首页
社区
课程
招聘
[原创]第十一题 ToBeBetterCrackMe分析
2017-6-22 01:34 3444

[原创]第十一题 ToBeBetterCrackMe分析

2017-6-22 01:34
3444

此题未完成,只是脱壳后,分析到算法了,但感觉好像没这么简单,可能是坑。没有进行穷举,所以也没有最终的序列号了,只是分析下过程

工具:peid,od,ida

peid查发现有壳,直接拖进OD,提示有壳,直接点否

0044742C    C9                        leave
0044742D    C3                        retn
0044742E >  E8 ECFBFFFF               call 11-ToBeB.0044701F //跟进去
00447433    C3                        retn
00447434  - FF25 00804400             jmp dword ptr ds:[<&kernel32.CloseHandle>] ; kernel32.CloseHandle
0044743A  - FF25 04804400             jmp dword ptr ds:[<&kernel32.CreateFileA>] ; apphelp.56C265D0
00447440  - FF25 08804400             jmp dword ptr ds:[<&kernel32.CreateFileMap>; apphelp.56C24D20
00447446  - FF25 0C804400             jmp dword ptr ds:[<&kernel32.GetModuleFile>; kernel32.GetModuleFileNameA
0044744C  - FF25 10804400             jmp dword ptr ds:[<&kernel32.GetProcAddres>; kernel32.GetProcAddress
00447452  - FF25 14804400             jmp dword ptr ds:[<&kernel32.LoadLibraryA>>; kernel32.LoadLibraryA
00447458  - FF25 18804400             jmp dword ptr ds:[<&kernel32.MapViewOfFile>; kernel32.MapViewOfFile
0044745E  - FF25 1C804400             jmp dword ptr ds:[<&kernel32.RtlZeroMemory>; ntdll.RtlZeroMemory
00447464  - FF25 20804400             jmp dword ptr ds:[<&kernel32.UnmapViewOfFi>; kernel32.UnmapViewOfFile
0044746A  - FF25 24804400             jmp dword ptr ds:[<&kernel32.VirtualAlloc>>; kernel32.VirtualAlloc
00447470  - FF25 28804400             jmp dword ptr ds:[<&kernel32.VirtualFree>] ; kernel32.VirtualFree
00447476  - FF25 2C804400             jmp dword ptr ds:[<&kernel32.VirtualProtec>; kernel32.VirtualProtect

