160个CrackMe之020

PEID查壳:WWPack32 1.x -> Piotr Warezak

手工脱壳,单步跟踪。找到一个跨度比较大的跳转——从壳代码所在的高地址(00465262)一次跳回原程序代码段的低地址(0044A648),而且落点是标准的函数序言 push ebp / mov ebp,esp——基本这里就是程序入口(OEP):

; Tail of the WWPack32 unpacker stub (OllyDbg listing). The stub lives at 0046xxxx,
; above the original code; its last instruction jumps back down into the unpacked image.
00465249    43              inc ebx
0046524A    80FA 00         cmp dl,0x0
0046524D  ^ 74 E8           je short 00465237                       ; backward jump: still inside the stub's loop
0046524F    03F2            add esi,edx
00465251  ^ EB F0           jmp short 00465243                      ; backward jump: still inside the stub's loop
00465253    58              pop eax
00465254    2E:0385 6302000>add eax,dword ptr cs:[ebp+0x263]
0046525B    05 67020000     add eax,0x267
00465260    5D              pop ebp
00465261    5B              pop ebx                                 ; stub restores the registers it used
00465262  - E9 E153FEFF     jmp 0044A648                            ; // the big jump: 0046xxxx -> 0044A648, the original entry point (OEP)

0044A648    55              push ebp                                ; OEP: standard prologue (push ebp / mov ebp,esp); dump from here
0044A649    8BEC            mov ebp,esp
0044A64B    83C4 F4         add esp,-0xC                            ; 12 bytes of locals
0044A64E    B8 78A44400     mov eax,0044A478                        ; UNICODE "9" (OllyDbg's guess at the data at 0044A478)
0044A653    E8 14B8FBFF     call 00405E6C                           ; a breakpoint here shows eax = "MZP", the program's description data
0044A658    A1 84BD4400     mov eax,dword ptr ds:[0x44BD84]         ; global pointer; also read by the routine at 0044A408
0044A65D    8B00            mov eax,dword ptr ds:[eax]
0044A65F    E8 CC5BFFFF     call 00440230
0044A664    8B0D 58BE4400   mov ecx,dword ptr ds:[0x44BE58]         ; BuLLeT_8.0044C8C8

选中头部(0044A648),右键->使用Ollydump脱壳调试程序,点击“脱壳”,然后将脱壳后程序保存。

OllyDump 对话框里需要改的就是程序的入口地址:把入口点改为新的 OEP 0044A648。

将保存后的程序运行,没啥问题了。

将保存的程序再用 PEID 查看,显示为 Borland Delphi 4.0 - 5.0,可以使用 IDR(Interactive Delphi Reconstructor)分析,直接找到按钮事件:

; IDR listing of the button's OnClick handler (prologue only). The same code is
; walked in full in the OllyDbg listing below; the OD breakpoint goes on 0044A2E8.
Unit1::TForm1.Button1Click
 0044A2E8    push       ebp                       ; handler entry
 0044A2E9    mov        ebp,esp
 0044A2EB    xor        ecx,ecx
 0044A2ED    push       ecx                       ; four zeroed dword locals
 0044A2EE    push       ecx
 0044A2EF    push       ecx
 0044A2F0    push       ecx
 0044A2F1    push       ebx
 0044A2F2    push       esi
 0044A2F3    mov        ebx,eax                   ; ebx keeps eax (presumably Self, Delphi register convention)
 0044A2F5    xor        eax,eax
 0044A2F7    push       ebp                       ; try/finally frame: ebp, handler, old fs:[0]
 0044A2F8    push       44A3E4
 0044A2FD    push       dword ptr fs:[eax]
 0044A300    mov        dword ptr fs:[eax],esp
 0044A303    lea        edx,[ebp-4]

在 OD 中设置断点:0044A2E8(即 IDR 给出的 Button1Click 入口),然后在程序里输入序列号(下面以 1234 为例)并点击按钮:

