PYG 5.4 Cracker Group, Extra Exercise 13
Requirements: 1) patch it (爆破)
2) trace the serial (追码)
3) memory keygen (内存注册机)
4) algorithm analysis (optional)
The exercise is only meant to consolidate what you have learned.
Please exchange ideas and discuss with each other actively.
++++++++++++++++++++++++
Hint:
This practice target is the one from the toolkit's built-in exercises, which originally was not packed.
This time it is packed to raise the difficulty, and the packer is included in the attachment too. Enjoy!

Unpacked and serial traced successfully!

Why does 猫 use an old version of PEiD? :D ;P

Originally posted by hyd009 on 2006-5-23 22:03:
Why does 猫 use an old version of PEiD? :D ;P
What do you mean, bro?

Heh... after a few days of study I finally understand a bit of the serial-tracing process!
After unpacking, PEiD identifies it as Borland Delphi 6.0 - 7.0. Tracing the serial:
00450391|> \8D55 E4 lea edx, [ebp-1C]
00450394|.8B86 00030000 mov eax, dword ptr [esi+300]
0045039A|.E8 59F1FDFF call 0042F4F8
0045039F|.8B45 E4 mov eax, dword ptr [ebp-1C]
004503A2|.8B55 FC mov edx, dword ptr [ebp-4]
004503A5|.E8 5E42FBFF call 00404608
004503AA|.75 1B jnz short 004503C7
004503AC|.6A 40 push 40
004503AE|.68 60044500 push 00450460 ;ok:
004503B3|.68 64044500 push 00450464 ;恭喜你,注册成功!
004503B8|.8BC6 mov eax, esi
004503BA|.E8 AD57FEFF call 00435B6C
004503BF|.50 push eax ; |hOwner
004503C0|.E8 7769FBFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004503C5|.EB 19 jmp short 004503E0
004503C7|> \6A 30 push 30
004503C9|.68 28044500 push 00450428 ;error:
004503CE|.68 78044500 push 00450478 ;序列号不对呀,请再试试! // found this spot with the string-search plugin, then set the breakpoint here
004503D3|.8BC6 mov eax, esi
004503D5|.E8 9257FEFF call 00435B6C
004503DA|.50 push eax ; |hOwner
004503DB|.E8 5C69FBFF call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004503E0|>33C0 xor eax, eax
004503E2|.5A pop edx
004503E3|.59 pop ecx
004503E4|.59 pop ecx
004503E5|.64:8910 mov fs:[eax], edx
004503E8|.68 1F044500 push 0045041F
004503ED|>8D45 E4 lea eax, [ebp-1C]
004503F0|.E8 173EFBFF call 0040420C
Set a breakpoint with F2, press F9 to run, then enter username agonyboy and serial agonyboy111.
The pane at the lower right then shows this:
0012F3C4 00450428 ASCII "Error:"
0012F3C8 00000030
0012F3CC 0012F730 Pointer to next SEH record
0012F3D0 00450418 SE handler
0012F3D4 0012F400
0012F3D8 0012F57C
0012F3DC 0042870C Crackme1.0042870C
0012F3E0 00984404
0012F3E4 00985458 ASCII "agonyboy111" // the serial I typed at random
0012F3E8 00985428 ASCII "79"
0012F3EC 00985400 ASCII "agonyboy"
0012F3F0 009853D0 ASCII "agonyboy"
0012F3F4 009853B8 ASCII "agonyboy"
0012F3F8 009853E8 ASCII "agonyboy"
0012F3FC 00985438 ASCII "61676F6E79626F79" // this one is the correct serial
http://fying.98idc.com/aaa.jpg
[Last edited by 枫影 on 2006-5-26 10:22]

Could I ask the others: did you unpack it by hand or with a tool?
Please advise!
I used fly's OD unpacking script; I don't know any other method and am humbly learning.
Memory keygen
[Last edited by vacant on 2006-5-26 16:03]

Originally posted by vacant on 2006-5-26 15:52:
Could I ask the others: did you unpack it by hand or with a tool?
Please advise!
I used fly's OD unpacking script; I don't know any other method and am humbly learning.
Memory keygen

Manual unpack via the ESP rule... :D Reporting in:
I unpacked it by hand!
OK, load it in OD... all you need is to find the entry point. Following the ESP rule, set a hardware breakpoint at ESP-4; it breaks twice, and you see 0046DFA2 - E9 F926FEFF jmp Crackme1.004506A0
Press F8 once more and you are at the OEP:
004506A0/> /55 push ebp
004506A1|. |8BEC mov ebp, esp
004506A3|. |83C4 F0 add esp, -10
004506A6|. |B8 30054500 mov eax, Crackme1.00450530
004506AB|. |E8 C85EFBFF call Crackme1.00406578
004506B0|. |A1 241E4500 mov eax, dword ptr [451E24]
004506B5|. |8B00 mov eax, dword ptr [eax]
...
Right-click at 4506A0 and choose Dump process to save it; I saved it as DUMP.EXE. Luckily it runs directly after unpacking.
Decompile DUMP.EXE with DeDe, find the Button1Click handler, and you can see the following code.
004502B4 55 push ebp
004502B5 8BEC mov ebp, esp
004502B7 33C9 xor ecx, ecx
004502B9 51 push ecx
004502BA 51 push ecx
004502BB 51 push ecx
004502BC 51 push ecx
004502BD 51 push ecx
004502BE 51 push ecx
004502BF 51 push ecx
004502C0 53 push ebx
004502C1 56 push esi
004502C2 57 push edi
004502C3 8BF0 mov esi, eax
004502C5 33C0 xor eax, eax
004502C7 55 push ebp
004502C8 6818044500 push $00450418
***** TRY
|
004502CD 64FF30 push dword ptr fs:[eax]
004502D0 648920 mov fs:[eax], esp
004502D3 8D55F4 lea edx, [ebp-$0C]
* Reference to control Edit1 : N.A.
|
004502D6 8B86F8020000 mov eax, [esi+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
004502DC E817F2FDFF call 0042F4F8
004502E1 837DF400 cmp dword ptr [ebp-$0C], +$00
004502E5 751E jnz 00450305
004502E7 6A30 push $30
* Possible String Reference to: 'Error:'
|
004502E9 6828044500 push $00450428
* Possible String Reference to: '请输入用户名和序列号!'
|
004502EE 6830044500 push $00450430
004502F3 8BC6 mov eax, esi
* Reference to: Controls.TWinControl.GetHandle(TWinControl):HWND;
| or: QComCtrls.TTrackBar.GetHandle(TTrackBar):QClxSliderH;
| or: QComCtrls.TCustomViewControl.GetHandle(TCustomViewControl):QListViewH;
| or: QComCtrls.TCustomViewControl.ViewportHandle(TCustomViewControl):QWidgetH;
| or: QComCtrls.TCustomHeaderControl.GetHandle(TCustomHeaderControl):QHeaderH;
| or: QComCtrls.TCustomSpinEdit.GetHandle(TCustomSpinEdit):QClxSpinBoxH;
|
004502F5 E87258FEFF call 00435B6C
004502FA 50 push eax
|
004502FB E83C6AFBFF call 00406D3C
00450300 E9DB000000 jmp 004503E0
00450305 8D55F0 lea edx, [ebp-$10]
* Reference to control Edit1 : N.A.
|
00450308 8B86F8020000 mov eax, [esi+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
0045030E E8E5F1FDFF call 0042F4F8
00450313 8B45F0 mov eax, [ebp-$10]
* Reference to: System.@LStrLen(String):Integer;
| or: System.@DynArrayLength;
| or: System.DynArraySize(Pointer):Integer;
| or: Variants.DynArraySize(Pointer):Integer;
|
00450316 E8A941FBFF call 004044C4
0045031B 83F804 cmp eax, +$04
0045031E 7D1E jnl 0045033E
00450320 6A30 push $30
* Possible String Reference to: 'Error:'
|
00450322 6828044500 push $00450428
* Possible String Reference to: '用户名至少四个字符!'
|
00450327 6848044500 push $00450448
0045032C 8BC6 mov eax, esi
* Reference to: Controls.TWinControl.GetHandle(TWinControl):HWND;
| or: QComCtrls.TTrackBar.GetHandle(TTrackBar):QClxSliderH;
| or: QComCtrls.TCustomViewControl.GetHandle(TCustomViewControl):QListViewH;
| or: QComCtrls.TCustomViewControl.ViewportHandle(TCustomViewControl):QWidgetH;
| or: QComCtrls.TCustomHeaderControl.GetHandle(TCustomHeaderControl):QHeaderH;
| or: QComCtrls.TCustomSpinEdit.GetHandle(TCustomSpinEdit):QClxSpinBoxH;
|
0045032E E83958FEFF call 00435B6C
00450333 50 push eax
|
00450334 E8036AFBFF call 00406D3C
00450339 E9A2000000 jmp 004503E0
0045033E 8D55F8 lea edx, [ebp-$08]
* Reference to control Edit1 : N.A.
|
00450341 8B86F8020000 mov eax, [esi+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00450347 E8ACF1FDFF call 0042F4F8
0045034C 8D55EC lea edx, [ebp-$14]
* Reference to control Edit1 : N.A.
|
0045034F 8B86F8020000 mov eax, [esi+$02F8]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
00450355 E89EF1FDFF call 0042F4F8
0045035A 8B45EC mov eax, [ebp-$14]
* Reference to: System.@LStrLen(String):Integer;
| or: System.@DynArrayLength;
| or: System.DynArraySize(Pointer):Integer;
| or: Variants.DynArraySize(Pointer):Integer;
|
0045035D E86241FBFF call 004044C4
00450362 8BD8 mov ebx, eax
00450364 85DB test ebx, ebx
00450366 7E29 jle 00450391
00450368 BF01000000 mov edi, $00000001
0045036D 8B45F8 mov eax, [ebp-$08]
00450370 0FB64438FF movzx eax, byte ptr [eax+edi-$01]
00450375 8D4DE8 lea ecx, [ebp-$18]
00450378 BA02000000 mov edx, $00000002
* Reference to: SysUtils.IntToHex(Integer;Integer):AnsiString;overload;
|
0045037D E88E7FFBFF call 00408310
00450382 8B55E8 mov edx, [ebp-$18]
00450385 8D45FC lea eax, [ebp-$04]
* Reference to: System.@LStrCat;
|
00450388 E83F41FBFF call 004044CC
0045038D 47 inc edi
0045038E 4B dec ebx
0045038F 75DC jnz 0045036D
00450391 8D55E4 lea edx, [ebp-$1C]
* Reference to control Edit2 : N.A.
|
00450394 8B8600030000 mov eax, [esi+$0300]
* Reference to: Controls.TControl.GetText(TControl):TCaption;
|
0045039A E859F1FDFF call 0042F4F8
0045039F 8B45E4 mov eax, [ebp-$1C]
004503A2 8B55FC mov edx, [ebp-$04]
* Reference to: System.@LStrCmp;
|
004503A5 E85E42FBFF call 00404608
004503AA 751B jnz 004503C7
004503AC 6A40 push $40
* Possible String Reference to: 'ok:'
|
004503AE 6860044500 push $00450460
* Possible String Reference to: '恭喜你,注册成功!'
|
004503B3 6864044500 push $00450464
004503B8 8BC6 mov eax, esi
* Reference to: Controls.TWinControl.GetHandle(TWinControl):HWND;
| or: QComCtrls.TTrackBar.GetHandle(TTrackBar):QClxSliderH;
| or: QComCtrls.TCustomViewControl.GetHandle(TCustomViewControl):QListViewH;
| or: QComCtrls.TCustomViewControl.ViewportHandle(TCustomViewControl):QWidgetH;
| or: QComCtrls.TCustomHeaderControl.GetHandle(TCustomHeaderControl):QHeaderH;
| or: QComCtrls.TCustomSpinEdit.GetHandle(TCustomSpinEdit):QClxSpinBoxH;
|
004503BA E8AD57FEFF call 00435B6C
004503BF 50 push eax
|
004503C0 E87769FBFF call 00406D3C
004503C5 EB19 jmp 004503E0
004503C7 6A30 push $30
* Possible String Reference to: 'Error:'
|
004503C9 6828044500 push $00450428
* Possible String Reference to: '序列号不对呀,请再试试!'
|
004503CE 6878044500 push $00450478
004503D3 8BC6 mov eax, esi
* Reference to: Controls.TWinControl.GetHandle(TWinControl):HWND;
| or: QComCtrls.TTrackBar.GetHandle(TTrackBar):QClxSliderH;
| or: QComCtrls.TCustomViewControl.GetHandle(TCustomViewControl):QListViewH;
| or: QComCtrls.TCustomViewControl.ViewportHandle(TCustomViewControl):QWidgetH;
| or: QComCtrls.TCustomHeaderControl.GetHandle(TCustomHeaderControl):QHeaderH;
| or: QComCtrls.TCustomSpinEdit.GetHandle(TCustomSpinEdit):QClxSpinBoxH;
|
004503D5 E89257FEFF call 00435B6C
004503DA 50 push eax
|
004503DB E85C69FBFF call 00406D3C
004503E0 33C0 xor eax, eax
004503E2 5A pop edx
004503E3 59 pop ecx
004503E4 59 pop ecx
004503E5 648910 mov fs:[eax], edx
****** FINALLY
|
* Possible String Reference to: '_^[嬪]?
|
004503E8 681F044500 push $0045041F
004503ED 8D45E4 lea eax, [ebp-$1C]
* Reference to: System.@LStrClr(void;void);
|
004503F0 E8173EFBFF call 0040420C
004503F5 8D45E8 lea eax, [ebp-$18]
* Reference to: System.@LStrClr(void;void);
|
004503F8 E80F3EFBFF call 0040420C
004503FD 8D45EC lea eax, [ebp-$14]
00450400 BA03000000 mov edx, $00000003
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
00450405 E8263EFBFF call 00404230
0045040A 8D45F8 lea eax, [ebp-$08]
0045040D BA02000000 mov edx, $00000002
* Reference to: System.@LStrArrayClr(void;void;Integer);
|
00450412 E8193EFBFF call 00404230
00450417 C3 ret
* Reference to: System.@HandleFinally;
|
00450418 E91738FBFF jmp 00403C34
0045041D EBCE jmp 004503ED
****** END
|
0045041F 5F pop edi
00450420 5E pop esi
00450421 5B pop ebx
00450422 8BE5 mov esp, ebp
00450424 5D pop ebp
00450425 C3 ret
After analyzing this, I guessed that the serial is generated by converting the username into hexadecimal.
Load DUMP.EXE into OD and break at the comparison:
004503A5|.E8 5E42FBFF call dump13.00404608
When execution reaches it, the registers show
EAX 00D8541C ASCII "78787878"
ECX 77D187FF user32.77D187FF
EDX 00D85404 ASCII "6A746A74"
EAX is the serial I entered and EDX is the real serial; it is indeed the hex of the username.
So a memory keygen can be made at 4503A5: break once and read out EDX. Or write your own username-to-hex program.
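As an added example (not code from the thread, nor the crackme's own source), the following Python reimplements the Button1Click logic reconstructed from the DeDe listing above. It covers both the serial 枫影 fished from the stack ("61676F6E79626F79" for agonyboy) and the EDX value in the last post, and it goes one step beyond the thread by also decoding a serial back into the username, which is what makes this scheme weak. Function names are mine; the code page used to turn the Edit1 text into AnsiString bytes is an assumption (gbk for a Chinese Windows install), and ASCII usernames are unaffected by it.

```python
"""Reimplementation of Crackme1's Button1Click check, reconstructed from the
DeDe listing in the thread. Added example; not the crackme's own source."""

# Message strings as they appear in the binary (addresses from the listing).
ERR_EMPTY = "请输入用户名和序列号!"   # pushed at 004502EE
ERR_SHORT = "用户名至少四个字符!"     # pushed at 00450327
ERR_BAD = "序列号不对呀,请再试试!"    # pushed at 004503CE
MSG_OK = "恭喜你,注册成功!"           # pushed at 004503B3

# Assumption: Edit1.Text is a Delphi AnsiString, so its bytes depend on the
# system code page; gbk is assumed for a Chinese Windows box.
CODEPAGE = "gbk"


def serial_for(username: str, codepage: str = CODEPAGE) -> str:
    """Loop at 0045036D..0045038F:
    for i := 1 to Length(name) do serial := serial + IntToHex(Ord(name[i]), 2)."""
    return "".join(f"{b:02X}" for b in username.encode(codepage))


def username_from_serial(serial: str, codepage: str = CODEPAGE) -> str:
    """Inverse of serial_for (added helper, not in the crackme): a valid serial
    is just the username in hex, so anyone holding a serial learns the name."""
    return bytes.fromhex(serial).decode(codepage)


def button1_click(edit1: str, edit2: str, codepage: str = CODEPAGE) -> tuple[bool, str]:
    """Mirror the three branches of the handler; returns (registered, message)."""
    # 004502E1: cmp dword ptr [ebp-$0C], 0 -- an empty Delphi string is a nil pointer
    if edit1 == "":
        return False, ERR_EMPTY
    # 0045031B: cmp eax, 4 / jnl -- LStrLen counts bytes, not characters
    if len(edit1.encode(codepage)) < 4:
        return False, ERR_SHORT
    # 004503A5: LStrCmp(Edit2.Text, serial) / jnz
    if edit2 != serial_for(edit1, codepage):
        return False, ERR_BAD
    return True, MSG_OK


if __name__ == "__main__":
    # Values from the thread: username agonyboy, wrong serial agonyboy111.
    print(button1_click("agonyboy", "agonyboy111"))
    print(serial_for("agonyboy"))  # 61676F6E79626F79, matching the stack dump
    print(username_from_serial("6A746A74"))  # the name behind EDX in the last post
```

Note the length check compares the byte length returned by LStrLen against 4, so a two-character Chinese username (four bytes in gbk) passes it; the same byte-wise behaviour is what the hex loop encodes, which is why the code page assumption matters only for non-ASCII names.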