C写的第六个cm(xp可运行)
新手一个,用c写了一个cm,
希望破掉的各位,可以告诉下爆破位置和思路。
先谢为敬。
s-h-e-n-p
反调试大概是线程检测调试和时间差检测,若被调试则进入错误的分支,会分析到假密码:p-o-j-i-e
爆破就不爆破了,楼主能否给份源码学习下呢? 往IDA一丢,基本逻辑就看得差不多了。
// Decompiled (IDA) worker thread that reads the password and prints the verdict.
// The names v1..v8, q, s, zxzx are decompiler artifacts; several declarations
// below do not match how the variables are used (see the notes on each line),
// which is typical of Hex-Rays output rather than the original source.
// Returns 0 on every path; the verdict is printed, not returned.
DWORD __stdcall ThreadFunc2(LPVOID a1)
{
char *v1; // eax
int v2; // ebx
int i; // eax
int v4; // eax
int v5; // ebp
bool v6; // zf
int v7; // ebx
int v8; // ebx
int b; //
HANDLE hThread4; //
int qq; //
char *q; // BYREF -- compared against several different letters below, so the original is presumably an array of token pointers whose indices IDA collapsed; verify in the disassembly
char s; // BYREF -- scanf("%s") writes a whole string here, so this is really a char buffer of unknown size
int zxzx; // BYREF -- receives the anti-debug thread's exit code
DWORD threadId4; // BYREF
// Anti-debug helper is started first so it runs while the user types (ThreadFunc4 is not shown on this page).
// threadId4 is passed by value where CreateThread expects an LPDWORD; presumably &threadId4 in the original.
hThread4 = CreateThread(0, 0, ThreadFunc4, 0, 0, threadId4);
// Global timestamp; stopa1 is taken below when the last token matches. The time-difference
// check itself is not in this function, so its threshold is unknown here.
starta1 = clock();
// sizeof(q) is the size of a pointer and q is uninitialized at this point -- another sign the real object is an array.
memset(q, 0, sizeof(q));
// Unbounded "%s" read: nothing limits the input length, so an over-long line overruns the buffer behind s.
scanf("%s", s);
// Split the input on '-' (the password format on this page is five letters separated by '-').
v1 = strtok(s, "-");
v2 = 0;
while ( v1 )
{
q = v1;
qq = 0;
v1 = strtok(0, "-");
}
// v2 is never changed in the decompiled loop, yet the check below expects 5 tokens;
// the counter increment was probably folded away by the decompiler.
for ( i = v2; i >= 0; --i )
; // empty loop; no effect on state
if ( v2 == 5 )
{
v4 = 100;
b = 20;
v5 = 20;
// Obfuscated comparison state machine. Every token check that fails leaves the loop
// and falls through to loop5 ("wrong password"). The letters compared are h, p, n, e, s --
// the characters of the password the replies on this page give (s-h-e-n-p), in shuffled order.
// qq is only ever set, never read for a decision.
while ( 1 )
{
if ( !v5 )
{
if ( strcmp(q, "h") )
break;
if ( !qq )
qq = 1;
}
v8 = 50;
// The v4/v8 counter games only decide when the "p" and "n" comparisons are reached.
while ( v8 > 39 )
{
if ( v4 > 1 )
{
v4 -= 3;
}
else
{
if ( --v8 % 10 == 1 )
{
if ( strcmp(q, "p") )
goto loop5;
if ( !qq )
qq = 1;
}
if ( strcmp(q, "n") )
goto loop5;
if ( !qq )
qq = 1;
v4 = v8;
}
}
v6 = strcmp(q, "e") == 0;
v7 = !v6; // reused below as a loop counter; it is 0 here when "e" matched
if ( !v6 )
break;
if ( !qq )
qq = 1;
// Normalizes v5 into [0, 19]; on the first pass v5 goes 20 -> -10 -> -5 -> 0, so "h" is checked from the second pass on.
while ( 1 )
{
while ( v5 > 19 )
v5 -= 30;
if ( v5 >= 0 )
break;
v5 += 5;
}
if ( b <= 5 )
{
// Five 10 ms sleeps: part of the delay the clock()-based timing check measures.
while ( v7 <= 4 )
{
Sleep(0xAu);
++v7;
}
if ( !strcmp(q, "s") )
{
stopa1 = clock();
Sleep(0x1F4u);
// The verdict is delegated to the anti-debug thread: only a non-zero exit code prints "right".
// A correct password therefore still prints "wrong password" when that thread reports a debugger.
