Teak
Posted on 2019-3-3 14:22
This post was last edited by Teak on 2019-3-30 20:36
I plan to go through all 160 CrackMes with an algorithm analysis of each. I will certainly refer to other people's approaches, but I will write up my own process.
I think the key to reverse engineering is hands-on practice; just reading does not make you grow. I hope people will point out anything I got wrong.
I don't know how long this will take me: maybe a year, maybe longer, maybe I'll stop writing. We'll see!
160 CrackMe 001: Acid_burn
1. Press F9 to run, as shown in the figure below.
2. Choose Serial/name and enter an arbitrary name and serial: 11111 and 12345.
3. A popup appears; it is produced by a call to MessageBox (see Programming Windows). Press F12 to pause the program, then click "k" (call stack) and you arrive at the window below.
In the figure above, the addresses starting with 77 are too high and do not belong to the module; look at the 40000 region instead. Follow the MessageBox call marked by the red arrow: right-click, "Show call", and in the disassembly window you can see the call to MessageBox. Scrolling up, you find a push ebp just below a retn, as shown below. Set a breakpoint there with F2, run, click OK and "chek it baby" again; execution stops at the push ebp where we set the breakpoint. Why? Once a call is entered there is normally a push, to keep the stack balanced.
Look at the stack window. Normally, after the logic that checks the name and serial, a message box is called to report whether they are correct. To find who calls MessageBox and the GetActive... functions, right-click the entry marked by the red arrow and choose "Follow in Disassembler", as shown below.
The stack window now looks like this:
CW-4018-CRACKED is what we want; you can enter it to verify.
How the serial 4018 that corresponds to 11111 is produced is the real focus.
Now go back to the code in the disassembly window and scroll up to push ebp, shown below. Beginners are advised to step through from push ebp line by line.
Algorithm analysis:
1. First step over everything with F8 and find where 4018 first appears.
0042F998 /. 55 push ebp ; stack frame
0042F999 |. 8BEC mov ebp,esp
0042F99B |. 33C9 xor ecx,ecx ; Acid_bur.0042FB74
0042F99D |. 51 push ecx ; Acid_bur.0042FB74
0042F99E |. 51 push ecx ; Acid_bur.0042FB74
0042F99F |. 51 push ecx ; Acid_bur.0042FB74
0042F9A0 |. 51 push ecx ; Acid_bur.0042FB74
0042F9A1 |. 51 push ecx ; Acid_bur.0042FB74
0042F9A2 |. 51 push ecx ; Acid_bur.0042FB74
0042F9A3 |. 53 push ebx
0042F9A4 |. 56 push esi
0042F9A5 |. 8BD8 mov ebx,eax
0042F9A7 |. 33C0 xor eax,eax
0042F9A9 |. 55 push ebp
0042F9AA |. 68 67FB4200 push Acid_bur.0042FB67
0042F9AF |. 64:FF30 push dword ptr fs:[eax]
0042F9B2 |. 64:8920 mov dword ptr fs:[eax],esp
0042F9B5 |. C705 50174300>mov dword ptr ds:[0x431750],0x29
0042F9BF |. 8D55 F0 lea edx,[local.4]
0042F9C2 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9C8 |. E8 8BB0FEFF call Acid_bur.0041AA58
0042F9CD |. 8B45 F0 mov eax,[local.4]
0042F9D0 |. E8 DB40FDFF call Acid_bur.00403AB0
0042F9D5 |. A3 6C174300 mov dword ptr ds:[0x43176C],eax
0042F9DA |. 8D55 F0 lea edx,[local.4]
0042F9DD |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9E3 |. E8 70B0FEFF call Acid_bur.0041AA58
0042F9E8 |. 8B45 F0 mov eax,[local.4]
0042F9EB |. 0FB600 movzx eax,byte ptr ds:[eax]
0042F9EE |. 8BF0 mov esi,eax
0042F9F0 |. C1E6 03 shl esi,0x3
0042F9F3 |. 2BF0 sub esi,eax
0042F9F5 |. 8D55 EC lea edx,[local.5]
0042F9F8 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9FE |. E8 55B0FEFF call Acid_bur.0041AA58
0042FA03 |. 8B45 EC mov eax,[local.5]
0042FA06 |. 0FB640 01 movzx eax,byte ptr ds:[eax+0x1]
0042FA0A |. C1E0 04 shl eax,0x4
0042FA0D |. 03F0 add esi,eax
0042FA0F |. 8935 54174300 mov dword ptr ds:[0x431754],esi
0042FA15 |. 8D55 F0 lea edx,[local.4]
0042FA18 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA1E |. E8 35B0FEFF call Acid_bur.0041AA58
0042FA23 |. 8B45 F0 mov eax,[local.4]
0042FA26 |. 0FB640 03 movzx eax,byte ptr ds:[eax+0x3]
0042FA2A |. 6BF0 0B imul esi,eax,0xB
0042FA2D |. 8D55 EC lea edx,[local.5]
0042FA30 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA36 |. E8 1DB0FEFF call Acid_bur.0041AA58
0042FA3B |. 8B45 EC mov eax,[local.5]
0042FA3E |. 0FB640 02 movzx eax,byte ptr ds:[eax+0x2]
0042FA42 |. 6BC0 0E imul eax,eax,0xE
0042FA45 |. 03F0 add esi,eax
0042FA47 |. 8935 58174300 mov dword ptr ds:[0x431758],esi
0042FA4D |. A1 6C174300 mov eax,dword ptr ds:[0x43176C]
0042FA52 |. E8 D96EFDFF call Acid_bur.00406930
0042FA57 |. 83F8 04 cmp eax,0x4
0042FA5A |. 7D 1D jge short Acid_bur.0042FA79
0042FA5C |. 6A 00 push 0x0
0042FA5E |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; ASCII "Try Again!"
0042FA63 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; ASCII "Sorry , The serial is incorect !"
0042FA68 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FA6D |. 8B00 mov eax,dword ptr ds:[eax] ; Acid_bur.00424090
0042FA6F |. E8 FCA6FFFF call Acid_bur.0042A170
0042FA74 |. E9 BE000000 jmp Acid_bur.0042FB37
0042FA79 |> 8D55 F0 lea edx,[local.4]
0042FA7C |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82 |. E8 D1AFFEFF call Acid_bur.0041AA58
0042FA87 |. 8B45 F0 mov eax,[local.4]
0042FA8A |. 0FB600 movzx eax,byte ptr ds:[eax]
0042FA8D |. F72D 50174300 imul dword ptr ds:[0x431750]
0042FA93 |. A3 50174300 mov dword ptr ds:[0x431750],eax
0042FA98 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FA9D |. 0105 50174300 add dword ptr ds:[0x431750],eax
0042FAA3 |. 8D45 FC lea eax,[local.1]
0042FAA6 |. BA ACFB4200 mov edx,Acid_bur.0042FBAC ; ASCII "CW"
0042FAAB |. E8 583CFDFF call Acid_bur.00403708
0042FAB0 |. 8D45 F8 lea eax,[local.2]
0042FAB3 |. BA B8FB4200 mov edx,Acid_bur.0042FBB8 ; ASCII "CRACKED"
0042FAB8 |. E8 4B3CFDFF call Acid_bur.00403708
0042FABD |. FF75 FC push [local.1] ; Acid_bur.0042FBAC
0042FAC0 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; UNICODE "-"
0042FAC5 |. 8D55 E8 lea edx,[local.6]
0042FAC8 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FACD |. E8 466CFDFF call Acid_bur.00406718 ; Set a breakpoint here and step into it with F7; at this point eax=FB2. Watch eax, ebx, ecx and the like: they may be the call's arguments. This call produces 4018. I stepped through countless functions inside it, then looked back and noticed that FB2 (hex) = 4018 (decimal), and instantly understood that this call converts hex to decimal. The focus now is analysing where FB2 comes from.
0042FAD2 |. FF75 E8 push [local.6] ; Stepping to here, 4018 appears in the stack window, so it must be produced by the previous call. Set a breakpoint on the previous call, run again, "chek it baby", run up to the previous call and step into it.
0042FAD5 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; UNICODE "-"
0042FADA |. FF75 F8 push [local.2] ; Acid_bur.0042FBB8
0042FADD |. 8D45 F4 lea eax,[local.3]
0042FAE0 |. BA 05000000 mov edx,0x5
0042FAE5 |. E8 C23EFDFF call Acid_bur.004039AC
0042FAEA |. 8D55 F0 lea edx,[local.4]
0042FAED |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042FAF3 |. E8 60AFFEFF call Acid_bur.0041AA58
0042FAF8 |. 8B55 F0 mov edx,[local.4]
0042FAFB |. 8B45 F4 mov eax,[local.3]
0042FAFE |. E8 F93EFDFF call Acid_bur.004039FC
0042FB03 |. 75 1A jnz short Acid_bur.0042FB1F
0042FB05 |. 6A 00 push 0x0
0042FB07 |. B9 CCFB4200 mov ecx,Acid_bur.0042FBCC ; ASCII "Congratz !!"
0042FB0C |. BA D8FB4200 mov edx,Acid_bur.0042FBD8 ; ASCII "Good job dude =)"
0042FB11 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB16 |. 8B00 mov eax,dword ptr ds:[eax] ; Acid_bur.00424090
0042FB18 |. E8 53A6FFFF call Acid_bur.0042A170
0042FB1D |. EB 18 jmp short Acid_bur.0042FB37
0042FB1F |> 6A 00 push 0x0
0042FB21 |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; ASCII "Try Again!"
0042FB26 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; ASCII "Sorry , The serial is incorect !"
0042FB2B |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB30 |. 8B00 mov eax,dword ptr ds:[eax] ; Acid_bur.00424090
0042FB32 |. E8 39A6FFFF call Acid_bur.0042A170
0042FB37 |> 33C0 xor eax,eax
Finding FB2: those who stepped through with F8 from push ebp and commented each step will certainly have found the disassembly below. A faster way is to step with F8 until 11111 appears somewhere, then work out each step from there, which lets you skip a lot of the earlier assembly.
0042FA82 |. E8 D1AFFEFF call Acid_bur.0041AA58
0042FA87 |. 8B45 F0 mov eax,[local.4] ; eax=9e49ac [9e49ac]="11111" the name string we entered
0042FA8A |. 0FB600 movzx eax,byte ptr ds:[eax] ; eax=31
0042FA8D |. F72D 50174300 imul dword ptr ds:[0x431750] ; eax=31*29=7D9
0042FA93 |. A3 50174300 mov dword ptr ds:[0x431750],eax ; [431750]=7D9
0042FA98 |. A1 50174300 mov eax,dword ptr ds:[0x431750] ; eax=7D9
0042FA9D |. 0105 50174300 add dword ptr ds:[0x431750],eax ; [431750]=7d9+7d9=fb2
0042FAA3 |. 8D45 FC lea eax,[local.1] ; eax=12f9a4
0042FAA6 |. BA ACFB4200 mov edx,Acid_bur.0042FBAC ; ASCII "CW"
0042FAAB |. E8 583CFDFF call Acid_bur.00403708
0042FAB0 |. 8D45 F8 lea eax,[local.2] ; eax=12f9a0
0042FAB3 |. BA B8FB4200 mov edx,Acid_bur.0042FBB8 ; ASCII "CRACKED"
0042FAB8 |. E8 4B3CFDFF call Acid_bur.00403708
0042FABD |. FF75 FC push [local.1]
0042FAC0 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; UNICODE "-"
0042FAC5 |. 8D55 E8 lea edx,[local.6]
0042FAC8 |. A1 50174300 mov eax,dword ptr ds:[0x431750] ; eax=fb2
0042FACD |. E8 466CFDFF call Acid_bur.00406718 ; hex to decimal
The algorithm works like this:
Take the ASCII code of the '1' in 11111, which is 0x31. First 0x31*0x29=7D9, then 7D9+7D9=FB2, and finally FB2 (hex) = 4018 (decimal). Going through it once from push ebp and once from call Acid_bur.00406718 leaves the deepest impression; watch the eax argument while tracing.
I won't write up the keygen algorithm; it's very simple. Typing this many characters was painful.
If there are any mistakes above, please correct me.
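The serial check reconstructed from the listing above, as an added example (not the author's code and not the CrackMe's own source): it reproduces the 0x29 multiply, the doubling and the decimal conversion, and also applies the length check at 0042FA57 that the listing performs before the serial is built. The values stored at 0x431754 and 0x431758 are computed but never read in the listing shown, so they are left out; the latin-1 decoding of the name is an assumption (the binary works on raw bytes).

```python
# Reconstruction of the Acid_burn name/serial check from the disassembly.
# Added example; not the author's or the CrackMe's own code.

MAGIC = 0x29  # value written to ds:[0x431750] by the mov at 0042F9B5


def serial_for(name: str):
    """Return the serial expected for `name`, or None if the name is rejected.

    Mirrors 0042FA4D..0042FACD: the length check, then
    [0x431750] = name[0] * 0x29; [0x431750] += [0x431750]; int -> decimal string.
    """
    data = name.encode("latin-1", errors="replace")  # assumption: 8-bit string
    # 0042FA57: cmp eax,0x4 / jge -> names shorter than 4 bytes get "Try Again!"
    if len(data) < 4:
        return None
    # 0042FA8A: movzx eax, byte ptr [eax] -> first byte of the name
    # 0042FA8D: imul dword ptr [0x431750] -> eax = name[0] * 0x29
    value = data[0] * MAGIC
    # 0042FA9D: add [0x431750], eax -> the product is doubled
    value += value
    # 0042FAA6..0042FAE5: "CW" + "-" + decimal(value) + "-" + "CRACKED"
    return f"CW-{value}-CRACKED"


def check(name: str, serial: str) -> bool:
    """0042FAFE: the string compare that decides 'Congratz' vs 'Try Again!'."""
    expected = serial_for(name)
    return expected is not None and expected == serial


if __name__ == "__main__":
    # Constructed inputs: the name from the post and a too-short one.
    print(serial_for("11111"))  # CW-4018-CRACKED
    print(check("11111", "12345"), check("11111", "CW-4018-CRACKED"))
    print(serial_for("abc"))  # None
```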