一个用汇编写的crackme分析,隐藏函数调用方面做的很好,很喜欢这个CM
这个CM的隐藏函数调用做的很好,很喜欢,所以分析的时候心情也是非常激动啊!哈哈哈哈哈~废话不多说,OD载入,查找当前模块中的名称(ctrl+n),很囧地发现只有user32.DialogBoxParamA kernel32.ExitProcess Kernel32.GetModuleHandleA三个函数调用,黑人一大跳,F8一步一步跟进吧,看了大概有三五遍,终于大概知道了函数的流程,这是主程序的代码
代码
00401472 > $ FF3424 push dword ptr [esp] ; kernel32.7C817077
00401475 . E8 B4FBFFFF call 0040102E
0040147A . 0BC0 or eax, eax
0040147C . 74 1A je short 00401498
0040147E . A3 28304000 mov dword ptr [403028], eax
00401483 . 68 6A304000 push 0040306A ; ASCII "GetProcAddress"
00401488 . FF35 28304000 push dword ptr [403028]
0040148E . E8 15FCFFFF call 004010A8
00401493 . A3 30304000 mov dword ptr [403030], eax
00401498 > 833D 30304000>cmp dword ptr [403030], 0
0040149F . 0F84 A7000000 je 0040154C
004014A5 . 68 5D304000 push 0040305D ; ASCII "LoadLibraryA"
004014AA . FF35 28304000 push dword ptr [403028]
004014B0 . FF15 30304000 call dword ptr [403030]
004014B6 . A3 34304000 mov dword ptr [403034], eax
004014BB . 0BC0 or eax, eax
004014BD . 0F84 89000000 je 0040154C
004014C3 . 68 79304000 push 00403079 ; ASCII "user32"
004014C8 . FF15 34304000 call dword ptr [403034]
004014CE . A3 2C304000 mov dword ptr [40302C], eax
004014D3 . 68 80304000 push 00403080 ; ASCII "MessageBoxA"
004014D8 . FF35 2C304000 push dword ptr [40302C]
004014DE . FF15 30304000 call dword ptr [403030]
004014E4 . A3 0E314000 mov dword ptr [40310E], eax
004014E9 . A3 80304000 mov dword ptr [403080], eax
004014EE . 68 4D304000 push 0040304D ; ASCII "GetDlgItemTextA"
004014F3 . FF35 2C304000 push dword ptr [40302C]
004014F9 . FF15 30304000 call dword ptr [403030]
004014FF . A3 4D304000 mov dword ptr [40304D], eax
00401504 . 68 99304000 push 00403099 ; ASCII "SendMessageA"
00401509 . FF35 2C304000 push dword ptr [40302C]
0040150F . FF15 30304000 call dword ptr [403030]
00401515 . A3 99304000 mov dword ptr [403099], eax
0040151A . C705 0A314000>mov dword ptr [40310A], 0
00401524 . C705 06314000>mov dword ptr [403106], 00403008
0040152E . C705 02314000>mov dword ptr [403102], 0040300D ; ASCII "Wrong PassWord"
00401538 . C705 FE304000>mov dword ptr [4030FE], 0
00401542 . C705 0E314000>mov dword ptr [40310E], 3B
0040154C > 6A 00 push 0 ; /pModule = NULL
0040154E . E8 2B000000 call <jmp.&kernel32.GetModuleHandleA> ; \GetModuleHandleA
00401553 . A3 00304000 mov dword ptr [403000], eax
00401558 . 6A 00 push 0 ; /lParam = NULL
0040155A . 68 5B114000 push 0040115B ; |DlgProc = CrackMe_.0040115B
0040155F . 6A 00 push 0 ; |hOwner = NULL
00401561 . 68 E8030000 push 3E8 ; |pTemplate = 3E8
