-
-
[原创]Crackme 08 的详解
-
发表于: 2011-10-23 19:45
-
【破文标题】Crackme 08 的详解
【难度级别】初入门的新手
【下载地址】见附件
【破解工具】OD,peid
【加壳方式】无壳
【保护方式】最基本Anti-debug手段
【破解声明】本人破解很菜,此CrackMe算是入门级的,希望以此作为一些简单的案例,给我室友以及才开始接触逆向的各位兄弟,希望大家有所收获,如果不出意外这是一个长期的学习笔记,请大家多多指教。
【前文连接】http://bbs.pediy.com/showthread.php?t=140224
【备 注】
1.老手勿看。
2.最近事情太多了,都快没时间学习逆向了
,程序是老师给的,发现比较基本所以就学习学习(终于趁着班会的间隙把文字写完了
)
老规矩,脱入PEID查看之后发现是用MASM32写的,果断之间拖入OD
我们迅速定位到对话框函数
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
int i, tmp, name_len, pass_len;
int Var_0x40304F = 0;
//char name[] = {"loongzyd"};
char name[20];
char pass[11];
char str[] = {"ZWATRQLCGHPSXYENVBJDFKMU"};
printf("input your name:");
scanf("%s", name);
name_len = strlen(name);
tmp = 0;
for (i = 0; i < name_len; i++)
{
tmp += name[i];
}
Var_0x40304F = tmp % 256;
Var_0x40304F = Var_0x40304F % 0x18;
pass[1] = 'E';
pass[0] = str[Var_0x40304F];
Var_0x40304F = Var_0x40304F * 2 % 0x18;
pass[2] = str[Var_0x40304F];
for (i = 2; i < 8; i++)
{
Var_0x40304F = (pass[i] - 0x41 + Var_0x40304F) % 0x18;
pass[i + 1] = str[Var_0x40304F];
}
tmp = 0;
for (i = 0; i < 9; i++)
{
tmp += pass[i];
}
pass[9] = tmp / 9;
pass[10] = '\0';
printf("pass = %s\n", pass);
getchar();
getchar();
return 0;
}
00401210 |. 6A 00 PUSH 0 ; /lParam = NULL
00401212 |. 68 30124000 PUSH KeyGenMe.00401230 ; |DlgProc = KeyGenMe.00401230
00401217 |. 6A 00 PUSH 0 ; |hOwner = NULL
00401219 |. 56 PUSH ESI ; |pTemplate
0040121A |. FF35 50324000 PUSH DWORD PTR DS:[403250] ; |hInst = NULL
00401220 |. E8 6B030000 CALL <JMP.&user32.DialogBoxIndirectParam>; \DialogBoxIndirectParamA
00401230 /. 55 PUSH EBP ; 回调函数
00401231 |. 8BEC MOV EBP,ESP
00401233 |. 817D 0C 10010>CMP DWORD PTR SS:[EBP+C],110
0040123A |. 75 1E JNZ SHORT KeyGenMe.0040125A
0040123C |. 68 057F0000 PUSH 7F05 ; /RsrcName = IDI_WINLOGO
00401241 |. 6A 00 PUSH 0 ; |hInst = NULL
00401243 |. E8 5A030000 CALL <JMP.&user32.LoadIconA> ; \LoadIconA
00401248 |. 50 PUSH EAX ; /lParam
00401249 |. 6A 01 PUSH 1 ; |wParam = 1
0040124B |. 68 80000000 PUSH 80 ; |Message = WM_SETICON
00401250 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401253 |. E8 56030000 CALL <JMP.&user32.SendMessageA> ; \SendMessageA
00401258 |. EB 36 JMP SHORT KeyGenMe.00401290
0040125A |> 817D 0C 11010>CMP DWORD PTR SS:[EBP+C],111
00401261 |. 75 1D JNZ SHORT KeyGenMe.00401280
00401263 |. 817D 10 E9030>CMP DWORD PTR SS:[EBP+10],3E9
0040126A |. 75 24 JNZ SHORT KeyGenMe.00401290
0040126C |. E8 A8020000 CALL KeyGenMe.00401519 ; 判断0x401296函数内是否有断点
00401271 |. E8 33020000 CALL KeyGenMe.004014A9 ; 判断GetItemText函数是否被下断点
00401276 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401279 |. E8 18000000 CALL KeyGenMe.00401296 ; 主算法函数
0040127E |. EB 10 JMP SHORT KeyGenMe.00401290
00401280 |> 837D 0C 10 CMP DWORD PTR SS:[EBP+C],10
00401284 |. 75 0A JNZ SHORT KeyGenMe.00401290 ; EXIT
00401286 |. 6A 00 PUSH 0 ; /Result = 0
00401288 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040128B |. E8 06030000 CALL <JMP.&user32.EndDialog> ; \EndDialog
00401290 |> 33C0 XOR EAX,EAX ; defualt
00401292 |. C9 LEAVE
00401293 \. C2 1000 RETN 10
00401519 $ BF 96124000 MOV EDI,KeyGenMe.00401296 ; 入口地址
0040151E . B9 00010000 MOV ECX,100
00401523 . B0 99 MOV AL,99
00401525 . 34 55 XOR AL,55 ; AL='CC'
00401527 . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00401529 . 85C9 TEST ECX,ECX
0040152B . 74 06 JE SHORT KeyGenMe.00401533 ; 判断是否有Int 3断点
0040152D . 5E POP ESI
0040152E . 33F6 XOR ESI,ESI
00401530 . 57 PUSH EDI
00401531 .^ EB C2 JMP SHORT KeyGenMe.004014F5
00401533 > C3 RETN
004014A0 . /74 06 JE SHORT KeyGenMe.004014A8 ; 又在判断有无断点
004014A2 . |5E POP ESI
004014A3 . |33F6 XOR ESI,ESI
004014A5 . |57 PUSH EDI
004014A6 . |EB 4D JMP SHORT KeyGenMe.004014F5
004014A8 > \C3 RETN
004014A9 $ BE 9C154000 MOV ESI,<JMP.&user32.GetDlgItemTextA> ; 入口地址
004014AE . 8B7E 02 MOV EDI,DWORD PTR DS:[ESI+2]
004014B1 . 8B3F MOV EDI,DWORD PTR DS:[EDI]
004014B3 . B9 06000000 MOV ECX,6
004014B8 . B0 CC MOV AL,0CC
004014BA . F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004014BC . 85C9 TEST ECX,ECX
004014BE . 74 06 JE SHORT KeyGenMe.004014C6 ; 判断GetDlgItemTextA函数是否被下断点
004014C0 . 5E POP ESI
004014C1 . 33F6 XOR ESI,ESI
004014C3 . 57 PUSH EDI
004014C4 . EB 2F JMP SHORT KeyGenMe.004014F5
004014C6 > C3 RETN
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
谢谢楼主分享,学习一下
|
|
|
|
|
|
|
|
|
伤不起的大学呀
|
|
|
|
|
|
|
|
|
|
|
|
原来这个CrckMe已经有很久的历史了.....
|
