《pediy crackme 2007》序列号Bigman's Crackme6逆向过程

《pediy crackme 2007》序列号Bigman's Crackme6

逆向过程

现在查看buffer参数的内容在左下方的内存窗口"CTRL+G"再输入EBP-100查看到了BUFFER的内存，也就是我输到软件里面的帐号，以确定刚刚调用的这个API GetDlgItemTextA是获取帐号用了。。然后单步，一直到1589这个call

发现他压入了刚刚的字符串、字符串长度、句柄，可疑，F7步入函数，观察函数的特征，发现这个函数也调用了GetDlgItemTextA，然后还调用了sprintf，也就是说这个函数获取到我输入的密匙，还有字符串处理。

代码:

00401305 /$ 55 push ebp

00401306 |. 89E5 mov ebp, esp

00401308 |. 81EC 2C040000 sub esp, 42C ; 开辟42C个字节空间

0040130E |. 53 push ebx

0040130F |. 56 push esi

00401310 |. 57 push edi

00401311 |. 8DBD FCFEFFFF lea edi, dword ptr [ebp-104]

00401317 |. 8D35 38204000 lea esi, dword ptr [402038]

0040131D |. B9 40000000 mov ecx, 40

00401322 |. F3:A5 rep movs dword ptr es:[edi], dword ptr

[esi] ; memcpy(ebp104,402038,sizeof()=0x40);

00401324 |. 8DBD E1FBFFFF lea edi, dword ptr [ebp-41F]

0040132A |. 8D35 38214000 lea esi, dword ptr [402138]

00401330 |. B9 40000000 mov ecx, 40

00401335 |. F3:A5 rep movs dword ptr es:[edi], dword ptr

[esi] ; memcpy(ebp41f,402138,40);

00401337 |. 8DBD E1FDFFFF lea edi, dword ptr [ebp-21F]

0040133D |. 8D35 38224000 lea esi, dword ptr [402238]

00401343 |. B9 40000000 mov ecx, 40

00401348 |. F3:A5 rep movs dword ptr es:[edi], dword ptr

[esi] ; memcpy(ebp21f,402238,40);

0040134A |. 8DBD E1FCFFFF lea edi, dword ptr [ebp-31F]

00401350 |. 8D35 38234000 lea esi, dword ptr [402338]

00401356 |. B9 40000000 mov ecx, 40

0040135B |. F3:A5 rep movs dword ptr es:[edi], dword ptr

[esi] ; memcpy(ebp31f,402338,5);

0040135D |. 8DBD DCFBFFFF lea edi, dword ptr [ebp-424]

00401363 |. 8D35 38244000 lea esi, dword ptr [402438]

00401369 |. B9 05000000 mov ecx, 5

0040136E |. F3:A4 rep movs byte ptr es:[edi], byte ptr

[esi] ; memcpy(ebp424,402438,5);

00401370 |. 8DBD D6FBFFFF lea edi, dword ptr [ebp-42A]

00401376 |. 8D35 3D244000 lea esi, dword ptr [40243D]

0040137C |. B9 03000000 mov ecx, 3

00401381 |. F3:66:A5 rep movs word ptr es:[edi], word ptr

[esi] ; memcpy(ebp42a,40243d,3);

00401384 |. 8DBD E1FEFFFF lea edi, dword ptr [ebp-11F]

0040138A |. 8D35 43244000 lea esi, dword ptr [402443]

00401390 |. B9 1B000000 mov ecx, 1B

00401395 |. F3:A4 rep movs byte ptr es:[edi], byte ptr

[esi] ; memcpy(ebp11f,402443,0x1b);

00401397 |. C745 FC 00000>mov dword ptr [ebp-4], 0 ; int ebp4=0; 0040139E |. 68 00010000 push 100 ; /Count = 100 (256.) 004013A3 |. 8D85 E1FCFFFF lea eax, dword ptr [ebp-31F] ; |

004013A9 |. 50 push eax ; |Buffer

004013AA |. 6A 66 push 66 ; |ControlID = 66 (102.) 004013AC |. FF75 08 push dword ptr [ebp+8] ; |hWnd

004013AF |. E8 84030000 call <jmp.&USER32.GetDlgItemTextA> ;

\GetDlgItemTextA

004013B4 |. 09C0 or eax, eax

004013B6 |. 0F84 48010000 je 00401504 ; if(eax==0)return; 004013BC |. B8 CF110000 mov eax, 11CF ; eax=11cf; 004013C1 |. 0FB68D E1FCFF>movzx ecx, byte ptr

