160个CrackMe之033

进入主界面Help->Register,Name输入:

根据弹出的错误提示框,字符串定位:

; Tail of the handler that compares name and serial (its start is above this
; listing; 004011E6, the common return target, is not shown). Presumably the
; Help->Register dialog from the write-up. The name buffer 0040218E is passed
; to 0040137E (case conversion + key in eax) and the serial buffer 0040217E to
; 004013D8 (decimal fold in ebx); the two values must be equal.
00401226   .^\74 BE         je short Cruehead.004011E6
00401228   .  68 8E214000   push Cruehead.0040218E                   ;  "BCDEF"
0040122D   .  E8 4C010000   call Cruehead.0040137E                   ;  to upper case, then key -> eax
00401232   .  50            push eax                                 ;  0x572C  (key saved across the serial call)
00401233   .  68 7E214000   push Cruehead.0040217E                   ;  "6789"
00401238   .  E8 9B010000   call Cruehead.004013D8                   ;  serial check: decimal fold ^ 0x1234 -> ebx
0040123D   .  83C4 04       add esp,0x4
00401240   .  58            pop eax                                  ;  0x572C
00401241   .  3BC3          cmp eax,ebx                              ;   0x8B1  (name key vs serial value)
00401243   .  74 07         je short Cruehead.0040124C
00401245   .  E8 18010000   call Cruehead.00401362                   ;  second error box (serial mismatch)
0040124A   .^ EB 9A         jmp short Cruehead.004011E6
0040124C   >  E8 FC000000   call Cruehead.0040134D                   ;  success path
00401251   .^ EB 93         jmp short Cruehead.004011E6
; Dialog procedure at 00401253. Per the DialogProc convention arg.1 = hWnd,
; arg.2 = message, arg.3 = wParam. Messages handled: 0x110 (WM_INITDIALOG)
; -> SetFocus; 0x111 (WM_COMMAND) -> read the two edit controls; 0x10
; (WM_CLOSE) -> EndDialog; 0x201 (WM_LBUTTONDOWN) -> InvalidateRect then
; falls into the SetFocus path. Anything else returns eax = 0.
00401253  /.  C8 000000     enter 0x0,0x0
00401257  |.  53            push ebx
00401258  |.  56            push esi
00401259  |.  57            push edi
0040125A  |.  817D 0C 10010>cmp [arg.2],0x110                        ;  WM_INITDIALOG
00401261  |.  74 34         je short Cruehead.00401297
00401263  |.  817D 0C 11010>cmp [arg.2],0x111                        ;  WM_COMMAND
0040126A  |.  74 35         je short Cruehead.004012A1
0040126C  |.  837D 0C 10    cmp [arg.2],0x10                         ;  WM_CLOSE
00401270  |.  0F84 81000000 je Cruehead.004012F7                     ;  note: eax is not set on this path before 004012F7 pushes it as Result
00401276  |.  817D 0C 01020>cmp [arg.2],0x201                        ;  WM_LBUTTONDOWN
0040127D  |.  74 0C         je short Cruehead.0040128B
0040127F  |.  B8 00000000   mov eax,0x0                              ;  unhandled message -> 0
00401284  |>  5F            pop edi                                  ;  00150178  (common epilogue, returns eax)
00401285  |.  5E            pop esi                                  ;  00150178
00401286  |.  5B            pop ebx                                  ;  00150178
00401287  |.  C9            leave
00401288  |.  C2 1000       retn 0x10
0040128B  |>  6A 01         push 0x1                                 ; /Erase = TRUE
0040128D  |.  6A 00         push 0x0                                 ; |pRect = NULL
0040128F  |.  FF75 08       push [arg.1]                             ; |hWnd = 00000230
00401292  |.  E8 B5010000   call <jmp.&USER32.InvalidateRect>        ; \InvalidateRect  (then falls through to SetFocus)
00401297  |>  FF75 08       push [arg.1]                             ; /hWnd = 00000230
0040129A  |.  E8 95010000   call <jmp.&USER32.SetFocus>              ; \SetFocus  (its return value becomes the result)
0040129F  |.^ EB E3         jmp short Cruehead.00401284
004012A1  |>  33C0          /xor eax,eax                             ;  WM_COMMAND: dispatch on wParam
004012A3  |.  817D 10 EB030>|cmp [arg.3],0x3EB                       ;  0x3EB (also forced below after an empty name) -> EndDialog(hWnd, 0)
004012AA  |.  74 4B         |je short Cruehead.004012F7
004012AC  |.  817D 10 EA030>|cmp [arg.3],0x3EA                       ;  0x3EA, presumably the OK button
004012B3  |.  75 3B         |jnz short Cruehead.004012F0
004012B5  |.  6A 0B         |push 0xB                                ; /Count = B (11.)  -> at most 10 characters + NUL
004012B7  |.  68 8E214000   |push Cruehead.0040218E                  ; |12345  (name buffer)
004012BC  |.  68 E8030000   |push 0x3E8                              ; |ControlID = 3E8 (1000.)
004012C1  |.  FF75 08       |push [arg.1]                            ; |hWnd = 00000230
004012C4  |.  E8 07020000   |call <jmp.&USER32.GetDlgItemTextA>      ; \GetDlgItemTextA  -> eax = characters copied
004012C9  |.  83F8 01       |cmp eax,0x1                             ;  empty name?
004012CC  |.  C745 10 EB030>|mov [arg.3],0x3EB                       ;  mov leaves flags alone; wParam := 0x3EB for the retry
004012D3  |.^ 72 CC         \jb short Cruehead.004012A1              ;  0 chars: loop back, which now hits the 0x3EB branch and closes with 0
004012D5  |.  6A 0B         push 0xB                                 ; /Count = B (11.)
004012D7  |.  68 7E214000   push Cruehead.0040217E                   ; |789  (serial buffer)
004012DC  |.  68 E9030000   push 0x3E9                               ; |ControlID = 3E9 (1001.)
004012E1  |.  FF75 08       push [arg.1]                             ; |hWnd = 00000230
004012E4  |.  E8 E7010000   call <jmp.&USER32.GetDlgItemTextA>       ; \GetDlgItemTextA  (return value not checked)
004012E9  |.  B8 01000000   mov eax,0x1                              ;  both fields read -> result 1
004012EE  |.  EB 07         jmp short Cruehead.004012F7
004012F0  |>  B8 00000000   mov eax,0x0                              ;  other command ids -> 0
004012F5  |.^ EB 8D         jmp short Cruehead.00401284
004012F7  |>  50            push eax                                 ; /Result = 0x0
004012F8  |.  FF75 08       push [arg.1]                             ; |hWnd = 00000230
004012FB  |.  E8 B2010000   call <jmp.&USER32.EndDialog>             ; \EndDialog
00401300  |.  B8 01000000   mov eax,0x1
00401305  \.^ E9 7AFFFFFF   jmp Cruehead.00401284
; Second dialog procedure at 0040130A (same arg layout: hWnd, message,
; wParam). Only closes the dialog: WM_COMMAND with wParam 0x3F2, or
; WM_CLOSE, -> EndDialog(hWnd, 0). Everything else returns eax = 0.
; Presumably the About/Help box; the listing does not show which.
0040130A  /.  C8 000000     enter 0x0,0x0
0040130E  |.  53            push ebx
0040130F  |.  56            push esi
00401310  |.  57            push edi
00401311  |.  817D 0C 11010>cmp [arg.2],0x111                        ;  WM_COMMAND
00401318  |.  74 12         je short Cruehead.0040132C
0040131A  |.  837D 0C 10    cmp [arg.2],0x10                         ;  WM_CLOSE
0040131E  |.  74 15         je short Cruehead.00401335
00401320  |.  B8 00000000   mov eax,0x0                              ;  unhandled message -> 0
00401325  |>  5F            pop edi                                  ;  00150178  (common epilogue)
00401326  |.  5E            pop esi                                  ;  00150178
00401327  |.  5B            pop ebx                                  ;  00150178
00401328  |.  C9            leave
00401329  |.  C2 1000       retn 0x10
0040132C  |>  817D 10 F2030>cmp [arg.3],0x3F2                        ;  command id 0x3F2 closes the dialog
00401333  |.  75 11         jnz short Cruehead.00401346
00401335  |>  6A 00         push 0x0                                 ; /Result = 0x0
00401337  |.  FF75 08       push [arg.1]                             ; |hWnd = 00000230
0040133A  |.  E8 73010000   call <jmp.&USER32.EndDialog>             ; \EndDialog
0040133F  |.  B8 01000000   mov eax,0x1
00401344  |.^ EB DF         jmp short Cruehead.00401325
00401346  |>  B8 00000000   mov eax,0x0                              ;  other command ids -> 0
0040134B  \.^ EB D8         jmp short Cruehead.00401325
; 0040134D: success message box. No frame is set up, so [arg.1] is read
; through the caller's ebp (presumably the dialog's hWnd). Returns
; MessageBoxA's value in eax.
0040134D  /$  6A 30         push 0x30                                ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0040134F  |.  68 29214000   push Cruehead.00402129                   ; |Good work!
00401354  |.  68 34214000   push Cruehead.00402134                   ; |Great work, mate!\rNow try the next CrackMe!
00401359  |.  FF75 08       push [arg.1]                             ; |hOwner = 00000230
0040135C  |.  E8 D9000000   call <jmp.&USER32.MessageBoxA>           ; \MessageBoxA
00401361  \.  C3            retn
; 00401362: second error box, shown when the serial value does not match
; the name key. Beeps first, then MessageBoxA; same frameless [arg.1]
; access as 0040134D.
00401362  /$  6A 00         push 0x0                                 ; /BeepType = MB_OK
00401364  |.  E8 AD000000   call <jmp.&USER32.MessageBeep>           ; \MessageBeep
00401369  |.  6A 30         push 0x30                                ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
0040136B  |.  68 60214000   push Cruehead.00402160                   ; |No luck!
00401370  |.  68 69214000   push Cruehead.00402169                   ; |No luck there, mate!
00401375  |.  FF75 08       push [arg.1]                             ; |hOwner = 00000230
00401378  |.  E8 BD000000   call <jmp.&USER32.MessageBoxA>           ; \second error box (serial)
0040137D  \.  C3            retn
; Name routine 0040137E: esi = [esp+4] -> name buffer. Walks the string once
; converting case in place, then calls 004013C2 to sum the bytes and XORs the
; sum with 0x5678; the key is returned in eax. Both range checks are
; unsigned (jb/jnb), so bytes >= 0x80 pass the 'A' test. Clobbers esi/edi/ebx.
0040137E  /$  8B7424 04     mov esi,dword ptr ss:[esp+0x4]           ;  "BCDEF"
00401382  |.  56            push esi                                 ;  keep the start of the name for the sum below
00401383  |>  8A06          /mov al,byte ptr ds:[esi]                ;  name[i]
00401385  |.  84C0          |test al,al
00401387  |.  74 13         |je short Cruehead.0040139C              ;  NUL ends the loop
00401389  |.  3C 41         |cmp al,0x41                             ;  A
0040138B  |.  72 1F         |jb short Cruehead.004013AC              ;  al < 'A': first error box (name)
0040138D  |.  3C 5A         |cmp al,0x5A                             ;  Z
0040138F  |.  73 03         |jnb short Cruehead.00401394             ;  al >= 'Z' (jnb, not ja): 'Z' itself and 0x5B.. are converted too
00401391  |.  46            |inc esi
00401392  |.^ EB EF         |jmp short Cruehead.00401383
00401394  |>  E8 39000000   |call Cruehead.004013D2                  ;  name[i] -= 0x20, stored back
00401399  |.  46            |inc esi
0040139A  |.^ EB E7         \jmp short Cruehead.00401383
0040139C  |>  5E            pop esi                                  ;  "BCDEF"  (back to the start of the name)
0040139D  |.  E8 20000000   call Cruehead.004013C2                   ;  edi = sum of the (converted) name bytes
004013A2  |.  81F7 78560000 xor edi,0x5678                           ;  edi = 0x154 ^ 0x5678
004013A8  |.  8BC7          mov eax,edi                              ;  0x572C  = key handed back to the caller
004013AA  |.  EB 15         jmp short Cruehead.004013C1
004013AC  |>  5E            pop esi                                  ;  00150178
004013AD  |.  6A 30         push 0x30                                ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
004013AF  |.  68 60214000   push Cruehead.00402160                   ; |No luck!
004013B4  |.  68 69214000   push Cruehead.00402169                   ; |No luck there, mate!
004013B9  |.  FF75 08       push [arg.1]                             ; |hOwner = 00000230  (no frame here: [arg.1] is read through the caller's ebp)
004013BC  |.  E8 79000000   call <jmp.&USER32.MessageBoxA>           ; \first error box (name); on this path eax holds MessageBoxA's return, not a key
004013C1  \>  C3            retn
; 004013C2: edi = sum of the bytes at esi up to the NUL. ebx is zeroed first
; and only bl is loaded, so each byte is added as an unsigned value. Leaves
; esi on the terminator; ebx clobbered.
004013C2  /$  33FF          xor edi,edi                              ;  edi = 0
004013C4  |.  33DB          xor ebx,ebx                              ;  ebx = 0
004013C6  |>  8A1E          /mov bl,byte ptr ds:[esi]                ;  BCDEF
004013C8  |.  84DB          |test bl,bl
004013CA  |.  74 05         |je short Cruehead.004013D1
004013CC  |.  03FB          |add edi,ebx                             ;  unsigned byte added to the running sum
004013CE  |.  46            |inc esi
004013CF  |.^ EB F5         \jmp short Cruehead.004013C6
004013D1  \>  C3            retn                                     ;  edi = 0x154
; 004013D2: helper called from the name loop. al -= 0x20 and the byte is
; written back to [esi] (lower-case letter -> upper case; other bytes >= 'Z'
; are shifted just the same).
004013D2  /$  2C 20         sub al,0x20
004013D4  |.  8806          mov byte ptr ds:[esi],al
004013D6  \.  C3            retn
; 004013D7: lone retn; no jump or call in this listing targets it (appears
; to be padding / dead code).
004013D7   .  C3            retn
; Serial routine 004013D8: esi = [esp+4] -> serial string. Folds the bytes as
; decimal digits, edi = edi*10 + (byte - 0x30), with no digit check at all —
; every byte is accepted — then XORs with 0x1234. Result in ebx; eax, edi
; and esi are clobbered. 32-bit imul/add, so long inputs simply wrap.
004013D8  /$  33C0          xor eax,eax                              ;  eax = 0
004013DA  |.  33FF          xor edi,edi                              ;  edi = 0
004013DC  |.  33DB          xor ebx,ebx                              ;  ebx = 0
004013DE  |.  8B7424 04     mov esi,dword ptr ss:[esp+0x4]           ;  serial
004013E2  |>  B0 0A         /mov al,0xA                              ;  eax = 10 (upper bytes already zero)
004013E4  |.  8A1E          |mov bl,byte ptr ds:[esi]                ;  serial
004013E6  |.  84DB          |test bl,bl
004013E8  |.  74 0B         |je short Cruehead.004013F5              ;  NUL ends the loop
004013EA  |.  80EB 30       |sub bl,0x30                             ;  bl = byte - '0'; upper bytes of ebx stay 0, so a non-digit yields 0..255, never a negative
004013ED  |.  0FAFF8        |imul edi,eax                            ;  edi *= 10
004013F0  |.  03FB          |add edi,ebx
004013F2  |.  46            |inc esi
004013F3  |.^ EB ED         \jmp short Cruehead.004013E2
004013F5  |>  81F7 34120000 xor edi,0x1234
004013FB  |.  8BDF          mov ebx,edi                              ;  0x8B1  = value returned to the caller in ebx
004013FD  \.  C3            retn

主程序调用:

; Caller side of the check (excerpt of the listing above): name key from
; 0040137E in eax, serial value from 004013D8 in ebx, compared for equality.
00401228   .  68 8E214000   push Cruehead.0040218E                   ;  "BCDEF"
0040122D   .  E8 4C010000   call Cruehead.0040137E                   ;  to upper case, then key -> eax
00401232   .  50            push eax                                 ;  0x572C  (key saved across the serial call)
00401233   .  68 7E214000   push Cruehead.0040217E                   ;  "6789"
00401238   .  E8 9B010000   call Cruehead.004013D8                   ;  serial check: string folded to a decimal value, ^ 0x1234 -> ebx
0040123D   .  83C4 04       add esp,0x4
00401240   .  58            pop eax                                  ;  0x572C
00401241   .  3BC3          cmp eax,ebx                              ;   0x8B1  (name key vs serial value)
00401243   .  74 07         je short Cruehead.0040124C
00401245   .  E8 18010000   call Cruehead.00401362                   ;  second error box (serial mismatch)
0040124A   .^ EB 9A         jmp short Cruehead.004011E6
0040124C   >  E8 FC000000   call Cruehead.0040134D                   ;  success path

先对name进行计算:先是转为大写,之后再将name各字节累加,再与0x5678进行异或运算,作为serial校验的基准值;然后对serial进行数据操作(将字符串数据转换为10进制数值),最后将得到的结果与name计算的结果进行数值比较:

#include <cstdio>
#include <iostream>

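// Model of the CrackMe's name/serial check, transcribed from the disassembly
// above (name routine 0040137E, serial routine 004013D8).
//
// Quirks of the original are reproduced on purpose rather than "fixed":
//   - the case conversion subtracts 0x20 from every byte >= 0x5A ('Z'), i.e.
//     the check is jnb, so 'Z' itself and the bytes between 'Z' and 'a' are
//     changed as well;
//   - both range checks are unsigned byte compares;
//   - the serial parser does no digit validation: every byte is folded in as
//     (byte - '0'), and the 32-bit arithmetic wraps instead of overflowing.

// Name key: uppercase name[] in place, then sum its bytes and XOR with 0x5678.
// Returns false when a byte below 'A' is met; the original leaves the name
// routine right there (showing "No luck") without computing a key.
static bool name_key(char *name, unsigned *key) {
	for (int i = 0; name[i] != 0; i++) {
		unsigned char c = (unsigned char)name[i];   // cmp al,... is unsigned
		if (c < 0x41) {        // 'A'
			return false;
		}
		if (c >= 0x5A) {       // jnb: 'Z' and everything above it
			name[i] = (char)(c - 0x20);
		}
	}

	unsigned sum = 0;
	for (int i = 0; name[i] != 0; i++) {
		sum += (unsigned char)name[i];   // mov bl,[esi] / add edi,ebx: unsigned bytes
	}
	*key = sum ^ 0x5678;
	return true;
}

// Serial value: decimal fold of serial[] (no digit check, as in the original)
// followed by XOR with 0x1234. Unsigned 32-bit so that long inputs wrap the
// way the original's imul/add do instead of being undefined behaviour.
static unsigned serial_value(const char *serial) {
	unsigned v = 0;
	for (int i = 0; serial[i] != 0; i++) {
		// sub bl,0x30 with the upper bytes of ebx zero: a non-digit gives 0..255
		v = v * 10 + (unsigned char)(serial[i] - 0x30);
	}
	return v ^ 0x1234;
}

int main() {
	char name[] = "bcdefzz";
	char serial[] = "6789";

	unsigned k = 0;
	if (!name_key(name, &k)) {
		printf("Error 1\n");   // first error box (name); no key is produced
		return 0;
	}
	unsigned edi = serial_value(serial);

	// For these inputs: k = 0x5470, edi = 0x8b1
	if (edi == k) {
		printf("succeed");
	}
	else {
		printf("Error 2\n");   // second error box (serial)
	}

	return 0;
}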

反推:

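// Reverse of the check: derive the serial that matches a fixed name.
// Mirrors the name routine at 0040137E and the serial routine at 004013D8
// in the disassembly above: (sum of converted name bytes) ^ 0x5678 must equal
// (decimal value of serial) ^ 0x1234, so the serial is key ^ 0x1234 printed
// as a decimal number. Prints "Error 1" and stops if the name is rejected.
void Crackme33() {
	char name[] = "bcdefzz";

	// Case conversion exactly as the original does it: unsigned byte compares,
	// byte < 0x41 ('A') is rejected, byte >= 0x5A ('Z', jnb) gets 0x20 subtracted.
	for (int i = 0; name[i] != 0; i++) {
		unsigned char c = (unsigned char)name[i];
		if (c < 0x41) {
			printf("Error 1\n");
			return;   // the original leaves the name routine here without a key
		}
		if (c >= 0x5A) {
			name[i] = (char)(c - 0x20);
		}
	}

	// Name key: unsigned byte sum XOR 0x5678 (32-bit, wraps like the original).
	unsigned k = 0;
	for (int i = 0; name[i] != 0; i++) {
		k += (unsigned char)name[i];
	}
	k ^= 0x5678;

	// XOR is its own inverse: undoing the serial side's ^ 0x1234 gives the
	// decimal value the parser must produce.
	unsigned serial = k ^ 0x1234;

	// The value printed in decimal is the serial string.
	printf("serial %u\n\n", serial);
}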