好友
阅读权限100
听众
最后登录1970-1-1
|
苏紫方璇
发表于 2014-10-24 12:15
本帖最后由 ximo 于 2014-10-25 23:19 编辑
打开CrackMe,输入任意注册名字和注册序号,然后程序自动关闭,并在程序当前目录生成ny.key,打开后发现是ini文件格式,因此推断CrackMe为重启验证,验证文件是ini格式。
使用od打开CrackMe,若没有反antiod类插件,CrackMe会退出,这是检查了程序的父进程名字,并与explorer.exe进行对比。
[Asm] 纯文本查看 复制代码 00402E3C . 68 63A34800 push CrackMe.0048A363 ; ASCII "explorer.exe"
00402E41 . FF75 E8 push dword ptr ss:[ebp-0x18]
00402E44 . E8 09E4FFFF call CrackMe.00401252
之后使用自己的文件名作为参数再次启动自己,并退出当前程序。
所以,直接在od上选择打开,并填入参数
断在程序入口点后,对GetPrivateProfileStringA进行下断。
程序断下后,返回到上一层,找到段首,f2下断,重新运行,断下后,单步跟
[Asm] 纯文本查看 复制代码 00401428 /. 55 push ebp
00401429 |. 8BEC mov ebp,esp
0040142B |. 81EC 10000000 sub esp,0x10
00401431 |. C745 FC 00000>mov [local.1],0x0
00401438 |. 68 00000000 push 0x0
0040143D |. BB 10424000 mov ebx,CrackMe.00404210
00401442 |. E8 DD200000 call CrackMe.00403524
00401447 |. 83C4 04 add esp,0x4
0040144A |. 8945 FC mov [local.1],eax
0040144D |. 8B5D 08 mov ebx,[arg.1]
00401450 |. 8B1B mov ebx,dword ptr ds:[ebx]
00401452 |. 83C3 04 add ebx,0x4
00401455 |. 895D F8 mov [local.2],ebx
00401458 |. 8B5D 08 mov ebx,[arg.1]
0040145B |. 8B1B mov ebx,dword ptr ds:[ebx]
0040145D |. 83C3 0C add ebx,0xC
00401460 |. 895D F4 mov [local.3],ebx
00401463 |. 6A 00 push 0x0
00401465 |. 6A 00 push 0x0
00401467 |. 6A 00 push 0x0
00401469 |. 68 04000080 push 0x80000004
0040146E |. 6A 00 push 0x0
00401470 |. 68 F6A24800 push CrackMe.0048A2F6
00401475 |. 68 04000080 push 0x80000004
0040147A |. 6A 00 push 0x0
0040147C |. 68 F6A24800 push CrackMe.0048A2F6
00401481 |. 68 04000080 push 0x80000004
00401486 |. 6A 00 push 0x0
00401488 |. 8B5D F4 mov ebx,[local.3]
0040148B |. 8B03 mov eax,dword ptr ds:[ebx]
0040148D |. 85C0 test eax,eax
0040148F |. 75 05 jnz XCrackMe.00401496
00401491 |. B8 F5A24800 mov eax,CrackMe.0048A2F5
00401496 |> 50 push eax
00401497 |. 68 04000000 push 0x4
0040149C |. BB 70434000 mov ebx,CrackMe.00404370
004014A1 |. E8 7E200000 call CrackMe.00403524 ; 获取用户名
004014A6 |. 83C4 34 add esp,0x34
004014A9 |. 8945 F0 mov [local.4],eax
004014AC |. 8B45 F0 mov eax,[local.4]
004014AF |. 50 push eax
004014B0 |. 8B5D F8 mov ebx,[local.2]
004014B3 |. 8B1B mov ebx,dword ptr ds:[ebx]
004014B5 |. 85DB test ebx,ebx
004014B7 |. 74 09 je XCrackMe.004014C2
004014B9 |. 53 push ebx
004014BA |. E8 47200000 call CrackMe.00403506
004014BF |. 83C4 04 add esp,0x4
004014C2 |> 58 pop eax
004014C3 |. 8B5D F8 mov ebx,[local.2]
004014C6 |. 8903 mov dword ptr ds:[ebx],eax
004014C8 |. 8B5D 08 mov ebx,[arg.1]
004014CB |. 8B1B mov ebx,dword ptr ds:[ebx]
004014CD |. 83C3 08 add ebx,0x8
004014D0 |. 895D F8 mov [local.2],ebx
004014D3 |. 8B5D 08 mov ebx,[arg.1]
004014D6 |. 8B1B mov ebx,dword ptr ds:[ebx]
004014D8 |. 83C3 0C add ebx,0xC
004014DB |. 895D F4 mov [local.3],ebx
004014DE |. 6A 00 push 0x0
004014E0 |. 6A 00 push 0x0
