Crackme 20


首先用PEID检测一下
这里写图片描述
检测结果:程序加了 WWPack32 壳,这是一种经典的压缩壳。我目前接触的带壳程序不多,上次是直接用脱壳软件搞定的,这次跟着教程手动脱了一下。
首先单步调试找到跨段跳转
这里写图片描述
跳入之后下断点(跨段跳转的目标一般就是程序原本开始的地方,即OEP),但此时调试器里显示的不是反汇编代码,看着比较难受。
这里写图片描述
首先脱壳
这里写图片描述
脱壳之后的程序打不开,而我看有的题解上脱壳后是可以打开的。(可能是导入表没有修复好,待确认;不过这不影响后面的静态分析。)
再用PEID查看程序是用什么语言编写的
这里写图片描述
利用dede反编译没有什么成果,直接利用IDR分析Delphi

; IDR disassembly of the Delphi button-click handler (32-bit x86, Intel syntax).
; Immediates and offsets are printed in hex without a prefix (2C8, 0A, 32 ...).
; The leading '>' / '<' on some addresses appear to be the disassembler's
; forward / backward jump markers - TODO confirm against IDR's legend.
;
; What the handler does, as far as the listing shows:
;   1. reads the text of Edit2 and converts it with StrToInt and StrToInt64
;   2. adds the 32-bit value (sign-extended) to the 64-bit value twice,
;      i.e. computes 3 * input as a 64-bit integer
;   3. formats that with IntToHex (eax = 6) and writes it into Edit3
;   4. reads Edit3 back and compares it with the text of Label1 (@LStrCmp)
;   5. equal     -> Label2 is made visible
;      different -> Label6.Top is reduced by 0A
;   6. if Label6.Top is below 32 (hex) afterwards, the form is closed
; Review note: the expected value is a string stored in the form and the
; transformation is a plain multiplication, so the check is recoverable by
; static analysis alone; the packer only delays that analysis.
Unit1::TForm1.Button1Click
; --- prologue: frame pointer, four zeroed dword locals ([ebp-4]..[ebp-10]) ---
 0044A2E8    push       ebp
 0044A2E9    mov        ebp,esp
 0044A2EB    xor        ecx,ecx
 0044A2ED    push       ecx
 0044A2EE    push       ecx
 0044A2EF    push       ecx
 0044A2F0    push       ecx
 0044A2F1    push       ebx
 0044A2F2    push       esi
; ebx = object passed in eax; the IDR annotations below resolve [ebx+...] as TForm1 fields
 0044A2F3    mov        ebx,eax
; --- push an exception frame (handler 44A3E4) and link it at fs:[0] ---
 0044A2F5    xor        eax,eax
 0044A2F7    push       ebp
 0044A2F8    push       44A3E4
 0044A2FD    push       dword ptr fs:[eax]
 0044A300    mov        dword ptr fs:[eax],esp
; --- [ebp-4] = Edit2.Text (the user's input) ---
 0044A303    lea        edx,[ebp-4]
 0044A306    mov        eax,dword ptr [ebx+2C8]; TForm1.Edit2:TEdit
 0044A30C    call       TControl.GetText
; --- esi = StrToInt(input) ---
 0044A311    mov        eax,dword ptr [ebp-4]
 0044A314    call       StrToInt
 0044A319    mov        esi,eax
; --- edx:eax = StrToInt64(input), pushed as a 64-bit temporary ---
 0044A31B    mov        eax,dword ptr [ebp-4]
 0044A31E    call       StrToInt64
 0044A323    push       edx
 0044A324    push       eax
; --- edx:eax = sign-extended esi + temporary  (input + input) ---
 0044A325    mov        eax,esi
 0044A327    cdq
 0044A328    add        eax,dword ptr [esp]
 0044A32B    adc        edx,dword ptr [esp+4]
 0044A32F    add        esp,8
 0044A332    push       edx
 0044A333    push       eax
; --- same addition again: edx:eax = input + 2 * input ---
 0044A334    mov        eax,esi
 0044A336    cdq
 0044A337    add        eax,dword ptr [esp]
 0044A33A    adc        edx,dword ptr [esp+4]
 0044A33E    add        esp,8
; --- IntToHex: 64-bit value on the stack, eax = 6, edx = &[ebp-8] for the result ---
 0044A341    push       edx
 0044A342    push       eax
 0044A343    lea        edx,[ebp-8]
 0044A346    mov        eax,6
 0044A34B    call       IntToHex
; --- Edit3.Text = hex string ---
 0044A350    mov        edx,dword ptr [ebp-8]
 0044A353    mov        eax,dword ptr [ebx+2CC]; TForm1.Edit3:TEdit
 0044A359    call       TControl.SetText
; --- [ebp-0C] = Edit3.Text, kept on the stack across the next call ---
 0044A35E    lea        edx,[ebp-0C]
 0044A361    mov        eax,dword ptr [ebx+2CC]; TForm1.Edit3:TEdit
 0044A367    call       TControl.GetText
 0044A36C    mov        eax,dword ptr [ebp-0C]
 0044A36F    push       eax
; --- [ebp-10] = Label1.Text (the value the result is compared against) ---
 0044A370    lea        edx,[ebp-10]
 0044A373    mov        eax,dword ptr [ebx+2F0]; TForm1.Label1:TLabel
 0044A379    call       TControl.GetText
; --- compare: eax = Edit3 text, edx = Label1 text ---
 0044A37E    mov        edx,dword ptr [ebp-10]
 0044A381    pop        eax
 0044A382    call       @LStrCmp
>0044A387    jne        0044A398
; --- strings equal: Label2.SetVisible(1) ---
 0044A389    mov        dl,1
 0044A38B    mov        eax,dword ptr [ebx+2FC]; TForm1.Label2:TLabel
 0044A391    call       TControl.SetVisible
>0044A396    jmp        0044A3A9
; --- strings differ: Label6.Top = Label6.Top - 0A ---
 0044A398    mov        eax,dword ptr [ebx+2D4]; TForm1.Label6:TLabel
 0044A39E    mov        edx,dword ptr [eax+34]; TLabel.Top:Integer
 0044A3A1    sub        edx,0A
 0044A3A4    call       TControl.SetTop
; --- both paths: close the form once Label6.Top < 32 (signed compare) ---
 0044A3A9    mov        eax,dword ptr [ebx+2D4]; TForm1.Label6:TLabel
 0044A3AF    cmp        dword ptr [eax+34],32; TLabel.Top:Integer
>0044A3B3    jge        0044A3BC
 0044A3B5    mov        eax,ebx
 0044A3B7    call       TCustomForm.Close
; --- unlink the exception frame, then run the cleanup block; 44A3EB is pushed
;     so that the ret at 0044A3E3 continues at the epilogue ---
 0044A3BC    xor        eax,eax
 0044A3BE    pop        edx
 0044A3BF    pop        ecx
 0044A3C0    pop        ecx
 0044A3C1    mov        dword ptr fs:[eax],edx
 0044A3C4    push       44A3EB
; --- cleanup: clear the string locals, two at a time from [ebp-10] and [ebp-8] ---
 0044A3C9    lea        eax,[ebp-10]
 0044A3CC    mov        edx,2
 0044A3D1    call       @LStrArrayClr
 0044A3D6    lea        eax,[ebp-8]
 0044A3D9    mov        edx,2
 0044A3DE    call       @LStrArrayClr
 0044A3E3    ret
; --- exception path: handler address pushed at 0044A2F8; re-enters the cleanup block ---
<0044A3E4    jmp        @HandleFinally
<0044A3E9    jmp        0044A3C9
; --- epilogue ---
 0044A3EB    pop        esi
 0044A3EC    pop        ebx
 0044A3ED    mov        esp,ebp
 0044A3EF    pop        ebp
 0044A3F0    ret

分析算法

; Debugger view (address, raw bytes, instruction) of the same range 0044A30C-0044A382.
; The call targets are unnamed here; the names in the added comments are taken
; from the IDR listing of the same addresses. [LOCAL.n] is the debugger's name
; for the stack local at [ebp - 4*n] (LOCAL.1 = [ebp-4] ... LOCAL.4 = [ebp-10]).
; The 0x7b values in the author's comments look like a trial input of 123 -
; presumably what was typed while tracing.
0044A30C  |.  E8 FBA0FDFF   CALL 3.0042440C                          ;  name string
0044A311  |.  8B45 FC       MOV EAX,[LOCAL.1]
0044A314  |.  E8 EFD6FBFF   CALL 3.00407A08                          ;  strtoint
; esi keeps the 32-bit result of the conversion
0044A319  |.  8BF0          MOV ESI,EAX
0044A31B  |.  8B45 FC       MOV EAX,[LOCAL.1]
; StrToInt64 in the IDR listing; result returned in EDX:EAX
0044A31E  |.  E8 5DD7FBFF   CALL 3.00407A80
0044A323  |.  52            PUSH EDX
0044A324  |.  50            PUSH EAX
; first 64-bit add: sign-extended ESI + value on the stack
0044A325  |.  8BC6          MOV EAX,ESI
0044A327  |.  99            CDQ
0044A328  |.  030424        ADD EAX,DWORD PTR SS:[ESP]               ;  0x7b + 0x7b
0044A32B  |.  135424 04     ADC EDX,DWORD PTR SS:[ESP+4]
0044A32F  |.  83C4 08       ADD ESP,8
0044A332  |.  52            PUSH EDX
0044A333  |.  50            PUSH EAX
; second 64-bit add: the running sum is now 3 * input
0044A334  |.  8BC6          MOV EAX,ESI
0044A336  |.  99            CDQ
0044A337  |.  030424        ADD EAX,DWORD PTR SS:[ESP]               ;  0x7b + 0xf6
0044A33A  |.  135424 04     ADC EDX,DWORD PTR SS:[ESP+4]
0044A33E  |.  83C4 08       ADD ESP,8
; IntToHex call: 64-bit value pushed, EAX = 6, EDX = address of the result string
0044A341  |.  52            PUSH EDX                                 ; /Arg2
0044A342  |.  50            PUSH EAX                                 ; |Arg1
0044A343  |.  8D55 F8       LEA EDX,[LOCAL.2]                        ; |
0044A346  |.  B8 06000000   MOV EAX,6                                ; |
0044A34B  |.  E8 78D6FBFF   CALL 3.004079C8                          ; \int to hex
; TControl.SetText on [EBX+2CC] (Edit3 in the IDR listing) with the hex string
0044A350  |.  8B55 F8       MOV EDX,[LOCAL.2]
0044A353  |.  8B83 CC020000 MOV EAX,DWORD PTR DS:[EBX+2CC]
0044A359  |.  E8 DEA0FDFF   CALL 3.0042443C
; TControl.GetText on the same control; the text is pushed for the compare
0044A35E  |.  8D55 F4       LEA EDX,[LOCAL.3]
0044A361  |.  8B83 CC020000 MOV EAX,DWORD PTR DS:[EBX+2CC]
0044A367  |.  E8 A0A0FDFF   CALL 3.0042440C
0044A36C  |.  8B45 F4       MOV EAX,[LOCAL.3]
0044A36F  |.  50            PUSH EAX
; TControl.GetText on [EBX+2F0] (Label1 in the IDR listing): the expected string
0044A370  |.  8D55 F0       LEA EDX,[LOCAL.4]
0044A373  |.  8B83 F0020000 MOV EAX,DWORD PTR DS:[EBX+2F0]
0044A379  |.  E8 8EA0FDFF   CALL 3.0042440C
; EAX = computed hex string, EDX = expected string
0044A37E  |.  8B55 F0       MOV EDX,[LOCAL.4]
0044A381  |.  58            POP EAX
0044A382 >|.  E8 6198FBFF   CALL 3.00403BE8                          ;  strcmp

写出注册机。算法很简单:程序把输入的数字乘以3,转成十六进制字符串后与Label1的文本比较,所以把目标十六进制数(下面的0x3e74984b,应当就是Label1中的文本)除以3就得到注册码:

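# Inverts the check in Button1Click: the handler compares hex(3 * input)
# with a fixed string, so the accepted input is that value divided by 3.
# NOTE(review): '0x3e74984b' is presumably the Label1 text read from the
# form - confirm against the binary.
s = '0x3e74984b'

# The two statements were fused onto one line in the page, which is a syntax
# error. Floor division keeps the result an integer on Python 3 as well
# (on Python 2, int / int already floors), and print(...) with a single
# argument prints the same text on both versions.
serial = int(s, 16) // 3
print(serial)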

这里写图片描述
