废话我就不多说了,我就直奔主题吧。
呵呵,首先,因为这个CrackMe加了壳,所以我们先将它的壳去掉。
//外壳入口,第一层外壳。往下拉动滚动条,找到 RETN(子程序返回)语句。
004B5000 > 9C PUSHFD
004B5001 60 PUSHAD
004B5002 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
004B5006 E8 00000000 CALL CRACKME1.004B500B
004B500B 5D POP EBP
004B500C 81ED 351C4000 SUB EBP,CRACKME1.00401C35
004B5012 50 PUSH EAX
004B5013 E8 ED020000 CALL CRACKME1.004B5305
004B5018 85C0 TEST EAX,EAX
004B501A 0F84 B3000000 JE CRACKME1.004B50D3
004B5020 8985 9C224000 MOV DWORD PTR SS:[EBP+40229C],EAX
004B5026 E8 95030000 CALL CRACKME1.004B53C0
004B502B 85C0 TEST EAX,EAX
004B502D 0F84 87000000 JE CRACKME1.004B50BA
004B5033 6A 00 PUSH 0
004B5035 FF95 D7214000 CALL DWORD PTR SS:[EBP+4021D7]
004B503B 8985 AC224000 MOV DWORD PTR SS:[EBP+4022AC],EAX
004B5041 80BD B0224000 0>CMP BYTE PTR SS:[EBP+4022B0],1
004B5048 0F85 86000000 JNZ CRACKME1.004B50D4
004B504E E8 9E010000 CALL CRACKME1.004B51F1
004B5053 85C0 TEST EAX,EAX
004B5055 74 63 JE SHORT CRACKME1.004B50BA
004B5057 E8 C4010000 CALL CRACKME1.004B5220
004B505C E8 DE030000 CALL CRACKME1.004B543F
004B5061 85C0 TEST EAX,EAX
004B5063 74 3D JE SHORT CRACKME1.004B50A2
004B5065 FFB5 A4224000 PUSH DWORD PTR SS:[EBP+4022A4]
004B506B 6A 00 PUSH 0
004B506D 68 72010000 PUSH 172
004B5072 FFB5 A0224000 PUSH DWORD PTR SS:[EBP+4022A0]
004B5078 FF95 66224000 CALL DWORD PTR SS:[EBP+402266]
004B507E FFB5 A0224000 PUSH DWORD PTR SS:[EBP+4022A0]
004B5084 FF95 77224000 CALL DWORD PTR SS:[EBP+402277]
004B508A FFB5 A8224000 PUSH DWORD PTR SS:[EBP+4022A8]
004B5090 FF95 C2214000 CALL DWORD PTR SS:[EBP+4021C2]
004B5096 FFB5 A0224000 PUSH DWORD PTR SS:[EBP+4022A0]
004B509C FF95 28224000 CALL DWORD PTR SS:[EBP+402228]
004B50A2 FFB5 A4224000 PUSH DWORD PTR SS:[EBP+4022A4]
004B50A8 FF95 AA214000 CALL DWORD PTR SS:[EBP+4021AA]
004B50AE FFB5 98224000 PUSH DWORD PTR SS:[EBP+402298]
004B50B4 FF95 F6214000 CALL DWORD PTR SS:[EBP+4021F6]
004B50BA 8B85 AC224000 MOV EAX,DWORD PTR SS:[EBP+4022AC]
004B50C0 0385 94224000 ADD EAX,DWORD PTR SS:[EBP+402294]
004B50C6 8985 F91C4000 MOV DWORD PTR SS:[EBP+401CF9],EAX
004B50CC 61 POPAD
004B50CD 9D POPFD
004B50CE 68 00000000 PUSH 0
004B50D3 C3 RETN //在这里下一个断点,F9运行程序将中断在这里。(返回地址应由上面 004B50C6 处写入 PUSH 0 的立即数决定,所以 RETN 之后会落到下面的 004B4000。)
004B4000 90 NOP
004B4001 90 NOP
004B4002 90 NOP
004B4003 90 NOP
............................... //省略一大段NOP语句。
...............................
