一个简单的crackme分析
这是一个由“轻院的狼”编写的crackme,网址:http://www.blogcn.com/User14/immlep/blog/24655601.html
下载:http://bbs.pediy.com/upload/2005/8/files/crackme.rar_841.rar
用到了anti(反调试)技术,具体内容可到上面的网址查看。
最近被anti搞晕了,找了个简单的随便写写,大家见笑了。
开始:
用OllyDbg(OD)载入,用Ultra String Reference查找字符串,发现“ - [CPU - ”,
定位到如下代码(注:下面列表中 ds:、ss: 后面的内存操作数在转贴时丢失了,可按前面的机器码还原,例如 A3 98304000 即 mov dword ptr ds:[403098],eax,8B45 10 即 mov eax,dword ptr ss:[ebp+10]):
00401335 |> /A3 98304000 /mov dword ptr ds:,eax
0040133A |. |68 C8000000 |push 0C8 ; /Count = C8 (200.)
0040133F |. |68 00314000 |push CrackMe.00403100 ; |Buffer = CrackMe.00403100
00401344 |. |FF35 983040>|push dword ptr ds: ; |hWnd = NULL
0040134A |. |E8 FB010000 |call <jmp.&user32.GetWindowTextA> ; \GetWindowTextA
0040134F |. |83F8 00 |cmp eax,0
00401352 |. |74 7F |je short CrackMe.004013D3
00401354 |. |68 64314000 |push CrackMe.00403164
00401359 |. |68 00314000 |push CrackMe.00403100
0040135E |. |6A 01 |push 1
00401360 |. |E8 3EFEFFFF |call CrackMe.004011A3
00401365 |. |83F8 00 |cmp eax,0
00401368 |. |74 16 |je short CrackMe.00401380
0040136A |. |68 95304000 |push CrackMe.00403095 ;ASCII ", "
0040136F |. |68 00314000 |push CrackMe.00403100
00401374 |. |6A 01 |push 1
00401376 |. |E8 28FEFFFF |call CrackMe.004011A3
0040137B |. |83F8 00 |cmp eax,0
0040137E |. |75 42 |jnz short CrackMe.004013C2
00401380 |> |68 67304000 |push CrackMe.00403067 ;ASCII " - [CPU - "
00401385 |. |68 00314000 |push CrackMe.00403100
0040138A |. |6A 01 |push 1
0040138C |. |E8 12FEFFFF |call CrackMe.004011A3
00401391 |. |83F8 00 |cmp eax,0
00401394 |. |75 2C |jnz short CrackMe.004013C2
00401396 |. |68 72304000 |push CrackMe.00403072 ;ASCII " - "
0040139B |. |68 00314000 |push CrackMe.00403100
004013A0 |. |6A 01 |push 1
004013A2 |. |E8 FCFDFFFF |call CrackMe.004011A3
004013A7 |. |83F8 00 |cmp eax,0
004013AA |. |75 16 |jnz short CrackMe.004013C2
004013AC |. |68 C8314000 |push CrackMe.004031C8
004013B1 |. |68 00314000 |push CrackMe.00403100
004013B6 |. |6A 03 |push 3
004013B8 |. |E8 E6FDFFFF |call CrackMe.004011A3
004013BD |. |83F8 00 |cmp eax,0
004013C0 |. |74 11 |je short CrackMe.004013D3
004013C2 |> |6A 00 |push 0 ; /lParam = 0//这里下断点
004013C4 |. |6A 00 |push 0 ; |wParam = 0
004013C6 |. |6A 12 |push 12 ; |Message = WM_QUIT
004013C8 |. |FF35 983040>|push dword ptr ds: ; |hWnd = NULL
004013CE |. |E8 83010000 |call <jmp.&user32.PostMessageA> ; \PostMessageA
004013D3 |> |6A 02 |push 2 ; /Relation = GW_HWNDNEXT
004013D5 |. |FF35 983040>|push dword ptr ds: ; |hWnd = NULL
004013DB |. |E8 64010000 |call <jmp.&user32.GetWindow> ; \GetWindow
004013E0 |. |83F8 00 |cmp eax,0
004013E3 |.^\0F85 4CFFFF>\jnz CrackMe.00401335
004013E9 \.C3 retn
这段代码用GetWindow(GW_HWNDNEXT)逐个遍历窗口,用GetWindowTextA取出标题并与“ - [CPU - ”、“ - ”等字符串比较,匹配到调试器窗口就用PostMessageA发WM_QUIT让程序退出。
在004013C2下断,F9运行,断下来后,将push 0改为retn,
这样就不会因检测到调试器而退出了。
修改之后返回到这里:
004010CC |. /E9 C9000000 jmp CrackMe.0040119A
004010D1 |> |3D 38010000 cmp eax,138
004010D6 |. |75 05 jnz short CrackMe.004010DD
004010D8 |. |E9 BD000000 jmp CrackMe.0040119A
004010DD |> |3D 11010000 cmp eax,111
004010E2 |. |0F85 980000>jnz CrackMe.00401180
004010E8 |. |8B45 10 mov eax,dword ptr ss:
004010EB |. |3D EC030000 cmp eax,3EC
004010F0 |. |75 0F jnz short CrackMe.00401101
004010F2 |. |6A 00 push 0 ; /Result = 0
004010F4 |. |FF75 08 push dword ptr ss: ; |hWnd
004010F7 |. |E8 30040000 call <jmp.&user32.EndDialog> ; \EndDialog
004010FC |. |E9 99000000 jmp CrackMe.0040119A
00401101 |> |3D EB030000 cmp eax,3EB
00401106 |. |0F85 8E0000>jnz CrackMe.0040119A
0040110C |. |6A 21 push 21 ; /Count = 21 (33.)
