-
-
Crack me #2 by _HellDashX_[原创]
-
发表于: 2005-5-13 19:20 5739
-
为了庆祝申请帐号成功,发一篇,菜籽一只,还请见晾!
目标:Crack me #2 by _HellDashX_
目的:pediy论坛要交篇文章才能注册,只有硬着头皮上了。
工具:PEid v0.92,OllyDbg v1.10(Step 2) 聆风听雨 汉化,LordPE Deluxe,Import REConstructor v1.4.2+ 汉化版
要求:Only needs disable ALL NAGS!/去除所有的Nag
用PEid v0.92查出是 FSG 2.0 -> bart/xt ,手头没有脱壳机。手动脱,Go,Go,Go!用OllyDbg打开,提示入口点在代码外部,点确定,程序停在
00400154 > 8725 00AB4000 xchg dword ptr ds:[40AB00], esp
代码如下:
00400154 > 8725 00AB4000 xchg dword ptr ds:[40AB00], esp
0040015A 61 popad
0040015B 94 xchg eax, esp
0040015C 55 push ebp
0040015D A4 movs byte ptr es:[edi], byte ptr ds:[>
0040015E B6 80 mov dh, 80
00400160 FF13 call dword ptr ds:[ebx]
00400162 ^73 F9 jnb short Crackme_.0040015D
00400164 33C9 xor ecx, ecx
00400166 FF13 call dword ptr ds:[ebx]
00400168 73 16 jnb short Crackme_.00400180
0040016A 33C0 xor eax, eax
0040016C FF13 call dword ptr ds:[ebx]
0040016E 73 1F jnb short Crackme_.0040018F
00400170 B6 80 mov dh, 80
00400172 41 inc ecx
00400173 B0 10 mov al, 10
00400175 FF13 call dword ptr ds:[ebx]
00400177 12C0 adc al, al
00400179 ^73 FA jnb short Crackme_.00400175
0040017B 75 3A jnz short Crackme_.004001B7
0040017D AA stos byte ptr es:[edi]
0040017E ^EB E0 jmp short Crackme_.00400160
00400180 FF53 08 call dword ptr ds:[ebx+8]
00400183 02F6 add dh, dh
00400185 83D9 01 sbb ecx, 1
00400188 75 0E jnz short Crackme_.00400198
0040018A FF53 04 call dword ptr ds:[ebx+4]
0040018D EB 24 jmp short Crackme_.004001B3
0040018F AC lods byte ptr ds:[esi]
00400190 D1E8 shr eax, 1
00400192 74 2D je short Crackme_.004001C1
00400194 13C9 adc ecx, ecx
00400196 EB 18 jmp short Crackme_.004001B0
00400198 91 xchg eax, ecx
00400199 48 dec eax
0040019A C1E0 08 shl eax, 8
0040019D AC lods byte ptr ds:[esi]
0040019E FF53 04 call dword ptr ds:[ebx+4]
004001A1 3B43 F8 cmp eax, dword ptr ds:[ebx-8]
004001A4 73 0A jnb short Crackme_.004001B0
004001A6 80FC 05 cmp ah, 5
004001A9 73 06 jnb short Crackme_.004001B1
004001AB 83F8 7F cmp eax, 7F
004001AE 77 02 ja short Crackme_.004001B2
004001B0 41 inc ecx
004001B1 41 inc ecx
004001B2 95 xchg eax, ebp
004001B3 8BC5 mov eax, ebp
004001B5 B6 00 mov dh, 0
004001B7 56 push esi
004001B8 8BF7 mov esi, edi
004001BA 2BF0 sub esi, eax
004001BC F3:A4 rep movs byte ptr es:[edi], byte ptr>
004001BE 5E pop esi
004001BF ^EB 9F jmp short Crackme_.00400160
004001C1 5E pop esi
004001C2 AD lods dword ptr ds:[esi]
004001C3 97 xchg eax, edi
004001C4 AD lods dword ptr ds:[esi]
004001C5 50 push eax
004001C6 FF53 10 call dword ptr ds:[ebx+10]
004001C9 95 xchg eax, ebp
004001CA 8B07 mov eax, dword ptr ds:[edi]
004001CC 40 inc eax
004001CD ^78 F3 js short Crackme_.004001C2
004001CF 75 03 jnz short Crackme_.004001D4
004001D1 FF63 0C jmp dword ptr ds:[ebx+C]
004001D4 50 push eax
004001D5 55 push ebp
004001D6 FF53 14 call dword ptr ds:[ebx+14]
004001D9 AB stos dword ptr es:[edi]
004001DA ^EB EE jmp short Crackme_.004001CA
004001DC 33C9 xor ecx, ecx
004001DE 41 inc ecx
004001DF FF13 call dword ptr ds:[ebx]
004001E1 13C9 adc ecx, ecx
004001E3 FF13 call dword ptr ds:[ebx]
004001E5 ^72 F8 jb short Crackme_.004001DF
004001E7 C3 retn
004001E8 02D2 add dl, dl
004001EA 75 05 jnz short Crackme_.004001F1
004001EC 8A16 mov dl, byte ptr ds:[esi]
004001EE 46 inc esi
004001EF 12D2 adc dl, dl
004001F1 C3 retn
004001F2 4B dec ebx
004001F3 45 inc ebp
004001F4 52 push edx
004001F5 4E dec esi
004001F6 45 inc ebp
004001F7 4C dec esp
004001F8 3332 xor esi, dword ptr ds:[edx]
一路F8发现在40017E和400160间老循环,用鼠标点击
00400180 FF53 08 call dword ptr ds:[ebx+8] ; Crackme_.004001DE
按F4运行到该行,代码如下
00400180 FF53 08 call dword ptr ds:[ebx+8]
00400183 02F6 add dh, dh
00400185 83D9 01 sbb ecx, 1
00400188 75 0E jnz short Crackme_.00400198
0040018A FF53 04 call dword ptr ds:[ebx+4]
0040018D EB 24 jmp short Crackme_.004001B3
0040018F AC lods byte ptr ds:[esi]
00400190 D1E8 shr eax, 1
00400192 74 2D je short Crackme_.004001C1
00400194 13C9 adc ecx, ecx
00400196 EB 18 jmp short Crackme_.004001B0
00400198 91 xchg eax, ecx
00400199 48 dec eax
0040019A C1E0 08 shl eax, 8
0040019D AC lods byte ptr ds:[esi]
