IFire
发表于 2013-11-19 19:12
西南某大学的决赛的cm1破解,大牛勿喷!
先用PEiD查壳,很好,没壳;再用OD载入。可以运行程序后暂停,从系统领空返回用户领空,或者直接查找字符串。这里用字符串查找比较方便:点击找到的字符串定位过去,然后F8走几步,就可以跟到关键代码处。
考虑到长度必须为15的基本要求,我输入的测试字符串为"0123456789abcde"
第一段:
; --- Main routine, part 1 (OllyDbg dump, Intel syntax). After the argument pushes are
; --- cleaned up (add esp,18 below) the input buffer is at [esp+10]; s[i] = byte i of it.
00401120 |. 68 50B04000 push 0040B050 ; ASCII "please input your CDKEY:"
00401125 |. 894C24 08 mov dword ptr [esp+8], ecx
00401129 |. 895424 0C mov dword ptr [esp+C], edx
0040112D |. 884424 10 mov byte ptr [esp+10], al
00401131 |. E8 39030000 call 0040146F ; #prints the prompt pushed above (presumably printf-like; body not in this dump)
00401136 |. 8D4C24 14 lea ecx, dword ptr [esp+14] ; #ecx = &s (input buffer)
0040113A |. 51 push ecx
0040113B |. 68 4CB04000 push 0040B04C ; ASCII "%s"
00401140 |. E8 13030000 call 00401458 ; #reads s with "%s" (presumably scanf-like; no length limit visible)
00401145 |. 8D5424 1C lea edx, dword ptr [esp+1C] ; #edx = &s
00401149 |. 52 push edx
0040114A |. E8 B1FEFFFF call 00401000 ; #call_1: strlen(s), must be 15 (0Fh)
0040114F |. 8D4424 20 lea eax, dword ptr [esp+20] ; #eax = &s = 0012FE84 in this run (ASCII "0123456789abcde")
00401153 |. 50 push eax ; #eax = 0012FE84
00401154 |. E8 C7FEFFFF call 00401020 ; #call_2: first transform, in place: s[0..2] /= 10, s[4..6] *= 3; also requires s[3] == '-'
00401159 |. 8D4C24 24 lea ecx, dword ptr [esp+24] ; #ecx = &s = 0012FE84
; #this is where the string lives; keep this address in the dump window while working through the checks
0040115D |. 51 push ecx
0040115E |. E8 0DFFFFFF call 00401070 ; #call_3: checks the transformed s[0..2]
00401163 |. 8A4424 2C mov al, byte ptr [esp+2C] ; #al = s[4] (already multiplied by 3 in call_2)
00401167 |. 83C4 18 add esp, 18 ; #pop the 6 arguments pushed above; esp = 0012FE74
0040116A |. 3C D2 cmp al, 0D2 ; #need s[4]*3 == 0D2h (210) -> s[4] = 70 = 'F'
0040116C |. 74 09 je short 00401177 ; #must jump
0040116E |. 33C0 xor eax, eax ; #fail path: return 0
00401170 |. 81C4 10010000 add esp, 110
00401176 |. C3 retn
00401177 |> \8D5424 00 lea edx, dword ptr [esp]
0040117B |. 52 push edx
0040117C |. E8 2FFFFFFF call 004010B0 ; #operates on the "hello world!" string only -- a decoy, skip it
00401181 |. 8A4424 19 mov al, byte ptr [esp+19] ; #al = s[5] (already *3)
00401185 |. 83C4 04 add esp, 4 ; #pop the decoy's argument; esp = 0012FE74
00401188 |. 3C DE cmp al, 0DE ; #need s[5]*3 == 0DEh (222) -> s[5] = 74 = 'J'
0040118A |. 74 09 je short 00401195 ; #must jump
0040118C |. 33C0 xor eax, eax ; #fail path: return 0
0040118E |. 81C4 10010000 add esp, 110
00401194 |. C3 retn
00401195 |> 807C24 16 93 cmp byte ptr [esp+16], 93 ; #need s[6]*3 == 93h (147) -> s[6] = 49 = '1'
0040119A |. 74 09 je short 004011A5 ; #must jump
0040119C |. 33C0 xor eax, eax ; #fail path: return 0
0040119E |. 81C4 10010000 add esp, 110
004011A4 |. C3 retn
----------------------------------------------------------------------------------------------------------
call_1:
; --- call_1: length check. In: [esp+4] = s. Out: eax = 15 when strlen(s) == 15; the jnz target 00401018 is not in this dump.
