【文章标题】: happytown 23th crackme 简单分析
【文章作者】: ikki[D.4s]
【下载地址】: http://bbs.pediy.com/attachment.php?s=&attachmentid=3036
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
004011A8 B0 C2 mov al,0C2
004011AA 66:894C24 29 mov word ptr ss:[esp+29],cx
004011AF 68 E8030000 push 3E8
004011B4 56 push esi
004011B5 C64424 38 00 mov byte ptr ss:[esp+38],0
004011BA C64424 1C FC mov byte ptr ss:[esp+1C],0FC ; ----
004011BF C64424 1D B5 mov byte ptr ss:[esp+1D],0B5
004011C4 884424 1E mov byte ptr ss:[esp+1E],al
004011C8 C64424 1F 7C mov byte ptr ss:[esp+1F],7C
004011CD C64424 20 DC mov byte ptr ss:[esp+20],0DC
004011D2 C64424 21 0D mov byte ptr ss:[esp+21],0D
004011D7 C64424 22 D9 mov byte ptr ss:[esp+22],0D9
004011DC C64424 23 DF mov byte ptr ss:[esp+23],0DF ; 这些数据用作后面blowfish的key
004011E1 C64424 24 83 mov byte ptr ss:[esp+24],83
004011E6 884424 25 mov byte ptr ss:[esp+25],al
004011EA C64424 26 B0 mov byte ptr ss:[esp+26],0B0
004011EF C64424 27 75 mov byte ptr ss:[esp+27],75
004011F4 C64424 28 DE mov byte ptr ss:[esp+28],0DE
004011F9 C64424 29 02 mov byte ptr ss:[esp+29],2
004011FE C64424 2A 11 mov byte ptr ss:[esp+2A],11
00401203 C64424 2B 28 mov byte ptr ss:[esp+2B],28 ; ----
00401208 C64424 2C 00 mov byte ptr ss:[esp+2C],0
0040120D 884C24 33 mov byte ptr ss:[esp+33],cl
-------------------------
key:FC B5 C2 7C DC 0D D9 DF 83 C2 B0 75 DE 02 11 28
00401211 FFD7 call edi ; GetDlgItemTextA
00401213 83F8 04 cmp eax,4 ; name的长度>=4
00401216 894424 24 mov dword ptr ss:[esp+24],eax
0040121A 7D 0C jge short <CrackMe_.loc_401228>
0040121C > 5F pop edi
0040121D 5E pop esi
0040121E 33C0 xor eax,eax
00401220 5D pop ebp
00401221 81C4 70120000 add esp,1270
00401227 C3 retn
00401228 > 8D4424 44 lea eax,dword ptr ss:[esp+44]
0040122C 68 C9000000 push 0C9
00401231 50 push eax
00401232 68 E9030000 push 3E9
00401237 56 push esi
00401238 FFD7 call edi ; GetDlgItemTextA
0040123A 83F8 10 cmp eax,10 ; code的长度=16?
0040123D 74 0C je short <CrackMe_.loc_40124B>
0040123F 5F pop edi
00401240 5E pop esi
00401241 33C0 xor eax,eax
00401243 5D pop ebp
00401244 81C4 70120000 add esp,1270
0040124A C3 retn
0040124B > 33F6 xor esi,esi
0040124D BD 01000000 mov ebp,1
00401252 > 392D E8A24000 cmp dword ptr ds:[40A2E8],ebp
00401258 7E 15 jle short <CrackMe_.loc_40126F>
0040125A 0FBE4C34 44 movsx ecx,byte ptr ss:[esp+esi+44]
0040125F 68 80000000 push 80
00401264 51 push ecx
00401265 E8 72300000 call <CrackMe_.__isctype>
0040126A 83C4 08 add esp,8
0040126D EB 12 jmp short <CrackMe_.loc_401281>
0040126F > 0FBE5434 44 movsx edx,byte ptr ss:[esp+esi+44]
00401274 A1 DCA04000 mov eax,dword ptr ds:[40A0DC]
00401279 8A0450 mov al,byte ptr ds:[eax+edx*2]
0040127C 25 80000000 and eax,80
00401281 > 85C0 test eax,eax
00401283 ^ 74 97 je short <CrackMe_.loc_40121C>
00401285 0FBE4C34 44 movsx ecx,byte ptr ss:[esp+esi+44]
0040128A 51 push ecx
0040128B E8 802F0000 call <CrackMe_._toupper>
00401290 83C4 04 add esp,4
00401293 884434 44 mov byte ptr ss:[esp+esi+44],al
00401297 46 inc esi
00401298 83FE 10 cmp esi,10
0040129B ^ 7C B5 jl short <CrackMe_.loc_401252>
0040129D 53 push ebx
0040129E 33FF xor edi,edi
004012A0 8D7424 49 lea esi,dword ptr ss:[esp+49]
004012A4 > 392D E8A24000 cmp dword ptr ds:[40A2E8],ebp
004012AA 7E 10 jle short <CrackMe_.loc_4012BC>
004012AC 0FBE56 FF movsx edx,byte ptr ds:[esi-1]
004012B0 55 push ebp
004012B1 52 push edx
004012B2 E8 25300000 call <CrackMe_.__isctype>
004012B7 83C4 08 add esp,8
004012BA EB 0F jmp short <CrackMe_.loc_4012CB>
