[Original] Problem 1: WannaLOL -- writeup
Posted: 2017-6-3 00:45
An ordinary CrackMe: a 32-bit Windows program with no packer, no VM and no cryptography, a "three-nothing" CrackMe. Happy Children's Day everyone, and Laugh Out Loud.
No packer, no VM, so just fire up OD (OllyDbg) and get to work.
First run the program once to see the failure message: a message box saying "error".
Load it into OD and search the strings directly. Find where "error" lives in .text; not far from it is "Registration Successful!".
Scroll upward to find the logic that makes the decision.
Looking upward from the key string all the way to GetDlgItemTextA, there are no calls in between, only a handful of JNZ/JE branches, so the core logic is the code below.
What remains, then, is to read and understand that logic.
0040120B  .  FF15 A8704000   call dword ptr ds:[<&USER32.GetDlgItemTextA>] ; \GetDlgItemTextA
00401211  .  68 F4010000     push 0x1F4                                    ; /Timeout = 500. ms
00401216  .  FF15 00704000   call dword ptr ds:[<&KERNEL32.Sleep>]         ; \Sleep
0040121C  .  8D45 E4         lea eax,dword ptr ss:[ebp-0x1C]
0040121F  .  50              push eax
00401220  .  E8 DB000000     call WannaLOL.00401300
00401225  .  83F8 04         cmp eax,0x4
00401228  .  59              pop ecx
00401229  .  0F85 A0000000   jnz WannaLOL.004012CF
0040122F  .  6A 30           push 0x30
00401231  .  59              pop ecx
00401232  .  384D E4         cmp byte ptr ss:[ebp-0x1C],cl
00401235  .  0F84 94000000   je WannaLOL.004012CF
0040123B  .  384D E5         cmp byte ptr ss:[ebp-0x1B],cl
0040123E  .  0F84 8B000000   je WannaLOL.004012CF
00401244  .  384D E6         cmp byte ptr ss:[ebp-0x1A],cl
00401247  .  0F84 82000000   je WannaLOL.004012CF
0040124D  .  384D E7         cmp byte ptr ss:[ebp-0x19],cl
00401250  .  74 7D           je short WannaLOL.004012CF
00401252  .  807D E4 31      cmp byte ptr ss:[ebp-0x1C],0x31
00401256  .  75 77           jnz short WannaLOL.004012CF
00401258  .  807D E5 35      cmp byte ptr ss:[ebp-0x1B],0x35
0040125C  .  75 71           jnz short WannaLOL.004012CF
0040125E  .  74 03           je short WannaLOL.00401263
00401260  .  75 01           jnz short WannaLOL.00401263
00401262     E8              db E8
00401263  >  66:B8 0800      mov ax,0x8
00401267  .  66:35 0700      xor ax,0x7
0040126B  >. 0FBE45 E6       movsx eax,byte ptr ss:[ebp-0x1A]
0040126F  .  2BC1            sub eax,ecx
00401271  .  8945 FC         mov dword ptr ss:[ebp-0x4],eax
00401274  .  0FBE45 E4       movsx eax,byte ptr ss:[ebp-0x1C]
00401278  .  DB45 FC         fild dword ptr ss:[ebp-0x4]
0040127B  .  2BC1            sub eax,ecx
0040127D  .  8945 FC         mov dword ptr ss:[ebp-0x4],eax
00401280  .  0FBE45 E5       movsx eax,byte ptr ss:[ebp-0x1B]
00401284  .  DB45 FC         fild dword ptr ss:[ebp-0x4]
00401287  .  2BC1            sub eax,ecx
00401289  .  8945 FC         mov dword ptr ss:[ebp-0x4],eax
0040128C  .  DA75 FC         fidiv dword ptr ss:[ebp-0x4]
0040128F  .  0FBE45 E7       movsx eax,byte ptr ss:[ebp-0x19]
00401293  .  2BC1            sub eax,ecx
00401295  .  8945 FC         mov dword ptr ss:[ebp-0x4],eax
00401298  .  DEE9            fsubp st(1),st
0040129A  .  DA4D FC         fimul dword ptr ss:[ebp-0x4]
0040129D  .  D80D 1C714000   fmul dword ptr ds:[0x40711C]
004012A3  .  D95D FC         fstp dword ptr ss:[ebp-0x4]
004012A6  .  74 03           je short WannaLOL.004012AB
004012A8  .  75 01           jnz short WannaLOL.004012AB
004012AA     E8              db E8
004012AB  >  66:B8 0800      mov ax,0x8
004012AF  .  66:35 0700      xor ax,0x7
004012B3  .  D945 FC         fld dword ptr ss:[ebp-0x4]
004012B6  .  D81D 18714000   fcomp dword ptr ds:[0x407118]
004012BC  .  6A 00           push 0x0
004012BE  .  68 78804000     push WannaLOL.00408078                        ; CrackMe 2017 CTF
004012C3  .  DFE0            fstsw ax
004012C5  .  9E              sahf
004012C6  .  75 0E           jnz short WannaLOL.004012D6
004012C8  .  68 5C804000     push WannaLOL.0040805C                        ; Registration successful !
The opening part is easy to follow: it first checks that the user input is exactly 4 characters long, and that none of the characters is '0'.
00401232  .  384D E4         cmp byte ptr ss:[ebp-0x1C],cl
00401235  .  0F84 94000000   je WannaLOL.004012CF
0040123B  .  384D E5         cmp byte ptr ss:[ebp-0x1B],cl
0040123E  .  0F84 8B000000   je WannaLOL.004012CF
00401244  .  384D E6         cmp byte ptr ss:[ebp-0x1A],cl
00401247  .  0F84 82000000   je WannaLOL.004012CF
0040124D  .  384D E7         cmp byte ptr ss:[ebp-0x19],cl
00401250  .  74 7D           je short WannaLOL.004012CF
00401252  .  807D E4 31      cmp byte ptr ss:[ebp-0x1C],0x31
00401256  .  75 77           jnz short WannaLOL.004012CF
00401258  .  807D E5 35      cmp byte ptr ss:[ebp-0x1B],0x35
The hard part is the check that follows, which uses unfamiliar instructions such as fild/fidiv/fsubp/fimul/fmul/fstp/fstsw. That is the nice thing about dynamic debugging, though: you can guess and verify as you go. Below is the code with my comments added, for reference:
0040120B  .  FF15 A8704000   call dword ptr ds:[<&USER32.GetDlgItemTextA>] ; \GetDlgItemTextA
00401211  .  68 F4010000     push 0x1F4                                    ; /Timeout = 500. ms
00401216  .  FF15 00704000   call dword ptr ds:[<&KERNEL32.Sleep>]         ; \Sleep
0040121C  .  8D45 E4         lea eax,dword ptr ss:[ebp-0x1C]
0040121F  .  50              push eax
00401220  .  E8 DB000000     call WannaLOL.00401300
00401225  .  83F8 04         cmp eax,0x4                      ; password length must be 4
00401228  .  59              pop ecx
00401229  .  0F85 A0000000   jnz WannaLOL.004012CF
0040122F  .  6A 30           push 0x30
00401231  .  59              pop ecx
00401232  .  384D E4         cmp byte ptr ss:[ebp-0x1C],cl    ; 1C/1B/1A/19 hold characters 1-4 respectively
00401235  .  0F84 94000000   je WannaLOL.004012CF
0040123B  .  384D E5         cmp byte ptr ss:[ebp-0x1B],cl
0040123E  .  0F84 8B000000   je WannaLOL.004012CF
00401244  .  384D E6         cmp byte ptr ss:[ebp-0x1A],cl    ; none of the four characters may be '0'
00401247  .  0F84 82000000   je WannaLOL.004012CF
0040124D  .  384D E7         cmp byte ptr ss:[ebp-0x19],cl
00401250  .  74 7D           je short WannaLOL.004012CF
00401252  .  807D E4 31      cmp byte ptr ss:[ebp-0x1C],0x31  ; 1st character must be 0x31, i.e. the digit 1
00401256  .  75 77           jnz short WannaLOL.004012CF
00401258  .  807D E5 35      cmp byte ptr ss:[ebp-0x1B],0x35  ; 2nd character must be 0x35, i.e. the digit 5
0040125C  .  75 71           jnz short WannaLOL.004012CF
0040125E  .  74 03           je short WannaLOL.00401263
00401260  .  75 01           jnz short WannaLOL.00401263
00401262     E8              db E8
00401263  >  66:B8 0800      mov ax,0x8
00401267  .  66:35 0700      xor ax,0x7
0040126B  >. 0FBE45 E6       movsx eax,byte ptr ss:[ebp-0x1A] ; take the 3rd character, subtract 0x30; the result X is loaded into st0 as a number
0040126F  .  2BC1            sub eax,ecx
00401271  .  8945 FC         mov dword ptr ss:[ebp-0x4],eax
00401274  .  0FBE45 E4       movsx eax,byte ptr ss:[ebp-0x1C] ; take the 1st character, subtract 0x30: '1' becomes the number 1
00401278  .  DB45 FC         fild dword ptr ss:[ebp-0x4]
0040127B  .  2BC1            sub eax,ecx
0040127D  .  8945 FC         mov dword ptr ss:[ebp-0x4],eax
00401280  .  0FBE45 E5       movsx eax,byte ptr ss:[ebp-0x1B] ; take the 2nd character, subtract 0x30: '5' becomes the number 5
00401284  .  DB45 FC         fild dword ptr ss:[ebp-0x4]
00401287  .  2BC1            sub eax,ecx
00401289  .  8945 FC         mov dword ptr ss:[ebp-0x4],eax
0040128C  .  DA75 FC         fidiv dword ptr ss:[ebp-0x4]     ; divide: 1/5 = 0.2
0040128F  .  0FBE45 E7       movsx eax,byte ptr ss:[ebp-0x19] ; take the 4th character, subtract 0x30: the result is Y
00401293  .  2BC1            sub eax,ecx
00401295  .  8945 FC         mov dword ptr ss:[ebp-0x4],eax
00401298  .  DEE9            fsubp st(1),st                   ; st1 - st0, i.e. X-0.2
0040129A  .  DA4D FC         fimul dword ptr ss:[ebp-0x4]     ; Y*(X-0.2) stays in st0
0040129D  .  D80D 1C714000   fmul dword ptr ds:[0x40711C]     ; Y*(X-0.2)*16
004012A3  .  D95D FC         fstp dword ptr ss:[ebp-0x4]
004012A6  .  74 03           je short WannaLOL.004012AB
004012A8  .  75 01           jnz short WannaLOL.004012AB
004012AA     E8              db E8
004012AB  >  66:B8 0800      mov ax,0x8
004012AF  .  66:35 0700      xor ax,0x7
004012B3  .  D945 FC         fld dword ptr ss:[ebp-0x4]
004012B6  .  D81D 18714000   fcomp dword ptr ds:[0x407118]    ; check Y*(X-0.2)*16 == 384 ? From this the answer works out to 1555
004012BC  .  6A 00           push 0x0
004012BE  .  68 78804000     push WannaLOL.00408078           ; CrackMe 2017 CTF
004012C3  .  DFE0            fstsw ax
004012C5  .  9E              sahf
004012C6  .  75 0E           jnz short WannaLOL.004012D6
004012C8  .  68 5C804000     push WannaLOL.0040805C           ; Registration successful !
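To confirm the reading of the FPU sequence above, here is a re-implementation of the whole serial check in Python, added for this writeup and not part of the CrackMe or the original post. It mirrors each stage of the listing (length test, no-'0' test, fixed first two characters, the x87 arithmetic, and the 32-bit float store that fstp dword performs before the fcomp), then searches the third and fourth characters over the decimal digits the writeup assumes. The constants 16 and 384 are the values the writeup reads from 0x40711C and 0x407118.

```python
import struct
from typing import List

MULTIPLIER = 16.0   # dword at 0x40711C, per the writeup
TARGET = 384.0      # dword at 0x407118, per the writeup


def to_float32(value: float) -> float:
    """Round a double to IEEE single precision, as fstp dword ptr does."""
    return struct.unpack("<f", struct.pack("<f", value))[0]


def wanna_lol_check(password: str) -> bool:
    """Python model of the check at 0x401225-0x4012C6."""
    if len(password) != 4:                          # cmp eax,0x4
        return False
    if any(c == "0" for c in password):             # cmp byte ptr [...],cl (cl = 0x30)
        return False
    if password[0] != "1" or password[1] != "5":    # cmp ...,0x31 / cmp ...,0x35
        return False
    # movsx eax,byte ; sub eax,ecx  -> every character minus 0x30 as a signed int
    c1, c2, x, y = (ord(c) - 0x30 for c in password)
    # fild X ; fild c1 ; fidiv c2 ; fsubp ; fimul Y ; fmul 16 ; fstp dword
    value = to_float32(y * (x - c1 / c2) * MULTIPLIER)
    # fld ; fcomp 384.0 ; fstsw ax ; sahf ; jnz  -> plain equality test
    return value == TARGET


def solve(alphabet: str = "123456789") -> List[str]:
    """Enumerate characters 3 and 4 over `alphabet` and return every accepted serial.

    The binary itself only rejects '0', so the real input space is wider than
    the digits tried here; the digit search is what the writeup's reasoning covers.
    """
    return [f"15{a}{b}" for a in alphabet for b in alphabet
            if wanna_lol_check(f"15{a}{b}")]


if __name__ == "__main__":
    print(solve())   # the writeup's answer, 1555, is the only all-digit serial
```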
It looks a bit daunting, but after stepping through it two or three times and sketching it out on paper, it basically falls into place. The figure below is for reference:
