
[原创]看雪2016 第二十六题 CrackMe逆向分析

HighHand 2017-1-1 12:28 1802
该题的结构是:crackme(父进程)以调试方式启动子进程 Broiler.exe,向子进程写入一段代码,用 SetThreadContext 把子进程线程的 EIP 改到这段代码上执行;代码中的 int3 会以调试事件回到父进程,父进程借此修补指令、读回并校验结果。
将crackme拖入IDA中,找到 _main
  // Fragment of _main as shown by IDA.  The prologue and the declarations of
  // Parameter/v8..v18, sn/v20..v25, v3/v4/result are outside this view.
  puts(aIcrackmeE);
  puts(aFIVSIg);
  // Build the child's file name byte by byte.  Each value stored below is the
  // target byte minus 0x80 (as a signed char); the loop that follows adds 0x80
  // back.  Decoding the 11 values in the order Parameter, v8..v17 gives
  //   42 72 6F 69 6C 65 72 2E 65 78 65  = "Broiler.exe"
  // with v18 = 0 as the terminator.  This relies on IDA having laid the locals
  // out contiguously in that order (the `&Parameter + v3` indexing below).
  v12 = -27;
  v15 = -27;
  v17 = -27;
  Parameter = -62;
  v8 = -14;
  v9 = -17;
  v10 = -23;
  v11 = -20;
  v13 = -14;
  v14 = -82;
  v16 = -8;
  v18 = 0;
  v3 = 0;
  do
    *(&Parameter + v3++) += 0x80u;   // 11 bytes: Parameter .. v17
  while ( v3 < 11 );
  // The decoded name is the thread argument; StartAddress is the routine that
  // spawns/debugs the child (not visible here).  The handle is closed at once,
  // the thread keeps running.
  v4 = CreateThread(0, 0, StartAddress, &Parameter, 0, &ThreadId);
  if ( v4 )
  {
    CloseHandle(v4);
    // 0xBB8 = 3000 ms.  No synchronisation with the debug thread: main simply
    // assumes the child exists by the time the serial is read.
    Sleep(0xBB8u);
    // Seven dwords (sn among them) are zeroed as the serial buffer; how many of
    // them sit after &sn in memory is not visible from the decompiler output.
    v20 = 0;
    v21 = 0;
    v22 = 0;
    sn = 0;
    v23 = 0;
    v24 = 0;
    v25 = 0;
    // a21s is presumably "%21s" (IDA's naming) -- TODO confirm; that caps the
    // input at 21 characters plus NUL, matching the 21-byte key length used below.
    scanf(a21s, &sn);
    sub_401060(&sn);   // in-place encoding of the 21 bytes
    sub_4010D0(&sn);   // inject the encoded bytes + stub into Broiler.exe
    system(aPause);    // presumably "pause" -- a shell spawn on the way out
    result = 0;
  }


首先创建了一个线程,线程参数就是上面逐字节加 0x80 还原出的字符串 "Broiler.exe";线程中通过 CreateProcessA 以调试方式启动 Broiler.exe 子进程,并用 WaitForDebugEvent 循环接收子进程的调试事件。

401060 对 sn 就地编码,共处理 21 个字节,编码方式如下
  // Fragment of sub_401060: in-place encoding of the 21-element serial a1.
  // v2 is a running state seeded from the first element; prologue and
  // declarations are outside this view.
  v1 = 0;
  v2 = *a1;
  do
  {
    // Output = (first element >> 2) ^ second byte of the state.  Note that
    // *a1 -- not a1[v1] -- is read here, and a1[0] is itself rewritten when
    // v1 == 0, so later iterations see the already-encoded first element.
    // The decompiler does not show a1's element type; whether this is a byte
    // or a dword read is unresolved from this view.
    v3 = (*a1 >> 2) ^ BYTE1(v2);
    a1[v1] = v3;
    // State update mixes the old state with the byte just produced
    // (v3 taken as unsigned 8-bit); the two multipliers are fixed constants.
    v2 = 0x22FC * (v2 >> 2) + 5478 * (v2 + (unsigned __int8)v3);
    a1[v1] ^= 0x41u;   // final whitening of the stored element
    ++v1;
  }
  while ( v1 < 21 );   // 21 elements, the key length used throughout