0040019E FF53 04 call dword ptr ds:[ebx+4]
004001A1 3B43 F8 cmp eax, dword ptr ds:[ebx-8]
004001A4 73 0A jnb short Crackme_.004001B0
004001A6 80FC 05 cmp ah, 5
004001A9 73 06 jnb short Crackme_.004001B1
004001AB 83F8 7F cmp eax, 7F
004001AE 77 02 ja short Crackme_.004001B2
004001B0 41 inc ecx
004001B1 41 inc ecx
004001B2 95 xchg eax, ebp
004001B3 8BC5 mov eax, ebp
004001B5 B6 00 mov dh, 0
004001B7 56 push esi
004001B8 8BF7 mov esi, edi
004001BA 2BF0 sub esi, eax
004001BC F3:A4 rep movs byte ptr es:[edi], byte ptr>
004001BE 5E pop esi
004001BF ^EB 9F jmp short Crackme_.00400160
继续F8,发现在4001BF又跳回400160,用鼠标点
004001C1 5E pop esi ; Crackme_.0040216C
按F4,运行到该行,代码如下:
004001BF ^EB 9F jmp short Crackme_.00400160
004001C1 5E pop esi
004001C2 AD lods dword ptr ds:[esi]
004001C3 97 xchg eax, edi
004001C4 AD lods dword ptr ds:[esi]
004001C5 50 push eax
004001C6 FF53 10 call dword ptr ds:[ebx+10]
004001C9 95 xchg eax, ebp
004001CA 8B07 mov eax, dword ptr ds:[edi] ; Crackme_.004022B9
004001CC 40 inc eax
004001CD ^78 F3 js short Crackme_.004001C2
004001CF 75 03 jnz short Crackme_.004001D4
004001D1 FF63 0C jmp dword ptr ds:[ebx+C]
004001D4 50 push eax
004001D5 55 push ebp
004001D6 FF53 14 call dword ptr ds:[ebx+14]
004001D9 AB stos dword ptr es:[edi]
004001DA ^EB EE jmp short Crackme_.004001CA
同样一路F8,特别注意这一行
004001D5 55 push ebp
在右边的注释栏里可以看到一堆API的名称,看到出来在恢复IAT,很多循环,可以一路F8跟,也可以点
004001D1 -FF63 0C jmp dword ptr ds:[ebx+C] ; Crackme_.00401000
F4运行到这,注意右边注释Crackme_.00401000,哈哈!OEP! F8跟进,代码如下:
00401000 6A db 6A ; CHAR 'j'
00401001 00 db 00
00401002 E8 db E8
00401003 3F db 3F ; CHAR '?'
00401004 02 db 02
00401005 00 db 00
00401006 00 db 00
00401007 A3 db A3
00401008 00 db 00
不对啊?别急 Ctrl+A 或者 右击-〉分析-〉分析代码,代码如下:
00401000 . 6A 00 push 0 ; /pModule = NULL
00401002 . E8 3F020000 call Crackme_.00401246 ; \GetModuleHandleA
00401007 . A3 00304000 mov dword ptr ds:[403000], eax
0040100C . E8 2F020000 call Crackme_.00401240 ; [GetCommandLineA
00401011 . E8 36020000 call Crackme_.0040124C
00401016 . A3 04304000 mov dword ptr ds:[403004], eax
0040101B . 6A 0A push 0A ; /Arg4 = 0000000A
0040101D . FF35 04304000 push dword ptr ds:[403004] ; |Arg3 = 00000000
00401023 . 6A 00 push 0 ; |Arg2 = 00000000
00401025 . FF35 00304000 push dword ptr ds:[403000] ; |Arg1 = 00000000
0040102B . E8 06000000 call Crackme_.00401036 ; \Crackme_.00401036
00401030 . 50 push eax ; /ExitCode
00401031 . E8 04020000 call Crackme_.0040123A ; \ExitProcess
00401036 /$ 55 push ebp
00401037 |. 8BEC mov ebp, esp
00401039 |. 83C4 B4 add esp, -4C
0040103C |. C745 D0 300000>mov dword ptr ss:[ebp-30], 30
00401043 |. C745 D4 030000>mov dword ptr ss:[ebp-2C], 3
0040104A |. C745 D8 031140>mov dword ptr ss:[ebp-28], Crackme_.>
00401051 |. C745 DC 000000>mov dword ptr ss:[ebp-24], 0
00401058 |. C745 E0 1E0000>mov dword ptr ss:[ebp-20], 1E
0040105F |. FF75 08 push dword ptr ss:[ebp+8]
00401062 |. 8F45 E4 pop dword ptr ss:[ebp-1C]
00401065 |. C745 F0 100000>mov dword ptr ss:[ebp-10], 10
0040106C |. C745 F4 102700>mov dword ptr ss:[ebp-C], 2710
00401073 |. C745 F8 542040>mov dword ptr ss:[ebp-8], Crackme_.0>; ASCII "DLGCLASS"
0040107A |. 68 007F0000 push 7F00 ; /RsrcName = IDI_APPLICATION
0040107F |. 6A 00 push 0 ; |hInst = NULL
00401081 |. E8 84010000 call Crackme_.0040120A ; \LoadIconA
00401086 |. 8945 E8 mov dword ptr ss:[ebp-18], eax
00401089 |. 8945 FC mov dword ptr ss:[ebp-4], eax
0040108C |. 68 007F0000 push 7F00 ; /RsrcName = IDC_ARROW
00401091 |. 6A 00 push 0 ; |hInst = NULL
00401093 |. E8 6C010000 call Crackme_.00401204 ; \LoadCursorA
00401098 |. 8945 EC mov dword ptr ss:[ebp-14], eax
0040109B |. 8D45 D0 lea eax, dword ptr ss:[ebp-30]
0040109E |. 50 push eax ; /pWndClassEx
0040109F |. E8 78010000 call Crackme_.0040121C ; \RegisterClassExA
004010A4 |. 6A 00 push 0 ; /lParam = 0
004010A6 |. 68 03114000 push Crackme_.00401103 ; |pDlgProc = Crackme_.00401103
004010AB |. 6A 00 push 0 ; |hOwner = NULL
004010AD |. 68 E8030000 push 3E8 ; |pTemplate = 3E8
004010B2 |. FF35 00304000 push dword ptr ds:[403000] ; |hInst = NULL
004010B8 |. E8 29010000 call Crackme_.004011E6 ; \CreateDialogParamA
