MAC平台下的crackme两例分析

作者:creantan 小葡萄爸爸

工具列表:
Hopper disassembler(静态分析)
lldb (动态调试)

撸起:
先来个最简单的,直接用Hopper disassembler分析:
直接把第一个crackme拖到Hopper里面,看下左边窗口,看下这个crackme的Labels

很容易就找到这个methed实现methImpl_AppDelegate_checkifisok_
点击它看下汇编:

0x0000000100001110 55                              push       rbp
0x0000000100001111 4889E5                          mov        rbp, rsp
0x0000000100001114 4883EC70                        sub        rsp, 0x70
0x0000000100001118 488D0551180000                  lea        rax, qword [ds:cfstring_Length_of_the_serial_string_is___lx] ; @"Length of the serial string is: %lx"
0x000000010000111f 488D0DBA160000                  lea        rcx, qword [ds:objc_msg_length] ; @selector(length)
0x0000000100001126 4C8D0523180000                  lea        r8, qword [ds:cfstring_Length_of_the_name_string_is___lx] ; @"Length of the name string is: %lx"
0x000000010000112d 4C8D0DFC170000                  lea        r9, qword [ds:cfstring_uh_] ; @"uh?"
0x0000000100001134 48897DF8                        mov        qword [ss:rbp-0x70+var_104], rdi
0x0000000100001138 488975F0                        mov        qword [ss:rbp-0x70+var_96], rsi
0x000000010000113c 488955E8                        mov        qword [ss:rbp-0x70+var_88], rdx
0x0000000100001140 4C89CF                          mov        rdi, r9
0x0000000100001143 488945B0                        mov        qword [ss:rbp-0x70+var_32], rax
0x0000000100001147 B000                            mov        al, 0x0
0x0000000100001149 4C8945A8                        mov        qword [ss:rbp-0x70+var_24], r8
0x000000010000114d 48894DA0                        mov        qword [ss:rbp-0x70+var_16], rcx
0x0000000100001151 E8C6030000                      call       imp___stubs__NSLog
0x0000000100001156 488B4DF8                        mov        rcx, qword [ss:rbp-0x70+var_104]
0x000000010000115a 488B152F190000                  mov        rdx, qword [ds:0x100002a90]
0x0000000100001161 488B0C11                        mov        rcx, qword [ds:rcx+rdx]
0x0000000100001165 488B350C160000                  mov        rsi, qword [ds:objc_sel_stringValue] ; @selector(stringValue)
0x000000010000116c 4889CF                          mov        rdi, rcx
0x000000010000116f E8B4030000                      call       imp___stubs__objc_msgSend
0x0000000100001174 488945E0                        mov        qword [ss:rbp-0x70+var_80], rax
0x0000000100001178 488B45E0                        mov        rax, qword [ss:rbp-0x70+var_80]
0x000000010000117c 4889C7                          mov        rdi, rax
0x000000010000117f 488B75A0                        mov        rsi, qword [ss:rbp-0x70+var_16]
0x0000000100001183 FF1557160000                    call       qword [ds:objc_msg_length]  ; @selector(length)
0x0000000100001189 488945D8                        mov        qword [ss:rbp-0x70+var_72], rax
0x000000010000118d 488B75D8                        mov        rsi, qword [ss:rbp-0x70+var_72]
0x0000000100001191 488B7DA8                        mov        rdi, qword [ss:rbp-0x70+var_24]
0x0000000100001195 B000                            mov        al, 0x0
0x0000000100001197 E880030000                      call       imp___stubs__NSLog
0x000000010000119c 488B4DF8                        mov        rcx, qword [ss:rbp-0x70+var_104]
0x00000001000011a0 488B15F1180000                  mov        rdx, qword [ds:0x100002a98]
