【吾爱2013CM大赛解答】-- 2013CM -TempCrackme2013 -- Rookietp
本帖最后由 我是用户 于 2013-12-16 20:22 编辑【软件名称】: 【吾爱2013CM大赛解答】-- TempCrackme2013 -- Rookietp
【作者邮箱】: 2714608453@qq.com
【下载地址】: 见论坛
【软件语言】: VC8
【使用工具】: OD
【操作平台】: XP SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
嗯嗯嗯.....
1.查壳
显示是VC8的.
2.分析
程序是双线程+初始化时验证CRC32码。
代码如下:
初始化:
; ---------------------------------------------------------------------------
; 00401190 - start-up integrity check (analyst notes added to the OllyDbg dump)
; Resolves RtlComputeCrc32 from ntdll at run time (not via the import table),
; hashes two fixed 0x127-byte ranges of .text and calls
; TerminateProcess(GetCurrentProcess(), -1) on the first mismatch. It then
; calls 00401050 twice (this EXE's base, then kernel32's base) to start the
; runtime CRC watcher threads shown further down.
; Stack args are pushed right-to-left: RtlComputeCrc32(InitialCrc, Buffer, Length).
; ---------------------------------------------------------------------------
00401190/$53 push ebx
00401191|.56 push esi
00401192|.57 push edi
00401193|.68 4CF45400 push offset <aNtdll_dll> ; /ntdll.dll
00401198|.FF15 FC535200 call dword ptr [<&KERNEL32.LoadLibrar>; \LoadLibraryW ; eax = HMODULE of ntdll
0040119E|.68 7CF45400 push offset <aRtlcomputecrc3> ; /RtlComputeCrc32
004011A3|.50 push eax ; |hModule
004011A4|.FF15 28545200 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress ; eax = &RtlComputeCrc32
004011AA|.68 27010000 push 0x127 ; Length = 0x127 bytes
004011AF|.68 00104000 push 00401000 ; Buffer = 00401000 (thread code and the start of 00401050)
004011B4|.8BF0 mov esi, eax ; esi = RtlComputeCrc32, reused for the second check
004011B6|.6A 00 push 0x0 ; InitialCrc = 0
004011B8|.FFD6 call esi ; eax = CRC32 of 00401000..00401126
004011BA|.8B3D 3C525200 mov edi, dword ptr [<&KERNEL32.Termi>;kernel32.TerminateProcess
004011C0|.8B1D 30545200 mov ebx, dword ptr [<&KERNEL32.GetCu>;kernel32.GetCurrentProcess
004011C6|.3D 71196895 cmp eax, 0x95681971 ; expected CRC of range 1, baked into the binary
004011CB 74 07 je short 004011D4 ; match -> range 2; otherwise fall through into TerminateProcess
004011CD|.6A FF push -0x1 ; /ExitCode = FFFFFFFF (-1.)
