160个练手CrackMe-006
1、无壳,Delphi编写,提示信息大致是“OK”和“Cancella”两个按钮消失就算成功。
2、Dark定位事件。
3、载入OD运行。
一步一步填坑
“OK”按钮禁止点击
关键点是NameChange事件。
00442E04 /. 55 push ebp ; NameChange
00442E05 |. 8BEC mov ebp,esp
00442E07 |. 6A 00 push 0x0
00442E09 |. 6A 00 push 0x0
00442E0B |. 53 push ebx
00442E0C |. 8BD8 mov ebx,eax
00442E0E |. 33C0 xor eax,eax
00442E10 |. 55 push ebp
00442E11 |. 68 9B2E4400 push aLoNg3x_.00442E9B
00442E16 |. 64:FF30 push dword ptr fs:[eax]
00442E19 |. 64:8920 mov dword ptr fs:[eax],esp
00442E1C |. 8B83 D0020000 mov eax,dword ptr ds:[ebx+0x2D0]
00442E22 |. 8078 47 00 cmp byte ptr ds:[eax+0x47],0x0 ; 021B6507 OK按钮可点击flag
00442E26 75 0F jnz XaLoNg3x_.00442E37 ; 爆破点-让“OK”按钮可点击
00442E28 |. B2 01 mov dl,0x1
00442E2A |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442E30 |. 8B08 mov ecx,dword ptr ds:[eax]
00442E32 |. FF51 60 call dword ptr ds:[ecx+0x60] ; 设置“OK”按钮可点击
00442E35 |. EB 49 jmp XaLoNg3x_.00442E80
00442E37 |> 8D55 FC lea edx,[local.1]
00442E3A |. 8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442E40 |. E8 7B04FEFF call aLoNg3x_.004232C0 ; 取Codice
00442E45 |. 8B45 FC mov eax,[local.1] ; local.1 存 Codice
00442E48 |. 50 push eax
00442E49 |. 8D55 F8 lea edx,[local.2]
00442E4C |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442E52 |. E8 6904FEFF call aLoNg3x_.004232C0 ; 取Name
00442E57 |. 8B45 F8 mov eax,[local.2] ; local.2 存 Name
00442E5A |. 5A pop edx
00442E5B |. E8 DCFBFFFF call aLoNg3x_.00442A3C ; Proc_1 0x00442A3C 判断Name和Codice是否匹配
00442E60 |. 84C0 test al,al
00442E62 74 0F je XaLoNg3x_.00442E73 ; 爆破点-让“OK”按钮可点击
00442E64 |. B2 01 mov dl,0x1 ; 1 可点击
00442E66 |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442E6C |. 8B08 mov ecx,dword ptr ds:[eax]
00442E6E |. FF51 60 call dword ptr ds:[ecx+0x60]
00442E71 |. EB 0D jmp XaLoNg3x_.00442E80
00442E73 |> 33D2 xor edx,edx ; 0 不可点击
00442E75 |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442E7B |. 8B08 mov ecx,dword ptr ds:[eax]
00442E7D |. FF51 60 call dword ptr ds:[ecx+0x60]
00442E80 |> 33C0 xor eax,eax
00442E82 |. 5A pop edx
00442E83 |. 59 pop ecx
00442E84 |. 59 pop ecx
00442E85 |. 64:8910 mov dword ptr fs:[eax],edx
00442E88 |. 68 A22E4400 push aLoNg3x_.00442EA2
00442E8D |> 8D45 F8 lea eax,[local.2]
00442E90 |. BA 02000000 mov edx,0x2
00442E95 |. E8 4209FCFF call aLoNg3x_.004037DC
00442E9A \. C3 retn
判断函数 Proc_1(),返回1则设置“OK”可点击。
00442A3C /$ 55 push ebp ; proc 1
00442A3D |. 8BEC mov ebp,esp
00442A3F |. 83C4 F8 add esp,-0x8
00442A42 |. 53 push ebx
00442A43 |. 56 push esi
00442A44 |. 8955 F8 mov [local.2],edx ; Codice
00442A47 |. 8945 FC mov [local.1],eax ; Name
00442A4A |. 8B45 FC mov eax,[local.1]