0x00000001000011a7 488B0C11                        mov        rcx, qword [ds:rcx+rdx]
0x00000001000011ab 488B35C6150000                  mov        rsi, qword [ds:objc_sel_stringValue] ; @selector(stringValue)
0x00000001000011b2 4889CF                          mov        rdi, rcx
0x00000001000011b5 E86E030000                      call       imp___stubs__objc_msgSend
0x00000001000011ba 488945D0                        mov        qword [ss:rbp-0x70+var_64], rax
0x00000001000011be 488B45D0                        mov        rax, qword [ss:rbp-0x70+var_64]
0x00000001000011c2 4889C7                          mov        rdi, rax
0x00000001000011c5 488B75A0                        mov        rsi, qword [ss:rbp-0x70+var_16]
0x00000001000011c9 FF1511160000                    call       qword [ds:objc_msg_length]  ; @selector(length)
0x00000001000011cf 488945C8                        mov        qword [ss:rbp-0x70+var_56], rax
0x00000001000011d3 488B75C8                        mov        rsi, qword [ss:rbp-0x70+var_56]
0x00000001000011d7 488B7DB0                        mov        rdi, qword [ss:rbp-0x70+var_32]
0x00000001000011db B000                            mov        al, 0x0
0x00000001000011dd E83A030000                      call       imp___stubs__NSLog
0x00000001000011e2 48817DC80A000000                cmp        qword [ss:rbp-0x70+var_56], 0xa
0x00000001000011ea 0F86BF000000                    jbe        0x1000012af     //判断密码长度是否大于10
                                       ; Basic Block Input Regs: rbp -  Killed Regs: 
0x00000001000011f0 48817DC80F000000                cmp        qword [ss:rbp-0x70+var_56], 0xf
0x00000001000011f8 0F83B1000000                    jnc        0x1000012af //判断密码长度是否小于15
                                       ; Basic Block Input Regs: rbp -  Killed Regs: 
0x00000001000011fe 48817DD807000000                cmp        qword [ss:rbp-0x70+var_72], 0x7
0x0000000100001206 0F86A3000000                    jbe        0x1000012af   //判断用户名长度是否大于7
                                       ; Basic Block Input Regs: rbp -  Killed Regs: 
0x000000010000120c 48817DD80F000000                cmp        qword [ss:rbp-0x70+var_72], 0xf
0x0000000100001214 0F8395000000                    jnc        0x1000012af   // 判断用户名长度是否小于15
                                       ; Basic Block Input Regs:  -  Killed Regs: rax rcx rdx rbp rsi rdi
0x000000010000121a 488D05CF150000                  lea        rax, qword [ds:objc_msg_isEqualToString_] ; @selector(isEqualToString:)
0x0000000100001221 488D0D68170000                  lea        rcx, qword [ds:cfstring_]   ; @""
0x0000000100001228 488B15D9150000                  mov        rdx, qword [ds:bind__OBJC_CLASS_$_NSCharacterSet]
0x000000010000122f 488B354A150000                  mov        rsi, qword [ds:objc_sel_alphanumericCharacterSet] ; @selector(alphanumericCharacterSet)
0x0000000100001236 4889D7                          mov        rdi, rdx
0x0000000100001239 48894598                        mov        qword [ss:rbp-0x70+var_8], rax
0x000000010000123d 48894D90                        mov        qword [ss:rbp-0x70+var_0], rcx
0x0000000100001241 E8E2020000                      call       imp___stubs__objc_msgSend     //获取字母和数字集合 NSCharacterSet *alphanumericSet = [ NSCharacterSetalphanumericCharacterSet ];
0x0000000100001246 488945C0                        mov        qword [ss:rbp-0x70+var_48], rax