00447109    FFB5 F4FEFFFF             push dword ptr ss:[ebp-0x10C]
0044710F    E8 44030000               call <jmp.&kernel32.MapViewOfFile>
00447114    0BC0                      or eax,eax
00447116    75 05                     jnz short 11-ToBeB.0044711D
00447118    E9 8D020000               jmp 11-ToBeB.004473AA
0044711D    8985 F0FEFFFF             mov dword ptr ss:[ebp-0x110],eax
00447123    6A 40                     push 0x40
00447125    68 00100000               push 0x1000
0044712A    68 00500400               push 0x45000                               ; UNICODE "ms-win-core-file-ansi-l2-1-0"
0044712F    6A 00                     push 0x0
00447131    E8 34030000               call <jmp.&kernel32.VirtualAlloc>          ; 从0x00690000(每次运行地址不一样)分配了0x45000内存,用于解密PE文件
00447136    0BC0                      or eax,eax
00447138    75 05                     jnz short 11-ToBeB.0044713F
0044713A    E9 6B020000               jmp 11-ToBeB.004473AA
0044713F    8985 ECFEFFFF             mov dword ptr ss:[ebp-0x114],eax
00447145    8B85 F0FEFFFF             mov eax,dword ptr ss:[ebp-0x110]
0044714B    05 00100000               add eax,0x1000
00447150    68 00500400               push 0x45000                               ; UNICODE "ms-win-core-file-ansi-l2-1-0"
00447155    50                        push eax
00447156    FFB5 ECFEFFFF             push dword ptr ss:[ebp-0x114]
0044715C    FF15 34804400             call dword ptr ds:[<&msvcrt.memcpy>]       ; msvcrt.memcpy
00447162    83C4 0C                   add esp,0xC
00447165    B9 00000000               mov ecx,0x0
0044716A    8B85 ECFEFFFF             mov eax,dword ptr ss:[ebp-0x114]
00447170    EB 16                     jmp short 11-ToBeB.00447188
00447172    8BD1                      mov edx,ecx                                ; 解密PE文件
00447174    81C2 21079319             add edx,0x19930721
0044717A    3110                      xor dword ptr ds:[eax],edx
0044717C    0108                      add dword ptr ds:[eax],ecx
0044717E    8128 46925713             sub dword ptr ds:[eax],0x13579246
00447184    83C0 04                   add eax,0x4
00447187    41                        inc ecx
00447188    81F9 00140100             cmp ecx,0x11400
0044718E  ^ 72 E2                     jb short 11-ToBeB.00447172
00447190    8BB5 ECFEFFFF             mov esi,dword ptr ss:[ebp-0x114]
00447196    56                        push esi                                   ; 11-ToBeB.<ModuleEntryPoint>
00447197    E8 64FEFFFF               call 11-ToBeB.00447000
0044719C    0BC0                      or eax,eax
0044719E    75 05                     jnz short 11-ToBeB.004471A5
004471A0    E9 05020000               jmp 11-ToBeB.004473AA
004471A5    0376 3C                   add esi,dword ptr ds:[esi+0x3C]            ;PE文件相关字段设值
004471A8    0FB746 06                 movzx eax,word ptr ds:[esi+0x6]
004471AC    8985 E8FEFFFF             mov dword ptr ss:[ebp-0x118],eax
004471B2    0FB746 14                 movzx eax,word ptr ds:[esi+0x14]
004471B6    8985 E4FEFFFF             mov dword ptr ss:[ebp-0x11C],eax
004471BC    8B46 34                   mov eax,dword ptr ds:[esi+0x34]
004471BF    8985 D4FEFFFF             mov dword ptr ss:[ebp-0x12C],eax
004471C5    8B46 28                   mov eax,dword ptr ds:[esi+0x28]
004471C8    0385 D4FEFFFF             add eax,dword ptr ss:[ebp-0x12C]
004471CE    8985 E0FEFFFF             mov dword ptr ss:[ebp-0x120],eax
004471D4    8B46 50                   mov eax,dword ptr ds:[esi+0x50]
004471D7    8985 DCFEFFFF             mov dword ptr ss:[ebp-0x124],eax
004471DD    8B46 54                   mov eax,dword ptr ds:[esi+0x54]
004471E0    8985 D8FEFFFF             mov dword ptr ss:[ebp-0x128],eax
004471E6    8D86 80000000             lea eax,dword ptr ds:[esi+0x80]
004471EC    8B00                      mov eax,dword ptr ds:[eax]
004471EE    0385 D4FEFFFF             add eax,dword ptr ss:[ebp-0x12C]
004471F4    8985 CCFEFFFF             mov dword ptr ss:[ebp-0x134],eax
004471FA    8D85 C8FEFFFF             lea eax,dword ptr ss:[ebp-0x138]
00447200    50                        push eax
00447201    6A 40                     push 0x40
00447203    68 00500400               push 0x45000                               ; UNICODE "ms-win-core-file-ansi-l2-1-0"
00447208    FFB5 D4FEFFFF             push dword ptr ss:[ebp-0x12C]
0044720E    E8 63020000               call <jmp.&kernel32.VirtualProtect>
00447213    0BC0                      or eax,eax
00447215    75 05                     jnz short 11-ToBeB.0044721C
00447217    E9 8E010000               jmp 11-ToBeB.004473AA
0044721C    FFB5 D8FEFFFF             push dword ptr ss:[ebp-0x128]
00447222    FFB5 ECFEFFFF             push dword ptr ss:[ebp-0x114]
00447228    FFB5 D4FEFFFF             push dword ptr ss:[ebp-0x12C]
0044722E    FF15 34804400             call dword ptr ds:[<&msvcrt.memcpy>]       ; msvcrt.memcpy
00447234    83C4 0C                   add esp,0xC
00447237    8D76 18                   lea esi,dword ptr ds:[esi+0x18]
0044723A    03B5 E4FEFFFF             add esi,dword ptr ss:[ebp-0x11C]
