开头包装的一层调用可以手动清理出来,他调用了sub_4026D2作为窗口回调,在WM_COMMAND里面
会再执行一次crackme,将入口点改为
0x401000通过调用Decompress函数,解压数据
类似格式是
在这里进行调用,v47用于加密,v45用于最后的验证
通过强制F5了几个函数发现,对应输入只进行了基于字节的异或加密、交换、查表,修改其中一个字节,只会对加密结果产生一个字节的影响。
这些代码花式调用了大量API,拖慢了计算速度,同时也有反调试。
其实根据附带的题目描述我感觉是叫你硬看,但我就偏要硬爆
将最后一个函数F5找到比对逻辑,将其导出。
将原始文件patch 入口点,push 0x402d4c call 0x401000 后 跟一个int3,然后nop掉0x04026C8的ExitProcess,到达int3后读取和重写flag的值,然后更改Eip为入口点进行下次爆破。
需要用到ScyllaHide,爆的时候执行一下InjectorCLIx86.exe sb.exe HookLibraryx86.dll nowait加载一下反反调试,配置文件选Themida x86/x64。
预计时间是(128 + 94) * 10 / 60 = 37分钟,
v21 = (*(int (__stdcall **)(int, int))(dword_4ABE44 + 92))(a1, 1001);// GetDlgItem
if ( v21 )
{
for ( i = 0; i < 0x100; ++i )
v7[i] = 0;
v42 = (*(int (__stdcall **)(int))(v35 + 96))(v21);// GetWindowTextLengthA
if ( v42 <= 210 && v42 >= 1 )
{
(*(void (__stdcall **)(int, char *, int))(v35 + 100))(v21, v7, 255);// GetWindowTextA
v42 = (*(int (__stdcall **)(char *))(v35 + 24))(v7);// lstrlenA
if ( v42 >= 1 && v42 <= 128 )
{
for ( j = v42; j < 128; ++j )
{
if ( j % 2 )
v7[j] = 0x20;
else
v7[j] = 0x7F;
}
v34 = 1;
}
else
{
v34 = 0;
}
}
else
{
v34 = 0;
}
}
else
{
v34 = 0;
}
if ( v34 )
{
v43 = dword_4ABE44;
if ( (*(int (__stdcall **)(_DWORD, char *, int))(dword_4ABE44 + 56))(0, v5, 255) )
{
strcpy(v27, "h");
v27[2] = 0;
v27[3] = 0;
v27[4] = 0;
v27[5] = 0xB8;
v27[6] = 0;
v27[7] = 0;
v27[8] = 0;
v27[9] = 0;
v27[10] = 0xFF;
v27[11] = 0xD0;
Eax = 0;
v31 = 0;
v8[17] = 0xFFFFFFFF;
for ( k = 0; k < 0x44; ++k )
*((_BYTE *)v8 + k) = 0;
v8[0] = 68;
for ( m = 0; m < 0x10; ++m )
*((_BYTE *)&v37 + m) = 0;
if ( (*(int (__stdcall **)(char *, _DWORD, _DWORD, _DWORD, _DWORD, int, _DWORD, _DWORD, int *, int *))(v43 + 28))(// CreateProcessW
v5,
0,
0,
0,
0,
4,
0,
0,
v8,
&v37) )
{
v6.ContextFlags = 0x10007;
if ( !(*(int (__stdcall **)(int, CONTEXT *))(v43 + 32))(v38, &v6) )// GetThreadContext
goto LABEL_69;
Eax = v6.Eax;
v31 = (*(int (__stdcall **)(int, _DWORD, int, int, int))(v43 + 44))(v37, 0, 128, 4096, 4);
if ( !v31 )
goto LABEL_69;
for ( n = 0; n < 0x80; n += v17 )
{
v17 = 0;
if ( !(*(int (__stdcall **)(int, unsigned int, char *, unsigned int, int *))(v43
+ 0x30))(// WriteProcessMemory
v37,
n + v31,
&v7[n],
128 - n,
&v17) )
{
v16 = 0;
goto LABEL_45;
}
}
v16 = 1;
if ( !v16 )
goto LABEL_69;
LABEL_45:
v20 = (PIMAGE_DOS_HEADER)(*(int (__stdcall **)(_DWORD))(v43 + 20))(0);// GetModuleHandleW
v10 = (int)v20 + v20->e_lfanew;
v9 = Eax - *(_DWORD *)(v10 + 40);
