2021-06-15CrackMe00



环境

工具:看雪OD
系统:Windows10 20H2

简要分析


程序有两种验证方式:一种是 Serial/Name(用户名 + 序列号),另一种是单 Serial(只输入序列号)。两种模式走的是不同的校验代码,下面分别分析。

首先随便输入一组数据,观察程序给出的提示,并确认两种模式下的错误提示字符串是否不同——这些提示字符串就是后续在 OD 中定位校验代码的入口。

Serial/Name模式下的错误提示:

单Serial模式下的错误提示:

分析步骤

分析过程不使用把关键跳转 nop 掉的暴力做法,而是还原校验算法并据此编写注册机。

Serial/Name

在 OD 中通过右键菜单「查找 → 所有参考文本字串」定位到错误提示字符串的引用处,顺着引用即可找到校验算法所在的函数入口。
所有参考文本子串
找到函数入口之后,开始分析校验算法

在函数入口下断点,随便输入一组用户名/序列号(这里用 123123/aaaaa)触发校验,然后单步跟踪:

asm
0042FA52  |.  E8 D96EFDFF   call    00406930                         ;  length of the entered name -> eax (author's label: strlen)
0042FA57  |.  83F8 04       cmp     eax, 4                           ;  the name must be at least 4 bytes long
0042FA5A  |.  7D 1D         jge     short 0042FA79                   ;  length >= 4 -> continue with the real check
0042FA5C  |.  6A 00         push    0
0042FA5E  |.  B9 74FB4200   mov     ecx, 0042FB74                    ;  ASCII "Try Again!"
0042FA63  |.  BA 80FB4200   mov     edx, 0042FB80                    ;  ASCII "Sorry , The serial is incorect !"
0042FA68  |.  A1 480A4300   mov     eax, dword ptr [430A48]
0042FA6D  |.  8B00          mov     eax, dword ptr [eax]
0042FA6F  |.  E8 FCA6FFFF   call    0042A170                         ;  show the error message box
0042FA74  |.  E9 BE000000   jmp     0042FB37                         ;  skip the rest of the check
0042FA79  |>  8D55 F0       lea     edx, dword ptr [ebp-10]
0042FA7C  |.  8B83 DC010000 mov     eax, dword ptr [ebx+1DC]         ;  [ebx+1DC]: presumably the Name edit control -- confirm in OD
0042FA82  |.  E8 D1AFFEFF   call    0041AA58                         ;  read its text into [ebp-10]
0042FA87  |.  8B45 F0       mov     eax, dword ptr [ebp-10]
0042FA8A  |.  0FB600        movzx   eax, byte ptr [eax]              ;  first byte of the name, ZERO-extended (a byte >= 0x80 stays positive; a keygen must not use a signed char here)
0042FA8D  |.  F72D 50174300 imul    dword ptr [431750]               ;  multiply by the dword at 431750 (0x29 on the first run -- see the note on the add below)
0042FA93  |.  A3 50174300   mov     dword ptr [431750], eax          ;  the result is written back into the SAME global that supplied the multiplier
0042FA98  |.  A1 50174300   mov     eax, dword ptr [431750]
0042FA9D  |.  0105 50174300 add     dword ptr [431750], eax          ;  x + x, i.e. multiply by 2. NOTE(review): [431750] now holds name[0]*0x29*2; unless it is reset elsewhere (not visible here), the expected serial changes on every attempt, so the keygen below matches the FIRST check of a fresh process only
0042FAA3  |.  8D45 FC       lea     eax, dword ptr [ebp-4]
0042FAA6  |.  BA ACFB4200   mov     edx, 0042FBAC                    ;  ASCII "CW"
0042FAAB  |.  E8 583CFDFF   call    00403708                         ;  [ebp-4] = "CW"
0042FAB0  |.  8D45 F8       lea     eax, dword ptr [ebp-8]
0042FAB3  |.  BA B8FB4200   mov     edx, 0042FBB8                    ;  ASCII "CRACKED"
0042FAB8  |.  E8 4B3CFDFF   call    00403708                         ;  [ebp-8] = "CRACKED"
0042FABD  |.  FF75 FC       push    dword ptr [ebp-4]                ;  piece 1: "CW"
0042FAC0  |.  68 C8FB4200   push    0042FBC8                         ;  piece 2: presumably the "-" separator (final string is CW-xxxx-CRACKED)
0042FAC5  |.  8D55 E8       lea     edx, dword ptr [ebp-18]
0042FAC8  |.  A1 50174300   mov     eax, dword ptr [431750]          ;  convert the computed number to a string. The author labelled this as hex, but the keygen prints decimal (%d) -- one of the two is wrong; inspect [ebp-18] after the call to settle it
0042FACD  |.  E8 466CFDFF   call    00406718                         ;  int -> string into [ebp-18]
0042FAD2  |.  FF75 E8       push    dword ptr [ebp-18]               ;  piece 3: the number
0042FAD5  |.  68 C8FB4200   push    0042FBC8                         ;  piece 4: "-" separator again
0042FADA  |.  FF75 F8       push    dword ptr [ebp-8]                ;  piece 5: "CRACKED"
0042FADD  |.  8D45 F4       lea     eax, dword ptr [ebp-C]
0042FAE0  |.  BA 05000000   mov     edx, 5                           ;  number of pieces to join
0042FAE5  |.  E8 C23EFDFF   call    004039AC                         ;  string concatenation -> [ebp-C]
0042FAEA  |.  8D55 F0       lea     edx, dword ptr [ebp-10]
0042FAED  |.  8B83 E0010000 mov     eax, dword ptr [ebx+1E0]         ;  [ebx+1E0]: presumably the Serial edit control -- confirm in OD
0042FAF3  |.  E8 60AFFEFF   call    0041AA58                         ;  read its text into [ebp-10]
0042FAF8  |.  8B55 F0       mov     edx, dword ptr [ebp-10]          ;  entered serial
0042FAFB  |.  8B45 F4       mov     eax, dword ptr [ebp-C]           ;  expected serial "CW-xxxx-CRACKED"
0042FAFE  |.  E8 F93EFDFF   call    004039FC                         ;  string compare
0042FB03  |.  75 1A         jnz     short 0042FB1F                   ;  not equal -> error branch at 0042FB1F
0042FB05  |.  6A 00         push    0
0042FB07  |.  B9 CCFB4200   mov     ecx, 0042FBCC                    ;  ASCII "Congratz !!"
0042FB0C  |.  BA D8FB4200   mov     edx, 0042FBD8                    ;  ASCII "Good job dude =)"
0042FB11  |.  A1 480A4300   mov     eax, dword ptr [430A48]
0042FB16  |.  8B00          mov     eax, dword ptr [eax]

注册机

cpp
# include <iostream>
# include <optional>
# include <string>
# include <windows.h>
using namespace std;

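// Rebuilds the serial expected by the Serial/Name check of CrackMe00:
//   "CW-" + (name[0] * 0x29 * 2) + "-CRACKED"
// Returns std::nullopt when the name is shorter than 4 bytes, which the
// target itself rejects (cmp eax,4 / jge before any computation).
//
// Notes taken from the disassembly:
//  * The target reads the first byte with movzx, i.e. UNSIGNED. Going through
//    unsigned char matters for names whose first byte is >= 0x80 (non-ASCII
//    input): a plain `char` is signed on MSVC and would produce a negative
//    value, so the serial would never match.
//  * Only name[0] and the length matter; every other character is ignored.
//  * The multiplier 0x29 lives in a global that the target overwrites with the
//    result, so this reproduces the FIRST check of a fresh process only
//    (unless the global is re-initialised somewhere not shown in the listing).
//  * The number is formatted in decimal, as the original keygen did (%d).
//    The author's listing comment calls the conversion hexadecimal -- if the
//    target really emits hex, switch to a hex formatter; confirm in OD.
static std::optional<std::string> make_serial(const std::string& name)
{
    if (name.size() < 4) {
        return std::nullopt;
    }
    const unsigned first = static_cast<unsigned char>(name[0]);
    const unsigned value = first * 0x29u * 2u;  // max 255*41*2 = 20910, cannot overflow
    return "CW-" + std::to_string(value) + "-CRACKED";
}

// Entry point: reads one user name from stdin and prints the matching serial.
// std::getline into a std::string replaces the original `cin >> char[MAX_PATH]`,
// which had no length limit (stack buffer overflow on long input) and stopped
// at the first space, whereas the target's edit box accepts spaces.
int main()
{
    std::string name;
    std::cout << "enter one user name" << '\n';
    if (!std::getline(std::cin, name)) {
        return 1;  // no input at all (EOF / read error)
    }
    if (const auto serial = make_serial(name)) {
        std::cout << *serial << '\n';  // '\n' instead of "\r\n": text-mode stdout adds the CR itself on Windows
        return 0;
    }
    std::cout << "error" << '\n';  // name shorter than 4 bytes, same as the target's rejection
    return 0;
}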

单Serial

查找错误提示 Try Again!!(单 Serial 模式的字符串,注意它比 Serial/Name 模式的 Try Again! 多一个感叹号)的引用,发现紧挨在它上方的是正确提示 Congratz!,以及一个决定走哪条分支的条件跳转(jnz)。

再向上查看,跳转之前有一个字符串比较函数(call 004039FC),上面的跳转就是根据它的结果决定成功还是失败;它的两个参数分别通过 eax 和 edx 传入(见下方反汇编),所以我们在这里下断点等待。

断下来后可以看到,两个参数中一个是我们随便输入的 123123,另一个是常量 Hello Dude!——它很显然就是单 Serial 模式要找的序列号:至少在这段代码里,比较的是一个明文常量,没有看到任何变换,所以直接输入它即可通过。

asm
0042F4CA  |.  8B45 F0       mov     eax, dword ptr [ebp-10]          ;  one operand of the compare (the entered serial, 123123 in the author's run)
0042F4CD  |.  8B55 F4       mov     edx, dword ptr [ebp-C]           ;  the other operand: the constant "Hello Dude!", compared as plain text
0042F4D0  |.  E8 2745FDFF   call    004039FC                         ;  string compare
0042F4D5  |.  75 1A         jnz     short 0042F4F1                   ;  mismatch -> failure branch at 0042F4F1
0042F4D7  |.  6A 00         push    0
0042F4D9  |.  B9 64F54200   mov     ecx, 0042F564                    ;  ASCII "Congratz!"
0042F4DE  |.  BA 70F54200   mov     edx, 0042F570                    ;  ASCII "God Job dude !! =)"
0042F4E3  |.  A1 480A4300   mov     eax, dword ptr [430A48]
0042F4E8  |.  8B00          mov     eax, dword ptr [eax]
0042F4EA  |.  E8 81ACFFFF   call    0042A170                         ;  show the success message box
0042F4EF  |.  EB 18         jmp     short 0042F509                   ;  skip the failure branch
0042F4F1  |>  6A 00         push    0
0042F4F3  |.  B9 84F54200   mov     ecx, 0042F584                    ;  ASCII "Failed!"
0042F4F8  |.  BA 8CF54200   mov     edx, 0042F58C                    ;  ASCII "Try Again!!"
0042F4FD  |.  A1 480A4300   mov     eax, dword ptr [430A48]
0042F502  |.  8B00          mov     eax, dword ptr [eax]

本文作者:Na1r

本文链接:

版权声明:本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!