00401566 . FF35 00304000 push dword ptr [403000] ; |hInst = NULL
0040156C . E8 01000000 call <jmp.&user32.DialogBoxParamA> ; \DialogBoxParamA
00401475 . E8 B4FBFFFF call 0040102E
0040147A . 0BC0 or eax, eax
0040147C . 74 1A je short 00401498
0040147E . A3 28304000 mov dword ptr [403028], eax
00401483 . 68 6A304000 push 0040306A ; ASCII "GetProcAddress"
00401488 . FF35 28304000 push dword ptr [403028]
0040148E . E8 15FCFFFF call 004010A8
00401493 . A3 30304000 mov dword ptr [403030], eax
00401498 > 833D 30304000>cmp dword ptr [403030], 0
0040149F . 0F84 A7000000 je 0040154C
004014A5 . 68 5D304000 push 0040305D ; ASCII "LoadLibraryA"
004014AA . FF35 28304000 push dword ptr [403028]
004014B0 . FF15 30304000 call dword ptr [403030]
004014B6 . A3 34304000 mov dword ptr [403034], eax
004014BB . 0BC0 or eax, eax
004014BD . 0F84 89000000 je 0040154C
004014C3 . 68 79304000 push 00403079 ; ASCII "user32"
004014C8 . FF15 34304000 call dword ptr [403034]
004014CE . A3 2C304000 mov dword ptr [40302C], eax
004014D3 . 68 80304000 push 00403080 ; ASCII "MessageBoxA"
004014D8 . FF35 2C304000 push dword ptr [40302C]
004014DE . FF15 30304000 call dword ptr [403030]
004014E4 . A3 0E314000 mov dword ptr [40310E], eax
004014E9 . A3 80304000 mov dword ptr [403080], eax
004014EE . 68 4D304000 push 0040304D ; ASCII "GetDlgItemTextA"
004014F3 . FF35 2C304000 push dword ptr [40302C]
004014F9 . FF15 30304000 call dword ptr [403030]
004014FF . A3 4D304000 mov dword ptr [40304D], eax
00401504 . 68 99304000 push 00403099 ; ASCII "SendMessageA"
00401509 . FF35 2C304000 push dword ptr [40302C]
0040150F . FF15 30304000 call dword ptr [403030]
00401515 . A3 99304000 mov dword ptr [403099], eax
0040151A . C705 0A314000>mov dword ptr [40310A], 0
00401524 . C705 06314000>mov dword ptr [403106], 00403008
0040152E . C705 02314000>mov dword ptr [403102], 0040300D ; ASCII "Wrong PassWord"
00401538 . C705 FE304000>mov dword ptr [4030FE], 0
00401542 . C705 0E314000>mov dword ptr [40310E], 3B
0040154C > 6A 00 push 0 ; /pModule = NULL
0040154E . E8 2B000000 call <jmp.&kernel32.GetModuleHandleA> ; \GetModuleHandleA
00401553 . A3 00304000 mov dword ptr [403000], eax
00401558 . 6A 00 push 0 ; /lParam = NULL
0040155A . 68 5B114000 push 0040115B ; |DlgProc = CrackMe_.0040115B
0040155F . 6A 00 push 0 ; |hOwner = NULL
00401561 . 68 E8030000 push 3E8 ; |pTemplate = 3E8
00401566 . FF35 00304000 push dword ptr [403000] ; |hInst = NULL
0040156C . E8 01000000 call <jmp.&user32.DialogBoxParamA> ; \DialogBoxParamA
可以看到,里面几乎所有的call都是通过间接的方式调用的,这也是为什么我们根本看不到函数调用的记录的原因,太牛了!
