
Reverse Engineering Final Exam

Posted: 2015-06-16 18:17:01      Reads: 189      Comments: 0      Favorites: 0


A packer scan reports PECompact 2.x -> Jeremy Collake [Overlay], so besides the packer there is appended data (an overlay) to deal with.


This packer looks easy enough to strip. Load the file in the debugger, choose not to analyse it, then single-step with F8.

After this instruction has executed, look at the register values:

   00401225    50              push eax
   00401226    64:FF35 0000000>push dword ptr fs:[0]    // stop right after this instruction has executed

Now the registers:

   EAX 00450FDC crackme4.00450FDC
   ECX 0022FFB0
   EDX 7C92E4F4 ntdll.KiFastSystemCallRet
   EBX 7FFD5000
   ESP 0022FFBC                            // right-click ESP -> Follow in Dump
   EBP 0022FFF0
   ESI FFFFFFFF
   EDI 7C930208 ntdll.7C930208
   EIP 0040122D crackme4.0040122D

 

The dump window then shows the stack top (the classic "ESP law" setup):

   0022FFBC  E0 FF 22 00 DC 0F 45 00 67 70 81 7C 08 02 93 7C   // on the dword marked red in the original screenshot: right-click -> Breakpoint -> Hardware, on execution
   0022FFCC  FF FF FF FF 00 50 FD 7F FD 5B 54 80 C8 FF 22 00
   0022FFDC  20 10 ED 85 FF FF FF FF C0 9A 83 7C 70 70 81 7C
   ...

F9 to run until the hardware breakpoint fires.

It stops here. This is obviously not the OEP we are after, so keep single-stepping with F8:

   00451010    51              push ecx
   00451011    57              push edi
   00451012    56              push esi
   00451013    52              push edx

A little further down there is a big jump, and the debugger even labels its target as the EntryPoint:

   00451098    5A              pop edx
   00451099    5E              pop esi
   0045109A    5F              pop edi
   0045109B    59              pop ecx
   0045109C    5B              pop ebx
   0045109D    5D              pop ebp
   0045109E  - FFE0            jmp eax                                  ; crackme4.<ModuleEntryPoint>

 

Follow the jump and there is the original entry point. Dump the process from here and the unpacking is done. Even though the file carries appended data, the dump runs directly without any repair.

 

   00401220 >  55              push ebp
   00401221    89E5            mov ebp,esp
   00401223    83EC 08         sub esp,0x8
   00401226    C70424 01000000 mov dword ptr ss:[esp],0x1
   0040122D    FF15 04824400   call dword ptr ds:[0x448204]             ; msvcrt.__set_app_type
   00401233    E8 C8FEFFFF     call crackme4.00401100
   00401238    90              nop
   00401239    8DB426 00000000 lea esi,dword ptr ds:[esi]
   00401240    55              push ebp
   00401241    89E5            mov ebp,esp
   00401243    83EC 08         sub esp,0x8
   00401246    C70424 02000000 mov dword ptr ss:[esp],0x2
   0040124D    FF15 04824400   call dword ptr ds:[0x448204]             ; msvcrt.__set_app_type
   00401253    E8 A8FEFFFF     call crackme4.00401100
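The [Overlay] tag in the packer scan means bytes appended after the end of the last section's raw data. Such bytes are never mapped into memory, so a memory dump taken at the OEP does not contain them, which is why an overlay-dependent program can break after unpacking (this one, as the post notes, happened to run fine). The following Python script is an added example, not code from the original post: it parses the PE section table and reports how much data trails the sections. It builds its own minimal PE32 input in `build_sample_pe` (a constructed file, not the crackme), and the function names are my own; to check a real file, pass the result of `open(path, "rb").read()` to `overlay_info`.

```python
import struct


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed test input: a minimal PE32 image (not a real binary) with one
    .text section whose raw data sits at file offset 0x400, followed by `overlay`."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections=1, timestamp and symbol
    # fields zero, SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE|32BIT
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    optional_header = b"\x0B\x01" + b"\x00" * (0xE0 - 2)   # PE32 magic, rest zeroed
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/linenumber pointers and counts, Characteristics
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = dos_header + b"PE\x00\x00" + file_header + optional_header + section
    headers = headers.ljust(0x400, b"\x00")          # pad headers up to PointerToRawData
    return headers + b"\x90" * 0x200 + overlay       # section body, then the overlay


def overlay_info(data: bytes) -> dict:
    """Walk the section table and report the highest PointerToRawData+SizeOfRawData;
    any file bytes beyond that point are overlay (appended data)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    file_header = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", data, file_header + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, file_header + 16)[0]
    section_table = file_header + 20 + size_of_optional
    end_of_sections = 0
    for i in range(number_of_sections):
        entry = section_table + 40 * i
        # SizeOfRawData is at +16 and PointerToRawData at +20 inside each 40-byte entry
        size_of_raw, pointer_to_raw = struct.unpack_from("<II", data, entry + 16)
        end_of_sections = max(end_of_sections, pointer_to_raw + size_of_raw)
    overlay_size = max(0, len(data) - end_of_sections)
    return {"end_of_sections": end_of_sections, "overlay_size": overlay_size}


def has_overlay(data: bytes) -> bool:
    return overlay_info(data)["overlay_size"] > 0


if __name__ == "__main__":
    sample = build_sample_pe(b"DATA" * 16)          # constructed: 64 bytes of overlay
    print(overlay_info(sample))                      # end_of_sections=0x600, overlay_size=64
    print(overlay_info(build_sample_pe(b"")))        # no overlay
```

When a dump from the debugger no longer runs, comparing `overlay_info` of the original file with that of the dump is a quick way to tell whether the missing piece is this appended data rather than a broken import table.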

Next comes the algorithm.

Looking at the functions being called, the program reads its input with gets, so Ctrl+G to gets, set a breakpoint there, run, type a username, and it breaks.


Once the username has been read, the program works through its characters' ASCII codes in this loop:

   0040156A  |> /8B45 D0       /mov eax,[local.12]
   0040156D  |. |3B45 D4       |cmp eax,[local.11]                      ;  username converted to ASCII
   00401570  |. |0F8D D2000000 |jge c4_1.00401648
   00401576  |. |8D45 F8       |lea eax,[local.2]
   00401579  |. |0345 D0       |add eax,[local.12]
   0040157C  |. |83E8 20       |sub eax,0x20
   0040157F  |. |8038 60       |cmp byte ptr ds:[eax],0x60
   00401582  |. |7E 57         |jle Xc4_1.004015DB
   00401584  |. |8D45 F8       |lea eax,[local.2]
   00401587  |. |0345 D0       |add eax,[local.12]
   0040158A  |. |83E8 20       |sub eax,0x20
   0040158D  |. |8038 7A       |cmp byte ptr ds:[eax],0x7A
   00401590  |. |7F 49         |jg Xc4_1.004015DB
   00401592  |. |8D45 F8       |lea eax,[local.2]
   00401595  |. |0345 D0       |add eax,[local.12]
   00401598  |. |8D58 E0       |lea ebx,dword ptr ds:[eax-0x20]
   0040159B  |. |8D45 F8       |lea eax,[local.2]
   0040159E  |. |0345 D0       |add eax,[local.12]
   004015A1  |. |83E8 20       |sub eax,0x20
   004015A4  |. |0FBE00        |movsx eax,byte ptr ds:[eax]
   004015A7  |. |83E8 61       |sub eax,0x61
   004015AA  |. |0FAF45 CC     |imul eax,[local.13]
   004015AE  |. |89C1          |mov ecx,eax
   004015B0  |. |034D C8       |add ecx,[local.14]
   004015B3  |. |B8 4FECC44E   |mov eax,0x4EC4EC4F
   004015B8  |. |F7E9          |imul ecx
   004015BA  |. |C1FA 03       |sar edx,0x3
   004015BD  |. |89C8          |mov eax,ecx
   004015BF  |. |C1F8 1F       |sar eax,0x1F
   004015C2  |. |29C2          |sub edx,eax
   004015C4  |. |89D0          |mov eax,edx
   004015C6  |. |01C0          |add eax,eax
   004015C8  |. |01D0          |add eax,edx
   004015CA  |. |C1E0 02       |shl eax,0x2
   004015CD  |. |01D0          |add eax,edx
   004015CF  |. |01C0          |add eax,eax
   004015D1  |. |29C1          |sub ecx,eax
   004015D3  |. |89C8          |mov eax,ecx
   004015D5  |. |04 41         |add al,0x41
   004015D7  |. |8803          |mov byte ptr ds:[ebx],al
   004015D9  |. |EB 63         |jmp Xc4_1.0040163E
   004015DB  |> |8D45 F8       |lea eax,[local.2]
   004015DE  |. |0345 D0       |add eax,[local.12]
   004015E1  |. |83E8 20       |sub eax,0x20
   004015E4  |. |8038 40       |cmp byte ptr ds:[eax],0x40
   004015E7  |. |7E 55         |jle Xc4_1.0040163E
   004015E9  |. |8D45 F8       |lea eax,[local.2]
   004015EC  |. |0345 D0       |add eax,[local.12]
   004015EF  |. |83E8 20       |sub eax,0x20
   004015F2  |. |8038 5A       |cmp byte ptr ds:[eax],0x5A
   004015F5  |. |7F 47         |jg Xc4_1.0040163E
   004015F7  |. |8D45 F8       |lea eax,[local.2]
   004015FA  |. |0345 D0       |add eax,[local.12]
   004015FD  |. |8D58 E0       |lea ebx,dword ptr ds:[eax-0x20]
   00401600  |. |8D45 F8       |lea eax,[local.2]
   00401603  |. |0345 D0       |add eax,[local.12]
   00401606  |. |83E8 20       |sub eax,0x20
   00401609  |. |0FBE00        |movsx eax,byte ptr ds:[eax]
   0040160C  |. |83E8 41       |sub eax,0x41
   0040160F  |. |0FAF45 CC     |imul eax,[local.13]
   00401613  |. |89C1          |mov ecx,eax
   00401615  |. |034D C8       |add ecx,[local.14]
   00401618  |. |B8 4FECC44E   |mov eax,0x4EC4EC4F
   0040161D  |. |F7E9          |imul ecx
   0040161F  |. |C1FA 03       |sar edx,0x3
   00401622  |. |89C8          |mov eax,ecx
   00401624  |. |C1F8 1F       |sar eax,0x1F
   00401627  |. |29C2          |sub edx,eax
   00401629  |. |89D0          |mov eax,edx
   0040162B  |. |01C0          |add eax,eax
   0040162D  |. |01D0          |add eax,edx
   0040162F  |. |C1E0 02       |shl eax,0x2
   00401632  |. |01D0          |add eax,edx
   00401634  |. |01C0          |add eax,eax
   00401636  |. |29C1          |sub ecx,eax
   00401638  |. |89C8          |mov eax,ecx
   0040163A  |. |04 41         |add al,0x41
   0040163C  |. |8803          |mov byte ptr ds:[ebx],al
   0040163E  |> |8D45 D0       |lea eax,[local.12]
   00401641  |. |FF00          |inc dword ptr ds:[eax]
   00401643  |.^\E9 22FFFFFF   \jmp c4_1.0040156A
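Reading the loop above instruction by instruction: the two branches handle 'a'..'z' (subtract 0x61) and 'A'..'Z' (subtract 0x41); any other byte skips to 0040163E untouched. The letter index is multiplied by [local.13] and [local.14] is added. The constant 0x4EC4EC4F with `imul ecx` / `sar edx,3` / `sub edx,eax` is the compiler's signed division by 26 (0x4EC4EC4F is ceil(2^35 / 26)), and the following `add`/`shl` chain rebuilds 26*q so that `sub ecx,eax` leaves the remainder. Each letter therefore becomes ((index * [local.13] + [local.14]) mod 26) + 'A', an affine substitution over the alphabet with uppercase output. The Python below is an added example, not code from the original post: it replays that arithmetic step by step and checks it against plain integer division. The post does not show the values of [local.13] and [local.14], so `multiplier` and `addend` are parameters supplied by the caller (an assumption), and all function names are my own.

```python
def x86_div26(n: int) -> int:
    """Replay 'mov eax,0x4EC4EC4F ; imul ecx ; sar edx,3 ; mov eax,ecx ;
    sar eax,0x1F ; sub edx,eax' on a 32-bit signed dividend n.
    The high dword of the 64-bit product, shifted right by 3, is floor(n/26);
    subtracting the dividend's sign (0 or -1) turns that into truncation
    toward zero, which is what C's '/' gives for signed operands."""
    n = ((n + 2 ** 31) % 2 ** 32) - 2 ** 31    # reinterpret as signed 32-bit
    prod = 0x4EC4EC4F * n                       # imul ecx: signed 64-bit product in edx:eax
    edx = (prod >> 32) >> 3                     # take edx (arithmetic), then sar edx,3
    sign = -1 if n < 0 else 0                   # mov eax,ecx ; sar eax,0x1F
    return edx - sign                           # sub edx,eax


def x86_mod26(n: int) -> int:
    """Replay the add/shl chain that follows the division: q -> 2q -> 3q ->
    12q -> 13q -> 26q, then 'sub ecx,eax' leaves n - 26*q, the remainder."""
    q = x86_div26(n)
    eax = q + q          # add eax,eax
    eax = eax + q        # add eax,edx
    eax = eax << 2       # shl eax,0x2
    eax = eax + q        # add eax,edx
    eax = eax + eax      # add eax,eax
    return n - eax       # sub ecx,eax


def trunc_div26(n: int) -> int:
    """Reference: C-style truncating division by 26, used to check x86_div26."""
    return (abs(n) // 26) * (1 if n >= 0 else -1)


def transform(username: str, multiplier: int, addend: int) -> str:
    """Replay the loop at 0040156A-00401643 over a username.
    multiplier stands in for [local.13] and addend for [local.14]; their real
    values are not shown in the post, so they are assumed inputs here."""
    out = []
    for ch in username:
        c = ord(ch)
        if 0x60 < c <= 0x7A:                   # cmp 0x60/jle, cmp 0x7A/jg: 'a'..'z'
            base = 0x61                        # sub eax,0x61
        elif 0x40 < c <= 0x5A:                 # cmp 0x40/jle, cmp 0x5A/jg: 'A'..'Z'
            base = 0x41                        # sub eax,0x41
        else:
            out.append(ch)                     # non-letters jump to 0040163E unchanged
            continue
        n = (c - base) * multiplier + addend   # imul eax,[local.13] ; add ecx,[local.14]
        r = x86_mod26(n)                       # the 0x4EC4EC4F division-and-remainder sequence
        out.append(chr((0x41 + r) & 0xFF))     # add al,0x41 ; mov byte ptr [ebx],al
    return "".join(out)


if __name__ == "__main__":
    # constructed sample values for [local.13] and [local.14], not taken from the crackme
    print(transform("Abc", 3, 5))              # FIL
    print(transform("hello-1", 1, 0))          # HELLO-1
```

The `x86_div26` replay is what lets you recognise the pattern elsewhere: whenever a compiler emits `imul` by an odd magic constant followed by `sar edx,k` and a sign correction, the divisor is 2^(32+k) divided by that constant, rounded.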


Original post: http://www.cnblogs.com/kangxiaopao/p/4581264.html
