Alt 04.01.09, 17:29   #6 (permalink)
CoRe0153
 

1. Crackme in Olly laden
2. Search for -> All intermodular calls
3. Breakpoint bei fgets (liest die Eingabe in das EAX-Register ein)
4. Run program (F9)

Code:
;  Entry routine at 004010F0 (OllyDbg listing, 32-bit cdecl, MSVCR90D = debug CRT).
;  Locals: [EBP-64] = input buffer filled by fgets (limit 99 chars),
;          [EBP-68] = result returned by the check routine,
;          [EBP-AC] = pointer to the message string printed at the end.
;  Returns 0 in EAX.
004010F0  /> 55             PUSH EBP
004010F1  |. 8BEC           MOV EBP,ESP
004010F3  |. 81EC AC000000  SUB ESP,0AC                              ;  0xAC = 172 bytes of locals
004010F9  |. 53             PUSH EBX
004010FA  |. 56             PUSH ESI
004010FB  |. 57             PUSH EDI
004010FC  |. C745 98 000000>MOV DWORD PTR SS:[EBP-68],0              ;  result = 0
00401103  |. 68 44574000    PUSH crackme_.00405744                   ; /format = "password:"
00401108  |. FF15 D0824000  CALL DWORD PTR DS:[<&MSVCR90D.printf>]   ; \printf
0040110E  |. 83C4 04        ADD ESP,4
00401111  |. FF15 D4824000  CALL DWORD PTR DS:[<&MSVCR90D.__iob_func>;  MSVCR90D.__p__iob -> EAX = &_iob[0], presumably stdin (confirm)
00401117  |. 50             PUSH EAX                                 ; /stream
00401118  |. 6A 63          PUSH 63                                  ; |n = 63 (99.)
0040111A  |. 8D45 9C        LEA EAX,DWORD PTR SS:[EBP-64]            ; |EAX = buf
0040111D  |. 50             PUSH EAX                                 ; |s
0040111E  |. FF15 D8824000  CALL DWORD PTR DS:[<&MSVCR90D.fgets>]    ; \fgets(buf, 99, stream): the input lands in buf at [EBP-64]; return value is not checked
00401124  |. 83C4 0C        ADD ESP,0C
00401127  |. 8D45 9C        LEA EAX,DWORD PTR SS:[EBP-64]
0040112A  |. 50             PUSH EAX                                 ; /s
0040112B  |. E8 8C000000    CALL <JMP.&MSVCR90D.strlen>              ; \strlen -> EAX = length of the input
00401130  |. 83C4 04        ADD ESP,4
00401133  |. C64405 9B 00   MOV BYTE PTR SS:[EBP+EAX-65],0           ;  buf[len-1] = 0: drops the trailing newline kept by fgets (len == 0 would hit EBP-65, the top byte of [EBP-68])
00401138  |. 8D45 9C        LEA EAX,DWORD PTR SS:[EBP-64]
0040113B  |. 50             PUSH EAX                                 ;  arg = buf
0040113C  |. E8 C4FEFFFF    CALL crackme_.00401005                   ;  check routine (00401005 is presumably a thunk to 00401020 listed below) -> step into it with F7
00401141  |. 83C4 04        ADD ESP,4
00401144  |. 8945 98        MOV DWORD PTR SS:[EBP-68],EAX            ;  result = check(buf)
00401147  |. 837D 98 00     CMP DWORD PTR SS:[EBP-68],0
0040114B  |. 74 0C          JE SHORT crackme_.00401159               ;  result == 0 -> "falsch"
0040114D  |. C785 54FFFFFF >MOV DWORD PTR SS:[EBP-AC],crackme_.00405>;  ASCII "ok"
00401157  |. EB 0A          JMP SHORT crackme_.00401163
00401159  |> C785 54FFFFFF >MOV DWORD PTR SS:[EBP-AC],crackme_.00405>;  ASCII "falsch" (German for "wrong")
00401163  |> 8B85 54FFFFFF  MOV EAX,DWORD PTR SS:[EBP-AC]            ;  EAX = message pointer
00401169  |. 50             PUSH EAX                                 ; /<%s>
0040116A  |. 68 28574000    PUSH crackme_.00405728                   ; |format = "Password %s\n"
0040116F  |. FF15 D0824000  CALL DWORD PTR DS:[<&MSVCR90D.printf>]   ; \printf
00401175  |. 83C4 08        ADD ESP,8
00401178  |. 68 20574000    PUSH crackme_.00405720                   ; /command = "pause"
0040117D  |. FF15 DC824000  CALL DWORD PTR DS:[<&MSVCR90D.system>]   ; \system("pause") keeps the console window open
00401183  |. 83C4 04        ADD ESP,4
00401186  |. 33C0           XOR EAX,EAX                              ;  return 0
00401188  |. 5F             POP EDI
00401189  |. 5E             POP ESI
0040118A  |. 5B             POP EBX
0040118B  |. 8BE5           MOV ESP,EBP
0040118D  |. 5D             POP EBP
0040118E  \. C3             RETN


;  Check routine at 00401020: int check(const char *s), cdecl, s at [EBP+8].
;  Locals: [EBP-4] = result flag (0/1), [EBP-C] = value returned by atoi(),
;          [EBP-8] = 4-byte scratch string built from s[3], s[5], s[7] plus terminator.
;  Returns 1 in EAX only if every test below passes, otherwise 0.
00401020  /> 55             PUSH EBP
00401021  |. 8BEC           MOV EBP,ESP
00401023  |. 83EC 4C        SUB ESP,4C                               ;  0x4C = 76 bytes of locals
00401026  |. 53             PUSH EBX
00401027  |. 56             PUSH ESI
00401028  |. 57             PUSH EDI
00401029  |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0               ;  result = 0 (fail unless all tests pass)
00401030  |. C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0               ;  value = 0
00401037  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]             ;  EAX = s
0040103A  |. 50             PUSH EAX                                 ; /s
0040103B  |. E8 7C010000    CALL <JMP.&MSVCR90D.strlen>              ; \strlen
00401040  |. 83C4 04        ADD ESP,4
00401043  |. 83F8 0A        CMP EAX,0A                               ;  test 1: length must be exactly 10 characters
00401046  |. 75 72          JNZ SHORT crackme_.004010BA              ;  -> return 0
00401048  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
0040104B  |. 0FBE48 09      MOVSX ECX,BYTE PTR DS:[EAX+9]            ;  ECX = s[9], the 10th character (sign-extended)
0040104F  |. 83F9 78        CMP ECX,78                               ;  test 2: 10th character == 0x78 'x'?
00401052  |. 74 18          JE SHORT crackme_.0040106C
00401054  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
00401057  |. 0FBE48 09      MOVSX ECX,BYTE PTR DS:[EAX+9]
0040105B  |. 83F9 79        CMP ECX,79                               ;  ... or == 0x79 'y'?
0040105E  |. 74 0C          JE SHORT crackme_.0040106C
00401060  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
00401063  |. 0FBE48 09      MOVSX ECX,BYTE PTR DS:[EAX+9]
00401067  |. 83F9 7A        CMP ECX,7A                               ;  ... or == 0x7A 'z'?
0040106A  |. 75 4E          JNZ SHORT crackme_.004010BA              ;  none of x/y/z -> return 0
0040106C  |> 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]             ;  test 3: build tmp = { s[3], s[5], s[7], 0 }
0040106F  |. 8A48 03        MOV CL,BYTE PTR DS:[EAX+3]               ;  CL = s[3] (4th character)
00401072  |. 884D F8        MOV BYTE PTR SS:[EBP-8],CL               ;  tmp[0]
00401075  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
00401078  |. 8A48 05        MOV CL,BYTE PTR DS:[EAX+5]               ;  CL = s[5] (6th character)
0040107B  |. 884D F9        MOV BYTE PTR SS:[EBP-7],CL               ;  tmp[1]
0040107E  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
00401081  |. 8A48 07        MOV CL,BYTE PTR DS:[EAX+7]               ;  CL = s[7] (8th character)
00401084  |. 884D FA        MOV BYTE PTR SS:[EBP-6],CL               ;  tmp[2]
00401087  |. C645 FB 00     MOV BYTE PTR SS:[EBP-5],0                ;  tmp[3] = 0 terminator
0040108B  |. 8D45 F8        LEA EAX,DWORD PTR SS:[EBP-8]             ;  EAX = tmp (3-char string of the 4th, 6th and 8th characters)
0040108E  |. 50             PUSH EAX                                 ; /s
0040108F  |. FF15 E8824000  CALL DWORD PTR DS:[<&MSVCR90D.atoi>]     ; \atoi
00401095  |. 83C4 04        ADD ESP,4
00401098  |. 8945 F4        MOV DWORD PTR SS:[EBP-C],EAX             ;  value = atoi(tmp)
0040109B  |. 837D F4 64     CMP DWORD PTR SS:[EBP-C],64              ;  value == 0x64 (100)?
0040109F  |. 74 12          JE SHORT crackme_.004010B3
004010A1  |. 817D F4 DE0000>CMP DWORD PTR SS:[EBP-C],0DE             ;  ... or == 0xDE (222)?
004010A8  |. 74 09          JE SHORT crackme_.004010B3
004010AA  |. 817D F4 BC0100>CMP DWORD PTR SS:[EBP-C],1BC             ;  ... or == 0x1BC (444)?
004010B1  |. 75 07          JNZ SHORT crackme_.004010BA              ;  none matched -> return 0
004010B3  |> C745 FC 010000>MOV DWORD PTR SS:[EBP-4],1               ;  all tests passed: result = 1 (FLAG FOR SUCCESS)
004010BA  |> 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]             ;  return result
004010BD  |. 5F             POP EDI
004010BE  |. 5E             POP ESI
004010BF  |. 5B             POP EBX
004010C0  |. 8BE5           MOV ESP,EBP
004010C2  |. 5D             POP EBP
004010C3  \. C3             RETN
 