0x000000010000124a 488B45D0                        mov        rax, qword [ss:rbp-0x70+var_64]
0x000000010000124e 488B55C0                        mov        rdx, qword [ss:rbp-0x70+var_48]
0x0000000100001252 488B352F150000                  mov        rsi, qword [ds:objc_sel_stringByTrimmingCharactersInSet_] ; @selector(stringByTrimmingCharactersInSet:)
0x0000000100001259 4889C7                          mov        rdi, rax
0x000000010000125c E8C7020000                      call       imp___stubs__objc_msgSend  //格式化密码,去除密码中含alphanumericSet中的字符 NSString *trimmedString = [passwdString stringByTrimmingCharactersInSet:alphanumericSet];
0x0000000100001261 4889C7                          mov        rdi, rax
0x0000000100001264 488B7598                        mov        rsi, qword [ss:rbp-0x70+var_8]
0x0000000100001268 488B5590                        mov        rdx, qword [ss:rbp-0x70+var_0]
0x000000010000126c FF157E150000                    call       qword [ds:objc_msg_isEqualToString_] ; @selector(isEqualToString:)//判断trimmedString是否和@“”空串相等
0x0000000100001272 8845BF                          mov        byte [ss:rbp-0x70+var_47], al
0x0000000100001275 807DBF00                        cmp        byte [ss:rbp-0x70+var_47], 0x0
0x0000000100001279 0F8418000000                    je         0x100001297   //不等则显示错误
                                       ; Basic Block Input Regs: rbp -  Killed Regs: rax rsi rdi
0x000000010000127f 488B45F8                        mov        rax, qword [ss:rbp-0x70+var_104]
0x0000000100001283 488B3506150000                  mov        rsi, qword [ds:objc_sel_yes] ; @selector(yes)
0x000000010000128a 4889C7                          mov        rdi, rax
0x000000010000128d E896020000                      call       imp___stubs__objc_msgSend
0x0000000100001292 E913000000                      jmp        0x1000012aa
                                       ; Basic Block Input Regs: rbp -  Killed Regs: rax rsi rdi
0x0000000100001297 488B45F8                        mov        rax, qword [ss:rbp-0x70+var_104] ; XREF=0x100001279
0x000000010000129b 488B35F6140000                  mov        rsi, qword [ds:objc_sel_no] ; @selector(no)
0x00000001000012a2 4889C7                          mov        rdi, rax
0x00000001000012a5 E87E020000                      call       imp___stubs__objc_msgSend
                                       ; Basic Block Input Regs:  -  Killed Regs: 
0x00000001000012aa E913000000                      jmp        0x1000012c2                ; XREF=0x100001292
                                       ; Basic Block Input Regs: rbp -  Killed Regs: rax rsi rdi
0x00000001000012af 488B45F8                        mov        rax, qword [ss:rbp-0x70+var_104] ; XREF=0x1000011ea, 0x1000011f8, 0x100001206, 0x100001214
0x00000001000012b3 488B35DE140000                  mov        rsi, qword [ds:objc_sel_no] ; @selector(no)
0x00000001000012ba 4889C7                          mov        rdi, rax
0x00000001000012bd E866020000                      call       imp___stubs__objc_msgSend
                                       ; Basic Block Input Regs:  -  Killed Regs: rsp rbp
0x00000001000012c2 4883C470                        add        rsp, 0x70                  ; XREF=0x1000012aa
0x00000001000012c6 5D                              pop        rbp
0x00000001000012c7 C3                              ret       

