乐者为王

Do one thing, and do it well.

Practice cracking 'Crackme2 - by CoSH'

The Crackme2 program

  1. Checked with PEiD: the program is not packed;
  2. First, locate the registration error message "One of the Details you entered was wrong";
  3. Disassemble with W32Dasm, use String Data References to find that string, double-click it, and you see the following code:
* Reference To: MFC42.Ordinal:0F24, Ord:0F24h
|
:004014EB E85A030000              call 0040184A
:004014F0 83F805                  cmp eax, 00000005                 -> check whether Name's length is not greater than 5
:004014F3 7E41                    jle 00401536                      -> if so, jump to the error message
:004014F5 8D86E0000000            lea eax, dword ptr [esi+000000E0] -> address of the Name string
:004014FB 8BCF                    mov ecx, edi
:004014FD 50                      push eax

* Reference To: MFC42.Ordinal:0F22, Ord:0F22h
|
:004014FE E841030000              call 00401844
:00401503 8DBEE4000000            lea edi, dword ptr [esi+000000E4] -> address of the Serial string
:00401509 8BCD                    mov ecx, ebp
:0040150B 57                      push edi

From 004014F0 to 004014F3 we can tell that Name must be longer than 5 characters, and that it is not used in the Serial check.

* Reference To: MFC42.Ordinal:0F22, Ord:0F22h
|
:0040150C E833030000              call 00401844
:00401511 8B07                    mov eax, dword ptr [edi]
:00401513 803836                  cmp byte ptr [eax], 36
:00401516 751E                    jne 00401536                      -> jump to the error message
:00401518 80780132                cmp byte ptr [eax+01], 32
:0040151C 7518                    jne 00401536                      -> jump to the error message
:0040151E 80780238                cmp byte ptr [eax+02], 38
:00401522 7512                    jne 00401536                      -> jump to the error message
:00401524 80780337                cmp byte ptr [eax+03], 37
:00401528 750C                    jne 00401536                      -> jump to the error message
:0040152A 8078042D                cmp byte ptr [eax+04], 2D
:0040152E 7506                    jne 00401536                      -> jump to the error message
:00401530 80780541                cmp byte ptr [eax+05], 41
:00401534 7417                    je 0040154D                       -> jump to the success message

From the comparison code above, reading each immediate as an ASCII byte, we get:

36(hex) = 6
32(hex) = 2
38(hex) = 8
37(hex) = 7
2D(hex) = -
41(hex) = A

So the Serial is: 6287-A
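As an added example (not part of the original write-up), this Python script automates the two conclusions above: it parses the `cmp byte ptr [eax+off], imm` chain from an excerpt copied from the W32Dasm listing and rebuilds the constant the Serial is compared against, and it encodes the length gate at 004014F0. The function names and the `?` marker for positions that are never compared are my own choices.

```python
import re

# Excerpt copied from the W32Dasm listing above (the compare chain at
# 00401511..00401534); only the cmp lines matter to the parser.
LISTING = """
:00401511 8B07                    mov eax, dword ptr [edi]
:00401513 803836                  cmp byte ptr [eax], 36
:00401516 751E                    jne 00401536
:00401518 80780132                cmp byte ptr [eax+01], 32
:0040151C 7518                    jne 00401536
:0040151E 80780238                cmp byte ptr [eax+02], 38
:00401522 7512                    jne 00401536
:00401524 80780337                cmp byte ptr [eax+03], 37
:00401528 750C                    jne 00401536
:0040152A 8078042D                cmp byte ptr [eax+04], 2D
:0040152E 7506                    jne 00401536
:00401530 80780541                cmp byte ptr [eax+05], 41
:00401534 7417                    je 0040154D
"""

# Matches "cmp byte ptr [eax], 36" and "cmp byte ptr [eax+05], 41":
# group 1 is the optional hex offset, group 2 the immediate byte.
CMP_RE = re.compile(
    r"cmp byte ptr \[eax(?:\+([0-9A-Fa-f]+))?\],\s*([0-9A-Fa-f]{2})")


def recover_serial(listing: str) -> str:
    """Rebuild the constant that a byte-by-byte compare chain checks against.

    Every `cmp byte ptr [eax+off], imm` pins one buffer position to a literal;
    collecting (offset, byte) pairs and ordering them by offset yields the
    expected string even if the compiler emitted the compares out of order.
    """
    expected = {}
    for m in CMP_RE.finditer(listing):
        offset = int(m.group(1), 16) if m.group(1) else 0
        expected[offset] = chr(int(m.group(2), 16))
    length = max(expected) + 1 if expected else 0
    # A position that is never compared is unconstrained; show it as "?".
    return "".join(expected.get(i, "?") for i in range(length))


def name_accepted(name: str) -> bool:
    """Length gate at 004014F0: `cmp eax, 5` then `jle error` means len > 5."""
    return len(name) > 5
```

The same parser works on any listing where a literal is checked one byte at a time, which is exactly why such checks are the first thing a reverser looks for.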

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004014E4(C), :004014F3(C), :00401516(C), :0040151C(C), :00401522(C)
|:00401528(C), :0040152E(C)
|
:00401536 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"ERROR"
|
:00401538 6864304000              push 00403064

* Possible StringData Ref from Data Obj ->"One of the Details you entered was wrong"
|
:0040153D 6838304000              push 00403038
:00401542 8BCE                    mov ecx, esi

* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:00401544 E8F5020000              Call 0040183E
:00401549 6A00                    push 00000000
:0040154B FFD3                    call ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401534(C)
|
:0040154D 8D8EE0000000            lea ecx, dword ptr [esi+000000E0]
:00401553 8D542414                lea edx, dword ptr [esp+14]
:00401557 51                      push ecx

* Possible StringData Ref from Data Obj ->"Well done,"
|
:00401558 682C304000              push 0040302C
:0040155D 52                      push edx

* Reference To: MFC42.Ordinal:039E, Ord:039Eh
|
:0040155E E8D5020000              Call 00401838
:00401563 683C314000              push 0040313C
:00401568 50                      push eax
:00401569 8D442418                lea eax, dword ptr [esp+18]
:0040156D C744242800000000        mov [esp+28], 00000000
:00401575 50                      push eax

* Reference To: MFC42.Ordinal:039C, Ord:039Ch
|
:00401576 E8B7020000              Call 00401832
:0040157B 8B00                    mov eax, dword ptr [eax]
:0040157D 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"YOU DID IT"
|
:0040157F 6820304000              push 00403020
:00401584 50                      push eax
:00401585 8BCE                    mov ecx, esi
:00401587 C644242C01              mov [esp+2C], 01

To summarize: Name must be longer than 5 characters, and it is not used in the Serial check.

A small tip: how do you copy assembly code out of W32Dasm? It is simple. In W32Dasm, click at the far left of a line and a red dot appears; then hold Shift and click another line to select the range you need; press Ctrl+C to copy it to the clipboard, and all that is left is to paste.
