写了一个crack me大家一起试一试
下面是crack me的链接:https://pan.quark.cn/s/60150b87236e
下面是成功的提示语
加油啊!!!!! 实在是不好意思,第一次传crack me,没有经验!对不起>人<,但是还是希望大家可以认真完成这个crack me 本帖最后由 solly 于 2023-6-9 16:38 编辑
像是一个只有一个减法器的虚拟机,入口是 0x00405260:
; VM image embedded in .data. According to the decompiled loader (sub_401057) quoted later
; in this thread, the block is copied to a heap buffer, data_base = buffer + 8 and
; execution starts at buffer + 96, so:
;   index (byte offset used by the VM) = .data address - 00405208h
;   entry point                        = .data:00405260 (index 58h)
; Jump comments such as "jmp 0x2A8" quote the low 12 bits of the .data address
; (index + 208h); the dword itself holds the index (0A0h in that case).
.data:00405200 01 00 00 00 dword_405200 dd 1 ; DATA XREF: main_sub_401057+47↑o
.data:00405200 ; count of code buffer = 1
.data:00405204 D1 02 00 00 dd 2D1h ; length of code buffer = 721
.data:00405208 00 00 00 00 dd 0 ; sn (index = 00h)
.data:0040520C 00 00 00 00 dd 0 ; sn (index = 04h)
.data:00405210 00 00 00 00 dd 0 ; sn (index = 08h)
.data:00405214 00 00 00 00 dd 0 ; sn (index = 0Ch)
.data:00405218 00 00 00 00 dd 0
.data:0040521C 00 00 00 00 dd 0
.data:00405220 00 00 00 00 dd 0
.data:00405224 00 00 00 00 dd 0
.data:00405228 78 7F 63 82 dd 82637F78h ; (index = 20h)
.data:0040522C 7E 99 86 93 dd 9386997Eh ; (index = 24h)
.data:00405230 57 45 4C 43 4F 4D 45 20 54 4F+aWelcomeToThisC db 'WELCOME TO THIS CRACKME',0
.data:00405248 10 98 91 01 dd 1919810h ; input (index = 40h)
.data:0040524C 14 45 11 00 dd 114514h ; output (index = 44h)
.data:00405250 00 00 00 00 dd 0 ; aTmp (index = 48h)
.data:00405254 00 00 00 00 dd 0 ; bTmp (index = 4Ch)
.data:00405258 00 00 00 00 dd 0 ; const 0 (index = 50h)
.data:0040525C 00 00 00 00 dd 0 ; const 1 (index = 54h)
; ---- VM code starts here (index 58h): 12-byte instructions, three dwords each
; ---- (operand index, operand index, next/jump/exit field), as described in the thread
.data:00405260 28 00 00 00 dd 28h ; offset 'WELCOME TO THIS CRACKME'
.data:00405264 44 00 00 00 dd 44h ; output()
.data:00405268 00 00 00 00 dd 0
.data:0040526C 00 00 00 00 dd 0
.data:00405270 40 00 00 00 dd 40h ; input()
.data:00405274 00 00 00 00 dd 0
.data:00405278 48 00 00 00 dd 48h
.data:0040527C 10 00 00 00 dd 10h
.data:00405280 A0 00 00 00 dd 0A0h ; jmp 0x2A8
.data:00405284 88 00 00 00 dd 88h ; offset "you failed."
