[暑假活动后续] 追码+爆破 之 第一个Crackme
本帖最后由 Kris 于 2011-8-11 22:57 编辑
[ 破文标题 ] 追码+爆破 之 第一个Crackme
[ 破文作者 ] Kris
[ 作者邮箱 ] ZzhEMail@Foxmail.Com
[ 破解工具 ] OD,LordPE
[ 破解平台 ] Windows Xp
[ 软件名称 ] 第一个Crackme
[ 原版下载 ] http://www.52pojie.cn/thread-101696-1-1.html
[ 破解声明 ] 仅供交流学习技术,若教程中有不对之处,希望各位大大及时指正!
破解过程:
1.
载入OD并运行,随意输入用户名和注册码,点击确定,发现没有任何反应,于是查找字符串
发现关键字符串
双击来到汇编代码,向上找到该函数的开头(00401B80),在首条指令下断点:引用成功提示字符串的代码,很可能就是按钮事件中验证注册码是否正确的代码
2.
下断之后再次点击确定按钮,将中断于此.接下来就是分析代码了
; --- OllyDbg listing of the "OK" button handler (thiscall: `this` arrives in ecx, copied to edi).
; The paste lost the [..] of memory operands: read "fs:" as fs:[0], "mov ,edi" as mov [ebp-24],edi, etc.
; Net effect, from the compare loop at 00401D50: the serial must equal username + "52pojie",
; compared as 16-bit (UTF-16) units. The suffix sits in cleartext at 00550780, which is why a
; string search found this function; knowing the rule, a keygen is the clean solution, the
; je at 00401D82 is the patch target.
00401B80/.55 push ebp
00401B81|.8BEC mov ebp,esp
00401B83|.6A FF push -0x1 ; SEH frame: try-level -1, handler, previous fs:[0] (MSVC pattern)
00401B85|.68 E33B5200 push crackme.00523BE3
00401B8A|.64:A1 0000000>mov eax,dword ptr fs:
00401B90|.50 push eax
00401B91|.83EC 18 sub esp,0x18 ; locals
00401B94|.53 push ebx
00401B95|.56 push esi
00401B96|.57 push edi
00401B97|.A1 10FE5600 mov eax,dword ptr ds: ; looks like the /GS stack cookie: global ^ ebp pushed on the frame
00401B9C|.33C5 xor eax,ebp
00401B9E|.50 push eax
00401B9F|.8D45 F4 lea eax, ; register the SEH frame at fs:[0]
00401BA2|.64:A3 0000000>mov dword ptr fs:,eax
00401BA8|.8BA8 mov edi,ecx ; edi = this (reloaded from the frame at 00401CF3)
00401BAA|.897D DC mov ,edi
00401BAD|.E8 8B520000 call crackme.00406E3D ; returns an object pointer; NULL is treated as failure below
00401BB2|.33C9 xor ecx,ecx
00401BB4|.33DB xor ebx,ebx ; ebx = 0 for the rest of the function (zero/NULL register)
00401BB6|.3BC3 cmp eax,ebx
00401BB8|.0F95C1 setne cl
00401BBB|.3BCB cmp ecx,ebx
00401BBD|.75 0A jnz Xcrackme.00401BC9
00401BBF|.68 05400080 push 0x80004005 ; 0x80004005 = E_FAIL, handed to 00401580 (presumably a throw helper)
00401BC4|.E8 B7F9FFFF call crackme.00401580
00401BC9|>8B10 mov edx,dword ptr ds: ; virtual call through slot +0xC, result +0x10 kept in [ebp-14]
00401BCB|.8BC8 mov ecx,eax
00401BCD|.8B42 0C mov eax,dword ptr ds:
00401BD0|.FFD0 call eax
00401BD2|.83C0 10 add eax,0x10
00401BD5|.8945 EC mov ,eax ; [ebp-14]: later receives the username (see 00401C04..00401C1A)
00401BD8|.895D FC mov ,ebx ; try-level 0
00401BDB|.E8 5D520000 call crackme.00406E3D ; same acquire/check sequence a second time
00401BE0|.33C9 xor ecx,ecx
00401BE2|.3BC3 cmp eax,ebx
00401BE4|.0F95C1 setne cl
00401BE7|.3BCB cmp ecx,ebx
00401BE9|.75 0A jnz Xcrackme.00401BF5
00401BEB|.68 05400080 push 0x80004005 ; E_FAIL
00401BF0|.E8 8BF9FFFF call crackme.00401580
00401BF5|>8B10 mov edx,dword ptr ds:
00401BF7|.8BC8 mov ecx,eax
00401BF9|.8B42 0C mov eax,dword ptr ds:
00401BFC|.FFD0 call eax
00401BFE|.83C0 10 add eax,0x10
00401C01|.8945 F0 mov ,eax ; [ebp-10]: later receives the serial (see 00401C1F..00401C31)
