本人刚找到了解决的方法,马上就放出来.它用到了父进程检测,还有就是检查进程的目录下是否有OLLYDBG.INI,
用来检测我们亲爱的OD.这一点我们完全可以用公版的OD把相关特征都改掉,不过插件也要改,这样是最好的
方法.并且在显示第一个窗口时,它用一个计时器来不断重复进行检测.下面我们开始吧.第一,最好先有一个自
己修改过的OD,包括插件.之后先运行目标程序,会在当前用户的\Local Settings\TEMP目录下生成一个
pf1.dll,这个就是由目标程序同一目录中的同名DLL解密得来的;同目录下的那个DLL与它根本就不是同一个
文件.所以我们的目标要放在pf1.dll和目标EXE上.
一,运行目标程序,打开我们自己的OD,打开菜单"文件\附加",选取目标程序,点击"附加".我们将停在以下代码
处:
77FA144C C3 retn
77FA144D n> CC int3
77FA144E C3 retn
77FA144F 8B4424 04 mov eax,dword ptr ss:[esp+4]
这时我们按ALT+E打开"可执行模块"窗口,双击窗口中的可执行模块(项目 2):
基数=00400000
大小=00008000 (32768.)
入口=004025A8 riijj_cr.<ModuleEntryPoint>
名称=riijj_cr
文件版本=1, 0, 0, 1
路径=C:\Documents and Settings\Administrator\桌面\riijj_crackme.exe
这就是我们的目标程序.我们可以看到以下信息:
00401000 /$ C705 64694000 0100>mov dword ptr ds:[406964],1
0040100A |> 813D 746B4000 FF00>/cmp dword ptr ds:[406B74],0FF
00401014 |. 74 09 |je short riijj_cr.0040101F
00401016 |. A1 64694000 |mov eax,dword ptr ds:[406964]
0040101B |. 85C0 |test eax,eax
0040101D |. 75 07 |jnz short riijj_cr.00401026
0040101F |> E8 0C040000 |call riijj_cr.00401430
00401024 |.^ EB E4 \jmp short riijj_cr.0040100A
00401026 \> C3 retn
向下看
00401260 /$ 55 push ebp
00401261 |. 56 push esi
00401262 |. 57 push edi
00401263 |. BF 30604000 mov edi,riijj_cr.00406030
; ASCII "pf1.dll"
00401268 |. 83C9 FF or ecx,FFFFFFFF
0040126B |. 33C0 xor eax,eax
0040126D |. F2:AE repne scas byte ptr es:[edi]
0040126F |. F7D1 not ecx
00401271 |. 2BF9 sub edi,ecx
00401273 |. 50 push eax
; /FailIfExists => FALSE
00401274 |. 8BF7 mov esi,edi
; |
00401276 |. 8BD1 mov edx,ecx
; |
00401278 |. BF 80694000 mov edi,riijj_cr.00406980
; |ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pf1.dll"
0040127D |. 83C9 FF or ecx,FFFFFFFF
; |
00401280 |. F2:AE repne scas byte ptr es:[edi]
; |
00401282 |. 8BCA mov ecx,edx
; |
00401284 |. 4F dec edi
; |
00401285 |. C1E9 02 shr ecx,2
; |
00401288 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
; |
0040128A |. 8BCA mov ecx,edx
; |
0040128C |. 68 80694000 push riijj_cr.00406980
; |NewFileName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pf1.dll"
00401291 |. 83E1 03 and ecx,3
; |
00401294 |. 68 30604000 push riijj_cr.00406030
; |ExistingFileName = "pf1.dll"
00401299 |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
; |
0040129B |. FF15 1C504000 call dword ptr ds:[<&KERNEL32.CopyFileA>]
; \CopyFileA
004012A1 |. 6A 00 push 0
; /hTemplateFile = NULL
004012A3 |. 6A 00 push 0
; |Attributes = 0
