【吾爱2013CM大赛解答】-- Crack晓晓
本帖最后由 我是用户 于 2013-12-16 19:11 编辑【软件名称】: 【吾爱2013CM大赛解答】-- Crack晓晓
【作者邮箱】: 2714608453@qq.com
【下载地址】: 见论坛
【软件语言】: Borland Delphi 6.0 - 7.0
【使用工具】: OD
【操作平台】: XP SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
1.查壳
丢入PEID,显示为Borland Delphi 6.0 - 7.0。
如图1:
2.分析
丢入DEDE,显示不是Delphi或被加壳了,好吧,那我们就手工来找按钮事件吧。
如图2:
打开程序,如图3:
输入用户名和密码,点击注册,程序无反应。
注册按钮事件代码如下:
很简单,先是获取下用户名和密码,判断是否为空,再判断第一个字符是否为5,如果为5,则触发一个异常,如下代码:
0046811C .3E:0000 add byte ptr , al ;触发异常。
然后依次判断用户名是否为52PoJie,见如下代码:
00468131 .8B45 FC mov eax, dword ptr
00468134 .8078 02 50 cmp byte ptr , 0x50
00468138 .0F85 BA000000 jnz 004681F8
0046813E .33C0 xor eax, eax
00468140 .55 push ebp
00468141 .68 61814600 push 00468161
00468146 .64:FF30 push dword ptr fs:
00468149 .64:8920 mov dword ptr fs:, esp
0046814C .8B45 DC mov eax, dword ptr
0046814F .E8 88FDF9FF call <Sysutils::StrToInt(System::AnsiString)>
00468154 .33C0 xor eax, eax
00468156 .5A pop edx
00468157 .59 pop ecx
00468158 .59 pop ecx
00468159 .64:8910 mov dword ptr fs:, edx
0046815C .E9 97000000 jmp 004681F8
00468161 .^ E9 72B4F9FF jmp <System::__linkproc__ HandleAnyException(void)>
00468166 .8B45 F8 mov eax, dword ptr
00468169 .8078 01 32 cmp byte ptr , 0x32
0046816D .0F85 80000000 jnz 004681F3
00468173 .33C0 xor eax, eax
00468175 .55 push ebp
00468176 .68 93814600 push 00468193
0046817B .64:FF30 push dword ptr fs:
0046817E .64:8920 mov dword ptr fs:, esp
00468181 .8B45 F8 mov eax, dword ptr
00468184 .E8 53FDF9FF call <Sysutils::StrToInt(System::AnsiString)>
00468189 .33C0 xor eax, eax
0046818B .5A pop edx
0046818C .59 pop ecx
0046818D .59 pop ecx
0046818E .64:8910 mov dword ptr fs:, edx
00468191 .EB 60 jmp short 004681F3
00468193 .^ E9 40B4F9FF jmp <System::__linkproc__ HandleAnyException(void)>
00468198 .8B45 F4 mov eax, dword ptr
0046819B .8078 04 4A cmp byte ptr , 0x4A
0046819F .75 4D jnz short 004681EE
004681A1 .33C0 xor eax, eax
004681A3 .55 push ebp
004681A4 .68 C1814600 push 004681C1
004681A9 .64:FF30 push dword ptr fs:
004681AC .64:8920 mov dword ptr fs:, esp
004681AF .8B45 E4 mov eax, dword ptr
004681B2 .E8 25FDF9FF call <Sysutils::StrToInt(System::AnsiString)>
004681B7 .33C0 xor eax, eax
004681B9 .5A pop edx
004681BA .59 pop ecx
004681BB .59 pop ecx
004681BC .64:8910 mov dword ptr fs:, edx
004681BF .EB 2D jmp short 004681EE
004681C1 .^ E9 12B4F9FF jmp <System::__linkproc__ HandleAnyException(void)>