00401000 /$ 57 push edi
00401001 |. 8B7C24 08 mov edi, dword ptr [esp+8] ; #edi = s (first stack argument, +8 because of the push)
00401005 |. 83C9 FF or ecx, FFFFFFFF ; #ecx = -1, maximum scan count
00401008 |. 33C0 xor eax, eax ; #al = 0, the byte scasb looks for
0040100A |. F2:AE repne scas byte ptr es:[edi] ; #scan forward until the NUL terminator
0040100C |. F7D1 not ecx
0040100E |. 49 dec ecx ; #ecx = strlen(s): not/dec undo the -1 start and the counted NUL
0040100F |. 5F pop edi
00401010 |. 83F9 0F cmp ecx, 0F ; #length must be 0Fh (15)
00401013 |. 75 03 jnz short 00401018 ; #must NOT jump
00401015 |. 8BC1 mov eax, ecx ; #eax = 15 on success
00401017 |. C3 retn ----------------------------------------------------------------------------------------------------------
call_2:
; --- call_2: in-place transform. In: [esp+4] = s. Requires s[3] == '-'; then s[0..2] = s[0..2] / 10 (signed)
; --- and s[4..6] = s[4..6] * 3 (byte result, wraps mod 256). Clobbers eax, ecx, edx; esi is saved/restored.
00401020 |$ 8B4C24 04 mov ecx, dword ptr [esp+4] ; #ecx = s; ss:[0012FE60]=0012FE84 (ASCII "0123456789abcde") in this run
00401024 |. 8079 03 2D cmp byte ptr [ecx+3], 2D ; #s[3] must be '-' (2Dh)
00401028 |. 74 07 je short 00401031 ; #must jump
0040102A |. 6A FF push -1
0040102C |. E8 BC020000 call 004012ED ; #failure path; presumably exit(-1) -- callee not in this dump
00401031 |> 56 push esi
00401032 |. BE 03000000 mov esi, 3 ; #loop counter: 3 bytes, s[0..2]
00401037 |> 0FBE11 /movsx edx, byte ptr [ecx] ; #edx = (signed char)s[i]; 00000030 ('0') in this run
0040103A |. B8 67666666 |mov eax, 66666667 ; #magic divisor: 66666667h / 2^32 is roughly 2/5; together with the sar 2 below this is a signed divide by 10
0040103F |. F7EA |imul edx ; #edx:eax = s[i] * 66666667h, so edx is roughly s[i] * 2/5
00401041 |. C1FA 02 |sar edx, 2 ; #edx = s[i] / 10, rounded toward -inf
00401044 |. 8BC2 |mov eax, edx
00401046 |. C1E8 1F |shr eax, 1F ; #eax = sign bit of the quotient
00401049 |. 03D0 |add edx, eax ; #fix rounding toward zero for negatives; edx = s[i] / 10 with C semantics
0040104B |. 8811 |mov byte ptr [ecx], dl ; #s[i] = s[i] / 10, overwriting the original character (the '0' at 0012FE84 here)
0040104D |. 41 |inc ecx ; #advance to the next byte ('1' in this run)
0040104E |. 4E |dec esi ; #one iteration fewer
0040104F |.^ 75 E6 \jnz short 00401037
00401051 |. 41 inc ecx ; #skip s[3] ('-'); ecx = &s[4]
00401052 |. BE 03000000 mov esi, 3 ; #loop counter: 3 bytes, s[4..6]
00401057 |> 8A01 /mov al, byte ptr [ecx]
00401059 |. B2 03 |mov dl, 3
0040105B |. F6EA |imul dl ; #ax = al * 3; only al is stored back, so the product wraps mod 256
0040105D |. 8801 |mov byte ptr [ecx], al ; #s[i] = s[i] * 3 (s[4] first)
0040105F |. 41 |inc ecx ; #advance to the next byte ('5' in this run)
00401060 |. 4E |dec esi ; #one iteration fewer
00401061 |.^ 75 F4 \jnz short 00401057
00401063 |. 5E pop esi
00401064 \. C3 retn
----------------------------------------------------------------------------------------------------------
call_3:
; --- call_3: checks the transformed prefix. In: [esp+4] = s, where s[0..2] already hold the call_2 results (original / 10).
