[原创]看雪2016 第二十五题 CrackMe逆向分析
发表于:
2017-1-1 22:10
[原创]看雪2016 第二十五题 CrackMe逆向分析
该题作者使用了 base32 和 camellia 算法。定位算法时可以搜索特征值 0xA09E667F、0x3BCC908B:这两个 32 位值合起来就是 camellia 算法密钥扩展(key schedule)中使用的常量 Σ1 = 0xA09E667F3BCC908B。
通过 WM_GETTEXT 消息获取 sn 字符串,并要求 SendMessageA 的返回值(复制的字符数)等于 0x23,否则跳转到 004034E3,如下:
; Fetch the serial ("sn") text with SendMessageA(hWnd, WM_GETTEXT, wParam, lParam)
; and reject it unless the call returns 0x23.
; NOTE(review): the pushes for lParam (destination buffer) and wParam (buffer
; size) are above this excerpt, so the bound applied to the stack buffer cannot
; be checked from the lines shown here.
; Stores of ax/al into locals at esp+145 / esp+147; presumably clearing the tail
; of a buffer (eax is set outside this excerpt; confirm).
004032E5 |. 66:898424 450>mov word ptr [esp+145], ax ; |
004032ED |. 888424 470100>mov byte ptr [esp+147], al ; |
; hWnd is read from the global at 42A208. The "=> NULL" annotation is the
; debugger's view when the listing was captured; presumably the handle is
; filled in at run time (confirm).
004032F4 |. A1 08A24200 mov eax, dword ptr [42A208] ; |
004032F9 |. 6A 0D push 0D ; |Message = WM_GETTEXT
004032FB |. 50 push eax ; |hWnd => NULL
; Writes a 0 byte to the local at esp+13C before the call.
004032FC |. C68424 3C0100>mov byte ptr [esp+13C], 0 ; |
00403304 |. FF15 08F14100 call dword ptr [<&USER32.SendMessageA>; \SendMessageA
; For WM_GETTEXT the return value is the number of characters copied, so the
; serial has to be exactly 0x23 (35) characters long. Any other length jumps to
; 004034E3 (presumably the failure path; its code is not shown).
0040330A |. 83F8 23 cmp eax, 23
0040330D |. 0F85 D0010000 jnz 004034E3
; Fixed-character check: looks esi up in a small byte table at 428EE0 and, on a
; match, requires the byte at [esp + entry + 158] to be 'L' (0x4C).
; eax is the table index; it is initialised above this excerpt (presumably to 0)
; and the loop stops once it reaches 3, so three entries are examined.
; esi is presumably the current character position of an enclosing loop whose
; head is not shown; confirm against the full listing.
00403322 |> /0FBE88 E08E42>|/movsx ecx, byte ptr [eax+428EE0]
00403329 |. |3BF1 ||cmp esi, ecx
; Match: this position is one of the table entries, go check the character.
0040332B |. |74 08 ||je short 00403335
0040332D |. |40 ||inc eax
0040332E |. |83F8 03 ||cmp eax, 3
00403331 |.^\72 EF |\jb short 00403322
; No table entry equals esi: skip the 'L' check.
00403333 |. EB 15 |jmp short 0040334A
; edx is the matched table entry (equal to esi here). movsx sign-extends it, so
; the table bytes must stay below 0x80 for the index to be non-negative.
; esp+158 is presumably the buffer holding the serial (confirm).
00403335 |> 0FBE90 E08E42>|movsx edx, byte ptr [eax+428EE0]
0040333C |. 80BC14 580100>|cmp byte ptr [esp+edx+158], 4C ; 'L'
; Wrong character at a fixed position: same target as the length check above.
00403344 |. 0F85 99010000 |jnz 004034E3
; Both paths rejoin here; eax == 3 means no table entry matched esi.
0040334A |> 83F8 03 |cmp eax, 3
; Call 004101F0 with the addresses of four stack locals.
; Each push lowers esp by 4, so the displacements below are relative to a moving
; esp. Measured from esp at 004033A0 the four addresses are +14, +140, +17C and
; +18, pushed in that order (the last push is the first argument if the callee
; uses the usual right-to-left convention).
; NOTE(review): 004101F0 is not shown in this excerpt. The article attributes
; base32 and camellia to this crackme, but which routine this call reaches
; cannot be told from these lines.
004033A0 |. 8D4C24 14 lea ecx, dword ptr [esp+14]
004033A4 |. 51 push ecx
004033A5 |. 8D9424 440100>lea edx, dword ptr [esp+144]
004033AC |. 52 push edx
004033AD |. 8D8424 840100>lea eax, dword ptr [esp+184]
004033B4 |. 50 push eax
004033B5 |. 8D4C24 24 lea ecx, dword ptr [esp+24]
004033B9 |. 51 push ecx
004033BA |. E8 31CE0000 call 004101F0
; Measure a string with lstrlenA, then pass the length to 00402EE0.
; eax holds the string pointer on entry; it is set above this excerpt.
004033D6 |. 50 push eax ; /String
004033D7 |. FF15 10F04100 call dword ptr [<&KERNEL32.lstrlenA>] ; \lstrlenA
; lstrlenA's result (length in bytes, terminator excluded) becomes a stack
; argument of the next call.
004033DD |. 50 push eax
; edi is loaded with the address of the local at esp+1A4 just before the call;
; presumably a register argument or output buffer for 00402EE0 (confirm).
004033DE |. 8DBC24 A40100>lea edi, dword ptr [esp+1A4]
004033E5 |. E8 F6FAFFFF call 00402EE0
; The caller removes 8 bytes: the length pushed above plus one dword that was
; pushed before this excerpt begins.
004033EA |. 83C4 08 add esp, 8