【吾爱2013CM大赛解答】-- KeyGenMe2013-追码分析
【吾爱2013CM大赛解答】-- KeyGenMe2013-追码分析
【作者】: zxcfvasd
【操作平台】: xp sp3
【使用工具】: OD
【作者声明】:小菜一个,若有失误之处,请大大赐教~
详细分析:
(注:下面 OD 反汇编里 `[...]` 形式的内存操作数在转贴时被当作 HTML 标签丢掉了,显示为 `dword ptr ds:` / `ss:` 后面空着。操作数可以由左侧机器码还原,例如 `8D4E 64` 即 `lea ecx,[esi+0x64]`,`8B46 68` 即 `mov eax,[esi+0x68]`,`807D 04 2D` 即 `cmp byte ptr [ebp+4],0x2D`。)
在 GetWindowTextA / GetDlgItemTextA 上下断点,断下后返回到程序领空,就可以找到读取三个输入框的关键点(连续三次 `call KeyGenMe.0041DC08`,压入的 0x3EA、0x3E9 应是对话框控件 ID;注释中的用户名、机器码、注册码是作者对三次调用的标注):
00401321 .57 push edi
00401322 .E8 E1C80100 call KeyGenMe.0041DC08 ;获取用户名
00401327 .8D4E 64 lea ecx,dword ptr ds:
0040132A .51 push ecx
0040132B .68 EA030000 push 0x3EA
00401330 .57 push edi
00401331 .E8 D2C80100 call KeyGenMe.0041DC08 ;机器码
00401336 .83C6 68 add esi,0x68
00401339 .56 push esi
0040133A .68 E9030000 push 0x3E9
0040133F .57 push edi
00401340 .E8 C3C80100 call KeyGenMe.0041DC08 ;注册码
004015F9 .E8 188A0000 call KeyGenMe.0040A016 ;mbscmp
004015FE .83C4 08 add esp,0x8 ;此函数判断是否有输入用户名
00401601 .85C0 test eax,eax
00401603 .74 77 je XKeyGenMe.0040167C
00401605 .8B46 68 mov eax,dword ptr ds: ;注册码
00401608 .8D7E 68 lea edi,dword ptr ds:
0040160B .68 B0E04200 push KeyGenMe.0042E0B0
00401610 .50 push eax
00401611 .E8 008A0000 call KeyGenMe.0040A016 ;判断是否输入注册码
00401616 .83C4 08 add esp,0x8
单步到关键call
算法就是分别处理用户名和机器码,其中有很多浮点指令,跟起来比较累,算法部分就没有具体看了。补充几点便于复现:`push 0x405E5432 / push 0xCA57A787` 两个 dword 合起来是一个按值传递的 IEEE-754 double 常量 0x405E5432CA57A787(约 121.3156);`call 00401CC0` 和 `call 00401B10` 之前都有 `mov ecx,esi`,看起来是 thiscall,且返回值在 st0 中 —— 紧跟其后的 `sub esp,8 / fstp qword ptr [esp]` 是把前一个调用的返回值作为 double 参数传给下一个调用,`fstp qword ptr [esp+30]` 则是保存最终结果。
004018A6|> /0FBE4B 01 /movsx ecx,byte ptr ds: ;MCode
004018AA|. |0FBEC0 |movsx eax,al
004018AD|. |894424 10 |mov dword ptr ss:,eax
004018B1|. |DB4424 10 |fild dword ptr ss: ;整数转化为长双精FP80压栈(压到st0)
004018B5|. |894C24 10 |mov dword ptr ss:,ecx
004018B9|. |DD5C24 30 |fstp qword ptr ss: ;将浮点寄存器数保存到指定地址
004018BD|. |DB4424 10 |fild dword ptr ss:
004018C1|. |8B4C24 34 |mov ecx,dword ptr ss:
004018C5|. |DD5C24 10 |fstp qword ptr ss:
004018C9|. |8B5424 14 |mov edx,dword ptr ss:
004018CD|. |8B4424 10 |mov eax,dword ptr ss:
004018D1|. |52 |push edx
004018D2|. |8B5424 34 |mov edx,dword ptr ss:
004018D6|. |50 |push eax
004018D7|. |68 32545E40 |push 0x405E5432
004018DC|. |68 87A757CA |push 0xCA57A787
004018E1|. |51 |push ecx
004018E2|. |52 |push edx
004018E3|. |8BCE |mov ecx,esi
004018E5|. |E8 D6030000 |call KeyGenMe.00401CC0
004018EA|. |83EC 08 |sub esp,0x8
004018ED|. |8BCE |mov ecx,esi
004018EF|. |DD1C24 |fstp qword ptr ss:
004018F2|. |E8 19020000 |call KeyGenMe.00401B10
004018F7|. |DD5C24 30 |fstp qword ptr ss:
004018FB|. |8B4424 34 |mov eax,dword ptr ss:
004018FF|. |8B4C24 30 |mov ecx,dword ptr ss:
00401903|. |8B5424 24 |mov edx,dword ptr ss:
00401907|. |50 |push eax
00401908|. |8B4424 24 |mov eax,dword ptr ss:
接下来就是将输入的注册码与由用户名、机器码算出的整数(保存在 ecx 中)逐字符做比较。要得到注册码,单步跟踪即可:每轮循环先用 ecx 对某个小除数做 div,再把商/余数相加后对 0x1A 取模,`add dl,0x41` 之后 dl 就是期望的那个字符(只会是 A–Z),然后 `cmp al,dl` 与输入的对应字节比较,一旦不匹配就 `jnz` 跳到失败分支。按循环条件看,第一段校验 4 个字符(esi-8 < 4),随后第 5 位必须是 '-'(`cmp byte ptr [ebp+4],0x2D`),后面的段按同样方式逐个校验(最后一段 esi 从 0xF 到 0x12,又是 4 个字符)。正因为是逐字符比较、且期望值直接出现在寄存器里,在每个 `cmp al,dl` 处读 dl 就能把整个注册码抠出来,根本不必还原前面的浮点算法。注释中的 20D76D、23089 等数值均为十六进制(0x23089 正是 0x20D76D/0xF 的商加余数)。
004019ED|> /8D7E 07 /lea edi,dword ptr ds:
004019F0|. |8BC1 |mov eax,ecx
004019F2|. |33D2 |xor edx,edx
004019F4|. |F7F7 |div edi
004019F6|. |33D2 |xor edx,edx
004019F8|. |8BF8 |mov edi,eax
004019FA|. |8BC1 |mov eax,ecx
004019FC|. |F7F6 |div esi
004019FE|. |33D2 |xor edx,edx
00401A00|. |03C7 |add eax,edi
00401A02|. |BF 1A000000 |mov edi,0x1A
00401A07|. |F7F7 |div edi
00401A09|. |8A442E F8 |mov al,byte ptr ds:
00401A0D|. |80C2 41 |add dl,0x41
00401A10|. |3AC2 |cmp al,dl
00401A12|. |0F85 AC000000 |jnz KeyGenMe.00401AC4
00401A18|. |46 |inc esi
00401A19|. |8D56 F8 |lea edx,dword ptr ds:
00401A1C|. |83FA 04 |cmp edx,0x4
00401A1F|.^\7C CC \jl XKeyGenMe.004019ED
00401A21|.807D 04 2D cmp byte ptr ss:,0x2D
00401A25|.74 0A je XKeyGenMe.00401A31
00401A27|.33C0 xor eax,eax
00401A29|.5F pop edi
00401A2A|.5E pop esi
00401A2B|.5D pop ebp
00401A2C|.5B pop ebx
00401A2D|.8BE5 mov esp,ebp
00401A2F|.5D pop ebp
00401A30|.C3 retn
00401A31|>B8 08000000 mov eax,0x8
00401A36|.BB 05000000 mov ebx,0x5
00401A3B|.2BC5 sub eax,ebp
00401A3D|.8D75 05 lea esi,dword ptr ss:
00401A40|.8D3C89 lea edi,dword ptr ds:
00401A43|.894424 10 mov dword ptr ss:,eax
00401A47|.EB 04 jmp XKeyGenMe.00401A4D
00401A49|>8B4424 10 /mov eax,dword ptr ss:
00401A4D|>8D2C30 lea ebp,dword ptr ds:
00401A50|.8BC1 |mov eax,ecx
00401A52|.33D2 |xor edx,edx
00401A54|.F7F5 |div ebp
00401A56|.BD 1A000000 |mov ebp,0x1A
00401A5B|.8BC2 |mov eax,edx
00401A5D|.33D2 |xor edx,edx
00401A5F|.03C7 |add eax,edi
00401A61|.F7F5 |div ebp
00401ACE|> \BE 0F000000 mov esi,0xF
00401AD3|>8BC1 mov eax,ecx ;ecx = 20D76D
00401AD5|.33D2 xor edx,edx
00401AD7|.F7F6 div esi
00401AD9|.8BC1 mov eax,ecx ;eax = 20D76D
00401ADB|.8BDA mov ebx,edx ;前一个除法余数
00401ADD|.33D2 xor edx,edx
00401ADF|.F7F6 div esi
00401AE1|.33D2 xor edx,edx
00401AE3|.03C3 add eax,ebx ;商值+余数
00401AE5|.BB 1A000000 mov ebx,0x1A
00401AEA|.F7F3 div ebx ;23089/0x1A
00401AEC|.8A043E mov al,byte ptr ds:
00401AEF|.80C2 41 add dl,0x41
00401AF2|.3AC2 cmp al,dl
00401AF4|.^ 75 CE jnz XKeyGenMe.00401AC4
00401AF6|.46 inc esi ;temp =F++;
00401AF7|.83FE 13 cmp esi,0x13
00401AFA|.^ 7C D7 jl XKeyGenMe.00401AD3
00401AFC|.5F pop edi
00401AFD|.B8 01000000 mov eax,0x1