004011CF|.FFD3 call ebx ; |[GetCurrentProcess
004011D1|.50 push eax ; |hProcess
004011D2|.FFD7 call edi ; \TerminateProcess ; does not return on success
004011D4|>68 27010000 push 0x127 ; range 2: same length
004011D9|.68 40104000 push 00401040 ; Buffer = 00401040 (overlaps range 1 from 00401040 on)
004011DE|.6A 00 push 0x0 ; InitialCrc = 0
004011E0 >|.FFD6 call esi ;aTinterfacedobj ; (stray OllyDbg label) eax = CRC32 of 00401040..00401166
004011E2|.3D 84DC625E cmp eax, 0x5E62DC84 ; expected CRC of range 2
004011E7 74 07 je short 004011F0 ; match -> continue; otherwise terminate as above
004011E9|.6A FF push -0x1
004011EB|.FFD3 call ebx
004011ED|.50 push eax
004011EE|.FFD7 call edi ; TerminateProcess(GetCurrentProcess(), -1)
004011F0|>8B35 2C545200 mov esi, dword ptr [<&KERNEL32.GetMo>;kernel32.GetModuleHandleW
004011F6|.6A 00 push 0x0 ; /pModule = NULL
004011F8|.FFD6 call esi ; \GetModuleHandleW ; eax = image base of this EXE
004011FA|.50 push eax ; arg 1: module base
004011FB|.E8 50FEFFFF call 00401050 ; start a CRC watcher thread per code section of this EXE
00401200|.83C4 04 add esp, 0x4 ; cdecl: caller removes the single argument
00401203|.68 60F45400 push offset <aKernel32_dll_0> ;kernel32.dll
00401208|.FFD6 call esi ; eax = GetModuleHandleW(L"kernel32.dll")
0040120A|.50 push eax
0040120B|.E8 40FEFFFF call 00401050 ; same watcher, now over kernel32's code section(s)
00401210|.83C4 04 add esp, 0x4
00401213|.5F pop edi
00401214 >|.5E pop esi ;
00401215|.5B pop ebx
00401216\.C3 retn
使用RtlComputeCrc32对程序进行两处CRC32校验,不等就GAME OVER,JMP跳过即可。call 00401050这个CALL里,使用VirtualAlloc申请虚拟空间(这样在不同的电脑上,地址就可能是不同的),然后用memcpy复制00401000处的代码到申请的空间,并在此空间上新建线程,代码如下:
; ---------------------------------------------------------------------------
; 00401050 - install a runtime CRC watcher for every code section of a module
; C-ish: void __cdecl install_watchers(HMODULE base)   ; [ebp+8] = base
; Walks the PE section table; for each section that is executable, readable,
; CNT_CODE and not discardable it:
;   1. allocates a 0x14-byte parameter block (RWX),
;   2. fills it: [0]=RtlComputeCrc32 [4]=Sleep [8]=00401040 [C]=section VA [10]=section VirtualSize,
;   3. measures the thread code at 00401000 up to an 0xAAAAAAAA sentinel,
;   4. copies it into a fresh RWX allocation and runs it via CreateThread.
; Locals: [ebp-4] = &current section.Characteristics, [ebp-8] = sections left,
;         [ebp-C] = ntdll HMODULE.
; Memory operands were lost in the paste; bracketed forms in the comments are
; decoded from the opcode bytes shown on each line.
; Note for defenders: private RWX allocation + memcpy of code + CreateThread on
; it is the self-injection shape memory scanners commonly flag; the
; OutputDebugStringA text "create code check" is also an easy signature.
; ---------------------------------------------------------------------------
00401050/$55 push ebp
00401051|.8BEC mov ebp, esp
00401053|.83EC 0C sub esp, 0xC ; three dword locals
00401056|.56 push esi
00401057|.8B75 08 mov esi, dword ptr ; [ebp+8] = module base
0040105A|.8B46 3C mov eax, dword ptr ; [esi+3C] = e_lfanew (offset of IMAGE_NT_HEADERS)
0040105D|.0FB74C30 14 movzx ecx, word ptr ; [eax+esi+14] = FileHeader.SizeOfOptionalHeader
00401062|.8D4C01 18 lea ecx, dword ptr ; [ecx+eax+18] = offset of the first IMAGE_SECTION_HEADER
00401066|.0FB74430 06 movzx eax, word ptr ; [eax+esi+6] = FileHeader.NumberOfSections
0040106B|.85C0 test eax, eax