v11 = (char *)sub_401000 - (char *)v20;
*(_DWORD *)&v27[1] = v31;
*(_DWORD *)&v27[6] = (char *)sub_401000 - (char *)v20 + v9;
for ( ii = 0; ii < 0xC; ii += v15 )
{
v15 = 0;
if ( !(*(int (__stdcall **)(int, unsigned int, char *, unsigned int, int *))(v43 + 48))(
v37,
ii + Eax,
&v27[ii],
12 - ii,
&v15) )
{
v14 = 0;
goto LABEL_52;
}
}
v14 = 1;
LABEL_52:
if ( v14 )
{
(*(void (__stdcall **)(int))(v43 + 36))(v38);// ResumeThread
v30 = 2;
if ( (*(int (__stdcall **)(int, int))(v43 + 60))(v37, 30000) )// WaitForSingleObject
{
(*(void (__stdcall **)(int, int))(v43 + 64))(v37, 2);// TerminateProcess
}
else
{
v18 = 0;
if ( (*(int (__stdcall **)(int, int *))(v43 + 52))(v37, &v18) && v18 != 2 )// GetExitCodeProcess
v30 = v18;
}
v21 = (*(int (__stdcall **)(int, int))(dword_4ABE44 + 92))(a1, 1001);// GetDlgItem
if ( v21 )
{
for ( i = 0; i < 0x100; ++i )
v7[i] = 0;
v42 = (*(int (__stdcall **)(int))(v35 + 96))(v21);// GetWindowTextLengthA
if ( v42 <= 210 && v42 >= 1 )
{
(*(void (__stdcall **)(int, char *, int))(v35 + 100))(v21, v7, 255);// GetWindowTextA
v42 = (*(int (__stdcall **)(char *))(v35 + 24))(v7);// lstrlenA
if ( v42 >= 1 && v42 <= 128 )
{
for ( j = v42; j < 128; ++j )
{
if ( j % 2 )
v7[j] = 0x20;
else
v7[j] = 0x7F;
}
v34 = 1;
}
else
{
v34 = 0;
}
}
else
{
v34 = 0;
}
}
else
{
v34 = 0;
}
if ( v34 )
{
v43 = dword_4ABE44;
if ( (*(int (__stdcall **)(_DWORD, char *, int))(dword_4ABE44 + 56))(0, v5, 255) )
{
strcpy(v27, "h");
v27[2] = 0;
v27[3] = 0;
v27[4] = 0;
v27[5] = 0xB8;
v27[6] = 0;
v27[7] = 0;
v27[8] = 0;
v27[9] = 0;
v27[10] = 0xFF;
v27[11] = 0xD0;
Eax = 0;
v31 = 0;
v8[17] = 0xFFFFFFFF;
for ( k = 0; k < 0x44; ++k )
*((_BYTE *)v8 + k) = 0;
v8[0] = 68;
for ( m = 0; m < 0x10; ++m )
*((_BYTE *)&v37 + m) = 0;
if ( (*(int (__stdcall **)(char *, _DWORD, _DWORD, _DWORD, _DWORD, int, _DWORD, _DWORD, int *, int *))(v43 + 28))(// CreateProcessW
v5,
0,
0,
0,
0,
4,
0,
0,
v8,
&v37) )
{
v6.ContextFlags = 0x10007;
if ( !(*(int (__stdcall **)(int, CONTEXT *))(v43 + 32))(v38, &v6) )// GetThreadContext
goto LABEL_69;
Eax = v6.Eax;
v31 = (*(int (__stdcall **)(int, _DWORD, int, int, int))(v43 + 44))(v37, 0, 128, 4096, 4);
if ( !v31 )
goto LABEL_69;
for ( n = 0; n < 0x80; n += v17 )
{
v17 = 0;
if ( !(*(int (__stdcall **)(int, unsigned int, char *, unsigned int, int *))(v43
+ 0x30))(// WriteProcessMemory
v37,
n + v31,
&v7[n],
128 - n,
&v17) )
{
v16 = 0;
goto LABEL_45;
}
}
v16 = 1;