编码完成后进入 4010D0,这个函数有好多赋值操作,其主要工作函数如下
  // Fragment of sub_4010D0: find the Broiler.exe child by walking a process
  // snapshot.  2u == TH32CS_SNAPPROCESS.
  result = CreateToolhelp32Snapshot(2u, 0);
  v4 = result;
  if ( result != (HANDLE)-1 )   // INVALID_HANDLE_VALUE
  {
    if ( Process32First(result, &pe) )
    {
      // Case-sensitive exact match on the image name only -- no parent/PID
      // check, so the first process called Broiler.exe wins, whoever started it.
      while ( strcmp(pe.szExeFile, aBroiler_exe) )
      {
        if ( !Process32Next(v4, &pe) )
          goto LABEL_7;
      }
      v2 = pe.th32ProcessID;
    }
LABEL_7:
    CloseHandle(v4);
    // v2 is the PID; it must have been zeroed before this fragment
    // (initialisation not visible here).
    if ( !v2 )
    {
      // No message text, caption only: Caption = "注入失败" ("injection failed").
      MessageBoxA(0, 0, Caption, 0);
      exit(1);
    }

查找 Broiler.exe 进程,没有找到则提示 .data:0040A040 Caption         db '注入失败',0     

   // 0x10001 = CONTEXT_i386 | CONTEXT_CONTROL: only EIP/ESP/EBP/EFLAGS and
   // segment registers are fetched -- enough to redirect the thread.
   Context.ContextFlags = 0x10001;
    // v1 is a thread handle; whether it is the same handle as hObject used
    // for SetThreadContext below is not visible here -- confirm.
    GetThreadContext(v1, &Context);
    dword_40CA70 = Context.Eip;   // original EIP of the suspended child thread, kept globally
    // 0x1F0FFF = PROCESS_ALL_ACCESS, bInheritHandle = TRUE, PID found above.
    v6 = OpenProcess(0x1F0FFFu, 1, v2);
    v7 = v6;
    if ( v6 )
    {
      // 0x200 bytes, 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE.
      // RWX for what is only data; the usual injection tell.
      v8 = VirtualAllocEx(v6, 0, 0x200u, 0x1000u, 0x40u);
      dword_40CA6C = (int)v8;   // remote address of the serial buffer
      if ( v8 )
      {
        dword_40C948 = (int)v8;
        // Copy the 21 encoded serial bytes into the child.
        if ( WriteProcessMemory(v7, v8, a1, 21u, 0) )


获取线程环境(ContextFlags=0x10001 即 CONTEXT_CONTROL,只取 EIP 等控制寄存器),以 0x1F0FFF(PROCESS_ALL_ACCESS)打开子进程,用 VirtualAllocEx 以 MEM_COMMIT|PAGE_EXECUTE_READWRITE(0x1000/0x40)分配 0x200 字节,把编码后的 21 字节 sn 写入这块内存(地址保存在 dword_40CA6C)。

          // One RWX page (0x1000 bytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE) for the stub.
          v9 = VirtualAllocEx(v7, 0, 0x1000u, 0x1000u, 0x40u);
          dword_40CA68 = (int)v9;   // remote address of the stub
          if ( v9 )
          {
            // Assemble the stub in the child:
            //   [0]    0x68           push imm32
            //   [1..4] serial address  (the imm32 operand)
            //   [5..]  0x134 bytes of code copied from v12 (the many local
            //          assignments mentioned in the write-up presumably fill it)
            // "te.dwSize" is just the decompiler reusing a THREADENTRY32 slot
            // as the 4-byte operand.
            te.dwSize = dword_40CA6C;
            v11 = 104;   // 0x68
            // Return values of these two writes are not checked; only the last
            // write gates the hijack.
            WriteProcessMemory(v7, v9, &v11, 1u, 0);
            WriteProcessMemory(v7, (LPVOID)(dword_40CA68 + 1), &te, 4u, 0);
            if ( WriteProcessMemory(v7, (LPVOID)(dword_40CA68 + 5), &v12, 0x134u, 0) )
            {
              // Thread hijack: point the suspended thread at the stub and run it.
              // The saved original EIP (dword_40CA70) is not restored in this
              // fragment; presumably the debug-event handler deals with it.
              v10 = hObject;
              Context.Eip = dword_40CA68;
              SetThreadContext(hObject, &Context);
              ResumeThread(v10);
              CloseHandle(v7);
              CloseHandle(v10);
              result = HANDLE_FLAG_INHERIT;   // IDA's rendering of the constant 1 (success)
            }

