算法小生60个CRACKME之第五十八个
查找字符串,很容易的找到关键处00401139 $6A 32 push32 ; /Count = 32 (50.)
0040113B .68 F3204000 pushCrackMe.004020F3 ; |Buffer = CrackMe.004020F3
00401140 .68 C8000000 push0C8; |ControlID = C8 (200.)
00401145 .FF75 08 pushdword ptr ss: ; |hWnd = 00120518 ('CrackMe #1 coded by Bad Sector',class='#32770')
00401148 .E8 DE000000 call<jmp.&USER32.GetDlgItemTextA>; \GetDlgItemTextA
0040114D .83F8 00 cmp eax, 0
00401150 .0F84 99000000 jeCrackMe.004011EF
00401156 .83F8 04 cmp eax, 4
00401159 .0F82 90000000 jbCrackMe.004011EF
0040115F .33C9xor ecx, ecx
00401161 .33DBxor ebx, ebx
00401163 .33F6xor esi, esi ;CrackMe.00401029
00401165 .8945 FC mov dword ptr ss:, eax
00401168 >0FBE81 F32040>movsx eax, byte ptr ds:
0040116F .83F8 20 cmp eax, 20
00401172 .74 07 jeshort CrackMe.0040117B
00401174 .6BC0 04 imuleax, eax, 4
00401177 .03D8add ebx, eax
00401179 .8BF3mov esi, ebx
0040117B >41inc ecx
0040117C .3B4D FC cmp ecx, dword ptr ss:
0040117F .^ 75 E7 jnz short CrackMe.00401168
00401181 .83FE 00 cmp esi, 0
00401184 .74 69 jeshort CrackMe.004011EF
00401186 .BB 89476500 mov ebx, 654789
0040118B >0FBE81 F22040>movsx eax, byte ptr ds:
00401192 .4Bdec ebx
00401193 .6BC3 02 imuleax, ebx, 2
00401196 .03D8add ebx, eax
00401198 .4Bdec ebx
00401199 .49dec ecx
0040119A .^ 75 EF jnz short CrackMe.0040118B
0040119C .56pushesi; /<%lu> = 401029 (4198441.)
0040119D .53pushebx; |<%lX> = 0
0040119E .68 C7204000 pushCrackMe.004020C7 ; |Format = "BS-%lX-%lu"
004011A3 .68 BB214000 pushCrackMe.004021BB ; |s = CrackMe.004021BB
004011A8 .E8 6C000000 call<jmp.&USER32.wsprintfA>; \wsprintfA
004011AD .58pop eax;CrackMe.004010AC
004011AE .58pop eax;CrackMe.004010AC
004011AF .58pop eax;CrackMe.004010AC
004011B0 .58pop eax;CrackMe.004010AC
004011B1 .E8 01000000 callCrackMe.004011B7
004011B6 .C3retn
004011B7 $33C9xor ecx, ecx
004011B9 .6A 32 push32 ; /Count = 32 (50.)
004011BB .68 57214000 pushCrackMe.00402157 ; |Buffer = CrackMe.00402157
004011C0 .68 C9000000 push0C9; |ControlID = C9 (201.)
004011C5 .FF75 08 pushdword ptr ss: ; |hWnd = 00120518 ('CrackMe #1 coded by Bad Sector',class='#32770')
004011C8 .E8 5E000000 call<jmp.&USER32.GetDlgItemTextA>; \GetDlgItemTextA
004011CD .83F8 00 cmp eax, 0
004011D0 .74 1D jeshort CrackMe.004011EF
004011D2 .33C9xor ecx, ecx
004011D4 >0FBE81 572140>movsx eax, byte ptr ds:
004011DB .0FBE99 BB2140>movsx ebx, byte ptr ds:
004011E2 .3BC3cmp eax, ebx
004011E4 .75 09 jnz short CrackMe.004011EF
004011E6 .83F8 00 cmp eax, 0
004011E9 .74 19 jeshort CrackMe.00401204
004011EB .41inc ecx
004011EC .^ EB E6 jmp short CrackMe.004011D4
004011EE .C3retn
004011EF >6A 10 push10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004011F1 .68 E4204000 pushCrackMe.004020E4 ; |Title = "Nope"
004011F6 .68 E9204000 pushCrackMe.004020E9 ; |Text = "Try again"
004011FB .FF75 08 pushdword ptr ss: ; |hOwner = 00120518 ('CrackMe #1 coded by Bad Sector',class='#32770')
004011FE .E8 34000000 call<jmp.&USER32.MessageBoxA>; \MessageBoxA
00401203 .C3retn
00401204 >6A 40 push40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401206 .68 D2204000 pushCrackMe.004020D2 ; |Title = "Solved"
0040120B .68 D9204000 pushCrackMe.004020D9 ; |Text = "Well done."