0044A2E8  /.  55            push ebp                                 ;  Button1Click entry (OD breakpoint); eax presumably = Self (Delphi register convention) -- confirm in IDR
0044A2E9  |.  8BEC          mov ebp,esp
0044A2EB  |.  33C9          xor ecx,ecx
0044A2ED  |.  51            push ecx                                 ;  reserve and zero four dword locals: local.1..local.4 = [ebp-4]..[ebp-0x10]
0044A2EE  |.  51            push ecx
0044A2EF  |.  51            push ecx
0044A2F0  |.  51            push ecx
0044A2F1  |.  53            push ebx
0044A2F2  |.  56            push esi
0044A2F3  |.  8BD8          mov ebx,eax                              ;  ebx = Self for the rest of the handler
0044A2F5  |.  33C0          xor eax,eax
0044A2F7  |.  55            push ebp                                 ;  try/finally frame: saved ebp, handler 0044A3E4, old fs:[0]
0044A2F8  |.  68 E4A34400   push new_BuLL.0044A3E4
0044A2FD  |.  64:FF30       push dword ptr fs:[eax]
0044A300  |.  64:8920       mov dword ptr fs:[eax],esp               ;  install the frame (fs:[0] = esp)
0044A303  |.  8D55 FC       lea edx,[local.1]
0044A306  |.  8B83 C8020000 mov eax,dword ptr ds:[ebx+0x2C8]         ;  control at Self+0x2C8: the serial edit box
0044A30C  |.  E8 FBA0FDFF   call new_BuLL.0042440C                   ;  looks like a get-text helper (used three times here): local.1 := its text
0044A311  |.  8B45 FC       mov eax,[local.1]                        ;  the serial as typed: "1234"
0044A314  |.  E8 EFD6FBFF   call new_BuLL.00407A08                   ;  decimal string -> integer in eax (1234 = 0x4D2)
0044A319  |.  8BF0          mov esi,eax                              ;  esi = serial as a 32-bit integer
0044A31B  |.  8B45 FC       mov eax,[local.1]
0044A31E  |.  E8 5DD7FBFF   call new_BuLL.00407A80                   ;  same string parsed again; result used as a 64-bit value in edx:eax
0044A323  |.  52            push edx                                 ;  push that 64-bit value (high, then low)
0044A324  |.  50            push eax
0044A325  |.  8BC6          mov eax,esi                              ;  eax = serial (1234 -> 0x4D2)
0044A327  |.  99            cdq                                      ;  sign-extend into edx:eax: EDX = high dword, EAX = low dword
0044A328  |.  030424        add eax,dword ptr ss:[esp]               ;  64-bit add; [esp] is the low dword just pushed (observed == esi) -> 2 * serial
0044A32B  |.  135424 04     adc edx,dword ptr ss:[esp+0x4]           ;  high dword, with carry
0044A32F  |.  83C4 08       add esp,0x8
0044A332  |.  52            push edx
0044A333  |.  50            push eax
0044A334  |.  8BC6          mov eax,esi
0044A336  |.  99            cdq
0044A337  |.  030424        add eax,dword ptr ss:[esp]               ;  second 64-bit add -> 3 * serial
0044A33A  |.  135424 04     adc edx,dword ptr ss:[esp+0x4]
0044A33E  |.  83C4 08       add esp,0x8
0044A341  |.  52            push edx                                 ;  pass the 64-bit product on the stack
0044A342  |.  50            push eax
0044A343  |.  8D55 F8       lea edx,[local.2]                        ;  result string goes to local.2
0044A346  |.  B8 06000000   mov eax,0x6                              ;  6 = minimum digit count (1234 gives "000E76", so it zero-pads)
0044A34B  |.  E8 78D6FBFF   call new_BuLL.004079C8                   ;  64-bit int -> hex string (1234*3 = 3702 = 0xE76)
0044A350  |.  8B55 F8       mov edx,[local.2]                        ;  "000E76"
0044A353  |.  8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]         ;  control at Self+0x2CC
0044A359  |.  E8 DEA0FDFF   call new_BuLL.0042443C                   ;  looks like a set-text helper: show the hex string in that control
0044A35E  |.  8D55 F4       lea edx,[local.3]
0044A361  |.  8B83 CC020000 mov eax,dword ptr ds:[ebx+0x2CC]
0044A367  |.  E8 A0A0FDFF   call new_BuLL.0042440C                   ;  read the same control back: local.3 := its text
0044A36C  |.  8B45 F4       mov eax,[local.3]                        ;  "000E76"