004010BD |. 6A 01 push 1 ; /ShowState = SW_SHOWNORMAL
004010BF |. FF35 08304000 push dword ptr ds:[403008] ; |hWnd = NULL
004010C5 |. E8 5E010000 call Crackme_.00401228 ; \ShowWindow
004010CA |. FF35 08304000 push dword ptr ds:[403008] ; /hWnd = NULL
004010D0 |. E8 5F010000 call Crackme_.00401234 ; \UpdateWindow
004010D5 |> 6A 00 /push 0 ; /MsgFilterMax = 0
004010D7 |. 6A 00 |push 0 ; |MsgFilterMin = 0
004010D9 |. 6A 00 |push 0 ; |hWnd = NULL
004010DB |. 8D45 B4 |lea eax, dword ptr ss:[ebp-4C] ; |
004010DE |. 50 |push eax ; |pMsg
004010DF |. E8 1A010000 |call Crackme_.004011FE ; \GetMessageA
004010E4 |. 0BC0 |or eax, eax
004010E6 |. 74 14 |je short Crackme_.004010FC
004010E8 |. 8D45 B4 |lea eax, dword ptr ss:[ebp-4C]
004010EB |. 50 |push eax ; /pMsg
004010EC |. E8 3D010000 |call Crackme_.0040122E ; \TranslateMessage
004010F1 |. 8D45 B4 |lea eax, dword ptr ss:[ebp-4C]
004010F4 |. 50 |push eax ; /pMsg
004010F5 |. E8 FE000000 |call Crackme_.004011F8 ; \DispatchMessageA
004010FA |.^EB D9 \jmp short Crackme_.004010D5
004010FC |> 8B45 BC mov eax, dword ptr ss:[ebp-44]
004010FF |. C9 leave
00401100 \. C2 1000 retn 10
00401103 /. 55 push ebp
00401104 |. 8BEC mov ebp, esp
00401106 |. 8B45 0C mov eax, dword ptr ss:[ebp+C]
00401109 |. 3D 10010000 cmp eax, 110
0040110E |. 75 32 jnz short Crackme_.00401142
00401110 |. FF75 08 push dword ptr ss:[ebp+8]
00401113 |. 8F05 08304000 pop dword ptr ds:[403008]
00401119 |. 6A 00 push 0 ; /Timerproc = NULL
0040111B |. 68 10270000 push 2710 ; |Timeout = 10000. ms
00401120 |. 6A 00 push 0 ; |TimerID = 0
00401122 |. FF35 08304000 push dword ptr ds:[403008] ; |hWnd = NULL
00401128 |. E8 F5000000 call Crackme_.00401222 ; \SetTimer
0040112D |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040112F |. 6A 00 push 0 ; |Title = NULL
00401131 |. 68 A2204000 push Crackme_.004020A2 ; |Text = "I am the starting nag. Disable me!"
00401136 |. 6A 00 push 0 ; |hOwner = NULL
00401138 |. E8 D3000000 call Crackme_.00401210 ; \MessageBoxA
0040113D |. E9 9D000000 jmp Crackme_.004011DF
00401142 |> 3D 11010000 cmp eax, 111
00401147 |. 75 3A jnz short Crackme_.00401183
00401149 |. 8B45 10 mov eax, dword ptr ss:[ebp+10]
0040114C |. 25 FFFF0000 and eax, 0FFFF
00401151 |. 3D E9030000 cmp eax, 3E9
00401156 |. 75 12 jnz short Crackme_.0040116A
00401158 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040115A |. 6A 00 push 0 ; |Title = NULL
0040115C |. 68 E6204000 push Crackme_.004020E6 ; |Text = "I am the button nag. Disable me!"
00401161 |. 6A 00 push 0 ; |hOwner = NULL
00401163 |. E8 A8000000 call Crackme_.00401210 ; \MessageBoxA
00401168 |. EB 75 jmp short Crackme_.004011DF
0040116A |> 3D EA030000 cmp eax, 3EA
0040116F |. 75 6E jnz short Crackme_.004011DF
00401171 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401173 |. 6A 00 push 0 ; |Title = NULL
00401175 |. 68 27214000 push Crackme_.00402127 ; |Text = "Crackme #2 by _HellDashX_
Only disable all nag and send a solution"
0040117A |. 6A 00 push 0 ; |hOwner = NULL
0040117C |. E8 8F000000 call Crackme_.00401210 ; \MessageBoxA
00401181 |. EB 5C jmp short Crackme_.004011DF
00401183 |> 3D 13010000 cmp eax, 113
00401188 |. 75 12 jnz short Crackme_.0040119C
0040118A |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040118C |. 6A 00 push 0 ; |Title = NULL
0040118E |. 68 07214000 push Crackme_.00402107 ; |Text = "I am the timer nag. Disable me!"
00401193 |. 6A 00 push 0 ; |hOwner = NULL
00401195 |. E8 76000000 call Crackme_.00401210 ; \MessageBoxA
0040119A |. EB 43 jmp short Crackme_.004011DF
0040119C |> 83F8 10 cmp eax, 10
0040119F |. 75 0A jnz short Crackme_.004011AB
004011A1 |. FF75 08 push dword ptr ss:[ebp+8] ; /hWnd
004011A4 |. E8 49000000 call Crackme_.004011F2 ; \DestroyWindow
004011A9 |. EB 34 jmp short Crackme_.004011DF
004011AB |> 837D 0C 02 cmp dword ptr ss:[ebp+C], 2
004011AF |. 75 19 jnz short Crackme_.004011CA
004011B1 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004011B3 |. 6A 00 push 0 ; |Title = NULL
004011B5 |. 68 C5204000 push Crackme_.004020C5 ; |Text = "I am the finish nag. Disable me!"
