160个CrackMe 028 Cosh.2

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了160个CrackMe 028 Cosh.2相关的知识,希望对你有一定的参考价值。

首先PEID查壳:
技术分享
没有壳,位码验证:
技术分享

发现了错误字符串,于是OD中查找参考文本字符串进行跟进:
技术分享

在OD中找到相应的分支结构:

技术分享

在上面的函数头部下断点,单步键入,分析代码:简单,略过,最后发现实际没有算法,就是serial硬编码,把十六进制转换成ASCII码即可。

004014CA   .  56            push esi
004014CB   .  8BF1          mov esi,ecx
004014CD   .  57            push edi
004014CE   .  8DBE A0000000 lea edi,dword ptr ds:[esi+0xA0]
004014D4   .  8BCF          mov ecx,edi
004014D6   .  E8 6F030000   call <jmp.&MFC42.#3876>
004014DB   .  8B1D FC214000 mov ebx,dword ptr ds:[<&USER32.PostQuitMessage>]    ;  user32.PostQuitMessage
004014E1   .  83F8 05       cmp eax,0x5                                         ;  ;获取name字符串的长度,判断是否大于5
004014E4   .  7E 50         jle short CoSH_2.00401536                           ;  ;字符串长度小于等于5,错误
004014E6   .  8D6E 60       lea ebp,dword ptr ds:[esi+0x60]
004014E9   .  8BCD          mov ecx,ebp
004014EB   .  E8 5A030000   call <jmp.&MFC42.#3876>                             ;  ;获取serial字符串的长度
004014F0   .  83F8 05       cmp eax,0x5                                         ;  ;判断是否大于5
004014F3   .  7E 41         jle short CoSH_2.00401536                           ;  ;字符串长度小于等于5,错误
004014F5   .  8D86 E0000000 lea eax,dword ptr ds:[esi+0xE0]
004014FB   .  8BCF          mov ecx,edi
004014FD   .  50            push eax
004014FE   .  E8 41030000   call <jmp.&MFC42.#3874>
00401503   .  8DBE E4000000 lea edi,dword ptr ds:[esi+0xE4]
00401509   .  8BCD          mov ecx,ebp
0040150B   .  57            push edi
0040150C   .  E8 33030000   call <jmp.&MFC42.#3874>
00401511   .  8B07          mov eax,dword ptr ds:[edi]
00401513   .  8038 36       cmp byte ptr ds:[eax],0x36                          ;  ;serila的第一个与0x36比较
00401516   .  75 1E         jnz short CoSH_2.00401536
00401518   .  8078 01 32    cmp byte ptr ds:[eax+0x1],0x32                      ;  ;serila的第二个字符与0x32比较
0040151C   .  75 18         jnz short CoSH_2.00401536
0040151E   .  8078 02 38    cmp byte ptr ds:[eax+0x2],0x38                      ;  ;serila的第三个字符与0x38比较
00401522   .  75 12         jnz short CoSH_2.00401536
00401524   .  8078 03 37    cmp byte ptr ds:[eax+0x3],0x37                      ;  ;serila的第四个字符与0x37比较
00401528   .  75 0C         jnz short CoSH_2.00401536
0040152A   .  8078 04 2D    cmp byte ptr ds:[eax+0x4],0x2D                      ;  ;serila的第五个字符与0x2D比较
0040152E   .  75 06         jnz short CoSH_2.00401536
00401530   .  8078 05 41    cmp byte ptr ds:[eax+0x5],0x41                      ;  ;serila的第六个字符与0x41比较
00401534   .  74 17         je short CoSH_2.0040154D
00401536   >  6A 00         push 0x0
00401538   .  68 64304000   push CoSH_2.00403064                                ;  ASCII "ERROR"
0040153D   .  68 38304000   push CoSH_2.00403038                                ;  ASCII "One of the Details you entered was wrong"
00401542   .  8BCE          mov ecx,esi
00401544   .  E8 F5020000   call <jmp.&MFC42.#4224>
00401549   .  6A 00         push 0x0
0040154B   .  FFD3          call ebx                                            ;  user32.PostQuitMessage
0040154D   >  8D8E E0000000 lea ecx,dword ptr ds:[esi+0xE0]
00401553   .  8D5424 14     lea edx,dword ptr ss:[esp+0x14]
00401557   .  51            push ecx
00401558   .  68 2C304000   push CoSH_2.0040302C                                ;  ASCII "Well done,"
0040155D   .  52            push edx
0040155E   .  E8 D5020000   call <jmp.&MFC42.#926>

检验一下serial:
6287-A
技术分享

最后,根据程序的流程写注册机
C++:

#include <iostream>
#include <cstring>
using namespace std;

#define N 100
int main()
{
    char name[N];
    char serial_true[N]={0x36,0x32,0x38,0x37,0x2D,0x41};
    char serial_false[N];
    cout<<"Please input your name:"<<endl;
    cin>>name;
    cout<<"Please input your serial:"<<endl;
    cin>>serial_false;
    if(strlen(name)<=5||strlen(serial_false)<=5)
    {
        cout<<"Error!"<<endl;
        return 0;
    }
    else
    {
        cout<<"True serial is only behind the string:"<<endl;
        for(int i=0;i<=6;i++)
        {
            cout<<serial_true[i];
        }
        cout<<endl;
    }
    return 0;
}

运行结果:
技术分享

真是水题..

以上是关于160个CrackMe 028 Cosh.2的主要内容,如果未能解决你的问题,请参考以下文章

[CrackMe]160个CrackMe之19

[CrackMe]160个CrackMe之19

[CrackMe]160个CrackMe之40

[CrackMe]160个CrackMe之40

第一次CM--CosH.2

160个CrackMe 029 Cosh.3