Reversing a CrackMe with Process Monitor (ProcMon.exe)

An author named Arkantos submitted a CrackMe to Crackmes.cf (the Crackme.de mirror site); its difficulty level is 1 - very easy for newbies. An entry-level CrackMe like this is honestly not enough to fill a blog post, but its whole reverse process can be completed with Process Monitor, so I am writing it up as an example of how to use Process Monitor.

The author stated categorically that he had not packed the CrackMe. However, once dragged into IDA it turned out to carry a UPX shell, and checking it with DIE confirmed that it really is UPX-packed! So much for the author's claim... Let's look at how to analyze this CrackMe after unpacking it.

After unpacking, I dragged the CrackMe into IDA and was greeted right at the start by calls to several file-operation API functions:

When a CM of this level performs file operations, it most likely builds and runs a bat file in the tmp directory, and the serial number verification is ultimately done by that bat file. If so, simply observing the CM's behaviour should be enough to obtain the bat file, so I ran ProcMon, set the following filter, and then started monitoring the running CM process:

A CM of this level rarely performs network or registry operations, so I deselected monitoring of those two event classes in the ProcMon window to reduce the output:

I guessed the CM would generate a bat file, so the file operation to watch is the program's CreateFile calls: select an event, right-click its Operation column, and in the pop-up menu choose to keep CreateFile while filtering out the other file operations:

Hmm, the output window became a lot quieter! Browsing the output, most entries are file opens for loading the system DLLs the program needs, except for one particularly eye-catching entry: a file named b2e.exe created in the %TMP% directory! Select the b2e.exe row in the Path column, right-click, choose "Jump To" in the menu, and navigate to the path of b2e.exe, ready to analyze this file.

Could it be that this CM verifies the serial number through an exe? Well, since I am already monitoring the program's behaviour, I might as well monitor this newly generated program's behaviour too. I reset the filter, ran b2e.exe, again watching the program's CreateFile behaviour, and got the following output:

Sure enough, it really does create a bat file in the %TMP% directory. Right-click menu again, "Jump To", and locate that bat file:

Looking at the contents of the bat, they indeed match the output on the screen:

@echo off
echo off
color 4
title Crackme2.exe
cls
:Main3
set a=e@s\/
set b=h@rd
set c=57f8s+-
set d=1a2f5-+
set e=oneld-561-fc
set as=12as5789w
set ad=123fa4v5bw
set aj=51236fs4578951235
set ja=1as23fa4
set na=6n6o8t4h4i6n4g
cls
ECHO 		...............................................
ECHO 			Please enter your username
echo		    To crack This Rubbish Enter Five Serials..
ECHO			 ...............................................
ECHO.
set /p u=Type your username here: 
if u==' goto pass
goto pass
:pass:
echo.
echo.
echo.
set /p P=Type your First password here: 
if %P%==%u%%c%%a% goto second
if %p%==%u%%d%%a% goto second
goto no
:second
echo.
echo.
echo.
set /p Q=Type your Serial here: 
if %Q%==%p%%e%%b% goto last
if %Q%==%p%%as%%b% goto last
goto no2
echo.
echo.
echo.
:last
echo.
echo.
echo.
set /p R=Type your Reg Code here: 
if %R%==%u%%ad%%b% goto four
if %R%==%p%%aj% goto four
if %R%==%p%%ja%%a% goto four
goto NO3
:four
echo.
echo.
echo.
set /p F=Type Fourth Code Here:
if %F%==%b%%a%%na%%p% goto five
if %F%==%u%+-%p%-+%r% goto five
if %F%==%a%%p%%b% goto five
goto no4
:five
echo.
echo.
echo.
set /p T=Type Last password here: 
if %T%==%u%%p%%b%%q% goto yes
if %T%==%p%%F%%a%%b% goto yes
goto no4
echo.
echo.
echo.
:yes
echo Hi %u% Congratulation!!! you've beaten my Second crackme
pause
exit
echo.
echo.
echo.
:no 
echo		 No, wrong Pass Please try again later...
pause
goto main3
:no2
echo        No ,wrong Serial. Try again....
pause
goto main3
:no3
echo 		nope, wrong Reg Code. Try again Later...
pause
goto main3
:no4
echo No man!!! It's Wrong???
pause
goto main3

Hmm, the remaining work is not hard, so I'll skip it~
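The skipped step, as an added example that is not part of the original post: a Python replay of the bat file's `set` values and `if %X%==... goto` comparisons, which derives one accepted answer for each of the five prompts from a username and re-checks any candidate answer set against all alternatives. The variable values and comparison strings are copied from the bat listing above; the username "Bob" in the test is a constructed sample.

```python
import re
# Variables exactly as the dropped bat file sets them (set a=..., set b=..., ...).
BAT_VARS = {
    "a": "e@s\\/",
    "b": "h@rd",
    "c": "57f8s+-",
    "d": "1a2f5-+",
    "e": "oneld-561-fc",
    "as": "12as5789w",
    "ad": "123fa4v5bw",
    "aj": "51236fs4578951235",
    "ja": "1as23fa4",
    "na": "6n6o8t4h4i6n4g",
}

# One entry per prompt: the variable the bat stores the typed answer in, and the
# right-hand sides of the `if %X%==... goto ...` lines that accept it.
STAGES = [
    ("p", ["%u%%c%%a%", "%u%%d%%a%"]),
    ("q", ["%p%%e%%b%", "%p%%as%%b%"]),
    ("r", ["%u%%ad%%b%", "%p%%aj%", "%p%%ja%%a%"]),
    ("f", ["%b%%a%%na%%p%", "%u%+-%p%-+%r%", "%a%%p%%b%"]),
    ("t", ["%u%%p%%b%%q%", "%p%%f%%a%%b%"]),
]

_VAR = re.compile(r"%([A-Za-z]+)%")

def expand(expr, env):
    """Expand %name% the way cmd.exe does here: names are case-insensitive
    (%P% and %p% are the same variable), everything else is literal text."""
    return _VAR.sub(lambda m: env[m.group(1).lower()], expr)

def solve(username):
    """Walk the five prompts, taking the first accepted alternative each time;
    returns the answers keyed by the bat variable that receives them."""
    env = dict(BAT_VARS, u=username)
    answers = {}
    for var, alternatives in STAGES:
        env[var] = answers[var] = expand(alternatives[0], env)
    return answers

def verify(username, answers):
    """Replay the bat's comparisons on a candidate answer set; an answer is
    accepted if it equals any alternative, as in the bat's chained if lines."""
    env = dict(BAT_VARS, u=username)
    for var, alternatives in STAGES:
        if answers.get(var) not in {expand(alt, env) for alt in alternatives}:
            return False
        env[var] = answers[var]  # later stages compare against what was typed
    return True
```

Because the bat compares with unquoted `if %P%==...`, a username containing a space breaks the original script's syntax, so this replay is only meaningful for space-free usernames.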

 



Origin blog.csdn.net/lixiangminghate/article/details/93922688