【吾爱2013CM大赛解答】----CrackMe -- 苏紫方璇
本帖最后由 小试锋芒 于 2013-12-23 08:15 编辑
1、PEiD 查壳:未加壳,编译器识别为 Microsoft Visual C++ 6.0。
2、OD 载入,在取窗口文本相关的 API 上设断点;不确定程序用的是哪一个,就把可选的四个全部勾上。
3、F9 运行,输入任意用户名和注册码,点击注册,程序在断点处断下:
4、返回到程序领空,来到下面这段代码。注意:网页提取时丢失了方括号里的内存操作数,例如 mov ecx,dword ptr ss: 实际是 mov ecx,[ebp-13C],偏移可以从机器码(8B8D C4FEFFFF)直接还原:
; Excerpt of the register-button handler. The routine's entry, and the argument
; pushed for the first MFC call below, lie above this excerpt. The page extraction
; dropped the bracketed memory operands, so "dword ptr ss:" shows no address; the
; displacement is still in the opcode bytes, e.g. 8B8D C4FEFFFF = mov ecx,[ebp-13C].
00401744 8B8D C4FEFFFF mov ecx,dword ptr ss: ; ecx = [ebp-13C]; loaded into ecx before each MFC call, so presumably the dialog's this pointer
0040174A E8 43060000 call <jmp.&MFC42.#6334> ; author: fetch the serial edit -- by ordinal this looks like CWnd::UpdateData, verify in the MFC42 export table
0040174F 6A 00 push 0
00401751 8B8D C4FEFFFF mov ecx,dword ptr ss: ; ecx = [ebp-13C]
00401757 E8 36060000 call <jmp.&MFC42.#6334> ; author: fetch the user name (same ordinal, argument 0)
0040175C 8B8D C4FEFFFF mov ecx,dword ptr ss: ; ecx = [ebp-13C]
00401762 8B51 60 mov edx,dword ptr ds: ; edx = [ecx+60]: pointer to the user-name characters (member at +0x60)
00401765 8995 CCFEFFFF mov dword ptr ss:,edx ; [ebp-134] = user-name pointer
0040176B 8D85 E4FEFFFF lea eax,dword ptr ss: ; eax = &[ebp-11C]: stack buffer that will receive the computed serial
00401771 50 push eax ; arg 2: output buffer
00401772 8B8D CCFEFFFF mov ecx,dword ptr ss: ; ecx = [ebp-134]
00401778 51 push ecx ; arg 1: user name
00401779 E8 92FDFFFF call CrackMe.00401510 ; serial-generation routine (cdecl) -- F7 to step into it
0040177E 83C4 08 add esp,8 ; caller removes the two arguments
00401781 8B95 C4FEFFFF mov edx,dword ptr ss: ; edx = [ebp-13C]
00401787 8B42 64 mov eax,dword ptr ds: ; eax = [edx+64]: pointer to the serial the user typed (member at +0x64)
0040178A 8985 C8FEFFFF mov dword ptr ss:,eax ; [ebp-138] = typed serial
00401790 8B8D C8FEFFFF mov ecx,dword ptr ss: ; "fake" code: the serial the user typed
00401796 898D A8FEFFFF mov dword ptr ss:,ecx ; [ebp-158] = cursor over the typed serial
0040179C 8D95 E4FEFFFF lea edx,dword ptr ss: ; "real" code: &[ebp-11C], the computed serial -- it sits in plain text on the stack, so a debugger can read it here
004017A2 8995 A4FEFFFF mov dword ptr ss:,edx ; [ebp-15C] = cursor over the computed serial
004017A8 8B85 A4FEFFFF mov eax,dword ptr ss: ; loop: byte-by-byte comparison of the two strings, unrolled two bytes per pass (the shape of an inlined strcmp)
004017AE 8A08 mov cl,byte ptr ds: ; cl = computed[0]
004017B0 888D A3FEFFFF mov byte ptr ss:,cl ; [ebp-15D] = cl
004017B6 8B95 A8FEFFFF mov edx,dword ptr ss: ; edx = typed cursor
004017BC 3A0A cmp cl,byte ptr ds: ; compare with typed[0]
004017BE 75 46 jnz short CrackMe.00401806 ; first difference -> non-zero result
004017C0 80BD A3FEFFFF 0>cmp byte ptr ss:,0 ; both strings ended on this byte?
004017C7 74 31 je short CrackMe.004017FA ; yes -> equal
004017C9 8B85 A4FEFFFF mov eax,dword ptr ss:
004017CF 8A48 01 mov cl,byte ptr ds: ; cl = computed[1]
004017D2 888D A2FEFFFF mov byte ptr ss:,cl ; [ebp-15E] = cl
004017D8 8B95 A8FEFFFF mov edx,dword ptr ss:
004017DE 3A4A 01 cmp cl,byte ptr ds: ; compare with typed[1]
004017E1 75 23 jnz short CrackMe.00401806 ; difference -> non-zero result
004017E3 8385 A4FEFFFF 0>add dword ptr ss:,2 ; advance both cursors by two bytes
004017EA 8385 A8FEFFFF 0>add dword ptr ss:,2
004017F1 80BD A2FEFFFF 0>cmp byte ptr ss:,0 ; was the second byte the terminator?
004017F8^ 75 AE jnz short CrackMe.004017A8 ; no -> next pair
004017FA C785 9CFEFFFF 0>mov dword ptr ss:,0 ; equal: [ebp-164] = 0
00401804 EB 0B jmp short CrackMe.00401811
00401806 1BC0 sbb eax,eax ; mismatch: turn the carry of the failing cmp into -1 or +1
00401808 83D8 FF sbb eax,-1
0040180B 8985 9CFEFFFF mov dword ptr ss:,eax ; [ebp-164] = +-1
00401811 8B8D 9CFEFFFF mov ecx,dword ptr ss:
00401817 898D 98FEFFFF mov dword ptr ss:,ecx ; [ebp-168] = comparison result
0040181D 83BD 98FEFFFF 0>cmp dword ptr ss:,0
00401824 75 07 jnz short CrackMe.0040182D ; result != 0 -> 00401738
00401826^ E9 11FEFFFF jmp CrackMe.0040163C ; result == 0 (strings match) -> 0040163C; both targets lie outside this excerpt, so which one shows the success message is not visible here
0040182B EB 05 jmp short CrackMe.00401832 ; unreachable: both branches above jump away
0040182D^ E9 06FFFFFF jmp CrackMe.00401738
00401832 8B4D F0 mov ecx,dword ptr ss: ; epilogue: unlink the SEH frame, ecx = [ebp-10] ...
00401835 64:890D 0000000>mov dword ptr fs:,ecx ; ... written back to fs:[0]
0040183C 5F pop edi
0040183D 5E pop esi
0040183E 5B pop ebx
0040183F 8BE5 mov esp,ebp
00401841 5D pop ebp
00401842 C3 retn
5、可以很容易地发现这是明码比较:004017A8 处的循环把 [ebp-11C] 中算出来的真码与输入的注册码逐字节对比,在这里直接查看该缓冲区就能拿到当前用户名对应的注册码。下面 F7 跟进 00401510 处的算法 CALL:
; Serial-generation routine, cdecl: arg1 = user name (NUL-terminated), arg2 = output buffer.
; Emits two upper-case hex digits per input byte via sprintf("%02X"), each call also
; writing a terminator, so the buffer receives 2*strlen(name)+1 bytes.
; NOTE(review): no output length is passed and the caller's buffer size is not visible in
; this listing; a long user name overruns the caller's stack buffer unless the edit
; control caps its length -- worth checking before reusing the routine.
00401510/$83EC 08 sub esp,8 ; 8 bytes of locals: the "%02X" format string is built here
00401513|.53 push ebx
00401514|.8B5C24 10 mov ebx,dword ptr ss: ; ebx = [esp+10] = arg1, the user name
00401518|.57 push edi
00401519|.8BFB mov edi,ebx
0040151B|.83C9 FF or ecx,FFFFFFFF
0040151E|.33C0 xor eax,eax
00401520|.F2:AE repne scas byte ptr es: ; inlined strlen: scan edi for the NUL
00401522|.F7D1 not ecx
00401524|.49 dec ecx ; ecx = strlen(name)
00401525|.C64424 08 25mov byte ptr ss:,25 ; [esp+8] = '%'
0040152A|.85C9 test ecx,ecx
0040152C|.C64424 09 30mov byte ptr ss:,30 ; '0'
00401531|.C64424 0A 32mov byte ptr ss:,32 ; '2'
00401536|.C64424 0B 58mov byte ptr ss:,58 ; 'X'  -> the format string "%02X"
0040153B|.C64424 0C 00mov byte ptr ss:,0 ; terminator
00401540|.7E 34 jle short CrackMe.00401576 ; empty name: skip the loop and write nothing, so the caller compares whatever the buffer already held (its initialisation is not visible in the excerpt)
00401542|.55 push ebp
00401543|.8B2D C8314000 mov ebp,dword ptr ds:[<&MSVCRT.sprintf>] ;msvcrt.sprintf
00401549|.56 push esi
0040154A|.8B7424 20 mov esi,dword ptr ss: ; esi = [esp+20] = arg2, the output write position
0040154E|.8BF9 mov edi,ecx ; edi = remaining byte count
00401550|>33C0 /xor eax,eax
00401552|.8A03 |mov al,byte ptr ds: ; al = next byte of the user name, zero-extended (a two-byte GBK character is processed as two separate bytes)
00401554|.8D0440 |lea eax,dword ptr ds: ; eax = eax * 3
00401557|.99 |cdq
00401558|.2BC2 |sub eax,edx ; compiler's signed-division rounding fix-up; a no-op here because eax is never negative
0040155A|.D1F8 |sar eax,1 ; eax = (byte * 3) / 2
0040155C|.25 FF000000 |and eax,0FF ; keep the low byte so "%02X" prints exactly two digits
00401561|.50 |push eax
00401562|.8D4424 14 |lea eax,dword ptr ss: ; &"%02X" (the local built above)
00401566|.50 |push eax
00401567|.56 |push esi ; destination
00401568|.FFD5 |call ebp ; sprintf(esi, "%02X", eax)
0040156A|.83C4 0C |add esp,0C
0040156D|.83C6 02 |add esi,2 ; two characters written per input byte
00401570|.43 |inc ebx ; next input byte
00401571|.4F |dec edi
00401572|.^ 75 DC \jnz short CrackMe.00401550
00401574|.5E pop esi
00401575|.5D pop ebp
00401576|>5F pop edi
00401577|.5B pop ebx
00401578|.83C4 08 add esp,8
0040157B\.C3 retn
6、算法部分:对用户名的每一个字节(汉字在 GBK 下占两个字节,按字节分别处理),取其 ASCII 值乘以 3,结果右移一位,再与 0xFF 相与,按 "%02X" 格式化成两位大写十六进制,最后依次拼接。整个变换只依赖用户名本身,没有任何密钥,所以注册机可以原样复现。另外 sprintf 的目标缓冲区 [ebp-11C] 的大小在反汇编里看不出来,每个输入字节要写 2 个字符,用户名过长时是否会溢出这个栈缓冲区值得留意。
7、下面给出 Delphi 的注册机源码(string 按 Delphi 7 的 AnsiString 处理,逐字节计算才能与目标一致)
用户名:小试锋芒(GBK 字节 D0 A1 CA D4 B7 E6 C3 A2)
注册码:38F12F3E125924F3
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, Menus, jpeg, ExtCtrls, Buttons;
type
{ The keygen's form. The control names below are bound to the .dfm
  resource ({$R *.dfm} in the implementation), so they must keep these names. }
TForm1 = class(TForm)
img1: TImage;
grp1: TGroupBox;
lbl1: TLabel;
Edit1: TEdit; { user-name input; cleared on click }
lbl3: TLabel;
btn1: TBitBtn; { generate button; its OnClick fills Edit2 }
lbl2: TLabel;
Edit2: TEdit; { output: the generated registration code }
procedure Edit1Click(Sender: TObject);
procedure btn1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1; { global form instance; normally auto-created by the project file }
implementation
{$R *.dfm}
{ Clears the user-name box when it is clicked. }
procedure TForm1.Edit1Click(Sender: TObject);
begin
Edit1.Clear;
end;
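procedure TForm1.btn1Click(Sender: TObject);
{ Generates the registration code for the name in Edit1 and shows it in Edit2.
  Mirrors the target's routine at 00401510: every BYTE b of the name becomes
  ((b * 3) shr 1) and $FF, printed as two upper-case hex digits ("%02X"), in
  order. An empty name yields an empty code, matching the target's jle skip.
  The posted `Byte(Name)` had lost its `[j]` index in extraction and does not
  compile; the per-character index is restored. The inline asm (sar/and) is
  replaced by equivalent Pascal: the value is never negative, so `sar eax,1`
  is exactly `shr 1`.
  Assumes `string` is an AnsiString (Delphi 7 era) in the target's code page,
  so one GBK character contributes two bytes:
  "小试锋芒" = D0 A1 CA D4 B7 E6 C3 A2 -> 38F12F3E125924F3.
  On a UnicodeString compiler convert to AnsiString first, otherwise
  Byte(UserName[Idx]) takes the low byte of a UTF-16 code unit and the
  result differs from the target. }
var
  Idx: Integer;
  Mapped: Integer;
  UserName, RegCode: string;
begin
  UserName := Edit1.Text;
  RegCode := '';
  for Idx := 1 to Length(UserName) do
  begin
    { (b * 3) shr 1, then keep the low byte -- the target's "and eax,0FF"
      before sprintf, so IntToHex always emits exactly two digits }
    Mapped := ((Byte(UserName[Idx]) * 3) shr 1) and $FF;
    RegCode := RegCode + IntToHex(Mapped, 2);
  end;
  Edit2.Text := RegCode;
end;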
end.