; --- Each failed check goes through push -1 / call 004012ED (presumably exit(-1); callee not in this dump).
00401070 /$ 8B4424 04 mov eax, dword ptr [esp+4] ; #eax = s; ss:[0012FE5C]=0012FE84 in this run
00401074 |. 0FBE08 movsx ecx, byte ptr [eax]
00401077 |. 83C1 04 add ecx, 4 ; #ecx = s[0] + 4
0040107A |. 83F9 0A cmp ecx, 0A ; #need s[0] + 4 == 0Ah, i.e. transformed s[0] == 6 -> original s[0] in 60..69 (decimal)
0040107D |. 74 07 je short 00401086 ; #must jump
0040107F |. 6A FF push -1
00401081 |. E8 67020000 call 004012ED ; #failure path
00401086 |> 0FBE50 01 movsx edx, byte ptr [eax+1] ; #edx = s[1]
0040108A |. 83EA 04 sub edx, 4 ; #edx -= 4
0040108D |. 83FA 01 cmp edx, 1 ; #need s[1] - 4 == 1, i.e. transformed s[1] == 5 -> original s[1] in 50..59 (decimal)
00401090 |. 74 07 je short 00401099 ; #must jump
00401092 |. 6A FF push -1
00401094 |. E8 54020000 call 004012ED ; #failure path
00401099 |> 0FBE40 02 movsx eax, byte ptr [eax+2] ; #eax = s[2]; eax no longer holds the pointer from here on
0040109D |. 8D0440 lea eax, dword ptr [eax+eax*2] ; #eax *= 3
004010A0 |. D1E0 shl eax, 1 ; #eax *= 2, so eax = 6 * s[2]
004010A2 |. 83F8 24 cmp eax, 24 ; #need 6 * s[2] == 24h (36), i.e. transformed s[2] == 6 -> original s[2] in 60..69 (decimal)
004010A5 |. 74 07 je short 004010AE ; #must jump
004010A7 |. 6A FF push -1
004010A9 |. E8 3F020000 call 004012ED ; #failure path
004010AE \> C3 retn
----------------------------------------------------------------------------------------------------------
以上是对第一段代码的分析,到这里就可得到(按十进制ASCII码)s[0]的范围:60 ~ 69;s[1]的范围:50 ~ 59;s[2]的范围:60 ~ 69;
根据比赛要求,s[0] = A,s[1] = 8,s[2] = E;
而s[3] = -,s[4] = F,s[5] = J,s[6] = 1;
----------------------------------------------------------------------------------------------------------
第二段:
; --- Main routine, part 2. Stack is clean again, so s is at [esp+10]; s[0..6] were fixed above,
; --- this part constrains s[8..14]. s[7] is never read here. Equation numbering follows the write-up.