004011BA |. 6A 00 push 0 ; |hOwner = NULL
004011BC |. E8 4F000000 call Crackme_.00401210 ; \MessageBoxA
004011C1 |. 6A 00 push 0 ; /ExitCode = 0
004011C3 |. E8 4E000000 call Crackme_.00401216 ; \PostQuitMessage
004011C8 |. EB 15 jmp short Crackme_.004011DF
004011CA |> FF75 14 push dword ptr ss:[ebp+14] ; /lParam
004011CD |. FF75 10 push dword ptr ss:[ebp+10] ; |wParam
004011D0 |. FF75 0C push dword ptr ss:[ebp+C] ; |Message
004011D3 |. FF75 08 push dword ptr ss:[ebp+8] ; |hWnd
004011D6 |. E8 11000000 call Crackme_.004011EC ; \DefWindowProcA
004011DB |. C9 leave
004011DC |. C2 1000 retn 10
004011DF |> 33C0 xor eax, eax
004011E1 |. C9 leave
004011E2 \. C2 1000 retn 10
004011E5 CC int3
004011E6 $-FF25 44204000 jmp dword ptr ds:[402044] ; user32.CreateDialogParamA
004011EC $-FF25 48204000 jmp dword ptr ds:[402048] ; user32.DefWindowProcA
004011F2 $-FF25 40204000 jmp dword ptr ds:[402040] ; user32.DestroyWindow
004011F8 $-FF25 3C204000 jmp dword ptr ds:[40203C] ; user32.DispatchMessageA
004011FE $-FF25 28204000 jmp dword ptr ds:[402028] ; user32.GetMessageA
00401204 $-FF25 18204000 jmp dword ptr ds:[402018] ; user32.LoadCursorA
0040120A $-FF25 1C204000 jmp dword ptr ds:[40201C] ; user32.LoadIconA
00401210 $-FF25 20204000 jmp dword ptr ds:[402020] ; user32.MessageBoxA
00401216 $-FF25 24204000 jmp dword ptr ds:[402024] ; user32.PostQuitMessage
0040121C $-FF25 4C204000 jmp dword ptr ds:[40204C] ; user32.RegisterClassExA
00401222 $-FF25 2C204000 jmp dword ptr ds:[40202C] ; user32.SetTimer
00401228 $-FF25 30204000 jmp dword ptr ds:[402030] ; user32.ShowWindow
0040122E $-FF25 34204000 jmp dword ptr ds:[402034] ; user32.TranslateMessage
00401234 $-FF25 38204000 jmp dword ptr ds:[402038] ; user32.UpdateWindow
0040123A .-FF25 0C204000 jmp dword ptr ds:[40200C] ; kernel32.ExitProcess
00401240 $-FF25 08204000 jmp dword ptr ds:[402008] ; kernel32.GetCommandLineA
00401246 $-FF25 10204000 jmp dword ptr ds:[402010] ; kernel32.GetModuleHandleA
0040124C $-FF25 00204000 jmp dword ptr ds:[402000]
哈哈哈哈,成功,用LoadPE 完全dump,得到dumped.exe。运行,5555,应用程序初始化错误,当然的了输入表没修复嘛,打开Import REConstructor v1.4.2+选择运行中的程序crackme,输入OEP 1000,IAT 自动搜索,哈哈,成功,可是别急,在这里Import REConstructor 把大小搞错了,查看刚才的代码知道大小为4c,点获得输入信息,啊!只有一个无效指针,别急,点rva:002014 ptr 7Fffffff,右击->剪切指针,再点rva:002050 ptr 7Fffffff,右击->剪切指针。ok!没有更多的无效指针。点修理抓取文件,选择dumped.exe得到dumped_.exe。运行,555555,还是没法运行!!
不急,用OllyDbg打开dumped_.exe,点
00401011 |. E8 36020000 call dumped_.0040124C
右击-〉二进制-〉用Nop填充。再右击-〉复制到可执行文件-〉全部修正,提示框,点 全部复制,出来新窗口。再在新窗口右击-〉保存文件。改个名字,如dumped_1.exe,运行,耶!可以运行了!你说还有Nag,那是我们还没破解嘛!啊,别扔石头,刚才半天不是在脱壳嘛!用PEid查,MASM32 / TASM32 不是,Nag爆破就是了。
再用OllyDbg打开dumped_1.exe,把
0040112D |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040112F |. 6A 00 push 0 ; |Title = NULL
00401131 |. 68 A2204000 push dumped_1.004020A2 ; |Text = "I am the starting nag. Disable me!"
00401136 |. 6A 00 push 0 ; |hOwner = NULL
00401138 |. E8 D3000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
。。。。。
。。。。。
00401158 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040115A |. 6A 00 push 0 ; |Title = NULL
0040115C |. 68 E6204000 push dumped_1.004020E6 ; |Text = "I am the button nag. Disable me!"
00401161 |. 6A 00 push 0 ; |hOwner = NULL
00401163 |. E8 A8000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
。。。。。
。。。。。
0040118A |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040118C |. 6A 00 push 0 ; |Title = NULL
0040118E |. 68 07214000 push dumped_1.00402107 ; |Text = "I am the timer nag. Disable me!"
00401193 |. 6A 00 push 0 ; |hOwner = NULL
00401195 |. E8 76000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
。。。。。
。。。。。
004011B1 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004011B3 |. 6A 00 push 0 ; |Title = NULL
004011B5 |. 68 C5204000 push dumped_1.004020C5 ; |Text = "I am the finish nag. Disable me!"
