-
-
[原创]Crackme 06-07 的详解
-
发表于: 2011-9-17 10:21
-
【破文标题】Crackme 06-07 的详解
【难度级别】初入门的新手
【下载地址】见附件
【破解工具】OD,peid
【加壳方式】无壳
【保护方式】无Anti-debug
【破解声明】本人破解很菜,此CrackMe算是入门级的,希望以此作为一些简单的案例,给我室友以及才开始接触逆向的各位兄弟,希望大家有所收获,如果不出意外这是一个长期的学习笔记,请大家多多指教。
【前文连接】http://bbs.pediy.com/showthread.php?t=139076
【备 注】
1.老手勿看。
2.开学了,事情好多呀
首先,我们来个温柔点的。拖入Peid查看之后,发现程序没有加壳,VC6.0编译的。通过查看导入表,我们果断用OD载入,然后对GetDlgItemTextA下断点,将程序跑起来,随便输入用户名和密码,我们来到0x4010dc。我们可以看到这是对输入的用户名和密码进行提取:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | [SIZE="4"]004010C8 . 8B3D 98404000 MOV EDI,DWORD PTR DS:[<&USER32.GetDlgIte>; USER32.GetDlgItemTextA004010CE . 53 PUSH EBX004010CF . 8B5C24 38 MOV EBX,DWORD PTR SS:[ESP+38]004010D3 . 6A 1E PUSH 1E ; /Count = 1E (30.)004010D5 . 56 PUSH ESI ; |Buffer004010D6 . 68 EA030000 PUSH 3EA ; |ControlID = 3EA (1002.)004010DB . 53 PUSH EBX ; |hWnd004010DC . FFD7 CALL EDI ; \GetDlgItemTextA004010DE . 6A 0A PUSH 0A ; /Count = A (10.)004010E0 . 55 PUSH EBP ; |Buffer004010E1 . 68 EB030000 PUSH 3EB ; |ControlID = 3EB (1003.)004010E6 . 53 PUSH EBX ; |hWnd004010E7 . FFD7 CALL EDI ; \GetDlgItemTextA004010E9 . 8BFE MOV EDI,ESI ; 用户名字符串存入0x922FA0(长度最长为0x1E)004010EB . 83C9 FF OR ECX,FFFFFFFF ; 密码字符串存入0x922F70(长度最长为0xA)[/SIZE] |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 | [SIZE=4]// 程序正向.cpp : Defines the entry point for the application.//#include "stdafx.h"#include "resource.h"int fun(HWND hwnd);int CALLBACK DialogMainProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam );int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow){ // TODO: Place code here. DialogBoxParam(hInstance, MAKEINTRESOURCE(IDD_DIALOG_MAIN), NULL, DialogMainProc,NULL); return 0;}int CALLBACK DialogMainProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam ){ switch (uMsg) { case WM_COMMAND: if (wParam == IDC_BUTTON_OK) { fun(hwndDlg); } break; case WM_CLOSE: EndDialog(hwndDlg, NULL); break; case WM_DESTROY: EndDialog(hwndDlg, NULL); break; default: return 0; } return 1;}int fun(HWND hwnd){ char file_old_string[20]; char string_final[] = {0xd0,0x20,0x35,0x34,0xc0,0x30,0x57,0x5e,0x40,0x50,0xbd,0x58}; char our_input[20]; int i; int bl; int addr; char *p_char; int *p_int; int *p_int_2; int temp; DWORD sum; char cl; HANDLE file_handle; /*for (i = 6; i > 0; i--) //对原始文件字符串的前6个字符进行处理 { bl = file_old_string[6 - i]; bl = bl + i; bl = bl ^ file_old_string[6 - i]; file_old_string[6 - i] = bl; }*/ file_handle = CreateFile("blaad.xxx", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL,NULL); if (file_handle == INVALID_HANDLE_VALUE) { MessageBox(hwnd, "sorry", "no", MB_OK); return 0; } ReadFile(file_handle, file_old_string, 12, &sum, NULL); if (sum != 12) { MessageBox(hwnd, "sorry", "no", MB_OK); return 0; } GetDlgItemText(hwnd, IDC_EDIT_INPUT, our_input, 13); p_char = &file_old_string[6]; p_int = (int *)(p_char - 6); temp = *p_int; temp = temp - 0xa; temp = temp & 0xffff; p_int = (int *)p_char; *p_int = *p_int ^ temp; p_int = (int *)(p_char - 4); temp = *p_int; temp = temp - 0x9; temp = temp & 0xffff; p_int = (int *)(p_char+2); *p_int = *p_int ^ temp; p_int = (int *)(p_char - 2); temp = *p_int; temp = temp - 0x5; temp = temp & 0xffff; p_int = (int *)(p_char+4); *p_int = *p_int ^ temp; for (i = 0; i < 12; i++) { file_old_string[i] ^= (i+1); } p_int_2 = (int *)file_old_string; p_int = (int *)our_input; cl = file_old_string[8]; for (i = 0; i < 3; i++) { temp = *(p_int_2+i); *(p_int+i) ^= temp; p_char = (char *)(p_int+i); *p_char += cl; *(p_int+i) &= 0xfffff0f0; } if (strncmp(our_input, string_final,12) == 0) { MessageBox(hwnd, "yes", "Ok", MB_OK); return 1; } return 0;}[/SIZE] |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 | [SIZE="4"]// 注册机.cpp : Defines the entry point for the application.