这两个程序都比较简单但还是比较有趣,都是直接用汇编编写,没有加壳,分析如下:
033:
od载入进行关键点的分析:
代码如下:
; Final compare of CrackMe 033: eax and ebx are the results of the two calls at
; 0x40122D / 0x401238 (listed below); per the analysis, equal means success.
00401241 . 3BC3 cmp eax,ebx                    ; eax = name hash, ebx = parsed serial (presumably; the pop eax before this is not listed)
00401243 . 74 07 je short Cruehead.0040124C     ; equal -> success path
00401245 . E8 18010000 call Cruehead.00401362   ; mismatch handler (body not shown)
0040124A .^ EB 9A jmp short Cruehead.004011E6   ; back to the common continuation at 0x4011E6 (not shown)
0040124C > E8 FC000000 call Cruehead.0040134D   ; success handler (body not shown)
00401251 .^ EB 93 jmp short Cruehead.004011E6
如果eax和ebx相等就成功,所以需要分析eax和ebx的来源。上面有一句pop eax,我们往上看代码:
; The two calls that produce the values compared at 0x401241.
00401228 . 68 8E214000 push Cruehead.0040218E   ; arg: pointer to a string buffer at 0x40218E (presumably the name - the letter checks in 0x40137E suggest it; confirm)
0040122D . E8 4C010000 call Cruehead.0040137E   ; string hash routine listed below; returns eax = edi ^ 0x5678
00401232 . 50 push eax                          ; keep that result on the stack across the next call
00401233 . 68 7E214000 push Cruehead.0040217E   ; arg: pointer to a second string buffer at 0x40217E (presumably the serial)
00401238 . E8 9B010000 call Cruehead.004013D8   ; decimal parse routine listed below; returns ebx = value ^ 0x1234
分析一下这两个call,程序的逻辑就非常清楚了:
;-----------------------------------------------------------------------
; sub_40137E(const char *s)      arg at [esp+4]
; Out:  eax = edi ^ 0x5678. edi is presumably produced by the call to
;       0x4013C2 (not listed); the analysis below models it as the plain
;       sum of the string's bytes.
; The loop below only classifies each character (below 'A', 'A'..'Y',
; 'Z' and above); the accumulation itself is not visible in this listing.
;-----------------------------------------------------------------------
0040137E /$ 8B7424 04 mov esi,dword ptr ss:[esp+0x4]   ; esi = s
00401382 |. 56 push esi                                  ; save the start of the string for the second pass
00401383 |> 8A06 /mov al,byte ptr ds:[esi]               ; al = *esi
00401385 |. 84C0 |test al,al
00401387 |. 74 13 |je short Cruehead.0040139C            ; NUL terminator -> leave the loop
00401389 |. 3C 41 |cmp al,0x41
0040138B |. 72 1F |jb short Cruehead.004013AC            ; al < 'A' (unsigned): goes to 0x4013AC, which is not listed
0040138D |. 3C 5A |cmp al,0x5A
0040138F |. 73 03 |jnb short Cruehead.00401394           ; al >= 'Z' (jnb is >=, so 'Z' itself takes this path too)
00401391 |. 46 |inc esi                                  ; 'A'..'Y': nothing else happens, just advance
00401392 |.^ EB EF |jmp short Cruehead.00401383
00401394 |> E8 39000000 |call Cruehead.004013D2          ; extra handling for al >= 'Z' (body not shown)
00401399 |. 46 |inc esi
0040139A |.^ EB E7 \jmp short Cruehead.00401383
0040139C |> 5E pop esi                                   ; esi = s again (the debugger's kernel32 annotation is stale)
0040139D |. E8 20000000 call Cruehead.004013C2           ; presumably computes edi from the string (body not shown)
004013A2 |. 81F7 78560000 xor edi,0x5678                 ; final mask
004013A8 |. 8BC7 mov eax,edi                             ; return value; the listing stops before the ret
;-----------------------------------------------------------------------
; sub_4013D8(const char *s)      arg at [esp+4]
; Out:  ebx = value ^ 0x1234, where value is the base-10 accumulation of
;       (c - 0x30) over the string. edi holds the same value; eax = 0xA.
; There is no check that c - 0x30 is in 0..9: a letter is accepted as a
; "digit" >= 10 (e.g. 'A' -> 17), which the analysis below relies on.
; sub bl,0x30 wraps in 8 bits, and imul edi wraps at 32 bits.
;-----------------------------------------------------------------------
004013D8 /$ 33C0 xor eax,eax                             ; eax = 0 so the later mov al leaves the high bytes clear
004013DA |. 33FF xor edi,edi                             ; edi = accumulator
004013DC |. 33DB xor ebx,ebx                             ; ebx = 0 so bl loads act as zero-extended bytes
004013DE |. 8B7424 04 mov esi,dword ptr ss:[esp+0x4]   ; esi = s
004013E2 |> B0 0A /mov al,0xA                            ; eax = 10 (radix)
004013E4 |. 8A1E |mov bl,byte ptr ds:[esi]               ; bl = *esi
004013E6 |. 84DB |test bl,bl
004013E8 |. 74 0B |je short Cruehead.004013F5            ; NUL terminator -> done
004013EA |. 80EB 30 |sub bl,0x30                         ; bl = c - '0' (no range check)
004013ED |. 0FAFF8 |imul edi,eax                         ; edi *= 10
004013F0 |. 03FB |add edi,ebx                            ; edi += digit
004013F2 |. 46 |inc esi
004013F3 |.^ EB ED \jmp short Cruehead.004013E2
004013F5 |> 81F7 34120000 xor edi,0x1234                 ; final mask
004013FB |. 8BDF mov ebx,edi                             ; return value in ebx
004013FD \. C3 retn
分析程序的意图如下:
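"""Model of the name/serial check in CrackMe 033.

The routine at 0x40137E hashes the name and returns hash ^ 0x5678; the routine
at 0x4013D8 parses the serial as a decimal number (each character contributes
c - 0x30 with no digit check) and returns value ^ 0x1234.  The compare at
0x401241 succeeds when the two are equal.  The summation itself lives in the
call at 0x4013C2, which is not listed; this model follows the analysis and
uses the plain sum of the name's bytes.
"""

NAME_MASK = 0x5678     # xor edi,0x5678 at 0x4013A2
SERIAL_MASK = 0x1234   # xor edi,0x1234 at 0x4013F5
RADIX = 0xA            # mov al,0xA at 0x4013E2
DIGIT_BASE = 0x30      # sub bl,0x30 at 0x4013EA


def name_hash(name):
    """Sum of the character codes of ``name``, xored with NAME_MASK.

    The sum is the analysis' model of the unlisted call at 0x4013C2.
    """
    return sum(ord(c) for c in name) ^ NAME_MASK


def serial_value(serial):
    """Value produced by 0x4013D8 before its final mask.

    Base-10 accumulation of (c - 0x30).  No range check is done, so a letter
    counts as a digit >= 10 ('A' -> 17).  The 8-bit wrap of ``sub bl,0x30`` and
    the 32-bit wrap of ``imul edi`` are reproduced so out-of-range input
    behaves as in the binary.
    """
    value = 0
    for c in serial:
        digit = (ord(c) - DIGIT_BASE) & 0xFF
        value = (value * RADIX + digit) & 0xFFFFFFFF
    return value


def serial_for(name):
    """Return a purely numeric serial accepted for ``name``.

    The check needs serial_value(serial) ^ SERIAL_MASK == name_hash(name);
    the decimal digits of the required value satisfy that directly, the
    letter form used below ("A794") just folds the leading "17" into 'A'.
    """
    return str(name_hash(name) ^ SERIAL_MASK)


name = "FOYJOG"
value = sum(ord(i) for i in name)
print(hex(value ^ NAME_MASK))            # 0x57b6

name2 = "A794"
value2 = serial_value(name2)
print(value2)                            # 17794
print(hex(value2 ^ SERIAL_MASK))         # 0x57b6 - equals the name hash, so the pair is accepted
print(hex(0x57b6 ^ SERIAL_MASK))         # 0x4582 = 17794: what the serial must parse to
# 17794 written with the digit "17" as a single character: 'A' (17 + 0x30)
print(" ".join(chr(d + DIGIT_BASE) for d in (17, 7, 9, 4)))   # A 7 9 4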
ok,只要慢慢分析,就能得到配对的name和serial。name为FOYJOG时对应的serial为:A794
034
这个程序需要分析一下:我们直接看代码:
; CrackMe 034 key check: open CRACKME3.KEY, read 0x12 bytes, decode/hash the
; buffer with 0x401311 and compare against the value returned by 0x40133C.
00401016 |. 6A 00 push 0x0 ; /hTemplateFile = NULL
00401018 |. 68 80000000 push 0x80 ; |Attributes = NORMAL
0040101D |. 6A 03 push 0x3 ; |Mode = OPEN_EXISTING (the file must already exist)
0040101F |. 6A 00 push 0x0 ; |pSecurity = NULL
00401021 |. 6A 03 push 0x3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401023 |. 68 000000C0 push 0xC0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00401028 |. 68 D7204000 push Cruehead.004020D7 ; |FileName = "CRACKME3.KEY"
0040102D |. E8 76040000 call <jmp.&KERNEL32.CreateFileA> ; \CreateFileA
00401032 |. 83F8 FF cmp eax,-0x1 ; INVALID_HANDLE_VALUE?
00401035 |. 75 0C jnz short Cruehead.00401043 ; opened -> go read it
00401037 |> 68 0E214000 push Cruehead.0040210E ; ASCII "CrackMe v3.0 " - unregistered path; also reached from the length check at 0x40106D
0040103C |. E8 B4020000 call Cruehead.004012F5 ; body not shown
00401041 |. EB 6B jmp short Cruehead.004010AE
00401043 |> A3 F5204000 mov dword ptr ds:[0x4020F5],eax ; save the file handle in a global
00401048 |. B8 12000000 mov eax,0x12 ; bytes to read = 18
0040104D |. BB 08204000 mov ebx,Cruehead.00402008 ; read buffer
00401052 |. 6A 00 push 0x0 ; /pOverlapped = NULL
00401054 |. 68 A0214000 push Cruehead.004021A0 ; |pBytesRead = Cruehead.004021A0
00401059 |. 50 push eax ; |BytesToRead = eax = 0x12 (the debugger annotation here showed stale register contents)
0040105A |. 53 push ebx ; |Buffer = 0x402008 (same remark)
0040105B |. FF35 F5204000 push dword ptr ds:[0x4020F5] ; |hFile = handle saved at 0x401043 (same remark)
00401061 |. E8 30040000 call <jmp.&KERNEL32.ReadFile> ; \ReadFile
00401066 |. 833D A0214000>cmp dword ptr ds:[0x4021A0],0x12 ; exactly 18 bytes must have been read, so a shorter key file fails
0040106D |.^ 75 C8 jnz short Cruehead.00401037
0040106F |. 68 08204000 push Cruehead.00402008 ; arg: the key buffer
00401074 |. E8 98020000 call Cruehead.00401311 ; listed below: xors the buffer in place and sums the decoded bytes into [0x4020F9]
00401079 |. 8135 F9204000>xor dword ptr ds:[0x4020F9],0x12345678 ; final mask on that sum
00401083 |. 83C4 04 add esp,0x4 ; cdecl cleanup
00401086 |. 68 08204000 push Cruehead.00402008 ; arg: the (now decoded) buffer
0040108B |. E8 AC020000 call Cruehead.0040133C ; body not shown; the analysis assumes it yields the dword stored at buffer offset 14 - confirm
00401090 |. 83C4 04 add esp,0x4
00401093 |. 3B05 F9204000 cmp eax,dword ptr ds:[0x4020F9]
00401099 |. 0f94c0 sete al ; al = 1 if the two values match
0040109C |. 50 push eax
0040109D |. 84C0 test al,al ; the branch on the result follows (not listed)
哦,原来是通过一个注册文件进行注册:文件名为CRACKME3.KEY,ReadFile读到的字节数必须等于0x12(即文件至少要有0x12个字节)。
程序的算法在 call Cruehead.00401311中可以得到。
;-----------------------------------------------------------------------
; sub_401311(char *buf)          arg at [esp+4], caller does add esp,4
; Decodes buf in place: buf[i] ^= 0x41 + i, and adds every decoded byte
; (zero-extended in eax) to the global dword at 0x4020F9. Stops when bl
; reaches 0x4F (14 bytes processed) or earlier when a decoded byte is 0.
; cl counts the non-zero bytes; the listing stops before the ret, so
; what the caller does with ecx is not visible. [0x4020F9] is not
; cleared here, so its starting value matters (presumably 0 - confirm).
;-----------------------------------------------------------------------
00401311 /$ 33C9 xor ecx,ecx                             ; ecx = 0 (byte counter)
00401313 |. 33C0 xor eax,eax                             ; eax = 0 so mov al leaves the high bytes clear for the 32-bit add below
00401315 |. 8B7424 04 mov esi,dword ptr ss:[esp+0x4]   ; esi = buf
00401319 |. B3 41 mov bl,0x41                            ; running key byte, starts at 'A' (upper bytes of ebx are not cleared, only bl is used)
0040131B |> 8A06 /mov al,byte ptr ds:[esi]               ; al = *esi
0040131D |. 32C3 |xor al,bl                              ; decode with the current key byte
0040131F |. 8806 |mov byte ptr ds:[esi],al               ; write it back: the buffer is modified in place
00401321 |. 46 |inc esi
00401322 |. FEC3 |inc bl                                 ; next key byte
00401324 |. 0105 F9204000 |add dword ptr ds:[0x4020F9],eax   ; accumulate the decoded byte
0040132A |. 3C 00 |cmp al,0x0
0040132C |. 74 07 |je short Cruehead.00401335            ; decoded byte == 0 -> leave early (0x401335 not listed)
0040132E |. FEC1 |inc cl                                 ; count non-zero bytes
00401330 |. 80FB 4F |cmp bl,0x4F
00401333 |.^ 75 E6 \jnz short Cruehead.0040131B          ; loop until bl == 0x4F, i.e. 14 iterations
分析如下:
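"""Model of the key check in CrackMe 034.

From the listing above: CRACKME3.KEY is opened and 0x12 bytes are read, and the
check at 0x401066 requires that exactly 0x12 bytes were read.  The routine at
0x401311 then xors the buffer in place with a running key starting at 'A'
(0x41), adds every decoded byte to the global dword at 0x4020F9 and stops once
the key reaches 0x4F, i.e. after 14 bytes (or earlier if a decoded byte is 0).
That dword is finally xored with 0x12345678 and compared with the return value
of the call at 0x40133C, which is not listed; the key written by the one-liner
below places the dword little-endian at offset 14, so this model assumes that.
"""
import struct

name = "fuzhenzhenshishuaibi"
KEY_START = 0x41           # mov bl,0x41
KEY_END = 0x4F             # cmp bl,0x4F / jnz loop -> 14 iterations
FINAL_MASK = 0x12345678    # xor dword ptr ds:[0x4020F9],0x12345678
KEY_FILE_LEN = 0x12        # bytes-read value required at 0x401066
PREFIX_LEN = KEY_END - KEY_START


def decode_and_sum(text):
    """Return (decoded_prefix, checksum) as the loop at 0x40131B computes them.

    Only the first PREFIX_LEN characters are consumed.  Each byte is xored with
    the running key ('A', 'B', ...) and the decoded byte is added to the sum;
    a decoded byte of 0 makes the routine leave the loop (je short 0x401335),
    which is modelled by stopping here as well.
    """
    decoded = ""
    total = 0
    key = KEY_START
    for ch in text:
        if key == KEY_END:
            break
        byte = ord(ch) ^ key
        decoded += chr(byte)
        total += byte              # add dword ptr [0x4020F9],eax (eax holds only al)
        key += 1
        if byte == 0:
            break
    return decoded, total


name2, result = decode_and_sum(name)
expected = result ^ FINAL_MASK
print(hex(expected))               # 0x1234540d for this name

# The 4 bytes that must follow the 14-byte prefix in CRACKME3.KEY, in the order
# the one-liner below writes them (little-endian dword: 0d 54 34 12).  Deriving
# them from `expected` replaces the hand-typed chr(0x12),chr(0x34),chr(0x45),
# chr(0x0d), which had 0x45 where the computed value has 0x54 and was not in
# the order the one-liner uses.
tail = struct.pack("<I", expected)
print(" ".join("%02x" % b for b in bytearray(tail)))

# Full key file content: prefix, tail, then the rest of the name as padding so
# that the file is at least KEY_FILE_LEN bytes long (the check wants exactly
# 0x12 bytes read, so a shorter file fails).
key_file = name[:PREFIX_LEN].encode("latin-1") + tail + name[PREFIX_LEN:].encode("latin-1")
print("%d bytes: %r" % (len(key_file), key_file))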
打印后发现,额,这些字节是不可见字符,没法直接输入,所以我们借助python把特殊字符写入文件:
python -c "print 'fuzhenzhenshis'+chr(0x0d)+chr(0x54)+chr(0x34)+chr(0x12)+'bi'" > CRACKME3.KEY
额,完成