又分配一页(0x1000 字节)可读写可执行的内存,写入的内容是:第 0 字节 0x68(push imm32),第 1~4 字节为 sn 缓冲区地址,第 5 字节起为 0x134 字节的代码;随后把线程上下文中的 EIP 改为这块内存的地址并 ResumeThread。这是典型的 OpenProcess/VirtualAllocEx/WriteProcessMemory/SetThreadContext 线程劫持注入流程。通过 dump 得到的代码如下:

; Stub the parent writes into the child and hijacks the main thread onto.
; There is no prologue: ebp is whatever the hijacked thread had, so every
; [ebp-xx] slot below lives in that thread's existing stack frame, and any
; byte the stub does not write (notably [ebp-21]) is inherited from it.
; Frame use: [ebp-3C..ebp-22] 27-byte table, [ebp-20] bytes remaining (21),
; [ebp-1C] pointer to the current serial byte, [ebp-C]=k, [ebp-18]=j, edx=i.
001D0000    68 00000200     push    20000					;address of the encoded serial (first VirtualAllocEx block); the parent patches this operand in
001D0005    C745 FC 0000000>mov     dword ptr [ebp-4], 0
001D000C    8965 FC         mov     dword ptr [ebp-4], esp                  ; [ebp-4] = esp -> points at the pushed pointer
001D000F    8B45 FC         mov     eax, dword ptr [ebp-4]
001D0012    B3 2A           mov     bl, 2A                                  ; bl/dl/al cache the table bytes that repeat (2A, 3F, B6)
001D0014    B2 3F           mov     dl, 3F
001D0016    C645 C4 8C      mov     byte ptr [ebp-3C], 8C                   ; table[0]; the full table [ebp-3C..ebp-22] is 8C 4C 96 5B 2A 3F B6 5B 2A 11 B1 15 AC C3 53 B6 2A 3F B2 FC 69 10 BF FD B6 5B 3F
001D001A    8B08            mov     ecx, dword ptr [eax]                    ; ecx = pointer to the serial
001D001C    B0 B6           mov     al, 0B6
001D001E    C645 C5 4C      mov     byte ptr [ebp-3B], 4C
001D0022    C645 C6 96      mov     byte ptr [ebp-3A], 96
001D0026    C645 C7 5B      mov     byte ptr [ebp-39], 5B
001D002A    885D C8         mov     byte ptr [ebp-38], bl
001D002D    8855 C9         mov     byte ptr [ebp-37], dl
001D0030    8845 CA         mov     byte ptr [ebp-36], al
001D0033    C645 CB 5B      mov     byte ptr [ebp-35], 5B
001D0037    885D CC         mov     byte ptr [ebp-34], bl
001D003A    C645 CD 11      mov     byte ptr [ebp-33], 11
001D003E    C645 CE B1      mov     byte ptr [ebp-32], 0B1
001D0042    C645 CF 15      mov     byte ptr [ebp-31], 15
001D0046    C645 D0 AC      mov     byte ptr [ebp-30], 0AC
001D004A    C645 D1 C3      mov     byte ptr [ebp-2F], 0C3
001D004E    C645 D2 53      mov     byte ptr [ebp-2E], 53
001D0052    8845 D3         mov     byte ptr [ebp-2D], al
001D0055    885D D4         mov     byte ptr [ebp-2C], bl
001D0058    8855 D5         mov     byte ptr [ebp-2B], dl
001D005B    C645 D6 B2      mov     byte ptr [ebp-2A], 0B2
001D005F    C645 D7 FC      mov     byte ptr [ebp-29], 0FC
001D0063    C645 D8 69      mov     byte ptr [ebp-28], 69
001D0067    C645 D9 10      mov     byte ptr [ebp-27], 10
001D006B    C645 DA BF      mov     byte ptr [ebp-26], 0BF
001D006F    C645 DB FD      mov     byte ptr [ebp-25], 0FD
001D0073    8845 DC         mov     byte ptr [ebp-24], al
001D0076    C645 DD 5B      mov     byte ptr [ebp-23], 5B
001D007A    8855 DE         mov     byte ptr [ebp-22], dl                   ; table[26]; nothing in the stub writes [ebp-21]
001D007D    894D E4         mov     dword ptr [ebp-1C], ecx                 ; [ebp-1C] = pointer to the current serial byte
001D0080    C745 E0 1500000>mov     dword ptr [ebp-20], 15		;21 bytes to process; the byte just below this dword, [ebp-21], is never written by the stub (observed as FF) -- explained below
001D0087    8D55 C4         lea     edx, dword ptr [ebp-3C]                 ; ==== per-byte loop head: k = 0, row/col pointers back to table[0]
001D008A    8D45 C4         lea     eax, dword ptr [ebp-3C]
001D008D    C745 F4 0000000>mov     dword ptr [ebp-C], 0                    ; k (0..2)
001D0094    8955 EC         mov     dword ptr [ebp-14], edx                 ; row pointer, +9 per k
001D0097    8945 F0         mov     dword ptr [ebp-10], eax                 ; col pointer, +3 per k
001D009A    8B55 F0         mov     edx, dword ptr [ebp-10]                 ; ==== k loop head
001D009D    8B45 EC         mov     eax, dword ptr [ebp-14]
001D00A0    33FF            xor     edi, edi                                ; j = 0 (takes 0 and 3)
001D00A2    8955 FC         mov     dword ptr [ebp-4], edx                  ; multiplier pointer = col pointer (+1 per j step)
