吾爱破解crackme 033 034

这两个程序(从模块名 Cruehead 和字符串 "CrackMe v3.0" 可以看出是 Cruehead 的 CrackMe v1 和 v3)都比较简单但还是比较有趣的,都是直接用汇编编写,没有加壳,分析如下:
033:
od载入进行关键点的分析:
代码如下:

00401241   .  3BC3          cmp eax,ebx                              ;  eax = name hash from 0040137E (pushed at 00401232, restored by the pop eax the text mentions); ebx = serial value from 004013D8
00401243   .  74 07         je short Cruehead.0040124C               ;  equal -> 0040124C; this single conditional jump is the whole decision
00401245   .  E8 18010000   call Cruehead.00401362                   ;  not equal: presumably the failure handler (body not in listing)
0040124A   .^ EB 9A         jmp short Cruehead.004011E6              ;  common continuation (target not in listing)
0040124C   >  E8 FC000000   call Cruehead.0040134D                   ;  equal: presumably the success handler (body not in listing)
00401251   .^ EB 93         jmp short Cruehead.004011E6

如果eax和ebx相等就成功,整个判断只有这一处 je,所以关键是 eax 和 ebx 各是怎么算出来的。cmp 前面有一句 pop eax,取回的是之前 push 保存的 eax(name 的计算结果),而 ebx 由第二个 call 直接返回,我们往上看代码:

00401228   .  68 8E214000   push Cruehead.0040218E                   ;  arg0 = NUL-terminated string at 0040218E (presumably the name edit buffer)
0040122D   .  E8 4C010000   call Cruehead.0040137E                   ;  name routine -> eax (listing below)
00401232   .  50            push eax                                 ;  keep the name result; the caller pops it back into eax before cmp at 00401241
00401233   .  68 7E214000   push Cruehead.0040217E                   ;  arg0 = NUL-terminated string at 0040217E (presumably the serial edit buffer)
00401238   .  E8 9B010000   call Cruehead.004013D8                   ;  serial routine -> ebx (listing below); both routines walk to the NUL with no length bound

这两个 call 分别处理 name(0040137E)和 serial(004013D8),分析一下程序就非常清楚了:

0040137E  /$  8B7424 04     mov esi,dword ptr ss:[esp+0x4]           ;  esi = arg0 = NUL-terminated name string
00401382  |.  56            push esi                                 ;  keep the start of the name for the second pass below
00401383  |>  8A06          /mov al,byte ptr ds:[esi]                ;  first pass: classify each byte
00401385  |.  84C0          |test al,al
00401387  |.  74 13         |je short Cruehead.0040139C              ;  NUL -> end of first pass
00401389  |.  3C 41         |cmp al,0x41
0040138B  |.  72 1F         |jb short Cruehead.004013AC              ;  byte < 'A' -> 004013AC (target not in listing)
0040138D  |.  3C 5A         |cmp al,0x5A
0040138F  |.  73 03         |jnb short Cruehead.00401394             ;  byte >= 'Z' (jnb, so 'Z' itself is included) -> 00401394
00401391  |.  46            |inc esi                                 ;  'A'..'Y': advance, byte left as is
00401392  |.^ EB EF         |jmp short Cruehead.00401383
00401394  |>  E8 39000000   |call Cruehead.004013D2                  ;  per-byte handler for bytes >= 0x5A (body not in listing)
00401399  |.  46            |inc esi
0040139A  |.^ EB E7         \jmp short Cruehead.00401383
0040139C  |>  5E            pop esi                                  ;  esi = start of the name again
0040139D  |.  E8 20000000   call Cruehead.004013C2                   ;  second pass, body not in listing; the writeup models it as edi = sum of the bytes
004013A2  |.  81F7 78560000 xor edi,0x5678                           ;  edi ^= 0x5678
004013A8  |.  8BC7          mov eax,edi                              ;  result returned in eax (pushed by the caller at 00401232)

004013D8  /$  33C0          xor eax,eax                              ;  eax = 0, so "mov al,0xA" below leaves eax == 10
004013DA  |.  33FF          xor edi,edi                              ;  edi = accumulator
004013DC  |.  33DB          xor ebx,ebx                              ;  ebx = 0, so bl below is zero-extended when added to edi
004013DE  |.  8B7424 04     mov esi,dword ptr ss:[esp+0x4]           ;  esi = arg0 = NUL-terminated serial string
004013E2  |>  B0 0A         /mov al,0xA                              ;  radix 10
004013E4  |.  8A1E          |mov bl,byte ptr ds:[esi]
004013E6  |.  84DB          |test bl,bl
004013E8  |.  74 0B         |je short Cruehead.004013F5              ;  NUL -> done
004013EA  |.  80EB 30       |sub bl,0x30                             ;  bl -= '0' with NO digit check; 8-bit wrap: 'A' -> 17, '/' -> 255
004013ED  |.  0FAFF8        |imul edi,eax                            ;  edi *= 10 (32-bit wrap, not detected)
004013F0  |.  03FB          |add edi,ebx                             ;  edi += "digit"
004013F2  |.  46            |inc esi
004013F3  |.^ EB ED         \jmp short Cruehead.004013E2
004013F5  |>  81F7 34120000 xor edi,0x1234                           ;  edi ^= 0x1234
004013FB  |.  8BDF          mov ebx,edi                              ;  result returned in ebx (eax is left holding 10)
004013FD  \.  C3            retn

分析程序的意图如下:

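# Cruehead CrackMe v1 (crackme 033): Python model of the two check routines.
#   0040137E  name   -> eax  (byte sum, then ^ 0x5678)
#   004013D8  serial -> ebx  (decimal parse with NO digit check, then ^ 0x1234)
# The crackme accepts the pair when eax == ebx (cmp at 00401241).
# Runs under Python 2 and 3.

NAME_XOR = 0x5678    # xor edi,0x5678 at 004013A2
SERIAL_XOR = 0x1234  # xor edi,0x1234 at 004013F5
MASK32 = 0xFFFFFFFF  # edi is a 32-bit register


def name_hash(name):
    """Value left in eax by 0040137E for `name`.

    The routine branches away for any byte below 0x41 (jb 004013AC) and
    sends any byte >= 0x5A -- 'Z' included, because the branch is jnb --
    through call 004013D2, whose body is not in the listing.  The body of
    004013C2 (the accumulation) is not shown either; the writeup models it
    as a plain byte sum.  So this function only accepts names made of
    'A'..'Y' and raises ValueError for anything else instead of guessing.
    An empty name yields 0 ^ 0x5678, exactly as the listing would.
    """
    for ch in name:
        if not ("A" <= ch <= "Y"):
            raise ValueError("byte %r is not modelled (only 'A'..'Y')" % ch)
    total = sum(ord(ch) for ch in name)
    return (total ^ NAME_XOR) & MASK32


def serial_value(serial):
    """Value left in ebx by 004013D8 for `serial`, modelled byte for byte.

    Each byte is taken as (byte - 0x30) & 0xFF with no range check, so
    non-digits are accepted: 'A' counts as 17, ':' as 10, '/' as 255.
    Parsing stops at the first NUL byte; the accumulator wraps at 32 bits.
    """
    acc = 0
    for ch in serial:
        byte = ord(ch)
        if byte == 0:
            break
        digit = (byte - 0x30) & 0xFF  # sub bl,0x30 wraps in 8 bits
        acc = (acc * 10 + digit) & MASK32
    return (acc ^ SERIAL_XOR) & MASK32


def make_serial(name):
    """Plain-decimal serial for `name`: str(name_hash(name) ^ 0x1234).

    Any other string that serial_value() maps to the same number also
    passes; the writeup's 'A794' is such an alias of '17794' ('A' -> 17).
    """
    return str((name_hash(name) ^ SERIAL_XOR) & MASK32)


if __name__ == "__main__":
    name = "FOYJOG"
    print(hex(name_hash(name)))                  # 0x57b6
    print(make_serial(name))                     # 17794
    print(hex(serial_value(make_serial(name))))  # 0x57b6
    print(hex(serial_value("A794")))             # 0x57b6 too: accepted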

ok,只要慢慢分析就能得到一对 name 和 serial。FOYJOG 的 name 计算结果是 0x57B6,serial 需要满足 parse(serial)^0x1234 == 0x57B6,即 parse(serial) == 0x4582 = 17794,所以正常的 serial 就是 17794。由于 004013D8 对每个字节只做 sub bl,0x30 而不检查是不是数字,'A'(0x41-0x30=17)可以顶替开头的两位 "17",于是 A794 也是一个合法 serial,看起来和 name 更"对称"。

034
这个程序需要分析一下:我们直接看代码:

00401016  |.  6A 00         push 0x0                                 ; /hTemplateFile = NULL
00401018  |.  68 80000000   push 0x80                                ; |Attributes = NORMAL
0040101D  |.  6A 03         push 0x3                                 ; |Mode = OPEN_EXISTING
0040101F  |.  6A 00         push 0x0                                 ; |pSecurity = NULL
00401021  |.  6A 03         push 0x3                                 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401023  |.  68 000000C0   push 0xC0000000                          ; |Access = GENERIC_READ|GENERIC_WRITE (write access requested although the file is only read here)
00401028  |.  68 D7204000   push Cruehead.004020D7                   ; |FileName = "CRACKME3.KEY" (relative path: resolved against the current directory)
0040102D  |.  E8 76040000   call <jmp.&KERNEL32.CreateFileA>         ; \CreateFileA
00401032  |.  83F8 FF       cmp eax,-0x1                             ;  INVALID_HANDLE_VALUE?
00401035  |.  75 0C         jnz short Cruehead.00401043              ;  opened -> 00401043
00401037  |>  68 0E214000   push Cruehead.0040210E                   ;  ASCII "CrackMe v3.0             " -- failure path (also reached from 0040106D)
0040103C  |.  E8 B4020000   call Cruehead.004012F5                   ;  presumably shows the failure message (body not in listing)
00401041  |.  EB 6B         jmp short Cruehead.004010AE
00401043  |>  A3 F5204000   mov dword ptr ds:[0x4020F5],eax          ;  save the file handle
00401048  |.  B8 12000000   mov eax,0x12                             ;  bytes to read = 0x12 = 18
0040104D  |.  BB 08204000   mov ebx,Cruehead.00402008                ;  destination buffer
00401052  |.  6A 00         push 0x0                                 ; /pOverlapped = NULL
00401054  |.  68 A0214000   push Cruehead.004021A0                   ; |pBytesRead = Cruehead.004021A0
00401059  |.  50            push eax                                 ; |BytesToRead = 0x12 (eax from 00401048; OllyDbg's "6AA20276" was a stale register snapshot)
0040105A  |.  53            push ebx                                 ; |Buffer = Cruehead.00402008 (ebx from 0040104D)
0040105B  |.  FF35 F5204000 push dword ptr ds:[0x4020F5]             ; |hFile = handle saved at 00401043
00401061  |.  E8 30040000   call <jmp.&KERNEL32.ReadFile>            ; \ReadFile
00401066  |.  833D A0214000>cmp dword ptr ds:[0x4021A0],0x12         ;  must have read exactly 0x12 bytes -> file must be >= 18 bytes; ReadFile's BOOL result in eax is never checked
0040106D  |.^ 75 C8         jnz short Cruehead.00401037              ;  short file -> same failure path as a failed open
0040106F  |.  68 08204000   push Cruehead.00402008                   ;  arg0 = key buffer
00401074  |.  E8 98020000   call Cruehead.00401311                   ;  xor/sum the first 14 bytes into [4020F9] (listing below)
00401079  |.  8135 F9204000>xor dword ptr ds:[0x4020F9],0x12345678   ;  [4020F9] ^= 0x12345678
00401083  |.  83C4 04       add esp,0x4                              ;  caller cleans up the pushed argument
00401086  |.  68 08204000   push Cruehead.00402008                   ;  arg0 = key buffer (decoded in place by 00401311)
0040108B  |.  E8 AC020000   call Cruehead.0040133C                   ;  not in listing; returns in eax the value compared below (the writeup's key layout puts it at buffer offset 14)
00401090  |.  83C4 04       add esp,0x4
00401093  |.  3B05 F9204000 cmp eax,dword ptr ds:[0x4020F9]          ;  eax == (sum ^ 0x12345678)?
00401099  |.  0f94c0        sete al                                  ;  al = 1 if equal
0040109C  |.  50            push eax
0040109D  |.  84C0          test al,al                               ;  decision continues past the listing

哦,原来是读一个注册文件来验证:文件名是 CRACKME3.KEY(相对路径,在当前工作目录下打开,而且是以 GENERIC_READ|GENERIC_WRITE 打开的),ReadFile 请求 0x12 字节,读到的字节数必须正好是 0x12,所以文件至少要有 18 字节,多出来的部分不会被读取;注意这里只比较了读到的字节数,没有检查 ReadFile 的返回值。
对前 14 个字节的计算在 call Cruehead.00401311 中;和它比较的另一个值由 call Cruehead.0040133C 返回(这段代码上面没有贴出来,下面的 KEY 文件布局假定它取的是缓冲区偏移 14 处的 4 个字节)。

00401311  /$  33C9          xor ecx,ecx                              ;  cl counts the bytes processed (inc cl at 0040132E)
00401313  |.  33C0          xor eax,eax                              ;  eax = 0 so the byte loaded into al is zero-extended when added below
00401315  |.  8B7424 04     mov esi,dword ptr ss:[esp+0x4]           ;  esi = arg0 = key buffer (Cruehead.00402008 from the caller)
00401319  |.  B3 41         mov bl,0x41                              ;  running xor key: 'A' for byte 0, 'B' for byte 1, ...
0040131B  |>  8A06          /mov al,byte ptr ds:[esi]
0040131D  |.  32C3          |xor al,bl                               ;  al = byte ^ (0x41 + i)
0040131F  |.  8806          |mov byte ptr ds:[esi],al                ;  written back: the buffer is decoded in place
00401321  |.  46            |inc esi
00401322  |.  FEC3          |inc bl
00401324  |.  0105 F9204000 |add dword ptr ds:[0x4020F9],eax         ;  [4020F9] += xored byte (assumed zero before the call; initialisation not in listing)
0040132A  |.  3C 00         |cmp al,0x0
0040132C  |.  74 07         |je short Cruehead.00401335              ;  xored byte == 0 (byte == 0x41+i) -> stop early; that 0 was already added
0040132E  |.  FEC1          |inc cl
00401330  |.  80FB 4F       |cmp bl,0x4F
00401333  |.^ 75 E6         \jnz short Cruehead.0040131B             ;  at most 14 rounds (bl 0x41..0x4E); bytes 14..17 of the key are never summed

分析如下:

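# Cruehead CrackMe v3 (crackme 034): build the 0x12-byte CRACKME3.KEY.
# Layout the check code implies (ReadFile of 0x12 bytes at 00401048..00401066):
#   bytes  0..13  name, consumed by 00401311 (14 rounds, bl = 0x41..0x4E)
#   bytes 14..17  value compared at 00401093 against (sum ^ 0x12345678);
#                 that value is returned by 0040133C, which the listing does
#                 not show -- the writeup (and this script) assume it is the
#                 little-endian dword at offset 14.
# Runs under Python 2 and 3.
import struct

KEY_LEN = 0x12          # bytes the loader must read (00401048 / 00401066)
NAME_LEN = 0x4F - 0x41  # 14: loop at 0040131B ends when bl reaches 0x4F
SUM_XOR = 0x12345678    # xor at 00401079
MASK32 = 0xFFFFFFFF


def key_checksum(name):
    """Value 00401311 leaves in [4020F9] for the first 14 bytes of `name`.

    Round i xors byte i with 0x41 + i and adds the 8-bit result.  The loop
    also stops as soon as a xored byte is zero (cmp al,0 at 0040132A), i.e.
    when name[i] == chr(0x41 + i); that zero is still added, later bytes are
    not.  Bytes beyond the 14th are never looked at.  For a name shorter
    than 14 bytes the real loop would run on into the following key bytes;
    this model only sums what it is given, so use build_key(), which
    rejects short names.
    """
    total = 0
    for i, ch in enumerate(name[:NAME_LEN]):
        x = (ord(ch) ^ (0x41 + i)) & 0xFF
        total = (total + x) & MASK32
        if x == 0:
            break
    return total


def build_key(name):
    """Return the 18 key bytes for `name` (a str of at least 14 ASCII chars).

    The trailing dword is emitted with struct.pack('<I', ...) so its byte
    order cannot be mistyped; only the first 14 characters of `name` matter.
    Raises ValueError for a name shorter than 14 characters.
    """
    if len(name) < NAME_LEN:
        raise ValueError("name must have at least %d characters" % NAME_LEN)
    head = name[:NAME_LEN]
    expected = (key_checksum(head) ^ SUM_XOR) & MASK32
    return head.encode("latin-1") + struct.pack("<I", expected)


if __name__ == "__main__":
    name = "fuzhenzhenshishuaibi"
    print(hex(key_checksum(name) ^ SUM_XOR))  # 0x1234540d
    print(repr(build_key(name)))              # b'fuzhenzhenshis\rT4\x12'
    # to write the file:  open("CRACKME3.KEY", "wb").write(build_key(name))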

这四个字节里有 0x0D、0x12 这样的控制字符,没法直接在编辑器里敲出来,所以借助 python 往文件里写。注意上面 print 出来的顺序 (0x12 0x34 0x45 0x0d) 既有笔误(0x45 应为 0x54),又是大端顺序;文件里存的是 dword 0x1234540D 的小端字节序,即 0D 54 34 12,紧跟在 14 字节的 name 后面:

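# Write exactly the bytes the check expects, in binary mode (no newline or
# text-mode translation), deriving the dword from the value instead of typing
# its bytes by hand.  Works with python2 and python3; only the first 0x12
# bytes of the file are read, so nothing else needs to follow.
python -c "import struct; open('CRACKME3.KEY','wb').write(b'fuzhenzhenshis'+struct.pack('<I',0x1234540D))"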

额,完成。(此处原有一张截图)
