160个练手CrackMe-034


1、无壳

FileKey类型

2、OD载入

; Key-file check, as shown by the debugger listing:
;   1. open CRACKME3.KEY (must already exist),
;   2. read exactly 0x12 (18) bytes into the buffer at 00402008,
;   3. run two helper routines on that buffer and compare their results.
; Every failing step branches to 00401037, the " - Uncracked" path.
00401016  |.  6A 00         push 0x0                                 ; /hTemplateFile = NULL
00401018  |.  68 80000000   push 0x80                                ; |Attributes = NORMAL
0040101D  |.  6A 03         push 0x3                                 ; |Mode = OPEN_EXISTING
0040101F  |.  6A 00         push 0x0                                 ; |pSecurity = NULL
00401021  |.  6A 03         push 0x3                                 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401023  |.  68 000000C0   push 0xC0000000                          ; |Access = GENERIC_READ|GENERIC_WRITE
00401028  |.  68 D7204000   push Cruehead.004020D7                   ; |CRACKME3.KEY
0040102D  |.  E8 76040000   call <jmp.&KERNEL32.CreateFileA>         ; \CreateFileA
; eax == -1 is INVALID_HANDLE_VALUE: the key file could not be opened.
00401032  |.  83F8 FF       cmp eax,-0x1
00401035  |.  75 0C         jnz XCruehead.00401043
00401037  |>  68 0E214000   push Cruehead.0040210E                   ;  CrackMe v3.0
0040103C  |.  E8 B4020000   call Cruehead.004012F5                   ;  " - Uncracked"
00401041  |.  EB 6B         jmp XCruehead.004010AE
00401043  |>  A3 F5204000   mov dword ptr ds:[0x4020F5],eax          ;  file handle
00401048  |.  B8 12000000   mov eax,0x12
0040104D  |.  BB 08204000   mov ebx,Cruehead.00402008                ;  ASCII "              opqr"
00401052  |.  6A 00         push 0x0                                 ; /pOverlapped = NULL
00401054  |.  68 A0214000   push Cruehead.004021A0                   ; |pBytesRead = Cruehead.004021A0
00401059  |.  50            push eax                                 ; |BytesToRead => 12 (18.)
0040105A  |.  53            push ebx                                 ; |Buffer => Cruehead.00402008
0040105B  |.  FF35 F5204000 push dword ptr ds:[0x4020F5]             ; |hFile = 000001E8
00401061  |.  E8 30040000   call <jmp.&KERNEL32.ReadFile>            ; \ReadFile
00401066  |.  833D A0214000>cmp dword ptr ds:[0x4021A0],0x12         ;  bytes actually read must equal 0x12
0040106D  |.^ 75 C8         jnz XCruehead.00401037
0040106F  |.  68 08204000   push Cruehead.00402008                   ;  key-file buffer filled by ReadFile above
00401074  |.  E8 98020000   call Cruehead.00401311                   ;  handler routine 1
; The dword at 0x4020F9 is XORed with 0x12345678 before the comparison below.
00401079  |.  8135 F9204000>xor dword ptr ds:[0x4020F9],0x12345678
00401083  |.  83C4 04       add esp,0x4
00401086  |.  68 08204000   push Cruehead.00402008                   ;  same key-file buffer
0040108B  |.  E8 AC020000   call Cruehead.0040133C                   ;  handler routine 2
00401090  |.  83C4 04       add esp,0x4
00401093  |.  3B05 F9204000 cmp eax,dword ptr ds:[0x4020F9]          ;  compare routine 2's result with the XORed dword
00401099  |.  0F94C0        sete al
0040109C  |.  50            push eax
0040109D  |.  84C0          test al,al
0040109F  |.^ 74 96         je XCruehead.00401037                    ;  not equal: jump to the failure path

call 00401311() 处理 Serial 的前14个字节得到一个值,该值与 0x12345678 异或后,和 Serial 的后4个字节(按32位整数读取)比较:相同则成功,不相同则失败。

原型:

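/*
 * C reconstruction of the key-file checksum: the routine at 0x00401311
 * combined with the XOR by 0x12345678 that its caller applies afterwards.
 *
 * XORs each of the first 14 bytes of `serial` in place with 0x41 + i and
 * adds every transformed byte to a running sum. The loop stops early once
 * a transformed byte is zero (that zero byte has already been added).
 *
 * serial: writable buffer of at least 14 bytes; it is modified in place.
 * Returns the running sum XORed with 0x12345678.
 */
int call_00401311(char *serial){
    int sum = 0;
    for(int i = 0; i < 0xE; i++){
        serial[i] ^= 0x41 + i;
        /* NOTE(review): plain char may be signed, so a transformed byte
         * >= 0x80 is added as a negative value here. The disassembly of
         * 0x00401311 is not shown on this page; confirm how the binary
         * widens the byte before relying on this for non-ASCII keys. */
        sum += serial[i];
        if(serial[i] == 0)
            break;
    }
    return sum ^ 0x12345678;
}

/*
 * Decides whether an 18-byte key-file image passes the check.
 *
 * Layout: bytes 0..13 are the serial, bytes 14..17 hold the expected
 * checksum as a little-endian 32-bit value (the target is an x86 binary).
 * The stored value is assembled byte by byte instead of through
 * *(int *)(serial + 14): offset 14 is not 4-byte aligned, so the cast is
 * a misaligned, type-punned read.
 *
 * serial: writable buffer of at least 18 bytes; the first 14 bytes are
 *         overwritten by call_00401311().
 * Returns 1 ("Y") when the checksum matches, 0 ("N") otherwise.
 */
int keyfile_is_valid(char *serial){
    /* Read the stored checksum first; the call below only touches bytes 0..13. */
    unsigned int stored =
          (unsigned int)(unsigned char)serial[14]
        | ((unsigned int)(unsigned char)serial[15] << 8)
        | ((unsigned int)(unsigned char)serial[16] << 16)
        | ((unsigned int)(unsigned char)serial[17] << 24);

    return (unsigned int)call_00401311(serial) == stored;
}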

3、注册机

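/*
 * Checksum used by the key-file check (reconstruction of the routine at
 * 0x00401311 plus the caller's XOR with 0x12345678).
 *
 * XORs each of the first 14 bytes of `serial` in place with 0x41 + i and
 * adds every transformed byte to a running sum; stops early once a
 * transformed byte is zero (that zero byte has already been added).
 *
 * serial: writable buffer of at least 14 bytes; it is modified in place.
 * Returns the running sum XORed with 0x12345678.
 */
int call_00401311(char *serial){
    int sum = 0;
    for(int i = 0; i < 0xE; i++){
        serial[i] ^= 0x41 + i;
        // NOTE(review): plain char may be signed, so a transformed byte
        // >= 0x80 is added as a negative value. The disassembly of
        // 0x00401311 is not shown on this page; confirm how the binary
        // widens the byte before using non-ASCII serials.
        sum += serial[i];
        if(serial[i] == 0)
            break;
    }
    return sum ^ 0x12345678;
}

/*
 * Writes CRACKME3.KEY for this practice crackme: 14 serial bytes followed
 * by the 4-byte checksum in little-endian order (18 bytes in total, the
 * length the target reads).
 *
 * Returns 0 on success and 1 when the input is not exactly 14 characters
 * or the file cannot be written.
 */
int main(){
    // Zero-filled so a short or failed read never leaves stray bytes behind.
    char serial[15] = {0};

    std::cout << "Please enter a string with a length of 14:" << std::endl;

    // Bound the extraction to the buffer: an unbounded `cin >> char[]`
    // overflows the 15-byte array on longer input. Extra characters are
    // left in the stream, so longer input is truncated to 14 characters.
    std::cin.width(sizeof serial);
    std::cin >> serial;

    int len = 0;
    while(serial[len] != '\0')
        len++;
    if(!std::cin || len != 0x0E){
        std::cerr << "Expected exactly 14 characters" << std::endl;
        return 1;
    }

    FILE *fp = fopen("CRACKME3.KEY", "wb+");
    if(!fp){
        std::cerr << "Cannot open CRACKME3.KEY for writing" << std::endl;
        return 1;
    }

    // Write the serial before computing the checksum: call_00401311()
    // overwrites the buffer with the XOR-transformed bytes.
    bool ok = fwrite(serial, 0x0E, 1, fp) == 1;

    // Emit the checksum byte by byte so the file layout does not depend on
    // the host's int size or byte order.
    const unsigned int checksum = (unsigned int)call_00401311(serial);
    const unsigned char tail[4] = {
        (unsigned char)(checksum & 0xFF),
        (unsigned char)((checksum >> 8) & 0xFF),
        (unsigned char)((checksum >> 16) & 0xFF),
        (unsigned char)((checksum >> 24) & 0xFF)
    };
    ok = ok && fwrite(tail, sizeof tail, 1, fp) == 1;

    // fclose flushes buffered data; a failure here means the key file is incomplete.
    if(fclose(fp) != 0)
        ok = false;

    if(!ok){
        std::cerr << "Failed to write CRACKME3.KEY" << std::endl;
        return 1;
    }
    return 0;
}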
