本帖最后由 L4Nce 于 2014-10-24 22:41 编辑
听说第二题无解, 直接将分析发出来吧
通过分析字符串,可以快速到达关键call
address=00401B50
00401C5B |> \8D4424 3C lea eax,dword ptr ss:[esp+0x3C] //此处eax指向码表的地址
00401C5F |. E8 4C020000 call CrackMe2.00401EB0 //经过此call 后生成一个码表
生成一个不是E就是F的表
大小为0x654
我定义它为 int iBIAO[0x195]
具体如下
细心观察能发现，每隔 5 个必定是 EE FF EE FF
然后就是此处了
00401C70 |> /0FBE843C 9806>/movsx eax,byte ptr ss:[esp+edi+0x698] //依次取出用户名
00401C78 |. |8BC8 |mov ecx,eax
00401C7A |. |C1F9 04 |sar ecx,0x4 ///对ascii码进行运算
00401C7D |. |83E1 0F |and ecx,0xF
00401C80 |. |83E0 0F |and eax,0xF
00401C83 |. |8BF0 |mov esi,eax
00401C85 |. |83F9 09 |cmp ecx,0x9
00401C88 |. |76 0E |jbe short CrackMe2.00401C98
00401C8A |. |B8 398EE338 |mov eax,0x38E38E39
00401C8F |. |F7E1 |mul ecx
00401C91 |. |D1EA |shr edx,1
00401C93 |. |6BD2 F7 |imul edx,edx,-0x9
00401C96 |. |03CA |add ecx,edx
00401C98 |> |83FE 09 |cmp esi,0x9
00401C9B |. |76 0E |jbe short CrackMe2.00401CAB
00401C9D |. |B8 398EE338 |mov eax,0x38E38E39
00401CA2 |. |F7E6 |mul esi
00401CA4 |. |D1EA |shr edx,1
00401CA6 |. |6BD2 F7 |imul edx,edx,-0x9
00401CA9 |. |03F2 |add esi,edx
00401CAB |> |8D04CE |lea eax,dword ptr ds:[esi+ecx*8]
00401CAE |. |03C1 |add eax,ecx
00401CB0 |. |47 |inc edi
00401CB1 |. |8D1480 |lea edx,dword ptr ds:[eax+eax*4] //注意这句 eax*5
00401CB4 |. |894C24 30 |mov dword ptr ss:[esp+0x30],ecx
00401CB8 |. |897424 34 |mov dword ptr ss:[esp+0x34],esi
00401CBC |. |C74494 3C FFE>|mov dword ptr ss:[esp+edx*4+0x3C],0xEEFFEEFF //运算后的结果赋值进码表
00401CC4 |. |3BFB |cmp edi,ebx
00401CC6 |.^\7C A8 \jl short CrackMe2.00401C70
从此处开始 ESP+0X3C指向的是iBIAO[0]
所以
00401CBC |. |C74494 3C FFE>|mov dword ptr ss:[esp+edx*4+0x3C],0xEEFFEEFF
相当于 iBIAO[edx] // int 为 4 字节
注意00401CB1 此句代码,所以edx必然为5的倍数.
粗略翻译成 C++（代码很粗糙，别吐槽），没有对码表进行初始化：
UpdateData(TRUE);                       // MFC DDX: copy the dialog controls into the member variables (m_cstr_user, m_cstr_key)
int iBiao[0x195];                       // the "code table": 0x654 bytes == 0x195 dwords, sitting at [esp+0x3C] in the binary
CString cstr_tmp;
char ca=0;                              // current user-name byte; signed, like the `movsx` in the listing
int iesi,iecx,i,itmp;                   // named after the registers they stand in for
m_cstr_key="";
for (i=0;i<0x51;i++) // seed the table: every 5th dword gets the EE FF EE FF pattern (0xFFEEFFEE as a little-endian dword); the other slots stay uninitialised here
{
	iBiao[5*i]=0xffeeffee;
}
for (i=0;i<=m_cstr_user.GetLength();i++) // for each user-name byte, overwrite one table slot with the "wrong" marker value
// NOTE(review): the listing loops with `cmp edi,ebx / jl` (strictly less); `<=` also visits index GetLength() -- confirm which bound is intended
{
	ca=m_cstr_user[i];                  // movsx eax,byte ptr [esp+edi+0x698]
	iecx=ca;
	iesi=ca;
	iecx>>=4;                           // high nibble (arithmetic shift, as `sar ecx,4`)
	iecx&=0xf;
	iesi&=0xf;                          // low nibble
	if (iecx>9)                         // mul 0x38E38E39 / shr edx,1 / imul edx,-9 / add == x - 9*(x/9), i.e. x % 9
	{
		itmp=iecx;
		itmp=itmp/9;
		itmp=itmp*-9;
		iecx+=itmp;
	}
	if (iesi>9)                         // same reduction for the low nibble
	{
		itmp=iesi;
		itmp=itmp/9;
		itmp=itmp*-9;
		iesi+=itmp;
	}
	itmp=iesi+iecx*8;                   // lea eax,[esi+ecx*8]
	itmp+=iecx;                         // add eax,ecx -> low + 9*high
	itmp*=5;                            // lea edx,[eax+eax*4] -> the slot index is always a multiple of 5
	iBiao[itmp]=0xeeffeeff;             // mov dword ptr [esp+edx*4+0x3C],0xEEFFEEFF
	// NOTE(review): a high nibble of 9 (bytes 0x90..0x9F) gives itmp up to 450 > 0x195, past the end of iBiao -- confirm whether such input is reachable
}
下面就是对注册码进行处理了
00401CD0 |. /0F8E BD000000 jle CrackMe2.00401D93
00401CD6 |. |BB FEFEFEFE mov ebx,0xFEFEFEFE
00401CDB |. |EB 03 jmp short CrackMe2.00401CE0
00401CDD | |8D49 00 lea ecx,dword ptr ds:[ecx]
00401CE0 |> |0FBE843C A406>/movsx eax,byte ptr ss:[esp+edi+0x6A4]
00401CE8 |. |8BC8 |mov ecx,eax
00401CEA |. |C1F9 04 |sar ecx,0x4
00401CED |. |83E1 0F |and ecx,0xF
00401CF0 |. |83E0 0F |and eax,0xF
00401CF3 |. |8BF0 |mov esi,eax
00401CF5 |. |83F9 09 |cmp ecx,0x9
00401CF8 |. |76 0E |jbe short CrackMe2.00401D08
00401CFA |. |B8 398EE338 |mov eax,0x38E38E39
00401CFF |. |F7E1 |mul ecx
00401D01 |. |D1EA |shr edx,1
00401D03 |. |6BD2 F7 |imul edx,edx,-0x9
00401D06 |. |03CA |add ecx,edx
00401D08 |> |83FE 09 |cmp esi,0x9
00401D0B |. |76 0E |jbe short CrackMe2.00401D1B
00401D0D |. |B8 398EE338 |mov eax,0x38E38E39
00401D12 |. |F7E6 |mul esi
00401D14 |. |D1EA |shr edx,1
00401D16 |. |6BD2 F7 |imul edx,edx,-0x9
00401D19 |. |03F2 |add esi,edx
00401D1B |> |8D04CE |lea eax,dword ptr ds:[esi+ecx*8]
00401D1E |. |03C1 |add eax,ecx
00401D20 |. |8D0C80 |lea ecx,dword ptr ds:[eax+eax*4]
00401D23 |. |03C9 |add ecx,ecx
00401D25 |. |03C9 |add ecx,ecx
00401D27 |. |395C0C 40 |cmp dword ptr ss:[esp+ecx+0x40],ebx
00401D2B |. |74 10 |je short CrackMe2.00401D3D
00401D2D |. |8D5480 D3 |lea edx,dword ptr ds:[eax+eax*4-0x2D]
00401D31 |. |817494 3C 111>|xor dword ptr ss:[esp+edx*4+0x3C],0x11111111
00401D39 |. |8D5494 3C |lea edx,dword ptr ss:[esp+edx*4+0x3C]
00401D3D |> |395C0C 44 |cmp dword ptr ss:[esp+ecx+0x44],ebx
00401D41 |. |74 15 |je short CrackMe2.00401D58
00401D43 |. |8D5480 D3 |lea edx,dword ptr ds:[eax+eax*4-0x2D]
00401D47 |. |8B5494 3C |mov edx,dword ptr ss:[esp+edx*4+0x3C]
00401D4B |. |81F2 11111111 |xor edx,0x11111111
00401D51 |. |89940C F00000>|mov dword ptr ss:[esp+ecx+0xF0],edx
00401D58 |> |395C0C 48 |cmp dword ptr ss:[esp+ecx+0x48],ebx
00401D5C |. |74 12 |je short CrackMe2.00401D70
00401D5E |. |8D5480 D3 |lea edx,dword ptr ds:[eax+eax*4-0x2D]
00401D62 |. |8B5494 3C |mov edx,dword ptr ss:[esp+edx*4+0x3C]
00401D66 |. |81F2 11111111 |xor edx,0x11111111
00401D6C |. |89540C 28 |mov dword ptr ss:[esp+ecx+0x28],edx
00401D70 |> |395C0C 4C |cmp dword ptr ss:[esp+ecx+0x4C],ebx
00401D74 |. |74 12 |je short CrackMe2.00401D88
00401D76 |. |8D4480 D3 |lea eax,dword ptr ds:[eax+eax*4-0x2D]
00401D7A |. |8B5484 3C |mov edx,dword ptr ss:[esp+eax*4+0x3C]
00401D7E |. |81F2 11111111 |xor edx,0x11111111
00401D84 |. |89540C 50 |mov dword ptr ss:[esp+ecx+0x50],edx
00401D88 |> |47 |inc edi
00401D89 |. |3B7C24 10 |cmp edi,dword ptr ss:[esp+0x10] //注意这里,貌似不是和注册码的长度相等的 所以他会再往后面读取未知字节
00401D8D |.^|0F8C 4DFFFFFF \jl CrackMe2.00401CE0
注意此处
00401D89 |. |3B7C24 10 |cmp edi,dword ptr ss:[esp+0x10] //注意这里,貌似不是和注册码的长度相等的 所以他会再往后面读取未知字节
貌似是注册码长度 + 4
大致翻译一下，可能有错：
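for (i=0;i<=m_cstr_key.GetLength();i++) // one pass per key byte (movsx eax,byte ptr [esp+edi+0x6A4]); per the note above the binary's bound at [esp+0x10] seems to exceed the key length and reads past the string -- here we stop at the terminator
{
	int iebx=0xfefefefe,ieax,iedx;      // ebx holds the sentinel the four compares below test against
	ca=m_cstr_key[i];                   // the listing reads the key buffer here; the original never refreshed `ca` and kept the last user-name byte (assumes m_cstr_key holds the candidate key at this point -- it is cleared earlier in this routine, confirm)
	iecx=ca;
	iecx>>=4;                           // high nibble (sar ecx,4)
	iesi=ca;
	iecx&=0xf;
	iesi&=0xf;                          // low nibble
	if(iecx>9){                         // mul 0x38E38E39 / shr edx,1 / imul edx,-9 / add == x % 9
		itmp=iecx;
		itmp=itmp/9;
		itmp=itmp*-9;
		iecx=iecx+itmp;
	}
	if(iesi>9){                         // same reduction for the low nibble
		itmp=iesi;
		itmp=itmp/9;
		itmp=itmp*-9;
		iesi=iesi+itmp;
	}
	itmp=iesi+iecx*8;
	itmp+=iecx;                         // eax = low + 9*high
	ieax=itmp;
	itmp=itmp*5;                        // ecx = eax*5, then `add ecx,ecx` twice -> byte offset itmp*4, i.e. the slot iBiao[itmp] the first loop wrote
	iedx=ieax*5-0x2d;                   // lea edx,[eax+eax*4-0x2D]; negative for ieax < 9 (key bytes 0x00..0x08), which indexes before iBiao[0]
	if (iBiao[itmp+0x1]!=iebx)          // cmp [esp+ecx+0x40],ebx -> (0x40-0x3C)/4 == +1; the original indexed with iecx/4 (the nibble) instead of the slot
	{
		iBiao[iedx]^=0x11111111;        // xor dword ptr [esp+edx*4+0x3C],0x11111111
	}
	if (iBiao[itmp+0x2]!=iebx)          // cmp [esp+ecx+0x44],ebx
	{
		iBiao[itmp+0x2d]=iBiao[iedx]^0x11111111;   // mov [esp+ecx+0xF0],edx -> (0xF0-0x3C)/4 == 0x2D; runs past iBiao[0x194] for large ieax
	}
	if (iBiao[itmp+0x3]!=iebx)          // cmp [esp+ecx+0x48],ebx
	{
		iBiao[itmp-5]=iBiao[iedx]^0x11111111;      // mov [esp+ecx+0x28],edx -> (0x28-0x3C)/4 == -5; below iBiao[0] when ieax == 0
	}
	if (iBiao[itmp+0x4]!=iebx)          // cmp [esp+ecx+0x4C],ebx
	{
		iBiao[itmp+5]=iBiao[iedx]^0x11111111;      // mov [esp+ecx+0x50],edx -> (0x50-0x3C)/4 == +5
	}
}
// The checksum loop (00401DA0..00401E4B) runs after the key loop, not inside it:
// 3 rounds x 27 adds == 0x51 dwords, every 5th slot of the table.
unsigned int isum=0;                    // 32-bit wrap-around, like `add ecx,esi`
for (int j=0;j<0x51;j++){               // own index: the original reused `i` (clobbering the outer loop) and ran to <=0x51, one slot past the 0x195-dword table
	isum+=iBiao[5*j];
}
if (isum==0xFA9EFA4E)                   // the original literal `0x0xFA9EFA4E` does not compile
{
	MessageBox("GOOD!");
}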
}
可以看出，如果 iecx 为 0 或负数，iebx=iBiao[iecx/4-5]; 就可能越界！
越界取出的值 再也不是E 或者F了
后面就是循环3次相加码表的值了
00401D9C |. 8D51 03 lea edx,dword ptr ds:[ecx+0x3]
00401D9F |. 90 nop
00401DA0 |> 8BB0 74FFFFFF /mov esi,dword ptr ds:[eax-0x8C]
00401DA6 |. 0370 88 |add esi,dword ptr ds:[eax-0x78]
00401DA9 |. 05 1C020000 |add eax,0x21C
00401DAE |. 03B0 80FDFFFF |add esi,dword ptr ds:[eax-0x280]
00401DB4 |. 03B0 94FDFFFF |add esi,dword ptr ds:[eax-0x26C]
00401DBA |. 03B0 A8FDFFFF |add esi,dword ptr ds:[eax-0x258]
00401DC0 |. 03B0 BCFDFFFF |add esi,dword ptr ds:[eax-0x244]
00401DC6 |. 03B0 D0FDFFFF |add esi,dword ptr ds:[eax-0x230]
00401DCC |. 03B0 F8FDFFFF |add esi,dword ptr ds:[eax-0x208]
00401DD2 |. 03B0 E4FDFFFF |add esi,dword ptr ds:[eax-0x21C]
00401DD8 |. 03CE |add ecx,esi
00401DDA |. 8BB0 ACFEFFFF |mov esi,dword ptr ds:[eax-0x154]
00401DE0 |. 03B0 98FEFFFF |add esi,dword ptr ds:[eax-0x168]
00401DE6 |. 03B0 84FEFFFF |add esi,dword ptr ds:[eax-0x17C]
00401DEC |. 03B0 70FEFFFF |add esi,dword ptr ds:[eax-0x190]
00401DF2 |. 03B0 5CFEFFFF |add esi,dword ptr ds:[eax-0x1A4]
00401DF8 |. 03B0 48FEFFFF |add esi,dword ptr ds:[eax-0x1B8]
00401DFE |. 03B0 34FEFFFF |add esi,dword ptr ds:[eax-0x1CC]
00401E04 |. 03B0 20FEFFFF |add esi,dword ptr ds:[eax-0x1E0]
00401E0A |. 03B0 0CFEFFFF |add esi,dword ptr ds:[eax-0x1F4]
00401E10 |. 03CE |add ecx,esi
00401E12 |. 8BB0 60FFFFFF |mov esi,dword ptr ds:[eax-0xA0]
00401E18 |. 03B0 4CFFFFFF |add esi,dword ptr ds:[eax-0xB4]
00401E1E |. 03B0 38FFFFFF |add esi,dword ptr ds:[eax-0xC8]
00401E24 |. 03B0 24FFFFFF |add esi,dword ptr ds:[eax-0xDC]
00401E2A |. 03B0 10FFFFFF |add esi,dword ptr ds:[eax-0xF0]
00401E30 |. 03B0 FCFEFFFF |add esi,dword ptr ds:[eax-0x104]
00401E36 |. 03B0 E8FEFFFF |add esi,dword ptr ds:[eax-0x118]
00401E3C |. 03B0 D4FEFFFF |add esi,dword ptr ds:[eax-0x12C]
00401E42 |. 03B0 C0FEFFFF |add esi,dword ptr ds:[eax-0x140]
00401E48 |. 03CE |add ecx,esi
00401E4A |. 4A |dec edx
00401E4B |.^ 0F85 4FFFFFFF \jnz CrackMe2.00401DA0
这里我大胆地用原始表格的值覆盖回去，果断相加出了正确的值
其实慢慢看代码发现其实就相加
isum+=iBiao[5*i]; 5的倍数.
所以其他都是混乱视线的.
一开始我从 0x00 到 0xFF 一直遍历，结果貌似都没有找到可用的组合，能在他检测注册码的时候还原原来的值。估计注册码检测算法写错了，或者我数学能力不够。
听说写错了 我发出分析吧
时间不够，可能有些地方写错，欢迎指正~
keygenmeforblack.rar
(13.23 KB, 下载次数: 30)
附上代码 可能有错~