00447240    89B5 D0FEFFFF             mov dword ptr ss:[ebp-0x130],esi           ; 11-ToBeB.<ModuleEntryPoint>
00447246    33C9                      xor ecx,ecx
00447248    EB 26                     jmp short 11-ToBeB.00447270
0044724A    8B5E 14                   mov ebx,dword ptr ds:[esi+0x14]            ; 定义4个节
0044724D    039D ECFEFFFF             add ebx,dword ptr ss:[ebp-0x114]
00447253    8B7E 0C                   mov edi,dword ptr ds:[esi+0xC]
00447256    03BD D4FEFFFF             add edi,dword ptr ss:[ebp-0x12C]
0044725C    51                        push ecx
0044725D    FF76 10                   push dword ptr ds:[esi+0x10]
00447260    53                        push ebx
00447261    57                        push edi                                   ; 11-ToBeB.<ModuleEntryPoint>
00447262    FF15 34804400             call dword ptr ds:[<&msvcrt.memcpy>]       ; msvcrt.memcpy
00447268    83C4 0C                   add esp,0xC
0044726B    59                        pop ecx                                    ; 11-ToBeB.<ModuleEntryPoint>
0044726C    41                        inc ecx
0044726D    83C6 28                   add esi,0x28
00447270    3B8D E8FEFFFF             cmp ecx,dword ptr ss:[ebp-0x118]
00447276  ^ 72 D2                     jb short 11-ToBeB.0044724A
00447278    8BB5 CCFEFFFF             mov esi,dword ptr ss:[ebp-0x134]
0044727E    6A 14                     push 0x14
00447280    8D85 B4FEFFFF             lea eax,dword ptr ss:[ebp-0x14C]
00447286    50                        push eax
00447287    56                        push esi                                   ; 11-ToBeB.<ModuleEntryPoint>
00447288    FF15 38804400             call dword ptr ds:[<&msvcrt.memcmp>]       ; msvcrt.memcmp
0044728E    83C4 0C                   add esp,0xC
00447291    0BC0                      or eax,eax
00447293    75 05                     jnz short 11-ToBeB.0044729A
00447295    E9 85000000               jmp 11-ToBeB.0044731F
0044729A    8B46 10                   mov eax,dword ptr ds:[esi+0x10]
0044729D    0385 D4FEFFFF             add eax,dword ptr ss:[ebp-0x12C]
004472A3    8338 00                   cmp dword ptr ds:[eax],0x0
004472A6    75 05                     jnz short 11-ToBeB.004472AD
004472A8    83C6 14                   add esi,0x14
004472AB  ^ EB D1                     jmp short 11-ToBeB.0044727E
004472AD    8B46 0C                   mov eax,dword ptr ds:[esi+0xC]
004472B0    0385 D4FEFFFF             add eax,dword ptr ss:[ebp-0x12C]
004472B6    50                        push eax
004472B7    E8 96010000               call <jmp.&kernel32.LoadLibraryA>
004472BC    0BC0                      or eax,eax
004472BE    75 02                     jnz short 11-ToBeB.004472C2
004472C0  ^ EB BC                     jmp short 11-ToBeB.0044727E
004472C2    8985 B0FEFFFF             mov dword ptr ss:[ebp-0x150],eax
004472C8    8B1E                      mov ebx,dword ptr ds:[esi]
004472CA    0BDB                      or ebx,ebx
004472CC    75 03                     jnz short 11-ToBeB.004472D1
004472CE    8B5E 10                   mov ebx,dword ptr ds:[esi+0x10]
004472D1    039D D4FEFFFF             add ebx,dword ptr ss:[ebp-0x12C]
004472D7    8B7E 10                   mov edi,dword ptr ds:[esi+0x10]
004472DA    03BD D4FEFFFF             add edi,dword ptr ss:[ebp-0x12C]
004472E0    EB 30                     jmp short 11-ToBeB.00447312
004472E2    F703 00000080             test dword ptr ds:[ebx],0x80000000         ; 找系统函数,并静态调用KERNEL32.dll,USER32.dll
004472E8    74 09                     je short 11-ToBeB.004472F3
004472EA    8B03                      mov eax,dword ptr ds:[ebx]
004472EC    25 FFFF0000               and eax,0xFFFF
004472F1    EB 0B                     jmp short 11-ToBeB.004472FE
004472F3    8B03                      mov eax,dword ptr ds:[ebx]
004472F5    0385 D4FEFFFF             add eax,dword ptr ss:[ebp-0x12C]
004472FB    8D40 02                   lea eax,dword ptr ds:[eax+0x2]
004472FE    50                        push eax
004472FF    FFB5 B0FEFFFF             push dword ptr ss:[ebp-0x150]
00447305    E8 42010000               call <jmp.&kernel32.GetProcAddress>
0044730A    8907                      mov dword ptr ds:[edi],eax
0044730C    83C3 04                   add ebx,0x4
0044730F    83C7 04                   add edi,0x4
00447312    833B 00                   cmp dword ptr ds:[ebx],0x0
00447315  ^ 75 CB                     jnz short 11-ToBeB.004472E2
00447317    83C6 14                   add esi,0x14
0044731A  ^ E9 5FFFFFFF               jmp 11-ToBeB.0044727E
0044731F    83BD ECFEFFFF 00          cmp dword ptr ss:[ebp-0x114],0x0
00447326    74 1C                     je short 11-ToBeB.00447344
00447328    68 00800000               push 0x8000
0044732D    6A 00                     push 0x0
0044732F    FFB5 ECFEFFFF             push dword ptr ss:[ebp-0x114]
00447335    E8 36010000               call <jmp.&kernel32.VirtualFree>           ;此处一定要先在内存中把解密的PE文件先dump出来,不然会被清空
0044733A    C785 F0FEFFFF 00000000    mov dword ptr ss:[ebp-0x110],0x0
00447344    83BD F0FEFFFF 00          cmp dword ptr ss:[ebp-0x110],0x0
0044734B    74 15                     je short 11-ToBeB.00447362

