Anti-debugging CrackMe — somewhat difficult, and the techniques involved go deep. For a detailed treatment see the pediy thread: http://bbs.pediy.com/showthread.php?threadid=10361
The CrackMe combines four protections: (1) an anti-debug trap built on SetUnhandledExceptionFilter, (2) timers (SetTimer) that make the dialog close on its own, (3) a built-in parent-process check, and (4) self-modifying code (SMC) that re-verifies its own key bytes and writes the originals back, so in-memory patches are undone.
Setting `bp ExitProcess` at this stage gets you nowhere — while the protections are active the process never reaches a normal ExitProcess (the breakpoint only becomes useful later in this write-up, after the checks have been dealt with).
; --- Anti-debug trap around the SetUnhandledExceptionFilter call (0x00401558) ---
; Sequence: install a top-level exception filter, save the previous one, then
; deliberately fault by writing through EAX = 0.  Without a debugger the filter
; just installed decides where execution resumes; under a debugger the access
; violation is delivered to the debugger first, which is why stepping over it
; lands in system code.  The filter function itself (pushed before 00401558)
; is not in view, so what it does on the fault cannot be told from this listing.
00401558|.E8 F3000000 CALL <JMP.&KERNEL32.SetUnhandledExceptio>; \SetUnhandledExceptionFilter
0040155D|.A3 68304000 MOV DWORD PTR DS:,EAX走过跳到系统领空nop ? ; [00403068] = previous filter (return value).  Author's note: "stepping over this jumps into system space - NOP it?"
00401562|.33C0 XOR EAX,EAX ; EAX = 0 -> the next store is a NULL-pointer write
00401564 C700 01000000 MOV DWORD PTR DS:,1 ; MOV DWORD PTR [EAX],1 (ModRM 00; operand lost in extraction): raises the access violation.  6-byte encoding - see the NOP patch at the end
; ... (gap in the listing up to 004015C8; the earlier DialogBoxParamA arguments, including the dialog procedure, are not shown)
004015C8|.6A 00 PUSH 0 ; |hOwner = NULL
004015CA|.6A 01 PUSH 1 ; |pTemplate = 1
004015CC|.FF35 70304000 PUSH DWORD PTR DS: ; |hInst = 00400000   ([00403070] holds the module base)
004015D2|.E8 07000000 CALL <JMP.&USER32.DialogBoxParamA> ; \DialogBoxParamA -- runs the dialog (procedure at 00401356); ExitProcess is called at 004015D9 once it returns
Stepping over the DialogBoxParamA call runs the whole dialog; with the checks active the process simply exits and the debug session ends (?). Stepping into it instead lands in USER32 code, not in the CrackMe:
; --- Where "step into" ended up: USER32 code at 0x77D3B10C, not the CrackMe ---
; An ordinary stdcall prologue (the 2-byte MOV EDI,EDI is the usual hot-patch
; slot), callee-saved pushes, then the first argument pushes of an internal
; call.  Nothing target-specific here; the way back into the CrackMe is a
; breakpoint on its own code section (the Alt+M step that follows).
77D3B10C >8BFF MOV EDI,EDI ; ntdll.7C930738
77D3B10E 55 PUSH EBP
77D3B10F 8BEC MOV EBP,ESP
77D3B111 53 PUSH EBX
77D3B112 56 PUSH ESI
77D3B113 8B75 08 MOV ESI,DWORD PTR SS: ; [EBP+8] = first argument (operand lost in extraction)
77D3B116 6A 00 PUSH 0
77D3B118 FF75 0C PUSH DWORD PTR SS: ; [EBP+0C] = second argument
Alt+M (memory map): set a breakpoint on the module's code section at 00401000, so execution breaks the next time control returns into the CrackMe's own code. It lands in the dialog procedure at 00401356:
; --- Dialog procedure (0x00401356): DlgProc(hWnd, uMsg, wParam, lParam) ---
; The procedure DialogBoxParamA runs for the 'CrackeMe' dialog.  Only the
; message dispatch and the start of the WM_INITDIALOG branch are in view; the
; listing skips from 0040135C to 0040137E.
