crack一简单的反调试软件 KGM1Tal.exe
本帖最后由 ja3klyTim9k 于 2013-11-12 09:22 编辑。作为吾爱破解的新人,第一次发帖。最近刚开始学习逆向,对很多东西都还不是很懂,所以此贴适合初学者观看,大牛请略过。
得益学校一大牛指点,前两天发给我一个软件,带有反调试的CM,从来没有接触过这些东东呀,心里顿感压力,作为菜鸟的我们果断首先百度,发现网上果然是大牛云集的地方,终获一方案,果断跟随学习,到目前,算是基本了解此软件的一些运行原理,下面详解:
一如破解的顺序,首先拖入PEid中探求有无壳,发现没壳;接下来打开软件探求破解之道,发现随意输入密码后会弹出“Try Again,something did not work right.”于是果断拖入OD,先前说过此软件带有反调试,所以在OD中很多断点根本无法准确断下,经过反复调试,确认用消息断点下断,于是,首先F9运行起来,“查看”->“窗口”,刷新如下:
在 &Register 上右键,选择“在 ClassProc 上设置消息断点”,如下图:
设置好后点击运行的软件上的Register按键,然后选择OD上的M按钮,或者alt+m快捷键,进入下面:
在 00401000 上右键“在访问上设置断点”(至于为什么在此处设置断点,相信你们都应该有一些理解:一般软件载入内存后,代码段默认位于偏移 0x1000 处,这一点可以在 PEiD 的 EP Section 后面的“>”中看到):
所以我们在此下断点,直接F9运行,它会断在程序的入口处执行,如下图:
00401230 /.55 push ebp
00401231 |.8BEC mov ebp,esp
00401233 |.817D 0C 10010>cmp ,0x110 ;--110 消息断点WM_INITDIALOG
0040123A|.75 1E jnz short KGM1Tal.0040125A
0040123C|.68 057F0000 push 0x7F05 ; /RsrcName =IDI_WINLOGO
00401241 |.6A 00 push 0x0 ; |hInst = NULL
00401243 |.E8 5A030000 call<jmp.&user32.LoadIconA> ; \LoadIconA
00401248 |.50 push eax ; /lParam =7FFDD000
00401249 |.6A 01 push 0x1 ; |wParam = 1
0040124B |.68 80000000 push 0x80 ; |Message =WM_SETICON
00401250 |.FF75 08 push ; |hWnd = 1A00A2
00401253 |.E8 56030000 call<jmp.&user32.SendMessageA> ; \SendMessageA
00401258 |.EB 36 jmp short KGM1Tal.00401290
0040125A|>817D 0C11010>cmp ,0x111 ;--消息断点111是WM_COMMAND
00401261 75 1D jnz short KGM1Tal.00401280
00401263 |.817D 10 E9030>cmp,0x3E9
0040126A 75 24 jnz short KGM1Tal.00401290
0040126C|.E8 A8020000 call KGM1Tal.00401519 ;<--F7跟进
00401519$BF 96124000 mov edi,KGM1Tal.00401296 ; 入口地址
0040151E.B9 00010000 mov ecx,0x100 ; ecx 为下面 REPNE 的循环次数
00401523.B0 99 mov al,0x99
00401525.34 55 xor al,0x55 ; 0x99与0x55异或得到0xcc
00401527.F2:AE repne scas byte ptr es: ; 检查有无 INT3 断点(软件断点会把目标指令的首字节改写为 0xCC),在 401296--401395 内不能有软件断点,否则出错
00401529.85C9 test ecx,ecx
0040152B.74 06 je short KGM1Tal.00401533 ; --此处必须跳转,否则出错
0040152D.5E pop esi ;KGM1Tal.00401271
0040152E.33F6 xor esi,esi ;KGM1Tal.00401230
00401530.57 push edi ;KGM1Tal.00401396
00401531.^ EB C2 jmp short KGM1Tal.004014F5
00401533>C3 retn
00401271 |.E8 33020000 call KGM1Tal.004014A9 ; <--F7跟进,检测有没有对 GetDlgItemTextA 下断
004014A9 $BE 9C154000 movesi,<jmp.&user32.GetDlgItem>; 入口地址
004014AE.8B7E 02 mov edi,dword ptr ds:;<&user32.GetDlgItemTextA>
004014B1.8B3F movedi,dword ptr ds:
004014B3.B9 06000000 mov ecx,0x6
004014B8.B0 CC mov al,0xCC
004014BA.F2:AE repne scas byte ptr es: ;--检测有没有对 GetDlgItemTextA 下断(扫描该 API 入口前 6 字节有无 0xCC)
004014BC.85C9 test ecx,ecx
004014BE.74 06 je short KGM1Tal.004014C6 ; --此处必须跳,不然出错
004014C0 .5E pop esi ;KGM1Tal.00401276
004014C1 .33F6 xor esi,esi ;KGM1Tal.0040159C
004014C3 .57 push edi ;user32.77D6AC0C
004014C4 .EB 2F jmp short KGM1Tal.004014F5
004014C6 >C3 retn
00401276 |.FF75 08 push
00401279 |.E8 18000000 call KGM1Tal.00401296 ;<-- 跟进
00401296$55 push ebp
00401297.8BEC mov ebp,esp
00401299.60 pushad
0040129A .BE FE124000mov esi,KGM1Tal.004012FE
0040129F .56 push esi ;KGM1Tal.0040159C
004012A0 .64:FF35 00000>push dword ptr fs:
004012A7 .64:8925 00000>mov dword ptr fs:,esp
004012AE.FF35 3C304000 push dword ptr ds: ; /Count = 1E (30.)
004012B4.68 00304000 push KGM1Tal.00403000 ; |Buffer = KGM1Tal.00403000
004012B9.68 EC030000 push 0x3EC ; |ControlID = 3EC(1004.)
004012BE.FF75 08 push dword ptr ss: ; |hWnd = 001A00A2('KeyGen1 - Taliesin',class='#32770')
004012C1 .E8 D6020000call <jmp.&user32.GetDlgItemTex>; \GetDlgItemTextA此处获取用户名
004012C6 .FF35 40304000 push dword ptrds: ; /Count = 14 (20.)
004012CC.68 23304000 push KGM1Tal.00403023 ; |Buffer = KGM1Tal.00403023
004012D1.68 ED030000 push 0x3ED ; |ControlID = 3ED(1005.)
004012D6.FF75 08 push dword ptr ss: ; |hWnd = 001A00A2('KeyGen1 - Taliesin',class='#32770')
004012D9.E8 BE020000 call <jmp.&user32.GetDlgItemTex>;\GetDlgItemTextA此处获取密码
004012DE.E8 4F000000 call KGM1Tal.00401332 ; 跟进
00401332$33C0 xor eax,eax
00401334.B9 00000000 mov ecx,0x0
00401339.BE 23304000 mov esi,KGM1Tal.00403023 ;ASCII "HAOHAOXUEXI"
0040133E.8A06 mov al,byte ptr ds:
00401340.EB 10 jmp short KGM1Tal.00401352
00401342>0FB6C0 movzxeax,al
00401345.80B8 50314000>cmp byte ptrds:,0x2 ;判断是否为大写,2为大写,其他的则为符号或者小写,此处可以用DD 403150命令看下此处的内存
寄存器数据如下:
00403150 09090900
00403154 09090900
00403158 09050609
0040315C 09090509
00403160 09090909
00403164 09090900
00403168 09090909
0040316C 09090909
00403170 05050506
00403174 05050509
00403178 04040505
0040317C 04050405
00403180 01010101
00403184 01010101
00403188 05050101
0040318C 05050505
00403190 02020209
00403194 02020202
00403198 02020202
0040319C 02020202
004031A0 02020202
004031A4 02020202
004031A8 05020202
所以我们大概可以明白为什么是和0x2比较了,继续向下分析:
0040134C /75 0A jnzshort KGM1Tal.00401358 ;不是则跳,所以密码必须为大写
