[Old post] [Original] A newbie angling for an invitation code.......
Posted on: 2009-9-27 23:40
A newbie gets hands-on too. Until now I had only followed along with examples and never tried on my own; when I did want to try, it was hard to find an unpacked target to play with..... Today I found an unpacked CrackMe on the PEDIY forum, so finally a chance to have a go.
As usual, step one is to check for a packer. A look with PEiD: good, it's MASM/TASM, no packer.
Then I tried it out: a wrong registration code gives an error message, and in fact there are two error dialogs.
Open it in OD (OllyDbg); without further ado, search all referenced text strings. There are two matching strings. Pick either one and scroll up:
00401346 |> \B8 00000000 MOV EAX,0
0040134B \.^ EB D8 JMP SHORT CRACKME.00401325
0040134D /$ 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0040134F |. 68 29214000 PUSH CRACKME.00402129 ; |Title = "Good work!"
00401354 |. 68 34214000 PUSH CRACKME.00402134 ; |Text = "Great work, mate! Now try the next CrackMe!"
00401359 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
0040135C |. E8 D9000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401361 \. C3 RETN
00401362 /$ 6A 00 PUSH 0 ; /BeepType = MB_OK
00401364 |. E8 AD000000 CALL <JMP.&USER32.MessageBeep> ; \MessageBeep
00401369 |. 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0040136B |. 68 60214000 PUSH CRACKME.00402160 ; |Title = "No luck!"
00401370 |. 68 69214000 PUSH CRACKME.00402169 ; |Text = "No luck there, mate!"
00401375 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00401378 |. E8 BD000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
0040137D \. C3 RETN
0040137E /$ 8B7424 04 MOV ESI,DWORD PTR SS:[ESP+4]
00401382 |. 56 PUSH ESI
00401383 |> 8A06 /MOV AL,BYTE PTR DS:[ESI]
00401385 |. 84C0 |TEST AL,AL
The success dialog is already visible. Next select the line at 00401362; the info pane shows where it is called from. Right-click, "Go to CALL from", and scroll up again:
00401223 . 83F8 00 CMP EAX,0
00401226 .^ 74 BE JE SHORT CRACKME.004011E6
00401228 . 68 8E214000 PUSH CRACKME.0040218E ; ASCII "A123456"
0040122D . E8 4C010000 CALL CRACKME.0040137E ; this CALL processes the username
00401232 . 50 PUSH EAX
00401233 . 68 7E214000 PUSH CRACKME.0040217E ; ASCII "b123456"
00401238 . E8 9B010000 CALL CRACKME.004013D8 ; this CALL processes the registration code
0040123D . 83C4 04 ADD ESP,4
00401240 . 58 POP EAX
00401241 . 3BC3 CMP EAX,EBX
00401243 . 74 07 JE SHORT CRACKME.0040124C
At this point I'm sure even newbies like me can see what this means......
Setting a breakpoint here, you'll find the dialog still pops up, so clearly the dialog is generated inside the CALL. Step into it with F7:
0040137E /$ 8B7424 04 MOV ESI,DWORD PTR SS:[ESP+4]
00401382 |. 56 PUSH ESI
00401383 |> 8A06 /MOV AL,BYTE PTR DS:[ESI]
00401385 |. 84C0 |TEST AL,AL
00401387 |. 74 13 |JE SHORT CRACKME.0040139C ; jump if al=0
00401389 |. 3C 41 |CMP AL,41
0040138B |. 72 1F |JB SHORT CRACKME.004013AC ; the author presumably requires the username to be letters only; changing this to JB SHORT CRACKME.0040139C removes that restriction
0040138D |. 3C 5A |CMP AL,5A
0040138F |. 73 03 |JNB SHORT CRACKME.00401394 ; jump if AL>=5A
00401391 |. 46 |INC ESI
00401392 |.^ EB EF |JMP SHORT CRACKME.00401383
00401394 |> E8 39000000 |CALL CRACKME.004013D2 ; converts the letter to uppercase
00401399 |. 46 |INC ESI
0040139A |.^ EB E7 \JMP SHORT CRACKME.00401383
0040139C |> 5E POP ESI
0040139D |. E8 20000000 CALL CRACKME.004013C2
004013A2 |. 81F7 78560000 XOR EDI,5678
004013A8 |. 8BC7 MOV EAX,EDI
004013AA |. EB 15 JMP SHORT CRACKME.004013C1
004013AC |> 5E POP ESI
004013AD |. 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013AF |. 68 60214000 PUSH CRACKME.00402160 ; |Title = "No luck!"
004013B4 |. 68 69214000 PUSH CRACKME.00402169 ; |Text = "No luck there, mate!"
004013B9 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
004013BC |. E8 79000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
004013C1 \> C3 RETN
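To make the username loop above easier to reason about, here is a Python model of the routine at 0040137E written from the listing. This is an added example, not the crackme's or the post author's code: the uppercase call at 004013D2 is assumed to do plain ASCII upper-casing in place, and the hash at 004013C2, which the page does not show, is left as a caller-supplied placeholder.

```python
# Added model of the username filter at 0040137E, reconstructed from the
# OllyDbg listing. Addresses below are the two exits of the loop at 00401383.
FAIL_ADDR = 0x4013AC   # POP ESI; MessageBox "No luck!" path
OK_ADDR = 0x40139C     # POP ESI; CALL 004013C2; XOR EDI,5678 path


def _to_upper(al: int) -> int:
    # Assumed behaviour of CALL 004013D2 (not shown on the page):
    # only ASCII lowercase letters are changed.
    return al - 0x20 if 0x61 <= al <= 0x7A else al


def filter_username(name: bytes):
    """Walk the NUL-terminated name byte by byte exactly as the loop does.

    Returns (branch_taken, normalized_bytes):
      branch_taken is FAIL_ADDR if any byte is below 0x41 ('A'), else OK_ADDR;
      normalized_bytes is the buffer as left in memory, where bytes >= 0x5A
      went through the uppercase call and bytes 0x41..0x59 were left alone.
    """
    out = bytearray()
    for al in name:
        if al == 0:                     # TEST AL,AL / JE 0040139C
            break
        if al < 0x41:                   # CMP AL,41 / JB 004013AC -> "No luck!"
            return FAIL_ADDR, bytes(out)
        if al >= 0x5A:                  # CMP AL,5A / JNB 00401394 -> CALL 004013D2
            out.append(_to_upper(al))   # note: 'Z' (0x5A) itself also takes this path
        else:                           # 'A'..'Y' fall through untouched, INC ESI
            out.append(al)
    return OK_ADDR, bytes(out)


def username_hash(name: bytes, hash_routine):
    """Model of 0040139C..004013AA: EAX = hash_routine(name) ^ 0x5678.

    hash_routine is a placeholder standing in for CALL 004013C2, which the
    page does not show. Returns None when the filter took the failure exit.
    """
    branch, normalized = filter_username(name)
    if branch == FAIL_ADDR:
        return None
    return hash_routine(normalized) ^ 0x5678


if __name__ == "__main__":
    # Constructed sample inputs: the post's own test username and a letters-only one.
    print(filter_username(b"A123456\x00"))   # digits are below 0x41 -> FAIL_ADDR
    print(filter_username(b"abcZ\x00"))      # lowercase goes through the uppercase call
```

Running it shows why the author's "A123456" username still triggered the "No luck!" dialog: the digit '1' (0x31) is below 0x41 and takes the JB exit before the hash is ever computed.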
Then change 74 to 75 and it's done:
00401243 /74 07 JE SHORT CRACKME.0040124C ; change this
00401245 . |E8 18010000 CALL CRACKME.00401362
0040124A .^|EB 9A JMP SHORT CRACKME.004011E6
0040124C > \E8 FC000000 CALL CRACKME.0040134D
00401251 .^ EB 93 JMP SHORT CRACKME.004011E6
00401253 /. C8 000000 ENTER 0,0
00401257 |. 53 PUSH EBX
Haha, this CM is a good one for newbies to try their hand on. I'm still studying the algorithm..... for now it's just a brute patch. Wonder if this can earn me an invitation code.
CRACKME.rar