
Reversing the 160 CrackMe collection – 026

CrackMe —— 026

The 160 CrackMe collection is a set of 160 CrackMe programs to reverse and crack, well suited to beginners learning reverse engineering.

CrackMe: small programs released publicly for others to try to crack. The author may be a programmer who wants to test their own software protection techniques, a cracker who wants to challenge the skills of other crackers, or someone learning to crack who writes small programs for their own practice.

CrackMe is abbreviated as CM.
Download the program: click here

Source <- Click to view

Number | Author | Protection
026 | Colormaster | Name/Serial (VB5)

Tools

x32dbg

KeyMake

Cracking walkthrough

ON.1

Patching method

First, open the 026 program in x32dbg, then right-click and search for strings.

Here we see that the success message is located at 00403745.

Go to that address and scroll up to the nearest jump.

This JE is taken when the tested value is 0 (ZF set), and it controls whether execution reaches the success message. We change the JE at 004036EB to NOP, press F9 to run, and enter any data in the input boxes.

Bingo ~ cracked successfully

ON.2

Memory patch method

Continuing to scroll up through the code, we see a string comparison function in x32dbg.

0040369C | 8D4D C4                  | lea ecx,dword ptr ss:[ebp-0x3C]                         |
0040369F | FFD6                     | call esi                                                |
004036A1 | 50                       | push eax                                                |  set a breakpoint here
004036A2 | FF15 74104000            | call dword ptr ds:[<&__vbaStrCmp>]                      |  string comparison function
004036A8 | 8BF0                     | mov esi,eax                                             |
004036AA | 8D45 C4                  | lea eax,dword ptr ss:[ebp-0x3C]                         |
004036AD | 8D4D D8                  | lea ecx,dword ptr ss:[ebp-0x28]                         |
004036B0 | 50                       | push eax                                                |
004036B1 | 8D55 C8                  | lea edx,dword ptr ss:[ebp-0x38]                         |
004036B4 | 51                       | push ecx                                                |
004036B5 | F7DE                     | neg esi                                                 |
004036B7 | 8D45 CC                  | lea eax,dword ptr ss:[ebp-0x34]                         |
004036BA | 52                       | push edx                                                |
004036BB | 8D4D D4                  | lea ecx,dword ptr ss:[ebp-0x2C]                         |
004036BE | 50                       | push eax                                                |
004036BF | 1BF6                     | sbb esi,esi                                             |
004036C1 | 8D55 D0                  | lea edx,dword ptr ss:[ebp-0x30]                         |
004036C4 | 51                       | push ecx                                                |
004036C5 | 46                       | inc esi                                                 |
004036C6 | 52                       | push edx                                                |
004036C7 | 6A 06                    | push 0x6                                                |
004036C9 | F7DE                     | neg esi                                                 |
004036CB | FF15 C4104000            | call dword ptr ds:[<&__vbaFreeStrList>]                 |
004036D1 | 8D45 B0                  | lea eax,dword ptr ss:[ebp-0x50]                         |
004036D4 | 8D4D B4                  | lea ecx,dword ptr ss:[ebp-0x4C]                         |
004036D7 | 50                       | push eax                                                |
004036D8 | 8D55 B8                  | lea edx,dword ptr ss:[ebp-0x48]                         |
004036DB | 51                       | push ecx                                                |
004036DC | 52                       | push edx                                                |
004036DD | 6A 03                    | push 0x3                                                |
004036DF | FF15 20104000            | call dword ptr ds:[<&__vbaFreeObjList>]                 |
004036E5 | 83C4 2C                  | add esp,0x2C                                            |
004036E8 | 66:85F6                  | test si,si                                              |
004036EB | 0F84 AB000000            | je colormaster.40379C                                   |
004036F1 | 8B35 D4104000            | mov esi,dword ptr ds:[<&__vbaVarDup>]                   |
004036F7 | B9 04000280              | mov ecx,0x80020004                                      |
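
How the neg / sbb / inc / neg sequence in the listing above turns the __vbaStrCmp result into the value that `test si,si` checks before the JE at 004036EB, as an added C model (not code from the crackme or the original post). It assumes __vbaStrCmp returns 0 for equal strings and that esi is preserved across the two __vbaFree* calls; the sample return values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration: models only the instructions between __vbaStrCmp and
   the JE at 004036EB that modify esi. Assumption: esi survives the two
   __vbaFree* calls (it is a callee-saved register in stdcall). */
typedef struct { uint32_t esi; int cf; } cpu_t;

static void neg(cpu_t *c) {        /* neg esi: esi = 0 - esi, CF = (esi != 0) */
    c->cf = (c->esi != 0);
    c->esi = 0u - c->esi;
}

static void sbb_self(cpu_t *c) {   /* sbb esi,esi: esi = esi - esi - CF = -CF */
    c->esi = 0u - (uint32_t)c->cf; /* CF is unchanged: a borrow occurs iff CF was 1 */
}

static void inc(cpu_t *c) {        /* inc esi: leaves CF untouched */
    c->esi += 1u;
}

/* Returns the 16-bit value examined by `test si,si` at 004036E8. */
uint16_t si_after_compare(int32_t strcmp_result) {
    cpu_t c = { (uint32_t)strcmp_result, 0 };  /* 004036A8 mov esi,eax */
    neg(&c);                                   /* 004036B5 */
    sbb_self(&c);                              /* 004036BF */
    inc(&c);                                   /* 004036C5 */
    neg(&c);                                   /* 004036C9 */
    return (uint16_t)c.esi;
}

/* JE is taken when ZF = 1, i.e. when si == 0. */
int je_taken(int32_t strcmp_result) {
    return si_after_compare(strcmp_result) == 0;
}

int main(void) {
    int32_t samples[] = { 0, 1, -1 };          /* constructed __vbaStrCmp results */
    for (int i = 0; i < 3; i++)
        printf("StrCmp=%2d  si=0x%04X  je %s\n", (int)samples[i],
               (unsigned)si_after_compare(samples[i]),
               je_taken(samples[i]) ? "taken (to 40379C)"
                                    : "not taken (falls through to 004036F1)");
    return 0;
}
```

In this model, equal strings give si = 0xFFFF (VB True), so the JE is not taken; any non-zero comparison result gives si = 0 and the JE is taken.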

We set the breakpoint, press F9 to run, and click the check button; execution then stops at our breakpoint at 004036A1.

0040369A | 8BD0                     | mov edx,eax                                             | edx:L"55493CDCDD8599459-CM", eax:L"55493CDCDD8599459-CM"
0040369C | 8D4D C4                  | lea ecx,dword ptr ss:[ebp-0x3C]                         | [ebp-3C]:L"55493CDCDD8599459-CM"
0040369F | FFD6                     | call esi                                                |
004036A1 | 50                       | push eax                                                | eax:L"55493CDCDD8599459-CM"
004036A2 | FF15 74104000            | call dword ptr ds:[<&__vbaStrCmp>]                      |
004036A8 | 8BF0                     | mov esi,eax                                             | eax:L"55493CDCDD8599459-CM"
004036AA | 8D45 C4                  | lea eax,dword ptr ss:[ebp-0x3C]                         | [ebp-3C]:L"55493CDCDD8599459-CM"
004036AD | 8D4D D8                  | lea ecx,dword ptr ss:[ebp-0x28]                         | [ebp-28]:L"1234"3CDCDD8599459-CM"
004036B0 | 50                       | push eax                                                | eax:L"55493CDCDD8599459-CM"
004036B1 | 8D55 C8                  | lea edx,dword ptr ss:[ebp-0x38]                         | [ebp-38]:L"55493CDCDD8599459"CM"
004036B4 | 51                       | push ecx                                                | ecx:&L"55493CDCDD8599459-CM"

At this point we see a suspicious string in eax. We enter this string in the Serial box and click the button.

Bingo ~ this is confirmed to be the registration code

Open KeyMake and add the following data

Generate…

Run the keygen we generated, enter any Name, and click the button

Ding-dong ~ the registration code pops up, crack successful