004011A5 |> \8D4424 10 lea eax, dword ptr [esp+10] ; #eax = &s
004011A9 |. 50 push eax
004011AA |. E8 01FFFFFF call 004010B0 ; #the same decoy routine as before, ignore it
004011AF |. 8B4C24 22 mov ecx, dword ptr [esp+22] ; #dword load starting at &s[14]
004011B3 |. 8B5424 1E mov edx, dword ptr [esp+1E] ; #dword load starting at &s[10]
004011B7 |. 81E1 FF000000 and ecx, 0FF ; #ecx = s[14] (low byte only)
004011BD |. 81E2 FF000000 and edx, 0FF ; #edx = s[10]
004011C3 |. 83E9 20 sub ecx, 20 ; #ecx -= 20h
004011C6 |. 83C4 04 add esp, 4 ; #pop the decoy's argument
004011C9 |. 3BCA cmp ecx, edx ; #equation 1: s[14] - 20h == s[10]
004011CB |. 74 09 je short 004011D6 ; #must jump
004011CD |. 33C0 xor eax, eax ; #fail path: return 0
004011CF |. 81C4 10010000 add esp, 110
004011D5 |. C3 retn
004011D6 |> 8A4424 1E mov al, byte ptr [esp+1E] ; #al = s[14]
004011DA |. 34 15 xor al, 15 ; #al ^= 15h
004011DC |. 3C 6D cmp al, 6D ; #need s[14] ^ 15h == 6Dh -> s[14] = 78h = 'x', and by equation 1 s[10] = 58h = 'X'
004011DE |. 74 09 je short 004011E9 ; #must jump
004011E0 |. 33C0 xor eax, eax ; #fail path: return 0
004011E2 |. 81C4 10010000 add esp, 110
004011E8 |. C3 retn
004011E9 |> 8D4C24 10 lea ecx, dword ptr [esp+10] ; #ecx = &s
004011ED |. 51 push ecx
004011EE |. E8 BDFEFFFF call 004010B0 ; #decoy, skip
004011F3 |. 8A5424 21 mov dl, byte ptr [esp+21] ; #dl = s[13]
004011F7 |. 8A4424 1D mov al, byte ptr [esp+1D] ; #al = s[9]
004011FB |. 83C4 04 add esp, 4 ; #pop the decoy's argument
004011FE |. 3AD0 cmp dl, al ; #equation 2: s[13] == s[9]
00401200 |. 74 09 je short 0040120B ; #must jump
00401202 |. 33C0 xor eax, eax ; #fail path: return 0
00401204 |. 81C4 10010000 add esp, 110
0040120A |. C3 retn
0040120B |> 8A5424 1C mov dl, byte ptr [esp+1C] ; #dl = s[12]
0040120F |. 8A4C24 1B mov cl, byte ptr [esp+1B] ; #cl = s[11]
00401213 |. 8A4424 18 mov al, byte ptr [esp+18] ; #al = s[8]
00401217 |. 80F2 15 xor dl, 15 ; #dl ^= 15h
0040121A |. 80F1 15 xor cl, 15 ; #cl ^= 15h
0040121D |. 34 15 xor al, 15 ; #al ^= 15h
0040121F |. 885424 1C mov byte ptr [esp+1C], dl ; #s[12] ^= 15h, stored back; every use of s[8], s[11], s[12] below means the XORed value
00401223 |. 8B5424 1D mov edx, dword ptr [esp+1D] ; #dword load starting at &s[13]
00401227 |. 884C24 1B mov byte ptr [esp+1B], cl ; #s[11] ^= 15h
0040122B |. 884424 18 mov byte ptr [esp+18], al ; #s[8] ^= 15h
0040122F |. 8B4424 19 mov eax, dword ptr [esp+19] ; #dword load starting at &s[9]
00401233 |. 81E2 FF000000 and edx, 0FF ; #edx = s[13]
00401239 |. 25 FF000000 and eax, 0FF ; #eax = s[9]
0040123E |. 83EA 35 sub edx, 35 ; #edx = s[13] - 35h
