160个练手CrackMe-039
2017-12-11 15:51
1、ASP壳,Delphi
脱壳方法:①单步法;②ESP定律。OD载入后F8单步一次,发现只有ESP有变化,可以用ESP定律:在命令行输入 dd esp,对该地址设断点->硬件访问->DWord,然后F9运行到断点。(在Win10上脱出来的程序无法运行,在XP上脱壳成功,但查壳仍显示ASP)
2、DeDark无效
OD载入,定位到消息处理函数。
; Fragment of the dialog procedure (the function starts above this excerpt):
; ax is compared against control IDs and dispatched. 0x3EC is the same
; ControlID that the handler at 00401147 passes to GetDlgItemTextA, so this
; is presumably the WM_COMMAND control-ID switch -- confirm in the debugger.
004010DE |. /0F84 C5010000 je damn_unp.004012A9        ; Button_LOCKED
004010E4 |. |66:3D F203    cmp ax,0x3F2
004010E8 |.^|74 BE         je Xdamn_unp.004010A8       ; 0x3F2 handler (not annotated by the author)
004010EA |. |66:3D ED03    cmp ax,0x3ED
004010EE |. |74 15         je Xdamn_unp.00401105       ; Button_Register
004010F0 |. |66:3D EB03    cmp ax,0x3EB
004010F4 |. |74 2C         je Xdamn_unp.00401122       ; Name
004010F6 |. |66:3D EC03    cmp ax,0x3EC
004010FA |. |74 4B         je Xdamn_unp.00401147       ; Key -- the branch analysed below
关键点在Key(ControlID 0x3EC)的处理分支,即 00401147。
; Key (0x3EC) handler: reads the Key edit box into the buffer at 0x00402321,
; stores the returned length, calls the check routine at 004012F3 and passes
; its result straight to EnableWindow for the Register button.
00401147 |> \6A 22         push 0x22                             ; /Count = 22 (34.)  max chars incl. the NUL
00401149 |. 68 21234000    push damn_unp.00402321                ; |lpString = Key buffer
0040114E |. 68 EC030000    push 0x3EC                            ; |ControlID = 3EC (1004.)
00401153 |. FF35 91234000  push dword ptr ds:[0x402391]          ; |hWnd = 00040AB2 ('DAMN's TryMe - CRACKED!',class='#32770')
00401159 |. E8 A1020000    call <jmp.&user32.GetDlgItemTextA>    ; \GetDlgItemTextA
0040115E |. A3 8D234000    mov dword ptr ds:[0x40238D],eax       ; len(Key) = number of chars copied
00401163 |. E8 8B010000    call damn_unp.004012F3                ; serial check -> eax = 1 (ok) / 0 (reject)
00401168 |. 50             push eax                              ; /Enable = check result
00401169 |. FF35 85234000  push dword ptr ds:[0x402385]          ; |hWnd = 00010B24 ('Register',class='Button',parent=00040AB2)
0040116F |. E8 79020000    call <jmp.&user32.EnableWindow>       ; \EnableWindow -- Register button enabled only when eax != 0
00401174 |. 33C0           xor eax,eax                           ; handler result = 0 (presumably the dialog-proc return value)
函数 004012F3 返回1时,通过 EnableWindow 使能Register按钮;返回0则禁用该按钮。
;------------------------------------------------------------------
; damn_unp.004012F3 -- serial check, called from the Key handler at 00401163
; In:   [0x402389] = len(Name), Name buffer at 0x00402353
;       [0x40238D] = len(Key),  Key  buffer at 0x00402321
; Out:  eax = 1 when all 8 Key characters match; eax = 0 when Name is
;       empty or len(Key) != 8. A mismatch jumps to 004012E9 / 004012F5
;       (see notes on those lines).
; Clobbers: eax, ebx, ecx, edx, esi, edi, flags. No prologue, nothing is
;       saved -- ebx/esi/edi are callee-saved under stdcall/cdecl, so the
;       caller must not rely on them surviving this call.
; Part 1 folds the Name bytes into ebx, seeded with 0x44414D4E (the ASCII
; bytes 'D','A','M','N' read high byte first). Part 2 takes the resulting
; 32-bit value one byte at a time (top byte first) and compares each nibble,
; converted to an upper-case hex digit, with Key[2i] / Key[2i+1].
; Note: 004012F5 lies inside the 6-byte instruction at 004012F4, so the
; mismatch exits are not plain "return 0" paths as far as this listing
; shows; the author treats them as returning 0 -- confirm by single-stepping.