004012A5 |. 6A 03 push 3
; |Mode = OPEN_EXISTING
004012A7 |. 6A 00 push 0
; |pSecurity = NULL
004012A9 |. 6A 00 push 0
; |ShareMode = 0
004012AB |. 68 000000C0 push C0000000
; |Access = GENERIC_READ|GENERIC_WRITE
004012B0 |. 68 80694000 push riijj_cr.00406980
; |FileName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pf1.dll"
004012B5 |. FF15 18504000 call dword ptr ds:[<&KERNEL32.CreateFileA>]
; \CreateFileA
004012BB |. 8BF0 mov esi,eax
004012BD |. 6A 00 push 0
; /pFileSizeHigh = NULL
004012BF |. 56 push esi
; |hFile
004012C0 |. FF15 14504000 call dword ptr ds:[<&KERNEL32.GetFileSize>]
; \GetFileSize
004012C6 |. 6A 00 push 0
; /MapName = NULL
004012C8 |. 6A 00 push 0
; |MaximumSizeLow = 0
004012CA |. 6A 00 push 0
; |MaximumSizeHigh = 0
004012CC |. 68 04000008 push 8000004
; |Protection = PAGE_READWRITE|SEC_COMMIT
004012D1 |. 6A 00 push 0
; |pSecurity = NULL
004012D3 |. 56 push esi
; |hFile
004012D4 |. 8BF8 mov edi,eax
; |
004012D6 |. FF15 10504000 call dword ptr ds:[<&KERNEL32.CreateFileMappingA>]
; \CreateFileMappingA
004012DC |. 6A 00 push 0
; /MapSize = 0
004012DE |. 6A 00 push 0
; |OffsetLow = 0
004012E0 |. 8BE8 mov ebp,eax
; |
004012E2 |. 6A 00 push 0
; |OffsetHigh = 0
004012E4 |. 68 1F000F00 push 0F001F
; |AccessMode = F001F
004012E9 |. 55 push ebp
; |hMapObject
004012EA |. FF15 0C504000 call dword ptr ds:[<&KERNEL32.MapViewOfFile>]
; \MapViewOfFile
004012F0 |. 33C9 xor ecx,ecx
004012F2 |. 85FF test edi,edi
004012F4 |. 76 17 jbe short riijj_cr.0040130D
004012F6 |. 53 push ebx
004012F7 |> 8A1401 /mov dl,byte ptr ds:[ecx+eax]
004012FA |. 8A1D 886B4000 |mov bl,byte ptr ds:[406B88]
00401300 |. 32D3 |xor dl,bl
00401302 |. 32D1 |xor dl,cl
00401304 |. 881401 |mov byte ptr ds:[ecx+eax],dl
00401307 |. 41 |inc ecx
00401308 |. 3BCF |cmp ecx,edi
0040130A |.^ 72 EB \jb short riijj_cr.004012F7
0040130C |. 5B pop ebx
0040130D |> 50 push eax
; /BaseAddress
0040130E |. FF15 08504000 call dword ptr ds:[<&KERNEL32.UnmapViewOfFile>]
; \UnmapViewOfFile
00401314 |. 8B3D 04504000 mov edi,dword ptr ds:[<&KERNEL32.CloseHandle>]
; KERNEL32.CloseHandle
0040131A |. 55 push ebp
; /hObject
0040131B |. FFD7 call edi
; \CloseHandle
0040131D |. 56 push esi
; /hObject
0040131E |. FFD7 call edi
; \CloseHandle
00401320 |. 5F pop edi
00401321 |. 5E pop esi
00401322 |. 5D pop ebp
00401323 \. C3 retn
这一大段的大概意思就是:把同目录下的pf1.dll复制到当前用户的\Local Settings\TEMP目录下,再把它映射到内存,逐字节与[406B88]处的密钥和字节下标异或解密,从而生成真正的pf1.dll.
