我是用户
发表于 2013-12-16 19:40
CM是什么?Crackme是什么?这是什么东西?楼主发的什么?
它们都是一些公开给别人尝试破解的小程序。制作 Crackme 的人可能是程序员,想测试一下自己的软件保护技术;也可能是一位 Cracker,想挑战一下其它 Cracker 的破解实力;也可能是一些正在学习破解的人,自己编一些小程序给自己破解。KeyGenMe 是要求别人做出它的 keygen(序号产生器),ReverseMe 要求别人对它的算法做出逆向分析,UnpackMe 是要求别人把它成功脱壳。本版块禁止回复与技术无关的水贴。
本帖最后由 我是用户 于 2013-12-16 20:22 编辑
【软件名称】: 【吾爱2013CM大赛解答】-- TempCrackme2013 -- Rookietp
【作者邮箱】: 2714608453@qq.com
【下载地址】: 见论坛
【软件语言】: VC8
【使用工具】: OD
【操作平台】: XP SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
嗯嗯嗯.....
1.查壳
显示是VC8的.
2.分析
程序是双线程+初始化时验证CRC32码。
代码如下:
初始化:
; Startup integrity check (sub 00401190). Resolves ntdll!RtlComputeCrc32, checks two fixed
; code ranges against CRC32 values embedded as immediates (terminating the process on a
; mismatch), then calls 00401050 once for the main module and once for kernel32.dll to start
; the runtime checker threads. Takes no arguments; eax on return is whatever 00401050 left there.
[C++] 纯文本查看 复制代码 00401190 /$ 53 push ebx
00401191 |. 56 push esi
00401192 |. 57 push edi
00401193 |. 68 4CF45400 push offset <aNtdll_dll> ; /ntdll.dll
00401198 |. FF15 FC535200 call dword ptr [<&KERNEL32.LoadLibrar>; \LoadLibraryW ; eax = HMODULE of ntdll.dll
0040119E |. 68 7CF45400 push offset <aRtlcomputecrc3> ; /RtlComputeCrc32
004011A3 |. 50 push eax ; |hModule
004011A4 |. FF15 28545200 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress ; eax = &RtlComputeCrc32 (not checked for NULL)
; RtlComputeCrc32(InitialCrc, Buffer, Length) is stdcall, so Length is pushed first.
004011AA |. 68 27010000 push 0x127 ; Length = 0x127 bytes
004011AF |. 68 00104000 push 00401000 ; Buffer = start of the thread stub (listing further below)
004011B4 |. 8BF0 mov esi, eax ; esi = RtlComputeCrc32, reused for the second range
004011B6 |. 6A 00 push 0x0 ; InitialCrc = 0
004011B8 |. FFD6 call esi ; eax = CRC32 of 00401000..00401126
004011BA |. 8B3D 3C525200 mov edi, dword ptr [<&KERNEL32.Termi>; kernel32.TerminateProcess
004011C0 |. 8B1D 30545200 mov ebx, dword ptr [<&KERNEL32.GetCu>; kernel32.GetCurrentProcess
004011C6 |. 3D 71196895 cmp eax, 0x95681971 ; expected CRC32 of range 1, stored as an immediate
004011CB 74 07 je short 004011D4 ; match -> continue with range 2
; Mismatch path: TerminateProcess(GetCurrentProcess(), -1). No message, no cleanup.
004011CD |. 6A FF push -0x1 ; /ExitCode = FFFFFFFF (-1.)
004011CF |. FFD3 call ebx ; |[GetCurrentProcess
004011D1 |. 50 push eax ; |hProcess
004011D2 |. FFD7 call edi ; \TerminateProcess
; Range 2: 0x127 bytes from 00401040, the routine the checker thread calls on a mismatch (see 00401050, ctx+0x8).
