160个练手CrackMe-024
2017-11-06 20:46
1、查壳:无壳,TASM / MASM 编译,是上一个 CrackMe 的 2.0 版本。
2、OD 载入
; Search the referenced strings and follow the xref to the Check handler.
; Flow of the handler: read the serial (as an unsigned int) and the name,
; fold both into a 32-bit key, patch 4 bytes of this very function with the
; key, XOR-checksum the function body, and only on a checksum match jump
; INTO the patched bytes — the success path is reachable only through them.
00401273  . 6A 00          push 0x0                                  ; /IsSigned = FALSE  (serial is parsed unsigned)
00401275  . 8D45 FC        lea eax,dword ptr ss:[ebp-0x4]            ; |
00401278  . 50             push eax                                  ; |pSuccess
00401279  . 6A 64          push 0x64                                 ; |ControlID = 64 (100.)
0040127B  . FF35 50314000  push dword ptr ds:[0x403150]              ; |hWnd = 00010E94 ('TEXme v2.0',class='CTEX')
00401281  . E8 BC010000    call <jmp.&USER32.GetDlgItemInt>          ; \GetDlgItemInt
00401286  . 837D FC 00     cmp dword ptr ss:[ebp-0x4],0x0            ; read serial, convert to int: [ebp-4] is pSuccess, fail if the text did not translate (eax still holds the value)
0040128A  . 74 5F          je XChafe_2.004012EB
0040128C  . 50             push eax                                  ; save the serial value; popped into ebx at 004012B8
0040128D  . 6A 14          push 0x14                                 ; /Count = 14 (20.)  -> at most 19 chars + NUL in the 20-byte buffer at 0040316C
0040128F  . 68 6C314000    push Chafe_2.0040316C                     ; |Buffer = Chafe_2.0040316C
00401294  . FF35 54314000  push dword ptr ds:[0x403154]              ; |hWnd = 00010E98 (class='Edit',parent=00010E94)
0040129A  . E8 AF010000    call <jmp.&USER32.GetWindowTextA>         ; \GetWindowTextA
0040129F  . 85C0           test eax,eax                              ; read name: eax is the copied length, an empty name fails
004012A1  . 74 48          je XChafe_2.004012EB
004012A3  . A1 0B304000    mov eax,dword ptr ds:[0x40300B]           ; seed = dword at 0040300B (0x58455443, "CTEX")
004012A8  . BB 6C314000    mov ebx,Chafe_2.0040316C
; 16 iterations, ebx = 0040316C..0040317B: adds the OVERLAPPING dwords
; name[i..i+3] for i = 0..15, so 19 bytes of the name buffer feed the key.
004012AD  > 0303           add eax,dword ptr ds:[ebx]
004012AF  . 43             inc ebx
004012B0  . 81FB 7C314000  cmp ebx,Chafe_2.0040317C
004012B6  .^ 75 F5         jnz XChafe_2.004012AD
004012B8  . 5B             pop ebx                                   ; the serial value pushed at 0040128C
004012B9  . 03C3           add eax,ebx                               ; key = seed + name sum + serial
; Self-modification: the 4 bytes at 004012D9 (initially 54 45 58 00 = "TEX\0")
; are XORed with the key, then their low word has the key's high word subtracted.
004012BB  . 3105 D9124000  xor dword ptr ds:[0x4012D9],eax           ; [0x4012D9] = 00584554
004012C1  . C1E8 10        shr eax,0x10
004012C4  . 66:2905 D9124> sub word ptr ds:[0x4012D9],ax
; Checksum setup: 0x3E dwords = 248 bytes from 004011EC, i.e. 004011EC..004012E3.
; The range covers the patched bytes at 004012D9, so the patch itself is what is
; validated. The cmp at 004012E3 (its immediate) and the je at 004012E9 lie outside
; the range, so patching that branch is not detected by this checksum.
004012CB  . BE EC114000    mov esi,Chafe_2.004011EC
004012D0  . B9 3E000000    mov ecx,0x3E
004012D5  . 33DB           xor ebx,ebx
004012D7  . EB 04          jmp XChafe_2.004012DD
004012D9  > 54             push esp                                  ; [0x4012D9~DC] self-modified: OllyDbg shows the pre-patch decoding of "TEX\0"
004012DA    45             db 45                                     ; CHAR 'E'
004012DB    58             db 58                                     ; CHAR 'X'
004012DC    00             db 00
004012DD  > AD             lods dword ptr ds:[esi]
004012DE  . 33D8           xor ebx,eax
004012E0  . 49             dec ecx
004012E1  .^ 75 FA         jnz XChafe_2.004012DD
004012E3  . 81FB FBCFFCAF  cmp ebx,0xAFFCCFFB                        ; key comparison: XOR-checksum of the (patched) code must match
004012E9  .^ 74 EE         je XChafe_2.004012D9                      ; on match, execute the patched bytes; with the right key they decode to a short jmp to 00401301
004012EB  > 68 59304000    push Chafe_2.00403059                     ; /Your serial is not valid.
004012F0  . FF35 5C314000  push dword ptr ds:[0x40315C]              ; |hWnd = 00010E9C ('Your serial is not valid.',class='Edit',parent=00010E94)
004012F6  . E8 7D010000    call <jmp.&USER32.SetWindowTextA>         ; \SetWindowTextA
004012FB  . 33C0           xor eax,eax
004012FD  . C9             leave
004012FE  . C2 1000        retn 0x10
; Success path. 68 73 30 40 00 is push 00403073 (the "YES!" string); OllyDbg
; rendered it as ASCII, apparently because no static reference reaches it.
00401301  . 68 73 30 40 0> ascii "hs0@",0                            ; YES! You found your serial!!
00401306  . FF35 5C314000  push dword ptr ds:[0x40315C]              ; |hWnd = 00010E9C ('Your serial is not valid.',class='Edit',parent=00010E94)
0040130C  . E8 67010000    call <jmp.&USER32.SetWindowTextA>         ; \SetWindowTextA
00401311  . 33C0           xor eax,eax
00401313  . C9             leave
00401314  . C2 1000        retn 0x10
转成C语言大概是:
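/*
 * Host-side re-implementation of the target's check (the handler at 0x401273),
 * so a name/serial pair can be validated without running the binary.
 *
 * n[]  image of the handler's bytes starting at 0x4011EC (252 bytes; the
 *      checksum reads only the first 0x3E dwords, 0x4011EC..0x4012E3).
 * m    n + 237, the 4 bytes at 0x4012D9 that the target patches in place
 *      (initially 54 45 58 00 = "TEX\0").
 *
 * Steps, in the target's order:
 *   1. x = "CTEX" seed (dword at 0x40300B) + 16 overlapping dwords of name
 *   2. x += serial (GetDlgItemInt with IsSigned = FALSE: unsigned decimal)
 *   3. [0x4012D9] ^= x; then its low word -= (x >> 16)
 *   4. ebx = XOR of the 0x3E dwords from 0x4011EC; must equal 0xAFFCCFFB
 * With the right key the patched dword becomes 0x585426EB (EB 26 = jmp short
 * to 0x401301, the success path); that is what the checksum effectively pins.
 *
 * The dword reads go through pointer casts exactly like the x86 target, so
 * this assumes a little-endian host. The name is bounded to 19 characters,
 * matching the target's GetWindowTextA(..., 0x14) (the original unbounded
 * scanf("%s") could overflow the 20-byte buffer).
 *
 * Returns 0 after printing the verdict, 1 on missing/invalid input.
 */
int main(void){
    char name[20] = {0};            /* image of the buffer at 0x40316C */
    char serial[20] = {0};
    unsigned serial_value = 0;
    unsigned char n[] = {
        /* 0x4011EC */ 0x55, 0x8b, 0xec, 0x83, 0xc4, 0xfc, 0x8b, 0x45, 0x0c, 0x83, 0xf8, 0x10,
        /* 0x4011F8 */ 0x75, 0x0d, 0x6a, 0x00, 0xe8, 0x6b, 0x02, 0x00, 0x00, 0x33, 0xc0, 0xc9,
        /* 0x401204 */ 0xc2, 0x10, 0x00, 0x83, 0xf8, 0x0f, 0x75, 0x0e, 0x8b, 0x45, 0x08, 0xe8,
        /* 0x401210 */ 0x18, 0x01, 0x00, 0x00, 0x33, 0xc0, 0xc9, 0xc2, 0x10, 0x00, 0x83, 0xf8,
        /* 0x40121C */ 0x01, 0x75, 0x06, 0x33, 0xc0, 0xc9, 0xc2, 0x10, 0x00, 0x3d, 0x11, 0x01,
        /* 0x401228 */ 0x00, 0x00, 0x0f, 0x85, 0xe7, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x14, 0x3b,
        /* 0x401234 */ 0x05, 0x60, 0x31, 0x40, 0x00, 0x75, 0x1a, 0x6a, 0x00, 0x68, 0x96, 0x30,
        /* 0x401240 */ 0x40, 0x00, 0x68, 0xa7, 0x30, 0x40, 0x00, 0xff, 0x75, 0x08, 0xe8, 0x17,
        /* 0x40124C */ 0x02, 0x00, 0x00, 0x33, 0xc0, 0xc9, 0xc2, 0x10, 0x00, 0x3b, 0x05, 0x58,
        /* 0x401258 */ 0x31, 0x40, 0x00, 0x74, 0x0c, 0x3b, 0x05, 0x54, 0x31, 0x40, 0x00, 0x0f,
        /* 0x401264 */ 0x85, 0xae, 0x00, 0x00, 0x00, 0xc7, 0x05, 0xd9, 0x12, 0x40, 0x00, 0x54,
        /* 0x401270 */ 0x45, 0x58, 0x00, 0x6a, 0x00, 0x8d, 0x45, 0xfc, 0x50, 0x6a, 0x64, 0xff,
        /* 0x40127C */ 0x35, 0x50, 0x31, 0x40, 0x00, 0xe8, 0xbc, 0x01, 0x00, 0x00, 0x83, 0x7d,
        /* 0x401288 */ 0xfc, 0x00, 0x74, 0x5f, 0x50, 0x6a, 0x14, 0x68, 0x6c, 0x31, 0x40, 0x00,
        /* 0x401294 */ 0xff, 0x35, 0x54, 0x31, 0x40, 0x00, 0xe8, 0xaf, 0x01, 0x00, 0x00, 0x85,
        /* 0x4012A0 */ 0xc0, 0x74, 0x48, 0xa1, 0x0b, 0x30, 0x40, 0x00, 0xbb, 0x6c, 0x31, 0x40,
        /* 0x4012AC */ 0x00, 0x03, 0x03, 0x43, 0x81, 0xfb, 0x7c, 0x31, 0x40, 0x00, 0x75, 0xf5,
        /* 0x4012B8 */ 0x5b, 0x03, 0xc3, 0x31, 0x05, 0xd9, 0x12, 0x40, 0x00, 0xc1, 0xe8, 0x10,
        /* 0x4012C4 */ 0x66, 0x29, 0x05, 0xd9, 0x12, 0x40, 0x00, 0xbe, 0xec, 0x11, 0x40, 0x00,
        /* 0x4012D0 */ 0xb9, 0x3e, 0x00, 0x00, 0x00, 0x33, 0xdb, 0xeb, 0x04, 0x54, 0x45, 0x58,
        /* 0x4012DC */ 0x00, 0xad, 0x33, 0xd8, 0x49, 0x75, 0xfa, 0x81, 0xfb, 0xfb, 0xcf, 0xfc
    };
    unsigned char *m = n + 237;     /* 0x4012D9 - 0x4011EC = 0xED */

    /* bounded reads: the target never sees more than 19 name characters */
    if (scanf("%19s", name) != 1 || scanf("%19s", serial) != 1) {
        printf("usage: <name> <serial> on stdin\n");
        return 1;
    }
    /* GetDlgItemInt(IsSigned = FALSE): the serial is an unsigned decimal */
    if (sscanf(serial, "%u", &serial_value) != 1) {
        printf("Your serial is not valid.\n");
        return 1;
    }

    DWORD x = 0x58455443;           /* dword at 0x40300B, "CTEX" */
    for (int i = 0; i < 16; i++) {
        /* add eax,[ebx] / inc ebx while ebx != 0x40317C: overlapping dwords */
        x += *(DWORD *)(name + i);
    }
    x += serial_value;              /* pop ebx / add eax,ebx */

    /* self-modification of the 4 bytes at 0x4012D9 */
    *(DWORD *)m ^= x;               /* xor dword ptr [0x4012D9],eax */
    x >>= 0x10;                     /* shr eax,0x10 */
    *(WORD *)m -= (WORD)x;          /* sub word ptr [0x4012D9],ax */

    /* xor-checksum of 0x3E dwords from 0x4011EC; the patched bytes are inside */
    DWORD ebx = 0;
    for (int j = 0; j < 0x3E; j++) {
        ebx ^= *(DWORD *)(n + j * 4);
    }

    if (ebx == 0xAFFCCFFB) {
        /* the target jumps into the patched bytes, which now reach 0x401301 */
        printf("YES! You found your serial!!\n");
    } else {
        printf("Your serial is not valid.\n");
    }
    return 0;
}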
n 是 0x4011EC~0x4012E3 这段代码的字节镜像(校验循环读前 0x3E 个 DWORD,共 248 字节;数组末尾多列出的几个字节不参与校验)。
m 指向 n+237,对应 [0x4012D9~DC] 这四个会被自修改的字节(初值 54 45 58 00,即 "TEX\0")。
第一个for循环:以基础值 x (0x58455443,即 [0x40300B] 处的 DWORD) 为起点,从 name 缓冲区依次取 16 个相互重叠的 DWORD(name+0 … name+15)累加,再加上按无符号数解析的 serial(GetDlgItemInt,IsSigned=FALSE)。
第二个for循环:从0x4011EC开始共取 0x3E 个 DWORD(0x4011EC~0x4012E3)与ebx做异或运算,结果存到ebx中。这段范围包含了刚被自修改的 0x4012D9~DC 四字节,所以校验的实际上是"补丁之后"的代码。
最后ebx与0xAFFCCFFB比较,相等才跳回 0x4012D9 去执行被修改过的字节。注意 0x4012E3 处 cmp 的立即数和 0x4012E9 处的 je 本身都不在校验范围内。
逆向目标是求 int(serial)。思路:要让 0x4012D9 处的四字节变成能跳到成功分支 0x401301 的指令,即 0x585426EB(EB 26 = jmp short +0x26,0x4012DB + 0x26 = 0x401301,后两字节 "TX" 不变)。由初值 0x00584554 逆推:高字需满足 0x0058 ^ H = 0x5854,得 H = 0x580C;低字需满足 (0x4554 ^ L) − 0x580C ≡ 0x26EB (mod 0x10000),得 L = 0x3BA3。所以 x + serial 必须等于 0x580C3BA3,serial = 0x580C3BA3 − x(mod 2^32)。
原文的分析过程有点绕,表达得不是很清晰,这里只保留上面的结论。
3、注册机
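/*
 * Keygen for CrackMe 024 (TEXme v2.0).
 *
 * Reads a name from stdin and prints the serial the target accepts.
 * The target seeds eax with the dword at 0x40300B (0x58455443, "CTEX"),
 * adds the 16 overlapping little-endian dwords name[i..i+3] for i = 0..15,
 * then adds the serial (parsed unsigned by GetDlgItemInt). That sum must be
 * 0x580C3BA3 — the value that turns the patched bytes at 0x4012D9 into the
 * jmp short reaching the success path — so serial = 0x580C3BA3 - sum (mod 2^32).
 *
 * The target fetches the name with GetWindowTextA(..., 0x14), so at most 19
 * characters are significant and the read here is bounded the same way (the
 * original unbounded scanf("%s") could overflow the 20-byte buffer). The dword
 * reads are spelled out little-endian so the keygen does not depend on host
 * byte order. No serial is printed when no name could be read.
 */
void Decrypt(){
    char name[20] = {0};
    printf("Name:");
    if (scanf("%19s", name) != 1) {
        printf("No name given.\n");
        return;
    }
    DWORD x = 0x58455443;
    for (int i = 0; i < 16; i++) {
        /* dword ptr [name+i] on the x86 target, assembled little-endian */
        x += (DWORD)(unsigned char)name[i]
           | ((DWORD)(unsigned char)name[i + 1] << 8)
           | ((DWORD)(unsigned char)name[i + 2] << 16)
           | ((DWORD)(unsigned char)name[i + 3] << 24);
    }
    /* GetDlgItemInt parses the serial unsigned, so print it unsigned */
    printf("Serial:%u", (unsigned)(0x580C3BA3 - x));
    return;
}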