解密的PE文件,在地址0x00690000,注意这是我本机的地址,而且每次都不一样的

下面是dump出来的PE文件,可以看到有4个节和两个dll及相关的系统函数

将dump的PE文件拖进OD,发现有创建了几个进程,跟到00401690,

00401690  /$  55                      push ebp
00401691  |.  8BEC                    mov ebp,esp
00401693  |.  83EC 70                 sub esp,0x70
00401696  |.  803D 509B4300 00        cmp byte ptr ds:[0x439B50],0x0
0040169D  |.  0F84 88000000           je 12.0040172B
004016A3  |.  E8 08FFFFFF             call 12.004015B0
004016A8  |.  803D 519B4300 00        cmp byte ptr ds:[0x439B51],0x0
004016AF  |.  74 1C                   je short 12.004016CD                       ;这里不能跳,显示主界面
004016B1  |.  6A 00                   push 0x0                                   ; /lParam = NULL
004016B3  |.  68 40174000             push 12.00401740                           ; |DlgProc = 12.00401740 ;关键,点击按钮处理函数在里面
004016B8  |.  6A 00                   push 0x0                                   ; |hOwner = NULL
004016BA  |.  6A 67                   push 0x67                                  ; |pTemplate = 0x67
004016BC  |.  FF75 08                 push [arg.1]                               ; |hInst = 003BE000
004016BF  |.  FF15 94A14200           call dword ptr ds:[<&USER32.DialogBoxParam>; \DialogBoxParamW
004016C5  |.  33C0                    xor eax,eax
004016C7  |.  8BE5                    mov esp,ebp
004016C9  |.  5D                      pop ebp                                    ;  12.004182DC
004016CA  |.  C2 1000                 retn 0x10
004016CD  |>  8D4D 90                 lea ecx,[local.28]
004016D0  |.  E8 0BF10000             call 12.004107E0
004016D5  |.  E8 C6FEFFFF             call 12.004015A0
004016DA  |.  8D4D EC                 lea ecx,[local.5]
004016DD  |.  8B40 30                 mov eax,dword ptr ds:[eax+0x30]
004016E0  |.  50                      push eax
004016E1  |.  E8 AAEB0000             call 12.00410290
004016E6  |.  8D4D 90                 lea ecx,[local.28]
004016E9  |.  E8 C2FE0000             call 12.004115B0
004016EE  |.  8D45 EC                 lea eax,[local.5]
004016F1  |.  50                      push eax
004016F2  |.  8D4D 94                 lea ecx,[local.27]
004016F5  |.  E8 66180000             call 12.00402F60
004016FA  |.  8D4D EC                 lea ecx,[local.5]
004016FD  |.  E8 2EEC0000             call 12.00410330
00401702  |.  FF35 A0404300           push dword ptr ds:[0x4340A0]               ;  12.00401C30
00401708  |.  8D4D 90                 lea ecx,[local.28]
0040170B  |.  E8 30FF0000             call 12.00411640
00401710  |.  6A 20                   push 0x20
00401712  |.  8D4D 90                 lea ecx,[local.28]
00401715  |.  E8 26F40000             call 12.00410B40
0040171A  |.  50                      push eax
0040171B  |.  8D4D 90                 lea ecx,[local.28]
0040171E  |.  E8 EDFC0000             call 12.00411410
00401723  |.  8D4D 90                 lea ecx,[local.28]
00401726  |.  E8 F5F10000             call 12.00410920
0040172B  |>  33C0                    xor eax,eax
0040172D  |.  8BE5                    mov esp,ebp
0040172F  |.  5D                      pop ebp                                    ;  12.004182DC
00401730  \.  C2 1000                 retn 0x10

