这个CrackMe是从论坛这个帖子中找到的http://bbs.pediy.com/showthread.php?t=195056。
发帖的兄弟想求个思路,我也是新手,下载下来试了一下,感觉分析的有点头绪了,所以写出来与大家分享一下。
下载下来先运行了一下,看到是jluctf2014,自己也在做一些CTF的题目,经常被虐的惨不忍睹,看到这个一开始心里还是有点忐忑,不知道能不能做出来。这是一个扫雷的程序,全图只有一个雷,根据提示,踩中才算成功。还好运气不错的是,自己也试图写过一个扫雷的程序,对其中的代码还是有点熟悉的。废话一堆~~,下面开始正式分析咯。。
先运行程序,随意点击,弹出消息框提示:只有踩中雷才算成功!茫茫多的砖块中怎么才能找到雷呢?还是先把程序拖进IDA中,分析一下吧。IDA直接定位到这个地方:
; int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
; MASM/IDA listing, 32-bit x86, stdcall (callee pops 4 dword args).
; Standard Win32 entry point: fills out a WNDCLASSA, registers it and
; creates the main window. Only the prologue is shown here; the author
; truncates the listing after the lpfnWndProc store.
_WinMain@16 proc near
var_B8= byte ptr -0B8h
var_78= byte ptr -78h
WndClass= WNDCLASSA ptr -48h
Msg= tagMSG ptr -20h
hWnd= dword ptr -4
hInstance= dword ptr 8
hPrevInstance= dword ptr 0Ch
lpCmdLine= dword ptr 10h
nShowCmd= dword ptr 14h
push ebp
mov ebp, esp
sub esp, 0B8h ; 0xB8 bytes of locals (var_B8 .. hWnd)
push ebx
push esi
push edi
lea edi, [ebp+var_B8] ; edi = lowest local
mov ecx, 2Eh ; 0x2E dwords = 0xB8 bytes
mov eax, 0CCCCCCCCh ; 0xCC fill of the whole frame: uninitialised-stack marker typical of MSVC debug builds
rep stosd
mov [ebp+WndClass.style], 3 ; CS_VREDRAW | CS_HREDRAW
mov [ebp+WndClass.lpfnWndProc], offset WndProc ; window procedure: all game input lands in WndProc
看到这是一个用Win32 API写的扫雷程序,自己原来也曾试图写过,还有点熟悉呢。先在上面注意到了WndProc回调函数。一路看下来:
.text:0040227E call ds:RegisterClassA ; register the window class filled in above
……
.text:0040231D call ds:CreateWindowExA ; create the main application window
……
.text:00402332 mov esi, offset aHintFinalKeyKe ; hint string (IDA auto-name); the author reads it as telling us to find key2
……
.text:0040233D call creatmine ; suspicious routine (name assigned by the author); places the single mine
.text:00402342 mov ecx, lpText ; note: the string at lpText is patched byte by byte here as well -- suspicious
.text:00402348 mov byte ptr [ecx+6], 'o' ; lpText[6] = 'o'
.text:0040234C mov esi, esp ; save esp: MSVC debug-build stack-pointer check around the stdcall below
.text:0040234E mov edx, [ebp+nShowCmd]
.text:00402351 push edx ; nCmdShow
.text:00402352 mov eax, [ebp+hWnd]
.text:00402355 push eax ; hWnd
.text:00402356 call ds:ShowWindow ; ShowWindow(hWnd, nShowCmd)
.text:0040235C cmp esi, esp ; did the callee pop its own arguments as stdcall requires?
.text:0040235E call __chkesp ; debug runtime ESP check (fires if the compare above mismatched)
.text:00402363 mov esi, esp ; same pattern for the next call
.text:00402365 mov ecx, [ebp+hWnd]
.text:00402368 push ecx ; hWnd
.text:00402369 call ds:UpdateWindow ; UpdateWindow(hWnd); its cmp/__chkesp pair is beyond this excerpt
.text:00401680 creatmine proc near ; CODE XREF: WinMain(x,x,x,x)+16Dp
; void creatmine(void) -- name assigned by the author; cdecl, no arguments.
