- UID
- 55012
注册时间2008-9-1
阅读权限90
最后登录1970-1-1
版主
 
TA的每日心情 | 奋斗
2015-10-29 08:08 |
|---|
签到天数: 3 天 [LV.2]偶尔看看I
|
作者:creantan (PYG解密小组)邮箱:creantan@gmail.com
今天简单分析下2个MAC平台下的crackme,我觉得和win下没有什么大的区别,要说有的话就是一些分析工具没有WIN下方便,哈哈。
工具列表:
Hopper disassembler(静态分析)
lldb (动态调试)
撸起:
先来个最简单的,直接用Hopper disassembler分析:
直接吧第一个crackme拖到Hopper里面,看下左边窗口,看下这个crackme的Labels
很容易就找到这个methed实现methImpl_AppDelegate_checkifisok_
点击它看下汇编:
- 0x0000000100001110 55 push rbp
- 0x0000000100001111 4889E5 mov rbp, rsp
- 0x0000000100001114 4883EC70 sub rsp, 0x70
- 0x0000000100001118 488D0551180000 lea rax, qword [ds:cfstring_Length_of_the_serial_string_is___lx] ; @"Length of the serial string is: %lx"
- 0x000000010000111f 488D0DBA160000 lea rcx, qword [ds:objc_msg_length] ; @selector(length)
- 0x0000000100001126 4C8D0523180000 lea r8, qword [ds:cfstring_Length_of_the_name_string_is___lx] ; @"Length of the name string is: %lx"
- 0x000000010000112d 4C8D0DFC170000 lea r9, qword [ds:cfstring_uh_] ; @"uh?"
- 0x0000000100001134 48897DF8 mov qword [ss:rbp-0x70+var_104], rdi
- 0x0000000100001138 488975F0 mov qword [ss:rbp-0x70+var_96], rsi
- 0x000000010000113c 488955E8 mov qword [ss:rbp-0x70+var_88], rdx
- 0x0000000100001140 4C89CF mov rdi, r9
- 0x0000000100001143 488945B0 mov qword [ss:rbp-0x70+var_32], rax
- 0x0000000100001147 B000 mov al, 0x0
- 0x0000000100001149 4C8945A8 mov qword [ss:rbp-0x70+var_24], r8
- 0x000000010000114d 48894DA0 mov qword [ss:rbp-0x70+var_16], rcx
- 0x0000000100001151 E8C6030000 call imp___stubs__NSLog
- 0x0000000100001156 488B4DF8 mov rcx, qword [ss:rbp-0x70+var_104]
- 0x000000010000115a 488B152F190000 mov rdx, qword [ds:0x100002a90]
- 0x0000000100001161 488B0C11 mov rcx, qword [ds:rcx+rdx]
- 0x0000000100001165 488B350C160000 mov rsi, qword [ds:objc_sel_stringValue] ; @selector(stringValue)
- 0x000000010000116c 4889CF mov rdi, rcx
- 0x000000010000116f E8B4030000 call imp___stubs__objc_msgSend
- 0x0000000100001174 488945E0 mov qword [ss:rbp-0x70+var_80], rax
- 0x0000000100001178 488B45E0 mov rax, qword [ss:rbp-0x70+var_80]
- 0x000000010000117c 4889C7 mov rdi, rax
- 0x000000010000117f 488B75A0 mov rsi, qword [ss:rbp-0x70+var_16]
- 0x0000000100001183 FF1557160000 call qword [ds:objc_msg_length] ; @selector(length)
- 0x0000000100001189 488945D8 mov qword [ss:rbp-0x70+var_72], rax
- 0x000000010000118d 488B75D8 mov rsi, qword [ss:rbp-0x70+var_72]
- 0x0000000100001191 488B7DA8 mov rdi, qword [ss:rbp-0x70+var_24]
- 0x0000000100001195 B000 mov al, 0x0
- 0x0000000100001197 E880030000 call imp___stubs__NSLog
- 0x000000010000119c 488B4DF8 mov rcx, qword [ss:rbp-0x70+var_104]
- 0x00000001000011a0 488B15F1180000 mov rdx, qword [ds:0x100002a98]
- 0x00000001000011a7 488B0C11 mov rcx, qword [ds:rcx+rdx]
