-
-
[原创]Atom队-CrackMe 爆破分析
-
发表于:
2009-9-8 08:58
8287
-
【声明】:纯属技术学习,水平有限,如有错误之处,烦请指出!
CM 有anti,SOD直接无视(膜拜海风)
第一部份:
(一)、关键代码如下:
00401FF0 /. 55 push ebp ;
................................................................................................................
00402068 |. E8 930B0000 call 00402C00 ; 取当前时间的运算值
0040206D |. 8945 E0 mov dword ptr [ebp-20], eax ; 保存当前时间运算值(作为校验代码运行时间的初始值)
00402070 |. 33C0 xor eax, eax
0040208F |. 6A 01 push 1 ;bSaveAndValidate = TRUE(获取数据)
0040209C |. E8 1D180000 call <jmp.&MFC42.#CWnd::UpdateData_6334> ;取name和Serial有关数据(长度和字符)
004020A1 |. 8B4B 60 mov ecx, dword ptr [ebx+60]
004020A4 |. 8B41 F8 mov eax, dword ptr [ecx-8]
004020A7 83F8 06 cmp eax, 6 ;这里改cmp eax,0
004020AA |. 0F8C 49020000 jl 004022F9 ;name长度要大于等于6
004020B0 |. 83F8 20 cmp eax, 20
004020B3 |. 0F8F 40020000 jg 004022F9 ;name长度要小于等于32(0x20)
................................................................................................................
004020B9 |. 8B53 64 mov edx, dword ptr [ebx+64]
004020BC |. 8B52 F8 mov edx, dword ptr [edx-8]
004020BF 83FA 06 cmp edx, 6 ;这里改cmp edx,0
004020C2 |. 0F8C 31020000 jl 004022F9 ;Serial长度要大于等于6
004020C8 |. 81FA A0000000 cmp edx, 0A0
004020CE |. 0F8F 25020000 jg 004022F9 ;Serial长度要大于等于160(0xA0)
................................................................................................................
004020D4 |. 8B35 E8414000 mov esi, dword ptr [<&MSVCRT.strncpy>] ; msvcrt.strncpy
004020DA |. 50 push eax ; /maxlen
004020DB |. 51 push ecx ; |src
004020DC |. 68 34534000 push 00405334 ; |dest = CrackMe1.00405334
004020E1 |. FFD6 call esi ; \strncpy
; 将name字符串复制到405335地址中去
................................................................................................................
004020E3 |. 8B43 64 mov eax, dword ptr [ebx+64]
004020E6 |. 8B48 F8 mov ecx, dword ptr [eax-8]
004020E9 |. 51 push ecx
004020EA |. 50 push eax
004020EB |. 68 68534000 push 00405368
004020F0 |. FFD6 call esi ; 将Serial字符串复制到405368地址中去
................................................................................................................
0040210A |> 8A82 34534000 /mov al, byte ptr [edx+405334]
00402110 |. 3C 30 |cmp al, 30
00402112 |. 7C 04 |jl short 00402118
00402114 |. 3C 39 |cmp al, 39
00402116 |. 7E 10 |jle short 00402128
00402118 |> 3C 61 |cmp al, 61
0040211A |. 7C 04 |jl short 00402120
0040211C |. 3C 7A |cmp al, 7A
0040211E |. 7E 08 |jle short 00402128
00402120 |> 3C 41 |cmp al, 41
00402122 |. 7C 1A |jl short 0040213E
00402124 |. 3C 5A |cmp al, 5A
00402126 |. 7F 16 |jg short 0040213E
00402128 |> BF 34534000 |mov edi, 00405334
0040212D |. 83C9 FF |or ecx, FFFFFFFF
00402130 |. 33C0 |xor eax, eax
00402132 |. 42 |inc edx
00402133 |. F2:AE |repne scas byte ptr es:[edi]
00402135 |. F7D1 |not ecx
00402137 |. 49 |dec ecx
00402138 |. 3BD1 |cmp edx, ecx
0040213A |.^ 75 CE \jnz short 0040210A ;校验name是否由0-9,a-z,A-Z间的字符组成的
0040213C |. EB 05 jmp short 00402143
0040213E BE 01000000 mov esi, 1 ;这里改成mov esi,0(name含不合法字符的标志)
................................................................................................................