004B41A6 90 NOP
004B41A7 90 NOP
004B41A8 90 NOP
004B41A9 - E9 32D1FFFF JMP CRACKME1.004B12E0 //跳到这里后,在此下一个断点,F9运行程序将中断在这里。
004B12E0 60 PUSHAD
004B12E1 BE 00104700 MOV ESI,CRACKME1.00471000
004B12E6 8DBE 0000F9FF LEA EDI,DWORD PTR DS:[ESI+FFF90000]
004B12EC C787 D0240900 7>MOV DWORD PTR DS:[EDI+924D0],484B2170
004B12F6 57 PUSH EDI
004B12F7 83CD FF OR EBP,FFFFFFFF
004B12FA EB 0E JMP SHORT CRACKME1.004B130A
004B12FC 90 NOP
004B12FD 90 NOP
004B12FE 90 NOP
004B12FF 90 NOP
004B1300 8A06 MOV AL,BYTE PTR DS:[ESI]
004B1302 46 INC ESI
004B1303 8807 MOV BYTE PTR DS:[EDI],AL
004B1305 47 INC EDI
004B1306 01DB ADD EBX,EBX
004B1308 75 07 JNZ SHORT CRACKME1.004B1311
004B130A 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B130C 83EE FC SUB ESI,-4
004B130F 11DB ADC EBX,EBX
004B1311 ^ 72 ED JB SHORT CRACKME1.004B1300
004B1313 B8 01000000 MOV EAX,1
004B1318 01DB ADD EBX,EBX
004B131A 75 07 JNZ SHORT CRACKME1.004B1323
004B131C 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B131E 83EE FC SUB ESI,-4
004B1321 11DB ADC EBX,EBX
004B1323 11C0 ADC EAX,EAX
004B1325 01DB ADD EBX,EBX
004B1327 73 0B JNB SHORT CRACKME1.004B1334
004B1329 75 19 JNZ SHORT CRACKME1.004B1344
004B132B 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B132D 83EE FC SUB ESI,-4
004B1330 11DB ADC EBX,EBX
004B1332 72 10 JB SHORT CRACKME1.004B1344
004B1334 48 DEC EAX
004B1335 01DB ADD EBX,EBX
004B1337 75 07 JNZ SHORT CRACKME1.004B1340
004B1339 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B133B 83EE FC SUB ESI,-4
004B133E 11DB ADC EBX,EBX
004B1340 11C0 ADC EAX,EAX
004B1342 ^ EB D4 JMP SHORT CRACKME1.004B1318
004B1344 31C9 XOR ECX,ECX
004B1346 83E8 03 SUB EAX,3
004B1349 72 11 JB SHORT CRACKME1.004B135C
004B134B C1E0 08 SHL EAX,8
004B134E 8A06 MOV AL,BYTE PTR DS:[ESI]
004B1350 46 INC ESI
004B1351 83F0 FF XOR EAX,FFFFFFFF
004B1354 74 78 JE SHORT CRACKME1.004B13CE
004B1356 D1F8 SAR EAX,1
004B1358 89C5 MOV EBP,EAX
004B135A EB 0B JMP SHORT CRACKME1.004B1367
004B135C 01DB ADD EBX,EBX
004B135E 75 07 JNZ SHORT CRACKME1.004B1367
004B1360 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B1362 83EE FC SUB ESI,-4
004B1365 11DB ADC EBX,EBX
004B1367 11C9 ADC ECX,ECX
004B1369 01DB ADD EBX,EBX
004B136B 75 07 JNZ SHORT CRACKME1.004B1374
004B136D 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B136F 83EE FC SUB ESI,-4
004B1372 11DB ADC EBX,EBX
004B1374 11C9 ADC ECX,ECX
