模仿Nisy的思路 写出了我的第一个crackme
本帖最后由 专业路过 于 2010-6-4 12:14 编辑
思路完全来自于Nisy的那个crackme，然后加入了自己的一点猥琐。算法简单，代码简短，欢迎测试强度。
看看/:001 支持专业路过! 支持专业路过! 三小组的高手! 支持了 下载看看 前来支持牛人 啊,感觉好难呀 看看再说了。有点难呀
好猥琐,不断创建线程
;-----------------------------------------------------------------------
; 00401740: start the checker thread (OllyDbg listing, x86-32, Win32)
; Creates the worker thread with entry 00401640 unless one is already
; registered: the dword at 0042565C receives the new thread id
; (pThreadId below) and the worker itself resets it to 0 before it
; returns, so at most one worker exists at a time.
; NOTE(review): the memory operands after "ds:" were stripped by the
; forum extraction; the target address is recovered from the opcode
; bytes shown in the second column.
;-----------------------------------------------------------------------
00401740/$A1 5C564200 mov eax,dword ptr ds: ; eax = [0042565C] (id of a running worker, 0 if none)
00401745|.85C0 test eax,eax ;thread-creation guard: nonzero means a worker is already running
00401747 75 18 jnz short First_Cr.00401761 ; already running -> return without creating another
00401749|.68 5C564200 push First_Cr.0042565C ; /pThreadId = First_Cr.0042565C (the same dword tested above)
0040174E|.6A 00 push 0x0 ; |CreationFlags = 0
00401750|.6A 00 push 0x0 ; |pThreadParm = NULL
00401752|.68 40164000 push First_Cr.00401640 ; |ThreadFunction = First_Cr.00401640 (worker procedure)
00401757|.6A 00 push 0x0 ; |StackSize = 0
00401759|.6A 00 push 0x0 ; |pSecurity = NULL
0040175B|.FF15 14524100 call dword ptr ds:[<&KERNEL32.CreateThread>] ; \CreateThread (handle in eax is not kept)
00401761\>C3 retn
线程函数
;-----------------------------------------------------------------------
; 00401640: worker thread procedure, DWORD WINAPI thread_proc(LPVOID)
; (stdcall with one argument: retn 4 at 0040170D; started from 00401740).
; Register roles after setup: esi = 14*r, ebx = &slot[r] (00421FA8 +
; 14*r), eax = loop index. Stack locals, decoded from the opcode bytes
; because the forum extraction stripped the [..] operands:
;   [ebp-4]  SEH try level   [ebp-10] saved fs:[0]   [ebp-18] saved esp
;   [ebp-1C] byte sum        [ebp-20] r = rand%1000  [ebp-24] loop index
; Logic: pick a random slot r in [0,1000), require strlen(slot)==12 and
; the sum of its 12 sign-extended bytes == 0x3A8 (936); on success call
; 004015F0(slot+6) and 004014E0(slot, 0x3A8) (their bodies are not on
; this page; presumably they write the result text - verify). On every
; path the thread-id dword at 0042565C is cleared before returning.
