OllyDbg笔记1-crackme3

2022-03-17  本文已影响0人  牵手生活

crackme3.exe部分注解


1:触发错误提示的函数

;-----------------------------------------------------------------------
; 00440EB0: the check routine (presumably a button handler - confirm in
; the debugger). Register-based convention: eax = object pointer on entry,
; kept in ebx for the whole routine. Stack slot [local.1] holds a string
; temp that starts as nil (0).
; Reads two controls, [ebx+0x2C4] and [ebx+0x2C8]; which is Name and which
; is Serial is inferred only from the message strings below.
; Both values are checked with the string compare at 00403B2C, which
; reports its result in the flags (ZF=1 means equal) - see the jnz after
; each call. The expected values are cleartext constants in the image,
; so this check is only an equality test against known strings.
;-----------------------------------------------------------------------
00440EB0  /.  55            push ebp
00440EB1  |.  8BEC          mov ebp,esp
00440EB3  |.  6A 00         push 0x0                                 ;  [local.1] = 0 (nil string temp)
00440EB5  |.  53            push ebx                                 ;  ebx is callee-preserved
00440EB6  |.  8BD8          mov ebx,eax                              ;  ebx = object pointer passed in eax
00440EB8  |.  33C0          xor eax,eax                              ;  eax = 0, used as fs:[0] below
00440EBA  |.  55            push ebp
00440EBB  |.  68 BA0F4400   push crackme3.00440FBA                   ;  handler address for the exception frame
00440EC0  |.  64:FF30       push dword ptr fs:[eax]                  ;  save previous fs:[0]
00440EC3  |.  64:8920       mov dword ptr fs:[eax],esp               ;  fs:[0] = this frame (install SEH record)
00440EC6  |.  8D55 FC       lea edx,[local.1]                        ;  edx = &local.1 (receives the text)
00440EC9  |.  8B83 C4020000 mov eax,dword ptr ds:[ebx+0x2C4]         ;  control presumed to be the Name box
00440ECF  |.  E8 4CFFFDFF   call crackme3.00420E20                   ;  read its text into [local.1] (callee not in this listing)
00440ED4  |.  837D FC 00    cmp [local.1],0x0                        ;  nil string = nothing entered
00440ED8  |.  75 18         jnz short crackme3.00440EF2              ;  non-empty: skip the warning
00440EDA  |.  6A 00         push 0x0
00440EDC  |.  B9 C80F4400   mov ecx,crackme3.00440FC8                ;  ASCII "No Name entered"
00440EE1  |.  BA D80F4400   mov edx,crackme3.00440FD8                ;  ASCII "Enter a Name!"
00440EE6  |.  A1 442C4400   mov eax,dword ptr ds:[0x442C44]          ;  eax = *[0x442C44] (global object, role not shown here)
00440EEB  |.  8B00          mov eax,dword ptr ds:[eax]
00440EED  |.  E8 76C1FFFF   call crackme3.0043D068                   ;  show the message (strings in ecx/edx); NOTE: no early return, falls through to the serial check
00440EF2  |>  8D55 FC       lea edx,[local.1]
00440EF5  |.  8B83 C8020000 mov eax,dword ptr ds:[ebx+0x2C8]         ;  control presumed to be the Serial box
00440EFB  |.  E8 20FFFDFF   call crackme3.00420E20                   ;  read its text into [local.1]
00440F00  |.  837D FC 00    cmp [local.1],0x0                        ;  nothing entered?
00440F04  |.  75 18         jnz short crackme3.00440F1E              ;  non-empty: skip the warning
00440F06  |.  6A 00         push 0x0
00440F08  |.  B9 E80F4400   mov ecx,crackme3.00440FE8                ;  ASCII "No Serial entered"
00440F0D  |.  BA FC0F4400   mov edx,crackme3.00440FFC                ;  ASCII "Enter a Serial!"
00440F12  |.  A1 442C4400   mov eax,dword ptr ds:[0x442C44]
00440F17  |.  8B00          mov eax,dword ptr ds:[eax]
00440F19  |.  E8 4AC1FFFF   call crackme3.0043D068                   ;  show the message; again falls through
00440F1E  |>  8D55 FC       lea edx,[local.1]
00440F21  |.  8B83 C4020000 mov eax,dword ptr ds:[ebx+0x2C4]         ;  re-read the Name text into [local.1]
