Title: [Original] An analysis of rocky's CM
Author: Lnairan
Date: 2015-02-06
Link: http://bbs.pediy.com/showthread.php?p=1352236#post1352236
CrackMe link: http://bbs.pediy.com/showthread.php?t=97460
This CM is the entry from team rocky in round 3 of the 2009 Crackme contest.
My skills are weak and I analyze programs very slowly, so I want to use CMs to get faster at reversing programs and their algorithms. I don't know when I will improve, or when I will reach the level of the experts.
If any expert has a quicker way to improve, please give me some pointers.
This is my first time writing up an analysis and my skills are weak, so if there are mistakes, I hope the experts will correct me after having a laugh.
Open the program and set a breakpoint on every GetWindowTextA call.
0040E7BB /$ 55 push ebp
0040E7BC |. 8BEC mov ebp, esp
0040E7BE |. 56 push esi
0040E7BF |. 57 push edi
0040E7C0 |. 8B7D 08 mov edi, dword ptr [ebp+8]
0040E7C3 |. FF75 0C push dword ptr [ebp+C]
0040E7C6 |. 8BCF mov ecx, edi
0040E7C8 |. E8 A8FFFFFF call 0040E775
0040E7CD |. 833F 00 cmp dword ptr [edi], 0
0040E7D0 |. 8BF0 mov esi, eax
0040E7D2 |. 74 28 je short 0040E7FC
0040E7D4 |. 56 push esi ; /hWnd
0040E7D5 |. FF15 6C124100 call dword ptr [<&USER32.GetWindowT>; \GetWindowTextLengthA
0040E7DB |. 8D48 01 lea ecx, dword ptr [eax+1]
0040E7DE |. 51 push ecx
0040E7DF |. 8B4D 10 mov ecx, dword ptr [ebp+10]
0040E7E2 |. 50 push eax
0040E7E3 |. E8 98BDFFFF call 0040A580
0040E7E8 |. 50 push eax ; |Buffer
0040E7E9 |. 56 push esi ; |hWnd
0040E7EA |. FF15 70124100 call dword ptr [<&USER32.GetWindowT>; \GetWindowTextA ; reads the user name
0040E7F0 |. 8B4D 10 mov ecx, dword ptr [ebp+10]
0040E7F3 |. 6A FF push -1
0040E7F5 |. E8 5EBDFFFF call 0040A558
0040E7FA |. EB 0B jmp short 0040E807
Step over with F8 until the function returns; it returns to 4012A7.
00401290 . 56 push esi
00401291 . 8BF1 mov esi, ecx
00401293 . 57 push edi
00401294 . 8B7C24 0C mov edi, dword ptr [esp+C]
00401298 . 8D46 5C lea eax, dword ptr [esi+5C]
0040129B . 50 push eax ; pointer to the buffer that receives the string
0040129C . 68 E9030000 push 3E9
004012A1 . 57 push edi
004012A2 . E8 14D50000 call 0040E7BB ; get the user name
004012A7 . 8D4E 60 lea ecx, dword ptr [esi+60]
004012AA . 51 push ecx
004012AB . 68 EA030000 push 3EA
004012B0 . 57 push edi
004012B1 . E8 05D50000 call 0040E7BB ; get the password
004012B6 . 83C6 64 add esi, 64
004012B9 . 56 push esi
004012BA . 68 EB030000 push 3EB
004012BF . 57 push edi
004012C0 . E8 F6D40000 call 0040E7BB ; get the contents of the third edit box
004012C5 . 5F pop edi
004012C6 . 5E pop esi
004012C7 . C2 0400 retn 4
Next the user name and serial are checked for being empty; after those simple checks execution arrives at:
004018A6 > \8D56 FE lea edx, dword ptr [esi-2] ;SerialLen - 2
004018A9 . B8 56555555 mov eax, 55555556 ; optimized (signed) division by 3
004018AE . F7EA imul edx
004018B0 . 8BC2 mov eax, edx
004018B2 . C1E8 1F shr eax, 1F
004018B5 . 03D0 add edx, eax
004018B7 . 8BEA mov ebp, edx ;(SerialLen - 2) / 3
004018B9 . 3BE9 cmp ebp, ecx ; ecx holds the user name length
004018BB . 74 1F je short 004018DC ; must be equal to continue
004018BD . 8D4B 64 lea ecx, dword ptr [ebx+64]
004018C0 . 68 B8604100 push 004160B8
004018C5 . 51 push ecx
004018C6 . E8 9C6F0000 call 00408867
004018CB . 83C4 08 add esp, 8
004018CE . 8BCB mov ecx, ebx
004018D0 . 6A 00 push 0
00401A3D . 8B7424 20 mov esi, dword ptr [esp+20] ;SerialLen - NameLen * 2
00401A41 . 33FF xor edi, edi ;i
00401A43 . 85F6 test esi, esi
00401A45 . 7E 31 jle short 00401A78
00401A47 . 8B4C24 1C mov ecx, dword ptr [esp+1C]
00401A4B . 894C24 14 mov dword ptr [esp+14], ecx
00401A4F > 8A0C17 mov cl, byte ptr [edi+edx] ; Serial3[i], the third group after the serial is split
00401A52 . 33C0 xor eax, eax ;j
00401A54 > 3A4C04 6C cmp cl, byte ptr [esp+eax+6C] ; Box2[j]: the code at 401577 initializes two constant arrays; the second one is used here
00401A58 . 74 08 je short 00401A62
00401A5A . 40 inc eax
00401A5B . 83F8 3E cmp eax, 3E
00401A5E .^ 7C F4 jl short 00401A54
00401A60 . EB 06 jmp short 00401A68
00401A62 > 8B4C24 14 mov ecx, dword ptr [esp+14] ; Array[i] holds the index in Box2 of each character of the third group
00401A66 . 8901 mov dword ptr [ecx], eax
00401A68 > 8B4C24 14 mov ecx, dword ptr [esp+14]
00401A6C . 47 inc edi
00401A6D . 83C1 04 add ecx, 4
00401A70 . 3BFE cmp edi, esi
00401A72 . 894C24 14 mov dword ptr [esp+14], ecx
00401A76 .^ 7C D7 jl short 00401A4F
00401A78 > \8D4E 01 lea ecx, dword ptr [esi+1] ;SerialLen - NameLen * 2 + 1
00401A7B . 8BFA mov edi, edx ;Serial3
00401A7D . 8BD1 mov edx, ecx
00401A7F . 33C0 xor eax, eax
00401A81 . C1E9 02 shr ecx, 2
00401A84 . F3:AB rep stos dword ptr es:[edi]
00401A86 . 8BCA mov ecx, edx
00401A88 . 56 push esi ;SerialLen - NameLen * 2
00401A89 . 83E1 03 and ecx, 3
00401A8C . F3:AA rep stos byte ptr es:[edi]
00401A8E . 8B4424 20 mov eax, dword ptr [esp+20] ;Array
00401A92 . 8BCB mov ecx, ebx
00401A94 . 50 push eax
00401A95 . E8 A6F9FFFF call 00401440
00401440 /$ 8B4424 08 mov eax, dword ptr [esp+8] ;SerialLen - NameLen * 2
00401444 |. 85C0 test eax, eax
00401446 |. 0F8E A5000000 jle 004014F1
0040144C |. 8D50 02 lea edx, dword ptr [eax+2]
0040144F |. B8 ABAAAAAA mov eax, AAAAAAAB ; optimized (unsigned) division by 3
00401454 |. F7E2 mul edx
00401456 |. 8B4C24 04 mov ecx, dword ptr [esp+4] ;Array
0040145A |. 53 push ebx
0040145B |. 55 push ebp
0040145C |. 56 push esi
0040145D |. D1EA shr edx, 1
0040145F |. 57 push edi
00401460 |. 8D79 08 lea edi, dword ptr [ecx+8]
00401463 |. 895424 18 mov dword ptr [esp+18], edx ;(SerialLen - NameLen * 2 + 2) / 3
00401467 |> 8B5F F8 /mov ebx, dword ptr [edi-8] ;Array[m]
0040146A |. 8B4F FC |mov ecx, dword ptr [edi-4] ;Array[m+1]
0040146D |. 8B37 |mov esi, dword ptr [edi] ;Array[m+2]
0040146F |. BD 3E000000 |mov ebp, 3E
00401474 |. 8D04DB |lea eax, dword ptr [ebx+ebx*8]
00401477 |. 83C7 0C |add edi, 0C ;m += 3
0040147A |. 8D1443 |lea edx, dword ptr [ebx+eax*2] ;Array[m] * 19
0040147D |. 8D0489 |lea eax, dword ptr [ecx+ecx*4]
00401480 |. 8D04C1 |lea eax, dword ptr [ecx+eax*8] ;Array[m+1] * 41
00401483 |. 03D0 |add edx, eax
00401485 |. 8D04F5 000000>|lea eax, dword ptr [esi*8]
0040148C |. 2BC6 |sub eax, esi ;Array[m+2] * 7
0040148E |. 8D0482 |lea eax, dword ptr [edx+eax*4]
00401491 |. 33D2 |xor edx, edx
00401493 |. F7F5 |div ebp
00401495 |. 8BC1 |mov eax, ecx ;Array[m+1]
00401497 |. C1E0 05 |shl eax, 5
0040149A |. 2BC1 |sub eax, ecx
0040149C |. D1E0 |shl eax, 1 ;Array[m+1] * 62
0040149E |. 895424 14 |mov dword ptr [esp+14], edx
004014A2 |. 8D149B |lea edx, dword ptr [ebx+ebx*4]
004014A5 |. 8D0490 |lea eax, dword ptr [eax+edx*4] ;Array[m+1] * 62 + Array[m] * 20
004014A8 |. 8D1476 |lea edx, dword ptr [esi+esi*2]
004014AB |. C1E2 04 |shl edx, 4
004014AE |. 2BD6 |sub edx, esi
004014B0 |. 03C2 |add eax, edx
004014B2 |. 33D2 |xor edx, edx
004014B4 |. F7F5 |div ebp
004014B6 |. 8D0489 |lea eax, dword ptr [ecx+ecx*4]
004014B9 |. 8D0C81 |lea ecx, dword ptr [ecx+eax*4] ;Array[m+1] * 21
004014BC |. 8D04D9 |lea eax, dword ptr [ecx+ebx*8]
004014BF |. 8D0C76 |lea ecx, dword ptr [esi+esi*2]
004014C2 |. 8BEA |mov ebp, edx
004014C4 |. 8D14C9 |lea edx, dword ptr [ecx+ecx*8]
004014C7 |. D1E2 |shl edx, 1
004014C9 |. 2BD6 |sub edx, esi ;Array[m+2] * 53
004014CB |. B9 3E000000 |mov ecx, 3E
004014D0 |. 03C2 |add eax, edx
004014D2 |. 33D2 |xor edx, edx
004014D4 |. F7F1 |div ecx
004014D6 |. FF4C24 18 |dec dword ptr [esp+18]
004014DA |. 8957 EC |mov dword ptr [edi-14], edx
004014DD |. 8B5424 14 |mov edx, dword ptr [esp+14]
004014E1 |. 8957 F0 |mov dword ptr [edi-10], edx
004014E4 |. 896F F4 |mov dword ptr [edi-C], ebp
004014E7 |.^ 0F85 7AFFFFFF \jnz 00401467
004014ED |. 5F pop edi
004014EE |. 5E pop esi
004014EF |. 5D pop ebp
004014F0 |. 5B pop ebx
004014F1 \> C2 0800 retn 8
00401A9A . 8B4C24 20 mov ecx, dword ptr [esp+20] ;SerialLen - NameLen * 2
00401A9E . 8B5424 1C mov edx, dword ptr [esp+1C] ;Array
00401AA2 . 8D048D 000000>lea eax, dword ptr [ecx*4]
00401AA9 . 2B7410 FC sub esi, dword ptr [eax+edx-4] ; esi = length of the third serial group
00401AAD . 83EE 02 sub esi, 2
00401AB0 . 0F88 08010000 js 00401BBE ; jump to the failure path
00401AB6 . 8D0CB5 000000>lea ecx, dword ptr [esi*4]
00401ABD . 51 push ecx
00401ABE . E8 FD7D0000 call 004098C0
00401500 /$ 8B4C24 0C mov ecx, dword ptr [esp+C] ; index = length of the third serial group
00401504 |. 53 push ebx
00401505 |. 56 push esi
00401506 |. 8B7424 0C mov esi, dword ptr [esp+C] ;Array
0040150A |. 57 push edi
0040150B |. 8BC1 mov eax, ecx ;index
0040150D |. 8B7C8E FC mov edi, dword ptr [esi+ecx*4-4] ;Array[index-1]
00401511 |. 8B5C8E F8 mov ebx, dword ptr [esi+ecx*4-8] ;Array[index-2]
00401515 |. 2BC7 sub eax, edi
00401517 |. 83E8 02 sub eax, 2
0040151A |. 85C0 test eax, eax
0040151C |. 7E 21 jle short 0040153F ; index - Array[index-1] - 2 must be > 0, otherwise leave the function
0040151E |. 8B4C24 14 mov ecx, dword ptr [esp+14] ; call this Array2 for now
00401522 |. 55 push ebp
00401523 |. 2BF1 sub esi, ecx
00401525 |. 8BF8 mov edi, eax
00401527 |> 8B040E /mov eax, dword ptr [esi+ecx]
0040152A |. 33D2 |xor edx, edx
0040152C |. 03C3 |add eax, ebx
0040152E |. BD 3E000000 |mov ebp, 3E
00401533 |. F7F5 |div ebp
00401535 |. 83C1 04 |add ecx, 4
00401538 |. 4F |dec edi
00401539 |. 8951 FC |mov dword ptr [ecx-4], edx
0040153C |.^ 75 E9 \jnz short 00401527
0040153E |. 5D pop ebp
0040153F |> 5F pop edi
00401540 |. 5E pop esi
00401541 |. 5B pop ebx
00401542 \. C2 0C00 retn 0C
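The routines traced above, rewritten in Python as an added example: the length check at 004018A6, the Box2 lookup at 00401A4F, the per-triple mixing at 00401440 and the accumulation at 00401500. This is the editor's own reconstruction from the listings, not code from the crackme or its author. It assumes a stand-in 62-character Box2 table (the real table built at 401577 is not shown in the post), and it pads with zeros where the binary would read past the end of Array; the coefficients and the modulus 62 (3Eh) are read straight off the lea/div sequences.

```python
# Added example: Python reconstruction of the four routines in the listings
# above. Editor's re-implementation from the disassembly, not crackme code.
import string

MOD = 0x3E  # 62: the divisor loaded into ebp/ecx before every div

# ASSUMPTION: the crackme's Box2 table (built at 00401577) is not on the page;
# this 62-character stand-in is constructed here only so the example runs.
BOX2 = string.digits + string.ascii_uppercase + string.ascii_lowercase
assert len(BOX2) == MOD


def div3_signed(x: int) -> int:
    """Emulate 'mov eax,55555556h; imul edx; shr eax,1Fh; add edx,eax':
    signed 32-bit division by 3 rounding toward zero."""
    x = ((x + 0x80000000) & 0xFFFFFFFF) - 0x80000000   # sign-extend to 32 bits
    high = (x * 0x55555556) >> 32                        # edx after imul
    return high + ((high >> 31) & 1)                     # add the sign bit


def length_check(name_len: int, serial_len: int) -> bool:
    """004018A6..004018BB: (SerialLen - 2) / 3 must equal NameLen."""
    return div3_signed(serial_len - 2) == name_len


def lookup_indices(serial3: bytes, prev=None) -> list:
    """00401A4F..00401A76: Array[i] = position of Serial3[i] in Box2.
    A byte that is not in the table leaves Array[i] untouched, because the
    store at 00401A62 is only reached through the je at 00401A58; 'prev'
    models whatever was already in that memory (zeros by default)."""
    arr = list(prev) if prev is not None else [0] * len(serial3)
    table = BOX2.encode()
    for i, ch in enumerate(serial3):
        j = table.find(bytes([ch]))     # the 62-step compare loop at 00401A54
        if j != -1:
            arr[i] = j
    return arr


def mix_triples(arr: list) -> list:
    """00401440: every group of three gets a 3x3 linear map mod 62.
    (n + 2) / 3 groups are processed (mul AAAAAAABh; shr edx,1), so when n
    is not a multiple of three the binary reads and writes past element n;
    the list is zero-padded here (an assumption) to keep Python in bounds."""
    n = len(arr)
    groups = (n + 2) // 3
    out = list(arr) + [0] * (groups * 3 - n)
    for m in range(0, groups * 3, 3):
        a, b, c = out[m], out[m + 1], out[m + 2]
        r1 = (19 * a + 41 * b + 28 * c) % MOD   # first div, parked at [esp+14]
        r2 = (20 * a + 62 * b + 47 * c) % MOD   # second div, kept in ebp
        r3 = (8 * a + 21 * b + 53 * c) % MOD    # third div, left in edx
        # stores at [edi-14h], [edi-10h], [edi-0Ch] after edi += 0Ch
        out[m], out[m + 1], out[m + 2] = r3, r1, r2
    return out[:n]


def accumulate(arr: list, index: int):
    """00401AA9 + 00401500: count = index - Array[index-1] - 2. The caller
    fails the serial when count is negative (js 00401BBE), the callee writes
    nothing when count <= 0, otherwise
    Array2[k] = (Array[k] + Array[index-2]) % 62 for k < count."""
    count = index - arr[index - 1] - 2
    if count < 0:
        return None                     # failure path in the caller
    addend = arr[index - 2]
    return [(arr[k] + addend) % MOD for k in range(count)]


if __name__ == "__main__":
    # Constructed sample values, not a real serial for this crackme.
    print(length_check(4, 14), mix_triples([1, 2, 3, 4, 5, 6]))
```

Note the behaviour the listing exposes for characters outside Box2: the search loop falls through to 00401A68 without storing, so Array[i] keeps whatever the buffer held before, and the later arithmetic silently operates on that leftover value.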