;-----------------------------------------------------------------------
00401640/.55 push ebp ;thread entry: standard frame plus SEH prologue
00401641|.8BEC mov ebp,esp
00401643|.6A FF push -0x1 ; SEH: initial try level -1
00401645|.68 68554100 push First_Cr.00415568 ; SEH: scope table
0040164A|.68 44274000 push First_Cr.00402744 ;SE handler install (handler routine at 00402744)
0040164F|.64:A1 0000000>mov eax,dword ptr fs: ; eax = fs:[0] (previous SEH record)
00401655|.50 push eax
00401656|.64:8925 00000>mov dword ptr fs:,esp ; fs:[0] = this frame's registration record
0040165D|.83EC 14 sub esp,0x14 ; 0x14 bytes of locals
00401660|.53 push ebx
00401661|.56 push esi
00401662|.57 push edi
00401663|.8965 E8 mov ,esp ; [ebp-18] = esp, restored by the __except path
00401666|.33F6 xor esi,esi
00401668|.8975 FC mov ,esi ; [ebp-4] = 0: entering try level 0
0040166B|.6A 50 push 0x50 ; /Timeout = 80. ms
0040166D|.FF15 18524100 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
00401673|.8975 E4 mov ,esi ; [ebp-1C] = 0 (byte-sum accumulator)
00401676|.56 push esi ; argument 0 (NULL)
00401677|.E8 E10F0000 call First_Cr.0040265D ; presumably time(NULL) - verify; result is the seed below
0040167C|.50 push eax
0040167D|.E8 AC0F0000 call First_Cr.0040262E ; presumably srand(seed) - verify
00401682|.83C4 08 add esp,0x8 ; cdecl cleanup for the two calls above
00401685|.E8 B10F0000 call First_Cr.0040263B ; presumably rand() - verify; result in eax
0040168A|.99 cdq ; sign-extend eax into edx:eax before the signed divide
0040168B|.B9 E8030000 mov ecx,0x3E8 ; 1000
00401690|.F7F9 idiv ecx ; edx = eax % 1000
00401692|.8955 E0 mov ,edx ; [ebp-20] = r (random slot index, 0..999)
00401695|.8D34D5 000000>lea esi,dword ptr ds: ; esi = r*8 (operand [edx*8+0] per the bytes)
0040169C|.2BF2 sub esi,edx ; esi = r*7
0040169E|.D1E6 shl esi,1 ; esi = r*14 (input slots are 14 bytes wide)
004016A0|.8D9E A81F4200 lea ebx,dword ptr ds: ; ebx = &slot[r] = 00421FA8 + 14*r
004016A6|.8BFB mov edi,ebx
004016A8|.83C9 FF or ecx,-0x1
004016AB|.33C0 xor eax,eax
004016AD|.F2:AE repne scas byte ptr es: ; inline strlen(slot): scan for the NUL
004016AF|.F7D1 not ecx
004016B1|.49 dec ecx ; ecx = strlen(slot)
004016B2|.83F9 0C cmp ecx,0xC
004016B5|.75 35 jnz short First_Cr.004016EC ; length != 12 -> cleanup, nothing written
004016B7|>8945 DC /mov ,eax ; loop: [ebp-24] = i (eax is 0 on entry, from the xor above)
004016BA|.83F8 0B |cmp eax,0xB
004016BD|.7F 0A |jg short First_Cr.004016C9 ; i > 11 -> summing done
004016BF|.0FBE1403 |movsx edx,byte ptr ds: ; edx = (signed char)slot[i] (operand [ebx+eax] per the bytes)
004016C3|.0155 E4 |add ,edx ; [ebp-1C] += slot[i]
004016C6|.40 |inc eax
004016C7|.^ EB EE \jmp short First_Cr.004016B7
004016C9|>817D E4 A8030>cmp ,0x3A8 ; byte sum must equal 0x3A8 (936)
004016D0|.75 1A jnz short First_Cr.004016EC ; mismatch -> cleanup, nothing written
004016D2|.8D86 AE1F4200 lea eax,dword ptr ds: ; eax = slot + 6 (00421FAE + 14*r)
004016D8|.50 push eax
004016D9|.E8 12FFFFFF call First_Cr.004015F0 ; 004015F0(slot+6) - body not on this page
004016DE|.68 A8030000 push 0x3A8
004016E3|.53 push ebx
004016E4|.E8 F7FDFFFF call First_Cr.004014E0 ; 004014E0(slot, 0x3A8) - body not on this page
004016E9|.83C4 0C add esp,0xC ; pop the three cdecl arguments
004016EC|>C745 FC FFFFF>mov ,-0x1 ; [ebp-4] = -1: leave the try level
004016F3|.C705 5C564200>mov dword ptr ds:,0x0 ; [0042565C] = 0: lets 00401740 start a new worker
004016FD|.8B4D F0 mov ecx, ; ecx = saved previous SEH record ([ebp-10])
00401700|.64:890D 00000>mov dword ptr fs:,ecx ; unlink this frame's SEH record
00401707|.5F pop edi
00401708|.5E pop esi
00401709|.5B pop ebx
0040170A|.8BE5 mov esp,ebp
0040170C|.5D pop ebp
0040170D\.C2 0400 retn 0x4 ; stdcall: pop the LPVOID parameter
;-----------------------------------------------------------------------
; 00401710 / 00401716: appear to be the __except filter and __except
; body referenced by the scope table (00415568) of the thread procedure
; at 00401640; they are not reached by fall-through (00401640 ends with
; retn 4 at 0040170D). The body restores esp from the value saved at
; [ebp-18], clears the thread-id dword at 0042565C and runs the same
; epilogue as the normal path, so an exception inside the worker still
; releases the one-worker-at-a-time guard. Layout inferred from the
; usual MSVC SEH frame - verify against the scope table.