.data:00405288 44 00 00 00 dd 44h ; output()
.data:0040528C 94 00 00 00 dd 94h ; jmp 0x29C
; inline string data (12 bytes) inside the code stream; the jump field above (94h) points past it
.data:00405290 79 6F 75 20 66 61 69 6C 65 64+aYouFailed db 'you failed.',0 ; 0x88
.data:0040529C 00 00 00 00 dd 0 ; loc: 0x29C
.data:004052A0 00 00 00 00 dd 0
.data:004052A4 FF FF FF FF dd 0FFFFFFFFh ; 0x9C, exit code @ failed
; index 0A0h: the loader sets ip = data_base + 160 here after storing the 16 input bytes
.data:004052A8 04 00 00 00 dd 4 ; loc: 0x2A8
.data:004052AC 48 00 00 00 dd 48h
.data:004052B0 00 00 00 00 dd 0
.data:004052B4 48 00 00 00 dd 48h
.data:004052B8 00 00 00 00 dd 0
.data:004052BC 00 00 00 00 dd 0
.data:004052C0 48 00 00 00 dd 48h
.data:004052C4 48 00 00 00 dd 48h
.data:004052C8 00 00 00 00 dd 0
.data:004052CC 10 00 00 00 dd 10h
.data:004052D0 10 00 00 00 dd 10h
.data:004052D4 00 00 00 00 dd 0
.data:004052D8 00 00 00 00 dd 0
.data:004052DC 48 00 00 00 dd 48h
.data:004052E0 00 00 00 00 dd 0
.data:004052E4 48 00 00 00 dd 48h
.data:004052E8 10 00 00 00 dd 10h
.data:004052EC 00 00 00 00 dd 0
.data:004052F0 48 00 00 00 dd 48h
.data:004052F4 48 00 00 00 dd 48h
.data:004052F8 00 00 00 00 dd 0
.data:004052FC 0C 00 00 00 dd 0Ch
.data:00405300 48 00 00 00 dd 48h
.data:00405304 00 00 00 00 dd 0
.data:00405308 48 00 00 00 dd 48h
.data:0040530C 08 00 00 00 dd 8
.data:00405310 00 00 00 00 dd 0
.data:00405314 48 00 00 00 dd 48h
.data:00405318 48 00 00 00 dd 48h
.data:0040531C 00 00 00 00 dd 0
.data:00405320 14 00 00 00 dd 14h
.data:00405324 14 00 00 00 dd 14h
.data:00405328 00 00 00 00 dd 0
.data:0040532C 08 00 00 00 dd 8
.data:00405330 48 00 00 00 dd 48h
.data:00405334 00 00 00 00 dd 0
.data:00405338 48 00 00 00 dd 48h
.data:0040533C 14 00 00 00 dd 14h
.data:00405340 00 00 00 00 dd 0
.data:00405344 48 00 00 00 dd 48h
.data:00405348 48 00 00 00 dd 48h
.data:0040534C 00 00 00 00 dd 0
.data:00405350 10 00 00 00 dd 10h
.data:00405354 48 00 00 00 dd 48h
.data:00405358 00 00 00 00 dd 0
.data:0040535C 10 00 00 00 dd 10h
.data:00405360 10 00 00 00 dd 10h
.data:00405364 00 00 00 00 dd 0
.data:00405368 54 00 00 00 dd 54h
.data:0040536C 48 00 00 00 dd 48h
.data:00405370 00 00 00 00 dd 0
.data:00405374 48 00 00 00 dd 48h
.data:00405378 4C 00 00 00 dd 4Ch
.data:0040537C 00 00 00 00 dd 0
.data:00405380 4C 00 00 00 dd 4Ch
.data:00405384 10 00 00 00 dd 10h
.data:00405388 00 00 00 00 dd 0
.data:0040538C 48 00 00 00 dd 48h
.data:00405390 48 00 00 00 dd 48h
.data:00405394 00 00 00 00 dd 0
.data:00405398 4C 00 00 00 dd 4Ch
.data:0040539C 4C 00 00 00 dd 4Ch
.data:004053A0 00 00 00 00 dd 0
.data:004053A4 14 00 00 00 dd 14h
.data:004053A8 48 00 00 00 dd 48h
.data:004053AC 00 00 00 00 dd 0
.data:004053B0 14 00 00 00 dd 14h
.data:004053B4 14 00 00 00 dd 14h
.data:004053B8 00 00 00 00 dd 0
.data:004053BC 54 00 00 00 dd 54h
.data:004053C0 48 00 00 00 dd 48h
.data:004053C4 00 00 00 00 dd 0
.data:004053C8 48 00 00 00 dd 48h
.data:004053CC 4C 00 00 00 dd 4Ch
.data:004053D0 00 00 00 00 dd 0
.data:004053D4 4C 00 00 00 dd 4Ch
.data:004053D8 14 00 00 00 dd 14h
.data:004053DC 00 00 00 00 dd 0
.data:004053E0 48 00 00 00 dd 48h
.data:004053E4 48 00 00 00 dd 48h
.data:004053E8 00 00 00 00 dd 0
.data:004053EC 4C 00 00 00 dd 4Ch
.data:004053F0 4C 00 00 00 dd 4Ch
.data:004053F4 00 00 00 00 dd 0
.data:004053F8 10 00 00 00 dd 10h
.data:004053FC 20 00 00 00 dd 20h
.data:00405400 00 00 00 00 dd 0
.data:00405404 20 00 00 00 dd 20h
.data:00405408 48 00 00 00 dd 48h
.data:0040540C 14 02 00 00 dd 214h ; jmp 0x41C
.data:00405410 48 00 00 00 dd 48h
.data:00405414 48 00 00 00 dd 48h
.data:00405418 7C 00 00 00 dd 7Ch ; jmp "you failed."
