anti crackme 有点难度，学问很深。可参看 pediy 上的一篇文章，写得很详细：
http://bbs.pediy.com/showthread.php?threadid=10361
CrackMe 采用了 SetUnhandledExceptionFilter 异常、定时器、内置父进程检查、SMC 防爆自校验。
bp ExitProcess 这个断点无效。
00401558 |. E8 F3000000 CALL <JMP.&KERNEL32.SetUnhandledExceptio>; \SetUnhandledExceptionFilter
0040155D |. A3 68304000 MOV DWORD PTR DS:[403068],EAX 走过跳到系统领空nop ?
00401562 |. 33C0 XOR EAX,EAX
00401564 C700 01000000 MOV DWORD PTR DS:[EAX],1
004015C8 |. 6A 00 PUSH 0 ; |hOwner = NULL
004015CA |. 6A 01 PUSH 1 ; |pTemplate = 1
004015CC |. FF35 70304000 PUSH DWORD PTR DS:[403070] ; |hInst = 00400000
004015D2 |. E8 07000000 CALL <JMP.&USER32.DialogBoxParamA> ; \DialogBoxParamA
走过这里就退出调试？
77D3B10C > 8BFF MOV EDI,EDI ; ntdll.7C930738
77D3B10E 55 PUSH EBP
77D3B10F 8BEC MOV EBP,ESP
77D3B111 53 PUSH EBX
77D3B112 56 PUSH ESI
77D3B113 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
77D3B116 6A 00 PUSH 0
77D3B118 FF75 0C PUSH DWORD PTR SS:[EBP+C]
Alt+M，在 401000 下断。
00401356 /. 55 PUSH EBP
00401357 |. 8BEC MOV EBP,ESP
00401359 |. 53 PUSH EBX
0040135A |. 57 PUSH EDI
0040135B |. 56 PUSH ESI
0040135C |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
0040137E |> \3D 10010000 CMP EAX,110
00401383 |. 75 7B JNZ SHORT XiaoZi'C.00401400
00401385 |. E8 94FCFFFF CALL XiaoZi'C.0040101E ?
0040138A |. 68 00100000 PUSH 1000 ; /RsrcName = 4096.
0040138F |. FF35 70304000 PUSH DWORD PTR DS:[403070] ; |hInst = 00400000
00401395 |. E8 56020000 CALL <JMP.&USER32.LoadIconA> ; \LoadIconA
0040139A |. 50 PUSH EAX ; /lParam
0040139B |. 6A 01 PUSH 1 ; |wParam = 1
0040101E /$ 55 PUSH EBP
0040101F |. 8BEC MOV EBP,ESP
00401021 |. 81C4 D4FEFFFF ADD ESP,-12C
00401027 |. 68 28010000 PUSH 128 ; /Length = 128 (296.)
0040102C |. 8D85 D8FEFFFF LEA EAX,DWORD PTR SS:[EBP-128] ; |
00401032 |. 50 PUSH EAX ; |Destination
00401033 |. E8 12060000 CALL <JMP.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
00401038 |. C785 D8FEFFFF>MOV DWORD PTR SS:[EBP-128],128
00401063 |. /EB 1F JMP SHORT XiaoZi'C.00401084
00401065 |> |E8 B0050000 /CALL <JMP.&KERNEL32.GetCurrentProcessId>; [GetCurrentProcessId
0040106A |. |3B85 E0FEFFFF |CMP EAX,DWORD PTR SS:[EBP-120]
00401070 |. |74 26 |JE SHORT XiaoZi'C.00401098 ?