在40155A行,可以清晰地看到对话框响应函数的地址为40115B,来到这个地址
代码
0040115B . 55 push ebp ; 对话框主函数
0040115C . 8BEC mov ebp, esp
0040115E . 81C4 F8FEFFFF add esp, -108
00401164 . 53 push ebx
00401165 . 56 push esi
00401166 . 57 push edi
00401167 . 8B45 0C mov eax, dword ptr [ebp+C]
0040116A . 3D 11010000 cmp eax, 111 ; 消息的switch、case; Switch (cases 10..7C3)
0040116F . 0F85 92000000 jnz 00401207
00401175 . 8B45 08 mov eax, dword ptr [ebp+8] ; Case 111 of switch 0040116A
00401178 . A3 B0304000 mov dword ptr [4030B0], eax
0040117D . 8B45 10 mov eax, dword ptr [ebp+10]
00401180 . 66:3D EC03 cmp ax, 3EC
00401184 . 0F85 C1010000 jnz 0040134B
0040118A . 90 nop
0040118B . C705 22314000>mov dword ptr [403122], 54
00401195 . 68 00010000 push 100
0040119A . 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
004011A0 . 50 push eax
004011A1 . 68 E9030000 push 3E9
004011A6 . FF75 08 push dword ptr [ebp+8]
004011A9 . 68 B4114000 push 004011B4
004011AE .- FF25 4D304000 jmp dword ptr [40304D] ; call GetDlgItemTextA
004011B4 . 8D85 00FFFFFF lea eax, dword ptr [ebp-100] ; 获得对话框中内容
004011BA . 66:8B18 mov bx, word ptr [eax]
004011BD . 2AFB sub bh, bl
004011BF . 0FB6DF movzx ebx, bh
004011C2 . 81C3 BD070000 add ebx, 7BD
004011C8 . A3 1E314000 mov dword ptr [40311E], eax
004011CD . C705 1A314000>mov dword ptr [40311A], 0
004011D7 . 891D 16314000 mov dword ptr [403116], ebx
004011DD . 8B5D 08 mov ebx, dword ptr [ebp+8]
004011E0 . 891D 12314000 mov dword ptr [403112], ebx
004011E6 . 68 57134000 push 00401357
004011EB . 40 inc eax
004011EC . 40 inc eax
004011ED . A3 1E314000 mov dword ptr [40311E], eax
004011F2 . 66:8B18 mov bx, word ptr [eax]
004011F5 . 2AFB sub bh, bl
004011F7 . 0F8F 96010000 jg 00401393
004011FD . E9 4B010000 jmp 0040134D
00401202 . E9 44010000 jmp 0040134B
00401207 > 83F8 10 cmp eax, 10
0040120A . 75 0F jnz short 0040121B
0040120C . 68 57134000 push 00401357 ; Case 10 of switch 0040116A
00401211 . E9 54020000 jmp 0040146A
00401216 . E9 30010000 jmp 0040134B
0040121B > 3D 4A070000 cmp eax, 74A
00401220 . 75 3F jnz short 00401261
00401222 . 8B5D 14 mov ebx, dword ptr [ebp+14] ; Case 74A of switch 0040116A
00401225 . 83C3 02 add ebx, 2
00401228 . 891D 1E314000 mov dword ptr [40311E], ebx
0040122E . 83EB 02 sub ebx, 2
00401231 . 33C0 xor eax, eax
00401233 . 66:8B03 mov ax, word ptr [ebx]
00401236 . 2AE0 sub ah, al
00401238 . 0F8C 0F010000 jl 0040134D
0040123E . 86E0 xchg al, ah
00401240 . 32E4 xor ah, ah
00401242 . C705 DD304000>mov dword ptr [4030DD], 88
0040124C . 2905 16314000 sub dword ptr [403116], eax
00401252 . 68 57134000 push 00401357
00401257 . E9 37010000 jmp 00401393
0040125C . E9 EA000000 jmp 0040134B
00401261 > 3D C3070000 cmp eax, 7C3
