小试锋芒
发表于 2013-12-23 08:14
1、PEID查壳:Microsoft Visual C++ 6.0
2、OD载入,设置API断点,不知道哪个能断下来,把四个都勾选上。
3、F9运行,输入任意用户名和注册码,点击注册,断下来了:
4、返回到程序领空:
00401744 8B8D C4FEFFFF mov ecx,dword ptr ss:[ebp-13C]
0040174A E8 43060000 call <jmp.&MFC42.#6334> ; get the registration code (author's annotation)
0040174F 6A 00 push 0
00401751 8B8D C4FEFFFF mov ecx,dword ptr ss:[ebp-13C]
00401757 E8 36060000 call <jmp.&MFC42.#6334> ; get the user name (author's annotation)
0040175C 8B8D C4FEFFFF mov ecx,dword ptr ss:[ebp-13C] ; [ebp-13C] is the object passed as `this` to the MFC calls above
00401762 8B51 60 mov edx,dword ptr ds:[ecx+60] ; +0x60: the user-name string (per the author's annotation; confirm)
00401765 8995 CCFEFFFF mov dword ptr ss:[ebp-134],edx
0040176B 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-11C] ; stack buffer that receives the expected code (2nd arg)
00401771 50 push eax
00401772 8B8D CCFEFFFF mov ecx,dword ptr ss:[ebp-134]
00401778 51 push ecx ; user name (1st arg)
00401779 E8 92FDFFFF call CrackMe.00401510 ; algorithm call, step into with F7
0040177E 83C4 08 add esp,8 ; cdecl: caller removes the two arguments
00401781 8B95 C4FEFFFF mov edx,dword ptr ss:[ebp-13C]
00401787 8B42 64 mov eax,dword ptr ds:[edx+64] ; +0x64: the registration code as typed (per the author's annotation; confirm)
0040178A 8985 C8FEFFFF mov dword ptr ss:[ebp-138],eax
00401790 8B8D C8FEFFFF mov ecx,dword ptr ss:[ebp-138] ; entered code
00401796 898D A8FEFFFF mov dword ptr ss:[ebp-158],ecx
0040179C 8D95 E4FEFFFF lea edx,dword ptr ss:[ebp-11C] ; expected code, already computed by 00401510 and sitting in plain text on the stack
004017A2 8995 A4FEFFFF mov dword ptr ss:[ebp-15C],edx
004017A8 8B85 A4FEFFFF mov eax,dword ptr ss:[ebp-15C] ; loop: compare expected and entered code byte by byte (unrolled, two bytes per pass)
004017AE 8A08 mov cl,byte ptr ds:[eax] ; cl = expected[i]
004017B0 888D A3FEFFFF mov byte ptr ss:[ebp-15D],cl
004017B6 8B95 A8FEFFFF mov edx,dword ptr ss:[ebp-158]
004017BC 3A0A cmp cl,byte ptr ds:[edx] ; expected[i] vs entered[i]
004017BE 75 46 jnz short CrackMe.00401806 ; mismatch: go compute the sign
004017C0 80BD A3FEFFFF 0>cmp byte ptr ss:[ebp-15D],0 ; both bytes are equal, so NUL here means both strings ended
004017C7 74 31 je short CrackMe.004017FA
004017C9 8B85 A4FEFFFF mov eax,dword ptr ss:[ebp-15C]
004017CF 8A48 01 mov cl,byte ptr ds:[eax+1] ; cl = expected[i+1]
004017D2 888D A2FEFFFF mov byte ptr ss:[ebp-15E],cl
004017D8 8B95 A8FEFFFF mov edx,dword ptr ss:[ebp-158]
004017DE 3A4A 01 cmp cl,byte ptr ds:[edx+1] ; expected[i+1] vs entered[i+1]
004017E1 75 23 jnz short CrackMe.00401806
004017E3 8385 A4FEFFFF 0>add dword ptr ss:[ebp-15C],2 ; advance both cursors by two bytes
004017EA 8385 A8FEFFFF 0>add dword ptr ss:[ebp-158],2
004017F1 80BD A2FEFFFF 0>cmp byte ptr ss:[ebp-15E],0 ; second byte NUL -> equal; otherwise keep looping
004017F8 ^ 75 AE jnz short CrackMe.004017A8
004017FA C785 9CFEFFFF 0>mov dword ptr ss:[ebp-164],0 ; result 0: the strings match
00401804 EB 0B jmp short CrackMe.00401811
00401806 1BC0 sbb eax,eax ; flags still from the failed cmp: eax = -1 if expected < entered, else 0
00401808 83D8 FF sbb eax,-1 ; -> -1 or +1, strcmp-style sign
0040180B 8985 9CFEFFFF mov dword ptr ss:[ebp-164],eax
00401811 8B8D 9CFEFFFF mov ecx,dword ptr ss:[ebp-164]
00401817 898D 98FEFFFF mov dword ptr ss:[ebp-168],ecx
0040181D 83BD 98FEFFFF 0>cmp dword ptr ss:[ebp-168],0 ; zero = match
00401824 75 07 jnz short CrackMe.0040182D
00401826 ^ E9 11FEFFFF jmp CrackMe.0040163C ; match path; the target is outside this listing
0040182B EB 05 jmp short CrackMe.00401832 ; not reached by fall-through; no jump to it is visible here
0040182D ^ E9 06FFFFFF jmp CrackMe.00401738 ; mismatch path; the target is outside this listing
00401832 8B4D F0 mov ecx,dword ptr ss:[ebp-10] ; epilogue
00401835 64:890D 0000000>mov dword ptr fs:[0],ecx ; restore the previous SEH frame head
0040183C 5F pop edi
0040183D 5E pop esi
0040183E 5B pop ebx
0040183F 8BE5 mov esp,ebp
00401841 5D pop ebp
00401842 C3 retn
5、可以很容易地发现这是明码比较(真码与假码逐字节比较),接着跟进算法 CALL;
00401510 /$ 83EC 08 sub esp,8 ; algorithm call
; CrackMe.00401510(name, out): for each byte of name writes two hex chars to out
; via sprintf("%02X"). Its first instruction (sub esp,8 at 00401510) is the line above.
00401513 |. 53 push ebx
00401514 |. 8B5C24 10 mov ebx,dword ptr ss:[esp+10] ; ebx = arg1: user-name pointer
00401518 |. 57 push edi
00401519 |. 8BFB mov edi,ebx
0040151B |. 83C9 FF or ecx,FFFFFFFF ; inlined strlen: ecx = -1, al = 0 ...
0040151E |. 33C0 xor eax,eax
00401520 |. F2:AE repne scas byte ptr es:[edi] ; ... scan to the NUL ...
00401522 |. F7D1 not ecx
00401524 |. 49 dec ecx ; ... ecx = strlen(name)
00401525 |. C64424 08 25 mov byte ptr ss:[esp+8],25 ; build "%02X\0" on the stack: '%'
0040152A |. 85C9 test ecx,ecx
0040152C |. C64424 09 30 mov byte ptr ss:[esp+9],30 ; '0'
00401531 |. C64424 0A 32 mov byte ptr ss:[esp+A],32 ; '2'
00401536 |. C64424 0B 58 mov byte ptr ss:[esp+B],58 ; 'X'
0040153B |. C64424 0C 00 mov byte ptr ss:[esp+C],0 ; NUL
00401540 |. 7E 34 jle short CrackMe.00401576 ; empty name: skip the loop, out is not written at all
00401542 |. 55 push ebp
00401543 |. 8B2D C8314000 mov ebp,dword ptr ds:[<&MSVCRT.sprintf>] ; msvcrt.sprintf
00401549 |. 56 push esi
0040154A |. 8B7424 20 mov esi,dword ptr ss:[esp+20] ; esi = arg2: output cursor
0040154E |. 8BF9 mov edi,ecx ; edi = remaining byte count
00401550 |> 33C0 /xor eax,eax
00401552 |. 8A03 |mov al,byte ptr ds:[ebx] ; al = name[i], a raw byte (multi-byte characters are processed byte by byte)
00401554 |. 8D0440 |lea eax,dword ptr ds:[eax+eax*2] ; eax = eax * 3
00401557 |. 99 |cdq
00401558 |. 2BC2 |sub eax,edx ; cdq/sub/sar is a signed divide by 2; eax is 0..765 here, so edx is 0
0040155A |. D1F8 |sar eax,1 ; arithmetic shift right by 1
0040155C |. 25 FF000000 |and eax,0FF ; keep only the low byte
00401561 |. 50 |push eax
00401562 |. 8D4424 14 |lea eax,dword ptr ss:[esp+14] ; the "%02X" built above
00401566 |. 50 |push eax
00401567 |. 56 |push esi
00401568 |. FFD5 |call ebp ; sprintf(out, "%02X", value)
0040156A |. 83C4 0C |add esp,0C
0040156D |. 83C6 02 |add esi,2 ; two hex chars per input byte; no bound on the output length is visible here, the caller's buffer size is outside this listing
00401570 |. 43 |inc ebx
00401571 |. 4F |dec edi
00401572 |.^ 75 DC \jnz short CrackMe.00401550
00401574 |. 5E pop esi
00401575 |. 5D pop ebp
00401576 |> 5F pop edi
00401577 |. 5B pop ebx
00401578 |. 83C4 08 add esp,8
0040157B \. C3 retn
6、算法部分:将用户名的每一个字节的 ASCII 值乘以 3,得到的结果算术右移一位,再与 0xFF 做与运算只保留低 8 位,然后格式化为两位十六进制字符串(%02X),最后依次连接起来。
7、下面给出Delphi的注册机源码
用户名:小试锋芒
注册码:38F12F3E125924F3
unit Unit1;
interface

uses
  { VCL units used by the form; jpeg is presumably there for img1's picture - confirm in Unit1.dfm }
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, Menus, jpeg, ExtCtrls, Buttons;
type
  { The keygen's single form. Components and handlers are bound from Unit1.dfm
    by the form designer, so their names must stay as they are. }
  TForm1 = class(TForm)
    img1: TImage;      // image shown on the form
    grp1: TGroupBox;
    lbl1: TLabel;
    Edit1: TEdit;      // user-name input (read by btn1Click)
    lbl3: TLabel;
    btn1: TBitBtn;     // generate button (presumably wired to btn1Click in the .dfm)
    lbl2: TLabel;
    Edit2: TEdit;      // generated registration code (written by btn1Click)
    procedure Edit1Click(Sender: TObject);
    procedure btn1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;
var
  Form1: TForm1; // form instance; presumably auto-created by the project file

implementation

{$R *.dfm} // links the designer resource Unit1.dfm
{ Empties the user-name box; presumably bound to Edit1's OnClick in the .dfm. }
procedure TForm1.Edit1Click(Sender: TObject);
begin
Edit1.Clear;
end;
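{ Computes the registration code for the name in Edit1 and shows it in Edit2.
  The target routine (CrackMe.00401510) walks the raw bytes of the user name,
  so the name is taken as AnsiString: on Delphi 7 this is the plain string type,
  on Unicode Delphi the implicit conversion yields the ANSI code-page bytes
  (GBK for the Chinese sample name), matching what the target compares. }
procedure TForm1.btn1Click(Sender: TObject);
var
  UserName: AnsiString;
  RegCode: string;
  Idx: Integer;
  Digit: Integer;
begin
  UserName := AnsiString(Edit1.Text);
  RegCode := '';
  // One output byte per input byte: ((b * 3) >> 1) and $FF, rendered as "%02X".
  // The target uses an arithmetic shift, but 3 * b is never negative (0..765),
  // so shr gives the same value; this drops the inline asm, which the Win64
  // compiler does not accept inside a Pascal procedure.
  for Idx := 1 to Length(UserName) do
  begin
    Digit := ((Byte(UserName[Idx]) * 3) shr 1) and $FF;
    RegCode := RegCode + IntToHex(Digit, 2);
  end;
  // Empty name: the loop does not run and Edit2 is cleared.
  Edit2.Text := RegCode;
end;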
end.