00401072 |. |8D85 D8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-128]
00401078 |. |50 |PUSH EAX ; /pProcessentry
00401108 |. 68 7C364000 PUSH XiaoZi'C.0040367C ; |String1 = "C:\WINDOWS\Explorer.EXE"
0040110D |. E8 50050000 CALL <JMP.&KERNEL32.lstrcmpA> ; \lstrcmpA
00401112 |. 85C0 TEST EAX,EAX
00401114 |. 74 68 JE SHORT XiaoZi'C.0040117E ?关键
00401116 |. EB 12 JMP SHORT XiaoZi'C.0040112A
00401118 |. 5C 53 79 73 7>ASCII "\System32\cmd.ex"
调用堆栈: 主线程, 条目 8
地址=0012FB88
堆栈=77D505CF
函数过程 / 参数=? USER32.MessageBoxExA
调用来自=USER32.77D505CA
结构=0012FB84
004011EF > \A1 56304000 mov eax, [403056]关键算法
004011F4 . 83F8 06 cmp eax, 6
004011F7 . 0F8C 97000000 jl 00401294
004011FD . 50 push eax
004011FE . 59 pop ecx
004011FF . 8D35 00304000 lea esi, [403000]
00401205 . 8D3D 74304000 lea edi, [403074]
0040120B > 33C0 xor eax, eax
0040120D . 33DB xor ebx, ebx
0040120F . 8B07 mov eax, [edi]
00401211 . 8B1E mov ebx, [esi]
00401213 . 25 FF000000 and eax, 0FF
00401218 . 81E3 FF000000 and ebx, 0FF
0040121E . 33C3 xor eax, ebx
00401220 . 0305 4E304000 add eax, [40304E]
00401226 . A3 4E304000 mov [40304E], eax
0040122B . 46 inc esi
0040122C . 47 inc edi
0040122D .^ E2 DC loopd short 0040120B
0040122F . 33C9 xor ecx, ecx
00401231 . 8B0D 5A304000 mov ecx, [40305A]
00401237 . 8D35 25304000 lea esi, [403025]
0040123D . 8D3D F4304000 lea edi, [4030F4]
00401243 > 33C0 xor eax, eax
00401245 . 33DB xor ebx, ebx
00401247 . 8B07 mov eax, [edi]
00401249 . 8B1E mov ebx, [esi]
0040124B . 25 FF000000 and eax, 0FF
00401250 . 81E3 FF000000 and ebx, 0FF
00401256 . 33C3 xor eax, ebx
00401258 . 0305 52304000 add eax, [403052]
0040125E . A3 52304000 mov [403052], eax
00401263 . 46 inc esi
00401264 . 47 inc edi
00401265 .^ E2 DC loopd short 00401243
00401267 . A1 52304000 mov eax, [403052]
0040126C . 8B1D 4A304000 mov ebx, [40304A]
00401274 . /75 3A jnz short 004012B0 ?关键跳
00401276 . |8505 4E304000 test [40304E], eax
0040127C . |75 32 jnz short 004012B0 ?关键跳
0040127E . |6A 00 push 0
00401280 . |68 98114000 push 00401198 ; ASCII "Yeah"
00401285 . |68 C4114000 push 004011C4
0040128A . |6A 00 push 0
0040128C . |A1 84384000 mov eax, [403884]
00401291 . |FFD0 call eax
00401293 . |C3 retn
00401294 > |68 9A124000 push 0040129A
00401299 . |C3 retn
0040129A . |6A 00 push 0
0040129C . |68 9F114000 push 0040119F ; ASCII "Error"
004012A1 . |68 E2114000 push 004011E2
004012A6 . |6A 00 push 0
004012A8 . |A1 84384000 mov eax, [403884]
004012AD . |FFD0 call eax
004012AF . |C3 retn
004012B0 > \6A 00 push 0
004012A6 . 6A 00 push 0
004012A8 . A1 84384000 mov eax, [403884]
004012AD . FFD0 call eax ; USER32.MessageBoxA
用户名太短
命令行中分别输入：
hw 00401274
hw 0040127C
00401301 /$ B8 74124000 MOV EAX,55.00401274
00401306 |. A3 90384000 MOV DWORD PTR DS:[403890],EAX
0040130B |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
0040130D |. 66:81FB 753A CMP BX,3A75 ?
00401312 |. 74 41 JE SHORT 55.00401355
00401314 |. 68 94384000 PUSH 55.00403894 ; /pOldProtect = 55.00403894
00401319 |. 6A 40 PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
0040131B |. 6A 10 PUSH 10 ; |Size = 10 (16.)
