具体做法.txt
Cracking a simple CrackMe:
I. Unpacking
1. Identify the packer: checking with PEiD shows the packer is:
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
2. Manual unpacking:
UPX is a simple compression packer and can be unpacked by hand. Use the ESP law to find the OEP:
open OD, load the program, set a hardware breakpoint HW 0012FFC0; this gives OEP=00401000
3. Dump the memory image:
Open LordPE, select the process to unpack, dump the full process image and save it as dump.exe;
4. Repair the IAT:
Open ImportREC, enter the OEP, auto-search the IAT; this gives IAT Address:00001FFC, size:00000040
Click Fix Dump; the resulting dump_.exe is the unpacked original program; rename it to unpacked.exe;
(A PEiD plugin can also unpack it automatically)
II. Cracking
Platform: OllyDbg1.1+WinXP_SP2
1. Run the unpacked program unpacked.exe and get familiar with the interface; it is a fairly simple username/serial (UN-SN) scheme;
2. Load unpacked.exe in OD and try the simplest API breakpoints. Searching finds a suspicious GetDlgItemText;
searching all intermodular calls shows, luckily, only two call sites, so set breakpoints on every GetDlgItemText call.
The program breaks at 004010E2:
;username addr: 004034B0
;serial addr: 00403190
004010D3 6A 50 PUSH 50
004010D5 68 B0344000 PUSH unpacked.004034B0 ; ASCII "bj20080808"
004010DA 68 DE000000 PUSH 0DE
004010DF FF75 08 PUSH DWORD PTR SS:[EBP+8]
004010E2 E8 43020000 CALL <JMP.&USER32.GetDlgItemTextA> ;get the username
004010E7 83F8 05 CMP EAX,5 ;check the username length
004010EA 7D 26 JGE SHORT unpacked.00401112 ;if length>=5, jump to L1
004010EC B8 66354000 MOV EAX,unpacked.00403566
004010F1 E8 05020000 CALL unpacked.004012FB
004010F6 6A 40 PUSH 40
004010F8 68 52354000 PUSH unpacked.00403552 ; ASCII "TSRh CrackMe *Easy*"
004010FD 68 00304000 PUSH unpacked.00403000 ; ASCII "Invalid Serial!"
00401102 6A 00 PUSH 0
00401104 E8 27020000 CALL <JMP.&USER32.MessageBoxA>
00401109 33C0 XOR EAX,EAX
0040110B 5E POP ESI
0040110C 5F POP EDI
0040110D 5B POP EBX
0040110E C9 LEAVE
0040110F C2 1000 RETN 10
;;;;;;;;;;;;L1:
00401112 E8 DC000000 CALL unpacked.004011F3 ;call procedure 1
00401117 6A 50 PUSH 50
00401119 68 90314000 PUSH unpacked.00403190 ; ASCII "2008"
0040111E 68 4D010000 PUSH 14D
00401123 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401126 E8 FF010000 CALL <JMP.&USER32.GetDlgItemTextA> ;then get the serial
0040112B A1 90314000 MOV EAX,DWORD PTR DS:[403190] ;load the first 4 bytes
00401130 3D 74737268 CMP EAX,68727374 ;check whether the prefix is tsrh
00401135 75 23 JNZ SHORT unpacked.0040115A ;if not, jump to L2, registration fails!!
00401137 05 20320000 ADD EAX,3220 ;eax = eax + 0x3220
0040113C 50 PUSH EAX ;
0040113D 33C0 XOR EAX,EAX ;eax=0
0040113F E8 EA000000 CALL unpacked.0040122E ;call procedure 2
00401144 58 POP EAX ;
00401145 85C0 TEST EAX,EAX ;check whether EAX is 0
00401147 74 11 JE SHORT unpacked.0040115A ;if EAX==0, registration fails!!
00401149 33C2 XOR EAX,EDX ;eax = eax ^ edx
0040114B 8BD0 MOV EDX,EAX ;edx = eax
0040114D 8BF0 MOV ESI,EAX ;esi = eax
0040114F 33C0 XOR EAX,EAX ;eax = 0
00401151 E8 31010000 CALL unpacked.00401287 ;call procedure 3
00401156 84C0 TEST AL,AL ;check whether al is 0
00401158 75 1F JNZ SHORT unpacked.00401179 ;if nonzero, registration succeeds!!
;;;;;;;;;;;;L2: failure path
0040115A B8 85354000 MOV EAX,unpacked.00403585
0040115F E8 97010000 CALL unpacked.004012FB
00401164 6A 10 PUSH 10
00401166 68 52354000 PUSH unpacked.00403552 ; ASCII "TSRh CrackMe *Easy*"
0040116B 68 00304000 PUSH unpacked.00403000 ; ASCII "Invalid Serial!"
00401170 6A 00 PUSH 0
00401172 E8 B9010000 CALL <JMP.&USER32.MessageBoxA>
00401177 EB 1D JMP SHORT unpacked.00401196
;;;;;;;;;;;;L3: success path
00401179 B8 95354000 MOV EAX,unpacked.00403595
0040117E E8 78010000 CALL unpacked.004012FB
00401183 6A 40 PUSH 40
00401185 68 52354000 PUSH unpacked.00403552 ; ASCII "TSRh CrackMe *Easy*"
0040118A 68 00304000 PUSH unpacked.00403000 ; ASCII "Invalid Serial!"
0040118F 6A 00 PUSH 0
00401191 E8 9A010000 CALL <JMP.&USER32.MessageBoxA>
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
00401196 EB 52 JMP SHORT unpacked.004011EA ;jump to L4
00401198 817D 10 0903000>CMP DWORD PTR SS:[EBP+10],309
0040119F 75 17 JNZ SHORT unpacked.004011B8
004011A1 6A 00 PUSH 0
004011A3 6A 00 PUSH 0
004011A5 6A 00 PUSH 0
004011A7 68 24354000 PUSH unpacked.00403524 ; ASCII "http://zor.org/tsrh"
004011AC 6A 00 PUSH 0
004011AE FF75 08 PUSH DWORD PTR SS:[EBP+8]
004011B1 E8 A4010000 CALL <JMP.&SHELL32.ShellExecuteA>
004011B6 EB 32 JMP SHORT unpacked.004011EA
004011B8 817D 10 7803000>CMP DWORD PTR SS:[EBP+10],378
004011BF 75 17 JNZ SHORT unpacked.004011D8
004011C1 6A 00 PUSH 0
004011C3 6A 00 PUSH 0
004011C5 6A 00 PUSH 0
004011C7 68 38354000 PUSH unpacked.00403538 ; ASCII "mailto:tsrh@tsrh-mail.net"
004011CC 6A 00 PUSH 0
004011CE FF75 08 PUSH DWORD PTR SS:[EBP+8]
004011D1 E8 84010000 CALL <JMP.&SHELL32.ShellExecuteA>
004011D6 EB 12 JMP SHORT unpacked.004011EA
004011D8 817D 10 BC01000>CMP DWORD PTR SS:[EBP+10],1BC
004011DF 75 09 JNZ SHORT unpacked.004011EA
004011E1 53 PUSH EBX
004011E2 FF75 08 PUSH DWORD PTR SS:[EBP+8]
004011E5 E8 3A010000 CALL <JMP.&USER32.EndDialog>
;;;;;;;;;;;;L4
004011EA 33C0 XOR EAX,EAX
004011EC 5E POP ESI
004011ED 5F POP EDI
004011EE 5B POP EBX
004011EF C9 LEAVE ;leave = (mov esp,ebp / pop ebp)
004011F0 C2 1000 RETN 10
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>;procedure 1, computes the registration number
004011F3 A3 14354000 MOV DWORD PTR DS:[403514],EAX ;DS:[403514] = username length
004011F8 BF D3070000 MOV EDI,7D3 ;EDI = 7D3
004011FD 033D 14354000 ADD EDI,DWORD PTR DS:[403514] ;EDI = EDI + username length
00401203 57 PUSH EDI ;save EDI
00401204 68 1B354000 PUSH unpacked.0040351B ; ASCII "tsrh-%d-"
00401209 68 20334000 PUSH unpacked.00403320 ; ASCII "tsrh-2013-"
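The usual way to confirm a reading of a listing like this is to transliterate the visible part into C and check it against values seen in the debugger. The following is an added example, not code from the write-up or the CrackMe: it models only what the listing shows (the length check, the 4-byte prefix compare, the ADD EAX,3220, and procedure 1's "tsrh-%d-" prefix), since procedures 2 and 3 are not on the page. The enum and function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the part of the check that the listing above shows. */
enum stage { FAIL_LEN = 1, FAIL_PREFIX = 2, PASS_TO_PROC2 = 3 };

/* Decode an x86 32-bit immediate into the ASCII bytes it matches in memory.
 * CMP EAX,68727374 compares against a DWORD loaded from the serial buffer; x86
 * is little-endian, so in byte order that DWORD is the string "tsrh". */
void imm32_to_ascii(uint32_t imm, char out[5])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((imm >> (8 * i)) & 0xFF);
    out[4] = '\0';
}

/* Model of procedure 1 (004011F3 onward): EDI = 0x7D3 + strlen(username), then
 * the visible sprintf of "tsrh-%d-". Returns EDI; the formatted text goes to buf.
 * For the username "bj20080808" (10 chars) this gives 2013 and "tsrh-2013-",
 * matching the leftover string OD shows at 00403320. */
uint32_t proc1_prefix(const char *user, char *buf, size_t n)
{
    uint32_t edi = 0x7D3 + (uint32_t)strlen(user);
    snprintf(buf, n, "tsrh-%d-", (int)edi);
    return edi;
}

/* Model of 004010E2..00401137: length check, 4-byte prefix compare, ADD 3220.
 * *eax_out receives the EAX value pushed for procedure 2 when the prefix passes. */
enum stage check_visible(const char *user, const char *serial, uint32_t *eax_out)
{
    char sn[0x50] = {0};                    /* GetDlgItemTextA buffer, size 0x50 */
    uint32_t eax;
    if (strlen(user) < 5)                   /* CMP EAX,5 / JGE: fewer than 5 chars fails */
        return FAIL_LEN;
    strncpy(sn, serial, sizeof sn - 1);
    memcpy(&eax, sn, 4);                    /* MOV EAX,DWORD PTR DS:[403190] */
    if (eax != 0x68727374u)                 /* CMP EAX,68727374 / JNZ -> L2 */
        return FAIL_PREFIX;
    *eax_out = eax + 0x3220;                /* ADD EAX,3220, then PUSH EAX for procedure 2 */
    return PASS_TO_PROC2;
}
```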