【Write-up Title】Newbie Crackme
【Author】仙果
【Tools】OD, IDA
【Platform】Windows XP SP2
【Software】Downloaded from 看雪...
【Statement】Purely a hobby
------------------------------------------------------------------------
【Cracking Process】
Cracking has always been my weak point, algorithms especially. A while ago I downloaded a crackme from 看雪 and let it sit for two days. Today is Saturday, the sun is brutal and I have no mood to go out, so I might as well crack this one. No sooner thought than done.
PEiD identifies it as VC++ 6.0, no packer. Good, otherwise I would have to unpack it first, which is extra hassle.
Load it into OD, F9 to run, enter 0123456789 and it reports "Your Password Is Invalid!". Excellent; straight to "Ultra String Reference", only to find that every string is encrypted and the algorithm is unknown.
Nothing for it but to analyze it properly. The analysis turns up the string decryption function:
CALL 破解我.004018E0:
004018E0 PUSH EDI
004018E1 MOV EDI,DWORD PTR SS:[ESP+C] ; 破解我.00404084
004018E5 PUSH EDI ; /String
004018E6 CALL DWORD PTR DS:[<&KERNEL32.lstrlenA>] ; \lstrlenA // get the string length
004018EC XOR ECX,ECX
004018EE DEC EAX
004018EF TEST EAX,EAX
004018F1 JL SHORT 破解我.00401917
004018F3 PUSH EBP
004018F4 PUSH ESI
004018F5 MOV ESI,DWORD PTR SS:[ESP+10]
004018F9 LEA EDX,DWORD PTR DS:[EAX+1]
004018FC MOV ECX,ESI
004018FE SUB EDI,ESI
00401900 MOV EBP,EDX
00401902 /MOV AL,BYTE PTR DS:[EDI+ECX]
00401905 |XOR AL,22 // the decryption KEY
00401907 |MOV BYTE PTR DS:[ECX],AL
00401909 |INC ECX
0040190A |DEC EDX
0040190B \JNZ SHORT 破解我.00401902
0040190D MOV BYTE PTR DS:[ESI+EBP],0
00401911 MOV EAX,ESI
00401913 POP ESI
00401914 POP EBP
00401915 POP EDI
00401916 RETN
00401917 MOV EAX,DWORD PTR SS:[ESP+8]
0040191B POP EDI
0040191C MOV BYTE PTR DS:[ECX+EAX],0
00401920 RETN
00401921 NOP
The decryption function is actually very simple: each byte is just XORed with 0x22. Based on that I wrote a bit of code to recover the encrypted strings, as follows:
#include <stdio.h>
// Encrypted string table copied from the crackme's data section. Entries are
// separated by NUL bytes, so the array size is taken from the literal itself
// rather than from a fixed 500-byte buffer.
unsigned char encode[]=
"\x7B\x4D\x57\x50\x02\x72\x43\x51\x51\x55\x4D\x50\x46\x02\x6B\x51"//Your Password Is Invalid!
"\x02\x6B\x4C\x54\x43\x4E\x4B\x46\x03\x00\x00\x00\x7B\x4D\x57\x02"
"\x43\x50\x47\x02\x74\x47\x50\x5B\x02\x6C\x60\x03\x00\x00\x00\x00"//You are Very NB!
"\x49\x47\x50\x4C\x47\x4E\x11\x10\x0C\x46\x4E\x4E\x00\x00\x00\x00"
"\x57\x51\x47\x50\x11\x10\x0C\x46\x4E\x4E\x00\x00\x65\x47\x56\x72"
"\x50\x4D\x41\x63\x46\x46\x50\x47\x51\x51\x00\x00\x65\x47\x56\x75"
"\x4B\x4C\x46\x4D\x55\x76\x47\x5A\x56\x63\x00\x00\x6D\x52\x47\x4C"
"\x72\x50\x4D\x41\x47\x51\x51\x00\x75\x50\x4B\x56\x47\x72\x50\x4D"
"\x41\x47\x51\x51\x6F\x47\x4F\x4D\x50\x5B\x00\x00\x51\x53\x00\x00"
"\x61\x50\x47\x43\x56\x47\x76\x4A\x50\x47\x43\x46\x00\x00\x00\x00"
"\x70\x47\x43\x46\x72\x50\x4D\x41\x47\x51\x51\x6F\x47\x4F\x4D\x50"
"\x5B\x00\x00\x00\x71\x4E\x47\x47\x52\x00\x00\x00\x65\x47\x56\x61"
"\x57\x50\x50\x47\x4C\x56\x72\x50\x4D\x41\x47\x51\x51\x6B\x46\x00";
int main()
{
    unsigned char decode[sizeof(encode)];
    int i;
    int nLen = sizeof(encode) - 1;   // number of bytes in the literal (208), not the buffer size
    for (i = 0; i < nLen; i++)
    {
        decode[i] = encode[i] ^ 0x22;   // the key seen at 00401905
        printf("%c", decode[i]);        // NUL separators print as '"' (0x00 ^ 0x22 = 0x22)
    }
    return 0;
}
The decrypted strings are as follows:
Your Password Is Invalid!"""You are Very NB!""""kernel32.dll""""user32.dll""GetP
rocAddress""GetWindowTextA""OpenProcess"WriteProcessMemory""sq""CreateThread"
ReadProcessMemory"""Sleep"""GetCurrentProcessId
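As an added example (not the author's code), here is a C equivalent of the routine at 004018E0 as disassembled above, plus a helper that walks the NUL-separated table entry by entry so the recovered strings come out one per line instead of with '"' in place of every NUL. The sample bytes are the first 64 bytes of the table quoted above; function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: first 64 bytes of the crackme's string table as quoted
   above (three entries, NUL-padded). */
static const unsigned char SAMPLE[] =
    "\x7B\x4D\x57\x50\x02\x72\x43\x51\x51\x55\x4D\x50\x46\x02\x6B\x51"
    "\x02\x6B\x4C\x54\x43\x4E\x4B\x46\x03\x00\x00\x00\x7B\x4D\x57\x02"
    "\x43\x50\x47\x02\x74\x47\x50\x5B\x02\x6C\x60\x03\x00\x00\x00\x00"
    "\x49\x47\x50\x4C\x47\x4E\x11\x10\x0C\x46\x4E\x4E\x00\x00\x00\x00";

/* C equivalent of the routine at 004018E0: dst[i] = src[i] ^ 0x22, NUL-terminated,
   returns dst. The JL branch (len - 1 < 0) only writes dst[0] = 0. */
char *decrypt_string(char *dst, const char *src) {
    int len = (int)strlen(src), i;         /* lstrlenA */
    if (len - 1 < 0) { dst[0] = 0; return dst; }
    for (i = 0; i < len; i++)
        dst[i] = (char)(src[i] ^ 0x22);    /* XOR AL,22 */
    dst[len] = 0;                          /* MOV BYTE PTR [ESI+EBP],0 */
    return dst;
}

/* Walk a NUL-separated table of encrypted entries and decrypt each non-empty
   one into out[n] (entries of 64+ bytes are skipped). Returns the count, so
   the caller can print one string per line instead of '"' for every NUL. */
size_t decrypt_table(const unsigned char *tbl, size_t tbl_len,
                     char out[][64], size_t max_entries) {
    size_t n = 0, pos = 0;
    while (pos < tbl_len && n < max_entries) {
        size_t len = 0, i;
        if (tbl[pos] == 0) { pos++; continue; }   /* padding between entries */
        while (pos + len < tbl_len && tbl[pos + len] != 0) len++;
        if (len < 64) {
            for (i = 0; i < len; i++) out[n][i] = (char)(tbl[pos + i] ^ 0x22);
            out[n][len] = 0;
            n++;
        }
        pos += len;
    }
    return n;
}

int main(void) {
    char out[16][64];
    size_t i, n = decrypt_table(SAMPLE, sizeof(SAMPLE) - 1, out, 16);
    for (i = 0; i < n; i++) printf("%2u: %s\n", (unsigned)i, out[i]);
    return 0;
}
```

Feeding the full 208-byte table from the listing above into decrypt_table yields the API names (kernel32.dll, user32.dll, GetProcAddress, WriteProcessMemory, ...) cleanly separated, which is what the author's single-line dump shows with '"' between them.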