004681C6 .8B45 F0 mov eax, dword ptr
004681C9 .8078 03 6F cmp byte ptr , 0x6F
004681CD .75 1A jnz short 004681E9
004681CF .8B45 EC mov eax, dword ptr
004681D2 .8078 06 65 cmp byte ptr , 0x65
004681D6 .75 11 jnz short 004681E9
004681D8 .8B45 F4 mov eax, dword ptr
004681DB .8078 05 69 cmp byte ptr , 0x69
004681DF .75 08 jnz short 004681E9
004681E1 .8B45 DC mov eax, dword ptr
004681E4 .E8 0BFCFFFF call 00467DF4
这里有一点要注意,要对用户名进行判断时要调用StrtoInt来触发异常,如何你输入的是数字,而且数字的大小范围是在Int的范围之间的,
则异常就不会触发,也就无法进行下一步验证。
对密码的验证在004681E4 .E8 0BFCFFFF call 00467DF4这里。
进入00467DF4,我们发现,又触发了一个异常,如下:
00467DFE .6A 00 push 0x0
00467E00 .49 dec ecx
00467E01 75 52 jnz short 00467E55
00467E03 .53 push ebx
00467E04 .56 push esi
00467E05 .57 push edi
jnz short 00467E55跳转的这个地址其实是错的,他触发一个异常,由于并没有设置顶层异常处理,所以这里的异常会导致验证中止,
也就是说,我们可以推测这个地址是被改写的,OK,我们下写入断点进行查找,找到的代码如下:
00468234 > .53 push ebx ;_TForm1_tmr1Timer
00468235 .56 push esi
00468236 .51 push ecx
00468237 .B8 3C804600 mov eax, <_TForm1_btn1Click>
0046823C .BA 58020000 mov edx, 0x258
00468241 .E8 4AFAFFFF call 00467C90 //检测CC断点
00468246 .48 dec eax
00468247 .75 2D jnz short 00468276
00468249 .E8 9EDCF9FF call <GetCurrentProcess> ; [GetCurrentProcess
0046824E .8BD8 mov ebx, eax
00468250 .54 push esp ; /pOldProtect
00468251 .6A 40 push 0x40 ; |NewProtect =
PAGE_EXECUTE_READWRITE
00468253 .68 E8030000 push 0x3E8 ; |Size = 3E8 (1000.)
00468258 .BE F47D4600 mov esi, 00467DF4 ; |入口地址
0046825D .56 push esi ; |Address => Project1.00467DF4
0046825E .53 push ebx ; |hProcess
0046825F .E8 E8DDF9FF call <VirtualProtectEx> ; \VirtualProtectEx
00468264 .54 push esp ; /pBytesWritten
00468265 .6A 05 push 0x5 ; |BytesToWrite = 0x5
00468267 .68 20A74600 push 0046A720 ; |Buffer = Project1.0046A720
0046826C .83C6 0E add esi, 0xE ; |
0046826F .56 push esi ; |Address => 0x467E02
00468270 .53 push ebx ; |hProcess
00468271 .E8 F6DDF9FF call <WriteProcessMemory> ; \WriteProcessMemory
00468276 >BE F47D4600 mov esi, 00467DF4 ;入口地址
0046827B .8BC6 mov eax, esi
0046827D .BA 64000000 mov edx, 0x64
00468282 .E8 09FAFFFF call 00467C90
00468287 .48 dec eax
00468288 .75 2C jnz short 004682B6
0046828A .E8 5DDCF9FF call <GetCurrentProcess> ; [GetCurrentProcess
0046828F .8BD8 mov ebx, eax
00468291 .54 push esp ; /pOldProtect
00468292 .6A 40 push 0x40 ; |NewProtect =
PAGE_EXECUTE_READWRITE
00468294 .68 E8030000 push 0x3E8 ; |Size = 3E8 (1000.)
