CrackMe analysis record
This post was last edited by Liquor on 2013-8-20 23:51
【Title】: CrackMe cracking record
【Author】: Crack_Qs
【Author's e-mail】: qs#ff0000.cc (replace # with @)
【Software】: CrackMe1.2
【Download】: http://www.unpack.cn/thread-92953-1-1.html
【Written in】: assembly
【Tools used】: ollydbg
【Platform】: Win Xp Sp3
【Author's note】: Purely out of interest, nothing else. If I have slipped up anywhere, I welcome your corrections!
--------------------------------------------------------------------------------
【Detailed process】
When the program runs it drops a dll, so the dll is the place to start.
The string references hold an obviously useful lead, "\unpack.ini", so start from there.
00A71075  $  55              push ebp
00A71076  .  8BEC            mov ebp,esp
00A71078  .  83C4 FC         add esp,-0x4
00A7107B  .  53              push ebx
00A7107C  .  56              push esi
00A7107D  .  57              push edi
00A7107E  .  6A 20           push 0x20                                 ; /Length = 20 (32.)
00A71080  .  68 4930A700     push dll.00A73049                         ; |1111
00A71085  .  E8 04030000     call <jmp.&kernel32.RtlZeroMemory>        ; \RtlZeroMemory
00A7108A  .  6A 20           push 0x20                                 ; /Count = 20 (32.)
00A7108C  .  68 4930A700     push dll.00A73049                         ; |1111
00A71091  .  FF75 0C         push dword ptr ss:[ebp+0xC]               ; |ControlID
00A71094  .  FF75 08         push dword ptr ss:[ebp+0x8]               ; |hWnd
00A71097  .  E8 C2020000     call <jmp.&user32.GetDlgItemTextA>        ; \GetDlgItemTextA; reads the username from the dialog into the buffer, lstrlenA below gets its length
00A7109C  .  68 4930A700     push dll.00A73049                         ; /1111
00A710A1  .  E8 FA020000     call <jmp.&kernel32.lstrlenA>             ; \lstrlenA
00A710A6  .  8945 FC         mov dword ptr ss:[ebp-0x4],eax            ; username length stored at ebp-0x4
00A710A9  .  837D FC 06      cmp dword ptr ss:[ebp-0x4],0x6            ; compare the length with 0x6
00A710AD  .  73 0E           jnb Xdll.00A710BD                         ; jnb: taken when the length is at least 6; a shorter name falls through and returns 0
00A710AF  .  B8 00000000     mov eax,0x0
00A710B4  .  5F              pop edi
00A710B5  .  5E              pop esi
00A710B6  .  5B              pop ebx
00A710B7  .  C9              leave
00A710B8  .  C2 0800         retn 0x8
00A710BB  .  EB 07           jmp Xdll.00A710C4
00A710BD  >  5F              pop edi
00A710BE  .  5E              pop esi
00A710BF  .  5B              pop ebx
00A710C0  .  C9              leave
00A710C1  .  C2 0800         retn 0x8                                  ; returns to 00A71320
00A71320  .  0BC0            or eax,eax                                ; the return lands here; or eax,eax tests the result
00A71322  .  75 09           jnz Xdll.00A7132D
00A71324  .  5F              pop edi
00A71325  .  5E              pop esi
00A71326  .  5B              pop ebx
00A71327  .  C9              leave
00A71328  .  C2 1000         retn 0x10
00A7132B  .  EB 0B           jmp Xdll.00A71338
00A7132D  >  FF75 14         push dword ptr ss:[ebp+0x14]
00A71330  .  FF75 08         push dword ptr ss:[ebp+0x8]
00A71333  .  E8 22FEFFFF     call dll.00A7115A                         ; the call that shows the MessageBox "Registration info saved, restart the software to verify"
00A71338  >  5F              pop edi
00A71339  .  5E              pop esi
00A7133A  .  5B              pop ebx
00A7133B  .  C9              leave
00A7133C  .  C2 1000         retn 0x10
00A7115A  $  55              push ebp                                  ; second visit here
00A7115B  .  8BEC            mov ebp,esp
00A7115D  .  83C4 F8         add esp,-0x8
00A71160  .  53              push ebx
00A71161  .  56              push esi
00A71162  .  57              push edi
00A71163  .  FF75 0C         push dword ptr ss:[ebp+0xC]
00A71166  .  FF75 08         push dword ptr ss:[ebp+0x8]
00A71169  .  E8 56FFFFFF     call dll.00A710C4                         ; step into this one
00A7116E  .  0BC0            or eax,eax
00A71170  .  75 09           jnz Xdll.00A7117B
00A71172  .  5F              pop edi
00A71173  .  5E              pop esi
00A71174  .  5B              pop ebx
00A71175  .  C9              leave
00A71176  .  C2 0800         retn 0x8
00A710C4  $  55              push ebp                                  ; second time
00A710C5  .  8BEC            mov ebp,esp
00A710C7  .  83C4 FC         add esp,-0x4
00A710CA  .  53              push ebx
00A710CB  .  56              push esi
00A710CC  .  57              push edi
00A710CD  .  6A 20           push 0x20                                 ; /Length = 20 (32.)
00A710CF  .  68 6930A700     push dll.00A73069                         ; |Destination = dll.00A73069
00A710D4  .  E8 B5020000     call <jmp.&kernel32.RtlZeroMemory>        ; \RtlZeroMemory
00A710D9  .  6A 20           push 0x20                                 ; /Count = 20 (32.)
00A710DB  .  68 6930A700     push dll.00A73069                         ; |Buffer = dll.00A73069
00A710E0  .  FF75 0C         push dword ptr ss:[ebp+0xC]               ; |ControlID
00A710E3  .  FF75 08         push dword ptr ss:[ebp+0x8]               ; |hWnd
00A710E6  .  E8 73020000     call <jmp.&user32.GetDlgItemTextA>        ; \GetDlgItemTextA; reads the serial from the dialog into the buffer, lstrlenA below gets its length
00A710EB  .  68 6930A700     push dll.00A73069                         ; /String = "1234567890"
00A710F0  .  E8 AB020000     call <jmp.&kernel32.lstrlenA>             ; \lstrlenA
00A710F5  .  8945 FC         mov dword ptr ss:[ebp-0x4],eax            ; serial length stored at ebp-0x4
00A710F8  .  837D FC 06      cmp dword ptr ss:[ebp-0x4],0x6            ; compare the length with 0x6
00A710FC  .  73 0E           jnb Xdll.00A7110C                         ; jnb: taken when the length is at least 6; a shorter serial falls through and returns 0
00A710FE  .  B8 00000000     mov eax,0x0
00A71103  .  5F              pop edi
00A71104  .  5E              pop esi
00A71105  .  5B              pop ebx
00A71106  .  C9              leave
00A71107  .  C2 0800         retn 0x8
CK already noted in the post that validation happens on restart. Now that the ini has been written, restart the program and carry on.
bp GetPrivateProfileStringA
0012FC34   7C8337BF  /CALL 到 GetPrivateProfileStringA 来自 kernel32.7C8337BA
0012FC38   00000000  |Section = NULL
0012FC3C   00000000  |Key = NULL
0012FC40   00000000  |Default = NULL
0012FC44   00A73199  |ReturnBuffer = dll.00A73199
0012FC48   00000020  |BufSize = 20 (32.)
0012FC4C   00A73089  \IniFileName = "C:\Documents and Settings\Administrator\桌面\unpack.ini"
00A711DE  .  0BC0            or eax,eax                                ; the return from the breakpoint lands here
00A711E0  .  75 0C           jnz Xdll.00A711EE
00A711E2  .  5F              pop edi
00A711E3  .  5E              pop esi
00A711E4  .  5B              pop ebx
00A711E5  .  C9              leave
00A711E6  .  C2 1000         retn 0x10
00A711E9  .  E9 09010000     jmp dll.00A712F7
00A711EE  >  68 8930A700     push dll.00A73089                         ; /C:\Documents and Settings\Administrator\桌面\unpack.ini
00A711F3  .  6A 20           push 0x20                                 ; |BufSize = 20 (32.)
00A711F5  .  68 B931A700     push dll.00A731B9                         ; |ReturnBuffer = dll.00A731B9
00A711FA  .  68 9931A700     push dll.00A73199                         ; |Section = "1250962585096peace"
00A711FF  .  E8 78010000     call <jmp.&kernel32.GetPrivateProfileSec> ; \GetPrivateProfileSectionA
00A71204  .  BE B931A700     mov esi,dll.00A731B9                      ; ASCII "crack0=1234567890"
00A71209  .  BF 4930A700     mov edi,dll.00A73049                      ; 1111
00A7120E  .  EB 07           jmp Xdll.00A71217
00A71210  >  B9 01000000     mov ecx,0x1                               ; copies the registered name, one byte per pass
00A71215  .  F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[esi]
00A71217  >  803E 3D         cmp byte ptr ds:[esi],0x3D                ; stop at '='
00A7121A  .^ 75 F4           jnz Xdll.00A71210                         ; loops 6 times
00A7121C  .  46              inc esi                                   ; skip the '='; esi now points at the serial after it
00A7121D  .  8975 FC         mov dword ptr ss:[ebp-0x4],esi
00A71220  .  56              push esi                                  ; /Text
00A71221  .  FF75 10         push dword ptr ss:[ebp+0x10]              ; |ControlID
00A71224  .  FF75 08         push dword ptr ss:[ebp+0x8]               ; |hWnd
00A71227  .  E8 3E010000     call <jmp.&user32.SetDlgItemTextA>        ; \SetDlgItemTextA
00A7122C  .  68 4930A700     push dll.00A73049                         ; /1111
00A71231  .  FF75 0C         push dword ptr ss:[ebp+0xC]               ; |ControlID
00A71234  .  FF75 08         push dword ptr ss:[ebp+0x8]               ; |hWnd
00A71237  .  E8 2E010000     call <jmp.&user32.SetDlgItemTextA>        ; \SetDlgItemTextA
00A7123C  .  68 2430A700     push dll.00A73024                         ; /1250962585096peace
00A71241  .  E8 5A010000     call <jmp.&kernel32.lstrlenA>             ; \lstrlenA
00A71246  .  8945 F8         mov dword ptr ss:[ebp-0x8],eax
00A71249  .  33D2            xor edx,edx
00A7124B  .  33C9            xor ecx,ecx
00A7124D  .  EB 0D           jmp Xdll.00A7125C
00A7124F  >  BE 2430A700     mov esi,dll.00A73024                      ; walks "1250962585096peace" taking every other character
00A71254  .  8A0431          mov al,byte ptr ds:[ecx+esi]              ; "1" "5" "9" "2" "8" "0" "6" "e" "c"
00A71257  .  03D0            add edx,eax
00A71259  .  83C1 02         add ecx,0x2
00A7125C  >  3B4D F8         cmp ecx,dword ptr ss:[ebp-0x8]
00A7125F  .^ 72 EE           jb Xdll.00A7124F
00A71261  .  3155 F8         xor dword ptr ss:[ebp-0x8],edx
00A71264  .  68 4930A700     push dll.00A73049                         ; /1111
00A71269  .  E8 32010000     call <jmp.&kernel32.lstrlenA>             ; \lstrlenA
00A7126E  .  8945 F4         mov dword ptr ss:[ebp-0xC],eax
00A71271  .  33C9            xor ecx,ecx
00A71273  .  33D2            xor edx,edx
00A71275  .  EB 0B           jmp Xdll.00A71282
00A71277  >  BE 4930A700     mov esi,dll.00A73049                      ; 1111; loop over the username
00A7127C  .  8B1431          mov edx,dword ptr ds:[ecx+esi]
00A7127F  .  03D2            add edx,edx
00A71281  .  41              inc ecx
00A71282  >  3B4D F4         cmp ecx,dword ptr ss:[ebp-0xC]
00A71285  .^ 72 F0           jb Xdll.00A71277
00A71287  .  3155 F8         xor dword ptr ss:[ebp-0x8],edx            ; edx = 0x60 here
00A7128A  .  8B45 FC         mov eax,dword ptr ss:[ebp-0x4]            ; pointer to the entered serial goes into eax
00A7128D  .  8B00            mov eax,dword ptr ds:[eax]                ; eax into eax? Newbie here, I could not make sense of this one from watching the registers change
00A7128F  .  3945 F8         cmp dword ptr ss:[ebp-0x8],eax            ; the entered serial value against the computed true value, i.e. eax against ebp-0x8
00A71292  .  75 63           jnz Xdll.00A712F7                         ; patching this jump is enough to crack it
00A71294  .  FF75 10         push dword ptr ss:[ebp+0x10]              ; /ControlID
00A71297  .  FF75 08         push dword ptr ss:[ebp+0x8]               ; |hWnd
00A7129A  .  E8 B9000000     call <jmp.&user32.GetDlgItem>             ; \GetDlgItem
00A7129F  .  6A 00           push 0x0                                  ; /Enable = FALSE
00A712A1  .  50              push eax                                  ; |hWnd
00A712A2  .  E8 AB000000     call <jmp.&user32.EnableWindow>           ; \EnableWindow
00A712A7  .  BE D931A700     mov esi,dll.00A731D9                      ; spank me, I'm being naughty: decoding starts here, two instructions decode one character
00A712AC  .  8006 05         add byte ptr ds:[esi],0x5
00A712AF  .  C646 01 A7      mov byte ptr ds:[esi+0x1],0xA7            ; "恭" appears once decoded
00A712B3  .  C646 02 CF      mov byte ptr ds:[esi+0x2],0xCF
00A712B7  .  C646 03 B2      mov byte ptr ds:[esi+0x3],0xB2            ; "喜" appears once decoded
00A712BB  .  8046 04 76      add byte ptr ds:[esi+0x4],0x76
00A712BF  .  C646 05 C6      mov byte ptr ds:[esi+0x5],0xC6            ; "破" appears once decoded
00A712C3  .  C646 06 BD      mov byte ptr ds:[esi+0x6],0xBD
00A712C7  .  C646 07 E2      mov byte ptr ds:[esi+0x7],0xE2            ; "解" appears once decoded
00A712CB  .  C646 08 B3      mov byte ptr ds:[esi+0x8],0xB3
00A712CF  .  C646 09 C9      mov byte ptr ds:[esi+0x9],0xC9            ; "成" appears once decoded
00A712D3  .  C646 0A B9      mov byte ptr ds:[esi+0xA],0xB9
00A712D7  .  C646 0B A6      mov byte ptr ds:[esi+0xB],0xA6            ; "功" appears once decoded
00A712DB  .  56              push esi                                  ; /the decoded string "恭喜破解成功" (congratulations, cracked successfully)
00A712DC  .  FF75 08         push dword ptr ss:[ebp+0x8]               ; |hWnd
00A712DF  .  E8 8C000000     call <jmp.&user32.SetWindowTextA>         ; \written into the window title
00A712E4  .  FF75 14         push dword ptr ss:[ebp+0x14]              ; /ControlID
00A712E7  .  FF75 08         push dword ptr ss:[ebp+0x8]               ; |hWnd
00A712EA  .  E8 69000000     call <jmp.&user32.GetDlgItem>             ; \GetDlgItem
00A712EF  .  6A 00           push 0x0                                  ; /Enable = FALSE
00A712F1  .  50              push eax                                  ; |hWnd
00A712F2  .  E8 5B000000     call <jmp.&user32.EnableWindow>           ; \EnableWindow, disables the register button
00A712F7  >  5F              pop edi
00A712F8  .  5E              pop esi                                   ; CrackMe1.0040103F
00A712F9  .  5B              pop ebx
00A712FA  .  C9              leave
00A712FB  .  C2 1000         retn 0x10
With that, the analysis is complete.
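As an added example (not code from the CrackMe or from Crack_Qs), here is a Python model of the checks read off the listing above, written so the reading can be confirmed by running it. The puzzling `mov eax,[eax]` at 00A7128D simply loads the first four bytes of the serial text (whose pointer sits in [ebp-0x4]) as one little-endian dword, and that dword is what gets compared against [ebp-0x8]. The model assumes the 0x20-byte name buffer at dll.00A73049 is zero past the string, as RtlZeroMemory left it (the author's observed edx = 0x60 with the name crack0 agrees with that); the two pre-decode bytes 0xB4 and 0x50 in decode_banner are constructed values chosen so the listing's two add instructions yield the GBK lead bytes of 恭 and 破.

```python
# Added example, not the CrackMe's own code: a Python model of the validation
# routine read from the OllyDbg listing, so the reading can be checked by running it.
import struct

SECTION = b"1250962585096peace"   # section name taken from the listing (dll.00A73024)


def length_ok(field: bytes) -> bool:
    """Registration-time check at 00A710A9 and 00A710F8: the lstrlenA result is
    compared with 6; jnb is taken for a length of at least 6, shorter input
    returns 0."""
    return len(field) >= 6


def section_hash(section: bytes) -> int:
    """Loop at 00A7124F..00A7125F: al takes the byte at every even offset
    (ecx += 2) and is added into edx; 00A71261 then xors the sum into the
    saved string length held in [ebp-0x8]."""
    total = sum(section[i] for i in range(0, len(section), 2))
    return len(section) ^ total


def name_term(name: bytes, buf_size: int = 0x20) -> int:
    """Loop at 00A71277..00A71285: each pass *overwrites* edx with the dword at
    name[ecx] and doubles it, so only the last pass (ecx = len-1) survives.
    Assumption: the name buffer is zero-filled past the string."""
    buf = name.ljust(buf_size, b"\x00")
    edx = 0
    for ecx in range(len(name)):
        edx = struct.unpack_from("<I", buf, ecx)[0]
        edx = (edx + edx) & 0xFFFFFFFF
    return edx


def expected_serial_dword(section: bytes, name: bytes) -> int:
    """Contents of [ebp-0x8] just before the cmp at 00A7128F."""
    return section_hash(section) ^ name_term(name)


def serial_dword(serial: bytes) -> int:
    """mov eax,[ebp-0x4] / mov eax,[eax] at 00A7128A..00A7128D: [ebp-0x4] holds
    the pointer to the serial text, so eax ends up holding its first four
    bytes as a little-endian dword."""
    return struct.unpack("<I", serial[:4].ljust(4, b"\x00"))[0]


def check(section: bytes, name: bytes, serial: bytes) -> bool:
    """The comparison whose jnz at 00A71292 decides success."""
    return expected_serial_dword(section, name) == serial_dword(serial)


def text_serial_can_match(section: bytes) -> bool:
    """Could any serial typed as printable ASCII (every byte >= 0x20) satisfy
    the check for some last byte of the name? Under the zero-padding
    assumption only the name's last byte reaches the hash, so all 256 values
    are tried."""
    for last in range(256):
        value = section_hash(section) ^ (2 * last)
        if all(((value >> shift) & 0xFF) >= 0x20 for shift in (0, 8, 16, 24)):
            return True
    return False


def decode_banner() -> str:
    """The byte writes at 00A712A7..00A712D7 over the 12-byte buffer at
    dll.00A731D9. Bytes written with mov come from the listing; the two that
    are only add-ed (offsets 0 and 4) start from the constructed values 0xB4
    and 0x50, which the adds turn into the GBK lead bytes of 恭 and 破."""
    buf = bytearray(b"\xB4\x00\x00\x00\x50\x00\x00\x00\x00\x00\x00\x00")
    buf[0] = (buf[0] + 0x05) & 0xFF          # add byte ptr [esi],0x5
    buf[1], buf[2], buf[3] = 0xA7, 0xCF, 0xB2
    buf[4] = (buf[4] + 0x76) & 0xFF          # add byte ptr [esi+0x4],0x76
    buf[5], buf[6], buf[7] = 0xC6, 0xBD, 0xE2
    buf[8], buf[9], buf[10], buf[11] = 0xB3, 0xC9, 0xB9, 0xA6
    return bytes(buf).decode("gbk")


if __name__ == "__main__":
    name, serial = b"crack0", b"1234567890"   # the unpack.ini entry crack0=1234567890
    print(hex(section_hash(SECTION)))          # 0x225
    print(hex(name_term(name)))                # 0x60, the author's "edx = 0x60"
    print(hex(expected_serial_dword(SECTION, name)), hex(serial_dword(serial)))
    print(check(SECTION, name, serial))        # False: the jnz at 00A71292 is taken
    print(text_serial_can_match(SECTION))      # False
    print(decode_banner())                     # 恭喜破解成功
```

Running it with the ini entry from the listing gives [ebp-0x8] = 0x245 against a serial dword of 0x34333231 ("1234"), so the jnz is taken, exactly as observed. The model also explains why the author ends up patching that jump: with this section string the value in [ebp-0x8] is at most 0x3FF whatever the name, so its upper bytes are always zero, and no serial made of printable characters from the dialog can ever equal it.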
--------------------------------------------------------------------------------
【Copyright notice】: This article is original work by Crack_Qs; when reposting, please credit the author and keep the article intact. Thanks!
2013-05-01 12:10:47
吾爱扣扣 posted on 2013-8-20 16:32:
I'm getting suspicious! This isn't QS himself, look at the ending.

Liquor posted on 2013-8-20 16:46 (replying to the above):
It really is me; you can reach me by e-mail at qs#ff0000.cc

RE: CrackMe cracking record
(quoting Liquor, 2013-8-20 16:46: It really is me; you can reach me by e-mail at qs#ff0000.cc)
My mistake, sorry about that...

Newbie here, all I can do for now is flip a je or something...

Bowing to the master.

Bowing to the master, an algorithm god.

1354669803 posted on 2013-8-21 20:53:
Isn't Master Qs at 红客?

I was never at 红客; that was 红黑.

(quoting 吾爱扣扣, 2013-8-20 16:32: I'm getting suspicious! This isn't QS himself, look at the ending.)
Reposted from unpack.
It was posted on May 1.