[Old thread] [Help] My first crackme analysis: there is a long stretch of code I don't understand, hoping an expert can explain it
Posted on: 2010-6-1 21:43
I didn't have a computer before and could only pick up a bit of knowledge from books. This is my first hands-on attempt, and it turned out to be much harder than I imagined O(∩_∩)O~
This crackme was downloaded from the forum and is said to be the simplest one. It took me several days of study to make some sense of it, so it seems my fundamentals are still not solid enough..
I opened it in OD, pressed Ctrl+N, found the function GetDlgItemTextA and set a breakpoint on it, then ran the program. After I entered the username and password, the program stopped at GetDlgItemTextA; the code is as follows:
0040123F |. 8B35 94404000 mov esi, dword ptr [<&USER32.GetDlgI>; USER32.GetDlgItemTextA
00401245 |. 6A 10 push 10 ; /Count = 10 (16.)
00401247 |. 50 push eax ; |Buffer
00401248 |. 68 E8030000 push 3E8 ; |ControlID = 3E8 (1000.)
0040124D |. 51 push ecx ; |hWnd => 002B0390 (class='#32770',parent=001C01FA)
0040124E |. 33DB xor ebx, ebx ; |
00401250 |. FFD6 call esi ; \GetDlgItemTextA
00401252 |. 83F8 03 cmp eax, 3
00401255 |. 73 0B jnb short 00401262
00401257 |. 5E pop esi
00401258 |. B8 01000000 mov eax, 1
0040125D |. 5B pop ebx
0040125E |. 83C4 30 add esp, 30
00401261 |. C3 retn
00401262 |> A1 BC564000 mov eax, dword ptr [4056BC]
00401267 |. 8D5424 28 lea edx, dword ptr [esp+28]
0040126B |. 6A 10 push 10
0040126D |. 52 push edx
0040126E |. 68 E9030000 push 3E9
00401273 |. 50 push eax
00401274 |. FFD6 call esi
This is the only stretch of code I can understand. I think it means: first get the username and its length and store the username in a buffer; if the username length is less than 3, jump straight to registration failure; if the length is 3 or more, get the password.
I don't understand the code after that. It is as follows:
00401276 |. 0FBE4424 08 movsx eax, byte ptr [esp+8]
0040127B |. 0FBE4C24 09 movsx ecx, byte ptr [esp+9]
00401280 |. 99 cdq
00401281 |. F7F9 idiv ecx
00401283 |. 8BCA mov ecx, edx
00401285 |. 83C8 FF or eax, FFFFFFFF
00401288 |. 0FBE5424 0A movsx edx, byte ptr [esp+A]
0040128D |. 0FAFCA imul ecx, edx
00401290 |. 41 inc ecx
00401291 |. 33D2 xor edx, edx
00401293 |. F7F1 div ecx
00401295 |. 50 push eax
00401296 |. E8 A5000000 call 00401340
0040129B |. 83C4 04 add esp, 4
0040129E |. 33F6 xor esi, esi
004012A0 |> E8 A5000000 /call 0040134A
004012A5 |. 99 |cdq
004012A6 |. B9 1A000000 |mov ecx, 1A
004012AB |. F7F9 |idiv ecx
004012AD |. 80C2 41 |add dl, 41
004012B0 |. 885434 18 |mov byte ptr [esp+esi+18], dl
004012B4 |. 46 |inc esi
004012B5 |. 83FE 0F |cmp esi, 0F
004012B8 |.^ 72 E6 \jb short 004012A0
004012BA |. 57 push edi
004012BB |. 8D7C24 0C lea edi, dword ptr [esp+C]
004012BF |. 83C9 FF or ecx, FFFFFFFF
004012C2 |. 33C0 xor eax, eax
004012C4 |. 33F6 xor esi, esi
004012C6 |. F2:AE repne scas byte ptr es:[edi]
004012C8 |. F7D1 not ecx
004012CA |. 49 dec ecx
004012CB |. 74 59 je short 00401326
004012CD |> 8A4434 0C /mov al, byte ptr [esp+esi+C]
004012D1 |. C0F8 05 |sar al, 5
004012D4 |. 0FBEC0 |movsx eax, al
004012D7 |. 8D1480 |lea edx, dword ptr [eax+eax*4]
004012DA |. 8D04D0 |lea eax, dword ptr [eax+edx*8]
004012DD |. 8D0440 |lea eax, dword ptr [eax+eax*2]
004012E0 |. 85C0 |test eax, eax
004012E2 |. 7E 0A |jle short 004012EE
004012E4 |. 8BF8 |mov edi, eax
004012E6 |> E8 5F000000 |/call 0040134A
004012EB |. 4F ||dec edi
004012EC |.^ 75 F8 |\jnz short 004012E6
004012EE |> E8 57000000 |call 0040134A
004012F3 |. 99 |cdq
004012F4 |. B9 1A000000 |mov ecx, 1A
004012F9 |. 8D7C24 0C |lea edi, dword ptr [esp+C]
004012FD |. F7F9 |idiv ecx
004012FF |. 0FBE4C34 2C |movsx ecx, byte ptr [esp+esi+2C]
00401304 |. 80C2 41 |add dl, 41
00401307 |. 0FBEC2 |movsx eax, dl
0040130A |. 2BC1 |sub eax, ecx
0040130C |. 885434 1C |mov byte ptr [esp+esi+1C], dl
00401310 |. 99 |cdq
00401311 |. 33C2 |xor eax, edx
00401313 |. 83C9 FF |or ecx, FFFFFFFF
00401316 |. 2BC2 |sub eax, edx
00401318 |. 03D8 |add ebx, eax
0040131A |. 33C0 |xor eax, eax
0040131C |. 46 |inc esi
0040131D |. F2:AE |repne scas byte ptr es:[edi]
0040131F |. F7D1 |not ecx
00401321 |. 49 |dec ecx
00401322 |. 3BF1 |cmp esi, ecx
00401324 |.^ 72 A7 \jb short 004012CD
00401326 |> 5F pop edi
00401327 |. 8BC3 mov eax, ebx
00401329 |. 5E pop esi
0040132A |. 5B pop ebx
0040132B |. 83C4 30 add esp, 30
0040132E \. C3 retn
At 00401340:
00401340 /$ 8B4424 04 mov eax, dword ptr [esp+4]
00401344 |. A3 AC504000 mov dword ptr [4050AC], eax
00401349 \. C3 retn
At 0040134A:
0040134A /$ A1 AC504000 mov eax, dword ptr [4050AC]
0040134F |. 69C0 FD430300 imul eax, eax, 343FD ; ASCII "?...
00401355 |. 05 C39E2600 add eax, 269EC3
0040135A |. A3 AC504000 mov dword ptr [4050AC], eax
0040135F |. C1F8 10 sar eax, 10
00401362 |. 25 FF7F0000 and eax, 7FFF
00401367 \. C3 retn
After 0040132E \. C3 retn executes, it jumps to:
00401069 . 85C0 test eax, eax
0040106B . 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040106D . 68 80504000 push 00405080 ; |Title = "ncrackme"
00401072 . 75 1B jnz short 0040108F ; |this instruction can be modified to make registration succeed
00401074 . A1 B8564000 mov eax, dword ptr [4056B8] ; |
00401079 . 68 64504000 push 00405064 ; |Text = "Registration successful."
0040107E . 50 push eax ; |hOwner => 001C01FA ('Newbie smallsize crackme - v1',class='myWindowClass')
0040107F . FF15 C0404000 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
00401085 . E8 A6020000 call 00401330
0040108A . 33C0 xor eax, eax
0040108C . C2 1000 retn 10
0040108F > 8B0D B8564000 mov ecx, dword ptr [4056B8] ; |
00401095 . 68 50504000 push 00405050 ; |Text = "Registration fail."
0040109A . 51 push ecx ; |hOwner => 001C01FA ('Newbie smallsize crackme - v1',class='myWindowClass')
0040109B . FF15 C0404000 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
004010A1 . 33C0 xor eax, eax
004010A3 . C2 1000 retn 10
004010A6 > 66:3D EB03 cmp ax, 3EB
004010AA . 75 22 jnz short 004010CE
004010AC . A1 C0564000 mov eax, dword ptr [4056C0]
004010B1 . 85C0 test eax, eax
004010B3 . 74 19 je short 004010CE
004010B5 . 8B15 B8564000 mov edx, dword ptr [4056B8]
004010BB . 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004010BD . 68 80504000 push 00405080 ; |Title = "ncrackme"
004010C2 . 68 30504000 push 00405030 ; |Text = "good function, i was cracked"
004010C7 . 52 push edx ; |hOwner => 001C01FA ('Newbie smallsize crackme - v1',class='myWindowClass')
004010C8 . FF15 C0404000 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
004010CE > 33C0 xor eax, eax
004010D0 . C2 1000 retn 10
So far, apart from the stretch that fetches the username and password, I can't understand any of the rest. I hope an expert can explain it to me. Thanks, everyone.
One more question:
Why does the username 000, once fetched and stored in the buffer, become 303030? The same happens with the password: 0000 becomes 30303030 after being stored in the buffer.
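To make the listing above concrete, here is a Python emulation of the check routine. It is an added example written for this page, not the poster's code and not the crackme's own source. It treats the two routines at 00401340/0040134A as a seeded linear congruential generator, which is what the constants 0x343FD and 0x269EC3 identify (they are the multiplier and increment of the Microsoft C runtime's srand()/rand()), and it assumes the stack layout inferred from the listing: the username buffer at [esp+8] (the listing reads [esp+8..A] right after the second GetDlgItemTextA call and scans from lea edi,[esp+C] after push edi), a 16-byte scratch area at [esp+18], and the password buffer at [esp+28]. Both GetDlgItemTextA calls pass Count = 0x10, so at most 15 characters plus a NUL terminator are copied; the helper dialog_buffer emulates that and also shows why the buffer holds 30 30 30 for the input 000: the buffer stores the ASCII code of each typed character, and '0' is 0x30.

```python
# Added example (not the poster's code): Python emulation of the check
# routine in the listing, so each step can be followed with concrete values.
# Assumed stack layout (inferred from the listing): username at [esp+8],
# scratch letters at [esp+18], password at [esp+28]; Count = 0x10 for both
# GetDlgItemTextA calls, i.e. at most 15 characters plus a NUL are copied.
from typing import List


def dialog_buffer(text: str, size: int = 16) -> bytes:
    """Emulate GetDlgItemTextA into a `size`-byte buffer: at most size-1
    characters are copied, followed by a NUL; the rest is left as zeros."""
    data = text.encode("latin-1")[: size - 1]
    return data + b"\x00" * (size - len(data))


def signed8(byte: int) -> int:
    """movsx reg, byte ptr [...]: sign-extend one byte to an integer."""
    return byte - 0x100 if byte >= 0x80 else byte


def c_rem(a: int, b: int) -> int:
    """Remainder with idiv semantics (quotient truncated toward zero)."""
    q = abs(a) // abs(b)
    if (a < 0) != (b < 0):
        q = -q
    return a - q * b


class MsvcRand:
    """The routines at 00401340 (store seed) and 0040134A (next value):
    seed = seed * 0x343FD + 0x269EC3, result = (seed >> 16) & 0x7FFF.
    These are the constants of the Microsoft C runtime's srand()/rand()."""

    def __init__(self, seed: int) -> None:
        self.seed = seed & 0xFFFFFFFF            # mov dword ptr [4050AC], eax

    def rand(self) -> int:
        self.seed = (self.seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
        return (self.seed >> 16) & 0x7FFF        # sar eax, 10 ; and eax, 7FFF


def expected_letters(username: str) -> List[int]:
    """Replay 00401276-00401324: the letter derived for each username
    character, which the password byte at the same index is compared to.
    Returns [] when the username has fewer than 3 characters (fail path)."""
    user = dialog_buffer(username)
    length = min(len(username), 15)              # return value of GetDlgItemTextA
    if length < 3:                               # cmp eax, 3 ; jnb short 00401262
        return []
    u0, u1, u2 = (signed8(b) for b in user[:3])  # movsx of [esp+8], [esp+9], [esp+A]
    # seed = 0xFFFFFFFF / ((u0 % u1) * u2 + 1), unsigned div at 00401293
    # (a zero divisor raises here, just as div would fault in the binary)
    divisor = (c_rem(u0, u1) * u2 + 1) & 0xFFFFFFFF
    rng = MsvcRand(0xFFFFFFFF // divisor)
    for _ in range(15):                          # loop at 004012A0: 15 letters
        rng.rand()                               # written to [esp+18], overwritten below
    letters = []
    for i in range(length):                      # loop at 004012CD over strlen(user)
        skips = (signed8(user[i]) >> 5) * 123    # sar al, 5 ; the three lea = *123
        for _ in range(max(skips, 0)):           # jle skips the loop when eax <= 0
            rng.rand()                           # loop at 004012E6 just advances the state
        letters.append(ord("A") + rng.rand() % 26)   # add dl, 41 -> 'A'..'Z'
    return letters


def expected_password(username: str) -> str:
    """The letters as a string (empty when the username is too short)."""
    return "".join(chr(c) for c in expected_letters(username))


def registration_check(username: str, password: str) -> int:
    """Value left in eax for the caller at 00401069 (test eax, eax):
    0 selects "Registration successful.", anything else "Registration fail."."""
    letters = expected_letters(username)
    if not letters:
        return 1                                 # mov eax, 1 at 00401258
    pw = dialog_buffer(password)
    # ebx accumulates |letter - password[i]|; password positions that were
    # never typed read as NUL and therefore contribute the whole letter value
    return sum(abs(c - signed8(pw[i])) for i, c in enumerate(letters))


if __name__ == "__main__":
    print(dialog_buffer("000").hex())            # 30303030...: '0' is ASCII 0x30
    demo_user = "abc"                            # constructed sample input
    print(demo_user, expected_password(demo_user),
          registration_check(demo_user, expected_password(demo_user)))
```

registration_check returns the value the routine leaves in eax, so 0 corresponds to the success message box. Because every byte the password does not supply reads as NUL, the password must contain at least one matching letter per username character, while any characters beyond the username's length are never compared.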