00401210 .FF75 08 pushdword ptr ss: ; |hOwner = 00120518 ('CrackMe #1 coded by Bad Sector',class='#32770')
00401213 .E8 1F000000 call<jmp.&USER32.MessageBoxA>; \MessageBoxA
00401218 .C3retn
分析:
00401148 .E8 DE000000 call<jmp.&USER32.GetDlgItemTextA>; \GetDlgItemTextA
0040114D .83F8 00 cmp eax, 0
00401150 .0F84 99000000 jeCrackMe.004011EF
获得用户名,长度为0则失败
00401156 .83F8 04 cmp eax, 4
00401159 .0F82 90000000 jbCrackMe.004011EF
长度小于4则失败
0040115F .33C9xor ecx, ecx
00401161 .33DBxor ebx, ebx
00401163 .33F6xor esi, esi
都清零
A部分:
00401165 .8945 FC mov dword ptr ss:, eax
00401168 >0FBE81 F32040>movsx eax, byte ptr ds:
0040116F .83F8 20 cmp eax, 20
00401172 .74 07 jeshort CrackMe.0040117B//用户名的字符 ascci值小于20则失败
00401174 .6BC0 04 imuleax, eax, 4 //ascci值乘以4,(如1的ascci值十六进制为31,十进制为49,乘以4后为十进制196,即十六进制C4)
00401177 .03D8add ebx, eax //累加到EBX
00401179 .8BF3mov esi, ebx//移到ESI
0040117B >41inc ecx
0040117C .3B4D FC cmp ecx, dword ptr ss:
0040117F .^ 75 E7 jnz short CrackMe.00401168 //循环取完每一位
00401181 .83FE 00 cmp esi, 0
00401184 .74 69 jeshort CrackMe.004011EF
B部分
00401186 .BB 89476500 mov ebx, 654789 //常数给EBX
0040118B >0FBE81 F22040>movsx eax, byte ptr ds://倒序依次取用户名字符
00401192 .4Bdec ebx //EBX减一
00401193 .6BC3 02 imuleax, ebx, 2 //EAX = EBX * 2
00401196 .03D8add ebx, eax EBX = EBX + EAX
00401198 .4Bdec ebx //EBX减一
00401199 .49dec ecx //ECX减一
0040119A .^ 75 EF jnz short CrackMe.0040118B
0040119C .56pushesi; /<%lu> = 3FC (1020.)
0040119D .53pushebx; |<%lX> = 42
0040119E .68 C7204000 pushCrackMe.004020C7 ; |Format = "BS-%lX-%lu"
004011A3 .68 BB214000 pushCrackMe.004021BB ; |s = CrackMe.004021BB
004011A8 .E8 6C000000 call<jmp.&USER32.wsprintfA>; \wsprintfA
算出真码
真码为BS-(A部分算出的ESI)-(B部分算出的EBX)
004011B9 .6A 32 push32 ; /Count = 32 (50.)
004011BB .68 57214000 pushCrackMe.00402157 ; |Buffer = CrackMe.00402157
004011C0 .68 C9000000 push0C9; |ControlID = C9 (201.)
004011C5 .FF75 08 pushdword ptr ss: ; |hWnd = 00160518 ('CrackMe #1 coded by Bad Sector',class='#32770')
004011C8 .E8 5E000000 call<jmp.&USER32.GetDlgItemTextA>; \GetDlgItemTextA
004011CD .83F8 00 cmp eax, 0
004011D0 .74 1D jeshort CrackMe.004011EF
获得注册码,并要求不为空
004011D2 .33C9xor ecx, ecx
004011D4 >0FBE81 572140>movsx eax, byte ptr ds:
004011DB .0FBE99 BB2140>movsx ebx, byte ptr ds:
004011E2 .3BC3cmp eax, ebx
004011E4 .75 09 jnz short CrackMe.004011EF
004011E6 .83F8 00 cmp eax, 0
004011E9 .74 19 jeshort CrackMe.00401204
004011EB .41inc ecx
004011EC .^ EB E6 jmp short CrackMe.004011D4
真码与伪码一个字符一个字符的比较
004011EF > \6A 10 push10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004011F1 .68 E4204000 pushCrackMe.004020E4 ; |Title = "Nope"
004011F6 .68 E9204000 pushCrackMe.004020E9 ; |Text = "Try again"
004011FB .FF75 08 pushdword ptr ss: ; |hOwner = 0004034A ('CrackMe #1 coded by Bad Sector',class='#32770')
004011FE .E8 34000000 call<jmp.&USER32.MessageBoxA>; \MessageBoxA
00401203 .C3retn
00401204 >6A 40 push40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401206 .68 D2204000 pushCrackMe.004020D2 ; |Title = "Solved"
0040120B .68 D9204000 pushCrackMe.004020D9 ; |Text = "Well done."
00401210 .FF75 08 pushdword ptr ss: ; |hOwner = 0004034A ('CrackMe #1 coded by Bad Sector',class='#32770')
00401213 .E8 1F000000 call<jmp.&USER32.MessageBoxA>; \MessageBoxA
00401218 .C3retn
成功与失败! 学习学习 偶要CM~~~~~
每此看到 都能弥补自己的不足
谢谢LZ给我们带来的破文分析
页:
[1]