crackme-160
1. acid burn.exe
Our analysis approach is simple and brute-force: find the logic that decides the input is wrong, then jump over it.
It is easy to notice that after a wrong input a window pops up saying the input is wrong. That window comes from a Windows API function, MessageBox, defined in user32.dll.
So once the window has popped up, press F12 in x64dbg to pause the process, then use the call stack to find where MessageBox was called from.
In the call stack we find the MessageBox entry:
地址=0019F668
返回到=0042A1AE
返回自=776B4945
大小=3C
方=用户模块
注释=user32.MessageBoxA+45
Note that MessageBoxA is the implementation behind MessageBox; in Rust terms you can think of it as MessageBoxA implementing a MessageBox trait.
We go straight to the "return to" address, i.e. the place that called it:
0042A16D | C3 | ret |
0042A16E | 8BC0 | mov eax,eax |
0042A170 | 55 | push ebp |
0042A171 | 8BEC | mov ebp,esp |
0042A173 | 83C4 F4 | add esp,FFFFFFF4 |
0042A176 | 53 | push ebx |
0042A177 | 56 | push esi |
0042A178 | 57 | push edi |
0042A179 | 8BF9 | mov edi,ecx |
0042A17B | 8BF2 | mov esi,edx |
0042A17D | 8BD8 | mov ebx,eax |
0042A17F | E8 7CB4FDFF | call <JMP.&GetActiveWindow> |
0042A184 | 8945 F8 | mov dword ptr ss:[ebp-8],eax |
0042A187 | 33C0 | xor eax,eax |
0042A189 | E8 12A0FFFF | call acid burn.4241A0 |
0042A18E | 8945 F4 | mov dword ptr ss:[ebp-C],eax |
0042A191 | 33C0 | xor eax,eax |
0042A193 | 55 | push ebp |
0042A194 | 68 D0A14200 | push acid burn.42A1D0 |
0042A199 | 64:FF30 | push dword ptr fs:[eax] |
0042A19C | 64:8920 | mov dword ptr fs:[eax],esp |
0042A19F | 8B45 08 | mov eax,dword ptr ss:[ebp+8] |
0042A1A2 | 50 | push eax |
0042A1A3 | 57 | push edi |
0042A1A4 | 56 | push esi |
0042A1A5 | 8B43 24 | mov eax,dword ptr ds:[ebx+24] |
0042A1A8 | 50 | push eax |
0042A1A9 | E8 FAB5FDFF | call <JMP.&MessageBoxA> |
We read from the call <JMP.&MessageBoxA> at 0042A1A9 upward to the ret at 0042A16D (that ret is the return instruction of the previous function and has nothing to do with this one).
This block of assembly contains no branch-related logic, so we keep going up the call chain.
Set a breakpoint at 0042A1A9, another one at the first instruction of the function, 0042A170, and run the program again.
When execution stops at the function entry, we use the call stack once more to locate the caller:
地址=0019F6A4
返回到=0042FB37
返回自=0042A170
大小=38
方=用户模块
注释=acid burn.0042A170
We can see that the return address is 0042FB37, so we go straight there:
0042FA74 | jmp acid burn.42FB37 |
0042FA79 | lea edx,dword ptr ss:[ebp-10] | [ebp-10]:"Enter your serial here !"
0042FA7C | mov eax,dword ptr ds:[ebx+1DC] | eax:&"d稝", [ebx+1DC]:&"d稝"
0042FA82 | call acid burn.41AA58 |
0042FA87 | mov eax,dword ptr ss:[ebp-10] | [ebp-10]:"Enter your serial here !"
0042FA8A | movzx eax,byte ptr ds:[eax] | eax:&"d稝"
0042FA8D | imul dword ptr ds:[431750] |
0042FA93 | mov dword ptr ds:[431750],eax | eax:&"d稝"
0042FA98 | mov eax,dword ptr ds:[431750] | eax:&"d稝"
0042FA9D | add dword ptr ds:[431750],eax | eax:&"d稝"
0042FAA3 | lea eax,dword ptr ss:[ebp-4] | [ebp-04]:"CW"
0042FAA6 | mov edx,acid burn.42FBAC | edx:"Sorry , The serial is incorect !", 42FBAC:"CW"
0042FAAB | call acid burn.403708 |
0042FAB0 | lea eax,dword ptr ss:[ebp-8] | [ebp-08]:"CRACKED"
0042FAB3 | mov edx,acid burn.42FBB8 | edx:"Sorry , The serial is incorect !", 42FBB8:"CRACKED"
0042FAB8 | call acid burn.403708 |
0042FABD | push dword ptr ss:[ebp-4] | [ebp-04]:"CW"
0042FAC0 | push acid burn.42FBC8 |
0042FAC5 | lea edx,dword ptr ss:[ebp-18] | [ebp-18]:"6560"
0042FAC8 | mov eax,dword ptr ds:[431750] | eax:&"d稝"
0042FACD | call acid burn.406718 |
0042FAD2 | push dword ptr ss:[ebp-18] | [ebp-18]:"6560"
0042FAD5 | push acid burn.42FBC8 |
0042FADA | push dword ptr ss:[ebp-8] | [ebp-08]:"CRACKED"
0042FADD | lea eax,dword ptr ss:[ebp-C] | [ebp-0C]:"CW-6560-CRACKED"
0042FAE0 | mov edx,5 | edx:"Sorry , The serial is incorect !"
0042FAE5 | call acid burn.4039AC |
0042FAEA | lea edx,dword ptr ss:[ebp-10] | [ebp-10]:"Enter your serial here !"
0042FAED | mov eax,dword ptr ds:[ebx+1E0] | eax:&"d稝", [ebx+1E0]:&"d稝"
0042FAF3 | call acid burn.41AA58 |
0042FAF8 | mov edx,dword ptr ss:[ebp-10] | [ebp-10]:"Enter your serial here !"
0042FAFB | mov eax,dword ptr ss:[ebp-C] | [ebp-0C]:"CW-6560-CRACKED"
0042FAFE | call acid burn.4039FC |
0042FB03 | jne acid burn.42FB1F |
0042FB05 | push 0 |
0042FB07 | mov ecx,acid burn.42FBCC | ecx:"Try Again!", 42FBCC:"Congratz !!"
0042FB0C | mov edx,acid burn.42FBD8 | edx:"Sorry , The serial is incorect !", 42FBD8:"Good job dude =)"
0042FB11 | mov eax,dword ptr ds:[430A48] | eax:&"d稝"
0042FB16 | mov eax,dword ptr ds:[eax] | eax:&"d稝", [eax]:"d稝"
0042FB18 | call acid burn.42A170 |
0042FB1D | jmp acid burn.42FB37 |
0042FB1F | push 0 |
0042FB21 | mov ecx,acid burn.42FB74 | ecx:"Try Again!", 42FB74:"Try Again!"
0042FB26 | mov edx,acid burn.42FB80 | edx:"Sorry , The serial is incorect !", 42FB80:"Sorry , The serial is incorect !"
0042FB2B | mov eax,dword ptr ds:[430A48] | eax:&"d稝"
0042FB30 | mov eax,dword ptr ds:[eax] | eax:&"d稝", [eax]:"d稝"
0042FB32 | call acid burn.42A170 |
0042FB37 | xor eax,eax | eax:&"d稝"
We can see that 0042FB32 is the call to 42A170, and we have found the conditional jump:
0042FB03 | jne acid burn.42FB1F |
In assembly terms this means: if ZF=1 the jump is not taken; if ZF=0 it jumps to 42FB1F. At this point we can already guess that inverting jne to je will skip the failure logic. We try changing jne to je, and sure enough it passes.
0042FAFE | call acid burn.4039FC |
0042FB03 | jne acid burn.42FB1F |
We set a breakpoint at 0042FAFE, run the program once more, and look at the register values:
EAX : 02408980 "CW-8938-CRACKED"
EBX : 02404E94 &"d稝"
ECX : 298E508D
EDX : 02406604 "myservi"
EBP : 0019F6A8
ESP : 0019F67C
ESI : 00000A2F L'ਯ'
EDI : 02408C5C &"d稝"
EIP : 0042FAFE acid burn.0042FAFE
EFLAGS : 00000300 L'̀'
ZF : 0
OF : 0
CF : 0
PF : 0
SF : 0
TF : 1 L'ā'
AF : 0 L"IME"
DF : 0
IF : 1
We can see that EDX is the password we typed, while EAX holds a special string. We have good reason to guess that the correct password is that special string in EAX, derived from the name. So we try, without changing the name, copying the string from EAX into the password field, and it is indeed accepted.
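As an added example (not part of the original write-up), here is a Python model of the serial routine read off the listing between 0042FA79 and 0042FB03, plus the compare and jne that decide which message box is shown. The one assumption is the initial value of ds:[431750], which the listing never shows; both serials seen in the write-up ("CW-6560-CRACKED" for a name starting with 'P' and "CW-8938-CRACKED" for a name starting with 'm') are consistent with 41 (0x29), so that is used here.

```python
# Model of the acid burn.exe serial check, reconstructed from the x64dbg listing.
# Assumption (not shown on the page): ds:[431750] holds 41 before the imul.
SEED_431750 = 41
MASK32 = 0xFFFFFFFF


def expected_serial(name: str, seed: int = SEED_431750) -> str:
    """Rebuild the string the program builds into [ebp-C] and compares against."""
    if not name:
        raise ValueError("the crackme reads name[0]; an empty name is not modelled")
    # 0042FA8A  movzx eax, byte ptr [eax]   -> only the first byte of the name is used
    first = ord(name[0]) & 0xFF
    # 0042FA8D  imul dword ptr [431750]     -> edx:eax = eax * [431750]; only eax is stored
    value = (first * seed) & MASK32
    # 0042FA9D  add [431750], eax           -> the stored value is doubled
    value = (value + value) & MASK32
    # 0042FACD  call 406718 turns the number into decimal digits; 0042FAE5 (mov edx,5)
    # then concatenates five parts: "CW", "-", digits, "-", "CRACKED"
    return f"CW-{value}-CRACKED"


def serial_check(name: str, typed_serial: str) -> dict:
    """Model the compare at 0042FAFE and the jne at 0042FB03.

    Returns the flag state and the message each branch leads to, for the
    original jne and for the je patch described in the write-up.
    """
    zf = 1 if typed_serial == expected_serial(name) else 0
    return {
        "ZF": zf,
        # original: jne jumps to 0042FB1F ("Try Again!") when ZF=0
        "jne_taken": zf == 0,
        "original_message": "Try Again!" if zf == 0 else "Congratz !!",
        # patched: je jumps to the failure path when ZF=1, otherwise falls through
        "je_taken": zf == 1,
        "patched_message": "Congratz !!" if zf == 0 else "Try Again!",
    }
```

The patched dictionary shows why the je patch "passes": a wrong serial now falls through to the "Congratz !!" path, while the genuine serial would be rejected.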