- 0x00000001000011ab 488B35C6150000 mov rsi, qword [ds:objc_sel_stringValue] ; @selector(stringValue)
- 0x00000001000011b2 4889CF mov rdi, rcx
- 0x00000001000011b5 E86E030000 call imp___stubs__objc_msgSend
- 0x00000001000011ba 488945D0 mov qword [ss:rbp-0x70+var_64], rax
- 0x00000001000011be 488B45D0 mov rax, qword [ss:rbp-0x70+var_64]
- 0x00000001000011c2 4889C7 mov rdi, rax
- 0x00000001000011c5 488B75A0 mov rsi, qword [ss:rbp-0x70+var_16]
- 0x00000001000011c9 FF1511160000 call qword [ds:objc_msg_length] ; @selector(length)
- 0x00000001000011cf 488945C8 mov qword [ss:rbp-0x70+var_56], rax
- 0x00000001000011d3 488B75C8 mov rsi, qword [ss:rbp-0x70+var_56]
- 0x00000001000011d7 488B7DB0 mov rdi, qword [ss:rbp-0x70+var_32]
- 0x00000001000011db B000 mov al, 0x0
- 0x00000001000011dd E83A030000 call imp___stubs__NSLog
- 0x00000001000011e2 48817DC80A000000 cmp qword [ss:rbp-0x70+var_56], 0xa
- 0x00000001000011ea 0F86BF000000 jbe 0x1000012af //判断密码长度是否大于10
- ; Basic Block Input Regs: rbp - Killed Regs: <nothing>
- 0x00000001000011f0 48817DC80F000000 cmp qword [ss:rbp-0x70+var_56], 0xf
- 0x00000001000011f8 0F83B1000000 jnc 0x1000012af //判断密码长度是否小于15
- ; Basic Block Input Regs: rbp - Killed Regs: <nothing>
- 0x00000001000011fe 48817DD807000000 cmp qword [ss:rbp-0x70+var_72], 0x7
- 0x0000000100001206 0F86A3000000 jbe 0x1000012af //判断用户名长度是否大于7
- ; Basic Block Input Regs: rbp - Killed Regs: <nothing>
- 0x000000010000120c 48817DD80F000000 cmp qword [ss:rbp-0x70+var_72], 0xf
- 0x0000000100001214 0F8395000000 jnc 0x1000012af // 判断用户名长度是否小于15
- ; Basic Block Input Regs: <nothing> - Killed Regs: rax rcx rdx rbp rsi rdi
- 0x000000010000121a 488D05CF150000 lea rax, qword [ds:objc_msg_isEqualToString_] ; @selector(isEqualToString:)
- 0x0000000100001221 488D0D68170000 lea rcx, qword [ds:cfstring_] ; @""
- 0x0000000100001228 488B15D9150000 mov rdx, qword [ds:bind__OBJC_CLASS_$_NSCharacterSet]
- 0x000000010000122f 488B354A150000 mov rsi, qword [ds:objc_sel_alphanumericCharacterSet] ; @selector(alphanumericCharacterSet)
- 0x0000000100001236 4889D7 mov rdi, rdx
- 0x0000000100001239 48894598 mov qword [ss:rbp-0x70+var_8], rax
- 0x000000010000123d 48894D90 mov qword [ss:rbp-0x70+var_0], rcx
- 0x0000000100001241 E8E2020000 call imp___stubs__objc_msgSend //获取字母和数字集合 NSCharacterSet *alphanumericSet = [ NSCharacterSetalphanumericCharacterSet ];
- 0x0000000100001246 488945C0 mov qword [ss:rbp-0x70+var_48], rax
- 0x000000010000124a 488B45D0 mov rax, qword [ss:rbp-0x70+var_64]
- 0x000000010000124e 488B55C0 mov rdx, qword [ss:rbp-0x70+var_48]
- 0x0000000100001252 488B352F150000 mov rsi, qword [ds:objc_sel_stringByTrimmingCharactersInSet_] ; @selector(stringByTrimmingCharactersInSet:)