00402156 |> 8A82 68534000 /mov al, byte ptr [edx+405368]
0040215C |. 3C 30 |cmp al, 30
0040215E |. 7C 04 |jl short 00402164
00402160 |. 3C 39 |cmp al, 39
00402162 |. 7E 10 |jle short 00402174
00402164 |> 3C 61 |cmp al, 61
00402166 |. 7C 04 |jl short 0040216C
00402168 |. 3C 7A |cmp al, 7A
0040216A |. 7E 08 |jle short 00402174
0040216C |> 3C 41 |cmp al, 41
0040216E |. 7C 1D |jl short 0040218D
00402170 |. 3C 5A |cmp al, 5A
00402172 |. 7F 19 |jg short 0040218D
00402174 |> BF 68534000 |mov edi, 00405368
00402179 |. 83C9 FF |or ecx, FFFFFFFF
0040217C |. 33C0 |xor eax, eax
0040217E |. 42 |inc edx
0040217F |. F2:AE |repne scas byte ptr es:[edi]
00402181 |. F7D1 |not ecx
00402183 |. 49 |dec ecx
00402184 |. 3BD1 |cmp edx, ecx
00402186 |.^ 75 CE \jnz short 00402156 ;校验Serial是否由0-9,a-z,A-Z间的字符组成的
00402188 |> 83FE 01 cmp esi, 1 ;判断name是否含不合法字符
0040218B |. 75 0B jnz short 00402198 ;name合法跳
0040218D |> 8B45 F0 mov eax, dword ptr [ebp-10]
00402190 |. 6A 00 push 0
00402192 |. 50 push eax
00402193 |. E9 64010000 jmp 004022FC ;name不合法跳
00402198 |> B9 58544000 mov ecx, 00405458
0040219D |. E8 5E0A0000 call 00402C00 ;取当前时间的运算值
004021A2 |. 8B75 E0 mov esi, dword ptr [ebp-20] ;取上面保存的初始时间的运算值
004021A5 |. 2BC6 sub eax, esi ;计算两个运算值的差值
004021A7 |. 83F8 02 cmp eax, 2 ;判断差值是否小于等于2
004021AA |. 7E 07 jle short 004021B3 ;是就跳走(OD中调试要注意这里必须跳)
004021AC |. 8BCB mov ecx, ebx
004021AE |. E8 0F160000 call <jmp.&MFC42.#CDialog::OnCancel_4376> ;大于2就关闭对话框
004021B3 |> BF 68534000 mov edi, 00405368
004021B8 |. 83C9 FF or ecx, FFFFFFFF
004021BB |. 33C0 xor eax, eax
004021BD |. F2:AE repne scas byte ptr es:[edi]
004021BF |. F7D1 not ecx
004021C1 |. 49 dec ecx
004021C2 83F9 20 cmp ecx, 20 ;这里改成cmp ecx,0
004021C5 |. 73 0A jnb short 004021D1 ;Serial长度是否不小于32(0x20),不小于跳走
004021C7 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
004021CA |. 50 push eax
004021CB |. 51 push ecx
004021CC |. E9 2B010000 jmp 004022FC ;小于跳走
004021D1 |> 8B53 64 mov edx, dword ptr [ebx+64]
004021D4 |. 8D4D E4 lea ecx, dword ptr [ebp-1C]
004021D7 |. 8B42 F8 mov eax, dword ptr [edx-8]
004021DA |. 50 push eax
004021DB |. 68 68534000 push 00405368
004021E0 |. E8 4B110000 call 00403330 ; 这个CALL跟Serial有关(时间关系不看了)
004021E5 |. B9 58544000 mov ecx, 00405458
................................................................................................................