复原代码如下:

/**
 *  用户名密码验证
 *  用户名密码长度验证,密码字母和数字验证,密码只能包含数字和字母
 *  @return 返回YES or NO
 */
-(BOOL)checkifisok{
    NSString* name = [nameTextField text];
    NSString* serial = [serialTextField text];
    int nameLength = [name length];
    int serialLength = [serial length];
    if(serialLength > 10 && serialLength < 15){
        if(nameLength > 7 && nameLength < 15){
            NSCharacterSet *alphanumericSet = [NSCharacterSet alphanumericCharacterSet];
            NSString *trimmedString = [serial stringByTrimmingCharactersInSet:alphanumericSet];
            if([trimmedString isEqualToString:@""]){
                returnYES;
            }
        }else{
            returnNO
        }
    }else{
        returnNO;
    }
}

第二个使用lldb动态调试:

lldb crackme2.app
r
ctl+c
br s -a 0x2a9e
0x00002a9e 55                              push      ebp
0x00002a9f 89E5                            mov       ebp,esp
0x00002aa1 57                              push      edi
0x00002aa2 56                              push      esi
0x00002aa3 53                              push      ebx
0x00002aa4 83EC3C                          sub       esp,0x3c
0x00002aa7 A140400000                      mov       eax, dword [ds:objc_msg_length]    ; @selector(length)
0x00002aac 89442404                        mov        dword [ss:esp+0x4],eax
0x00002ab0 8B4510                          mov       eax, dword [ss:ebp-0x48+arg_8]
0x00002ab3 890424                          mov        dword [ss:esp],eax
0x00002ab6 E8A3250000                      call       imp___jump_table__objc_msgSend
0x00002abb 83F808                          cmp        eax,0x8   //判断注册码长度是否为8位
0x00002abe 0F858A010000                    jne       0x2c4e  //不等跳往错误提示
                                       ; Basic Block Input Regs: ecx ebx ebp -  Killed Regs: eax ecx ebx esp ebp esi edi
0x00002ac4 A144400000                      mov       eax, dword [ds:objc_msg_lossyCString]; @selector(lossyCString)
0x00002ac9 BE04000000                      mov       esi,0x4   //esi初始化为4
0x00002ace 31DB                            xor       ebx,ebx
0x00002ad0 89442404                        mov        dword [ss:esp+0x4],eax
0x00002ad4 8B4514                          mov       eax, dword [ss:ebp-0x48+arg_C]
0x00002ad7 890424                          mov        dword [ss:esp],eax
0x00002ada E87F250000                      call       imp___jump_table__objc_msgSend
0x00002adf 890424                          mov        dword [ss:esp],eax
0x00002ae2 89C7                            mov       edi,eax
0x00002ae4 E87A250000                      call       imp___jump_table__strlen
0x00002ae9 31C9                            xor       ecx,ecx
0x00002aeb 8945D0                          mov        dword [ss:ebp-0x48+var_24],eax
0x00002aee EB37                            jmp       0x2b27
                                       ; Basic Block Input Regs: ebx esi edi -  Killed Regs: eax ecx edx ebx ebp esi
0x00002af0 0FBE041F                        movsx     eax, byte [ds:edi+ebx]             ; XREF=0x2b2a   //取用户名的一个字符
0x00002af4 43                              inc       ebx  //循环累加器
0x00002af5 0FAFC6                          imul      eax,esi  //取出来的字符与esi相乘
0x00002af8 83C604                          add       esi,0x4  //esi+4
0x00002afb 89C2                            mov       edx,eax
0x00002afd C1E204                          shl       edx,0x4  //edx << 0x4
0x00002b00 29C2                            sub       edx,eax
0x00002b02 B8AD8BDB68                      mov       eax,0x68db8bad
0x00002b07 8D8C0A9A020000                  lea       ecx, dword [ds:edx+ecx+0x29a]
0x00002b0e F7E9                            imul      ecx
0x00002b10 89C8                            mov       eax,ecx
0x00002b12 C1F81F                          sar       eax,0x1f
0x00002b15 C1FA0C                          sar       edx,0xc
0x00002b18 29C2                            sub       edx,eax
0x00002b1a 89C8                            mov       eax,ecx
0x00002b1c 69D210270000                    imul      edx,edx,0x2710
0x00002b22 29D0                            sub       eax,edx
0x00002b24 8945E0                          mov        dword [ss:ebp-0x48+var_40],eax
                                       ; Basic Block Input Regs: ebx ebp -  Killed Regs: 