00401356/.55 PUSH EBP
00401357|.8BEC MOV EBP,ESP
00401359|.53 PUSH EBX
0040135A|.57 PUSH EDI
0040135B|.56 PUSH ESI
0040135C|.8B45 0C MOV EAX,DWORD PTR SS: ; EAX = [EBP+0C] = uMsg
0040137E|> \3D 10010000 CMP EAX,110 ; 0x110 = WM_INITDIALOG
00401383|.75 7B JNZ SHORT XiaoZi'C.00401400 ; any other message: dispatch continues at 00401400 (where WM_TIMER is tested)
00401385|.E8 94FCFFFF CALL XiaoZi'C.0040101E ? ; first thing on WM_INITDIALOG: the parent-process check routine (listed below)
0040138A|.68 00100000 PUSH 1000 ; /RsrcName = 4096.
0040138F|.FF35 70304000 PUSH DWORD PTR DS: ; |hInst = 00400000
00401395|.E8 56020000 CALL <JMP.&USER32.LoadIconA> ; \LoadIconA -- hIcon = LoadIconA(hInst, 1000)
0040139A|.50 PUSH EAX ; /lParam ; lParam = hIcon
0040139B|.6A 01 PUSH 1 ; |wParam = 1 ; presumably the start of a WM_SETICON send - the call itself is not in view
; --- Parent-process check (0x0040101E), called from the WM_INITDIALOG branch ---
; Walks a process list with a PROCESSENTRY32 on the stack ([EBP-128]; 0x128 =
; 296 bytes = sizeof(PROCESSENTRY32), ANSI), looks for the entry whose
; th32ProcessID equals GetCurrentProcessId(), and finally compares a path
; string against "C:\WINDOWS\Explorer.EXE" with lstrcmpA.  The snapshot /
; Process32* calls and the lookup of the parent's path fall in the gaps of
; this listing.
0040101E/$55 PUSH EBP
0040101F|.8BEC MOV EBP,ESP
00401021|.81C4 D4FEFFFF ADD ESP,-12C ; 0x12C bytes of locals
00401027|.68 28010000 PUSH 128 ; /Length = 128 (296.)
0040102C|.8D85 D8FEFFFF LEA EAX,DWORD PTR SS: ; | EAX = &[EBP-128] (the PROCESSENTRY32)
00401032|.50 PUSH EAX ; |Destination
00401033|.E8 12060000 CALL <JMP.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
00401038|.C785 D8FEFFFF>MOV DWORD PTR SS:,128 ; pe.dwSize = 0x128 (must be set before Process32First)
00401063|. /EB 1F JMP SHORT XiaoZi'C.00401084 ; enter the loop at its condition (00401084, not in view)
00401065|> |E8 B0050000 /CALL <JMP.&KERNEL32.GetCurrentProcessId>; [GetCurrentProcessId
0040106A|. |3B85 E0FEFFFF |CMP EAX,DWORD PTR SS: ; EAX vs [EBP-120] = pe.th32ProcessID (offset 8 in PROCESSENTRY32)
00401070|. |74 26 |JE SHORT XiaoZi'C.00401098 ? ; found our own entry -> 00401098 (presumably reads pe.th32ParentProcessID there; not in view)
00401072|. |8D85 D8FEFFFF |LEA EAX,DWORD PTR SS: ; EAX = &pe again
00401078|. |50 |PUSH EAX ; /pProcessentry ; next iteration (presumably Process32Next; the call is not in view)
; ... (00401108: comparison of the parent's image path)
00401108|.68 7C364000 PUSH XiaoZi'C.0040367C ; |String1 = "C:\WINDOWS\Explorer.EXE" ; hard-coded path, case-sensitive compare (lstrcmpA) - any other Windows path fails
0040110D|.E8 50050000 CALL <JMP.&KERNEL32.lstrcmpA> ; \lstrcmpA
00401112|.85C0 TEST EAX,EAX ; 0 = strings equal
00401114|.74 68 JE SHORT XiaoZi'C.0040117E ?关键 ; KEY (author): parent is Explorer -> 0040117E (pass).  Started from OllyDbg, the parent is the debugger, so this is not taken
00401116|.EB 12 JMP SHORT XiaoZi'C.0040112A ; otherwise skip over the inline string below
00401118|.5C 53 79 73 7>ASCII "\System32\cmd.ex" ; data embedded in the code section (presumably a second accepted parent, cmd.exe; its comparison is not in view)
Call stack (main thread), entry 8 — the result box: MessageBoxA, called through [00403884] at 004012AD, reaches MessageBoxExA inside USER32, so a breakpoint on MessageBoxExA catches it (presumably how this entry was obtained).