0040134E. |41 inc ecx
0040134F . |8A0431 mov al,byte ptr ds:
00401352> |3C00 cmp al,0x0 ;判断密码是否取完
00401354.^|77 EC ja shortKGM1Tal.00401342
00401356. |EB 07 jmp short KGM1Tal.0040135F
00401358> \C605 44304000>mov byte ptr ds:,0x40
0040135F >BE 00304000mov esi,KGM1Tal.00403000 ; ASCII "jackylin"
00401364.33C9 xor ecx,ecx
00401366.B8 01000000 mov eax,0x1
0040136B.33D2 xor edx,edx
0040136D.C705 45304000>mov dword ptrds:,0x0
00401377>B9 00000000 mov ecx,0x0
0040137C .8A0C32 mov cl,byte ptr ds:
0040137F .80F900 cmp cl,0x0 ;判断用户名是否取完
00401382.74 09 je short KGM1Tal.0040138D
00401384.42 inc edx
00401385.000D 45304000 add byte ptrds:,cl ;将用户名所有字符的 ASCII 码值相加,得到和SUM1
0040138B.^ EB EA jmp shortKGM1Tal.00401377
0040138D>A1 45304000 mov eax,dword ptr ds:
00401392.B9 18000000 mov ecx,0x18
00401397.99 cdq
00401398.F7F9 idiv ecx
0040139A .8815 4F304000mov byte ptr ds:,dl
004013A0 .8A0D44304000 mov cl,byte ptr ds:
004013A6 .80F940 cmp cl,0x40 ;如果之前不是大写的话,这里就不会跳转,不跳则错,所以密码必须大写
004013A9 75 05 jnz short KGM1Tal.004013B0 ;此处必须跳
004013AB E9 45010000 jmp KGM1Tal.004014F5
004013B0>E9 CB000000 jmp KGM1Tal.00401480
004013B5.C3 retn
00401480> \E8 8B000000 callKGM1Tal.00401510 ;--F7跟进
00401510 $A024304000 mov al,byte ptrds: ;--此处将密码的第二个字符移入al中,你若不确定,可以用DD 403024命令查看该地址的 ASCII 码
00401515 .3C 45 cmp al,0x45 ; 与 0x45('E') 比较,不等则跳
00401517 ^ 75 DC jnz short KGM1Tal.004014F5
00401519 $BF96124000 mov edi,KGM1Tal.00401296 ; --- ---入口地址
0040151E .B900010000 mov ecx,0x100
00401523 .B099 mov al,0x99
00401525 .3455 xor al,0x55 ;0x99与0x55异或得到0xcc
00401527 . F2:AE repne scas byte ptres: ;检查有无INT3断点,在401296--401395内不能有断点,否则出错
00401529 .85C9 test ecx,ecx
0040152B .7406 je short KGM1Tal.00401533 ;--此处必须跳转,否则出错
0040152D . 5E pop esi ;KGM1Tal.00401485
0040152E .33F6 xor esi,esi ;KGM1Tal.00403000
00401530 . 57 push edi ;KGM1Tal.00401396
00401531 .^ EB C2 jmp short KGM1Tal.004014F5
00401533 > C3 retn
00401485 . 33DB xor ebx,ebx
00401487 .BF80144000 mov edi,KGM1Tal.00401480
0040148C .83EF60 sub edi,0x60
0040148F .B8DE000000 mov eax,0xDE
00401494 .83F0 12 xor eax,0x12 ;0xDE 与 0x12 异或得到 0xCC
00401497 .B959000000 mov ecx,0x59
0040149C . F2:AE repne scas byte ptres: ;--检查00401420-00401479处有无断点
0040149E .85C9 test ecx,ecx
004014A0 .74 06 je short KGM1Tal.004014A8 ;--此处必须跳转,否则失败
004014A2 .5E pop esi ;KGM1Tal.004012E3
004014A3 .33F6 xor esi,esi ;KGM1Tal.00403000