.data:0040541C 48 00 00 00 dd 48h ; loc: 0x41C
.data:00405420 48 00 00 00 dd 48h
.data:00405424 00 00 00 00 dd 0
.data:00405428 48 00 00 00 dd 48h
.data:0040542C 20 00 00 00 dd 20h
.data:00405430 38 02 00 00 dd 238h ; jmp 0x440
.data:00405434 48 00 00 00 dd 48h
.data:00405438 48 00 00 00 dd 48h
.data:0040543C 7C 00 00 00 dd 7Ch ; jmp "you failed."
.data:00405440 48 00 00 00 dd 48h ; loc: 0x440
.data:00405444 48 00 00 00 dd 48h
.data:00405448 00 00 00 00 dd 0
.data:0040544C 14 00 00 00 dd 14h
.data:00405450 24 00 00 00 dd 24h
.data:00405454 00 00 00 00 dd 0
.data:00405458 24 00 00 00 dd 24h
.data:0040545C 48 00 00 00 dd 48h
.data:00405460 68 02 00 00 dd 268h ; jmp 0x470
.data:00405464 48 00 00 00 dd 48h
.data:00405468 48 00 00 00 dd 48h
.data:0040546C 7C 00 00 00 dd 7Ch ; jmp "you failed."
.data:00405470 48 00 00 00 dd 48h ; loc: 0x470
.data:00405474 48 00 00 00 dd 48h
.data:00405478 00 00 00 00 dd 0
.data:0040547C 48 00 00 00 dd 48h
.data:00405480 20 00 00 00 dd 20h
.data:00405484 8C 02 00 00 dd 28Ch ; jmp 0x494
.data:00405488 48 00 00 00 dd 48h
.data:0040548C 48 00 00 00 dd 48h
.data:00405490 7C 00 00 00 dd 7Ch ; jmp "you failed."
.data:00405494 48 00 00 00 dd 48h ; loc:0x494
.data:00405498 48 00 00 00 dd 48h
.data:0040549C A1 02 00 00 dd 2A1h ; jmp to OK
; 9 data bytes inside the code stream (indices 298h..2A0h); they are operands of the two
; instructions at loc OK before being handed to output(). Because of the single db byte,
; every dword that follows sits at an odd address.
.data:004054A0 F1 EE D8 A2 dd 0A2D8EEF1h ; "you xim."
.data:004054A4 F6 02 F4 C1 dd 0C1F402F6h
.data:004054A8 00 db 0
.data:004054A9 10 00 00 00 dd 10h ; loc: OK
.data:004054AD 98 02 00 00 dd 298h ; offset "you "
.data:004054B1 00 00 00 00 dd 0
.data:004054B5 14 00 00 00 dd 14h
.data:004054B9 9C 02 00 00 dd 29Ch ; offset "xim."
.data:004054BD 00 00 00 00 dd 0
.data:004054C1 98 02 00 00 dd 298h ; offset "you xim."
.data:004054C5 44 00 00 00 dd 44h ; output()
.data:004054C9 00 00 00 00 dd 0
.data:004054CD 48 00 00 00 dd 48h
.data:004054D1 48 00 00 00 dd 48h
.data:004054D5 FF FF FF FF dd 0FFFFFFFFh ; exit code @ success
本帖最后由 solly 于 2023-6-10 23:25 编辑
整理了一下代码,IDA中F5如下:
/*
 * sub_401057 - main routine of the crackme, shown as Hex-Rays pseudo-code with
 * hand-assigned names.
 *
 * Copies the VM image at src_dword_405200 into a heap buffer and interprets it in a loop.
 * Each pass over the loop handles, in this order:
 *   - an output request (a fetched cell equals 0x114514): print a string and a line break;
 *   - an input request  (a fetched cell equals 0x1919810): read a string, require at least
 *     16 characters, store 16 bytes of it into VM data space;
 *   - the subtract step: a result > 0 moves on to the next instruction, otherwise the dword
 *     at next_ip_v22 selects exit (-1), fall-through (0) or jump (any other value).
 *
 * Returns 0 on every path.