Address = 0012FB88
Stack = 77D505CF
Procedure / arguments = ? USER32.MessageBoxExA
Called from = USER32.77D505CA
Frame = 0012FB84
; --- Serial check (0x004011EF) ---
; Two byte-wise loops each XOR an input buffer with a fixed table and add the
; results into a running sum; the two sums are then tested against each other.
; Globals (addresses recovered from the opcode bytes - the operands were lost
; in extraction):
;   [00403056] name length     [00403000] name buffer    [00403074] table 1   [0040304E] sum 1
;   [0040305A] second length   [00403025] second buffer  [004030F4] table 2   [00403052] sum 2
;   [0040304A] flag written (=1) by the WM_INITDIALOG timer code at 004013F1
;   [00403884] MessageBoxA pointer
; Which buffer is the name and which the serial is the author's reading (the
; "username too short" box is tied to the first length).
004011EF > \A1 56304000 mov eax, 关键算法 ; mov eax,[00403056] (name length).  "关键算法" = key algorithm
004011F4 .83F8 06 cmp eax, 6
004011F7 .0F8C 97000000 jl 00401294 ; length < 6 (signed compare) -> "Error" via the push/ret at 00401294.  6-byte encoding
004011FD .50 push eax
004011FE .59 pop ecx ; ECX = name length = loop counter
004011FF .8D35 00304000 lea esi, ; ESI = 00403000 (name)
00401205 .8D3D 74304000 lea edi, ; EDI = 00403074 (table 1)
0040120B >33C0 xor eax, eax ; loop 1
0040120D .33DB xor ebx, ebx
0040120F .8B07 mov eax, ; EAX = [EDI] (table dword)
00401211 .8B1E mov ebx, ; EBX = [ESI] (name dword)
00401213 .25 FF000000 and eax, 0FF ; keep the low byte of each
00401218 .81E3 FF000000 and ebx, 0FF
0040121E .33C3 xor eax, ebx ; name[i] ^ table1[i]
00401220 .0305 4E304000 add eax, ; + [0040304E]
00401226 .A3 4E304000 mov , eax ; [0040304E] = running sum 1 (not reset anywhere in this listing)
0040122B .46 inc esi
0040122C .47 inc edi
0040122D .^ E2 DC loopd short 0040120B ; dec ecx / jnz.  With ECX = 0 this wraps to 2^32 iterations - the jl above is the only guard
0040122F .33C9 xor ecx, ecx
00401231 .8B0D 5A304000 mov ecx, ; ECX = [0040305A] (second length; no lower bound is checked, same loopd caveat)
00401237 .8D35 25304000 lea esi, ; ESI = 00403025 (second buffer)
0040123D .8D3D F4304000 lea edi, ; EDI = 004030F4 (table 2)
00401243 >33C0 xor eax, eax ; loop 2, same shape as loop 1
00401245 .33DB xor ebx, ebx
00401247 .8B07 mov eax,
00401249 .8B1E mov ebx,
0040124B .25 FF000000 and eax, 0FF
00401250 .81E3 FF000000 and ebx, 0FF
00401256 .33C3 xor eax, ebx
00401258 .0305 52304000 add eax, ; + [00403052]
0040125E .A3 52304000 mov , eax ; [00403052] = running sum 2
00401263 .46 inc esi
00401264 .47 inc edi
00401265 .^ E2 DC loopd short 00401243
00401267 .A1 52304000 mov eax, ; EAX = sum 2
0040126C .8B1D 4A304000 mov ebx, ; EBX = [0040304A] (the timer flag)
; 00401272: two bytes missing from the listing - the instruction that sets the flags for the next jnz (presumably test ebx,ebx)
00401274 . /75 3A jnz short 004012B0 ?关键跳 ; KEY JUMP 1 (author): flag set -> failure path.  Bytes 75 3A are what the self-check at 0040130D verifies
00401276 . |8505 4E304000 test , eax ; test [0040304E],eax : ZF set iff (sum1 AND sum2) == 0
0040127C . |75 32 jnz short 004012B0 ?关键跳 ; KEY JUMP 2 (author): sums overlap -> failure.  Bytes 75 32 are verified by the self-check at 00401341
0040127E . |6A 00 push 0 ; uType