这时主界面已经显示出来,在004017A3处下断,输入SN确定

成功断在004017A3处,获取SN

004017A3  |.  FF15 90A14200           call dword ptr ds:[<&USER32.GetDlgItemText>; \GetDlgItemTextW

00401740  /.  55                      push ebp
00401741  |.  8BEC                    mov ebp,esp
00401743  |.  8B45 0C                 mov eax,[arg.2]
00401746  |.  81EC 00060000           sub esp,0x600
0040174C  |.  2D 10010000             sub eax,0x110                              ;  Switch (cases 110..111)
00401751  |.  0F84 59010000           je 12.004018B0
00401757  |.  48                      dec eax
00401758  |.  0F85 4A010000           jnz 12.004018A8
0040175E  |.  8B45 10                 mov eax,[arg.3]                            ;  Case 111 of switch 0040174C
00401761  |.  B9 E8030000             mov ecx,0x3E8
00401766  |.  66:3BC1                 cmp ax,cx
00401769  |.  0F85 28010000           jnz 12.00401897
0040176F  |.  56                      push esi
00401770  |.  33C0                    xor eax,eax
00401772  |.  68 FC010000             push 0x1FC
00401777  |.  50                      push eax
00401778  |.  66:8985 00FAFFFF        mov word ptr ss:[ebp-0x600],ax
0040177F  |.  8D85 02FAFFFF           lea eax,dword ptr ss:[ebp-0x5FE]
00401785  |.  50                      push eax
00401786  |.  E8 D56B0100             call 12.00418360
0040178B  |.  8B75 08                 mov esi,[arg.1]
0040178E  |.  8D85 00FAFFFF           lea eax,[local.384]
00401794  |.  83C4 0C                 add esp,0xC
00401797  |.  68 FE010000             push 0x1FE                                 ; /Count = 1FE (510.)
0040179C  |.  50                      push eax                                   ; |Buffer = 0019F104
0040179D  |.  68 E9030000             push 0x3E9                                 ; |ControlID = 3E9 (1001.)
004017A2  |.  56                      push esi                                   ; |hWnd = 00F30658 ('CrackMe',class='#32770')
004017A3  |.  FF15 90A14200           call dword ptr ds:[<&USER32.GetDlgItemText>; \GetDlgItemTextW           ;获取SN
004017A9  |.  C745 08 00000000        mov [arg.1],0x0
004017B0  |.  33D2                    xor edx,edx
004017B2  |.  B8 108B1E45             mov eax,0x451E8B10
004017B7  |.  8B0D 087A4300           mov ecx,dword ptr ds:[0x437A08]
004017BD  |.  F7F1                    div ecx
004017BF  |.  8945 08                 mov [arg.1],eax
004017C2  |.  FF75 08                 push [arg.1]
004017C5  |.  8D85 00FAFFFF           lea eax,[local.384]
004017CB  |.  50                      push eax
004017CC  |.  E8 6F020000             call 12.00401A40                           ;  关键CALL,算法在此
004017D1  |.  83C4 08                 add esp,0x8
004017D4  |.  C785 00FCFFFF D0633A79  mov [local.256],0x793A63D0
004017DE  |.  85C0                    test eax,eax
004017E0  |.  8D85 04FCFFFF           lea eax,[local.255]
004017E6  |.  68 FA010000             push 0x1FA
004017EB  |.  6A 00                   push 0x0
004017ED  |.  50                      push eax
004017EE  |.  74 58                   je short 12.00401848                      ;此处跳到注册失败弹出框
004017F0  |.  E8 6B6B0100             call 12.00418360
004017F5  |.  68 F6010000             push 0x1F6
004017FA  |.  8D85 08FEFFFF           lea eax,[local.126]
00401800  |.  C785 00FEFFFF E86C8C51  mov [local.128],0x518C6CE8
0040180A  |.  6A 00                   push 0x0
0040180C  |.  50                      push eax
0040180D  |.  C785 04FEFFFF 10629F52  mov [local.127],0x529F6210
00401817  |.  E8 446B0100             call 12.00418360
0040181C  |.  83C4 18                 add esp,0x18