001D00A5    897D E8         mov     dword ptr [ebp-18], edi
001D00A8    8945 F8         mov     dword ptr [ebp-8], eax                  ; compare pointer = row pointer (+3 per j step)
001D00AB    8B75 FC         mov     esi, dword ptr [ebp-4]                  ; ==== j loop head: esi = multiplier pointer
001D00AE    33D2            xor     edx, edx                                ; i = 0 (0..3)
001D00B0    8B45 F8         mov     eax, dword ptr [ebp-8]                  ; ==== i loop head
001D00B3    8A19            mov     bl, byte ptr [ecx]                      ; bl = current serial byte (re-read every pass, so a store earlier in this scan is seen)
001D00B5    8A0410          mov     al, byte ptr [eax+edx]                  ; al = table[9k + 3(j/3) + i]
001D00B8    3AD8            cmp     bl, al
001D00BA    75 22           jnz     short 001D00DE                          ; no match: this slot leaves the byte untouched
001D00BC    8D0C17          lea     ecx, dword ptr [edi+edx]                ; ecx = j + i
001D00BF    8B7D F4         mov     edi, dword ptr [ebp-C]
001D00C2    8D3C4F          lea     edi, dword ptr [edi+ecx*2]
001D00C5    03CF            add     ecx, edi                                ; ecx = 3*(j+i) + k  (at most 20, inside the table)
001D00C7    0FBEFB          movsx   edi, bl
001D00CA    0FBE4C0D C4     movsx   ecx, byte ptr [ebp+ecx-3C]              ; ecx = sign-extended table[3(j+i)+k]
001D00CF    33CF            xor     ecx, edi                                ; ecx ^= sign-extended serial byte
001D00D1    CC              int3					;first int3: the crackme's debug loop patches CC 02 here to 90 2A (nop; sub al,cl), cf. the copy at 4010D1 below
001D00D2    02C1            add     al, cl                                  ; as dumped, before the patch; actually runs as sub al,cl
001D00D4    8B4D E4         mov     ecx, dword ptr [ebp-1C]                 ; ecx = serial byte pointer again
001D00D7    F62E            imul    byte ptr [esi]                          ; ax = al * table[3k + j/3 + 9i] (signed); for i == 3 esi is past the table: [ebp-21] and the counter/pointer bytes above it
001D00D9    8B7D E8         mov     edi, dword ptr [ebp-18]                 ; restore j
001D00DC    8801            mov     byte ptr [ecx], al                      ; write the result byte back in place
001D00DE    42              inc     edx                                     ; i++
001D00DF    83C6 09         add     esi, 9
001D00E2    83FA 04         cmp     edx, 4
001D00E5  ^ 7C C9           jl      short 001D00B0
001D00E7    8B5D FC         mov     ebx, dword ptr [ebp-4]                  ; j += 3; multiplier pointer += 1; compare pointer += 3
001D00EA    8B55 F8         mov     edx, dword ptr [ebp-8]
001D00ED    83C7 03         add     edi, 3
001D00F0    43              inc     ebx
001D00F1    83C2 03         add     edx, 3
001D00F4    83FF 06         cmp     edi, 6
001D00F7    895D FC         mov     dword ptr [ebp-4], ebx
001D00FA    897D E8         mov     dword ptr [ebp-18], edi
001D00FD    8955 F8         mov     dword ptr [ebp-8], edx
001D0100  ^ 7C A9           jl      short 001D00AB                          ; while j < 6
001D0102    8B45 F4         mov     eax, dword ptr [ebp-C]                  ; k++; col pointer += 3; row pointer += 9
001D0105    8B7D F0         mov     edi, dword ptr [ebp-10]
001D0108    8B75 EC         mov     esi, dword ptr [ebp-14]
001D010B    40              inc     eax
001D010C    83C7 03         add     edi, 3
001D010F    83C6 09         add     esi, 9
001D0112    83F8 03         cmp     eax, 3
001D0115    8945 F4         mov     dword ptr [ebp-C], eax
001D0118    897D F0         mov     dword ptr [ebp-10], edi
001D011B    8975 EC         mov     dword ptr [ebp-14], esi
001D011E  ^ 0F8C 76FFFFFF   jl      001D009A                                ; while k < 3
001D0124    8B45 E0         mov     eax, dword ptr [ebp-20]                 ; next serial byte; ecx still holds the current pointer
001D0127    41              inc     ecx
001D0128    48              dec     eax
001D0129    894D E4         mov     dword ptr [ebp-1C], ecx
001D012C    8945 E0         mov     dword ptr [ebp-20], eax
001D012F  ^ 0F85 52FFFFFF   jnz     001D0087                                ; 21 bytes in all; the dump ends here -- per the write-up a second int3 follows, which is where 401FA0 reads the result

