[原创]第十一题 ToBeBetterCrackMe分析
2017-6-22 01:34 3147
此题未完成：只做了脱壳并分析到了算法，但感觉没这么简单，可能有坑。没有进行穷举，所以也没有最终的序列号，这里只记录一下分析过程。
工具：PEiD、OllyDbg（OD）、IDA
用 PEiD 查壳发现有壳。直接把程序拖进 OD，OD 提示模块可能被压缩或加壳、是否继续分析，直接点“否”。
0044742C C9 leave 0044742D C3 retn 0044742E > E8 ECFBFFFF call 11-ToBeB.0044701F //跟进去 00447433 C3 retn 00447434 - FF25 00804400 jmp dword ptr ds:[<&kernel32.CloseHandle>] ; kernel32.CloseHandle 0044743A - FF25 04804400 jmp dword ptr ds:[<&kernel32.CreateFileA>] ; apphelp.56C265D0 00447440 - FF25 08804400 jmp dword ptr ds:[<&kernel32.CreateFileMap>; apphelp.56C24D20 00447446 - FF25 0C804400 jmp dword ptr ds:[<&kernel32.GetModuleFile>; kernel32.GetModuleFileNameA 0044744C - FF25 10804400 jmp dword ptr ds:[<&kernel32.GetProcAddres>; kernel32.GetProcAddress 00447452 - FF25 14804400 jmp dword ptr ds:[<&kernel32.LoadLibraryA>>; kernel32.LoadLibraryA 00447458 - FF25 18804400 jmp dword ptr ds:[<&kernel32.MapViewOfFile>; kernel32.MapViewOfFile 0044745E - FF25 1C804400 jmp dword ptr ds:[<&kernel32.RtlZeroMemory>; ntdll.RtlZeroMemory 00447464 - FF25 20804400 jmp dword ptr ds:[<&kernel32.UnmapViewOfFi>; kernel32.UnmapViewOfFile 0044746A - FF25 24804400 jmp dword ptr ds:[<&kernel32.VirtualAlloc>>; kernel32.VirtualAlloc 00447470 - FF25 28804400 jmp dword ptr ds:[<&kernel32.VirtualFree>] ; kernel32.VirtualFree 00447476 - FF25 2C804400 jmp dword ptr ds:[<&kernel32.VirtualProtec>; kernel32.VirtualProtect 00447109 FFB5 F4FEFFFF push dword ptr ss:[ebp-0x10C] 0044710F E8 44030000 call <jmp.&kernel32.MapViewOfFile> 00447114 0BC0 or eax,eax 00447116 75 05 jnz short 11-ToBeB.0044711D 00447118 E9 8D020000 jmp 11-ToBeB.004473AA 0044711D 8985 F0FEFFFF mov dword ptr ss:[ebp-0x110],eax 00447123 6A 40 push 0x40 00447125 68 00100000 push 0x1000 0044712A 68 00500400 push 0x45000 ; UNICODE "ms-win-core-file-ansi-l2-1-0" 0044712F 6A 00 push 0x0 00447131 E8 34030000 call <jmp.&kernel32.VirtualAlloc> ; 从0x00690000(每次运行地址不一样)分配了0x45000内存,用于解密PE文件 00447136 0BC0 or eax,eax 00447138 75 05 jnz short 11-ToBeB.0044713F 0044713A E9 6B020000 jmp 11-ToBeB.004473AA 0044713F 8985 ECFEFFFF mov dword ptr ss:[ebp-0x114],eax 00447145 8B85 F0FEFFFF mov eax,dword ptr ss:[ebp-0x110] 0044714B 05 00100000 add 
eax,0x1000 00447150 68 00500400 push 0x45000 ; UNICODE "ms-win-core-file-ansi-l2-1-0" 00447155 50 push eax 00447156 FFB5 ECFEFFFF push dword ptr ss:[ebp-0x114] 0044715C FF15 34804400 call dword ptr ds:[<&msvcrt.memcpy>] ; msvcrt.memcpy 00447162 83C4 0C add esp,0xC 00447165 B9 00000000 mov ecx,0x0 0044716A 8B85 ECFEFFFF mov eax,dword ptr ss:[ebp-0x114] 00447170 EB 16 jmp short 11-ToBeB.00447188 00447172 8BD1 mov edx,ecx ; 解密PE文件 00447174 81C2 21079319 add edx,0x19930721 0044717A 3110 xor dword ptr ds:[eax],edx 0044717C 0108 add dword ptr ds:[eax],ecx 0044717E 8128 46925713 sub dword ptr ds:[eax],0x13579246 00447184 83C0 04 add eax,0x4 00447187 41 inc ecx 00447188 81F9 00140100 cmp ecx,0x11400 0044718E ^ 72 E2 jb short 11-ToBeB.00447172 00447190 8BB5 ECFEFFFF mov esi,dword ptr ss:[ebp-0x114] 00447196 56 push esi ; 11-ToBeB.<ModuleEntryPoint> 00447197 E8 64FEFFFF call 11-ToBeB.00447000 0044719C 0BC0 or eax,eax 0044719E 75 05 jnz short 11-ToBeB.004471A5 004471A0 E9 05020000 jmp 11-ToBeB.004473AA 004471A5 0376 3C add esi,dword ptr ds:[esi+0x3C] ;PE文件相关字段设值 004471A8 0FB746 06 movzx eax,word ptr ds:[esi+0x6] 004471AC 8985 E8FEFFFF mov dword ptr ss:[ebp-0x118],eax 004471B2 0FB746 14 movzx eax,word ptr ds:[esi+0x14] 004471B6 8985 E4FEFFFF mov dword ptr ss:[ebp-0x11C],eax 004471BC 8B46 34 mov eax,dword ptr ds:[esi+0x34] 004471BF 8985 D4FEFFFF mov dword ptr ss:[ebp-0x12C],eax 004471C5 8B46 28 mov eax,dword ptr ds:[esi+0x28] 004471C8 0385 D4FEFFFF add eax,dword ptr ss:[ebp-0x12C] 004471CE 8985 E0FEFFFF mov dword ptr ss:[ebp-0x120],eax 004471D4 8B46 50 mov eax,dword ptr ds:[esi+0x50] 004471D7 8985 DCFEFFFF mov dword ptr ss:[ebp-0x124],eax 004471DD 8B46 54 mov eax,dword ptr ds:[esi+0x54] 004471E0 8985 D8FEFFFF mov dword ptr ss:[ebp-0x128],eax 004471E6 8D86 80000000 lea eax,dword ptr ds:[esi+0x80] 004471EC 8B00 mov eax,dword ptr ds:[eax] 004471EE 0385 D4FEFFFF add eax,dword ptr ss:[ebp-0x12C] 004471F4 8985 CCFEFFFF mov dword ptr ss:[ebp-0x134],eax 004471FA 8D85 C8FEFFFF lea 
eax,dword ptr ss:[ebp-0x138] 00447200 50 push eax 00447201 6A 40 push 0x40 00447203 68 00500400 push 0x45000 ; UNICODE "ms-win-core-file-ansi-l2-1-0" 00447208 FFB5 D4FEFFFF push dword ptr ss:[ebp-0x12C] 0044720E E8 63020000 call <jmp.&kernel32.VirtualProtect> 00447213 0BC0 or eax,eax 00447215 75 05 jnz short 11-ToBeB.0044721C 00447217 E9 8E010000 jmp 11-ToBeB.004473AA 0044721C FFB5 D8FEFFFF push dword ptr ss:[ebp-0x128] 00447222 FFB5 ECFEFFFF push dword ptr ss:[ebp-0x114] 00447228 FFB5 D4FEFFFF push dword ptr ss:[ebp-0x12C] 0044722E FF15 34804400 call dword ptr ds:[<&msvcrt.memcpy>] ; msvcrt.memcpy 00447234 83C4 0C add esp,0xC 00447237 8D76 18 lea esi,dword ptr ds:[esi+0x18] 0044723A 03B5 E4FEFFFF add esi,dword ptr ss:[ebp-0x11C] 00447240 89B5 D0FEFFFF mov dword ptr ss:[ebp-0x130],esi ; 11-ToBeB.<ModuleEntryPoint> 00447246 33C9 xor ecx,ecx 00447248 EB 26 jmp short 11-ToBeB.00447270 0044724A 8B5E 14 mov ebx,dword ptr ds:[esi+0x14] ; 定义4个节 0044724D 039D ECFEFFFF add ebx,dword ptr ss:[ebp-0x114] 00447253 8B7E 0C mov edi,dword ptr ds:[esi+0xC] 00447256 03BD D4FEFFFF add edi,dword ptr ss:[ebp-0x12C] 0044725C 51 push ecx 0044725D FF76 10 push dword ptr ds:[esi+0x10] 00447260 53 push ebx 00447261 57 push edi ; 11-ToBeB.<ModuleEntryPoint> 00447262 FF15 34804400 call dword ptr ds:[<&msvcrt.memcpy>] ; msvcrt.memcpy 00447268 83C4 0C add esp,0xC 0044726B 59 pop ecx ; 11-ToBeB.<ModuleEntryPoint> 0044726C 41 inc ecx 0044726D 83C6 28 add esi,0x28 00447270 3B8D E8FEFFFF cmp ecx,dword ptr ss:[ebp-0x118] 00447276 ^ 72 D2 jb short 11-ToBeB.0044724A 00447278 8BB5 CCFEFFFF mov esi,dword ptr ss:[ebp-0x134] 0044727E 6A 14 push 0x14 00447280 8D85 B4FEFFFF lea eax,dword ptr ss:[ebp-0x14C] 00447286 50 push eax 00447287 56 push esi ; 11-ToBeB.<ModuleEntryPoint> 00447288 FF15 38804400 call dword ptr ds:[<&msvcrt.memcmp>] ; msvcrt.memcmp 0044728E 83C4 0C add esp,0xC 00447291 0BC0 or eax,eax 00447293 75 05 jnz short 11-ToBeB.0044729A 00447295 E9 85000000 jmp 11-ToBeB.0044731F 0044729A 8B46 10 
mov eax,dword ptr ds:[esi+0x10] 0044729D 0385 D4FEFFFF add eax,dword ptr ss:[ebp-0x12C] 004472A3 8338 00 cmp dword ptr ds:[eax],0x0 004472A6 75 05 jnz short 11-ToBeB.004472AD 004472A8 83C6 14 add esi,0x14 004472AB ^ EB D1 jmp short 11-ToBeB.0044727E 004472AD 8B46 0C mov eax,dword ptr ds:[esi+0xC] 004472B0 0385 D4FEFFFF add eax,dword ptr ss:[ebp-0x12C] 004472B6 50 push eax 004472B7 E8 96010000 call <jmp.&kernel32.LoadLibraryA> 004472BC 0BC0 or eax,eax 004472BE 75 02 jnz short 11-ToBeB.004472C2 004472C0 ^ EB BC jmp short 11-ToBeB.0044727E 004472C2 8985 B0FEFFFF mov dword ptr ss:[ebp-0x150],eax 004472C8 8B1E mov ebx,dword ptr ds:[esi] 004472CA 0BDB or ebx,ebx 004472CC 75 03 jnz short 11-ToBeB.004472D1 004472CE 8B5E 10 mov ebx,dword ptr ds:[esi+0x10] 004472D1 039D D4FEFFFF add ebx,dword ptr ss:[ebp-0x12C] 004472D7 8B7E 10 mov edi,dword ptr ds:[esi+0x10] 004472DA 03BD D4FEFFFF add edi,dword ptr ss:[ebp-0x12C] 004472E0 EB 30 jmp short 11-ToBeB.00447312 004472E2 F703 00000080 test dword ptr ds:[ebx],0x80000000 ; 找系统函数,并静态调用KERNEL32.dll,USER32.dll 004472E8 74 09 je short 11-ToBeB.004472F3 004472EA 8B03 mov eax,dword ptr ds:[ebx] 004472EC 25 FFFF0000 and eax,0xFFFF 004472F1 EB 0B jmp short 11-ToBeB.004472FE 004472F3 8B03 mov eax,dword ptr ds:[ebx] 004472F5 0385 D4FEFFFF add eax,dword ptr ss:[ebp-0x12C] 004472FB 8D40 02 lea eax,dword ptr ds:[eax+0x2] 004472FE 50 push eax 004472FF FFB5 B0FEFFFF push dword ptr ss:[ebp-0x150] 00447305 E8 42010000 call <jmp.&kernel32.GetProcAddress> 0044730A 8907 mov dword ptr ds:[edi],eax 0044730C 83C3 04 add ebx,0x4 0044730F 83C7 04 add edi,0x4 00447312 833B 00 cmp dword ptr ds:[ebx],0x0 00447315 ^ 75 CB jnz short 11-ToBeB.004472E2 00447317 83C6 14 add esi,0x14 0044731A ^ E9 5FFFFFFF jmp 11-ToBeB.0044727E 0044731F 83BD ECFEFFFF 00 cmp dword ptr ss:[ebp-0x114],0x0 00447326 74 1C je short 11-ToBeB.00447344 00447328 68 00800000 push 0x8000 0044732D 6A 00 push 0x0 0044732F FFB5 ECFEFFFF push dword ptr ss:[ebp-0x114] 00447335 E8 36010000 call 
<jmp.&kernel32.VirtualFree> ;此处一定要先在内存中把解密的PE文件先dump出来,不然会被清空 0044733A C785 F0FEFFFF 00000000 mov dword ptr ss:[ebp-0x110],0x0 00447344 83BD F0FEFFFF 00 cmp dword ptr ss:[ebp-0x110],0x0 0044734B 74 15 je short 11-ToBeB.00447362
解密后的 PE 文件位于 VirtualAlloc 返回的那块内存（即 [ebp-0x114] 中保存的指针），我这里是 0x00690000。注意这是本机某一次运行的地址，每次运行都不一样，应以实际返回值为准。
下面是 dump 出来的 PE 文件，可以看到有 4 个节，导入了 KERNEL32.dll 和 USER32.dll 两个 DLL 及相关系统函数。注意必须在 00447335 处的 VirtualFree 执行之前 dump，否则这块内存会被释放。
将 dump 出来的 PE 文件拖进 OD，运行时发现它创建了几个进程；跟到 00401690：
; sub_401690 - startup routine that decides whether the CrackMe dialog is shown.
; Two byte flags gate the behaviour: if [0x439B50] == 0 the routine returns at
; once; if [0x439B51] == 0 it takes the 004016CD path instead of the dialog.
; Who writes those flags is not visible here (presumably the startup /
; child-process logic the author noticed) - confirm when tracing.
; "retn 0x10": stdcall with four arguments; [arg.1] is passed as hInst.
00401690 /$ 55 push ebp
00401691 |. 8BEC mov ebp,esp
00401693 |. 83EC 70 sub esp,0x70
00401696 |. 803D 509B4300 00 cmp byte ptr ds:[0x439B50],0x0 ; first gate flag
0040169D |. 0F84 88000000 je 12.0040172B ; flag clear -> return 0 without doing anything
004016A3 |. E8 08FFFFFF call 12.004015B0
004016A8 |. 803D 519B4300 00 cmp byte ptr ds:[0x439B51],0x0 ; second gate flag
004016AF |. 74 1C je short 12.004016CD ; must NOT be taken here: falling through shows the main dialog
004016B1 |. 6A 00 push 0x0 ; /lParam = NULL
004016B3 |. 68 40174000 push 12.00401740 ; |DlgProc = 12.00401740 ; key: the button-click handler lives in this DlgProc
004016B8 |. 6A 00 push 0x0 ; |hOwner = NULL
004016BA |. 6A 67 push 0x67 ; |pTemplate = 0x67
004016BC |. FF75 08 push [arg.1] ; |hInst = 003BE000
004016BF |. FF15 94A14200 call dword ptr ds:[<&USER32.DialogBoxParam>; \DialogBoxParamW
004016C5 |. 33C0 xor eax,eax
004016C7 |. 8BE5 mov esp,ebp
004016C9 |. 5D pop ebp ; 12.004182DC
004016CA |. C2 1000 retn 0x10
004016CD |> 8D4D 90 lea ecx,[local.28] ; alternate path ([0x439B51] == 0): helpers called with ecx = &local (looks like C++ thiscall on stack objects) - not analysed here
004016D0 |. E8 0BF10000 call 12.004107E0
004016D5 |. E8 C6FEFFFF call 12.004015A0
004016DA |. 8D4D EC lea ecx,[local.5]
004016DD |. 8B40 30 mov eax,dword ptr ds:[eax+0x30]
004016E0 |. 50 push eax
004016E1 |. E8 AAEB0000 call 12.00410290
004016E6 |. 8D4D 90 lea ecx,[local.28]
004016E9 |. E8 C2FE0000 call 12.004115B0
004016EE |. 8D45 EC lea eax,[local.5]
004016F1 |. 50 push eax
004016F2 |. 8D4D 94 lea ecx,[local.27]
004016F5 |. E8 66180000 call 12.00402F60
004016FA |. 8D4D EC lea ecx,[local.5]
004016FD |. E8 2EEC0000 call 12.00410330
00401702 |. FF35 A0404300 push dword ptr ds:[0x4340A0] ; 12.00401C30
00401708 |. 8D4D 90 lea ecx,[local.28]
0040170B |. E8 30FF0000 call 12.00411640
00401710 |. 6A 20 push 0x20
00401712 |. 8D4D 90 lea ecx,[local.28]
00401715 |. E8 26F40000 call 12.00410B40
0040171A |. 50 push eax
0040171B |. 8D4D 90 lea ecx,[local.28]
0040171E |. E8 EDFC0000 call 12.00411410
00401723 |. 8D4D 90 lea ecx,[local.28]
00401726 |. E8 F5F10000 call 12.00410920
0040172B |> 33C0 xor eax,eax ; common exit: return 0
0040172D |. 8BE5 mov esp,ebp
0040172F |. 5D pop ebp ; 12.004182DC
00401730 \. C2 1000 retn 0x10
此时主界面已经显示出来。在 004017A3（GetDlgItemTextW）处下断，输入 SN 后点确定。
成功断在 004017A3 处，这里读取输入的 SN（控件 ID 0x3E9，最多 0x1FE 个字符，UTF-16）：
004017A3 |. FF15 90A14200 call dword ptr ds:[<&USER32.GetDlgItemText>; \GetDlgItemTextW
; sub_401740 - the dialog procedure installed by DialogBoxParamW at 004016BF.
; [arg.1] = hWnd, [arg.2] = uMsg, [arg.3] = wParam.
;   uMsg == 0x110 (WM_INITDIALOG): return 1.
;   uMsg == 0x111 (WM_COMMAND), LOWORD(wParam) == 0x3E8: read the serial from
;     control 0x3E9, run the check at 00401A40, show a success/failure box.
;   uMsg == 0x111, LOWORD(wParam) == 2 (IDCANCEL): EndDialog.
;   anything else: return 0.
; The MessageBox title/text are not plain strings in the image: they are written
; to the stack as dword constants (UTF-16LE) and NUL-padded before use.
00401740 /. 55 push ebp
00401741 |. 8BEC mov ebp,esp
00401743 |. 8B45 0C mov eax,[arg.2] ; uMsg
00401746 |. 81EC 00060000 sub esp,0x600 ; 0x600-byte frame, mostly the input buffer
0040174C |. 2D 10010000 sub eax,0x110 ; Switch (cases 110..111) ; uMsg - WM_INITDIALOG
00401751 |. 0F84 59010000 je 12.004018B0 ; WM_INITDIALOG
00401757 |. 48 dec eax
00401758 |. 0F85 4A010000 jnz 12.004018A8 ; not WM_COMMAND -> default case
0040175E |. 8B45 10 mov eax,[arg.3] ; Case 111 of switch 0040174C ; wParam
00401761 |. B9 E8030000 mov ecx,0x3E8
00401766 |. 66:3BC1 cmp ax,cx ; LOWORD(wParam) == 0x3E8: the control that triggers the check (presumably the OK button)
00401769 |. 0F85 28010000 jnz 12.00401897
0040176F |. 56 push esi
00401770 |. 33C0 xor eax,eax
00401772 |. 68 FC010000 push 0x1FC ; looks like memset(ebp-0x5FE, 0, 0x1FC): zero the input buffer after its first word - confirm what 12.00418360 is
00401777 |. 50 push eax
00401778 |. 66:8985 00FAFFFF mov word ptr ss:[ebp-0x600],ax ; first UTF-16 unit of the buffer = 0
0040177F |. 8D85 02FAFFFF lea eax,dword ptr ss:[ebp-0x5FE]
00401785 |. 50 push eax
00401786 |. E8 D56B0100 call 12.00418360
0040178B |. 8B75 08 mov esi,[arg.1] ; hWnd
0040178E |. 8D85 00FAFFFF lea eax,[local.384] ; buffer = ebp-0x600
00401794 |. 83C4 0C add esp,0xC
00401797 |. 68 FE010000 push 0x1FE ; /Count = 1FE (510.) ; 0x1FE UTF-16 units = 0x3FC bytes, fits in the 0x600-byte frame
0040179C |. 50 push eax ; |Buffer = 0019F104
0040179D |. 68 E9030000 push 0x3E9 ; |ControlID = 3E9 (1001.)
004017A2 |. 56 push esi ; |hWnd = 00F30658 ('CrackMe',class='#32770')
004017A3 |. FF15 90A14200 call dword ptr ds:[<&USER32.GetDlgItemText>; \GetDlgItemTextW ; reads the SN (UTF-16) into [local.384]
004017A9 |. C745 08 00000000 mov [arg.1],0x0 ; the [arg.1] slot is reused as a local from here on
004017B0 |. 33D2 xor edx,edx
004017B2 |. B8 108B1E45 mov eax,0x451E8B10
004017B7 |. 8B0D 087A4300 mov ecx,dword ptr ds:[0x437A08]
004017BD |. F7F1 div ecx ; unsigned 32-bit divide: eax = 0x451E8B10 / [0x437A08]; a zero there raises #DE - check what writes 0x437A08 (possible exception-based trick, not traced here)
004017BF |. 8945 08 mov [arg.1],eax ; quotient becomes arg2 of the check; only its low 16 bits are used in there
004017C2 |. FF75 08 push [arg.1]
004017C5 |. 8D85 00FAFFFF lea eax,[local.384]
004017CB |. 50 push eax
004017CC |. E8 6F020000 call 12.00401A40 ; key CALL: the algorithm is in here
004017D1 |. 83C4 08 add esp,0x8 ; cdecl, 2 args
004017D4 |. C785 00FCFFFF D0633A79 mov [local.256],0x793A63D0 ; UTF-16LE "提示" - the MessageBox title
004017DE |. 85C0 test eax,eax
004017E0 |. 8D85 04FCFFFF lea eax,[local.255]
004017E6 |. 68 FA010000 push 0x1FA ; memset-like call zero-pads the title after its first dword
004017EB |. 6A 00 push 0x0
004017ED |. 50 push eax
004017EE |. 74 58 je short 12.00401848 ; check returned 0 -> jump to the "registration failed" box
004017F0 |. E8 6B6B0100 call 12.00418360
004017F5 |. 68 F6010000 push 0x1F6
004017FA |. 8D85 08FEFFFF lea eax,[local.126]
00401800 |. C785 00FEFFFF E86C8C51 mov [local.128],0x518C6CE8 ; UTF-16LE "注册"
0040180A |. 6A 00 push 0x0
0040180C |. 50 push eax
0040180D |. C785 04FEFFFF 10629F52 mov [local.127],0x529F6210 ; UTF-16LE "成功" -> text "注册成功"
00401817 |. E8 446B0100 call 12.00418360 ; zero-pads the text buffer
0040181C |. 83C4 18 add esp,0x18 ; pops both 3-arg calls at once
0040181F |. 8D85 00FCFFFF lea eax,[local.256] ; "registration succeeded" box
00401825 |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
00401827 |. 50 push eax ; |Title = ""
00401828 |. 8D85 00FEFFFF lea eax,[local.128] ; |
0040182E |. 50 push eax ; |Text = ""
0040182F |. 56 push esi ; |hOwner = 00F30658 ('CrackMe',class='#32770')
00401830 |. FF15 8CA14200 call dword ptr ds:[<&USER32.MessageBoxW>] ; \MessageBoxW
00401836 |. 6A 02 push 0x2 ; /Result = 0x2
00401838 |. 56 push esi ; |hWnd = 00F30658 ('CrackMe',class='#32770')
00401839 |. FF15 88A14200 call dword ptr ds:[<&USER32.EndDialog>] ; \EndDialog ; success path closes the dialog
0040183F |. 33C0 xor eax,eax
00401841 |. 5E pop esi
00401842 |. 8BE5 mov esp,ebp
00401844 |. 5D pop ebp
00401845 |. C2 1000 retn 0x10
00401848 |> E8 136B0100 call 12.00418360 ; failure path: same buffer setup with a different second dword
0040184D |. 68 F6010000 push 0x1F6
00401852 |. 8D85 08FEFFFF lea eax,[local.126]
00401858 |. C785 00FEFFFF E86C8C51 mov [local.128],0x518C6CE8 ; UTF-16LE "注册"
00401862 |. 6A 00 push 0x0
00401864 |. 50 push eax
00401865 |. C785 04FEFFFF 3159258D mov [local.127],0x8D255931 ; UTF-16LE "失败" -> text "注册失败"
0040186F |. E8 EC6A0100 call 12.00418360
00401874 |. 83C4 18 add esp,0x18
00401877 |. 8D85 00FCFFFF lea eax,[local.256] ; "registration failed" box
0040187D |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
0040187F |. 50 push eax ; |Title = ""
00401880 |. 8D85 00FEFFFF lea eax,[local.128] ; |
00401886 |. 50 push eax ; |Text = ""
00401887 |. 56 push esi ; |hOwner = 00F30658 ('CrackMe',class='#32770')
00401888 |. FF15 8CA14200 call dword ptr ds:[<&USER32.MessageBoxW>] ; \MessageBoxW
0040188E |. 33C0 xor eax,eax ; failure path leaves the dialog open
00401890 |. 5E pop esi
00401891 |. 8BE5 mov esp,ebp
00401893 |. 5D pop ebp
00401894 |. C2 1000 retn 0x10
00401897 |> 66:83F8 02 cmp ax,0x2 ; LOWORD(wParam) == 2 (IDCANCEL)?
0040189B |. 75 0B jnz short 12.004018A8
0040189D |. 6A 02 push 0x2 ; /Result = 0x2
0040189F |. FF75 08 push [arg.1] ; |hWnd = 00F30658 ('CrackMe',class='#32770')
004018A2 |. FF15 88A14200 call dword ptr ds:[<&USER32.EndDialog>] ; \EndDialog
004018A8 |> 33C0 xor eax,eax ; Default case of switch 0040174C
004018AA |. 8BE5 mov esp,ebp
004018AC |. 5D pop ebp
004018AD |. C2 1000 retn 0x10
004018B0 |> B8 01000000 mov eax,0x1 ; Case 110 of switch 0040174C ; WM_INITDIALOG -> TRUE
004018B5 |. 8BE5 mov esp,ebp
004018B7 |. 5D pop ebp
004018B8 \. C2 1000 retn 0x10
跟进 call 12.00401A40（关键 CALL，算法在此）。注意长度检查是 cmp edi,0x14 / jl，只有长度 < 20（最多 19 个字符）的 SN 才会继续计算，长度等于 20 也会直接返回 0。
; sub_401A40 - the serial check (cdecl: the caller fixes esp with add esp,0x8).
; [arg.1] = UTF-16 serial buffer, [arg.2] = quotient computed by the DlgProc
; (0x451E8B10 / [0x437A08]); only its low 16 bits matter because every use
; below truncates to ax before sign-extending.
; Loop registers: ebx = index i, edi = length, ecx = alphabet index of the last
; letter seen (never cleared inside the loop), esi/[local.1] = the substituted
; character, edx/[local.2] = running sum.
; Returns eax = 1 iff the sum equals 0x127514D (19353933), else 0.
; NOTE(review): each loop term is the xor of two sign-extended 16-bit values,
; so |term| <= 0x8000; with at most 19 terms |sum| <= 0x98000, far below
; 0x127514D - as shown here the comparison cannot succeed unless the constant
; or the code is changed at run time (not visible in this listing).
00401A40 /$ 55 push ebp ; the algorithm is in here
00401A41 |. 8BEC mov ebp,esp
00401A43 |. 83EC 0C sub esp,0xC
00401A46 |. 53 push ebx
00401A47 |. 56 push esi
00401A48 |. 57 push edi
00401A49 |. 8B7D 08 mov edi,[arg.1]
00401A4C |. 33D2 xor edx,edx ; sum = 0
00401A4E |. 33F6 xor esi,esi ; mapped = 0
00401A50 |. 8955 F8 mov [local.2],edx
00401A53 |. 8975 FC mov [local.1],esi
00401A56 |. 33C9 xor ecx,ecx ; alphabet index = 0
00401A58 |. 8D5F 02 lea ebx,dword ptr ds:[edi+0x2]
00401A5B |. EB 03 jmp short 12.00401A60
00401A5D | 8D49 00 lea ecx,dword ptr ds:[ecx] ; 3-byte alignment NOP, jumped over
00401A60 |> 66:8B07 /mov ax,word ptr ds:[edi] ; wcslen-style loop: counts 16-bit units up to the NUL
00401A63 |. 83C7 02 |add edi,0x2
00401A66 |. 66:85C0 |test ax,ax
00401A69 |.^ 75 F5 \jnz short 12.00401A60
00401A6B |. 2BFB sub edi,ebx
00401A6D |. D1FF sar edi,1 ; edi = length in characters
00401A6F |. 83FF 14 cmp edi,0x14 ; only len < 20 (max 19 chars) is accepted; len >= 20 falls through to "return 0"
00401A72 |. 7C 09 jl short 12.00401A7D
00401A74 |. 5F pop edi ; 004B1650
00401A75 |. 5E pop esi ; 004B1650
00401A76 |. 33C0 xor eax,eax ; return 0
00401A78 |. 5B pop ebx ; 004B1650
00401A79 |. 8BE5 mov esp,ebp
00401A7B |. 5D pop ebp ; 004B1650
00401A7C |. C3 retn
00401A7D |> 33DB xor ebx,ebx ; i = 0
00401A7F |. 85FF test edi,edi
00401A81 |. 7E 74 jle short 12.00401AF7 ; empty string: compare sum (0) straight away
00401A83 |. C745 F4 34000000 mov [local.3],0x34 ; modulus 52
00401A8A |. 8D9B 00000000 lea ebx,dword ptr ds:[ebx] ; 6-byte alignment NOP
00401A90 |> 8B45 08 /mov eax,[arg.1] ; loop: fetch each UTF-16 character
00401A93 |. 0FB71458 |movzx edx,word ptr ds:[eax+ebx*2]
00401A97 |. 8D42 9F |lea eax,dword ptr ds:[edx-0x61] ; lowercase test: (c - 'a') <= 0x19 as a 16-bit unsigned compare
00401A9A |. 66:83F8 19 |cmp ax,0x19
00401A9E |. 77 05 |ja short 12.00401AA5
00401AA0 |. 8D4A A0 |lea ecx,dword ptr ds:[edx-0x60] ; 'a'..'z' -> 1..26
00401AA3 |. EB 0C |jmp short 12.00401AB1
00401AA5 |> 8D42 BF |lea eax,dword ptr ds:[edx-0x41] ; uppercase test: (c - 'A') <= 0x19
00401AA8 |. 66:83F8 19 |cmp ax,0x19
00401AAC |. 77 03 |ja short 12.00401AB1
00401AAE |. 8D4A DA |lea ecx,dword ptr ds:[edx-0x26] ; 'A'..'Z' -> 27..52; any other character leaves ecx unchanged
00401AB1 |> 8D0449 |lea eax,dword ptr ds:[ecx+ecx*2] ; eax = 3 * index
00401AB4 |. 99 |cdq
00401AB5 |. F77D F4 |idiv [local.3] ; edx = (3 * index) % 52
00401AB8 |. 8D42 E5 |lea eax,dword ptr ds:[edx-0x1B] ; if 27 <= r <= 52: mapped = r + 38 ('A'..)
00401ABB |. 83F8 19 |cmp eax,0x19
00401ABE |. 77 05 |ja short 12.00401AC5
00401AC0 |. 8D42 26 |lea eax,dword ptr ds:[edx+0x26]
00401AC3 |. EB 0B |jmp short 12.00401AD0
00401AC5 |> 8D42 FF |lea eax,dword ptr ds:[edx-0x1] ; else if 1 <= r <= 26: mapped = r + 96 ('a'..'z')
00401AC8 |. 83F8 19 |cmp eax,0x19
00401ACB |. 77 09 |ja short 12.00401AD6 ; r == 0 ('Z', or no letter seen yet): keep the previous mapped value
00401ACD |. 8D42 60 |lea eax,dword ptr ds:[edx+0x60]
00401AD0 |> 0FB7F0 |movzx esi,ax
00401AD3 |. 8975 FC |mov [local.1],esi
00401AD6 |> 8B55 0C |mov edx,[arg.2] ; edx = arg2 - i
00401AD9 |. 2BD3 |sub edx,ebx
00401ADB |. 43 |inc ebx
00401ADC |. 8D0432 |lea eax,dword ptr ds:[edx+esi] ; esi = (int16)(arg2 - i + mapped)
00401ADF |. 0FBFF0 |movsx esi,ax
00401AE2 |. 8D42 61 |lea eax,dword ptr ds:[edx+0x61] ; eax = (int16)(arg2 - i + 'a')
00401AE5 |. 8B55 F8 |mov edx,[local.2]
00401AE8 |. 98 |cwde
00401AE9 |. 33F0 |xor esi,eax ; term in [-0x8000, 0x7FFF]
00401AEB |. 03D6 |add edx,esi ; sum += term
00401AED |. 8B75 FC |mov esi,[local.1]
00401AF0 |. 8955 F8 |mov [local.2],edx
00401AF3 |. 3BDF |cmp ebx,edi
00401AF5 |.^ 7C 99 \jl short 12.00401A90
00401AF7 |> 33C0 xor eax,eax
00401AF9 |. 81FA 4D512701 cmp edx,0x127514D ; target 19353933 (see the note above on reachability)
00401AFF |. 5F pop edi ; 004B1650
00401B00 |. 5E pop esi ; 004B1650
00401B01 |. 0f94c0 sete al ; ZF from the cmp survives the pops (pop does not touch flags)
00401B04 |. 5B pop ebx ; 004B1650
00401B05 |. 8BE5 mov esp,ebp
00401B07 |. 5D pop ebp ; 004B1650
00401B08 \. C3 retn
直接用 IDA，F5 后的代码如下。最后累加出来的值要与 0x127514D（十进制 19353933）相等才算注册成功。
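/*
 * Serial check of the dumped CrackMe, recovered from the IDA F5 output at
 * 0x401A40 and rewritten by hand for readability.  The dialog procedure at
 * 0x4017CC calls it with a1 = the UTF-16 serial read by GetDlgItemTextW and
 * a2 = the low 16 bits of (0x451E8B10 / *(DWORD *)0x437A08).
 *
 * Original prototype: int __cdecl sub_401A40(const unsigned __int16 *a1, __int16 a2)
 * __cdecl is the default on 32-bit MSVC and the MSVC-only __int16 spellings
 * are replaced by their <stdint.h> equivalents so the code builds with any
 * C11 compiler.  The length is counted in 16-bit units by hand: the original
 * wcslen() only matches the asm where wchar_t is 16 bits wide (Windows).
 *
 * Returns 1 if the accumulated checksum equals 0x127514D (19353933), else 0.
 *
 * NOTE(review): every loop term is the XOR of two sign-extended 16-bit values,
 * so |term| <= 0x8000, and with at most 19 characters |sum| <= 19 * 0x8000 =
 * 0x98000.  That is far below 0x127514D, so as decompiled the comparison can
 * never succeed; unless the constant or this code is rewritten at run time
 * (not visible in the listing), the "registered" path is unreachable.
 */

enum {
    SN_MAX_LEN = 20,        /* cmp edi,0x14 / jl: a length of 20 or more is rejected */
    SN_MODULUS = 52,        /* [local.3] = 0x34, divisor of the idiv */
    SN_TARGET  = 0x127514D  /* cmp edx,0x127514D; sete al */
};

/* Length of a NUL-terminated UTF-16 string in 16-bit units (the loop at 0x401A60). */
static size_t sn_u16len(const uint16_t *s)
{
    size_t n = 0;
    while (s[n] != 0) {
        n++;
    }
    return n;
}

/* Sign-extend the low 16 bits of v to int, as movsx/cwde do; portable
 * replacement for the (signed __int16) casts in the decompiled code. */
static int sn_sext16(unsigned int v)
{
    v &= 0xFFFFu;
    return v >= 0x8000u ? (int)v - 0x10000 : (int)v;
}

/* 1..26 for 'a'..'z', 27..52 for 'A'..'Z', 0 for any other code unit.
 * The comparisons are done on 16 bits, exactly like "cmp ax,0x19" in the asm. */
static int sn_alphabet_index(uint16_t c)
{
    if ((uint16_t)(c - 'a') <= 25u) {
        return c - 96;
    }
    if ((uint16_t)(c - 'A') <= 25u) {
        return c - 38;
    }
    return 0;
}

int sub_401A40(const uint16_t *a1, int16_t a2)
{
    size_t len = sn_u16len(a1);
    if (len >= SN_MAX_LEN) {
        return 0;
    }

    int index  = 0;  /* ecx: alphabet index; a non-letter keeps the previous one */
    int mapped = 0;  /* [local.1]/esi: substituted character of the current position */
    int sum    = 0;  /* [local.2]/edx: running checksum */

    for (size_t i = 0; i < len; i++) {
        int idx = sn_alphabet_index(a1[i]);
        if (idx != 0) {
            index = idx;
        }

        /* Affine substitution x -> 3x mod 52 over the 52-letter alphabet.
         * r == 0 happens for 'Z' (3*52 % 52) and before the first letter;
         * the asm then leaves [local.1] untouched. */
        int r = (3 * index) % SN_MODULUS;
        if (r >= 27) {
            mapped = r + 38;   /* 27..51 -> 'A'..'Y' */
        } else if (r >= 1) {
            mapped = r + 96;   /* 1..26  -> 'a'..'z' */
        }

        /* edx = arg2 - ebx, then both operands are truncated to 16 bits and
         * sign-extended (movsx / cwde) before the xor. */
        int k   = (int)a2 - (int)i;
        int lhs = sn_sext16((unsigned int)(k + mapped));
        int rhs = sn_sext16((unsigned int)(k + 'a'));
        sum += lhs ^ rhs;
    }

    return sum == SN_TARGET;
}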
这里只是把算法逆出来了，并没有去跑结果。感觉没这么简单、可能是坑，理由是：循环里每一项都是两个经 movsx/cwde 扩展的 16 位值做 xor，单项绝对值不超过 0x8000，而长度最多 19，所以累加和的绝对值最大也只有 19×0x8000 = 0x98000，远小于 0x127514D——按上面逆出的逻辑，这个比较永远不会成立，除非运行时有自修改代码或别处改写了常量/参数（本文没有跟到这一点，[0x437A08] 的来源和那几个被创建的进程值得再看）。高手勿喷，洗洗睡。