004011BA |. 6A 00 push 0 ; |hOwner = NULL
004011BC |. E8 4F000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
全部右击-〉二进制-〉用Nop填充,再保存为dumped_2.exe,运行。Yeah!!成功了。第一篇破(烂)文(章)产生了。
PS:原程序里菜单是无效的,下次有时间再把给菜单加功能的文章给写了。
tom
2005.05.05
目标:Crack me #2 by _HellDashX_
目的:pediy论坛要交篇文章才能注册,只有硬着头皮上了。
工具:PEid v0.92,OllyDbg v1.10(Step 2) 聆风听雨 汉化,LordPE Deluxe,Import REConstructor v1.4.2+ 汉化版
要求:Only needs disable ALL NAGS!/去除所有的Nag
用PEid v0.92查出是 FSG 2.0 -> bart/xt ,手头没有脱壳机。手动脱,Go,Go,Go!用OllyDbg打开,提示入口点在代码外部,点确定,程序停在
00400154 > 8725 00AB4000 xchg dword ptr ds:[40AB00], esp
代码如下:
00400154 > 8725 00AB4000 xchg dword ptr ds:[40AB00], esp
0040015A 61 popad
0040015B 94 xchg eax, esp
0040015C 55 push ebp
0040015D A4 movs byte ptr es:[edi], byte ptr ds:[>
0040015E B6 80 mov dh, 80
00400160 FF13 call dword ptr ds:[ebx]
00400162 ^73 F9 jnb short Crackme_.0040015D
00400164 33C9 xor ecx, ecx
00400166 FF13 call dword ptr ds:[ebx]
00400168 73 16 jnb short Crackme_.00400180
0040016A 33C0 xor eax, eax
0040016C FF13 call dword ptr ds:[ebx]
0040016E 73 1F jnb short Crackme_.0040018F
00400170 B6 80 mov dh, 80
00400172 41 inc ecx
00400173 B0 10 mov al, 10
00400175 FF13 call dword ptr ds:[ebx]
00400177 12C0 adc al, al
00400179 ^73 FA jnb short Crackme_.00400175
0040017B 75 3A jnz short Crackme_.004001B7
0040017D AA stos byte ptr es:[edi]
0040017E ^EB E0 jmp short Crackme_.00400160
00400180 FF53 08 call dword ptr ds:[ebx+8]
00400183 02F6 add dh, dh
00400185 83D9 01 sbb ecx, 1
00400188 75 0E jnz short Crackme_.00400198
0040018A FF53 04 call dword ptr ds:[ebx+4]
0040018D EB 24 jmp short Crackme_.004001B3
0040018F AC lods byte ptr ds:[esi]
00400190 D1E8 shr eax, 1
00400192 74 2D je short Crackme_.004001C1
00400194 13C9 adc ecx, ecx
00400196 EB 18 jmp short Crackme_.004001B0
00400198 91 xchg eax, ecx
00400199 48 dec eax
0040019A C1E0 08 shl eax, 8
0040019D AC lods byte ptr ds:[esi]
0040019E FF53 04 call dword ptr ds:[ebx+4]
004001A1 3B43 F8 cmp eax, dword ptr ds:[ebx-8]
004001A4 73 0A jnb short Crackme_.004001B0
004001A6 80FC 05 cmp ah, 5
004001A9 73 06 jnb short Crackme_.004001B1
004001AB 83F8 7F cmp eax, 7F
004001AE 77 02 ja short Crackme_.004001B2
004001B0 41 inc ecx
004001B1 41 inc ecx
004001B2 95 xchg eax, ebp
004001B3 8BC5 mov eax, ebp
004001B5 B6 00 mov dh, 0
004001B7 56 push esi
004001B8 8BF7 mov esi, edi
004001BA 2BF0 sub esi, eax
004001BC F3:A4 rep movs byte ptr es:[edi], byte ptr>
004001BE 5E pop esi
004001BF ^EB 9F jmp short Crackme_.00400160
004001C1 5E pop esi
004001C2 AD lods dword ptr ds:[esi]
004001C3 97 xchg eax, edi
004001C4 AD lods dword ptr ds:[esi]
004001C5 50 push eax
004001C6 FF53 10 call dword ptr ds:[ebx+10]
004001C9 95 xchg eax, ebp
004001CA 8B07 mov eax, dword ptr ds:[edi]
004001CC 40 inc eax
004001CD ^78 F3 js short Crackme_.004001C2
004001CF 75 03 jnz short Crackme_.004001D4
004001D1 FF63 0C jmp dword ptr ds:[ebx+C]
004001D4 50 push eax
004001D5 55 push ebp
004001D6 FF53 14 call dword ptr ds:[ebx+14]
004001D9 AB stos dword ptr es:[edi]
004001DA ^EB EE jmp short Crackme_.004001CA
004001DC 33C9 xor ecx, ecx
004001DE 41 inc ecx
004001DF FF13 call dword ptr ds:[ebx]
004001E1 13C9 adc ecx, ecx
004001E3 FF13 call dword ptr ds:[ebx]
004001E5 ^72 F8 jb short Crackme_.004001DF
004001E7 C3 retn
004001E8 02D2 add dl, dl
004001EA 75 05 jnz short Crackme_.004001F1
004001EC 8A16 mov dl, byte ptr ds:[esi]
004001EE 46 inc esi
004001EF 12D2 adc dl, dl
004001F1 C3 retn
004001F2 4B dec ebx
004001F3 45 inc ebp
004001F4 52 push edx
004001F5 4E dec esi
004001F6 45 inc ebp
004001F7 4C dec esp
004001F8 3332 xor esi, dword ptr ds:[edx]
一路F8发现在40017E和400160间老循环,用鼠标点击
00400180 FF53 08 call dword ptr ds:[ebx+8] ; Crackme_.004001DE
按F4运行到该行,代码如下
00400180 FF53 08 call dword ptr ds:[ebx+8]
00400183 02F6 add dh, dh
00400185 83D9 01 sbb ecx, 1
00400188 75 0E jnz short Crackme_.00400198
0040018A FF53 04 call dword ptr ds:[ebx+4]
0040018D EB 24 jmp short Crackme_.004001B3
0040018F AC lods byte ptr ds:[esi]
00400190 D1E8 shr eax, 1
00400192 74 2D je short Crackme_.004001C1
00400194 13C9 adc ecx, ecx
00400196 EB 18 jmp short Crackme_.004001B0
00400198 91 xchg eax, ecx
