环境:
windows xp sp3
工具:
Ollydbg,exeinfope
用exeinfope查壳:
没有壳,vc编译的
运行后第一步,随便输入一个“12345”,弹出一个错误消息框。
OD载入后直接搜索错误消息框的字符串,发现字符串也不多
文本字串参考位于 Brad_Sob:.text
地址 反汇编 文本字串
00401571 push Brad_Sob.0040302C ASCII "CrackMe"
00401576 push Brad_Sob.00403034 ASCII "Enter Registration Number"
00401595 jnz XBrad_Sob.004015AD (初始 CPU 选择)
00401599 push Brad_Sob.00403050 ASCII "CrackMe"
0040159E push Brad_Sob.00403058 ASCII "Correct way to go!!"
004015AF push Brad_Sob.0040306C ASCII "CrackMe"
004015B4 push Brad_Sob.00403074 ASCII "Incorrect try again!!"
00401CE5 push 0x10000 UNICODE "=::=::\"
一眼看到错误信息所在位置,在反汇编窗口跟随。
;-----------------------------------------------------------------------
; Serial check routine at 00401512 (OllyDbg listing, MSVC thiscall:
; ecx = this, presumably the dialog's CWnd).
; Flow: read control 0x3E8 into a 10-byte stack buffer (local.3), require
; length >= 1, then lstrcmpA it against a 10-byte constant copied from
; ds:[0x403020..0x403029] (local.7) and show one of three message boxes.
; Weakness: the expected serial is stored and compared as cleartext, so
; it can be read straight out of the data section / a memory dump.
; A check that keeps only a hash of the serial would not leak it this way.
; Stack layout (local.N = ebp-4*N): local.8 = ebp-0x20 saved this,
; local.7 = ebp-0x1C expected serial (10 bytes), local.4 = ebp-0x10
; input length, local.3 = ebp-0xC input buffer (10 bytes).
;-----------------------------------------------------------------------
00401512 /. 55 push ebp
00401513 |. 8BEC mov ebp,esp
00401515 |. 83EC 20 sub esp,0x20 ; 0x20 bytes of locals
00401518 |. 894D E0 mov [local.8],ecx ; save this (ecx) for the MFC calls below
0040151B |. 66:A1 5C31400>mov ax,word ptr ds:[0x40315C] ; first 2 bytes of the input buffer come from ds:[0x40315C]
00401521 |. 66:8945 F4 mov word ptr ss:[ebp-0xC],ax ; input buffer starts at ebp-0xC (= local.3)
00401525 |. 33C9 xor ecx,ecx
00401527 |. 894D F6 mov dword ptr ss:[ebp-0xA],ecx ; zero the remaining 8 bytes of the 10-byte input buffer
0040152A |. 894D FA mov dword ptr ss:[ebp-0x6],ecx
0040152D |. 8B15 20304000 mov edx,dword ptr ds:[0x403020] ; copy the expected serial (10 bytes, cleartext) ...
00401533 |. 8955 E4 mov [local.7],edx ; ... into local.7 = ebp-0x1C
00401536 |. A1 24304000 mov eax,dword ptr ds:[0x403024]
0040153B |. 8945 E8 mov [local.6],eax
0040153E |. 66:8B0D 28304>mov cx,word ptr ds:[0x403028]
00401545 |. 66:894D EC mov word ptr ss:[ebp-0x14],cx ; last 2 bytes of the expected serial
00401549 |. 6A 0A push 0xA ; max chars = 10, matches the buffer size (bounded read)
0040154B |. 8D55 F4 lea edx,[local.3] ; destination = input buffer
0040154E |. 52 push edx
0040154F |. 68 E8030000 push 0x3E8 ; control id 1000 (the serial edit box)
00401554 |. 8B4D E0 mov ecx,[local.8] ; ecx = this
00401557 |. E8 A8050000 call <jmp.&MFC42.#3098> ; reads the entered serial into local.3 (arguments match a GetDlgItemText-style call)
0040155C |. 8D45 F4 lea eax,[local.3]
0040155F |. 50 push eax ; /String
00401560 |. FF15 04204000 call dword ptr ds:[<&KERNEL32.lstrlenA>] ; \lstrlenA
00401566 |. 8945 F0 mov [local.4],eax ; local.4 = strlen(input)
00401569 |. 837D F0 01 cmp [local.4],0x1 ; check the length of the entered serial
0040156D |. 73 16 jnb XBrad_Sob.00401585 ; length >= 1 (unsigned) -> go compare; empty -> prompt
0040156F |. 6A 40 push 0x40 ; message box style (0x40 = information icon)
00401571 |. 68 2C304000 push Brad_Sob.0040302C ; ASCII "CrackMe"
00401576 |. 68 34304000 push Brad_Sob.00403034 ; ASCII "Enter Registration Number"
0040157B |. 8B4D E0 mov ecx,[local.8] ; ecx = this
0040157E |. E8 7B050000 call <jmp.&MFC42.#4224> ; MessageBox-style call (same callee used for all three results)
00401583 |. EB 3C jmp XBrad_Sob.004015C1 ; -> epilogue
00401585 |> 8D4D E4 lea ecx,[local.7] ; expected serial is compared in cleartext: lstrcmpA(input, expected)
00401588 |. 51 push ecx ; /String2 = expected serial
00401589 |. 8D55 F4 lea edx,[local.3] ; |
0040158C |. 52 push edx ; |String1 = user input
0040158D |. FF15 00204000 call dword ptr ds:[<&KERNEL32.lstrcmpA>] ; \lstrcmpA
00401593 |. 85C0 test eax,eax ; eax == 0 -> strings equal
00401595 |. 75 16 jnz XBrad_Sob.004015AD ; mismatch -> "Incorrect" box
00401597 |. 6A 40 push 0x40
00401599 |. 68 50304000 push Brad_Sob.00403050 ; ASCII "CrackMe"
0040159E |. 68 58304000 push Brad_Sob.00403058 ; ASCII "Correct way to go!!"
004015A3 |. 8B4D E0 mov ecx,[local.8]
004015A6 |. E8 53050000 call <jmp.&MFC42.#4224>
004015AB |. EB 14 jmp XBrad_Sob.004015C1 ; -> epilogue
004015AD |> 6A 40 push 0x40
004015AF |. 68 6C304000 push Brad_Sob.0040306C ; ASCII "CrackMe"
004015B4 |. 68 74304000 push Brad_Sob.00403074 ; ASCII "Incorrect try again!!"
004015B9 |. 8B4D E0 mov ecx,[local.8]
004015BC |. E8 3D050000 call <jmp.&MFC42.#4224>
004015C1 |> 8BE5 mov esp,ebp ; common epilogue: drop locals, restore frame
004015C3 |. 5D pop ebp
004015C4 \. C3 retn
serial:<BrD-SoB>(即从 0x403020 起被复制到 local.7 的那 10 字节明文字符串)