CM是什么?Crackme是什么?这是什么东西?楼主发的什么?
他们都是一些公开给别人尝试破解的小程序。制作 Crackme 的人可能是程序员,想测试一下自己的软件保护技术;也可能是一位 Cracker,想挑战一下其它 Cracker 的破解实力;也可能是一些正在学习破解的人,自己编一些小程序给自己破解。KeyGenMe 是要求别人做出它的 keygen (序号产生器), ReverseMe 要求别人把它的算法做出逆向分析, UnpackMe 是要求别人把它成功脱壳。本版块禁止回复与技术无关的水贴。
今天看了下这个CrackMe,有点时间,简单地写一下破文.
此CrackMe有线程断点检测,而注册验证采用消息的方式,且消息ID通过RegisterWindowMessage函数获得,增加了一点隐蔽性
不过感觉算法有点怪怪的,也不知道是BUG,还是传说中的迷魂汤,用户名没有用到...
00401490 >/$ 60 pushad //DLL入口函数,对EXE文件入口做断点检测(比较两处各16字节,不一致则进入死循环),返回为1就OK了
00401491 |. 9C pushfd
00401492 |. E8 00000000 call 00401497 ; 00401497
00401497 |$ 58 pop eax
00401498 |. 05 E9110000 add eax, 11E9
0040149D |. 33C9 xor ecx, ecx
0040149F |. 90 nop
004014A0 |. 90 nop
004014A1 |. 90 nop
004014A2 |. 8BD8 mov ebx, eax
004014A4 |. 2D EB100000 sub eax, 10EB
004014A9 |. 8BD0 mov edx, eax
004014AB |. 90 nop
004014AC |. 90 nop
004014AD |> 33C0 /xor eax, eax
004014AF |. 8A0411 |mov al, [ecx+edx]
004014B2 |. 8A2419 |mov ah, [ecx+ebx]
004014B5 |. 3AC4 |cmp al, ah
004014B7 |. 75 0E |jnz short 004014C7 ; 004014C7
004014B9 |. 41 |inc ecx
004014BA |. 83F9 10 |cmp ecx, 10
004014BD |.^ 75 EE \jnz short 004014AD ; 004014AD
004014BF |. 9D popfd
004014C0 |. 61 popad
004014C1 |. 33C0 xor eax, eax
004014C3 |. 40 inc eax
004014C4 |. C2 0C00 retn 0C
004014C7 |> 90 nop
004014C8 |. 90 nop
004014C9 |. 90 nop
004014CA |. 90 nop
004014CB \>- EB FE jmp short 004014CB ; 004014CB
00401230 55 push ebp //断点检测函数(逐项检查表中各地址处的代码字节是否为 0xCC,即 INT3 软件断点);直接改RETN
00401231 |. 8BEC mov ebp, esp
00401233 |. 83EC 1C sub esp, 1C
00401236 |. 53 push ebx
00401237 |. 56 push esi
00401238 |. 57 push edi
00401239 |. FF15 1C904000 call [40901C] ; [GetCurrentProcess
0040123F |. 8945 FC mov [ebp-4], eax
00401242 |. 6A 20 push 20 ; /HeapSize = 20 (32.)
00401244 |. 6A 08 push 8 ; |Flags = HEAP_ZERO_MEMORY
00401246 |. FF15 88904000 call [409088] ; |[GetProcessHeap
0040124C |. 50 push eax ; |hHeap
0040124D |. FF15 8C904000 call [40908C] ; \HeapAlloc
00401253 |. 8945 F0 mov [ebp-10], eax
00401256 |. C745 F4 00000>mov dword ptr [ebp-C], 0
0040125D |. C745 F8 00000>mov dword ptr [ebp-8], 0
00401264 |> 837D F8 11 /cmp dword ptr [ebp-8], 11
00401268 |. 0F8D C8000000 |jge 00401336 ; 00401336
0040126E |. 8B45 F8 |mov eax, [ebp-8]
00401271 |. 8B0D E0CD4000 |mov ecx, [40CDE0]
00401277 |. 8B1481 |mov edx, [ecx+eax*4]
0040127A |. 8955 E4 |mov [ebp-1C], edx
0040127D |. C745 E8 00000>|mov dword ptr [ebp-18], 0
00401284 |. 8D45 E8 |lea eax, [ebp-18]
00401287 |. 50 |push eax ; /pOldProtect
00401288 |. 6A 40 |push 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
0040128A |. 6A 20 |push 20 ; |Size = 20 (32.)