00400199 48 dec eax
0040019A C1E0 08 shl eax, 8
0040019D AC lods byte ptr ds:[esi]
0040019E FF53 04 call dword ptr ds:[ebx+4]
004001A1 3B43 F8 cmp eax, dword ptr ds:[ebx-8]
004001A4 73 0A jnb short Crackme_.004001B0
004001A6 80FC 05 cmp ah, 5
004001A9 73 06 jnb short Crackme_.004001B1
004001AB 83F8 7F cmp eax, 7F
004001AE 77 02 ja short Crackme_.004001B2
004001B0 41 inc ecx
004001B1 41 inc ecx
004001B2 95 xchg eax, ebp
004001B3 8BC5 mov eax, ebp
004001B5 B6 00 mov dh, 0
004001B7 56 push esi
004001B8 8BF7 mov esi, edi
004001BA 2BF0 sub esi, eax
004001BC F3:A4 rep movs byte ptr es:[edi], byte ptr>
004001BE 5E pop esi
004001BF ^EB 9F jmp short Crackme_.00400160
继续F8,发现在4001BF又跳回400160,用鼠标点
004001C1 5E pop esi ; Crackme_.0040216C
按F4,运行到该行,代码如下:
004001BF ^EB 9F jmp short Crackme_.00400160
004001C1 5E pop esi
004001C2 AD lods dword ptr ds:[esi]
004001C3 97 xchg eax, edi
004001C4 AD lods dword ptr ds:[esi]
004001C5 50 push eax
004001C6 FF53 10 call dword ptr ds:[ebx+10]
004001C9 95 xchg eax, ebp
004001CA 8B07 mov eax, dword ptr ds:[edi] ; Crackme_.004022B9
004001CC 40 inc eax
004001CD ^78 F3 js short Crackme_.004001C2
004001CF 75 03 jnz short Crackme_.004001D4
004001D1 FF63 0C jmp dword ptr ds:[ebx+C]
004001D4 50 push eax
004001D5 55 push ebp
004001D6 FF53 14 call dword ptr ds:[ebx+14]
004001D9 AB stos dword ptr es:[edi]
004001DA ^EB EE jmp short Crackme_.004001CA
同样一路F8,特别注意这一行
004001D5 55 push ebp
在右边的注释栏里可以看到一堆API的名称,看到出来在恢复IAT,很多循环,可以一路F8跟,也可以点
004001D1 -FF63 0C jmp dword ptr ds:[ebx+C] ; Crackme_.00401000
F4运行到这,注意右边注释Crackme_.00401000,哈哈!OEP! F8跟进,代码如下:
00401000 6A db 6A ; CHAR 'j'
00401001 00 db 00
00401002 E8 db E8
00401003 3F db 3F ; CHAR '?'
00401004 02 db 02
00401005 00 db 00
00401006 00 db 00
00401007 A3 db A3
00401008 00 db 00
不对啊?别急 Ctrl+A 或者 右击-〉分析-〉分析代码,代码如下:
00401000 . 6A 00 push 0 ; /pModule = NULL
00401002 . E8 3F020000 call Crackme_.00401246 ; \GetModuleHandleA
00401007 . A3 00304000 mov dword ptr ds:[403000], eax
0040100C . E8 2F020000 call Crackme_.00401240 ; [GetCommandLineA
00401011 . E8 36020000 call Crackme_.0040124C
00401016 . A3 04304000 mov dword ptr ds:[403004], eax
0040101B . 6A 0A push 0A ; /Arg4 = 0000000A
0040101D . FF35 04304000 push dword ptr ds:[403004] ; |Arg3 = 00000000
00401023 . 6A 00 push 0 ; |Arg2 = 00000000
00401025 . FF35 00304000 push dword ptr ds:[403000] ; |Arg1 = 00000000
0040102B . E8 06000000 call Crackme_.00401036 ; \Crackme_.00401036
00401030 . 50 push eax ; /ExitCode
00401031 . E8 04020000 call Crackme_.0040123A ; \ExitProcess
00401036 /$ 55 push ebp
00401037 |. 8BEC mov ebp, esp
00401039 |. 83C4 B4 add esp, -4C
0040103C |. C745 D0 300000>mov dword ptr ss:[ebp-30], 30
00401043 |. C745 D4 030000>mov dword ptr ss:[ebp-2C], 3
0040104A |. C745 D8 031140>mov dword ptr ss:[ebp-28], Crackme_.>
00401051 |. C745 DC 000000>mov dword ptr ss:[ebp-24], 0
00401058 |. C745 E0 1E0000>mov dword ptr ss:[ebp-20], 1E
0040105F |. FF75 08 push dword ptr ss:[ebp+8]
00401062 |. 8F45 E4 pop dword ptr ss:[ebp-1C]
00401065 |. C745 F0 100000>mov dword ptr ss:[ebp-10], 10
0040106C |. C745 F4 102700>mov dword ptr ss:[ebp-C], 2710
00401073 |. C745 F8 542040>mov dword ptr ss:[ebp-8], Crackme_.0>; ASCII "DLGCLASS"
0040107A |. 68 007F0000 push 7F00 ; /RsrcName = IDI_APPLICATION
0040107F |. 6A 00 push 0 ; |hInst = NULL
00401081 |. E8 84010000 call Crackme_.0040120A ; \LoadIconA
00401086 |. 8945 E8 mov dword ptr ss:[ebp-18], eax
00401089 |. 8945 FC mov dword ptr ss:[ebp-4], eax
0040108C |. 68 007F0000 push 7F00 ; /RsrcName = IDC_ARROW
00401091 |. 6A 00 push 0 ; |hInst = NULL
00401093 |. E8 6C010000 call Crackme_.00401204 ; \LoadCursorA
00401098 |. 8945 EC mov dword ptr ss:[ebp-14], eax
0040109B |. 8D45 D0 lea eax, dword ptr ss:[ebp-30]
0040109E |. 50 push eax ; /pWndClassEx
0040109F |. E8 78010000 call Crackme_.0040121C ; \RegisterClassExA
004010A4 |. 6A 00 push 0 ; /lParam = 0
004010A6 |. 68 03114000 push Crackme_.00401103 ; |pDlgProc = Crackme_.00401103
004010AB |. 6A 00 push 0 ; |hOwner = NULL
004010AD |. 68 E8030000 push 3E8 ; |pTemplate = 3E8
004010B2 |. FF35 00304000 push dword ptr ds:[403000] ; |hInst = NULL