; Picks the mine cell (x, y) = (rand() % 32, rand() % 32), marks Table[x][y] = 'c'
; and increments the neighbour count of every in-bounds adjacent cell, where
; Table is a dword[32][32] based at dword_417AA8+0FFCh (row stride 0x80 = 32 dwords,
; author's inference from the addressing). time(NULL) is fetched and handed to
; SaveTime first; srand is not visible in this excerpt, but if that timestamp is the
; PRNG seed then the mine position is a deterministic function of the launch second,
; which is the weakness the CrackMe hinges on.
; Side effect: patches individual bytes of the string at lpText.
; Clobbers: eax, ecx, edx, flags (ebx/esi/edi are saved by the prologue).
; The author truncates the listing at 004018CD; the loop exit is loc_401969.
.text:00401680
.text:00401680 var_4C = byte ptr -4Ch
.text:00401680 dwRand2 = dword ptr -0Ch
.text:00401680 dwRand1 = dword ptr -8
.text:00401680 var_4 = dword ptr -4
.text:00401680
.text:00401680 push ebp
.text:00401681 mov ebp, esp
.text:00401683 sub esp, 4Ch
.text:00401686 push ebx
.text:00401687 push esi
.text:00401688 push edi
.text:00401689 lea edi, [ebp+var_4C] ; fill the 0x4C-byte frame with 0xCC (0x13 dwords): MSVC debug-build marker
.text:0040168C mov ecx, 13h
.text:00401691 mov eax, 0CCCCCCCCh
.text:00401696 rep stosd
.text:00401698 push 0 ; time_t *
.text:0040169A call _time ; time(NULL): current time, used as the seed per the author
.text:0040169F add esp, 4
.text:004016A2 push eax
.text:004016A3 call SaveTime ; stores the timestamp (author's reading; body not shown -- presumably where the PRNG is seeded)
.text:004016A8 add esp, 4
.text:004016AB mov eax, lpText
.text:004016B0 mov byte ptr [eax+0Ah], 0 ; lpText[10] = 0
.text:004016B4 mov ecx, lpText
.text:004016BA mov byte ptr [ecx+1], 65h ; lpText[1] = 'e'; the string is assembled piecemeal, so it never appears as a literal
.text:004016BE mov [ebp+var_4], 0 ; var_4 = iteration counter (doubles as the retry counter)
.text:004016C5 jmp short loc_4016D0
.text:004016C7 ; ---------------------------------------------------------------------------
.text:004016C7
.text:004016C7 loc_4016C7: ; CODE XREF: creatmine+A6j
.text:004016C7 ; creatmine:loc_401964j
.text:004016C7 mov edx, [ebp+var_4]
.text:004016CA add edx, 1 ; var_4++
.text:004016CD mov [ebp+var_4], edx
.text:004016D0
.text:004016D0 loc_4016D0: ; CODE XREF: creatmine+45j
.text:004016D0 cmp [ebp+var_4], 1 ; exit once var_4 >= 1: a single pass, unless the collision path below rewinds it
.text:004016D4 jge loc_401969
.text:004016DA call _rand ; rand()
.text:004016DF and eax, 8000001Fh ; eax %= 32 (signed-remainder idiom: keep low 5 bits and the sign, fix up negatives) -> 0..31
.text:004016E4 jns short loc_4016EB ; rand() is non-negative, so the fix-up below is not taken
.text:004016E6 dec eax
.text:004016E7 or eax, 0FFFFFFE0h
.text:004016EA inc eax
.text:004016EB
.text:004016EB loc_4016EB: ; CODE XREF: creatmine+64j
.text:004016EB mov [ebp+dwRand1], eax ; dwRand1 = x (row)
.text:004016EE call _rand ; rand()
.text:004016F3 and eax, 8000001Fh ; same % 32 idiom -> 0..31
.text:004016F8 jns short loc_4016FF
.text:004016FA dec eax
.text:004016FB or eax, 0FFFFFFE0h
.text:004016FE inc eax
.text:004016FF
