160个练手CrackMe-039
1、ASP壳,Delphi
①单步法:
②ESP定律:OD载入后F8一步,发现只有ESP有变化,可以用ESP定律法,输入命令:dd esp。断点->硬件访问->DWord。F9。(win10上脱出来无法运行,xp上成功,但是查壳还显示ASP)
2、DeDark无效
OD载入,定位到消息处理函数。
; Message-handler dispatch: ax holds the control ID of the sender and each cmp/je pair routes
; to that control's handler. The 0x3EC case (the Key edit box, handler at 00401147 below)
; is the path that ends in the serial check.
004010DE |. /0F84 C5010000 je damn_unp.004012A9 ; Button_LOCKED
004010E4 |. |66:3D F203 cmp ax,0x3F2
004010E8 |.^|74 BE je Xdamn_unp.004010A8
004010EA |. |66:3D ED03 cmp ax,0x3ED
004010EE |. |74 15 je Xdamn_unp.00401105 ; Button_Register
004010F0 |. |66:3D EB03 cmp ax,0x3EB
004010F4 |. |74 2C je Xdamn_unp.00401122 ; Name
004010F6 |. |66:3D EC03 cmp ax,0x3EC
004010FA |. |74 4B je Xdamn_unp.00401147 ; Key -> handler at 00401147 (reads control 0x3EC via GetDlgItemTextA)
关键点在Key。
; Handler for the Key edit box (control 0x3EC): read its text, store the length, call the
; check routine at 004012F3, and pass its result straight to EnableWindow for the Register button.
00401147 |> \6A 22 push 0x22 ; /Count = 22 (34.) - size of the receiving buffer at 00402321
00401149 |. 68 21234000 push damn_unp.00402321 ; |lpString = Key buffer (also read by the check routine at 0040132B)
0040114E |. 68 EC030000 push 0x3EC ; |ControlID = 3EC (1004.)
00401153 |. FF35 91234000 push dword ptr ds:[0x402391] ; |hWnd = 00040AB2 ('DAMN's TryMe - CRACKED!',class='#32770')
00401159 |. E8 A1020000 call <jmp.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
0040115E |. A3 8D234000 mov dword ptr ds:[0x40238D],eax ; store len(Key) - the check routine reads it at 00401330
00401163 |. E8 8B010000 call damn_unp.004012F3 ; check routine: eax = 1 if the Name/Key pair is accepted, else 0
00401168 |. 50 push eax ; /Enable = result of the check, used directly as EnableWindow's flag
00401169 |. FF35 85234000 push dword ptr ds:[0x402385] ; |hWnd = 00010B24 ('Register',class='Button',parent=00040AB2)
0040116F |. E8 79020000 call <jmp.&user32.EnableWindow> ; \EnableWindow - a single boolean gate decides the Register button
00401174 |. 33C0 xor eax,eax ; enable the Register button (author's note on the call above); eax is cleared here after it returns
函数 004012F3 返回 1 时,其返回值 eax 直接作为 EnableWindow 的 Enable 参数压栈,注册按钮被使能;返回 0 则按钮保持禁用。
; Check routine (called from 00401163). Derives a 32-bit value from Name with a ror/xor loop,
; then requires Key to be exactly 8 characters spelling that value as uppercase hex, most
; significant byte first. Returns eax = 1 when every digit matches; eax = 0 for an empty Name
; or a Key whose length is not 8. The two mismatch branches jump to obfuscated targets (see notes).