;-----------------------------------------------------------------------
00401710 .B8 01000000 mov eax,0x1 ; filter result 1 = EXCEPTION_EXECUTE_HANDLER
00401715 .C3 retn
00401716 .8B65 E8 mov esp,dword ptr ss: ; esp = [ebp-18] (saved in the prologue of 00401640)
00401719 .C705 5C564200>mov dword ptr ds:,0x0 ; [0042565C] = 0: release the worker guard
00401723 .C745 FC FFFFF>mov dword ptr ss:,-0x1 ; [ebp-4] = -1: leave the try level
0040172A .8B4D F0 mov ecx,dword ptr ss: ; ecx = saved previous SEH record ([ebp-10])
0040172D .64:890D 00000>mov dword ptr fs:,ecx ; unlink the SEH record
00401734 .5F pop edi
00401735 .5E pop esi
00401736 .5B pop ebx
00401737 .8BE5 mov esp,ebp
00401739 .5D pop ebp
0040173A .C2 0400 retn 0x4
//注册按钮处的核心代码
;-----------------------------------------------------------------------
; 00401770: "Register" button handler (thiscall: this arrives in ecx and
; is kept in ebx; ebx/esi/edi preserved; plain retn, no stack args).
;  1. call 00410012(1) (looks like MFC UpdateData(TRUE) - verify), then
;     require the string at [this+5C] to be exactly 0xC (12) characters
;     ([eax-8] looks like the CString length field - verify).
;  2. Fill the 1000 result entries (0x14 bytes each, 0041D188..00421F94)
;     with "failed" and the 1000 input slots (0xE bytes each,
;     00421FA8..0042564A) with the user string. The copies are unbounded
;     strcpy-style loops; they stay in bounds only because of the
;     length == 12 check in step 1 (12 chars + NUL fits a 14-byte slot).
;  3. Start the worker (00401740), Sleep 2000 ms, and return silently if
;     GetTickCount reports more than 0x834 (2100) ms elapsed.
;  4. Scan the result entries: the first whose first byte is not 'f'
;     (0x66) is shown in a MessageBox; if all still read "failed", show
;     "failed". Either way the input slots are zeroed afterwards.
; NOTE(review): memory operands after "ds:" were stripped by the forum
; extraction; addresses below are recovered from the opcode bytes.
;-----------------------------------------------------------------------
00401770 .53 push ebx
00401771 .56 push esi ;First_Cr.004154E0
00401772 .57 push edi
00401773 .8BD9 mov ebx,ecx ; ebx = this
00401775 .6A 01 push 0x1
00401777 .E8 96E80000 call First_Cr.00410012 ; this->00410012(1): presumably UpdateData(TRUE) - verify
0040177C .8B43 5C mov eax,dword ptr ds: ; eax = [this+5C] (pointer to the entered string)
0040177F .8378 F8 0C cmp dword ptr ds:,0xC ;the registration code must be exactly 0xC (12) characters ([eax-8] assumed to be the length field)
00401783 0F85 C1000000 jnz First_Cr.0040184A ;(Initial CPU selection) wrong length -> return without any message
00401789 .BA 88D14100 mov edx,First_Cr.0041D188 ; edx = result entry 0 (0x14-byte entries)
0040178E >BF A0A04100 mov edi,First_Cr.0041A0A0 ;loop: edi = "failed"  (author: "I could be even sneakier, heh - patch 'failed' straight to OK!")