00440F27  |.  E8 F4FEFDFF   call crackme3.00420E20
00440F2C  |.  8B45 FC       mov eax,[local.1]                        ;  eax = entered name (author's example: "CCDebuger")
00440F2F  |.  BA 14104400   mov edx,crackme3.00441014                ;  ASCII "Registered User" (expected name)
00440F34  |.  E8 F32BFCFF   call crackme3.00403B2C                   ;  string compare eax vs edx; result in flags (step in with F7)
00440F39  |.  75 51         jnz short crackme3.00440F8C              ;  ZF=0: names differ -> "Wrong Serial,try again!"
00440F3B  |.  8D55 FC       lea edx,[local.1]
00440F3E  |.  8B83 C8020000 mov eax,dword ptr ds:[ebx+0x2C8]         ;  re-read the Serial text into [local.1]
00440F44  |.  E8 D7FEFDFF   call crackme3.00420E20
00440F49  |.  8B45 FC       mov eax,[local.1]                        ;  eax = entered serial
00440F4C  |.  BA 2C104400   mov edx,crackme3.0044102C                ;  ASCII "GFX-754-IER-954" (expected serial, a fixed constant)
00440F51  |.  E8 D62BFCFF   call crackme3.00403B2C                   ;  same string compare as for the name (step in with F7)
00440F56  |.  75 1A         jnz short crackme3.00440F72              ;  ZF=0: serial differs -> "Wrong Serial,try again!"
00440F58  |.  6A 00         push 0x0
00440F5A  |.  B9 3C104400   mov ecx,crackme3.0044103C                ;  ASCII "CrackMe cracked successfully"
00440F5F  |.  BA 5C104400   mov edx,crackme3.0044105C                ;  ASCII "Congrats! You cracked this CrackMe!"
00440F64  |.  A1 442C4400   mov eax,dword ptr ds:[0x442C44]
00440F69  |.  8B00          mov eax,dword ptr ds:[eax]
00440F6B  |.  E8 F8C0FFFF   call crackme3.0043D068                   ;  success message
00440F70  |.  EB 32         jmp short crackme3.00440FA4              ;  common exit
00440F72  |>  6A 00         push 0x0                                 ;  serial mismatch path
00440F74  |.  B9 80104400   mov ecx,crackme3.00441080                ;  ASCII "Beggar off!"
00440F79  |.  BA 8C104400   mov edx,crackme3.0044108C                ;  ASCII "Wrong Serial,try again!"
00440F7E  |.  A1 442C4400   mov eax,dword ptr ds:[0x442C44]
00440F83  |.  8B00          mov eax,dword ptr ds:[eax]
00440F85  |.  E8 DEC0FFFF   call crackme3.0043D068                   ;  error dialog
00440F8A  |.  EB 18         jmp short crackme3.00440FA4              ;  common exit
00440F8C  |>  6A 00         push 0x0                                 ;  name mismatch path: identical dialog to the serial one
00440F8E  |.  B9 80104400   mov ecx,crackme3.00441080                ;  ASCII "Beggar off!"
00440F93  |.  BA 8C104400   mov edx,crackme3.0044108C                ;  ASCII "Wrong Serial,try again!"
00440F98  |.  A1 442C4400   mov eax,dword ptr ds:[0x442C44]
00440F9D  |.  8B00          mov eax,dword ptr ds:[eax]
00440F9F  |.  E8 C4C0FFFF   call crackme3.0043D068                   ;  error dialog
00440FA4  |>  33C0          xor eax,eax                              ;  common exit: eax = 0 for fs:[0]
00440FA6  |.  5A            pop edx                                  ;  edx = saved previous fs:[0]
00440FA7  |.  59            pop ecx                                  ;  discard handler address (00440FBA)
00440FA8  |.  59            pop ecx                                  ;  discard saved ebp
00440FA9  |.  64:8910       mov dword ptr fs:[eax],edx               ;  restore fs:[0] (uninstall SEH record)
00440FAC  |.  68 C10F4400   push crackme3.00440FC1                   ;  continuation address: the retn below goes there
00440FB1  |>  8D45 FC       lea eax,[local.1]                        ;  also reached from the handler path
00440FB4  |.  E8 E727FCFF   call crackme3.004037A0                   ;  finalize [local.1] (presumably string release - confirm)
00440FB9  \.  C3            retn                                     ;  jumps to 00440FC1 (ebx/ebp epilogue, not in this listing)