004021FD |> 68 BC514000 push 004051BC ; /Arg3 = 004051BC ASCII "Name"
00402202 |. 6A 20 push 20 ; |Arg2 = 00000020
00402204 |. 68 34534000 push 00405334 ; |Arg1 = 00405334
00402209 |. 8D4D E4 lea ecx, dword ptr [ebp-1C] ; |
0040220C |. E8 2F0F0000 call 00403140 ; \CrackMe1.00403140
; 将name字符串加密
................................................................................................................
00402211 |. 68 B4514000 push 004051B4 ; /Arg3 = 004051B4 ASCII "Serial"
00402216 |. 6A 20 push 20 ; |Arg2 = 00000020
00402218 |. 68 68534000 push 00405368 ; |Arg1 = 00405368
0040221D |. 8D4D E4 lea ecx, dword ptr [ebp-1C] ; |
00402220 |. E8 1B0F0000 call 00403140 ; \CrackMe1.00403140
; 将Serial字符串加密
00402225 |. 0FBE05 695340>movsx eax, byte ptr [405369] ;EAX=Serial加密后第二个字符的ASCII值
0040222C |. 0FBE0D 685340>movsx ecx, byte ptr [405368] ;ECX=Serial加密后第一个字符的ASCII值
00402233 |. 0FBE15 355340>movsx edx, byte ptr [405335] ;EDX=name加密后第二个字符的ASCII值
0040223A |. 50 push eax ;保存EAX
0040223B |. 51 push ecx ;保存ECX
0040223C |. 0FBE05 345340>movsx eax, byte ptr [405334] ;EAX=name加密后第一个字符的ASCII值
00402243 |. 52 push edx ;保存EDX
00402244 |. 50 push eax ;保存EAX
00402245 |. 6A 01 push 1 ;Arg1 = 00000001
00402247 |. 8D4D A8 lea ecx, dword ptr [ebp-58] ;
0040224A |. E8 21F1FFFF call 00401370 ;关键CALL(时间关系不看了)
................................................................................................................
0040227D |. 0FBE0D 6A5340>movsx ecx, byte ptr [40536A] ;ECX=Serial加密后第三个字符的ASCII值
00402284 |. 0FBE15 375340>movsx edx, byte ptr [405337] ;EDX=name加密后第四个字符的ASCII值
0040228B |. 0FBE05 365340>movsx eax, byte ptr [405336] ;EAX=name加密后第三个字符的ASCII值
00402292 |. 6A 00 push 0 ;Arg6 = 00000000
00402294 |. 51 push ecx ;保存ECX
00402295 |. 0FBE0D 005340>movsx ecx, byte ptr [405300] ;ECX=byte ptr [405300](这个405300地址是个关键)
0040229C |. 52 push edx ;保存EDX
0040229D |. 50 push eax ;保存EAX
0040229E |. 51 push ecx ;保存ECX
0040229F |. 6A 02 push 2 ;Arg1 = 00000002
004022A1 |. 8D4D A8 lea ecx, dword ptr [ebp-58] ;
004022A4 |. E8 17F2FFFF call 004014C0 ;关键CALL(时间关系不看了)
004022F2 |. E8 19030000 call 00402610 ;进这个CALL
00402610 /$ 56 push esi ;
00402611 |. 8BF1 mov esi, ecx
00402613 |. 6A 03 push 3
00402615 |. E8 66FEFFFF call 00402480 ;关键CALL(时间关系不看了)返回的eax必须为1
0040261A 83F8 01 cmp eax, 1 ;
0040261D 74 04 je short 00402623 ;eax为1跳,所以这里改成jmp 00402623
0040261F |. 33C0 xor eax, eax
00402621 |. 5E pop esi
00402622 |. C3 retn
00402623 |> 8BCE mov ecx, esi ;跳到这里来
00402625 |. E8 8E120000 call <jmp.&MFC42.#CDialog::DoModal_2514> ;调用CDialog::DoModal()函数
0040262A |. 5E pop esi
0040262B \. C3 retn
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!