crackme_crypto

目标是解析出flag,flag本身是一个序列号

image-20220924212335536 image-20220924212358413

查看PE文件,可见是一个win32程序,32位exe,并且加了壳,壳为tElock,首先脱壳,得到脱壳后的文件。

用IDA反编译:

image-20220924212940285

分析DialogFunc,获取最终的flag;

image-20220925151918644

此处应该是获取了两个输入,用户名和序列号。

image-20220924213216124

从DialogFunc中可分析出,序列号是否正确由一个子函数决定,接着分析sub_401610:该函数接受的参数lpString就是输入的序列号,尝试找出该序列号的正确匹配结果;

查看sub_401610函数的伪代码,其中又调用了其他函数,逐个分析;

/*
 * sub_401610 - the serial-number check that DialogFunc calls.
 * IDA decompiler output; all sub_*, a*, and v* names are IDA's, not the
 * program author's.
 *
 * a1       : never referenced in this body.
 * lpString : the serial number as typed by the user.
 * Returns  : 1 only on the one path where sub_402290(v35, v33) yields 0;
 *            every other path returns 0.
 *
 * What is visible here, in order:
 *   1. lpString is copied into a freshly allocated buffer of lstrlenA()
 *      bytes by sub_401020; fewer than 8 bytes copied -> reject.
 *   2. Every byte from index 8 up to v6-1 must be an ASCII digit '0'..'9'.
 *   3. An 8-byte value (v21..v28) is fed to sub_408FF0, then sub_4090F0 is
 *      applied to the first 8 bytes of the buffer; those 8 bytes must then
 *      equal the 8 bytes at v19, which come from a context (v18) that was
 *      initialised by sub_408310, fed the global String via sub_408340 and
 *      finalised by sub_4085F0.
 *   4. The digit tail (v5 + 8) and the string literals IDA named a65537 and
 *      aB80a90bf53c6c9 are each converted by sub_4071D0 / sub_406ED0,
 *      combined by sub_405E40 into v33, and sub_402290 compares v33 with a
 *      value (v35) derived from 8 bytes at v20.
 * What the sub_40xxxx helpers actually compute is not shown on this page;
 * the hedged notes below are inferences to confirm against those functions.
 */
int __cdecl sub_401610(int a1, LPCSTR lpString)
{
int v2; // eax
__int16 v3; // si
char *v4; // eax
char *v5; // ebx
unsigned __int16 v6; // ax
signed int v7; // esi
char v8; // dl
int result; // eax
int v10; // eax
char *v11; // esi
char *v12; // edi
signed int v13; // ecx
bool v14; // cf
bool v15; // zf
signed int v16; // eax
char v17; // [esp+0h] [ebp-1CCh]
char v18; // [esp+4h] [ebp-1C8h]
// v19 and v20 sit 0x58 and 0x60 bytes past v18; presumably they are part
// of the same context object rather than separate locals - confirm.
char v19; // [esp+5Ch] [ebp-170h]
char v20; // [esp+64h] [ebp-168h]
char v21; // [esp+6Ch] [ebp-160h]
char v22; // [esp+6Dh] [ebp-15Fh]
char v23; // [esp+6Eh] [ebp-15Eh]
char v24; // [esp+6Fh] [ebp-15Dh]
char v25; // [esp+70h] [ebp-15Ch]
char v26; // [esp+71h] [ebp-15Bh]
char v27; // [esp+72h] [ebp-15Ah]
char v28; // [esp+73h] [ebp-159h]
char v29; // [esp+74h] [ebp-158h]
int v30; // [esp+178h] [ebp-54h]
int v31; // [esp+17Ch] [ebp-50h]
int v32; // [esp+180h] [ebp-4Ch]
int v33; // [esp+184h] [ebp-48h]
char v34; // [esp+188h] [ebp-44h]
int v35; // [esp+1A8h] [ebp-24h]
char *v36; // [esp+1BCh] [ebp-10h]
int v37; // [esp+1C8h] [ebp-4h]

v36 = &v17;
sub_401000(&v17);
// v37 is set to -1 right before nullsub_1(&v17) on every exit path; this
// looks like an MSVC try-level / EH state variable - inferred, not shown.
v37 = 0;
v2 = lstrlenA(lpString);
// The length is narrowed to 16 bits before being handed to the copy.
v3 = v2;
// Exactly v2 bytes are allocated: no room for a terminator.
v4 = (char *)operator new(v2);
v5 = v4;
v6 = sub_401020(lpString, v4, v3);
// Serial must yield at least 8 bytes, otherwise reject.
if ( (signed int)v6 < 8 )
{
// sub_4092DC(v5) appears on every path after the allocation; presumably
// it releases the buffer (operator delete) - confirm.
sub_4092DC(v5);
v37 = -1;
nullsub_1(&v17);
result = 0;
}
else
{
// NOTE(review): the buffer holds v2 bytes. If sub_401020 returns
// v6 == v2 (a full copy), this NUL store lands one byte past the
// allocation - a heap off-by-one in the target binary. Confirm what
// sub_401020 returns.
v5[v6] = 0;
v7 = 8;
if ( (signed int)v6 <= 8 )
{
LABEL_8:
// Hash/digest-style init, update with the global String (presumably the
// user name from the dialog - see the write-up above), then finalise.
sub_408310(&v18);
v10 = lstrlenA(String);
sub_408340(&v18, String, v10);
sub_4085F0(&v18);
// 8-byte constant 29 47 07 85 87 33 25 44 (hex), built byte by byte.
v21 = 41;
v22 = 71;
v23 = 7;
v24 = -123;
v25 = -121;
v26 = 51;
v27 = 37;
v28 = 68;
// The constant is fed to sub_408FF0 together with a state block (v29);
// sub_4090F0 is then applied to the first 8 bytes of the serial with the
// same state. Presumably a keyed in-place transform of the serial - confirm.
sub_408FF0(&v21, 8, &v29);
sub_4090F0(v5, 8, &v29);
// Inlined 8-byte comparison, reads like repe cmpsb: v14 tracks CF, v15
// tracks ZF, v13 counts down from 8.
v11 = &v19;
v12 = v5;
v13 = 8;
v16 = 0;
v14 = 0;
v15 = 1;
do
{
if ( !v13 )
break;
v14 = (unsigned __int8)*v11 < (unsigned __int8)*v12;
v15 = *v11++ == *v12++;
--v13;
}
while ( v15 );
// After the loop v16 is 0 only if all 8 bytes matched, -1 if v19 sorts
// below the serial bytes, +1 otherwise.
if ( !v15 )
{
if ( v14 )
v16 = -2;
++v16;
}
if ( v16 )
{
sub_4092DC(v5);
v37 = -1;
nullsub_1(&v17);
result = 0;
}
else
{
v30 = 0;
v31 = 0;
v32 = 0;
v33 = 0;
// The digit tail of the serial (offset 8 onward) and the literal IDA
// named a65537 go through sub_4071D0; the literal aB80a90bf53c6c9 goes
// through sub_406ED0. The names suggest a decimal exponent and a hex
// modulus (i.e. an RSA-style check) - inferred from the literal names
// only; confirm in those helpers.
sub_4071D0(v5 + 8, (int)&v30);
sub_4092DC(v5);
sub_4071D0(a65537, (int)&v31);
sub_406ED0(aB80a90bf53c6c9, (int)&v32);
// Combines v30, v31, v32 into v33.
sub_405E40(v30, v31, v32, &v33);
// 8 bytes at v20 are converted by sub_4014F0 into v34, and v34 is then
// parsed by the same sub_406ED0 used for the hex literal above, so v34 is
// presumably text in that same format - confirm.
sub_4014F0(&v20, 8, &v34);
v35 = 0;
sub_406ED0(&v34, (int)&v35);
// Success only when sub_402290 reports 0 for (v35, v33).
if ( sub_402290(v35, v33) )
{
v37 = -1;
nullsub_1(&v17);
result = 0;
}
else
{
v37 = -1;
nullsub_1(&v17);
result = 1;
}
}
}
else
{
// Bytes 8..v6-1 must all be '0'..'9' (48..57). v8 is a plain char, so
// on MSVC/x86 bytes >= 0x80 read as negative and are rejected as well.
while ( 1 )
{
v8 = v5[v7];
if ( v8 < 48 || v8 > 57 )
break;
if ( ++v7 >= v6 )
goto LABEL_8;
}
// Non-digit found in the tail: release the buffer and reject.
sub_4092DC(v5);
v37 = -1;
nullsub_1(&v17);
result = 0;
}
}
return result;
}
image-20220924213626537

追踪lpString的长度,