This post was last edited by 成熟的美羊羊 on 2022-11-4 15:59.
I'm a beginner who has never written a keygen, so I cobbled together a half-finished one; it will have to do.
Patch
00402117 | BE 9F521062 | mov esi,6210529F | esi takes part in computing the message-box string
0040211C | 90 | nop | just replace it with the operand that the compare at 00402178 uses
0040211D | 90 | nop |
0040211E | 90 | nop |
The call sub_401E10 computes a checksum of the code section (something like CRC32) that is then used in computing the correct password.
int sub_401E10(void* begin, int length): this call is __fastcall. The convention is that the first two arguments are passed in the registers ecx and edx, any remaining arguments go on the stack (right to left), and the return value is in eax.
00401F58 | 8B7411 24 | mov esi,dword ptr ds:[ecx+edx+24] | esi:sub_401000
00401F5C | 8B5411 20 | mov edx,dword ptr ds:[ecx+edx+20] | rough size of the code section
00401F60 | 03F0 | add esi,eax | esi:sub_401000
00401F62 | 8BCE | mov ecx,esi | esi:sub_401000,GetModuleHandleW
00401F64 | E8 A7FEFFFF | call <crackme_cracked.E_sub_401E10> |
sub_00401CB0: Unicode_2_Ascii, which converts a Unicode string into an ASCII string.
00401F69 | 8B97 D8000000 | mov edx,dword ptr ds:[edi+D8] | edx:L"ZhouQing", [edi+D8]:L"ZhouQing"
00401F6F | 8D8D A8FDFFFF | lea ecx,dword ptr ss:[ebp-258] |
00401F75 | 8985 C4FDFFFF | mov dword ptr ss:[ebp-23C],eax | eax = code-section checksum returned by sub_401E10
00401F7B | E8 30FDFFFF | call <crackme_cracked.Unicode_2_Ascii> |
00401F80 | 8B8F D8000000 | mov ecx,dword ptr ds:[edi+D8] | [edi+D8]:L"ZhouQing"
00401F86 | 8378 14 10 | cmp dword ptr ds:[eax+14],10 | eax:"ZhouQing"
Compute the checksum of the username (probably not the right name for it, never mind).
00401F8C | 8B00 | mov eax,dword ptr ds:[eax] | eax:"ZhouQing"
00401F8E <crackme_cracked.loc_401F8E> | 8B51 F4 | mov edx,dword ptr ds:[ecx-C] | edx=8 (length of the username)
00401F91 | 8BC8 | mov ecx,eax | ecx:"ZhouQing", eax:"ZhouQing"
00401F93 | E8 78FEFFFF | call <crackme_cracked.E_sub_401E10> |
00401F98 | 8B95 BCFDFFFF | mov edx,dword ptr ss:[ebp-244] | eax=80C13D6D
Assembly that looks like the following was never executed at all:
00401FA3 | 72 31 | jb <crackme_cracked.loc_401FD6> |
00401FA5 | 8B8D A8FDFFFF | mov ecx,dword ptr ss:[ebp-258] |
00401FAB | 42 | inc edx |
00401FAC | 8BC1 | mov eax,ecx |
00401FAE | 81FA 00100000 | cmp edx,1000 |
00401FB4 | 72 16 | jb <crackme_cracked.loc_401FCC> |
00401FB6 | 8B49 FC | mov ecx,dword ptr ds:[ecx-4] |
00401FB9 | 83C2 23 | add edx,23 |
00401FBC | 2BC1 | sub eax,ecx |
00401FBE | 83C0 FC | add eax,FFFFFFFC |
00401FC1 | 83F8 1F | cmp eax,1F |
00401FC4 | 76 06 | jbe <crackme_cracked.loc_401FCC> |
00401FC6 | FF15 48A14000 | call dword ptr ds:[<&_invalid_parameter_noinfo_noreturn>] |
00401FCC <crackme_cracked.loc_401FCC> | 52 | push edx | loc_401FCC
00401FCD | 51 | push ecx |
00401FCE | E8 25670000 | call <crackme_cracked.sub_4086F8> |
00401FD3 | 83C4 08 | add esp,8 |
Fetching the password
00402067 | C645 FC 04 | mov byte ptr ss:[ebp-4],4 | fetch password
Password to integer
004020FE | 8378 14 10 | cmp dword ptr ds:[eax+14],10 | password
00402102 | 72 02 | jb <crackme.loc_402106> |
00402104 | 8B00 | mov eax,dword ptr ds:[eax] | if the string is longer than 0x10 the buffer is a heap pointer and gets dereferenced (MSVC std::string small-string check)
00402106 <crackme.loc_402106> | 6A 10 | push 10 | loc_402106 (base 16)
00402108 | 6A 00 | push 0 | endptr = NULL
0040210A | 50 | push eax | the password string
0040210B | FF15 18A14000 | call dword ptr ds:[<&strtol>] | string to integer: strtol(password, NULL, 16)
00402111 | 8B95 BCFDFFFF | mov edx,dword ptr ss:[ebp-244] |
Key algorithm
00402117 | 8BF0 | mov esi,eax | esi = password_int ^ (code-section checksum ^ username checksum)
00402119 | 33B5 C4FDFFFF | xor esi,dword ptr ss:[ebp-23C] | if (esi == 0x6210529F) => correct
00402178 <crackme.loc_402178> | 81FE 9F521062 | cmp esi,6210529F | loc_402178
0040217E | 75 36 | jne <crackme.loc_4021B6> |

So if we want to derive the correct password, the algorithm should look like this. Turn off ASLR; there seems to be an overflow case, but never mind. password = (code-section checksum ^ username checksum) ^ 0x6210529F;
[Patch screenshot]