【答案提交】【吾爱破解2014CrackMe大赛】【第三组】
本帖最后由 ximo 于 2014-10-25 23:19 编辑
打开CrackMe,输入任意注册名字和注册序号,然后程序自动关闭,并在程序当前目录生成ny.key;打开后发现是ini文件格式,因此推断CrackMe为重启验证,验证文件为ini格式。
使用od打开CrackMe,若没有反anti-od类插件,CrackMe会退出:这是因为它检查了程序的父进程名字,并与explorer.exe进行对比。
00402E3C .68 63A34800 push CrackMe.0048A363 ;ASCII "explorer.exe"
00402E41 .FF75 E8 push dword ptr ss:[ebp-0x18]
00402E44 .E8 09E4FFFF call CrackMe.00401252
之后使用自己的文件名作为参数再次启动自己,并退出当前程序。
所以,直接在od上选择打开,并填入参数
断在程序入口点后,对GetPrivateProfileStringA进行下断。
程序断下后,返回到上一层,找到段首,f2下断,重新运行,断下后,单步跟
00401428/.55 push ebp
00401429|.8BEC mov ebp,esp
0040142B|.81EC 10000000 sub esp,0x10
00401431|.C745 FC 00000>mov [local.1],0x0
00401438|.68 00000000 push 0x0
0040143D|.BB 10424000 mov ebx,CrackMe.00404210
00401442|.E8 DD200000 call CrackMe.00403524
00401447|.83C4 04 add esp,0x4
0040144A|.8945 FC mov [local.1],eax
0040144D|.8B5D 08 mov ebx,[arg.1]
00401450|.8B1B mov ebx,dword ptr ds:[ebx]
00401452|.83C3 04 add ebx,0x4
00401455|.895D F8 mov [local.2],ebx
00401458|.8B5D 08 mov ebx,[arg.1]
0040145B|.8B1B mov ebx,dword ptr ds:[ebx]
0040145D|.83C3 0C add ebx,0xC
00401460|.895D F4 mov [local.3],ebx
00401463|.6A 00 push 0x0
00401465|.6A 00 push 0x0
00401467|.6A 00 push 0x0
00401469|.68 04000080 push 0x80000004
0040146E|.6A 00 push 0x0
00401470|.68 F6A24800 push CrackMe.0048A2F6
00401475|.68 04000080 push 0x80000004
0040147A|.6A 00 push 0x0
0040147C|.68 F6A24800 push CrackMe.0048A2F6
00401481|.68 04000080 push 0x80000004
00401486|.6A 00 push 0x0
00401488|.8B5D F4 mov ebx,[local.3]
0040148B|.8B03 mov eax,dword ptr ds:[ebx]
0040148D|.85C0 test eax,eax
0040148F|.75 05 jnz XCrackMe.00401496
00401491|.B8 F5A24800 mov eax,CrackMe.0048A2F5
00401496|>50 push eax
00401497|.68 04000000 push 0x4
0040149C|.BB 70434000 mov ebx,CrackMe.00404370
004014A1|.E8 7E200000 call CrackMe.00403524 ;获取用户名
004014A6|.83C4 34 add esp,0x34
004014A9|.8945 F0 mov [local.4],eax
004014AC|.8B45 F0 mov eax,[local.4]
004014AF|.50 push eax
004014B0|.8B5D F8 mov ebx,[local.2]
004014B3|.8B1B mov ebx,dword ptr ds:[ebx]
004014B5|.85DB test ebx,ebx
004014B7|.74 09 je XCrackMe.004014C2
004014B9|.53 push ebx
004014BA|.E8 47200000 call CrackMe.00403506
004014BF|.83C4 04 add esp,0x4
004014C2|>58 pop eax
004014C3|.8B5D F8 mov ebx,[local.2]
004014C6|.8903 mov dword ptr ds:[ebx],eax
004014C8|.8B5D 08 mov ebx,[arg.1]
004014CB|.8B1B mov ebx,dword ptr ds:[ebx]
004014CD|.83C3 08 add ebx,0x8
004014D0|.895D F8 mov [local.2],ebx
004014D3|.8B5D 08 mov ebx,[arg.1]
004014D6|.8B1B mov ebx,dword ptr ds:[ebx]
004014D8|.83C3 0C add ebx,0xC
004014DB|.895D F4 mov [local.3],ebx
004014DE|.6A 00 push 0x0
004014E0|.6A 00 push 0x0
