This crackme is packed with ASPack 1.6. It's trivial: you can see the popad / jmp eax right away.
The program is written in Delphi.
Load it in DeDe, look at the window procedure, then set a breakpoint to get to the key part. Break at 00455504:
00455504 /. 55 PUSH EBP
00455505 |. 8BEC MOV EBP,ESP
00455507 |. B9 04000000 MOV ECX,4
0045550C |> 6A 00 /PUSH 0
0045550E |. 6A 00 |PUSH 0
00455510 |. 49 |DEC ECX
00455511 |.^ 75 F9 /JNZ SHORT 脱壳后.0045550C
00455513 |. 51 PUSH ECX
00455514 |. 53 PUSH EBX
00455515 |. 56 PUSH ESI
00455516 |. 57 PUSH EDI
00455517 |. 8BD8 MOV EBX,EAX
00455519 |. 33C0 XOR EAX,EAX
0045551B |. 55 PUSH EBP
0045551C |. 68 88564500 PUSH 脱壳后.00455688
00455521 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00455524 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00455527 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0045552A |. 8B83 CC020000 MOV EAX,DWORD PTR DS:[EBX+2CC]
00455530 |. E8 6FE0FCFF CALL 脱壳后.004235A4 ; 123456
00455535 |. 8B43 08 MOV EAX,DWORD PTR DS:[EBX+8]
00455538 |. E8 27E5FAFF CALL 脱壳后.00403A64
0045553D |. 85C0 TEST EAX,EAX ; asmzz
0045553F |. 0F8C 1B010000 JL 脱壳后.00455660
00455545 |. 40 INC EAX
00455546 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
The next section is the core of the algorithm:
Let code[] be the fake key we entered, 123456
00455549 |. 33FF XOR EDI,EDI ; edi is i
0045554B |> 8BF7 /MOV ESI,EDI ; esi is tempi
0045554D |. C1EE 0E |SHR ESI,0E ; tempi>>0xe
00455550 |. 33F7 |XOR ESI,EDI ; tempi^=i
00455552 |. 81C6 A0212F00 |ADD ESI,2F21A0 ; tempi+=0x2f21a0
00455558 |. 81C6 CE950700 |ADD ESI,795CE ; tempi+=0x795ce
0045555E |. 8D55 F8 |LEA EDX,DWORD PTR SS:[EBP-8]
00455561 |. 8BC6 |MOV EAX,ESI
00455563 |. E8 0021FBFF |CALL 脱壳后.00407668 ; produces the string 3585902
00455568 |. 8BC6 |MOV EAX,ESI ; tempii
0045556A |. B9 49000000 |MOV ECX,49
0045556F |. 99 |CDQ
00455570 |. F7F9 |IDIV ECX ; tempii=tempi, tempii/=0x49
00455572 |. 2D BA0B0000 |SUB EAX,0BBA
00455577 |. 8945 EC |MOV DWORD PTR SS:[EBP-14],EAX ; tempii-=0xbba
0045557A |. 8D55 F4 |LEA EDX,DWORD PTR SS:[EBP-C]
0045557D |. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14]
00455580 |. E8 E320FBFF |CALL 脱壳后.00407668 ; another number, 46119
00455585 |. 8BC6 |MOV EAX,ESI ; tempiii=tempi
00455587 |. B9 30010000 |MOV ECX,130
0045558C |. 99 |CDQ
0045558D |. F7F9 |IDIV ECX
0045558F |. C1E0 02 |SHL EAX,2 ; tempiii/=0x130
00455592 |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; tempiii=tempiii<<2 tempiii=5*tempiii
00455595 |. 3345 EC |XOR EAX,DWORD PTR SS:[EBP-14] ; tempiii^=tempii
00455598 |. 05 0F010000 |ADD EAX,10F ; tempiii+=0x10f
0045559D |. 83E8 00 |SUB EAX,0
004555A0 |. 8BF0 |MOV ESI,EAX ; tempi=tempiii
004555A2 |. 8D55 F0 |LEA EDX,DWORD PTR SS:[EBP-10]
004555A5 |. 8BC6 |MOV EAX,ESI
004555A7 |. E8 BC20FBFF |CALL 脱壳后.00407668 ; 208490
004555AC |. 8D55 E4 |LEA EDX,DWORD PTR SS:[EBP-1C]
004555AF |. 8B83 CC020000 |MOV EAX,DWORD PTR DS:[EBX+2CC]
004555B5 |. E8 EADFFCFF |CALL 脱壳后.004235A4 ; 123456
004555BA |. 8B45 E4 |MOV EAX,DWORD PTR SS:[EBP-1C] ; returns 6
004555BD |. 50 |PUSH EAX
004555BE |. 8D55 DC |LEA EDX,DWORD PTR SS:[EBP-24]
004555C1 |. 8B83 D8020000 |MOV EAX,DWORD PTR DS:[EBX+2D8]
004555C7 |. E8 D8DFFCFF |CALL 脱壳后.004235A4
004555CC |. FF75 DC |PUSH DWORD PTR SS:[EBP-24]
004555CF |. 68 A0564500 |PUSH 脱壳后.004556A0 ; ASCII " -"
004555D4 |. FF75 F8 |PUSH DWORD PTR SS:[EBP-8]
004555D7 |. 68 AC564500 |PUSH 脱壳后.004556AC ; ASCII ".."
004555DC |. FF75 F4 |PUSH DWORD PTR SS:[EBP-C]
004555DF |. 68 B8564500 |PUSH 脱壳后.004556B8 ; ASCII ".-"
004555E4 |. FF75 F0 |PUSH DWORD PTR SS:[EBP-10]
004555E7 |. 68 C4564500 |PUSH 脱壳后.004556C4
004555EC |. 8D45 E0 |LEA EAX,DWORD PTR SS:[EBP-20]
004555EF |. BA 08000000 |MOV EDX,8
004555F4 |. E8 2BE5FAFF |CALL 脱壳后.00403B24 ; concatenate the strings
004555F9 |. 8B55 E0 |MOV EDX,DWORD PTR SS:[EBP-20]
004555FC |. 58 |POP EAX
004555FD |. E8 72E5FAFF |CALL 脱壳后.00403B74 ; registration fails if code[] is not equal to this string
00455602 |. 75 52 |JNZ SHORT 脱壳后.00455656
00455604 |. 8D55 E4 |LEA EDX,DWORD PTR SS:[EBP-1C]
00455607 |. 8B83 CC020000 |MOV EAX,DWORD PTR DS:[EBX+2CC]
0045560D |. E8 92DFFCFF |CALL 脱壳后.004235A4
00455612 |. 8B45 E4 |MOV EAX,DWORD PTR SS:[EBP-1C]
00455615 |. 50 |PUSH EAX
00455616 |. 8D55 E0 |LEA EDX,DWORD PTR SS:[EBP-20]
00455619 |. 8B83 D4020000 |MOV EAX,DWORD PTR DS:[EBX+2D4]
0045561F |. E8 80DFFCFF |CALL 脱壳后.004235A4
00455624 |. 8B55 E0 |MOV EDX,DWORD PTR SS:[EBP-20]
00455627 |. 58 |POP EAX
00455628 |. E8 47E5FAFF |CALL 脱壳后.00403B74
0045562D |. 75 18 |JNZ SHORT 脱壳后.00455647
0045562F |. 8D55 E4 |LEA EDX,DWORD PTR SS:[EBP-1C]
00455632 |. 8B83 D0020000 |MOV EAX,DWORD PTR DS:[EBX+2D0]
00455638 |. E8 67DFFCFF |CALL 脱壳后.004235A4
0045563D |. 8B45 E4 |MOV EAX,DWORD PTR SS:[EBP-1C]
00455640 |. E8 0BC1FEFF |CALL 脱壳后.00441750
00455645 |. EB 0F |JMP SHORT 脱壳后.00455656
00455647 |> A1 34764500 |MOV EAX,DWORD PTR DS:[457634]
0045564C |. 8B00 |MOV EAX,DWORD PTR DS:[EAX]
0045564E |. 8B10 |MOV EDX,DWORD PTR DS:[EAX]
00455650 |. FF92 CC000000 |CALL DWORD PTR DS:[EDX+CC]
00455656 |> 47 |INC EDI
00455657 |. FF4D E8 |DEC DWORD PTR SS:[EBP-18]
0045565A |.^ 0F85 EBFEFFFF /JNZ 脱壳后.0045554B
This gives a valid key:
asmzz
VL - -3585904..46119.-208490.
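To make the loop above concrete, here is a C reconstruction of the three-value computation (00455549 to 004555A0) and of the string the program compares the entered code against. This is an added example, not code from the crackme or the original post. It assumes the control at EBX+2D8 holds "VL -" and that the string at 004556C4 (no ASCII shown on the page) is "."; with those two assumptions it reproduces the key printed above. Signed division is used on purpose, matching CDQ/IDIV.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The three numbers the loop derives from the index i (00455549-004555A0). */
typedef struct {
    int32_t tempi;
    int32_t tempii;
    int32_t tempiii;
} key_parts;

key_parts key_parts_for(int32_t i)
{
    key_parts p;
    /* MOV ESI,EDI / SHR ESI,0E / XOR ESI,EDI: mix i with i>>14 */
    int32_t tempi = (int32_t)((uint32_t)i >> 14) ^ i;
    tempi += 0x2F21A0;                        /* ADD ESI,2F21A0 */
    tempi += 0x795CE;                         /* ADD ESI,795CE  */

    /* CDQ / IDIV ECX (ECX=0x49), SUB EAX,0BBA: signed division like IDIV */
    int32_t tempii = tempi / 0x49 - 0x0BBA;

    /* CDQ / IDIV ECX (ECX=0x130), SHL EAX,2, LEA EAX,[EAX+EAX*4]: quotient*20 */
    int32_t tempiii = (tempi / 0x130) << 2;
    tempiii = tempiii + tempiii * 4;
    tempiii ^= tempii;                        /* XOR EAX,[EBP-14] */
    tempiii += 0x10F;                         /* ADD EAX,10F; SUB EAX,0 is a no-op */

    p.tempi = tempi;
    p.tempii = tempii;
    p.tempiii = tempiii;
    return p;
}

/* Assemble the 8-part string built by the CALL 00403B24 (prefix, " -", tempi,
   "..", tempii, ".-", tempiii, tail). prefix is the text of the control at
   EBX+2D8 (assumed "VL -"); the tail "." is an assumption, because the page
   does not show the ASCII of the string at 004556C4. Returns the length. */
int build_key(const char *prefix, int32_t i, char *out, size_t outlen)
{
    key_parts p = key_parts_for(i);
    return snprintf(out, outlen, "%s -%d..%d.-%d.", prefix,
                    (int)p.tempi, (int)p.tempii, (int)p.tempiii);
}

/* The comparison at 004555FD runs once per loop iteration: the loop counter is
   length+1 (TEST/JL/INC EAX pattern, i.e. i runs from 0 to length), so the code
   is accepted if it equals the generated string for any i in 0..name_len.
   Returns the matching i, or -1 when no iteration matches. */
int check_code(const char *prefix, int name_len, const char *code)
{
    char buf[64];
    for (int32_t i = 0; i <= name_len; i++) {
        build_key(prefix, i, buf, sizeof buf);
        if (strcmp(buf, code) == 0)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    char key[64];
    /* constructed inputs: prefix "VL -", and 5 for the length of "asmzz" */
    build_key("VL -", 2, key, sizeof key);
    printf("i=2 -> %s\n", key);
    printf("123456 -> %d\n", check_code("VL -", 5, "123456"));
    printf("%s -> %d\n", key, check_code("VL -", 5, key));
    return 0;
}
```

The i=0 value 3585902 annotated in the listing and the i=2 value 3585904 in the key differ only by the XOR with i, since i>>14 is 0 for such small indices.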
From the above, the key call is the CALL 脱壳后.00407668.
Step into it to see what it really does (only understanding the algorithm is the royal road).
It turns out this crackme, and especially the processing inside this call, is very similar to number 78.
......
00407C67 . 8975 DC MOV DWORD PTR SS:[EBP-24],ESI
00407C6A . 51 PUSH ECX
00407C6B . 52 PUSH EDX
00407C6C . E8 96000000 CALL 脱壳后.00407D07 ; the key point, step into it
00407C71 . 5A POP EDX
00407C72 . 8B5D E4 MOV EBX,DWORD PTR SS:[EBP-1C]
00407C75 . 29CB SUB EBX,ECX
......
This eax value is what matters; from the analysis we know it comes from the value computed before call 00407668
00407E53 |> 8D75 9F LEA ESI,DWORD PTR SS:[EBP-61] ; let eax be a1, i=7
00407E56 |> |31D2 /XOR EDX,EDX
00407E58 |. |F7F1 |DIV ECX ; a1=a1/0xa
00407E5A |. |80C2 30 |ADD DL,30 ; temp=a1%0xa+0x30
00407E5D |. |80FA 3A |CMP DL,3A ; if temp < 0x3a
00407E60 |. |72 03 |JB SHORT 脱壳后的.00407E65 ; else temp+=0x7
00407E62 |. |80C2 07 |ADD DL,7
00407E65 |> |4E |DEC ESI ; i--
00407E66 |. |8816 |MOV BYTE PTR DS:[ESI],DL ; buffer[i]=temp
00407E68 |. |09C0 |OR EAX,EAX
00407E6A |.^|75 EA /JNZ SHORT 脱壳后的.00407E56
00407E6C |. |8D4D 9F LEA ECX,DWORD PTR SS:[EBP-61]
The buffer holds that number string.
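The digit loop at 00407E56 to 00407E6A, written out in C as an added example (not the crackme's or the post's code). The radix is a parameter because the routine is a generic integer-to-string converter: with ECX=0xA, as here, the +7 branch never fires, but with ECX=0x10 it turns remainders 10..15 into 'A'..'F'. The buffer size of 16 is an assumption; the listing only shows the end address EBP-61.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Converts a1 to a digit string in the given radix the way the loop at
   00407E56-00407E6A does: the buffer is filled from its end backwards
   (DEC ESI before each store), each digit is remainder+0x30, and remainders
   of 10 or more get +7 so they become 'A'..'F' for radix 16. The loop is a
   do-while (OR EAX,EAX after the store), so 0 yields "0". Returns a pointer
   to the first digit; the string is NUL-terminated inside buf. */
const char *cvt_uint(uint32_t a1, uint32_t radix, char *buf, size_t buflen)
{
    char *p = buf + buflen - 1;       /* ESI starts one past the last digit */
    *p = '\0';
    do {
        uint32_t temp = a1 % radix;   /* XOR EDX,EDX / DIV ECX: remainder in EDX */
        a1 /= radix;                  /* quotient stays in EAX */
        temp += 0x30;                 /* ADD DL,30 */
        if (temp >= 0x3A)             /* CMP DL,3A / JB skips the add for '0'..'9' */
            temp += 7;                /* ADD DL,7: 0x3A.. -> 'A'.. */
        --p;                          /* DEC ESI */
        *p = (char)temp;              /* MOV BYTE PTR [ESI],DL */
    } while (a1 != 0);                /* OR EAX,EAX / JNZ */
    return p;
}

int main(void)
{
    char buf[16];                     /* assumed size; 11 bytes suffice for 32-bit decimal */
    /* constructed inputs: the tempi value from the key and a hex sample */
    puts(cvt_uint(3585904, 10, buf, sizeof buf));   /* 3585904 */
    puts(cvt_uint(0xBEEF, 16, buf, sizeof buf));    /* BEEF */
    puts(cvt_uint(0, 10, buf, sizeof buf));         /* 0 */
    return 0;
}
```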
Then CALL 00403B24 is passed 4 constant strings and joins these 4 number strings together.
The result is the corresponding key.
I won't analyse the rest. Over.