004012BC > 0FBE46 FF movsx eax,byte ptr ds:[esi-1]
004012C0 8B0D DCA04000 mov ecx,dword ptr ds:[40A0DC]
004012C6 8A0441 mov al,byte ptr ds:[ecx+eax*2]
004012C9 23C5 and eax,ebp
004012CB > 8A5E FF mov bl,byte ptr ds:[esi-1]
004012CE 85C0 test eax,eax
004012D0 75 05 jnz short <CrackMe_.loc_4012D7>
004012D2 80EB 30 sub bl,30
004012D5 EB 03 jmp short <CrackMe_.loc_4012DA>
004012D7 > 80EB 37 sub bl,37
004012DA > 392D E8A24000 cmp dword ptr ds:[40A2E8],ebp
004012E0 7E 0F jle short <CrackMe_.loc_4012F1>
004012E2 0FBE16 movsx edx,byte ptr ds:[esi]
004012E5 55 push ebp
004012E6 52 push edx
004012E7 E8 F02F0000 call <CrackMe_.__isctype>
004012EC 83C4 08 add esp,8
004012EF EB 0E jmp short <CrackMe_.loc_4012FF>
004012F1 > 0FBE06 movsx eax,byte ptr ds:[esi]
004012F4 8B0D DCA04000 mov ecx,dword ptr ds:[40A0DC]
004012FA 8A0441 mov al,byte ptr ds:[ecx+eax*2]
004012FD 23C5 and eax,ebp
004012FF > 85C0 test eax,eax
00401301 8A06 mov al,byte ptr ds:[esi]
00401303 75 04 jnz short <CrackMe_.loc_401309>
00401305 2C 30 sub al,30
00401307 EB 02 jmp short <CrackMe_.loc_40130B>
00401309 > 2C 37 sub al,37
0040130B > C0E3 04 shl bl,4
0040130E 0AD8 or bl,al
00401310 83C6 02 add esi,2
00401313 885C3C 20 mov byte ptr ss:[esp+edi+20],bl
00401317 47 inc edi
00401318 83FF 08 cmp edi,8
0040131B ^ 7C 87 jl short <CrackMe_.loc_4012A4>
0040131D 8D9424 10010000 lea edx,dword ptr ss:[esp+110]
00401324 52 push edx
00401325 E8 86060000 call <CrackMe_.sub_4019B0> ; ripemd160_init
0040132A 8B4424 2C mov eax,dword ptr ss:[esp+2C]
0040132E 8D8C24 74010000 lea ecx,dword ptr ss:[esp+174]
00401335 50 push eax
00401336 8D9424 18010000 lea edx,dword ptr ss:[esp+118]
0040133D 51 push ecx
0040133E 52 push edx
0040133F E8 3C020000 call <CrackMe_.sub_401580> ; ripemd_update
00401344 8D8424 20010000 lea eax,dword ptr ss:[esp+120]
0040134B 8D4C24 3C lea ecx,dword ptr ss:[esp+3C]
0040134F 50 push eax
00401350 51 push ecx
00401351 E8 FA040000 call <CrackMe_.sub_401850> ; ripemd_final
00401356 8D5424 28 lea edx,dword ptr ss:[esp+28]
0040135A 8D8424 50020000 lea eax,dword ptr ss:[esp+250]
00401361 52 push edx
00401362 6A 10 push 10
00401364 50 push eax
00401365 E8 16010000 call <CrackMe_.sub_401480> ; blowfish_ks
0040136A 8D8C24 5C020000 lea ecx,dword ptr ss:[esp+25C]
00401371 6A 00 push 0 ; //工作模式参数:0为decode
00401373 8D5424 68 lea edx,dword ptr ss:[esp+68]
00401377 51 push ecx
00401378 8D4424 4C lea eax,dword ptr ss:[esp+4C]
0040137C 52 push edx
0040137D 50 push eax
0040137E E8 2D000000 call <CrackMe_.sub_4013B0> ; blowfish_Func
00401383 83C4 34 add esp,34
00401386 B9 02000000 mov ecx,2
0040138B 8D7C24 2C lea edi,dword ptr ss:[esp+2C]
0040138F 8D7424 40 lea esi,dword ptr ss:[esp+40]
00401393 33D2 xor edx,edx
00401395 5B pop ebx
00401396 F3:A7 repe cmps dword ptr es:[edi],dword ptr ds:[esi] ; //name,code分别计算得到的结果的
00401398 8BC2 mov eax,edx ; //前两个DWORD做比较,相等则OK
0040139A 5F pop edi
0040139B 5E pop esi
0040139C 5D pop ebp
0040139D 0F94C0 sete al
004013A0 81C4 70120000 add esp,1270
004013A6 C3 retn
--------------------------------------------------------------------------------
【经验总结】
算法总结:
1,计算RIPEMD160(name)
2,计算blowfish_Decode(inputCode)
(key:FC B5 C2 7C DC 0D D9 DF 83 C2 B0 75 DE 02 11 28)
3,比较两个计算结果的前两个DWORD,如果相等则通过验证。
容易得出对应的code的计算如下:
blowfish_Encode(RIPEMD160(name)(只取结果HEX串的前16位))
(key:FC B5 C2 7C DC 0D D9 DF 83 C2 B0 75 DE 02 11 28)
name:ikki
code:6ECEF5D13847073C
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年10月10日 20:29:50
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课