对某个CrackMe的简单还原(一)
【软件名称】: CrackMe1【作者邮箱】: 2714608453@qq.com
【下载地址】: 见附件
【软件语言】: Decv++4.3
【使用工具】: OD
【操作平台】: XP SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
废话不多说,直接上代码。
CrackMe核心代码如下(OD反汇编列表;转贴时方括号内的内存操作数丢失,例如"mov ,eax",可根据同一行的机器码字节还原):
; Main routine of the CrackMe as dumped from OllyDbg (32-bit x86, Intel operand order).
; It prints a prompt, reads three integers separated by single characters with scanf,
; derives two values from the first integer and compares them with the second and third.
; Columns: address, OllyDbg flow marker, opcode bytes, mnemonic/operands, OllyDbg comment.
; NOTE(review): bracketed memory operands were lost when the listing was pasted
; (e.g. "mov ,eax"). Offsets quoted in the comments below are decoded from the opcode
; bytes on the same line (ModRM byte + displacement).
; Stack slots recovered from those bytes:
;   [ebp-0x28] 17-byte buffer, argument of the first puts
;   [ebp-0x48] 32-byte buffer, argument of puts when both compares match
;   [ebp-0x68] 30-byte buffer, argument of puts when a compare fails
;   [ebp-0x70] int,  1st scanf target (Local.28)
;   [ebp-0x69] char, 2nd scanf target
;   [ebp-0x74] int,  3rd scanf target (Local.29)
;   [ebp-0x6A] char, 4th scanf target
;   [ebp-0x78] int,  5th scanf target (Local.30)
;   [ebp-0x7C] first derived value  (Local.31)
;   [ebp-0x80] second derived value (Local.32)
00401290/$55 push ebp ; save the caller's frame pointer
00401291|.89E5 mov ebp,esp ; set up this function's frame
00401293|.81EC B8000000 sub esp,0xB8 ; reserve 0xB8 bytes for locals and outgoing call arguments
00401299|.83E4 F0 and esp,-0x10 ; round esp down to a 16-byte boundary
0040129C|.B8 00000000 mov eax,0x0 ; eax = 0
004012A1|.83C0 0F add eax,0xF ; eax = 0xF
004012A4|.83C0 0F add eax,0xF ; eax = 0x1E
004012A7|.C1E8 04 shr eax,0x4 ; eax = 1
004012AA|.C1E0 04 shl eax,0x4 ; eax = 0x10
004012AD|.8985 74FFFFFF mov ,eax ; bytes 89 85 74FFFFFF = mov [ebp-0x8C],eax
004012B3|.8B85 74FFFFFF mov eax, ; bytes 8B 85 74FFFFFF = mov eax,[ebp-0x8C]
004012B9|.E8 D2050000 call CrackMe.00401890 ; body not shown; presumably a compiler runtime helper using eax - TODO confirm
004012BE|.E8 6D020000 call CrackMe.00401530 ; body not shown; presumably runtime start-up code - TODO confirm
004012C3|.C70424 003040>mov dword ptr ss:,CrackMe.00403000 ; ||||ASCII "title CrackMe" -- bytes C7 04 24 = store to [esp], the argument of system
004012CA|.E8 D1060000 call <jmp.&msvcrt.system> ; |||\system
; Copy 17 bytes from 0040300E.. into [ebp-0x28] (4 dwords + 1 byte).
004012CF|.A1 0E304000 mov eax,dword ptr ds: ; ||| eax = dword at 0040300E
004012D4|.8945 D8 mov ,eax ; ||| -> [ebp-0x28]
004012D7|.A1 12304000 mov eax,dword ptr ds: ; ||| eax = dword at 00403012
004012DC|.8945 DC mov ,eax ; ||| -> [ebp-0x24]
004012DF|.A1 16304000 mov eax,dword ptr ds: ; ||| eax = dword at 00403016
004012E4|.8945 E0 mov ,eax ; ||| -> [ebp-0x20]
004012E7|.A1 1A304000 mov eax,dword ptr ds: ; ||| eax = dword at 0040301A
004012EC|.8945 E4 mov ,eax ; ||| -> [ebp-0x1C]
004012EF|.0FB605 1E3040>movzx eax,byte ptr ds: ; ||| eax = byte at 0040301E (last address byte cut off in the dump)
004012F6|.8845 E8 mov byte ptr ss:,al ; ||| -> byte [ebp-0x18]
; Copy 32 bytes from 00403020.. into [ebp-0x48] (8 dwords).
004012F9|.A1 20304000 mov eax,dword ptr ds: ; ||| eax = dword at 00403020
004012FE|.8945 B8 mov ,eax ; ||| -> [ebp-0x48]
00401301|.A1 24304000 mov eax,dword ptr ds: ; ||| eax = dword at 00403024
00401306|.8945 BC mov ,eax ; ||| -> [ebp-0x44]
00401309|.A1 28304000 mov eax,dword ptr ds: ; ||| eax = dword at 00403028
0040130E|.8945 C0 mov ,eax ; ||| -> [ebp-0x40]
00401311|.A1 2C304000 mov eax,dword ptr ds: ; ||| eax = dword at 0040302C
00401316|.8945 C4 mov ,eax ; ||| -> [ebp-0x3C]
00401319|.A1 30304000 mov eax,dword ptr ds: ; ||| eax = dword at 00403030
0040131E|.8945 C8 mov ,eax ; ||| -> [ebp-0x38]
00401321|.A1 34304000 mov eax,dword ptr ds: ; ||| eax = dword at 00403034
00401326|.8945 CC mov ,eax ; ||| -> [ebp-0x34]
00401329|.A1 38304000 mov eax,dword ptr ds: ; ||| eax = dword at 00403038
0040132E|.8945 D0 mov ,eax ; ||| -> [ebp-0x30]
00401331|.A1 3C304000 mov eax,dword ptr ds: ; ||| eax = dword at 0040303C
00401336|.8945 D4 mov ,eax ; ||| -> [ebp-0x2C]
; Copy 30 bytes from 00403040.. into [ebp-0x68] (7 dwords + 1 word).
00401339|.A1 40304000 mov eax,dword ptr ds: ; ||| eax = dword at 00403040
0040133E|.8945 98 mov ,eax ; ||| -> [ebp-0x68]
00401341|.A1 44304000 mov eax,dword ptr ds: ; ||| eax = dword at 00403044
00401346|.8945 9C mov ,eax ; ||| -> [ebp-0x64]
00401349|.A1 48304000 mov eax,dword ptr ds: ; ||| eax = dword at 00403048
0040134E|.8945 A0 mov ,eax ; ||| -> [ebp-0x60]
00401351|.A1 4C304000 mov eax,dword ptr ds: ; ||| eax = dword at 0040304C
00401356|.8945 A4 mov ,eax ; ||| -> [ebp-0x5C]
00401359|.A1 50304000 mov eax,dword ptr ds: ; ||| eax = dword at 00403050
0040135E|.8945 A8 mov ,eax ; ||| -> [ebp-0x58]
00401361|.A1 54304000 mov eax,dword ptr ds: ; ||| eax = dword at 00403054
00401366|.8945 AC mov ,eax ; ||| -> [ebp-0x54]
00401369|.A1 58304000 mov eax,dword ptr ds: ; ||| eax = dword at 00403058
0040136E|.8945 B0 mov ,eax ; ||| -> [ebp-0x50]
00401371|.0FB705 5C3040>movzx eax,word ptr ds: ; ||| eax = word at 0040305C (last address byte cut off in the dump)
00401378|.66:8945 B4 mov word ptr ss:,ax ; ||| -> word [ebp-0x4C]
0040137C|.8D45 D8 lea eax, ; ||| eax = &[ebp-0x28], the 17-byte buffer
0040137F|.890424 mov dword ptr ss:,eax ; ||| [esp] = argument of puts
00401382|.E8 09060000 call <jmp.&msvcrt.puts> ; ||\puts
; Build the scanf call: the format goes to [esp], the five target pointers to [esp+4]..[esp+0x14].
00401387|.8D45 88 lea eax, ; || eax = &[ebp-0x78]
0040138A|.894424 14 mov dword ptr ss:,eax ; ||arc5 -> [esp+0x14], target of the third %d
0040138E|.8D45 96 lea eax,dword ptr ss: ; || eax = &[ebp-0x6A]
00401391|.894424 10 mov dword ptr ss:,eax ; ||arc4 -> [esp+0x10], target of the second %c
00401395|.8D45 8C lea eax, ; || eax = &[ebp-0x74]
00401398|.894424 0C mov dword ptr ss:,eax ; ||arc3 -> [esp+0xC], target of the second %d
0040139C|.8D45 97 lea eax,dword ptr ss: ; || eax = &[ebp-0x69]
0040139F|.894424 08 mov dword ptr ss:,eax ; ||arc2 -> [esp+8], target of the first %c
004013A3|.8D45 90 lea eax, ; || eax = &[ebp-0x70]
004013A6|.894424 04 mov dword ptr ss:,eax ; ||arc1 -> [esp+4], target of the first %d
004013AA|.C70424 5E3040>mov dword ptr ss:,CrackMe.0040305E ; ||ASCII "%d%c%d%c%d" -> [esp], the format string
004013B1|.E8 CA050000 call <jmp.&msvcrt.scanf> ; |\scanf
; scanf's return value in eax is never examined: eax is overwritten at 004013B9.
004013B6|.8B55 90 mov edx, ; |msvcrt.77BFC2DE -- edx = [ebp-0x70] (Local.28); the msvcrt label is a debugger annotation
004013B9|.89D0 mov eax,edx ; | eax = Local.28
004013BB|.C1E0 02 shl eax,0x2 ; | eax = Local.28*4
004013BE|.01D0 add eax,edx ; | eax = Local.28*5
004013C0|.01C0 add eax,eax ; | eax = Local.28*10
004013C2|.8945 84 mov ,eax ; |Local.31=local.28*A -- store to [ebp-0x7C]
004013C5|.8D45 84 lea eax, ; | eax = &Local.31
004013C8|.8300 7D add dword ptr ds:,0x7D ; | Local.31 += 0x7D (bytes 83 00 = add dword [eax],imm8)
004013CB|.8B45 84 mov eax, ; |ntdll.7C930060 -- eax = Local.31; the ntdll label is a debugger annotation
004013CE|.01C0 add eax,eax ; |Local.31=(Local.31+0x7D)*2
004013D0|.8945 84 mov ,eax ; | store the doubled value back to [ebp-0x7C]
004013D3|.8D45 84 lea eax, ; | eax = &Local.31
004013D6|.FF00 inc dword ptr ds: ; |Local.31++
004013D8|.8D45 84 lea eax, ; | eax = &Local.31
004013DB|.8328 15 sub dword ptr ds:,0x15 ; |Local.31-=0x15
004013DE|.8D45 84 lea eax, ; | eax = &Local.31
004013E1|.8300 58 add dword ptr ds:,0x58 ; |Local.31+=0x58 -- Local.31 is now (Local.28*10+0x7D)*2+1-0x15+0x58
004013E4|.8B45 90 mov eax, ; |msvcrt.77BFC2DE -- eax = [ebp-0x70] (Local.28 again, same bytes 45 90 as at 004013B6)
004013E7|.01C0 add eax,eax ; | eax = Local.28*2
004013E9|.8945 80 mov ,eax ; |Local.32=Local.28*2 -- store to [ebp-0x80]
004013EC|.8D45 80 lea eax, ; | eax = &Local.32
004013EF|.8100 FD000000 add dword ptr ds:,0xFD ; |Local.32+=0xFD
004013F5|.8B45 80 mov eax, ; |ntdll.7C92E920 -- eax = Local.32
004013F8|.01C0 add eax,eax ; |Local.32*=2
004013FA|.8945 80 mov ,eax ; | store the doubled value back to [ebp-0x80]
004013FD|.8D45 80 lea eax, ; | eax = &Local.32
00401400|.FF00 inc dword ptr ds: ; |Local.32++
00401402|.8B45 80 mov eax, ; |ntdll.7C92E920 -- eax = Local.32
00401405|.0345 84 add eax, ; |ntdll.7C930060 -- eax += Local.31 ([ebp-0x7C])
00401408|.83C0 02 add eax,0x2 ; | eax += 2
0040140B|.8945 80 mov ,eax ; |Local.32=Local.32+Local.31+2
0040140E|.8B45 8C mov eax, ; |ntdll.7C93005D -- eax = [ebp-0x74] (Local.29, second integer read)
00401411|.3B45 84 cmp eax, ; |if(Local.31==Local.29)
00401414|.75 15 jnz short CrackMe.0040142B ; | mismatch -> failure path
00401416|.8B45 88 mov eax, ; | eax = [ebp-0x78] (Local.30, third integer read)
00401419|.3B45 80 cmp eax, ; |if(Local.32==Local.30)
0040141C|.75 0D jnz short CrackMe.0040142B ; | mismatch -> failure path
0040141E|.8D45 B8 lea eax, ; | eax = &[ebp-0x48], the 32-byte buffer
00401421|.890424 mov dword ptr ss:,eax ; | [esp] = argument of puts
00401424|.E8 67050000 call <jmp.&msvcrt.puts> ; \puts
00401429|.EB 17 jmp short CrackMe.00401442 ; skip the failure message and the pause
0040142B|>8D45 98 lea eax, ; || failure path: eax = &[ebp-0x68], the 30-byte buffer
0040142E|.890424 mov dword ptr ss:,eax ; || [esp] = argument of puts
00401431|.E8 5A050000 call <jmp.&msvcrt.puts> ; |\puts
00401436|.C70424 693040>mov dword ptr ss:,CrackMe.00403069 ; |ASCII "Pause >NUL" -> [esp], the argument of system
0040143D|.E8 5E050000 call <jmp.&msvcrt.system> ; \system
00401442|>C9 leave ; tear down the frame (esp = ebp, pop ebp)
00401443\.C3 retn ; return to the caller; eax is not set explicitly on either path
原CrackMe是用Dev-C++写的,还原后的代码是用VC6.0写的。顺带提一下,scanf格式串中的%c用来读取三个整数之间的分隔符(每个分隔符占一个字符)。
#include "stdafx.h"
#include <stdlib.h>
/* Messages printed by main(), listed in the order the program can show them. */
char cTip[]   = "Type your serial.";                 /* printed before the serial is read */
char cRight[] = "Right Crack, now write a KeyGen.";  /* printed when both checks pass */
char cFaule[] = "Ops! Wrong serial, try again.";     /* printed when either check fails */
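// Reconstruction of the CrackMe's serial check (routine at 00401290 in the listing).
// Reads "<int><char><int><char><int>" from stdin and accepts the input only when the
// second and third integers equal two values derived from the first one.
// Returns 0 on every path; the failure path also prints cFaule and pauses the console.
int main(int argc, char* argv[])
{
    char c1 = 0, c2 = 0;         // separator characters consumed by %c; never inspected
    int i1 = 0, i2 = 0, i3 = 0;  // zero-initialised because scanf's result is not checked
                                 // (the binary ignores it too), so a short parse cannot
                                 // leave indeterminate values in the comparison below
    int dwTemp31, dwTemp32;

    system("title CrackMe");
    puts(cTip);
    scanf("%d%c%d%c%d", &i1, &c1, &i2, &c2, &i3);

    // Local.31 in the listing: i1*0xA, +0x7D, *2, +1, then "sub ...,0x15" at 004013DB
    // (0x15, not 0x14), then +0x58.
    dwTemp31 = (i1 * 0xA + 0x7D) * 2 + 1 - 0x15 + 0x58;

    // Local.32 in the listing: starts from the FIRST integer again (004013E4 reloads the
    // slot annotated Local.28, same opcode bytes 45 90 as at 004013B6), and the final sum
    // includes the "add eax,0x2" at 00401408.
    dwTemp32 = (i1 * 2 + 0xFD) * 2 + 1 + dwTemp31 + 2;

    // NOTE: the binary computes these with wrapping 32-bit arithmetic; signed overflow is
    // undefined in C, so inputs large enough to overflow may not reproduce it exactly.

    if (dwTemp31 == i2 && dwTemp32 == i3)
    {
        // Success path: the listing jumps straight to leave/retn, skipping the pause.
        puts(cRight);
        return 0;
    }

    puts(cFaule);
    system("Pause >Nul");
    return 0;
}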
只能膜拜! 厉害啊,我就只能分析出来,但是不会写算法。 {:1_928:}膜拜大神 楼主很厉害 近距离膜拜!{:1_928:}
只能膜拜! 楼主留QQ了哦! 只能膜拜只能膜拜 膜拜膜拜