0040181F  |.  8D85 00FCFFFF           lea eax,[local.256]                        ;此处注册成功弹出框
00401825  |.  6A 00                   push 0x0                                   ; /Style = MB_OK|MB_APPLMODAL
00401827  |.  50                      push eax                                   ; |Title = ""
00401828  |.  8D85 00FEFFFF           lea eax,[local.128]                        ; |
0040182E  |.  50                      push eax                                   ; |Text = ""
0040182F  |.  56                      push esi                                   ; |hOwner = 00F30658 ('CrackMe',class='#32770')
00401830  |.  FF15 8CA14200           call dword ptr ds:[<&USER32.MessageBoxW>]  ; \MessageBoxW
00401836  |.  6A 02                   push 0x2                                   ; /Result = 0x2
00401838  |.  56                      push esi                                   ; |hWnd = 00F30658 ('CrackMe',class='#32770')
00401839  |.  FF15 88A14200           call dword ptr ds:[<&USER32.EndDialog>]    ; \EndDialog
0040183F  |.  33C0                    xor eax,eax
00401841  |.  5E                      pop esi
00401842  |.  8BE5                    mov esp,ebp
00401844  |.  5D                      pop ebp
00401845  |.  C2 1000                 retn 0x10
00401848  |>  E8 136B0100             call 12.00418360
0040184D  |.  68 F6010000             push 0x1F6
00401852  |.  8D85 08FEFFFF           lea eax,[local.126]
00401858  |.  C785 00FEFFFF E86C8C51  mov [local.128],0x518C6CE8
00401862  |.  6A 00                   push 0x0
00401864  |.  50                      push eax
00401865  |.  C785 04FEFFFF 3159258D  mov [local.127],0x8D255931
0040186F  |.  E8 EC6A0100             call 12.00418360
00401874  |.  83C4 18                 add esp,0x18
00401877  |.  8D85 00FCFFFF           lea eax,[local.256]                        ;此处注册失败弹出框
0040187D  |.  6A 00                   push 0x0                                   ; /Style = MB_OK|MB_APPLMODAL
0040187F  |.  50                      push eax                                   ; |Title = ""
00401880  |.  8D85 00FEFFFF           lea eax,[local.128]                        ; |
00401886  |.  50                      push eax                                   ; |Text = ""
00401887  |.  56                      push esi                                   ; |hOwner = 00F30658 ('CrackMe',class='#32770')
00401888  |.  FF15 8CA14200           call dword ptr ds:[<&USER32.MessageBoxW>]  ; \MessageBoxW
0040188E  |.  33C0                    xor eax,eax
00401890  |.  5E                      pop esi
00401891  |.  8BE5                    mov esp,ebp
00401893  |.  5D                      pop ebp
00401894  |.  C2 1000                 retn 0x10
00401897  |>  66:83F8 02              cmp ax,0x2
0040189B  |.  75 0B                   jnz short 12.004018A8
0040189D  |.  6A 02                   push 0x2                                   ; /Result = 0x2
0040189F  |.  FF75 08                 push [arg.1]                               ; |hWnd = 00F30658 ('CrackMe',class='#32770')
004018A2  |.  FF15 88A14200           call dword ptr ds:[<&USER32.EndDialog>]    ; \EndDialog
004018A8  |>  33C0                    xor eax,eax                                ;  Default case of switch 0040174C
004018AA  |.  8BE5                    mov esp,ebp
004018AC  |.  5D                      pop ebp
004018AD  |.  C2 1000                 retn 0x10
004018B0  |>  B8 01000000             mov eax,0x1                                ;  Case 110 of switch 0040174C
004018B5  |.  8BE5                    mov esp,ebp
004018B7  |.  5D                      pop ebp
004018B8  \.  C2 1000                 retn 0x10

