160个CrackMe 027 Cosh.1


首先打开
image_1ak62ihds1pl619v1ek64bj95r9.png-6.6kB
发现这是一个CD-check的题目

这里推荐一下《加密与解密 第三版》的5.7节CD-Check还有一个博客
CD-check

大家可以参考

之后用PEiD查一下,没有壳,是C++程序。CD-Check这类题目我们只能通过爆破:
OD运行:

接下来大致分成三种找到关键位置的方式:
1.正常运行:F9之后弹出对话框,我们点击Check for CD之后弹出错误对话框,不点击确定,直接F12暂停程序,然后Alt+K找弹出对话框的函数调用(这是针对会弹出错误对话框这类题目的处理方式)
image_1ak6328u61artk621rk9kc36fam.png-128kB

找到函数调用的部分,show call过去

2.既然是一个CD-Check,那么我们就去找关键函数,GetDriveTypeA是获取磁盘驱动器类型的关键函数
OD载入之后,Ctrl+N 查找所有调用的函数模块
image_1ak638b8i19avqnijbq2i618r413.png-126.4kB
查看调用树,找到调用位置
image_1ak63ap7b1l35nnc12um1uju10o91j.png-3.9kB
反汇编窗口跟随过去即可

3.最简单的方法,直接查找参考文本字符串
image_1ak63d2kqb4g1mbl1g7lqc6too20.png-72kB
失败和成功的字符串一起就找到了,很简单