- 0x0000000100001259 4889C7 mov rdi, rax
- 0x000000010000125c E8C7020000 call imp___stubs__objc_msgSend //格式化密码,去除密码中含alphanumericSet中的字符 NSString *trimmedString = [passwdString stringByTrimmingCharactersInSet:alphanumericSet];
- 0x0000000100001261 4889C7 mov rdi, rax
- 0x0000000100001264 488B7598 mov rsi, qword [ss:rbp-0x70+var_8]
- 0x0000000100001268 488B5590 mov rdx, qword [ss:rbp-0x70+var_0]
- 0x000000010000126c FF157E150000 call qword [ds:objc_msg_isEqualToString_] ; @selector(isEqualToString:)//判断trimmedString是否和@“”空串相等
- 0x0000000100001272 8845BF mov byte [ss:rbp-0x70+var_47], al
- 0x0000000100001275 807DBF00 cmp byte [ss:rbp-0x70+var_47], 0x0
- 0x0000000100001279 0F8418000000 je 0x100001297 //不等则显示错误
- ; Basic Block Input Regs: rbp - Killed Regs: rax rsi rdi
- 0x000000010000127f 488B45F8 mov rax, qword [ss:rbp-0x70+var_104]
- 0x0000000100001283 488B3506150000 mov rsi, qword [ds:objc_sel_yes] ; @selector(yes)
- 0x000000010000128a 4889C7 mov rdi, rax
- 0x000000010000128d E896020000 call imp___stubs__objc_msgSend
- 0x0000000100001292 E913000000 jmp 0x1000012aa
- ; Basic Block Input Regs: rbp - Killed Regs: rax rsi rdi
- 0x0000000100001297 488B45F8 mov rax, qword [ss:rbp-0x70+var_104] ; XREF=0x100001279
- 0x000000010000129b 488B35F6140000 mov rsi, qword [ds:objc_sel_no] ; @selector(no)
- 0x00000001000012a2 4889C7 mov rdi, rax
- 0x00000001000012a5 E87E020000 call imp___stubs__objc_msgSend
- ; Basic Block Input Regs: <nothing> - Killed Regs: <nothing>
- 0x00000001000012aa E913000000 jmp 0x1000012c2 ; XREF=0x100001292
- ; Basic Block Input Regs: rbp - Killed Regs: rax rsi rdi
- 0x00000001000012af 488B45F8 mov rax, qword [ss:rbp-0x70+var_104] ; XREF=0x1000011ea, 0x1000011f8, 0x100001206, 0x100001214
- 0x00000001000012b3 488B35DE140000 mov rsi, qword [ds:objc_sel_no] ; @selector(no)
- 0x00000001000012ba 4889C7 mov rdi, rax
- 0x00000001000012bd E866020000 call imp___stubs__objc_msgSend
- ; Basic Block Input Regs: <nothing> - Killed Regs: rsp rbp
- 0x00000001000012c2 4883C470 add rsp, 0x70 ; XREF=0x1000012aa
- 0x00000001000012c6 5D pop rbp
- 0x00000001000012c7 C3 ret
/**
* 用户名密码验证
* 用户名密码长度验证,密码字母和数字验证,密码只能包含数字和字母
* @return 返回YES or NO
*/
-(BOOL)checkifisok{
NSString* name = [nameTextField text];
NSString* serial = [serialTextField text];
int nameLength = [name length];
int serialLength = [serial length];
if(serialLength > 10 && serialLength < 15){
if(nameLength > 7 && nameLength < 15){
NSCharacterSet *alphanumericSet = [NSCharacterSet alphanumericCharacterSet];
NSString *trimmedString = [serial stringByTrimmingCharactersInSet:alphanumericSet];
if([trimmedString isEqualToString:@""]){
returnYES;
}
}else{
returnNO
