Nevyn's nev-crackme（DEPHI）

快雪时晴 · 发表于 2006-7-25 02:58:04

Nevyn's nev-crackme
Download nev-crackme.zip, 207 kb
Browse contents of nev-crackme.zip
I've written a somewhat more "advanced" basic crackme.
Its not packed in anyway, just a little application that has encrypted messages and code.

Let's see who the first person is to tell me the password =)

(should be able to find it rather fast)

Difficulty: 2 - Needs a little brain (or luck)
Platform: Windows
Language: Borland Delphi

Published: 09. Jul, 2006
Downloads: 150

0045393C /. 5>push ebp
0045393D |. 8>mov ebp, esp
0045393F |. 6>push 0
00453941 |. 6>push 0
00453943 |. 6>push 0
00453945 |. 5>push ebx
00453946 |. 5>push esi
00453947 |. 5>push edi
00453948 |. 8>mov edi, eax
0045394A |. B>mov ebx, 00456D04
0045394F |. B>mov esi, 00456C04
00453954 |. 3>xor eax, eax
00453956 |. 5>push ebp
00453957 |. 6>push 00453A2D
0045395C |. 6>push dword ptr fs:[eax]
0045395F |. 6>mov fs:[eax], esp
00453962 |. 8>lea edx, [ebp-4]
00453965 |. 8>mov eax, [edi+2FC]
0045396B |. E>call 00432A4C
00453970 |. 8>mov edx, [ebp-4] ; 试验码
00453973 |. 8>mov eax, esi
00453975 |. B>mov ecx, 0FF
0045397A |. E>call 004040E8 ; 函数F1（EDX,EAX,ECX），复制最多0ff个文本到[edx]
0045397F |. 3>xor eax, eax
00453981 |. 8>mov al, [esi] ; 试验码长度
00453983 |. 8>test eax, eax
00453985 |. 7>jle short 00453998
00453987 |. C>mov dword ptr [ebx], 1
0045398D |> 8>/mov edx, [ebx] ; 循环异或试验码[i] XOR 0x17
0045398F |. 8>|xor byte ptr [esi+edx], 17
00453993 |. F>|inc dword ptr [ebx]
00453995 |. 4>|dec eax
00453996 |.^ 7>\jnz short 0045398D
00453998 |> 8>mov eax, esi ; 结果串S1
0045399A |. B>mov edx, 00453A3C
0045399F |. 3>xor ecx, ecx
004539A1 |. 8>mov cl, [eax] ; 试验码长度
004539A3 |. 4>inc ecx
004539A4 |. E>call 00402AA8 ; 函数F2，与固定串[EDX]比较,包含则返回eax=0
004539A9 |. 7>jnz short 004539CB
004539AB |. 3>xor eax, eax
004539AD |. 8>mov al, [esi] ; 试验码长度
004539AF |. 8>test eax, eax
004539B1 |. 7>jle short 004539CB
004539B3 |. C>mov dword ptr [ebx], 1
004539B9 |> 8>/mov edx, [ebx] ; 上个循环的逆运算，还原试验码
004539BB |. 8>|mov dl, [esi+edx]
004539BE |. 8>|xor dl, 17
004539C1 |. 8>|mov ecx, [ebx]
004539C3 |. 8>|mov [esi+ecx], dl
004539C6 |. F>|inc dword ptr [ebx]
004539C8 |. 4>|dec eax
004539C9 |.^ 7>\jnz short 004539B9
004539CB |> 8>mov eax, esi
004539CD |. B>mov edx, 00453A48 ; ASCII 09,"htContext"
004539D2 |. 3>xor ecx, ecx
004539D4 |. 8>mov cl, [eax]
004539D6 |. 4>inc ecx
004539D7 |. E>call 00402AA8 ; 函数F2，与固定串[EDX]比较,包含则返回eax=0
004539DC |. 7>jnz short 004539F5 ; 跳失败
004539DE |. 8>lea edx, [ebp-8]
004539E1 |. B>mov eax, 00453A5C ; ASCII "Xfmm!epof"""
004539E6 |. E>call 004538AC
004539EB |. 8>mov eax, [ebp-8] ; (ASCII "Well done!")
004539EE |. E>call 0042736C
004539F3 |. E>jmp short 00453A0A
004539F5 |> 8>lea edx, [ebp-C]
004539F8 |. B>mov eax, 00453A70 ; ASCII "Cbe!hbnf"""
004539FD |. E>call 004538AC ; 这是字符串解密函数，参数eax(待解密文本),edx(解密文本)
00453A02 |. 8>mov eax, [ebp-C] ; “Bad game！”
00453A05 |. E>call 0042736C
00453A0A |> 3>xor eax, eax
00453A0C |. 5>pop edx
00453A0D |. 5>pop ecx
00453A0E |. 5>pop ecx
00453A0F |. 6>mov fs:[eax], edx
00453A12 |. 6>push 00453A34
00453A17 |> 8>lea eax, [ebp-C]
00453A1A |. B>mov edx, 2
00453A1F |. E>call 00403E70
00453A24 |. 8>lea eax, [ebp-4]
00453A27 |. E>call 00403E4C
00453A2C \. C>retn
真实序列号为固定码：htContext

复制代码

其实中间一大段循环XOR再比较都是迷惑性的，真正的比较从

004539CD |. B>mov edx, 00453A48 ; ASCII 09,"htContext"

复制代码

开始

caterpilla · 发表于 2006-7-25 08:28:29

厉害，支持走出国门，呵呵。。。。。。。

agang · 发表于 2006-7-25 20:42:24

快兄出手真够快,佩服佩服!

加解密部分能否跟入重点分析下.

冷血书生 · 发表于 2006-7-25 21:18:23

强~~~看得过瘾，再来~~

joker27 · 发表于 2006-7-26 19:38:15

标题是delphi吧，漏了个L

		自动登录	找回密码
密码			加入我们

Nevyn's nev-crackme（DEPHI）

本帖子中包含更多资源