004011D4 |> 68 27010000 push 0x127
004011D9 |. 68 40104000 push 00401040
004011DE |. 6A 00 push 0x0
004011E0 >|. FFD6 call esi ; aTinterfacedobj ; (label looks like a stray OllyDbg annotation) eax = CRC32 of 00401040..00401166
004011E2 |. 3D 84DC625E cmp eax, 0x5E62DC84 ; expected CRC32 of range 2
004011E7 74 07 je short 004011F0
004011E9 |. 6A FF push -0x1 ; same TerminateProcess(GetCurrentProcess(), -1) path as above
004011EB |. FFD3 call ebx
004011ED |. 50 push eax
004011EE |. FFD7 call edi
; Both ranges intact: start the runtime checkers. 00401050 is cdecl (caller pops its one argument).
004011F0 |> 8B35 2C545200 mov esi, dword ptr [<&KERNEL32.GetMo>; kernel32.GetModuleHandleW
004011F6 |. 6A 00 push 0x0 ; /pModule = NULL
004011F8 |. FFD6 call esi ; \GetModuleHandleW ; eax = base of the main executable
004011FA |. 50 push eax
004011FB |. E8 50FEFFFF call 00401050 ; checker thread(s) for the exe's code section(s)
00401200 |. 83C4 04 add esp, 0x4
00401203 |. 68 60F45400 push offset <aKernel32_dll_0> ; kernel32.dll
00401208 |. FFD6 call esi ; GetModuleHandleW(L"kernel32.dll") -> eax = base of kernel32
0040120A |. 50 push eax
0040120B |. E8 40FEFFFF call 00401050 ; checker thread(s) for kernel32's code section(s) as well
00401210 |. 83C4 04 add esp, 0x4
00401213 |. 5F pop edi
00401214 >|. 5E pop esi ;
00401215 |. 5B pop ebx
00401216 \. C3 retn
使用 RtlComputeCrc32 对程序进行两处 CRC32 校验,不等就 GAME OVER,JMP 跳过即可。call 00401050 这个 CALL 里,使用 VirtualAlloc 申请虚拟空间(这样在不同的电脑上,地址就可能是不同的),然后用 memcpy 把 00401000 处的代码复制到申请的空间,并在此空间上新建线程。代码如下:
; sub 00401050 — install a CRC32 watchdog thread on every code section of one module.
; Arg [ebp+8]: module base (HMODULE); the caller passes GetModuleHandleW(NULL) and then
; GetModuleHandleW(L"kernel32.dll"). cdecl: the caller does `add esp, 0x4` after each call.
; For each section that is CNT_CODE + MEM_EXECUTE + MEM_READ and not MEM_DISCARDABLE it
; builds a 0x14-byte context block in RWX memory, copies the thread stub at 00401000 (up to
; the 0xAAAAAAAA marker) into a second RWX allocation and starts the copy with CreateThread.
; Nothing allocated here is freed and the thread handle is dropped. eax on return is not meaningful.
[C++] 纯文本查看 复制代码 00401050 /$ 55 push ebp
00401051 |. 8BEC mov ebp, esp
00401053 |. 83EC 0C sub esp, 0xC ; locals: [ebp-4] = &Characteristics of current section, [ebp-8] = sections left, [ebp-C] = ntdll HMODULE
00401056 |. 56 push esi
00401057 |. 8B75 08 mov esi, dword ptr [ebp+0x8] ; esi = module base
0040105A |. 8B46 3C mov eax, dword ptr [esi+0x3C] ; IMAGE_DOS_HEADER.e_lfanew -> offset of the PE header
0040105D |. 0FB74C30 14 movzx ecx, word ptr [eax+esi+0x14] ; IMAGE_FILE_HEADER.SizeOfOptionalHeader
00401062 |. 8D4C01 18 lea ecx, dword ptr [ecx+eax+0x18] ; ecx = offset of the first IMAGE_SECTION_HEADER
00401066 |. 0FB74430 06 movzx eax, word ptr [eax+esi+0x6] ; IMAGE_FILE_HEADER.NumberOfSections
0040106B |. 85C0 test eax, eax
0040106D |. 0F84 18010000 je 0040118B ; no sections -> nothing to watch
00401073 |. 53 push ebx
00401074 |. 57 push edi
00401075 |. 8D7C31 24 lea edi, dword ptr [ecx+esi+0x24] ; edi = &section[0].Characteristics (+0x24 in the 0x28-byte header)
00401079 |. 897D FC mov dword ptr [ebp-0x4], edi
0040107C |. 8945 F8 mov dword ptr [ebp-0x8], eax ; loop counter = NumberOfSections
0040107F |. 90 nop
; Section filter: skip unless MEM_EXECUTE (0x20000000), MEM_READ (0x40000000) and CNT_CODE (0x20)
; are all set and MEM_DISCARDABLE (0x02000000) is clear.
