Ruhua.CrackMe研究了几天....要求输入帐号密码随意输入后提示错误。载入OD主线任务00401410.53pushebx00401411.55pushebp00401412.56pushe

Ruhua.CrackMe

研究了几天....

要求输入帐号密码

随意输入后提示错误。

载入 OD 主线任务

00401410 . 53 push ebx

00401411 . 55 push ebp

00401412 . 56 push esi

00401413 . 57 push edi

00401414 . 8BF9 mov edi,ecx

00401416 . 6A 01 push 0x1

00401418 . E8 93030000 call <jmp.&MFC42.#823> ; 分配内存

0040141D . 83C4 04 add esp,0x4

00401420 . 85C0 test eax,eax

00401422 . 74 07 je Xruhua.0040142B ; eax

00401424 . C600 18 mov byte ptr ds:[eax],0x18 ; eax为一个堆地址 [eax]=18

00401427 . 8BD8 mov ebx,eax ; 移栈

00401429 . EB 02 jmp Xruhua.0040142D

0040142B > 33DB xor ebx,ebx

0040142D > 6A 01 push 0x1

0040142F . E8 7C030000 call <jmp.&MFC42.#823>

00401434 . 83C4 04 add esp,0x4

00401437 . 85C0 test eax,eax

00401439 . 74 07 je Xruhua.00401442

0040143B . C600 18 mov byte ptr ds:[eax],0x18

0040143E . 8BF0 mov esi,eax

00401440 . EB 02 jmp Xruhua.00401444

00401442 > 33F6 xor esi,esi

00401444 > 6A 14 push 0x14

00401446 . 53 push ebx

00401447 . 8D8F A0000000 lea ecx,dword ptr ds:[edi+0xA0]

0040144D . E8 58030000 call <jmp.&MFC42.#3873> ; GetDlgItemText 获取帐号

00401452 . 6A 14 push 0x14

00401454 . 56 push esi

00401455 . 8D4F 60 lea ecx,dword ptr ds:[edi+0x60]

00401458 . E8 4D030000 call <jmp.&MFC42.#3873> ; GetDlgItemText 获取密码

0040145D . 8BFB mov edi,ebx

0040145F . 83C9 FF or ecx,0xFFFFFFFF

00401462 . 33C0 xor eax,eax

00401464 . F2:AE repne scas byte ptr es:[edi] ; 串搜索

00401466 . F7D1 not ecx

00401468 . 49 dec ecx ; ecx = 6

00401469 . 8BFE mov edi,esi

0040146B . 8BE9 mov ebp,ecx ; 帐号

0040146D . 83C9 FF or ecx,0xFFFFFFFF

00401470 . F2:AE repne scas byte ptr es:[edi]

00401472 . F7D1 not ecx

00401474 . 49 dec ecx

00401475 . 83FD 0A cmp ebp,0xA ; 帐号长度＞10 结束

00401478 . 77 60 ja Xruhua.004014DA

0040147A . 83F9 0A cmp ecx,0xA ; 密码长度＞10 结束

0040147D . 77 5B ja Xruhua.004014DA

0040147F . 53 push ebx

00401480 . E8 7B000000 call ruhua.00401500 ; 账户每个元素 xor 3 - 0x14

00401485 . 56 push esi

00401486 . E8 A5000000 call ruhua.00401530 ; 密码每个元素 add 2 xor 0x10

0040148B . 83C4 08 add esp,0x8

0040148E > 8A0B mov cl,byte ptr ds:[ebx] ; cl存加密后的账户

00401490 . 8A16 mov dl,byte ptr ds:[esi] ; dl 存加密后的密码

00401492 . 8AC1 mov al,cl

00401494 . 3ACA cmp cl,dl

00401496 75 1E jnz Xruhua.004014B6 ; 关键跳

00401498 . 84C0 test al,al

0040149A . 74 16 je Xruhua.004014B2 ; al = 0 跳

0040149C . 8A53 01 mov dl,byte ptr ds:[ebx+0x1]