第一次触发 int3 异常时,父进程把 1D00D1 处的 CC 02(int3; add al,cl)改为 90 2A(nop; sub al,cl);第二次触发 int3 异常时则读回处理后的 sn 并检查注册码是否有效。
处理int3异常的函数在401FA0
        // Fragment of the int3 handler (sub_401FA0): on the second breakpoint,
        // pull the transformed serial back out of the child and compare it with
        // the expected bytes.  v12 = child process handle, v11 = remote serial
        // address, 0x15 = 21 bytes.  The last argument is the bytes-read output;
        // the decompiler reused a variable it had named hProcess for it.
        // The return value is not checked, so a failed read compares stale Buffer.
        ReadProcessMemory(v12, v11, &Buffer, 0x15u, (SIZE_T *)&hProcess);
        v13 = 0;   // mismatch count
        v14 = 0;
        do
        {
          // v16 holds the 21 expected bytes; the write-up lists them as
          // EF 86 85 0C D2 89 64 A6 9E C8 CC 70 00 90 09 F4 28 6E 5A 04 F9.
          // They sit in the parent's own data, which is what makes the
          // brute force below possible.
          if ( *(&Buffer + v14) != *(&v16 + v14) )
            ++v13;
          ++v14;
        }
        while ( v14 < 21 );
        if ( !v13 )
        {
          // All 21 bytes match: show the aJ_0 message (text not visible here)
          // and exit -- with status 1 even on success.
          MessageBoxA(0, 0, aJ_0, 0);
          exit(1);
        }

