160个练手CrackMe-007
1、无壳,Delphi编写。
2、Dark查看事件。
3、OD载入,目标是让按钮消失。
首先分析Register按钮事件。
00442F28 /. 55 push ebp ; RegisterzClick00442F29 |. 8BEC mov ebp,esp00442F2B |. 83C4 F8 add esp,-0x800442F2E |. 53 push ebx00442F2F |. 56 push esi00442F30 |. 33C9 xor ecx,ecx00442F32 |. 894D F8 mov [local.2],ecx00442F35 |. 8BD8 mov ebx,eax00442F37 |. 33C0 xor eax,eax00442F39 |. 55 push ebp00442F3A |. 68 22304400 push aLoNg3x_.0044302200442F3F |. 64:FF30 push dword ptr fs:[eax]00442F42 |. 64:8920 mov dword ptr fs:[eax],esp00442F45 |. 8D55 F8 lea edx,[local.2]00442F48 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]00442F4E |. E8 ED02FEFF call aLoNg3x_.0042324000442F53 |. 8B45 F8 mov eax,[local.2]00442F56 |. 8D55 FC lea edx,[local.1]00442F59 |. E8 FAF9FBFF call aLoNg3x_.0040295800442F5E |. 8BF0 mov esi,eax00442F60 |. 837D FC 00 cmp [local.1],0x000442F64 |. 74 37 je XaLoNg3x_.00442F9D00442F66 |. B8 38304400 mov eax,aLoNg3x_.00443038 ; ASCII "You MUST insert a valid Long Integer Value in the Code Editor... Thank you :)"00442F6B |. E8 00F6FFFF call aLoNg3x_.0044257000442F70 |. 8D55 F8 lea edx,[local.2]00442F73 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]00442F79 |. E8 C202FEFF call aLoNg3x_.0042324000442F7E |. 8B45 F8 mov eax,[local.2]00442F81 |. E8 06FBFFFF call aLoNg3x_.00442A8C ; Proc_100442F86 |. A3 30584400 mov dword ptr ds:[0x445830],eax ; ?00442F8B |. BA 90304400 mov edx,aLoNg3x_.0044309000442F90 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]00442F96 |. E8 D502FEFF call aLoNg3x_.0042327000442F9B |. EB 6F jmp XaLoNg3x_.0044300C00442F9D |> 85F6 test esi,esi00442F9F |. 7E 5A jle XaLoNg3x_.00442FFB00442FA1 |. 8D55 F8 lea edx,[local.2]00442FA4 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]00442FAA |. E8 9102FEFF call aLoNg3x_.0042324000442FAF |. 8B4D F8 mov ecx,[local.2] ; name00442FB2 |. 8BD6 mov edx,esi ; int(codice)00442FB4 |. A1 30584400 mov eax,dword ptr ds:[0x445830]00442FB9 |. E8 EAF9FFFF call aLoNg3x_.004429A8 ; 判断函数00442FBE |. 84C0 test al,al00442FC0 |. 74 30 je XaLoNg3x_.00442FF2 ; 爆破点00442FC2 |. 33D2 xor edx,edx00442FC4 |. 
8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]00442FCA |. E8 6101FEFF call aLoNg3x_.0042313000442FCF |. B2 01 mov dl,0x100442FD1 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+0x2E8]00442FD7 |. E8 5401FEFF call aLoNg3x_.0042313000442FDC |. 33D2 xor edx,edx00442FDE |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]00442FE4 |. 8B08 mov ecx,dword ptr ds:[eax]00442FE6 |. FF51 60 call dword ptr ds:[ecx+0x60]00442FE9 |. 33C0 xor eax,eax00442FEB |. A3 30584400 mov dword ptr ds:[0x445830],eax ; 000442FF0 |. EB 1A jmp XaLoNg3x_.0044300C00442FF2 |> 33C0 xor eax,eax00442FF4 |. A3 30584400 mov dword ptr ds:[0x445830],eax ; 000442FF9 |. EB 11 jmp XaLoNg3x_.0044300C00442FFB |> B8 9C304400 mov eax,aLoNg3x_.0044309C ; ASCII "Please... The Code Must be > 0"00443000 |. E8 6BF5FFFF call aLoNg3x_.0044257000443005 |. 33C0 xor eax,eax00443007 |. A3 30584400 mov dword ptr ds:[0x445830],eax ; 00044300C |> 33C0 xor eax,eax0044300E |. 5A pop edx0044300F |. 59 pop ecx00443010 |. 59 pop ecx00443011 |. 64:8910 mov dword ptr fs:[eax],edx00443014 |. 68 29304400 push aLoNg3x_.0044302900443019 |> 8D45 F8 lea eax,[local.2]0044301C |. E8 9707FCFF call aLoNg3x_.004037B800443021 \. C3 retn关键是 call 004429A8 处的判断函数。三个参数 dword ptr ds:[0x445830],int(codice), name
其原型大概是:
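/*
 * Pure core of the Register check (reconstruction of the routine at 004429A8,
 * whose disassembly is not reproduced on this page): returns 1 when codice
 * matches name under key, 0 otherwise.
 *
 * The accumulator is unsigned so that 32-bit wrap is reproduced without signed-
 * overflow UB; the wrap-then-abs() reading of the binary is the author's and
 * should be confirmed against 004429A8.  Bytes of name are read unsigned, as the
 * movzx loads in Proc_1 do for Codice — assumed to hold here as well.
 */
static int regist_judge_with_key(int codice, const char *name, int key)
{
    size_t len = strlen(name);
    if (len <= 4) {
        /* Short names never register.  The original reconstruction fell off
         * the end of the function on this path (UB); 0 is the assumed result. */
        return 0;
    }
    unsigned acc = 0;
    for (size_t i = 0; i < len; i++) {
        for (size_t j = 0; j < len; j++) {
            acc += (unsigned)key * (unsigned char)name[i] * (unsigned char)name[j];
        }
    }
    /* Converting an out-of-range unsigned to int is implementation-defined;
     * it wraps on the two's-complement compilers this reconstruction targets.
     * Widen before negating so that INT_MIN does not overflow. */
    long long mag = (int)acc;
    if (mag < 0) {
        mag = -mag;
    }
    int tmp = (int)(mag % 666666);
    int want = codice % 80 + codice / 89 + 1;
    return tmp == want;
}

/*
 * Entry point as the binary calls it: the key is the global at [0x445830],
 * written by the Register handler (see 00442F86) from Proc_1's return value.
 * codice is the parsed Code editor value, name the Name editor text.
 */
int Regist_judge(int codice, char *name)
{
    int key = *(int *)0x00445830;
    return regist_judge_with_key(codice, name, key);
}
重点在(int *)0x00445830的值,最开始一直为0,所以tmp=0,所以要先找哪个地方修改了[0x445830]。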
在地址 00442FB4 |. A1 30584400 mov eax,dword ptr ds:[0x445830] 处右击查找参考。
发现两条有用的赋值操作。双击第一个跟进去。
00442F59 |. E8 FAF9FBFF call aLoNg3x_.00402958 ; 判断是否为数值00442F5E |. 8BF0 mov esi,eax00442F60 |. 837D FC 00 cmp [local.1],0x000442F64 |. 74 37 je XaLoNg3x_.00442F9D ; 跳转00442F66 |. B8 38304400 mov eax,aLoNg3x_.00443038 ; ASCII "You MUST insert a valid Long Integer Value in the Code Editor... Thank you :)"00442F6B |. E8 00F6FFFF call aLoNg3x_.0044257000442F70 |. 8D55 F8 lea edx,[local.2]00442F73 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]00442F79 |. E8 C202FEFF call aLoNg3x_.0042324000442F7E |. 8B45 F8 mov eax,[local.2]00442F81 |. E8 06FBFFFF call aLoNg3x_.00442A8C ; Proc_100442F86 |. A3 30584400 mov dword ptr ds:[0x445830],eax ; 赋值00442F8B |. BA 90304400 mov edx,aLoNg3x_.0044309000442F90 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]00442F96 |. E8 D502FEFF call aLoNg3x_.0042327000442F9B |. EB 6F jmp XaLoNg3x_.0044300C从注释也可以看出,当Codice输入的不全是数字时才对[0x445830] 赋值操作。
而赋值的值是Proc_1的返回值。
分析Proc_1:
00442A8C /$ 55 push ebp ; Proc_100442A8D |. 8BEC mov ebp,esp00442A8F |. 51 push ecx00442A90 |. 53 push ebx00442A91 |. 56 push esi00442A92 |. 57 push edi00442A93 |. 8945 FC mov [local.1],eax00442A96 |. 8B45 FC mov eax,[local.1]00442A99 |. E8 4A11FCFF call aLoNg3x_.00403BE800442A9E |. 33C0 xor eax,eax00442AA0 |. 55 push ebp00442AA1 |. 68 212B4400 push aLoNg3x_.00442B2100442AA6 |. 64:FF30 push dword ptr fs:[eax]00442AA9 |. 64:8920 mov dword ptr fs:[eax],esp00442AAC |. 8B45 FC mov eax,[local.1]00442AAF |. E8 800FFCFF call aLoNg3x_.00403A34 ; strlen(codice)00442AB4 |. 83F8 05 cmp eax,0x5 ; len 要大于500442AB7 |. 7E 3D jle XaLoNg3x_.00442AF600442AB9 |. BE 7B030000 mov esi,0x37B ; sum = 0x37B00442ABE |. 8B45 FC mov eax,[local.1]00442AC1 |. E8 6E0FFCFF call aLoNg3x_.00403A34 ; strlen()00442AC6 |. 8BD8 mov ebx,eax00442AC8 |. 4B dec ebx00442AC9 |. 85DB test ebx,ebx00442ACB |. 7E 2B jle XaLoNg3x_.00442AF800442ACD |. B9 01000000 mov ecx,0x100442AD2 |> 8B45 FC /mov eax,[local.1]00442AD5 |. 0FB60408 |movzx eax,byte ptr ds:[eax+ecx] ; 循环 sum += codice[i] * (codice[i+1] % 17 +1);00442AD9 |. BF 11000000 |mov edi,0x1100442ADE |. 33D2 |xor edx,edx00442AE0 |. F7F7 |div edi00442AE2 |. 42 |inc edx00442AE3 |. 8B45 FC |mov eax,[local.1]00442AE6 |. 0FB64408 FF |movzx eax,byte ptr ds:[eax+ecx-0x1]00442AEB |. 0FAFD0 |imul edx,eax00442AEE |. 03F2 |add esi,edx00442AF0 |. 41 |inc ecx00442AF1 |. 4B |dec ebx00442AF2 |.^ 75 DE \jnz XaLoNg3x_.00442AD200442AF4 |. EB 02 jmp XaLoNg3x_.00442AF800442AF6 |> 33F6 xor esi,esi00442AF8 |> 8BC6 mov eax,esi00442AFA |. B9 48710000 mov ecx,0x714800442AFF |. 99 cdq00442B00 |. F7F9 idiv ecx00442B02 |. 8BC2 mov eax,edx00442B04 |. 99 cdq00442B05 |. 33C2 xor eax,edx00442B07 |. 2BC2 sub eax,edx00442B09 |. 8BD8 mov ebx,eax00442B0B |. 33C0 xor eax,eax00442B0D |. 5A pop edx00442B0E |. 59 pop ecx00442B0F |. 59 pop ecx00442B10 |. 64:8910 mov dword ptr fs:[eax],edx00442B13 |. 68 282B4400 push aLoNg3x_.00442B2800442B18 |> 8D45 FC lea eax,[local.1]00442B1B |. 
E8 980CFCFF call aLoNg3x_.004037B800442B20 \. C3 retn00442B21 .^ E9 5207FCFF jmp aLoNg3x_.0040327800442B26 .^ EB F0 jmp XaLoNg3x_.00442B1800442B28 . 8BC3 mov eax,ebx ; 返回值 sum%0x714800442B2A . 5F pop edi00442B2B . 5E pop esi00442B2C . 5B pop ebx00442B2D . 59 pop ecx00442B2E . 5D pop ebp00442B2F . C3 retn对应的C:
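/*
 * Reconstruction of Proc_1 (00442A8C): derives the value the Register handler
 * stores at [0x445830] from the Codice string.
 *
 * Follows the disassembly above rather than a naive reading: bytes are loaded
 * with movzx (unsigned) and the per-byte factor comes from an unsigned div by
 * 17, so bytes >= 0x80 must not go negative here; and a string of length <= 5
 * yields 0, because the jle at 00442AB7 lands on xor esi,esi — not the 891 seed.
 *
 * Returns |sum % 0x7148|, the cdq/idiv/cdq/xor/sub sequence at 00442AFA.
 * The 32-bit accumulator can only wrap for inputs of ~495k bytes; not modelled.
 */
int proc_1(char *codice)
{
    size_t len = strlen(codice);
    if (len <= 5) {
        return 0;
    }
    int sum = 0x37B;  /* 891, the seed loaded into esi at 00442AB9 */
    for (size_t i = 0; i + 1 < len; i++) {
        unsigned cur = (unsigned char)codice[i];
        unsigned next = (unsigned char)codice[i + 1];
        sum += (int)(cur * (next % 17 + 1));
    }
    int r = sum % 0x7148;
    return r < 0 ? -r : r;  /* "abcdef" -> 7104 (0x1BC0) */
}
测试输入“abcdef”, [0x445830] 处的值被修改为0x1BC0。将这个值带入Regist_judge()中,当name=“123456”时,tmp=297702。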
即要满足 codice % 80 + codice / 89 + 1 == 297702 按钮就会消失。
没找到数学关系,爆破流走起。
# Brute-force the Codice over the author's chosen window: the first value whose
# transformed form (c % 80 + c // 89 + 1) equals the tmp of 297702 computed above.
hit = next(
    (c for c in range(26495000, 26500000) if c % 80 + c // 89 == 297701),
    None,
)
if hit is not None:
    print(hit)
输出结果为:26495044
小结:
Register消失的流程:
1.Codice编辑框输入长度大于5的非纯数字。
2.点击Register按钮,弹出信息框。此时便修改了 [0x445830]。
3.按Regist_judge()计算正确的Codice,输入,点击按钮,按钮消失。
测试:
name输入 “123456”,Codice先输入“abcdef”,点击按钮,再把Codice修改为“26495044”。按钮消失。出现了新按钮。
再来分析again按钮事件。
和Register一样的操作。重复一遍。
两个按钮都消失了。标题也改了。
4、注册机
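import random


def proc_1_key(cat):
    """Reconstruction of Proc_1: the value the Register handler stores at [0x445830].

    Mirrors the disassembly: seed 891 (0x37B), one term per adjacent byte pair,
    result reduced mod 0x7148.  Strings of length <= 5 yield 0 in the binary
    (the jle at 00442AB7 lands on xor esi,esi), so the same is done here.
    NOTE(review): ord() gives Unicode code points while the binary works on
    bytes, so only ASCII input is guaranteed to agree.
    """
    if len(cat) <= 5:
        return 0
    total = 891
    for cur, nxt in zip(cat, cat[1:]):
        total += ord(cur) * (ord(nxt) % 17 + 1)
    return total % 0x7148


def name_checksum(name, key):
    """The value Regist_judge compares the transformed Codice against.

    Sum over all (i, j) of key * name[i] * name[j], reduced mod 666666.
    NOTE(review): Python ints do not wrap; the 32-bit binary does (abs() of the
    wrapped sum in the C reconstruction), so very long names may disagree —
    confirm against 004429A8.
    """
    total = 0
    for ci in name:
        for cj in name:
            total += key * ord(ci) * ord(cj)
    return total % 666666


def candidate_codes(target):
    """Positive Codice values c with c % 80 + c // 89 + 1 == target.

    Searches the same descending window as the original script.  c > 0 is
    required because the handler rejects non-positive codes ("The Code Must
    be > 0"), and Python's floor division would differ from the binary's
    truncating div for negative c anyway.
    """
    want = target - 1
    return [
        c
        for c in range((want - 0) * 89, (want - 81) * 89, -1)
        if c > 0 and c % 80 + c // 89 == want
    ]


def main():
    """Interactive keygen: prompt for Name and the seeding Codice, print the steps."""
    name = input('Name:')
    cat = input('输入长度大于5的非全数值字串:')
    key = proc_1_key(cat)
    codes = candidate_codes(name_checksum(name, key))
    # The original indexed with randint(0, len(l)), which can raise IndexError
    # (inclusive upper bound) and also crashes on an empty list.
    if not codes:
        raise SystemExit('未找到满足条件的Codice,请更换Name或Codice字串')
    print('注册流程:', 'Name编辑框输入:%s' % name, 'Codice编辑框输入:%s' % cat, '点击按钮后把Codice编辑框内容修改为:%s' % random.choice(codes),sep='\n')


if __name__ == '__main__':
    main()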
结束,不足之处望指点。