跟进到call 12.00401A40 ;  关键CALL,算法在此,长度<=20

00401A40  /$  55                      push ebp                                   ;  算法在此
00401A41  |.  8BEC                    mov ebp,esp
00401A43  |.  83EC 0C                 sub esp,0xC
00401A46  |.  53                      push ebx
00401A47  |.  56                      push esi
00401A48  |.  57                      push edi
00401A49  |.  8B7D 08                 mov edi,[arg.1]
00401A4C  |.  33D2                    xor edx,edx
00401A4E  |.  33F6                    xor esi,esi
00401A50  |.  8955 F8                 mov [local.2],edx
00401A53  |.  8975 FC                 mov [local.1],esi
00401A56  |.  33C9                    xor ecx,ecx
00401A58  |.  8D5F 02                 lea ebx,dword ptr ds:[edi+0x2]
00401A5B  |.  EB 03                   jmp short 12.00401A60
00401A5D  |   8D49 00                 lea ecx,dword ptr ds:[ecx]
00401A60  |>  66:8B07                 /mov ax,word ptr ds:[edi]                  ;  strlen
00401A63  |.  83C7 02                 |add edi,0x2
00401A66  |.  66:85C0                 |test ax,ax
00401A69  |.^ 75 F5                   \jnz short 12.00401A60
00401A6B  |.  2BFB                    sub edi,ebx
00401A6D  |.  D1FF                    sar edi,1
00401A6F  |.  83FF 14                 cmp edi,0x14                               ;  len<=20
00401A72  |.  7C 09                   jl short 12.00401A7D
00401A74  |.  5F                      pop edi                                    ;  004B1650
00401A75  |.  5E                      pop esi                                    ;  004B1650
00401A76  |.  33C0                    xor eax,eax
00401A78  |.  5B                      pop ebx                                    ;  004B1650
00401A79  |.  8BE5                    mov esp,ebp
00401A7B  |.  5D                      pop ebp                                    ;  004B1650
00401A7C  |.  C3                      retn
00401A7D  |>  33DB                    xor ebx,ebx
00401A7F  |.  85FF                    test edi,edi
00401A81  |.  7E 74                   jle short 12.00401AF7                      ;  len>0
00401A83  |.  C745 F4 34000000        mov [local.3],0x34
00401A8A  |.  8D9B 00000000           lea ebx,dword ptr ds:[ebx]
00401A90  |>  8B45 08                 /mov eax,[arg.1]                           ;  循环取每个字符
00401A93  |.  0FB71458                |movzx edx,word ptr ds:[eax+ebx*2]
00401A97  |.  8D42 9F                 |lea eax,dword ptr ds:[edx-0x61]           ;(v8 - 97) > 0x19
00401A9A  |.  66:83F8 19              |cmp ax,0x19
00401A9E  |.  77 05                   |ja short 12.00401AA5
00401AA0  |.  8D4A A0                 |lea ecx,dword ptr ds:[edx-0x60]           ;v8 - 96
00401AA3  |.  EB 0C                   |jmp short 12.00401AB1
00401AA5  |>  8D42 BF                 |lea eax,dword ptr ds:[edx-0x41]
00401AA8  |.  66:83F8 19              |cmp ax,0x19
00401AAC  |.  77 03                   |ja short 12.00401AB1
00401AAE  |.  8D4A DA                 |lea ecx,dword ptr ds:[edx-0x26]
00401AB1  |>  8D0449                  |lea eax,dword ptr ds:[ecx+ecx*2]
00401AB4  |.  99                      |cdq
00401AB5  |.  F77D F4                 |idiv [local.3]
00401AB8  |.  8D42 E5                 |lea eax,dword ptr ds:[edx-0x1B]           ;   - 27
00401ABB  |.  83F8 19                 |cmp eax,0x19
00401ABE  |.  77 05                   |ja short 12.00401AC5
00401AC0  |.  8D42 26                 |lea eax,dword ptr ds:[edx+0x26]
00401AC3  |.  EB 0B                   |jmp short 12.00401AD0
00401AC5  |>  8D42 FF                 |lea eax,dword ptr ds:[edx-0x1]
00401AC8  |.  83F8 19                 |cmp eax,0x19
00401ACB  |.  77 09                   |ja short 12.00401AD6
00401ACD  |.  8D42 60                 |lea eax,dword ptr ds:[edx+0x60]
00401AD0  |>  0FB7F0                  |movzx esi,ax
00401AD3  |.  8975 FC                 |mov [local.1],esi
00401AD6  |>  8B55 0C                 |mov edx,[arg.2]
00401AD9  |.  2BD3                    |sub edx,ebx
00401ADB  |.  43                      |inc ebx
00401ADC  |.  8D0432                  |lea eax,dword ptr ds:[edx+esi]
00401ADF  |.  0FBFF0                  |movsx esi,ax
00401AE2  |.  8D42 61                 |lea eax,dword ptr ds:[edx+0x61]
00401AE5  |.  8B55 F8                 |mov edx,[local.2]
00401AE8  |.  98                      |cwde
00401AE9  |.  33F0                    |xor esi,eax
00401AEB  |.  03D6                    |add edx,esi
00401AED  |.  8B75 FC                 |mov esi,[local.1]
00401AF0  |.  8955 F8                 |mov [local.2],edx
00401AF3  |.  3BDF                    |cmp ebx,edi
00401AF5  |.^ 7C 99                   \jl short 12.00401A90
00401AF7  |>  33C0                    xor eax,eax
00401AF9  |.  81FA 4D512701           cmp edx,0x127514D
00401AFF  |.  5F                      pop edi                                    ;  004B1650
00401B00  |.  5E                      pop esi                                    ;  004B1650
00401B01  |.  0f94c0                  sete al
00401B04  |.  5B                      pop ebx                                    ;  004B1650
00401B05  |.  8BE5                    mov esp,ebp
00401B07  |.  5D                      pop ebp                                    ;  004B1650
00401B08  \.  C3                      retn

