-
-
[原创]3个crackme爆破分析,求邀请码
-
发表于: 2010-9-5 15:07
-
Crack0
od载入,查找字符串,找到congratulation! correct serial num,do next one? :)
关键代码
004015A0 . 56 push esi
004015A1 . 57 push edi
004015A2 . 6A 01 push 1
004015A4 . 8BF1 mov esi, ecx
004015A6 . E8 6B030000 call <jmp.&MFC71.#6236_CWnd::UpdateDa>
004015AB . 8D7E 74 lea edi, dword ptr [esi+74]
004015AE . 8BCF mov ecx, edi
004015B0 . FF15 D0314000 call dword ptr [<&MFC71.#2902_ATL::CS>; MFC71.7C146AB0
004015B6 . 83F8 06 cmp eax, 6 ; 判断name是否大于等于六位
004015B9 7D 1A jge short 004015D5
004015BB . 817E 78 A0860>cmp dword ptr [esi+78], 186A0
004015C2 . 7D 11 jge short 004015D5
004015C4 . 6A 00 push 0
004015C6 . 6A 00 push 0
004015C8 . 68 8C394000 push 0040398C ; name or serial is too short!
004015CD . E8 3E030000 call <jmp.&MFC71.#1123_AfxMessageBox>
004015D2 > 5F pop edi
004015D3 . 5E pop esi
004015D4 . C3 retn
004015D5 > 68 78394000 push 00403978 ; indolentafternoon
004015DA . 8BCF mov ecx, edi
004015DC . FF15 C0314000 call dword ptr [<&MFC71.#1482_ATL::CS>; MFC71.7C144DAE
004015E2 . 85C0 test eax, eax
004015E4 ^ 75 EC jnz short 004015D2 ; 关键跳,不能让他往回跳,所以得NOP掉
004015E6 . 817E 78 D7C75>cmp dword ptr [esi+78], 56C7D7
004015ED ^ 75 E3 jnz short 004015D2 ; 同是关键跳,不能让他回跳,所以得NOP掉
004015EF . 6A 00 push 0
004015F1 . 6A 00 push 0
004015F3 . 68 44394000 push 00403944 ; congratulation! correct serial num,do next one? :)
004015F8 . E8 13030000 call <jmp.&MFC71.#1123_AfxMessageBox>
crack1
od载入,查找字符串,找到name or serial is wrong,try again !
0040155E . 57 push edi
0040155F 74 08 je short 00401569 ; 关键跳,不跳就死,改成JMP
00401561 . 57 push edi
00401562 > 68 60264000 push 00402660 ; name or serial is wrong,try again !
00401567 EB 21 jmp short 0040158A
00401569 > 68 58264000 push 00402658 ; zeng
0040156E . 8BCD mov ecx, ebp
00401570 . FF15 B4214000 call dword ptr [<&MFC71.#2272_ATL::CS>; MFC71.7C188D0D
00401576 . 85C0 test eax, eax
00401578 . 57 push edi
00401579 . 57 push edi
0040157A ^ 7E E6 jle short 00401562 ; 这里也是关键跳,改成NOP
0040157C . 68 10264000 push 00402610 ; congratulation ! correct serial number,good job,do next one? :)
00401581 . EB 07 jmp short 0040158A
00401583 > 57 push edi
00401584 . 57 push edi
00401585 . 68 F4254000 push 004025F4 ; name or serial is too short
0040158A > E8 07030000 call <jmp.&MFC71.#1123_AfxMessageBox>
crack2
由于程序是MFC的,所以要用个工具找到按钮地址
00401550就是按钮入口地址
在OD窗口使用快捷键Ctrl+G,输入00401550
下面是关键代码
00401581 |. 6A 01 push 1
00401583 |. 8BCB mov ecx, ebx
00401585 |. AA stos byte ptr es:[edi]
00401586 |. E8 CB030000 call <jmp.&MFC71.#6236_CWnd::UpdateDa>
0040158B |. 8D4B 74 lea ecx, dword ptr [ebx+74]
0040158E |. FF15 9C314000 call dword ptr [<&MFC71.#876_ATL::CSi>; MFC71.7C158BCD
00401594 |. 8D5424 10 lea edx, dword ptr [esp+10]
00401598 |> 8A08 /mov cl, byte ptr [eax]
0040159A |. 40 |inc eax
0040159B |. 880A |mov byte ptr [edx], cl
0040159D |. 42 |inc edx
0040159E |. 84C9 |test cl, cl