}
}else{
returnNO;
}}
lldb crackme2.app
r
ctl+c
br s -a 0x2a9e
- 0x00002a9e 55 push ebp
- 0x00002a9f 89E5 mov ebp,esp
- 0x00002aa1 57 push edi
- 0x00002aa2 56 push esi
- 0x00002aa3 53 push ebx
- 0x00002aa4 83EC3C sub esp,0x3c
- 0x00002aa7 A140400000 mov eax, dword [ds:objc_msg_length] ; @selector(length)
- 0x00002aac 89442404 mov dword [ss:esp+0x4],eax
- 0x00002ab0 8B4510 mov eax, dword [ss:ebp-0x48+arg_8]
- 0x00002ab3 890424 mov dword [ss:esp],eax
- 0x00002ab6 E8A3250000 call imp___jump_table__objc_msgSend
- 0x00002abb 83F808 cmp eax,0x8 //判断注册码长度是否为8位
- 0x00002abe 0F858A010000 jne 0x2c4e //不等跳往错误提示
- ; Basic Block Input Regs: ecx ebx ebp - Killed Regs: eax ecx ebx esp ebp esi edi
- 0x00002ac4 A144400000 mov eax, dword [ds:objc_msg_lossyCString]; @selector(lossyCString)
- 0x00002ac9 BE04000000 mov esi,0x4 //esi初始化为4
- 0x00002ace 31DB xor ebx,ebx
- 0x00002ad0 89442404 mov dword [ss:esp+0x4],eax
- 0x00002ad4 8B4514 mov eax, dword [ss:ebp-0x48+arg_C]
- 0x00002ad7 890424 mov dword [ss:esp],eax
- 0x00002ada E87F250000 call imp___jump_table__objc_msgSend
- 0x00002adf 890424 mov dword [ss:esp],eax
- 0x00002ae2 89C7 mov edi,eax
- 0x00002ae4 E87A250000 call imp___jump_table__strlen
- 0x00002ae9 31C9 xor ecx,ecx
- 0x00002aeb 8945D0 mov dword [ss:ebp-0x48+var_24],eax
- 0x00002aee EB37 jmp 0x2b27
- ; Basic Block Input Regs: ebx esi edi - Killed Regs: eax ecx edx ebx ebp esi
- 0x00002af0 0FBE041F movsx eax, byte [ds:edi+ebx] ; XREF=0x2b2a //取用户名的一个字符
- 0x00002af4 43 inc ebx //循环累加器
- 0x00002af5 0FAFC6 imul eax,esi //取出来的字符与esi相乘
- 0x00002af8 83C604 add esi,0x4 //esi+4
- 0x00002afb 89C2 mov edx,eax
- 0x00002afd C1E204 shl edx,0x4 //edx << 0x4
- 0x00002b00 29C2 sub edx,eax
- 0x00002b02 B8AD8BDB68 mov eax,0x68db8bad
- 0x00002b07 8D8C0A9A020000 lea ecx, dword [ds:edx+ecx+0x29a]
- 0x00002b0e F7E9 imul ecx
- 0x00002b10 89C8 mov eax,ecx
- 0x00002b12 C1F81F sar eax,0x1f
- 0x00002b15 C1FA0C sar edx,0xc
- 0x00002b18 29C2 sub edx,eax
- 0x00002b1a 89C8 mov eax,ecx
- 0x00002b1c 69D210270000 imul edx,edx,0x2710
- 0x00002b22 29D0 sub eax,edx
- 0x00002b24 8945E0 mov dword [ss:ebp-0x48+var_40],eax
- ; Basic Block Input Regs: ebx ebp - Killed Regs: <nothing>
- 0x00002b27 395DD0 cmp dword [ss:ebp-0x48+var_24],ebx ; XREF=0x2aee
- 0x00002b2a 77C4 jnbe 0x2af0
- ; Basic Block Input Regs: ecx ebx ebp edi - Killed Regs: eax ecx ebx esp ebp esi
- 0x00002b2c 8B45E0 mov eax, dword [ss:ebp-0x48+var_40]
- 0x00002b2f BE04000000 mov esi,0x4
- 0x00002b34 31DB xor ebx,ebx
- 0x00002b36 C744240878300000 mov dword [ss:esp+0x8],0x3078 ; @"%i"
- 0x00002b3e 8944240C mov dword [ss:esp+0xc],eax
- 0x00002b42 A128400000 mov eax, dword [ds:objc_msg_stringWithFormat_]; @selector(stringWithFormat:)
