[Original] A detailed crack of a not-too-hard CrackMe, plus tracing the key [applying for an invite code]
Posted: 2010-9-15 10:07
This is a CrackMe someone posted on the Kanxue forum recently. It is packed; I did not unpack it, so I just ran it packed:
yoda's Protector v1.02 (.dll,.ocx) -> Ashkbiz Danehkar (h) *
I cracked it and traced the key along the way. It is not very hard, and I will try to explain in detail. I am a beginner myself and have not been learning long, so please forgive any mistakes...
First, use the call stack to find the place that shows the error message, then F8 out of it until you reach here:
004011CC 68 0D404000 push 54guan.0040400D
004011D1 68 0E404000 push 54guan.0040400E ; Please enter the registration code to get the level password:
004011D6 68 69404000 push 54guan.00404069 ; Lulu Puzzle-Cracking Game, level 54
004011DB E8 6C100000 call 54guan.0040224C
004011E0 8D4424 04 lea eax,dword ptr ss:[esp+4]
004011E4 50 push eax
004011E5 E8 96150000 call 54guan.00402780
004011EA FF3424 push dword ptr ss:[esp] ; fetch the fake code
004011ED BA 0D404000 mov edx,54guan.0040400D
004011F2 59 pop ecx
004011F3 E8 08160000 call 54guan.00402800 ; a comparison follows that jumps to the error path; F7 into it
004011F8 75 3B jnz short 54guan.00401235
004011FA FF3424 push dword ptr ss:[esp]
004011FD E8 CE0E0000 call 54guan.004020D0
00401202 89C3 mov ebx,eax
00401204 83FB 10 cmp ebx,10 ; compare ebx with 16; if not equal, jump to failure
00401207 75 0A jnz short 54guan.00401213
00401209 FF3424 push dword ptr ss:[esp]
0040120C E8 A9FEFFFF call 54guan.004010BA
00401211 EB 20 jmp short 54guan.00401233
00401213 68 01000000 push 1
00401218 68 36404000 push 54guan.00404036 ; Registration code wrong, continue entering?
0040121D 68 51404000 push 54guan.00404051 ; Notice
00401222 E8 DA0E0000 call 54guan.00402101
00401227 89C3 mov ebx,eax
00401229 83FB 01 cmp ebx,1
0040122C 75 05 jnz short 54guan.00401233
0040122E E8 8EFFFFFF call 54guan.004011C1 ; key call
00401233 EB 20 jmp short 54guan.00401255
00401235 68 01000000 push 1
0040123A 68 36404000 push 54guan.00404036 ; Registration code wrong, continue entering?
0040123F 68 51404000 push 54guan.00404051 ; Notice
00401244 E8 B80E0000 call 54guan.00402101
00401249 89C3 mov ebx,eax
0040124B 83FB 01 cmp ebx,1
0040124E 75 05 jnz short 54guan.00401255
00401250 E8 6CFFFFFF call 54guan.004011C1
00401255 31C0 xor eax,eax
00401257 FF3424 push dword ptr ss:[esp]
Set a breakpoint at 004011E5 E8 96150000 call 54guan.00402780.
Reload the program.
Enter the fake code 987654321 in the input box and click OK. It breaks; press F8 once and you can see the fake code on the stack: ss:[0012FFB8]=00A50650, (ASCII "987654321")
Keep pressing F8 to 004011F3. There is a comparison after it, so let's go in and look:
00402800 09D2 or edx,edx ; 54guan.0040400D
00402802 75 05 jnz short 54guan.00402809
00402804 BA 8B404000 mov edx,54guan.0040408B
00402809 09C9 or ecx,ecx
0040280B 75 05 jnz short 54guan.00402812
0040280D B9 8B404000 mov ecx,54guan.0040408B
00402812 8A22 mov ah,byte ptr ds:[edx]
00402814 42 inc edx
00402815 8A01 mov al,byte ptr ds:[ecx] ; load the byte
00402817 41 inc ecx ; ecx += 1
00402818 38C4 cmp ah,al ; compare ah with al
0040281A 75 0C jnz short 54guan.00402828
0040281C 08E4 or ah,ah
0040281E ^ 75 F2 jnz short 54guan.00402812
00402820 B8 01000000 mov eax,1
00402825 85C0 test eax,eax
00402827 C3 retn
This is the string comparison function. I traced through it and found nothing suspicious; it is just a compare... After returning, keep pressing F8.
At 00401207 there is a jnz that will jump; we do not let it jump, because it goes to failure... Continuing, 0040122E is a key call, which you can tell from the jump after it.
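To make the branch logic of the listings above easier to read, here is a C reconstruction of the compare routine at 00402800 and of the two preliminary checks its caller makes between 004011F3 and 00401207. This is an added example written from the disassembly, not code from the original post or from the CrackMe. It assumes three things the listing does not show directly: that the mismatch path at 00402828 returns eax=0, that the address 0040408B substituted for a NULL pointer holds an empty string, that 0040400D (the byte just before the prompt string at 0040400E) is an empty string, and that 004020D0 behaves like strlen, which is what the "cmp ebx,10" after it suggests.

```c
/* Added example, reconstructed from the OllyDbg listings in the post above.
 * NOT the CrackMe's own source. Assumptions are marked in the comments. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 0040408B is substituted for a NULL pointer by the routine; ASSUMED to hold
 * an empty string. */
static const char EMPTY_0040408B[] = "";

/* Reconstruction of 00402800. Returns 1 when the two strings are equal and
 * 0 when they differ. Because the routine ends with "mov eax,1 / test eax,eax",
 * an EQUAL result leaves ZF clear, so callers use jnz to branch on EQUAL and
 * je to branch on NOT EQUAL, the opposite of the usual strcmp idiom. That is
 * why the jnz at 004011F8 and the je at 0040116A read "backwards". */
int compare_00402800(const char *edx, const char *ecx)
{
    if (edx == NULL) edx = EMPTY_0040408B;      /* 00402800..00402804 */
    if (ecx == NULL) ecx = EMPTY_0040408B;      /* 00402809..0040280D */
    for (;;) {
        unsigned char ah = (unsigned char)*edx++;   /* 00402812, 00402814 */
        unsigned char al = (unsigned char)*ecx++;   /* 00402815, 00402817 */
        if (ah != al)
            return 0;   /* 0040281A -> 00402828; ASSUMED to return eax=0 */
        if (ah == 0)
            return 1;   /* 0040281C..00402827: both ended, strings equal */
    }
}

/* Outcome of the caller's preliminary checks at 004011F3..00401207. */
enum precheck {
    PRECHECK_EMPTY = 1,   /* input equals "" at 0040400D: jnz to 00401235 */
    PRECHECK_BAD_LENGTH,  /* length != 0x10: jnz to 00401213 */
    PRECHECK_OK           /* falls through to call 004010BA at 0040120C */
};

enum precheck precheck_input(const char *input)
{
    /* 004011ED/004011F3: edx = 0040400D (ASSUMED empty string), ecx = input.
     * The jnz at 004011F8 is taken when the routine reports EQUAL, i.e. when
     * the user entered nothing. */
    if (compare_00402800("", input))
        return PRECHECK_EMPTY;
    /* 004011FD/00401204: 004020D0 is ASSUMED to be strlen; the result must be
     * 0x10 = 16 characters or the jnz at 00401207 goes to the failure box. */
    if (strlen(input) != 0x10)
        return PRECHECK_BAD_LENGTH;
    return PRECHECK_OK;
}

/* Stand-alone demo with constructed inputs (the fake code from the post and
 * the 16-character key string the post reads out of ds:[00404600]). */
int main(void)
{
    const char *samples[] = { "", "987654321", "?@ABCDEFGHIJKLMN" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> precheck %d\n", samples[i], precheck_input(samples[i]));
    return 0;
}
```

Only the two checks before the call to 004010BA are modelled; the per-character loop inside 004010BA calls 00402050 and 00402030, which the post does not show, so it is left out rather than guessed.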
F7 into it:
004010BA 53 push ebx
004010BB 31C0 xor eax,eax
004010BD 50 push eax
004010BE 50 push eax
004010BF 8B5424 10 mov edx,dword ptr ss:[esp+10]
004010C3 8D0C24 lea ecx,dword ptr ss:[esp]
004010C6 E8 350F0000 call 54guan.00402000
004010CB C74424 04 01000>mov dword ptr ss:[esp+4],1
004010D3 B8 10000000 mov eax,10
004010D8 3B4424 04 cmp eax,dword ptr ss:[esp+4]
004010DC 7C 6E jl short 54guan.0040114C
004010DE A1 28464000 mov eax,dword ptr ds:[404628]
004010E3 50 push eax
004010E4 50 push eax
004010E5 68 01000000 push 1
004010EA FF7424 10 push dword ptr ss:[esp+10]
004010EE FF7424 10 push dword ptr ss:[esp+10]
004010F2 E8 590F0000 call 54guan.00402050
004010F7 FF05 28464000 inc dword ptr ds:[404628]
004010FD A1 28464000 mov eax,dword ptr ds:[404628]
00401102 50 push eax
00401103 50 push eax
00401104 8B5C24 10 mov ebx,dword ptr ss:[esp+10]
00401108 83C3 3E add ebx,3E
0040110B 53 push ebx
0040110C E8 1F0F0000 call 54guan.00402030
00401111 5A pop edx
00401112 59 pop ecx
00401113 890D 28464000 mov dword ptr ds:[404628],ecx
00401119 030D 94404000 add ecx,dword ptr ds:[404094]
0040111F 0315 94404000 add edx,dword ptr ds:[404094]
00401125 E8 D6160000 call 54guan.00402800 ; call the compare function
0040112A 75 1A jnz short 54guan.00401146
0040112C 68 00000000 push 0
00401131 68 80404000 push 54guan.00404080 ; Registration code wrong
00401136 68 51404000 push 54guan.00404051 ; Notice
0040113B E8 C10F0000 call 54guan.00402101
00401140 EB 0A jmp short 54guan.0040114C
00401142 31C0 xor eax,eax
00401144 EB 6C jmp short 54guan.004011B2
00401146 FF4424 04 inc dword ptr ss:[esp+4]
0040114A ^ 71 87 jno short 54guan.004010D3 ; this jumps upward; it must not jump, NOP it and see
0040114C FF3424 push dword ptr ss:[esp]
0040114F E8 7C0F0000 call 54guan.004020D0
00401154 89C3 mov ebx,eax
00401156 83FB 10 cmp ebx,10
00401159 75 55 jnz short 54guan.004011B0
0040115B FF3424 push dword ptr ss:[esp]
0040115E 8B15 00464000 mov edx,dword ptr ds:[404600]
00401164 59 pop ecx
00401165 E8 96160000 call 54guan.00402800 ; call the compare function to compare the registration code
0040116A 74 44 je short 54guan.004011B0
0040116C FF35 28464000 push dword ptr ds:[404628]
00401172 68 00000000 push 0
00401177 FF35 28464000 push dword ptr ds:[404628]
0040117D BA 29404000 mov edx,54guan.00404029 ; The level password is:
00401182 E8 99150000 call 54guan.00402720
00401187 8B5424 0C mov edx,dword ptr ss:[esp+C]
0040118B E8 90150000 call 54guan.00402720
00401190 FF05 28464000 inc dword ptr ds:[404628]
00401196 68 56404000 push 54guan.00404056 ; Congratulations, you found the registration code
0040119B 8B15 94404000 mov edx,dword ptr ds:[404094]
004011A1 015424 04 add dword ptr ss:[esp+4],edx
004011A5 E8 570F0000 call 54guan.00402101
004011AA 8F05 28464000 pop dword ptr ds:[404628]
004011B0 31C0 xor eax,eax
004011B2 FF3424 push dword ptr ss:[esp]
004011B5 E8 76160000 call 54guan.00402830
004011BA 83C4 08 add esp,8
004011BD 5B pop ebx
004011BE C2 0400 retn 4
Step through and watch.
The call at 0040113B shows the failure message, so make the earlier jump after 00401125 take the branch downward. Further down there is "The level password is:", so we can guess the registration code is compared again there. So we modify 0040114A, which jumps upward and must not jump: NOP it and see. Keep stepping, and the registration code appears here; it is still compared by calling 00401165 E8 96160000 call 54guan.00402800...
ds:[00404600]=00A546A0, (ASCII "?@ABCDEFGHIJKLMN") is the registration code string.
Patching it directly would also be easy...
I have written a lot, and I hope everyone can follow it. I did not analyze the algorithm, because I was afraid of analyzing it wrong and misleading people, so I only described the patching approach... I will leave the algorithm to the experts!...