读取处理后的 21 字节 sn,与父进程自身数据段中存放的指定数据逐字节比较,不相等的字节数为 0 时弹出 aJ_0 提示并退出;指定数据如下:
EF 86 85 0C D2 89 64 A6 9E C8 CC 70 00 90 09 F4 28 6E 5A 04 F9


基于以上条件可以在 OD 中写段程序进行穷举。注入代码对每个字节的变换只依赖该字节本身([ebp-1C] 指针每轮只读写它所指的那一个字节),因此可以逐字节穷举,每个位置最多尝试 256 次。
穷举代码如下
; Brute-force driver assembled in OllyDbg.  401000-40112F is the injected
; transform copied verbatim, with the parent's patch already applied at
; 4010D1/4010D2 (nop / sub al,cl), run on the candidate at 40A000 instead of
; the child's buffer.
; Data: 40A000 working copy of the candidate (transformed in place),
;       40A020 expected 21 bytes, 40A040 candidate being searched,
;       40A060 index of the position currently being searched.
; Each serial byte is transformed independently of the others, so the key is
; searched one position at a time.
; Caveats visible in the code: every restart re-executes the push at 401000
; with no matching pop (esp drifts 4 bytes per attempt; the ebp-relative frame
; is unaffected); the multiplier read at 4010D7 reaches [ebp-21] for i == 3,
; so that byte must be set by hand to the value seen in the child; and there is
; no stop condition -- the loop keeps going past position 20, so the result is
; read from the dump once [40A060] reaches 0x15.
00401000   > /68 00A04000   push    0040A000                         ; pointer to the working copy (pushed again on every restart)
00401005   . |C745 FC 00000>mov     dword ptr [ebp-4], 0
0040100C   . |8965 FC       mov     dword ptr [ebp-4], esp
0040100F   . |8B45 FC       mov     eax, dword ptr [ebp-4]
00401012   . |B3 2A         mov     bl, 2A
00401014   . |B2 3F         mov     dl, 3F
00401016   . |C645 C4 8C    mov     byte ptr [ebp-3C], 8C            ; 27-byte table rebuilt on every run, same bytes as in the child
0040101A   . |8B08          mov     ecx, dword ptr [eax]             ; ecx = 40A000
0040101C   . |B0 B6         mov     al, 0B6
0040101E   . |C645 C5 4C    mov     byte ptr [ebp-3B], 4C
00401022   . |C645 C6 96    mov     byte ptr [ebp-3A], 96
00401026   . |C645 C7 5B    mov     byte ptr [ebp-39], 5B
0040102A   . |885D C8       mov     byte ptr [ebp-38], bl
0040102D   . |8855 C9       mov     byte ptr [ebp-37], dl
00401030   . |8845 CA       mov     byte ptr [ebp-36], al
00401033   . |C645 CB 5B    mov     byte ptr [ebp-35], 5B
00401037   . |885D CC       mov     byte ptr [ebp-34], bl
0040103A   . |C645 CD 11    mov     byte ptr [ebp-33], 11
0040103E   . |C645 CE B1    mov     byte ptr [ebp-32], 0B1
00401042   . |C645 CF 15    mov     byte ptr [ebp-31], 15
00401046   . |C645 D0 AC    mov     byte ptr [ebp-30], 0AC
0040104A   . |C645 D1 C3    mov     byte ptr [ebp-2F], 0C3
0040104E   . |C645 D2 53    mov     byte ptr [ebp-2E], 53
00401052   . |8845 D3       mov     byte ptr [ebp-2D], al
00401055   . |885D D4       mov     byte ptr [ebp-2C], bl
00401058   . |8855 D5       mov     byte ptr [ebp-2B], dl
0040105B   . |C645 D6 B2    mov     byte ptr [ebp-2A], 0B2
0040105F     |C645 D7 FC    mov     byte ptr [ebp-29], 0FC
00401063   . |C645 D8 69    mov     byte ptr [ebp-28], 69
00401067   . |C645 D9 10    mov     byte ptr [ebp-27], 10
0040106B   . |C645 DA BF    mov     byte ptr [ebp-26], 0BF
0040106F   . |C645 DB FD    mov     byte ptr [ebp-25], 0FD
00401073   . |8845 DC       mov     byte ptr [ebp-24], al
00401076   . |C645 DD 5B    mov     byte ptr [ebp-23], 5B
