-
-
[原创]利用IDA+Hex-Rays快速分析Korrect2(高手勿看)
-
发表于:
2008-2-25 11:16
13699
-
[原创]利用IDA+Hex-Rays快速分析Korrect2(高手勿看)
【文章标题】: 利用IDA+Hex-Rays快速分析Korrect2
【文章作者】: NWMonster
【作者QQ号】: 414211565
【软件名称】: Korrect2(CrackME)
【软件大小】: 12,800 字节
【下载地址】: http://www.crackmes.de/users/servitute/encrypted_v._2_find_the_right_word_to_pass/
【保护方式】: 无
【编写语言】: C++
【使用工具】: IDA+Hex-Rays/Calc/Ascii Table
【操作平台】: WinXP sp2
【软件介绍】: Difficulty: 2 - Needs a little brain (or luck)
【作者声明】: 没有感兴趣,只有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
先使用IDA对程序进行分析,找到判断字串的函数----> sub_4012B0
利用Hex-Rays分析这个函数得到。
int __cdecl sub_4012B0()
{
int v0; // eax@3
signed int v2; // [sp+1Ch] [bp-BCh]@1
char v3; // [sp+60h] [bp-78h]@1
char *v4; // [sp+5Ch] [bp-7Ch]@1
int v5; // [sp+58h] [bp-80h]@1
signed int v6; // [sp+24h] [bp-B4h]@1
signed int v7; // [sp+54h] [bp-84h]@1
signed int v8; // [sp+2Ch] [bp-ACh]@1
signed int v9; // [sp+30h] [bp-A8h]@1
signed int v10; // [sp+34h] [bp-A4h]@1
signed int v11; // [sp+38h] [bp-A0h]@1
signed int v12; // [sp+3Ch] [bp-9Ch]@1
signed int v13; // [sp+40h] [bp-98h]@1
signed int v14; // [sp+44h] [bp-94h]@1
signed int v15; // [sp+48h] [bp-90h]@1
signed int v16; // [sp+4Ch] [bp-8Ch]@1
signed int v17; // [sp+50h] [bp-88h]@1
signed int v18; // [sp+28h] [bp-B0h]@1
_BYTE v19[8]; // [sp+D0h] [bp-8h]@5
char v20; // [sp+65h] [bp-73h]@8
char v21; // [sp+61h] [bp-77h]@11
char v22; // [sp+67h] [bp-71h]@17
char v23; // [sp+62h] [bp-76h]@20
char v24; // [sp+64h] [bp-74h]@23
char v25; // [sp+68h] [bp-70h]@26
char v26; // [sp+63h] [bp-75h]@29
char v27; // [sp+66h] [bp-72h]@32
char v28; // [sp+69h] [bp-6Fh]@35
signed int v29; // [sp+20h] [bp-B8h]@42
v2 = 16;
sub_401AA0();
sub_401740();
sub_401BE0("*******************************");
sub_401BE0("\n\nWhat's the right word to enter?");
sub_401BE0("\n\n>> ");
sub_401BD0(&v3);
v4 = "brunelleschi";
v5 = 0;
v6 = 0;
v7 = 100;
v8 = 12;
v9 = 12;
v10 = 12;
v11 = 12;
v12 = 12;
v13 = 12;
v14 = 12;
v15 = 12;
v16 = 12;
v17 = 12;
v18 = 0;
while ( v18 != 100 )
++v18;
v18 = -1;
v0 = sub_401BC0(&v3);
v5 = v0 + 1;
v19[v0 - 111] = 122;
v19[v5 - 111] = 105;
if ( v5 > 10 )
v18 = 104;
while ( v6 <= 665 )
{
if ( v20 == 99 )
v18 = 0;
else
v18 = -32;
if ( v21 == 115 )
v16 = 0;
else
v16 = -2;
if ( v3 == 116 )
v15 = 0;
else
v15 = 2;
if ( v22 == 111 )
v14 = 0;
else
v14 = 12;
if ( v23 == 99 )
v13 = 0;
else
v13 = 14;
if ( v24 == 105 )
v12 = 0;
else
v12 = -2;
if ( v25 == 108 )
v11 = 0;
else
v11 = -22222;
if ( v26 == 104 )
v10 = 0;
else
v10 = 3;
if ( v27 == 104 )
v9 = 0;
else
v9 = 9;
if ( v28 == 100 )
v8 = 0;
else
v8 = 5;
v6 += 12;
}
v4 = "brunelleschi";
v7 = 0;
while ( v7 <= 11 )
++v7;
v29 = v18;
if ( !v18 )
{
if ( !v18 )
{
if ( !v17 )
{
if ( !v16 )
{
if ( !v15 )
{
if ( !v14 )
{
if ( !v13 )
{
if ( !v12 )
{
if ( !v11 )
{
if ( !v10 )
