http://wormholetravel.net/
In this part we start analysing crackmes in which the serial number is variable: it is calculated from the name we enter.
Let's start by finding the correct serial number for the crackme. Open it in OllyDbg.
Press Run.
We are at the program's entry point.
Look at which API functions are used to read the entered serial number.
Let's set a breakpoint (BP) on that function, so that we stop at the point where it reads the name and the serial number.
After pressing OK we land on the API function itself, with its parameters visible on the stack.
The buffer that receives the entered text starts at 4001287; to look at it in the dump, right-click the stack line that holds the buffer address and choose FOLLOW IN DUMP.
There is nothing there yet, because the API function has not executed, so use DEBUG - EXECUTE TILL RETURN and, when execution stops on the RET, press F7 to return to the program.
The buffer now holds the name I entered; the program will go on to do its arithmetic on it and produce the key that matches it. To write a crack we would have to study the algorithm the program uses to compute the key from the name, but for now let the program generate it and try to find where it is compared with the serial number we entered.
We hit the same API function a second time. This time it uses a new buffer for the entered serial number. Let's look at it in the dump.
Select the bytes of the serial, right-click - BREAKPOINT - MEMORY, ON ACCESS, then RUN.
We stop at the place where the program reads the first byte of the (wrong) serial number and moves it into BL. Press F7.
BL is the low byte of the EBX register.
BL is 39h, the ASCII code of the first byte '9'. We need to follow what the program does with it and, if possible, write down every arithmetic operation it performs on it.
Here it checks whether the byte is zero; if so, that is the end of the string and the loop is left.
Since the first byte is not zero, the jump is not taken and we reach SUB BL, 30.
After 30h is subtracted BL holds 9: the ASCII digit has become its numeric value. On the next line EDI is multiplied by EAX.
These registers were initialised earlier: at the start of the procedure EAX was set to 0Ah (10), and just before the loop EDI was zeroed with XOR EDI, EDI.
Press F7. By definition, the two-operand form of IMUL multiplies its operands as signed values and stores the result in the first operand, i.e. in EDI.
So EDI is still zero, the result of 0 * 10. Then EDI is added to the value in EBX.
EDI is now 9. On the next line INC ESI is executed, advancing ESI to the next byte of the wrong serial number, and control returns to the start of the loop.
It is enough to set a breakpoint at the exit of the loop, press F9, and look at EDI when execution stops.
Double-click on EDI.
EDI is shown as a hexadecimal value; the second field shows it in decimal, and that value is exactly the serial number I entered. In other words, after the loop EDI holds the entered serial as a number, displayed in hex.
To summarise briefly: if you type 98989898, it is converted to the decimal number 98989898, i.e. 5E6774Ah.
On the next line EDI is XORed with 1234h.
Stepping past the RET we arrive at a comparison of EAX with EBX, i.e. the jump that decides whether the serial number is correct or not.
The computed value in EBX is compared with EAX, which contains 5447h.
EAX is determined by the program (from the name) and EBX is computed from what we typed, so since my serial number is wrong the two registers are obviously not equal.
If EBX were equal to EAX the program would take the right branch, so we need to work out why the registers differ.
EBX = (hex value of the wrong serial number) XOR 1234h.
We need EBX to equal EAX; then the equality check gives the desired result.
If EAX = EBX,
we can replace EBX with EAX, i.e. the two are the same:
EAX = (hex value of the correct serial number) XOR 1234h.
Under this condition the entered serial number is correct.
Rearranging (XOR is its own inverse, so XOR both sides with 1234h):
EAX XOR 1234h = (hex value of the correct serial number)
And since we know the value of EAX (5447h), we can substitute it:
5447h XOR 1234h = (hex value of the correct serial number)
Evaluating the XOR:
4673h = (hex value of the correct serial number)
Since 4673h is a hexadecimal value, the number to type in is its decimal equivalent:
Decimal value -> 18035
Bitwise, XOR works like this:
0 XOR 0 = 0
0 XOR 1 = 1
1 XOR 0 = 1
1 XOR 1 = 0
5678h = 0101 0110 0111 1000
1234h = 0001 0010 0011 0100
5447h = 0101 0100 0100 0111
5447h XOR 1234h = 4673h
4673h = 0100 0110 0111 0011 = 18035
How the number derived from the name (the value in EAX) is computed for the comparison:
1) the characters of the name are converted to uppercase
2) the codes of all the characters are added together
3) the resulting number is XORed with the constant 5678h
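As an added example (not code from the blog post or from the crackme), here are both halves of the check re-implemented from the OllyDbg trace above, so the serial-parsing loop, the name key and the final comparison can be run side by side and the inversion EAX XOR 1234h can be confirmed. The function names parse_serial, name_key, check_serial and solve_serial are this example's own; the crackme exports no such symbols. The assumption that the upper bytes of EBX are zero when EBX is added to EDI is marked in the code.

```c
/* Added example, not code from the blog post: both halves of the crackme's check,
 * re-implemented from the OllyDbg trace so they can be run side by side.
 * The function names are this example's own. */
#include <stdio.h>
#include <stdint.h>
#include <ctype.h>

/* The loop seen in the debugger: EAX = 0Ah, EDI = 0; for each byte until NUL:
 *   SUB BL, 30h ; IMUL EDI, EAX ; ADD EDI, EBX ; INC ESI
 * The loop never rejects a non-digit; it just adds (byte - 30h) like any other
 * byte. SUB BL works on 8 bits. Assumption: the upper bytes of EBX are zero, which
 * is consistent with the trace (EDI = 9 after the first byte '9'). */
static uint32_t parse_serial(const char *s)
{
    uint32_t edi = 0;
    for (; *s != '\0'; s++) {
        uint8_t bl = (uint8_t)((uint8_t)*s - 0x30);   /* SUB BL, 30h */
        edi = edi * 10u + bl;                          /* IMUL EDI,EAX ; ADD EDI,EBX */
    }
    return edi;
}

/* The name side (the value that ends up in EAX): upper-case each character, sum
 * the codes, XOR with 5678h. Stops at the first byte below 'A', as the page's
 * keygen does. */
static uint32_t name_key(const char *name)
{
    uint32_t sum = 0;
    for (; *name != '\0'; name++) {
        unsigned char c = (unsigned char)*name;
        if (c < 0x41)
            break;
        sum += (unsigned char)toupper(c);
    }
    return sum ^ 0x5678u;
}

/* The comparison at the end of the trace: EBX = parsed serial XOR 1234h versus EAX.
 * Returns 1 when the serial is accepted, 0 otherwise. */
static int check_serial(const char *name, const char *serial)
{
    return (parse_serial(serial) ^ 0x1234u) == name_key(name);
}

/* Invert the check: XOR is its own inverse, so serial = EAX XOR 1234h. */
static uint32_t solve_serial(const char *name)
{
    return name_key(name) ^ 0x1234u;
}

int main(void)
{
    const char *name = "angelina";      /* the name used in the walkthrough */
    printf("name key (EAX)    = %04Xh\n", (unsigned)name_key(name));
    printf("98989898 parses to  %Xh\n", (unsigned)parse_serial("98989898"));
    printf("correct serial    = %u (%Xh)\n",
           (unsigned)solve_serial(name), (unsigned)solve_serial(name));
    printf("check 18035:    %d\n", check_serial(name, "18035"));
    printf("check 98989898: %d\n", check_serial(name, "98989898"));
    return 0;
}
```

For "angelina" the upper-cased sum is 575 (23Fh), which XORed with 5678h gives 5447h, the EAX value seen in the debugger; XORing with 1234h gives 4673h = 18035, the serial derived above.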
// KEYGEN for CRACKS_ME (variable-value password)
// main() receives the command line: int argc (argument count, the number of
// arguments) and char *argv[] (argument values).
/* Generally speaking, stdin is used for reading from the console (the console being
   keyboard + display), and stdout and stderr for writing to it. The stream pointers
   stdin, stdout and stderr can be passed to any function that takes a FILE *
   argument; for example, a line can be read from the console with fgets(). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>

#define BSIZE 100

int main(int argc, char *argv[])
{
    char name[BSIZE];          /* variable initialisation */
    int serial;
    int i;
    int keynumber;

    if (argc == 2) {
        /* name given on the command line; bounded copy so a long argument cannot overflow name[] */
        snprintf(name, sizeof name, "%s", argv[1]);
    }
    else if (argc == 1) {
        fprintf(stderr, "Enter a name: ");      /* stderr: written to the console */
        if (scanf("%99s", name) != 1) {         /* width limit matches BSIZE - 1 */
            return 1;
        }
    }
    else {
        fprintf(stderr, "Usage: crackme_kg name\n");
        fprintf(stderr, "       crackme_kg\n");
        return 1;
    }
    printf("\nName: %s\n", name);

    /* make the key number: sum of the upper-cased character codes,
       stopping at the first byte below 'A' (0x41), as the crackme's loop does */
    keynumber = 0;
    for (i = 0; name[i] != '\0'; i++) {
        if ((unsigned char)name[i] < 0x41) {
            break;
        }
        name[i] = toupper((unsigned char)name[i]);   /* step 1: upper-case (no-op for 'A'..'Z') */
        keynumber += name[i];                         /* step 2: add the character code */
    }
    keynumber ^= 0x5678;           /* step 3: xor edi, 5678h */
    serial = keynumber ^ 0x1234;   /* the check undoes this with xor edi, 1234h */
    printf("Serial: %d\n", serial);
    getchar();
    getchar();
    return 0;
}

Screen output:
Enter a name: angelina

Name: angelina
Serial: 18035

Enter a name: Busina

Name: Busina
Serial: 17806
// KEYGEN for CRACKS_ME (variable-length password)
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>

#define BSIZE 100

int main(int argc, char *argv[])
{
    char name[BSIZE];
    char serial[BSIZE];
    char key[BSIZE];
    char *HardCoded = "HardCoded";
    int i, r, c;

    if (argc == 2) {
        snprintf(name, sizeof name, "%s", argv[1]);   /* bounded copy */
    }
    else if (argc == 1) {
        fprintf(stderr, "Enter a name: ");
        if (scanf("%99s", name) != 1) {
            return 1;
        }
    }
    else {
        fprintf(stderr, "Usage: splish name\n");
        fprintf(stderr, "       splish\n");
        return 1;
    }

    /* first pass: one digit 0..9 per character of the name */
    for (i = 0; name[i] != '\0'; i++) {
        r = name[i] % 10;      /* low decimal digit of the character code */
        r ^= i;                /* mixed with the position */
        r += 2;
        if (r >= 10) {
            r -= 10;
        }
        key[i] = r;
    }
    /* second pass: replace each digit with the first letter from 'A' whose code mod 10 equals it */
    for (i = 0; name[i] != '\0'; i++) {
        for (c = 'A'; c <= 'Z' && key[i] != (c % 10); c++) {
        }
        if (c > 'Z') {         /* only possible for i >= 16, where key[i] can exceed 9 */
            fprintf(stderr, "no letter for position %d\n", i);
            return 1;
        }
        serial[i] = c;
    }
    serial[i] = '\0';
    printf("\nHard Coded: %s\n", HardCoded);
    printf("Name: %s\n", name);
    printf("Serial: %s\n", serial);
    return 0;
}

Screen output:
Enter a name: angelina

Hard Coded: HardCoded
Name: angelina
Serial: EIIJJHDH

Enter a name: Businka

Hard Coded: HardCoded
Name: Businka
Serial: DDEDBJI
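As an added example (not the blog's keygen and not a disassembly of the second crackme), the per-position transform used by the keygen above is paired with a checker, to show a property of this scheme that the keygen alone hides: only the residue mod 10 of each serial byte matters, so several different serials are accepted for one name. That the crackme compares serial[i] % 10 this way is an assumption inferred from the keygen's search loop (it takes the first letter from 'A' whose code mod 10 equals key[i]). The names splish_key, splish_check and splish_serial are this example's own.

```c
/* Added example, not the blog's keygen: the keygen's per-position transform,
 * a checker built on the assumption that the crackme compares serial[i] % 10
 * with that transform, and the keygen's own choice of letters. Names are this
 * example's own. */
#include <stdio.h>
#include <string.h>

#define BSIZE 100

/* r = name[i] % 10; r ^= i; r += 2; one subtraction of 10: exactly the keygen's
 * arithmetic. For i >= 16 the XOR can push r above 19, so a single subtraction
 * may leave r >= 10; no letter has that residue, which is why an unbounded
 * search for a matching letter would never terminate on such a name. */
static int splish_key(const char *name, size_t i)
{
    int r = (unsigned char)name[i] % 10;
    r ^= (int)i;
    r += 2;
    if (r >= 10)
        r -= 10;
    return r;
}

/* Returns 1 if the serial is accepted for the name, else 0. Only the residue
 * mod 10 of each serial byte is compared, so e.g. 'E' (69) and 'O' (79) are
 * interchangeable. */
static int splish_check(const char *name, const char *serial)
{
    size_t n = strlen(name);
    if (strlen(serial) != n)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if ((unsigned char)serial[i] % 10 != splish_key(name, i))
            return 0;
    }
    return 1;
}

/* The keygen's serial: for each position the lowest letter >= 'A' with the right
 * residue ('A'..'J' already cover residues 0..9). Returns a pointer to a static
 * buffer, or NULL if the name is too long or a position has no matching letter. */
static const char *splish_serial(const char *name)
{
    static char serial[BSIZE];
    size_t n = strlen(name);
    if (n >= sizeof serial)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        int k = splish_key(name, i);
        int c;
        for (c = 'A'; c <= 'Z' && c % 10 != k; c++)
            ;
        if (c > 'Z')
            return NULL;            /* k >= 10: unreachable residue */
        serial[i] = (char)c;
    }
    serial[n] = '\0';
    return serial;
}

int main(void)
{
    const char *name = "angelina";
    /* constructed candidates: the keygen's serial, an alternative with the same
       residues, a lower-case variant, and one that is too short */
    const char *candidates[] = { "EIIJJHDH", "OSSTTRNR", "eiijjhdh", "EIIJJHD" };
    printf("keygen serial for %s: %s\n", name, splish_serial(name));
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%-9s -> %s\n", candidates[i],
               splish_check(name, candidates[i]) ? "accepted" : "rejected");
    return 0;
}
```

Under the stated assumption, "OSSTTRNR" passes for "angelina" just like the keygen's "EIIJJHDH", because O, S, T, R and N have the same codes mod 10 as E, I, J, H and D; a 17-character name such as seventeen 'a's produces no serial at all, since position 16 needs a residue of 15.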