1、UPX壳,Delphi
①单步法:没跟出来
②ESP定律:OD载入后F8一步,发现只有ESP有变化,可以用ESP定律法,输入命令:dd esp。断点->硬件访问->DWord。F9,断下来的地方再单步一下就跳向OEP。插件->OllyDump
2、Dark + OD
程序开始会判断同目录下是否有Reg.dat文件。
OD 载入。OK按钮不可用,用Dark确定OK按钮事件的地址,发现它只是调用了显示成功的信息框。
EditChange事件都调用了00437BD8。
00437BD8()末尾很明显是设置OK按钮是否可用。
00437CC7 |> \85C9 test ecx,ecx
00437CC9 |. 75 14 jnz Xcrackme_.00437CDF ; 爆破点
00437CCB |. A1 28A74300 mov eax,dword ptr ds:[0x43A728]
00437CD0 |. 8B80 E0010000 mov eax,dword ptr ds:[eax+0x1E0]
00437CD6 |. B2 01 mov dl,0x1
00437CD8 |. E8 7B54FEFF call crackme_.0041D158 ; OK.setEnabled = true
00437CDD |. EB 12 jmp Xcrackme_.00437CF1
00437CDF |> A1 28A74300 mov eax,dword ptr ds:[0x43A728]
00437CE4 |. 8B80 E0010000 mov eax,dword ptr ds:[eax+0x1E0]
00437CEA |. 33D2 xor edx,edx
00437CEC |. E8 6754FEFF call crackme_.0041D158 ; OK.setEnabled = false
00437CF1 |> 33C0 xor eax,eax
整体:
00437BD8 /$ 55 push ebp
00437BD9 |. 8BEC mov ebp,esp
00437BDB |. 6A 00 push 0x0
00437BDD |. 6A 00 push 0x0
00437BDF |. 53 push ebx
00437BE0 |. 56 push esi
00437BE1 |. 33C0 xor eax,eax
00437BE3 |. 55 push ebp
00437BE4 |. 68 0C7D4300 push crackme_.00437D0C
00437BE9 |. 64:FF30 push dword ptr fs:[eax]
00437BEC |. 64:8920 mov dword ptr fs:[eax],esp
00437BEF |. 8D55 FC lea edx,[local.1]
00437BF2 |. A1 28A74300 mov eax,dword ptr ds:[0x43A728]
00437BF7 |. 8B80 0C020000 mov eax,dword ptr ds:[eax+0x20C]
00437BFD |. E8 BE55FEFF call crackme_.0041D1C0
00437C02 |. 8B45 FC mov eax,[local.1]
00437C05 |. E8 6EBDFCFF call crackme_.00403978 ; strlen()
00437C0A |. 83F8 05 cmp eax,0x5
00437C0D |. 0F8C AF000000 jl crackme_.00437CC2
00437C13 |. 8B45 FC mov eax,[local.1] ; eax = Name[0]
00437C16 |. 0FB600 movzx eax,byte ptr ds:[eax]
00437C19 |. B9 0A000000 mov ecx,0xA
00437C1E |. 99 cdq
00437C1F |. F7F9 idiv ecx
00437C21 |. A3 2CA74300 mov dword ptr ds:[0x43A72C],eax ; [0x43A72C] = Name[0] / 10
00437C26 |. 8B45 FC mov eax,[local.1]
00437C29 |. 0FB640 02 movzx eax,byte ptr ds:[eax+0x2]
00437C2D |. B9 0A000000 mov ecx,0xA
00437C32 |. 99 cdq
00437C33 |. F7F9 idiv ecx
00437C35 |. A3 30A74300 mov dword ptr ds:[0x43A730],eax ; [0x43A730] = Name[2] / 10
00437C3A |. 8B45 FC mov eax,[local.1]
00437C3D |. 0FB640 03 movzx eax,byte ptr ds:[eax+0x3]
00437C41 |. B9 0A000000 mov ecx,0xA
00437C46 |. 99 cdq
00437C47 |. F7F9 idiv ecx
00437C49 |. A3 34A74300 mov dword ptr ds:[0x43A734],eax ; [0x43A734] = Name[3] / 10
00437C4E |. 8B45 FC mov eax,[local.1]
00437C51 |. 0FB640 04 movzx eax,byte ptr ds:[eax+0x4]
00437C55 |. B9 0A000000 mov ecx,0xA
00437C5A |. 99 cdq
00437C5B |. F7F9 idiv ecx