//#include "stdafx.h"#include "resource.h"int CALLBACK test( HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam );void fun_1(HWND hwnd);int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow){ // TODO: Place code here. DialogBoxParam(hInstance,MAKEINTRESOURCE(IDD_DIALOG_MAIN),NULL, test,NULL); return 0;}void fun_1(HWND hwnd){ char our_input[20]; //= {"888888888888"}; char file_string[20]; char final_string[20] = {0xd0,0x20,0x35,0x34,0xc0,0x30,0x57,0x5e,0x40,0x50,0xbd,0x58}; char file_name[] = {"blaad.xxx"}; char temp_ch; DWORD tmp; char i; char *p_char; int *p_int; int temp; HANDLE file; GetDlgItemText(hwnd,IDC_EDIT_INPUT,our_input,13); for (i = 1; i < 120; i++) { temp_ch = our_input[8] ^ i; temp_ch = temp_ch + i; temp_ch &= 0xf0; if (temp_ch == 0x40) { file_string[8] = i; break; } } final_string[0] -= i; final_string[4] -= i; for (i = 0; i < 12; i++) { if (i == 8) { continue; } file_string[i] = our_input[i] ^ final_string[i]; } for (i = 0; i < 12; i++) { file_string[i] ^= (i+1); } p_char = &file_string[6]; p_int = (int *)(p_char - 6); temp = *p_int; temp = temp - 0xa; temp = temp & 0xffff; p_int = (int *)p_char; *p_int = *p_int ^ temp; p_int = (int *)(p_char - 4); temp = *p_int; temp = temp - 0x9; temp = temp & 0xffff; p_int = (int *)(p_char+2); *p_int = *p_int ^ temp; p_int = (int *)(p_char - 2); temp = *p_int; temp = temp - 0x5; temp = temp & 0xffff; p_int = (int *)(p_char+4); *p_int = *p_int ^ temp; file = (HANDLE)CreateFile(file_name, GENERIC_WRITE | GENERIC_READ, FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); WriteFile(file,file_string,12,&tmp,NULL); CloseHandle(file);}int CALLBACK test(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam ){ switch (uMsg) { case WM_COMMAND: if (wParam == IDC_BUTTON_OK) { fun_1(hwndDlg); } break; case WM_DESTROY: EndDialog(hwndDlg, 0); break; case WM_CLOSE: EndDialog(hwndDlg, 0); break; default: return 0; } return 1;}[/SIZE] |
004010F0 . 8B1D 9C404000 MOV EBX,DWORD PTR DS:[<&USER32.MessageBoxA>] ; USER32.MessageBoxA
004010F6 . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004010F8 . F7D1 NOT ECX
004010FA . 49 DEC ECX
004010FB . 83F9 03 CMP ECX,3 ; 判断用户名长度是否大于等于3,如果小于3则失败
004010FE . 73 0F JNB SHORT prova2.0040110F
00401100 . 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401102 . 68 DC504000 PUSH prova2.004050DC ; |Title = ">:-("
00401107 . 68 A8504000 PUSH prova2.004050A8 ; |Text = "You have to input a name of minimum 3 characters"
0040110C . 50 PUSH EAX ; |hOwner => NULL
0040110D . FFD3 CALL EBX ; \MessageBoxA
0040110F > 8BFD MOV EDI,EBP
00401111 . 83C9 FF OR ECX,FFFFFFFF
00401114 . 33C0 XOR EAX,EAX
00401116 . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00401118 . F7D1 NOT ECX
0040111A . 49 DEC ECX
0040111B . 83F9 03 CMP ECX,3
0040111E . 73 1E JNB SHORT prova2.0040113E ; 判断密码长度是否大于等于3,如果小于3则失败
00401120 . 6A 40 PUSH 40
00401122 . 68 DC504000 PUSH prova2.004050DC ; ASCII ">:-("
00401127 . 68 6C504000 PUSH prova2.0040506C ; ASCII "You have to input a serial number of minimum 3 characters"