2:判断用户名和系列号使用的是同一个函数

;-----------------------------------------------------------------------
; 00403B2C: compare two length-prefixed strings (length dword at ptr-4,
; nil pointer = empty string). Register convention: eax = string A,
; edx = string B.
; Result is returned in the flags: ZF=1 iff the strings are equal; the
; callers at 00440F39 and 00440F56 test it with jnz. eax leaves holding a
; length-difference value the callers shown here ignore.
; Preserves ebx, esi, edi; clobbers eax, ecx, edx, flags.
; The same routine serves the serial check, so the serial is not derived
; from the name: it is a plain equality test against a constant.
;-----------------------------------------------------------------------
00403B2C  /$  53            push ebx                                 ;  save callee-preserved registers
00403B2D  |.  56            push esi
00403B2E  |.  57            push edi
00403B2F  |.  89C6          mov esi,eax                              ;  esi = A (the entered text)
00403B31  |.  89D7          mov edi,edx                              ;  edi = B (the constant, e.g. "Registered User")
00403B33  |.  39D0          cmp eax,edx                              ;  same pointer?
00403B35  |.  0F84 8F000000 je crackme3.00403BCA                     ;  identical object: exit with ZF=1
00403B3B  |.  85F6          test esi,esi                             ;  A nil (empty)?
00403B3D  |.  74 68         je short crackme3.00403BA7               ;  -> result is 0 - len(B)
00403B3F  |.  85FF          test edi,edi                             ;  B nil (empty)?
00403B41  |.  74 6B         je short crackme3.00403BAE               ;  -> result is len(A) - 0
00403B43  |.  8B46 FC       mov eax,dword ptr ds:[esi-0x4]           ;  eax = len(A)
00403B46  |.  8B57 FC       mov edx,dword ptr ds:[edi-0x4]           ;  edx = len(B)
00403B49  |.  29D0          sub eax,edx                              ;  eax = len(A) - len(B)
00403B4B  |.  77 02         ja short crackme3.00403B4F               ;  len(A) > len(B): edx (len(B)) is already the shorter length
00403B4D  |.  01C2          add edx,eax                              ;  otherwise edx = len(A); either way edx = min(len A, len B)
00403B4F  |>  52            push edx                                 ;  save min length for the byte tail below
00403B50  |.  C1EA 02       shr edx,0x2                              ;  edx = number of whole dwords to compare
00403B53  |.  74 26         je short crackme3.00403B7B               ;  fewer than 4 bytes in common: go straight to the byte tail
00403B55  |>  8B0E          /mov ecx,dword ptr ds:[esi]              ;  loop (unrolled x2): 4 bytes of A ...
00403B57  |.  8B1F          |mov ebx,dword ptr ds:[edi]              ;  ... against 4 bytes of B
00403B59  |.  39D9          |cmp ecx,ebx
00403B5B  |.  75 58         |jnz short crackme3.00403BB5             ;  dwords differ: find the differing byte (exits with ZF=0)
00403B5D  |.  4A            |dec edx
00403B5E  |.  74 15         |je short crackme3.00403B75              ;  that was the last dword: advance 4 and finish
00403B60  |.  8B4E 04       |mov ecx,dword ptr ds:[esi+0x4]          ;  second dword of the pair
00403B63  |.  8B5F 04       |mov ebx,dword ptr ds:[edi+0x4]
00403B66  |.  39D9          |cmp ecx,ebx
00403B68  |.  75 4B         |jnz short crackme3.00403BB5
00403B6A  |.  83C6 08       |add esi,0x8                             ;  advance both strings by two dwords