00401266 . 75 31 jnz short 00401299
00401268 . 8B5D 14 mov ebx, dword ptr [ebp+14] ; Case 7C3 of switch 0040116A
0040126B . 33C0 xor eax, eax
0040126D . 66:8B03 mov ax, word ptr [ebx]
00401270 . 2AE0 sub ah, al
00401272 . 32C0 xor al, al
00401274 . 86E0 xchg al, ah
00401276 . 2905 16314000 sub dword ptr [403116], eax
0040127C . B8 64000000 mov eax, 64
00401281 . 68 57134000 push 00401357
00401286 . 83C3 02 add ebx, 2
00401289 . 891D 1E314000 mov dword ptr [40311E], ebx
0040128F . E9 FF000000 jmp 00401393
00401294 . E9 B2000000 jmp 0040134B
00401299 > 3D B8070000 cmp eax, 7B8
0040129E . 75 3E jnz short 004012DE
004012A0 . 8B5D 14 mov ebx, dword ptr [ebp+14] ; Case 7B8 of switch 0040116A
004012A3 . 83C3 02 add ebx, 2
004012A6 . 891D 1E314000 mov dword ptr [40311E], ebx
004012AC . 83EB 02 sub ebx, 2
004012AF . 33C0 xor eax, eax
004012B1 . 66:8B03 mov ax, word ptr [ebx]
004012B4 . 02C4 add al, ah
004012B6 . 32E4 xor ah, ah
004012B8 . 2905 16314000 sub dword ptr [403116], eax
004012BE . C705 D9304000>mov dword ptr [4030D9], 88
004012C8 . 68 D2124000 push 004012D2
004012CD . E9 91000000 jmp 00401363
004012D2 > 68 57134000 push 00401357
004012D7 . E9 B7000000 jmp 00401393
004012DC . EB 6D jmp short 0040134B
004012DE > 3D 44070000 cmp eax, 744
004012E3 . 75 0C jnz short 004012F1
004012E5 . 68 57134000 push 00401357 ; Case 744 of switch 0040116A
004012EA . E9 D6000000 jmp 004013C5
004012EF . EB 5A jmp short 0040134B
004012F1 > 3D 45070000 cmp eax, 745
004012F6 . 75 2B jnz short 00401323
004012F8 . 8B5D 14 mov ebx, dword ptr [ebp+14] ; Case 745 of switch 0040116A
004012FB . 83C3 02 add ebx, 2
004012FE . 891D 1E314000 mov dword ptr [40311E], ebx
00401304 . 83EB 02 sub ebx, 2
00401307 . 33C0 xor eax, eax
00401309 . 66:8B03 mov ax, word ptr [ebx]
0040130C . 2AE0 sub ah, al
0040130E . 7C 3D jl short 0040134D
00401310 . 86E0 xchg al, ah
00401312 . 32E4 xor ah, ah
00401314 . 0105 16314000 add dword ptr [403116], eax
0040131A . 68 57134000 push 00401357
0040131F . EB 72 jmp short 00401393
00401321 . EB 28 jmp short 0040134B
00401323 > B9 BD090000 mov ecx, 9BD
00401328 . 3D BD050000 cmp eax, 5BD
0040132D . 72 10 jb short 0040133F
0040132F . 3BC1 cmp eax, ecx
00401331 . 77 0C ja short 0040133F
00401333 . 68 3D134000 push 0040133D
00401338 . E9 D1000000 jmp 0040140E
0040133D . EB 0C jmp short 0040134B
0040133F > B8 00000000 mov eax, 0
00401344 . 5F pop edi
00401345 . 5E pop esi
00401346 . 5B pop ebx
00401347 . C9 leave
00401348 . C2 1000 retn 10
0040115C . 8BEC mov ebp, esp
0040115E . 81C4 F8FEFFFF add esp, -108
00401164 . 53 push ebx
00401165 . 56 push esi
00401166 . 57 push edi
00401167 . 8B45 0C mov eax, dword ptr [ebp+C]