004014E2 |. 6A 00 push 0x0
004014E4 |. 68 04000080 push 0x80000004
004014E9 |. 6A 00 push 0x0
004014EB |. 68 F8A24800 push CrackMe.0048A2F8
004014F0 |. 68 04000080 push 0x80000004
004014F5 |. 6A 00 push 0x0
004014F7 |. 68 F6A24800 push CrackMe.0048A2F6
004014FC |. 68 04000080 push 0x80000004
00401501 |. 6A 00 push 0x0
00401503 |. 8B5D F4 mov ebx,[local.3]
00401506 |. 8B03 mov eax,dword ptr ds:[ebx]
00401508 |. 85C0 test eax,eax
0040150A |. 75 05 jnz XCrackMe.00401511
0040150C |. B8 F5A24800 mov eax,CrackMe.0048A2F5
00401511 |> 50 push eax
00401512 |. 68 04000000 push 0x4
00401517 |. BB 70434000 mov ebx,CrackMe.00404370
0040151C |. E8 03200000 call CrackMe.00403524 ; 获取注册码
00401521 |. 83C4 34 add esp,0x34
00401524 |. 8945 F0 mov [local.4],eax
00401527 |. 8B45 F0 mov eax,[local.4]
0040152A |. 50 push eax
0040152B |. 8B5D F8 mov ebx,[local.2]
0040152E |. 8B1B mov ebx,dword ptr ds:[ebx]
00401530 |. 85DB test ebx,ebx
00401532 |. 74 09 je XCrackMe.0040153D
00401534 |. 53 push ebx
00401535 |. E8 CC1F0000 call CrackMe.00403506
0040153A |. 83C4 04 add esp,0x4
0040153D |> 58 pop eax
0040153E |. 8B5D F8 mov ebx,[local.2]
00401541 |. 8903 mov dword ptr ds:[ebx],eax
00401543 |. FF75 08 push [arg.1]
00401546 |. 8B0424 mov eax,dword ptr ss:[esp]
00401549 |. 8B00 mov eax,dword ptr ds:[eax]
0040154B |. 8B00 mov eax,dword ptr ds:[eax]
0040154D |. FF50 14 call dword ptr ds:[eax+0x14] ; 算法验证
00401550 |. E9 00000000 jmp CrackMe.00401555
00401555 |> 8BE5 mov esp,ebp
00401557 |. 5D pop ebp
00401558 \. C2 0400 retn 0x4
这段代码的最后一个call有验证,由于能力有限,感觉可能是包含有算法
F7单步步入到这里
[Asm] 纯文本查看 复制代码 004017FE |. 50 push eax
004017FF |. FF75 F0 push [local.4]
00401802 |. E8 4BFAFFFF call CrackMe.00401252 ; 看不懂的对比
00401807 |. 83C4 08 add esp,0x8
0040180A |. 83F8 00 cmp eax,0x0
0040180D |. B8 00000000 mov eax,0x0
00401812 |. 0F94C0 sete al
00401815 |. 8945 E8 mov [local.6],eax
00401818 |. 8B5D F0 mov ebx,[local.4]
0040181B |. 85DB test ebx,ebx
0040181D |. 74 09 je XCrackMe.00401828
0040181F |. 53 push ebx
00401820 |. E8 E11C0000 call CrackMe.00403506
00401825 |. 83C4 04 add esp,0x4
00401828 |> 837D E8 00 cmp [local.6],0x0
0040182C 0F84 3D000000 je CrackMe.0040186F ; 关键跳
00401832 |. 68 02000080 push 0x80000002
00401837 |. 6A 00 push 0x0
00401839 |. 68 00000000 push 0x0
0040183E |. 6A 00 push 0x0
00401840 |. 6A 00 push 0x0
00401842 |. 6A 00 push 0x0
00401844 |. 68 01000100 push 0x10001
00401849 |. 68 23000106 push 0x6010023
0040184E |. 68 24000152 push 0x52010024
00401853 |. 68 03000000 push 0x3
00401858 |. BB B0374000 mov ebx,CrackMe.004037B0
0040185D |. E8 C21C0000 call CrackMe.00403524 ; 显示窗体
把0040182C 0F84 3D000000 je CrackMe.0040186F 改为nop就可以爆破了
之后会有二次验证,但走的还是这里,所以只用改一次就可以了。
爆破之后,输入任意注册名字和序号,程序退出,再次运行后显示已注册,但不知道右下角的注册按钮一个暗桩或者是作者故意留下的
CrackMe.rar
(306.61 KB, 下载次数: 6)
|
免费评分
-
查看全部评分
|