00401330 /$ A1 786B4000 mov eax,dword ptr ds:[406B78]
00401335 |. 8B0D 8C6B4000 mov ecx,dword ptr ds:[406B8C]
0040133B |. 56 push esi
0040133C |. 6A 00 push 0
; /lParam = NULL
0040133E |. 50 push eax
; |hInst => 00400000
0040133F |. 68 C9000000 push 0C9
; |hMenu = 000000C9
00401344 |. 51 push ecx
; |hParent => 00130170 (class='#32770',parent=000D014A)
00401345 |. 8B35 48514000 mov esi,dword ptr ds:[<&USER32.CreateWindowExA>]
; |USER32.CreateWindowExA
0040134B |. 6A 12 push 12
; |Height = 12 (18.)
0040134D |. 68 A0000000 push 0A0
; |Width = A0 (160.)
00401352 |. 6A 0B push 0B
; |Y = B (11.)
00401354 |. 6A 32 push 32
; |X = 32 (50.)
00401356 |. 68 80008050 push 50800080
; |Style = WS_CHILD|WS_VISIBLE|WS_BORDER|80
0040135B |. 6A 00 push 0
; |WindowName = NULL
0040135D |. 68 38604000 push riijj_cr.00406038
; |Class = "edit"
00401362 |. 6A 00 push 0
; |ExtStyle = 0
00401364 |. FFD6 call esi
; \CreateWindowExA
00401366 |. 8B15 786B4000 mov edx,dword ptr ds:[406B78]
; riijj_cr.00400000
0040136C |. A3 60694000 mov dword ptr ds:[406960],eax
00401371 |. A1 8C6B4000 mov eax,dword ptr ds:[406B8C]
00401376 |. 6A 00 push 0
; /lParam = NULL
00401378 |. 52 push edx
; |hInst => 00400000
00401379 |. 68 CA000000 push 0CA
; |hMenu = 000000CA (window)
0040137E |. 50 push eax
; |hParent => 00130170 (class='#32770',parent=000D014A)
0040137F |. 6A 12 push 12
; |Height = 12 (18.)
00401381 |. 68 A0000000 push 0A0
; |Width = A0 (160.)
00401386 |. 6A 29 push 29
; |Y = 29 (41.)
00401388 |. 6A 32 push 32
; |X = 32 (50.)
0040138A |. 68 80008050 push 50800080
; |Style = WS_CHILD|WS_VISIBLE|WS_BORDER|80
0040138F |. 6A 00 push 0
; |WindowName = NULL
00401391 |. 68 38604000 push riijj_cr.00406038
; |Class = "edit"
00401396 |. 6A 00 push 0
; |ExtStyle = 0
00401398 |. FFD6 call esi
; \CreateWindowExA
0040139A |. A3 946B4000 mov dword ptr ds:[406B94],eax
0040139F |. 5E pop esi
004013A0 \. C3 retn
以上是动态创建两个文本框(edit控件).所以我们用资源工具打开时对话框中没有文本框,因为它们是在运行时创建的.
由于太多只好再发一贴了
004013B0 /$ E8 ABFEFFFF call riijj_cr.00401260
004013B5 |. 68 80694000 push riijj_cr.00406980
; /FileName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pf1.dll"
004013BA |. FF15 24504000 call dword ptr ds:[<&KERNEL32.LoadLibraryA>]
; \LoadLibraryA
004013C0 |. 68 40604000 push riijj_cr.00406040
; /ProcNameOrOrdinal = "happytime"
004013C5 |. 50 push eax
; |hModule
004013C6 |. FF15 20504000 call dword ptr ds:[<&KERNEL32.GetProcAddress>]
; \GetProcAddress
004013CC |. A3 7C6B4000 mov dword ptr ds:[406B7C],eax
004013D1 \. C3 retn
以上是载入pf1.dll,并用GetProcAddress取得其中happytime函数的地址,保存到[406B7C].