00401793 .83C9 FF or ecx,-0x1
00401796 .33C0 xor eax,eax
00401798 .F2:AE repne scas byte ptr es: ; inline strlen: scan "failed" for the NUL
0040179A .F7D1 not ecx ; ecx = strlen("failed") + 1 = 7 (NUL included)
0040179C .2BF9 sub edi,ecx ; edi back to the start of "failed"
0040179E .8BC1 mov eax,ecx ; keep the byte count
004017A0 .8BF7 mov esi,edi ; source = "failed"
004017A2 .8BFA mov edi,edx ; destination = current result entry
004017A4 .83C2 14 add edx,0x14 ; advance to the next 0x14-byte entry
004017A7 .C1E9 02 shr ecx,0x2
004017AA .F3:A5 rep movs dword ptr es:,dword ptr ds: ; copy whole dwords
004017AC .8BC8 mov ecx,eax
004017AE .83E1 03 and ecx,0x3
004017B1 .81FA 941F4200 cmp edx,First_Cr.00421F94 ; loop bound; rep movs does not touch flags
004017B7 .F3:A4 rep movs byte ptr es:,byte ptr ds: ; copy the remaining 0-3 bytes
004017B9 .^ 7E D3 jle short First_Cr.0040178E ; while edx <= 00421F94 (1000 entries)
004017BB .BA A81F4200 mov edx,First_Cr.00421FA8 ;edx = input slot 0 (0xE-byte slots; "123" is the dump-time content, i.e. the test input)
004017C0 >8B7B 5C mov edi,dword ptr ds: ;loop: edi = [this+5C] (the entered string)
004017C3 .83C9 FF or ecx,-0x1
004017C6 .33C0 xor eax,eax
004017C8 .F2:AE repne scas byte ptr es: ; inline strlen of the input
004017CA .F7D1 not ecx ; ecx = length + 1 (13 after the check above)
004017CC .2BF9 sub edi,ecx
004017CE .8BC1 mov eax,ecx
004017D0 .8BF7 mov esi,edi ; source = input string
004017D2 .8BFA mov edi,edx ; destination = current input slot
004017D4 .83C2 0E add edx,0xE ; advance to the next 14-byte slot
004017D7 .C1E9 02 shr ecx,0x2
004017DA .F3:A5 rep movs dword ptr es:,dword ptr ds:
004017DC .8BC8 mov ecx,eax
004017DE .83E1 03 and ecx,0x3
004017E1 .81FA 4A564200 cmp edx,First_Cr.0042564A ; loop bound; flags survive the rep movs below
004017E7 .F3:A4 rep movs byte ptr es:,byte ptr ds:
004017E9 .^ 7E D5 jle short First_Cr.004017C0 ; while edx <= 0042564A (1000 slots)
004017EB .E8 50FFFFFF call First_Cr.00401740 ; start the worker thread (it checks one random slot)
004017F0 .8B35 10524100 mov esi,dword ptr ds:[<&KERNEL32.GetTickCount>] ;kernel32.GetTickCount
004017F6 .FFD6 call esi ; [GetTickCount
004017F8 .68 D0070000 push 0x7D0 ; /Timeout = 2000. ms
004017FD .8BF8 mov edi,eax ; | edi = tick count before the sleep
004017FF .FF15 18524100 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
00401805 .FFD6 call esi ; [GetTickCount
00401807 .2BC7 sub eax,edi ; eax = elapsed ms
00401809 .3D 34080000 cmp eax,0x834 ;timing anti-debug check: if the two GetTickCount readings differ by more than 0x834 (2100) ms, return immediately
0040180E .77 3A ja short First_Cr.0040184A ; unsigned compare -> silent return, no message
00401810 .33C0 xor eax,eax ; eax = result entry index i
00401812 .B9 88D14100 mov ecx,First_Cr.0041D188 ;ecx = result entry 0  (author: "I could be even sneakier, heh - patch 'failed' straight to OK!")