0040106D|.0F84 18010000 je 0040118B ; no sections -> leave
00401073|.53 push ebx
00401074|.57 push edi
00401075|.8D7C31 24 lea edi, dword ptr ; [ecx+esi+24] = &section[0].Characteristics
00401079|.897D FC mov dword ptr , edi ; [ebp-4] = cursor into the section table
0040107C|.8945 F8 mov dword ptr , eax ; [ebp-8] = sections remaining
0040107F|.90 nop
00401080|>8B07 /mov eax, dword ptr ; [edi] = section Characteristics
00401082|.A9 00000020 |test eax, 0x20000000 ; IMAGE_SCN_MEM_EXECUTE required
00401087|.0F84 ED000000 |je 0040117A
0040108D|.A9 00000040 |test eax, 0x40000000 ; IMAGE_SCN_MEM_READ required
00401092|.0F84 E2000000 |je 0040117A
00401098|.A8 20 |test al, 0x20 ; IMAGE_SCN_CNT_CODE required
0040109A|.0F84 DA000000 |je 0040117A
004010A0|.A9 00000002 |test eax, 0x2000000 ; IMAGE_SCN_MEM_DISCARDABLE -> skip
004010A5|.0F85 CF000000 |jnz 0040117A
004010AB|.68 94F45400 |push offset <OutputString> ; /create code check\r\n
004010B0|.FF15 1C545200 |call dword ptr [<&KERNEL32.OutputDeb>; \OutputDebugStringA ; visible in any debugger / DbgView
004010B6|.8B5F E4 |mov ebx, dword ptr ; [edi-1C] = section Misc.VirtualSize
004010B9|.8B7F E8 |mov edi, dword ptr ; [edi-18] = section VirtualAddress (RVA)
004010BC|.68 4CF45400 |push offset <aNtdll_dll> ; /ntdll.dll
004010C1|.03FE |add edi, esi ; | edi = section VA = base + RVA
004010C3|.FF15 FC535200 |call dword ptr [<&KERNEL32.LoadLibra>; \LoadLibraryW
004010C9|.6A 40 |push 0x40 ; /flProtect = 40 (64.) ; PAGE_EXECUTE_READWRITE (execute is not needed for a data block)
004010CB|.68 00300000 |push 0x3000 ; |flAllocationType = 3000 (12288.) ; MEM_COMMIT | MEM_RESERVE
004010D0|.6A 14 |push 0x14 ; |dwSize = 14 (20.) ; five dwords: the thread parameter block
004010D2|.6A 00 |push 0x0 ; |lpAddress = NULL
004010D4|.8945 F4 |mov dword ptr , eax ; | [ebp-C] = ntdll HMODULE
004010D7|.FF15 30545200 |call dword ptr [<&KERNEL32.GetCurren>; |[GetCurrentProcess
004010DD|.50 |push eax ; |hProcess
004010DE|.FF15 F8535200 |call dword ptr [<&KERNEL32.VirtualAl>; \VirtualAllocEx ; eax = parameter block (return value not checked for NULL)
004010E4|.8B55 F4 |mov edx, dword ptr ; [ebp-C] = ntdll HMODULE
004010E7|.68 7CF45400 |push offset <aRtlcomputecrc3> ; /RtlComputeCrc32
004010EC >|.52 |push edx ; |_cls_System_TObject ; (stray OllyDbg label) hModule = ntdll
004010ED|.8BF0 |mov esi, eax ; | esi = parameter block
004010EF|.FF15 28545200 |call dword ptr [<&KERNEL32.GetProcAd>; \GetProcAddress
004010F5|.68 8CF45400 |push offset <aSleep> ; /Sleep
004010FA|.68 60F45400 |push offset <aKernel32_dll_0> ; |/kernel32.dll
004010FF|.8906 |mov dword ptr , eax ; || [esi+0] = RtlComputeCrc32
00401101|.FF15 2C545200 |call dword ptr [<&KERNEL32.GetModule>; |\GetModuleHandleW
00401107|.50 |push eax ; |hModule
00401108|.FF15 28545200 |call dword ptr [<&KERNEL32.GetProcAd>; \GetProcAddress
0040110E|.8946 04 |mov dword ptr , eax ; [esi+4] = Sleep
00401111|.897E 0C |mov dword ptr , edi ; [esi+C] = section VA to watch
00401114|.B8 00104000 |mov eax, 00401000 ; start of the thread code to be copied
00401119|.895E 10 |mov dword ptr , ebx ; [esi+10] = section VirtualSize (bytes to hash)
0040111C|.C746 08 40104>|mov dword ptr , 00401040 ; [esi+8] = 00401040, the routine the thread calls on mismatch
00401123|.33FF |xor edi, edi ; edi = length of thread code, counted below
00401125|.8138 AAAAAAAA |cmp dword ptr , 0xAAAAAAAA ; [eax]: sentinel already at the first dword?