004B1376 75 20 JNZ SHORT CRACKME1.004B1398
004B1378 41 INC ECX
004B1379 01DB ADD EBX,EBX
004B137B 75 07 JNZ SHORT CRACKME1.004B1384
004B137D 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B137F 83EE FC SUB ESI,-4
004B1382 11DB ADC EBX,EBX
004B1384 11C9 ADC ECX,ECX
004B1386 01DB ADD EBX,EBX
004B1388 ^ 73 EF JNB SHORT CRACKME1.004B1379
004B138A 75 09 JNZ SHORT CRACKME1.004B1395
004B138C 8B1E MOV EBX,DWORD PTR DS:[ESI]
004B138E 83EE FC SUB ESI,-4
004B1391 11DB ADC EBX,EBX
004B1393 ^ 73 E4 JNB SHORT CRACKME1.004B1379
004B1395 83C1 02 ADD ECX,2
004B1398 81FD 00FBFFFF CMP EBP,-500
004B139E 83D1 01 ADC ECX,1
004B13A1 8D142F LEA EDX,DWORD PTR DS:[EDI+EBP]
004B13A4 83FD FC CMP EBP,-4
004B13A7 76 0F JBE SHORT CRACKME1.004B13B8
004B13A9 8A02 MOV AL,BYTE PTR DS:[EDX]
004B13AB 42 INC EDX
004B13AC 8807 MOV BYTE PTR DS:[EDI],AL
004B13AE 47 INC EDI
004B13AF 49 DEC ECX
004B13B0 ^ 75 F7 JNZ SHORT CRACKME1.004B13A9
004B13B2 ^ E9 4FFFFFFF JMP CRACKME1.004B1306
004B13B7 90 NOP
004B13B8 8B02 MOV EAX,DWORD PTR DS:[EDX]
004B13BA 83C2 04 ADD EDX,4
004B13BD 8907 MOV DWORD PTR DS:[EDI],EAX
004B13BF 83C7 04 ADD EDI,4
004B13C2 83E9 04 SUB ECX,4
004B13C5 ^ 77 F1 JA SHORT CRACKME1.004B13B8
004B13C7 01CF ADD EDI,ECX
004B13C9 ^ E9 38FFFFFF JMP CRACKME1.004B1306
004B13CE 5E POP ESI
004B13CF 89F7 MOV EDI,ESI
004B13D1 B9 A6470000 MOV ECX,47A6
004B13D6 8A07 MOV AL,BYTE PTR DS:[EDI]
004B13D8 47 INC EDI
004B13D9 2C E8 SUB AL,0E8
004B13DB 3C 01 CMP AL,1
004B13DD ^ 77 F7 JA SHORT CRACKME1.004B13D6
004B13DF 803F 19 CMP BYTE PTR DS:[EDI],19
004B13E2 ^ 75 F2 JNZ SHORT CRACKME1.004B13D6
004B13E4 8B07 MOV EAX,DWORD PTR DS:[EDI]
004B13E6 8A5F 04 MOV BL,BYTE PTR DS:[EDI+4]
004B13E9 66:C1E8 08 SHR AX,8
004B13ED C1C0 10 ROL EAX,10
004B13F0 86C4 XCHG AH,AL
004B13F2 29F8 SUB EAX,EDI
004B13F4 80EB E8 SUB BL,0E8
004B13F7 01F0 ADD EAX,ESI
004B13F9 8907 MOV DWORD PTR DS:[EDI],EAX
004B13FB 83C7 05 ADD EDI,5
004B13FE 89D8 MOV EAX,EBX
004B1400 ^ E2 D9 LOOPD SHORT CRACKME1.004B13DB
004B1402 8DBE 00E00A00 LEA EDI,DWORD PTR DS:[ESI+AE000]
004B1408 8B07 MOV EAX,DWORD PTR DS:[EDI]
004B140A 09C0 OR EAX,EAX
004B140C 74 3C JE SHORT CRACKME1.004B144A
004B140E 8B5F 04 MOV EBX,DWORD PTR DS:[EDI+4]
004B1411 8D8430 30200B00 LEA EAX,DWORD PTR DS:[EAX+ESI+B2030]
004B1418 01F3 ADD EBX,ESI
004B141A 50 PUSH EAX
004B141B 83C7 08 ADD EDI,8
004B141E FF96 F8200B00 CALL DWORD PTR DS:[ESI+B20F8]
004B1424 95 XCHG EAX,EBP
