Here is something to help
Valid serial: howyoudidit?
The tutorial is by alex_ls
******************************************
* Target: Virt by NeoN *
* Release date: 26. Aug, 2007 *
* Solution by: alex_ls *
* Coded in: C++ *
* Difficulty: 6 *
* Protection: Obfuscated code *
* Tools: Just softice and a little brain *
******************************************
- VALID SERIAL IS "howyoudidit?"
- I part (How I did it?)
I tried to disassemble this crackme, but the code is very obfuscated
and I had no time to work on it.
So let's set a breakpoint at GetDlgItemTextA, input a random serial and click the "Check" button.
Let's trace it from 004016b9
.text:004016B9 push offset String ; our random string
.text:004016BE push 100h
.text:004016C3 push offset word_403000 ; offset to VM tab
.text:004016C8 call CheckSerial ; main function
.text:004016CD or eax, eax ; check for exit type
.text:004016CF jnz short loc_4016E1
.text:004016D1 push 10h ; uType
.text:004016D3 push 0 ; lpCaption
.text:004016D5 push offset aSorryWrongKeyT ; lpText
.text:004016DA push 0 ; hWnd
.text:004016DC call MessageBoxA
The main function that implements the Virtual Machine algorithm is call CheckSerial (.text:004016C8).
Tracing this function, it becomes clear that the VM algo is based on the table at address 403000.
So I'll describe some nodes of the table:
.403190 28F3FFFFFF - opcode:Our Key length + F3FFFFFF
.40319F 29A9010000 - opcode:If Our Key Length !=0 Jump to .4031a4
.4031a4 2600000000 - opcode:Exit
Analyzing this stuff I got the valid length of the serial:
SERIALLENGTH-0XD=0, so the length of the serial must be 0Ch, because
the algo uses the end of the string - 0h.
After reversing some instructions, I've got the main table nodes (28h,2ch,29h,26h) with
the opcodes:
- 28h - adding stuff
- 2ch - subtraction stuff
- 29h - checking for 0
- 26h - exit
I set breakpoints at the opcodes that process these nodes:
opcode .401388 (node - 29h)
opcode .401457 (node - 28h)
And I got the final string in 20 minutes!
word1=0xb75ede4e-0x23432342-0x98304283-0x82740921;
word2=0x46bb1982-0x34283203-0xa92e7210;
word3=0x453ab788-0xd3a329e2-0x32232442;
where word1="howy", word2="oudi", word3="dit?"
OUR SERIAL:
howyoudidit?
And the last message string:
word1+=0xc0fbf1e8;
word2+=0x0904e0b1;
word3+=0x2ced0c10;
OUR MESSAGE:
Pas: Virtual
- II part (CONCLUSION)
OK, we have a valid serial - howyoudidit?
So try it to check if it works!
-
I liked the VM algorithm, but the opcode table is very short.
In particular, I solved it in 2 hours!!!
-
My greetings to all!
(Especially to Neon and all the hackers from the CIS countries!)
Crt2Base
//----------------------------------------------
// Crt2Base - extract text from Dino2's hlam!!!
//----------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   // memcpy
#include <windows.h>  // DWORD
//----------------------
//Name: Main()
//----------------------
int main(int argc,char *argv[])
{
    char p_name[0xD];   // 12 characters + terminating 0
    DWORD word1,word2,word3;

    // constants from the VM table; DWORD arithmetic wraps modulo 2^32
    word1=0xb75ede4e-0x23432342-0x98304283-0x82740921;
    word2=0x46bb1982-0x34283203-0xa92e7210;
    word3=0x453ab788-0xd3a329e2-0x32232442;

    // x86 is little-endian, so each DWORD gives 4 characters in string order
    memcpy(p_name+0,&word1,4);
    memcpy(p_name+4,&word2,4);
    memcpy(p_name+8,&word3,4);
    p_name[0xC]=0;
    printf("Serial Key is: %s\n", p_name);

    // adding the second set of constants turns the serial into the message
    word1+=0xc0fbf1e8;
    word2+=0x0904e0b1;
    word3+=0x2ced0c10;
    memcpy(p_name+0,&word1,4);
    memcpy(p_name+4,&word2,4);
    memcpy(p_name+8,&word3,4);
    p_name[0xC]=0;
    printf("Final String is: %s\n",p_name);

    printf("\npress any key for exit!\n");
    getchar();
    return 0;
}
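
The table nodes described in part I, as an added example that is not part of alex_ls's tutorial: a decoder for the VM nodes quoted there. The layout (one opcode byte plus a little-endian 32-bit operand) is inferred from those three nodes, and the mnemonics and function names are made up here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Assumed node layout: 1 opcode byte + 32-bit little-endian operand. */
typedef struct { uint8_t op; uint32_t imm; } vm_node;

/* Constructed sample: the three nodes quoted in the tutorial, packed back
 * to back (in the real table the first one is not adjacent to the others). */
static const uint8_t sample_nodes[] = {
    0x28, 0xF3, 0xFF, 0xFF, 0xFF,   /* .403190 */
    0x29, 0xA9, 0x01, 0x00, 0x00,   /* .40319F */
    0x26, 0x00, 0x00, 0x00, 0x00,   /* .4031A4 */
};

/* Mnemonics are labels invented here for the four handlers the text names. */
const char *vm_mnemonic(uint8_t op) {
    switch (op) {
    case 0x28: return "ADD";   /* adding */
    case 0x2C: return "SUB";   /* subtraction */
    case 0x29: return "CHKZ";  /* checking for 0 */
    case 0x26: return "EXIT";  /* exit */
    default:   return NULL;    /* not one of the four documented nodes */
    }
}

/* Decode one node. Returns bytes consumed (5), or 0 when the buffer is
 * truncated or the opcode is unknown, so the caller stops at junk. */
size_t vm_decode(const uint8_t *buf, size_t len, vm_node *out) {
    if (len < 5 || vm_mnemonic(buf[0]) == NULL) return 0;
    out->op  = buf[0];
    out->imm = (uint32_t)buf[1] | (uint32_t)buf[2] << 8 |
               (uint32_t)buf[3] << 16 | (uint32_t)buf[4] << 24;
    return 5;
}

/* For an ADD node: the input x with x + imm == 0 (mod 2^32). */
uint32_t vm_zeroing_input(const vm_node *n) { return 0u - n->imm; }

int main(void) {
    size_t off = 0, used;
    vm_node n;
    while ((used = vm_decode(sample_nodes + off, sizeof sample_nodes - off, &n))) {
        printf("+%02u  %02X  %-4s 0x%08lX (%ld)\n", (unsigned)off, n.op,
               vm_mnemonic(n.op), (unsigned long)n.imm, (long)(int32_t)n.imm);
        off += used;
    }
    return 0;
}
```

Read as a signed value, the operand of the first node is -0xD, which is the SERIALLENGTH-0XD=0 check from part I.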