I'm halfway through that book, 解密与加密 (Encryption and Decryption). Just following the book's exercises was getting a bit boring, and today I found that chapter 5 on the CD has practice crackmes... so I downloaded one to play with. It took me 6 hours to get it done.
Mostly because my assembly is weak; a lot of the code took a long time to analyze. But I got there in the end, so here's a write-up.
The crackme is called: Bigman's Crackme6.
After downloading and unzipping there are 2 files, one unpacked and one packed. I went straight for unpacked (I can't unpack yet). Ran it first, typed in a random username and serial, clicked check: no reaction at all. Then I loaded it into IDA Pro and found the function GetDlgItemTextA. So I fired up OD, set a breakpoint on GetDlgItemTextA and ran. The program stopped right where it had just read in the username.
0040153E |. 89C3 MOV EBX,EAX
00401540 |. 09DB OR EBX,EBX ; username length is 0 -> bail out
00401542 |. 75 04 JNZ SHORT unpacked.00401548
00401544 |. 31C0 XOR EAX,EAX
00401546 |. EB 50 JMP SHORT unpacked.00401598
00401548 |> BF BC020000 MOV EDI,2BC
0040154D |. BE 30000000 MOV ESI,30
00401552 |. B8 48000000 MOV EAX,48
00401557 |. 99 CDQ
00401558 |. F7FB IDIV EBX
0040155A |. 29C6 SUB ESI,EAX
0040155C |. 8D34B6 LEA ESI,DWORD PTR DS:[ESI+ESI*4]
0040155F |. 29F7 SUB EDI,ESI
00401561 |. 6BFF 6B IMUL EDI,EDI,6B
00401564 |. 81EF 6CCF0000 SUB EDI,0CF6C
0040156A |. 81FF 00230000 CMP EDI,2300
00401570 |. 7F 08 JG SHORT unpacked.0040157A
00401572 |. 81FF 90010000 CMP EDI,190
00401578 |. 7D 04 JGE SHORT unpacked.0040157E
0040157A |> 31C0 XOR EAX,EAX
0040157C |. EB 1A JMP SHORT unpacked.00401598
length = strlen(buffer);              // username length (EBX); length 0 fails
flag = 48 - 72/length;                // 0x30 - 0x48/length, integer (IDIV) division
flag = (700-flag*5)*107-53100;        // (0x2BC - flag*5)*0x6B - 0xCF6C
if(flag>8960)                         // CMP EDI,2300 / JG -> fail
{
    return;
}
if(flag<400)                          // CMP EDI,190 / JGE continues, otherwise fail
{
    return;
}
0040157E |> \8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100]
00401584 |. 50 PUSH EAX
00401585 |. 53 PUSH EBX
00401586 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401589 |. E8 77FDFFFF CALL unpacked.00401305
0040139E |. 68 00010000 PUSH 100 ; /Count = 100 (256.)
004013A3 |. 8D85 E1FCFFFF LEA EAX,DWORD PTR SS:[EBP-31F] ; |
004013A9 |. 50 PUSH EAX ; |Buffer
004013AA |. 6A 66 PUSH 66 ; |ControlID = 66 (102.)
004013AC |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004013AF |. E8 84030000 CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
004013B4 |. 09C0 OR EAX,EAX
004013B6 |. 0F84 48010000 JE unpacked.00401504
004013BC |. B8 CF110000 MOV EAX,11CF
004013C1 |. 0FB68D E1FCFF>MOVZX ECX,BYTE PTR SS:[EBP-31F]
004013C8 |. 99 CDQ
004013C9 |. F7F9 IDIV ECX
004013CB |. 83FA 17 CMP EDX,17
004013CE |. 74 07 JE SHORT unpacked.004013D7
004013D0 |. 31C0 XOR EAX,EAX
004013D2 |. E9 2D010000 JMP unpacked.00401504
004013D7 |> 31DB XOR EBX,EBX
004013D9 |. EB 0B JMP SHORT unpacked.004013E6
004013DB |> 8B45 10 /MOV EAX,DWORD PTR SS:[EBP+10]
004013DE |. 0FBE0418 |MOVSX EAX,BYTE PTR DS:[EAX+EBX]
004013E2 |. 0145 FC |ADD DWORD PTR SS:[EBP-4],EAX
004013E5 |. 43 |INC EBX
004013E6 |> 3B5D 0C CMP EBX,DWORD PTR SS:[EBP+C]
004013E9 |.^ 7C F0 \JL SHORT unpacked.004013DB
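To check the reading of both listings, here is a re-implementation of the username-length check (0040153E..0040157E) and the serial first-byte check (004013B4..004013CE), plus a brute-force over the input space so the constraints become concrete. This is an added example by the editor, not the crackme's own code and not from the original post; the hex constants and register names come straight from the OllyDbg listings above. The name-byte loop at 004013D7..004013E9 is reproduced as well, but the listing cuts off before its result is used and the initial value of [EBP-4] is not shown, so that function starts from 0 (an assumption) and only reproduces the loop's contribution.

```python
"""
Re-implementation of the checks visible in the two listings above, written to
work out what inputs actually get past them. Added example, not the crackme's
own code; register names in comments refer to the OllyDbg listing.
"""


def c_div(a: int, b: int) -> int:
    """x86 IDIV truncates toward zero; Python's // floors toward -inf.
    They agree for the non-negative operands used here, but the difference
    is spelled out so the model matches the hardware."""
    q = abs(a) // abs(b)
    return q if (a >= 0) == (b >= 0) else -q


def name_length_check(name: bytes) -> bool:
    """0040153E..0040157E: the only property of the username used here is
    its length (EBX)."""
    n = len(name)
    if n == 0:                          # OR EBX,EBX / JNZ -> empty name fails
        return False
    esi = 0x30 - c_div(0x48, n)         # MOV ESI,30 / MOV EAX,48 / CDQ / IDIV EBX / SUB ESI,EAX
    esi = esi + esi * 4                 # LEA ESI,[ESI+ESI*4]
    edi = 0x2BC - esi                   # MOV EDI,2BC / SUB EDI,ESI
    edi = edi * 0x6B - 0xCF6C           # IMUL EDI,EDI,6B / SUB EDI,0CF6C
    if edi > 0x2300:                    # CMP EDI,2300 / JG -> fail
        return False
    return edi >= 0x190                 # CMP EDI,190 / JGE -> continue, else fail


def serial_first_char_check(serial: bytes) -> bool:
    """004013B4..004013CE: only the first byte of the serial is tested:
    0x11CF % serial[0] must equal 0x17."""
    if not serial:                      # OR EAX,EAX / JE -> GetDlgItemTextA read nothing
        return False
    ecx = serial[0]                     # MOVZX ECX,BYTE PTR [EBP-31F] (zero-extended)
    if ecx == 0:                        # IDIV by zero would fault; cannot happen for dialog text
        return False
    return 0x11CF % ecx == 0x17         # MOV EAX,11CF / CDQ / IDIV ECX / CMP EDX,17


def name_byte_sum(name: bytes) -> int:
    """004013D7..004013E9: accumulate every byte of the username as a
    SIGNED value (MOVSX, not MOVZX) into [EBP-4]. The listing stops before
    the sum is used and its initial value is not shown, so this starts from
    0 (assumption) and only reproduces the loop's contribution."""
    total = 0
    for b in name:
        total += b - 0x100 if b >= 0x80 else b
    return total


def valid_name_lengths(max_len: int = 64) -> list:
    """Lengths 1..max_len that pass name_length_check."""
    return [n for n in range(1, max_len + 1) if name_length_check(b"A" * n)]


def valid_first_chars() -> str:
    """Printable ASCII bytes c with 0x11CF % c == 0x17, i.e. the divisors of
    0x11CF - 0x17 = 4536 that are larger than 0x17."""
    return "".join(chr(c) for c in range(0x20, 0x7F)
                   if serial_first_char_check(bytes([c])))


if __name__ == "__main__":
    print("name lengths that pass:", valid_name_lengths())
    print("serial first chars that pass:", valid_first_chars())
    print("signed byte sum of b'A\\xff':", name_byte_sum(b"A\xff"))
```

Running it shows the first gate only accepts usernames of 3 to 9 characters, and the serial's first character has to be one of $ * 6 8 ? H Q T l ~ (the printable divisors of 4536 above 23). Note the MOVSX in the loop: a username typed with bytes >= 0x80 contributes negative values to the sum, which a keygen written with unsigned arithmetic would get wrong.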