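CrackMe【Manual Unpacking + Simple Algorithm Analysis + Bug Disclosure】
This post was last edited by HPKEr on 2010-1-30 09:32
【Title】: CrackMe【Manual Unpacking + Simple Algorithm Analysis + Bug Disclosure】
【Author】: HPKEr
【Software name】: CrackMe
【Software size】: 61.88KB
【Download link】: http://xz.qupan.com/down/945520_5747357.html
【Packer】: PESpin 0.3x - 1.xx -> cyberbob
【Language】: Microsoft Visual C++ 5.0
【Tools used】: OD, PEID 0.95, UIF
【Platform】: Windows XP SP3
【Author's statement】: This is only out of interest, with no other purpose. Please point out any mistakes!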
--------------------------------------------------------------------------------
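【Detailed procedure】
1. PEID reports the packer as: PESpin 0.3x - 1.xx -> cyberbob
2. Load in OD, single-step with F8 twice to reach 004190D8, and set a breakpoint with hr esp. Press Shift+F9 to run; OD stops at 0041ACB5 F7D2 NOT EDX ; ntdll.KiFastSystemCallRet. Use the "junk-code remover" tool to strip the PESpin junk instructions.
3. The stolen code is as follows: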
0041ACB5 F7D2 NOT EDX ; ntdll.KiFastSystemCallRet
0041ACB7 39C2 CMP EDX,EAX
0041ACB9 F7C0 74E7F921 TEST EAX,21F9E774
0041ACBF 0FACC2 48 SHRD EDX,EAX,48 ; Shift constant out of range 1..31
0041ACC3 0FBDC8 BSR ECX,EAX
0041ACC6 C7C2 2431C7CD MOV EDX,CDC73124
0041ACCC 85C0 TEST EAX,EAX
0041ACCE 0FBAEA 31 BTS EDX,31
0041ACD2 F7D2 NOT EDX
0041ACD4 F7C1 25C4A65C TEST ECX,5CA6C425
0041ACDA 3BD0 CMP EDX,EAX
0041ACDC 0FABC2 BTS EDX,EAX
0041ACDF 90 NOP
0041ACE0 90 NOP
0041ACE1 90 NOP
0041ACE2 0FAFC8 IMUL ECX,EAX
0041ACE5 49 DEC ECX
0041ACE6 0FCA BSWAP EDX
0041ACE8 B9 0A07CDFD MOV ECX,FDCD070A
0041ACED 0BC8 OR ECX,EAX
0041ACEF 31C2 XOR EDX,EAX
0041ACF1 8D0D 945D734C LEA ECX,DWORD PTR DS:
0041ACF7 D1E9 SHR ECX,1
0041ACF9 4A DEC EDX
0041ACFA BA CD4ABDB3 MOV EDX,B3BD4ACD
0041ACFF D1D9 RCR ECX,1
0041AD01 0BD0 OR EDX,EAX
0041AD03 F7C1 2063B688 TEST ECX,88B66320
0041AD09 0FABC2 BTS EDX,EAX
0041AD0C 33D0 XOR EDX,EAX
0041AD0E C1F1 41 SAL ECX,41 ; Shift constant out of range 1..31
0041AD11 55 PUSH EBP ; stolen instruction 1
0041AD12 90 NOP
0041AD13 90 NOP
0041AD14 90 NOP
0041AD15 8BEC MOV EBP,ESP ; stolen instruction 2
0041AD17 90 NOP
0041AD18 90 NOP
0041AD19 90 NOP
0041AD1A 6A FF PUSH -1 ; stolen instruction 3
0041AD1C 90 NOP
0041AD1D 90 NOP
0041AD1E 90 NOP
0041AD1F 68 B8EAFCEA PUSH EAFCEAB8 ; stolen instruction 4
0041AD24 810424 48684415 ADD DWORD PTR SS:,15446848
0041AD2B 68 F611E3F8 PUSH F8E311F6 ; stolen instruction 5
0041AD30 810424 B20B5D07 ADD DWORD PTR SS:,75D0BB2
0041AD37 64:A1 00000000 MOV EAX,DWORD PTR FS: ; stolen instruction 6
0041AD3D 90 NOP
0041AD3E 90 NOP
0041AD3F 90 NOP
0041AD40 50 PUSH EAX ; stolen instruction 7
0041AD41 90 NOP
0041AD42 90 NOP
0041AD43 90 NOP
0041AD44 64:8925 0000000>MOV DWORD PTR FS:,ESP ; stolen instruction 8
0041AD4B 90 NOP
0041AD4C 90 NOP
0041AD4D 90 NOP
0041AD4E 83C4 94 ADD ESP,-6C ; stolen instruction 9
0041AD51 90 NOP
0041AD52 90 NOP
0041AD53 90 NOP
0041AD54 53 PUSH EBX ; stolen instruction 10
0041AD55 90 NOP
0041AD56 90 NOP
0041AD57 90 NOP
0041AD58 56 PUSH ESI ; stolen instruction 11
0041AD59 90 NOP
0041AD5A 90 NOP
0041AD5B 90 NOP
0041AD5C 57 PUSH EDI ; stolen instruction 12
0041AD5D 90 NOP
0041AD5E 90 NOP
0041AD5F 90 NOP
0041AD60 8965 E8 MOV DWORD PTR SS:,ESP ; stolen instruction 13
0041AD63 90 NOP
0041AD64 90 NOP
0041AD65 90 NOP
0041AD66 C745 FC 0000000>MOV DWORD PTR SS:,0 ; stolen instruction 14
0041AD6D 90 NOP
0041AD6E 90 NOP
0041AD6F 90 NOP
0041AD70 6A 02 PUSH 2 ; stolen instruction 15
0041AD72 90 NOP
0041AD73 90 NOP
0041AD74 90 NOP
0041AD75 FF15 BC754100 CALL DWORD PTR DS: ; stolen instruction 16
0041AD7B 90 NOP
0041AD7C 90 NOP
0041AD7D 90 NOP
0041AD7E 83C4 04 ADD ESP,4 ; stolen instruction 17
0041AD81 90 NOP
0041AD82 90 NOP
0041AD83 90 NOP
0041AD84 C705 20694100 F>MOV DWORD PTR DS:,-1 ; stolen instruction 18
0041AD8E 90 NOP
0041AD8F 90 NOP
0041AD90 90 NOP
0041AD91 A1 20694100 MOV EAX,DWORD PTR DS: ; stolen instruction 19
0041AD96 90 NOP
0041AD97 90 NOP
0041AD98 90 NOP
0041AD99 A3 30694100 MOV DWORD PTR DS:,EAX ; stolen instruction 20
0041AD9E 90 NOP
0041AD9F 90 NOP
0041ADA0 90 NOP
0041ADA1- E9 E66DFEFF JMP CrackMe_.00401B8C
0041ADA6 F0:3A6CAA 2F LOCK CMP CH,BYTE PTR DS: ; LOCK prefix is not allowed
0041ADAB DDD9 FSTP ST(1)
0041ADAD E5 C2 IN EAX,0C2 ; I/O command
0041ADAF D299 1FFF8603 RCR BYTE PTR DS:,CL
0041ADB5 FF72 12 PUSH DWORD PTR DS:
0041ADB8 03D0 ADD EDX,EAX
0041ADBA 8A02 MOV AL,BYTE PTR DS:
0041ADBC 8802 MOV BYTE PTR DS:,AL
0041ADBE 49 DEC ECX
0041ADBF E2 15 LOOPD SHORT CrackMe_.0041ADD6
0041ADC1 E8 A7FFFFFF CALL CrackMe_.0041AD6D
0041ADC6 E8 47000000 CALL CrackMe_.0041AE12
0041ADCB FF68 9D JMP FAR FWORD PTR DS: ; Far jump
0041ADCE 9E SAHF
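4. Keep pressing F8 until you reach 00401B8C FF15 B8754100 CALL DWORD PTR DS: ; MSVCRTD.__p__fmode
Here I found invalid empty data above. At 00401B8C, paste in the binary of the stolen code and set a new EIP at 00401B8C, as follows: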
00401B40 55 PUSH EBP
00401B41 8BEC MOV EBP,ESP
00401B43 6A FF PUSH -1
00401B45 68 B8EAFCEA PUSH EAFCEAB8
00401B4A 68 F611E3F8 PUSH F8E311F6
00401B4F 64:A1 00000000 MOV EAX,DWORD PTR FS:
00401B55 50 PUSH EAX
00401B56 64:8925 00000000 MOV DWORD PTR FS:,ESP
00401B5D 83C4 94 ADD ESP,-6C
00401B60 53 PUSH EBX
00401B61 56 PUSH ESI
00401B62 57 PUSH EDI
00401B63 8965 E8 MOV DWORD PTR SS:,ESP
00401B66 C745 FC 00000000 MOV DWORD PTR SS:,0
00401B6D 6A 02 PUSH 2
00401B6F FF15 EC714000 CALL DWORD PTR DS: ; MSVCRTD.__set_app_type
00401B75 83C4 04 ADD ESP,4
00401B78 C705 20694100 FFFFF>MOV DWORD PTR DS:,-1
00401B82 A1 20694100 MOV EAX,DWORD PTR DS:
00401B87 A3 30694100 MOV DWORD PTR DS:,EAX
00401B8C FF15 F0714000 CALL DWORD PTR DS: ; MSVCRTD.__p__fmode
00401B92 8B0D 0C694100 MOV ECX,DWORD PTR DS:
00401B98 8908 MOV DWORD PTR DS:,ECX
00401B9A FF15 F4714000 CALL DWORD PTR DS: ; MSVCRTD.__p__commode
00401BA0 8B15 08694100 MOV EDX,DWORD PTR DS:
00401BA6 8910 MOV DWORD PTR DS:,EDX
00401BA8 A1 F8714000 MOV EAX,DWORD PTR DS:
00401BAD 8B08 MOV ECX,DWORD PTR DS:
00401BAF 890D 14694100 MOV DWORD PTR DS:,ECX
00401BB5 E8 D6010000 CALL CrackMe_.00401D90
00401BBA 833D D0664100 00 CMP DWORD PTR DS:,0
00401BC1 75 0E JNZ SHORT CrackMe_.00401BD1
00401BC3 68 801D4000 PUSH CrackMe_.00401D80
00401BC8 FF15 FC714000 CALL DWORD PTR DS: ; MSVCRTD.__setusermatherr
00401BCE 83C4 04 ADD ESP,4
00401BD1 E8 8A010000 CALL CrackMe_.00401D60
The stolen code, tidied up:
PUSH EBP
MOV EBP,ESP
PUSH -1
PUSH E3721302
PUSH F5EC0898
MOV EAX,DWORD PTR FS:
PUSH EAX
MOV DWORD PTR FS:,ESP
ADD ESP,-6C
PUSH EBX
PUSH ESI
PUSH EDI
MOV DWORD PTR SS:,ESP
MOV DWORD PTR SS:,0
PUSH 2
CALL DWORD PTR DS:
ADD ESP,4
MOV DWORD PTR DS:,-1
MOV EAX,DWORD PTR DS:
MOV DWORD PTR DS:,EAX
The binary code, tidied up:
55 8B EC 6A FF 68 41 40 A2 1A 68 66 C3 3E E8 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 C4 94 53 56 57 89 65 E8 C7 45 FC 00 00 00 00 6A 02 FF 15 BC 75 41 00 83 C4 04 C7 05 20 69 41 00 FF FF FF FF A1 20 69 41 00 A3 30 69 41 00
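5. Now look for an unused empty data region. I found that there are many unused data regions in the lower part of OD, so we start from 00407000 and use it as the base address for the rebuilt IAT. This needs the UIF tool. Why use it? Answer: this tool is for when the program can run but its IAT is out of order or scattered. Open UIF. On the right, the first field, Process ID, is the process identifier (PID) of the CrackMe loaded in OD, expressed in hexadecimal; mine is 536, which converts to 218 in hexadecimal. The second, Code Start, is the start of the code section (no need to fill it in; the program obtains it automatically). The third, Code End, is the end of the code section (no need to fill it in; the program obtains it automatically). The fourth, New IAT VA, is the virtual address of the new IAT (must be filled in); mine is 00407000. Leave the three checkboxes below unchecked, and finally click the "Start" button.
6. When that is done, dump the program and then repair the unpacked program with Import REC. The program then runs normally.
Removing the anti-debugging:
1. Load in OD and press F9 to run; it reports "Process terminated, exit code 0", so anti-debugging has clearly been added.
2. Single-step tracing, the names list of the current module, and the call-stack method can all locate the key position. Remove the anti-debugging as follows: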
0040227D .8BF4 MOV ESI,ESP
0040227F .8D4D B8 LEA ECX,DWORD PTR SS:
00402282 .51 PUSH ECX ; /pStartupinfo
00402283 .FF15 04004200 CALL DWORD PTR DS:[<&kernel32.GetStartup>; \GetStartupInfoA
00402289 .3BF4 CMP ESI,ESP
0040228B .E8 44F8FFFF CALL <JMP.&msvcrtd._chkesp>
00402290 .837D C8 00 CMP DWORD PTR SS:,0
00402294 75 31 JNZ SHORT CrackMe?004022C7 ;change JNZ SHORT 004022C7 to jmp 004022D8
00402296 .837D CC 00 CMP DWORD PTR SS:,0
0040229A .75 2B JNZ SHORT CrackMe?004022C7
0040229C .837D D8 00 CMP DWORD PTR SS:,0
004022A0 .75 25 JNZ SHORT CrackMe?004022C7
004022A2 .837D DC 00 CMP DWORD PTR SS:,0
004022A6 .75 1F JNZ SHORT CrackMe?004022C7
004022A8 .837D E0 00 CMP DWORD PTR SS:,0
004022AC .75 19 JNZ SHORT CrackMe?004022C7
004022AE .837D D0 00 CMP DWORD PTR SS:,0
004022B2 .75 13 JNZ SHORT CrackMe?004022C7
004022B4 .837D D4 00 CMP DWORD PTR SS:,0
004022B8 .75 0D JNZ SHORT CrackMe?004022C7
004022BA .8B55 E4 MOV EDX,DWORD PTR SS:
004022BD .81E2 80000000 AND EDX,80
004022C3 .85D2 TEST EDX,EDX
004022C5 .74 11 JE SHORT CrackMe?004022D8
004022C7 >8BF4 MOV ESI,ESP
004022C9 .6A 00 PUSH 0 ; /ExitCode = 0
004022CB .FF15 00004200 CALL DWORD PTR DS:[<&kernel32.ExitProces>; \ExitProcess
004022D1 .3BF4 CMP ESI,ESP
004022D3 .E8 FCF7FFFF CALL <JMP.&msvcrtd._chkesp>
004022D8 >B8 01000000 MOV EAX,1
004022DD .5F POP EDI
004022DE .5E POP ESI
004022DF .5B POP EBX
004022E0 .81C4 88000000 ADD ESP,88
004022E6 .3BEC CMP EBP,ESP
004022E8 .E8 E7F7FFFF CALL <JMP.&msvcrtd._chkesp>
004022ED .8BE5 MOV ESP,EBP
004022EF .5D POP EBP
004022F0 .C3 RETN
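Simple algorithm analysis:
1. Load in OD and press F9 twice. Enter user name: guapi, registration code: 123456. Using the universal breakpoint, execution breaks at 004015BE. Scroll up to 00401580 and set a breakpoint with F2. Reload the CrackMe (Ctrl+F2), enter the user name and registration code, and click the "Register" button; it breaks, with OD stopped at 00401580.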
00401580/> \55 PUSH EBP
00401581|.8BEC MOV EBP,ESP
00401583|.83EC 44 SUB ESP,44
00401586|.53 PUSH EBX
00401587|.56 PUSH ESI
00401588|.57 PUSH EDI
00401589|.51 PUSH ECX
0040158A|.8D7D BC LEA EDI,DWORD PTR SS:
0040158D|.B9 11000000 MOV ECX,11
00401592|.B8 CCCCCCCC MOV EAX,CCCCCCCC
00401597|.F3:AB REP STOS DWORD PTR ES:
00401599|.59 POP ECX
0040159A|.894D FC MOV DWORD PTR SS:,ECX
0040159D|.8B45 08 MOV EAX,DWORD PTR SS:
004015A0|.50 PUSH EAX
004015A1|.8B4D FC MOV ECX,DWORD PTR SS:
004015A4|.E8 D7040000 CALL <JMP.&mfc42d.#1857>
004015A9|.8B4D FC MOV ECX,DWORD PTR SS:
004015AC|.83C1 60 ADD ECX,60
004015AF|.51 PUSH ECX
004015B0|.68 E8030000 PUSH 3E8
004015B5|.8B55 08 MOV EDX,DWORD PTR SS:
004015B8|.52 PUSH EDX
004015B9|.E8 B8FBFFFF CALL <JMP.&mfc42d.#1772> ;get the user name: guapi
004015BE|.8B45 FC MOV EAX,DWORD PTR SS:
004015C1|.83C0 64 ADD EAX,64
004015C4|.50 PUSH EAX
004015C5|.68 E9030000 PUSH 3E9
004015CA|.8B4D 08 MOV ECX,DWORD PTR SS:
004015CD|.51 PUSH ECX
004015CE|.E8 A3FBFFFF CALL <JMP.&mfc42d.#1772> ;get the registration code: 123456
004015D3|.5F POP EDI
004015D4|.5E POP ESI
004015D5|.5B POP EBX
004015D6|.83C4 44 ADD ESP,44
004015D9|.3BEC CMP EBP,ESP
004015DB|.E8 F4040000 CALL <JMP.&msvcrtd._chkesp>
004015E0|.8BE5 MOV ESP,EBP
004015E2|.5D POP EBP
004015E3\.C2 0400 RETN 4
Single-step with F8 until:
00401F32|.83C1 60 ADD ECX,60
00401F35|.E8 DCF1FFFF CALL <JMP.&mfc42d.#880>
00401F3A|.50 PUSH EAX ; /src
00401F3B|.8D4D E4 LEA ECX,DWORD PTR SS: ; |
00401F3E|.51 PUSH ECX ; |dest
00401F3F|.E8 90F1FFFF CALL <JMP.&msvcrtd.strcpy> ; \strcpy
00401F44|.83C4 08 ADD ESP,8
00401F47|.8B4D FC MOV ECX,DWORD PTR SS:
00401F4A|.83C1 60 ADD ECX,60
00401F4D|.E8 12F2FFFF CALL <JMP.&mfc42d.#2640> ;get the user name length, which is 5
00401F52|.83F8 05 CMP EAX,5
00401F55|.7D 18 JGE SHORT CrackMe?00401F6F ;the user name must not be shorter than 5 characters
00401F57|.6A 00 PUSH 0
00401F59|.6A 00 PUSH 0
00401F5B|.8D95 78FFFFFF LEA EDX,DWORD PTR SS:
00401F61|.52 PUSH EDX
00401F62|.8B4D FC MOV ECX,DWORD PTR SS:
00401F65|.E8 00F2FFFF CALL <JMP.&mfc42d.#3517>
00401F6A|.E9 F8010000 JMP CrackMe?00402167
00401F6F|>8B4D FC MOV ECX,DWORD PTR SS:
00401F72|.83C1 60 ADD ECX,60
00401F75|.E8 EAF1FFFF CALL <JMP.&mfc42d.#2640> ;get the user name length, which is 5
00401F7A|.8945 A8 MOV DWORD PTR SS:,EAX
00401F7D|.8B45 A8 MOV EAX,DWORD PTR SS:
00401F80|.8945 AC MOV DWORD PTR SS:,EAX
00401F83|.EB 09 JMP SHORT CrackMe?00401F8E
00401F85|>8B4D AC /MOV ECX,DWORD PTR SS: ;user name length 5 into ECX
00401F88|.83E9 01 |SUB ECX,1 ;user name length minus 1
00401F8B|.894D AC |MOV DWORD PTR SS:,ECX
00401F8E|>837D AC 01 CMP DWORD PTR SS:,1 ;compare the user name length 5 with 1; jump if lower.
00401F92|.7E 13 |JLE SHORT CrackMe?00401FA7
00401F94|.8B55 AC |MOV EDX,DWORD PTR SS:
00401F97|.0FBE4415 E4 |MOVSX EAX,BYTE PTR SS: ;sign-extend into EAX
00401F9C|.8B4D 9C |MOV ECX,DWORD PTR SS: ;1 into ECX
00401F9F|.0FAFC8 |IMUL ECX,EAX ;the product is 0
00401FA2|.894D 9C |MOV DWORD PTR SS:,ECX
00401FA5|.^ EB DE \JMP SHORT CrackMe?00401F85 ;continue the loop
00401FA7|>C745 AC 00000>MOV DWORD PTR SS:,0
00401FAE|>8B45 9C /MOV EAX,DWORD PTR SS:
00401FB1|.99 |CDQ
00401FB2|.B9 0A000000 |MOV ECX,0A
00401FB7|.F7F9 |IDIV ECX ;divide by 10 and take the remainder
00401FB9|.83C2 30 |ADD EDX,30 ;convert the remainder to hexadecimal 30
00401FBC|.8B45 AC |MOV EAX,DWORD PTR SS:
00401FBF|.885405 B4 |MOV BYTE PTR SS:,DL
00401FC3|.8B45 9C |MOV EAX,DWORD PTR SS:
00401FC6|.99 |CDQ
00401FC7|.B9 0A000000 |MOV ECX,0A
00401FCC|.F7F9 |IDIV ECX ;divide by 10 and take the integer quotient
00401FCE|.8945 9C |MOV DWORD PTR SS:,EAX
00401FD1|.8B55 AC |MOV EDX,DWORD PTR SS:
00401FD4|.83C2 01 |ADD EDX,1 ;EDX plus 1
00401FD7|.8955 AC |MOV DWORD PTR SS:,EDX
00401FDA|.837D 9C 00 |CMP DWORD PTR SS:,0
00401FDE|.^ 75 CE \JNZ SHORT CrackMe?00401FAE
00401FE0|.8B45 AC MOV EAX,DWORD PTR SS: ;put the result into EAX
00401FE3|.C64405 B4 00 MOV BYTE PTR SS:,0
00401FE8|.8D4D B4 LEA ECX,DWORD PTR SS: ;put the stack variable CCCC0030 into ECX
00401FEB|.51 PUSH ECX ; /s
00401FEC|.E8 E9F0FFFF CALL <JMP.&msvcrtd.strlen> ; \strlen
00401FF1|.83C4 04 ADD ESP,4
00401FF4|.8945 A4 MOV DWORD PTR SS:,EAX
00401FF7|.C745 AC 00000>MOV DWORD PTR SS:,0
00401FFE|.EB 09 JMP SHORT CrackMe?00402009
00402000|>8B55 AC /MOV EDX,DWORD PTR SS:
00402003|.83C2 01 |ADD EDX,1
00402006|.8955 AC |MOV DWORD PTR SS:,EDX
00402009|>8B45 AC MOV EAX,DWORD PTR SS:
0040200C|.3B45 A8 |CMP EAX,DWORD PTR SS: ;length of user name guapi into EAX
0040200F|.7D 31 |JGE SHORT CrackMe?00402042 ;when the value in EAX is greater than or equal to 0, leave the loop.
00402011|.8B4D AC |MOV ECX,DWORD PTR SS:
00402014|.0FBE540D E4 |MOVSX EDX,BYTE PTR SS: ;ASCII code of g, the first character of user name guapi, hexadecimal 67, into EDX
00402019|.8B45 AC |MOV EAX,DWORD PTR SS:
0040201C|.8D0C42 |LEA ECX,DWORD PTR DS:
0040201F|.8B55 AC |MOV EDX,DWORD PTR SS:
00402022|.884C15 E4 |MOV BYTE PTR SS:,CL
00402026|.8B45 AC |MOV EAX,DWORD PTR SS:
00402029|.0FBE4C05 E4 |MOVSX ECX,BYTE PTR SS:
0040202E|.83F9 7A |CMP ECX,7A
00402031|.7E 0D |JLE SHORT CrackMe?00402040
00402033|.8B55 AC |MOV EDX,DWORD PTR SS:
00402036|.83C2 61 |ADD EDX,61
00402039|.8B45 AC |MOV EAX,DWORD PTR SS:
0040203C|.885405 E4 |MOV BYTE PTR SS:,DL
00402040|>^ EB BE \JMP SHORT CrackMe?00402000
00402042|>8B4D A8 MOV ECX,DWORD PTR SS:
00402045|.3B4D A4 CMP ECX,DWORD PTR SS:
00402048|.7D 12 JGE SHORT CrackMe?0040205C
0040204A|.8B55 A8 MOV EDX,DWORD PTR SS:
0040204D|.8955 A0 MOV DWORD PTR SS:,EDX
00402050|.8B45 A0 MOV EAX,DWORD PTR SS:
00402053|.8D4C05 E4 LEA ECX,DWORD PTR SS:
00402057|.894D B0 MOV DWORD PTR SS:,ECX
0040205A|.EB 10 JMP SHORT CrackMe?0040206C
0040205C|>8B55 A4 MOV EDX,DWORD PTR SS:
0040205F|.8955 A0 MOV DWORD PTR SS:,EDX
00402062|.8B45 A0 MOV EAX,DWORD PTR SS:
00402065|.8D4C05 B4 LEA ECX,DWORD PTR SS:
00402069|.894D B0 MOV DWORD PTR SS:,ECX
0040206C|>C745 AC 00000>MOV DWORD PTR SS:,0
00402073|.EB 09 JMP SHORT CrackMe?0040207E
00402075|>8B55 AC /MOV EDX,DWORD PTR SS:
00402078|.83C2 01 |ADD EDX,1
0040207B|.8955 AC |MOV DWORD PTR SS:,EDX
0040207E|>8B45 AC MOV EAX,DWORD PTR SS:
00402081|.3B45 A0 |CMP EAX,DWORD PTR SS:
00402084|.7D 1E |JGE SHORT CrackMe?004020A4 ;leave the loop when the value in EAX is 1
00402086|.8B4D AC |MOV ECX,DWORD PTR SS:
00402089|.8B55 AC |MOV EDX,DWORD PTR SS:
0040208C|.8A4415 B4 |MOV AL,BYTE PTR SS:
00402090|.88444D C4 |MOV BYTE PTR SS:,AL
00402094|.8B4D AC |MOV ECX,DWORD PTR SS:
00402097|.8B55 AC |MOV EDX,DWORD PTR SS:
0040209A|.8A4415 E4 |MOV AL,BYTE PTR SS:
0040209E|.88444D C5 |MOV BYTE PTR SS:,AL
004020A2|.^ EB D1 \JMP SHORT CrackMe?00402075
004020A4|>8B4D AC MOV ECX,DWORD PTR SS: ;1 into ECX
004020A7|.C6444D C4 00 MOV BYTE PTR SS:,0
004020AC|.8B55 B0 MOV EDX,DWORD PTR SS:
004020AF|.52 PUSH EDX ; /src
004020B0|.8D45 C4 LEA EAX,DWORD PTR SS: ; |real code 0g into EAX
004020B3|.50 PUSH EAX ; |dest
004020B4|.E8 51F0FFFF CALL <JMP.&msvcrtd.strcat> ; \strcat
004020B9|.83C4 08 ADD ESP,8
004020BC|.8D4D C4 LEA ECX,DWORD PTR SS:
004020BF|.51 PUSH ECX ; /s
004020C0|.E8 15F0FFFF CALL <JMP.&msvcrtd.strlen> ; \get the length of the real code 0g, which is 2
004020C5|.83C4 04 ADD ESP,4
004020C8|.8BF0 MOV ESI,EAX ;registration code length 2 into ESI
004020CA|.8B4D FC MOV ECX,DWORD PTR SS:
004020CD|.83C1 64 ADD ECX,64
004020D0|.E8 41F0FFFF CALL <JMP.&mfc42d.#880> ;get the entered registration code: 123456
004020D5|.50 PUSH EAX ; /s
004020D6|.E8 FFEFFFFF CALL <JMP.&msvcrtd.strlen> ; \get the length of the entered registration code 123456, which is 6
004020DB|.83C4 04 ADD ESP,4
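004020DE|.3BF0 CMP ESI,EAX ;compare the lengths of the real code and the fake code
004020E0|.0F85 81000000 JNZ CrackMe?00402167 ;if not 0, jump to failure; by changing the flag, continue tracing with the fake code 123456.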
004020E6|.C745 AC 00000>MOV DWORD PTR SS:,0
004020ED|.EB 09 JMP SHORT CrackMe?004020F8
004020EF|>8B55 AC /MOV EDX,DWORD PTR SS:
004020F2|.83C2 01 |ADD EDX,1
004020F5|.8955 AC |MOV DWORD PTR SS:,EDX
004020F8|>8D45 C4 LEA EAX,DWORD PTR SS: ;real code 0g into EAX
004020FB|.50 |PUSH EAX ; /s
004020FC|.E8 D9EFFFFF |CALL <JMP.&msvcrtd.strlen> ; \get the length of the real code 0g, which is 2
00402101|.83C4 04 |ADD ESP,4
00402104|.3945 AC |CMP DWORD PTR SS:,EAX
00402107|.73 34 |JNB SHORT CrackMe?0040213D ;if greater than or equal to 2, jump to failure
00402109|.8B4D AC |MOV ECX,DWORD PTR SS: ;real code 0g into ECX
0040210C|.0FBE740D C4 |MOVSX ESI,BYTE PTR SS: ;0 extended into ESI
00402111|.8B55 AC |MOV EDX,DWORD PTR SS:
00402114|.52 |PUSH EDX
00402115|.8B4D FC |MOV ECX,DWORD PTR SS:
00402118|.83C1 64 |ADD ECX,64
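0040211B|.E8 50F0FFFF |CALL <JMP.&mfc42d.#850> ;get the fake code: 123456
00402120|.0FBEC0 |MOVSX EAX,AL ;AL=31 sign-extended into EAX
00402123|.33F0 |XOR ESI,EAX ;XOR the first character 30 of the real code 0g with the first character 31 of the fake code 123456; result ESI=1.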
00402125|.8B45 AC |MOV EAX,DWORD PTR SS:
00402128|.99 |CDQ
00402129|.B9 03000000 |MOV ECX,3
0040212E|.F7F9 |IDIV ECX
00402130|.0FBE5415 98 |MOVSX EDX,BYTE PTR SS: ;hexadecimal 62 of b sign-extended into EDX
00402135|.3BF2 |CMP ESI,EDX
00402137|.74 02 |JE SHORT CrackMe?0040213B ;jump if equal
00402139|.EB 02 |JMP SHORT CrackMe?0040213D
0040213B|>^ EB B2 \JMP SHORT CrackMe?004020EF
0040213D|>8D45 C4 LEA EAX,DWORD PTR SS:
00402140|.50 PUSH EAX ; /s
00402141|.E8 94EFFFFF CALL <JMP.&msvcrtd.strlen> ; \strlen
00402146|.83C4 04 ADD ESP,4
00402149|.8945 AC MOV DWORD PTR SS:,EAX
0040214C|.837D AC 00 CMP DWORD PTR SS:,0
00402150|.74 15 JE SHORT CrackMe?00402167
00402152|.6A 00 PUSH 0
00402154|.8D4D 90 LEA ECX,DWORD PTR SS:
00402157|.51 PUSH ECX
00402158|.8D95 6CFFFFFF LEA EDX,DWORD PTR SS:
0040215E|.52 PUSH EDX
0040215F|.8B4D FC MOV ECX,DWORD PTR SS:
00402162|.E8 03F0FFFF CALL <JMP.&mfc42d.#3517> ;the registration-success message appears: "真的很厉害!" (Really impressive!)
00402167|>6A 00 PUSH 0
00402169|.8B4D FC MOV ECX,DWORD PTR SS:
0040216C|.E8 9FEFFFFF CALL <JMP.&mfc42d.#5056>
00402171|.5F POP EDI
00402172|.5E POP ESI
00402173|.5B POP EBX
00402174|.81C4 D4000000 ADD ESP,0D4
0040217A|.3BEC CMP EBP,ESP
0040217C|.E8 53F9FFFF CALL <JMP.&msvcrtd._chkesp>
00402181|.8BE5 MOV ESP,EBP
00402183|.5D POP EBP
00402184\.C3 RETN
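Working serials:
User name: guapi
Registration code: 0g
User name: pigua
Registration code: 0g
User name: 123456
Registration code: 0g
Screenshot of successful registration: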
--------------------------------------------------------------------------------
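【Summary of experience】
1. The basic steps are: use the ESP law, then recover all of the stolen code, then go to the foep and fill in all the code, then repair the IAT with UIF, and finally dump the program and fix it up, and it's OK.
2. Important note: this CrackMe has a BUG. The user name can be anything (as long as it meets the requirement), and the registration code only needs two characters, for example 0g, og, 10, 01 and so on, and it's OK!
3. This post is a sequel to http://www.52pojie.cn/thread-37226-1-1.html. Note:
A CrackMe for everyone to practice on
This post was last edited by HPKEr on 2010-1-9 17:21
Notes: 1. The original CrackMe was not packed; I added a PESpin 1.32 shell, which is a long-established strong packer.
2. The original CrackMe has anti-debugging added; cracking it requires solving this problem.
3. I am putting it out for a while for everyone to practice on, and I hope an expert will come along and post the unpacking steps and the algorithm analysis.
4. If no expert is interested in posting a write-up, I will post my own rough write-up.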
--------------------------------------------------------------------------------
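【Copyright notice】: This article is an original work by HPKEr. When reposting, please credit the author and keep the article intact. Thank you!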
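The stub listed in step 3 pads each stolen instruction with NOPs and follows two of the PUSHes with `81 04 24` (ADD DWORD PTR [ESP], imm32) fix-ups. This added example (not part of the original post) walks those bytes, drops the filler, folds each PUSH/ADD pair into one PUSH and derives the start address from the JMP target; the function names and the length table, which covers only the opcodes in this stub, are assumptions.

```python
# Stub bytes 0041AD11..0041ADA5, transcribed from the step 3 listing; operands
# that OD truncated with ">" are completed from step 4 and the byte dump.
STUB_VA = 0x0041AD11
STUB = bytes.fromhex(
    "55 909090 8BEC 909090 6AFF 909090"
    "68B8EAFCEA 81042448684415 68F611E3F8 810424B20B5D07"
    "64A100000000 909090 50 909090 64892500000000 909090"
    "83C494 909090 53 909090 56 909090 57 909090 8965E8 909090"
    "C745FC00000000 909090 6A02 909090 FF15BC754100 909090"
    "83C404 909090 C70520694100FFFFFFFF 909090"
    "A120694100 909090 A330694100 909090 E9E66DFEFF"
)
LENGTHS = {  # opcode prefix -> instruction length (only what this stub uses)
    "55": 1, "50": 1, "53": 1, "56": 1, "57": 1, "90": 1,
    "8BEC": 2, "6A": 2, "68": 5, "810424": 7, "64A1": 6, "648925": 7,
    "83C4": 3, "8965": 3, "C745": 7, "FF15": 6, "C705": 10,
    "A1": 5, "A3": 5, "E9": 5,
}

def next_insn(code, pos):
    """Return the instruction bytes at pos, matching the longest known prefix."""
    for plen in (3, 2, 1):
        size = LENGTHS.get(code[pos:pos + plen].hex().upper())
        if size:
            return code[pos:pos + size]
    raise ValueError(f"unknown opcode at offset {pos:#x}")

def recover_stolen_code(code=STUB, va=STUB_VA):
    """Return (start_va, jmp_target, cleaned_bytes) for the stolen prologue."""
    out, pos = bytearray(), 0
    while True:
        insn = next_insn(code, pos)
        pos += len(insn)
        if insn[0] == 0x90:                       # filler NOP
            continue
        if insn[0] == 0xE9:                       # JMP back into the original code
            rel = int.from_bytes(insn[1:], "little")
            target = (va + pos + rel) & 0xFFFFFFFF
            return target - len(out), target, bytes(out)
        if insn[0] == 0x68 and code[pos:pos + 3] == b"\x81\x04\x24":
            fix = next_insn(code, pos)            # ADD DWORD PTR [ESP], imm32
            pos += len(fix)
            value = (int.from_bytes(insn[1:], "little")
                     + int.from_bytes(fix[3:], "little")) & 0xFFFFFFFF
            insn = b"\x68" + value.to_bytes(4, "little")
        out += insn

if __name__ == "__main__":
    start, target, cleaned = recover_stolen_code()
    print(f"start {start:08X}, rejoin at {target:08X}, {len(cleaned)} bytes")
    print(cleaned.hex(" ").upper())
```

On the step 3 listing this gives PUSH 00415300 and PUSH 00401DA8 for the two fixed-up pushes, and 76 bytes starting at 00401B40 that end at the JMP target 00401B8C.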
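The operands of the anti-debug check at 0040227D were lost in the listing, but the instruction bytes still carry the EBP displacements. This added example (not part of the original post) recovers which STARTUPINFOA fields the routine tests, assuming the 32-bit STARTUPINFOA layout, and replays the check on constructed field values; all function names are hypothetical.

```python
import re
import struct

# Offsets of the relevant fields in the 32-bit STARTUPINFOA structure.
FIELDS = {0x10: "dwX", 0x14: "dwY", 0x18: "dwXSize", 0x1C: "dwYSize",
          0x20: "dwXCountChars", 0x24: "dwYCountChars",
          0x28: "dwFillAttribute", 0x2C: "dwFlags"}

# Instruction bytes 0040227D..004022C6, transcribed from the listing in the post.
CHECK = bytes.fromhex(
    "8BF4 8D4DB8 51 FF1504004200 3BF4 E844F8FFFF"
    "837DC800 7531 837DCC00 752B 837DD800 7525 837DDC00 751F"
    "837DE000 7519 837DD000 7513 837DD400 750D"
    "8B55E4 81E280000000 85D2 7411"
)

def disp8(match):
    """Signed 8-bit EBP displacement captured in group 1."""
    return struct.unpack("b", match.group(1))[0]

def decode_check(code=CHECK):
    """Return (fields compared with 0, field that is masked, mask)."""
    # LEA ECX,[EBP+d8]; PUSH ECX: the STARTUPINFOA buffer for GetStartupInfoA
    base = disp8(re.search(rb"\x8D\x4D(.)\x51", code, re.S))
    # CMP DWORD PTR [EBP+d8],0 followed by JNZ rel8: field must be zero
    must_be_zero = [FIELDS[disp8(m) - base]
                    for m in re.finditer(rb"\x83\x7D(.)\x00\x75", code, re.S)]
    # MOV EDX,[EBP+d8]; AND EDX,imm32: bits that must be clear
    m = re.search(rb"\x8B\x55(.)\x81\xE2(.{4})", code, re.S)
    mask = struct.unpack("<I", m.group(2))[0]
    return must_be_zero, FIELDS[disp8(m) - base], mask

def exits_process(startup_info):
    """Replay the check on a dict of STARTUPINFOA values (missing field = 0)."""
    must_be_zero, flag_field, mask = decode_check()
    return (any(startup_info.get(f, 0) for f in must_be_zero)
            or bool(startup_info.get(flag_field, 0) & mask))

if __name__ == "__main__":
    zero, flag_field, mask = decode_check()
    print("must be zero:", ", ".join(zero))
    print(f"{flag_field} & {mask:#x} must be 0")
    # Constructed sample values, not captured from a real process.
    print(exits_process({"dwFlags": 0x01}), exits_process({"dwXSize": 640}))
```

The decoded condition is: call ExitProcess if dwX, dwY, dwXCountChars, dwYCountChars, dwFillAttribute, dwXSize or dwYSize is non-zero, or if dwFlags has bit 0x80 (STARTF_FORCEOFFFEEDBACK) set.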
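2010-01-29 14:20:40 Impressive... Studying the analysis carefully. I hope I will be able to understand this article within a short time. Newbie learning, working hard and harder. Studying the analysis carefully. Please make a video tutorial, reading it like this is tiring. Is the OP from Shaanxi? The registration name GUAPI looks very familiar. Thanks for sharing, the OP's tutorial is very good, could you teach us? Great unpacking tutorial, I hope I can understand it soon! Reply to 1# HPKEr
Very helpful, really impressive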