00442A4D |. E8 9611FCFF call aLoNg3x_.00403BE8 ; 增加字符串引用次数
00442A52 |. 8B45 F8 mov eax,[local.2]
00442A55 |. E8 8E11FCFF call aLoNg3x_.00403BE8
00442A5A |. 33C0 xor eax,eax
00442A5C |. 55 push ebp
00442A5D |. 68 E52A4400 push aLoNg3x_.00442AE5
00442A62 |. 64:FF30 push dword ptr fs:[eax]
00442A65 |. 64:8920 mov dword ptr fs:[eax],esp
00442A68 |. 8B45 FC mov eax,[local.1]
00442A6B |. E8 C40FFCFF call aLoNg3x_.00403A34 ; strlen()
00442A70 |. 83F8 05 cmp eax,0x5
00442A73 |. 7E 53 jle XaLoNg3x_.00442AC8
00442A75 |. 8B45 FC mov eax,[local.1]
00442A78 |. E8 B70FFCFF call aLoNg3x_.00403A34
00442A7D |. 8BD8 mov ebx,eax ; ebx是字符串长度
00442A7F |. 8B45 FC mov eax,[local.1]
00442A82 |. E8 AD0FFCFF call aLoNg3x_.00403A34
00442A87 |. 8BD0 mov edx,eax
00442A89 |. 4A dec edx
00442A8A |. 85D2 test edx,edx
00442A8C |. 7E 20 jle XaLoNg3x_.00442AAE
00442A8E |. B8 01000000 mov eax,0x1 ; eax是循环计数变量
00442A93 |> 8B4D FC /mov ecx,[local.1]
00442A96 |. 0FB64C01 FF |movzx ecx,byte ptr ds:[ecx+eax-0x1] ; Name[eax - 1]
00442A9B |. 8B75 FC |mov esi,[local.1]
00442A9E |. 0FB63406 |movzx esi,byte ptr ds:[esi+eax] ; Name[eax]
00442AA2 |. 0FAFCE |imul ecx,esi ; Name[eax - 1] * Name[eax]
00442AA5 |. 0FAFC8 |imul ecx,eax ; Name[eax - 1] * Name[eax] * eax
00442AA8 |. 03D9 |add ebx,ecx ; ebx += Name[eax - 1] * Name[eax] * eax计数变量 + ebx
00442AAA |. 40 |inc eax
00442AAB |. 4A |dec edx
00442AAC |.^ 75 E5 \jnz XaLoNg3x_.00442A93
00442AAE |> 8B45 F8 mov eax,[local.2]
00442AB1 |. E8 BA4BFCFF call aLoNg3x_.00407670 ; atoi()
00442AB6 |. 2BD8 sub ebx,eax
00442AB8 |. 81FB 9A020000 cmp ebx,0x29A
00442ABE |. 75 04 jnz XaLoNg3x_.00442AC4
00442AC0 |. B3 01 mov bl,0x1
00442AC2 |. EB 06 jmp XaLoNg3x_.00442ACA
00442AC4 |> 33DB xor ebx,ebx
00442AC6 |. EB 02 jmp XaLoNg3x_.00442ACA
00442AC8 |> 33DB xor ebx,ebx
对应的C代码大概是:
bool Proc_1(char *name, char *codice)
{
    int len, sum = 0;
    len = sum = strlen(name);
    if (len <= 5)
        return 0;
    else {
        for (int i = 1; i < len; i++) {
            sum += i * name[i] * name[i-1];
        }
        if (sum - atoi(codice) == 666)
            return true;
        else
            return false;
    }
}
所以return sum-666;就可以得到匹配Name的Codice,让“OK”按钮可点击。“123456” 和 “40180”就是匹配的。
输入“123456”、“40180”点击OK按钮,Codice编辑框又变成“0”了,按钮也不能点击了,说明规则不对。
在OKClick下断。OK
00442D64 /. 55 push ebp ; OkClick
00442D65 |. 8BEC mov ebp,esp
00442D67 |. 6A 00 push 0x0
00442D69 |. 53 push ebx
00442D6A |. 8BD8 mov ebx,eax
00442D6C |. 33C0 xor eax,eax
00442D6E |. 55 push ebp
00442D6F |. 68 ED2D4400 push aLoNg3x_.00442DED
00442D74 |. 64:FF30 push dword ptr fs:[eax]
00442D77 |. 64:8920 mov dword ptr fs:[eax],esp
00442D7A |. 8B83 D0020000 mov eax,dword ptr ds:[ebx+0x2D0]