;------------------------------------------------------------------
004012F3 /$ 90            nop
004012F4 |. 8B0D 89234000 mov ecx,dword ptr ds:[0x402389]       ; ecx = len(Name)
004012FA |. 85C9          test ecx,ecx
004012FC |. 74 71         je Xdamn_unp.0040136F                 ; empty Name -> return 0
004012FE |. 49            dec ecx
004012FF |. 8BF1          mov esi,ecx                           ; esi = len(Name)-1 = last index
00401301 |. BF 53234000   mov edi,damn_unp.00402353             ; edi = Name
00401306 |. BB 4E4D4144   mov ebx,0x44414D4E                    ; hash seed ("DAMN")
0040130B |. 33D2          xor edx,edx                           ; edx = sum = 0
0040130D |. 8BCA          mov ecx,edx                           ; ecx = i = 0
0040130F |> 33C0          /xor eax,eax
00401311 |. 8A040F        |mov al,byte ptr ds:[edi+ecx]         ; al = Name[i] (upper bits cleared above)
00401314 |. 03D0          |add edx,eax                          ; sum += Name[i]
00401316 |. D1CB          |ror ebx,1                            ; rotate right by 1 (a rotate, not a shift)
00401318 |. D3CB          |ror ebx,cl                           ; rotate right by i (count masked to 5 bits by the CPU)
0040131A |. 33DA          |xor ebx,edx                          ; hash ^= sum
0040131C |. 3BCE          |cmp ecx,esi
0040131E |. 74 03         |je Xdamn_unp.00401323                ; last Name byte processed
00401320 |. 41            |inc ecx
00401321 |.^ EB EC        \jmp Xdamn_unp.0040130F
00401323 |> 81CB 10101010 or ebx,0x10101010                     ; set bit 4 in every byte of the hash
00401329 |. 87DA          xchg edx,ebx                          ; edx = hash
0040132B |. BF 21234000   mov edi,damn_unp.00402321             ; edi = Key
00401330 |. 8B0D 8D234000 mov ecx,dword ptr ds:[0x40238D]       ; ecx = len(Key)
00401336 |. 83F9 08       cmp ecx,0x8
00401339 |. 75 34         jnz Xdamn_unp.0040136F                ; Key must be exactly 8 chars, else return 0
0040133B |. 33C9          xor ecx,ecx                           ; ecx = i = 0 (hash byte index, 4 iterations)
0040133D |> 33C0          /xor eax,eax
0040133F |. C1C2 08       |rol edx,0x8                          ; bring the next hash byte (top byte first) into dl
00401342 |. 8AC2          |mov al,dl
00401344 |. 8AD8          |mov bl,al
00401346 |. 24 0F         |and al,0xF                           ; al = low nibble
00401348 |. C0EB 04       |shr bl,0x4
0040134B |. 80E3 0F       |and bl,0xF                           ; bl = high nibble
0040134E |. 3C 0A         |cmp al,0xA                           ; cmp/sbb/das: classic nibble -> '0'..'9','A'..'F'
00401350 |. 1C 69         |sbb al,0x69
00401352 |. 2F            |das
00401353 |. 38444F 01     |cmp byte ptr ds:[edi+ecx*2+0x1],al   ; Key[2i+1] == hex(low nibble)?
00401357 ^ 75 90          |jnz Xdamn_unp.004012E9               ; mismatch -> author: returns 0 (target is outside this listing)
00401359 |. 8AC3          |mov al,bl
0040135B |. 3C 0A         |cmp al,0xA
0040135D |. 1C 69         |sbb al,0x69
0040135F |. 2F            |das
00401360 |. 38044F        |cmp byte ptr ds:[edi+ecx*2],al       ; Key[2i] == hex(high nibble)?
00401363 ^ 75 90          |jnz Xdamn_unp.004012F5               ; mismatch -> author: returns 0 (target is mid-instruction, see header)
00401365 |. 41            |inc ecx
00401366 |. 83F9 04       |cmp ecx,0x4
00401369 |.^ 75 D2        \jnz Xdamn_unp.0040133D               ; 4 bytes = 8 hex digits
0040136B |. 33C0          xor eax,eax
0040136D |. 40            inc eax                               ; return 1 (accepted)
0040136E |. C3            retn
0040136F |> 33C0          xor eax,eax                           ; return 0 (rejected)
00401371 \. C3            retn
3、爆破
注册机写得有些蓝瘦,于是改用爆破:把两处跳去返回0的条件跳转(00401357、00401363)直接用nop覆盖。