if ( !v16 )
goto LABEL_69;
LABEL_45:
v20 = (PIMAGE_DOS_HEADER)(*(int (__stdcall **)(_DWORD))(v43 + 20))(0);// GetModuleHandleW
v10 = (int)v20 + v20->e_lfanew;
v9 = Eax - *(_DWORD *)(v10 + 40);
v11 = (char *)sub_401000 - (char *)v20;
*(_DWORD *)&v27[1] = v31;
*(_DWORD *)&v27[6] = (char *)sub_401000 - (char *)v20 + v9;
for ( ii = 0; ii < 0xC; ii += v15 )
{
v15 = 0;
if ( !(*(int (__stdcall **)(int, unsigned int, char *, unsigned int, int *))(v43 + 48))(
v37,
ii + Eax,
&v27[ii],
12 - ii,
&v15) )
{
v14 = 0;
goto LABEL_52;
}
}
v14 = 1;
LABEL_52:
if ( v14 )
{
(*(void (__stdcall **)(int))(v43 + 36))(v38);// ResumeThread
v30 = 2;
if ( (*(int (__stdcall **)(int, int))(v43 + 60))(v37, 30000) )// WaitForSingleObject
{
(*(void (__stdcall **)(int, int))(v43 + 64))(v37, 2);// TerminateProcess
}
else
{
v18 = 0;
if ( (*(int (__stdcall **)(int, int *))(v43 + 52))(v37, &v18) && v18 != 2 )// GetExitCodeProcess
v30 = v18;
}
push input
mov eax,0x401000
call eax
push input
mov eax,0x401000
call eax
struct CodeData{
uint32_t CodeSize;
uint8_t code[CodeSize];
};
struct CodeData{
uint32_t CodeSize;
uint8_t code[CodeSize];
};
if ( v38 )
{
v90 = 0;
v29[0] = 5;
v29[1] = 0;
v29[2] = 4;
v29[3] = 3;
v29[4] = 2;
v29[5] = 1;
for ( ii = 0; ii < 6; ++ii )
{
v32 = v29[ii];
v92 = 0;
v47 = 0;
for ( jj = 0; jj <= v32; ++jj )
{
v47 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD))(v108[30] + v92 + 4);
v46 = *(_DWORD *)(v108[30] + v92);
v92 += v46 + 4;
}
v90 = v47;
if ( !v47(*v108, v108[1], v108[2], a1) )
goto LABEL_134;
}
v56 = 1;
v91 = 0;
v45 = 0;
for ( kk = 0; kk <= 6; ++kk )
{
v45 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD))(v108[30] + v91 + 4);
v48 = *(_DWORD *)(v108[30] + v91);
v91 += v48 + 4;
}
v90 = v45;
if ( !v45(*v108, v108[1], v108[2], a1) )
v56 = 0;
}
if ( v38 )
{
v90 = 0;
v29[0] = 5;
v29[1] = 0;
v29[2] = 4;
v29[3] = 3;
v29[4] = 2;
v29[5] = 1;
for ( ii = 0; ii < 6; ++ii )
{
v32 = v29[ii];
v92 = 0;
v47 = 0;
for ( jj = 0; jj <= v32; ++jj )
{
v47 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD))(v108[30] + v92 + 4);
v46 = *(_DWORD *)(v108[30] + v92);
v92 += v46 + 4;
}
v90 = v47;
if ( !v47(*v108, v108[1], v108[2], a1) )
goto LABEL_134;
}
v56 = 1;
v91 = 0;
v45 = 0;
for ( kk = 0; kk <= 6; ++kk )
{
v45 = (int (__stdcall *)(_DWORD, _DWORD, _DWORD, _DWORD))(v108[30] + v91 + 4);
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
最后于 2022-12-3 20:23
被mb_xxgcvcih编辑
,原因:
