160 Practice CrackMes - 001
Source: Internet  Editor: 程序博客网  Time: 2024/06/05 07:56
CM collection: 160 practice CrackMes
1. Packer check: tool PEiD v0.95
Written in Delphi, no packer.
2. Run the program and enter an arbitrary Name/Serial; a failure message box pops up, "Sorry, The serial is incorect!". This string is the key piece of information to search for.
3. Load the program in OllyDbg (OD), press F9 to let it run normally, press Ctrl+A to analyse the code, then right-click and choose "中文搜索引擎" (Chinese search engine) - "智能搜索" (smart search); press Ctrl+F and search for "Sorry".
Double-click the hit to enter the disassembly window.
4. Analysis: set a breakpoint (F2) at the start of this code block (0042F998).
At 0042FA57 the length of the entered Name is compared; if it is less than 4, the failure message is shown directly.
At 0042FAFE the entered Serial is compared with the correct one.
0042F998 /. 55 push ebp
0042F999 |. 8BEC mov ebp,esp
0042F99B |. 33C9 xor ecx,ecx
0042F99D |. 51 push ecx
0042F99E |. 51 push ecx
0042F99F |. 51 push ecx
0042F9A0 |. 51 push ecx
0042F9A1 |. 51 push ecx
0042F9A2 |. 51 push ecx
0042F9A3 |. 53 push ebx
0042F9A4 |. 56 push esi
0042F9A5 |. 8BD8 mov ebx,eax
0042F9A7 |. 33C0 xor eax,eax
0042F9A9 |. 55 push ebp
0042F9AA |. 68 67FB4200 push Acid_bur.0042FB67
0042F9AF |. 64:FF30 push dword ptr fs:[eax]
0042F9B2 |. 64:8920 mov dword ptr fs:[eax],esp
0042F9B5 |. C705 50174300>mov dword ptr ds:[0x431750],0x29
0042F9BF |. 8D55 F0 lea edx,[local.4]
0042F9C2 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9C8 |. E8 8BB0FEFF call Acid_bur.0041AA58
0042F9CD |. 8B45 F0 mov eax,[local.4]
0042F9D0 |. E8 DB40FDFF call Acid_bur.00403AB0
0042F9D5 |. A3 6C174300 mov dword ptr ds:[0x43176C],eax
0042F9DA |. 8D55 F0 lea edx,[local.4]
0042F9DD |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9E3 |. E8 70B0FEFF call Acid_bur.0041AA58
0042F9E8 |. 8B45 F0 mov eax,[local.4]
0042F9EB |. 0FB600 movzx eax,byte ptr ds:[eax] ; first byte of name, name[0]
0042F9EE |. 8BF0 mov esi,eax
0042F9F0 |. C1E6 03 shl esi,0x3 ; shift left by 3; top bit goes into CF, low bits zero-filled
0042F9F3 |. 2BF0 sub esi,eax
0042F9F5 |. 8D55 EC lea edx,[local.5]
0042F9F8 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9FE |. E8 55B0FEFF call Acid_bur.0041AA58
0042FA03 |. 8B45 EC mov eax,[local.5]
0042FA06 |. 0FB640 01 movzx eax,byte ptr ds:[eax+0x1] ; second byte of name, name[1]
0042FA0A |. C1E0 04 shl eax,0x4 ; shift left by 4
0042FA0D |. 03F0 add esi,eax
0042FA0F |. 8935 54174300 mov dword ptr ds:[0x431754],esi ; [0x431754] = (name[0]<<3) - name[0] + (name[1]<<4)
0042FA15 |. 8D55 F0 lea edx,[local.4]
0042FA18 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA1E |. E8 35B0FEFF call Acid_bur.0041AA58
0042FA23 |. 8B45 F0 mov eax,[local.4]
0042FA26 |. 0FB640 03 movzx eax,byte ptr ds:[eax+0x3] ; fourth byte of name, name[3]
0042FA2A |. 6BF0 0B imul esi,eax,0xB
0042FA2D |. 8D55 EC lea edx,[local.5]
0042FA30 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA36 |. E8 1DB0FEFF call Acid_bur.0041AA58
0042FA3B |. 8B45 EC mov eax,[local.5]
0042FA3E |. 0FB640 02 movzx eax,byte ptr ds:[eax+0x2] ; third byte of name, name[2]
0042FA42 |. 6BC0 0E imul eax,eax,0xE
0042FA45 |. 03F0 add esi,eax
0042FA47 |. 8935 58174300 mov dword ptr ds:[0x431758],esi ; [0x431758] = name[2]*0xE + name[3]*0xB
0042FA4D |. A1 6C174300 mov eax,dword ptr ds:[0x43176C] ; the values computed above do not seem to be used anywhere
0042FA52 |. E8 D96EFDFF call Acid_bur.00406930 ; get the length of the Name edit box contents
0042FA57 |. 83F8 04 cmp eax,0x4
0042FA5A |. 7D 1D jge XAcid_bur.0042FA79
0042FA5C |. 6A 00 push 0x0
0042FA5E |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; Try Again!
0042FA63 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; Sorry , The serial is incorect !