[ebp-31F] ; ecx=ebp31F[0]

004013C8 |. 99 cdq

004013C9 |. F7F9 idiv ecx ; edx,eax/ecs=eax..........edx

004013CB |. 83FA 17 cmp edx, 17

004013CE |. 74 07 je short 004013D7 ; if(eax%ecx!=0x17) 004013D0 |. 31C0 xor eax, eax ; { eax=0;

004013D2 |. E9 2D010000 jmp 00401504 ; }else

004013D7 |> 31DB xor ebx, ebx ; { ebx=0;

004013D9 |. EB 0B jmp short 004013E6 ; while(ebx<ebpC) 004013DB |> 8B45 10 /mov eax, dword ptr

[ebp+10] ; ebp4+=ebp10[ebx++];

004013DE |. 0FBE0418 |movsx eax, byte ptr [eax+ebx]

004013E2 |. 0145 FC |add dword ptr [ebp-4], eax

004013E5 |. 43 |inc ebx

004013E6 |> 3B5D 0C cmp ebx, dword ptr [ebp+C]

004013E9 |.^ 7C F0 \jl short 004013DB ; 此处循环，在else逻辑内

004013EB |. 31DB xor ebx, ebx ; ebx=0;

004013ED |. E9 83000000 jmp 00401475 ; 跳转循环判断

004013F2 |> 8B55 10 /mov edx, dword ptr

[ebp+10] ; edx=[ebp10][0].....while(ebx<ebpC)循环体内 004013F5 |. 0FBE3C1A |movsx edi, byte ptr [edx+ebx]

004013F9 |. 8B75 FC |mov esi, dword ptr [ebp-4] ; esi=ebp4 004013FC |. 89D9 |mov ecx, ebx ; ecx=ebx; 004013FE |. C1E1 02 |shl ecx, 2 ; ecx*=4; 00401401 |. 89DA |mov edx, ebx ; edx=ebx; 00401403 |. 42 |inc edx ; edx++; 00401404 |. 29D1 |sub ecx, edx ; ecx-=edx; 00401406 |. 0FB68C0D E1FE>|movzx ecx, byte ptr [ebp+ecx-11F] ; ecx=ebp11f[ecx]

0040140E |. 89FA |mov edx, edi 00401410 |. 31CA |xor edx, ecx 00401412 |. 89F1 |mov ecx, esi 00401414 |. 0FAFCB |imul ecx, ebx 00401417 |. 29F1 |sub ecx, esi 00401419 |. 89CE |mov esi, ecx 0040141B |. 83F6 FF |xor esi, FFFFFFFF 0040141E |. 8DB432 4D0100>|lea esi, dword ptr [edx+esi+14D] 00401425 |. 8B4D 0C |mov ecx, dword ptr [ebp+C] 00401428 |. 89DA |mov edx, ebx 0040142A |. 83C2 03 |add edx, 3 0040142D |. 0FAFCA |imul ecx, edx 00401430 |. 0FAFCF |imul ecx, edi 00401433 |. 89F0 |mov eax, esi 00401435 |. 01C8 |add eax, ecx 00401437 |. B9 0A000000 |mov ecx, 0A 0040143C |. 31D2 |xor edx, edx 0040143E |. F7F1 |div ecx 00401440 |. 83C2 30 |add edx, 30

00401443 |. 88941D FCFEFF>|mov byte ptr [ebp+ebx-104], dl 0040144A |. 0FB6BC1D FCFE>|movzx edi, byte ptr [ebp+ebx-104] 00401452 |. 81F7 ACAD0000 |xor edi, 0ADAC 00401458 |. 89DE |mov esi, ebx 0040145A |. 83C6 02 |add esi, 2 0040145D |. 89F8 |mov eax, edi 0040145F |. 0FAFC6 |imul eax, esi 00401462 |. B9 0A000000 |mov ecx, 0A 00401467 |. 99 |cdq 00401468 |. F7F9 |idiv ecx 0040146A |. 83C2 30 |add edx, 30

0040146D |. 88941D FCFEFF>|mov byte ptr [ebp+ebx-104], dl 00401474 |. 43 |inc ebx

00401475 |> 3B5D 0C cmp ebx, dword ptr [ebp+C]

; edx=edi ; edx^=ecx ; ecx=esi ; ecx*=ebx ; ecx=esi ; esi=ecx ; esi=~esi;

