eax,dword ptr ss:[ebp-A8]           |
00402CD7 | 53                       | push ebx                                |
00402CD8 | 50                       | push eax                                |
00402CD9 | FF15 6C614000            | call dword ptr ds:[<&rtcVarBstrFromAnsi |
00402CDF | 8D4D C8                  | lea ecx,dword ptr ss:[ebp-38]           |
00402CE2 | 8D95 58FFFFFF            | lea edx,dword ptr ss:[ebp-A8]           |
00402CE8 | 51                       | push ecx                                |
00402CE9 | 8D85 48FFFFFF            | lea eax,dword ptr ss:[ebp-B8]           |
00402CEF | 52                       | push edx                                |
00402CF0 | 50                       | push eax                                |
00402CF1 | FF15 78614000            | call dword ptr ds:[<&__vbaVarCat>]      |
00402CF7 | 8BD0                     | mov edx,eax                             |
00402CF9 | 8D4D C8                  | lea ecx,dword ptr ss:[ebp-38]           |
00402CFC | FF15 00614000            | call dword ptr ds:[<&__vbaVarMove>]     |
00402D02 | 8D4D AC                  | lea ecx,dword ptr ss:[ebp-54]           |
00402D05 | 8D55 B0                  | lea edx,dword ptr ss:[ebp-50]           |
00402D08 | 51                       | push ecx                                |
00402D09 | 52                       | push edx                                |
00402D0A | 6A 02                    | push 2                                  |
00402D0C | FF15 94614000            | call dword ptr ds:[<&__vbaFreeStrList>] |
00402D12 | 83C4 0C                  | add esp,C                               |
00402D15 | 8D85 58FFFFFF            | lea eax,dword ptr ss:[ebp-A8]           |
00402D1B | 8D8D 68FFFFFF            | lea ecx,dword ptr ss:[ebp-98]           |
00402D21 | 8D95 78FFFFFF            | lea edx,dword ptr ss:[ebp-88]           |
00402D27 | 50                       | push eax                                |
00402D28 | 51                       | push ecx                                |
00402D29 | 8D45 88                  | lea eax,dword ptr ss:[ebp-78]           |
00402D2C | 52                       | push edx                                |
00402D2D | 8D4D 98                  | lea ecx,dword ptr ss:[ebp-68]           |
00402D30 | 50                       | push eax                                |
00402D31 | 51                       | push ecx                                |
00402D32 | 6A 05                    | push 5                                  |
00402D34 | FF15 08614000            | call dword ptr ds:[<&__vbaFreeVarList>] |
00402D3A | B8 01000000              | mov eax,1                               |
00402D3F | 83C4 18                  | add esp,18                              |
00402D42 | 66:0345 C4               | add ax,word ptr ss:[ebp-3C]             |
00402D46 | 0F80 A0030000            | jo cracking4all.2.4030EC                |
00402D4C | 8945 C4                  | mov dword ptr ss:[ebp-3C],eax           |
00402D4F | E9 FEFEFFFF              | jmp cracking4all.2.402C52               |

Python code

# Target string the program compares the transformed input against
dst_pwd = 'VeiajeEjbavwij'
src_pwd = ''
# XOR is its own inverse: undo the cycling "2000" key and the constant '4'
for k, v in enumerate(dst_pwd):
    src_pwd = src_pwd + chr((ord(v) ^ ord('2000'[k % 4])) ^ ord('4'))
print(src_pwd)

The result is "PamelaAnderson"; enter it into the program.
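As an added example (not the author's code, and not code from the CrackMe itself), the following Python models both directions of the scheme described above: the forward transform the program applies to the typed password (cycling "2000" key, then XOR with the constant '4', then comparison against "VeiajeEjbavwij"), and the recovery step that exploits the fact that XOR is its own inverse. The function names and the way the check is modelled as a plain string comparison are assumptions made for illustration.

```python
# Added example: a Python model of the CrackMe 031 password check and its inverse.
# Constants below are the values identified in the disassembly above.
KEY = "2000"                 # cycling key, one character per input character
CONST = "4"                  # constant XOR value
EXPECTED = "VeiajeEjbavwij"  # string the transformed input is compared with


def transform(text: str, key: str = KEY, const: str = CONST) -> str:
    """Model of what the program does to the typed password:
    every character is XORed with the key character at its position
    (the key cycles) and then with the constant."""
    out = []
    for k, ch in enumerate(text):
        out.append(chr(ord(ch) ^ ord(key[k % len(key)]) ^ ord(const)))
    return "".join(out)


def check_password(candidate: str) -> bool:
    """Assumed model of the program's decision: success only if the
    transformed input equals EXPECTED (length mismatches fail too)."""
    return transform(candidate) == EXPECTED


def recover_password(expected: str = EXPECTED, key: str = KEY, const: str = CONST) -> str:
    """Because XOR with a fixed keystream is an involution, applying the same
    transform to the expected string yields the password the program wants."""
    return transform(expected, key, const)


if __name__ == "__main__":
    pwd = recover_password()
    print(pwd, check_password(pwd))
```

The design point worth taking from this: a check built from a per-character XOR with a short repeating key offers no protection once the expected string and key are visible in the binary, since recovery is a single pass over the target string with no search at all.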

Origin www.cnblogs.com/lonenysky/p/11531175.html