160个练手CrackMe-007
1、无壳,Delphi编写。
2、Dark查看事件。
3、OD载入,目标是让按钮消失。
首先分析Register按钮事件。
00442F28 /. 55 push ebp ; RegisterzClick
00442F29 |. 8BEC mov ebp,esp
00442F2B |. 83C4 F8 add esp,-0x8
00442F2E |. 53 push ebx
00442F2F |. 56 push esi
00442F30 |. 33C9 xor ecx,ecx
00442F32 |. 894D F8 mov [local.2],ecx
00442F35 |. 8BD8 mov ebx,eax
00442F37 |. 33C0 xor eax,eax
00442F39 |. 55 push ebp
00442F3A |. 68 22304400 push aLoNg3x_.00443022
00442F3F |. 64:FF30 push dword ptr fs:[eax]
00442F42 |. 64:8920 mov dword ptr fs:[eax],esp
00442F45 |. 8D55 F8 lea edx,[local.2]
00442F48 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F4E |. E8 ED02FEFF call aLoNg3x_.00423240
00442F53 |. 8B45 F8 mov eax,[local.2]
00442F56 |. 8D55 FC lea edx,[local.1]
00442F59 |. E8 FAF9FBFF call aLoNg3x_.00402958
00442F5E |. 8BF0 mov esi,eax
00442F60 |. 837D FC 00 cmp [local.1],0x0
00442F64 |. 74 37 je XaLoNg3x_.00442F9D
00442F66 |. B8 38304400 mov eax,aLoNg3x_.00443038 ; ASCII "You MUST insert a valid Long Integer Value in the Code Editor... Thank you :)"
00442F6B |. E8 00F6FFFF call aLoNg3x_.00442570
00442F70 |. 8D55 F8 lea edx,[local.2]
00442F73 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F79 |. E8 C202FEFF call aLoNg3x_.00423240
00442F7E |. 8B45 F8 mov eax,[local.2]
00442F81 |. E8 06FBFFFF call aLoNg3x_.00442A8C ; Proc_1
00442F86 |. A3 30584400 mov dword ptr ds:[0x445830],eax ; ?
00442F8B |. BA 90304400 mov edx,aLoNg3x_.00443090
00442F90 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F96 |. E8 D502FEFF call aLoNg3x_.00423270
00442F9B |. EB 6F jmp XaLoNg3x_.0044300C
00442F9D |> 85F6 test esi,esi
00442F9F |. 7E 5A jle XaLoNg3x_.00442FFB
00442FA1 |. 8D55 F8 lea edx,[local.2]
00442FA4 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]
00442FAA |. E8 9102FEFF call aLoNg3x_.00423240
00442FAF |. 8B4D F8 mov ecx,[local.2] ; name
00442FB2 |. 8BD6 mov edx,esi ; int(codice)
00442FB4 |. A1 30584400 mov eax,dword ptr ds:[0x445830]
00442FB9 |. E8 EAF9FFFF call aLoNg3x_.004429A8 ; 判断函数
00442FBE |. 84C0 test al,al
00442FC0 |. 74 30 je XaLoNg3x_.00442FF2 ; 爆破点
00442FC2 |. 33D2 xor edx,edx
00442FC4 |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442FCA |. E8 6101FEFF call aLoNg3x_.00423130
00442FCF |. B2 01 mov dl,0x1
00442FD1 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+0x2E8]
00442FD7 |. E8 5401FEFF call aLoNg3x_.00423130
00442FDC |. 33D2 xor edx,edx
00442FDE |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]
00442FE4 |. 8B08 mov ecx,dword ptr ds:[eax]
00442FE6 |. FF51 60 call dword ptr ds:[ecx+0x60]
00442FE9 |. 33C0 xor eax,eax
00442FEB |. A3 30584400 mov dword ptr ds:[0x445830],eax ; 0
