160个练手CrackMe-001


CM集合:160个练手CM

1、查壳:工具PEID v0.95


Delphi编写,无壳


2、打开程序,随意输入Serial/Name,弹出失败提示框,"Sorry, The serial is incorect!",以此作为关键信息。



3、OD载入,F9让程序正常运行,Ctrl+A 分析代码,然后右键 “中文搜索引擎”-“智能搜索”,Ctrl+F 搜索 “Sorry”


双击进入反汇编窗口。



4、分析,在该代码块开始地方(0042F998)F2下断点

0042FA57 处,比较输入的Name字符串长度,小于4则直接提示失败(注意:前面 0042F9EB~0042FA47 在做长度检查之前就已经按偏移 0~3 读取了 Name,这些中间结果 [0x431754]/[0x431758] 后面并没有参与序列号比较)

0042FAFE处,将输入的Serial与程序算出的正确序列号("CW-" + name[0]*0x29*2 的十进制 + "-CRACKED")做字符串比较,0042FB03 的 jnz 决定成功或失败;序列号只取决于 Name 的第一个字符,这是一个单点判断


; Acid_burn CrackMe-001 - serial check routine, OllyDbg dump (Delphi, x86-32).
; On entry eax is copied to ebx; [ebx+0x1DC] and [ebx+0x1E0] are annotated by the
; author as the Name and Serial edit controls (read through 0041AA58) - assumed, not
; verified here.
; Expected serial = "CW-" + decimal(name[0] * 0x29 * 2) + "-CRACKED", built at
; 0042FAA3..0042FAE5 and compared at 0042FAFE. Only name[0] influences the serial;
; the accept/reject decision is the single jnz at 0042FB03.
; The push fs:[eax] / mov fs:[eax],esp pair at 0042F9AF looks like Delphi's
; try/finally SEH frame; 0042FB37..0042FB66 is the finally/cleanup part.
0042F998  /.  55            push ebp
0042F999  |.  8BEC          mov ebp,esp
0042F99B  |.  33C9          xor ecx,ecx
0042F99D  |.  51            push ecx                                 ;  six zeroed locals (local.1..local.6)
0042F99E  |.  51            push ecx
0042F99F  |.  51            push ecx
0042F9A0  |.  51            push ecx
0042F9A1  |.  51            push ecx
0042F9A2  |.  51            push ecx
0042F9A3  |.  53            push ebx
0042F9A4  |.  56            push esi
0042F9A5  |.  8BD8          mov ebx,eax                              ;  ebx = eax on entry (presumably Self)
0042F9A7  |.  33C0          xor eax,eax
0042F9A9  |.  55            push ebp
0042F9AA  |.  68 67FB4200   push Acid_bur.0042FB67                   ;  handler address, see 0042FB67
0042F9AF  |.  64:FF30       push dword ptr fs:[eax]                  ;  save fs:[0] (SEH chain head)
0042F9B2  |.  64:8920       mov dword ptr fs:[eax],esp               ;  install the frame
0042F9B5  |.  C705 50174300>mov dword ptr ds:[0x431750],0x29         ;  [0x431750] = 0x29, multiplier used at 0042FA8D
0042F9BF  |.  8D55 F0       lea edx,[local.4]
0042F9C2  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9C8  |.  E8 8BB0FEFF   call Acid_bur.0041AA58                   ;  local.4 = Name edit text (author's annotation)
0042F9CD  |.  8B45 F0       mov eax,[local.4]
0042F9D0  |.  E8 DB40FDFF   call Acid_bur.00403AB0
0042F9D5  |.  A3 6C174300   mov dword ptr ds:[0x43176C],eax          ;  [0x43176C] = result of 00403AB0 on the name, fed to 00406930 below
0042F9DA  |.  8D55 F0       lea edx,[local.4]
0042F9DD  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9E3  |.  E8 70B0FEFF   call Acid_bur.0041AA58
0042F9E8  |.  8B45 F0       mov eax,[local.4]
0042F9EB  |.  0FB600        movzx eax,byte ptr ds:[eax]              ;  eax = name[0], zero-extended
0042F9EE  |.  8BF0          mov esi,eax
0042F9F0  |.  C1E6 03       shl esi,0x3                              ;  esi = name[0] * 8
0042F9F3  |.  2BF0          sub esi,eax                              ;  esi = name[0] * 7
0042F9F5  |.  8D55 EC       lea edx,[local.5]
0042F9F8  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9FE  |.  E8 55B0FEFF   call Acid_bur.0041AA58
0042FA03  |.  8B45 EC       mov eax,[local.5]
0042FA06  |.  0FB640 01     movzx eax,byte ptr ds:[eax+0x1]          ;  eax = name[1]
0042FA0A  |.  C1E0 04       shl eax,0x4                              ;  eax = name[1] * 16
0042FA0D  |.  03F0          add esi,eax
0042FA0F  |.  8935 54174300 mov dword ptr ds:[0x431754],esi          ;  [0x431754] = name[0]*7 + name[1]*16 (not read again in this routine)
0042FA15  |.  8D55 F0       lea edx,[local.4]
0042FA18  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA1E  |.  E8 35B0FEFF   call Acid_bur.0041AA58
0042FA23  |.  8B45 F0       mov eax,[local.4]
0042FA26  |.  0FB640 03     movzx eax,byte ptr ds:[eax+0x3]          ;  eax = name[3]
0042FA2A  |.  6BF0 0B       imul esi,eax,0xB                         ;  esi = name[3] * 0xB (previous esi discarded)
0042FA2D  |.  8D55 EC       lea edx,[local.5]
0042FA30  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA36  |.  E8 1DB0FEFF   call Acid_bur.0041AA58
0042FA3B  |.  8B45 EC       mov eax,[local.5]
0042FA3E  |.  0FB640 02     movzx eax,byte ptr ds:[eax+0x2]          ;  eax = name[2]
0042FA42  |.  6BC0 0E       imul eax,eax,0xE                         ;  eax = name[2] * 0xE
0042FA45  |.  03F0          add esi,eax
0042FA47  |.  8935 58174300 mov dword ptr ds:[0x431758],esi          ;  [0x431758] = name[3]*0xB + name[2]*0xE (also unused below)
0042FA4D  |.  A1 6C174300   mov eax,dword ptr ds:[0x43176C]          ;  NOTE: name[1..3] were read ABOVE, before the length check - with a name shorter than 4 those reads go past the typed text (confirm in the debugger)
0042FA52  |.  E8 D96EFDFF   call Acid_bur.00406930                   ;  eax = length of the Name text (author's annotation)
0042FA57  |.  83F8 04       cmp eax,0x4
0042FA5A  |.  7D 1D         jge XAcid_bur.0042FA79                   ;  len >= 4 -> continue; signed compare, fine while length is non-negative
0042FA5C  |.  6A 00         push 0x0                                 ;  too short: show the failure box
0042FA5E  |.  B9 74FB4200   mov ecx,Acid_bur.0042FB74                ;  Try Again!
0042FA63  |.  BA 80FB4200   mov edx,Acid_bur.0042FB80                ;  Sorry , The serial is incorect !
0042FA68  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042FA6D  |.  8B00          mov eax,dword ptr ds:[eax]
0042FA6F  |.  E8 FCA6FFFF   call Acid_bur.0042A170                   ;  presumably the message-box routine (same call at 0042FB18 / 0042FB32)
0042FA74  |.  E9 BE000000   jmp Acid_bur.0042FB37
0042FA79  |>  8D55 F0       lea edx,[local.4]
0042FA7C  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82  |.  E8 D1AFFEFF   call Acid_bur.0041AA58
0042FA87  |.  8B45 F0       mov eax,[local.4]
0042FA8A  |.  0FB600        movzx eax,byte ptr ds:[eax]              ;  eax = name[0] (the only byte that feeds the serial)
0042FA8D  |.  F72D 50174300 imul dword ptr ds:[0x431750]             ;  edx:eax = name[0] * 0x29
0042FA93  |.  A3 50174300   mov dword ptr ds:[0x431750],eax          ;  global reused as scratch
0042FA98  |.  A1 50174300   mov eax,dword ptr ds:[0x431750]
0042FA9D  |.  0105 50174300 add dword ptr ds:[0x431750],eax          ;  [0x431750] = name[0] * 0x29 * 2
0042FAA3  |.  8D45 FC       lea eax,[local.1]
0042FAA6  |.  BA ACFB4200   mov edx,Acid_bur.0042FBAC                ;  'CW'
0042FAAB  |.  E8 583CFDFF   call Acid_bur.00403708                   ;  local.1 = 'CW'
0042FAB0  |.  8D45 F8       lea eax,[local.2]
0042FAB3  |.  BA B8FB4200   mov edx,Acid_bur.0042FBB8                ;  CRACKED
0042FAB8  |.  E8 4B3CFDFF   call Acid_bur.00403708                   ;  local.2 = 'CRACKED'
0042FABD  |.  FF75 FC       push [local.1]                           ;  pieces pushed for the concatenation below
0042FAC0  |.  68 C8FB4200   push Acid_bur.0042FBC8                   ;  -
0042FAC5  |.  8D55 E8       lea edx,[local.6]
0042FAC8  |.  A1 50174300   mov eax,dword ptr ds:[0x431750]
0042FACD  |.  E8 466CFDFF   call Acid_bur.00406718                   ;  local.6 = decimal string of name[0] * 0x29 * 2
0042FAD2  |.  FF75 E8       push [local.6]
0042FAD5  |.  68 C8FB4200   push Acid_bur.0042FBC8                   ;  -
0042FADA  |.  FF75 F8       push [local.2]
0042FADD  |.  8D45 F4       lea eax,[local.3]
0042FAE0  |.  BA 05000000   mov edx,0x5                              ;  edx = 5 pieces pushed above
0042FAE5  |.  E8 C23EFDFF   call Acid_bur.004039AC                   ;  local.3 = "CW-" + local.6 + "-CRACKED"
0042FAEA  |.  8D55 F0       lea edx,[local.4]
0042FAED  |.  8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042FAF3  |.  E8 60AFFEFF   call Acid_bur.0041AA58                   ;  local.4 = Serial edit text (author's annotation)
0042FAF8  |.  8B55 F0       mov edx,[local.4]
0042FAFB  |.  8B45 F4       mov eax,[local.3]
0042FAFE  |.  E8 F93EFDFF   call Acid_bur.004039FC                   ;  compare entered serial with computed local.3 (author: string compare)
0042FB03  |.  75 1A         jnz XAcid_bur.0042FB1F                   ;  differ -> failure. Single-point check: flipping or NOPing this branch (or the jge at 0042FA5A) accepts any input
0042FB05  |.  6A 00         push 0x0                                 ;  match: success box
0042FB07  |.  B9 CCFB4200   mov ecx,Acid_bur.0042FBCC                ;  Congratz !!
0042FB0C  |.  BA D8FB4200   mov edx,Acid_bur.0042FBD8                ;  Good job dude =)
0042FB11  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042FB16  |.  8B00          mov eax,dword ptr ds:[eax]
0042FB18  |.  E8 53A6FFFF   call Acid_bur.0042A170
0042FB1D  |.  EB 18         jmp XAcid_bur.0042FB37
0042FB1F  |>  6A 00         push 0x0                                 ;  mismatch: failure box
0042FB21  |.  B9 74FB4200   mov ecx,Acid_bur.0042FB74                ;  Try Again!
0042FB26  |.  BA 80FB4200   mov edx,Acid_bur.0042FB80                ;  Sorry , The serial is incorect !
0042FB2B  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042FB30  |.  8B00          mov eax,dword ptr ds:[eax]
0042FB32  |.  E8 39A6FFFF   call Acid_bur.0042A170
0042FB37  |>  33C0          xor eax,eax                              ;  common exit: unlink the SEH frame installed at 0042F9B2
0042FB39  |.  5A            pop edx                                  ;  edx = saved fs:[0]
0042FB3A  |.  59            pop ecx
0042FB3B  |.  59            pop ecx
0042FB3C  |.  64:8910       mov dword ptr fs:[eax],edx
0042FB3F  |.  68 6EFB4200   push Acid_bur.0042FB6E                   ;  the retn at 0042FB66 lands on 0042FB6E
0042FB44  |>  8D45 E8       lea eax,[local.6]                        ;  cleanup of the local strings (looks like Delphi string finalization; not annotated by the author)
0042FB47  |.  E8 243BFDFF   call Acid_bur.00403670
0042FB4C  |.  8D45 EC       lea eax,[local.5]
0042FB4F  |.  BA 02000000   mov edx,0x2
0042FB54  |.  E8 3B3BFDFF   call Acid_bur.00403694
0042FB59  |.  8D45 F4       lea eax,[local.3]
0042FB5C  |.  BA 03000000   mov edx,0x3
0042FB61  |.  E8 2E3BFDFF   call Acid_bur.00403694
0042FB66  \.  C3            retn                                     ;  -> 0042FB6E (address pushed at 0042FB3F)
0042FB67   .^ E9 A835FDFF   jmp Acid_bur.00403114                    ;  handler entry pushed at 0042F9AA (presumably the RTL exception path)
0042FB6C   .^ EB D6         jmp XAcid_bur.0042FB44                   ;  re-enter the cleanup
0042FB6E   .  5E            pop esi                                  ;  real epilogue
0042FB6F   .  5B            pop ebx
0042FB70   .  8BE5          mov esp,ebp
0042FB72   .  5D            pop ebp
0042FB73   .  C3            retn

5、注册机

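// Keygen for CrackMe-001 (Acid_burn), derived from the listing at 0042FA79..0042FAFE:
//   serial = "CW-" + decimal(name[0] * 0x29 * 2) + "-CRACKED"
// Only the first character of the name matters; the target nevertheless rejects
// names shorter than 4 characters (cmp eax,4 / jge at 0042FA57), so we do too.
//
// Returns the expected serial, or an empty string when the name is too short.
std::string acid_burn_serial(const std::string& name) {
    if (name.size() < 4) {
        return "";
    }
    // The target loads name[0] with movzx (zero-extend). Cast through unsigned char
    // so bytes >= 0x80 give the same value here even where `char` is signed;
    // a plain `name[0] * 0x29 * 2` would print a negative number for those.
    const unsigned value = static_cast<unsigned char>(name[0]) * 0x29u * 2u;
    return "CW-" + std::to_string(value) + "-CRACKED";
}

// Prints the result in the same form as the original snippet:
// an error line for short names, otherwise the serial.
void print_keygen(const std::string& name) {
    if (name.size() < 4) {
        std::cout << "长度要大于等于4" << std::endl;
    } else {
        std::cout << acid_burn_serial(name) << std::endl;
    }
}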



最后,博主还是新手一枚,写的有点杂,不足之处望指点。