004015A0 |.^ 75 F6 \jnz short 00401598
004015A2 |. 8A4424 16 mov al, byte ptr [esp+16]
004015A6 |. 84C0 test al, al
004015A8 75 50 jnz short 004015FA ; 关键跳,NOP掉
004015AA 8A5424 15 mov dl, byte ptr [esp+15]
004015AE 84D2 test dl, dl
004015B0 74 48 je short 004015FA ; 关键跳,nop掉
004015B2 8B43 78 mov eax, dword ptr [ebx+78]
004015B5 3D A0860100 cmp eax, 186A0
004015BA 7C 3E jl short 004015FA ; 关键跳nop掉
004015BC 0FBE7424 12 movsx esi, byte ptr [esp+12]
004015C1 0FBE4C24 11 movsx ecx, byte ptr [esp+11]
004015C6 0FBE7C24 14 movsx edi, byte ptr [esp+14]
004015CB 03CE add ecx, esi
004015CD 0FBE7424 10 movsx esi, byte ptr [esp+10]
004015D2 03CE add ecx, esi
004015D4 0FBE7424 13 movsx esi, byte ptr [esp+13]
004015D9 0FBED2 movsx edx, dl
004015DC 03F7 add esi, edi
004015DE 03F2 add esi, edx
004015E0 99 cdq
004015E1 BF E8030000 mov edi, 3E8
004015E6 F7FF idiv edi
004015E8 3BC8 cmp ecx, eax
004015EA 75 0E jnz short 004015FA ; 关键跳,nop掉
004015EC 3BF2 cmp esi, edx
004015EE 75 0A jnz short 004015FA ; 关键跳nop掉
004015F0 |. 8B03 mov eax, dword ptr [ebx]
004015F2 |. 8BCB mov ecx, ebx
004015F4 |. FF90 54010000 call dword ptr [eax+154]
004015FA |> 8B8C24 940000>mov ecx, dword ptr [esp+94]
00401601 |. E8 43040000 call 00401A49
00401606 |. 5F pop edi
00401607 |. 5E pop esi
00401608 |. 5B pop ebx
00401609 |. 8BE5 mov esp, ebp
0040160B |. 5D pop ebp
0040160C \. C3 retn
如果对这些Crackme有兴趣的可以到这个帖子里下载
http://bbs.pediy.com/showthread.php?t=93936
od载入,查找字符串,找到congratulation! correct serial num,do next one? :)
关键代码
004015A0 . 56 push esi
004015A1 . 57 push edi
004015A2 . 6A 01 push 1
004015A4 . 8BF1 mov esi, ecx
004015A6 . E8 6B030000 call <jmp.&MFC71.#6236_CWnd::UpdateDa>
004015AB . 8D7E 74 lea edi, dword ptr [esi+74]
004015AE . 8BCF mov ecx, edi
004015B0 . FF15 D0314000 call dword ptr [<&MFC71.#2902_ATL::CS>; MFC71.7C146AB0
004015B6 . 83F8 06 cmp eax, 6 ; 判断name是否大于等于六位
004015B9 7D 1A jge short 004015D5
004015BB . 817E 78 A0860>cmp dword ptr [esi+78], 186A0
004015C2 . 7D 11 jge short 004015D5
004015C4 . 6A 00 push 0
004015C6 . 6A 00 push 0
004015C8 . 68 8C394000 push 0040398C ; name or serial is too short!
004015CD . E8 3E030000 call <jmp.&MFC71.#1123_AfxMessageBox>
004015D2 > 5F pop edi
004015D3 . 5E pop esi
004015D4 . C3 retn
004015D5 > 68 78394000 push 00403978 ; indolentafternoon
004015DA . 8BCF mov ecx, edi
004015DC . FF15 C0314000 call dword ptr [<&MFC71.#1482_ATL::CS>; MFC71.7C144DAE
004015E2 . 85C0 test eax, eax
004015E4 ^ 75 EC jnz short 004015D2 ; 关键跳,不能让他往回跳,所以得NOP掉
004015E6 . 817E 78 D7C75>cmp dword ptr [esi+78], 56C7D7
004015ED ^ 75 E3 jnz short 004015D2 ; 同是关键跳,不能让他回跳,所以得NOP掉
004015EF . 6A 00 push 0
004015F1 . 6A 00 push 0
004015F3 . 68 44394000 push 00403944 ; congratulation! correct serial num,do next one? :)
004015F8 . E8 13030000 call <jmp.&MFC71.#1123_AfxMessageBox>
crack1
od载入,查找字符串,找到name or serial is wrong,try again !