- 0x00002b47 89442404 mov dword [ss:esp+0x4],eax
- 0x00002b4b A154400000 mov eax, dword [ds:cls_NSString]
- 0x00002b50 890424 mov dword [ss:esp],eax
- 0x00002b53 E806250000 call imp___jump_table__objc_msgSend //将结果格式化为NSString
- 0x00002b58 893C24 mov dword [ss:esp],edi
- 0x00002b5b 8945D8 mov dword [ss:ebp-0x48+var_32],eax
- 0x00002b5e E800250000 call imp___jump_table__strlen
- 0x00002b63 31C9 xor ecx,ecx
- 0x00002b65 8945D4 mov dword [ss:ebp-0x48+var_28],eax
- 0x00002b68 EB32 jmp 0x2b9c
- ; Basic Block Input Regs: ebx esi edi - Killed Regs: eax ecx edx ebx ebp esi
- 0x00002b6a 0FBE041F movsx eax, byte [ds:edi+ebx] ; XREF=0x2b9f
- 0x00002b6e 43 inc ebx
- 0x00002b6f 0FAFC6 imul eax,esi
- 0x00002b72 83C608 add esi,0x8
- 0x00002b75 8D1480 lea edx, dword [ds:eax+eax*4]
- 0x00002b78 8D54502D lea edx, dword [ds:eax+edx*2+0x2d]
- 0x00002b7c B8AD8BDB68 mov eax,0x68db8bad
- 0x00002b81 01D1 add ecx,edx
- 0x00002b83 F7E9 imul ecx
- 0x00002b85 89C8 mov eax,ecx
- 0x00002b87 C1F81F sar eax,0x1f
- 0x00002b8a C1FA0C sar edx,0xc
- 0x00002b8d 29C2 sub edx,eax
- 0x00002b8f 89C8 mov eax,ecx
- 0x00002b91 69D210270000 imul edx,edx,0x2710
- 0x00002b97 29D0 sub eax,edx
- 0x00002b99 8945E4 mov dword [ss:ebp-0x48+var_44],eax
- ; Basic Block Input Regs: ebx ebp - Killed Regs: <nothing>
- 0x00002b9c 3B5DD4 cmp ebx, dword [ss:ebp-0x48+var_28] ; XREF=0x2b68
- 0x00002b9f 72C9 jc 0x2b6a
- ; Basic Block Input Regs: ebx ebp - Killed Regs: eax ebx esp ebp esi edi
- 0x00002ba1 8B45E4 mov eax, dword [ss:ebp-0x48+var_44]
- 0x00002ba4 BE04000000 mov esi,0x4
- 0x00002ba9 31DB xor ebx,ebx
- 0x00002bab C744240878300000 mov dword [ss:esp+0x8],0x3078 ; @"%i"
- 0x00002bb3 BF04000000 mov edi,0x4
- 0x00002bb8 8944240C mov dword [ss:esp+0xc],eax
- 0x00002bbc A128400000 mov eax, dword [ds:objc_msg_stringWithFormat_]; @selector(stringWithFormat:)
- 0x00002bc1 89442404 mov dword [ss:esp+0x4],eax
- 0x00002bc5 A154400000 mov eax, dword [ds:cls_NSString]
- 0x00002bca 890424 mov dword [ss:esp],eax
- 0x00002bcd E88C240000 call imp___jump_table__objc_msgSend //将结果格式化为NSString
- 0x00002bd2 895C2408 mov dword [ss:esp+0x8],ebx
- 0x00002bd6 8974240C mov dword [ss:esp+0xc],esi
- 0x00002bda 8945DC mov dword [ss:ebp-0x48+var_36],eax
- 0x00002bdd A148400000 mov eax, dword [ds:objc_msg_substringWithRange_]; @selector(substringWithRange:)
- 0x00002be2 89442404 mov dword [ss:esp+0x4],eax
- 0x00002be6 8B4510 mov eax, dword [ss:ebp-0x48+arg_8]
- 0x00002be9 890424 mov dword [ss:esp],eax
- 0x00002bec E86D240000 call imp___jump_table__objc_msgSend //截取密码前4位验证
- 0x00002bf1 89742408 mov dword [ss:esp+0x8],esi
- 0x00002bf5 897C240C mov dword [ss:esp+0xc],edi
- 0x00002bf9 89C3 mov ebx,eax
