[Original] A newbie's patch of a CrackMe. Hoping for pointers from the experts.
Posted on: 2006-8-8 17:33
【Target】CrackMe.
【Download】http://disk.i2008.com/myfile/lwy7758/crackme.rar
【Environment】Win9x/Me/NT/2000/XP/2003
【Category】CrackMe
【Protection】None
【Author's note】I'm new to cracking; this is just for interest, to pass my spare time. Please correct any mistakes, seniors.
【Tools】OllyDbg, PEiD
【Software info】This is my first crackme. I tried to make it not too easy..., well, we'll see ;)
1. Cracking process
Check with PEiD first: no packer. MASM32 / TASM32 [Overlay]
Start OllyDbg and set a breakpoint:
bpx GetDlgItemTextA
Enter fake values: name 123, serial 321.
It breaks at 004010B5. Then F8.
0040109C /$ C705 82214000 98B>mov dword ptr ds:[402182],FEDCBA98
004010A6 |. 6A 11 push 11 ; /Count = 11 (17.)
004010A8 |. 68 71214000 push cycle.00402171 ; |Buffer = cycle.00402171
004010AD |. 68 E9030000 push 3E9 ; |ControlID = 3E9 (1001.)
004010B2 |. FF75 08 push dword ptr ss:[ebp+8] ; |hWnd
004010B5 |. E8 0F020000 call <jmp.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
004010BA |. 0BC0 or eax,eax
004010BC 74 61 je short cycle.0040111F
004010BE |. 6A 11 push 11 ; /Count = 11 (17.)
004010C0 |. 68 60214000 push cycle.00402160 ; |Buffer = cycle.00402160
004010C5 |. 68 E8030000 push 3E8 ; |ControlID = 3E8 (1000.)
004010CA |. FF75 08 push dword ptr ss:[ebp+8] ; |hWnd
004010CD |. E8 F7010000 call <jmp.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
004010D2 |. 0BC0 or eax,eax
004010D4 74 49 je short cycle.0040111F
004010D6 |. B9 10000000 mov ecx,10
004010DB |. 2BC8 sub ecx,eax
004010DD |. BE 60214000 mov esi,cycle.00402160 ; ASCII "1231231231231231"
004010E2 |. 8BFE mov edi,esi
004010E4 |. 03F8 add edi,eax
004010E6 |. FC cld
004010E7 |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
004010E9 |. 33C9 xor ecx,ecx
004010EB |. BE 71214000 mov esi,cycle.00402171 ; ASCII "321"
004010F0 |> 41 /inc ecx
004010F1 |. AC |lods byte ptr ds:[esi]
004010F2 |. 0AC0 |or al,al
004010F4 |. 74 0A |je short cycle.00401100
004010F6 |. 3C 7E |cmp al,7E
004010F8 |. 7F 06 |jg short cycle.00401100
004010FA |. 3C 30 |cmp al,30
004010FC |. 72 02 |jb short cycle.00401100
004010FE |.^ EB F0 \jmp short cycle.004010F0
00401100 |> 83F9 11 cmp ecx,11
00401103 75 1A jnz short cycle.0040111F ; if this jumps, it's over! 7574
00401105 |. E8 E7000000 call cycle.004011F1 ; call1, probably a key point
0040110A |. B9 01FF0000 mov ecx,0FF01
0040110F |. 51 push ecx
00401110 |. E8 7B000000 call cycle.00401190 ; call2, probably a key point
00401115 |. 83F9 01 cmp ecx,1
00401118 74 06 je short cycle.00401120 ; if this doesn't jump, it's over! 7475
0040111A |> E8 47000000 call cycle.00401166
0040111F |> C3 retn
00401120 |> A1 68214000 mov eax,dword ptr ds:[402168]
00401125 |. 8B1D 6C214000 mov ebx,dword ptr ds:[40216C]
0040112B |. 33C3 xor eax,ebx
0040112D |. 3305 82214000 xor eax,dword ptr ds:[402182]
00401133 |. 0D 40404040 or eax,40404040
00401138 |. 25 77777777 and eax,77777777
0040113D |. 3305 79214000 xor eax,dword ptr ds:[402179]
00401143 |. 3305 7D214000 xor eax,dword ptr ds:[40217D]
00401149 ^ 75 CF jnz short cycle.0040111A ; if this jumps, it's over! 7574
0040114B |. E8 2B000000 call cycle.0040117B
00401150 \. C3 retn
00401151 /$ 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401153 |. 68 00204000 push cycle.00402000 ; |Title = "About this crackme"
00401158 |. 68 13204000 push cycle.00402013 ; |Text = "CycleCrackme by cW_
Try to get a serial for your name and write a keygen... no patching!
This should be not too hard..., if you understand how it works ;-)
Please send your solution to cW_6556@yahoo.com"
0040115D |. FF75 08 push dword ptr ss:[ebp+8] ; |hOwner
00401160 |. E8 58010000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00401165 \. C3 retn
00401166 /$ 6A 00 push 0 ; if anything above jumps here, start over!
00401168 |. 68 DE204000 push cycle.004020DE ; |Title = "Ahm. No!"
0040116D |. 68 E7204000 push cycle.004020E7 ; |Text = "Please enter a valid serial for your name!"
00401172 |. FF75 08 push dword ptr ss:[ebp+8] ; |hOwner
00401175 |. E8 43010000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
0040117A \. C3 retn
0040117B /$ 6A 00 push 0 ; congratulations, patcher!!
0040117D |. 68 12214000 push cycle.00402112 ; |Title = "Wow!"
00401182 |. 68 17214000 push cycle.00402117 ; |Text = "Congratulations!
Write a tutorial/keygen an send it to cW_6556@yahoo.com"
00401187 |. FF75 08 push dword ptr ss:[ebp+8] ; |hOwner
0040118A |. E8 2E010000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
0040118F \. C3 retn
Patch the three places 401103, 401118 and 401149, and the patch is done.
To patch this CrackMe you only need to read its jumps clearly: 00401166 is where failure starts, 0040117B is where success starts. The two jumps at 401103 and 401118 are easy to judge as well; debug it a couple more times and you know whether they should jump or not.
My patch may also be incorrect. If I'm wrong, or there is a simpler way, please point it out.
Also, since I can't analyze algorithms yet, I hope an expert can fill that in!
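As an added illustration (not part of the original post, and not the crackme author's code), the following Python models only the instructions that are visible in the listing above: the overlapping rep movsb at 004010D6..004010E7 that cycles the name to 16 bytes (which is why OllyDbg showed "1231231231231231" for the name 123), the serial scan loop at 004010E9..00401100 that must end with ecx == 0x11, and the final XOR test at 00401120..00401149 on the dwords at 402168/40216C (name bytes 8..15), 402182 (the constant FEDCBA98 stored on entry) and 402179/40217D (serial bytes 8..15). The two calls at 004011F1 and 00401190 are not shown on the page, so the model assumes they leave those buffers and [402182] unchanged; the function names are my own.

```python
import struct

BUF_LEN = 16           # GetDlgItemTextA is called with Count = 0x11: 16 chars + NUL
KEY_INIT = 0xFEDCBA98  # stored at 402182 by the mov at 0040109C (visible in the listing)


def cycle_name(name: bytes) -> bytes:
    """Model 004010D6..004010E7.

    esi = edi = 402160, edi += len, ecx = 16 - len, rep movsb.  Source and
    destination overlap and the copy is byte by byte, so each iteration reads
    what an earlier one may already have written: the name repeats itself
    until the buffer holds 16 bytes ("123" -> "1231231231231231").
    """
    buf = bytearray(name[:BUF_LEN])
    n = len(buf)
    for i in range(BUF_LEN - n):      # ecx = 16 - len iterations (0 when len == 16)
        buf.append(buf[i])            # buf[n + i] = buf[i]
    return bytes(buf)


def serial_scan_count(serial: bytes) -> int:
    """Model 004010E9..00401100: return ecx at the loop exit.

    ecx is incremented before each byte is tested, so the terminating NUL
    (or the first rejected byte) is counted as well.
    """
    buf = serial[:BUF_LEN] + b"\x00"  # the dialog buffer is always NUL-terminated
    ecx = 0
    for b in buf:
        ecx += 1
        if b == 0:                    # or al,al / je
            break
        signed = b - 0x100 if b >= 0x80 else b
        if signed > 0x7E:             # cmp al,7E / jg: signed compare, so only 0x7F fails here
            break
        if b < 0x30:                  # cmp al,30 / jb: unsigned compare
            break
    return ecx


def serial_syntax_ok(serial: bytes) -> bool:
    """cmp ecx,11 / jnz 0040111F: 16 accepted bytes followed by the NUL."""
    return serial_scan_count(serial) == 0x11


def dword(buf: bytes, off: int) -> int:
    """Little-endian dword read, as the 32-bit mov/xor with a memory operand does.
    Bytes of the static buffer that were never written are modeled as zero."""
    return struct.unpack_from("<I", buf.ljust(off + 4, b"\x00"), off)[0]


def final_mask(name_cycled: bytes, key: int = KEY_INIT) -> int:
    """eax after 00401120..00401138, before the serial dwords are XORed in."""
    eax = dword(name_cycled, 8) ^ dword(name_cycled, 12) ^ key
    return (eax | 0x40404040) & 0x77777777


def final_check(name_cycled: bytes, serial: bytes, key: int = KEY_INIT) -> bool:
    """Model 0040113D..00401149: the "Wow!" box is reached only if eax ends up zero.

    Assumption: the calls at 004011F1 and 00401190 (not shown on the page)
    did not modify the two buffers or [402182].
    """
    eax = final_mask(name_cycled, key) ^ dword(serial, 8) ^ dword(serial, 12)
    return eax == 0


def visible_checks(name: bytes, serial: bytes) -> bool:
    """All the branches that are visible in the listing, in program order."""
    if not name or not serial:        # or eax,eax / je 0040111F after each GetDlgItemTextA
        return False
    if not serial_syntax_ok(serial):  # jnz at 00401103: silent retn, no message box
        return False
    return final_check(cycle_name(name), serial)   # jnz at 00401149: "Ahm. No!"


if __name__ == "__main__":
    print(cycle_name(b"123"))             # b'1231231231231231', as OllyDbg showed
    print(serial_scan_count(b"321"))      # 4: the NUL is reached after 3 bytes
    print(visible_checks(b"123", b"321")) # False: the fake serial fails the length check
```

Running it with the post's own inputs (name 123, serial 321) shows why the jump at 00401103 is taken: the scan loop exits on the NUL with ecx = 4, not 0x11, so the serial must be exactly 16 bytes long before the later checks are even reached. The signed jg at 004010F8 also means bytes 0x80..0xFF pass the character filter, which the model reproduces.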