00468299 .68 F47D4600 push 00467DF4 ; |Address = Project1.00467DF4
0046829E .53 push ebx ; |hProcess
0046829F .E8 A8DDF9FF call <VirtualProtectEx> ; \VirtualProtectEx
004682A4 .54 push esp ; /pBytesWritten
004682A5 .6A 05 push 0x5 ; |BytesToWrite = 0x5
004682A7 .68 20A74600 push 0046A720 ; |Buffer = Project1.0046A720
004682AC .83C6 0E add esi, 0xE ; |
004682AF .56 push esi ; |Address
004682B0 .53 push ebx ; |hProcess
004682B1 .E8 B6DDF9FF call <WriteProcessMemory> ; \WriteProcessMemory
004682B6 >5A pop edx
004682B7 .5E pop esi
004682B8 .5B pop ebx
004682B9 .C3 retn
看到了没,这里是设置了一个定时器,来检测CC断点,如果发现,则改成跳转偏移,我们retn或者进入00467C90这个CALL里将修改标志位,
这两种方法都行。正确的跳转是
00467DF4 $55 push ebp
00467DF5 .8BEC mov ebp, esp
00467DF7 .B9 09000000 mov ecx, 0x9
00467DFC >6A 00 push 0x0
00467DFE .6A 00 push 0x0
00467E00 .49 dec ecx
00467E01 ^ 75 F9 jnz short 00467DFC
00467E03 .53 push ebx
00467E04 .56 push esi
00467E05 .57 push edi
00467E06 .8945 FC mov dword ptr , eax
00467E09 .8B45 FC mov eax, dword ptr
00467E0C .E8 27C5F9FF call <System::__linkproc__ LStrAddRef(void *)>
00467E11 .33C0 xor eax, eax
00467E13 .55 push ebp
00467E14 .68 2B804600 push 0046802B
00467E19 .64:FF30 push dword ptr fs:
00467E1C .64:8920 mov dword ptr fs:, esp
00467E1F .33C0 xor eax, eax
00467E21 .55 push ebp
00467E22 .68 F97F4600 push 00467FF9
00467E27 .64:FF30 push dword ptr fs:
00467E2A .64:8920 mov dword ptr fs:, esp
00467E2D .8D55 DC lea edx, dword ptr
00467E30 .8B45 FC mov eax, dword ptr
00467E33 .E8 88C7FEFF call <MD5>
00467E38 .8B45 DC mov eax, dword ptr
00467E3B .8D55 E0 lea edx, dword ptr
00467E3E .E8 7DC7FEFF call <MD5>
00467E43 .8B45 E0 mov eax, dword ptr
00467E46 .8D55 F8 lea edx, dword ptr
00467E49 .E8 72C7FEFF call <MD5>
00467E4E .8D45 E8 lea eax, dword ptr
00467E51 .8B55 F8 mov edx, dword ptr
00467E54 .E8 C7C0F9FF call <System::__linkproc__ LStrLAsg(void *,void *)>
00467E59 .8D45 F0 lea eax, dword ptr
00467E5C .8B55 E8 mov edx, dword ptr
00467E5F .E8 BCC0F9FF call <System::__linkproc__ LStrLAsg(void *,void *)>
00467E64 .8D45 EC lea eax, dword ptr
00467E67 .8B55 F8 mov edx, dword ptr
00467E6A .E8 B1C0F9FF call <System::__linkproc__ LStrLAsg(void *,void *)>
00467E6F .8D45 D8 lea eax, dword ptr
00467E72 .8B55 F8 mov edx, dword ptr
00467E75 .8A52 1D mov dl, byte ptr
00467E78 .8850 01 mov byte ptr , dl
00467E7B .C600 01 mov byte ptr , 0x1
00467E7E .8D55 D8 lea edx, dword ptr
00467E81 .8D45 D4 lea eax, dword ptr
00467E84 .E8 AFABF9FF call <System::__linkproc__ PStrCpy(System::SmallString>
00467E89 .8D45 D0 lea eax, dword ptr
00467E8C .8B55 F8 mov edx, dword ptr
00467E8F .8A52 1E mov dl, byte ptr
00467E92 .8850 01 mov byte ptr , dl
00467E95 .C600 01 mov byte ptr , 0x1
00467E98 .8D55 D0 lea edx, dword ptr
00467E9B .8D45 D4 lea eax, dword ptr
00467E9E .B1 02 mov cl, 0x2
00467EA0 .E8 63ABF9FF call <System::__linkproc__ PStrNCat(void)>
00467EA5 .8D55 D4 lea edx, dword ptr
00467EA8 .8D45 CC lea eax, dword ptr
00467EAB .E8 88ABF9FF call <System::__linkproc__ PStrCpy(System::SmallString>
00467EB0 .8D45 D0 lea eax, dword ptr
