-
-
[原创]一个Crackme练习
-
发表于: 2010-9-3 20:57
-
那本解密与加密看了一半。一直照着书上在做练习感觉有点无聊,今天发现光盘第五章里有习题。。于是下载了一个自己玩玩看。搞了6个小时才搞定。。
主要还是汇编太水,很多代码要分析很久。不过总算弄出来了,分享下。
这个Crackme的名字叫:Bigman's Crackme6。
下载下来解压 出现2个文件 一个unpacked 一个packed 果断选择了unpacked(我还不会脱壳呢。),先运行了下。随便乱填了个用户名,序列号。点check 没有任何反应。接着用IDA Pro载入。发现有GetDlgItemTextA 这个函数。于是OD跑起来,在GetDlgItemTextA下断点,运行。程序停到了刚读入用户名的地方。
0040153E |. 89C3 MOV EBX,EAX 00401540 |. 09DB OR EBX,EBX ;用户名长度为0 结束。 00401542 |. 75 04 JNZ SHORT unpacked.00401548 00401544 |. 31C0 XOR EAX,EAX 00401546 |. EB 50 JMP SHORT unpacked.00401598 00401548 |> BF BC020000 MOV EDI,2BC 0040154D |. BE 30000000 MOV ESI,30 00401552 |. B8 48000000 MOV EAX,48 00401557 |. 99 CDQ 00401558 |. F7FB IDIV EBX 0040155A |. 29C6 SUB ESI,EAX 0040155C |. 8D34B6 LEA ESI,DWORD PTR DS:[ESI+ESI*4] 0040155F |. 29F7 SUB EDI,ESI 00401561 |. 6BFF 6B IMUL EDI,EDI,6B 00401564 |. 81EF 6CCF0000 SUB EDI,0CF6C 0040156A |. 81FF 00230000 CMP EDI,2300 00401570 |. 7F 08 JG SHORT unpacked.0040157A 00401572 |. 81FF 90010000 CMP EDI,190 00401578 |. 7D 04 JGE SHORT unpacked.0040157E 0040157A |> 31C0 XOR EAX,EAX 0040157C |. EB 1A JMP SHORT unpacked.00401598
length = strlen(buffer); //用户名长度
flag = 48 - 72/length;
flag = (700-flag*5)*107-53100;
if(flag>8960)
{
return;
}
if(flag<400)
{
return;
}
0040157E |> \8D85 00FFFFFF LEA EAX,DWORD PTR SS:[EBP-100] 00401584 |. 50 PUSH EAX 00401585 |. 53 PUSH EBX 00401586 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] 00401589 |. E8 77FDFFFF CALL unpacked.00401305
0040139E |. 68 00010000 PUSH 100 ; /Count = 100 (256.) 004013A3 |. 8D85 E1FCFFFF LEA EAX,DWORD PTR SS:[EBP-31F] ; | 004013A9 |. 50 PUSH EAX ; |Buffer 004013AA |. 6A 66 PUSH 66 ; |ControlID = 66 (102.) 004013AC |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd 004013AF |. E8 84030000 CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA 004013B4 |. 09C0 OR EAX,EAX 004013B6 |. 0F84 48010000 JE unpacked.00401504 004013BC |. B8 CF110000 MOV EAX,11CF 004013C1 |. 0FB68D E1FCFF>MOVZX ECX,BYTE PTR SS:[EBP-31F] 004013C8 |. 99 CDQ 004013C9 |. F7F9 IDIV ECX 004013CB |. 83FA 17 CMP EDX,17 004013CE |. 74 07 JE SHORT unpacked.004013D7 004013D0 |. 31C0 XOR EAX,EAX 004013D2 |. E9 2D010000 JMP unpacked.00401504 004013D7 |> 31DB XOR EBX,EBX 004013D9 |. EB 0B JMP SHORT unpacked.004013E6 004013DB |> 8B45 10 /MOV EAX,DWORD PTR SS:[EBP+10] 004013DE |. 0FBE0418 |MOVSX EAX,BYTE PTR DS:[EAX+EBX] 004013E2 |. 0145 FC |ADD DWORD PTR SS:[EBP-4],EAX 004013E5 |. 43 |INC EBX 004013E6 |> 3B5D 0C CMP EBX,DWORD PTR SS:[EBP+C] 004013E9 |.^ 7C F0 \JL SHORT unpacked.004013DB
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
int main()
{
char table[28]="ABCDEFGHIJKLMNOPQRSTUVWXYZ";
char buffer[100],code[100],ch;
int length,end,sum=0,u,temp,flag;
//int length = GetDlgItemTextA(hwnd,66,buffer,100);
while(scanf("%s",&buffer)!=EOF)
{
//检查用户名是否符合规范.
length = strlen(buffer);
flag = 48;
flag -= 72/length;
flag = (700-flag*5)*107-53100;
if(flag>8960)
{
printf("This username can't generate a code\n");
continue;
}
if(flag<400)
{
printf("This username can't generate a code\n");
continue;
}
for(int i=0;i<length;i++)
{
sum+=buffer[i];
}
//计算code
for(i=0;i<length;i++)
{
int t=3*i-1;
if(t<0)
ch = 0;
else
ch=table[t];
temp = ch^buffer[i];
u = sum;
u = (u*i-u)^-1;
u = temp+u+333;
code[i]=((i+3)*length*buffer[i]+u)%10+48;
code[i]=((code[i]^0x0ADAC)*(i+2))%10+48;
}
code[i]='\0';
sprintf(buffer,"%c%s",'T',code);
end=length*sum%100+48;
sprintf(code,"%s-%d",buffer,end);
int codelength=strlen(code);
for(i=1;i<codelength;i++)
{
code[i]^=32;
code[i] = code[i]%10+48;
}
printf("%s\n",code);
}
return 0;
}
 
|
|
|
|
|
|
Thx for your support~~~
|
|
|
|
|
|
 楼主用的是c++
|
|
|
|
|
|
|
|
|
其实楼主用的是Delphi
|