 *
 * NOTE(review): this is decompiler output tidied by hand. Several expressions (the uses of
 * &data_base_v24, the never-assigned v0 / v8) are not meaningful C as written and appear to
 * have lost index arithmetic or register-passed values. Read it as an aid to the listing,
 * not as recompilable source.
 */
int sub_401057()
{
SIZE_T v0; // ecx
int *virtual_machine_buffer_v1; // eax
int v2; // eax
int v3; // eax
int v4; // eax
int v5; // eax
void *v6; // eax
unsigned int v8; //
char *virtual_machine_buffer_v9; //
char v10; //
char *v11; //
int v12; //
int v13; //
int v14; //
int v15; //
int code_index_sub_40187F; //
int index_sub_40187F; //
int index_sub_40187Fa; //
int ValueByAddress_sub_40187F; //
int result_v20; //
void *inputString_v21; //
int next_ip_v22; //
int current_ip_v23; //
char *data_base_v24; //
_DWORD *lpa; //
char *lpBuffer; //
// Initialization
lpa = (_DWORD *)alloc_sub_402588(8u);
*lpa = dword_405530;
// NOTE(review): as pasted, this overwrites the pointer that was just allocated (and that is
// freed a few lines below) - probably a store to a second field lost in transcription;
// confirm against the IDA database.
lpa = dword_405530;
next_ip_v22 = 0;
inputString_v21 = 0;
// NOTE(review): v0 and v8 are never assigned in this listing; presumably both carry the
// size computed by get_length_sub_401010 - confirm.
get_length_sub_401010(&src_dword_405200); // get size
// The allocation result is passed straight to qmemcpy without a NULL check.
virtual_machine_buffer_v1 = (int *)alloc_sub_402588(v0);// v0 = size
qmemcpy(virtual_machine_buffer_v1, &src_dword_405200, v8);// copy the VM data and code into the buffer
virtual_machine_buffer_v9 = (char *)virtual_machine_buffer_v1;
free_sub_402576(lpa);
lpBuffer = virtual_machine_buffer_v9; // kept so the buffer can be freed on exit
data_base_v24 = virtual_machine_buffer_v9 + 8; // VM data base: skips the two header dwords (count, length)
current_ip_v23 = (int)(virtual_machine_buffer_v9 + 96); // entry point: byte offset 96 (0x60) into the image
// Run the virtual machine
while ( 1 )
{
code_index_sub_40187F = getValueByAddress_sub_40187F(current_ip_v23 + 4); // second dword of the current instruction
// NOTE(review): the argument is shown as &data_base_v24; presumably data_base + the index
// fetched above - confirm.
if ( getValueByAddress_sub_40187F((int)&data_base_v24) == 0x114514 )// output request
{
ValueByAddress_sub_40187F = getValueByAddress_sub_40187F(current_ip_v23); // first dword of the current instruction
v10 = int2pointer_sub_4019A3((int)&data_base_v24);// v10 = (char *)data_base_v24
// print the string
WriteConsole_sub_402950(2u, 0, 0, 0, v10);// per the analyst's trace: 1st call prints 'WELCOME TO THIS CRACKME', 2nd prints 'you xim.'
WriteConsole_sub_402950(2u, 0, 0, 0, (char)CrLf_asc_4054E9); // line break
//
if ( getValueByAddress_sub_40187F(current_ip_v23 + 8) )// third dword: non-zero = jump, 0 = next instruction
current_ip_v23 = (int)&data_base_v24; // jump (target shown as &data_base_v24; presumably data_base + target index - confirm)
else
current_ip_v23 += 12; // instructions are 12 bytes long
//
next_ip_v22 = current_ip_v23 + 8; // address of the third dword of the new instruction
}
index_sub_40187F = getValueByAddress_sub_40187F(current_ip_v23 + 4);
if ( getValueByAddress_sub_40187F((int)&data_base_v24) == 0x1919810 ) // input request
{
inputString_v21 = (void *)getch_sub_402A40(1, 0, 0, 0);// read the input string
if ( (int)strlen_sub_402B20(1, inputString_v21) < 16 )// require at least 16 characters
{
break; // too short: leave the loop and exit
}
WriteConsole_sub_402950(2u, 0, 0, 0, (char)CrLf_asc_4054E9);
// Copy the input into VM data space, 4 bytes at a time, 4 times (16 bytes in total).