00467EB3 .8B55 F8 mov edx, dword ptr
00467EB6 .8A52 1F mov dl, byte ptr
00467EB9 .8850 01 mov byte ptr , dl
00467EBC .C600 01 mov byte ptr , 0x1
00467EBF .8D55 D0 lea edx, dword ptr
00467EC2 .8D45 CC lea eax, dword ptr
00467EC5 .B1 03 mov cl, 0x3
00467EC7 .E8 3CABF9FF call <System::__linkproc__ PStrNCat(void)>
00467ECC .8D55 CC lea edx, dword ptr
00467ECF .8D45 E4 lea eax, dword ptr
00467ED2 .E8 15C2F9FF call <unknown_libname_66>
00467ED7 .8B45 E4 mov eax, dword ptr
00467EDA .E8 FDFFF9FF call <Sysutils::StrToInt(System::AnsiString)>
00467EDF .83F8 6E cmp eax, 0x6E
00467EE2 .0F85 07010000 jnz 00467FEF
00467EE8 .8D45 F4 lea eax, dword ptr
00467EEB .8B55 EC mov edx, dword ptr
00467EEE .E8 2DC0F9FF call <System::__linkproc__ LStrLAsg(void *,void *)>
00467EF3 .8D45 C8 lea eax, dword ptr
00467EF6 .8B55 F4 mov edx, dword ptr
00467EF9 .8A52 02 mov dl, byte ptr
00467EFC .E8 6FC1F9FF call <unknown_libname_63>
00467F01 .8B45 C8 mov eax, dword ptr
00467F04 .E8 D3FFF9FF call <Sysutils::StrToInt(System::AnsiString)>
00467F09 .83F8 04 cmp eax, 0x4
00467F0C .7E 15 jle short 00467F23
00467F0E .8B45 F8 mov eax, dword ptr
00467F11 .E8 72FEFFFF call 00467D88
00467F16 .33C0 xor eax, eax
00467F18 .5A pop edx
00467F19 .59 pop ecx
00467F1A .59 pop ecx
00467F1B .64:8910 mov dword ptr fs:, edx
00467F1E .E9 E0000000 jmp 00468003
00467F23 >8D45 C4 lea eax, dword ptr
00467F26 .8B55 EC mov edx, dword ptr
00467F29 .8A52 05 mov dl, byte ptr
00467F2C .E8 3FC1F9FF call <unknown_libname_63>
00467F31 .8B45 C4 mov eax, dword ptr
00467F34 .E8 A3FFF9FF call <Sysutils::StrToInt(System::AnsiString)>
00467F39 .83F8 05 cmp eax, 0x5
00467F3C .7D 15 jge short 00467F53
00467F3E .8B45 F0 mov eax, dword ptr
00467F41 .E8 42FEFFFF call 00467D88
00467F46 .33C0 xor eax, eax
00467F48 .5A pop edx
00467F49 .59 pop ecx
00467F4A .59 pop ecx
00467F4B .64:8910 mov dword ptr fs:, edx
00467F4E .E9 B0000000 jmp 00468003
00467F53 >8D45 D8 lea eax, dword ptr
00467F56 .8B55 EC mov edx, dword ptr
00467F59 .8A52 04 mov dl, byte ptr
00467F5C .8850 01 mov byte ptr , dl
00467F5F .C600 01 mov byte ptr , 0x1
00467F62 .8D55 D8 lea edx, dword ptr
00467F65 .8D45 D4 lea eax, dword ptr
00467F68 .E8 CBAAF9FF call <System::__linkproc__ PStrCpy(System::SmallString>
00467F6D .8D45 D0 lea eax, dword ptr
00467F70 .8B55 EC mov edx, dword ptr
00467F73 .8A52 05 mov dl, byte ptr
00467F76 .8850 01 mov byte ptr , dl
00467F79 .C600 01 mov byte ptr , 0x1
00467F7C .8D55 D0 lea edx, dword ptr
00467F7F .8D45 D4 lea eax, dword ptr
00467F82 .B1 02 mov cl, 0x2
00467F84 .E8 7FAAF9FF call <System::__linkproc__ PStrNCat(void)>
00467F89 .8D55 D4 lea edx, dword ptr
00467F8C .8D45 CC lea eax, dword ptr
00467F8F .E8 A4AAF9FF call <System::__linkproc__ PStrCpy(System::SmallString>
00467F94 .8D45 D0 lea eax, dword ptr
00467F97 .8B55 EC mov edx, dword ptr
00467F9A .8A52 06 mov dl, byte ptr
00467F9D .8850 01 mov byte ptr , dl
00467FA0 .C600 01 mov byte ptr , 0x1
00467FA3 .8D55 D0 lea edx, dword ptr
00467FA6 .8D45 CC lea eax, dword ptr
00467FA9 .B1 03 mov cl, 0x3
