160个练手CrackMe-007

1、无壳，Delphi编写。

2、Dark查看事件。

3、OD载入，目标是让按钮消失。

首先分析Register按钮事件。

00442F28  /.  55            push ebp                                 ;  RegisterzClick00442F29  |.  8BEC          mov ebp,esp00442F2B  |.  83C4 F8       add esp,-0x800442F2E  |.  53            push ebx00442F2F  |.  56            push esi00442F30  |.  33C9          xor ecx,ecx00442F32  |.  894D F8       mov [local.2],ecx00442F35  |.  8BD8          mov ebx,eax00442F37  |.  33C0          xor eax,eax00442F39  |.  55            push ebp00442F3A  |.  68 22304400   push aLoNg3x_.0044302200442F3F  |.  64:FF30       push dword ptr fs:[eax]00442F42  |.  64:8920       mov dword ptr fs:[eax],esp00442F45  |.  8D55 F8       lea edx,[local.2]00442F48  |.  8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]00442F4E  |.  E8 ED02FEFF   call aLoNg3x_.0042324000442F53  |.  8B45 F8       mov eax,[local.2]00442F56  |.  8D55 FC       lea edx,[local.1]00442F59  |.  E8 FAF9FBFF   call aLoNg3x_.0040295800442F5E  |.  8BF0          mov esi,eax00442F60  |.  837D FC 00    cmp [local.1],0x000442F64  |.  74 37         je XaLoNg3x_.00442F9D00442F66  |.  B8 38304400   mov eax,aLoNg3x_.00443038                ;  ASCII "You MUST insert a valid Long Integer Value in the Code Editor... Thank you :)"00442F6B  |.  E8 00F6FFFF   call aLoNg3x_.0044257000442F70  |.  8D55 F8       lea edx,[local.2]00442F73  |.  8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]00442F79  |.  E8 C202FEFF   call aLoNg3x_.0042324000442F7E  |.  8B45 F8       mov eax,[local.2]00442F81  |.  E8 06FBFFFF   call aLoNg3x_.00442A8C                   ;  Proc_100442F86  |.  A3 30584400   mov dword ptr ds:[0x445830],eax          ;  ？00442F8B  |.  BA 90304400   mov edx,aLoNg3x_.0044309000442F90  |.  8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]00442F96  |.  E8 D502FEFF   call aLoNg3x_.0042327000442F9B  |.  EB 6F         jmp XaLoNg3x_.0044300C00442F9D  |>  85F6          test esi,esi00442F9F  |.  7E 5A         jle XaLoNg3x_.00442FFB00442FA1  |.  8D55 F8       lea edx,[local.2]00442FA4  |.  8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]00442FAA  |.  E8 9102FEFF   call aLoNg3x_.0042324000442FAF  |.  8B4D F8       mov ecx,[local.2]                        ;  name00442FB2  |.  8BD6          mov edx,esi                              ;  int(codice)00442FB4  |.  A1 30584400   mov eax,dword ptr ds:[0x445830]00442FB9  |.  E8 EAF9FFFF   call aLoNg3x_.004429A8                   ;  判断函数00442FBE  |.  84C0          test al,al00442FC0  |.  74 30         je XaLoNg3x_.00442FF2                    ;  爆破点00442FC2  |.  33D2          xor edx,edx00442FC4  |.  8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]00442FCA  |.  E8 6101FEFF   call aLoNg3x_.0042313000442FCF  |.  B2 01         mov dl,0x100442FD1  |.  8B83 E8020000 mov eax,dword ptr ds:[ebx+0x2E8]00442FD7  |.  E8 5401FEFF   call aLoNg3x_.0042313000442FDC  |.  33D2          xor edx,edx00442FDE  |.  8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]00442FE4  |.  8B08          mov ecx,dword ptr ds:[eax]00442FE6  |.  FF51 60       call dword ptr ds:[ecx+0x60]00442FE9  |.  33C0          xor eax,eax00442FEB  |.  A3 30584400   mov dword ptr ds:[0x445830],eax          ;  000442FF0  |.  EB 1A         jmp XaLoNg3x_.0044300C00442FF2  |>  33C0          xor eax,eax00442FF4  |.  A3 30584400   mov dword ptr ds:[0x445830],eax          ;  000442FF9  |.  EB 11         jmp XaLoNg3x_.0044300C00442FFB  |>  B8 9C304400   mov eax,aLoNg3x_.0044309C                ;  ASCII "Please... The Code Must be > 0"00443000  |.  E8 6BF5FFFF   call aLoNg3x_.0044257000443005  |.  33C0          xor eax,eax00443007  |.  A3 30584400   mov dword ptr ds:[0x445830],eax          ;  00044300C  |>  33C0          xor eax,eax0044300E  |.  5A            pop edx0044300F  |.  59            pop ecx00443010  |.  59            pop ecx00443011  |.  64:8910       mov dword ptr fs:[eax],edx00443014  |.  68 29304400   push aLoNg3x_.0044302900443019  |>  8D45 F8       lea eax,[local.2]0044301C  |.  E8 9707FCFF   call aLoNg3x_.004037B800443021  \.  C3            retn