004012F3 /$ 90 nop
004012F4 |. 8B0D 89234000 mov ecx,dword ptr ds:[0x402389] ; len(Name)
004012FA |. 85C9 test ecx,ecx
004012FC |. 74 71 je Xdamn_unp.0040136F ; empty Name -> return 0
004012FE |. 49 dec ecx
004012FF |. 8BF1 mov esi,ecx ; esi = last index (len-1), loop bound
00401301 |. BF 53234000 mov edi,damn_unp.00402353 ; Name
00401306 |. BB 4E4D4144 mov ebx,0x44414D4E ; seed constant: bytes 44 41 4D 4E = "DAMN"
0040130B |. 33D2 xor edx,edx ; edx = running byte sum
0040130D |. 8BCA mov ecx,edx ; ecx = i = 0
0040130F |> 33C0 /xor eax,eax
00401311 |. 8A040F |mov al,byte ptr ds:[edi+ecx] ; al = name[i]
00401314 |. 03D0 |add edx,eax ; sum += name[i]
00401316 |. D1CB |ror ebx,1 ; rotate right by 1 (ror, not a shift: bits wrap around)
00401318 |. D3CB |ror ebx,cl ; rotate right by i (cl = low byte of i; count is taken mod 32)
0040131A |. 33DA |xor ebx,edx ; ebx ^= sum
0040131C |. 3BCE |cmp ecx,esi
0040131E |. 74 03 |je Xdamn_unp.00401323 ; last character processed
00401320 |. 41 |inc ecx
00401321 |.^ EB EC \jmp Xdamn_unp.0040130F
00401323 |> 81CB 10101010 or ebx,0x10101010 ; sets bit 4 of every byte of the result
00401329 |. 87DA xchg edx,ebx ; edx = derived value; ebx is only used as scratch (bl) from here on
0040132B |. BF 21234000 mov edi,damn_unp.00402321 ; Key
00401330 |. 8B0D 8D234000 mov ecx,dword ptr ds:[0x40238D] ; len(Key)
00401336 |. 83F9 08 cmp ecx,0x8
00401339 |. 75 34 jnz Xdamn_unp.0040136F ; Key must be exactly 8 characters, otherwise return 0
0040133B |. 33C9 xor ecx,ecx ; ecx = i = 0 (byte index, 4 iterations)
0040133D |> 33C0 /xor eax,eax
0040133F |. C1C2 08 |rol edx,0x8 ; bring the next byte (most significant first) into dl
00401342 |. 8AC2 |mov al,dl
00401344 |. 8AD8 |mov bl,al
00401346 |. 24 0F |and al,0xF ; al = low nibble
00401348 |. C0EB 04 |shr bl,0x4
0040134B |. 80E3 0F |and bl,0xF ; bl = high nibble
0040134E |. 3C 0A |cmp al,0xA
00401350 |. 1C 69 |sbb al,0x69
00401352 |. 2F |das ; cmp/sbb/das: converts the nibble to an ASCII hex digit ('0'-'9', 'A'-'F')
00401353 |. 38444F 01 |cmp byte ptr ds:[edi+ecx*2+0x1],al ; key[2i+1] vs the low-nibble digit
00401357 ^ 75 90 |jnz Xdamn_unp.004012E9 ; mismatch -> return 0 (author's note); target lies before the routine start, not shown in this listing
00401359 |. 8AC3 |mov al,bl
0040135B |. 3C 0A |cmp al,0xA
0040135D |. 1C 69 |sbb al,0x69
0040135F |. 2F |das ; same nibble -> ASCII conversion for the high nibble
00401360 |. 38044F |cmp byte ptr ds:[edi+ecx*2],al ; key[2i] vs the high-nibble digit
00401363 ^ 75 90 |jnz Xdamn_unp.004012F5 ; mismatch -> return 0 (author's note); 004012F5 is one byte inside the mov at 004012F4, so this path decodes an overlapping instruction stream (anti-disassembly) - not traceable from this listing
00401365 |. 41 |inc ecx
00401366 |. 83F9 04 |cmp ecx,0x4
00401369 |.^ 75 D2 \jnz Xdamn_unp.0040133D ; loop over all 4 bytes / 8 digits
0040136B |. 33C0 xor eax,eax
0040136D |. 40 inc eax ; return 1 (accepted)
0040136E |. C3 retn
0040136F |> 33C0 xor eax,eax ; return 0 (rejected)
00401371 \. C3 retn
3、爆破
注册机写得有些蓝瘦,爆破。两处返回0的地方直接nop覆盖(00401357、00401363)。