0040116A . 3D 11010000 cmp eax, 111 ; 消息的switch、case; Switch (cases 10..7C3)
0040116F . 0F85 92000000 jnz 00401207
00401175 . 8B45 08 mov eax, dword ptr [ebp+8] ; Case 111 of switch 0040116A
00401178 . A3 B0304000 mov dword ptr [4030B0], eax
0040117D . 8B45 10 mov eax, dword ptr [ebp+10]
00401180 . 66:3D EC03 cmp ax, 3EC
00401184 . 0F85 C1010000 jnz 0040134B
0040118A . 90 nop
0040118B . C705 22314000>mov dword ptr [403122], 54
00401195 . 68 00010000 push 100
0040119A . 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
004011A0 . 50 push eax
004011A1 . 68 E9030000 push 3E9
004011A6 . FF75 08 push dword ptr [ebp+8]
004011A9 . 68 B4114000 push 004011B4
004011AE .- FF25 4D304000 jmp dword ptr [40304D] ; call GetDlgItemTextA
004011B4 . 8D85 00FFFFFF lea eax, dword ptr [ebp-100] ; 获得对话框中内容
004011BA . 66:8B18 mov bx, word ptr [eax]
004011BD . 2AFB sub bh, bl
004011BF . 0FB6DF movzx ebx, bh
004011C2 . 81C3 BD070000 add ebx, 7BD
004011C8 . A3 1E314000 mov dword ptr [40311E], eax
004011CD . C705 1A314000>mov dword ptr [40311A], 0
004011D7 . 891D 16314000 mov dword ptr [403116], ebx
004011DD . 8B5D 08 mov ebx, dword ptr [ebp+8]
004011E0 . 891D 12314000 mov dword ptr [403112], ebx
004011E6 . 68 57134000 push 00401357
004011EB . 40 inc eax
004011EC . 40 inc eax
004011ED . A3 1E314000 mov dword ptr [40311E], eax
004011F2 . 66:8B18 mov bx, word ptr [eax]
004011F5 . 2AFB sub bh, bl
004011F7 . 0F8F 96010000 jg 00401393
004011FD . E9 4B010000 jmp 0040134D
00401202 . E9 44010000 jmp 0040134B
00401207 > 83F8 10 cmp eax, 10
0040120A . 75 0F jnz short 0040121B
0040120C . 68 57134000 push 00401357 ; Case 10 of switch 0040116A
00401211 . E9 54020000 jmp 0040146A
00401216 . E9 30010000 jmp 0040134B
0040121B > 3D 4A070000 cmp eax, 74A
00401220 . 75 3F jnz short 00401261
00401222 . 8B5D 14 mov ebx, dword ptr [ebp+14] ; Case 74A of switch 0040116A
00401225 . 83C3 02 add ebx, 2
00401228 . 891D 1E314000 mov dword ptr [40311E], ebx
0040122E . 83EB 02 sub ebx, 2
00401231 . 33C0 xor eax, eax
00401233 . 66:8B03 mov ax, word ptr [ebx]
00401236 . 2AE0 sub ah, al
00401238 . 0F8C 0F010000 jl 0040134D
0040123E . 86E0 xchg al, ah
00401240 . 32E4 xor ah, ah
00401242 . C705 DD304000>mov dword ptr [4030DD], 88
0040124C . 2905 16314000 sub dword ptr [403116], eax
00401252 . 68 57134000 push 00401357
00401257 . E9 37010000 jmp 00401393
0040125C . E9 EA000000 jmp 0040134B
00401261 > 3D C3070000 cmp eax, 7C3
00401266 . 75 31 jnz short 00401299
00401268 . 8B5D 14 mov ebx, dword ptr [ebp+14] ; Case 7C3 of switch 0040116A
0040126B . 33C0 xor eax, eax
0040126D . 66:8B03 mov ax, word ptr [ebx]
00401270 . 2AE0 sub ah, al
00401272 . 32C0 xor al, al