00401241 |. 83E8 35 sub eax, 35 ; #eax = s[9] - 35h
00401244 |. 8B4C24 1C mov ecx, dword ptr [esp+1C] ; #dword load starting at &s[12]
00401248 |. 0FAFC2 imul eax, edx ; #eax = (s[9] - 35h) * (s[13] - 35h)
0040124B |. 81E1 FF000000 and ecx, 0FF ; #ecx = s[12]
00401251 |. 56 push esi
00401252 |. 03C1 add eax, ecx ; #eax += ecx
00401254 |. 57 push edi
00401255 |. 3BC1 cmp eax, ecx ; #eax == ecx right after adding ecx only if the product was 0
00401257 |. 75 4D jnz short 004012A6 ; #must NOT jump; with equation 2 this is equation 3: s[9] - 35h == 0, so s[9] = s[13] = '5'
00401259 |. 8B7C24 20 mov edi, dword ptr [esp+20] ; #dword load starting at &s[8] (offsets grew by 8 because of the two pushes)
0040125D |. 8B7424 23 mov esi, dword ptr [esp+23] ; #dword load starting at &s[11]
00401261 |. 81E7 FF000000 and edi, 0FF ; #edi = s[8]
00401267 |. 81E6 FF000000 and esi, 0FF ; #esi = s[11]
0040126D |. 8D043E lea eax, dword ptr [esi+edi] ; #eax = s[11] + s[8]
00401270 |. 03C1 add eax, ecx ; #eax += s[12]
00401272 |. 3D 81000000 cmp eax, 81 ; #equation 4: s[8] + s[11] + s[12] == 81h
00401277 |. 75 2D jnz short 004012A6 ; #must NOT jump
00401279 |. 8BC6 mov eax, esi ; #eax = s[11]
0040127B |. 99 cdq ; #sign-extend eax into edx:eax for idiv
0040127C |. F7FF idiv edi ; #eax = s[11] / s[8] (integer division; a zero s[8] here would raise a divide fault)
0040127E |. 03C1 add eax, ecx ; #eax += s[12]
00401280 |. 83F8 26 cmp eax, 26 ; #equation 5: s[11] / s[8] + s[12] == 26h
00401283 |. 75 21 jnz short 004012A6 ; #must NOT jump
00401285 |. 8D0449 lea eax, dword ptr [ecx+ecx*2] ; #eax = 3 * s[12]
00401288 |. 8D0C76 lea ecx, dword ptr [esi+esi*2] ; #ecx = 3 * s[11]
0040128B |. D1E0 shl eax, 1 ; #eax = 6 * s[12]
0040128D |. 99 cdq ; #sign-extend for idiv
0040128E |. F7FF idiv edi ; #eax = 6 * s[12] / s[8]
00401290 |. 03C1 add eax, ecx ; #eax += 3 * s[11]
00401292 |. 3D AE000000 cmp eax, 0AE ; #equation 6: 6 * s[12] / s[8] + 3 * s[11] == 0AEh
00401297 |. 75 0D jnz short 004012A6 ; #must NOT jump
00401299 |. 68 38B04000 push 0040B038 ; ASCII "Congradulations " ; #success message
0040129E |. E8 CC010000 call 0040146F ; #same output routine as the prompt at 00401131
----------------------------------------------------------------------------------------------------------
根据第二段的分析,有s[7]任意,s[9] = 5,s[10] = X,s[13] = 5,s[14] = x;
再根据最后三个等式即可求出s[8]、s[11]、s[12]的值,这里手算比较麻烦,我就直接写程序计算了;最后还得将结果和15H异或,因为前面对这三位做过一次异或运算
那就OK啦
----------------------------------------------------------------------------------------------------------
最后,作为第一帖,望各位顶一下,望自己能和大家一起交流,一起进步,真正提高自己!
支持吾爱!!
cm1.zip