160个CrackMe 0x05 ajj_2

0x05 ajj_2

发现加了UPX壳,先脱壳,脱壳后继续分析。

D:\Tools\Security_Tools\010\upx-3.95-win64\upx-3.95-win64>upx.exe -d CKme002.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2018
UPX 3.95w       Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    458752 <-    146432   31.92%    win32/pe     CKme002.exe

Unpacked 1 file.

这道题好像看起来有点复杂,从看雪工具包中下载Delphi的反汇编工具:DeDe

分析文件看到如下事件:

160个CrackMe 0x05 ajj_2_第1张图片

分别查看这些事件的代码,在Timer2Timer中看到如下代码:

004473E4   53                     push    ebx
004473E5   8BD8                   mov     ebx, eax
004473E7   81BB04030000340C0000   cmp     dword ptr [ebx+$0304], $00000C34
004473F1   0F8488000000           jz      0044747F
004473F7   81BB080300000D230000   cmp     dword ptr [ebx+$0308], $0000230D
00447401   747C                   jz      0044747F
00447403   81BB10030000940F0000   cmp     dword ptr [ebx+$0310], $00000F94
0044740D   7570                   jnz     0044747F
0044740F   8B8318030000           mov     eax, [ebx+$0318]
00447415   3B8314030000           cmp     eax, [ebx+$0314]
0044741B   7562                   jnz     0044747F
0044741D   81BB1C030000E7030000   cmp     dword ptr [ebx+$031C], $000003E7
00447427   7456                   jz      0044747F
00447429   33D2                   xor     edx, edx

修改跳转逻辑之后可以看到注册成功的界面:

160个CrackMe 0x05 ajj_2_第2张图片

你可能感兴趣的:(Windows安全)