00401280 . |68 98114000 push 00401198 ;ASCII "Yeah" ; lpCaption
00401285 . |68 C4114000 push 004011C4 ; lpText
0040128A . |6A 00 push 0 ; hWnd
0040128C . |A1 84384000 mov eax, ; EAX = [00403884] = MessageBoxA
00401291 . |FFD0 call eax ; success box
00401293 . |C3 retn
00401294 > |68 9A124000 push 0040129A ; push/ret = obfuscated jmp 0040129A (target of the jl above)
00401299 . |C3 retn
0040129A . |6A 00 push 0
0040129C . |68 9F114000 push 0040119F ;ASCII "Error" ; lpCaption
004012A1 . |68 E2114000 push 004011E2 ; lpText ("username too short" according to the author)
004012A6 . |6A 00 push 0
004012A8 . |A1 84384000 mov eax,
004012AD . |FFD0 call eax ; MessageBoxA
004012AF . |C3 retn
004012B0 > \6A 00 push 0 ; failure path of the two key jumps (its remaining pushes are not in view)
; The next three lines repeat 004012A6-004012AD from above (paste artifact); kept as found.
004012A6 .6A 00 push 0
004012A8 .A1 84384000 mov eax,
004012AD .FFD0 call eax ;USER32.MessageBoxA
"Username too short" — the Error box reached through the jl at 004011F7 when the name length is below 6.
In the command-line plugin, set a hardware write breakpoint on each of the two key jumps separately, to catch whatever writes their bytes back:
hw 00401274
hw 0040127C
; --- SMC self-check (0x00401301): restores the two key jumps if they were patched ---
; For each site it reads the bytes in place and compares the low word with the
; original jnz encoding (75 3A at 00401274, 75 32 at 0040127C).  If they differ
; it makes the page writable with VirtualProtect and writes the original bytes
; back, undoing any in-memory patch - hence the author's hardware write
; breakpoints on both addresses.  Globals: [00403890] = address being checked,
; [00403894] = old protection.
; Weaknesses worth noting: if site 1 is intact the routine returns immediately
; (JE 00401355), so site 2 is only verified after site 1 has been tampered
; with; the second restore has no VirtualProtect of its own and relies on the
; first one; and the VirtualProtect return value is never checked.
; What calls this routine is not in view (the 1 s timer, id 6, is a candidate).
00401301/$B8 74124000 MOV EAX,55.00401274 ; EAX = address of key jump 1
00401306|.A3 90384000 MOV DWORD PTR DS:,EAX ; [00403890] = EAX
0040130B|.8B18 MOV EBX,DWORD PTR DS: ; EBX = [EAX] : the bytes currently at 00401274
0040130D|.66:81FB 753ACMP BX,3A75 ? ; low word == 75 3A (jnz short +3A)?  5-byte encoding - see the cmp bx,bx patch
00401312|.74 41 JE SHORT 55.00401355 ; intact -> return (site 2 is NOT checked in that case)
00401314|.68 94384000 PUSH 55.00403894 ; /pOldProtect = 55.00403894
00401319|.6A 40 PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
0040131B|.6A 10 PUSH 10 ; |Size = 10 (16.)
0040131D|.FF35 90384000 PUSH DWORD PTR DS: ; |Address = 55.00401274
00401323|.E8 2E030000 CALL <JMP.&KERNEL32.VirtualProtect> ; \VirtualProtect (return value ignored)
00401328|.A1 90384000 MOV EAX,DWORD PTR DS: ; EAX = [00403890]
0040132D|.BB 753A0000 MOV EBX,3A75
00401332|.66:8918 MOV WORD PTR DS:,BX ; [EAX] = 75 3A : restores jnz short 004012B0
00401335|.B8 7C124000 MOV EAX,55.0040127C ; same for key jump 2
0040133A|.A3 90384000 MOV DWORD PTR DS:,EAX
0040133F|.8B18 MOV EBX,DWORD PTR DS:
00401341|.66:81FB 7532CMP BX,3275 ? ; low word == 75 32?
