Crackme023

Time:2019-10-23

Crackme023 reverse analysis

1. Program observation

Crackme023
When the sequence number entered is correct, the following state should change.

2. Simple shell check

Crackme023
Written in assembly language, no shell.

3. Program analysis

Using OD loader, search string
Crackme023

You can see that the string in the status bar appears inside, and we go into the corresponding code space
Crackme023

There is a comparison statement at address 004012B3. If the value of eax is 0x10, the program jumps to the correct prompt. If the value of eax is not equal to 0x10, the program jumps to the error message.

So this is the key comparison, so where does eax come from?
As you can see at address 00401299, the program assigns the value of memory 403166 to eax.
So the question is, how do we get the value at 403166?

We look for the constant 403166 in the program
Crackme023

There are eight statements related to memory 403166, and four commands add 4 to the value of memory 403166.
Because the previous comparison was to compare the value of 403166 to 0x10, all four commands need to be executed.
These four, respectively, are used to get the user name, get the serial number, calculate the serial number, verify the serial number.

Get the user name:
Crackme023

The program first gets the user name entered, and then gets the length of the user name. A loop is then used to clear the value of a certain length after the user name. Finally, if the length of user name is 0, the value of memory 403166 will be cleared. If it is not 0, add 0x4 to the value of memory 403166.

Obtain the serial number:
Crackme023
The program USES the function to get the input sequence number. If the function returns a value of 0, which means the sequence number is empty, it will return directly. If the sequence number is not empty, add 0x4 to the value of memory 403166.

Calculate the serial number:
Crackme023
This is a loop. The loop number is 0x10, and the value at memory 403166 will be added 0x4.
In the loop:

  1. The program gets the user name
  2. User name left shift I bit, I is the number of cycles
  3. Get the input serial number
  4. Increment the serial number by 1
  5. Make the sequence number and the displaced user name xor
  6. Store the calculated value in memory at 403188

Verify serial number:
Crackme023
Take out the serial number at memory 401388, add 0x9112478, and see if the result is 0. If it’s 0, it’s true; If it’s not zero, it’s wrong. So the calculated serial number must be 0-0x9112478 = 0xF6EEDB88.

4. Register machine

#include <stdio.h>
#include <string.h>
#include <Windows.h>

int Key()
{
    unsigned long serial = 0xF6EEDB88;
    char szName[20] = { 0 };
    unsigned long* p;

    Printf (" please enter username :");
    scanf_s("%s", szName, 20);

    for (int i = 15; i >= 0; i--)
    {
        p = (unsigned long*)& szName[i];
        serial ^= *p;
        serial--;
    }

    printf("%u", serial);
    return 0;
}

int main(int argc, char* argv[])
{
    Key();
    return 0;
}

Crackme023

The files are on my Github