0x00002b27 395DD0                          cmp        dword [ss:ebp-0x48+var_24],ebx   ; XREF=0x2aee
0x00002b2a 77C4                            jnbe      0x2af0
                                       ; Basic Block Input Regs: ecx ebx ebp edi -  Killed Regs: eax ecx ebx esp ebp esi
0x00002b2c 8B45E0                          mov       eax, dword [ss:ebp-0x48+var_40]
0x00002b2f BE04000000                      mov       esi,0x4
0x00002b34 31DB                            xor       ebx,ebx
0x00002b36 C744240878300000                mov        dword [ss:esp+0x8],0x3078         ; @"%i"
0x00002b3e 8944240C                        mov        dword [ss:esp+0xc],eax
0x00002b42 A128400000                      mov       eax, dword [ds:objc_msg_stringWithFormat_]; @selector(stringWithFormat:)
0x00002b47 89442404                        mov        dword [ss:esp+0x4],eax
0x00002b4b A154400000                      mov       eax, dword [ds:cls_NSString]
0x00002b50 890424                          mov        dword [ss:esp],eax
0x00002b53 E806250000                      call       imp___jump_table__objc_msgSend   //将结果格式化为NSString
0x00002b58 893C24                          mov        dword [ss:esp],edi
0x00002b5b 8945D8                          mov        dword [ss:ebp-0x48+var_32],eax
0x00002b5e E800250000                      call       imp___jump_table__strlen
0x00002b63 31C9                            xor       ecx,ecx
0x00002b65 8945D4                          mov        dword [ss:ebp-0x48+var_28],eax
0x00002b68 EB32                            jmp       0x2b9c
                                       ; Basic Block Input Regs: ebx esi edi -  Killed Regs: eax ecx edx ebx ebp esi
0x00002b6a 0FBE041F                        movsx     eax, byte [ds:edi+ebx]             ; XREF=0x2b9f
0x00002b6e 43                              inc       ebx
0x00002b6f 0FAFC6                          imul      eax,esi
0x00002b72 83C608                          add       esi,0x8
0x00002b75 8D1480                          lea       edx, dword [ds:eax+eax*4]
0x00002b78 8D54502D                        lea       edx, dword [ds:eax+edx*2+0x2d]
0x00002b7c B8AD8BDB68                      mov       eax,0x68db8bad
0x00002b81 01D1                            add       ecx,edx
0x00002b83 F7E9                            imul      ecx
0x00002b85 89C8                            mov       eax,ecx
0x00002b87 C1F81F                          sar       eax,0x1f
0x00002b8a C1FA0C                          sar       edx,0xc
0x00002b8d 29C2                            sub       edx,eax
0x00002b8f 89C8                            mov       eax,ecx
0x00002b91 69D210270000                    imul      edx,edx,0x2710
0x00002b97 29D0                            sub       eax,edx
0x00002b99 8945E4                          mov        dword [ss:ebp-0x48+var_44],eax
                                       ; Basic Block Input Regs: ebx ebp -  Killed Regs: 
0x00002b9c 3B5DD4                          cmp       ebx, dword [ss:ebp-0x48+var_28]    ; XREF=0x2b68
0x00002b9f 72C9                            jc        0x2b6a
                                       ; Basic Block Input Regs: ebx ebp -  Killed Regs: eax ebx esp ebp esi edi
0x00002ba1 8B45E4                          mov       eax, dword [ss:ebp-0x48+var_44]
0x00002ba4 BE04000000                      mov       esi,0x4
0x00002ba9 31DB                            xor       ebx,ebx
0x00002bab C744240878300000                mov        dword [ss:esp+0x8],0x3078         ; @"%i"
0x00002bb3 BF04000000                      mov       edi,0x4
0x00002bb8 8944240C                        mov        dword [ss:esp+0xc],eax
0x00002bbc A128400000                      mov       eax, dword [ds:objc_msg_stringWithFormat_]; @selector(stringWithFormat:)
0x00002bc1 89442404                        mov        dword [ss:esp+0x4],eax
0x00002bc5 A154400000                      mov       eax, dword [ds:cls_NSString]
0x00002bca 890424                          mov        dword [ss:esp],eax
0x00002bcd E88C240000                      call       imp___jump_table__objc_msgSend //将结果格式化为NSString
0x00002bd2 895C2408                        mov        dword [ss:esp+0x8],ebx
0x00002bd6 8974240C                        mov        dword [ss:esp+0xc],esi