004016AC |. 33C0 xor eax,eax
004016AE |. 83E1 03 and ecx,3
004016B1 |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
004016B3 |. BF A06B4000 mov edi,riijj_cr.00406BA0
; ASCII "ollydbg.ini"
004016B8 |. 83C9 FF or ecx,FFFFFFFF
004016BB |. F2:AE repne scas byte ptr es:[edi]
004016BD |. F7D1 not ecx
004016BF |. 2BF9 sub edi,ecx
004016C1 |. 8BF7 mov esi,edi
004016C3 |. 8BD9 mov ebx,ecx
004016C5 |. 8BFA mov edi,edx
004016C7 |. 83C9 FF or ecx,FFFFFFFF
004016CA |. F2:AE repne scas byte ptr es:[edi]
004016CC |. 8BCB mov ecx,ebx
004016CE |. 4F dec edi
004016CF |. C1E9 02 shr ecx,2
004016D2 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
004016D4 |. 8BCB mov ecx,ebx
004016D6 |. 8D4424 0C lea eax,dword ptr ss:[esp+C]
004016DA |. 83E1 03 and ecx,3
004016DD |. 50 push eax
; /FileName
004016DE |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
; |
004016E0 |. FF15 28504000 call dword ptr ds:[<&KERNEL32.GetFileAttributesA>]
; \GetFileAttributesA
004016E6 |. 5F pop edi
004016E7 |. 5E pop esi
004016E8 |. 83F8 FF cmp eax,-1
004016EB |. 5B pop ebx
004016EC |. 74 05 je short riijj_cr.004016F3
004016EE |. E8 3DFBFFFF call riijj_cr.00401230
004016F3 |> 81C4 F4010000 add esp,1F4
004016F9 \. C3 retn
这一段可是要杀不少人呀:它在进程目录下拼出ollydbg.ini的路径并调用GetFileAttributesA,返回值不为-1(文件存在)就调用00401230.
00401700 /$ 81EC 4C030000 sub esp,34C
00401706 |. 57 push edi
00401707 |. 6A 00 push 0
; /ProcessID = 0
00401709 |. 6A 02 push 2
; |Flags = TH32CS_SNAPPROCESS
0040170B |. C74424 0C 28010000 mov dword ptr ss:[esp+C],128
; |
00401713 |. C78424 34010000 24>mov dword ptr ss:[esp+134],224
; |
0040171E |. C705 886B4000 C300>mov dword ptr ds:[406B88],0C3
; |
00401728 |. E8 A7060000 call <jmp.&KERNEL32.CreateToolhelp32Snapshot>
; \CreateToolhelp32Snapshot
0040172D |. 8BF8 mov edi,eax
0040172F |. 85FF test edi,edi
00401731 0F84 8D000000 je riijj_cr.004017C4
00401737 |. 8D4424 04 lea eax,dword ptr ss:[esp+4]
0040173B |. 50 push eax
; /pProcessentry
0040173C |. 57 push edi
; |hSnapshot
0040173D |. E8 8C060000 call <jmp.&KERNEL32.Process32First>
; \Process32First
00401742 |. A1 806B4000 mov eax,dword ptr ds:[406B80]
00401747 |. 85C0 test eax,eax
00401749 |. 74 26 je short riijj_cr.00401771
0040174B |. 8B0D 9C6B4000 mov ecx,dword ptr ds:[406B9C]
00401751 |. 85C9 test ecx,ecx
00401753 |. 75 1C jnz short riijj_cr.00401771
00401755 |. 68 E0114000 push riijj_cr.004011E0
; /Timerproc = riijj_cr.004011E0
0040175A |. 6A 64 push 64
; |Timeout = 100. ms
0040175C |. 6A 02 push 2
; |TimerID = 2
0040175E |. 50 push eax
; |hWnd => 000D014A ('Riijj Crackme - 20041121',class='Class123')