00442FF0 |. EB 1A jmp XaLoNg3x_.0044300C
00442FF2 |> 33C0 xor eax,eax
00442FF4 |. A3 30584400 mov dword ptr ds:[0x445830],eax ; 0
00442FF9 |. EB 11 jmp XaLoNg3x_.0044300C
00442FFB |> B8 9C304400 mov eax,aLoNg3x_.0044309C ; ASCII "Please... The Code Must be > 0"
00443000 |. E8 6BF5FFFF call aLoNg3x_.00442570
00443005 |. 33C0 xor eax,eax
00443007 |. A3 30584400 mov dword ptr ds:[0x445830],eax ; 0
0044300C |> 33C0 xor eax,eax
0044300E |. 5A pop edx
0044300F |. 59 pop ecx
00443010 |. 59 pop ecx
00443011 |. 64:8910 mov dword ptr fs:[eax],edx
00443014 |. 68 29304400 push aLoNg3x_.00443029
00443019 |> 8D45 F8 lea eax,[local.2]
0044301C |. E8 9707FCFF call aLoNg3x_.004037B8
00443021 \. C3 retn
其原型大概是:
int Regist_judge(int codice, char *name){
int len, sum = 0;
int i, j, tmp;
len = strlen(name);
if(len > 4){
for(i=0; i
在地址 00442FB4 |. A1 30584400 mov eax,dword ptr ds:[0x445830] 处右击查找参考。
发现两条有用的赋值操作。双击第一个跟进去。
00442F59 |. E8 FAF9FBFF call aLoNg3x_.00402958 ; 判断是否为数值
00442F5E |. 8BF0 mov esi,eax
00442F60 |. 837D FC 00 cmp [local.1],0x0
00442F64 |. 74 37 je XaLoNg3x_.00442F9D ; 跳转
00442F66 |. B8 38304400 mov eax,aLoNg3x_.00443038 ; ASCII "You MUST insert a valid Long Integer Value in the Code Editor... Thank you :)"
00442F6B |. E8 00F6FFFF call aLoNg3x_.00442570
00442F70 |. 8D55 F8 lea edx,[local.2]
00442F73 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F79 |. E8 C202FEFF call aLoNg3x_.00423240
00442F7E |. 8B45 F8 mov eax,[local.2]
00442F81 |. E8 06FBFFFF call aLoNg3x_.00442A8C ; Proc_1
00442F86 |. A3 30584400 mov dword ptr ds:[0x445830],eax ; 赋值
00442F8B |. BA 90304400 mov edx,aLoNg3x_.00443090
00442F90 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F96 |. E8 D502FEFF call aLoNg3x_.00423270
00442F9B |. EB 6F jmp XaLoNg3x_.0044300C
而赋值的值是Proc_1的返回值。
分析Proc_1:
00442A8C /$ 55 push ebp ; Proc_1
00442A8D |. 8BEC mov ebp,esp
00442A8F |. 51 push ecx
00442A90 |. 53 push ebx
00442A91 |. 56 push esi
00442A92 |. 57 push edi
00442A93 |. 8945 FC mov [local.1],eax
00442A96 |. 8B45 FC mov eax,[local.1]
00442A99 |. E8 4A11FCFF call aLoNg3x_.00403BE8
00442A9E |. 33C0 xor eax,eax
00442AA0 |. 55 push ebp
00442AA1 |. 68 212B4400 push aLoNg3x_.00442B21
00442AA6 |. 64:FF30 push dword ptr fs:[eax]
00442AA9 |. 64:8920 mov dword ptr fs:[eax],esp
00442AAC |. 8B45 FC mov eax,[local.1]
00442AAF |. E8 800FFCFF call aLoNg3x_.00403A34 ; strlen(codice)
00442AB4 |. 83F8 05 cmp eax,0x5 ; len 要大于5
00442AB7 |. 7E 3D jle XaLoNg3x_.00442AF6
00442AB9 |. BE 7B030000 mov esi,0x37B ; sum = 0x37B
00442ABE |. 8B45 FC mov eax,[local.1]
00442AC1 |. E8 6E0FFCFF call aLoNg3x_.00403A34 ; strlen()
00442AC6 |. 8BD8 mov ebx,eax