{
if ( !v9 )
{
if ( !v8 )
v29 = 0;
}
}
}
}
}
}
}
}
}
}
}
if ( !sub_401BB0(&v3, "brunelleschi") )
v29 = 690;
if ( v29 )
{
if ( v29 == 690 )
sub_401BE0("\n\nAhahah! No! Try again...");
else
sub_401BE0("\n\nNein! Try again...");
}
else
{
sub_401BE0("\n\nYes! Es ist gut!");
}
sub_401BE0("\n\n");
sub_401BA0("pause");
return 0;
}
看到如上代码。足见
while ( v6 <= 665 )
{
if ( v20 == 99 )
v18 = 0;
else
v18 = -32;
if ( v21 == 115 )
v16 = 0;
else
v16 = -2;
if ( v3 == 116 )
v15 = 0;
else
v15 = 2;
if ( v22 == 111 )
v14 = 0;
else
v14 = 12;
if ( v23 == 99 )
v13 = 0;
else
v13 = 14;
if ( v24 == 105 )
v12 = 0;
else
v12 = -2;
if ( v25 == 108 )
v11 = 0;
else
v11 = -22222;
if ( v26 == 104 )
v10 = 0;
else
v10 = 3;
if ( v27 == 104 )
v9 = 0;
else
v9 = 9;
if ( v28 == 100 )
v8 = 0;
else
v8 = 5;
v6 += 12;
}
是关键判断机制。brunelleschi是个诱人的字串
int v0; // eax@3
signed int v2; // [sp+1Ch] [bp-BCh]@1
char v3; // [sp+60h] [bp-78h]@1 <===================注意
char *v4; // [sp+5Ch] [bp-7Ch]@1
int v5; // [sp+58h] [bp-80h]@1
signed int v6; // [sp+24h] [bp-B4h]@1
signed int v7; // [sp+54h] [bp-84h]@1
signed int v8; // [sp+2Ch] [bp-ACh]@1
signed int v9; // [sp+30h] [bp-A8h]@1
signed int v10; // [sp+34h] [bp-A4h]@1
signed int v11; // [sp+38h] [bp-A0h]@1
signed int v12; // [sp+3Ch] [bp-9Ch]@1
signed int v13; // [sp+40h] [bp-98h]@1
signed int v14; // [sp+44h] [bp-94h]@1
signed int v15; // [sp+48h] [bp-90h]@1
signed int v16; // [sp+4Ch] [bp-8Ch]@1
signed int v17; // [sp+50h] [bp-88h]@1
signed int v18; // [sp+28h] [bp-B0h]@1
_BYTE v19[8]; // [sp+D0h] [bp-8h]@5
char v20; // [sp+65h] [bp-73h]@8 ×-----------------------×
char v21; // [sp+61h] [bp-77h]@11
char v22; // [sp+67h] [bp-71h]@17
char v23; // [sp+62h] [bp-76h]@20 字串
char v24; // [sp+64h] [bp-74h]@23
char v25; // [sp+68h] [bp-70h]@26
char v26; // [sp+63h] [bp-75h]@29
char v27; // [sp+66h] [bp-72h]@32
char v28; // [sp+69h] [bp-6Fh]@35 ×-----------------------×
signed int v29; // [sp+20h] [bp-B8h]@42
定义了这么多。仔细看发现v20 v21 ……其实有很多联通之处[sp+6xh]是连贯的。说明他是一个一个字母进行比对的
注意v3是[sp+60h]参与比对,定义在上头了,呵呵
好,看到对比,注意他是用十进制的。所以换算下然后查AsciiTable得到:
char v3; // [sp+60h] [bp-78h]@1 t
char v20; // [sp+65h] [bp-73h]@8 c
char v21; // [sp+61h] [bp-77h]@11 s
char v22; // [sp+67h] [bp-71h]@17 o
char v23; // [sp+62h] [bp-76h]@20 c
char v24; // [sp+64h] [bp-74h]@23 i
char v25; // [sp+68h] [bp-70h]@26 l
char v26; // [sp+63h] [bp-75h]@29 h
char v27; // [sp+66h] [bp-72h]@32 h
char v28; // [sp+69h] [bp-6Fh]@35 d
按顺序整理可得:
tschichold
完成
--------------------------------------------------------------------------------
【经验总结】
IDA>>OllyDBG
--------------------------------------------------------------------------------
【版权声明】: 请随便抄袭没有版权。
2008年02月25日 11:18:06
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
这东西上周末研究半天也没效果……
Thx for share......斑斑怎么还不来加精华啊?
