160个练手CrackMe-051_crackme 160 051-CSDN博客

本文链接：https://blog.csdn.net/M_N_N/article/details/78946000

1、无壳

2、OD载入，搜字符串，定位按钮事件地址

004011ED  |.  6A 09         push 0x9                                 ; /Count = 9
004011EF  |.  68 21214000   push DueList_.00402121                   ; |Buffer = DueList_.00402121
004011F4  |.  6A 69         push 0x69                                ; |ControlID = 69 (105.)
004011F6  |.  FF75 08       push [arg.1]                             ; |hWnd
004011F9  |.  E8 A0020000   call <jmp.&USER32.GetDlgItemTextA>       ; \GetDlgItemTextA
004011FE  |.  83F8 08       cmp eax,0x8                              ;  长度为8
00401201  |.  74 24         je XDueList_.00401227

GetDIgItemTextA() 将输入的Serial存到0x00402121。并返回串长。

00401227  |> \FF75 08       push [arg.1]                             ;  hWnd
0040122A  |.  E8 1CFEFFFF   call DueList_.0040104B                   ;  关键函数
0040122F  |.  83F8 01       cmp eax,0x1
00401232  |.  75 18         jnz XDueList_.0040124C

call 0x0040104B是判断函数，返回1正确

0040105C  |.  A1 21214000   mov eax,dword ptr ds:[0x402121]
00401061  |.  B9 02000000   mov ecx,0x2
00401066  |.  99            cdq
00401067  |.  F7F1          div ecx
00401069  |.  8BF0          mov esi,eax
0040106B  |.  B8 44554536   mov eax,0x36455544
00401070  |.  8B0D 21214000 mov ecx,dword ptr ds:[0x402121]
00401076  |>  C1C0 06       /rol eax,0x6                             ;  循环左移
00401079  |.  32E0          |xor ah,al
0040107B  |.  02C1          |add al,cl
0040107D  |.  49            |dec ecx
0040107E  |.^ 75 F6         \jnz XDueList_.00401076
00401080  |.  3D 85180704   cmp eax,0x4071885                        ;  值比较
00401085  |.  75 4E         jnz XDueList_.004010D5
00401087  |.  68 E1204000   push DueList_.004020E1                   ; /Duelist's Crackme #6 -  50%
0040108C  |.  FF75 08       push [arg.1]                             ; |hWnd
0040108F  |.  E8 40040000   call <jmp.&USER32.SetWindowTextA>        ; \SetWindowTextA
00401094  |.  A1 25214000   mov eax,dword ptr ds:[0x402125]
00401099  |.  B9 02000000   mov ecx,0x2
0040109E  |.  99            cdq
0040109F      F7F1          div ecx
004010A1      8BF0          mov esi,eax
004010A3      B8 52495343   mov eax,0x43534952
004010A8  |.  8B0D 25214000 mov ecx,dword ptr ds:[0x402125]
004010AE  |>  C1C0 06       /rol eax,0x6
004010B1  |.  32E0          |xor ah,al
004010B3  |.  02C1          |add al,cl
004010B5  |.  49            |dec ecx
004010B6  |.^ 75 F6         \jnz XDueList_.004010AE
004010B8  |.  3D 27D1004B   cmp eax,0x4B00D127                       ;  值比较
004010BD  |.  75 16         jnz XDueList_.004010D5

中间有两次循环处理和值的比较，根据循环写逆向代码。

3、还原

unsigned int i=0, j=0;

int main(){
	
//	__asm__("push %eax");
//	__asm__("mov $10,%eax");
//	__asm__("sub $1, %eax");
//	__asm__("mov %eax,_i");
//	__asm__("pop %eax");

	__asm__("push %eax\n\
			push %ecx\n\
			push %ebx\n\
			mov $0,%ecx\n\
			mov $0x4071885,%eax\n\
			mov $0x36455544,%ebx\n\
			1:\n\
			inc %ecx\n\
			sub %cl,%al\n\
			xor %al,%ah\n\
			ror $0x06,%eax\n\
			cmp %eax,%ebx\n\
			jnz 1b\n\
			mov %ecx,_i\n\
			mov $0,%ecx\n\
			mov $0x4B00D127,%eax\n\
			mov $0x43534952,%ebx\n\
			2:\n\
			inc %ecx\n\
			sub %cl,%al\n\
			xor %al,%ah\n\
			ror $0x06,%eax\n\
			cmp %eax,%ebx\n\
			jnz 2b\n\
			mov %ecx,_j\n\
			pop %ebx\n\
			pop %ecx\n\
			pop %eax");

	cout << hex << i << endl;
	cout << hex << j;
	
	return 0;
}

i 表示前四位，j 后四位。

运行结果：