This post was last edited by Liquor on 2013-8-20 23:51
【Title】: CrackMe cracking notes
【Author】: Crack_Qs
【Author e-mail】: qs#ff0000.cc (replace # with @)
【Software】: CrackMe1.2
【Download】: http://www.unpack.cn/thread-92953-1-1.html
【Language】: assembly
【Tools】: OllyDbg
【Platform】: Win Xp Sp3
【Author's note】: Just out of interest, no other purpose. Please point out any mistakes!
--------------------------------------------------------------------------------
【Detailed process】
After the program runs it drops a dll, so start with the dll.
The string table contains an obviously useful item, "\unpack.ini"; start from there.
00A71075 $ 55 push ebp
00A71076 . 8BEC mov ebp,esp
00A71078 . 83C4 FC add esp,-0x4
00A7107B . 53 push ebx
00A7107C . 56 push esi
00A7107D . 57 push edi
00A7107E . 6A 20 push 0x20 ; /Length = 20 (32.)
00A71080 . 68 4930A700 push dll.00A73049 ; |1111
00A71085 . E8 04030000 call <jmp.&kernel32.RtlZeroMemory> ; \RtlZeroMemory
00A7108A . 6A 20 push 0x20 ; /Count = 20 (32.)
00A7108C . 68 4930A700 push dll.00A73049 ; |1111
00A71091 . FF75 0C push dword ptr ss:[ebp+0xC] ; |ControlID
00A71094 . FF75 08 push dword ptr ss:[ebp+0x8] ; |hWnd
00A71097 . E8 C2020000 call <jmp.&user32.GetDlgItemTextA> ; \GetDlgItemTextA; read the username from the edit control
00A7109C . 68 4930A700 push dll.00A73049 ; /1111
00A710A1 . E8 FA020000 call <jmp.&kernel32.lstrlenA> ; \lstrlenA
00A710A6 . 8945 FC mov dword ptr ss:[ebp-0x4],eax ; username length stored at [ebp-0x4]
00A710A9 . 837D FC 06 cmp dword ptr ss:[ebp-0x4],0x6 ; compare the length with 0x6
00A710AD . 73 0E jnb Xdll.00A710BD ; jnb: jump if length >= 6, otherwise fall through and return 0
00A710AF . B8 00000000 mov eax,0x0
00A710B4 . 5F pop edi
00A710B5 . 5E pop esi
00A710B6 . 5B pop ebx
00A710B7 . C9 leave
00A710B8 . C2 0800 retn 0x8
00A710BB . EB 07 jmp Xdll.00A710C4
00A710BD > 5F pop edi
00A710BE . 5E pop esi
00A710BF . 5B pop ebx
00A710C0 . C9 leave
00A710C1 . C2 0800 retn 0x8 ; returns to 00A71320
00A71320 . 0BC0 or eax,eax ; return lands here; OR EAX with itself to test for zero
00A71322 . 75 09 jnz Xdll.00A7132D
00A71324 . 5F pop edi
00A71325 . 5E pop esi
00A71326 . 5B pop ebx
00A71327 . C9 leave
00A71328 . C2 1000 retn 0x10
00A7132B . EB 0B jmp Xdll.00A71338
00A7132D > FF75 14 push dword ptr ss:[ebp+0x14]
00A71330 . FF75 08 push dword ptr ss:[ebp+0x8]
00A71333 . E8 22FEFFFF call dll.00A7115A ; calls MessageBox “注册信息已经保存,请重启软件检测” (registration info saved, restart the program to verify)
00A71338 > 5F pop edi
00A71339 . 5E pop esi
00A7133A . 5B pop ebx
00A7133B . C9 leave
00A7133C . C2 1000 retn 0x10
00A7115A $ 55 push ebp ; second time arriving here
00A7115B . 8BEC mov ebp,esp
00A7115D . 83C4 F8 add esp,-0x8
00A71160 . 53 push ebx
00A71161 . 56 push esi
00A71162 . 57 push edi
00A71163 . FF75 0C push dword ptr ss:[ebp+0xC]
00A71166 . FF75 08 push dword ptr ss:[ebp+0x8]
00A71169 . E8 56FFFFFF call dll.00A710C4 ; step into
00A7116E . 0BC0 or eax,eax
00A71170 . 75 09 jnz Xdll.00A7117B
00A71172 . 5F pop edi
00A71173 . 5E pop esi
00A71174 . 5B pop ebx
00A71175 . C9 leave
00A71176 . C2 0800 retn 0x8
00A710C4 $ 55 push ebp ; second time
00A710C5 . 8BEC mov ebp,esp
00A710C7 . 83C4 FC add esp,-0x4
00A710CA . 53 push ebx
00A710CB . 56 push esi
00A710CC . 57 push edi
00A710CD . 6A 20 push 0x20 ; /Length = 20 (32.)
00A710CF . 68 6930A700 push dll.00A73069 ; |Destination = dll.00A73069
00A710D4 . E8 B5020000 call <jmp.&kernel32.RtlZeroMemory> ; \RtlZeroMemory
00A710D9 . 6A 20 push 0x20 ; /Count = 20 (32.)
00A710DB . 68 6930A700 push dll.00A73069 ; |Buffer = dll.00A73069
00A710E0 . FF75 0C push dword ptr ss:[ebp+0xC] ; |ControlID
00A710E3 . FF75 08 push dword ptr ss:[ebp+0x8] ; |hWnd
00A710E6 . E8 73020000 call <jmp.&user32.GetDlgItemTextA> ; \GetDlgItemTextA; read the registration code from the edit control
00A710EB . 68 6930A700 push dll.00A73069 ; /String = "1234567890"
00A710F0 . E8 AB020000 call <jmp.&kernel32.lstrlenA> ; \lstrlenA
00A710F5 . 8945 FC mov dword ptr ss:[ebp-0x4],eax ; registration code length stored at [ebp-0x4]
00A710F8 . 837D FC 06 cmp dword ptr ss:[ebp-0x4],0x6 ; compare the length with 0x6
00A710FC . 73 0E jnb Xdll.00A7110C ; jnb: jump if length >= 6, otherwise fall through and return 0
00A710FE . B8 00000000 mov eax,0x0
00A71103 . 5F pop edi
00A71104 . 5E pop esi
00A71105 . 5B pop ebx
00A71106 . C9 leave
00A71107 . C2 0800 retn 0x8
The CrackMe's poster already stated that it verifies on restart. Since the ini has now been written, restart the program and keep going.
bp GetPrivateProfileStringA
0012FC34 7C8337BF /CALL to GetPrivateProfileStringA from kernel32.7C8337BA
0012FC38 00000000 |Section = NULL
0012FC3C 00000000 |Key = NULL
0012FC40 00000000 |Default = NULL
0012FC44 00A73199 |ReturnBuffer = dll.00A73199
0012FC48 00000020 |BufSize = 20 (32.)
0012FC4C 00A73089 \IniFileName = "C:\Documents and Settings\Administrator\桌面\unpack.ini"
00A711DE . 0BC0 or eax,eax ; return lands here
00A711E0 . 75 0C jnz Xdll.00A711EE
00A711E2 . 5F pop edi
00A711E3 . 5E pop esi
00A711E4 . 5B pop ebx
00A711E5 . C9 leave
00A711E6 . C2 1000 retn 0x10
00A711E9 . E9 09010000 jmp dll.00A712F7
00A711EE > 68 8930A700 push dll.00A73089 ; /C:\Documents and Settings\Administrator\桌面\unpack.ini
00A711F3 . 6A 20 push 0x20 ; |BufSize = 20 (32.)
00A711F5 . 68 B931A700 push dll.00A731B9 ; |ReturnBuffer = dll.00A731B9
00A711FA . 68 9931A700 push dll.00A73199 ; |Section = "1250962585096peace"
00A711FF . E8 78010000 call <jmp.&kernel32.GetPrivateProfileSec>; \GetPrivateProfileSectionA
00A71204 . BE B931A700 mov esi,dll.00A731B9 ; ASCII "crack0=1234567890"
00A71209 . BF 4930A700 mov edi,dll.00A73049 ; 1111
00A7120E . EB 07 jmp Xdll.00A71217
00A71210 > B9 01000000 mov ecx,0x1 ; copy one byte of the section entry into the username buffer
00A71215 . F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
00A71217 > 803E 3D cmp byte ptr ds:[esi],0x3D
00A7121A .^ 75 F4 jnz Xdll.00A71210 ; loops 6 times, until the '=' is reached
00A7121C . 46 inc esi ; skip the '=' so esi points at the registration code
00A7121D . 8975 FC mov dword ptr ss:[ebp-0x4],esi
00A71220 . 56 push esi ; /Text
00A71221 . FF75 10 push dword ptr ss:[ebp+0x10] ; |ControlID
00A71224 . FF75 08 push dword ptr ss:[ebp+0x8] ; |hWnd
00A71227 . E8 3E010000 call <jmp.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
00A7122C . 68 4930A700 push dll.00A73049 ; /1111
00A71231 . FF75 0C push dword ptr ss:[ebp+0xC] ; |ControlID
00A71234 . FF75 08 push dword ptr ss:[ebp+0x8] ; |hWnd
00A71237 . E8 2E010000 call <jmp.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
00A7123C . 68 2430A700 push dll.00A73024 ; /1250962585096peace
00A71241 . E8 5A010000 call <jmp.&kernel32.lstrlenA> ; \lstrlenA
00A71246 . 8945 F8 mov dword ptr ss:[ebp-0x8],eax
00A71249 . 33D2 xor edx,edx
00A7124B . 33C9 xor ecx,ecx
00A7124D . EB 0D jmp Xdll.00A7125C
00A7124F > BE 2430A700 mov esi,dll.00A73024 ; take every second byte of the string “1250962585096peace”
00A71254 . 8A0431 mov al,byte ptr ds:[ecx+esi] ; bytes taken: “1”“5”“9”“2”“8”“0”“6”“e”“c”
00A71257 . 03D0 add edx,eax
00A71259 . 83C1 02 add ecx,0x2
00A7125C > 3B4D F8 cmp ecx,dword ptr ss:[ebp-0x8]
00A7125F .^ 72 EE jb Xdll.00A7124F
00A71261 . 3155 F8 xor dword ptr ss:[ebp-0x8],edx
00A71264 . 68 4930A700 push dll.00A73049 ; /1111
00A71269 . E8 32010000 call <jmp.&kernel32.lstrlenA> ; \lstrlenA
00A7126E . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
00A71271 . 33C9 xor ecx,ecx
00A71273 . 33D2 xor edx,edx
00A71275 . EB 0B jmp Xdll.00A71282
00A71277 > BE 4930A700 mov esi,dll.00A73049 ; 1111; loop over the username
00A7127C . 8B1431 mov edx,dword ptr ds:[ecx+esi]
00A7127F . 03D2 add edx,edx
00A71281 . 41 inc ecx
00A71282 > 3B4D F4 cmp ecx,dword ptr ss:[ebp-0xC]
00A71285 .^ 72 F0 jb Xdll.00A71277
00A71287 . 3155 F8 xor dword ptr ss:[ebp-0x8],edx ; edx=60
00A7128A . 8B45 FC mov eax,dword ptr ss:[ebp-0x4] ; pointer to the entered (fake) code into eax
00A7128D . 8B00 mov eax,dword ptr ds:[eax] ; move the value at EAX into EAX? I watched the registers change but did not understand this line
00A7128F . 3945 F8 cmp dword ptr ss:[ebp-0x8],eax ; compare the entered code with the computed real value, i.e. EAX with [ebp-0x8]
00A71292 . 75 63 jnz Xdll.00A712F7 ; patching here is enough to crack it
00A71294 . FF75 10 push dword ptr ss:[ebp+0x10] ; /ControlID
00A71297 . FF75 08 push dword ptr ss:[ebp+0x8] ; |hWnd
00A7129A . E8 B9000000 call <jmp.&user32.GetDlgItem> ; \GetDlgItem
00A7129F . 6A 00 push 0x0 ; /Enable = FALSE
00A712A1 . 50 push eax ; |hWnd
00A712A2 . E8 AB000000 call <jmp.&user32.EnableWindow> ; \EnableWindow
00A712A7 . BE D931A700 mov esi,dll.00A731D9 ; (spank me, I'm being naughty) decoding starts here: two instructions decode one character
00A712AC . 8006 05 add byte ptr ds:[esi],0x5
00A712AF . C646 01 A7 mov byte ptr ds:[esi+0x1],0xA7 ; after decoding this gives “恭”
00A712B3 . C646 02 CF mov byte ptr ds:[esi+0x2],0xCF
00A712B7 . C646 03 B2 mov byte ptr ds:[esi+0x3],0xB2 ; after decoding this gives “喜”
00A712BB . 8046 04 76 add byte ptr ds:[esi+0x4],0x76
00A712BF . C646 05 C6 mov byte ptr ds:[esi+0x5],0xC6 ; after decoding this gives “破”
00A712C3 . C646 06 BD mov byte ptr ds:[esi+0x6],0xBD
00A712C7 . C646 07 E2 mov byte ptr ds:[esi+0x7],0xE2 ; after decoding this gives “解”
00A712CB . C646 08 B3 mov byte ptr ds:[esi+0x8],0xB3
00A712CF . C646 09 C9 mov byte ptr ds:[esi+0x9],0xC9 ; after decoding this gives “成”
00A712D3 . C646 0A B9 mov byte ptr ds:[esi+0xA],0xB9
00A712D7 . C646 0B A6 mov byte ptr ds:[esi+0xB],0xA6 ; after decoding this gives “功”
00A712DB . 56 push esi ; /the decoded string “恭喜破解成功” (congratulations, cracked successfully)
00A712DC . FF75 08 push dword ptr ss:[ebp+0x8] ; |hWnd
00A712DF . E8 8C000000 call <jmp.&user32.SetWindowTextA> ; \set it as the window title
00A712E4 . FF75 14 push dword ptr ss:[ebp+0x14] ; /ControlID
00A712E7 . FF75 08 push dword ptr ss:[ebp+0x8] ; |hWnd
00A712EA . E8 69000000 call <jmp.&user32.GetDlgItem> ; \GetDlgItem
00A712EF . 6A 00 push 0x0 ; /Enable = FALSE
00A712F1 . 50 push eax ; |hWnd
00A712F2 . E8 5B000000 call <jmp.&user32.EnableWindow> ; \EnableWindow, disables the register button
00A712F7 > 5F pop edi
00A712F8 . 5E pop esi ; CrackMe1.0040103F
00A712F9 . 5B pop ebx
00A712FA . C9 leave
00A712FB . C2 1000 retn 0x10
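To confirm the arithmetic traced in the listing, here is a re-implementation of the verification routine (00A7123C to 00A71292) in Python. This is an added example written for this write-up, not code from the CrackMe or its author; the 32-byte zero-filled buffers model the RtlZeroMemory'd buffers at 00A73049 and 00A73069, and the username "crack0" is the section entry copied into the username buffer at 00A71210.

```python
# Added example: re-implementation of the CrackMe1.2 registration check
# traced above (00A7123C..00A71292). Not the author's code.

SECTION_NAME = b"1250962585096peace"  # constant at dll.00A73024
BUF_SIZE = 0x20                        # both buffers are RtlZeroMemory'd to 32 bytes


def zeroed_buffer(data: bytes) -> bytearray:
    """Model a 32-byte buffer cleared with RtlZeroMemory and then filled.
    GetDlgItemTextA with Count=0x20 stores at most 31 chars plus a NUL."""
    buf = bytearray(BUF_SIZE)
    data = data[:BUF_SIZE - 1]
    buf[:len(data)] = data
    return buf


def section_hash(section: bytes) -> int:
    """Loop at 00A7124F: add every second byte, then XOR with the length."""
    total = sum(section[i] for i in range(0, len(section), 2))
    return len(section) ^ total


def username_term(name_buf: bytearray, name_len: int) -> int:
    """Loop at 00A71277: edx is overwritten each round, so only the dword
    starting at the last character (spilling into the zero padding) survives;
    it is then doubled by add edx,edx."""
    edx = 0
    for i in range(name_len):
        edx = int.from_bytes(name_buf[i:i + 4], "little")
        edx = (edx + edx) & 0xFFFFFFFF
    return edx


def expected_dword(section: bytes, username: bytes) -> int:
    """Value left in [ebp-0x8] before the compare at 00A7128F."""
    name_buf = zeroed_buffer(username)
    return section_hash(section) ^ username_term(name_buf, len(username))


def check(username: bytes, entered: bytes) -> bool:
    """00A7128A..00A71292: mov eax,[eax] reads the first four bytes of the
    entered text as a little-endian dword and compares it with [ebp-0x8]."""
    first_dword = int.from_bytes(zeroed_buffer(entered)[:4], "little")
    return first_dword == expected_dword(SECTION_NAME, username)


if __name__ == "__main__":
    # Values from the trace: ini entry "crack0=1234567890"
    print(hex(expected_dword(SECTION_NAME, b"crack0")))  # 0x245
    print(check(b"crack0", b"1234567890"))                # False
```

Only the first four bytes of the entered text take part in the comparison, which is why the routine compares a dword rather than a string.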
That completes the analysis.
--------------------------------------------------------------------------------
【Copyright notice】: This article is an original work by Crack_Qs; when reposting please credit the author and keep the article intact, thanks!
2013年05月01日 12:10:47