关键是 call 004429A8 处的判断函数。三个参数 dword ptr ds:[0x445830]，int(codice)， name

其原型大概是：

int Regist_judge(int codice, char *name){int len, sum = 0;int i, j, tmp;len = strlen(name);if(len > 4){for(i=0; i<len; i++){for(j=0; j<len; j++){sum += *((int *)0x00445830) * name[i] * name[j];}}tmp = abs(sum) % 666666;codice = codice % 80 + codice / 89 + 1;if(tmp == codice){return 1;}else{return 0;}}}

重点在(int *)0x00445830的值，最开始一直为0，所以tmp=0，所以要先找哪个地方修改了[0x445830]。

在地址 00442FB4  |.  A1 30584400   mov eax,dword ptr ds:[0x445830] 处右击查找参考。

发现两条有用的赋值操作。双击第一个跟进去。

00442F59  |.  E8 FAF9FBFF   call aLoNg3x_.00402958                   ;  判断是否为数值00442F5E  |.  8BF0          mov esi,eax00442F60  |.  837D FC 00    cmp [local.1],0x000442F64  |.  74 37         je XaLoNg3x_.00442F9D                    ;  跳转00442F66  |.  B8 38304400   mov eax,aLoNg3x_.00443038                ;  ASCII "You MUST insert a valid Long Integer Value in the Code Editor... Thank you :)"00442F6B  |.  E8 00F6FFFF   call aLoNg3x_.0044257000442F70  |.  8D55 F8       lea edx,[local.2]00442F73  |.  8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]00442F79  |.  E8 C202FEFF   call aLoNg3x_.0042324000442F7E  |.  8B45 F8       mov eax,[local.2]00442F81  |.  E8 06FBFFFF   call aLoNg3x_.00442A8C                   ;  Proc_100442F86  |.  A3 30584400   mov dword ptr ds:[0x445830],eax          ;  赋值00442F8B  |.  BA 90304400   mov edx,aLoNg3x_.0044309000442F90  |.  8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]00442F96  |.  E8 D502FEFF   call aLoNg3x_.0042327000442F9B  |.  EB 6F         jmp XaLoNg3x_.0044300C

从注释也可以看出，当Codice输入的不全是数字时才对[0x445830] 赋值操作。

而赋值的值是Proc_1的返回值。

分析Proc_1:

00442A8C  /$  55            push ebp                                 ;  Proc_100442A8D  |.  8BEC          mov ebp,esp00442A8F  |.  51            push ecx00442A90  |.  53            push ebx00442A91  |.  56            push esi00442A92  |.  57            push edi00442A93  |.  8945 FC       mov [local.1],eax00442A96  |.  8B45 FC       mov eax,[local.1]00442A99  |.  E8 4A11FCFF   call aLoNg3x_.00403BE800442A9E  |.  33C0          xor eax,eax00442AA0  |.  55            push ebp00442AA1  |.  68 212B4400   push aLoNg3x_.00442B2100442AA6  |.  64:FF30       push dword ptr fs:[eax]00442AA9  |.  64:8920       mov dword ptr fs:[eax],esp00442AAC  |.  8B45 FC       mov eax,[local.1]00442AAF  |.  E8 800FFCFF   call aLoNg3x_.00403A34                   ;  strlen(codice)00442AB4  |.  83F8 05       cmp eax,0x5                              ;  len 要大于500442AB7  |.  7E 3D         jle XaLoNg3x_.00442AF600442AB9  |.  BE 7B030000   mov esi,0x37B                            ;  sum = 0x37B00442ABE  |.  8B45 FC       mov eax,[local.1]00442AC1  |.  E8 6E0FFCFF   call aLoNg3x_.00403A34                   ;  strlen()00442AC6  |.  8BD8          mov ebx,eax00442AC8  |.  4B            dec ebx00442AC9  |.  85DB          test ebx,ebx00442ACB  |.  7E 2B         jle XaLoNg3x_.00442AF800442ACD  |.  B9 01000000   mov ecx,0x100442AD2  |>  8B45 FC       /mov eax,[local.1]00442AD5  |.  0FB60408      |movzx eax,byte ptr ds:[eax+ecx]         ;  循环 sum += codice[i] * (codice[i+1] % 17 +1);00442AD9  |.  BF 11000000   |mov edi,0x1100442ADE  |.  33D2          |xor edx,edx00442AE0  |.  F7F7          |div edi00442AE2  |.  42            |inc edx00442AE3  |.  8B45 FC       |mov eax,[local.1]00442AE6  |.  0FB64408 FF   |movzx eax,byte ptr ds:[eax+ecx-0x1]00442AEB  |.  0FAFD0        |imul edx,eax00442AEE  |.  03F2          |add esi,edx00442AF0  |.  41            |inc ecx00442AF1  |.  4B            |dec ebx00442AF2  |.^ 75 DE         \jnz XaLoNg3x_.00442AD200442AF4  |.  EB 02         jmp XaLoNg3x_.00442AF800442AF6  |>  33F6          xor esi,esi00442AF8  |>  8BC6          mov eax,esi00442AFA  |.  B9 48710000   mov ecx,0x714800442AFF  |.  99            cdq00442B00  |.  F7F9          idiv ecx00442B02  |.  8BC2          mov eax,edx00442B04  |.  99            cdq00442B05  |.  33C2          xor eax,edx00442B07  |.  2BC2          sub eax,edx00442B09  |.  8BD8          mov ebx,eax00442B0B  |.  33C0          xor eax,eax00442B0D  |.  5A            pop edx00442B0E  |.  59            pop ecx00442B0F  |.  59            pop ecx00442B10  |.  64:8910       mov dword ptr fs:[eax],edx00442B13  |.  68 282B4400   push aLoNg3x_.00442B2800442B18  |>  8D45 FC       lea eax,[local.1]00442B1B  |.  E8 980CFCFF   call aLoNg3x_.004037B800442B20  \.  C3            retn00442B21   .^ E9 5207FCFF   jmp aLoNg3x_.0040327800442B26   .^ EB F0         jmp XaLoNg3x_.00442B1800442B28   .  8BC3          mov eax,ebx                              ;  返回值 sum%0x714800442B2A   .  5F            pop edi00442B2B   .  5E            pop esi00442B2C   .  5B            pop ebx00442B2D   .  59            pop ecx00442B2E   .  5D            pop ebp00442B2F   .  C3            retn

对应的C：

int proc_1(char *codice){int len, sum = 891;int i, j, tmp;len = strlen(codice);if(len > 5){for(i=0; i<len-1; i++){sum += codice[i] * (codice[i+1] % 17 +1);}}return sum % 0x7148;//abcdf->7104}

测试输入“abcdef”， [0x445830] 处的值被修改为0x1BC0。将这个值带入Regist_judge()中，当name=“123456”时，tmp=297702。

即要满足 codice % 80 + codice / 89 + 1 == 297702 按钮就会消失。

没找到数学关系，爆破流走起。

for i in range(26495000, 26500000):if i % 80 + i // 89 == 297701:print(i)break

输出结果为：26495044

小结：

Register消失的流程：

1.Codice编辑框输入长度大于5的非纯数字。

2.点击Register按钮，弹出信息框。此时便修改了 [0x445830]。

3.按Regist_judge()计算正确的Codice，输入，点击按钮，按钮消失。

测试：

name输入 “123456”，Codice先输入“abcdef”，点击按钮，再把Codice修改为“26495044”。按钮消失。出现了新按钮。

再来分析again按钮事件。

和Register一样的操作。重复一遍。

两个按钮都消失了。标题也改了。

4、注册机

import randomname = input('Name:')cat = input('输入长度大于5的非全数值字串：')codice = Nonesum = 891for i in range(len(cat)-1):sum += ord(cat[i]) * (ord(cat[i+1]) % 17 +1)key = sum % 0x7148sum = 0for i in range(len(name)):    for j in range(len(name)):        sum += key * ord(name[i]) * ord(name[j])sum %= 666666# print(sum)l =[]for i in range((sum - 1 - 0) * 89, (sum - 1 - 81) * 89, -1):    # print(i)    if i % 80 + i // 89 == sum - 1:        l.append(i)print('注册流程：',      'Name编辑框输入：%s' % name,      'Codice编辑框输入：%s' % cat,      '点击按钮后把Codice编辑框内容修改为：%s' % l[random.randint(0, len(l))],sep='\n')

一个name对应有多个codice。

结束，不足之处望指点。