This time we pick a simple CrackMe for a hands-on exercise in reversing a serial-check algorithm.
The program appears to be written directly in assembly: it is tiny and has none of the startup code that a C or C# compiler would emit, so it is a fairly simple target. The focus here is on reading the code logic and recovering the algorithm; patching the check out is only the fallback.
The download link for the program is at the end of the article.
Below is the code copied out of OllyDbg (OD). It is short enough to reproduce in full.
CPU Disasm
Address Hex dump Command Comments
00401000 /$ 6A 00 PUSH 0 ; /ModuleName = NULL
00401002 |. E8 34010000 CALL ; \KERNEL32.GetModuleHandleA
00401007 |. A3 EC234000 MOV DWORD PTR DS:[4023EC],EAX
0040100C |. 6A 00 PUSH 0 ; /InitParam = 0
0040100E |. 68 29104000 PUSH 00401029 ; |DialogProc = abexcm5.401029
00401013 |. 6A 00 PUSH 0 ; |hParent = NULL
00401015 |. 6A 01 PUSH 1 ; |TemplateName = 1
00401017 |. FF35 EC234000 PUSH DWORD PTR DS:[4023EC] ; |hInst = NULL
0040101D |. E8 3D010000 CALL ; \USER32.DialogBoxParamA
00401022 |. 6A 00 PUSH 0 ; /ExitCode = 0
00401024 |. E8 1E010000 CALL ; \KERNEL32.ExitProcess
00401029 |$ C8 0000 00 ENTER 0,0 ; ||Arg1 => ARG.EBP
0040102D |. 817D 0C 11010 CMP DWORD PTR SS:[EBP+0C],111 ; ||
00401034 |. 75 07 JNE SHORT 0040103D ; ||
00401036 |. E8 1B000000 CALL 00401056 ; |\abexcm5.00401056
0040103B |. EB 13 JMP SHORT 00401050 ; |
0040103D |> 837D 0C 02 CMP DWORD PTR SS:[EBP+0C],2 ; |
00401041 |. 75 07 JNE SHORT 0040104A ; |
00401043 |. E8 E5000000 CALL 0040112D ; \abexcm5.0040112D
00401048 |. EB 06 JMP SHORT 00401050
0040104A |> 33C0 XOR EAX,EAX
0040104C |. C9 LEAVE
0040104D |. C2 1000 RETN 10
00401050 |> 33C0 XOR EAX,EAX
00401052 |. C9 LEAVE
00401053 \. C2 1000 RETN 10
00401056 /$ 837D 10 65 CMP DWORD PTR SS:[EBP+10],65 ; abexcm5.00401056(guessed Arg1,Arg2,Arg3,Arg4)
0040105A |. 74 10 JE SHORT 0040106C
0040105C |. 837D 10 02 CMP DWORD PTR SS:[EBP+10],2
00401060 |. 0F84 C7000000 JE 0040112D
00401066 |. 33C0 XOR EAX,EAX
00401068 |. C9 LEAVE
00401069 |. C2 1000 RETN 10
0040106C |> 6A 25 PUSH 25 ; /MaxCount = 37.
0040106E |. 68 24234000 PUSH OFFSET 00402324 ; |String
00401073 |. 6A 68 PUSH 68 ; |ItemID = 104.
00401075 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hDialog => [ARG.EBP+8]
00401078 |. E8 F4000000 CALL ; \USER32.GetDlgItemTextA
0040107D |. 6A 00 PUSH 0 ; /SysNameSize = 0
0040107F |. 6A 00 PUSH 0 ; |SysName = NULL
00401081 |. 68 C8204000 PUSH OFFSET 004020C8 ; |pFlags = abexcm5.4020C8 -> 0
00401086 |. 68 90214000 PUSH OFFSET 00402190 ; |pMaxNameLength = abexcm5.402190 -> 0
0040108B |. 68 94214000 PUSH OFFSET 00402194 ; |pSerialNumber = abexcm5.402194 -> 0
00401090 |. 6A 32 PUSH 32 ; |VolumeSize = 50.
00401092 |. 68 5C224000 PUSH OFFSET 0040225C ; |VolumeName = abexcm5.40225C -> 00
00401097 |. 6A 00 PUSH 0 ; |Root = NULL
00401099 |. E8 B5000000 CALL ; \KERNEL32.GetVolumeInformationA
004010AD |. B2 02 MOV DL,2
004010AF |> 8305 5C224000 /ADD DWORD PTR DS:[40225C],1
004010B6 |. 8305 5D224000 |ADD DWORD PTR DS:[40225D],1
004010BD |. 8305 5E224000 |ADD DWORD PTR DS:[40225E],1
004010C4 |. 8305 5F224000 |ADD DWORD PTR DS:[40225F],1
004010CB |. FECA |DEC DL
004010CD |.^ 75 E0 \JNZ SHORT 004010AF
004010CF |. 68 FD234000 PUSH OFFSET 004023FD ; /Src = "L2C-5781"
004010D4 |. 68 00204000 PUSH OFFSET 00402000 ; |Dest
004010D9 |. E8 63000000 CALL ; \KERNEL32.lstrcat
004010DE |. 68 5C224000 PUSH OFFSET 0040225C ; /Src
004010E3 |. 68 00204000 PUSH OFFSET 00402000 ; |Dest
004010E8 |. E8 54000000 CALL ; \KERNEL32.lstrcat
004010ED |. 68 24234000 PUSH OFFSET 00402324 ; /String2
004010F2 |. 68 00204000 PUSH OFFSET 00402000 ; |String1
004010F7 |. E8 51000000 CALL ; \KERNEL32.lstrcmpiA
004010FC |. 83F8 00 CMP EAX,0
004010FF |. 74 16 JE SHORT 00401117
00401101 |. 6A 00 PUSH 0 ; /Type = MB_OK|MB_DEFBUTTON1|MB_APPLMODAL
00401103 |. 68 34244000 PUSH OFFSET 00402434 ; |Caption = "Error!"
00401108 |. 68 3B244000 PUSH OFFSET 0040243B ; |Text = "The serial you entered is not correct!"
0040110D |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner => [ARG.EBP+8]
00401110 |. E8 56000000 CALL ; \USER32.MessageBoxA
00401115 |. EB 16 JMP SHORT 0040112D
00401117 |> 6A 00 PUSH 0 ; /Type = MB_OK|MB_DEFBUTTON1|MB_APPLMODAL
00401119 |. 68 06244000 PUSH OFFSET 00402406 ; |Caption = "Well Done!"
0040111E |. 68 11244000 PUSH OFFSET 00402411 ; |Text = "Yep, you entered a correct serial!"
00401123 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner => [ARG.EBP+8]
00401126 |. E8 40000000 CALL ; \USER32.MessageBoxA
0040112B |. EB 00 JMP SHORT 0040112D
0040112D |$ 6A 00 PUSH 0 ; /Result = 0
0040112F |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hDialog => [ARG.EBP+8]
00401132 |. E8 22000000 CALL ; \USER32.EndDialog
00401137 |. C9 LEAVE
00401138 \. C2 1000 RETN 10
0040113B $- FF25 6C304000 JMP DWORD PTR DS:[<&KERNEL32.GetModuleHa
00401141 $- FF25 70304000 JMP DWORD PTR DS:[<&KERNEL32.lstrcatA>]
00401147 $- FF25 74304000 JMP DWORD PTR DS:[<&KERNEL32.ExitProcess
0040114D $- FF25 78304000 JMP DWORD PTR DS:[<&KERNEL32.lstrcmpiA>]
00401153 $- FF25 7C304000 JMP DWORD PTR DS:[<&KERNEL32.GetVolumeIn
00401159 $- FF25 84304000 JMP DWORD PTR DS:[<&USER32.EndDialog>]
0040115F $- FF25 88304000 JMP DWORD PTR DS:[<&USER32.DialogBoxPara
00401165 .- FF25 8C304000 JMP DWORD PTR DS:[<&USER32.wsprintfA>]
0040116B $- FF25 90304000 JMP DWORD PTR DS:[<&USER32.MessageBoxA>]
00401171 $- FF25 94304000 JMP DWORD PTR DS:[<&USER32.GetDlgItemTex
That is the whole check. Walking through it:

The dialog procedure at 00401029 reacts to only two messages. WM_COMMAND (0x111) goes to 00401056; WM_DESTROY (2) goes straight to the EndDialog stub at 0040112D; everything else returns 0. Note that 00401056 is not a real function: it never sets up its own frame, it reads the dialog procedure's arguments through EBP ([EBP+8] = hDlg, [EBP+10] = wParam) and ends with LEAVE / RETN 10, so it unwinds the dialog procedure's frame and returns directly to DialogBoxParamA; the JMP at 0040103B is never reached.

Inside 00401056, wParam == 0x65 (control ID 101, presumably the Check button) starts the check and wParam == 2 (IDCANCEL) closes the dialog. The check itself:

1) GetDlgItemTextA reads the serial the user typed from control 104 into 00402324. MaxCount is 0x25 = 37 including the terminating NUL, so at most 36 characters are taken.

2) GetVolumeInformationA(Root = NULL, VolumeName = 0040225C, VolumeSize = 50, ...) writes the volume label of the drive holding the current directory into 0040225C; the serial number, max-name-length and flags outputs are never read again. The copy of the listing originally labelled this CALL as lstrcat, but the relative offset E8 B5000000 resolves to 0040109E + 0xB5 = 00401153, which is the GetVolumeInformationA thunk, and the eight pushes in front of it are exactly that API's arguments. Also note that the 15 bytes between 0040109E and 004010AC are missing from the copied listing. From the final serial one can deduce what they do: by the time the loop runs, the buffer at 0040225C holds the volume label followed by "4562-ABEX" (on a drive with no label, just "4562-ABEX"), because "6784-ABEX" minus 2 on each of the first four characters is "4562-ABEX".

3) The loop at 004010AF runs twice (DL = 2) and on each pass executes ADD DWORD PTR ...,1 on 40225C, 40225D, 40225E and 40225F. Although the operand size is DWORD, the four addresses overlap by one byte, so each ADD effectively increments a single byte (a carry into the next byte would only happen if a byte wrapped past 0xFF, which printable ASCII never does). Net effect: each of the first four characters of the buffer is advanced by 2, so "4562-ABEX" becomes "6784-ABEX".

4) Two lstrcatA calls build the expected serial at 00402000: "L2C-5781" followed by the transformed buffer from 0040225C.

5) lstrcmpiA compares that string with the user's input, case-insensitively, and the JE at 004010FF selects either the "Well Done!" or the "Error!" MessageBoxA.

So on a drive without a volume label the serial is L2C-57816784-ABEX, which is the one I got here. The caveat a keygen writer has to keep in mind is that the serial is tied to the machine: if the drive has a label, the label goes into the buffer first, its first four characters get the +2 treatment, and "4562-ABEX" follows unchanged, so the string above only works on unlabelled volumes. A second edge case follows from step 1: the serial is 17 characters plus the label, and GetDlgItemTextA only accepts 36, so a label longer than 19 characters yields a serial that cannot even be typed into the dialog.

If all you want is to patch it, that is trivial: the JE SHORT 00401117 at 004010FF is 74 16; change the opcode byte to 75 (JNE, inverts the check) or EB (JMP SHORT, accepts anything).
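As an added example (my own reconstruction, not code that ships with the crackme), here is a small Python keygen and checker that replays the data flow the listing shows: a 50-byte volume-name buffer, the string appends, the two passes of four overlapping DWORD adds, and the final case-insensitive compare. The "4562-ABEX" constant is the one deduced above from the final serial and is an assumption about the bytes missing from the copied listing; the function names are mine. The optional current_volume_label helper uses ctypes on Windows to read the label the crackme itself will see; on other platforms pass the label in by hand.

```python
"""Keygen and checker replaying the abexcm5 serial check.

Reconstructed from the disassembly; not code from the crackme itself.
Assumption: the bytes missing from the copied listing append "4562-ABEX"
to the volume-name buffer (deduced from the final serial L2C-57816784-ABEX).
"""
import struct
import sys

VOLUME_BUF_SIZE = 0x32        # PUSH 32: VolumeSize passed to GetVolumeInformationA
MAX_INPUT = 0x25 - 1          # PUSH 25: GetDlgItemTextA MaxCount, includes the NUL
SERIAL_PREFIX = b"L2C-5781"   # string at 004023FD
APPENDED_TAIL = b"4562-ABEX"  # assumed content of the elided lstrcatA (see docstring)


def lstrcat(buf: bytearray, src: bytes) -> None:
    """Emulate lstrcatA into a fixed buffer: append at the first NUL, re-terminate."""
    end = buf.index(0)
    buf[end:end + len(src) + 1] = src + b"\x00"


def add_dword(buf: bytearray, off: int, val: int = 1) -> None:
    """ADD DWORD PTR [buf+off], val: little-endian, wraps at 32 bits like the CPU."""
    (v,) = struct.unpack_from("<I", buf, off)
    struct.pack_into("<I", buf, off, (v + val) & 0xFFFFFFFF)


def transform_volume_buffer(label: bytes) -> bytes:
    """Contents of 0040225C after the loop at 004010AF, for a given volume label."""
    buf = bytearray(VOLUME_BUF_SIZE)
    buf[:len(label)] = label           # what GetVolumeInformationA wrote there
    lstrcat(buf, APPENDED_TAIL)        # the elided lstrcatA (assumption)
    for _ in range(2):                 # MOV DL,2 ... DEC DL / JNZ SHORT 004010AF
        for off in range(4):           # [40225C], [40225D], [40225E], [40225F]
            add_dword(buf, off)        # overlapping DWORD adds: +1 on one byte each
    return bytes(buf[:buf.index(0)])


def make_serial(label: bytes = b"") -> bytes:
    """The string built at 00402000 that lstrcmpiA compares against the input."""
    dest = bytearray(64)                             # buffer size not visible in listing
    lstrcat(dest, SERIAL_PREFIX)                     # lstrcatA(402000, "L2C-5781")
    lstrcat(dest, transform_volume_buffer(label))    # lstrcatA(402000, 40225C)
    return bytes(dest[:dest.index(0)])


def check_serial(entered: bytes, label: bytes = b"") -> bool:
    """What the dialog does: GetDlgItemTextA truncation, then lstrcmpiA == 0."""
    return entered[:MAX_INPUT].lower() == make_serial(label).lower()


def serial_is_enterable(label: bytes = b"") -> bool:
    """Long labels push the serial past the 36-char edit limit; it can't be typed."""
    return len(make_serial(label)) <= MAX_INPUT


def current_volume_label() -> bytes:
    """Windows only: read the label the crackme will see (Root = NULL, like the binary)."""
    import ctypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    name = ctypes.create_unicode_buffer(VOLUME_BUF_SIZE)
    ok = kernel32.GetVolumeInformationW(None, name, VOLUME_BUF_SIZE,
                                        None, None, None, None, 0)
    if not ok:
        raise ctypes.WinError(ctypes.get_last_error())
    return name.value.encode("ascii", "replace")


if __name__ == "__main__":
    label = current_volume_label() if sys.platform == "win32" else b""
    serial = make_serial(label)
    print(f"label={label!r} serial={serial.decode()} enterable={serial_is_enterable(label)}")
```

Running it on an unlabelled drive prints L2C-57816784-ABEX; a drive labelled DATA gives L2C-5781FCVC4562-ABEX, which shows why a hard-coded serial only works on one machine. The DWORD adds are emulated on a real byte buffer rather than as `ord(c) + 2` so that the overlapping-operand behaviour of the loop is reproduced exactly.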
CrackMe download: if you cannot see it yet, it is probably still under review, so check back in a day or two. No points are required.