004014A5 .57 push edi ; KGM1Tal.00401479
004014A6 .EB 4D jmp short KGM1Tal.004014F5
004014A8 >C3 retn
004012E8 .E8 C9000000 call KGM1Tal.004013B6 ;--F7跟进
004013B6 $ 55 push ebp
004013B7 .8BEC mov ebp,esp
004013B9 .6823304000 push KGM1Tal.00403023 ;ASCII "HAOHAOXUEXI"
004013BE .E87D010000 call KGM1Tal.00401540 ;--F7跟进
00401540/$ 8B4424 04 mov eax,dword ptrss: ;--取密码
00401544|. 83E8 04 sub eax,0x4 ;--此段代码主要作用是用一个循环依次比较在密码的第几位为零,即密码的位数是多少
00401547|>83C0 04 /add eax,0x4
0040154A|. 8038 00 |cmp byte ptrds:,0x0
0040154D|.7430 |je short KGM1Tal.0040157F
0040154F|. 8078 01 00 |cmp byte ptrds:,0x0
00401553|.7420 |je short KGM1Tal.00401575
00401555|. 8078 02 00 |cmp byte ptrds:,0x0
00401559|.7410 |je short KGM1Tal.0040156B
0040155B|. 8078 03 00 |cmp byte ptrds:,0x0
0040155F|.^ 75 E6 \jnz short KGM1Tal.00401547
00401561|. 2B4424 04 sub eax,dword ptrss: ;KGM1Tal.004012ED
00401565|.83C0 03 add eax,0x3
00401568|.C20400 retn 0x4
0040156B|> 2B4424 04 sub eax,dword ptrss: ;KGM1Tal.004012ED
0040156F|.83C0 02 add eax,0x2
00401572|.C20400 retn 0x4
00401575|> 2B4424 04 sub eax,dword ptrss: ; KGM1Tal.004012ED
00401579|.83C0 01 add eax,0x1
0040157C|.C20400 retn 0x4
0040157F|> 2B4424 04 sub eax,dword ptrss: ;KGM1Tal.004012ED
00401583\.C20400 retn 0x4
004013C3|.83F80A cmp eax,0xA ;--密码必须为十位
004013C6|.0F8529010000 jnz KGM1Tal2.004014F5
004013CC|.BE23304000 mov esi,KGM1Tal2.00403023 ;ASCII "HAOHAOXUEXI"
004013D1|.B800000000 mov eax,0x0
004013D6|.BB00000000 mov ebx,0x0
004013DB|.33C9 xor ecx,ecx
004013DD|.EB06 jmp short KGM1Tal2.004013E5
004013DF|>8A0C30 /mov cl,byte ptr ds:
004013E2|. 03D9 |add ebx,ecx ;---取密码的 ASCII 码值相加得到SUM2
004013E4|. 40 |inc eax
004013E5|>83F8 09 cmp eax,0x9
004013E8|.^ 72 F5 \jb short KGM1Tal2.004013DF
004013EA|. 8BC3 mov eax,ebx
004013EC|.B909000000 mov ecx,0x9
004013F1|.99 cdq
004013F2|.F7F9 idiv ecx
004013F4|.A3 4A304000 mov dword ptr ds:,eax
004013F9|.8B7D 08 mov edi, ;KGM1Tal2.00403053
004013FC|.8A15 4F304000mov dl,byte ptr ds:
00401402|.8AC2 mov al,dl
00401404|.3C 18 cmp al,0x18
00401406|.7602 jbe short KGM1Tal2.0040140A
00401408|.2C 18 sub al,0x18
0040140A|> A2 4E304000 mov byte ptrds:,al
0040140F|.33C0 xor eax,eax
00401411|.A04E304000 mov al,byte ptr ds:
00401416|.8A2438 mov ah,byte ptr ds:
00401419|.8A36 mov dh,byte ptr ds: ;--移入第一位密码进行比较
0040141B|.38F4 cmp ah,dh