004B1425 8A07 MOV AL,BYTE PTR DS:[EDI]
004B1427 47 INC EDI
004B1428 08C0 OR AL,AL
004B142A ^ 74 DC JE SHORT CRACKME1.004B1408
004B142C 89F9 MOV ECX,EDI
004B142E 57 PUSH EDI
004B142F 48 DEC EAX
004B1430 F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004B1432 55 PUSH EBP
004B1433 FF96 FC200B00 CALL DWORD PTR DS:[ESI+B20FC]
004B1439 09C0 OR EAX,EAX
004B143B 74 07 JE SHORT CRACKME1.004B1444
004B143D 8903 MOV DWORD PTR DS:[EBX],EAX
004B143F 83C3 04 ADD EBX,4
004B1442 ^ EB E1 JMP SHORT CRACKME1.004B1425
004B1444 FF96 00210B00 CALL DWORD PTR DS:[ESI+B2100]
004B144A 61 POPAD //到这里后,在此下一个断点,F9运行程序将中断在这里。
004B144B ^ E9 A8EBFDFF JMP CRACKME1.0048FFF8 //跨段跳,跳到程序入口。
0048FFF8 55 PUSH EBP
0048FFF9 8BEC MOV EBP,ESP
0048FFFB 83C4 F4 ADD ESP,-0C
0048FFFE B8 18FE4800 MOV EAX,CRACKME1.0048FE18
00490003 E8 6C65F7FF CALL CRACKME1.00406574
00490008 A1 6C234900 MOV EAX,DWORD PTR DS:[49236C]
0049000D 8B00 MOV EAX,DWORD PTR DS:[EAX]
0049000F E8 D890FAFF CALL CRACKME1.004390EC
00490014 E8 FFFCFFFF CALL CRACKME1.0048FD18
00490019 84C0 TEST AL,AL
0049001B 74 0E JE SHORT CRACKME1.0049002B
0049001D A1 6C234900 MOV EAX,DWORD PTR DS:[49236C]
00490022 8B00 MOV EAX,DWORD PTR DS:[EAX]
00490024 E8 0F92FAFF CALL CRACKME1.00439238
00490029 EB 24 JMP SHORT CRACKME1.0049004F
0049002B 8B0D 6C244900 MOV ECX,DWORD PTR DS:[49246C] ; CRACKME1.0049393C
00490031 A1 6C234900 MOV EAX,DWORD PTR DS:[49236C]
00490036 8B00 MOV EAX,DWORD PTR DS:[EAX]
00490038 8B15 68F24800 MOV EDX,DWORD PTR DS:[48F268] ; CRACKME1.0048F2B4
0049003E E8 C190FAFF CALL CRACKME1.00439104
00490043 A1 6C234900 MOV EAX,DWORD PTR DS:[49236C]
00490048 8B00 MOV EAX,DWORD PTR DS:[EAX]
0049004A E8 3591FAFF CALL CRACKME1.00439184
0049004F E8 5839F7FF CALL CRACKME1.004039AC
00490054 0000 ADD BYTE PTR DS:[EAX],AL
00490056 0000 ADD BYTE PTR DS:[EAX],AL
00490058 0000 ADD BYTE PTR DS:[EAX],AL
0049005A 0000 ADD BYTE PTR DS:[EAX],AL
0048FB2C 55 push ebp
0048FB2D 8BEC mov ebp, esp
0048FB2F 6A00 push $00
0048FB31 6A00 push $00
0048FB33 6A00 push $00
0048FB35 33C0 xor eax, eax
0048FB37 55 push ebp
0048FB38 68E5FB4800 push $0048FBE5
***** TRY
|
0048FB3D 64FF30 push dword ptr fs:[eax]
0048FB40 648920 mov fs:[eax], esp
0048FB43 8D55FC lea edx, [ebp-$04]
0048FB46 A13C394900 mov eax, dword ptr [$0049393C]
* Reference to control Edit1 : TEdit
|
0048FB4B 8B80D8020000 mov eax, [eax+$02D8]
* Reference to: controls.TControl.GetText(TControl):TCaption;