0040149F . 8A4E 01 mov cl,byte ptr ds:[esi+0x1]

004014A2 . 8AC2 mov al,dl

004014A4 . 3AD1 cmp dl,cl

004014A6 . 75 0E jnz Xruhua.004014B6

004014A8 . 83C3 02 add ebx,0x2

004014AB . 83C6 02 add esi,0x2

004014AE . 84C0 test al,al ; al = 0

004014B0 ^ 75 DC jnz Xruhua.0040148E ; while

004014B2 > 33C0 xor eax,eax

004014B4 . EB 05 jmp Xruhua.004014BB

004014B6 > 1BC0 sbb eax,eax

004014B8 . 83D8 FF sbb eax,-0x1

004014BB > 85C0 test eax,eax ; eax=0?

004014BD 75 1B jnz Xruhua.004014DA ; ZF = 0

004014BF . 85ED test ebp,ebp

004014C1 74 17 je Xruhua.004014DA

004014C3 . 50 push eax ; /Style

004014C4 . 68 50304000 push ruhua.00403050 ; |Ok

004014C9 . 68 2C304000 push ruhua.0040302C ; |Congratulations!This is the key!

004014CE . 50 push eax ; |hOwner

004014CF . FF15 D8214000 call dword ptr ds:[<&USER32.MessageBoxA>>; /MessageBoxA

004014D5 . 5F pop edi

004014D6 . 5E pop esi

004014D7 . 5D pop ebp

004014D8 . 5B pop ebx

004014D9 . C3 retn

004014DA > 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL

004014DC . 68 28304000 push ruhua.00403028 ; |Msg

004014E1 . 68 20304000 push ruhua.00403020 ; |Wrong!

004014E6 . 6A 00 push 0x0 ; |hOwner = NULL

004014E8 . FF15 D8214000 call dword ptr ds:[<&USER32.MessageBoxA>>; /MessageBoxA

004014EE . 5F pop edi

004014EF . 5E pop esi

004014F0 . 5D pop ebp

004014F1 . 5B pop ebx

004014F2 . C3 retn

基本流程就是输入帐号密码，进入帐号加密子程序，进入密码加密子程序

上图是帐号密码的子程序

上图为帐号加密过程

上图为密码加密过程

这一段比较模糊，不是很懂,最后翻看IDA 最后得知是strcmp()操作，也即将原来加密后的帐号与加密后的密码进行比较，若相同则OK.

IDA XX后的代码，果然是最强王者级别逆向工具。

int __thiscall sub_401410(void *this)

{

void *v1; // edi@1

int v2; // eax@1

char *v3; // ebx@2

int v4; // eax@4

char *v5; // esi@5

unsigned int v6; // kr04_4@7

unsigned int v7; // kr0C_4@7

int result; // eax@11

v1 = this;

v2 = operator new();

if ( v2 )

{

*(_BYTE *)v2 = 24;

v3 = (char *)v2;

}

else

{

v3 = 0;

}

v4 = operator new();

if ( v4 )

{

*(_BYTE *)v4 = 24;

v5 = (char *)v4;

}

else

{

v5 = 0;

}

CWnd::GetWindowTextA((CWnd *)((char *)v1 + 160), v3, 20);

CWnd::GetWindowTextA((CWnd *)((char *)v1 + 96), v5, 20);

v6 = strlen(v3) + 1; // v6 帐号

// v7 密码

v7 = strlen(v5) + 1;

if ( v6 - 1 > 0xA || v7 - 1 > 0xA || (sub_401500(v3), sub_401530(v5), strcmp(v3, v5)) || v6 == 1 )

result = MessageBoxA(0, "Wrong!", "Msg", 0);

else

result = MessageBoxA(0, "Congratulations!This is the key!", "Ok", 0);

return result;

}

目录CONTENT

Ruhua.CrackMe

Ruhua.CrackMe

载入 OD 主线任务

评论区