0040175F |. FF15 4C514000 call dword ptr ds:[<&USER32.SetTimer>]
; \SetTimer
00401765 |. A1 9C6B4000 mov eax,dword ptr ds:[406B9C]
0040176A |. 0C 01 or al,1
0040176C |. A3 9C6B4000 mov dword ptr ds:[406B9C],eax
00401771 |> 56 push esi
00401772 |> 8B4C24 10 /mov ecx,dword ptr ss:[esp+10]
00401776 |. 51 |push ecx
; /ProcessID
00401777 |. 6A 08 |push 8
; |Flags = TH32CS_SNAPMODULE
00401779 |. E8 56060000 |call <jmp.&KERNEL32.CreateToolhelp32Snapshot>
; \CreateToolhelp32Snapshot
0040177E |. 8D9424 30010000 |lea edx,dword ptr ss:[esp+130]
00401785 |. 8BF0 |mov esi,eax
00401787 |. 52 |push edx
; /pModuleentry
00401788 |. 56 |push esi
; |hSnapshot
00401789 |. E8 3A060000 |call <jmp.&KERNEL32.Module32First>
; \Module32First
0040178E |. 85C0 |test eax,eax
00401790 |. 74 10 |je short riijj_cr.004017A2
00401792 |> 8D8424 30010000 |lea eax,dword ptr ss:[esp+130]
00401799 |. 50 |push eax
0040179A |. E8 A1FEFFFF |call riijj_cr.00401640
0040179F |. 83C4 04 |add esp,4
004017A2 |> 8D8C24 30010000 |lea ecx,dword ptr ss:[esp+130]
004017A9 |. 51 |push ecx
; /pModuleentry
004017AA |. 56 |push esi
; |hSnapshot
004017AB |. E8 12060000 |call <jmp.&KERNEL32.Module32Next>
; \Module32Next
004017B0 |. 85C0 |test eax,eax
004017B2 |.^ 75 DE |jnz short riijj_cr.00401792
004017B4 |. 8D5424 08 |lea edx,dword ptr ss:[esp+8]
004017B8 |. 52 |push edx
; /pProcessentry
004017B9 |. 57 |push edi
; |hSnapshot
004017BA |. E8 FD050000 |call <jmp.&KERNEL32.Process32Next>
; \Process32Next
004017BF |. 85C0 |test eax,eax
004017C1 |.^ 75 AF \jnz short riijj_cr.00401772
004017C3 |. 5E pop esi
004017C4 |> 5F pop edi
004017C5 |. 81C4 4C030000 add esp,34C
004017CB \. C3 retn
这一段可是关键呀:这就是父进程检测,它把进程一个一个地找过去.所以我们只要把
00401731 0F84 8D000000 je riijj_cr.004017C4
改为
00401731 /E9 8E000000 jmp riijj_cr.004017C4
00401736 90 nop
直接跳过循环检测.再点运行,是不是成功了,没有出错.下一步我们找按钮事件,可以来到00401160:
00401160 . 817C24 08 11010000 cmp dword ptr ss:[esp+8],111
00401168 . 75 14 jnz short riijj_cr.0040117E
0040116A . 817C24 0C EE030000 cmp dword ptr ss:[esp+C],3EE ; 这里就是判断的地方
00401172 . 75 0A jnz short riijj_cr.0040117E ; 如果是按下了注册按钮就不会跳
00401174 . C705 846B4000 0100>mov dword ptr ds:[406B84],1
0040117E > 33C0 xor eax,eax
00401180 . C2 1000 retn 10
在00401174下断,输入用户名:gatestone,注册码:987654321,点确定,是不是断了下来?我们一直F8单步,就来到
了pf1.dll的地盘.
10001010 p> 81EC 84000000 sub esp,84
10001016 B9 19000000 mov ecx,19
1000101B 33C0 xor eax,eax
; pf1.happytime
1000101D 53 push ebx
1000101E 55 push ebp
1000101F 56 push esi
10001020 57 push edi
...
1000105D 83FD 0F cmp ebp,0F 用户名长度与16比较是不是大于
10001060 AA stos byte ptr es:[edi]
10001061 0F8F A1000000 jg pf1.10001108大于就出错了.