00401C04|.8D4D EC lea ecx, ; args: &[ebp-14], control id 0x3E8 (1000), this
00401C07|.51 push ecx
00401C08|.68 E8030000 push 0x3E8
00401C0D|.8BCF mov ecx,edi
00401C0F|.C645 FC 01 mov byte ptr ss:,0x1 ; try-level 1
00401C13|.E8 69020100 call crackme.00411E81
00401C18|.8BC8 mov ecx,eax
00401C1A|.E8 BFE10000 call crackme.0040FDDE ; per the writeup: reads the username (control 0x3E8) into the string at [ebp-14]
00401C1F|.8D55 F0 lea edx, ; same for control id 0x3E9 (1001) into [ebp-10]
00401C22|.52 push edx
00401C23|.68 E9030000 push 0x3E9
00401C28|.8BCF mov ecx,edi
00401C2A|.E8 52020100 call crackme.00411E81
00401C2F|.8BC8 mov ecx,eax
00401C31|.E8 A8E10000 call crackme.0040FDDE ; per the writeup: reads the serial (control 0x3E9) into the string at [ebp-10]
00401C36|.6A 0C push 0xC ; allocate a 12-byte object (0040269F looks like operator new; caller cleans the arg)
00401C38|.E8 620A0000 call crackme.0040269F
00401C3D|.8BF0 mov esi,eax
00401C3F|.83C4 04 add esp,0x4
00401C42|.8975 E0 mov ,esi
00401C45|.C645 FC 02 mov byte ptr ss:,0x2 ; try-level 2
00401C49|.3BF3 cmp esi,ebx
00401C4B|.74 18 je Xcrackme.00401C65 ; allocation failed -> esi stays 0
00401C4D|.68 80075500 push crackme.00550780 ;ASCII "52pojie" ; the hard-coded suffix, stored in cleartext
00401C52|.895E 04 mov dword ptr ds:,ebx ; obj+4 = 0
00401C55|.C746 08 01000>mov dword ptr ds:,0x1 ; obj+8 = 1 (reference count, judging by the lock xadd/InterlockedDecrement use below)
00401C5C|.E8 8F5E1100 call crackme.00517AF0 ; writeup's reading: converts "52pojie" to UTF-16, since the inputs are compared as 16-bit units below
00401C61|.8906 mov dword ptr ds:,eax ; obj+0 = converted string
00401C63|.EB 02 jmp Xcrackme.00401C67
00401C65|>33F6 xor esi,esi
00401C67|>C645 FC 01 mov byte ptr ss:,0x1
00401C6B|.8975 E0 mov ,esi
00401C6E|.3BF3 cmp esi,ebx
00401C70|.75 0A jnz Xcrackme.00401C7C
00401C72|.68 0E000780 push 0x8007000E ; 0x8007000E = E_OUTOFMEMORY
00401C77|.E8 545E1100 call crackme.00517AD0
00401C7C|>8D45 E0 lea eax, ; 004020B0(&[ebp-20], &[ebp-18]) with ecx = username string
00401C7F|.50 push eax
00401C80|.8D4D E8 lea ecx,
00401C83|.C645 FC 03 mov byte ptr ss:,0x3
00401C87|.51 push ecx
00401C88|.8B4D EC mov ecx,
00401C8B|.E8 20040000 call crackme.004020B0 ; per the writeup: string concatenation, result object in [ebp-18]
00401C90|.83C4 08 add esp,0x8
00401C93|.C645 FC 04 mov byte ptr ss:,0x4
00401C97|.8B00 mov eax,dword ptr ds:
00401C99|.3BC3 cmp eax,ebx
00401C9B|.74 04 je Xcrackme.00401CA1
00401C9D|.8B00 mov eax,dword ptr ds: ; eax = username + "52pojie" (writeup's reading of the 004020B0 result)
00401C9F|.EB 02 jmp Xcrackme.00401CA3
00401CA1|>33C0 xor eax,eax
00401CA3|>50 push eax
00401CA4|.8D4D E4 lea ecx, ; builds [ebp-1C] from that buffer: the expected value used by the compare loop
00401CA7|.E8 64060000 call crackme.00402310
00401CAC|.C645 FC 06 mov byte ptr ss:,0x6
00401CB0|.8B45 E8 mov eax, ; --- release the concatenation temporary [ebp-18] ---
00401CB3|.3BC3 cmp eax,ebx
00401CB5|.8B1D 1C645200 mov ebx,dword ptr ds:[<&KERNEL32.Interlo>;kernel32.InterlockedDecrement ; NOTE: ebx is no longer zero from here on
