----------------------------------------------------------------------
1) PEiD check: Microsoft Visual C++ 6.0 [Overlay]. Not packed.
2) Test-run the program. Entering arbitrary registration data gives the error prompt "Incorrect, Try again".
3) Load the program in OllyDbg and search for "Incorrect, Try again" with the Ultra String Reference plugin.
Ultra String Reference+, entry 7
Address=004016B3
Disassembly=MOV ESI,CrackMe0.00404098
Text string=incorrect!!, try again.
Double-click to land at 004016B3, then scroll up to where the computation begins and set a breakpoint there. Alternatively, bp MessageBoxA breaks on the prompt directly.
4) Reload the program and enter arbitrary registration data; the program breaks here:
00401545 |. 50 PUSH EAX
00401546 |. 68 E8030000 PUSH 3E8
0040154B |. 8B8D 40FEFFFF MOV ECX,DWORD PTR SS:[EBP-1C0]
00401551 |. E8 34080000 CALL <JMP.&MFC42.#3097_?GetDlgItemTex>; read the user name (control ID 3E8)
00401556 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00401559 |. 51 PUSH ECX
0040155A |. 68 E9030000 PUSH 3E9
0040155F |. 8B8D 40FEFFFF MOV ECX,DWORD PTR SS:[EBP-1C0]
00401565 |. E8 20080000 CALL <JMP.&MFC42.#3097_?GetDlgItemTex>; read the entered (fake) code (control ID 3E9)
0040156A |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0040156D |. E8 DE020000 CALL CrackMe0.00401850 ; get the user name length
00401572 |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX ; EAX = user name length
00401575 |. 837D E4 05 CMP DWORD PTR SS:[EBP-1C],5 ; compare the length with 5
00401579 |. 7D 43 JGE SHORT CrackMe0.004015BE ; fewer than 5 characters: show the prompt
0040157B |. 6A 40 PUSH 40
0040157D |. 68 20404000 PUSH CrackMe0.00404020 ; "crackme" (MessageBox title; the next string follows it in memory)
00401582 |. 68 28404000 PUSH CrackMe0.00404028 ; "user name must have at least 5 characters."
00401587 |. 8B8D 40FEFFFF MOV ECX,DWORD PTR SS:[EBP-1C0]
0040158D |. E8 F2070000 CALL <JMP.&MFC42.#4224_?MessageBoxA@C>
00401592 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
00401596 |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00401599 |. E8 C2070000 CALL <JMP.&MFC42.#800_??1CString@@QAE>
0040159E |. C645 FC 00 MOV BYTE PTR SS:[EBP-4],0
004015A2 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004015A5 |. E8 B6070000 CALL <JMP.&MFC42.#800_??1CString@@QAE>
004015AA |. C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
004015B1 |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
004015B4 |. E8 A7070000 CALL <JMP.&MFC42.#800_??1CString@@QAE>
004015B9 |. E9 F9010000 JMP CrackMe0.004017B7
004015BE |> C745 E0 00000>MOV DWORD PTR SS:[EBP-20],0 ; loop counter i = 0
004015C5 |. EB 09 JMP SHORT CrackMe0.004015D0
004015C7 |> 8B55 E0 /MOV EDX,DWORD PTR SS:[EBP-20]
004015CA |. 83C2 01 |ADD EDX,1 ; i++
004015CD |. 8955 E0 |MOV DWORD PTR SS:[EBP-20],EDX
004015D0 |> 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] ; EAX = i (0 on the first pass)
004015D3 |. 3B45 E4 |CMP EAX,DWORD PTR SS:[EBP-1C] ; i == length? then leave the loop, otherwise continue
004015D6 |. 7D 42 |JGE SHORT CrackMe0.0040161A
004015D8 |. 8B4D E0 |MOV ECX,DWORD PTR SS:[EBP-20] ; ECX = i
004015DB |. 51 |PUSH ECX ;
004015DC |. 8D4D EC |LEA ECX,DWORD PTR SS:[EBP-14] ; EBP-14 = user name (CString)
004015DF |. E8 1C030000 |CALL CrackMe0.00401900 ; fetch character i of the user name
004015E4 |. 0FBED0 |MOVSX EDX,AL ; sign-extend its ASCII value into EDX
004015E7 |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10] ; EBP-10 = running result A (starts at 81276345)
004015EA |. 03C2 |ADD EAX,EDX ; A = A + ASCII value
004015EC |. 8945 F0 |MOV DWORD PTR SS:[EBP-10],EAX ; store back to EBP-10
004015EF |. 8B4D E0 |MOV ECX,DWORD PTR SS:[EBP-20] ; ECX = i
004015F2 |. C1E1 08 |SHL ECX,8 ; ECX = i << 8
004015F5 |. 8B55 F0 |MOV EDX,DWORD PTR SS:[EBP-10] ; EDX = A
004015F8 |. 33D1 |XOR EDX,ECX ; A = A XOR (i << 8)
004015FA |. 8955 F0 |MOV DWORD PTR SS:[EBP-10],EDX ; store back to EBP-10
004015FD |. 8B45 E0 |MOV EAX,DWORD PTR SS:[EBP-20]
00401600 |. 83C0 01 |ADD EAX,1 ; EAX = i + 1
00401603 |. 8B4D E4 |MOV ECX,DWORD PTR SS:[EBP-1C] ; ECX = length
00401606 |. 0FAF4D E0 |IMUL ECX,DWORD PTR SS:[EBP-20] ; ECX = length * i
0040160A |. F7D1 |NOT ECX ; ECX = NOT(length * i)
0040160C |. 0FAFC1 |IMUL EAX,ECX ; EAX = (i + 1) * NOT(length * i)
0040160F |. 8B55 F0 |MOV EDX,DWORD PTR SS:[EBP-10]
00401612 |. 0FAFD0 |IMUL EDX,EAX ; A = A * EAX (32-bit, wraps)
00401615 |. 8955 F0 |MOV DWORD PTR SS:[EBP-10],EDX ; store back to EBP-10
00401618 |.^ EB AD \JMP SHORT CrackMe0.004015C7
0040161A |> 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0040161D |. 50 PUSH EAX
0040161E |. 68 54404000 PUSH CrackMe0.00404054 ; "%lu" (the "correct!!" string follows it in memory)
00401623 |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00401626 |. 51 PUSH ECX
00401627 |. E8 52070000 CALL <JMP.&MFC42.#2818_?Format@CStrin> ; CString::Format("%lu", A): renders the result as an unsigned decimal string
0040162C |. 83C4 0C ADD ESP,0C
0040162F |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]
00401632 |. E8 79020000 CALL CrackMe0.004018B0
00401637 |. 50 PUSH EAX ; /Arg1
00401638 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18] ; |
0040163B |. E8 80020000 CALL CrackMe0.004018C0 ; \CrackMe0.004018C0 compares the entered code with the formatted result
00401640 |. 85C0 TEST EAX,EAX
00401642 |. 0F85 FF000000 JNZ CrackMe0.00401747 ; not equal: jump to the failure path
----------------------------------------------------------------------
BY 逍遥风
Algorithm summary:
1) The user name must be at least 5 characters long.
2) Let C(n) be the ASCII value of the n-th character of the user name (counted from 1), L the number of characters, and A(n) the running result. All arithmetic is 32-bit and wraps.
3) General formula, for n = 1 .. L:
A(1)=81276345 (constant seed)
A(n+1)={[C(n)+A(n)] xor [(n-1)*100h]} * {NOT[(n-1)*L]*n}
Note: (n-1)*100h is (n-1) shifted left by 8 bits, i.e. n-1 in the hundreds position of the hexadecimal value. The multiplier inside NOT[...] is the user name length L (IMUL ECX,[EBP-20] with ECX = [EBP-1C]); it is 5 in the example below only because tc-xb has 5 characters. The registration code is A(L+1) printed as an unsigned decimal number.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Example: user name tc-xb (all values below are hexadecimal; L = 5)
1) 't' has ASCII value 74. 74+A1=74+81276345=812763B9. 812763B9 XOR 000 = 812763B9.
0*5=0, NOT(0)=FFFFFFFF, FFFFFFFF*1=FFFFFFFF
FFFFFFFF*812763B9=7ED89C47 (A2)
2) 'c' has ASCII value 63. 63+A2=63+7ED89C47=7ED89CAA. 7ED89CAA XOR 100 = 7ED89DAA.
1*5=5, NOT(5)=FFFFFFFA, FFFFFFFA*2=FFFFFFF4
FFFFFFF4*7ED89DAA=0DD89C08 (A3)
3) '-' has ASCII value 2D. 2D+A3=2D+0DD89C08=0DD89C35. 0DD89C35 XOR 200 = 0DD89E35.
2*5=A, NOT(A)=FFFFFFF5, FFFFFFF5*3=FFFFFFDF
FFFFFFDF*0DD89E35=37139B2B (A4)
4) 'x' has ASCII value 78. 78+A4=78+37139B2B=37139BA3. 37139BA3 XOR 300 = 371398A3.
3*5=F, NOT(F)=FFFFFFF0, FFFFFFF0*4=FFFFFFC0
FFFFFFC0*371398A3=3B19D740 (A5)
5) 'b' has ASCII value 62. 62+A5=62+3B19D740=3B19D7A2. 3B19D7A2 XOR 400 = 3B19D3A2.
4*5=14, NOT(14)=FFFFFFEB, FFFFFFEB*5=FFFFFF97
FFFFFF97*3B19D3A2=C268328E (A6)
6) Converting A6=C268328E to decimal gives 3261608590, and that is the registration code.
So: user name: tc-xb
registration code: 3261608590
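The loop traced at 004015BE-00401618 and the formula in the summary, reimplemented as a keygen. This is an added example, not code from the original post: the seed 81276345 is the value observed in [EBP-10], the function names (keygen, serial_value, serial_for, check_serial) are mine, and 32-bit unsigned arithmetic stands in for the ADD/XOR/IMUL wraparound of the x86 code. The loop multiplies by the actual name length rather than the constant 5, so it also covers names longer than the worked example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Seed observed in [EBP-10] before the loop (A(1) in the summary). */
#define SEED 0x81276345u

/* Reimplementation of the loop at 004015BE-00401618. Returns 1 and the
 * 32-bit result in *out, or 0 when the name is shorter than 5 characters
 * (the JGE at 00401579 not taken). All arithmetic is unsigned 32-bit, so
 * ADD/XOR/IMUL wrap exactly as the x86 code does. */
int keygen(const char *name, uint32_t *out)
{
    uint32_t len = (uint32_t)strlen(name);
    if (len < 5)
        return 0;                          /* "user name must have at least 5 characters." */

    uint32_t a = SEED;
    for (uint32_t i = 0; i < len; i++) {
        int32_t c = (int8_t)name[i];       /* MOVSX EDX,AL: the byte is sign-extended */
        a += (uint32_t)c;                  /* ADD EAX,EDX */
        a ^= i << 8;                       /* SHL ECX,8 ; XOR EDX,ECX */
        uint32_t k = (i + 1) * ~(len * i); /* NOT ECX ; IMUL EAX,ECX  (EAX was i+1) */
        a *= k;                            /* IMUL EDX,EAX */
    }
    *out = a;
    return 1;
}

/* Convenience wrapper: the raw hash, or 0 when the name is rejected. */
uint32_t serial_value(const char *name)
{
    uint32_t a;
    return keygen(name, &a) ? a : 0;
}

/* What the program compares against: CString::Format("%lu", A). */
int serial_for(const char *name, char *buf, size_t buflen)
{
    uint32_t a;
    if (!keygen(name, &a))
        return 0;
    snprintf(buf, buflen, "%lu", (unsigned long)a);
    return 1;
}

/* Mirrors the check ending at 00401642: the entered text must match the
 * formatted number byte for byte, so "03261608590" or "+3261608590" fail. */
int check_serial(const char *name, const char *entered)
{
    char expect[16];
    if (!serial_for(name, expect, sizeof expect))
        return 0;
    return strcmp(expect, entered) == 0;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "tc-xb";
    char serial[16];
    if (!serial_for(name, serial, sizeof serial)) {
        fprintf(stderr, "user name must have at least 5 characters.\n");
        return 1;
    }
    printf("user name: %s\nregistration code: %s\n", name, serial);
    return 0;
}
```

Running it with no argument prints 3261608590 for tc-xb, matching the hand trace above. Note the int8_t cast: because the program uses MOVSX, any byte above 7F in the name is added as a negative number, which the unsigned wraparound reproduces without special handling.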
Please point out any omissions or errors.