.text:004016FF loc_4016FF: ; CODE XREF: creatmine+78j
.text:004016FF mov [ebp+dwRand2], eax ; dwRand2 = y (column)
.text:00401702 mov eax, lpText
.text:00401707 mov byte ptr [eax], 'k' ; lpText[0] = 'k'; more piecemeal string assembly
.text:0040170A mov ecx, [ebp+dwRand1]
.text:0040170D shl ecx, 7 ; ecx = x * 128 = x * 32 dwords (row stride)
.text:00401710 mov edx, [ebp+dwRand2] ; address = base + (x*32 + y)*4
.text:00401710 ; i.e. dword Table[32][32] with base dword_417AA8+0FFCh (author's inference)
.text:00401713 cmp (dword_417AA8+0FFCh)[ecx+edx*4], 'c' ; Table[x][y] already marked? (author notes the table starts zeroed)
.text:0040171B jnz short loc_401728
.text:0040171D mov eax, [ebp+var_4] ; collision: var_4-- here, var_4++ at loc_4016C7 -> net 0, retry with a fresh (x, y)
.text:00401720 sub eax, 1
.text:00401723 mov [ebp+var_4], eax
.text:00401726 jmp short loc_4016C7
.text:00401728 ; ---------------------------------------------------------------------------
.text:00401728
.text:00401728 loc_401728: ; CODE XREF: creatmine+9Bj
.text:00401728 mov ecx, [ebp+dwRand1]
.text:0040172B shl ecx, 7 ; x * 128
.text:0040172E mov edx, [ebp+dwRand2]
.text:00401731 mov (dword_417AA8+0FFCh)[ecx+edx*4], 'c' ; Table[x][y] = 'c': the mine marker
.text:0040173C mov eax, [ebp+dwRand2]
.text:0040173F add eax, 1
.text:00401742 push eax
.text:00401743 mov ecx, [ebp+dwRand1]
.text:00401746 push ecx ; args (x, y+1)
.text:00401747 call ChangeAl10 ; non-zero in al when the cell is inside the board (author's reading; body not shown)
.text:0040174C add esp, 8
.text:0040174F and eax, 0FFh ; keep only al
.text:00401754 test eax, eax
.text:00401756 jz short loc_40177B ; out of bounds -> skip this neighbour
.text:00401758 mov edx, [ebp+dwRand1]
.text:0040175B shl edx, 7
.text:0040175E mov eax, [ebp+dwRand2]
.text:00401761 mov ecx, dword ptr unk_418AA8[edx+eax*4] ; unk_418AA8 = base + 4 -> Table[x][y+1]
.text:00401768 add ecx, 1
.text:0040176B mov edx, [ebp+dwRand1]
.text:0040176E shl edx, 7
.text:00401771 mov eax, [ebp+dwRand2]
.text:00401774 mov dword ptr unk_418AA8[edx+eax*4], ecx ; Table[x][y+1] += 1
.text:0040177B
.text:0040177B loc_40177B: ; CODE XREF: creatmine+D6j
.text:0040177B mov ecx, [ebp+dwRand2]
.text:0040177E sub ecx, 1
.text:00401781 push ecx
.text:00401782 mov edx, [ebp+dwRand1]
.text:00401785 push edx ; args (x, y-1)
.text:00401786 call ChangeAl10 ; bounds check as above
.text:0040178B add esp, 8
.text:0040178E and eax, 0FFh
.text:00401793 test eax, eax
.text:00401795 jz short loc_4017BA
.text:00401797 mov eax, [ebp+dwRand1]
.text:0040179A shl eax, 7
.text:0040179D mov ecx, [ebp+dwRand2]
.text:004017A0 mov edx, (dword_417AA8+0FF8h)[eax+ecx*4] ; +0FF8h = base - 4 -> Table[x][y-1]
.text:004017A7 add edx, 1
.text:004017AA mov eax, [ebp+dwRand1]
.text:004017AD shl eax, 7
.text:004017B0 mov ecx, [ebp+dwRand2]
.text:004017B3 mov (dword_417AA8+0FF8h)[eax+ecx*4], edx ; Table[x][y-1] += 1
.text:004017BA
.text:004017BA loc_4017BA: ; CODE XREF: creatmine+115j
.text:004017BA mov edx, [ebp+dwRand2]
.text:004017BD push edx
.text:004017BE mov eax, [ebp+dwRand1]
.text:004017C1 add eax, 1
.text:004017C4 push eax
.text:004017C5 call ChangeAl10 ; args (x+1, y)
.text:004017CA add esp, 8
.text:004017CD and eax, 0FFh
