1. Not packed; written in Delphi.
2. Look at the event handlers with Dark (the Delphi decompiler).
3. Load it in OD (OllyDbg). The goal is to make the buttons disappear.
First, analyse the Register button's click handler.
00442F28 /. 55 push ebp ; RegisterzClick
00442F29 |. 8BEC mov ebp,esp
00442F2B |. 83C4 F8 add esp,-0x8
00442F2E |. 53 push ebx
00442F2F |. 56 push esi
00442F30 |. 33C9 xor ecx,ecx
00442F32 |. 894D F8 mov [local.2],ecx
00442F35 |. 8BD8 mov ebx,eax
00442F37 |. 33C0 xor eax,eax
00442F39 |. 55 push ebp
00442F3A |. 68 22304400 push aLoNg3x_.00443022
00442F3F |. 64:FF30 push dword ptr fs:[eax]
00442F42 |. 64:8920 mov dword ptr fs:[eax],esp
00442F45 |. 8D55 F8 lea edx,[local.2]
00442F48 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F4E |. E8 ED02FEFF call aLoNg3x_.00423240
00442F53 |. 8B45 F8 mov eax,[local.2]
00442F56 |. 8D55 FC lea edx,[local.1]
00442F59 |. E8 FAF9FBFF call aLoNg3x_.00402958
00442F5E |. 8BF0 mov esi,eax
00442F60 |. 837D FC 00 cmp [local.1],0x0
00442F64 |. 74 37 je XaLoNg3x_.00442F9D
00442F66 |. B8 38304400 mov eax,aLoNg3x_.00443038 ; ASCII "You MUST insert a valid Long Integer Value in the Code Editor... Thank you :)"
00442F6B |. E8 00F6FFFF call aLoNg3x_.00442570
00442F70 |. 8D55 F8 lea edx,[local.2]
00442F73 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F79 |. E8 C202FEFF call aLoNg3x_.00423240
00442F7E |. 8B45 F8 mov eax,[local.2]
00442F81 |. E8 06FBFFFF call aLoNg3x_.00442A8C ; Proc_1
00442F86 |. A3 30584400 mov dword ptr ds:[0x445830],eax ; ?
00442F8B |. BA 90304400 mov edx,aLoNg3x_.00443090
00442F90 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F96 |. E8 D502FEFF call aLoNg3x_.00423270
00442F9B |. EB 6F jmp XaLoNg3x_.0044300C
00442F9D |> 85F6 test esi,esi
00442F9F |. 7E 5A jle XaLoNg3x_.00442FFB
00442FA1 |. 8D55 F8 lea edx,[local.2]
00442FA4 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]
00442FAA |. E8 9102FEFF call aLoNg3x_.00423240
00442FAF |. 8B4D F8 mov ecx,[local.2] ; name
00442FB2 |. 8BD6 mov edx,esi ; int(codice)
00442FB4 |. A1 30584400 mov eax,dword ptr ds:[0x445830]
00442FB9 |. E8 EAF9FFFF call aLoNg3x_.004429A8 ; the check function
00442FBE |. 84C0 test al,al
00442FC0 |. 74 30 je XaLoNg3x_.00442FF2 ; patch point
00442FC2 |. 33D2 xor edx,edx
00442FC4 |. 8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
00442FCA |. E8 6101FEFF call aLoNg3x_.00423130
00442FCF |. B2 01 mov dl,0x1
00442FD1 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+0x2E8]
00442FD7 |. E8 5401FEFF call aLoNg3x_.00423130
00442FDC |. 33D2 xor edx,edx
00442FDE |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+0x2D8]
00442FE4 |. 8B08 mov ecx,dword ptr ds:[eax]
00442FE6 |. FF51 60 call dword ptr ds:[ecx+0x60]
00442FE9 |. 33C0 xor eax,eax
00442FEB |. A3 30584400 mov dword ptr ds:[0x445830],eax ; 0
00442FF0 |. EB 1A jmp XaLoNg3x_.0044300C
00442FF2 |> 33C0 xor eax,eax
00442FF4 |. A3 30584400 mov dword ptr ds:[0x445830],eax ; 0
00442FF9 |. EB 11 jmp XaLoNg3x_.0044300C
00442FFB |> B8 9C304400 mov eax,aLoNg3x_.0044309C ; ASCII "Please... The Code Must be > 0"
00443000 |. E8 6BF5FFFF call aLoNg3x_.00442570
00443005 |. 33C0 xor eax,eax
00443007 |. A3 30584400 mov dword ptr ds:[0x445830],eax ; 0
0044300C |> 33C0 xor eax,eax
0044300E |. 5A pop edx
0044300F |. 59 pop ecx
00443010 |. 59 pop ecx
00443011 |. 64:8910 mov dword ptr fs:[eax],edx
00443014 |. 68 29304400 push aLoNg3x_.00443029
00443019 |> 8D45 F8 lea eax,[local.2]
0044301C |. E8 9707FCFF call aLoNg3x_.004037B8
00443021 \. C3 retn
The key piece is the check function at call 004429A8. It takes three arguments in the Delphi register convention: eax = dword ptr ds:[0x445830], edx = int(codice), ecx = name.
Its prototype is roughly (the body below is reconstructed from the keygen at the end of this post):
int key_445830;   /* mirrors dword ptr ds:[0x445830], written by Proc_1 */
int Regist_judge(int codice, char *name){
    int len, sum = 0;
    int i, j, tmp;
    len = strlen(name);
    if(len > 4){
        for(i=0; i<len; i++)
            for(j=0; j<len; j++)  /* reduced every step so a 32-bit int cannot overflow */
                sum = (sum + key_445830 * (unsigned char)name[i] * (unsigned char)name[j]) % 666666;
        tmp = sum;
        return codice % 80 + codice / 89 + 1 == tmp;
    }
    return 0;
}
The crux is the value at (int *)0x00445830. It starts out as 0, which makes tmp = 0, and codice % 80 + codice / 89 + 1 is at least 1 for any positive codice, so the check can never pass until that dword is written. The first job is therefore to find where [0x445830] is modified.
Right-click the instruction 00442FB4 |. A1 30584400 mov eax,dword ptr ds:[0x445830] and choose Find references.
Two useful writes show up. Double-click the first one to follow it.
00442F59 |. E8 FAF9FBFF call aLoNg3x_.00402958 ; is the Codice a valid integer?
00442F5E |. 8BF0 mov esi,eax
00442F60 |. 837D FC 00 cmp [local.1],0x0
00442F64 |. 74 37 je XaLoNg3x_.00442F9D ; taken when the Codice parsed as an integer
00442F66 |. B8 38304400 mov eax,aLoNg3x_.00443038 ; ASCII "You MUST insert a valid Long Integer Value in the Code Editor... Thank you :)"
00442F6B |. E8 00F6FFFF call aLoNg3x_.00442570
00442F70 |. 8D55 F8 lea edx,[local.2]
00442F73 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F79 |. E8 C202FEFF call aLoNg3x_.00423240
00442F7E |. 8B45 F8 mov eax,[local.2]
00442F81 |. E8 06FBFFFF call aLoNg3x_.00442A8C ; Proc_1
00442F86 |. A3 30584400 mov dword ptr ds:[0x445830],eax ; the write
00442F8B |. BA 90304400 mov edx,aLoNg3x_.00443090
00442F90 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+0x2DC]
00442F96 |. E8 D502FEFF call aLoNg3x_.00423270
00442F9B |. EB 6F jmp XaLoNg3x_.0044300C
As the comments show, [0x445830] is only written when the Codice input is not a valid integer (the "You MUST insert a valid Long Integer Value" path).
The value written is the return value of Proc_1.
Analysing Proc_1:
00442A8C /$ 55 push ebp ; Proc_1
00442A8D |. 8BEC mov ebp,esp
00442A8F |. 51 push ecx
00442A90 |. 53 push ebx
00442A91 |. 56 push esi
00442A92 |. 57 push edi
00442A93 |. 8945 FC mov [local.1],eax
00442A96 |. 8B45 FC mov eax,[local.1]
00442A99 |. E8 4A11FCFF call aLoNg3x_.00403BE8
00442A9E |. 33C0 xor eax,eax
00442AA0 |. 55 push ebp
00442AA1 |. 68 212B4400 push aLoNg3x_.00442B21
00442AA6 |. 64:FF30 push dword ptr fs:[eax]
00442AA9 |. 64:8920 mov dword ptr fs:[eax],esp
00442AAC |. 8B45 FC mov eax,[local.1]
00442AAF |. E8 800FFCFF call aLoNg3x_.00403A34 ; strlen(codice)
00442AB4 |. 83F8 05 cmp eax,0x5 ; len must be > 5
00442AB7 |. 7E 3D jle XaLoNg3x_.00442AF6
00442AB9 |. BE 7B030000 mov esi,0x37B ; sum = 0x37B
00442ABE |. 8B45 FC mov eax,[local.1]
00442AC1 |. E8 6E0FFCFF call aLoNg3x_.00403A34 ; strlen()
00442AC6 |. 8BD8 mov ebx,eax
00442AC8 |. 4B dec ebx
00442AC9 |. 85DB test ebx,ebx
00442ACB |. 7E 2B jle XaLoNg3x_.00442AF8
00442ACD |. B9 01000000 mov ecx,0x1
00442AD2 |> 8B45 FC /mov eax,[local.1]
00442AD5 |. 0FB60408 |movzx eax,byte ptr ds:[eax+ecx] ; loop: sum += codice[i] * (codice[i+1] % 17 + 1);
00442AD9 |. BF 11000000 |mov edi,0x11
00442ADE |. 33D2 |xor edx,edx
00442AE0 |. F7F7 |div edi
00442AE2 |. 42 |inc edx
00442AE3 |. 8B45 FC |mov eax,[local.1]
00442AE6 |. 0FB64408 FF |movzx eax,byte ptr ds:[eax+ecx-0x1]
00442AEB |. 0FAFD0 |imul edx,eax
00442AEE |. 03F2 |add esi,edx
00442AF0 |. 41 |inc ecx
00442AF1 |. 4B |dec ebx
00442AF2 |.^ 75 DE \jnz XaLoNg3x_.00442AD2
00442AF4 |. EB 02 jmp XaLoNg3x_.00442AF8
00442AF6 |> 33F6 xor esi,esi
00442AF8 |> 8BC6 mov eax,esi
00442AFA |. B9 48710000 mov ecx,0x7148
00442AFF |. 99 cdq
00442B00 |. F7F9 idiv ecx
00442B02 |. 8BC2 mov eax,edx
00442B04 |. 99 cdq
00442B05 |. 33C2 xor eax,edx
00442B07 |. 2BC2 sub eax,edx
00442B09 |. 8BD8 mov ebx,eax
00442B0B |. 33C0 xor eax,eax
00442B0D |. 5A pop edx
00442B0E |. 59 pop ecx
00442B0F |. 59 pop ecx
00442B10 |. 64:8910 mov dword ptr fs:[eax],edx
00442B13 |. 68 282B4400 push aLoNg3x_.00442B28
00442B18 |> 8D45 FC lea eax,[local.1]
00442B1B |. E8 980CFCFF call aLoNg3x_.004037B8
00442B20 \. C3 retn
00442B21 .^ E9 5207FCFF jmp aLoNg3x_.00403278
00442B26 .^ EB F0 jmp XaLoNg3x_.00442B18
00442B28 . 8BC3 mov eax,ebx ; return value: sum % 0x7148
00442B2A . 5F pop edi
00442B2B . 5E pop esi
00442B2C . 5B pop ebx
00442B2D . 59 pop ecx
00442B2E . 5D pop ebp
00442B2F . C3 retn
The corresponding C:
int proc_1(char *codice){
    int len, sum = 891;          /* 0x37B */
    int i;
    len = strlen(codice);
    if(len > 5){
        for(i=0; i<len-1; i++)   /* movzx: the bytes are unsigned */
            sum += (unsigned char)codice[i] * ((unsigned char)codice[i+1] % 17 + 1);
    } else sum = 0;
    return sum % 0x7148;         /* "abcdef" -> 7104 == 0x1BC0 */
}
Test: entering "abcdef" changes the value at [0x445830] to 0x1BC0. Feeding that into Regist_judge() with name = "123456" gives tmp = 297702.
So the button disappears once codice % 80 + codice / 89 + 1 == 297702.
I did not find a closed form, so brute force it is.
for i in range(26495000, 26500000):
    if i % 80 + i // 89 == 297701:
        print(i)
        break
Output: 26495044
Summary:
Steps to make Register disappear:
1. Enter a non-numeric string longer than 5 characters in the Codice box.
2. Click Register; a message box pops up. At this point [0x445830] has been written.
3. Compute a correct Codice according to Regist_judge(), enter it, click the button, and it disappears.
Test:
Enter "123456" as name and "abcdef" as Codice, click the button, then change Codice to "26495044". The button disappears and a new button appears.
Now the Again button's click handler.
Same procedure as Register; repeat it.
Both buttons are gone and the title has changed.
4. Keygen
import random

name = input('Name:')
cat = input('Enter a string longer than 5 chars that is not a valid integer:')

# Proc_1: hash the seed string into the value stored at [0x445830]
total = 891
for i in range(len(cat) - 1):
    total += ord(cat[i]) * (ord(cat[i + 1]) % 17 + 1)
key = total % 0x7148

# Regist_judge: the target the real Codice must satisfy
total = 0
for i in range(len(name)):
    for j in range(len(name)):
        total += key * ord(name[i]) * ord(name[j])
total %= 666666

# Every Codice with codice % 80 + codice // 89 == total - 1 lies in
# [89 * (total - 80), 89 * total - 1]; collect all of them
l = []
for i in range(89 * total - 1, 89 * (total - 80) - 1, -1):
    if i > 0 and i % 80 + i // 89 == total - 1:
        l.append(i)
if not l:
    raise SystemExit('no valid Codice for this input (seed too short or numeric?)')
print('Registration steps:',
      'Type into the Name box: %s' % name,
      'Type into the Codice box: %s' % cat,
      'Click the button, then change the Codice box to: %s' % random.choice(l),
      sep='\n')
One name maps to several valid codice values.
That's it; corrections welcome.
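As an added example, not code from the crackme or from this write-up, the Python below re-implements the two routines recovered above (Proc_1 at 00442A8C and Regist_judge at 004429A8) together with the registration procedure from the summary, and replaces the brute-force search used both in the 26495044 snippet and in the keygen with a direct enumeration of every Codice satisfying codice % 80 + codice // 89 == tmp - 1 (write codice = 89*q + s with 0 <= s < 89; then q runs over tmp-80 .. tmp-1 and q fixes the required residue mod 80). The helper names judge_target, solve_codice, looks_like_long_int and keygen are my own, and looks_like_long_int is only an approximation of the Delphi string-to-integer check at 00402958, whose exact accepted syntax the page does not show.

```python
from typing import List

# Added example: re-implementation of the routines recovered from aLoNg3x.
# Function names follow the write-up's labels; helper names are assumptions.


def proc_1(codice: str) -> int:
    """sub_00442A8C: turns a non-numeric Codice into the key kept at [0x445830].
    len <= 5 yields 0; otherwise 0x37B + sum(c[i] * (c[i+1] % 17 + 1)) mod 0x7148."""
    if len(codice) <= 5:
        return 0
    total = 0x37B
    for i in range(len(codice) - 1):
        total += ord(codice[i]) * (ord(codice[i + 1]) % 17 + 1)
    return total % 0x7148


def judge_target(key: int, name: str) -> int:
    """Value Regist_judge compares the Codice against: key * name[i] * name[j]
    summed over every pair (i, j), reduced mod 666666."""
    total = 0
    for a in name:
        for b in name:
            total = (total + key * ord(a) * ord(b)) % 666666
    return total


def regist_judge(key: int, codice: int, name: str) -> bool:
    """sub_004429A8 with eax=key, edx=codice, ecx=name; name must be > 4 chars."""
    if len(name) <= 4:
        return False
    return codice % 80 + codice // 89 + 1 == judge_target(key, name)


def solve_codice(target: int) -> List[int]:
    """Every positive 32-bit codice with codice % 80 + codice // 89 + 1 == target.
    codice = 89*q + s with 0 <= s < 89, so q = codice // 89 must lie in
    target-80 .. target-1 and codice % 80 must equal (target - 1) - q."""
    t = target - 1
    out = []
    for q in range(max(t - 79, 0), t + 1):
        r = t - q                          # required value of codice % 80
        for s in range(89):
            c = 89 * q + s
            if 0 < c <= 0x7FFFFFFF and c % 80 == r:
                out.append(c)
    return out


def looks_like_long_int(text: str) -> bool:
    """Approximation (assumption) of the StrToInt-style check at 00402958: a
    Codice that parses as an integer never reaches Proc_1 and cannot seed
    [0x445830], so it is useless as the first input."""
    try:
        int(text.strip())
        return True
    except ValueError:
        return False


def keygen(name: str, seed: str) -> List[int]:
    """Full procedure from the summary: enter `seed` first (> 5 chars, not an
    integer) and click to set the key, then enter any returned value as the
    real Codice and click again."""
    if len(seed) <= 5 or looks_like_long_int(seed):
        raise ValueError("seed must be longer than 5 chars and not a valid integer")
    if len(name) <= 4:
        raise ValueError("name must be longer than 4 chars")
    key = proc_1(seed)
    return solve_codice(judge_target(key, name))


if __name__ == "__main__":
    key = proc_1("abcdef")
    print("key from 'abcdef':", hex(key), "target for '123456':", judge_target(key, "123456"))
    cands = keygen("123456", "abcdef")
    print(len(cands), "valid Codice values; first one:", cands[0])
    # every candidate must pass the real check before being handed out
    assert all(regist_judge(key, c, "123456") for c in cands)
```

Running the block reproduces the write-up's numbers (key 0x1BC0, target 297702, and 26495044 among the candidates) and, unlike the brute-force loops, runs each candidate back through regist_judge before printing it, which is the cheap sanity check worth keeping in any keygen.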