00401478 |.^ 0F8C 74FFFFFF \jl 004013F2 ; for2此处循环在else分支内

0040147E |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]

00401484 |. 50 push eax

00401485 |. 6A 54 push 54

00401487 |. 8D85 DCFBFFFF lea eax, dword ptr [ebp-424]

0040148D |. 50 push eax ; |Format

0040148E |. 8D85 E1FBFFFF lea eax, dword ptr [ebp-41F] ; |

00401494 |. 50 push eax ; |s

00401495 |. E8 CE020000 call <jmp.&USER32.wsprintfA>

0040149A |. 8B7D 0C mov edi, dword ptr [ebp+C]

0040149D |. 89F8 mov eax, edi

0040149F |. 0FAF45 FC imul eax, dword ptr [ebp-4]

004014A3 |. B9 64000000 mov ecx, 64

004014A8 |. 99 cdq

004014A9 |. F7F9 idiv ecx

004014AB |. 89D7 mov edi, edx

004014AD |. 83C7 30 add edi, 30

004014B0 |. 57 push edi

004014B1 |. 8DBD E1FBFFFF lea edi, dword ptr [ebp-41F]

004014B7 |. 57 push edi

004014B8 |. 8DBD D6FBFFFF lea edi, dword ptr [ebp-42A]

004014BE |. 57 push edi

004014BF |. 8DBD E1FDFFFF lea edi, dword ptr [ebp-21F]

004014C5 |. 57 push edi

004014C6 |. E8 9D020000 call <jmp.&USER32.wsprintfA>

004014CB |. 83C4 20 add esp, 20

004014CE |. 8D8D E1FDFFFF lea ecx, dword ptr [ebp-21F]

004014D4 |. 83C8 FF or eax, FFFFFFFF

004014D7 |> 40 /inc eax

004014D8 |. 803C01 00 |cmp byte ptr [ecx+eax], 0

004014DC |.^ 75 F9 \jnz short 004014D7

004014DE |. 50 push eax

004014DF |. 8D85 E1FCFFFF lea eax, dword ptr [ebp-31F]

004014E5 |. 50 push eax

004014E6 |. 8D85 E1FDFFFF lea eax, dword ptr [ebp-21F]

004014EC |. 50 push eax

004014ED |. E8 D0FDFFFF call 004012C2

004014F2 |. 83C4 0C add esp, 0C

004014F5 |. 83F8 00 cmp eax, 0

004014F8 |. 75 07 jnz short 00401501

004014FA |. B8 00000000 mov eax, 0

004014FF |. EB 03 jmp short 00401504

00401501 |> 31C0 xor eax, eax ; \wsprintfA ; |Format ; | ; |s ; \wsprintfA

00401503 |. 40 inc eax

00401504 |> 5F pop edi

00401505 |. 5E pop esi

00401506 |. 5B pop ebx

00401507 |. C9 leave

00401508 \. C3 retn

分析程序大概流程：初始化栈，然后定义了数组，调用memcpy进行数组初始化，获输入的密匙，如果得到的密匙长度为零，直接反回0，否则继续。

然后就是对莫运算的一个判断，如果余数不为0x17则跳到函数尾，结束当前函数，否则继续。 看到这种结构，一眼就能判定是循环，如图：

点击图片以查看大图

图片名称: 图像 005.jpg

查看次数: 0

文件大小: 89.4 KB

文件 ID : 97424

很容易转换为C里面的for(ebx=0;ebx<ebp_C,ebx++)ebp_4+=ebp_10[ebx];

此循环后边紧跟一个循环且在同一层次上。。因为二者循环体（左边那根黑线）没有交叉的地方。 而且能判定这两个循环在if else的同一分支上，因为点击“004013D2 |. /E9

2D010000 jmp 00401504”这一行的时候左边的红线把刚刚的两个函数的逻辑都给包起来了。。 然后调用连两个wsprintf函数，后call 004012C2。而且后边这些逻辑和前面两个循环一样是在同一个逻辑里。然后我得出了函数的大体运行流程：

代码:

int func(int hw,int len,char* pUser)

{

memcpy(......);

memcpy(......);

......................

memcpy(......);

GetDlgItemTextA;

if(len==0)return 0;

if(%!=0x17)

{

eax=0;

}

else

{

for();

for();

sprintf();

sprintf();

eax=call 004012C2;

}

return eax;