0x00002bda 8945DC                          mov        dword [ss:ebp-0x48+var_36],eax
0x00002bdd A148400000                      mov       eax, dword [ds:objc_msg_substringWithRange_]; @selector(substringWithRange:)
0x00002be2 89442404                        mov        dword [ss:esp+0x4],eax
0x00002be6 8B4510                          mov       eax, dword [ss:ebp-0x48+arg_8]
0x00002be9 890424                          mov        dword [ss:esp],eax
0x00002bec E86D240000                      call       imp___jump_table__objc_msgSend //截取密码前4位验证
0x00002bf1 89742408                        mov        dword [ss:esp+0x8],esi
0x00002bf5 897C240C                        mov        dword [ss:esp+0xc],edi
0x00002bf9 89C3                            mov       ebx,eax
0x00002bfb A148400000                      mov       eax, dword [ds:objc_msg_substringWithRange_]; @selector(substringWithRange:)
0x00002c00 89442404                        mov        dword [ss:esp+0x4],eax
0x00002c04 8B4510                          mov       eax, dword [ss:ebp-0x48+arg_8]
0x00002c07 890424                          mov        dword [ss:esp],eax
0x00002c0a E84F240000                      call       imp___jump_table__objc_msgSend//截取密码后4位验证
0x00002c0f 891C24                          mov        dword [ss:esp],ebx
0x00002c12 89C6                            mov       esi,eax
0x00002c14 8B45D8                          mov       eax, dword [ss:ebp-0x48+var_32]
0x00002c17 89442408                        mov        dword [ss:esp+0x8],eax
0x00002c1b A108400000                      mov       eax, dword [ds:objc_msg_isEqual_]  ; @selector(isEqual:)
0x00002c20 89442404                        mov        dword [ss:esp+0x4],eax
0x00002c24 E835240000                      call       imp___jump_table__objc_msgSend //判断是否相等
0x00002c29 84C0                            test      al,al
0x00002c2b 7421                            je        0x2c4e
                                       ; Basic Block Input Regs: ebp esi -  Killed Regs: eax edx esp
0x00002c2d 8B45DC                          mov       eax, dword [ss:ebp-0x48+var_36]
0x00002c30 893424                          mov        dword [ss:esp],esi
0x00002c33 89442408                        mov        dword [ss:esp+0x8],eax
0x00002c37 A108400000                      mov       eax, dword [ds:objc_msg_isEqual_]  ; @selector(isEqual:)
0x00002c3c 89442404                        mov        dword [ss:esp+0x4],eax
0x00002c40 E819240000                      call       imp___jump_table__objc_msgSend//判断是否相等
0x00002c45 BA01000000                      mov       edx,0x1
0x00002c4a 84C0                            test      al,al
0x00002c4c 7502                            jne       0x2c50
                                       ; Basic Block Input Regs: edx -  Killed Regs: edx
0x00002c4e 31D2                            xor       edx,edx                           ; XREF=0x2abe, 0x2c2b
                                       ; Basic Block Input Regs: edx -  Killed Regs: eax ebx esp esi edi
0x00002c50 83C43C                          add       esp,0x3c                         ; XREF=0x2c4c
0x00002c53 89D0                            mov       eax,edx
0x00002c55 5B                              pop       ebx
0x00002c56 5E                              pop       esi
0x00002c57 5F                              pop       edi
0x00002c58 C9                              leave     
0x00002c59 C3                              ret       

keygen代码如下:

int main(int argc, constchar * argv[]) {
    @autoreleasepool {
       
        unsignedlong nameLength = strlen(argv[1]);
        constchar* index = argv[1];
        unsignedint eax = 0;
        int ecx=0,edx=0,esi = 4;
        int serial_1=0;
        long constValue =  0x68db8bad;
        for (int i = 0; i> 32;
            serial_1 = ecx - ((edx >> 0xc)-(ecx >> 0x1f)) * 0x2710;
            index++;
           
        }
        int serial_2=0;
        index = argv[1];
        eax = 0,ecx=0,edx=0,esi = 4;
       
        for (int i = 0; i> 32;
            serial_2 = ecx - ((edx >> 0xc) - (ecx >> 0x1f)) * 0x2710;
            index++;
        }
        NSLog(@"\nname:%s\nserial:%d%d",argv[1],serial_1,serial_2);
    }
    return0;
}

你可能感兴趣的:(MAC平台下的crackme两例分析)