0040110E |. |68 00304000 push CrackMe.00403000 ; |Buffer = CrackMe.00403000
00401113 |. |68 EA030000 push 3EA ; |ControlID = 3EA (1002.)
00401118 |. |FF75 08 push dword ptr ss: ; |hWnd
0040111B |. |E8 1E040000 call <jmp.&user32.GetDlgItemTextA> ; \GetDlgItemTextA//这里下断,取PassWord
00401120 |. |68 00304000 push CrackMe.00403000 ; /String = ""//PassWord地址入栈
00401125 |. |E8 F0030000 call <jmp.&kernel32.lstrlenA> ; \lstrlenA//取PassWord长度
0040112A |. |83F8 00 cmp eax,0 //---
0040112D |. |74 3C je short CrackMe.0040116B //---没有输入跳走
0040112F |. |8BC8 mov ecx,eax //ecx循环计数
00401131 |. |8D05 003040>lea eax,dword ptr ds: //eax指向PassWord==============
00401137 |> |8030 08 /xor byte ptr ds:,8 //取一个字母与8异或
0040113A |. |49 |dec ecx //循环计数减1
0040113B |. |83F9 00 |cmp ecx,0 //---
0040113E |. |74 05 |je short CrackMe.00401145 //---循环完跳走
00401140 |. |83C0 01 |add eax,1 //移动指针,指向下一个
00401143 |.^|EB F2 \jmp short CrackMe.00401137 //循环继续====================
00401145 |> |68 3A304000 push CrackMe.0040303A ; /String2 = "adg~mpaigz}"
0040114A |. |68 00304000 push CrackMe.00403000 ; |String1 = ""
0040114F |. |E8 BA030000 call <jmp.&kernel32.lstrcmpA> ; \lstrcmpA
00401154 |. |75 15 jnz short CrackMe.0040116B
00401156 |. |6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401158 |. |68 46304000 push CrackMe.00403046 ; |Title = "nohack.cn"
0040115D |. |68 50304000 push CrackMe.00403050 ; |Text = "yes!right"
00401162 |. |6A 00 push 0 ; |hOwner = NULL
00401164 |. |E8 E7030000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00401169 |. |EB 13 jmp short CrackMe.0040117E
0040116B |> |6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040116D |. |68 46304000 push CrackMe.00403046 ; |Title = "nohack.cn"
00401172 |. |68 5A304000 push CrackMe.0040305A ; |Text = "no!wrong"
00401177 |. |6A 00 push 0 ; |hOwner = NULL
00401179 |. |E8 D2030000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
可以看出程序是把输入的PassWord逐字节与8异或,再用lstrcmpA与“adg~mpaigz}”比较,相同就提示成功。
由于与8异或是自逆运算,把“adg~mpaigz}”逐字节与8异或就得到ilovexiaoru,这就是正确的PassWord。
最后希望高手能把现在流行的anti技术总结一下,写一篇教程,我是菜鸟,遇见anti就晕,
我在这里代表全体菜鸟先谢谢啦。
surge
2005-11-1 不是很明白,收藏先,多谢`` 支持!
非常的不错!
有空教我两手啊!! 客气,兄弟的文章我很是佩服,还要多多向你学习呢。 学习中
支持