After a while of studying I have finally made some progress, so here I am sharing how I removed the nag dialog in the first of the 160 crackmes. Experts, please go easy on me; I hope fellow newbies will exchange ideas with me so we can get closer to the experts' level.
160crackme 1
First, look through the file's imported functions. MessageBox is among them, so set a breakpoint on that function.
0042A1A2 50 PUSH EAX
0042A1A3 57 PUSH EDI
0042A1A4 |. 56 PUSH ESI ; |Text
0042A1A5 |. 8B43 24 MOV EAX,DWORD PTR DS:[EBX+0x24] ; |
0042A1A8 |. 50 PUSH EAX ; |hOwner
0042A1A9 |. E8 FAB5FDFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0042A1AE |. 8945 FC MOV DWORD PTR SS:[EBP-0x4],EAX
The function calls MessageBoxA at 0042A1A9 to pop up the prompt dialog.
Cracking approach:
1) At 42A1A2, jump directly to the return address of the MessageBoxA call.
2) NOP out the call at 0042A1A9.
With the first two methods the nag goes away, but registration no longer works; presumably the program calls this function again later on.
3) Search for the key strings to locate the nag function.
00425637 . 8B83 D0010000 MOV EAX,DWORD PTR DS:[EBX+0x1D0]
0042563D . FF93 CC010000 CALL DWORD PTR DS:[EBX+0x1CC] ; //
Following it in:
0042F784 . 6A 00 PUSH 0x0
0042F786 . B9 A0F74200 MOV ECX,Acid_bur.0042F7A0 ; hello you have to kill me!
0042F78B . BA BCF74200 MOV EDX,Acid_bur.0042F7BC ; Welcome to this Newbies Crackme made by ACiD BuRN [CracKerWoRlD]
0042F790 . A1 480A4300 MOV EAX,DWORD PTR DS:[0x430A48]
0042F795 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0042F797 . E8 D4A9FFFF CALL Acid_bur.0042A170
0042F79C . C3 RETN
The prompt dialog is shown at 0042F797; continue following in.
0042A170 /$ 55 PUSH EBP
0042A171 |. 8BEC MOV EBP,ESP
0042A173 |. 83C4 F4 ADD ESP,-0xC
0042A176 |. 53 PUSH EBX
0042A177 |. 56 PUSH ESI
0042A178 |. 57 PUSH EDI
0042A179 |. 8BF9 MOV EDI,ECX
0042A17B |. 8BF2 MOV ESI,EDX
0042A17D |. 8BD8 MOV EBX,EAX
0042A17F |. E8 7CB4FDFF CALL <JMP.&user32.GetActiveWindow> ; [GetActiveWindow
0042A184 |. 8945 F8 MOV DWORD PTR SS:[EBP-0x8],EAX
0042A187 |. 33C0 XOR EAX,EAX
0042A189 |. E8 12A0FFFF CALL Acid_bur.004241A0
0042A18E |. 8945 F4 MOV DWORD PTR SS:[EBP-0xC],EAX
0042A191 |. 33C0 XOR EAX,EAX
0042A193 |. 55 PUSH EBP
0042A194 |. 68 D0A14200 PUSH Acid_bur.0042A1D0
0042A199 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0042A19C |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0042A19F |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+0x8]
0042A1A2 50 PUSH EAX
0042A1A3 57 PUSH EDI
0042A1A4 |. 56 PUSH ESI ; |Text
0042A1A5 |. 8B43 24 MOV EAX,DWORD PTR DS:[EBX+0x24] ; |
0042A1A8 |. 50 PUSH EAX ; |hOwner
0042A1A9 E8 FAB5FDFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0042A1AE |. 8945 FC MOV DWORD PTR SS:[EBP-0x4],EAX
0042A1B1 |. 33C0 XOR EAX,EAX
0042A1B3 |. 5A POP EDX
0042A1B4 |. 59 POP ECX
0042A1B5 |. 59 POP ECX
0042A1B6 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0042A1B9 |. 68 D7A14200 PUSH Acid_bur.0042A1D7
0042A1BE |> 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-0xC]
0042A1C1 |. E8 8AA0FFFF CALL Acid_bur.00424250
0042A1C6 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-0x8]
0042A1C9 |. 50 PUSH EAX ; /hWnd
0042A1CA |. E8 59B6FDFF CALL <JMP.&user32.SetActiveWindow> ; \SetActiveWindow
0042A1CF \. C3 RETN
0042A1D0 .^E9 3F8FFDFF JMP Acid_bur.00403114
0042A1D5 .^EB E7 JMP SHORT Acid_bur.0042A1BE
0042A1D7 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-0x4]
0042A1DA . 5F POP EDI
0042A1DB . 5E POP ESI
0042A1DC . 5B POP EBX
0042A1DD . 8BE5 MOV ESP,EBP
0042A1DF . 5D POP EBP
0042A1E0 . C2 0400 RETN 0x4
So MessageBoxA is called inside this function. The first two modifications patch inside the function before it has fully returned to the caller, which breaks the function's internals.
At this point the whole routine that shows the dialog has been identified:
0042F784 . 6A 00 PUSH 0x0
0042F786 . B9 A0F74200 MOV ECX,Acid_bur.0042F7A0 ; hello you have to kill me!
0042F78B . BA BCF74200 MOV EDX,Acid_bur.0042F7BC ; Welcome to this Newbies Crackme made by ACiD BuRN [CracKerWoRlD]
0042F790 . A1 480A4300 MOV EAX,DWORD PTR DS:[0x430A48]
0042F795 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0042F797 . E8 D4A9FFFF CALL Acid_bur.0042A170
0042F79C . C3 RETN
Either return one more level and patch in the caller, or patch here (JMP from the function's first address to the return address, or NOP out the CALL).
Testing the feasibility of both methods
JMP to the return address:
0042F784 EB 16 JMP SHORT Acid_bur.0042F79C
0042F786 . B9 A0F74200 MOV ECX,Acid_bur.0042F7A0 ; hello you have to kill me!
0042F78B . BA BCF74200 MOV EDX,Acid_bur.0042F7BC ; Welcome to this Newbies Crackme made by ACiD BuRN [CracKerWoRlD]
0042F790 . A1 480A4300 MOV EAX,DWORD PTR DS:[0x430A48]
0042F795 . 8B00 MOV EAX,DWORD PTR DS:[EAX]
0042F797 . E8 D4A9FFFF CALL Acid_bur.0042A170
0042F79C . C3 RETN
After removing the nag this way, the serial is still checked. The internal structure is not damaged.
NOP out the CALL:
0042F784 6A 00 PUSH 0x0
0042F786 B9 A0F74200 MOV ECX,Acid_bur.0042F7A0 ; hello you have to kill me!
0042F78B BA BCF74200 MOV EDX,Acid_bur.0042F7BC ; Welcome to this Newbies Crackme made by ACiD BuRN [CracKerWoRlD]
0042F790 A1 480A4300 MOV EAX,DWORD PTR DS:[0x430A48]
0042F795 8B00 MOV EAX,DWORD PTR DS:[EAX]
0042F797 90 NOP
0042F798 90 NOP
0042F799 90 NOP
0042F79A 90 NOP
0042F79B 90 NOP
0042F79C C3 RETN
After removing the nag this way, a memory read error appears, but the subsequent serial verification still works normally.
You can also step out one more level and skip over the nag function there.
00425627 . 66:83B8 CE0100>CMP WORD PTR DS:[EAX+0x1CE],0x0
0042562F . 74 12 JE SHORT Acid_bur.00425643
00425631 . 8B5D FC MOV EBX,DWORD PTR SS:[EBP-0x4]
00425634 . 8B55 FC MOV EDX,DWORD PTR SS:[EBP-0x4]
00425637 . 8B83 D0010000 MOV EAX,DWORD PTR DS:[EBX+0x1D0]
0042563D . FF93 CC010000 CALL DWORD PTR DS:[EBX+0x1CC] ; // nag dialog
00425643 > 33C0 XOR EAX,EAX
00425645 . 5A POP EDX
Two places can be modified:
Change CMP WORD PTR DS:[EAX+0x1CE],0x0 so that it no longer compares against 0.
Or change JE SHORT Acid_bur.00425643 to JNE, or to an unconditional JMP.
I won't embarrass myself with the serial cracking that follows; everyone has surely finished it already. I am just sharing some of my thoughts on the process of cracking the nag dialog. Experts, please go easy on me.
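As an added example (not part of the original post), here is a small Python model of the three patches described above, built on the opcode bytes transcribed from the 0042F784 listing: it encodes the EB 16 short jump, applies the five NOPs, flips the JE at 0042562F, and simulates the stack to show why the NOP variant produces the memory read error the post reports. PUSH 0x0 still executes, but the callee's RETN 0x4 that would have popped it never runs, so the RETN at 0042F79C pops 0 as its return address; the caller's return address 00425643 is the instruction following the CALL at 0042563D in the listing.

```python
import struct

BASE = 0x0042F784  # start of the nag routine from the listing

# Opcode bytes of the routine, transcribed from the listing's opcode column.
ORIGINAL = bytes.fromhex(
    "6A00"        # 0042F784 PUSH 0x0
    "B9A0F74200"  # 0042F786 MOV ECX, Acid_bur.0042F7A0
    "BABCF74200"  # 0042F78B MOV EDX, Acid_bur.0042F7BC
    "A1480A4300"  # 0042F790 MOV EAX, [0x430A48]
    "8B00"        # 0042F795 MOV EAX, [EAX]
    "E8D4A9FFFF"  # 0042F797 CALL Acid_bur.0042A170
    "C3"          # 0042F79C RETN
)
CALL_ADDR, RETN_ADDR = 0x0042F797, 0x0042F79C

def encode_short_jmp(src: int, dst: int) -> bytes:
    """EB rel8; rel8 is measured from the end of the 2-byte instruction."""
    rel = dst - (src + 2)
    if not -128 <= rel <= 127:
        raise ValueError(f"{dst:#x} is out of short-jump range from {src:#x}")
    return b"\xEB" + struct.pack("<b", rel)

def patch_jmp_to_retn(code: bytes = ORIGINAL) -> bytes:
    """Method 1: the first instruction becomes JMP SHORT to the RETN (EB 16)."""
    jmp = encode_short_jmp(BASE, RETN_ADDR)
    return jmp + code[len(jmp):]

def patch_nop_call(code: bytes = ORIGINAL) -> bytes:
    """Method 2: the 5-byte CALL Acid_bur.0042A170 becomes five NOPs."""
    off = CALL_ADDR - BASE
    assert code[off] == 0xE8, "expected CALL rel32 at 0042F797"
    return code[:off] + b"\x90" * 5 + code[off + 5:]

def patch_je(code: bytes, off: int, mode: str) -> bytes:
    """Method 3, for the JE SHORT at 0042562F: 74 -> 75 (JNE) or EB (JMP)."""
    assert code[off] == 0x74, "expected JE rel8"
    return code[:off] + bytes([{"jne": 0x75, "jmp": 0xEB}[mode]]) + code[off + 1:]

def retn_target(variant: str, caller_ret: int = 0x00425643) -> int:
    """Where the RETN at 0042F79C actually returns for each variant.
    caller_ret is the address after the CALL DWORD PTR [EBX+0x1CC] at 0042563D.
    The callee 0042A170 ends in RETN 0x4, which pops the PUSH 0x0 argument."""
    stack = [caller_ret]            # pushed by the caller's CALL
    if variant != "jmp":            # JMP SHORT to RETN never executes PUSH 0x0
        stack.append(0)             # PUSH 0x0 at 0042F784
    if variant == "original":       # only the real CALL reaches the callee's RETN 0x4
        stack.pop()
    return stack.pop()              # RETN pops the top dword into EIP
```

Calling retn_target("nop") returns 0, i.e. the RETN jumps to address 0, which is the access violation seen after the NOP patch; "jmp" and "original" both return to 00425643.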