|
0048FB51 E89670FBFF call 00446BEC
0048FB56 8B45FC mov eax, [ebp-$04]
0048FB59 50 push eax
* Possible String Reference to: 'name'
|
0048FB5A B9F8FB4800 mov ecx, $0048FBF8
* Possible String Reference to: 'Reg'
|
0048FB5F BA08FC4800 mov edx, $0048FC08
0048FB64 A144394900 mov eax, dword ptr [$00493944]
* Reference to: registry.TRegIniFile.WriteString(TRegIniFile;AnsiString;AnsiString;AnsiString);
|
0048FB69 E8E2F5FFFF call 0048F150
0048FB6E 8D55F8 lea edx, [ebp-$08]
0048FB71 A13C394900 mov eax, dword ptr [$0049393C]
* Reference to control Edit2 : TEdit
|
0048FB76 8B80E0020000 mov eax, [eax+$02E0]
* Reference to: controls.TControl.GetText(TControl):TCaption;
|
0048FB7C E86B70FBFF call 00446BEC
0048FB81 8B45F8 mov eax, [ebp-$08]
0048FB84 50 push eax
* Possible String Reference to: 'code'
|
0048FB85 B914FC4800 mov ecx, $0048FC14
* Possible String Reference to: 'Reg'
|
0048FB8A BA08FC4800 mov edx, $0048FC08
0048FB8F A144394900 mov eax, dword ptr [$00493944]
* Reference to: registry.TRegIniFile.WriteString(TRegIniFile;AnsiString;AnsiString;AnsiString);
|
0048FB94 E8B7F5FFFF call 0048F150
0048FB99 6A01 push $01
0048FB9B 8D55F4 lea edx, [ebp-$0C]
0048FB9E A16C234900 mov eax, dword ptr [$0049236C]
0048FBA3 8B00 mov eax, [eax]
* Reference to: ddeman.TDdeMgr.GetExeName(TDdeMgr):AnsiString;
| or: forms.TApplication.GetExeName(TApplication):AnsiString;
|
0048FBA5 E8A29AFAFF call 0043964C
0048FBAA 8B45F4 mov eax, [ebp-$0C]
* Reference to: system.@LStrToPChar;
|
0048FBAD E87643F7FF call 00403F28
0048FBB2 50 push eax
* Reference to: Y.WinExec()
|
0048FBB3 E8386CF7FF call 004067F0
0048FBB8 A13C394900 mov eax, dword ptr [$0049393C]
* Reference to: forms.TCustomForm.Close(TCustomForm);
|
0048FBBD E8D663FAFF call 00435F98
0048FBC2 33C0 xor eax, eax
0048FBC4 5A pop edx
0048FBC5 59 pop ecx
0048FBC6 59 pop ecx
0048FBC7 648910 mov fs:[eax], edx
****** FINALLY
|
0048FBCA 68ECFB4800 push $0048FBEC
0048FBCF 8D45F4 lea eax, [ebp-$0C]
* Reference to: system.@LStrClr(String;String);
|
0048FBD2 E80D3FF7FF call 00403AE4
0048FBD7 8D45F8 lea eax, [ebp-$08]
0048FBDA BA02000000 mov edx, $00000002
* Reference to: system.@LStrArrayClr;
|
0048FBDF E8243FF7FF call 00403B08
0048FBE4 C3 ret
* Reference to: system.@HandleFinally;
|
0048FBE5 E99239F7FF jmp 0040357C
0048FBEA EBE3 jmp 0048FBCF
****** END
|
0048FBEC 8BE5 mov esp, ebp
0048FBEE 5D pop ebp
0048FBEF C3 ret