- 0x00002bfb A148400000 mov eax, dword [ds:objc_msg_substringWithRange_]; @selector(substringWithRange:)
- 0x00002c00 89442404 mov dword [ss:esp+0x4],eax
- 0x00002c04 8B4510 mov eax, dword [ss:ebp-0x48+arg_8]
- 0x00002c07 890424 mov dword [ss:esp],eax
- 0x00002c0a E84F240000 call imp___jump_table__objc_msgSend//截取密码后4位验证
- 0x00002c0f 891C24 mov dword [ss:esp],ebx
- 0x00002c12 89C6 mov esi,eax
- 0x00002c14 8B45D8 mov eax, dword [ss:ebp-0x48+var_32]
- 0x00002c17 89442408 mov dword [ss:esp+0x8],eax
- 0x00002c1b A108400000 mov eax, dword [ds:objc_msg_isEqual_] ; @selector(isEqual:)
- 0x00002c20 89442404 mov dword [ss:esp+0x4],eax
- 0x00002c24 E835240000 call imp___jump_table__objc_msgSend //判断是否相等
- 0x00002c29 84C0 test al,al
- 0x00002c2b 7421 je 0x2c4e
- ; Basic Block Input Regs: ebp esi - Killed Regs: eax edx esp
- 0x00002c2d 8B45DC mov eax, dword [ss:ebp-0x48+var_36]
- 0x00002c30 893424 mov dword [ss:esp],esi
- 0x00002c33 89442408 mov dword [ss:esp+0x8],eax
- 0x00002c37 A108400000 mov eax, dword [ds:objc_msg_isEqual_] ; @selector(isEqual:)
- 0x00002c3c 89442404 mov dword [ss:esp+0x4],eax
- 0x00002c40 E819240000 call imp___jump_table__objc_msgSend//判断是否相等
- 0x00002c45 BA01000000 mov edx,0x1
- 0x00002c4a 84C0 test al,al
- 0x00002c4c 7502 jne 0x2c50
- ; Basic Block Input Regs: edx - Killed Regs: edx
- 0x00002c4e 31D2 xor edx,edx ; XREF=0x2abe, 0x2c2b
- ; Basic Block Input Regs: edx - Killed Regs: eax ebx esp esi edi
- 0x00002c50 83C43C add esp,0x3c ; XREF=0x2c4c
- 0x00002c53 89D0 mov eax,edx
- 0x00002c55 5B pop ebx
- 0x00002c56 5E pop esi
- 0x00002c57 5F pop edi
- 0x00002c58 C9 leave
- 0x00002c59 C3 ret
- KeyGen示例代码:
- int main(int argc, const char * argv[]) {
- @autoreleasepool {
-
- unsigned long nameLength = strlen(argv[1]);
- const char* index = argv[1];
- unsigned int eax = 0;
- int ecx=0,edx=0,esi = 4;
- int serial_1=0;
- long constValue = 0x68db8bad;
- for (int i = 0; i<nameLength; i++) {
- eax = (int)(*index);
- eax = eax * esi;
- esi+=4;
- edx = (eax << 0x4) - eax;
- ecx = edx + ecx+0x29a;
- edx = constValue*ecx >> 32;
- serial_1 = ecx - ((edx >> 0xc)-(ecx >> 0x1f)) * 0x2710;
- index++;
-
- }
- int serial_2=0;
- index = argv[1];
- eax = 0,ecx=0,edx=0,esi = 4;
-
- for (int i = 0; i<nameLength; i++) {
- eax = (int)(*index);
- eax = eax * esi;
- esi+=8;
- edx = eax+(eax+eax*4)*2+0x2d;
- ecx += edx;
- edx = constValue*ecx >> 32;
- serial_2 = ecx - ((edx >> 0xc) - (ecx >> 0x1f)) * 0x2710;
- index++;
- }
- NSLog(@"\nname:%s\nserial:%d%d",argv[1],serial_1,serial_2);
- }
- return 0;
- }
crackmes.zip
(71.4 KB, 下载次数: 23)
|
|
[复制链接]
IP卡
发表于 2014-10-20 14:49:47
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2014-10-20 20:22:00
发表于 2014-10-20 21:15:42
发表于 2014-10-21 18:39:14
