

160 - 19 Brad Soblesky.2

發布時間:2023/12/1 编程问答 31 豆豆

環境:

windows xp sp3


工具:

OD,exeinfope


查殼:

用exeinfope查殼,發現沒有殼而且是vc編譯的


隨便輸入一個name和serial,name = "12345" serial = "678910"

彈出錯誤窗口,OD載入后直接搜索字符串,然后反匯編窗口跟隨

文本字串參考位于 Brad_Sob:.text 地址 反匯編 文本字串 0040157D push Brad_Sob.00404020 ASCII "CrackMe" 00401582 push Brad_Sob.00404028 ASCII "User Name must have at least 5 characters." 00401618 jmp XBrad_Sob.004015C7 (初始 CPU 選擇) 0040161E push Brad_Sob.00404054 ASCII "%lu" 00401669 mov esi,Brad_Sob.00404058 ASCII "Correct!! " 0040168E mov esi,Brad_Sob.00404078 ASCII "<BrD-SoB> " 004016B3 mov esi,Brad_Sob.00404098 ASCII "Incorrect!!, Try Again." 004016D1 mov esi,Brad_Sob.004040B0 ASCII "Correct way to go, You Got It." 004016F3 push Brad_Sob.004040D0 ASCII "CrackMe" 00401765 push Brad_Sob.004040D8 ASCII "CrackMe" 00401F75 push 0x10000 UNICODE "=::=::\"
這一次看上去好像很復雜,其實仔細一分析是挺簡單的


; OllyDbg listing of the check routine at 004014DF (32-bit x86, Intel syntax).
; Flow visible below: read Name and serial, require Name length >= 5, fold the
; Name into a 32-bit running value seeded with 0x81276345, format that value
; with "%lu", and compare the result with the entered serial.
; The expected serial is derived from the Name alone and is built inside the
; process immediately before the comparison.
; Locals: [local.4] running value, [local.5] Name, [local.6] entered serial,
;         [local.7] Name length, [local.8] loop index i, [local.9] formatted value.
; The MFC42 ordinals are imported by number only; the roles given for them are
; inferred from how they are used here and are marked "presumably".
004014DF /.  55            push ebp
004014E0 |.  8BEC          mov ebp,esp
004014E2 |.  6A FF         push -0x1
004014E4 |.  68 8F204000   push Brad_Sob.0040208F  ; SE handler installation
004014E9 |.  64:A1 0000000>mov eax,dword ptr fs:[0]
004014EF |.  50            push eax  ; previous fs:[0] value, restored at 004017B7
004014F0 |.  64:8925 00000>mov dword ptr fs:[0],esp
004014F7 |.  81EC B4010000 sub esp,0x1B4
004014FD |.  56            push esi
004014FE |.  57            push edi
004014FF |.  898D 40FEFFFF mov [local.112],ecx  ; save ecx; reloaded into ecx before the #3097/#4224 calls (presumably the dialog's this pointer)
00401505 |.  C745 F0 45632>mov [local.4],0x81276345  ; seed of the running value
0040150C |.  68 AC414000   push Brad_Sob.004041AC
00401511 |.  8D4D EC       lea ecx,[local.5]
00401514 |.  E8 77080000   call <jmp.&MFC42.#537>  ; presumably a string-object constructor; local.5 later receives Name
00401519 |.  C745 FC 00000>mov [local.1],0x0  ; [ebp-4] is stepped 0..4 and back to -1 around object setup/teardown (looks like compiler unwind bookkeeping)
00401520 |.  68 B0414000   push Brad_Sob.004041B0
00401525 |.  8D4D E8       lea ecx,[local.6]
00401528 |.  E8 63080000   call <jmp.&MFC42.#537>  ; local.6 later receives the entered serial
0040152D |.  C645 FC 01    mov byte ptr ss:[ebp-0x4],0x1
00401531 |.  68 B4414000   push Brad_Sob.004041B4
00401536 |.  8D4D DC       lea ecx,[local.9]
00401539 |.  E8 52080000   call <jmp.&MFC42.#537>  ; local.9 later receives the formatted value
0040153E |.  C645 FC 02    mov byte ptr ss:[ebp-0x4],0x2
00401542 |.  8D45 EC       lea eax,[local.5]
00401545 |.  50            push eax
00401546 |.  68 E8030000   push 0x3E8
0040154B |.  8B8D 40FEFFFF mov ecx,[local.112]
00401551 |.  E8 34080000   call <jmp.&MFC42.#3097>  ; read Name into local.5
00401556 |.  8D4D E8       lea ecx,[local.6]
00401559 |.  51            push ecx
0040155A |.  68 E9030000   push 0x3E9
0040155F |.  8B8D 40FEFFFF mov ecx,[local.112]
00401565 |.  E8 20080000   call <jmp.&MFC42.#3097>  ; read serial into local.6
0040156A |.  8D4D EC       lea ecx,[local.5]
0040156D |.  E8 DE020000   call Brad_Sob.00401850  ; get the length of Name
00401572 |.  8945 E4       mov [local.7],eax
00401575 |.  837D E4 05    cmp [local.7],0x5  ; Name (not the serial) must be at least 5 characters
00401579 |.  7D 43         jge XBrad_Sob.004015BE  ; signed compare; long enough -> start the loop
0040157B |.  6A 40         push 0x40
0040157D |.  68 20404000   push Brad_Sob.00404020  ; ASCII "CrackMe"
00401582 |.  68 28404000   push Brad_Sob.00404028  ; ASCII "User Name must have at least 5 characters."
00401587 |.  8B8D 40FEFFFF mov ecx,[local.112]
0040158D |.  E8 F2070000   call <jmp.&MFC42.#4224>  ; presumably a message box with the text/caption pushed above
00401592 |.  C645 FC 01    mov byte ptr ss:[ebp-0x4],0x1
00401596 |.  8D4D DC       lea ecx,[local.9]
00401599 |.  E8 C2070000   call <jmp.&MFC42.#800>  ; presumably the string-object destructor (local.9, then local.6, then local.5)
0040159E |.  C645 FC 00    mov byte ptr ss:[ebp-0x4],0x0
004015A2 |.  8D4D E8       lea ecx,[local.6]
004015A5 |.  E8 B6070000   call <jmp.&MFC42.#800>
004015AA |.  C745 FC FFFFF>mov [local.1],-0x1
004015B1 |.  8D4D EC       lea ecx,[local.5]
004015B4 |.  E8 A7070000   call <jmp.&MFC42.#800>
004015B9 |.  E9 F9010000   jmp Brad_Sob.004017B7  ; short Name: skip the check, go to the epilogue
004015BE |>  C745 E0 00000>mov [local.8],0x0  ; initialise, i starts at 0
004015C5 |.  EB 09         jmp XBrad_Sob.004015D0
004015C7 |>  8B55 E0       /mov edx,[local.8]
004015CA |.  83C2 01       |add edx,0x1
004015CD |.  8955 E0       |mov [local.8],edx  ; i = i + 1
004015D0 |>  8B45 E0       mov eax,[local.8]
004015D3 |.  3B45 E4       |cmp eax,[local.7]  ; iteration count is the Name length
004015D6 |.  7D 42         |jge XBrad_Sob.0040161A  ; leave the loop once i >= length
004015D8 |.  8B4D E0       |mov ecx,[local.8]
004015DB |.  51            |push ecx  ; index i
004015DC |.  8D4D EC       |lea ecx,[local.5]  ; Name
004015DF |.  E8 1C030000   |call Brad_Sob.00401900
004015E4 |.  0FBED0        |movsx edx,al  ; al is the i-th character of Name; sign-extended to 32 bits
004015E7 |.  8B45 F0       |mov eax,[local.4]
004015EA |.  03C2          |add eax,edx  ; running value += Name[i]
004015EC |.  8945 F0       |mov [local.4],eax
004015EF |.  8B4D E0       |mov ecx,[local.8]  ; i
004015F2 |.  C1E1 08       |shl ecx,0x8  ; i * 2^8
004015F5 |.  8B55 F0       |mov edx,[local.4]
004015F8 |.  33D1          |xor edx,ecx  ; running value ^= (i << 8)
004015FA |.  8955 F0       |mov [local.4],edx
004015FD |.  8B45 E0       |mov eax,[local.8]
00401600 |.  83C0 01       |add eax,0x1  ; i + 1
00401603 |.  8B4D E4       |mov ecx,[local.7]  ; Name length
00401606 |.  0FAF4D E0     |imul ecx,[local.8]  ; Name length * i
0040160A |.  F7D1          |not ecx  ; bitwise NOT
0040160C |.  0FAFC1        |imul eax,ecx  ; (i + 1) * ~(Name length * i)
0040160F |.  8B55 F0       |mov edx,[local.4]  ; running value
00401612 |.  0FAFD0        |imul edx,eax  ; running value *= that product, truncated to 32 bits
00401615 |.  8955 F0       |mov [local.4],edx
00401618 |.^ EB AD         \jmp XBrad_Sob.004015C7
0040161A |>  8B45 F0       mov eax,[local.4]
0040161D |.  50            push eax  ; final 32-bit value
0040161E |.  68 54404000   push Brad_Sob.00404054  ; ASCII "%lu" - unsigned long, printed in decimal (not octal)
00401623 |.  8D4D DC       lea ecx,[local.9]
00401626 |.  51            push ecx
00401627 |.  E8 52070000   call <jmp.&MFC42.#2818>  ; presumably a printf-style format into local.9
0040162C |.  83C4 0C       add esp,0xC  ; caller pops the three arguments; local.9 should now hold the expected serial text
0040162F |.  8D4D DC       lea ecx,[local.9]
00401632 |.  E8 79020000   call Brad_Sob.004018B0
00401637 |.  50            push eax  ; the expected serial
00401638 |.  8D4D E8       lea ecx,[local.6]  ; the entered serial
0040163B |.  E8 80020000   call Brad_Sob.004018C0  ; evidently the comparison
00401640 |.  85C0          test eax,eax
00401642 |.  0F85 FF000000 jnz Brad_Sob.00401747  ; nonzero -> the other message path at 00401747
00401648 |.  8D8D ACFEFFFF lea ecx,[local.85]
0040164E |.  E8 19070000   call <jmp.&MFC42.#540>  ; presumably an empty string-object constructor
00401653 |.  C645 FC 03    mov byte ptr ss:[ebp-0x4],0x3
00401657 |.  6A 66         push 0x66
00401659 |.  8D8D ACFEFFFF lea ecx,[local.85]
0040165F |.  E8 02070000   call <jmp.&MFC42.#4160>  ; presumably loads string resource 0x66 into local.85
00401664 |.  B9 07000000   mov ecx,0x7
00401669 |.  BE 58404000   mov esi,Brad_Sob.00404058  ; ASCII "Correct!! "
0040166E |.  8DBD 48FEFFFF lea edi,[local.110]  ; this and the next three copies fill stack buffers that are not read again in this listing
00401674 |.  F3:A5         rep movs dword ptr es:[edi],dword ptr ds:[esi]
00401676 |.  66:A5         movs word ptr es:[edi],word ptr ds:[esi]
00401678 |.  A4            movs byte ptr es:[edi],byte ptr ds:[esi]
00401679 |.  B9 11000000   mov ecx,0x11
0040167E |.  33C0          xor eax,eax
00401680 |.  8DBD 67FEFFFF lea edi,dword ptr ss:[ebp-0x199]
00401686 |.  F3:AB         rep stos dword ptr es:[edi]  ; zero-fill after the copied text
00401688 |.  AA            stos byte ptr es:[edi]
00401689 |.  B9 07000000   mov ecx,0x7
0040168E |.  BE 78404000   mov esi,Brad_Sob.00404078  ; ASCII "<BrD-SoB> "
00401693 |.  8DBD 14FFFFFF lea edi,[local.59]
00401699 |.  F3:A5         rep movs dword ptr es:[edi],dword ptr ds:[esi]
0040169B |.  66:A5         movs word ptr es:[edi],word ptr ds:[esi]
0040169D |.  B9 11000000   mov ecx,0x11
004016A2 |.  33C0          xor eax,eax
004016A4 |.  8DBD 32FFFFFF lea edi,dword ptr ss:[ebp-0xCE]
004016AA |.  F3:AB         rep stos dword ptr es:[edi]
004016AC |.  66:AB         stos word ptr es:[edi]
004016AE |.  B9 06000000   mov ecx,0x6
004016B3 |.  BE 98404000   mov esi,Brad_Sob.00404098  ; ASCII "Incorrect!!, Try Again."
004016B8 |.  8DBD 78FFFFFF lea edi,[local.34]
004016BE |.  F3:A5         rep movs dword ptr es:[edi],dword ptr ds:[esi]
004016C0 |.  B9 13000000   mov ecx,0x13
004016C5 |.  33C0          xor eax,eax
004016C7 |.  8D7D 90       lea edi,[local.28]
004016CA |.  F3:AB         rep stos dword ptr es:[edi]
004016CC |.  B9 07000000   mov ecx,0x7
004016D1 |.  BE B0404000   mov esi,Brad_Sob.004040B0  ; ASCII "Correct way to go, You Got It."
004016D6 |.  8DBD B0FEFFFF lea edi,[local.84]
004016DC |.  F3:A5         rep movs dword ptr es:[edi],dword ptr ds:[esi]
004016DE |.  66:A5         movs word ptr es:[edi],word ptr ds:[esi]
004016E0 |.  A4            movs byte ptr es:[edi],byte ptr ds:[esi]
004016E1 |.  B9 11000000   mov ecx,0x11
004016E6 |.  33C0          xor eax,eax
004016E8 |.  8DBD CFFEFFFF lea edi,dword ptr ss:[ebp-0x131]
004016EE |.  F3:AB         rep stos dword ptr es:[edi]
004016F0 |.  AA            stos byte ptr es:[edi]
004016F1 |.  6A 40         push 0x40
004016F3 |.  68 D0404000   push Brad_Sob.004040D0  ; ASCII "CrackMe"
004016F8 |.  8D8D ACFEFFFF lea ecx,[local.85]
004016FE |.  E8 AD010000   call Brad_Sob.004018B0  ; same helper that produced the text pointer at 00401632
00401703 |.  50            push eax
00401704 |.  8B8D 40FEFFFF mov ecx,[local.112]
0040170A |.  E8 75060000   call <jmp.&MFC42.#4224>  ; message box for the matching-serial path
0040170F |.  C645 FC 02    mov byte ptr ss:[ebp-0x4],0x2
00401713 |.  8D8D ACFEFFFF lea ecx,[local.85]
00401719 |.  E8 42060000   call <jmp.&MFC42.#800>  ; tear down local.85, local.9, local.6, local.5 in turn
0040171E |.  C645 FC 01    mov byte ptr ss:[ebp-0x4],0x1
00401722 |.  8D4D DC       lea ecx,[local.9]
00401725 |.  E8 36060000   call <jmp.&MFC42.#800>
0040172A |.  C645 FC 00    mov byte ptr ss:[ebp-0x4],0x0
0040172E |.  8D4D E8       lea ecx,[local.6]
00401731 |.  E8 2A060000   call <jmp.&MFC42.#800>
00401736 |.  C745 FC FFFFF>mov [local.1],-0x1
0040173D |.  8D4D EC       lea ecx,[local.5]
00401740 |.  E8 1B060000   call <jmp.&MFC42.#800>
00401745 |.  EB 70         jmp XBrad_Sob.004017B7
00401747 |>  8D8D 44FEFFFF lea ecx,[local.111]  ; reached when the comparison returned nonzero
0040174D |.  E8 1A060000   call <jmp.&MFC42.#540>
00401752 |.  C645 FC 04    mov byte ptr ss:[ebp-0x4],0x4
00401756 |.  6A 67         push 0x67
00401758 |.  8D8D 44FEFFFF lea ecx,[local.111]
0040175E |.  E8 03060000   call <jmp.&MFC42.#4160>  ; presumably loads string resource 0x67 into local.111
00401763 |.  6A 40         push 0x40
00401765 |.  68 D8404000   push Brad_Sob.004040D8  ; ASCII "CrackMe"
0040176A |.  8D8D 44FEFFFF lea ecx,[local.111]
00401770 |.  E8 3B010000   call Brad_Sob.004018B0
00401775 |.  50            push eax
00401776 |.  8B8D 40FEFFFF mov ecx,[local.112]
0040177C |.  E8 03060000   call <jmp.&MFC42.#4224>  ; message box for the mismatch path
00401781 |.  C645 FC 02    mov byte ptr ss:[ebp-0x4],0x2
00401785 |.  8D8D 44FEFFFF lea ecx,[local.111]
0040178B |.  E8 D0050000   call <jmp.&MFC42.#800>
00401790 |.  C645 FC 01    mov byte ptr ss:[ebp-0x4],0x1
00401794 |.  8D4D DC       lea ecx,[local.9]
00401797 |.  E8 C4050000   call <jmp.&MFC42.#800>
0040179C |.  C645 FC 00    mov byte ptr ss:[ebp-0x4],0x0
004017A0 |.  8D4D E8       lea ecx,[local.6]
004017A3 |.  E8 B8050000   call <jmp.&MFC42.#800>
004017A8 |.  C745 FC FFFFF>mov [local.1],-0x1
004017AF |.  8D4D EC       lea ecx,[local.5]
004017B2 |.  E8 A9050000   call <jmp.&MFC42.#800>
004017B7 |>  8B4D F4       mov ecx,[local.3]  ; common exit: the fs:[0] value saved in the prologue
004017BA |.  64:890D 00000>mov dword ptr fs:[0],ecx  ; unlink this function's SEH frame
004017C1 |.  5F            pop edi
004017C2 |.  5E            pop esi
004017C3 |.  8BE5          mov esp,ebp
004017C5 |.  5D            pop ebp
004017C6 \.  C3            retn
算法的主要思路是根據輸入的Name算出一個32位的值,然后用"%lu"把這個值格式化成無符號十進制字符串(%lu是十進制,不是8進制),這個字符串就是serial。

具體的算法上面已經分析出。

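/*
 * Serial derivation recovered from the loop at 004015C7-00401618.
 *
 * var      - the running value kept at [local.4]; it must be declared by the
 *            surrounding code as an unsigned integer type of at least 32 bits
 *            so that the multiplications wrap instead of overflowing.
 * name     - the entered Name; name_len is its length (the program requires
 *            at least 5 characters).
 */
var = 0x81276345;
for (int i = 0; i < name_len; i++) {
    /* movsx edx,al: the character is sign-extended before it is added,
       whatever the signedness of plain char on the build platform. */
    var += (signed char)name[i];

    /* shl ecx,8 / xor */
    var ^= (unsigned int)i << 8;

    /* ~(name_len * i) * (i + 1), done in unsigned arithmetic so the wrap
       matches the 32-bit imul and no signed overflow can occur. */
    unsigned int t = ~((unsigned int)name_len * (unsigned int)i);
    t *= (unsigned int)i + 1u;
    var *= t;
}
/* "%lu" prints unsigned DECIMAL. The program only ever holds 32 bits, so the
   value is masked before printing; without the mask a 64-bit unsigned long
   would print extra high bits. */
printf("%lu\n", (unsigned long)(var & 0xFFFFFFFFu));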
