CrackMe analysis

2025-02-24 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/01 Report

0x00 Program flow analysis

The program prompts for an account name and a password.

Picture 2

Enter anything and it prompts you to try again.

Load the program into OllyDbg (OD).

Picture 3

Search the referenced strings.

Follow them to the main function.

Picture 4

Set a breakpoint and stop at 00401060; this is the main function:

00401060 /$ 83EC 30        sub esp,0x30                        ; allocate the stack frame
00401063 |. 68 FC804000    push Crackme.004080FC               ; "input your name:"
00401068 |. E8 6C020000    call Crackme.004012D9               ; printf
0040106D |. 8D4424 1C      lea eax,dword ptr ss:[esp+0x1C]
00401071 |. 50             push eax
00401072 |. 68 F8804000    push Crackme.004080F8               ; "%s"
00401077 |. E8 46020000    call Crackme.004012C2               ; scanf
0040107C |. 68 E4804000    push Crackme.004080E4               ; "input your pass:"
00401081 |. E8 53020000    call Crackme.004012D9               ; printf
00401086 |. 8D4C24 10      lea ecx,dword ptr ss:[esp+0x10]
0040108A |. 51             push ecx
0040108B |. 68 F8804000    push Crackme.004080F8               ; "%s"
00401090 |. E8 2D020000    call Crackme.004012C2               ; scanf
00401095 |. 8D5424 18      lea edx,dword ptr ss:[esp+0x18]     ; edx = password address (the buffer filled by the second scanf)
00401099 |. 8D4424 30      lea eax,dword ptr ss:[esp+0x30]     ; eax = account address (the buffer filled by the first scanf)
0040109D |. 52             push edx
0040109E |. 50             push eax
0040109F |. E8 5CFFFFFF    call Crackme.00401000               ; verification function; the arguments are the two addresses (parameter 1 = eax, parameter 2 = edx)
004010A4 |. 83C4 20        add esp,0x20                        ; balance the stack
004010A7 |. 84C0           test al,al                          ; if al == 0 then ZF = 1 and je is taken
004010A9 |. 74 19          je XCrackme.004010C4                ; al == 0 jumps to the "try again!" prompt

Picture 5

This is where the success or failure branch is taken:

004010A9 |. 74 19          je XCrackme.004010C4
004010AB |. 68 D8804000    push Crackme.004080D8               ; "good job!\n"
004010B0 |. E8 24020000    call Crackme.004012D9
004010B5 |. 68 C0804000    push Crackme.004080C0               ; "the key is: md5(pass)"
004010BA |. E8 1A020000    call Crackme.004012D9
004010BF |. 83C4 08        add esp,0x8
004010C2 |. EB 0D          jmp XCrackme.004010D1
004010C4 |> 68 B4804000    push Crackme.004080B4               ; "try again!"
004010C9 |. E8 0B020000    call Crackme.004012D9

0x01 Verification function analysis

Entry point:

0040109F |. E8 5CFFFFFF    call Crackme.00401000               ; verification function

00401000 /$ 55             push ebp
00401001 |. 56             push esi
00401002 |. 8B7424 0C      mov esi,dword ptr ss:[esp+0xC]      ; parameter 1 (account)
00401006 |. 57             push edi
00401007 |. 8BFE           mov edi,esi
00401009 |. 83C9 FF        or ecx,0xFFFFFFFF
0040100C |. 33C0           xor eax,eax
0040100E |. 8B5424 14      mov edx,dword ptr ss:[esp+0x14]     ; parameter 2 (password)
00401012 |. F2:AE          repne scas byte ptr es:[edi]        ; inline strlen
00401014 |. F7D1           not ecx
00401016 |. 49             dec ecx
00401017 |. 8BFA           mov edi,edx                         ; edi = password address
00401019 |. 8BE9           mov ebp,ecx                         ; ebp = account length
0040101B |. 83C9 FF        or ecx,0xFFFFFFFF
0040101E |. F2:AE          repne scas byte ptr es:[edi]
00401020 |. F7D1           not ecx
00401022 |. 49             dec ecx                             ; ecx = password length
00401023 |. 3BE9           cmp ebp,ecx                         ; compare the lengths
00401025 |. 74 06          je XCrackme.0040102D                ; equal: continue; unequal: return 0
00401027 |. 5F             pop edi
00401028 |. 5E             pop esi
00401029 |. 32C0           xor al,al
0040102B |. 5D             pop ebp
0040102C |. C3             retn
0040102D |> 33C0           xor eax,eax
0040102F |. 85ED           test ebp,ebp
00401031 |. 7E 19          jle XCrackme.0040104C
00401033 |. 53             push ebx
00401034 |. BF 30804000    mov edi,Crackme.00408030            ; edi = address of the global table
00401039 |> 8A0F           /mov cl,byte ptr ds:[edi]           ; cl = low byte of table[eax] (edi advances 4 bytes per iteration)
0040103B |. 8A1C10         |mov bl,byte ptr ds:[eax+edx]       ; bl = password[eax]
0040103E |. 32D9           |xor bl,cl                          ; password[eax] ^= table byte
00401040 |. 83C7 04        |add edi,0x4                        ; next table element
00401043 |. 881C10         |mov byte ptr ds:[eax+edx],bl       ; write the byte back
00401046 |. 40             |inc eax                            ; eax++
00401047 |. 3BC5           |cmp eax,ebp                        ; eax < strlen(password)?
00401049 |.^ 7C EE         \jl XCrackme.00401039               ; loop while eax < ebp
0040104B |. 5B             pop ebx
0040104C |> 8BFA           mov edi,edx                         ; edi = password
0040104E |. 8BCD           mov ecx,ebp                         ; ecx = length
00401050 |. 33D2           xor edx,edx
00401052 |. F3:A6          repe cmps byte ptr es:[edi],byte ptr ds:[esi] ; compare password with account
00401054 |. 8BC2           mov eax,edx
00401056 |. 5F             pop edi
00401057 |. 5E             pop esi
00401058 |. 5D             pop ebp
00401059 |. 0F94C0         sete al                             ; equal -> al = 1
0040105C \. C3             retn

Table values used for the encryption (the global table at 00408030):

Picture 6

First, the function checks whether the account and the password have the same length.

Picture 7

If the lengths are equal, each byte of the password is xored with the corresponding entry of the table at 00408030, giving the transformed password.

The transformed password is then compared with the account.

Picture 8

esi points to the account and edi to the password.

sete sets al = 1 when zf = 1, that is, when the two strings match.

Picture 9
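The check routine as the listing above describes it, reimplemented in C as an added example (this is not the crackme's own source). The table contents are only visible in the screenshot, so g_table below is a constructed placeholder; the function name check and the explicit table-bounds stop are likewise this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed placeholder for the global table at 00408030: the real
 * values are only in the screenshot. The loop in the listing reads one
 * byte and then does add edi,4, so the table is modelled as dwords and
 * only the low byte of each entry is used. */
static const uint32_t g_table[] = {
    0x00000011, 0x00000022, 0x00000033, 0x00000044,
    0x00000055, 0x00000066, 0x00000077, 0x00000088,
};

/* Reimplementation of the routine at 00401000.
 * account  = parameter 1 (esi), password = parameter 2 (edx / edi).
 * Returns 1 (al = 1) on success, 0 otherwise. Like the original it
 * transforms the password buffer in place. */
int check(const char *account, char *password)
{
    size_t account_len  = strlen(account);   /* repne scas -> ebp */
    size_t password_len = strlen(password);  /* repne scas -> ecx */

    if (account_len != password_len)         /* cmp ebp,ecx / je */
        return 0;                            /* xor al,al ; retn */

    /* The listing just keeps advancing edi; this example stops at the
     * end of its placeholder table so the behaviour stays well-defined. */
    size_t table_len = sizeof g_table / sizeof g_table[0];
    for (size_t i = 0; i < account_len; i++) {
        if (i >= table_len)
            return 0;
        password[i] ^= (uint8_t)g_table[i];  /* mov cl,[edi] ; xor bl,cl ; add edi,4 */
    }

    /* repe cmps byte ptr es:[edi],byte ptr ds:[esi] ; sete al */
    return memcmp(password, account, account_len) == 0;
}
```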

That's it.