00401346|.74 0D JE SHORT 55.00401355
00401348|.A1 90384000 MOV EAX,DWORD PTR DS:
0040134D|.BB 75320000 MOV EBX,3275
00401352|.66:8918 MOV WORD PTR DS:,BX ; [EAX] = 75 32 (no VirtualProtect here; the page is already RWX from the first site)
00401355\>C3 RETN
bp ExitProcess — now it does fire; stack at the breakpoint:
0012FFB8 00000000
0012FFBC 004015DE /CALL to ExitProcess from 66.004015D9 (shortly after the DialogBoxParamA call at 004015D2 returns)
0012FFC0 00000000 \ExitCode = 0
0012FFC4 7C816FD7 return to kernel32.7C816FD7
0012FFC8 7C930738 ntdll.7C930738
bp SetTimer — stack at the breakpoint. This call sits in the dialog procedure's WM_INITDIALOG branch (00401385–004013FB); a second, conditional SetTimer (id 5, 10 s) follows at 004013EC.
0012FD40 004013BB /CALL to SetTimer from 66.004013B6
0012FD44 003B04DC |hWnd = 003B04DC ('CrackeMe', class='#32770')
0012FD48 00000006 |TimerID = 6
0012FD4C 000003E8 |Timeout = 1000. ms
0012FD50 00000000 \Timerproc = NULL
0012FD54 00401356 66.00401356
; --- Tail of the WM_INITDIALOG branch (timers) and the WM_TIMER handler ---
; Still inside the WM_INITDIALOG branch of the dialog procedure (it runs from
; 00401385 to the JMP at 004013FB; other messages arrive at 00401400).
; What produced EAX before 004013D7 is not in view.
004013D7 .83F8 FF CMP EAX,-1
004013DA 0F84 1C010000 JE 66.004014FC 时间效验关键跳 ; "time-check key jump" (author): EAX == -1 skips the timer and the flag below
004013E0 .6A 00 PUSH 0 ; /Timerproc = NULL
004013E2 .68 10270000 PUSH 2710 ; |Timeout = 10000. ms
004013E7 .6A 05 PUSH 5 ; |TimerID = 5
004013E9 .FF75 08 PUSH DWORD PTR SS: ; |hWnd ; [EBP+8]
004013EC .E8 0B020000 CALL <JMP.&USER32.SetTimer> ; \SetTimer时间效验 ; SetTimer(hWnd, 5, 10 s, NULL): delivers WM_TIMER wParam=5 ten seconds later -> WM_CLOSE below
004013F1 .C705 4A304000>MOV DWORD PTR DS:,1 ; [0040304A] = 1 : the flag the serial check loads into EBX at 0040126C before key jump 1
004013FB .E9 FC000000 JMP 66.004014FC
00401400 >3D 13010000 CMP EAX,113 ; 0x113 = WM_TIMER
00401405 .75 33 JNZ SHORT 66.0040143A ; other messages
00401407 .8B45 10 MOV EAX,DWORD PTR SS: ; EAX = [EBP+10] = wParam = timer id
0040140A .83F8 05 CMP EAX,5
0040140D .75 13 JNZ SHORT 66.00401422 ; other timer ids (e.g. the 1 s timer, id 6) are handled at 00401422 - not in view
0040140F .6A 00 PUSH 0 ; /lParam = 0
00401411 .6A 00 PUSH 0 ; |wParam = 0
00401413 .6A 10 PUSH 10 ; |Message = WM_CLOSE
00401415 .FF75 08 PUSH DWORD PTR SS: ; |hWnd ; [EBP+8]; the Send/PostMessage call follows (not in view): the dialog closes itself 10 s after timer 5 was armed
hread: reads data from a file into a memory buffer; hwrite: writes data from a memory buffer to a file. (Presumably the Win16-compatibility file functions _hread/_hwrite, noted for reference only — the SMC here writes memory, not a file.)
SMC has to write to the code bytes, so there is always a memory-write event to catch. An OllyDbg memory (page-guard) write breakpoint does not trigger here, though — presumably because the self-check routine first calls VirtualProtect(00401274, 0x10, PAGE_EXECUTE_READWRITE), which replaces the page protection the memory breakpoint relies on. Use a hardware write breakpoint (`hw`) instead; a breakpoint on VirtualProtect itself is another way to locate the routine.