之后找到关键位置,找跳转语句就很轻松了

; ---- Cosh.1 CD-check result branch (OllyDbg dump, 32-bit MFC code) ----
; The compare that sets ZF for the `je` below sits above 0040138C and is not
; part of this excerpt; the loop head at 0040133D is outside it as well.
; Both outcomes end at the same CWnd::MessageBoxA call at 004013A9 and only
; the two string arguments differ, so one conditional branch decides the
; whole result - that is why the single-instruction patch shown later works.
0040138C     /0F84 F3000000 je Cosh_1.00401485                       ;  the jump: ZF set -> "You did it" block at 00401485
00401392   > |FF45 EC       inc dword ptr ss:[ebp-0x14]              ;  fall-through: next iteration, [ebp-0x14] is the loop counter
00401395   . |83C7 04       add edi,0x4                              ;  edi advances 4 bytes per iteration (what it indexes is not visible here)
00401398   . |837D EC 07    cmp dword ptr ss:[ebp-0x14],0x7
0040139C   .^|75 9F         jnz short Cosh_1.0040133D                ;  loop until the counter reaches 7 (body starts above this excerpt)
; loop exhausted without a hit: failure message. Pushed right-to-left as
; ebx, caption, text - consistent with CWnd::MessageBox(text, caption, type);
; ebx's value is set outside the excerpt.
0040139E   . |53            push ebx
0040139F   . |68 4C304000   push Cosh_1.0040304C                     ;  ASCII "Try again"
004013A4   . |68 40304000   push Cosh_1.00403040                     ;  ASCII "You lost"
004013A9   > |8B4D E4       mov ecx,dword ptr ss:[ebp-0x1C]          ;  shared target of both paths; ecx presumably = this (CWnd*) - confirm
004013AC   . |E8 D1020000   call <jmp.&MFC42.#CWnd::MessageBoxA_4224>
; Cleanup: a run of CString destructors. The `mov byte ptr [ebp-0x4],N`
; before each call with N counting down, the final `or ...,-1`, and the
; restore of fs:[0] from [ebp-0xC] look like MSVC's C++ EH state variable
; and SEH frame unwind - NOTE(review): inferred from the pattern, confirm.
004013B1   . |8D4D E8       lea ecx,dword ptr ss:[ebp-0x18]
004013B4   . |C645 FC 0E    mov byte ptr ss:[ebp-0x4],0xE
004013B8   . |E8 DD020000   call <jmp.&MFC42.#CString::~CString_800>
004013BD   . |56            push esi                                 ;  Cosh_1.<ModuleEntryPoint>
004013BE   . |6A 01         push 0x1
004013C0   . |8D45 DC       lea eax,dword ptr ss:[ebp-0x24]
004013C3   . |6A 04         push 0x4
004013C5   . |50            push eax
004013C6   . |C645 FC 0D    mov byte ptr ss:[ebp-0x4],0xD
004013CA   . |E8 27030000   call Cosh_1.004016F6                     ;  internal helper (args: &[ebp-0x24], 4, 1, esi); purpose not visible here
004013CF   . |8D4D D8       lea ecx,dword ptr ss:[ebp-0x28]
004013D2   . |C645 FC 0C    mov byte ptr ss:[ebp-0x4],0xC
004013D6   . |E8 BF020000   call <jmp.&MFC42.#CString::~CString_800>
004013DB   . |8D4D D4       lea ecx,dword ptr ss:[ebp-0x2C]
004013DE   . |C645 FC 0B    mov byte ptr ss:[ebp-0x4],0xB
004013E2   . |E8 B3020000   call <jmp.&MFC42.#CString::~CString_800>
004013E7   . |8D4D D0       lea ecx,dword ptr ss:[ebp-0x30]
004013EA   . |C645 FC 0A    mov byte ptr ss:[ebp-0x4],0xA
004013EE   . |E8 A7020000   call <jmp.&MFC42.#CString::~CString_800>
004013F3   . |8D4D CC       lea ecx,dword ptr ss:[ebp-0x34]
004013F6   . |C645 FC 09    mov byte ptr ss:[ebp-0x4],0x9
004013FA   . |E8 9B020000   call <jmp.&MFC42.#CString::~CString_800>
004013FF   . |8D4D C8       lea ecx,dword ptr ss:[ebp-0x38]
00401402   . |C645 FC 08    mov byte ptr ss:[ebp-0x4],0x8
00401406   . |E8 8F020000   call <jmp.&MFC42.#CString::~CString_800>
0040140B   . |8D4D C4       lea ecx,dword ptr ss:[ebp-0x3C]
0040140E   . |C645 FC 07    mov byte ptr ss:[ebp-0x4],0x7
00401412   . |E8 83020000   call <jmp.&MFC42.#CString::~CString_800>
00401417   . |8D4D C0       lea ecx,dword ptr ss:[ebp-0x40]
0040141A   . |C645 FC 06    mov byte ptr ss:[ebp-0x4],0x6
0040141E   . |E8 77020000   call <jmp.&MFC42.#CString::~CString_800>
00401423   . |8D4D BC       lea ecx,dword ptr ss:[ebp-0x44]
00401426   . |C645 FC 05    mov byte ptr ss:[ebp-0x4],0x5
0040142A   . |E8 6B020000   call <jmp.&MFC42.#CString::~CString_800>
0040142F   . |8D4D B8       lea ecx,dword ptr ss:[ebp-0x48]
00401432   . |C645 FC 04    mov byte ptr ss:[ebp-0x4],0x4
00401436   . |E8 5F020000   call <jmp.&MFC42.#CString::~CString_800>
0040143B   . |8D4D B4       lea ecx,dword ptr ss:[ebp-0x4C]
0040143E   . |C645 FC 03    mov byte ptr ss:[ebp-0x4],0x3
00401442   . |E8 53020000   call <jmp.&MFC42.#CString::~CString_800>
00401447   . |8D4D B0       lea ecx,dword ptr ss:[ebp-0x50]
0040144A   . |C645 FC 02    mov byte ptr ss:[ebp-0x4],0x2
0040144E   . |E8 47020000   call <jmp.&MFC42.#CString::~CString_800>
00401453   . |8D4D AC       lea ecx,dword ptr ss:[ebp-0x54]
00401456   . |C645 FC 01    mov byte ptr ss:[ebp-0x4],0x1
0040145A   . |E8 3B020000   call <jmp.&MFC42.#CString::~CString_800>
0040145F   . |8D4D A8       lea ecx,dword ptr ss:[ebp-0x58]
00401462   . |885D FC       mov byte ptr ss:[ebp-0x4],bl             ;  bl is stored here instead of an immediate; its value is not visible in the excerpt
00401465   . |E8 30020000   call <jmp.&MFC42.#CString::~CString_800>
0040146A   . |834D FC FF    or dword ptr ss:[ebp-0x4],-0x1
0040146E   . |8D4D A4       lea ecx,dword ptr ss:[ebp-0x5C]
00401471   . |E8 24020000   call <jmp.&MFC42.#CString::~CString_800>
00401476   . |8B4D F4       mov ecx,dword ptr ss:[ebp-0xC]           ;  saved previous fs:[0] value, written back below
00401479   . |5F            pop edi                                  ;  kernel32.740738F4
0040147A   . |5E            pop esi                                  ;  kernel32.740738F4
0040147B   . |5B            pop ebx                                  ;  kernel32.740738F4
0040147C   . |64:890D 00000>mov dword ptr fs:[0],ecx                 ;  Cosh_1.<ModuleEntryPoint>
00401483   . |C9            leave
00401484   . |C3            retn
; success block: only reached via the `je` at 0040138C; it swaps in the
; success strings and jumps back into the common MessageBoxA path.
00401485   > \53            push ebx
00401486   .  68 34304000   push Cosh_1.00403034                     ;  ASCII "You did it"
0040148B   .  68 20304000   push Cosh_1.00403020                     ;  ASCII "Well done, Cracker"
00401490   .^ E9 14FFFFFF   jmp Cosh_1.004013A9                      ;  rejoin the shared MessageBoxA call

爆破,更改

0040138C     /0F84 F3000000 je Cosh_1.00401485                       ;  the original conditional jump (6 bytes: 0F84 + rel32) - this is the patch point

改成无条件跳转:

; Patched bytes as shown on the page: the 6-byte `je` (0F84 rel32) becomes a
; 5-byte `jmp` (E9 rel32) plus one `nop`, so 00401392 still starts the next
; instruction. The rel32 grows by one (F3 -> F4) because the jump itself is
; one byte shorter. The success path at 00401485 is now taken unconditionally.
0040138C     /E9 F4000000   jmp Cosh_1.00401485                      ;  unconditional jump (patch)
00401391     |90            nop                                      ;  pad to the original instruction boundary

dump下来保存成一个新文件
image_1ak63it75sulh1d1e9j1noo1pdg2t.png-109.7kB
成功.

向上看一下这个CD-Check的过程:
使用CreateFile()函数从C盘符查找到P盘符,看看有没有CD_CHECK.DAT这个文件,如果有就打开,但是明显我们没有,所以就失败了。