0040107A   . |8855 DE       mov     byte ptr [ebp-22], dl            ; last table byte; [ebp-21] is not written here either
0040107D   . |894D E4       mov     dword ptr [ebp-1C], ecx          ; current byte pointer
00401080   . |C745 E0 15000>mov     dword ptr [ebp-20], 15           ; 21 bytes
00401087   > |8D55 C4       lea     edx, dword ptr [ebp-3C]          ; ==== per-byte loop, identical to the child's stub
0040108A   . |8D45 C4       lea     eax, dword ptr [ebp-3C]
0040108D   . |C745 F4 00000>mov     dword ptr [ebp-C], 0             ; k
00401094   . |8955 EC       mov     dword ptr [ebp-14], edx
00401097   . |8945 F0       mov     dword ptr [ebp-10], eax
0040109A   > |8B55 F0       mov     edx, dword ptr [ebp-10]          ; ==== k loop
0040109D   . |8B45 EC       mov     eax, dword ptr [ebp-14]
004010A0   . |33FF          xor     edi, edi                         ; j
004010A2   . |8955 FC       mov     dword ptr [ebp-4], edx
004010A5   . |897D E8       mov     dword ptr [ebp-18], edi
004010A8   . |8945 F8       mov     dword ptr [ebp-8], eax
004010AB   > |8B75 FC       mov     esi, dword ptr [ebp-4]           ; ==== j loop
004010AE   . |33D2          xor     edx, edx                         ; i
004010B0   > |8B45 F8       mov     eax, dword ptr [ebp-8]           ; ==== i loop
004010B3   . |8A19          mov     bl, byte ptr [ecx]
004010B5   . |8A0410        mov     al, byte ptr [eax+edx]           ; compare byte = table[9k + 3(j/3) + i]
004010B8   . |3AD8          cmp     bl, al
004010BA   . |75 22         jnz     short 004010DE                   ; no match: byte unchanged for this slot
004010BC   . |8D0C17        lea     ecx, dword ptr [edi+edx]
004010BF   . |8B7D F4       mov     edi, dword ptr [ebp-C]
004010C2   . |8D3C4F        lea     edi, dword ptr [edi+ecx*2]
004010C5   . |03CF          add     ecx, edi                         ; 3*(j+i) + k
004010C7   . |0FBEFB        movsx   edi, bl
004010CA   . |0FBE4C0D C4   movsx   ecx, byte ptr [ebp+ecx-3C]
004010CF   . |33CF          xor     ecx, edi
004010D1   . |90            nop                                      ; the child's int3, already patched
004010D2   . |2AC1          sub     al, cl                           ; the child's add al,cl, already patched
004010D4   . |8B4D E4       mov     ecx, dword ptr [ebp-1C]
004010D7   . |F62E          imul    byte ptr [esi]                   ; multiplier = table[3k + j/3 + 9i]; reads [ebp-21] when i == 3 (see the note below the listing)
004010D9   . |8B7D E8       mov     edi, dword ptr [ebp-18]
004010DC   . |8801          mov     byte ptr [ecx], al               ; result written back into the working copy
004010DE   > |42            inc     edx
004010DF   . |83C6 09       add     esi, 9
004010E2   . |83FA 04       cmp     edx, 4
004010E5   .^|7C C9         jl      short 004010B0
004010E7   . |8B5D FC       mov     ebx, dword ptr [ebp-4]
004010EA   . |8B55 F8       mov     edx, dword ptr [ebp-8]
004010ED   . |83C7 03       add     edi, 3
004010F0   . |43            inc     ebx
004010F1   . |83C2 03       add     edx, 3
004010F4   . |83FF 06       cmp     edi, 6
004010F7   . |895D FC       mov     dword ptr [ebp-4], ebx
004010FA   . |897D E8       mov     dword ptr [ebp-18], edi
004010FD   . |8955 F8       mov     dword ptr [ebp-8], edx
00401100   .^|7C A9         jl      short 004010AB
00401102   . |8B45 F4       mov     eax, dword ptr [ebp-C]
00401105   . |8B7D F0       mov     edi, dword ptr [ebp-10]