0044A36F  |.  50            push eax                                 ;  keep local.3 across the next call
0044A370  |.  8D55 F0       lea edx,[local.4]
0044A373  |.  8B83 F0020000 mov eax,dword ptr ds:[ebx+0x2F0]         ;  control at Self+0x2F0 holds the expected key
0044A379  |.  E8 8EA0FDFF   call new_BuLL.0042440C                   ;  local.4 := its text
0044A37E  |.  8B55 F0       mov edx,[local.4]                        ;  constant: "3E74984B" -- the key is a fixed string sitting in the form, trivially readable
0044A381  |.  58            pop eax                                  ;  eax = local.3 ("000E76"), pushed at 0044A36F
0044A382  |.  E8 6198FBFF   call new_BuLL.00403BE8                   ;  string compare: eax (computed) vs edx (expected)
0044A387      75 0F         jnz short new_BuLL.0044A398              ;  KEY JUMP: not equal -> failure path (patching it to nop/jmp defeats the check)
0044A389  |.  B2 01         mov dl,0x1                               ;  success: 004242FC(control at Self+0x2FC, 1) -- presumably a Boolean property := True
0044A38B  |.  8B83 FC020000 mov eax,dword ptr ds:[ebx+0x2FC]
0044A391  |.  E8 669FFDFF   call new_BuLL.004242FC
0044A396  |.  EB 11         jmp short new_BuLL.0044A3A9
0044A398  |>  8B83 D4020000 mov eax,dword ptr ds:[ebx+0x2D4]         ;  failure: object at Self+0x2D4
0044A39E  |.  8B50 34       mov edx,dword ptr ds:[eax+0x34]          ;  its field at +0x34 (the routine at 0044A3F4 writes 0x78 through the same setter)
0044A3A1  |.  83EA 0A       sub edx,0xA                              ;  minus 10 per failed attempt
0044A3A4  |.  E8 4398FDFF   call new_BuLL.00423BEC                   ;  write it back
0044A3A9  |>  8B83 D4020000 mov eax,dword ptr ds:[ebx+0x2D4]         ;  both paths join here
0044A3AF  |.  8378 34 32    cmp dword ptr ds:[eax+0x34],0x32         ;  signed compare of that field against 50
0044A3B3  |.  7D 07         jge short new_BuLL.0044A3BC              ;  >= 50 -> nothing more
0044A3B5  |.  8BC3          mov eax,ebx
0044A3B7  |.  E8 302EFFFF   call new_BuLL.0043D1EC                   ;  < 50 -> 0043D1EC(Self); some kind of lockout, client-side only
0044A3BC  |>  33C0          xor eax,eax
0044A3BE  |.  5A            pop edx                                  ;  edx = saved old fs:[0]
0044A3BF  |.  59            pop ecx                                  ;  discard handler address
0044A3C0  |.  59            pop ecx                                  ;  discard saved ebp
0044A3C1  |.  64:8910       mov dword ptr fs:[eax],edx               ;  uninstall the frame
0044A3C4  |.  68 EBA34400   push new_BuLL.0044A3EB                   ;  return address for the retn at 0044A3E3
0044A3C9  |>  8D45 F0       lea eax,[local.4]                        ;  finally block: 00403880 over local.4/local.3, then local.2/local.1 (looks like string cleanup -- confirm)
0044A3CC  |.  BA 02000000   mov edx,0x2
0044A3D1  |.  E8 AA94FBFF   call new_BuLL.00403880
0044A3D6  |.  8D45 F8       lea eax,[local.2]
0044A3D9  |.  BA 02000000   mov edx,0x2
0044A3DE  |.  E8 9D94FBFF   call new_BuLL.00403880
0044A3E3  \.  C3            retn                                     ;  continues at 0044A3EB (address pushed at 0044A3C4)
0044A3E4   .^ E9 AF8EFBFF   jmp new_BuLL.00403298                    ;  exception handler registered at 0044A2F8
0044A3E9   .^ EB DE         jmp short new_BuLL.0044A3C9              ;  handler resumes in the finally block
0044A3EB   .  5E            pop esi                                  ;  restore callee-saved esi
0044A3EC   .  5B            pop ebx                                  ;  restore callee-saved ebx
0044A3ED   .  8BE5          mov esp,ebp
0044A3EF   .  5D            pop ebp
0044A3F0   .  C3            retn
0044A3F1      8D40 00       lea eax,dword ptr ds:[eax]               ;  3-byte alignment filler before the next routine
0044A3F4   .  BA 78000000   mov edx,0x78                             ;  120
0044A3F9   .  8B80 D4020000 mov eax,dword ptr ds:[eax+0x2D4]         ;  same object Button1Click decrements (Self+0x2D4)