0040131D |. FF35 90384000 PUSH DWORD PTR DS:[403890] ; |Address = 55.00401274
00401323 |. E8 2E030000 CALL <JMP.&KERNEL32.VirtualProtect> ; \VirtualProtect
00401328 |. A1 90384000 MOV EAX,DWORD PTR DS:[403890]
0040132D |. BB 753A0000 MOV EBX,3A75
00401332 |. 66:8918 MOV WORD PTR DS:[EAX],BX
00401335 |. B8 7C124000 MOV EAX,55.0040127C
0040133A |. A3 90384000 MOV DWORD PTR DS:[403890],EAX
0040133F |. 8B18 MOV EBX,DWORD PTR DS:[EAX]
00401341 |. 66:81FB 7532 CMP BX,3275 ?
00401346 |. 74 0D JE SHORT 55.00401355
00401348 |. A1 90384000 MOV EAX,DWORD PTR DS:[403890]
0040134D |. BB 75320000 MOV EBX,3275
00401352 |. 66:8918 MOV WORD PTR DS:[EAX],BX
00401355 \> C3 RETN
bp ExitProcess
0012FFB8 00000000
0012FFBC 004015DE /CALL 到 ExitProcess 来自 66.004015D9
0012FFC0 00000000 \ExitCode = 0
0012FFC4 7C816FD7 返回到 kernel32.7C816FD7
0012FFC8 7C930738 ntdll.7C930738
bp SetTimer
0012FD40 004013BB /CALL 到 SetTimer 来自 66.004013B6
0012FD44 003B04DC |hWnd = 003B04DC ('CrackeMe',class='#32770')
0012FD48 00000006 |TimerID = 6
0012FD4C 000003E8 |Timeout = 1000. ms
0012FD50 00000000 \Timerproc = NULL
0012FD54 00401356 66.00401356
004013D7 . 83F8 FF CMP EAX,-1
004013DA 0F84 1C010000 JE 66.004014FC 时间校验关键跳
004013E0 . 6A 00 PUSH 0 ; /Timerproc = NULL
004013E2 . 68 10270000 PUSH 2710 ; |Timeout = 10000. ms
004013E7 . 6A 05 PUSH 5 ; |TimerID = 5
004013E9 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004013EC . E8 0B020000 CALL <JMP.&USER32.SetTimer> ; \SetTimer时间校验
004013F1 . C705 4A304000>MOV DWORD PTR DS:[40304A],1
004013FB . E9 FC000000 JMP 66.004014FC
00401400 > 3D 13010000 CMP EAX,113
00401405 . 75 33 JNZ SHORT 66.0040143A
00401407 . 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
0040140A . 83F8 05 CMP EAX,5
0040140D . 75 13 JNZ SHORT 66.00401422
0040140F . 6A 00 PUSH 0 ; /lParam = 0
00401411 . 6A 00 PUSH 0 ; |wParam = 0
00401413 . 6A 10 PUSH 10 ; |Message = WM_CLOSE
00401415 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
hread：将文件中的数据读入内存缓冲区。
hwrite：将数据从内存缓冲区写入一个文件。
SMC 技术修改代码时必然会有内存写入事件，但这里内存写入断点无效，改用 hw 断点吧。
00401564 |. C700 01000000 mov dword ptr ds:[eax],1 //SetUnhandledExceptio反跟踪
修改为
00401564 90 nop
00401565 90 nop
00401566 90 nop
00401567 90 nop
00401568 90 nop
00401569 90 nop
00401114 |. 74 68 je short XiaoZi'C.0040117E //父进程校验。
修改为
00401114 /EB 68 jmp short XiaoZi'C.0040117E
004011F7 /0F8C 97000000 jl XiaoZi'C.00401294
修改为
004011F7 90 nop
004011F8 90 nop
004011F9 90 nop
004011FA 90 nop
004011FB 90 nop
004011FC 90 nop
00401274 . /75 3A jnz short XiaoZi'C.004012B0
修改为
00401274 90 nop
00401275 90 nop
0040127C /75 32 jnz short XiaoZi'C.004012B0
修改为
0040127C 90 nop
0040127D 90 nop
0040130D 66:81FB 753A cmp bx,3A75
自己和自己比，当然永远校验通过。
0040130D 66:3BDB cmp bx,bx
00401310 90 nop
00401311 90 nop
00401341 66:81FB 7532 cmp bx,3275
自己和自己比，当然永远校验通过。
00401341 66:3BDB cmp bx,bx
00401344 90 nop
00401345 90 nop
自动退出了。OK，这个挺有意思的，呵呵~!