Kris
Posted on 2011-8-11 21:50
What is a CM? What is a Crackme? What is this thing? What did the OP post?
They are all small programs released publicly for others to try to crack. The person who makes a Crackme may be a programmer who wants to test their own software protection techniques, a cracker who wants to challenge the cracking skills of other crackers, or someone learning to crack who writes small programs to crack themselves. A KeyGenMe asks you to produce its keygen (serial generator), a ReverseMe asks you to reverse-engineer its algorithm, and an UnpackMe asks you to successfully unpack it. Non-technical, off-topic replies are forbidden in this board.
This post was last edited by Kris on 2011-8-11 22:57
[ Write-up title ] Key tracing + patching: 第一个Crackme (The First Crackme)
[ Write-up author ] Kris
[ Author e-mail ] ZzhEMail@Foxmail.Com
[ Cracking tools ] OD (OllyDbg), LordPE
[ Cracking platform ] Windows XP
[ Software name ] 第一个Crackme (The First Crackme)
[ Original download ] http://www.52pojie.cn/thread-101696-1-1.html
[ Cracking statement ] For technical exchange and learning only; if there is anything wrong in this tutorial, I hope everyone will correct it promptly!
Cracking process:
1.
Load the program into OD and run it, enter an arbitrary username and registration code and click OK. Nothing happens, so search for strings.
A key string is found.
Double-click to go to the assembly code and locate the start of the function, then set a breakpoint on its first instruction, because the code that references this string is very likely the button handler that checks whether the registration code is correct.
2.
After setting the breakpoint, click OK again and the debugger breaks here. Next comes the code analysis.
00401B80 /. 55 push ebp
00401B81 |. 8BEC mov ebp,esp
00401B83 |. 6A FF push -0x1
00401B85 |. 68 E33B5200 push crackme.00523BE3
00401B8A |. 64:A1 0000000>mov eax,dword ptr fs:[0]
00401B90 |. 50 push eax
00401B91 |. 83EC 18 sub esp,0x18
00401B94 |. 53 push ebx
00401B95 |. 56 push esi
00401B96 |. 57 push edi
00401B97 |. A1 10FE5600 mov eax,dword ptr ds:[0x56FE10]
00401B9C |. 33C5 xor eax,ebp
00401B9E |. 50 push eax
00401B9F |. 8D45 F4 lea eax,[local.3]
00401BA2 |. 64:A3 0000000>mov dword ptr fs:[0],eax
00401BA8 |. 8BF9 mov edi,ecx
00401BAA |. 897D DC mov [local.9],edi
00401BAD |. E8 8B520000 call crackme.00406E3D
00401BB2 |. 33C9 xor ecx,ecx
00401BB4 |. 33DB xor ebx,ebx
00401BB6 |. 3BC3 cmp eax,ebx
00401BB8 |. 0F95C1 setne cl
00401BBB |. 3BCB cmp ecx,ebx
00401BBD |. 75 0A jnz Xcrackme.00401BC9
00401BBF |. 68 05400080 push 0x80004005
00401BC4 |. E8 B7F9FFFF call crackme.00401580
00401BC9 |> 8B10 mov edx,dword ptr ds:[eax]
00401BCB |. 8BC8 mov ecx,eax
00401BCD |. 8B42 0C mov eax,dword ptr ds:[edx+0xC]
00401BD0 |. FFD0 call eax
00401BD2 |. 83C0 10 add eax,0x10
00401BD5 |. 8945 EC mov [local.5],eax
00401BD8 |. 895D FC mov [local.1],ebx
00401BDB |. E8 5D520000 call crackme.00406E3D
00401BE0 |. 33C9 xor ecx,ecx
00401BE2 |. 3BC3 cmp eax,ebx
00401BE4 |. 0F95C1 setne cl
00401BE7 |. 3BCB cmp ecx,ebx
00401BE9 |. 75 0A jnz Xcrackme.00401BF5
00401BEB |. 68 05400080 push 0x80004005
00401BF0 |. E8 8BF9FFFF call crackme.00401580
00401BF5 |> 8B10 mov edx,dword ptr ds:[eax]
00401BF7 |. 8BC8 mov ecx,eax
00401BF9 |. 8B42 0C mov eax,dword ptr ds:[edx+0xC]
00401BFC |. FFD0 call eax
00401BFE |. 83C0 10 add eax,0x10
00401C01 |. 8945 F0 mov [local.4],eax
00401C04 |. 8D4D EC lea ecx,[local.5]
00401C07 |. 51 push ecx
00401C08 |. 68 E8030000 push 0x3E8
00401C0D |. 8BCF mov ecx,edi
00401C0F |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00401C13 |. E8 69020100 call crackme.00411E81
00401C18 |. 8BC8 mov ecx,eax
00401C1A |. E8 BFE10000 call crackme.0040FDDE ; reads the username into the CString at [local.5] (its address was pushed at 00401C07)
00401C1F |. 8D55 F0 lea edx,[local.4]
00401C22 |. 52 push edx
00401C23 |. 68 E9030000 push 0x3E9
00401C28 |. 8BCF mov ecx,edi
00401C2A |. E8 52020100 call crackme.00411E81
00401C2F |. 8BC8 mov ecx,eax
00401C31 |. E8 A8E10000 call crackme.0040FDDE ; reads the registration code into the CString at [local.4]
00401C36 |. 6A 0C push 0xC
00401C38 |. E8 620A0000 call crackme.0040269F
00401C3D |. 8BF0 mov esi,eax
00401C3F |. 83C4 04 add esp,0x4
00401C42 |. 8975 E0 mov [local.8],esi
00401C45 |. C645 FC 02 mov byte ptr ss:[ebp-0x4],0x2
00401C49 |. 3BF3 cmp esi,ebx
00401C4B |. 74 18 je Xcrackme.00401C65
00401C4D |. 68 80075500 push crackme.00550780 ; ASCII "52pojie"
00401C52 |. 895E 04 mov dword ptr ds:[esi+0x4],ebx
00401C55 |. C746 08 01000>mov dword ptr ds:[esi+0x8],0x1
00401C5C |. E8 8F5E1100 call crackme.00517AF0 ; converts "52pojie" to Unicode, because the username and registration code just read are also Unicode
00401C61 |. 8906 mov dword ptr ds:[esi],eax
00401C63 |. EB 02 jmp Xcrackme.00401C67
00401C65 |> 33F6 xor esi,esi
00401C67 |> C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00401C6B |. 8975 E0 mov [local.8],esi
00401C6E |. 3BF3 cmp esi,ebx
00401C70 |. 75 0A jnz Xcrackme.00401C7C
00401C72 |. 68 0E000780 push 0x8007000E
00401C77 |. E8 545E1100 call crackme.00517AD0
00401C7C |> 8D45 E0 lea eax,[local.8]
00401C7F |. 50 push eax
00401C80 |. 8D4D E8 lea ecx,[local.6]
00401C83 |. C645 FC 03 mov byte ptr ss:[ebp-0x4],0x3
00401C87 |. 51 push ecx
00401C88 |. 8B4D EC mov ecx,[local.5]
00401C8B |. E8 20040000 call crackme.004020B0
00401C90 |. 83C4 08 add esp,0x8
00401C93 |. C645 FC 04 mov byte ptr ss:[ebp-0x4],0x4
00401C97 |. 8B00 mov eax,dword ptr ds:[eax]
00401C99 |. 3BC3 cmp eax,ebx
00401C9B |. 74 04 je Xcrackme.00401CA1
00401C9D |. 8B00 mov eax,dword ptr ds:[eax] ; at this point eax = username + 52pojie
00401C9F |. EB 02 jmp Xcrackme.00401CA3
00401CA1 |> 33C0 xor eax,eax
00401CA3 |> 50 push eax
00401CA4 |. 8D4D E4 lea ecx,[local.7]
00401CA7 |. E8 64060000 call crackme.00402310
00401CAC |. C645 FC 06 mov byte ptr ss:[ebp-0x4],0x6
00401CB0 |. 8B45 E8 mov eax,[local.6]
00401CB3 |. 3BC3 cmp eax,ebx
00401CB5 |. 8B1D 1C645200 mov ebx,dword ptr ds:[<&KERNEL32.Interlo>; kernel32.InterlockedDecrement
00401CBB |. 74 40 je Xcrackme.00401CFD
00401CBD |. 8BF8 mov edi,eax
00401CBF |. 83C0 08 add eax,0x8
00401CC2 |. 50 push eax ; /pVar
00401CC3 |. FFD3 call ebx ; \InterlockedDecrement
00401CC5 |. 85C0 test eax,eax
00401CC7 |. 75 2A jnz Xcrackme.00401CF3
00401CC9 |. 85FF test edi,edi
00401CCB |. 74 26 je Xcrackme.00401CF3
00401CCD |. 8B07 mov eax,dword ptr ds:[edi]
00401CCF |. 85C0 test eax,eax
00401CD1 |. 74 07 je Xcrackme.00401CDA
00401CD3 |. 50 push eax
00401CD4 |. FF15 80645200 call dword ptr ds:[<&OLEAUT32.#6>] ; OLEAUT32.SysFreeString
00401CDA |> 8B47 04 mov eax,dword ptr ds:[edi+0x4]
00401CDD |. 85C0 test eax,eax
00401CDF |. 74 09 je Xcrackme.00401CEA
00401CE1 |. 50 push eax
00401CE2 |. E8 E7090000 call crackme.004026CE
00401CE7 |. 83C4 04 add esp,0x4
00401CEA |> 57 push edi
00401CEB |. E8 DE090000 call crackme.004026CE
00401CF0 |. 83C4 04 add esp,0x4
00401CF3 |> 8B7D DC mov edi,[local.9]
00401CF6 |. C745 E8 00000>mov [local.6],0x0
00401CFD |> 8D56 08 lea edx,dword ptr ds:[esi+0x8]
00401D00 |. 52 push edx
00401D01 |. C645 FC 07 mov byte ptr ss:[ebp-0x4],0x7
00401D05 |. FFD3 call ebx
00401D07 |. 85C0 test eax,eax
00401D09 |. 75 26 jnz Xcrackme.00401D31
00401D0B |. 8B06 mov eax,dword ptr ds:[esi]
00401D0D |. 85C0 test eax,eax
00401D0F |. 74 07 je Xcrackme.00401D18
00401D11 |. 50 push eax
00401D12 |. FF15 80645200 call dword ptr ds:[<&OLEAUT32.#6>] ; OLEAUT32.SysFreeString
00401D18 |> 8B46 04 mov eax,dword ptr ds:[esi+0x4]
00401D1B |. 85C0 test eax,eax
00401D1D |. 74 09 je Xcrackme.00401D28
00401D1F |. 50 push eax
00401D20 |. E8 A9090000 call crackme.004026CE
00401D25 |. 83C4 04 add esp,0x4
00401D28 |> 56 push esi
00401D29 |. E8 A0090000 call crackme.004026CE
00401D2E |. 83C4 04 add esp,0x4
00401D31 |> 8B75 E4 mov esi,[local.7]
00401D34 |. 33C0 xor eax,eax
00401D36 |. 85F6 test esi,esi
00401D38 |. 0F95C0 setne al
00401D3B |. 85C0 test eax,eax
00401D3D |. 75 0A jnz Xcrackme.00401D49
00401D3F |. 68 05400080 push 0x80004005
00401D44 |. E8 37F8FFFF call crackme.00401580
00401D49 |> 8B45 F0 mov eax,[local.4]
00401D4C |. 8BCE mov ecx,esi
00401D4E |. 8BFF mov edi,edi
00401D50 |> 66:8B10 /mov dx,word ptr ds:[eax] ; dx = one character (UTF-16 word) of the registration code
00401D53 |. 66:3B11 |cmp dx,word ptr ds:[ecx] ; word [ecx] = the corresponding character of username+52pojie
00401D56 |. 75 1E |jnz Xcrackme.00401D76 ; jump away if they differ
00401D58 |. 66:85D2 |test dx,dx
00401D5B |. 74 15 |je Xcrackme.00401D72
00401D5D |. 66:8B50 02 |mov dx,word ptr ds:[eax+0x2]
00401D61 |. 66:3B51 02 |cmp dx,word ptr ds:[ecx+0x2]
00401D65 |. 75 0F |jnz Xcrackme.00401D76 ; these three instructions repeat the comparison for the next character
00401D67 |. 83C0 04 |add eax,0x4
00401D6A |. 83C1 04 |add ecx,0x4
00401D6D |. 66:85D2 |test dx,dx
00401D70 |.^ 75 DE \jnz Xcrackme.00401D50 ; this loop shows that a correct key must satisfy: registration code = username + 52pojie
00401D72 |> 33C0 xor eax,eax
00401D74 |. EB 05 jmp Xcrackme.00401D7B
00401D76 |> 1BC0 sbb eax,eax
00401D78 |. 83D8 FF sbb eax,-0x1
00401D7B |> 85C0 test eax,eax
00401D7D |. 0F94C0 sete al
00401D80 |. 84C0 test al,al
00401D82 |. 74 13 je Xcrackme.00401D97 ; key jump: not taken when the comparison above matched, taken otherwise, so NOPing it completes the patch
00401D84 |. 6A 00 push 0x0
00401D86 |. 6A 00 push 0x0
00401D88 |. 68 88075500 push crackme.00550788
00401D8D |. 8BCF mov ecx,edi
00401D8F |. E8 DFBC0000 call crackme.0040DA73
00401D94 |. 8B75 E4 mov esi,[local.7]
00401D97 |> 8D46 F0 lea eax,dword ptr ds:[esi-0x10]
00401D9A |. C645 FC 01 mov byte ptr ss:[ebp-0x4],0x1
00401D9E |. 8D48 0C lea ecx,dword ptr ds:[eax+0xC]
00401DA1 |. 83CA FF or edx,0xFFFFFFFF
00401DA4 |. F0:0FC111 lock xadd dword ptr ds:[ecx],edx
00401DA8 |. 4A dec edx
00401DA9 |. 85D2 test edx,edx
00401DAB |. 7F 0A jg Xcrackme.00401DB7
00401DAD |. 8B08 mov ecx,dword ptr ds:[eax]
00401DAF |. 8B11 mov edx,dword ptr ds:[ecx]
00401DB1 |. 50 push eax
00401DB2 |. 8B42 04 mov eax,dword ptr ds:[edx+0x4]
00401DB5 |. FFD0 call eax
00401DB7 |> C645 FC 00 mov byte ptr ss:[ebp-0x4],0x0
00401DBB |. 8B45 F0 mov eax,[local.4]
00401DBE |. 83C0 F0 add eax,-0x10
00401DC1 |. 8D48 0C lea ecx,dword ptr ds:[eax+0xC]
00401DC4 |. 83CA FF or edx,0xFFFFFFFF
00401DC7 |. F0:0FC111 lock xadd dword ptr ds:[ecx],edx
00401DCB |. 4A dec edx
00401DCC |. 85D2 test edx,edx
00401DCE |. 7F 0A jg Xcrackme.00401DDA
00401DD0 |. 8B08 mov ecx,dword ptr ds:[eax]
00401DD2 |. 8B11 mov edx,dword ptr ds:[ecx]
00401DD4 |. 50 push eax
00401DD5 |. 8B42 04 mov eax,dword ptr ds:[edx+0x4]
00401DD8 |. FFD0 call eax
00401DDA |> C745 FC FFFFF>mov [local.1],-0x1
00401DE1 |. 8B45 EC mov eax,[local.5]
00401DE4 |. 83C0 F0 add eax,-0x10
00401DE7 |. 8D48 0C lea ecx,dword ptr ds:[eax+0xC]
00401DEA |. 83CA FF or edx,0xFFFFFFFF
00401DED |. F0:0FC111 lock xadd dword ptr ds:[ecx],edx
00401DF1 |. 4A dec edx
00401DF2 |. 85D2 test edx,edx
00401DF4 |. 7F 0A jg Xcrackme.00401E00
00401DF6 |. 8B08 mov ecx,dword ptr ds:[eax]
00401DF8 |. 8B11 mov edx,dword ptr ds:[ecx]
00401DFA |. 50 push eax
00401DFB |. 8B42 04 mov eax,dword ptr ds:[edx+0x4]
00401DFE |. FFD0 call eax
00401E00 |> 8B4D F4 mov ecx,[local.3]
00401E03 |. 64:890D 00000>mov dword ptr fs:[0],ecx
00401E0A |. 59 pop ecx
00401E0B |. 5F pop edi
00401E0C |. 5E pop esi
00401E0D |. 5B pop ebx
00401E0E |. 8BE5 mov esp,ebp
00401E10 |. 5D pop ebp
00401E11 \. C3 retn
Cracking summary:
1. Find the key code through the string reference
2. Analyse the code and derive: username + 52pojie = registration code
3. Find the comparison code, then the key jump, and patch it
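Worked example (added here; it is not code from the original post or from the crackme's author) that reproduces both halves of the write-up in Python: the keygen that follows from summary item 2, a re-implementation of the UTF-16 compare loop at 00401D50 that checks a username/serial pair the way the crackme does, and, for item 3, a byte patch that NOPs the `je` at 00401D82 by searching the file image for the instruction bytes shown in the listing (84 C0 74 13 6A 00 6A 00 68 88 07 55 00). The function names, the constructed sample image and the assumption that the on-disk bytes equal the bytes OllyDbg displayed (i.e. the executable is not packed) are mine; the serial rule and the byte values come from the listing above.

```python
"""Keygen + patch helpers for 第一个Crackme (added example, not the post's own code).

From the listing: the registration code must equal username + "52pojie", compared
as UTF-16 code units by the inlined wcscmp loop at 00401D50; the `je` at 00401D82
(bytes 74 13) skips the success MessageBox when the two strings differ.
"""
from typing import List

SALT = "52pojie"  # the constant pushed at 00401C4D (ASCII "52pojie")


def make_serial(username: str) -> str:
    """Keygen: the only registration code the crackme accepts for this username."""
    return username + SALT


def _utf16_units(s: str) -> List[int]:
    """NUL-terminated list of 16-bit code units, i.e. what the `word ptr` reads see."""
    raw = s.encode("utf-16-le")
    return [int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2)] + [0]


def check_serial(username: str, serial: str) -> bool:
    """Emulates the compare loop at 00401D50-00401D7B.

    eax walks the registration code ([local.4]), ecx walks username+SALT ([local.7]).
    A mismatch jumps to 00401D76 (result +/-1 -> al = 0 -> je taken, no message);
    reaching the terminator in both strings gives 0 (al = 1 -> MessageBox shown).
    """
    a = _utf16_units(serial)
    b = _utf16_units(username + SALT)
    i = 0
    while True:
        if a[i] != b[i]:
            return False
        if a[i] == 0:
            return True
        i += 1


# Instruction bytes at 00401D80..00401D8C copied from the listing:
#   84 C0            test al,al
#   74 13            je   00401D97      <- the key jump
#   6A 00 / 6A 00    push 0 / push 0
#   68 88 07 55 00   push 00550788      (the success string)
KEY_JUMP_PATTERN = bytes.fromhex("84C074136A006A006888075500")
JE_OFFSET = 2          # "74 13" starts two bytes into the pattern
NOP2 = b"\x90\x90"     # two single-byte NOPs, same length as the je


def patch_key_jump(image: bytes) -> bytes:
    """Returns a copy of the PE file image with the key jump NOPed out.

    Matching the instruction bytes avoids converting VA 00401D82 to a file offset
    by hand; it assumes the on-disk code equals what OllyDbg displayed (no packer).
    Exactly one match is required so the patch can never land on the wrong bytes.
    """
    hits = image.count(KEY_JUMP_PATTERN)
    if hits != 1:
        raise ValueError(f"expected exactly one match of the key-jump pattern, found {hits}")
    pos = image.index(KEY_JUMP_PATTERN) + JE_OFFSET
    return image[:pos] + NOP2 + image[pos + len(NOP2):]


if __name__ == "__main__":
    user = "Kris"
    print(f"serial for {user!r}: {make_serial(user)!r}")
    print("check:", check_serial(user, make_serial(user)), check_serial(user, "wrong"))
    # Constructed stand-in for the real crackme.exe: filler bytes around the pattern.
    sample_image = b"\xCC" * 16 + KEY_JUMP_PATTERN + b"\xCC" * 16
    patched = patch_key_jump(sample_image)
    print("bytes at the je after patching:", patched[16 + JE_OFFSET:16 + JE_OFFSET + 2].hex())
```

Running the block prints the serial for a sample username and patches a constructed buffer that contains the pattern; to patch the real file, pass its contents to patch_key_jump, write the result to a copy, and confirm in OD that 00401D82 now shows two NOPs. Because the search demands exactly one match, it refuses to guess when the bytes are absent (for example in a packed build) or appear more than once.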