00401080 |> 8B07 /mov eax, dword ptr [edi] ; eax = Characteristics
00401082 |. A9 00000020 |test eax, 0x20000000 ; IMAGE_SCN_MEM_EXECUTE
00401087 |. 0F84 ED000000 |je 0040117A
0040108D |. A9 00000040 |test eax, 0x40000000 ; IMAGE_SCN_MEM_READ
00401092 |. 0F84 E2000000 |je 0040117A
00401098 |. A8 20 |test al, 0x20 ; IMAGE_SCN_CNT_CODE
0040109A |. 0F84 DA000000 |je 0040117A
004010A0 |. A9 00000002 |test eax, 0x2000000 ; IMAGE_SCN_MEM_DISCARDABLE
004010A5 |. 0F85 CF000000 |jnz 0040117A
004010AB |. 68 94F45400 |push offset <OutputString> ; /create code check\r\n
004010B0 |. FF15 1C545200 |call dword ptr [<&KERNEL32.OutputDeb>; \OutputDebugStringA ; emitted once per watched section; visible to an attached debugger
004010B6 |. 8B5F E4 |mov ebx, dword ptr [edi-0x1C] ; +0x08: Misc.VirtualSize -> number of bytes to checksum
004010B9 |. 8B7F E8 |mov edi, dword ptr [edi-0x18] ; +0x0C: VirtualAddress (RVA)
004010BC |. 68 4CF45400 |push offset <aNtdll_dll> ; /ntdll.dll
004010C1 |. 03FE |add edi, esi ; | ; edi = VA of the section in memory
004010C3 |. FF15 FC535200 |call dword ptr [<&KERNEL32.LoadLibra>; \LoadLibraryW
; Context block: VirtualAllocEx(GetCurrentProcess(), NULL, 0x14, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE).
; RWX is more than a data block needs, and the allocation is never released.
004010C9 |. 6A 40 |push 0x40 ; /flProtect = 40 (64.)
004010CB |. 68 00300000 |push 0x3000 ; |flAllocationType = 3000 (12288.)
004010D0 |. 6A 14 |push 0x14 ; |dwSize = 14 (20.)
004010D2 |. 6A 00 |push 0x0 ; |lpAddress = NULL
004010D4 |. 8945 F4 |mov dword ptr [ebp-0xC], eax ; | ; save ntdll HMODULE
004010D7 |. FF15 30545200 |call dword ptr [<&KERNEL32.GetCurren>; |[GetCurrentProcess
004010DD |. 50 |push eax ; |hProcess
004010DE |. FF15 F8535200 |call dword ptr [<&KERNEL32.VirtualAl>; \VirtualAllocEx ; eax = context block (NULL not checked)
; Context layout (consumed by the thread stub at 00401000):
;   +0x00 RtlComputeCrc32   +0x04 Sleep   +0x08 mismatch handler 00401040
;   +0x0C section VA        +0x10 section VirtualSize
004010E4 |. 8B55 F4 |mov edx, dword ptr [ebp-0xC]
004010E7 |. 68 7CF45400 |push offset <aRtlcomputecrc3> ; /RtlComputeCrc32
004010EC >|. 52 |push edx ; |_cls_System_TObject ; (stray OllyDbg label; this is the ntdll HMODULE)
004010ED |. 8BF0 |mov esi, eax ; | ; esi = context block
004010EF |. FF15 28545200 |call dword ptr [<&KERNEL32.GetProcAd>; \GetProcAddress
004010F5 |. 68 8CF45400 |push offset <aSleep> ; /Sleep
004010FA |. 68 60F45400 |push offset <aKernel32_dll_0> ; |/kernel32.dll
004010FF |. 8906 |mov dword ptr [esi], eax ; || ; ctx+0x00 = RtlComputeCrc32
00401101 |. FF15 2C545200 |call dword ptr [<&KERNEL32.GetModule>; |\GetModuleHandleW
00401107 |. 50 |push eax ; |hModule
00401108 |. FF15 28545200 |call dword ptr [<&KERNEL32.GetProcAd>; \GetProcAddress
0040110E |. 8946 04 |mov dword ptr [esi+0x4], eax ; ctx+0x04 = Sleep
00401111 |. 897E 0C |mov dword ptr [esi+0xC], edi ; ctx+0x0C = section VA
00401114 |. B8 00104000 |mov eax, 00401000 ; start of the thread stub
00401119 |. 895E 10 |mov dword ptr [esi+0x10], ebx ; ctx+0x10 = section size
0040111C |. C746 08 40104>|mov dword ptr [esi+0x8], 00401040 ; ctx+0x08 = routine the thread calls on a CRC mismatch
; Measure the stub: edi = bytes from 00401000 to the first dword 0xAAAAAAAA.