00401817 >8039 66 cmp byte ptr ds:,0x66 ;loop: does entry[i] still start with 'f' (0x66, "failed")?
0040181A .75 32 jnz short First_Cr.0040184E ;first byte at the entry is not 0x66 -> pop a message box with that entry; presumably the success text written by the worker
0040181C .83C1 14 add ecx,0x14 ; next 0x14-byte entry
0040181F .40 inc eax
00401820 .81F9 941F4200 cmp ecx,First_Cr.00421F94
00401826 .^ 7E EF jle short First_Cr.00401817 ; while ecx <= 00421F94 (1000 entries)
00401828 .6A 30 push 0x30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0040182A .68 C0A04100 push First_Cr.0041A0C0 ; |提示 (caption)
0040182F .68 88D14100 push First_Cr.0041D188 ; |failed (entry 0, still "failed")
00401834 .6A 00 push 0x0 ; |hOwner = NULL
00401836 .FF15 90534100 call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA
0040183C .B9 AC0D0000 mov ecx,0xDAC ; 0xDAC dwords = 14000 bytes = 1000 slots * 14
00401841 .33C0 xor eax,eax
00401843 .BF A81F4200 mov edi,First_Cr.00421FA8 ;input slot 0
00401848 .F3:AB rep stos dword ptr es: ; zero every input slot
0040184A >5F pop edi
0040184B .5E pop esi
0040184C .5B pop ebx
0040184D .C3 retn
0040184E >8D0480 lea eax,dword ptr ds: ; eax = i*5 (operand [eax+eax*4] per the bytes)
00401851 .6A 30 push 0x30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00401853 .68 C0A04100 push First_Cr.0041A0C0 ; |提示 (caption)
00401858 .8D1C85 88D141>lea ebx,dword ptr ds: ; |ebx = &entry[i] = 0041D188 + 20*i (operand [eax*4+0041D188] per the bytes)
0040185F .53 push ebx ; |Text
00401860 .6A 00 push 0x0 ; |hOwner = NULL
00401862 .FF15 90534100 call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA
00401868 .B9 AC0D0000 mov ecx,0xDAC ; 0xDAC dwords = 14000 bytes = 1000 slots * 14
0040186D .33C0 xor eax,eax
0040186F .BF A81F4200 mov edi,First_Cr.00421FA8 ;input slot 0
00401874 .F3:AB rep stos dword ptr es: ; zero every input slot
00401876 .BF A0A04100 mov edi,First_Cr.0041A0A0 ;"failed": restore it over the entry just shown
0040187B .83C9 FF or ecx,-0x1
0040187E .F2:AE repne scas byte ptr es: ; strlen("failed"); eax is 0 from the xor above
00401880 .F7D1 not ecx ; ecx = 7 (NUL included)
00401882 .2BF9 sub edi,ecx
00401884 .8BD1 mov edx,ecx
00401886 .8BF7 mov esi,edi ; source = "failed"
00401888 .8BFB mov edi,ebx ; destination = &entry[i]
0040188A .C1E9 02 shr ecx,0x2
0040188D .F3:A5 rep movs dword ptr es:,dword ptr ds:
0040188F .8BCA mov ecx,edx
00401891 .83E1 03 and ecx,0x3
00401894 .F3:A4 rep movs byte ptr es:,byte ptr ds:
00401896 .5F pop edi
00401897 .5E pop esi
00401898 .5B pop ebx
00401899 .C3 retn
附上图片, 此crackme 非常猥琐。
膜拜,学习