0040141D|.0F85 D2000000 jnz KGM1Tal2.004014F5
00401423|. 80EE 41 sub dh,0x41
00401426|. 8AF2 mov dh,dl
00401428|.B400 mov ah,0x0
0040142A|.A24E304000 mov byte ptr ds:,al
0040142F|.33C0 xor eax,eax
00401431|.A04E304000 mov al,byte ptr ds:
00401436|.02C2 add al,dl
00401438|.3C 18 cmp al,0x18
0040143A|.7602 jbe short KGM1Tal2.0040143E
0040143C|.2C 18 sub al,0x18 ;--若大于0x18就减去它
0040143E|> B9 02000000 mov ecx,0x2
00401443|.8A2438 mov ah,byte ptr ds:
00401446|.8A3431 mov dh,byte ptr ds: ; --移入密码第三位
00401449|.38F4 cmp ah,dh
0040144B|.0F85 A4000000jnz KGM1Tal2.004014F5
到这里各位童鞋是否觉得有点茫然,很正常,里面绕的弯子比较多,但是没事,一遍看不懂就多看两遍,你总会看懂的,我就是这样子的,继续往后分析:
00401451|. /EB 24 jmp short KGM1Tal2.00401477 ; - -此处代码比较第四位到第九位的密码
00401453|> |A2 4E304000 /mov byte ptr ds:,al
00401458|. |33C0 |xor eax,eax
0040145A|. |A0 4E304000 |mov al,byte ptr ds:
0040145F|. |80EE 41 |sub dh,0x41
00401462|. |8AD6 |mov dl,dh
00401464|. |41 |inc ecx
00401465|. |02C2 |add al,dl
00401467|. |3C18 |cmp al,0x18
00401469|. |76 02 |jbe short KGM1Tal2.0040146D
0040146B|. |2C18 |sub al,0x18
0040146D|> |8A2438 |mov ah,byte ptr ds:
00401470|. |8A3431 |mov dh,byte ptr ds:
00401473|. |38F4 |cmp ah,dh
00401475|. |75 7E |jnz short KGM1Tal2.004014F5
00401477|> \83F908 cmp ecx,0x8
0040147A|.^ 72 D7 \jb short KGM1Tal2.00401453
0040147C|. C9 leave
0040147D\.C20400 retn 0x4
004012ED .E8DC010000 call KGM1Tal2.004014CE ; ---f7跟进
004014CE/$BE23304000 mov esi,KGM1Tal2.00403023 ;ASCII "HAOHAOXUEXI"
004014D3|.A1 4A304000mov eax,dword ptr ds:
004014D8|.8A5E 09 mov bl,byte ptr ds: ; ---取密码最后一位
004014DB|. 38D8 cmp al,bl
004014DD|.7516 jnz short KGM1Tal2.004014F5
004014DF|.B8 6C304000mov eax,KGM1Tal2.0040306C ;ASCII "Great Job!"
004014E4|.8BD8 mov ebx,eax
004014E6|.83C3 0B add ebx,0xB
到此就算跟完了,各位童鞋是否已经睡着,但是不急,我们确实已经跟完了,细细回想发现过程其实也不是很难,只是内容较多…
最后附带两个链接,里面有原版的软件和一个破解补丁…希望各位童鞋好好学习,天天向上…第一次发的帖被指出排版太乱,希望想认真看这个帖子的人多提意见,我会继续编辑修改,不好意思...
软件地址链接: http://pan.baidu.com/share/link?shareid=481844&uk=1344482023
破解补丁链接: http://pan.baidu.com/share/link?shareid=481840&uk=1344482023
内容很乱,图片也看不到,建议先在草稿箱整理好以后再发出来! 图挂了!!!!!! 良辰美景 发表于 2013-11-12 01:32
内容很乱,图片也看不到,建议先在草稿箱整理好以后再发出来!
不好意思哈,第一次发帖,不知道这些,现在改过来了,应该看得到了吧!!
RichieChan 发表于 2013-11-12 01:45
图挂了!!!!!!
刚刚在修改中,现在可以看了.
yc016 发表于 2013-11-12 01:52
表示图全挂了= =、
现在应该可以看了
看不懂这些代码啊啊啊啊啊 ja3klyTim9k 发表于 2013-11-12 01:54
现在应该可以看了
额,把原文图片搞上来了,现在可以了。
正在学习中 谢谢分享