00467FAB .E8 58AAF9FF call <System::__linkproc__ PStrNCat(void)>
00467FB0 .8D55 CC lea edx, dword ptr
00467FB3 .8D45 C0 lea eax, dword ptr
00467FB6 .E8 31C1F9FF call <unknown_libname_66>
00467FBB .8B45 C0 mov eax, dword ptr
00467FBE .E8 19FFF9FF call <Sysutils::StrToInt(System::AnsiString)>
00467FC3 .3D C6030000 cmp eax, 0x3C6
00467FC8 .75 25 jnz short 00467FEF
00467FCA .8D4D B8 lea ecx, dword ptr
00467FCD .BA 04000000 mov edx, 0x4
00467FD2 .B8 6B4F0000 mov eax, 0x4F6B
00467FD7 .E8 D8FEF9FF call <Sysutils::IntToHex(int,int)>
00467FDC .8B45 B8 mov eax, dword ptr
00467FDF .8D55 BC lea edx, dword ptr
00467FE2 .E8 D9FCFFFF call 00467CC0
00467FE7 .8B45 BC mov eax, dword ptr
00467FEA .E8 89F7FBFF call <Dialogs::ShowMessage(System::AnsiString)>
00467FEF >33C0 xor eax, eax
00467FF1 .5A pop edx
00467FF2 .59 pop ecx
00467FF3 .59 pop ecx
00467FF4 .64:8910 mov dword ptr fs:, edx
00467FF7 .EB 0A jmp short 00468003
00467FF9 .^ E9 DAB5F9FF jmp <System::__linkproc__ HandleAnyException(void)>
00467FFE .E8 3DB9F9FF call <System::__linkproc__ DoneExcept(void)>
00468003 >33C0 xor eax, eax
00468005 .5A pop edx
00468006 .59 pop ecx
00468007 .59 pop ecx
00468008 .64:8910 mov dword ptr fs:, edx
0046800B .68 32804600 push 00468032
00468010 >8D45 B8 lea eax, dword ptr
00468013 .BA 05000000 mov edx, 0x5
00468018 .E8 8FBEF9FF call <System::__linkproc__ LStrArrayClr(void *,int)>
0046801D .8D45 DC lea eax, dword ptr
00468020 .BA 09000000 mov edx, 0x9
00468025 .E8 82BEF9FF call <System::__linkproc__ LStrArrayClr(void *,int)>
0046802A .C3 retn
0046802B .^ E9 5CB8F9FF jmp <unknown_libname_53>
其实一眼就能看出来,密码的验证是对输入的密码进行三重MD5加密,然后在分别取值相加与设定值判断,只能通过暴力猜解了。
如下:
md5 + md5 + md5 == 110
md5 + md5 + md5 = 966
md5 < 4
md5 > 5
3.暴力解密码。
程序用C#写的,代码太乱,勿喷
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Security.Cryptography;
namespace ConsoleApplication1
{
class Program
{
public static string Encrypt(string strPwd)
{
MD5 md5 = new MD5CryptoServiceProvider();
byte[] data = Encoding.Default.GetBytes(strPwd);
byte[] md5data = md5.ComputeHash(data);
md5.Clear();
string str = "";
for (int i = 0; i < 16; i++)
{
str += md5data.ToString("x").PadLeft(2, '0');
}
return str;
}
static void Main(string[] args)
{
string strKey = "a", str1,str2 ;
for (int i = 0; i < 10000000;i++ )
{
strKey = "a" + i.ToString();
String str = Encrypt(Encrypt(Encrypt(strKey)));
str1 = str.ToString() + str.ToString() + str.ToString();
str2 = str.ToString() + str.ToString() + str.ToString();
if (str1 == "110" && str2=="966")
{
Console.WriteLine("true Key is {0}",strKey);
Console.ReadKey();
}
//strKey = strKey+1;
}
Console.WriteLine("未找到");
Console.ReadKey();
}
}
}
成功如下图:
所以正确的一组Key是
用户名:52PoJie
密码:
成功如下图
{:301_1008:}MD5j加密解个毛线, - - brack 发表于 2013-12-15 16:11 static/image/common/back.gif
MD5j加密解个毛线, - -
密码经MD5三重加密,然后再比较
我是用户 发表于 2013-12-15 16:17 static/image/common/back.gif
密码经MD5三重加密,然后再比较
{:301_1001:}谁会逆MD5就牛逼了.
a563975491 发表于 2013-12-15 16:24 static/image/common/back.gif
MD5貌似有网站可以解把!不过是不是同一种MD5我就不知道l !
那种是收集大量的MD5,然后匹配网站数据库相同的MD5,如果数据库有,就提示解密了.
我要像大神一样学习
页:
[1]