0042FA68 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FA6D |. 8B00 mov eax,dword ptr ds:[eax]
0042FA6F |. E8 FCA6FFFF call Acid_bur.0042A170
0042FA74 |. E9 BE000000 jmp Acid_bur.0042FB37
0042FA79 |> 8D55 F0 lea edx,[local.4]
0042FA7C |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82 |. E8 D1AFFEFF call Acid_bur.0041AA58
0042FA87 |. 8B45 F0 mov eax,[local.4]
0042FA8A |. 0FB600 movzx eax,byte ptr ds:[eax] ; name[0]
0042FA8D |. F72D 50174300 imul dword ptr ds:[0x431750] ; name[0] * 0x29
0042FA93 |. A3 50174300 mov dword ptr ds:[0x431750],eax
0042FA98 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FA9D |. 0105 50174300 add dword ptr ds:[0x431750],eax ; name[0] * 0x29 * 2
0042FAA3 |. 8D45 FC lea eax,[local.1]
0042FAA6 |. BA ACFB4200 mov edx,Acid_bur.0042FBAC ; 'CW'
0042FAAB |. E8 583CFDFF call Acid_bur.00403708 ; local.1 = 'CW'
0042FAB0 |. 8D45 F8 lea eax,[local.2]
0042FAB3 |. BA B8FB4200 mov edx,Acid_bur.0042FBB8 ; CRACKED
0042FAB8 |. E8 4B3CFDFF call Acid_bur.00403708 ; local.2 = 'CRACKED'
0042FABD |. FF75 FC push [local.1]
0042FAC0 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; -
0042FAC5 |. 8D55 E8 lea edx,[local.6]
0042FAC8 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FACD |. E8 466CFDFF call Acid_bur.00406718 ; local.6 = str(name[0] * 0x29 * 2)
0042FAD2 |. FF75 E8 push [local.6]
0042FAD5 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; -
0042FADA |. FF75 F8 push [local.2]
0042FADD |. 8D45 F4 lea eax,[local.3]
0042FAE0 |. BA 05000000 mov edx,0x5
0042FAE5 |. E8 C23EFDFF call Acid_bur.004039AC ; local.3 = "CW-" + local.6 + "-CRACKED"
0042FAEA |. 8D55 F0 lea edx,[local.4]
0042FAED |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042FAF3 |. E8 60AFFEFF call Acid_bur.0041AA58 ; contents of the Serial (psw) edit box
0042FAF8 |. 8B55 F0 mov edx,[local.4]
0042FAFB |. 8B45 F4 mov eax,[local.3]
0042FAFE |. E8 F93EFDFF call Acid_bur.004039FC ; compare the two strings
0042FB03 |. 75 1A jnz XAcid_bur.0042FB1F ; not equal: jump to the failure branch
0042FB05 |. 6A 00 push 0x0
0042FB07 |. B9 CCFB4200 mov ecx,Acid_bur.0042FBCC ; Congratz !!
0042FB0C |. BA D8FB4200 mov edx,Acid_bur.0042FBD8 ; Good job dude =)
0042FB11 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB16 |. 8B00 mov eax,dword ptr ds:[eax]
0042FB18 |. E8 53A6FFFF call Acid_bur.0042A170
0042FB1D |. EB 18 jmp XAcid_bur.0042FB37
0042FB1F |> 6A 00 push 0x0
0042FB21 |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; Try Again!
0042FB26 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; Sorry , The serial is incorect !
0042FB2B |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB30 |. 8B00 mov eax,dword ptr ds:[eax]
0042FB32 |. E8 39A6FFFF call Acid_bur.0042A170
0042FB37 |> 33C0 xor eax,eax
0042FB39 |. 5A pop edx
0042FB3A |. 59 pop ecx
0042FB3B |. 59 pop ecx
0042FB3C |. 64:8910 mov dword ptr fs:[eax],edx
0042FB3F |. 68 6EFB4200 push Acid_bur.0042FB6E
0042FB44 |> 8D45 E8 lea eax,[local.6]
0042FB47 |. E8 243BFDFF call Acid_bur.00403670
0042FB4C |. 8D45 EC lea eax,[local.5]
0042FB4F |. BA 02000000 mov edx,0x2
0042FB54 |. E8 3B3BFDFF call Acid_bur.00403694
0042FB59 |. 8D45 F4 lea eax,[local.3]
0042FB5C |. BA 03000000 mov edx,0x3
0042FB61 |. E8 2E3BFDFF call Acid_bur.00403694
0042FB66 \. C3 retn
0042FB67 .^ E9 A835FDFF jmp Acid_bur.00403114
0042FB6C .^ EB D6 jmp XAcid_bur.0042FB44
0042FB6E . 5E pop esi
0042FB6F . 5B pop ebx
0042FB70 . 8BE5 mov esp,ebp
0042FB72 . 5D pop ebp
0042FB73 . C3 retn
5. Keygen
#include <iostream>
#include <string>
using namespace std;

int main() {
    string name;
    cin >> name;
    if (name.size() < 4) {
        cout << "Name length must be at least 4" << endl;
    } else {
        // the program reads name[0] with movzx, i.e. as an unsigned byte
        cout << "CW-" << (unsigned char)name[0] * 0x29 * 2 << "-CRACKED" << endl;
    }
}