; The scan has no upper bound; it relies on the marker being present after the stub.
00401123 |. 33FF |xor edi, edi
00401125 |. 8138 AAAAAAAA |cmp dword ptr [eax], 0xAAAAAAAA
0040112B |. 74 0F |je short 0040113C
0040112D |. B8 00104000 |mov eax, 00401000
00401132 |> 40 |/inc eax
00401133 |. 47 ||inc edi
00401134 |. 8138 AAAAAAAA ||cmp dword ptr [eax], 0xAAAAAAAA
0040113A |.^ 75 F6 |\jnz short 00401132
; Second RWX allocation of edi bytes; memcpy the stub into it and run the copy as a thread.
0040113C |> 6A 40 |push 0x40 ; /flProtect = 40 (64.)
0040113E |. 68 00300000 |push 0x3000 ; |flAllocationType = 3000 (12288.)
00401143 |. 57 |push edi ; |dwSize
00401144 >|. 6A 00 |push 0x0 ; |System::_16409 ; (stray OllyDbg label; this is lpAddress = NULL)
00401146 |. FF15 30545200 |call dword ptr [<&KERNEL32.GetCurren>; |[GetCurrentProcess
0040114C |. 50 |push eax ; |hProcess
0040114D |. FF15 F8535200 |call dword ptr [<&KERNEL32.VirtualAl>; \VirtualAllocEx ; eax = new home of the stub, chosen by the allocator (NULL not checked)
00401153 |. 57 |push edi ; n = stub length
00401154 |. 8BD8 |mov ebx, eax
00401156 |. 68 00104000 |push 00401000 ; src
0040115B |. 53 |push ebx ; dst
0040115C |. E8 6F171000 |call <_memcpy>
00401161 |. 83C4 0C |add esp, 0xC
; CreateThread(NULL, 0, copied_stub, ctx, 0, NULL) — the handle returned in eax is discarded, never closed.
00401164 |. 6A 00 |push 0x0 ; /pThreadId = NULL
00401166 |. 6A 00 |push 0x0 ; |CreationFlags = 0
00401168 |. 56 |push esi ; |pThreadParm ; = context block
00401169 |. 53 |push ebx ; |ThreadFunction ; = the copy, not the original at 00401000
0040116A |. 6A 00 |push 0x0 ; |StackSize = 0x0
0040116C |. 6A 00 |push 0x0 ; |pSecurity = NULL
0040116E |. FF15 20545200 |call dword ptr [<&KERNEL32.CreateThr>; \CreateThread
00401174 |. 8B7D FC |mov edi, dword ptr [ebp-0x4] ; restore section pointer and module base clobbered above
00401177 |. 8B75 08 |mov esi, dword ptr [ebp+0x8]
0040117A |> 83C7 28 |add edi, 0x28 ; next IMAGE_SECTION_HEADER (sizeof = 0x28)
0040117D |. FF4D F8 |dec dword ptr [ebp-0x8]
00401180 |. 897D FC |mov dword ptr [ebp-0x4], edi
00401183 |.^ 0F85 F7FEFFFF \jnz 00401080
00401189 |. 5F pop edi
0040118A |. 5B pop ebx
0040118B |> 5E pop esi
0040118C |. 8BE5 mov esp, ebp
0040118E |. 5D pop ebp
0040118F \. C3 retn
线程代码:
; Thread stub at 00401000 (00401050 copies it into fresh memory and runs the copy).