004014E2|.6A 00 push 0x0
004014E4|.68 04000080 push 0x80000004
004014E9|.6A 00 push 0x0
004014EB|.68 F8A24800 push CrackMe.0048A2F8
004014F0|.68 04000080 push 0x80000004
004014F5|.6A 00 push 0x0
004014F7|.68 F6A24800 push CrackMe.0048A2F6
004014FC|.68 04000080 push 0x80000004
00401501|.6A 00 push 0x0
00401503|.8B5D F4 mov ebx,[local.3]
00401506|.8B03 mov eax,dword ptr ds:[ebx]
00401508|.85C0 test eax,eax
0040150A|.75 05 jnz XCrackMe.00401511
0040150C|.B8 F5A24800 mov eax,CrackMe.0048A2F5
00401511|>50 push eax
00401512|.68 04000000 push 0x4
00401517|.BB 70434000 mov ebx,CrackMe.00404370
0040151C|.E8 03200000 call CrackMe.00403524 ;获取注册码
00401521|.83C4 34 add esp,0x34
00401524|.8945 F0 mov [local.4],eax
00401527|.8B45 F0 mov eax,[local.4]
0040152A|.50 push eax
0040152B|.8B5D F8 mov ebx,[local.2]
0040152E|.8B1B mov ebx,dword ptr ds:[ebx]
00401530|.85DB test ebx,ebx
00401532|.74 09 je XCrackMe.0040153D
00401534|.53 push ebx
00401535|.E8 CC1F0000 call CrackMe.00403506
0040153A|.83C4 04 add esp,0x4
0040153D|>58 pop eax
0040153E|.8B5D F8 mov ebx,[local.2]
00401541|.8903 mov dword ptr ds:[ebx],eax
00401543|.FF75 08 push [arg.1]
00401546|.8B0424 mov eax,dword ptr ss:[esp]
00401549|.8B00 mov eax,dword ptr ds:[eax]
0040154B|.8B00 mov eax,dword ptr ds:[eax]
0040154D|.FF50 14 call dword ptr ds:[eax+0x14] ;算法验证
00401550|.E9 00000000 jmp CrackMe.00401555
00401555|>8BE5 mov esp,ebp
00401557|.5D pop ebp
00401558\.C2 0400 retn 0x4
这段代码的最后一个call有验证,由于能力有限,感觉可能是包含有算法
F7单步步入到这里
004017FE|.50 push eax
004017FF|.FF75 F0 push [local.4]
00401802|.E8 4BFAFFFF call CrackMe.00401252 ;看不懂的对比
00401807|.83C4 08 add esp,0x8
0040180A|.83F8 00 cmp eax,0x0
0040180D|.B8 00000000 mov eax,0x0
00401812|.0F94C0 sete al
00401815|.8945 E8 mov [local.6],eax
00401818|.8B5D F0 mov ebx,[local.4]
0040181B|.85DB test ebx,ebx
0040181D|.74 09 je XCrackMe.00401828
0040181F|.53 push ebx
00401820|.E8 E11C0000 call CrackMe.00403506
00401825|.83C4 04 add esp,0x4
00401828|>837D E8 00 cmp [local.6],0x0
0040182C 0F84 3D000000 je CrackMe.0040186F ;关键跳
00401832|.68 02000080 push 0x80000002
00401837|.6A 00 push 0x0
00401839|.68 00000000 push 0x0
0040183E|.6A 00 push 0x0
00401840|.6A 00 push 0x0
00401842|.6A 00 push 0x0
00401844|.68 01000100 push 0x10001
00401849|.68 23000106 push 0x6010023
0040184E|.68 24000152 push 0x52010024
00401853|.68 03000000 push 0x3
00401858|.BB B0374000 mov ebx,CrackMe.004037B0
0040185D|.E8 C21C0000 call CrackMe.00403524 ;显示窗体
把0040182C 0F84 3D000000 je CrackMe.0040186F 改为nop就可以爆破了
之后会有二次验证,但走的还是这里,所以只用改一次就可以了。
爆破之后,输入任意注册名字和序号,程序退出,再次运行后显示已注册;但不确定右下角的注册按钮是一个暗桩,还是作者故意留下的。
最后成绩:16*0.35=5分
评委评价:爆破有效
谢谢参与,请继续加油。