0040112B|.74 0F |je short 0040113C
0040112D|.B8 00104000 |mov eax, 00401000
00401132|>40 |/inc eax ; scan byte by byte ...
00401133|.47 ||inc edi
00401134|.8138 AAAAAAAA ||cmp dword ptr , 0xAAAAAAAA ; ... until [eax] == 0xAAAAAAAA sentinel
0040113A|.^ 75 F6 |\jnz short 00401132 ; no upper bound: relies on the sentinel being present
0040113C|>6A 40 |push 0x40 ; /flProtect = 40 (64.) ; PAGE_EXECUTE_READWRITE for the code copy
0040113E|.68 00300000 |push 0x3000 ; |flAllocationType = 3000 (12288.)
00401143|.57 |push edi ; |dwSize ; = bytes up to the sentinel
00401144 >|.6A 00 |push 0x0 ; |System::_16409 ; (stray OllyDbg label) lpAddress = NULL
00401146|.FF15 30545200 |call dword ptr [<&KERNEL32.GetCurren>; |[GetCurrentProcess
0040114C|.50 |push eax ; |hProcess
0040114D|.FF15 F8535200 |call dword ptr [<&KERNEL32.VirtualAl>; \VirtualAllocEx ; eax = fresh RWX buffer (not NULL-checked)
00401153|.57 |push edi ; memcpy size
00401154|.8BD8 |mov ebx, eax ; ebx = destination buffer
00401156|.68 00104000 |push 00401000 ; memcpy src = thread code in .text
0040115B|.53 |push ebx ; memcpy dst
0040115C|.E8 6F171000 |call <_memcpy>
00401161|.83C4 0C |add esp, 0xC
00401164|.6A 00 |push 0x0 ; /pThreadId = NULL
00401166|.6A 00 |push 0x0 ; |CreationFlags = 0
00401168|.56 |push esi ; |pThreadParm ; = parameter block
00401169|.53 |push ebx ; |ThreadFunction ; = the copied code, not the .text original
0040116A|.6A 00 |push 0x0 ; |StackSize = 0x0
0040116C|.6A 00 |push 0x0 ; |pSecurity = NULL
0040116E|.FF15 20545200 |call dword ptr [<&KERNEL32.CreateThr>; \CreateThread ; returned handle is discarded (never closed)
00401174|.8B7D FC |mov edi, dword ptr ; [ebp-4]: restore section cursor
00401177|.8B75 08 |mov esi, dword ptr ; [ebp+8]: restore module base
0040117A|>83C7 28 |add edi, 0x28 ; sizeof(IMAGE_SECTION_HEADER) -> next section
0040117D|.FF4D F8 |dec dword ptr ; [ebp-8] = sections remaining
00401180|.897D FC |mov dword ptr , edi ; [ebp-4] = cursor
00401183|.^ 0F85 F7FEFFFF \jnz 00401080
00401189|.5F pop edi
0040118A|.5B pop ebx
0040118B|>5E pop esi
0040118C|.8BE5 mov esp, ebp
0040118E|.5D pop ebp
0040118F\.C3 retn
线程代码:
; ---------------------------------------------------------------------------
; 00401000 - watcher thread body (copied to an RWX buffer and run by CreateThread)
; [ebp+8] = parameter block from 00401050:
;   [esi+0]  RtlComputeCrc32   [esi+4]  Sleep   [esi+8] 00401040 (called on mismatch)
;   [esi+C]  section VA        [esi+10] section VirtualSize
; Takes one CRC snapshot when the thread starts, then every 0xBB8 ms (3 s)
; re-hashes the section and calls [esi+8] if the value changed. Never returns,
; so the pushed esi/edi are never popped.