004010B8 |. E8 29010000 call Crackme_.004011E6 ; \CreateDialogParamA
004010BD |. 6A 01 push 1 ; /ShowState = SW_SHOWNORMAL
004010BF |. FF35 08304000 push dword ptr ds:[403008] ; |hWnd = NULL
004010C5 |. E8 5E010000 call Crackme_.00401228 ; \ShowWindow
004010CA |. FF35 08304000 push dword ptr ds:[403008] ; /hWnd = NULL
004010D0 |. E8 5F010000 call Crackme_.00401234 ; \UpdateWindow
004010D5 |> 6A 00 /push 0 ; /MsgFilterMax = 0
004010D7 |. 6A 00 |push 0 ; |MsgFilterMin = 0
004010D9 |. 6A 00 |push 0 ; |hWnd = NULL
004010DB |. 8D45 B4 |lea eax, dword ptr ss:[ebp-4C] ; |
004010DE |. 50 |push eax ; |pMsg
004010DF |. E8 1A010000 |call Crackme_.004011FE ; \GetMessageA
004010E4 |. 0BC0 |or eax, eax
004010E6 |. 74 14 |je short Crackme_.004010FC
004010E8 |. 8D45 B4 |lea eax, dword ptr ss:[ebp-4C]
004010EB |. 50 |push eax ; /pMsg
004010EC |. E8 3D010000 |call Crackme_.0040122E ; \TranslateMessage
004010F1 |. 8D45 B4 |lea eax, dword ptr ss:[ebp-4C]
004010F4 |. 50 |push eax ; /pMsg
004010F5 |. E8 FE000000 |call Crackme_.004011F8 ; \DispatchMessageA
004010FA |.^EB D9 \jmp short Crackme_.004010D5
004010FC |> 8B45 BC mov eax, dword ptr ss:[ebp-44]
004010FF |. C9 leave
00401100 \. C2 1000 retn 10
00401103 /. 55 push ebp
00401104 |. 8BEC mov ebp, esp
00401106 |. 8B45 0C mov eax, dword ptr ss:[ebp+C]
00401109 |. 3D 10010000 cmp eax, 110
0040110E |. 75 32 jnz short Crackme_.00401142
00401110 |. FF75 08 push dword ptr ss:[ebp+8]
00401113 |. 8F05 08304000 pop dword ptr ds:[403008]
00401119 |. 6A 00 push 0 ; /Timerproc = NULL
0040111B |. 68 10270000 push 2710 ; |Timeout = 10000. ms
00401120 |. 6A 00 push 0 ; |TimerID = 0
00401122 |. FF35 08304000 push dword ptr ds:[403008] ; |hWnd = NULL
00401128 |. E8 F5000000 call Crackme_.00401222 ; \SetTimer
0040112D |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040112F |. 6A 00 push 0 ; |Title = NULL
00401131 |. 68 A2204000 push Crackme_.004020A2 ; |Text = "I am the starting nag. Disable me!"
00401136 |. 6A 00 push 0 ; |hOwner = NULL
00401138 |. E8 D3000000 call Crackme_.00401210 ; \MessageBoxA
0040113D |. E9 9D000000 jmp Crackme_.004011DF
00401142 |> 3D 11010000 cmp eax, 111
00401147 |. 75 3A jnz short Crackme_.00401183
00401149 |. 8B45 10 mov eax, dword ptr ss:[ebp+10]
0040114C |. 25 FFFF0000 and eax, 0FFFF
00401151 |. 3D E9030000 cmp eax, 3E9
00401156 |. 75 12 jnz short Crackme_.0040116A
00401158 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040115A |. 6A 00 push 0 ; |Title = NULL
0040115C |. 68 E6204000 push Crackme_.004020E6 ; |Text = "I am the button nag. Disable me!"
00401161 |. 6A 00 push 0 ; |hOwner = NULL
00401163 |. E8 A8000000 call Crackme_.00401210 ; \MessageBoxA
00401168 |. EB 75 jmp short Crackme_.004011DF
0040116A |> 3D EA030000 cmp eax, 3EA
0040116F |. 75 6E jnz short Crackme_.004011DF
00401171 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401173 |. 6A 00 push 0 ; |Title = NULL
00401175 |. 68 27214000 push Crackme_.00402127 ; |Text = "Crackme #2 by _HellDashX_
Only disable all nag and send a solution"
0040117A |. 6A 00 push 0 ; |hOwner = NULL
0040117C |. E8 8F000000 call Crackme_.00401210 ; \MessageBoxA
00401181 |. EB 5C jmp short Crackme_.004011DF
00401183 |> 3D 13010000 cmp eax, 113
00401188 |. 75 12 jnz short Crackme_.0040119C
0040118A |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040118C |. 6A 00 push 0 ; |Title = NULL
0040118E |. 68 07214000 push Crackme_.00402107 ; |Text = "I am the timer nag. Disable me!"
00401193 |. 6A 00 push 0 ; |hOwner = NULL
00401195 |. E8 76000000 call Crackme_.00401210 ; \MessageBoxA
0040119A |. EB 43 jmp short Crackme_.004011DF
0040119C |> 83F8 10 cmp eax, 10
0040119F |. 75 0A jnz short Crackme_.004011AB
004011A1 |. FF75 08 push dword ptr ss:[ebp+8] ; /hWnd
004011A4 |. E8 49000000 call Crackme_.004011F2 ; \DestroyWindow
004011A9 |. EB 34 jmp short Crackme_.004011DF
004011AB |> 837D 0C 02 cmp dword ptr ss:[ebp+C], 2
004011AF |. 75 19 jnz short Crackme_.004011CA
004011B1 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004011B3 |. 6A 00 push 0 ; |Title = NULL
004011B5 |. 68 C5204000 push Crackme_.004020C5 ; |Text = "I am the finish nag. Disable me!"