00403B6D  |.  83C7 08       |add edi,0x8
00403B70  |.  4A            |dec edx
00403B71  |.^ 75 E2         \jnz short crackme3.00403B55             ;  more dwords remain
00403B73  |.  EB 06         jmp short crackme3.00403B7B
00403B75  |>  83C6 04       add esi,0x4                              ;  single trailing dword consumed
00403B78  |.  83C7 04       add edi,0x4
00403B7B  |>  5A            pop edx                                  ;  edx = min length again
00403B7C  |.  83E2 03       and edx,0x3                              ;  edx = remaining 0..3 bytes
00403B7F  |.  74 22         je short crackme3.00403BA3               ;  none left: all compared bytes equal, decide on length
00403B81  |.  8B0E          mov ecx,dword ptr ds:[esi]               ;  dword loads; only the low edx bytes are examined
00403B83  |.  8B1F          mov ebx,dword ptr ds:[edi]
00403B85  |.  38D9          cmp cl,bl                                ;  byte 0
00403B87  |.  75 41         jnz short crackme3.00403BCA              ;  differ: exit with ZF=0
00403B89  |.  4A            dec edx
00403B8A  |.  74 17         je short crackme3.00403BA3
00403B8C  |.  38FD          cmp ch,bh                                ;  byte 1
00403B8E  |.  75 3A         jnz short crackme3.00403BCA
00403B90  |.  4A            dec edx
00403B91  |.  74 10         je short crackme3.00403BA3
00403B93  |.  81E3 0000FF00 and ebx,0xFF0000                         ;  isolate byte 2
00403B99  |.  81E1 0000FF00 and ecx,0xFF0000
00403B9F  |.  39D9          cmp ecx,ebx                              ;  byte 2
00403BA1  |.  75 27         jnz short crackme3.00403BCA
00403BA3  |>  01C0          add eax,eax                              ;  eax = 2*(len A - len B); ZF=1 iff lengths equal, i.e. strings equal
00403BA5  |.  EB 23         jmp short crackme3.00403BCA
00403BA7  |>  8B57 FC       mov edx,dword ptr ds:[edi-0x4]           ;  A nil: edx = len(B)
00403BAA  |.  29D0          sub eax,edx                              ;  eax = 0 - len(B); ZF=1 iff B is empty too
00403BAC  |.  EB 1C         jmp short crackme3.00403BCA
00403BAE  |>  8B46 FC       mov eax,dword ptr ds:[esi-0x4]           ;  B nil: eax = len(A)
00403BB1  |.  29D0          sub eax,edx                              ;  edx is 0 here; ZF=1 iff A is empty too
00403BB3  |.  EB 15         jmp short crackme3.00403BCA
00403BB5  |>  5A            pop edx                                  ;  mismatch path: discard the saved min length
00403BB6  |.  38D9          cmp cl,bl                                ;  locate the first differing byte of the dword ...
00403BB8  |.  75 10         jnz short crackme3.00403BCA
00403BBA  |.  38FD          cmp ch,bh
00403BBC  |.  75 0C         jnz short crackme3.00403BCA
00403BBE  |.  C1E9 10       shr ecx,0x10                             ;  move bytes 2..3 down
00403BC1  |.  C1EB 10       shr ebx,0x10
00403BC4  |.  38D9          cmp cl,bl
00403BC6  |.  75 02         jnz short crackme3.00403BCA
00403BC8  |.  38FD          cmp ch,bh                                ;  ... the last cmp leaves ZF=0 for the caller (dwords differed)
00403BCA  |>  5F            pop edi                                  ;  restore; pop/retn leave the flags untouched
00403BCB  |.  5E            pop esi
00403BCC  |.  5B            pop ebx
00403BCD  \.  C3            retn                                     ;  result in flags (ZF), eax = length-difference value


3:正确结果

用户:Registered User
系列号:GFX-754-IER-954