00401CBB|.74 40 je Xcrackme.00401CFD
00401CBD|.8BF8 mov edi,eax
00401CBF|.83C0 08 add eax,0x8
00401CC2|.50 push eax ; /pVar ; obj+8 refcount
00401CC3|.FFD3 call ebx ; \InterlockedDecrement
00401CC5|.85C0 test eax,eax
00401CC7|.75 2A jnz Xcrackme.00401CF3 ; still referenced elsewhere -> skip the frees
00401CC9|.85FF test edi,edi
00401CCB|.74 26 je Xcrackme.00401CF3
00401CCD|.8B07 mov eax,dword ptr ds:
00401CCF|.85C0 test eax,eax
00401CD1|.74 07 je Xcrackme.00401CDA
00401CD3|.50 push eax
00401CD4|.FF15 80645200 call dword ptr ds:[<&OLEAUT32.#6>] ;OLEAUT32.SysFreeString ; obj+0 is a BSTR
00401CDA|>8B47 04 mov eax,dword ptr ds:
00401CDD|.85C0 test eax,eax
00401CDF|.74 09 je Xcrackme.00401CEA
00401CE1|.50 push eax
00401CE2|.E8 E7090000 call crackme.004026CE ; free obj+4 (004026CE presumably operator delete / free)
00401CE7|.83C4 04 add esp,0x4
00401CEA|>57 push edi
00401CEB|.E8 DE090000 call crackme.004026CE ; free the object itself
00401CF0|.83C4 04 add esp,0x4
00401CF3|>8B7D DC mov edi, ; edi = this again
00401CF6|.C745 E8 00000>mov ,0x0
00401CFD|>8D56 08 lea edx,dword ptr ds: ; --- release the "52pojie" temporary (esi), same teardown ---
00401D00|.52 push edx
00401D01|.C645 FC 07 mov byte ptr ss:,0x7
00401D05|.FFD3 call ebx ; InterlockedDecrement(&esi->refcount)
00401D07|.85C0 test eax,eax
00401D09|.75 26 jnz Xcrackme.00401D31
00401D0B|.8B06 mov eax,dword ptr ds:
00401D0D|.85C0 test eax,eax
00401D0F|.74 07 je Xcrackme.00401D18
00401D11|.50 push eax
00401D12|.FF15 80645200 call dword ptr ds:[<&OLEAUT32.#6>] ;OLEAUT32.SysFreeString
00401D18|>8B46 04 mov eax,dword ptr ds:
00401D1B|.85C0 test eax,eax
00401D1D|.74 09 je Xcrackme.00401D28
00401D1F|.50 push eax
00401D20|.E8 A9090000 call crackme.004026CE
00401D25|.83C4 04 add esp,0x4
00401D28|>56 push esi
00401D29|.E8 A0090000 call crackme.004026CE
00401D2E|.83C4 04 add esp,0x4
00401D31|>8B75 E4 mov esi, ; esi = expected string (username + "52pojie"); NULL -> E_FAIL
00401D34|.33C0 xor eax,eax
00401D36|.85F6 test esi,esi
00401D38|.0F95C0 setne al
00401D3B|.85C0 test eax,eax
00401D3D|.75 0A jnz Xcrackme.00401D49
00401D3F|.68 05400080 push 0x80004005 ; E_FAIL
00401D44|.E8 37F8FFFF call crackme.00401580
00401D49|>8B45 F0 mov eax, ; eax = serial (user input), ecx = expected; inline wide-string compare follows
00401D4C|.8BCE mov ecx,esi
00401D4E|.8BFF mov edi,edi ; 2-byte nop (loop-head padding)
00401D50|>66:8B10 /mov dx,word ptr ds: ; dx = next 16-bit unit of the serial (a UTF-16 code unit, not a byte)
00401D53|.66:3B11 |cmp dx,word ptr ds: ; compare with the same unit of the expected string
00401D56|.75 1E |jnz Xcrackme.00401D76 ; mismatch -> leave the loop with eax != 0
00401D58|.66:85D2 |test dx,dx
00401D5B|.74 15 |je Xcrackme.00401D72 ; both hit the NUL terminator -> equal
00401D5D|.66:8B50 02 |mov dx,word ptr ds: ; same compare on the second unit (loop unrolled by 2)
00401D61|.66:3B51 02 |cmp dx,word ptr ds:
00401D65|.75 0F |jnz Xcrackme.00401D76
00401D67|.83C0 04 |add eax,0x4 ; advance both pointers by two 16-bit units
00401D6A|.83C1 04 |add ecx,0x4
00401D6D|.66:85D2 |test dx,dx
00401D70|.^ 75 DE \jnz Xcrackme.00401D50 ; loop until NUL: the key is valid iff serial == username + "52pojie"