004011BA |. 6A 00 push 0 ; |hOwner = NULL
004011BC |. E8 4F000000 call Crackme_.00401210 ; \MessageBoxA
004011C1 |. 6A 00 push 0 ; /ExitCode = 0
004011C3 |. E8 4E000000 call Crackme_.00401216 ; \PostQuitMessage
004011C8 |. EB 15 jmp short Crackme_.004011DF
004011CA |> FF75 14 push dword ptr ss:[ebp+14] ; /lParam
004011CD |. FF75 10 push dword ptr ss:[ebp+10] ; |wParam
004011D0 |. FF75 0C push dword ptr ss:[ebp+C] ; |Message
004011D3 |. FF75 08 push dword ptr ss:[ebp+8] ; |hWnd
004011D6 |. E8 11000000 call Crackme_.004011EC ; \DefWindowProcA
004011DB |. C9 leave
004011DC |. C2 1000 retn 10
004011DF |> 33C0 xor eax, eax
004011E1 |. C9 leave
004011E2 \. C2 1000 retn 10
004011E5 CC int3
004011E6 $-FF25 44204000 jmp dword ptr ds:[402044] ; user32.CreateDialogParamA
004011EC $-FF25 48204000 jmp dword ptr ds:[402048] ; user32.DefWindowProcA
004011F2 $-FF25 40204000 jmp dword ptr ds:[402040] ; user32.DestroyWindow
004011F8 $-FF25 3C204000 jmp dword ptr ds:[40203C] ; user32.DispatchMessageA
004011FE $-FF25 28204000 jmp dword ptr ds:[402028] ; user32.GetMessageA
00401204 $-FF25 18204000 jmp dword ptr ds:[402018] ; user32.LoadCursorA
0040120A $-FF25 1C204000 jmp dword ptr ds:[40201C] ; user32.LoadIconA
00401210 $-FF25 20204000 jmp dword ptr ds:[402020] ; user32.MessageBoxA
00401216 $-FF25 24204000 jmp dword ptr ds:[402024] ; user32.PostQuitMessage
0040121C $-FF25 4C204000 jmp dword ptr ds:[40204C] ; user32.RegisterClassExA
00401222 $-FF25 2C204000 jmp dword ptr ds:[40202C] ; user32.SetTimer
00401228 $-FF25 30204000 jmp dword ptr ds:[402030] ; user32.ShowWindow
0040122E $-FF25 34204000 jmp dword ptr ds:[402034] ; user32.TranslateMessage
00401234 $-FF25 38204000 jmp dword ptr ds:[402038] ; user32.UpdateWindow
0040123A .-FF25 0C204000 jmp dword ptr ds:[40200C] ; kernel32.ExitProcess
00401240 $-FF25 08204000 jmp dword ptr ds:[402008] ; kernel32.GetCommandLineA
00401246 $-FF25 10204000 jmp dword ptr ds:[402010] ; kernel32.GetModuleHandleA
0040124C $-FF25 00204000 jmp dword ptr ds:[402000]
哈哈哈哈,成功,用LoadPE 完全dump,得到dumped.exe。运行,5555,应用程序初始化错误,当然的了输入表没修复嘛,打开Import REConstructor v1.4.2+选择运行中的程序crackme,输入OEP 1000,IAT 自动搜索,哈哈,成功,可是别急,在这里Import REConstructor 把大小搞错了,查看刚才的代码知道大小为4c,点获得输入信息,啊!只有一个无效指针,别急,点rva:002014 ptr 7Fffffff,右击->剪切指针,再点rva:002050 ptr 7Fffffff,右击->剪切指针。ok!没有更多的无效指针。点修理抓取文件,选择dumped.exe得到dumped_.exe。运行,555555,还是没法运行!!
不急,用OllyDbg打开dumped_.exe,点
00401011 |. E8 36020000 call dumped_.0040124C
右击-〉二进制-〉用Nop填充。再右击-〉复制到可执行文件-〉全部修正,提示框,点 全部复制,出来新窗口。再在新窗口右击-〉保存文件。改个名字,如dumped_1.exe,运行,耶!可以运行了!你说还有Nag,那是我们还没破解嘛!啊,别扔石头,刚才半天不是在脱壳嘛!用PEid查,MASM32 / TASM32 不是,Nag爆破就是了。
再用OllyDbg打开dumped_1.exe,把
0040112D |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040112F |. 6A 00 push 0 ; |Title = NULL
00401131 |. 68 A2204000 push dumped_1.004020A2 ; |Text = "I am the starting nag. Disable me!"
00401136 |. 6A 00 push 0 ; |hOwner = NULL
00401138 |. E8 D3000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
。。。。。
。。。。。
00401158 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040115A |. 6A 00 push 0 ; |Title = NULL
0040115C |. 68 E6204000 push dumped_1.004020E6 ; |Text = "I am the button nag. Disable me!"
00401161 |. 6A 00 push 0 ; |hOwner = NULL
00401163 |. E8 A8000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
。。。。。
。。。。。
0040118A |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040118C |. 6A 00 push 0 ; |Title = NULL
0040118E |. 68 07214000 push dumped_1.00402107 ; |Text = "I am the timer nag. Disable me!"
00401193 |. 6A 00 push 0 ; |hOwner = NULL
00401195 |. E8 76000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
。。。。。
。。。。。
004011B1 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004011B3 |. 6A 00 push 0 ; |Title = NULL
004011B5 |. 68 C5204000 push dumped_1.004020C5 ; |Text = "I am the finish nag. Disable me!"
004011BA |. 6A 00 push 0 ; |hOwner = NULL
004011BC |. E8 4F000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
全部右击-〉二进制-〉用Nop填充,再保存为dumped_2.exe,运行。Yeah!!成功了。第一篇破(烂)文(章)产生了。
PS:原程序里菜单是无效的,下次有时间再把给菜单加功能的文章给写了。
tom
2005.05.05
赞赏
赞赏
雪币:
留言: