[原创]看雪CTF2016 第18题简单分析-18-ELyt
发表于: 2016-12-7 16:46 2965
本CM主要特点有2:
1.用了IDIV指令(00401326处),当除数为0时触发除零异常,由函数入口处安装的SEH帧改变程序走向,以此来验证前9位SN;计算结果不正确时不产生异常,函数正常返回,也就到不了第2步
2.用了一个简单的8位VM虚拟机来验证SN[10-20](此处按1计数,对应下文伪代码中的SN[9..19]),通过则提示成功
对于VM,本人实在是没怎么接触过,只是以前看过一些大神们的分析文章,知道大致的分析方法,不过主要还是人肉 :(,也是看到这个VM还算简单,就人肉了一下,要是复杂的,一定玩不下去了.
下面作一个简单的分析
; ---------------------------------------------------------------------
; sub_401120 - stage-1 serial check (OllyDbg dump, 32-bit x86, Intel syntax)
; Args:  [ebp+8]  = first argument; only passed on to 004013B0, meaning not visible here
;        [ebp+0C] = pointer to the serial string SN
; Frame: [ebp-4]  try-level (0 inside the guarded region, -1 outside)
;        [ebp-8]  pointer pushed at 00401125 (004080C0). The layout trylevel/table/handler/prev
;                 at [ebp-4..-10] matches the MSVC _except_handler3 frame, so this is presumably
;                 the SEH scope table - TODO confirm by reading 004080C0
;        [ebp-18] esp saved for the exception funclets at 00401338 / 0040133E
;        [ebp-24] 12-byte block from 0040436B(0C), released via 00404284 (alloc/free pair, presumably)
;        [ebp-48] int SN2[9], SN2[i] = (SN[i] ^ key[i]) - 'A'
;        [ebp-4C] len = 004042F0(SN)  (presumably strlen - TODO confirm)
;        [ebp-50] loop index i
;        [ebp-54] fail flag, 0 = still ok
;        [ebp-58] running product D
;        [ebp-64] 10 bytes copied from 004080B0; the first 9 are the xor key
; Exit:  a wrong serial falls through to 0040132B and returns normally. A right serial makes the
;        idiv at 00401326 fault (#DE); the exception path (0040133E) is the only route to the VM.
; ---------------------------------------------------------------------
00401120 $ 55 push ebp
00401121 . 8BEC mov ebp, esp
00401123 . 6A FF push -1 ; try-level = -1 -> [ebp-4]
00401125 . 68 C0804000 push 004080C0 ; -> [ebp-8] (scope table, presumably)
0040112A . 68 18454000 push 00404518 ; -> [ebp-0C] exception handler entry
0040112F . 64:A1 00000000 mov eax, fs:[0]
00401135 . 50 push eax ; -> [ebp-10] previous SEH record
00401136 . 64:8925 00000000 mov fs:[0], esp ; install the SEH frame: this is what turns the later #DE into a controlled jump
0040113D . 81C4 6CFFFFFF add esp, -94
00401143 . 53 push ebx
00401144 . 56 push esi
00401145 . 57 push edi
00401146 . 8965 E8 mov [ebp-18], esp ; save esp so the funclets below can restore it
00401149 . 8DBD 5CFFFFFF lea edi, [ebp-0A4]
0040114F . B9 23000000 mov ecx, 23
00401154 . B8 CCCCCCCC mov eax, CCCCCCCC
00401159 . F3:AB rep stos dword ptr [edi] ; fill locals with 0xCC (MSVC debug-build pattern, presumably)
0040115B . 6A 0C push 0C ; /Arg1 = 0C
0040115D . E8 09320000 call 0040436B ; \Crackme.0040436B - allocate a 12-byte block (allocator, presumably)
00401162 . 83C4 04 add esp, 4
00401165 . 8945 DC mov [ebp-24], eax ; [ebp-24] = buffer
00401168 . C745 B8 00000000 mov dword ptr [ebp-48], 0 ; SN2[0] = 0
0040116F . B9 08000000 mov ecx, 8
00401174 . 33C0 xor eax, eax
00401176 . 8D7D BC lea edi, [ebp-44]
00401179 . F3:AB rep stos dword ptr [edi] ; SN2[1..8] = 0
0040117B . C745 B4 00000000 mov dword ptr [ebp-4C], 0 ; len = 0
00401182 . C745 AC 00000000 mov dword ptr [ebp-54], 0 ; fail = 0
00401189 . C745 A8 01000000 mov dword ptr [ebp-58], 1 ; D = 1
00401190 . A1 B0804000 mov eax, [4080B0]
00401195 . 8945 9C mov [ebp-64], eax ; key[0..3]
00401198 . 8B0D B4804000 mov ecx, [4080B4]
0040119E . 894D A0 mov [ebp-60], ecx ; key[4..7]
004011A1 . 66:8B15 B8804000 mov dx, [4080B8]
004011A8 . 66:8955 A4 mov [ebp-5C], dx ; key[8] (plus one unused byte)
004011AC . 8D05 AC114000 lea eax, [4011AC]
004011B2 . 83C0 10 add eax, 10
004011B5 . 50 push eax
004011B6 . C3 retn ; push/retn trampoline to 4011BC - an anti-disassembly jump; bytes 4011B7..4011BB are never executed
004011B7 90 nop
004011B8 90 nop
004011B9 90 nop
004011BA 90 nop
004011BB 90 nop
004011BC 90 nop
004011BD 90 nop
004011BE 90 nop
004011BF 90 nop
004011C0 . 90 nop
004011C1 . 90 nop
004011C2 . 90 nop
004011C3 /. C745 FC 00000000 mov dword ptr [ebp-4], 0 ; try-level 0: guarded region begins
004011CA |. 8B45 F8 mov eax, [ebp-8] ; src = the 004080C0 table pushed above
004011CD |. 8945 E4 mov [ebp-1C], eax
004011D0 |. 8B45 E4 mov eax, [ebp-1C]
004011D3 |. 8945 E0 mov [ebp-20], eax
004011D6 |. 8B4D DC mov ecx, [ebp-24]
004011D9 |. 8B55 E0 mov edx, [ebp-20]
004011DC |. 8B02 mov eax, [edx]
004011DE |. 8901 mov [ecx], eax ; buf[0] = src[0]
004011E0 |. 8B4D DC mov ecx, [ebp-24]
004011E3 |. 8B55 E0 mov edx, [ebp-20]
004011E6 |. 8B42 04 mov eax, [edx+4]
004011E9 |. 8941 04 mov [ecx+4], eax ; buf[1] = src[1]
004011EC |. 8B4D E0 mov ecx, [ebp-20]
004011EF |. 8B51 08 mov edx, [ecx+8]
004011F2 |. 83C2 06 add edx, 6 ; buf[2] = src[2] + 6
004011F5 |. 8B45 DC mov eax, [ebp-24]
004011F8 |. 8950 08 mov [eax+8], edx
004011FB |. 8B45 DC mov eax, [ebp-24]
004011FE |. 8945 F8 mov [ebp-8], eax ; [ebp-8] now points at the patched heap copy instead of the table in the image.
; If src is a standard {prevTryLevel, filter, handler} entry whose handler is 00401338, the +6 moves it
; past the 6-byte decoy funclet (00401338: mov esp,[ebp-18] / xor eax,eax / retn) to 0040133E, i.e.
; the table visible in the file is not the one the runtime uses - TODO confirm against 004080C0
00401201 |. 8B4D 0C mov ecx, [ebp+0C]
00401204 |. 51 push ecx ; /Arg1 = SN
00401205 |. E8 E6300000 call 004042F0 ; \Crackme.004042F0 - length of SN (presumably strlen)
0040120A |. 83C4 04 add esp, 4
0040120D |. 8945 B4 mov [ebp-4C], eax ; len
00401210 |. 837D B4 0D cmp dword ptr [ebp-4C], 0D
00401214 |. 0F8C 11010000 jl 0040132B ; len < 13 -> fail (normal return, no exception)
0040121A |. C745 AC 00000000 mov dword ptr [ebp-54], 0
00401221 |. C745 B0 0D000000 mov dword ptr [ebp-50], 0D ; i = 13 (0-based, i.e. the 14th character)
00401228 |. EB 09 jmp short 00401233
0040122A |> 8B55 B0 /mov edx, [ebp-50]
0040122D |. 83C2 01 |add edx, 1
00401230 |. 8955 B0 |mov [ebp-50], edx ; i++
00401233 |> 8B45 B0 |mov eax, [ebp-50]
00401236 |. 3B45 B4 |cmp eax, [ebp-4C]
00401239 |. 7D 27 |jge short 00401262 ; while (i < len)
0040123B |. 8B4D 0C |mov ecx, [ebp+0C]
0040123E |. 034D B0 |add ecx, [ebp-50]
00401241 |. 0FBE11 |movsx edx, byte ptr [ecx]
00401244 |. 83FA 30 |cmp edx, 30 ; every SN[i] for i >= 13 must be '0'..'9' (signed compare after movsx, so bytes >= 0x80 fail too)
00401247 |. 7C 0E |jl short 00401257
00401249 |. 8B45 0C |mov eax, [ebp+0C]
0040124C |. 0345 B0 |add eax, [ebp-50]
0040124F |. 0FBE08 |movsx ecx, byte ptr [eax]
00401252 |. 83F9 39 |cmp ecx, 39
00401255 |. 7E 09 |jle short 00401260
00401257 |> C745 AC 01000000 |mov dword ptr [ebp-54], 1 ; fail = 1
0040125E |. EB 02 |jmp short 00401262
00401260 |>^ EB C8 \jmp short 0040122A
00401262 |> 837D AC 00 cmp dword ptr [ebp-54], 0
00401266 |. 0F85 BF000000 jne 0040132B ; any non-digit -> fail
0040126C |. C745 B0 00000000 mov dword ptr [ebp-50], 0 ; i = 0
00401273 |. EB 09 jmp short 0040127E
00401275 |> 8B55 B0 /mov edx, [ebp-50]
00401278 |. 83C2 01 |add edx, 1
0040127B |. 8955 B0 |mov [ebp-50], edx
0040127E |> 837D B0 08 |cmp dword ptr [ebp-50], 8
00401282 |. 7F 1F |jg short 004012A3 ; for (i = 0; i <= 8; i++)
00401284 |. 8B45 0C |mov eax, [ebp+0C]
00401287 |. 0345 B0 |add eax, [ebp-50]
0040128A |. 0FBE08 |movsx ecx, byte ptr [eax] ; ecx = SN[i], sign-extended
0040128D |. 8B55 B0 |mov edx, [ebp-50]
00401290 |. 0FBE4415 9C |movsx eax, byte ptr [edx+ebp ; listing truncated: opcode 0FBE4415 9C = movsx eax, byte ptr [ebp+edx-64] = key[i]
00401295 |. 33C8 |xor ecx, eax
00401297 |. 83E9 41 |sub ecx, 41
0040129A |. 8B55 B0 |mov edx, [ebp-50]
0040129D |. 894C95 B8 |mov [edx*4+ebp-48], ecx ; SN2[i] = (SN[i] ^ key[i]) - 'A' for the first 9 characters (0-based SN[0..8])
004012A1 |.^ EB D2 \jmp short 00401275
004012A3 |> 837D B8 01 cmp dword ptr [ebp-48], 1 ; SN2[0] must be > 1
004012A7 |. 7F 07 jg short 004012B0
004012A9 |. C745 AC 01000000 mov dword ptr [ebp-54], 1 ; fail = 1 (only tested after the next loop)
004012B0 |> C745 B0 00000000 mov dword ptr [ebp-50], 0
004012B7 |. EB 09 jmp short 004012C2
004012B9 |> 8B45 B0 /mov eax, [ebp-50]
004012BC |. 83C0 01 |add eax, 1
004012BF |. 8945 B0 |mov [ebp-50], eax
004012C2 |> 837D B0 08 |cmp dword ptr [ebp-50], 8
004012C6 |. 7D 1B |jge short 004012E3 ; for (i = 0; i < 8; i++)
004012C8 |. 8B4D B0 |mov ecx, [ebp-50]
004012CB |. 8B55 B0 |mov edx, [ebp-50]
004012CE |. 8B448D B8 |mov eax, [ecx*4+ebp-48] ; SN2 must be strictly increasing:
004012D2 |. 3B4495 BC |cmp eax, [edx*4+ebp-44] ; SN2[i] < SN2[i+1] (signed compare)
004012D6 |. 7C 09 |jl short 004012E1
004012D8 |. C745 AC 01000000 |mov dword ptr [ebp-54], 1 ; fail = 1
004012DF |. EB 02 |jmp short 004012E3
004012E1 |>^ EB D6 \jmp short 004012B9
004012E3 |> 837D AC 00 cmp dword ptr [ebp-54], 0
004012E7 |. 75 42 jne short 0040132B ; fail -> normal return
004012E9 |. C745 A8 01000000 mov dword ptr [ebp-58], 1 ; D = 1
004012F0 |. C745 B0 00000000 mov dword ptr [ebp-50], 0 ; for (i = 0; i < 9; i++)
004012F7 |. EB 09 jmp short 00401302
004012F9 |> 8B4D B0 /mov ecx, [ebp-50]
004012FC |. 83C1 01 |add ecx, 1
004012FF |. 894D B0 |mov [ebp-50], ecx
00401302 |> 837D B0 09 |cmp dword ptr [ebp-50], 9
00401306 |. 7D 10 |jge short 00401318
00401308 |. 8B55 B0 |mov edx, [ebp-50]
0040130B |. 8B45 A8 |mov eax, [ebp-58]
0040130E |. 0FAF4495 B8 |imul eax, [edx*4+ebp-48] ; D = D * SN2[i] (32-bit wrapping multiply)
00401313 |. 8945 A8 |mov [ebp-58], eax
00401316 |.^ EB E1 \jmp short 004012F9
00401318 |> B9 86204C0D mov ecx, 0D4C2086 ; ecx = 0xD4C2086 - D, zero only when D == 0xD4C2086 (= 223092870 = 2*3*5*7*11*13*17*19*23)
0040131D |. 2B4D A8 sub ecx, [ebp-58]
00401320 |. B8 64000000 mov eax, 64
00401325 |. 99 cdq
00401326 |. F7F9 idiv ecx ; 100 / ecx: with ecx == 0 this raises #DE and control leaves through the SEH frame - the only way to reach 0040133E. Any other ecx just continues to the failure exit.
00401328 |. 8945 A8 mov [ebp-58], eax
0040132B |> C745 FC FFFFFFFF mov dword ptr [ebp-4], -1 ; leave the guarded region (failure exit)
00401332 \. EB 3F jmp short 00401373
00401334 /. 8B45 EC mov eax, [ebp-14] ; funclet: returns whatever is at [ebp-14] (filter result, presumably)
00401337 \. C3 retn
00401338 /. 8B65 E8 mov esp, [ebp-18] ; 6-byte funclet: restores esp, returns 0, does nothing else (decoy, if the static table points here)
0040133B |. 33C0 xor eax, eax
0040133D \. C3 retn
0040133E /. 8B65 E8 mov esp, [ebp-18] ; = 00401338 + 6; per the author this is where the divide-by-zero exception lands. Restores esp, then runs the VM.
00401341 |. 8B55 0C mov edx, [ebp+0C]
00401344 |. 52 push edx ; SN
00401345 |. 8B45 08 mov eax, [ebp+8]
00401348 |. 50 push eax ; arg0
00401349 |. E8 62000000 call 004013B0 ; VM stage (per the write-up): SN[9..12] == "cool", SN[13..19] == "1531223"; prints success when it passes
0040134E |. 83C4 08 add esp, 8
00401351 |. 837D DC 00 cmp dword ptr [ebp-24], 0
00401355 |. 74 13 je short 0040136A
00401357 |. 8B4D DC mov ecx, [ebp-24]
0040135A |. 51 push ecx
0040135B |. E8 242F0000 call 00404284 ; release the 12-byte block
00401360 |. 83C4 04 add esp, 4
00401363 |. C745 DC 00000000 mov dword ptr [ebp-24], 0
0040136A |> C745 FC FFFFFFFF mov dword ptr [ebp-4], -1
00401371 \. EB 19 jmp short 0040138C
00401373 /> 837D DC 00 cmp dword ptr [ebp-24], 0 ; failure exit: same block release
00401377 |. 74 13 je short 0040138C
00401379 |. 8B55 DC mov edx, [ebp-24]
0040137C |. 52 push edx
0040137D |. E8 022F0000 call 00404284
00401382 |. 83C4 04 add esp, 4
00401385 |. C745 DC 00000000 mov dword ptr [ebp-24], 0
0040138C |> 8B4D F0 mov ecx, [ebp-10]
0040138F |. 64:890D 00000000 mov fs:[0], ecx ; uninstall the SEH frame
00401396 |. 5F pop edi
00401397 |. 5E pop esi
00401398 |. 5B pop ebx
00401399 |. 81C4 A4000000 add esp, 0A4
0040139F |. 3BEC cmp ebp, esp
004013A1 |. E8 C62E0000 call 0040426C ; [Crackme.0040426C - stack-pointer sanity check (MSVC debug _chkesp pattern, presumably)
004013A6 |. 8BE5 mov esp, ebp
004013A8 |. 5D pop ebp
004013A9 \. C3 retn
设注册码为SN
程序验证流程大致为(索引从0开始,与上面反汇编中的注释一致):
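/*
 * Stage-1 serial check, reconstructed from the native code at 00401120 above.
 * Indices are 0-based.  Returns 1 when the serial would reach the idiv-by-zero
 * at 00401326 (which hands control to the VM stage), 0 when the native code
 * would take the normal failure exit at 0040132B.
 *
 * Arithmetic mirrors the listing: SN[i] and key[i] are sign-extended bytes
 * (movsx), SN2[i] is a 32-bit int, and the product is a plain 32-bit imul,
 * so it is accumulated in an unsigned int to get the same wrap-around.
 */
static const unsigned char key[9] = {0x33,0x21,0x22,0x21,0x35,0x7c,0x62,0x65,0x6e};

static int check_stage1(const char *SN)
{
    size_t lenSN = strlen(SN);
    int SN2[9];
    unsigned int d = 1;
    size_t i;

    /* 00401210: fewer than 13 characters fails before anything else is looked at */
    if (lenSN < 13)
        return 0;
    /* 00401221..00401262: every character from SN[13] to the end must be a decimal digit */
    for (i = 13; i < lenSN; i++) {
        if ((signed char)SN[i] < '0' || (signed char)SN[i] > '9')
            return 0;
    }
    /* 0040126C..004012A1: SN2[i] = (SN[i] ^ key[i]) - 'A' for the first nine characters */
    for (i = 0; i < 9; i++)
        SN2[i] = ((int)(signed char)SN[i] ^ (int)key[i]) - 'A';
    /* 004012A3: the first value must exceed 1 */
    if (SN2[0] <= 1)
        return 0;
    /* 004012B0..004012E1: the nine values must be strictly increasing (signed compare) */
    for (i = 0; i < 8; i++) {
        if (SN2[i] >= SN2[i + 1])
            return 0;
    }
    /* 004012E9..00401316: product of all nine (32-bit wrapping multiply) */
    for (i = 0; i < 9; i++)
        d *= (unsigned int)SN2[i];
    /* 00401318: 0xD4C2086 - d must be 0, otherwise the idiv does not fault and stage 2 is never reached */
    return d == 0xD4C2086u;
}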
后面VM部分通过人肉,得出大致的验证为(分析中可能有错漏,SN[13-15]暴力跑出二组数据153 和 371,不过只有一组(153)能通过;两者都满足下面的立方和等式,371被拒的具体原因本文没有还原出来):
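/*
 * Stage-2 check: what the author recovered by hand from the 8-bit VM entered
 * at 004013B0 (the write-up itself flags this reconstruction as possibly
 * incomplete).  Indices are 0-based.  Returns 1 on success, 0 on failure.
 * The length check comes first, so every index used below is in bounds.
 */
static int check_stage2(const char *SN)
{
    int n13, n14, n15, a, b;

    /* the VM first insists on exactly 20 characters */
    if (strlen(SN) != 20)
        return 0;
    /* SN[9..12] must be the literal "cool" */
    if (strncmp(SN + 9, "cool", 4) != 0)
        return 0;
    /* from here on work with digit values, SN[x] - '0' (stage 1 already required SN[13..] to be digits) */
    n13 = SN[13] - '0';
    n14 = SN[14] - '0';
    n15 = SN[15] - '0';
    /* SN[13..15], read as a three-digit number, must equal the sum of the cubes of its digits */
    if (n13 * 100 + n14 * 10 + n15 != n13 * n13 * n13 + n14 * n14 * n14 + n15 * n15 * n15)
        return 0;
    /* a = SN[16..17], b = SN[18..19] as two-digit numbers: a + b == 35 and 4a + 2b == 94,
       which has the single solution a = 12, b = 23 */
    a = (SN[16] - '0') * 10 + (SN[17] - '0');
    b = (SN[18] - '0') * 10 + (SN[19] - '0');
    if (a + b != 35)
        return 0;
    if (a * 4 + b * 2 != 94)
        return 0;
    return 1;
}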
由以上分析,分段暴力跑出 SN[0-8] = 'pediy2016', SN[13-15] = '153', SN[16-19] = '1223', VM中分析得到 SN[9-12] = 'cool'. 补充两点推导:0xD4C2086 = 223092870 = 2·3·5·7·11·13·17·19·23,恰好是9个不同素数之积,而SN2要求9个大于1且严格递增的整数相乘等于它,若不考虑32位乘法回绕,SN2只能是{2,3,5,7,11,13,17,19,23},于是 SN[i] = (SN2[i] + 'A') ^ key[i] 直接给出'pediy2016'(imul是32位回绕的,理论上可能存在溢出解,暴力结果与此一致);SN[16-19]令 a=SN[16..17], b=SN[18..19],由 a+b=35 与 4a+2b=94 解得 a=12, b=23,即'1223',为唯一解.
最终注册码为: pediy2016cool1531223
1.用了IDIV指令(00401326处),当除数为0时触发除零异常,由函数入口处安装的SEH帧改变程序走向,以此来验证前9位SN;计算结果不正确时不产生异常,函数正常返回,也就到不了第2步
2.用了一个简单的8位VM虚拟机来验证SN[10-20](此处按1计数,对应下文伪代码中的SN[9..19]),通过则提示成功
对于VM,本人实在是没怎么接触过,只是以前看过一些大神们的分析文章,知道大致的分析方法,不过主要还是人肉 :(,也是看到这个VM还算简单,就人肉了一下,要是复杂的,一定玩不下去了.

下面作一个简单的分析
; ---------------------------------------------------------------------
; sub_401120 - stage-1 serial check (OllyDbg dump, 32-bit x86, Intel syntax)
; Args:  [ebp+8]  = first argument; only passed on to 004013B0, meaning not visible here
;        [ebp+0C] = pointer to the serial string SN
; Frame: [ebp-4]  try-level (0 inside the guarded region, -1 outside)
;        [ebp-8]  pointer pushed at 00401125 (004080C0). The layout trylevel/table/handler/prev
;                 at [ebp-4..-10] matches the MSVC _except_handler3 frame, so this is presumably
;                 the SEH scope table - TODO confirm by reading 004080C0
;        [ebp-18] esp saved for the exception funclets at 00401338 / 0040133E
;        [ebp-24] 12-byte block from 0040436B(0C), released via 00404284 (alloc/free pair, presumably)
;        [ebp-48] int SN2[9], SN2[i] = (SN[i] ^ key[i]) - 'A'
;        [ebp-4C] len = 004042F0(SN)  (presumably strlen - TODO confirm)
;        [ebp-50] loop index i
;        [ebp-54] fail flag, 0 = still ok
;        [ebp-58] running product D
;        [ebp-64] 10 bytes copied from 004080B0; the first 9 are the xor key
; Exit:  a wrong serial falls through to 0040132B and returns normally. A right serial makes the
;        idiv at 00401326 fault (#DE); the exception path (0040133E) is the only route to the VM.
; ---------------------------------------------------------------------
00401120 $ 55 push ebp
00401121 . 8BEC mov ebp, esp
00401123 . 6A FF push -1 ; try-level = -1 -> [ebp-4]
00401125 . 68 C0804000 push 004080C0 ; -> [ebp-8] (scope table, presumably)
0040112A . 68 18454000 push 00404518 ; -> [ebp-0C] exception handler entry
0040112F . 64:A1 00000000 mov eax, fs:[0]
00401135 . 50 push eax ; -> [ebp-10] previous SEH record
00401136 . 64:8925 00000000 mov fs:[0], esp ; install the SEH frame: this is what turns the later #DE into a controlled jump
0040113D . 81C4 6CFFFFFF add esp, -94
00401143 . 53 push ebx
00401144 . 56 push esi
00401145 . 57 push edi
00401146 . 8965 E8 mov [ebp-18], esp ; save esp so the funclets below can restore it
00401149 . 8DBD 5CFFFFFF lea edi, [ebp-0A4]
0040114F . B9 23000000 mov ecx, 23
00401154 . B8 CCCCCCCC mov eax, CCCCCCCC
00401159 . F3:AB rep stos dword ptr [edi] ; fill locals with 0xCC (MSVC debug-build pattern, presumably)
0040115B . 6A 0C push 0C ; /Arg1 = 0C
0040115D . E8 09320000 call 0040436B ; \Crackme.0040436B - allocate a 12-byte block (allocator, presumably)
00401162 . 83C4 04 add esp, 4
00401165 . 8945 DC mov [ebp-24], eax ; [ebp-24] = buffer
00401168 . C745 B8 00000000 mov dword ptr [ebp-48], 0 ; SN2[0] = 0
0040116F . B9 08000000 mov ecx, 8
00401174 . 33C0 xor eax, eax
00401176 . 8D7D BC lea edi, [ebp-44]
00401179 . F3:AB rep stos dword ptr [edi] ; SN2[1..8] = 0
0040117B . C745 B4 00000000 mov dword ptr [ebp-4C], 0 ; len = 0
00401182 . C745 AC 00000000 mov dword ptr [ebp-54], 0 ; fail = 0
00401189 . C745 A8 01000000 mov dword ptr [ebp-58], 1 ; D = 1
00401190 . A1 B0804000 mov eax, [4080B0]
00401195 . 8945 9C mov [ebp-64], eax ; key[0..3]
00401198 . 8B0D B4804000 mov ecx, [4080B4]
0040119E . 894D A0 mov [ebp-60], ecx ; key[4..7]
004011A1 . 66:8B15 B8804000 mov dx, [4080B8]
004011A8 . 66:8955 A4 mov [ebp-5C], dx ; key[8] (plus one unused byte)
004011AC . 8D05 AC114000 lea eax, [4011AC]
004011B2 . 83C0 10 add eax, 10
004011B5 . 50 push eax
004011B6 . C3 retn ; push/retn trampoline to 4011BC - an anti-disassembly jump; bytes 4011B7..4011BB are never executed
004011B7 90 nop
004011B8 90 nop
004011B9 90 nop
004011BA 90 nop
004011BB 90 nop
004011BC 90 nop
004011BD 90 nop
004011BE 90 nop
004011BF 90 nop
004011C0 . 90 nop
004011C1 . 90 nop
004011C2 . 90 nop
004011C3 /. C745 FC 00000000 mov dword ptr [ebp-4], 0 ; try-level 0: guarded region begins
004011CA |. 8B45 F8 mov eax, [ebp-8] ; src = the 004080C0 table pushed above
004011CD |. 8945 E4 mov [ebp-1C], eax
004011D0 |. 8B45 E4 mov eax, [ebp-1C]
004011D3 |. 8945 E0 mov [ebp-20], eax
004011D6 |. 8B4D DC mov ecx, [ebp-24]
004011D9 |. 8B55 E0 mov edx, [ebp-20]
004011DC |. 8B02 mov eax, [edx]
004011DE |. 8901 mov [ecx], eax ; buf[0] = src[0]
004011E0 |. 8B4D DC mov ecx, [ebp-24]
004011E3 |. 8B55 E0 mov edx, [ebp-20]
004011E6 |. 8B42 04 mov eax, [edx+4]
004011E9 |. 8941 04 mov [ecx+4], eax ; buf[1] = src[1]
004011EC |. 8B4D E0 mov ecx, [ebp-20]
004011EF |. 8B51 08 mov edx, [ecx+8]
004011F2 |. 83C2 06 add edx, 6 ; buf[2] = src[2] + 6
004011F5 |. 8B45 DC mov eax, [ebp-24]
004011F8 |. 8950 08 mov [eax+8], edx
004011FB |. 8B45 DC mov eax, [ebp-24]
004011FE |. 8945 F8 mov [ebp-8], eax ; [ebp-8] now points at the patched heap copy instead of the table in the image.
; If src is a standard {prevTryLevel, filter, handler} entry whose handler is 00401338, the +6 moves it
; past the 6-byte decoy funclet (00401338: mov esp,[ebp-18] / xor eax,eax / retn) to 0040133E, i.e.
; the table visible in the file is not the one the runtime uses - TODO confirm against 004080C0
00401201 |. 8B4D 0C mov ecx, [ebp+0C]
00401204 |. 51 push ecx ; /Arg1 = SN
00401205 |. E8 E6300000 call 004042F0 ; \Crackme.004042F0 - length of SN (presumably strlen)
0040120A |. 83C4 04 add esp, 4
0040120D |. 8945 B4 mov [ebp-4C], eax ; len
00401210 |. 837D B4 0D cmp dword ptr [ebp-4C], 0D
00401214 |. 0F8C 11010000 jl 0040132B ; len < 13 -> fail (normal return, no exception)
0040121A |. C745 AC 00000000 mov dword ptr [ebp-54], 0
00401221 |. C745 B0 0D000000 mov dword ptr [ebp-50], 0D ; i = 13 (0-based, i.e. the 14th character)
00401228 |. EB 09 jmp short 00401233
0040122A |> 8B55 B0 /mov edx, [ebp-50]
0040122D |. 83C2 01 |add edx, 1
00401230 |. 8955 B0 |mov [ebp-50], edx ; i++
00401233 |> 8B45 B0 |mov eax, [ebp-50]
00401236 |. 3B45 B4 |cmp eax, [ebp-4C]
00401239 |. 7D 27 |jge short 00401262 ; while (i < len)
0040123B |. 8B4D 0C |mov ecx, [ebp+0C]
0040123E |. 034D B0 |add ecx, [ebp-50]
00401241 |. 0FBE11 |movsx edx, byte ptr [ecx]
00401244 |. 83FA 30 |cmp edx, 30 ; every SN[i] for i >= 13 must be '0'..'9' (signed compare after movsx, so bytes >= 0x80 fail too)
00401247 |. 7C 0E |jl short 00401257
00401249 |. 8B45 0C |mov eax, [ebp+0C]
0040124C |. 0345 B0 |add eax, [ebp-50]
0040124F |. 0FBE08 |movsx ecx, byte ptr [eax]
00401252 |. 83F9 39 |cmp ecx, 39
00401255 |. 7E 09 |jle short 00401260
00401257 |> C745 AC 01000000 |mov dword ptr [ebp-54], 1 ; fail = 1
0040125E |. EB 02 |jmp short 00401262
00401260 |>^ EB C8 \jmp short 0040122A
00401262 |> 837D AC 00 cmp dword ptr [ebp-54], 0
00401266 |. 0F85 BF000000 jne 0040132B ; any non-digit -> fail
0040126C |. C745 B0 00000000 mov dword ptr [ebp-50], 0 ; i = 0
00401273 |. EB 09 jmp short 0040127E
00401275 |> 8B55 B0 /mov edx, [ebp-50]
00401278 |. 83C2 01 |add edx, 1
0040127B |. 8955 B0 |mov [ebp-50], edx
0040127E |> 837D B0 08 |cmp dword ptr [ebp-50], 8
00401282 |. 7F 1F |jg short 004012A3 ; for (i = 0; i <= 8; i++)
00401284 |. 8B45 0C |mov eax, [ebp+0C]
00401287 |. 0345 B0 |add eax, [ebp-50]
0040128A |. 0FBE08 |movsx ecx, byte ptr [eax] ; ecx = SN[i], sign-extended
0040128D |. 8B55 B0 |mov edx, [ebp-50]
00401290 |. 0FBE4415 9C |movsx eax, byte ptr [edx+ebp ; listing truncated: opcode 0FBE4415 9C = movsx eax, byte ptr [ebp+edx-64] = key[i]
00401295 |. 33C8 |xor ecx, eax
00401297 |. 83E9 41 |sub ecx, 41
0040129A |. 8B55 B0 |mov edx, [ebp-50]
0040129D |. 894C95 B8 |mov [edx*4+ebp-48], ecx ; SN2[i] = (SN[i] ^ key[i]) - 'A' for the first 9 characters (0-based SN[0..8])
004012A1 |.^ EB D2 \jmp short 00401275
004012A3 |> 837D B8 01 cmp dword ptr [ebp-48], 1 ; SN2[0] must be > 1
004012A7 |. 7F 07 jg short 004012B0
004012A9 |. C745 AC 01000000 mov dword ptr [ebp-54], 1 ; fail = 1 (only tested after the next loop)
004012B0 |> C745 B0 00000000 mov dword ptr [ebp-50], 0
004012B7 |. EB 09 jmp short 004012C2
004012B9 |> 8B45 B0 /mov eax, [ebp-50]
004012BC |. 83C0 01 |add eax, 1
004012BF |. 8945 B0 |mov [ebp-50], eax
004012C2 |> 837D B0 08 |cmp dword ptr [ebp-50], 8
004012C6 |. 7D 1B |jge short 004012E3 ; for (i = 0; i < 8; i++)
004012C8 |. 8B4D B0 |mov ecx, [ebp-50]
004012CB |. 8B55 B0 |mov edx, [ebp-50]
004012CE |. 8B448D B8 |mov eax, [ecx*4+ebp-48] ; SN2 must be strictly increasing:
004012D2 |. 3B4495 BC |cmp eax, [edx*4+ebp-44] ; SN2[i] < SN2[i+1] (signed compare)
004012D6 |. 7C 09 |jl short 004012E1
004012D8 |. C745 AC 01000000 |mov dword ptr [ebp-54], 1 ; fail = 1
004012DF |. EB 02 |jmp short 004012E3
004012E1 |>^ EB D6 \jmp short 004012B9
004012E3 |> 837D AC 00 cmp dword ptr [ebp-54], 0
004012E7 |. 75 42 jne short 0040132B ; fail -> normal return
004012E9 |. C745 A8 01000000 mov dword ptr [ebp-58], 1 ; D = 1
004012F0 |. C745 B0 00000000 mov dword ptr [ebp-50], 0 ; for (i = 0; i < 9; i++)
004012F7 |. EB 09 jmp short 00401302
004012F9 |> 8B4D B0 /mov ecx, [ebp-50]
004012FC |. 83C1 01 |add ecx, 1
004012FF |. 894D B0 |mov [ebp-50], ecx
00401302 |> 837D B0 09 |cmp dword ptr [ebp-50], 9
00401306 |. 7D 10 |jge short 00401318
00401308 |. 8B55 B0 |mov edx, [ebp-50]
0040130B |. 8B45 A8 |mov eax, [ebp-58]
0040130E |. 0FAF4495 B8 |imul eax, [edx*4+ebp-48] ; D = D * SN2[i] (32-bit wrapping multiply)
00401313 |. 8945 A8 |mov [ebp-58], eax
00401316 |.^ EB E1 \jmp short 004012F9
00401318 |> B9 86204C0D mov ecx, 0D4C2086 ; ecx = 0xD4C2086 - D, zero only when D == 0xD4C2086 (= 223092870 = 2*3*5*7*11*13*17*19*23)
0040131D |. 2B4D A8 sub ecx, [ebp-58]
00401320 |. B8 64000000 mov eax, 64
00401325 |. 99 cdq
00401326 |. F7F9 idiv ecx ; 100 / ecx: with ecx == 0 this raises #DE and control leaves through the SEH frame - the only way to reach 0040133E. Any other ecx just continues to the failure exit.
00401328 |. 8945 A8 mov [ebp-58], eax
0040132B |> C745 FC FFFFFFFF mov dword ptr [ebp-4], -1 ; leave the guarded region (failure exit)
00401332 \. EB 3F jmp short 00401373
00401334 /. 8B45 EC mov eax, [ebp-14] ; funclet: returns whatever is at [ebp-14] (filter result, presumably)
00401337 \. C3 retn
00401338 /. 8B65 E8 mov esp, [ebp-18] ; 6-byte funclet: restores esp, returns 0, does nothing else (decoy, if the static table points here)
0040133B |. 33C0 xor eax, eax
0040133D \. C3 retn
0040133E /. 8B65 E8 mov esp, [ebp-18] ; = 00401338 + 6; per the author this is where the divide-by-zero exception lands. Restores esp, then runs the VM.
00401341 |. 8B55 0C mov edx, [ebp+0C]
00401344 |. 52 push edx ; SN
00401345 |. 8B45 08 mov eax, [ebp+8]
00401348 |. 50 push eax ; arg0
00401349 |. E8 62000000 call 004013B0 ; VM stage (per the write-up): SN[9..12] == "cool", SN[13..19] == "1531223"; prints success when it passes
0040134E |. 83C4 08 add esp, 8
00401351 |. 837D DC 00 cmp dword ptr [ebp-24], 0
00401355 |. 74 13 je short 0040136A
00401357 |. 8B4D DC mov ecx, [ebp-24]
0040135A |. 51 push ecx
0040135B |. E8 242F0000 call 00404284 ; release the 12-byte block
00401360 |. 83C4 04 add esp, 4
00401363 |. C745 DC 00000000 mov dword ptr [ebp-24], 0
0040136A |> C745 FC FFFFFFFF mov dword ptr [ebp-4], -1
00401371 \. EB 19 jmp short 0040138C
00401373 /> 837D DC 00 cmp dword ptr [ebp-24], 0 ; failure exit: same block release
00401377 |. 74 13 je short 0040138C
00401379 |. 8B55 DC mov edx, [ebp-24]
0040137C |. 52 push edx
0040137D |. E8 022F0000 call 00404284
00401382 |. 83C4 04 add esp, 4
00401385 |. C745 DC 00000000 mov dword ptr [ebp-24], 0
0040138C |> 8B4D F0 mov ecx, [ebp-10]
0040138F |. 64:890D 00000000 mov fs:[0], ecx ; uninstall the SEH frame
00401396 |. 5F pop edi
00401397 |. 5E pop esi
00401398 |. 5B pop ebx
00401399 |. 81C4 A4000000 add esp, 0A4
0040139F |. 3BEC cmp ebp, esp
004013A1 |. E8 C62E0000 call 0040426C ; [Crackme.0040426C - stack-pointer sanity check (MSVC debug _chkesp pattern, presumably)
004013A6 |. 8BE5 mov esp, ebp
004013A8 |. 5D pop ebp
004013A9 \. C3 retn
设注册码为SN
程序验证流程大致为(索引从0开始,与上面反汇编中的注释一致):
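/*
 * Stage-1 serial check, reconstructed from the native code at 00401120 above.
 * Indices are 0-based.  Returns 1 when the serial would reach the idiv-by-zero
 * at 00401326 (which hands control to the VM stage), 0 when the native code
 * would take the normal failure exit at 0040132B.
 *
 * Arithmetic mirrors the listing: SN[i] and key[i] are sign-extended bytes
 * (movsx), SN2[i] is a 32-bit int, and the product is a plain 32-bit imul,
 * so it is accumulated in an unsigned int to get the same wrap-around.
 */
static const unsigned char key[9] = {0x33,0x21,0x22,0x21,0x35,0x7c,0x62,0x65,0x6e};

static int check_stage1(const char *SN)
{
    size_t lenSN = strlen(SN);
    int SN2[9];
    unsigned int d = 1;
    size_t i;

    /* 00401210: fewer than 13 characters fails before anything else is looked at */
    if (lenSN < 13)
        return 0;
    /* 00401221..00401262: every character from SN[13] to the end must be a decimal digit */
    for (i = 13; i < lenSN; i++) {
        if ((signed char)SN[i] < '0' || (signed char)SN[i] > '9')
            return 0;
    }
    /* 0040126C..004012A1: SN2[i] = (SN[i] ^ key[i]) - 'A' for the first nine characters */
    for (i = 0; i < 9; i++)
        SN2[i] = ((int)(signed char)SN[i] ^ (int)key[i]) - 'A';
    /* 004012A3: the first value must exceed 1 */
    if (SN2[0] <= 1)
        return 0;
    /* 004012B0..004012E1: the nine values must be strictly increasing (signed compare) */
    for (i = 0; i < 8; i++) {
        if (SN2[i] >= SN2[i + 1])
            return 0;
    }
    /* 004012E9..00401316: product of all nine (32-bit wrapping multiply) */
    for (i = 0; i < 9; i++)
        d *= (unsigned int)SN2[i];
    /* 00401318: 0xD4C2086 - d must be 0, otherwise the idiv does not fault and stage 2 is never reached */
    return d == 0xD4C2086u;
}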
后面VM部分通过人肉,得出大致的验证为(分析中可能有错漏,SN[13-15]暴力跑出二组数据153 和 371,不过只有一组(153)能通过;两者都满足下面的立方和等式,371被拒的具体原因本文没有还原出来):
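/*
 * Stage-2 check: what the author recovered by hand from the 8-bit VM entered
 * at 004013B0 (the write-up itself flags this reconstruction as possibly
 * incomplete).  Indices are 0-based.  Returns 1 on success, 0 on failure.
 * The length check comes first, so every index used below is in bounds.
 */
static int check_stage2(const char *SN)
{
    int n13, n14, n15, a, b;

    /* the VM first insists on exactly 20 characters */
    if (strlen(SN) != 20)
        return 0;
    /* SN[9..12] must be the literal "cool" */
    if (strncmp(SN + 9, "cool", 4) != 0)
        return 0;
    /* from here on work with digit values, SN[x] - '0' (stage 1 already required SN[13..] to be digits) */
    n13 = SN[13] - '0';
    n14 = SN[14] - '0';
    n15 = SN[15] - '0';
    /* SN[13..15], read as a three-digit number, must equal the sum of the cubes of its digits */
    if (n13 * 100 + n14 * 10 + n15 != n13 * n13 * n13 + n14 * n14 * n14 + n15 * n15 * n15)
        return 0;
    /* a = SN[16..17], b = SN[18..19] as two-digit numbers: a + b == 35 and 4a + 2b == 94,
       which has the single solution a = 12, b = 23 */
    a = (SN[16] - '0') * 10 + (SN[17] - '0');
    b = (SN[18] - '0') * 10 + (SN[19] - '0');
    if (a + b != 35)
        return 0;
    if (a * 4 + b * 2 != 94)
        return 0;
    return 1;
}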
由以上分析,分段暴力跑出 SN[0-8] = 'pediy2016', SN[13-15] = '153', SN[16-19] = '1223', VM中分析得到 SN[9-12] = 'cool'. 补充两点推导:0xD4C2086 = 223092870 = 2·3·5·7·11·13·17·19·23,恰好是9个不同素数之积,而SN2要求9个大于1且严格递增的整数相乘等于它,若不考虑32位乘法回绕,SN2只能是{2,3,5,7,11,13,17,19,23},于是 SN[i] = (SN2[i] + 'A') ^ key[i] 直接给出'pediy2016'(imul是32位回绕的,理论上可能存在溢出解,暴力结果与此一致);SN[16-19]令 a=SN[16..17], b=SN[18..19],由 a+b=35 与 4a+2b=94 解得 a=12, b=23,即'1223',为唯一解.
最终注册码为: pediy2016cool1531223