00437C5D |. A3 38A74300 mov dword ptr ds:[0x43A738],eax ; [0x43A738] = Name[4] / 10
00437C62 |. BE 01000000 mov esi,0x1
00437C67 |. BB 2CA74300 mov ebx,crackme_.0043A72C
00437C6C |> 8D55 F8 /lea edx,[local.2]
00437C6F |. 8B03 |mov eax,dword ptr ds:[ebx]
00437C71 |. E8 8AECFCFF |call crackme_.00406900
00437C76 |. 8B45 F8 |mov eax,[local.2]
00437C79 |. E8 FABCFCFF |call crackme_.00403978 ; 循环比较Serial
00437C7E |. 48 |dec eax
00437C7F |. 74 0C |je Xcrackme_.00437C8D
00437C81 |. 8B03 |mov eax,dword ptr ds:[ebx]
00437C83 |. B9 0A000000 |mov ecx,0xA
00437C88 |. 99 |cdq
00437C89 |. F7F9 |idiv ecx
00437C8B |. 8903 |mov dword ptr ds:[ebx],eax
00437C8D |> 46 |inc esi
00437C8E |. 83C3 04 |add ebx,0x4
00437C91 |. 83FE 05 |cmp esi,0x5
00437C94 |.^ 75 D6 \jnz Xcrackme_.00437C6C
00437C96 |. BE 01000000 mov esi,0x1
00437C9B |. B8 2CA74300 mov eax,crackme_.0043A72C
00437CA0 |. BA 3CA74300 mov edx,crackme_.0043A73C
00437CA5 |> 8B0A /mov ecx,dword ptr ds:[edx]
00437CA7 |. 3B08 |cmp ecx,dword ptr ds:[eax]
00437CA9 |. 74 07 |je Xcrackme_.00437CB2
00437CAB |. B9 01000000 |mov ecx,0x1
00437CB0 |. EB 15 |jmp Xcrackme_.00437CC7
00437CB2 |> 33C9 |xor ecx,ecx
00437CB4 |. 46 |inc esi
00437CB5 |. 83C2 04 |add edx,0x4
00437CB8 |. 83C0 04 |add eax,0x4
00437CBB |. 83FE 05 |cmp esi,0x5
00437CBE |.^ 75 E5 \jnz Xcrackme_.00437CA5
00437CC0 |. EB 05 jmp Xcrackme_.00437CC7
00437CC2 |> B9 01000000 mov ecx,0x1
00437CC7 |> 85C9 test ecx,ecx
00437CC9 |. 75 14 jnz Xcrackme_.00437CDF
00437CCB |. A1 28A74300 mov eax,dword ptr ds:[0x43A728]
00437CD0 |. 8B80 E0010000 mov eax,dword ptr ds:[eax+0x1E0]
00437CD6 |. B2 01 mov dl,0x1
00437CD8 |. E8 7B54FEFF call crackme_.0041D158 ; OK.setEnabled = true
00437CDD |. EB 12 jmp Xcrackme_.00437CF1
00437CDF |> A1 28A74300 mov eax,dword ptr ds:[0x43A728]
00437CE4 |. 8B80 E0010000 mov eax,dword ptr ds:[eax+0x1E0]
00437CEA |. 33D2 xor edx,edx
00437CEC |. E8 6754FEFF call crackme_.0041D158 ; OK.setEnabled = false
00437CF1 |> 33C0 xor eax,eax
00437CF3 |. 5A pop edx
00437CF4 |. 59 pop ecx
00437CF5 |. 59 pop ecx
00437CF6 |. 64:8910 mov dword ptr fs:[eax],edx
00437CF9 |. 68 137D4300 push crackme_.00437D13
Serial1 = Name[0] / 10;
Serial2 = Name[2] / 10;
Serial3 = Name[3] / 10;
Serial4 = Name[4] / 10;
(前提是 Name 长度不小于5;00437C6C 处的循环还会检查每个结果是否为一位数,不是则再除以10一次;00437CA5 处的循环把这4个值与 0x43A73C 起的4个DWORD逐个比较,任一不等则OK按钮不可用。)
3、注册机
>>> Name = '8188569'
>>> Serial1 = ord(Name[0]) // 10;Serial2 = ord(Name[2]) // 10;Serial3 = ord(Name[3]) // 10;Serial4 = ord(Name[4]) // 10;
>>> Serial1,Serial2,Serial3,Serial4
(5, 5, 5, 5)
>>>