环境
windows xp sp3
工具
exeinfo pe ollydbg
查壳
无壳的汇编程序(OD载入的出来的)
测试
当name输入为数字时,会弹出两次错误框。
OD载入搜字符串,发现有两个地方:
0040134D /$ 6A 30 push 0x30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0040134F |. 68 29214000 push Cruehead.00402129 ; |Title = "Good work!"
00401354 |. 68 34214000 push Cruehead.00402134 ; |Text = "Great work, mate!
Now try the next CrackMe!"
00401359 |. FF75 08 push [arg.1] ; |hOwner
0040135C |. E8 D9000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00401361 \. C3 retn
00401362 /$ 6A 00 push 0x0 ; /BeepType = MB_OK
00401364 |. E8 AD000000 call <jmp.&USER32.MessageBeep> ; \MessageBeep
00401369 |. 6A 30 push 0x30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0040136B |. 68 60214000 push Cruehead.00402160 ; |Title = "No luck!"
00401370 |. 68 69214000 push Cruehead.00402169 ; |Text = "No luck there, mate!"
00401375 |. FF75 08 push [arg.1] ; |hOwner
00401378 |. E8 BD000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
0040137D \. C3 retn
0040137E /$ 8B7424 04 mov esi,dword ptr ss:[esp+0x4]
00401382 |. 56 push esi
00401383 |> 8A06 /mov al,byte ptr ds:[esi]
00401385 |. 84C0 |test al,al
00401387 |. 74 13 |je XCruehead.0040139C
00401389 |. 3C 41 |cmp al,0x41
0040138B |. 72 1F |jb XCruehead.004013AC
0040138D |. 3C 5A |cmp al,0x5A
0040138F |. 73 03 |jnb XCruehead.00401394
00401391 |. 46 |inc esi
00401392 |.^ EB EF |jmp XCruehead.00401383
00401394 |> E8 39000000 |call Cruehead.004013D2
00401399 |. 46 |inc esi
0040139A |.^ EB E7 \jmp XCruehead.00401383
0040139C |> 5E pop esi
0040139D |. E8 20000000 call Cruehead.004013C2
004013A2 |. 81F7 78560000 xor edi,0x5678
004013A8 |. 8BC7 mov eax,edi
004013AA |. EB 15 jmp XCruehead.004013C1
004013AC |> 5E pop esi
004013AD |. 6A 30 push 0x30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013AF |. 68 60214000 push Cruehead.00402160 ; |Title = "No luck!"
004013B4 |. 68 69214000 push Cruehead.00402169 ; |Text = "No luck there, mate!"
004013B9 |. FF75 08 push [arg.1] ; |hOwner
004013BC |. E8 79000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
004013C1 \> C3 retn可以猜测出会有两次判断,当第一次错误时,弹出的错误消息框是[004013BC]的,然后再会弹出[00401378]的消息框。于是可以下断点,看看第一次显示错误消息框的函数是在哪里调用的。
004011E6 > 5B pop ebx
004011E7 . |5F pop edi
004011E8 . |5E pop esi
004011E9 . |C9 leave
004011EA . |C2 1000 retn 0x10
004011ED > |6A 00 push 0x0 ; /lParam = NULL
004011EF . |68 0A134000 push Cruehead.0040130A ; |DlgProc = Cruehead.0040130A
004011F4 . |FF75 08 push dword ptr ss:[ebp+0x8] ; |hOwner
004011F7 . |68 1F214000 push Cruehead.0040211F ; |pTemplate = "DLG_ABOUT"
004011FC . |FF35 CA204000 push dword ptr ds:[0x4020CA] ; |hInst = 00400000
00401202 . |E8 99020000 call <jmp.&USER32.DialogBoxParamA> ; \DialogBoxParamA
00401207 .^ EB DD jmp XCruehead.004011E6
00401209 > |6A 00 push 0x0 ; /lParam = NULL
0040120B . |68 53124000 push Cruehead.00401253 ; |DlgProc = Cruehead.00401253
00401210 . |FF75 08 push dword ptr ss:[ebp+0x8] ; |hOwner
00401213 . |68 15214000 push Cruehead.00402115 ; |pTemplate = "DLG_REGIS"
00401218 . |FF35 CA204000 push dword ptr ds:[0x4020CA] ; |hInst = 00400000