00442AC8 |. 4B dec ebx
00442AC9 |. 85DB test ebx,ebx
00442ACB |. 7E 2B jle XaLoNg3x_.00442AF8
00442ACD |. B9 01000000 mov ecx,0x1
00442AD2 |> 8B45 FC /mov eax,[local.1]
00442AD5 |. 0FB60408 |movzx eax,byte ptr ds:[eax+ecx] ; 循环 sum += codice[i] * (codice[i+1] % 17 +1);
00442AD9 |. BF 11000000 |mov edi,0x11
00442ADE |. 33D2 |xor edx,edx
00442AE0 |. F7F7 |div edi
00442AE2 |. 42 |inc edx
00442AE3 |. 8B45 FC |mov eax,[local.1]
00442AE6 |. 0FB64408 FF |movzx eax,byte ptr ds:[eax+ecx-0x1]
00442AEB |. 0FAFD0 |imul edx,eax
00442AEE |. 03F2 |add esi,edx
00442AF0 |. 41 |inc ecx
00442AF1 |. 4B |dec ebx
00442AF2 |.^ 75 DE \jnz XaLoNg3x_.00442AD2
00442AF4 |. EB 02 jmp XaLoNg3x_.00442AF8
00442AF6 |> 33F6 xor esi,esi
00442AF8 |> 8BC6 mov eax,esi
00442AFA |. B9 48710000 mov ecx,0x7148
00442AFF |. 99 cdq
00442B00 |. F7F9 idiv ecx
00442B02 |. 8BC2 mov eax,edx
00442B04 |. 99 cdq
00442B05 |. 33C2 xor eax,edx
00442B07 |. 2BC2 sub eax,edx
00442B09 |. 8BD8 mov ebx,eax
00442B0B |. 33C0 xor eax,eax
00442B0D |. 5A pop edx
00442B0E |. 59 pop ecx
00442B0F |. 59 pop ecx
00442B10 |. 64:8910 mov dword ptr fs:[eax],edx
00442B13 |. 68 282B4400 push aLoNg3x_.00442B28
00442B18 |> 8D45 FC lea eax,[local.1]
00442B1B |. E8 980CFCFF call aLoNg3x_.004037B8
00442B20 \. C3 retn
00442B21 .^ E9 5207FCFF jmp aLoNg3x_.00403278
00442B26 .^ EB F0 jmp XaLoNg3x_.00442B18
00442B28 . 8BC3 mov eax,ebx ; 返回值 sum%0x7148
00442B2A . 5F pop edi
00442B2B . 5E pop esi
00442B2C . 5B pop ebx
00442B2D . 59 pop ecx
00442B2E . 5D pop ebp
00442B2F . C3 retn
int proc_1(char *codice){
int len, sum = 891;
int i, j, tmp;
len = strlen(codice);
if(len > 5){
for(i=0; i7104
}
即要满足 codice % 80 + codice / 89 + 1 == 297702 按钮就会消失。
没找到数学关系,爆破流走起。
for i in range(26495000, 26500000):
if i % 80 + i // 89 == 297701:
print(i)
break
小结:
Register消失的流程:
1.Codice编辑框输入长度大于5的非纯数字。
2.点击Register按钮,弹出信息框。此时便修改了 [0x445830]。
3.按Regist_judge()计算正确的Codice,输入,点击按钮,按钮消失。
测试:
name输入 “123456”,Codice先输入“abcdef”,点击按钮,再把Codice修改为“26495044”。按钮消失。出现了新按钮。
再来分析again按钮事件。
和Register一样的操作。重复一遍。
两个按钮都消失了。标题也改了。
4、注册机
import random
name = input('Name:')
cat = input('输入长度大于5的非全数值字串:')
codice = None
sum = 891
for i in range(len(cat)-1):
sum += ord(cat[i]) * (ord(cat[i+1]) % 17 +1)
key = sum % 0x7148
sum = 0
for i in range(len(name)):
for j in range(len(name)):
sum += key * ord(name[i]) * ord(name[j])
sum %= 666666
# print(sum)
l =[]
for i in range((sum - 1 - 0) * 89, (sum - 1 - 81) * 89, -1):
# print(i)
if i % 80 + i // 89 == sum - 1:
l.append(i)
print('注册流程:',
'Name编辑框输入:%s' % name,
'Codice编辑框输入:%s' % cat,
'点击按钮后把Codice编辑框内容修改为:%s' % l[random.randint(0, len(l))],sep='\n')
结束,不足之处望指点。