[原创]看雪2016 第二十九题 CrackMe逆向分析
发表于: 2016-12-31 22:47 4519


crackme 采用多线程、分步骤解码的方式,最终需要解密一段代码后再运行,并弹出提示消息框。反调试手段为 CRC 校验。具体逆向步骤如下:
用 IDA 打开 crackme,发现 GetDlgItemTextA,通过查找交叉引用来到 sub_4012E7:

  // Excerpt from sub_4012E7 (declarations are not part of the listing).
  // Adds up the first 8 bytes of sn -- presumably the text fetched with
  // GetDlgItemTextA, confirm in the full function -- and hands the sum on.
  v3 = 0;
  v4 = 8;
  v5 = &sn;
  v6 = (unsigned __int8)sn;
  // The loop is bounded only by the counter v4; it does not test for a
  // terminating NUL, so for input shorter than 8 characters the sum also
  // covers whatever bytes follow the terminator in the buffer.
  while ( v4 )
  {
    v3 += v6;
    // Only the low byte of v6 is replaced with the next byte of sn.
    LOBYTE(v6) = *++v5;
    --v4;
  }
  // After 8 rounds v3 is the sum of sn[0..7] and the low byte of v6 is sn[8].
  // A non-zero sn[8] (input longer than 8 bytes) gets the error box;
  // otherwise the sum is passed to sub_401B0A.
  if ( (_BYTE)v6 )
    result = (char *)MessageBoxA(hWnd, err, err, 0);
  else
    result = sub_401B0A(v3);

// sub_401B0A: selects a handler from the value a1.
//
// In the sub_4012E7 excerpt of this write-up, a1 is the sum of the first
// eight serial bytes. Each call that passes the dword_403037 gate increments
// byte_403C99; an unrecognised value resets byte_403C99 to 0 and shows the
// error box. What dword_403037 and byte_403C99 stand for is not visible here
// (they look like a "ready" flag and a step counter -- confirm).
//
// NOTE(review): if a1 is always a sum of eight unsigned bytes, it cannot
// exceed 8 * 0xFF = 0x7F8, so the 0x86B case would be unreachable from that
// caller -- check whether another caller exists.
//
// Returns whatever the selected handler or MessageBoxA returns, as char *.
char *__stdcall sub_401B0A(int a1)
{
  // Gate: with the flag clear nothing is dispatched and the counter is
  // left untouched.
  if ( !dword_403037 )
    return (char *)MessageBoxA(0, err, err, 0);

  ++byte_403C99;

  switch ( a1 )
  {
    case 0x566:
      return (char *)sub_401DA0();
    case 0x79A:
      return (char *)sub_401DC1();
    case 0x86B:
      return sub_401E16();
    // NOTE(review): two distinct values share sub_401DE2 in this listing;
    // confirm against the disassembly that this is not a transcription slip.
    case 0x5D5:
    case 0x325:
      return (char *)sub_401DE2();
    default:
      break;
  }

  // Unknown value: restart the counter and report the error.
  byte_403C99 = 0;
  return (char *)MessageBoxA(0, err, err, 0);
}
      // Excerpt from a second routine; its header, its declarations and the
      // enclosing loop (see the `break` below) are not part of the listing,
      // so the starting values of v8, v9, v10 and v11 are not shown.
      // a3 is reused as a counter: eight rounds that add v11 to v8 and
      // store v11 XOR 0x66 through v10.
      a3 = 8;
      while ( a3 )
      {
        v8 += v11;
        *v10++ = v11 ^ 0x66;
        ++v9;
        --a3;
        // Only the low byte of v11 is replaced with the next input byte.
        LOBYTE(v11) = *v9;
      }
    // Dispatch on the accumulated sum: 0x353, 0x325 and 0x363 select a byte
    // offset (12, 4, 20) and jump to the shared call at LABEL_18; 0x29B
    // leaves the enclosing loop; any other value skips the call.
    if ( v8 == 0x353 )
    {
      v12 = 12;
      goto LABEL_18;
    }
    if ( v8 == 0x325 )
    {
      v12 = 4;
      goto LABEL_18;
    }
    if ( v8 == 0x29B )
      break;
    if ( v8 == 0x363 )
    {
      v12 = 20;
LABEL_18:
      // v13 addresses the DWORD at dword_4032F1 + selected offset; that
      // DWORD becomes the single argument of the call below.
      v13 = (char *)&dword_4032F1 + v12;
      // The call target is assembled at run time: the word at
      // unk_403BEA+7 becomes the high 16 bits, the word at unk_403BEA+9
      // the low 16 bits (the low half of a3 is zero after the shift).
      LOWORD(v12) = *(_WORD *)((char *)&unk_403BEA + 7);
      a3 = v12 << 16;
      LOWORD(a3) = *(_WORD *)((char *)&unk_403BEA + 9) + a3;
      // Indirect __stdcall call through the computed address. Because the
      // target is computed, it has no direct cross-reference in the
      // listing; to identify it, read the two words above (presumably
      // only meaningful after the run-time decoding the write-up
      // describes -- confirm in a debugger).
      ((void (__stdcall *)(_DWORD))a3)(*(_DWORD *)v13);
    }