00442D80 |. 8078 47 01 cmp byte ptr ds:[eax+0x47],0x1 ; 021B6507 OK按钮可点击flag
00442D84 75 12 jnz XaLoNg3x_.00442D98 ; 爆破点
00442D86 |. BA 002E4400 mov edx,aLoNg3x_.00442E00
00442D8B |. 8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442D91 |. E8 5A05FEFF call aLoNg3x_.004232F0 ; 设置Codice编辑框为“0”
00442D96 |. EB 3F jmp XaLoNg3x_.00442DD7
00442D98 |> 8D55 FC lea edx,[local.1]
00442D9B |. 8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442DA1 |. E8 1A05FEFF call aLoNg3x_.004232C0
00442DA6 |. 8B45 FC mov eax,[local.1] ; Codice
00442DA9 |. E8 C248FCFF call aLoNg3x_.00407670
00442DAE |. 50 push eax
00442DAF |. 8D55 FC lea edx,[local.1]
00442DB2 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442DB8 |. E8 0305FEFF call aLoNg3x_.004232C0
00442DBD |. 8B45 FC mov eax,[local.1] ; Name
00442DC0 |. 5A pop edx
00442DC1 |. E8 DAFDFFFF call aLoNg3x_.00442BA0 ; Proc_3 返回真-“OK”消失
00442DC6 |. 84C0 test al,al
00442DC8 |. 74 0D je XaLoNg3x_.00442DD7 ; 爆破点,让OK按钮消失
00442DCA |. 33D2 xor edx,edx
00442DCC |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442DD2 |. E8 D903FEFF call aLoNg3x_.004231B0 ; 设置“OK”按钮不可视
00442DD7 |> 33C0 xor eax,eax
00442DD9 |. 5A pop edx
00442DDA |. 59 pop ecx
00442DDB |. 59 pop ecx
00442DDC |. 64:8910 mov dword ptr fs:[eax],edx
00442DDF |. 68 F42D4400 push aLoNg3x_.00442DF4
00442DE4 |> 8D45 FC lea eax,[local.1]
00442DE7 |. E8 CC09FCFF call aLoNg3x_.004037B8
00442DEC \. C3 retn
00442DED .^ E9 8604FCFF jmp aLoNg3x_.00403278
00442DF2 .^ EB F0 jmp XaLoNg3x_.00442DE4
00442DF4 . 5B pop ebx
00442DF5 . 59 pop ecx
00442DF6 . 5D pop ebp
00442DF7 . C3 retn
点击OK按钮后。
让OK按钮消失的条件:A、 [eax+0x47] 不为1 ; B、00442DC1 | call aLoNg3x_.00442BA0 (Proc_3_0x00442BA0)返回真;
这里我们先分析条件B,其对应的C代码大概是:
char buff[20] = {0};
int Proc_3(char *name, char *codice)
{
    int len, sum = 0;
    len = sum = strlen(codice);
    if (len <= 5)
        return 0;
    else {
        for (int i = len; i > 0; i--) {
            buff[i-1] = (char)(i * codice[i-1] * codice[i-1] % 25 + 65);
        }
        if (strcmp(buff, name) == 0) // 相同strcmp()返回0
            return 1;
        else
            return 0;
    }
}
Proc_3是以输入的Codice算匹配的Name。(注意:这段还原代码里 buff 只有 20 字节,Codice 长度达到 20 时没有结束符、超过 20 时会越界写入;自己照着写时应先检查长度。)
条件B解决了,再来看条件A。要找出改变了 [eax+0x47] 的代码。右键这条指令。查找参考
显示的是可能和这个地址相关的指令。
有可能是修改点的只有一条,双击进去,在该函数头再次查找参考,显示的是哪些地方调用了这个函数。
发现两个和“Cancella”按钮有关的地方调用了这个函数。
分析“Cancella”按钮。
00442EA8 /. 55 push ebp ; cancella_click
00442EA9 |. 8BEC mov ebp,esp
00442EAB |. 6A 00 push 0x0
00442EAD |. 53 push ebx
00442EAE |. 8BD8 mov ebx,eax
00442EB0 |. 33C0 xor eax,eax
00442EB2 |. 55 push ebp
00442EB3 |. 68 322F4400 push aLoNg3x_.00442F32