00401108   . |8B75 EC       mov     esi, dword ptr [ebp-14]
0040110B   . |40            inc     eax
0040110C   . |83C7 03       add     edi, 3
0040110F   . |83C6 09       add     esi, 9
00401112   . |83F8 03       cmp     eax, 3
00401115   . |8945 F4       mov     dword ptr [ebp-C], eax
00401118   . |897D F0       mov     dword ptr [ebp-10], edi
0040111B   . |8975 EC       mov     dword ptr [ebp-14], esi
0040111E   .^|0F8C 76FFFFFF jl      0040109A
00401124   . |8B45 E0       mov     eax, dword ptr [ebp-20]
00401127   . |41            inc     ecx
00401128   . |48            dec     eax
00401129   . |894D E4       mov     dword ptr [ebp-1C], ecx
0040112C   . |8945 E0       mov     dword ptr [ebp-20], eax
0040112F   .^|0F85 52FFFFFF jnz     00401087                         ; end of the copied transform
00401135   . |90            nop
00401136   > |A1 60A04000   mov     eax, dword ptr [40A060]          ; ==== search driver: eax = current position
0040113B   . |8A98 00A04000 mov     bl, byte ptr [eax+40A000]        ; transformed candidate byte at that position
00401141   . |3A98 20A04000 cmp     bl, byte ptr [eax+40A020]        ; vs the expected byte
00401147   . |74 27         je      short 00401170                   ; match: advance to the next position
00401149   . |90            nop
0040114A   . |90            nop
0040114B   . |90            nop
0040114C   . |90            nop
0040114D   . |FE80 40A04000 inc     byte ptr [eax+40A040]            ; mismatch: try the next value for this position (wraps at 256)
00401153   . |B9 20000000   mov     ecx, 20
00401158   . |BE 40A04000   mov     esi, 0040A040
0040115D   . |BF 00A04000   mov     edi, 0040A000
00401162   . |F3:A4         rep     movs byte ptr es:[edi], byte ptr>  ; refresh the 0x20-byte working copy from the candidate
00401164   .^\E9 97FEFFFF   jmp     00401000                         ; rerun the whole transform
00401169      90            nop
0040116A      90            nop
0040116B      90            nop
0040116C      90            nop
0040116D      90            nop
0040116E      90            nop
0040116F      90            nop
00401170   >  FF05 60A04000 inc     dword ptr [40A060]               ; position++; the already-transformed copy is re-checked without rerunning
00401176   .^ EB BE         jmp     short 00401136
00401178      90            nop                                      ; |
00401179      90            nop                                      ; |


穷举所需数据如下
0040A000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040A010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040A020  EF 86 85 0C D2 89 64 A6 9E C8 CC 70 00 90 09 F4  飭?覊d忍p.??
0040A030  28 6E 5A 04 F9 FB 0E 02 4D EF 01 D4 E8 B0 19 EB  (nZM?澡??
0040A040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040A050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040A060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0040A070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................


注意 [ebp-21] 位置的值为 FF(原帖误写为 [epb-21])。这个字节紧跟在 27 字节表([ebp-3C]~[ebp-22])之后,注入代码从未对它赋值,但当内层循环 edx=3 时 esi=表首+27 正好指向它,会被 `imul byte ptr [esi]` 当作乘数读取——它的值继承自被劫持线程原本的栈内容。如果在穷举环境里它是 0,穷举结果首字节会停在 EF,这样是无解的。可以用 OD 调试子进程,中断后查看 EBP-21 处的值来填充。

穷举结果如下:
0040A040  5B 11 4C 0C B6 89 2A 53 9E B1 CC 15 00 8C 09 B2  [L.秹*S灡?.??
0040A050  28 6E 5A 04 F9                                   (nZ?


反向编码为 sn=k00000000000000000000