
160个练手CrackMe-034


1、无壳

FileKey类型


2、OD载入

00401016  |.  6A 00         push 0x0                                 ; /hTemplateFile = NULL
00401018  |.  68 80000000   push 0x80                                ; |Attributes = NORMAL
0040101D  |.  6A 03         push 0x3                                 ; |Mode = OPEN_EXISTING
0040101F  |.  6A 00         push 0x0                                 ; |pSecurity = NULL
00401021  |.  6A 03         push 0x3                                 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401023  |.  68 000000C0   push 0xC0000000                          ; |Access = GENERIC_READ|GENERIC_WRITE
00401028  |.  68 D7204000   push Cruehead.004020D7                   ; |CRACKME3.KEY
0040102D  |.  E8 76040000   call <jmp.&KERNEL32.CreateFileA>         ; \CreateFileA
00401032  |.  83F8 FF       cmp eax,-0x1                             ;  -1 = INVALID_HANDLE_VALUE (key file could not be opened)
00401035  |.  75 0C         jnz XCruehead.00401043                   ;  handle is valid: continue with the read
00401037  |>  68 0E214000   push Cruehead.0040210E                   ;  CrackMe v3.0
0040103C  |.  E8 B4020000   call Cruehead.004012F5                   ;  " - Uncracked"
00401041  |.  EB 6B         jmp XCruehead.004010AE
00401043  |>  A3 F5204000   mov dword ptr ds:[0x4020F5],eax          ;  save the file handle
00401048  |.  B8 12000000   mov eax,0x12
0040104D  |.  BB 08204000   mov ebx,Cruehead.00402008                ;  ASCII "              opqr"
00401052  |.  6A 00         push 0x0                                 ; /pOverlapped = NULL
00401054  |.  68 A0214000   push Cruehead.004021A0                   ; |pBytesRead = Cruehead.004021A0
00401059  |.  50            push eax                                 ; |BytesToRead => 12 (18.)
0040105A  |.  53            push ebx                                 ; |Buffer => Cruehead.00402008
0040105B  |.  FF35 F5204000 push dword ptr ds:[0x4020F5]             ; |hFile = 000001E8
00401061  |.  E8 30040000   call <jmp.&KERNEL32.ReadFile>            ; \ReadFile
00401066  |.  833D A0214000>cmp dword ptr ds:[0x4021A0],0x12         ;  bytes actually read must equal 0x12 (18)
0040106D  |.^ 75 C8         jnz XCruehead.00401037                   ;  short read: take the failure path
0040106F  |.  68 08204000   push Cruehead.00402008                   ;  arg: buffer filled by ReadFile
00401074  |.  E8 98020000   call Cruehead.00401311                   ;  processing routine 1
00401079  |.  8135 F9204000>xor dword ptr ds:[0x4020F9],0x12345678   ;  XOR the dword at 0x4020F9 with 0x12345678 (presumably routine 1's result; its body is not shown here)
00401083  |.  83C4 04       add esp,0x4
00401086  |.  68 08204000   push Cruehead.00402008                   ;  arg: same buffer
0040108B  |.  E8 AC020000   call Cruehead.0040133C                   ;  processing routine 2
00401090  |.  83C4 04       add esp,0x4
00401093  |.  3B05 F9204000 cmp eax,dword ptr ds:[0x4020F9]          ;  compare routine 2's return value with the dword at 0x4020F9
00401099  |.  0F94C0        sete al                                  ;  al = 1 when the two values are equal
0040109C  |.  50            push eax
0040109D  |.  84C0          test al,al
0040109F  |.^ 74 96         je XCruehead.00401037                    ;  mismatch: jump to the failure path


call 00401311() 处理 Serial 的前 14 个字节得到一个累加值,该值再与 0x12345678 异或(见 00401079 处的 xor 指令),然后与 Serial 的后 4 个字节比较:相同则成功,不相同则失败。

原型:

/*
 * C reconstruction of the check value computed over the key file's first
 * 14 bytes.
 *
 * Each byte is XORed in place with a running key that starts at 0x41 and
 * grows by one per position; the transformed bytes are summed. The walk
 * stops after 14 bytes, or right after a byte that transforms to zero.
 *
 * serial: writable buffer of at least 14 bytes; it is modified in place.
 * Returns the sum XORed with 0x12345678 (the listing applies that XOR in the
 * caller, at 00401079; it is folded in here).
 *
 * NOTE(review): with a signed `char`, transformed bytes >= 0x80 are added as
 * negative values. Printable ASCII input never reaches that range; confirm
 * against the binary before relying on this for arbitrary bytes.
 */
int call_00401311(char *serial){
    int sum = 0;
    char *p = serial;

    /* key runs 0x41 .. 0x4E, one value per byte position */
    for (int key = 0x41; key < 0x41 + 0xE; key++, p++) {
        *p ^= key;
        sum += *p;
        if (*p == 0)
            break;      /* a zero result ends the walk early */
    }

    return sum ^ 0x12345678;
}

/*
 * Pseudocode for the final comparison (00401093 in the listing), not
 * compilable C: "Y" and "N" stand for the success and failure paths.
 * The right-hand side reads the 4 bytes at offset 14 of the 18-byte buffer
 * as one int, i.e. the value stored after the 14 serial bytes.
 * NOTE(review): that this is what routine 0040133C returns is the author's
 * analysis; the routine's body is not shown in the listing.
 */
if(call_00401311(serial) == *(int *)(serial + 14))
"Y";
else
"N";


3、注册机

/*
 * Computes the 32-bit check value for a 14-byte serial.
 *
 * Byte i is replaced in place by serial[i] ^ (0x41 + i) and the replaced
 * bytes are accumulated. Processing ends after 14 bytes, or immediately
 * after a byte whose transformed value is zero.
 *
 * serial: writable buffer of at least 14 bytes; overwritten with the
 *         transformed bytes, so write the raw serial out before calling.
 * Returns the accumulated sum XORed with 0x12345678.
 *
 * NOTE(review): `char` may be signed, in which case transformed bytes
 * >= 0x80 contribute negative values. Printable ASCII input stays below
 * that; confirm the intended extension against the binary.
 */
int call_00401311(char *serial){
    int total = 0;
    int pos = 0;

    while (pos < 14) {
        char mixed = (char)(serial[pos] ^ (0x41 + pos));

        serial[pos] = mixed;
        total += mixed;
        if (mixed == 0)
            break;      /* zero byte terminates the accumulation */
        pos++;
    }

    return total ^ 0x12345678;
}

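/*
 * Writes CRACKME3.KEY for the practice target analysed above: the 14 serial
 * bytes as typed, followed by the 4-byte value from call_00401311().
 *
 * Changes from the original listing:
 *  - input is bounded to the buffer (an unbounded `cin >> serial` into
 *    char[15] overflows the stack on longer input);
 *  - the serial must be exactly 14 characters, so no uninitialised bytes
 *    are written to the file or fed into the sum;
 *  - fopen/fwrite/fclose results are checked and the file is closed.
 *
 * Returns 0 on success, 1 on bad input or I/O failure.
 */
int main(){
    FILE *fp;
    char serial[15] = {0};      // 14 serial bytes + terminating NUL
    int ret;
    int status = 0;
    size_t len = 0;

    cout << "Please enter a string with a length of 14:" << endl;
    cin.width(sizeof serial);   // operator>> stores at most 14 chars + NUL
    cin >> serial;

    while (len < sizeof serial && serial[len] != '\0')
        len++;
    if (!cin || len != 0x0E) {
        cerr << "The serial must be exactly 14 characters long." << endl;
        return 1;
    }

    fp = fopen("CRACKME3.KEY", "wb+");
    if (fp == NULL) {
        cerr << "Cannot create CRACKME3.KEY" << endl;
        return 1;
    }

    // The raw serial goes out first: call_00401311() rewrites the buffer
    // in place, so it must run only after this write.
    if (fwrite(serial, 0x0E, 1, fp) != 1)
        status = 1;

    if (status == 0) {
        ret = call_00401311(serial);
        // Assumes a 4-byte little-endian int, matching the dword compare
        // in the x86 listing.
        if (fwrite(&ret, 0x04, 1, fp) != 1)
            status = 1;
    }

    // fclose flushes buffered data; a failure here means the file is incomplete.
    if (fclose(fp) != 0)
        status = 1;

    if (status != 0)
        cerr << "Failed to write CRACKME3.KEY" << endl;

    return status;
}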