直接用IDA,F5后的代码如下,最后算出来的值与19353933要相等

int __cdecl sub_401A40(const unsigned __int16 *a1, __int16 a2)
{
  int v2; // edx@1
  __int16 v3; // si@1
  int v4; // ecx@1
  signed int v5; // edi@1
  signed int v7; // ebx@3
  int v8; // edx@4
  int v9; // edx@8
  __int16 v10; // ax@9
  __int16 v11; // dx@13
  int v12; // [sp+10h] [bp-8h]@1
  __int16 v13; // [sp+14h] [bp-4h]@1
  v2 = 0;
  v3 = 0;
  v12 = 0;
  v13 = 0;
  v4 = 0;
  v5 = wcslen(a1);
  if ( v5 >= 20 )
    return 0;
  v7 = 0;
  if ( v5 > 0 )
  {
    while ( 1 )
    {
      v8 = a1[v7];
      if ( (unsigned __int16)(v8 - 97) > 0x19u )
      {
        if ( (unsigned __int16)(v8 - 65) <= 0x19u )
          v4 = v8 - 38;
      }
      else
      {
        v4 = v8 - 96;
      }
      v9 = 3 * v4 % 52;
      if ( (unsigned int)(v9 - 27) <= 0x19 )
        break;
      if ( (unsigned int)(v9 - 1) <= 0x19 )
      {
        v10 = v9 + 96;
        goto LABEL_12;
      }
LABEL_13:
      v11 = a2 - v7++;
      v2 = ((signed __int16)(v11 + 97) ^ (signed __int16)(v11 + v3)) + v12;
      v3 = v13;
      v12 = v2;
      if ( v7 >= v5 )
        return v2 == 19353933;
    }
    v10 = v9 + 38;
LABEL_12:
    v3 = v10;
    v13 = v10;
    goto LABEL_13;
  }
  return v2 == 19353933;
}

这里只是将算法逆出来了,但感觉好像没这么简单,可能是坑。并没有去跑结果,高手勿喷,洗洗睡





[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法

收藏
免费 1
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回