└Article title┐: Analysis of a very interesting multi-level CrackMe
└Author┐: -=>大菜一号<=-
└Target┐: in the attachment..
└Download┐: in the attachment..
└Size┐: no idea
└Packer┐: upx
└Protection┐: unclear
└Language┐: Delphi
└Tools┐: OD, DeDe
└Platform┐: a (pirated) copy of XP
└Statement┐: Cracking is great fun!
----------------------------------------------------------------------------------
└Walkthrough┐:
This CrackMe has three levels, and you can only work on the next one after passing the previous one!! Heh`` it is similar to the fun CrackMe in the Pediy (看雪) e-zine, though the content is of course completely different!!
It is not hard; there is only a little bit of algorithm. I guess it is meant to practise analysis, finding the key spots, and a tiny bit of algorithm reversal~~~
OK OK~~ let's have a look. Good stuff should be shared, and I'll ramble on about the fun I had cracking it!!
Level 1:
Introduction:
Run the program and you see four sliders; dragging each one changes the corresponding value on the right.
The range is 0-9.
From top to bottom the four sliders correspond to the thousands, hundreds, tens and units digit of the value.
There is an obvious error message, "invalid" -> in big red letters!
Process:
Load it in OD, find "invalid", and it breaks at the following (set the sliders first, then set the breakpoint; try it by hand and you'll see why!):
00434720 /$ 55 push ebp ; breaks here
00434721 |. 8BEC mov ebp, esp
00434723 |. 33C9 xor ecx, ecx
00434725 |. 51 push ecx
00434726 |. 51 push ecx
00434727 |. 51 push ecx
00434728 |. 51 push ecx
00434729 |. 51 push ecx
0043472A |. 33C0 xor eax, eax
0043472C |. 55 push ebp
0043472D |. 68 FD474300 push 004347FD
00434732 |. 64:FF30 push dword ptr fs:[eax]
00434735 |. 64:8920 mov dword ptr fs:[eax], esp
00434738 |. C605 71774300>mov byte ptr [437771], 0
0043473F |. 8D55 F8 lea edx, dword ptr [ebp-8]
00434742 |. 33C0 xor eax, eax
00434744 |. A0 5C774300 mov al, byte ptr [43775C]
00434749 |. E8 DA20FDFF call 00406828
0043474E |. FF75 F8 push dword ptr [ebp-8]
00434751 |. 8D55 F4 lea edx, dword ptr [ebp-C]
00434754 |. 33C0 xor eax, eax
00434756 |. A0 5D774300 mov al, byte ptr [43775D]
0043475B |. E8 C820FDFF call 00406828
00434760 |. FF75 F4 push dword ptr [ebp-C]
00434763 |. 8D55 F0 lea edx, dword ptr [ebp-10]
00434766 |. 33C0 xor eax, eax
00434768 |. A0 5E774300 mov al, byte ptr [43775E]
0043476D |. E8 B620FDFF call 00406828
00434772 |. FF75 F0 push dword ptr [ebp-10]
00434775 |. 8D55 EC lea edx, dword ptr [ebp-14]
00434778 |. 33C0 xor eax, eax
0043477A |. A0 5F774300 mov al, byte ptr [43775F]
0043477F |. E8 A420FDFF call 00406828
00434784 |. FF75 EC push dword ptr [ebp-14]
00434787 |. 8D45 FC lea eax, dword ptr [ebp-4]
0043478A |. BA 04000000 mov edx, 4
0043478F |. E8 30F2FCFF call 004039C4
00434794 |. 8B45 FC mov eax, dword ptr [ebp-4]
00434797 |. E8 BC20FDFF call 00406858 ; this call converts the dragged-out number (a string on the program's UI) into a numeric value, e.g. if I drag out "1234" it becomes 0x4d2
0043479C |. 35 97250000 xor eax, 2597 ; XOR with 0x2597
004347A1 |. 3D 1A2B0000 cmp eax, 2B1A ; compare the result with 0x2b1a
004347A6 |. 75 1E jnz short 004347C6 ; not equal -> error
004347A8 |. A1 58774300 mov eax, dword ptr [437758]
004347AD |. 8B80 10020000 mov eax, dword ptr [eax+210]
004347B3 |. BA 10484300 mov edx, 00434810 ;valid -> success message
004347B8 |. E8 5366FEFF call 0041AE10
004347BD |. C605 71774300>mov byte ptr [437771], 1
004347C4 |. EB 1C jmp short 004347E2
004347C6 |> A1 58774300 mov eax, dword ptr [437758]
004347CB |. 8B80 10020000 mov eax, dword ptr [eax+210]
004347D1 |. BA 20484300 mov edx, 00434820 ;invalid -> error message
004347D6 |. E8 3566FEFF call 0041AE10
004347DB |. C605 71774300>mov byte ptr [437771], 0
004347E2 |> 33C0 xor eax, eax
004347E4 |. 5A pop edx
004347E5 |. 59 pop ecx
004347E6 |. 59 pop ecx
004347E7 |. 64:8910 mov dword ptr fs:[eax], edx
004347EA |. 68 04484300 push 00434804
004347EF |> 8D45 EC lea eax, dword ptr [ebp-14]
004347F2 |. BA 05000000 mov edx, 5
004347F7 |. E8 B0EEFCFF call 004036AC
004347FC \. C3 retn
Summary:
That's level 1, simple isn't it!
Just do this: 0x2b1a XOR 0x2597 -> that is the correct value, 3725
--------------------------------------------------------------
Level 2:
Introduction:
After dragging out "3725", click "Next level->" and the level-2 tab appears, showing a real, honest CrackMe! It looks quite deep (seems hard),, but not necessarily~~ heh`
Process:
Enter something random and you get the error string "Come on,isn't it easy?:)"
Load it in OD, find the string, and look upwards`
You find.... 3 key calls, 3 jnz jumps and 2 error messages! Only when all 3 jnz jumps are passed do you reach the success message~~ now the code:
00434B48 . E8 EFFDFFFF call 0043493C
00434B4D . 803D 6E774300>cmp byte ptr [43776E], 0 ; if the byte at 43776e is not 0 -> error
00434B54 . 75 6E jnz short 00434BC4
00434B56 . E8 29FFFFFF call 00434A84
00434B5B . 803D 70774300>cmp byte ptr [437770], 1 ; if the byte at 437770 is not 1 -> error
00434B62 . 75 46 jnz short 00434BAA
00434B64 . E8 57FEFFFF call 004349C0
00434B69 . 803D 6F774300>cmp byte ptr [43776F], 1 ; if the byte at 43776f is not 1 -> error
00434B70 . 75 1C jnz short 00434B8E
00434B72 . 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00434B74 . 68 C84B4300 push 00434BC8 ; |success
00434B79 . 68 D04B4300 push 00434BD0 ; |good work!
00434B7E . 6A 00 push 0 ; |hOwner = NULL
00434B80 . E8 4B0CFDFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00434B85 . C605 72774300>mov byte ptr [437772], 1
00434B8C . EB 36 jmp short 00434BC4
00434B8E > 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00434B90 . 68 DC4B4300 push 00434BDC ; |failure
00434B95 . 68 E44B4300 push 00434BE4 ; |come on, isn't it easy? :)
00434B9A . 6A 00 push 0 ; |hOwner = NULL
00434B9C . E8 2F0CFDFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00434BA1 . C605 72774300>mov byte ptr [437772], 0
00434BA8 . EB 1A jmp short 00434BC4
00434BAA > 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00434BAC . 68 DC4B4300 push 00434BDC ; |failure
00434BB1 . 68 E44B4300 push 00434BE4 ; |come on, isn't it easy? :)
00434BB6 . 6A 00 push 0 ; |hOwner = NULL
00434BB8 . E8 130CFDFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00434BBD . C605 72774300>mov byte ptr [437772], 0
00434BC4 > C3 retn
Pretty clear, right~~ now let's step into the key calls
call(1):
0043493C /$ 55 push ebp
0043493D |. 8BEC mov ebp, esp
0043493F |. 6A 00 push 0
00434941 |. 6A 00 push 0
00434943 |. 33C0 xor eax, eax
00434945 |. 55 push ebp
00434946 |. 68 B5494300 push 004349B5
0043494B |. 64:FF30 push dword ptr fs:[eax]
0043494E |. 64:8920 mov dword ptr fs:[eax], esp
00434951 |. C605 6E774300>mov byte ptr [43776E], 1
00434958 |. 8D55 FC lea edx, dword ptr [ebp-4]
0043495B |. A1 58774300 mov eax, dword ptr [437758]
00434960 |. 8B80 28020000 mov eax, dword ptr [eax+228]
00434966 |. E8 7564FEFF call 0041ADE0 ;get the length of name
0043496B |. 837D FC 00 cmp dword ptr [ebp-4], 0
0043496F |. 74 22 je short 00434993 ;zero -> error
00434971 |. 8D55 F8 lea edx, dword ptr [ebp-8]
00434974 |. A1 58774300 mov eax, dword ptr [437758]
00434979 |. 8B80 30020000 mov eax, dword ptr [eax+230]
0043497F |. E8 5C64FEFF call 0041ADE0 ;get the length of code
00434984 |. 837D F8 00 cmp dword ptr [ebp-8], 0
00434988 |. 74 09 je short 00434993 ;zero -> error
0043498A |. C605 6E774300>mov byte ptr [43776E], 0 ;store 0 at 43776e (this address looks familiar, right? if you forgot, look at the code above`` heh`` the first jnz is passed)
00434991 |. EB 07 jmp short 0043499A
00434993 |> C605 6E774300>mov byte ptr [43776E], 1
0043499A |> 33C0 xor eax, eax
0043499C |. 5A pop edx
0043499D |. 59 pop ecx
0043499E |. 59 pop ecx
0043499F |. 64:8910 mov dword ptr fs:[eax], edx
004349A2 |. 68 BC494300 push 004349BC
004349A7 |> 8D45 F8 lea eax, dword ptr [ebp-8]
004349AA |. BA 02000000 mov edx, 2
004349AF |. E8 F8ECFCFF call 004036AC
004349B4 \. C3 retn
call(2):
00434A84 /$ 55 push ebp
00434A85 |. 8BEC mov ebp, esp
00434A87 |. 81C4 F0FEFFFF add esp, -110
00434A8D |. 56 push esi
00434A8E |. 33C0 xor eax, eax
00434A90 |. 8985 F0FEFFFF mov dword ptr [ebp-110], eax
00434A96 |. 33C0 xor eax, eax
00434A98 |. 55 push ebp
00434A99 |. 68 3B4B4300 push 00434B3B
00434A9E |. 64:FF30 push dword ptr fs:[eax]
00434AA1 |. 64:8920 mov dword ptr fs:[eax], esp
00434AA4 |. 33F6 xor esi, esi
00434AA6 |. C605 70774300>mov byte ptr [437770], 0
00434AAD |. 8D95 F0FEFFFF lea edx, dword ptr [ebp-110]
00434AB3 |. A1 58774300 mov eax, dword ptr [437758]
00434AB8 |. 8B80 30020000 mov eax, dword ptr [eax+230]
00434ABE |. E8 1D63FEFF call 0041ADE0 ;get code (the [eax+230] edit, the same one call(1) measured)
00434AC3 |. 8B95 F0FEFFFF mov edx, dword ptr [ebp-110] ;code into edx
00434AC9 |. 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C]
00434ACF |. B9 FF000000 mov ecx, 0FF
00434AD4 |. E8 07EEFCFF call 004038E0
00434AD9 |. 8D95 F4FEFFFF lea edx, dword ptr [ebp-10C]
00434ADF |. 8D45 F4 lea eax, dword ptr [ebp-C]
00434AE2 |. B1 0B mov cl, 0B
00434AE4 |. E8 EBDCFCFF call 004027D4 ;copy code into a ShortString (cl = max length 0x0B, first byte is the length)
00434AE9 |. 8A55 F4 mov dl, byte ptr [ebp-C] ;length into dl
00434AEC |. 84D2 test dl, dl
00434AEE |. 76 14 jbe short 00434B04 ;empty -> failure path
00434AF0 |. 8D45 F5 lea eax, dword ptr [ebp-B]
00434AF3 |> 33C9 /xor ecx, ecx
00434AF5 |. 8A08 |mov cl, byte ptr [eax] ;each iteration fetches the next code character
00434AF7 |. 69C9 91020000 |imul ecx, ecx, 291 ;*0x291
00434AFD |. 03F1 |add esi, ecx ;accumulate into esi
00434AFF |. 40 |inc eax ;eax+1, point to the next character
00434B00 |. FECA |dec dl ;counter minus one
00434B02 |.^ 75 EF \jnz short 00434AF3
00434B04 |> 8BC6 mov eax, esi
00434B06 |. 35 9E100F00 xor eax, 0F109E ;XOR the accumulated result with 0xf109e
00434B0B |. 3D 105F0B00 cmp eax, 0B5F10 ;compare the XORed value with 0xb5f10
00434B10 |. 75 09 jnz short 00434B1B ;not equal -> jump to 434b1b and set flag 437770 to 0, otherwise fall through and set it to 1
00434B12 |. C605 70774300>mov byte ptr [437770], 1
00434B19 |. EB 07 jmp short 00434B22
00434B1B |> C605 70774300>mov byte ptr [437770], 0
00434B22 |> 33C0 xor eax, eax
00434B24 |. 5A pop edx
00434B25 |. 59 pop ecx
00434B26 |. 59 pop ecx
00434B27 |. 64:8910 mov dword ptr fs:[eax], edx
00434B2A |. 68 424B4300 push 00434B42
00434B2F |> 8D85 F0FEFFFF lea eax, dword ptr [ebp-110]
00434B35 |. E8 4EEBFCFF call 00403688
00434B3A \. C3 retn
call(3):
004349C0 /$ 55 push ebp
004349C1 |. 8BEC mov ebp, esp
004349C3 |. 81C4 F0FEFFFF add esp, -110
004349C9 |. 56 push esi
004349CA |. 33C0 xor eax, eax
004349CC |. 8985 F0FEFFFF mov dword ptr [ebp-110], eax
004349D2 |. 33C0 xor eax, eax
004349D4 |. 55 push ebp
004349D5 |. 68 774A4300 push 00434A77
004349DA |. 64:FF30 push dword ptr fs:[eax]
004349DD |. 64:8920 mov dword ptr fs:[eax], esp
004349E0 |. C605 6F774300>mov byte ptr [43776F], 0
004349E7 |. 33F6 xor esi, esi
004349E9 |. 8D95 F0FEFFFF lea edx, dword ptr [ebp-110]
004349EF |. A1 58774300 mov eax, dword ptr [437758]
004349F4 |. 8B80 28020000 mov eax, dword ptr [eax+228]
004349FA |. E8 E163FEFF call 0041ADE0 ;get name
004349FF |. 8B95 F0FEFFFF mov edx, dword ptr [ebp-110]
00434A05 |. 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C]
00434A0B |. B9 FF000000 mov ecx, 0FF
00434A10 |. E8 CBEEFCFF call 004038E0
00434A15 |. 8D95 F4FEFFFF lea edx, dword ptr [ebp-10C]
00434A1B |. 8D45 F4 lea eax, dword ptr [ebp-C]
00434A1E |. B1 0B mov cl, 0B
00434A20 |. E8 AFDDFCFF call 004027D4
00434A25 |. 8A55 F4 mov dl, byte ptr [ebp-C]
00434A28 |. 84D2 test dl, dl
00434A2A |. 76 14 jbe short 00434A40
00434A2C |. 8D45 F5 lea eax, dword ptr [ebp-B]
00434A2F |> 33C9 /xor ecx, ecx
00434A31 |. 8A08 |mov cl, byte ptr [eax] ;each iteration fetches the next name character
00434A33 |. 69C9 59010000 |imul ecx, ecx, 159 ;*0x159
00434A39 |. 03F1 |add esi, ecx ;accumulate into esi
00434A3B |. 40 |inc eax ;point to the next character
00434A3C |. FECA |dec dl ;counter minus one
00434A3E |.^ 75 EF \jnz short 00434A2F
00434A40 |> 8BC6 mov eax, esi
00434A42 |. 35 FE9E0C00 xor eax, 0C9EFE ;XOR the result with 0xc9efe
00434A47 |. 3D 90120900 cmp eax, 91290 ;compare the XORed value with 0x91290
00434A4C |. 75 09 jnz short 00434A57 ;not equal -> set 43776f to 0, otherwise 1
00434A4E |. C605 6F774300>mov byte ptr [43776F], 1
00434A55 |. EB 07 jmp short 00434A5E
00434A57 |> C605 6F774300>mov byte ptr [43776F], 0
00434A5E |> 33C0 xor eax, eax
00434A60 |. 5A pop edx
00434A61 |. 59 pop ecx
00434A62 |. 59 pop ecx
00434A63 |. 64:8910 mov dword ptr fs:[eax], edx
00434A66 |. 68 7E4A4300 push 00434A7E
00434A6B |> 8D85 F0FEFFFF lea eax, dword ptr [ebp-110]
00434A71 |. E8 12ECFCFF call 00403688
00434A76 \. C3 retn
Summary:
Also simple, right~~ heh`` call2 computes the code and call3 computes the name! Let's sum up how to compute them!~~
After the analysis we know the code is not derived from the entered name; instead we have to reverse a valid value for each of the two edit boxes separately.
Computing a code:
Here is one valid code I came up with: 2<F22222
asc('2')=50
asc('<')=60
asc('F')=70
0xB5F10^0xF109E=0x44f8e
(50+60+70)*0x291=0x1cdf4
0x44f8e-0x1cdf4=0x2819a
0x2819a/(50*0x291)=5 //so besides "2<F" we need five more "2"s
(50*0x291)*5+0x1cdf4=0x44f8e
0x44f8e^0xf109e=0xb5f10
First reverse the sum the accumulation has to reach,
then I picked the characters with ASCII values 50, 60 and 70 from the ASCII table, heh`` after accounting for those three, subtract their contribution from the required sum and divide what is left by 50 (times 0x291); who knew, it comes out to exactly 5, so append five '2's after "2<F".
Now a valid name: }}}}}}}}6
asc('}')=125 //this is the largest ASCII value you can type`
0x91290^0xc9efe=0x58c6e //the sum the accumulation must reach
0x58c6e/(125*0x159)=8 //not an exact division, so take 8 '}'s first
0x58c6e-125*0x159*8=0x48c6 //the part left over
0x48c6/0x159=0x36 //in the ASCII table 0x36 (54) is exactly '6', so...
The final name is }}}}}}}}6```
That's it``
------------------------------------------------------------
Level 3:
Introduction:
At first I didn't even know what it wanted` I saw an Edit control and 6 buttons on the form`` sweat``
Later I understood: it is actually quite like a CrackMe. Based on the name you enter it computes the corresponding buttons, and you click those buttons in order; if correct, it tells you!!
Process:
On the form you see "Press Start after entering name.", telling us to enter the name, click "Start" first, and then pick the correct 6 buttons in order
Enter "123456" -> click "Start" -> error immediately
Enter "abcdef" -> it becomes upper case -> click "Start" -> no reaction; my guess is that clicking "Start" triggers the algorithm and the buttons are chosen afterwards, that's how it is designed!
First use DeDe to find the code run when the first button is pressed, shown below (very regular code! We'll skip the algorithm behind "Start" for now and explain the 6 buttons first):
00434EF8 . FE05 74774300 inc byte ptr [437774] ;437774 is incremented (this address is key)
00434EFE . 33C0 xor eax, eax
00434F00 . A0 74774300 mov al, byte ptr [437774]
00434F05 . C680 5F774300>mov byte ptr [eax+43775F], 1 ;store 1 (very regular, see? this is the first button, and the six handlers below store 1,2,3,4,5,6 into memory in turn). This is the first click after program start, so 437774 holds 1, eax gets that 1 from 437774, and adding 43775f gives 437760 (this address is key);
00434F0C . E8 93FEFFFF call 00434DA4
00434F11 . C3 retn
00434F12 8BC0 mov eax, eax
00434F14 . FE05 74774300 inc byte ptr [437774] ;when any of these 6 buttons is clicked again, 437774 is incremented once more; suppose I click the second one this time, so we land here,
00434F1A . 33C0 xor eax, eax
00434F1C . A0 74774300 mov al, byte ptr [437774]
00434F21 . C680 5F774300>mov byte ptr [eax+43775F], 2 ;the second one, so 2 is stored at 437761, because 437774 has been incremented and eax is now 2` heh`` don't get confused
00434F28 . E8 77FEFFFF call 00434DA4
00434F2D . C3 retn
00434F2E 8BC0 mov eax, eax
00434F30 . FE05 74774300 inc byte ptr [437774] ;clicking any of these 6 buttons again increments 437774 once more
00434F36 . 33C0 xor eax, eax
00434F38 . A0 74774300 mov al, byte ptr [437774]
00434F3D . C680 5F774300>mov byte ptr [eax+43775F], 3 ;suppose I click the third one, then 3 is stored at 437762 (the third click, mind you);
No more explanation for the rest!
00434F44 . E8 5BFEFFFF call 00434DA4
00434F49 . C3 retn
00434F4A 8BC0 mov eax, eax
00434F4C . FE05 74774300 inc byte ptr [437774]
00434F52 . 33C0 xor eax, eax
00434F54 . A0 74774300 mov al, byte ptr [437774]
00434F59 . C680 5F774300>mov byte ptr [eax+43775F], 4
00434F60 . E8 3FFEFFFF call 00434DA4
00434F65 . C3 retn
00434F66 8BC0 mov eax, eax
00434F68 . FE05 74774300 inc byte ptr [437774]
00434F6E . 33C0 xor eax, eax
00434F70 . A0 74774300 mov al, byte ptr [437774]
00434F75 . C680 5F774300>mov byte ptr [eax+43775F], 5
00434F7C . E8 23FEFFFF call 00434DA4
00434F81 . C3 retn
00434F82 8BC0 mov eax, eax
00434F84 . FE05 74774300 inc byte ptr [437774]
00434F8A . 33C0 xor eax, eax
00434F8C . A0 74774300 mov al, byte ptr [437774]
00434F91 . C680 5F774300>mov byte ptr [eax+43775F], 6
00434F98 . E8 07FEFFFF call 00434DA4
00434F9D . C3 retn
00434F9E 8BC0 mov eax, eax
00434FA0 . C605 74774300>mov byte ptr [437774], 0
00434FA7 . C605 75774300>mov byte ptr [437775], 1
00434FAE . E8 5DFDFFFF call 00434D10
00434FB3 . C3 retn
A general word here first! 437774 is 0 at program start and is incremented on each click of these 6 buttons; from left to right the buttons are the first, second, ... one!
Now let's look at the algorithm behind "Start"; follow the call at 00434FAE:
00434D10 /$ 55 push ebp
00434D11 |. 8BEC mov ebp, esp
00434D13 |. 6A 00 push 0
00434D15 |. 53 push ebx
00434D16 |. 56 push esi
00434D17 |. 33C0 xor eax, eax
00434D19 |. 55 push ebp
00434D1A |. 68 974D4300 push 00434D97
00434D1F |. 64:FF30 push dword ptr fs:[eax]
00434D22 |. 64:8920 mov dword ptr fs:[eax], esp
00434D25 |. 803D 75774300>cmp byte ptr [437775], 1
00434D2C |. 75 53 jnz short 00434D81
00434D2E |. 8D55 FC lea edx, dword ptr [ebp-4]
00434D31 |. A1 58774300 mov eax, dword ptr [437758]
00434D36 |. 8B80 3C020000 mov eax, dword ptr [eax+23C]
00434D3C |. E8 9F60FEFF call 0041ADE0 ;get name
00434D41 |. 8B55 FC mov edx, dword ptr [ebp-4]
00434D44 |. A1 58774300 mov eax, dword ptr [437758]
00434D49 |. 8B08 mov ecx, dword ptr [eax]
00434D4B |. FF51 18 call dword ptr [ecx+18]
00434D4E |. B3 01 mov bl, 1
00434D50 |. BE 68774300 mov esi, 00437768 ;437768 is a key address`` remember it, it is where the results are stored!
00434D55 |> 33C0 /xor eax, eax ;loop starts
00434D57 |. 8AC3 |mov al, bl
00434D59 |. 8B15 58774300 |mov edx, dword ptr [437758]
00434D5F |. 8B52 08 |mov edx, dword ptr [edx+8]
00434D62 |. 0FB64402 FF |movzx eax, byte ptr [edx+eax-1] ;fetch each character of name
00434D67 |. B9 07000000 |mov ecx, 7 ;7 into ecx
00434D6C |. 99 |cdq
00434D6D |. F7F9 |idiv ecx ;divide
00434D6F |. 8BCA |mov ecx, edx ;remainder into ecx
00434D71 |. 880E |mov byte ptr [esi], cl ;store the remainder at the address in esi,
00434D73 |. 84C9 |test cl, cl ;is the remainder zero, i.e. did the division come out exact
00434D75 |. 75 03 |jnz short 00434D7A ;not exact -> jump
00434D77 |. C606 03 |mov byte ptr [esi], 3 ;if it divided exactly there is no remainder; this makes sure every character yields a result: with no remainder the result is 3,
00434D7A |> 43 |inc ebx
00434D7B |. 46 |inc esi
00434D7C |. 80FB 07 |cmp bl, 7 ;loop count is 6: no matter how many characters were entered, bl runs from 1 to 6
00434D7F |.^ 75 D4 \jnz short 00434D55
00434D81 |> 33C0 xor eax, eax
00434D83 |. 5A pop edx
00434D84 |. 59 pop ecx
00434D85 |. 59 pop ecx
00434D86 |. 64:8910 mov dword ptr fs:[eax], edx
00434D89 |. 68 9E4D4300 push 00434D9E
00434D8E |> 8D45 FC lea eax, dword ptr [ebp-4]
00434D91 |. E8 F2E8FCFF call 00403688
00434D96 \. C3 retn
No matter how many characters you enter, only 6 are processed, because there are only 6 buttons!
Good`` now let's step into the key compare call of the 6 buttons!! Don't worry`` there aren't 6 of them, they all share one!~ sweat`~
Break at 434ef8, click the first button, it breaks; step into the call below and you arrive here:
00434DA4 /$ 53 push ebx
00434DA5 |. C605 73774300>mov byte ptr [437773], 0
00434DAC |. 803D 74774300>cmp byte ptr [437774], 6 ;why compare with 6? you know now! 437774~~ whichever of the 6 buttons we click, this byte is incremented, so this ensures exactly 6 clicks! which six, it does not care`
00434DB3 |. 75 55 jnz short 00434E0A ;fewer than 6 clicks -> fail (silently, no message)
00434DB5 |. B0 01 mov al, 1
00434DB7 |. BA 60774300 mov edx, 00437760 ;this address is familiar, analysed above! after program start, each button click stores the button number here: e.g. the first click on the first button puts 1 in 437760, a second click on the 6th puts 6 in 437761
00434DBC |. B9 68774300 mov ecx, 00437768 ;you haven't forgotten this address, have you! sweat` it holds our remainders~
00434DC1 |> 8A1A /mov bl, byte ptr [edx] ;fetch the number of the button clicked first
00434DC3 |. 3A19 |cmp bl, byte ptr [ecx] ;compare with the remainder
00434DC5 |. 74 09 |je short 00434DD0 ;equal -> jump
00434DC7 |. C605 73774300>|mov byte ptr [437773], 0 ;437773 is a flag, set to 0 on a wrong click
00434DCE |. EB 0E |jmp short 00434DDE
00434DD0 |> C605 73774300>|mov byte ptr [437773], 1 ;correct -> set to 1
00434DD7 |. 40 |inc eax
00434DD8 |. 41 |inc ecx
00434DD9 |. 42 |inc edx
00434DDA |. 3C 07 |cmp al, 7 ;also compared 6 times!
00434DDC |.^ 75 E3 \jnz short 00434DC1
00434DDE |> 803D 73774300>cmp byte ptr [437773], 1
00434DE5 |. 75 13 jnz short 00434DFA
00434DE7 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00434DE9 |. 68 0C4E4300 push 00434E0C ; |bravo cracker!
00434DEE |. 68 1C4E4300 push 00434E1C ; |hey, man! you're the best :)\nyou've cracked all three levels\nnow, tell me how. mail your tut to\ngandalf_gcrew@hotmail.com.\n\nyou can also visit our page\nwere you will find more cool crackmes\ngandalf --==genocide crew==-- ;the success message
00434DF3 |. 6A 00 push 0 ; |hOwner = NULL
00434DF5 |. E8 D609FDFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00434DFA |> B0 01 mov al, 1
00434DFC |. BA 60774300 mov edx, 00437760
00434E01 |> C602 00 /mov byte ptr [edx], 0
00434E04 |. 40 |inc eax
00434E05 |. 42 |inc edx
00434E06 |. 3C 07 |cmp al, 7
00434E08 |.^ 75 F7 \jnz short 00434E01
00434E0A |> 5B pop ebx
00434E0B \. C3 retn
Summary:
So`` the algorithm is really simple` just a modulo,, it seems this CrackMe is mainly about improving analysis skills!
Take the first 6 characters of the entered name, take each modulo 7, and click the button whose number matches each remainder; that is correct,
Finally``
ABCDEFG -> click buttons 2,3,4,5,6, then go back and click button 3 (because the last one divides exactly, heh``) -> success message``
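As an added example (my code, not the author's), here is a Python model of the three checks recovered above; it reproduces the answers 3725, "2<F22222" / "}}}}}}}}6" and buttons 2,3,4,5,6,3 for ABCDEFG. The 11-byte truncation of the level-2 strings is inferred from `mov cl, 0B` before the ShortString conversion, and the upper-casing of the level-3 name from the observation above; both are assumptions.

```python
# Added example: a Python model of the three checks recovered in this post.
# Constants are taken from the listings above. Assumptions: level-2 strings
# are cut to 11 bytes (Delphi ShortString, `mov cl, 0B` before 004027D4) and
# the level-3 edit upper-cases its input, as observed in the post.

L1_XOR, L1_CMP = 0x2597, 0x2B1A                                # level 1
CODE_WEIGHT, CODE_XOR, CODE_CMP = 0x291, 0xF109E, 0xB5F10      # call(2)
NAME_WEIGHT, NAME_XOR, NAME_CMP = 0x159, 0xC9EFE, 0x91290      # call(3)
SHORTSTRING_MAX = 0x0B                                        # assumption


def level1_target() -> int:
    """The only slider value accepted: (value ^ 0x2597) == 0x2B1A."""
    return L1_CMP ^ L1_XOR  # 0x0E8D == 3725


def level1_check(value: int) -> bool:
    return (value ^ L1_XOR) == L1_CMP


def weighted_sum(text: str, weight: int) -> int:
    """Loops at 00434AF3 / 00434A2F: add weight * byte for every byte."""
    data = text.encode("latin-1")[:SHORTSTRING_MAX]
    return sum(b * weight for b in data) & 0xFFFFFFFF


def level2_check(name: str, code: str) -> bool:
    """call(1): both non-empty; call(2): code check; call(3): name check."""
    if not name or not code:
        return False
    return (weighted_sum(code, CODE_WEIGHT) ^ CODE_XOR == CODE_CMP
            and weighted_sum(name, NAME_WEIGHT) ^ NAME_XOR == NAME_CMP)


def byte_sum_target(xor_const: int, cmp_const: int, weight: int) -> int:
    """Reverse a level-2 check: the byte sum a valid string must reach."""
    total = xor_const ^ cmp_const          # equals sum(byte) * weight
    if total % weight:
        raise ValueError("check constants admit no exact solution")
    return total // weight                 # 430 for code, 1054 for name


def level3_buttons(name: str) -> list:
    """Loop at 00434D55: first six bytes mod 7; remainder 0 becomes 3."""
    data = name.upper().encode("latin-1")[:6]
    if len(data) < 6:
        raise ValueError("the routine reads six characters")
    return [(b % 7) or 3 for b in data]


if __name__ == "__main__":
    print(level1_target(), byte_sum_target(CODE_XOR, CODE_CMP, CODE_WEIGHT),
          level2_check("}}}}}}}}6", "2<F22222"), level3_buttons("ABCDEFG"))
```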
----------------------------------------------------------------------------
All three levels done`` simple, isn't it!! heh``
----------------------------------------------------------------------------------
└Lessons learned┐:
Heh`` so cracking isn't that hard after all, at least this one wasn't @@ ^.^``
----------------------------------------------------------------------------------
└Copyright┐ This article was originally written for the Pediy (看雪) software security forum; when reposting please credit the author and keep the article intact, thanks!
April 11, 2007, 19:32:35