00401D72|>33C0 xor eax,eax ; equal -> 0
00401D74|.EB 05 jmp Xcrackme.00401D7B
00401D76|>1BC0 sbb eax,eax ; mismatch -> -1 or +1 from CF of the last cmp (wcscmp-style result)
00401D78|.83D8 FF sbb eax,-0x1
00401D7B|>85C0 test eax,eax
00401D7D|.0F94C0 sete al ; al = 1 only when the strings matched
00401D80|.84C0 test al,al
00401D82|.74 13 je Xcrackme.00401D97 ; key jump: taken on mismatch, skipping the success call. Patch 74 13 -> 90 90 to force the success path
00401D84|.6A 00 push 0x0 ; success path: 0040DA73(this, string at 00550788, 0, 0); the string's text is not shown in this listing
00401D86|.6A 00 push 0x0
00401D88|.68 88075500 push crackme.00550788
00401D8D|.8BCF mov ecx,edi
00401D8F|.E8 DFBC0000 call crackme.0040DA73
00401D94|.8B75 E4 mov esi,
00401D97|>8D46 F0 lea eax,dword ptr ds: ; --- release [ebp-1C]: refcount at +0xC decremented; at 0, call slot +4 of its vtable ---
00401D9A|.C645 FC 01 mov byte ptr ss:,0x1
00401D9E|.8D48 0C lea ecx,dword ptr ds:
00401DA1|.83CA FF or edx,0xFFFFFFFF
00401DA4|.F0:0FC111 lock xadd dword ptr ds:,edx ; atomic decrement, edx = old value
00401DA8|.4A dec edx
00401DA9|.85D2 test edx,edx
00401DAB|.7F 0A jg Xcrackme.00401DB7
00401DAD|.8B08 mov ecx,dword ptr ds:
00401DAF|.8B11 mov edx,dword ptr ds:
00401DB1|.50 push eax
00401DB2|.8B42 04 mov eax,dword ptr ds:
00401DB5|.FFD0 call eax
00401DB7|>C645 FC 00 mov byte ptr ss:,0x0
00401DBB|.8B45 F0 mov eax, ; --- release the serial string [ebp-10] (object base = ptr - 0x10), same pattern ---
00401DBE|.83C0 F0 add eax,-0x10
00401DC1|.8D48 0C lea ecx,dword ptr ds:
00401DC4|.83CA FF or edx,0xFFFFFFFF
00401DC7|.F0:0FC111 lock xadd dword ptr ds:,edx
00401DCB|.4A dec edx
00401DCC|.85D2 test edx,edx
00401DCE|.7F 0A jg Xcrackme.00401DDA
00401DD0|.8B08 mov ecx,dword ptr ds:
00401DD2|.8B11 mov edx,dword ptr ds:
00401DD4|.50 push eax
00401DD5|.8B42 04 mov eax,dword ptr ds:
00401DD8|.FFD0 call eax
00401DDA|>C745 FC FFFFF>mov ,-0x1 ; try-level -1: no live objects to unwind
00401DE1|.8B45 EC mov eax, ; --- release the username string [ebp-14], same pattern ---
00401DE4|.83C0 F0 add eax,-0x10
00401DE7|.8D48 0C lea ecx,dword ptr ds:
00401DEA|.83CA FF or edx,0xFFFFFFFF
00401DED|.F0:0FC111 lock xadd dword ptr ds:,edx
00401DF1|.4A dec edx
00401DF2|.85D2 test edx,edx
00401DF4|.7F 0A jg Xcrackme.00401E00
00401DF6|.8B08 mov ecx,dword ptr ds:
00401DF8|.8B11 mov edx,dword ptr ds:
00401DFA|.50 push eax
00401DFB|.8B42 04 mov eax,dword ptr ds:
00401DFE|.FFD0 call eax
00401E00|>8B4D F4 mov ecx, ; unlink the SEH frame (restore previous fs:[0])
00401E03|.64:890D 00000>mov dword ptr fs:,ecx
00401E0A|.59 pop ecx ; discard the pushed cookie (not re-checked here)
00401E0B|.5F pop edi
00401E0C|.5E pop esi
00401E0D|.5B pop ebx
00401E0E|.8BE5 mov esp,ebp
00401E10|.5D pop ebp
00401E11\.C3 retn
破解总结:
1.通过字符串找到关键代码
2.分析代码,得出:用户名+52pojie=注册码(00401D50 处是按 16 位 UNICODE 字符逐个比较的,常量"52pojie"以明文存放在 00550780)
3.找到比较代码,继而找到关键跳(00401D82 处的 je),爆破之。注意:把 74 13 NOP 成 90 90 后任何输入都会走成功分支;既然算法已经追出来了,直接写注册机(用户名后接 52pojie)比改文件更稳妥,也不影响程序其它校验
第一个来膜拜 大牛... 第二个膜拜。这个是好东西啊。我不会破解CM。刚好看看 膜拜xxx
我去看下程序了