.text:004017D2 test eax, eax
.text:004017D4 jz short loc_4017FF
.text:004017D6 mov ecx, [ebp+dwRand1]
.text:004017D9 add ecx, 1
.text:004017DC shl ecx, 7 ; (x+1) * 128
.text:004017DF mov edx, [ebp+dwRand2]
.text:004017E2 mov eax, (dword_417AA8+0FFCh)[ecx+edx*4] ; Table[x+1][y]
.text:004017E9 add eax, 1
.text:004017EC mov ecx, [ebp+dwRand1]
.text:004017EF add ecx, 1
.text:004017F2 shl ecx, 7
.text:004017F5 mov edx, [ebp+dwRand2]
.text:004017F8 mov (dword_417AA8+0FFCh)[ecx+edx*4], eax ; Table[x+1][y] += 1
.text:004017FF
.text:004017FF loc_4017FF: ; CODE XREF: creatmine+154j
.text:004017FF mov eax, [ebp+dwRand2]
.text:00401802 sub eax, 1
.text:00401805 push eax
.text:00401806 mov ecx, [ebp+dwRand1]
.text:00401809 add ecx, 1
.text:0040180C push ecx ; args (x+1, y-1)
.text:0040180D call ChangeAl10
.text:00401812 add esp, 8
.text:00401815 and eax, 0FFh
.text:0040181A test eax, eax
.text:0040181C jz short loc_401847
.text:0040181E mov edx, [ebp+dwRand1]
.text:00401821 add edx, 1
.text:00401824 shl edx, 7
.text:00401827 mov eax, [ebp+dwRand2]
.text:0040182A mov ecx, (dword_417AA8+0FF8h)[edx+eax*4] ; Table[x+1][y-1]
.text:00401831 add ecx, 1
.text:00401834 mov edx, [ebp+dwRand1]
.text:00401837 add edx, 1
.text:0040183A shl edx, 7
.text:0040183D mov eax, [ebp+dwRand2]
.text:00401840 mov (dword_417AA8+0FF8h)[edx+eax*4], ecx ; Table[x+1][y-1] += 1
.text:00401847
.text:00401847 loc_401847: ; CODE XREF: creatmine+19Cj
.text:00401847 mov ecx, [ebp+dwRand2]
.text:0040184A add ecx, 1
.text:0040184D push ecx
.text:0040184E mov edx, [ebp+dwRand1]
.text:00401851 add edx, 1
.text:00401854 push edx
.text:00401855 call ChangeAl10 ; args (x+1, y+1)
.text:0040185A add esp, 8
.text:0040185D and eax, 0FFh
.text:00401862 test eax, eax
.text:00401864 jz short loc_40188F
.text:00401866 mov eax, [ebp+dwRand1]
.text:00401869 add eax, 1
.text:0040186C shl eax, 7
.text:0040186F mov ecx, [ebp+dwRand2]
.text:00401872 mov edx, dword ptr unk_418AA8[eax+ecx*4] ; Table[x+1][y+1]
.text:00401879 add edx, 1
.text:0040187C mov eax, [ebp+dwRand1]
.text:0040187F add eax, 1
.text:00401882 shl eax, 7
.text:00401885 mov ecx, [ebp+dwRand2]
.text:00401888 mov dword ptr unk_418AA8[eax+ecx*4], edx ; Table[x+1][y+1] += 1
.text:0040188F
.text:0040188F loc_40188F: ; CODE XREF: creatmine+1E4j
.text:0040188F mov edx, [ebp+dwRand2]
.text:00401892 push edx
.text:00401893 mov eax, [ebp+dwRand1]
.text:00401896 sub eax, 1
.text:00401899 push eax
.text:0040189A call ChangeAl10 ; args (x-1, y)
; ChangeAl10 checks whether the point lies inside the board; if it does, al is set to 1
; (author's reading -- the routine's body is not in this excerpt).
.text:0040189F add esp, 8
.text:004018A2 and eax, 0FFh
.text:004018A7 test eax, eax
.text:004018A9 jz short loc_4018D4
.text:004018AB mov ecx, [ebp+dwRand1]
.text:004018AE sub ecx, 1
.text:004018B1 shl ecx, 7 ; (x-1) * 128
.text:004018B4 mov edx, [ebp+dwRand2]
.text:004018B7 mov eax, (dword_417AA8+0FFCh)[ecx+edx*4] ; Table[x-1][y]
.text:004018BE add eax, 1
.text:004018C1 mov ecx, [ebp+dwRand1]
.text:004018C4 sub ecx, 1
.text:004018C7 shl ecx, 7
.text:004018CA mov edx, [ebp+dwRand2]
.text:004018CD mov (dword_417AA8+0FFCh)[ecx+edx*4], eax ; Table[x-1][y] += 1 (an increment, not "set to 1")
……
……