00401274 . 86E0 xchg al, ah
00401276 . 2905 16314000 sub dword ptr [403116], eax
0040127C . B8 64000000 mov eax, 64
00401281 . 68 57134000 push 00401357
00401286 . 83C3 02 add ebx, 2
00401289 . 891D 1E314000 mov dword ptr [40311E], ebx
0040128F . E9 FF000000 jmp 00401393
00401294 . E9 B2000000 jmp 0040134B
00401299 > 3D B8070000 cmp eax, 7B8
0040129E . 75 3E jnz short 004012DE
004012A0 . 8B5D 14 mov ebx, dword ptr [ebp+14] ; Case 7B8 of switch 0040116A
004012A3 . 83C3 02 add ebx, 2
004012A6 . 891D 1E314000 mov dword ptr [40311E], ebx
004012AC . 83EB 02 sub ebx, 2
004012AF . 33C0 xor eax, eax
004012B1 . 66:8B03 mov ax, word ptr [ebx]
004012B4 . 02C4 add al, ah
004012B6 . 32E4 xor ah, ah
004012B8 . 2905 16314000 sub dword ptr [403116], eax
004012BE . C705 D9304000>mov dword ptr [4030D9], 88
004012C8 . 68 D2124000 push 004012D2
004012CD . E9 91000000 jmp 00401363
004012D2 > 68 57134000 push 00401357
004012D7 . E9 B7000000 jmp 00401393
004012DC . EB 6D jmp short 0040134B
004012DE > 3D 44070000 cmp eax, 744
004012E3 . 75 0C jnz short 004012F1
004012E5 . 68 57134000 push 00401357 ; Case 744 of switch 0040116A
004012EA . E9 D6000000 jmp 004013C5
004012EF . EB 5A jmp short 0040134B
004012F1 > 3D 45070000 cmp eax, 745
004012F6 . 75 2B jnz short 00401323
004012F8 . 8B5D 14 mov ebx, dword ptr [ebp+14] ; Case 745 of switch 0040116A
004012FB . 83C3 02 add ebx, 2
004012FE . 891D 1E314000 mov dword ptr [40311E], ebx
00401304 . 83EB 02 sub ebx, 2
00401307 . 33C0 xor eax, eax
00401309 . 66:8B03 mov ax, word ptr [ebx]
0040130C . 2AE0 sub ah, al
0040130E . 7C 3D jl short 0040134D
00401310 . 86E0 xchg al, ah
00401312 . 32E4 xor ah, ah
00401314 . 0105 16314000 add dword ptr [403116], eax
0040131A . 68 57134000 push 00401357
0040131F . EB 72 jmp short 00401393
00401321 . EB 28 jmp short 0040134B
00401323 > B9 BD090000 mov ecx, 9BD
00401328 . 3D BD050000 cmp eax, 5BD
0040132D . 72 10 jb short 0040133F
0040132F . 3BC1 cmp eax, ecx
00401331 . 77 0C ja short 0040133F
00401333 . 68 3D134000 push 0040133D
00401338 . E9 D1000000 jmp 0040140E
0040133D . EB 0C jmp short 0040134B
0040133F > B8 00000000 mov eax, 0
00401344 . 5F pop edi
00401345 . 5E pop esi
00401346 . 5B pop ebx
00401347 . C9 leave
00401348 . C2 1000 retn 10
很典型的windows消息处理的switch case结构,因此程序的结构基本清楚了。下面是处理的过程
1.输入命令:bp DispatchMessageW,断点击check按钮的消息,函数自身调用的函数可以通过各种手段隐藏,但是这个dispatch消息的过程可是没办法隐藏的,这样的命令会把所有的消息都断下来,而我们只要断鼠标点击的消息,因此,在bp的这个位置下条件断点替代原断点,条件为[[esp+4]+4]==WM_LBUTTONUP
2.在40116A处下断点,断下来的消息应该是跟我们单击鼠标以后的处理相关的,首先我想是不是能直接在eax里面找到WM_LBUTTONUP之类的消息,可惜没有,但是有一个WM_COMMAND消息,跟进以后发现这个消息就是处理验证的消息
3.找到老巢了,下面就是还原验证算法了,俺没做,汇编代码看的眼花,有空再做
这个CM很经典,包括里面的函数调用方法,有些竟然不是用的call,直接用的jmp指令,大牛啊,很有研究价值!!