// Only input offsets 0, 4, 8 and 12 are read here; anything past the first 16 bytes is
// not used by this copy.
v11 = &data_base_v24;// copy pwd
v2 = getValueByAddress_sub_40187F((int)inputString_v21);
Save_Integer_sub_401A1A(v11, v2);
v12 = (int)&data_base_v24;// copy pwd
v3 = getValueByAddress_sub_40187F((int)inputString_v21 + 4);
Save_Integer_sub_401A1A(v12, v3);
v13 = (int)&data_base_v24;// copy pwd
v4 = getValueByAddress_sub_40187F((int)inputString_v21 + 8);
Save_Integer_sub_401A1A(v13, v4);
v14 = (int)&data_base_v24;// copy pwd
v5 = getValueByAddress_sub_40187F((int)inputString_v21 + 12);
Save_Integer_sub_401A1A(v14, v5);
//
current_ip_v23 = (int)(data_base_v24 + 160); // continue at index 0xA0
next_ip_v22 = (int)(data_base_v24 + 168); // third dword of that instruction
}
index_sub_40187Fa = getValueByAddress_sub_40187F(current_ip_v23 + 4); // second operand index
v15 = getValueByAddress_sub_40187F(current_ip_v23); // first operand index
// perform the subtraction
// NOTE(review): subtract_processor_sub_401A2D is not shown; no bounds check on the operand
// indices is visible at this call site - confirm inside the helper.
result_v20 = subtract_processor_sub_401A2D(index_sub_40187Fa, v15, data_base_v24);// execute the subtract instruction
// reset the two constants (dword slots 20 and 21 of the data area, byte offsets 0x50 and 0x54)
Set_Constant_sub_4024DB((_DWORD *)data_base_v24 + 20, 0);
Set_Constant_sub_4024DB((_DWORD *)data_base_v24 + 21, 1);
if ( result_v20 > 0 ) // result > 0: fall through to the next instruction; otherwise the third dword decides
{
current_ip_v23 += 12;
next_ip_v22 = current_ip_v23 + 8;
}
else
{
if ( getValueByAddress_sub_40187F(next_ip_v22) == -1 )// exit marker?
goto exit_label; // third dword == -1 terminates the program
if ( getValueByAddress_sub_40187F(next_ip_v22) )// code = 0-next_code, other-jmp
current_ip_v23 = (int)&data_base_v24; // jump (target shown as &data_base_v24; presumably data_base + target index - confirm)
else
current_ip_v23 += 12;
//
next_ip_v22 = current_ip_v23 + 8;
}
}
// Reached only through the break above (input shorter than 16 characters).
WriteConsole_sub_402950(2u, 0, 0, 0, (char)length_shorter_asc_405504);// report that the input is too short
// Exit path
exit_label:
WriteConsole_sub_402950(2u, 0, 0, 0, (char)aPressEnterToEx);// press enter to exit
v6 = (void *)getch_sub_402A40(1, 0, 0, 0); // pause
if ( v6 )
free_sub_402576(v6);
free_sub_402576(lpBuffer);
if ( inputString_v21 )
free_sub_402576(inputString_v21);
return 0;
}
每条指令为12个字节,由3个 dword 组成,第1,2个是操作数索引,第3个是操作码(0:执行下一条指令;-1:exit;大于0则是jmp,并且其值为目标索引),所有索引都是基于 data_base 的字节偏移量。对减法指令而言,第3个 dword 只在减法结果不大于0时才会被检查;结果大于0时直接顺序执行下一条指令。 楼主能换个网盘吗?夸克下不了啊 下不了,还得输入手机号,还得注册,还得要验证码 在下载这一步就淘汰50%的人了 谢谢分享,学习一下先 备份一下楼主的东西
链接:https://share.weiyun.com/VEP4MgNi 密码:h5r3r6 byh3025 发表于 2023-6-6 12:57
楼主能换个网盘吗?夸克下不了啊
好的👌🏻 yueguang3048 发表于 2023-6-7 10:38
备份一下楼主的东西
链接:https://share.weiyun.com/VEP4MgNi 密码:h5r3r6
对不起>人<,麻烦了,但是一定要试一试这个crack me😂😂 yueguang3048 发表于 2023-6-7 10:38
备份一下楼主的东西
链接:https://share.weiyun.com/VEP4MgNi 密码:h5r3r6
你的文件没有后缀 byh3025 发表于 2023-6-7 11:04
你的文件没有后缀
链接:https://pan.baidu.com/s/1ooagowp8N_DqslaTyOpJeQ
提取码:52PJ
这是百度网盘的,不好意思,但请搞定这个CRACK ME 欧