0044A3FF   .  E8 E897FDFF   call new_BuLL.00423BEC                   ;  same setter as at 0044A3A4 -- presumably resets the counter to 120
0044A404   .  C3            retn
0044A405      8D40 00       lea eax,dword ptr ds:[eax]               ;  alignment filler
0044A408   .  A1 84BD4400   mov eax,dword ptr ds:[0x44BD84]          ;  same global the OEP code reads at 0044A658
0044A40D   .  8B00          mov eax,dword ptr ds:[eax]
0044A40F   .  E8 7C59FFFF   call new_BuLL.0043FD90
0044A414   .  C3            retn
0044A415      8D40 00       lea eax,dword ptr ds:[eax]               ;  alignment filler
0044A418   .  55            push ebp                                 ;  tiny routine wrapped in a try/finally frame
0044A419   .  8BEC          mov ebp,esp
0044A41B   .  33C0          xor eax,eax
0044A41D   .  55            push ebp                                 ;  frame: saved ebp, handler 0044A43D, old fs:[0]
0044A41E   .  68 3DA44400   push new_BuLL.0044A43D
0044A423   .  64:FF30       push dword ptr fs:[eax]
0044A426   .  64:8920       mov dword ptr fs:[eax],esp
0044A429   .  FF05 CCC84400 inc dword ptr ds:[0x44C8CC]              ;  body: ++global counter at 0x44C8CC (0044A448 decrements it)
0044A42F   .  33C0          xor eax,eax
0044A431   .  5A            pop edx                                  ;  edx = saved old fs:[0]
0044A432   .  59            pop ecx                                  ;  discard handler address
0044A433   .  59            pop ecx                                  ;  discard saved ebp
0044A434   .  64:8910       mov dword ptr fs:[eax],edx               ;  uninstall the frame
0044A437   .  68 44A44400   push new_BuLL.0044A444
0044A43C   >  C3            retn                                     ;  RET used as a jump to 0044A444
0044A43D   .^ E9 568EFBFF   jmp new_BuLL.00403298                    ;  exception handler
0044A442   .^ EB F8         jmp short new_BuLL.0044A43C
0044A444   >  5D            pop ebp
0044A445   .  C3            retn
0044A446      8BC0          mov eax,eax                              ;  2-byte alignment filler
0044A448   .  832D CCC84400>sub dword ptr ds:[0x44C8CC],0x1          ;  --global counter at 0x44C8CC (counterpart of 0044A429)
0044A44F   .  C3            retn
0044A450   .  55            push ebp                                 ;  same frame shape as 0044A418, but with an empty body
0044A451   .  8BEC          mov ebp,esp
0044A453   .  33C0          xor eax,eax
0044A455   .  55            push ebp                                 ;  frame: saved ebp, handler 0044A46F, old fs:[0]
0044A456   .  68 6FA44400   push new_BuLL.0044A46F
0044A45B   .  64:FF30       push dword ptr fs:[eax]
0044A45E   .  64:8920       mov dword ptr fs:[eax],esp
0044A461   .  33C0          xor eax,eax                              ;  nothing between install and uninstall
0044A463   .  5A            pop edx                                  ;  edx = saved old fs:[0]
0044A464   .  59            pop ecx                                  ;  discard handler address
0044A465   .  59            pop ecx                                  ;  discard saved ebp
0044A466   .  64:8910       mov dword ptr fs:[eax],edx               ;  uninstall the frame
0044A469   .  68 76A44400   push new_BuLL.0044A476
0044A46E   >  C3            retn                                     ;  RET used as a jump to 0044A476
0044A46F   .^ E9 248EFBFF   jmp new_BuLL.00403298                    ;  exception handler
0044A474   .^ EB F8         jmp short new_BuLL.0044A46E
0044A476   >  5D            pop ebp
0044A477   .  C3            retn

从断点处开始单步调试分析:输入的序列号先按10进制解析成整数,再乘以 3(通过两次 cdq + add/adc 的 64 位加法完成),然后转换成16进制字符串(参数 6 是最小位数,1234 时得到 "000E76")写入 [ebx+0x2CC] 对应的控件,随后把该控件的文本读回来,与 [ebx+0x2F0] 控件里固定的字符串 "3E74984B" 做字符串比较。反推:3E74984B 转为10进制是 1047828555,正好能被 3 整除,1047828555 / 3 = 349276185,即注册码为 349276185(校验:349276185 × 3 = 1047828555 = 0x3E74984B)。因为期望值是写死在窗体控件里的常量、比较又完全在客户端完成,除了输入这个注册码,也可以直接把 0044A387 处的关键跳转 jnz 改掉。