00442EB8 |. 64:FF30 push dword ptr fs:[eax]
00442EBB |. 64:8920 mov dword ptr fs:[eax],esp
00442EBE |. 8D55 FC lea edx,[local.1]
00442EC1 |. 8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0] ; codice
00442EC7 |. E8 F403FEFF call aLoNg3x_.004232C0
00442ECC |. 8B45 FC mov eax,[local.1]
00442ECF |. E8 9C47FCFF call aLoNg3x_.00407670
00442ED4 |. 50 push eax
00442ED5 |. 8D55 FC lea edx,[local.1]
00442ED8 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC] ; name
00442EDE |. E8 DD03FEFF call aLoNg3x_.004232C0
00442EE3 |. 8B45 FC mov eax,[local.1]
00442EE6 |. 5A pop edx
00442EE7 |. E8 08FCFFFF call aLoNg3x_.00442AF4 ; Proc_2 返回真-“Cancella”按钮消失
00442EEC |. 84C0 test al,al
00442EEE 74 1C je XaLoNg3x_.00442F0C ; 爆破点
00442EF0 |. 33D2 xor edx,edx
00442EF2 |. 8B83 D0020000 mov eax,dword ptr ds:[ebx+0x2D0]
00442EF8 |. E8 B302FEFF call aLoNg3x_.004231B0 ; 让“Cancella”按钮消失并将OK按钮的标志位赋值为0
00442EFD |. B2 01 mov dl,0x1
00442EFF |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442F05 |. 8B08 mov ecx,dword ptr ds:[eax]
00442F07 |. FF51 60 call dword ptr ds:[ecx+0x60] ; 让"OK"按钮可点击
00442F0A |. EB 10 jmp XaLoNg3x_.00442F1C
00442F0C |> BA 482F4400 mov edx,aLoNg3x_.00442F48 ; 设置Codice编辑框内容为“0”
00442F11 |. 8B83 E0020000 mov eax,dword ptr ds:[ebx+0x2E0]
00442F17 |. E8 D403FEFF call aLoNg3x_.004232F0
00442F1C |> 33C0 xor eax,eax
00442F1E |. 5A pop edx
00442F1F |. 59 pop ecx
00442F20 |. 59 pop ecx
00442F21 |. 64:8910 mov dword ptr fs:[eax],edx
00442F24 |. 68 392F4400 push aLoNg3x_.00442F39
00442F29 |> 8D45 FC lea eax,[local.1]
00442F2C |. E8 8708FCFF call aLoNg3x_.004037B8
00442F31 \. C3 retn
00442F32 .^ E9 4103FCFF jmp aLoNg3x_.00403278
00442F37 .^ EB F0 jmp XaLoNg3x_.00442F29
00442F39 . 5B pop ebx
00442F3A . 59 pop ecx
00442F3B . 5D pop ebp
00442F3C . C3 retn
要分析Proc_2,其C代码大概是:
int Proc_2(char *name, char *codice)
{
    int tmp;
    int len, sum = 0;
    len = sum = strlen(name);
    if (len <= 5)
        return 0;
    else {
        tmp = Factorial(name[4] % 7 + 2); // 阶乘
        for (int i = 0; i < len; i++) {
            sum += tmp * name[i-1];
        }
        //return sum-31337;
        if (sum - atoi(codice) == 31337)
            return 1;
        else
            return 0;
    }
}
Proc_2是以name算Codice,sum-31337是正确值。“123456”对应的Codice为“191143”。(注意:上面这段只是大概还原,按它字面算 i=0 时 name[i-1] 读的是 name[-1],属于越界读;而且 sum 初值取了 len,按此算不出 191143。要得到 191143,sum 需从 0 开始、把 name[0]..name[len-1] 每个字符都乘上 tmp 累加,具体以反汇编为准。)测试一波,右边按钮消失,OK按钮变成可点击。
对于OK按钮,上面有写,判断函数是Proc_3。是以Codice算name,"191143"对应的是“BXDEUG”
测试成功。OK按钮也消失了。
重新总结下注册流程:
1.输入匹配的Name/Codice。
2.点击“Cancella”按钮,“Cancella”按钮消失,“OK”会变成可点击状态。
3.再点击“OK”按钮,“OK”按钮消失,就算注册成功。
4.注册机就不写了,爆破点也标记了。
不足之处望指点。