新CrackMe160之032 - Crackme2
-
脱壳
使用 ESP 定律（脱壳方式 2）直接脱壳成功。
破解
汇编代码直接看下面 OllyDbg 的反汇编清单（入口 00401000，窗口过程 004011E2，算法从 004012F6 开始）：
; Program entry (00401000): fetch the module handle, keep it in the global at 0x4034F0,
; call the window-setup routine with it as the single stdcall argument, then exit.
00401000 > 6A 00 push 0x0 ; GetModuleHandleA(NULL) -> handle of the exe itself
00401002 E8 23040000 call <jmp.&kernel32.GetModuleHandleA>
00401007 A3 F0344000 mov dword ptr ds:[0x4034F0],eax ; global hInstance, reused by LoadIconA/LoadBitmapA in 00401025
0040100C 50 push eax ; hInstance argument for 00401025
0040100D E8 13000000 call Crackme2.00401025 ; registers the class, creates the dialog and runs the message loop
00401012 6A 00 push 0x0
00401014 E8 0B040000 call <jmp.&kernel32.ExitProcess> ; ExitProcess(0) does not return, so the three lines below never run
00401019 6A 00 push 0x0 ; dead duplicate of the stub above; if it ever ran it would fall through into 00401025
0040101B E8 0A040000 call <jmp.&kernel32.GetModuleHandleA>
00401020 A3 F0344000 mov dword ptr ds:[0x4034F0],eax
; Window setup and message pump (00401025). One stdcall argument: [ebp+0x8] = hInstance.
; Locals occupy the 0x50 bytes below ebp:
;   ebp-0x30 .. ebp-0x01 : WNDCLASSEXA (cbSize is written as 0x30 at 0040103B)
;   ebp-0x4C .. ebp-0x34 : MSG buffer for GetMessageA
;   ebp-0x50             : window handle returned by CreateDialogParamA
; Neither RegisterClassExA nor CreateDialogParamA has its return value checked.
00401025 55 push ebp
00401026 8BEC mov ebp,esp
00401028 83C4 B0 add esp,-0x50 ; reserve 0x50 bytes of locals
0040102B 6A 64 push 0x64 ; icon resource id 100
0040102D FF35 F0344000 push dword ptr ds:[0x4034F0] ; global hInstance
00401033 E8 B0030000 call <jmp.&user32.LoadIconA>
00401038 8945 E8 mov dword ptr ss:[ebp-0x18],eax ; wc.hIcon (overwritten with the same icon again at 00401086)
0040103B C745 D0 3000000>mov dword ptr ss:[ebp-0x30],0x30 ; wc.cbSize = 0x30 = sizeof(WNDCLASSEXA)
00401042 C745 D4 0300000>mov dword ptr ss:[ebp-0x2C],0x3 ; wc.style = CS_VREDRAW|CS_HREDRAW
00401049 C745 D8 E211400>mov dword ptr ss:[ebp-0x28],Crackme2.004> ; wc.lpfnWndProc = 004011E2 (immediate bytes E2 11 40 00), the window procedure below
00401050 C745 DC 0000000>mov dword ptr ss:[ebp-0x24],0x0 ; wc.cbClsExtra = 0
00401057 C745 E0 1E00000>mov dword ptr ss:[ebp-0x20],0x1E ; wc.cbWndExtra = 0x1E (DLGWINDOWEXTRA), presumably because the window is built from the "MainWindow" dialog template
0040105E FF75 08 push dword ptr ss:[ebp+0x8]
00401061 8F45 E4 pop dword ptr ss:[ebp-0x1C] ; wc.hInstance = the hInstance argument (the "kernel32.7571FCC9" the debugger showed here was stale stack content, not a constant)
00401064 C745 F0 0500000>mov dword ptr ss:[ebp-0x10],0x5 ; wc.hbrBackground = 5, i.e. a system colour index + 1
0040106B C745 F4 0000000>mov dword ptr ss:[ebp-0xC],0x0 ; wc.lpszMenuName = NULL
00401072 C745 F8 2C30400>mov dword ptr ss:[ebp-0x8],Crackme2.0040>; ASCII "Bengaly" ; wc.lpszClassName
00401079 6A 64 push 0x64
0040107B FF35 F0344000 push dword ptr ds:[0x4034F0]
00401081 E8 62030000 call <jmp.&user32.LoadIconA> ; the same icon is loaded a second time
00401086 8945 E8 mov dword ptr ss:[ebp-0x18],eax ; wc.hIcon
00401089 8945 FC mov dword ptr ss:[ebp-0x4],eax ; wc.hIconSm
0040108C 68 007F0000 push 0x7F00 ; IDC_ARROW (32512)
00401091 6A 00 push 0x0 ; hInstance = NULL: a system cursor
00401093 E8 4A030000 call <jmp.&user32.LoadCursorA>
00401098 8945 EC mov dword ptr ss:[ebp-0x14],eax ; wc.hCursor
0040109B 8D45 D0 lea eax,dword ptr ss:[ebp-0x30] ; &wc
0040109E 50 push eax
0040109F E8 56030000 call <jmp.&user32.RegisterClassExA> ; result ignored
004010A4 6A 00 push 0x0 ; dwInitParam
004010A6 6A 00 push 0x0 ; lpDialogFunc = NULL: messages are handled by the class WndProc (004011E2) instead
004010A8 6A 00 push 0x0 ; hWndParent
004010AA 68 21304000 push Crackme2.00403021 ; ASCII "MainWindow" ; dialog template resource name
004010AF FF35 F0344000 push dword ptr ds:[0x4034F0]
004010B5 E8 F8020000 call <jmp.&user32.CreateDialogParamA>
004010BA 8945 B0 mov dword ptr ss:[ebp-0x50],eax ; hDlg, used for every call below; not NULL-checked
; Four times: load a bitmap resource, look up a button by control id, send it BM_SETIMAGE (0xF7).
; Every bitmap handle is stored in the same global 0x4034F4, so after this sequence only the
; last one (resource 0x1F4) is still reachable.
004010BD 68 C8000000 push 0xC8 ; bitmap resource 200
004010C2 FF75 08 push dword ptr ss:[ebp+0x8]
004010C5 E8 12030000 call <jmp.&user32.LoadBitmapA>
004010CA A3 F4344000 mov dword ptr ds:[0x4034F4],eax
004010CF 6A 6C push 0x6C ; control 0x6C: the button that triggers the serial check in the WndProc
004010D1 FF75 B0 push dword ptr ss:[ebp-0x50]
004010D4 E8 EB020000 call <jmp.&user32.GetDlgItem>
004010D9 FF35 F4344000 push dword ptr ds:[0x4034F4] ; lParam = bitmap handle
004010DF 6A 00 push 0x0 ; wParam = IMAGE_BITMAP
004010E1 68 F7000000 push 0xF7 ; BM_SETIMAGE
004010E6 50 push eax ; hwnd of the button
004010E7 E8 1A030000 call <jmp.&user32.SendMessageA>
004010EC 68 2C010000 push 0x12C ; bitmap resource 300
004010F1 FF75 08 push dword ptr ss:[ebp+0x8]
004010F4 E8 E3020000 call <jmp.&user32.LoadBitmapA>
004010F9 A3 F4344000 mov dword ptr ds:[0x4034F4],eax ; previous handle overwritten, never deleted
004010FE 6A 70 push 0x70 ; control 0x70: "about" button in the WndProc
00401100 FF75 B0 push dword ptr ss:[ebp-0x50]
00401103 E8 BC020000 call <jmp.&user32.GetDlgItem>
00401108 FF35 F4344000 push dword ptr ds:[0x4034F4]
0040110E 6A 00 push 0x0
00401110 68 F7000000 push 0xF7 ; BM_SETIMAGE
00401115 50 push eax
00401116 E8 EB020000 call <jmp.&user32.SendMessageA>
0040111B 68 90010000 push 0x190 ; bitmap resource 400
00401120 FF75 08 push dword ptr ss:[ebp+0x8]
00401123 E8 B4020000 call <jmp.&user32.LoadBitmapA>
00401128 A3 F4344000 mov dword ptr ds:[0x4034F4],eax
0040112D 6A 6D push 0x6D ; control 0x6D: "exit" button in the WndProc
0040112F FF75 B0 push dword ptr ss:[ebp-0x50]
00401132 E8 8D020000 call <jmp.&user32.GetDlgItem>
00401137 FF35 F4344000 push dword ptr ds:[0x4034F4]
0040113D 6A 00 push 0x0
0040113F 68 F7000000 push 0xF7 ; BM_SETIMAGE
00401144 50 push eax
00401145 E8 BC020000 call <jmp.&user32.SendMessageA>
0040114A 68 F4010000 push 0x1F4 ; bitmap resource 500
0040114F FF75 08 push dword ptr ss:[ebp+0x8]
00401152 E8 85020000 call <jmp.&user32.LoadBitmapA>
00401157 A3 F4344000 mov dword ptr ds:[0x4034F4],eax ; this handle is the one the message loop deletes
0040115C 6A 71 push 0x71 ; control 0x71: "minimize" button in the WndProc
0040115E FF75 B0 push dword ptr ss:[ebp-0x50]
00401161 E8 5E020000 call <jmp.&user32.GetDlgItem>
00401166 FF35 F4344000 push dword ptr ds:[0x4034F4]
0040116C 6A 00 push 0x0
0040116E 68 F7000000 push 0xF7 ; BM_SETIMAGE
00401173 50 push eax
00401174 E8 8D020000 call <jmp.&user32.SendMessageA>
00401179 68 DC344000 push Crackme2.004034DC ; ASCII " Key/CrackmMe - #2" ; window title
0040117E FF75 B0 push dword ptr ss:[ebp-0x50]
00401181 E8 86020000 call <jmp.&user32.SetWindowTextA>
00401186 FF75 B0 push dword ptr ss:[ebp-0x50]
00401189 E8 90020000 call <jmp.&user32.UpdateWindow>
; Message loop. GetMessageA(&msg, NULL, 0, 0) returns 0 on WM_QUIT.
0040118E 6A 00 push 0x0
00401190 6A 00 push 0x0
00401192 6A 00 push 0x0
00401194 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C] ; &msg
00401197 50 push eax
00401198 E8 33020000 call <jmp.&user32.GetMessageA>
0040119D 0BC0 or eax,eax
0040119F 74 3A je short Crackme2.004011DB ; WM_QUIT -> leave the loop
004011A1 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
004011A4 50 push eax
004011A5 FF75 B0 push dword ptr ss:[ebp-0x50]
004011A8 E8 29020000 call <jmp.&user32.IsDialogMessage> ; dialog keyboard handling (Tab etc.)
004011AD 0BC0 or eax,eax
004011AF 75 28 jnz short Crackme2.004011D9 ; already handled -> fetch the next message
004011B1 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
004011B4 50 push eax
004011B5 E8 5E020000 call <jmp.&user32.TranslateMessage>
004011BA 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
004011BD 50 push eax
004011BE E8 FB010000 call <jmp.&user32.DispatchMessageA> ; ends up in 004011E2
004011C3 FF35 F4344000 push dword ptr ds:[0x4034F4]
004011C9 E8 68020000 call <jmp.&gdi32.DeleteObject> ; deletes the last-loaded bitmap on every dispatched message ...
004011CE FF35 F4344000 push dword ptr ds:[0x4034F4]
004011D4 E8 5D020000 call <jmp.&gdi32.DeleteObject> ; ... and once more with the same, by now invalid, handle; the other three bitmaps are never freed
004011D9 ^ EB B3 jmp short Crackme2.0040118E
004011DB 8B45 BC mov eax,dword ptr ss:[ebp-0x44] ; msg.wParam (offset 8 of MSG), the WM_QUIT exit code; the caller ignores it
004011DE C9 leave
004011DF C2 0400 retn 0x4 ; stdcall: pops the hInstance argument
; Window procedure (004011E2), stdcall: hwnd=[ebp+0x8], uMsg=[ebp+0xC], wParam=[ebp+0x10], lParam=[ebp+0x14].
; Handles WM_DESTROY, WM_LBUTTONDOWN and WM_COMMAND. The WM_COMMAND branches are written as
; four separate "cmp uMsg,0x111" tests, one per button; each first requires HIWORD(wParam)
; (the notification code) to be 0, i.e. BN_CLICKED, then compares LOWORD(wParam) with a
; control id. Everything else goes to DefWindowProc at 00401368.
004011E2 55 push ebp
004011E3 8BEC mov ebp,esp
004011E5 837D 0C 02 cmp dword ptr ss:[ebp+0xC],0x2 ; WM_DESTROY
004011E9 75 09 jnz short Crackme2.004011F4
004011EB 6A 00 push 0x0
004011ED E8 02020000 call <jmp.&user32.PostQuitMessage> ; makes GetMessageA in 00401025 return 0
004011F2 EB 42 jmp short Crackme2.00401236 ; falls through the remaining uMsg tests and ends in DefWindowProc
004011F4 817D 0C 0102000>cmp dword ptr ss:[ebp+0xC],0x201 ; WM_LBUTTONDOWN
004011FB 75 18 jnz short Crackme2.00401215
004011FD E8 FE010000 call <jmp.&user32.ReleaseCapture>
00401202 6A 00 push 0x0 ; lParam
00401204 6A 02 push 0x2 ; wParam = HTCAPTION
00401206 68 A1000000 push 0xA1 ; WM_NCLBUTTONDOWN
0040120B FF75 08 push dword ptr ss:[ebp+0x8]
0040120E E8 F3010000 call <jmp.&user32.SendMessageA> ; pretend the click hit the caption so the window can be dragged by its client area
00401213 EB 21 jmp short Crackme2.00401236
00401215 817D 0C 1101000>cmp dword ptr ss:[ebp+0xC],0x111 ; WM_COMMAND, button 0x6D
0040121C 75 18 jnz short Crackme2.00401236
0040121E 8B45 10 mov eax,dword ptr ss:[ebp+0x10] ; wParam
00401221 50 push eax ; copy of wParam; if the jnz below is taken it is left on the stack until `leave` discards it
00401222 C1E8 10 shr eax,0x10 ; HIWORD(wParam) = notification code
00401225 0BC0 or eax,eax
00401227 75 0D jnz short Crackme2.00401236 ; not BN_CLICKED
00401229 58 pop eax ; wParam back (the "kernel32.7571FCC9" annotation was a debugger artefact)
0040122A 83F8 6D cmp eax,0x6D ; control id 0x6D: exit button
0040122D 75 07 jnz short Crackme2.00401236
0040122F 6A 00 push 0x0
00401231 E8 EE010000 call <jmp.&kernel32.ExitProcess> ; immediate exit, no WM_DESTROY path
00401236 817D 0C 1101000>cmp dword ptr ss:[ebp+0xC],0x111 ; WM_COMMAND, button 0x71
0040123D 75 1B jnz short Crackme2.0040125A
0040123F 8B45 10 mov eax,dword ptr ss:[ebp+0x10]
00401242 50 push eax
00401243 C1E8 10 shr eax,0x10
00401246 0BC0 or eax,eax
00401248 75 10 jnz short Crackme2.0040125A
0040124A 58 pop eax ; wParam back
0040124B 83F8 71 cmp eax,0x71 ; control id 0x71: minimize button
0040124E 75 0A jnz short Crackme2.0040125A
00401250 6A 06 push 0x6 ; SW_MINIMIZE
00401252 FF75 08 push dword ptr ss:[ebp+0x8]
00401255 E8 B8010000 call <jmp.&user32.ShowWindow>
0040125A 817D 0C 1101000>cmp dword ptr ss:[ebp+0xC],0x111 ; WM_COMMAND, button 0x70
00401261 0F85 01010000 jnz Crackme2.00401368 ; any non-WM_COMMAND message ends up here -> DefWindowProc
00401267 8B45 10 mov eax,dword ptr ss:[ebp+0x10]
0040126A 50 push eax
0040126B C1E8 10 shr eax,0x10
0040126E 0BC0 or eax,eax
00401270 75 19 jnz short Crackme2.0040128B
00401272 58 pop eax ; wParam back
00401273 83F8 70 cmp eax,0x70 ; control id 0x70: about button
00401276 75 13 jnz short Crackme2.0040128B
00401278 6A 00 push 0x0 ; MB_OK
0040127A 68 62344000 push Crackme2.00403462 ; ASCII "Key/CrackMe #2 " ; caption
0040127F 68 3C324000 push Crackme2.0040323C ; ASCII " +=================================+\r\n | Key/CrackMe - 2 Created on 21/9/2001 | \r\n +========" ; about text
00401284 6A 00 push 0x0 ; hWnd = NULL
00401286 E8 63010000 call <jmp.&user32.MessageBoxA>
0040128B 817D 0C 1101000>cmp dword ptr ss:[ebp+0xC],0x111 ; WM_COMMAND, button 0x6C (the check). Only reachable with uMsg == 0x111 because of the jnz at 00401261, so the jnz below is never taken
00401292 0F85 E5000000 jnz Crackme2.0040137D
00401298 8B45 10 mov eax,dword ptr ss:[ebp+0x10]
0040129B 50 push eax
0040129C C1E8 10 shr eax,0x10
0040129F 0BC0 or eax,eax
004012A1 0F85 BF000000 jnz Crackme2.00401366 ; not BN_CLICKED -> return 0
004012A7 58 pop eax ; wParam back
004012A8 83F8 6C cmp eax,0x6C ; control id 0x6C: check button
004012AB 0F85 B5000000 jnz Crackme2.00401366
; Check button: read both edit controls into fixed global buffers (nMaxCount 0x40, so at most
; 63 characters + NUL each; the buffers are 0x100 bytes apart, so they cannot overlap).
004012B1 6A 40 push 0x40 ; nMaxCount = 64
004012B3 68 38304000 push Crackme2.00403038 ; name buffer
004012B8 6A 6A push 0x6A ; name edit control
004012BA FF75 08 push dword ptr ss:[ebp+0x8]
004012BD E8 08010000 call <jmp.&user32.GetDlgItemTextA> ; eax = characters copied
004012C2 83F8 00 cmp eax,0x0
004012C5 74 18 je short Crackme2.004012DF ; empty name -> error box
004012C7 6A 40 push 0x40
004012C9 68 38314000 push Crackme2.00403138 ; serial buffer
004012CE 6A 6B push 0x6B ; serial edit control
004012D0 FF75 08 push dword ptr ss:[ebp+0x8]
004012D3 E8 F2000000 call <jmp.&user32.GetDlgItemTextA>
004012D8 83F8 00 cmp eax,0x0
004012DB 74 02 je short Crackme2.004012DF ; empty serial -> error box
004012DD EB 17 jmp short Crackme2.004012F6 ; both filled -> compute
004012DF 6A 00 push 0x0
004012E1 68 62344000 push Crackme2.00403462 ; ASCII "Key/CrackMe #2 "
004012E6 68 00304000 push Crackme2.00403000 ; ASCII " Please Fill in 1 more Char!!"
004012EB 6A 00 push 0x0
004012ED E8 FC000000 call <jmp.&user32.MessageBoxA>
004012F2 C9 leave
004012F3 C2 1000 retn 0x10 ; returns whatever MessageBoxA left in eax
; Serial algorithm. For every byte c of the name, zero-extended (so bytes >= 0x80 count as 128..255):
;   esi += c*c + (c >> 1) - c        (32-bit arithmetic, wraps)
; The typed serial is then parsed as a decimal number by 00401383 and compared with esi.
004012F6 68 38304000 push Crackme2.00403038
004012FB E8 30010000 call <jmp.&kernel32.lstrlen> ; eax = name length
00401300 33F6 xor esi,esi ; esi = running sum (the "<ModuleEntryPoint>" annotations on these lines are debugger noise)
00401302 8BC8 mov ecx,eax ; ecx = characters left; >= 1 because of the emptiness check above
00401304 B8 01000000 mov eax,0x1 ; eax = 1-based character index
00401309 8B15 38304000 mov edx,dword ptr ds:[0x403038] ; dword load whose value is overwritten by the next two instructions
0040130F 8A90 37304000 mov dl,byte ptr ds:[eax+0x403037] ; dl = name[eax-1]
00401315 81E2 FF000000 and edx,0xFF ; zero-extend: edx = c
0040131B 8BDA mov ebx,edx
0040131D 0FAFDA imul ebx,edx ; ebx = c*c
00401320 03F3 add esi,ebx ; esi += c*c
00401322 8BDA mov ebx,edx
00401324 D1FB sar ebx,1 ; ebx = c >> 1 (c is 0..255, so sar equals shr here)
00401326 03F3 add esi,ebx ; esi += c >> 1
00401328 2BF2 sub esi,edx ; esi -= c
0040132A 40 inc eax
0040132B 49 dec ecx
0040132C ^ 75 DB jnz short Crackme2.00401309
0040132E 56 push esi ; preserve the sum: 00401383 clobbers esi
0040132F 68 38314000 push Crackme2.00403138 ; serial string
00401334 E8 4A000000 call Crackme2.00401383 ; decimal string -> 32-bit integer, no digit validation
00401339 5E pop esi
0040133A 3BC6 cmp eax,esi ; typed serial == computed serial ?
0040133C 75 15 jnz short Crackme2.00401353
0040133E 6A 00 push 0x0
00401340 68 62344000 push Crackme2.00403462 ; ASCII "Key/CrackMe #2 "
00401345 68 B8344000 push Crackme2.004034B8 ; ASCII " Good Job, I Wish You the Very Best"
0040134A 6A 00 push 0x0
0040134C E8 9D000000 call <jmp.&user32.MessageBoxA>
00401351 EB 13 jmp short Crackme2.00401366
00401353 6A 00 push 0x0
00401355 68 62344000 push Crackme2.00403462 ; ASCII "Key/CrackMe #2 "
0040135A 68 86344000 push Crackme2.00403486 ; ASCII " You Have Enter A Wrong Serial, Please Try Again "
0040135F 6A 00 push 0x0
00401361 E8 88000000 call <jmp.&user32.MessageBoxA>
00401366 EB 15 jmp short Crackme2.0040137D
00401368 FF75 14 push dword ptr ss:[ebp+0x14] ; DefWindowProcA(hwnd, uMsg, wParam, lParam)
0040136B FF75 10 push dword ptr ss:[ebp+0x10]
0040136E FF75 0C push dword ptr ss:[ebp+0xC]
00401371 FF75 08 push dword ptr ss:[ebp+0x8]
00401374 E8 3F000000 call <jmp.&ntdll.NtdllDefWindowProc_A>
00401379 C9 leave
0040137A C2 1000 retn 0x10
0040137D 33C0 xor eax,eax ; return 0 for handled messages
0040137F C9 leave
00401380 C2 1000 retn 0x10 ; stdcall: pops the four arguments
; Decimal string -> 32-bit integer (00401383), stdcall: str=[ebp+0x8]; result in eax.
; For the character at 0-based position i of an n-character string it adds (c - '0') * 10^(n-1-i)
; to the running total. There is no digit check: any byte is accepted and contributes
; (c - 0x30) scaled, so e.g. ':' behaves like the digit 10 and more than one string maps to
; the same value. There is also no guard for n == 0: ecx would wrap through the loopd
; instructions; the only caller (004012F6 path) passes a non-empty string.
; Clobbers esi (the caller saves it around the call) and preserves ebx.
00401383 55 push ebp
00401384 8BEC mov ebp,esp
00401386 FF75 08 push dword ptr ss:[ebp+0x8]
00401389 E8 A2000000 call <jmp.&kernel32.lstrlen> ; eax = n
0040138E 53 push ebx
0040138F 33DB xor ebx,ebx ; ebx = accumulated value
00401391 8BC8 mov ecx,eax ; ecx = characters left
00401393 8B75 08 mov esi,dword ptr ss:[ebp+0x8] ; esi = read cursor
00401396 51 push ecx ; outer loop: remember the remaining count
00401397 33C0 xor eax,eax
00401399 AC lods byte ptr ds:[esi] ; al = next character, esi++
0040139A 83E8 30 sub eax,0x30 ; c - '0'
0040139D 49 dec ecx
0040139E 74 05 je short Crackme2.004013A5 ; last character: weight 1
004013A0 6BC0 0A imul eax,eax,0xA ; inner loop: multiply by 10 once per character still to come
004013A3 ^ E2 FB loopd short Crackme2.004013A0
004013A5 03D8 add ebx,eax
004013A7 59 pop ecx ; restore the outer count
004013A8 ^ E2 EC loopd short Crackme2.00401396 ; next character
004013AA 8BC3 mov eax,ebx
004013AC 5B pop ebx
004013AD C9 leave
004013AE C2 0400 retn 0x4 ; stdcall: pops the string argument
; Import thunks: each entry is an indirect jmp through the IAT (0x0043C0xx). These are the
; targets of every "<jmp.&dll.Func>" call above. 004013B1 is an int3 padding byte and the
; two "add byte ptr" lines at 0040143C are zero bytes after the table, not real code.
004013B1 CC int3
004013B2 - FF25 60C04300 jmp dword ptr ds:[<&user32.CreateDialogP>; user32.CreateDialogParamA
004013B8 - FF25 58C04300 jmp dword ptr ds:[<&ntdll.NtdllDefWindow>; ntdll.NtdllDefWindowProc_A
004013BE - FF25 50C04300 jmp dword ptr ds:[<&user32.DispatchMessa>; user32.DispatchMessageA
004013C4 - FF25 4CC04300 jmp dword ptr ds:[<&user32.GetDlgItem>] ; user32.GetDlgItem
004013CA - FF25 48C04300 jmp dword ptr ds:[<&user32.GetDlgItemTex>; user32.GetDlgItemTextA
004013D0 - FF25 44C04300 jmp dword ptr ds:[<&user32.GetMessageA>] ; user32.GetMessageA
004013D6 - FF25 18C04300 jmp dword ptr ds:[<&user32.IsDialogMessa>; user32.IsDialogMessageA
004013DC - FF25 2CC04300 jmp dword ptr ds:[<&user32.LoadBitmapA>] ; user32.LoadBitmapA
004013E2 - FF25 30C04300 jmp dword ptr ds:[<&user32.LoadCursorA>] ; user32.LoadCursorA
004013E8 - FF25 1CC04300 jmp dword ptr ds:[<&user32.LoadIconA>] ; user32.LoadIconA
004013EE - FF25 20C04300 jmp dword ptr ds:[<&user32.MessageBoxA>] ; user32.MessageBoxA
004013F4 - FF25 24C04300 jmp dword ptr ds:[<&user32.PostQuitMessa>; user32.PostQuitMessage
004013FA - FF25 28C04300 jmp dword ptr ds:[<&user32.RegisterClass>; user32.RegisterClassExA
00401400 - FF25 64C04300 jmp dword ptr ds:[<&user32.ReleaseCaptur>; user32.ReleaseCapture
00401406 - FF25 68C04300 jmp dword ptr ds:[<&user32.SendMessageA>>; user32.SendMessageA
0040140C - FF25 34C04300 jmp dword ptr ds:[<&user32.SetWindowText>; user32.SetWindowTextA
00401412 - FF25 38C04300 jmp dword ptr ds:[<&user32.ShowWindow>] ; user32.ShowWindow
00401418 - FF25 3CC04300 jmp dword ptr ds:[<&user32.TranslateMess>; user32.TranslateMessage
0040141E - FF25 40C04300 jmp dword ptr ds:[<&user32.UpdateWindow>>; user32.UpdateWindow
00401424 - FF25 10C04300 jmp dword ptr ds:[<&kernel32.ExitProcess>; kernel32.ExitProcess
0040142A - FF25 0CC04300 jmp dword ptr ds:[<&kernel32.GetModuleHa>; kernel32.GetModuleHandleA
00401430 - FF25 08C04300 jmp dword ptr ds:[<&kernel32.lstrlen>] ; kernel32.lstrlenA
00401436 - FF25 00C04300 jmp dword ptr ds:[<&gdi32.DeleteObject>] ; gdi32.DeleteObject
0040143C 0000 add byte ptr ds:[eax],al ; padding, not code
0040143E 0000 add byte ptr ds:[eax],al ; padding, not code
代码量也就 300 多行，看一遍就能找到各个按钮的处理：Check 按钮（控件 ID 0x6C）的处理从 004012B1 开始，先用 GetDlgItemTextA 读用户名（0x6A）和序列号（0x6B），两者都非空后才在 004012F6 开始算序列号，所以断点下在 004012F6 就可以单步看算法了。看这算法是不是很熟悉？和 026 的基本一样，只有最后几步不同。
注册机代码直接从 026 的复制过来，改动最后几步就能用。两点要注意：二进制里每个字符先 and edx,0xFF 再参与运算（按无符号字节处理），C 里要把字符转成 unsigned char，否则用户名含 0x80 以上的字节（比如中文）时算出的序列号会和程序不一致；另外程序用 GetDlgItemTextA 最多读 63 个字符，超过的部分不参与计算。
#include <stdint.h>
#include <stdio.h>
#include <string.h>
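/* Size of the name buffer. The target reads the name with GetDlgItemTextA and
 * nMaxCount = 0x40, i.e. at most 63 characters plus the NUL, so a longer name
 * would be silently truncated by the dialog; use the same limit here. */
enum { NAME_BUF_SIZE = 64 };

/*
 * Serial for a user name, as computed by the target at 004012F6.
 *
 * For every byte c of the name (treated as unsigned 0..255, mirroring the
 * binary's `and edx,0xFF`), the running sum gets c*c + (c >> 1) - c. The sum
 * lives in a 32-bit register there and wraps, so uint32_t is used to get the
 * same behaviour on every platform.
 *
 * name: bytes to process; only the first len bytes are read (no NUL needed).
 * len:  number of bytes; 0 yields 0.
 * Returns the 32-bit serial the target compares the typed number against.
 */
static uint32_t serial_for(const char *name, size_t len)
{
    uint32_t sum = 0;

    for (size_t i = 0; i < len; i++) {
        uint32_t c = (unsigned char)name[i]; /* zero-extend, never sign-extend */
        sum += c * c;
        sum += c >> 1;
        sum -= c;
    }
    return sum;
}

/* Read a user name from stdin, print the matching serial, wait for a key press. */
int main(void)
{
    char user[NAME_BUF_SIZE] = {0};

    printf("用户名: ");
    if (fgets(user, sizeof user, stdin) == NULL) {
        return 1; /* EOF or read error before any input */
    }
    /* Strip the newline fgets keeps. A line longer than the buffer has no
     * newline in it; strcspn then leaves the name as what fit, instead of
     * dropping its last real character the way strlen() - 1 would. */
    user[strcspn(user, "\n")] = '\0';

    /* The target compares a 32-bit unsigned value, so print it as one. */
    printf("系列号: %u\n", (unsigned)serial_for(user, strlen(user)));
    getchar(); /* keep the console window open until a key is pressed */
    return 0;
}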
运行示例:
用户名: abc
系列号: 28666
使用的工具链接（工具有点多有点大，可以先下 OD，其它的后面慢慢下） 点击前往下载
下面是我的OD的界面布局,我觉得这4个是最常用的界面,其它的我基本上没用到~