我是用户
Posted 2013-7-15 18:41
This post was last edited by 我是用户 on 2013-7-15 18:44
【Program name】: Delphi2
【Author's e-mail】: 2714608453@qq.com
【Download】: see attachment
【Language】: Delphi
【Tools used】: OD (OllyDbg)
【Platform】: XP SP2
【Author's statement】: Purely out of interest, no other purpose. If I've slipped up anywhere, I'd be grateful for corrections!
1. Packer check
See Figure 1:
It's Delphi, no doubt about it.
2. Removing the anti-debugging
First open the CrackMe, enter a User and Key, click OK, and the program throws an error.
See Figure 2:
Let's first look at the CrackMe's description:
Everything is allowed.
For elite crackers: Try to write a keygenme for this!
Hint: "Its not a bug - its a feature" ;)
I wish you good luck
This program actually has anti-debugging, which is why it errors out.
Note the faulting address from Figure 2, 004057CD, follow it in OD and set a breakpoint there.
See Figure 3:
Run it again and the program errors.
See Figure 4:
Now note the faulting address from Figure 4, 004055E7, follow it in OD and set a breakpoint there.
Run it again and the program breaks.
See Figure 5:
You can see that it references an address that does not exist, hence the error.
The code is as follows:
00405500 . 55 push ebp
00405501 . 8BEC mov ebp,esp
00405503 . 81C4 54FEFFFF add esp,-0x1AC
00405509 . 33C0 xor eax,eax
0040550B . 8985 54FEFFFF mov dword ptr ss:[ebp-0x1AC],eax
00405511 . 8985 58FEFFFF mov dword ptr ss:[ebp-0x1A8],eax
00405517 . 33C0 xor eax,eax
00405519 . 55 push ebp
0040551A . 68 42564000 push breakdow.00405642
0040551F . 64:FF30 push dword ptr fs:[eax]
00405522 . 64:8920 mov dword ptr fs:[eax],esp
00405525 . 8D55 EC lea edx,dword ptr ss:[ebp-0x14]
00405528 . B8 A8774000 mov eax,breakdow.004077A8
0040552D . B9 10000000 mov ecx,0x10
00405532 . E8 15D6FFFF call breakdow.00402B4C
00405537 . 8D55 84 lea edx,dword ptr ss:[ebp-0x7C]
0040553A . B8 B8774000 mov eax,breakdow.004077B8
0040553F . B9 10000000 mov ecx,0x10
00405544 . E8 03D6FFFF call breakdow.00402B4C
00405549 > 8D95 58FEFFFF lea edx,dword ptr ss:[ebp-0x1A8]
0040554F . A1 C8774000 mov eax,dword ptr ds:[0x4077C8] ; z 1,
00405554 . E8 27FFFFFF call breakdow.00405480
00405559 . 8B85 58FEFFFF mov eax,dword ptr ss:[ebp-0x1A8]
0040555F . E8 90E4FFFF call breakdow.004039F4
00405564 . 8BD0 mov edx,eax
00405566 . 8D8D C4FEFFFF lea ecx,dword ptr ss:[ebp-0x13C]
0040556C . 33C0 xor eax,eax
0040556E . E8 31FEFFFF call breakdow.004053A4
00405573 . 8D95 54FEFFFF lea edx,dword ptr ss:[ebp-0x1AC]
00405579 . A1 CC774000 mov eax,dword ptr ds:[0x4077CC] ; z= 1,
0040557E . E8 FDFEFFFF call breakdow.00405480
00405583 . 8B85 54FEFFFF mov eax,dword ptr ss:[ebp-0x1AC]
00405589 . E8 66E4FFFF call breakdow.004039F4
0040558E . 8BD0 mov edx,eax
00405590 . 8D8D 5CFEFFFF lea ecx,dword ptr ss:[ebp-0x1A4]
00405596 . 33C0 xor eax,eax
00405598 . E8 07FEFFFF call breakdow.004053A4
0040559D . 8D55 94 lea edx,dword ptr ss:[ebp-0x6C]
004055A0 . 8D85 C4FEFFFF lea eax,dword ptr ss:[ebp-0x13C]
004055A6 . E8 A9FDFFFF call breakdow.00405354
004055AB . 8845 FF mov byte ptr ss:[ebp-0x1],al
004055AE . 8D95 2CFFFFFF lea edx,dword ptr ss:[ebp-0xD4]
004055B4 . 8D85 5CFEFFFF lea eax,dword ptr ss:[ebp-0x1A4]
004055BA . E8 95FDFFFF call breakdow.00405354
004055BF . 8845 FE mov byte ptr ss:[ebp-0x2],al
004055C2 . 31D2 xor edx,edx
004055C4 . BA 15000000 mov edx,0x15
004055C9 . 83FA 15 cmp edx,0x15
004055CC . 75 02 jnz short breakdow.004055D0
004055CE . 74 07 je short breakdow.004055D7
004055D0 > 00DE add dh,bl
004055D2 . AD lods dword ptr ds:[esi]
004055D3 DE db DE
004055D4 AB db AB
004055D5 90 nop
004055D6 1D db 1D
004055D7 . 0FB645 FF movzx eax,byte ptr ss:[ebp-0x1]
004055DB . 0FB655 FE movzx edx,byte ptr ss:[ebp-0x2]
004055DF . 00D0 add al,dl
004055E1 . 3C 02 cmp al,0x2
004055E3 . 7C 02 jl short breakdow.004055E7
004055E5 . 7D 03 jge short breakdow.004055EA
004055E7 > AD lods dword ptr ds:[esi]
004055E8 DE db DE
004055E9 90 nop
004055EA . 42 inc edx
004055EB . 84D2 test dl,dl
004055ED . 74 02 je short breakdow.004055F1
004055EF . 75 07 jnz short breakdow.004055F8
004055F1 > EF out dx,eax
004055F2 . BE ADDEA4A8 mov esi,0xA8A4DEAD
004055F7 . DFA0 3CA84000 fbld tbyte ptr ds:[eax+0x40A83C]
004055FD . BA 52000000 mov edx,0x52
00405602 . 84D2 test dl,dl
00405604 . 74 02 je short breakdow.00405608
00405606 . 75 09 jnz short breakdow.00405611
00405608 > EF out dx,eax
00405609 . BE ADDEA4A8 mov esi,0xA8A4DEAD
0040560E . 90 nop
0040560F . 00DF add bh,bl
00405611 > 84C0 test al,al
00405613 .^ 75 DC jnz short breakdow.004055F1
00405615 . 68 85000000 push 0x85 ; /Timeout = 133. ms
0040561A . E8 91EDFFFF call <jmp.&kernel32.Sleep> ; \Sleep
0040561F .^ E9 25FFFFFF jmp breakdow.00405549
This is an infinite loop used to detect CC (INT3) breakpoints; the loop body runs from 00405549 to 0040561F. So we guess it is a separate thread. Opening OD's thread window, we can clearly see there are two threads.
See Figure 6:
So we could set a breakpoint on CreateThread to stop this thread from being created, and thereby skip the CC breakpoint check. But look at this function again: it contains junk code, in the same pattern as the one at the program's entry point. We remove the junk code by hand.
The entry point code is as follows:
004060E4 > $ 55 push ebp
004060E5 . 8BEC mov ebp,esp
004060E7 . 83C4 F0 add esp,-0x10
004060EA . B8 F85D4000 mov eax,breakdow.00405DF8
004060EF . E8 48E2FFFF call breakdow.0040433C
004060F4 . 90 nop
004060F5 . 90 nop
004060F6 . 90 nop
004060F7 . 90 nop
004060F8 . 90 nop
004060F9 . 90 nop
004060FA . 90 nop
004060FB . 90 nop
004060FC . 90 nop
004060FD . 90 nop
004060FE . 90 nop
004060FF . 90 nop
00406100 . 90 nop
00406101 . 90 nop
00406102 . 90 nop
00406103 . 90 nop
00406104 . 90 nop
00406105 . 90 nop
00406106 . 90 nop
00406107 . 90 nop
00406108 . 90 nop
00406109 . 90 nop
0040610A . 90 nop
0040610B . 90 nop
0040610C . 90 nop
0040610D . 90 nop
0040610E 90 nop
0040610F 90 nop
00406110 90 nop
00406111 90 nop
00406112 90 nop
00406113 90 nop
00406114 90 nop
00406115 90 nop
00406116 90 nop
00406117 90 nop
00406118 90 nop
00406119 90 nop
0040611A 90 nop
0040611B 90 nop
0040611C 90 nop
0040611D 90 nop
0040611E 90 nop
0040611F 90 nop
00406120 90 nop
00406121 90 nop
00406122 90 nop
00406123 90 nop
00406124 90 nop
00406125 90 nop
00406126 90 nop
00406127 90 nop
00406128 90 nop
00406129 90 nop
0040612A . FF35 40A84000 push dword ptr ds:[0x40A840] ; /pThreadId = NULL
00406130 . 6A 00 push 0x0 ; |CreationFlags = 0
00406132 . 90 nop ; |
00406133 . 90 nop ; |
00406134 . 90 nop ; |
00406135 . 90 nop ; |
00406136 . 90 nop ; |
00406137 . 90 nop ; |
00406138 . 90 nop ; |
00406139 . 90 nop ; |
0040613A . 90 nop ; |
0040613B . 90 nop ; |
0040613C . 90 nop ; |
0040613D . 90 nop ; |
0040613E . 90 nop ; |
0040613F . 6A 00 push 0x0 ; |pThreadParm = NULL
00406141 . 8D05 00554000 lea eax,dword ptr ds:[0x405500] ; |
00406147 . 50 push eax ; |ThreadFunction = breakdow.00404380
00406148 . 6A 00 push 0x0 ; |StackSize = 0x0
0040614A . 6A 00 push 0x0 ; |pSecurity = NULL
0040614C . 90 nop ; |
0040614D . 90 nop ; |
0040614E . 90 nop ; |
0040614F . 90 nop ; |
00406150 . 90 nop ; |
00406151 . 90 nop ; |
00406152 . 90 nop ; |
00406153 . 90 nop ; |
00406154 . 90 nop ; |
00406155 . 90 nop ; |
00406156 . 90 nop ; |
00406157 . 90 nop ; |
00406158 . 90 nop ; |
00406159 . 90 nop ; |
0040615A . 90 nop ; |
0040615B . 90 nop ; |
0040615C . 8D05 7E434000 lea eax,dword ptr ds:[0x40437E] ; |
00406162 . 83C0 02 add eax,0x2 ; |
00406165 . FFD0 call eax ; \CreateThread
Break at 00406165; at that point ThreadFunction = breakdow.00404380,
which is exactly the thread's entry point. NOP out the entire CreateThread call to skip the anti-debugging.
3. Patching
Patching is simple. Note the faulting address from Figure 2, 004057CD.
The code is as follows:
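As an added illustration (this is my own Python, not code from the post or from the crackme), the script below models the two tricks described above on an excerpt of the thread's listing copied from the post: it rebuilds the raw bytes from the OllyDbg text, finds the `jcc short +2 / inverted-jcc short +n` pairs whose fall-through bytes are the junk the author removed by hand (the same pattern that appears again in the patched listing of step 3), NOP-fills those spans, and then runs the kind of 0xCC scan the post attributes to the watchdog loop, which shows why a software breakpoint written by the debugger is visible to such a check while the cleaned bytes are not. The function names, the regexes and the decision to keep the jump pairs and only overwrite the junk are assumptions of this example.

```python
import re

# Constructed excerpt of the post's OllyDbg listing of the checking thread
# (bytes copied from the dump above: address, OllyDbg marker, hex bytes, mnemonic).
LISTING = """\
004055C2 . 31D2 xor edx,edx
004055C4 . BA 15000000 mov edx,0x15
004055C9 . 83FA 15 cmp edx,0x15
004055CC . 75 02 jnz short breakdow.004055D0
004055CE . 74 07 je short breakdow.004055D7
004055D0 > 00DE add dh,bl
004055D2 . AD lods dword ptr ds:[esi]
004055D3 DE db DE
004055D4 AB db AB
004055D5 90 nop
004055D6 1D db 1D
004055D7 . 0FB645 FF movzx eax,byte ptr ss:[ebp-0x1]
004055DB . 0FB655 FE movzx edx,byte ptr ss:[ebp-0x2]
004055DF . 00D0 add al,dl
004055E1 . 3C 02 cmp al,0x2
004055E3 . 7C 02 jl short breakdow.004055E7
004055E5 . 7D 03 jge short breakdow.004055EA
004055E7 > AD lods dword ptr ds:[esi]
004055E8 DE db DE
004055E9 90 nop
004055EA . 42 inc edx
004055EB . 84D2 test dl,dl
"""

HEX_TOKEN = re.compile(r"^[/|\\]?[0-9A-F]{2}[0-9A-F:]*$")  # e.g. 75, 64:FF30, /7C
MARKER = re.compile(r"^[.>$^]+$")                           # OllyDbg's ., >, $, .^ markers
NOP = 0x90
INT3 = 0xCC


def parse_listing(text):
    """Rebuild (base_address, raw_bytes) from an OllyDbg text dump."""
    chunks = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        raw = ""
        for tok in tokens[1:]:
            if MARKER.match(tok):
                continue
            if not HEX_TOKEN.match(tok):
                break  # the first non-hex token is the mnemonic
            raw += tok.lstrip("/|\\").replace(":", "")
        chunks.append((int(tokens[0], 16), bytes.fromhex(raw)))
    chunks.sort()
    base, image = chunks[0][0], bytearray()
    for addr, data in chunks:
        if addr != base + len(image):
            raise ValueError(f"listing is not contiguous at {addr:08X}")
        image += data
    return base, image


def find_junk(base, image):
    """Locate 'jcc short +2 ; jNcc short +n' pairs.

    The first jump lands on the byte right after the pair; the second one has the
    inverted condition code (opcode ^ 1) and jumps n bytes further, so those n
    bytes are only reached on the path the predicate never takes: junk that
    derails a linear disassembler.  Returns [(junk_address, length), ...].
    """
    junk, i = [], 0
    while i + 3 < len(image):
        op1, rel1, op2, rel2 = image[i:i + 4]
        if 0x70 <= op1 <= 0x7F and rel1 == 2 and op2 == (op1 ^ 1) and rel2:
            junk.append((base + i + 4, rel2))
            i += 4 + rel2  # resume after the junk bytes
        else:
            i += 1
    return junk


def nop_junk(base, image, junk):
    """Overwrite the junk spans with NOPs; the jump pair itself is kept."""
    patched = bytearray(image)
    for addr, length in junk:
        off = addr - base
        patched[off:off + length] = bytes([NOP]) * length
    return patched


def find_int3(base, image, start, end):
    """Addresses in [start, end) holding 0xCC: the check the post attributes to the loop."""
    lo = max(start, base) - base
    hi = min(end, base + len(image)) - base
    return [base + i for i in range(lo, hi) if image[i] == INT3]


def demo():
    base, image = parse_listing(LISTING)
    junk = find_junk(base, image)
    clean = nop_junk(base, image, junk)
    # A software breakpoint (F2 in OllyDbg) on the jnz replaces its opcode with 0xCC.
    with_bp = bytearray(clean)
    with_bp[0x4055CC - base] = INT3
    return (junk,
            find_int3(base, clean, base, base + len(clean)),
            find_int3(base, with_bp, base, base + len(with_bp)))


if __name__ == "__main__":
    print(demo())
```

Running it reports the two junk spans (004055D0, 7 bytes and 004055E7, 3 bytes), no 0xCC in the cleaned excerpt, and exactly one hit at 004055CC once a software breakpoint is planted. That last point is the whole reason the post's approach works: a scan of this kind only sees bytes that were changed in the code, so it fires on an F2 breakpoint but cannot notice a hardware breakpoint, which leaves the bytes intact.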
004057C2 . /7C 03 jl short breakdow.004057C7
004057C4 > |AD lods dword ptr ds:[esi]
004057C5 . |DE90 39F07502 ficom word ptr ds:[eax+0x275F039]
004057CB . 74 03 je short breakdow.004057D0
004057CD . AD lods dword ptr ds:[esi]
004057CE DE db DE
004057CF 90 nop
004057D0 > 8A05 3CA84000 mov al,byte ptr ds:[0x40A83C]
004057D6 . 84C0 test al,al
004057D8 . 75 02 jnz short breakdow.004057DC
004057DA . 74 03 je short breakdow.004057DF
004057DC > AD lods dword ptr ds:[esi]
004057DD DE db DE
004057DE 90 nop
004057DF . 6A 40 push 0x40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004057E1 . FF35 D0774000 push dword ptr ds:[0x4077D0] ; |Title = "Goodboy"
004057E7 . FF35 D4774000 push dword ptr ds:[0x4077D4] ; |Text = "Congratulation"
004057ED . 6A 00 push 0x0 ; |hOwner = NULL
004057EF . E8 3CECFFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004057F4 . 33C0 xor eax,eax
004057F6 . 5A pop edx ; kernel32.7C817077
004057F7 . 59 pop ecx ; kernel32.7C817077
Removing the junk code and the anti-debugging is done the same way as in the previous step.
The patched code is as follows:
004056B8 $ 55 push ebp
004056B9 . 8BEC mov ebp,esp
004056BB . 33C9 xor ecx,ecx
004056BD . 51 push ecx
004056BE . 51 push ecx
004056BF . 51 push ecx
004056C0 . 51 push ecx
004056C1 . 51 push ecx
004056C2 . 51 push ecx
004056C3 . 51 push ecx
004056C4 . 51 push ecx
004056C5 . 33C0 xor eax,eax
004056C7 . 55 push ebp
004056C8 . 68 17584000 push breakdow.00405817
004056CD . 64:FF30 push dword ptr fs:[eax]
004056D0 . 64:8920 mov dword ptr fs:[eax],esp
004056D3 . 8D55 F0 lea edx,dword ptr ss:[ebp-0x10]
004056D6 . A1 18A84000 mov eax,dword ptr ds:[0x40A818]
004056DB . E8 30F7FFFF call breakdow.00404E10
004056E0 . 837D F0 00 cmp dword ptr ss:[ebp-0x10],0x0
004056E4 . 74 13 je short breakdow.004056F9
004056E6 . 8D55 EC lea edx,dword ptr ss:[ebp-0x14]
004056E9 . A1 1CA84000 mov eax,dword ptr ds:[0x40A81C]
004056EE . E8 1DF7FFFF call breakdow.00404E10
004056F3 . 837D EC 00 cmp dword ptr ss:[ebp-0x14],0x0
004056F7 . 75 04 jnz short breakdow.004056FD
004056F9 > B0 01 mov al,0x1
004056FB . EB 25 jmp short breakdow.00405722
004056FD > 8D55 E8 lea edx,dword ptr ss:[ebp-0x18]
00405700 . A1 18A84000 mov eax,dword ptr ds:[0x40A818]
00405705 . E8 06F7FFFF call breakdow.00404E10
0040570A . 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
0040570D . 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
00405710 . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
00405713 . 85C0 test eax,eax
00405715 . 74 05 je short breakdow.0040571C
00405717 . 83E8 04 sub eax,0x4
0040571A . 8B00 mov eax,dword ptr ds:[eax]
0040571C > 83F8 04 cmp eax,0x4
0040571F . 0F9CC0 setl al
00405722 > 84C0 test al,al
00405724 . 74 04 je short breakdow.0040572A
00405726 . B0 01 mov al,0x1
00405728 . EB 25 jmp short breakdow.0040574F
0040572A > 8D55 E0 lea edx,dword ptr ss:[ebp-0x20]
0040572D . A1 1CA84000 mov eax,dword ptr ds:[0x40A81C]
00405732 . E8 D9F6FFFF call breakdow.00404E10
00405737 . 8B45 E0 mov eax,dword ptr ss:[ebp-0x20]
0040573A . 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
0040573D . 8B45 E4 mov eax,dword ptr ss:[ebp-0x1C]
00405740 . 85C0 test eax,eax
00405742 . 74 05 je short breakdow.00405749
00405744 . 83E8 04 sub eax,0x4
00405747 . 8B00 mov eax,dword ptr ds:[eax]
00405749 > 83F8 0C cmp eax,0xC
0040574C . 0F95C0 setne al
0040574F > 84C0 test al,al
00405751 90 nop
00405752 90 nop
00405753 90 nop
00405754 90 nop
00405755 90 nop
00405756 90 nop
00405757 90 nop
00405758 90 nop
00405759 90 nop
0040575A 90 nop
0040575B 90 nop
0040575C 90 nop
0040575D 90 nop
0040575E 90 nop
0040575F 90 nop
00405760 90 nop
00405761 90 nop
00405762 90 nop
00405763 90 nop
00405764 90 nop
00405765 90 nop
00405766 90 nop
00405767 90 nop
00405768 90 nop
00405769 90 nop
0040576A 90 nop
0040576B 90 nop
0040576C 90 nop
0040576D 90 nop
0040576E 90 nop
0040576F 90 nop
00405770 90 nop
00405771 90 nop
00405772 90 nop
00405773 90 nop
00405774 90 nop
00405775 90 nop
00405776 90 nop
00405777 90 nop
00405778 90 nop
00405779 90 nop
0040577A 90 nop
0040577B . 8D55 F4 lea edx,dword ptr ss:[ebp-0xC]
0040577E . A1 18A84000 mov eax,dword ptr ds:[0x40A818]
00405783 . E8 88F6FFFF call breakdow.00404E10
00405788 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
0040578B . E8 C0FEFFFF call breakdow.00405650
00405790 . 8945 FC mov dword ptr ss:[ebp-0x4],eax
00405793 . 8D55 F4 lea edx,dword ptr ss:[ebp-0xC]
00405796 . A1 1CA84000 mov eax,dword ptr ds:[0x40A81C]
0040579B . E8 70F6FFFF call breakdow.00404E10
004057A0 . 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
004057A3 . E8 D0FEFFFF call breakdow.00405678
004057A8 . 8945 F8 mov dword ptr ss:[ebp-0x8],eax
004057AB . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
004057AE . 8B75 F8 mov esi,dword ptr ss:[ebp-0x8]
004057B1 90 nop
004057B2 90 nop
004057B3 90 nop
004057B4 90 nop
004057B5 90 nop
004057B6 90 nop
004057B7 90 nop
004057B8 90 nop
004057B9 90 nop
004057BA 90 nop
004057BB 90 nop
004057BC 90 nop
004057BD 90 nop
004057BE 90 nop
004057BF 90 nop
004057C0 90 nop
004057C1 90 nop
004057C2 90 nop
004057C3 90 nop
004057C4 90 nop
004057C5 90 nop
004057C6 90 nop
004057C7 90 nop
004057C8 90 nop
004057C9 90 nop
004057CA 90 nop
004057CB 90 nop
004057CC 90 nop
004057CD 90 nop
004057CE 90 nop
004057CF 90 nop
004057D0 90 nop
004057D1 90 nop
004057D2 90 nop
004057D3 90 nop
004057D4 90 nop
004057D5 90 nop
004057D6 90 nop
004057D7 90 nop
004057D8 90 nop
004057D9 90 nop
004057DA 90 nop
004057DB 90 nop
004057DC 90 nop
004057DD 90 nop
004057DE 90 nop
004057DF . 6A 40 push 0x40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004057E1 . FF35 D0774000 push dword ptr ds:[0x4077D0] ; |Title = "Goodboy"
004057E7 . FF35 D4774000 push dword ptr ds:[0x4077D4] ; |Text = "Congratulation"
004057ED . 6A 00 push 0x0 ; |hOwner = NULL
004057EF . E8 3CECFFFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
The success screen is shown in Figure 7:
Also, this button is message-driven, so setting a breakpoint on the button's event handler does not work.
OK, that's it for this lesson; all done.