0040155E . 57 push edi
0040155F 74 08 je short 00401569 ; 关键跳,不跳就死,改成JMP
00401561 . 57 push edi
00401562 > 68 60264000 push 00402660 ; name or serial is wrong,try again !
00401567 EB 21 jmp short 0040158A
00401569 > 68 58264000 push 00402658 ; zeng
0040156E . 8BCD mov ecx, ebp
00401570 . FF15 B4214000 call dword ptr [<&MFC71.#2272_ATL::CS>; MFC71.7C188D0D
00401576 . 85C0 test eax, eax
00401578 . 57 push edi
00401579 . 57 push edi
0040157A ^ 7E E6 jle short 00401562 ; 这里也是关键跳,改成NOP
0040157C . 68 10264000 push 00402610 ; congratulation ! correct serial number,good job,do next one? :)
00401581 . EB 07 jmp short 0040158A
00401583 > 57 push edi
00401584 . 57 push edi
00401585 . 68 F4254000 push 004025F4 ; name or serial is too short
0040158A > E8 07030000 call <jmp.&MFC71.#1123_AfxMessageBox>
crack2
由于程序是MFC的,所以要用个工具找到按钮地址
00401550就是按钮入口地址
在OD窗口使用快捷键Ctrl+G,输入00401550
下面是关键代码
00401581 |. 6A 01 push 1
00401583 |. 8BCB mov ecx, ebx
00401585 |. AA stos byte ptr es:[edi]
00401586 |. E8 CB030000 call <jmp.&MFC71.#6236_CWnd::UpdateDa>
0040158B |. 8D4B 74 lea ecx, dword ptr [ebx+74]
0040158E |. FF15 9C314000 call dword ptr [<&MFC71.#876_ATL::CSi>; MFC71.7C158BCD
00401594 |. 8D5424 10 lea edx, dword ptr [esp+10]
00401598 |> 8A08 /mov cl, byte ptr [eax]
0040159A |. 40 |inc eax
0040159B |. 880A |mov byte ptr [edx], cl
0040159D |. 42 |inc edx
0040159E |. 84C9 |test cl, cl
004015A0 |.^ 75 F6 \jnz short 00401598
004015A2 |. 8A4424 16 mov al, byte ptr [esp+16]
004015A6 |. 84C0 test al, al
004015A8 75 50 jnz short 004015FA ; 关键跳,NOP掉
004015AA 8A5424 15 mov dl, byte ptr [esp+15]
004015AE 84D2 test dl, dl
004015B0 74 48 je short 004015FA ; 关键跳,nop掉
004015B2 8B43 78 mov eax, dword ptr [ebx+78]
004015B5 3D A0860100 cmp eax, 186A0
004015BA 7C 3E jl short 004015FA ; 关键跳nop掉
004015BC 0FBE7424 12 movsx esi, byte ptr [esp+12]
004015C1 0FBE4C24 11 movsx ecx, byte ptr [esp+11]
004015C6 0FBE7C24 14 movsx edi, byte ptr [esp+14]
004015CB 03CE add ecx, esi
004015CD 0FBE7424 10 movsx esi, byte ptr [esp+10]
004015D2 03CE add ecx, esi
004015D4 0FBE7424 13 movsx esi, byte ptr [esp+13]
004015D9 0FBED2 movsx edx, dl
004015DC 03F7 add esi, edi
004015DE 03F2 add esi, edx
004015E0 99 cdq
004015E1 BF E8030000 mov edi, 3E8
004015E6 F7FF idiv edi
004015E8 3BC8 cmp ecx, eax
004015EA 75 0E jnz short 004015FA ; 关键跳,nop掉
004015EC 3BF2 cmp esi, edx
004015EE 75 0A jnz short 004015FA ; 关键跳nop掉
004015F0 |. 8B03 mov eax, dword ptr [ebx]
004015F2 |. 8BCB mov ecx, ebx
004015F4 |. FF90 54010000 call dword ptr [eax+154]
004015FA |> 8B8C24 940000>mov ecx, dword ptr [esp+94]
00401601 |. E8 43040000 call 00401A49
00401606 |. 5F pop edi
00401607 |. 5E pop esi
00401608 |. 5B pop ebx
00401609 |. 8BE5 mov esp, ebp
0040160B |. 5D pop ebp
0040160C \. C3 retn
如果对这些Crackme有兴趣的可以到这个帖子里下载
http://bbs.pediy.com/showthread.php?t=93936
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