; Arg [ebp+8]: context block built by 00401050:
;   +0x00 RtlComputeCrc32   +0x04 Sleep   +0x08 mismatch handler 00401040
;   +0x0C section VA        +0x10 section size
; Computes the section's CRC32 once as the reference, then every 3 s recomputes and compares.
; The reference is taken at thread start, not read from a stored constant, so only changes
; made after the thread is running are noticed. The loop below never exits.
[C++] 纯文本查看 复制代码 00401000 . 55 push ebp
00401001 . 8BEC mov ebp, esp
00401003 . 56 push esi
00401004 . 8B75 08 mov esi, dword ptr [ebp+0x8] ; esi = context block
00401007 . 8B46 10 mov eax, dword ptr [esi+0x10] ; Length = section size
0040100A . 8B4E 0C mov ecx, dword ptr [esi+0xC] ; Buffer = section VA
0040100D . 8B16 mov edx, dword ptr [esi] ; RtlComputeCrc32
0040100F . 57 push edi ; saved but never popped: there is no return path
00401010 . 50 push eax
00401011 . 51 push ecx
00401012 . 6A 00 push 0x0 ; InitialCrc = 0
00401014 . FFD2 call edx ; RtlComputeCrc32(0, section, size)
00401016 . 8BF8 mov edi, eax ; edi = reference CRC32, fixed for the thread's lifetime
; Poll loop.
00401018 > 8B46 10 mov eax, dword ptr [esi+0x10]
0040101B . 8B4E 0C mov ecx, dword ptr [esi+0xC]
0040101E . 8B16 mov edx, dword ptr [esi]
00401020 . 50 push eax
00401021 . 51 push ecx
00401022 . 6A 00 push 0x0
00401024 . FFD2 call edx ; current CRC32 of the same range
00401026 . 3BC7 cmp eax, edi
00401028 . 74 05 je short 0040102F ; unchanged -> sleep
0040102A . 8B46 08 mov eax, dword ptr [esi+0x8] ; changed -> call the handler at 00401040
0040102D . FFD0 call eax ; handler body is not in this listing; if it returns, the loop continues with the old reference and fires again every pass
0040102F > 8B4E 04 mov ecx, dword ptr [esi+0x4] ; Sleep
00401032 . 68 B80B0000 push 0xBB8 ; dwMilliseconds = 3000
00401037 . FFD1 call ecx
00401039 .^ EB DD jmp short 00401018
先计算初始 CRC32 值,然后每次取当前值与之比较:不等就结束程序,相等就 SLEEP,等下一轮验证。
3.爆破
好吧,这个CM是只能爆破的,不能追码,害我还追了半天,代码看了个遍,什么都没有。。。。
注册按钮事件如下:
; Register-button handler (00402100). ecx is presumably the MFC window object (thiscall):
; "注册成功!" is shown only when the member at [this+0x20] equals 0x7B (123); otherwise the
; handler returns silently. Where +0x20 is written is not in this listing, and the success
; path itself does no serial computation — which matches the author's remark that there is
; nothing to trace here.
[C++] 纯文本查看 复制代码 00402100 . 8379 20 7B cmp dword ptr [ecx+0x20], 0x7B
00402104 . 75 0E jnz short 00402114 ; not 0x7B -> return without any message
00402106 . 6A 00 push 0x0 ; nIDHelp = 0
00402108 . 6A 00 push 0x0 ; nType = 0
0040210A . 68 28F85400 push 0054F828 ; 注册成功! ; lpszText
0040210F . E8 9F030000 call <AfxMessageBox(wchar_t const *,u>
00402114 > C3 retn
nop掉即可.
成功如下: