Run the crackme under OD and it exits straight away. Looking at the call stack leads here:
004020CD . 64:A3 0000000>mov dword ptr fs:[0], eax
004020D3 . E8 88FEFFFF call 00401F60 ; anti-debug check, skip this function
004020D8 . 3BF4 cmp esi, esp
004020DA . E8 B1FCFFFF call 00401D90 ; gets(sn)
004020DF . 8BF0 mov esi, eax
004020E1 . 3BF5 cmp esi, ebp
Skip the call at 004020D3 to get past the anti-debugging; the next call reads the serial into a buffer with gets and leaves its pointer in esi. Then continue analysing downward.
004020E3 . C745 DC 54727>mov dword ptr [ebp-24], 73757254
004020EA . C745 E0 744D6>mov dword ptr [ebp-20], 654D74
004020F1 . 8D45 DC lea eax, dword ptr [ebp-24]
004020F4 . 50 push eax
004020F5 . 56 push esi
004020F6 . E8 353E0000 call <_strstr> ; search for "TrustMe" in the serial
004020FB . 83C4 08 add esp, 8
004020FE . 85C0 test eax, eax
00402100 . 75 07 jnz short 00402109
There is a pitfall here: the two dword stores at 004020E3/004020EA build the string "Trus" + "tMe\0" on the stack (0x73757254 and 0x654D74 in little-endian), and strstr must find "TrustMe" in the serial so that eax is non-zero and the jnz at 00402100 takes the correct branch. Otherwise the check fails right here.
0040202F |. E8 BC070000 call 004027F0
00402034 |. 837C24 14 0F cmp dword ptr [esp+14], 0F ; length must be 15
00402039 |. 75 24 jnz short 0040205F
0040203B |. A1 588C4200 mov eax, dword ptr [428C58]
00402040 |. 83C0 07 add eax, 7 ; pointer to offset 7 of the serial
00402043 |. 50 push eax
00402044 |. A3 588C4200 mov dword ptr [428C58], eax
00402049 |. E8 45410000 call 00406193 ; strtol
0040204E |. 83C4 04 add esp, 4
00402051 |. 3D FAA13301 cmp eax, 133A1FA ; 20161018
00402056 |. 75 07 jnz short 0040205F
00402058 |. BE 01000000 mov esi, 1 ; return 1 -> ok
0040205D |. EB 02 jmp short 00402061
The text from offset 7 onwards must convert to 20161018 (0x133A1FA). Since the whole serial is 15 characters and 20161018 is exactly 8 digits, the eight bytes from offset 7 are fixed, which leaves exactly 7 characters in front of them, and those must be "TrustMe" for the strstr check to pass. So the serial is unique:
sn = TrustMe20161018
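The three checks above, re-implemented in Python as an added example (this is not the crackme's own code; it is reconstructed from the listing). It assumes the conversion routine at 00406193 behaves like C strtol with base 10 (leading whitespace, optional sign, digits up to the first non-digit) and that the value compared at 00402034 is strlen(sn). The keygen shows why the serial is forced to a single value, and the two negative cases illustrate the strstr pitfall and the fixed offset-7 conversion.

```python
# Added example: re-implementation of the crackme's serial check,
# reconstructed from the disassembly in the write-up (not the crackme's source).
# Checks in the order the binary performs them:
#   1. strstr(sn, "TrustMe") != NULL          (004020F6 / 00402100)
#   2. strlen(sn) == 0x0F                      (00402034)
#   3. strtol(sn + 7) == 0x133A1FA (20161018)  (00402040 / 00402051)
# Assumption: 00406193 is modelled as C strtol(s, NULL, 10).

import re

MAGIC_TAG = "TrustMe"         # "Trus" (0x73757254) + "tMe\0" (0x654D74), little-endian
REQUIRED_LEN = 0x0F           # cmp dword ptr [esp+14], 0F
DIGITS_OFFSET = 7             # add eax, 7
EXPECTED_VALUE = 0x133A1FA    # cmp eax, 133A1FA  -> decimal 20161018

# C strtol semantics (assumed): skip isspace() chars, optional sign, then digits.
_STRTOL_RE = re.compile(r"^[ \t\n\v\f\r]*([+-]?[0-9]+)")


def c_strtol10(s: str) -> int:
    """Model of C strtol(s, NULL, 10); returns 0 when no digits are converted."""
    m = _STRTOL_RE.match(s)
    return int(m.group(1)) if m else 0


def check_serial(sn: str) -> bool:
    """Return True when sn reaches the 'mov esi, 1' (success) path."""
    if MAGIC_TAG not in sn:              # strstr returned NULL -> jnz not taken -> fail
        return False
    if len(sn) != REQUIRED_LEN:          # jnz short 0040205F
        return False
    return c_strtol10(sn[DIGITS_OFFSET:]) == EXPECTED_VALUE


def keygen() -> str:
    """Build the only serial that satisfies all three checks.

    The number must start at offset 7 and 20161018 needs all 8 remaining
    characters (no room for whitespace, a sign or leading zeros), so the
    tail is fixed and "TrustMe" can only occupy offsets 0..6.
    """
    digits = str(EXPECTED_VALUE)
    assert len(digits) == REQUIRED_LEN - DIGITS_OFFSET
    return MAGIC_TAG + digits


if __name__ == "__main__":
    sn = keygen()
    print(sn, check_serial(sn))
    # The pitfall from the write-up: right number, tag missing -> strstr fails.
    print("xxxxxxx20161018", check_serial("xxxxxxx20161018"))
    # Tag present but not at the front -> the offset-7 conversion fails.
    print("20161018TrustMe", check_serial("20161018TrustMe"))
```

Running it prints the serial followed by True, then False for both of the deliberately wrong inputs.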