; Design note: the baseline is whatever is in memory at thread start, so the
; watcher only detects changes made after that moment; it cannot tell a
; modified image from an original one. Memory operands were lost in the paste
; and are decoded from the opcode bytes in the comments.
; ---------------------------------------------------------------------------
00401000 .55 push ebp
00401001 .8BEC mov ebp, esp
00401003 .56 push esi
00401004 .8B75 08 mov esi, dword ptr ; [ebp+8] = parameter block
00401007 .8B46 10 mov eax, dword ptr ; [esi+10] = Length
0040100A .8B4E 0C mov ecx, dword ptr ; [esi+C] = Buffer (section VA)
0040100D .8B16 mov edx, dword ptr ; [esi] = RtlComputeCrc32
0040100F .57 push edi
00401010 .50 push eax ; Length
00401011 .51 push ecx ; Buffer
00401012 .6A 00 push 0x0 ; InitialCrc = 0
00401014 .FFD2 call edx ; baseline CRC
00401016 .8BF8 mov edi, eax ; edi = baseline, kept for the life of the thread
00401018 >8B46 10 mov eax, dword ptr ; [esi+10] = Length  (loop head)
0040101B .8B4E 0C mov ecx, dword ptr ; [esi+C] = Buffer
0040101E .8B16 mov edx, dword ptr ; [esi] = RtlComputeCrc32
00401020 .50 push eax
00401021 .51 push ecx
00401022 .6A 00 push 0x0
00401024 .FFD2 call edx ; current CRC
00401026 .3BC7 cmp eax, edi ; changed since baseline?
00401028 .74 05 je short 0040102F ; unchanged -> sleep
0040102A .8B46 08 mov eax, dword ptr ; [esi+8] = 00401040 (presumably the terminate routine; body not shown here)
0040102D .FFD0 call eax
0040102F >8B4E 04 mov ecx, dword ptr ; [esi+4] = Sleep
00401032 .68 B80B0000 push 0xBB8 ; 3000 ms between checks
00401037 .FFD1 call ecx
00401039 .^ EB DD jmp short 00401018 ; loop forever
先建立初始CRC32值,然后取现有值,比较,不等就结束程序,相等就SLEEP,等下一波验证。
3.爆破
好吧,这个CM是只能爆破的,不能追码,害我还追了半天,代码看了个遍,什么都没有。。。。
注册按钮事件如下:
; ---------------------------------------------------------------------------
; 00402100 - "register" button handler (ecx = this, thiscall)
; The only check is a compare of one member, [ecx+20], against the constant
; 0x7B (123); what that member holds is not visible from this listing.
; There is no key derivation anywhere in the handler, which is why the author
; concludes the CM cannot be "traced" to a serial.
; ---------------------------------------------------------------------------
00402100 .8379 20 7B cmp dword ptr , 0x7B ; [ecx+20] == 0x7B ? (operand decoded from 8379 20 7B)
00402104 .75 0E jnz short 00402114 ; mismatch -> silent return, no failure message
00402106 .6A 00 push 0x0 ; nIDHelp = 0
00402108 .6A 00 push 0x0 ; nType = 0
0040210A .68 28F85400 push 0054F828 ;注册成功!  ; L"registration succeeded!"
0040210F .E8 9F030000 call <AfxMessageBox(wchar_t const *,u>
00402114 >C3 retn
nop掉即可.
成功如下:
膜拜大牛 大牛确实就是牛,怎么这么久了,还没拉出来 赞啊,这么快就搞定 厉害,大棒的cm就被搞定了啊 大牛拉屎好慢。有风度啊{:17_1068:} 好快!拜膜大牛 {:1_931:} 膜拜大牛!{:301_978:} WIN7 64位运行失败 我还以为暗藏杀机 ?
还有超级猥琐代码?
难道我想多了?
{:1_909:}