10001067 83FD 04 cmp ebp,4
1000106A 0F8C 98000000 jl pf1.10001108小于4就出错了.用户名长度为5-15
10001070 83FA 1E cmp edx,1E
10001073 0F8F 8F000000 jg pf1.10001108与30比较是一样的.
10001079 83FA 04 cmp edx,4
1000107C 0F8C 86000000 jl pf1.10001108同上.
10001082 33C9 xor ecx,ecx
10001084 85ED test ebp,ebp
10001086 76 26 jbe short pf1.100010AE如果长度为零就走人.
10001088 8D7424 11 lea esi,dword ptr ss:[esp+11]
1000108C 0FBE0419 movsx eax,byte ptr ds:[ecx+ebx]
10001090 99 cdq
10001091 BF 62000000 mov edi,62
10001096 83C6 02 add esi,2
10001099 F7FF idiv edi
1000109B 41 inc ecx
1000109C 3BCD cmp ecx,ebp
1000109E 8A4414 30 mov al,byte ptr ss:[esp+edx+30]
100010A2 8A5414 31 mov dl,byte ptr ss:[esp+edx+31]
100010A6 8846 FD mov byte ptr ds:[esi-3],al
100010A9 8856 FE mov byte ptr ds:[esi-2],dl
100010AC ^ 72 DE jb short pf1.1000108C ; 这里不停地向上跳转,是在根据我们的用户名计算注册码呢!
100010AE 8BB424 9C000000 mov esi,dword ptr ss:[esp+9C]
100010B5 C64424 2E 00 mov byte ptr ss:[esp+2E],0
100010BA 8D4424 10 lea eax,dword ptr ss:[esp+10]这里我们看到了计算后的注册码
堆栈地址=0012F5F0, (ASCII "jhtamcugqmmclbnlug")
eax=00000075
100010BE 8A10 mov dl,byte ptr ds:[eax]
100010C0 8A1E mov bl,byte ptr ds:[esi]
100010C2 8ACA mov cl,dl
100010C4 3AD3 cmp dl,bl
100010C6 75 1E jnz short pf1.100010E6
..
100010E6 1BC0 sbb eax,eax
100010E8 83D8 FF sbb eax,-1
100010EB 85C0 test eax,eax
100010ED 75 19 jnz short pf1.10001108 ; 这个跳转就是决定成功与否的地方了.
100010EF 50 push eax
100010F0 8B8424 A4000000 mov eax,dword ptr ss:[esp+A4]
100010F7 68 4C500010 push pf1.1000504C
; ASCII "Crackme"
100010FC 68 30500010 push pf1.10005030
; ASCII "Registration successful !"
10001101 50 push eax
10001102 FF15 B0400010 call dword ptr ds:[<&USER32.MessageBoxA>]
; USER32.MessageBoxA
总结.用户名:gatestone,注册码:jhtamcugqmmclbnlug.如果有人问"我想爆破怎么办",那我要告诉你:你
只能用内存补丁了,而且要补的是TEMP目录下的那个哦.
全文完.写了我半个多小时,真正找起来也没花多少时间,希望能与大家分享.不过,为什么点注册按钮的
事件是在
00401160 . 817C24 08 11010000 cmp dword ptr ss:[esp+8],111
00401168 . 75 14 jnz short riijj_cr.0040117E
0040116A . 817C24 0C EE030000 cmp dword ptr ss:[esp+C],3EE ; 这里就是判断的地方
00401172 . 75 0A jnz short riijj_cr.0040117E ; 如果是按下了注册按钮就不会跳
00401174 . C705 846B4000 0100>mov dword ptr ds:[406B84],1
0040117E > 33C0 xor eax,eax
00401180 . C2 1000 retn 10
这其实很简单:用资源工具可以看到按钮的ID为1006,转换为十六进制就是3EE,再在代码中搜索这个常量就行了.这一点说起来可能
大家觉得不算什么,但在我看过的所有破文中,这方面的技巧大家还是有所保留的.