0040121E . |E8 7D020000 call <jmp.&USER32.DialogBoxParamA> ; \DialogBoxParamA
00401223 . |83F8 00 cmp eax,0x0
00401226 .^ 74 BE je XCruehead.004011E6
00401228 . |68 8E214000 push Cruehead.0040218E ; ASCII "123456",这是输入的name
0040122D . |E8 4C010000 call Cruehead.0040137E ; 第一个错误消息框弹出位置
00401232 . |50 push eax
00401233 . |68 7E214000 push Cruehead.0040217E ; ASCII "12345",这是输入的serial
00401238 . |E8 9B010000 call Cruehead.004013D8 ; 第二个比较点
0040123D . |83C4 04 add esp,0x4
00401240 . |58 pop eax
00401241 . |3BC3 cmp eax,ebx
00401243 . |74 07 je XCruehead.0040124C
00401245 . |E8 18010000 call Cruehead.00401362 ; 第二次消息框弹出位置
0040124A .^ EB 9A jmp XCruehead.004011E6
0040124C > |E8 FC000000 call Cruehead.0040134D ; 正确消息框弹出
00401251 .^\EB 93 jmp XCruehead.004011E6这样就可以在两个关键call的位置下断点分析了。
第一个call的分析:
0040137E /$ 8B7424 04 mov esi,dword ptr ss:[esp+0x4]
00401382 |. 56 push esi
00401383 |> 8A06 /mov al,byte ptr ds:[esi]
00401385 |. 84C0 |test al,al
00401387 |. 74 13 |je XCruehead.0040139C
00401389 |. 3C 41 |cmp al,0x41
0040138B |. 72 1F |jb XCruehead.004013AC ; 如果有比'A'小的就跳出循环,弹出错误
0040138D |. 3C 5A |cmp al,0x5A
0040138F |. 73 03 |jnb XCruehead.00401394 ; 如果有比'Z'大的就减0x20
00401391 |. 46 |inc esi
00401392 |.^ EB EF |jmp XCruehead.00401383
00401394 |> E8 39000000 |call Cruehead.004013D2 ; 这里就是减0x20
00401399 |. 46 |inc esi
0040139A |.^ EB E7 \jmp XCruehead.00401383
0040139C |> 5E pop esi
0040139D |. E8 20000000 call Cruehead.004013C2 ; 这里是将字符串的每个字符的ascii值加起来
004013A2 |. 81F7 78560000 xor edi,0x5678
004013A8 |. 8BC7 mov eax,edi
004013AA |. EB 15 jmp XCruehead.004013C1
004013AC |> 5E pop esi
004013AD |. 6A 30 push 0x30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013AF |. 68 60214000 push Cruehead.00402160 ; |Title = "No luck!"
004013B4 |. 68 69214000 push Cruehead.00402169 ; |Text = "No luck there, mate!"
004013B9 |. FF75 08 push [arg.1] ; |hOwner
004013BC |. E8 79000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
004013C1 \> C3 retn
004013C2 /$ 33FF xor edi,edi
004013C4 |. 33DB xor ebx,ebx
004013C6 |> 8A1E /mov bl,byte ptr ds:[esi]
004013C8 |. 84DB |test bl,bl
004013CA |. 74 05 |je XCruehead.004013D1
004013CC |. 03FB |add edi,ebx
004013CE |. 46 |inc esi
004013CF |.^ EB F5 \jmp XCruehead.004013C6
004013D1 \> C3 retn其实就是按一定要求处理name然后再将name中每个字符加起来后异或0x5678
第二个call的分析:
004013D8 /$ 33C0 xor eax,eax
004013DA |. 33FF xor edi,edi
004013DC |. 33DB xor ebx,ebx
004013DE |. 8B7424 04 mov esi,dword ptr ss:[esp+0x4]
004013E2 |> B0 0A /mov al,0xA
004013E4 |. 8A1E |mov bl,byte ptr ds:[esi]
004013E6 |. 84DB |test bl,bl
004013E8 |. 74 0B |je XCruehead.004013F5
004013EA |. 80EB 30 |sub bl,0x30
004013ED |. 0FAFF8 |imul edi,eax
004013F0 |. 03FB |add edi,ebx
004013F2 |. 46 |inc esi
004013F3 |.^ EB ED \jmp XCruehead.004013E2
004013F5 |> 81F7 34120000 xor edi,0x1234
004013FB |. 8BDF mov ebx,edi
004013FD \. C3 retn这里是将serial的内容转成16进制后与0x1234进行异或运算。
最后比较两个call的返回值是否相同,不同的话会弹出第二个错误消息框。如果相同的话会弹出正确的消息框。
如:
name:1
serial:4661
就会弹出两个消息框,一个错误的,一个正确的。
name:gnubd
serial:17724
![Unicode与JavaScript详解 [很好的文章转]](http://www.admin10000.com/UploadFiles/Document/201412/11/20141211191421353409.PNG)