; Patch 1 - anti-debug trap: remove the deliberate NULL write that follows
; SetUnhandledExceptionFilter.  C7 00 01 00 00 00 is 6 bytes, so 6 NOPs keep
; every following address unchanged.  Caveat: with the fault gone, whatever the
; installed filter does on the exception never runs; the filter is not in view,
; so check that nothing later depends on it.
00401564 |.C700 01000000 mov dword ptr ds:,1//SetUnhandledExceptio anti-tracing (mov dword ptr [eax],1 with eax = 0)
; "修改为" = change to:
修改为
00401564 90 nop
00401565 90 nop
00401566 90 nop
00401567 90 nop
00401568 90 nop
00401569 90 nop
; Patch 2 - parent-process check: force the "parent is Explorer" branch.
; 74 68 (je) -> EB 68 (jmp): same length, same target 0040117E, so the check
; passes regardless of who launched the process (started from OllyDbg, the
; parent is the debugger, not Explorer.EXE).
00401114 |.74 68 je short XiaoZi'C.0040117E//parent-process check.
; "修改为" = change to:
修改为
00401114 /EB 68 jmp short XiaoZi'C.0040117E
; Patch 3 - name-length check: drop the "length < 6 -> Error" jump.
; 0F 8C 97 00 00 00 is 6 bytes -> 6 NOPs.  Caveat: this jl was also the only
; guard in front of the `loopd` at 0040122D, whose counter is the name length;
; with an empty name ECX = 0 and the loop wraps to 2^32 iterations, reading
; far past the buffers.  Only use this patch with a non-empty name.
004011F7 /0F8C 97000000 jl XiaoZi'C.00401294
; "修改为" = change to:
修改为
004011F7 90 nop
004011F8 90 nop
004011F9 90 nop
004011FA 90 nop
004011FB 90 nop
004011FC 90 nop
; Patch 4 - key jump 1 (timer flag): 75 3A (2 bytes) -> 2 NOPs.  These are
; exactly the bytes the self-check at 0040130D compares against 3A75, so
; without patch 6 they are written back the next time that routine runs.
00401274 . /75 3A jnz short XiaoZi'C.004012B0
; "修改为" = change to:
修改为
00401274 90 nop
00401275 90 nop
; Patch 5 - key jump 2 (sum test): 75 32 (2 bytes) -> 2 NOPs.  Verified by the
; self-check at 00401341 (only reached once site 1 has been found tampered),
; so this too depends on patches 6/7 to stick.
0040127C /75 32 jnz short XiaoZi'C.004012B0
; "修改为" = change to:
修改为
0040127C 90 nop
0040127D 90 nop
; Patch 6 - defeat the self-check for site 1: 66 81 FB 75 3A (cmp bx,3A75,
; 5 bytes) -> 66 3B DB (cmp bx,bx, 3 bytes) + 2 NOPs.  ZF is now always set,
; so the JE at 00401312 is always taken and the restore code never runs.
; Because that JE returns from the routine, this one change also keeps site 2
; from ever being checked; patch 7 is defensive.
0040130D 66:81FB 753A cmp bx,3A75
; "compare it with itself - of course the check always passes" (author)
自己和自己比,当然永远校验通过。
0040130D 66:3BDB cmp bx,bx
00401310 90 nop
00401311 90 nop
; Patch 7 - same for site 2: 66 81 FB 75 32 -> 66 3B DB + 2 NOPs; the JE at
; 00401346 is then always taken.  With patch 6 in place this code is not
; reached anyway (the first JE returns from the routine), so this is defensive.
00401341 66:81FB 7532 cmp bx,3275
; "compare it with itself - of course the check always passes" (author)
自己和自己比,当然永远校验通过。
00401341 66:3BDB cmp bx,bx
00401344 90 nop
00401345 90 nop
After these patches it exits on its own — OK. This one is quite interesting! Note that the patch list does not touch the timer path (SetTimer id 5, 10 s, at 004013EC and the WM_TIMER → WM_CLOSE handling at 00401400–00401415), so if the dialog still closes by itself after ten seconds, that is the place to look.