WaitForSingleObject(hThread4, 0xFFFFFFFF);
GetExitCodeThread(hThread4, (LPDWORD)&zxzx);
if ( zxzx )
{
// "right password" is assembled from single-character pieces so the literal does not appear in the string table.
printf("%s%s%s%s%s password\n", "r", "i", "g", "h", "t");
return 0;
}
}
break;
}
--b;
v4 = 50;
}
}
loop5:
puts("wrong password");
return 0;
} 可惜了,装了个win10,谢谢吧。。。 如三楼所述,本人对于IDA只会简单操作也能看到些信息
// Decompiled (IDA) anti-debug thread. Returns 0 as soon as any debugger indicator is
// found and 1 only when every check passes. ThreadFunc2 reads a thread exit code through
// GetExitCodeThread, but it waits on ThreadFunc4, so how this result is consumed is not
// visible on this page.
DWORD __stdcall ThreadFunc3(LPVOID p3)
{
signed int v1; // edx
int i; // eax
int v3; // ebx
HANDLE v5; // eax
unsigned int v6; // eax
HANDLE hHeap; // eax
PROCESS_HEAP_ENTRY HeapEntry; //
BOOL bDebuggerPresent; //
v1 = 0;
// Busy-wait: the inner loop spins i up to 100 and the outer loop repeats until v1 reaches 50.
// Pure delay with no side effects; together with foosleep() it widens the window that the
// clock()-based timing check in ThreadFunc2 measures.
for ( i = 0; ; i = v1++ + 1 )
{
while ( i <= 99 )
++i;
if ( v1 > 49 )
break;
}
foosleep(); // not shown on this page; presumably another delay
// Check 1: the documented API, which reads PEB.BeingDebugged.
if ( IsDebuggerPresent() )
return 0;
// Check 2: asks the kernel whether a debug port is attached to this process.
v5 = GetCurrentProcess();
if ( CheckRemoteDebuggerPresent(v5, &bDebuggerPresent) == 1 && bDebuggerPresent == 1 )
return 0;
// Check 3: the same PEB byte as check 1, read directly instead of through the API.
if ( NtCurrentPeb()->BeingDebugged )
return 0;
// Check 4: a PEB field masked with 0x70. That mask is the usual NtGlobalFlag heap-debug test
// (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS),
// but "Reserved9" is IDA's opaque winternl name -- confirm the offset in the disassembly.
// v3 doubles as the return value: it stays 0 ("debugger suspected") unless the last check sets it to 1.
v3 = (_DWORD)NtCurrentPeb()->Reserved9 & 0x70;
if ( v3 )
return 0;
// Zero HeapEntry four bytes at a time; 0x1C is sizeof(PROCESS_HEAP_ENTRY) on 32-bit,
// so this is an unrolled memset(&HeapEntry, 0, sizeof HeapEntry). A zeroed lpData is
// what HeapWalk needs to start a walk.
v6 = 0;
do
{
*(PVOID *)((char *)&HeapEntry.lpData + v6) = 0;
v6 += 4;
}
while ( v6 < 0x1C );
// Check 5: walk the default process heap until the first allocated block
// (wFlags == 4 is PROCESS_HEAP_ENTRY_BUSY), then scan the process list once and return.
// HeapWalk is called without HeapLock/HeapUnlock around the walk, which the API documentation recommends.
while ( 1 )
{
hHeap = GetProcessHeap();
if ( !HeapWalk(hHeap, &HeapEntry) )
break;
if ( HeapEntry.wFlags == 4 )
{
// getProcess() is not shown; presumably non-zero when a process with that image name exists.
// The match is by exact file name only, against a fixed list of debuggers
// (a reply on this page notes that IDA is not among them).
if ( !getProcess("OllyDBG.exe")
&& !getProcess("OLLYDBG.exe")
&& !getProcess("ollydbg.exe")
&& !getProcess("破解工具包.exe")
&& !getProcess("Snd.exe")
&& !getProcess("TheoDBG.exe")
&& !getProcess("IDebugger.exe")
&& !getProcess("DosaDbg.exe") )
{
v3 = 1; // all checks passed
}
return v3;
}
}
// Reached only when HeapWalk fails before a busy entry is seen; v3 is still 0 here,
// so this case is indistinguishable from a detected debugger for the caller.
return v3;
这段代码是打算检测常用破解工具并强行结束进程么?貌似是遗漏了IDA。 本帖最后由 killerzeno 于 2021-11-24 10:46 编辑
好久没来玩Crackme了,今天刚好不忙来玩一会儿,哈哈。
祝吾爱越来越好
调试文件:cm-6-2021-11-23
调试系统:单位的破win10
调试工具:随便用,用啥都可以。
CrackMe分析:正确Password:s-h-e-n-p,用了反调试检测等手段,有假密。可爆破,见截图。上班呢,不方便打太多字。就这样Pass了~Over!
Cracker By:Killerzeno
有点意思,,,,