0040112C . 50 PUSH EAX
0040112D . FFD3 CALL EBX ; MessageBoxA
0040112F . 5B POP EBX
00401130 . 5F POP EDI
00401131 . 5E POP ESI
00401132 . B8 01000000 MOV EAX,1
00401137 . 5D POP EBP
00401138 . 83C4 24 ADD ESP,24
0040113B . C2 1000 RETN 10
0040113E > 8BFE MOV EDI,ESI
00401140 . 83C9 FF OR ECX,FFFFFFFF
00401143 . 33C0 XOR EAX,EAX
00401145 . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00401147 . F7D1 NOT ECX
00401149 . 49 DEC ECX
0040114A . 83F9 03 CMP ECX,3 ; 用户名字符串长度必须大于等于3
0040114D . 0F82 8A000000 JB prova2.004011DD
00401153 . 8BFD MOV EDI,EBP
00401155 . 83C9 FF OR ECX,FFFFFFFF
00401158 . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0040115A . F7D1 NOT ECX
0040115C . 49 DEC ECX
0040115D . 83F9 03 CMP ECX,3
00401160 . 72 7B JB SHORT prova2.004011DD ; 密码字符串长度必须大于等于3
00401162 . 8BFE MOV EDI,ESI
00401164 . 83C9 FF OR ECX,FFFFFFFF
00401167 . 33DB XOR EBX,EBX
00401169 . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0040116B . F7D1 NOT ECX
0040116D . 49 DEC ECX
0040116E . 74 27 JE SHORT prova2.00401197
00401170 . 8D6C24 14 LEA EBP,DWORD PTR SS:[ESP+14] ; ebp(0x12FA64)字符串: 0123456789:;<=>?@ABCDEFGHIJKL
00401174 . 8BD6 MOV EDX,ESI ; 这里需要注意一下
00401176 . 2BEE SUB EBP,ESI ; edx的初始值为esi,而ebp先减去esi然后又加上edx,实际上还是为ebp原来的值
00401178 > 8A042A MOV AL,BYTE PTR DS:[EDX+EBP] ; 这里,通过edx的增加来实现一个循环的操作:将那串字符串中的字符依次放入AL中
0040117B . 8A0A MOV CL,BYTE PTR DS:[EDX] ; 依次取出输入的用户名字符串中的字符放入CL
0040117D . 32C8 XOR CL,AL ; CL与AL进行异或
0040117F . 43 INC EBX ; ebx表示现在已经处理的字符个数
00401180 . 880A MOV BYTE PTR DS:[EDX],CL ; 异或之后的结果放入原来的用户字符串中
00401182 . 8BFE MOV EDI,ESI
00401184 . 83C9 FF OR ECX,FFFFFFFF
00401187 . 33C0 XOR EAX,EAX
00401189 . 42 INC EDX
0040118A . F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; 获取用户名字符串的长度
0040118C . F7D1 NOT ECX
0040118E . 49 DEC ECX
0040118F . 3BD9 CMP EBX,ECX ; 判断用户名字符串是否处理完毕
00401191 .^ 72 E5 JB SHORT prova2.00401178 ; 处理完毕之后才跳出循环
00401193 . 8B6C24 10 MOV EBP,DWORD PTR SS:[ESP+10]
00401197 > 8BFE MOV EDI,ESI
00401199 . 83C9 FF OR ECX,FFFFFFFF
0040119C . 33C0 XOR EAX,EAX
0040119E . 33DB XOR EBX,EBX
004011A0 . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004011A2 . F7D1 NOT ECX
004011A4 . 49 DEC ECX
004011A5 . 74 21 JE SHORT prova2.004011C8 ; 如果密码长度为1,则成功=.=(显然这是不可能滴)
004011A7 . 8BD6 MOV EDX,ESI
004011A9 . 2BEE SUB EBP,ESI ; 这里和前面是一个道理
004011AB > 8A02 MOV AL,BYTE PTR DS:[EDX] ; 这里依次取出前面处理之后的用户名字符串
004011AD . 84C0 TEST AL,AL
004011AF . 74 3B JE SHORT prova2.004011EC ; 失败
004011B1 . 3A042A CMP AL,BYTE PTR DS:[EDX+EBP] ; 密码字符串要和前面处理了的用户名字符串匹配
004011B4 . 75 36 JNZ SHORT prova2.004011EC ; 如果不匹配则失败
004011B6 . 43 INC EBX
004011B7 . 8BFE MOV EDI,ESI
004011B9 . 83C9 FF OR ECX,FFFFFFFF
004011BC . 33C0 XOR EAX,EAX
004011BE . 42 INC EDX
004011BF . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004011C1 . F7D1 NOT ECX
004011C3 . 49 DEC ECX
004011C4 . 3BD9 CMP EBX,ECX
004011C6 .^ 72 E3 JB SHORT prova2.004011AB ; 判断是否处理完毕
赞赏记录
参与人
雪币
留言
时间
伟叔叔
为你点赞~
2024-5-31 02:16
心游尘世外
为你点赞~
2024-3-5 02:05
飘零丶
为你点赞~
2024-2-26 00:51
QinBeast
为你点赞~
2024-2-4 00:47
shinratensei
为你点赞~
2024-1-23 05:19
PLEBFE
为你点赞~
2023-3-7 00:51
|
|
|---|---|
|
|
|
|
|
|
|
|
 来学习了,多谢分享 |
|
|
01-05全都 玩过啦~
|
|
|
顶下哈哈 饿 还是学生时代比较有时间..
|
|
|
support!楼主三叶草的
|
|
|
|
|
|
 楼上。。。。。 你是怎么社出来的。。。
|
|
|
|
|
|
你的头像
|
|
|
支持张兄弟
|
|
|
谢谢兄弟呀
|
|
|
敢问你是哪个学校的呀?圈圈和曾哥都不知道你是谁?
|
|
|
|
|
|
 大牛们在回忆当年西湖旁边的容嬷嬷嘛......
|
|
|
|
|
|
|
|
|
|