0040128C |. 8B4D E4 |mov ecx, [ebp-1C] ; |
0040128F |. 83E9 0A |sub ecx, 0A ; |
00401292 |. 51 |push ecx ; |Address
00401293 |. FF15 90904000 |call [409090] ; \VirtualProtect
00401299 |. 8D55 E8 |lea edx, [ebp-18]
0040129C |. 52 |push edx ; /pBytesRead
0040129D |. 6A 10 |push 10 ; |BytesToRead = 10 (16.)
0040129F |. 8B45 F0 |mov eax, [ebp-10] ; |
004012A2 |. 50 |push eax ; |Buffer
004012A3 |. 8B4D E4 |mov ecx, [ebp-1C] ; |
004012A6 |. 83E9 0A |sub ecx, 0A ; |
004012A9 |. 51 |push ecx ; |pBaseAddress
004012AA |. 8B55 FC |mov edx, [ebp-4] ; |
004012AD |. 52 |push edx ; |hProcess
004012AE |. FF15 18904000 |call [409018] ; \ReadProcessMemory
004012B4 |. FF15 14904000 |call [409014] ; [GetLastError
004012BA |. 8945 EC |mov [ebp-14], eax
004012BD |. 837D EC 00 |cmp dword ptr [ebp-14], 0
004012C1 |. 75 0B |jnz short 004012CE ; 004012CE
004012C3 |. 8B45 F0 |mov eax, [ebp-10]
004012C6 |. 0FB648 01 |movzx ecx, byte ptr [eax+1]
004012CA |. 85C9 |test ecx, ecx
004012CC |. 75 19 |jnz short 004012E7 ; 004012E7
004012CE |> 8B55 F8 |mov edx, [ebp-8]
004012D1 |. A1 E0CD4000 |mov eax, [40CDE0]
004012D6 |. 8B0C90 |mov ecx, [eax+edx*4]
004012D9 |. 894D E4 |mov [ebp-1C], ecx
004012DC |. 8B55 E4 |mov edx, [ebp-1C]
004012DF |. 83C2 01 |add edx, 1
004012E2 |. 8955 E4 |mov [ebp-1C], edx
004012E5 |. EB 0F |jmp short 004012F6 ; 004012F6
004012E7 |> 8B45 F0 |mov eax, [ebp-10]
004012EA |. 8945 E4 |mov [ebp-1C], eax
004012ED |. 8B4D E4 |mov ecx, [ebp-1C]
004012F0 |. 83C1 0B |add ecx, 0B
004012F3 |. 894D E4 |mov [ebp-1C], ecx
004012F6 |> 60 |pushad
004012F7 |. 9C |pushfd
004012F8 |. 33C0 |xor eax, eax
004012FA |. 33C9 |xor ecx, ecx
004012FC |. 8B45 E4 |mov eax, [ebp-1C]
004012FF |> 83EC 04 |/sub esp, 4
00401302 |. 890424 ||mov [esp], eax
00401305 |. 3E:8A00 ||mov al, [eax]
00401308 |. 2C 66 ||sub al, 66
0040130A |. 3C 66 ||cmp al, 66
0040130C |. 75 10 ||jnz short 0040131E ; 0040131E
0040130E |. 8BC4 ||mov eax, esp
00401310 |. 83C0 04 ||add eax, 4
00401313 |. 3E:8B00 ||mov eax, [eax]
00401316 |. 50 ||push eax
00401317 |. B8 E0114000 ||mov eax, 4011E0
0040131C |. FFE0 ||jmp eax
0040131E |> 58 ||pop eax
0040131F |. 41 ||inc ecx
00401320 |. 48 ||dec eax
00401321 |. 83F9 0B ||cmp ecx, 0B
00401324 |.^ 75 D9 |\jnz short 004012FF ; 004012FF
00401326 |. 9D |popfd
00401327 |. 61 |popad
00401328 |. 8B55 F8 |mov edx, [ebp-8]
0040132B |. 83C2 01 |add edx, 1
0040132E |. 8955 F8 |mov [ebp-8], edx
00401331 |.^ E9 2EFFFFFF \jmp 00401264 ; 00401264
00401336 |> 8B45 F0 mov eax, [ebp-10]
00401339 |. 50 push eax ; /pMemory
0040133A |. 6A 01 push 1 ; |Flags = HEAP_NO_SERIALIZE
0040133C |. FF15 88904000 call [409088] ; |[GetProcessHeap
00401342 |. 50 push eax ; |hHeap
00401343 |. FF15 48904000 call [409048] ; \HeapFree
00401349 |. 32C0 xor al, al
0040134B |. 5F pop edi
0040134C |. 5E pop esi
0040134D |. 5B pop ebx
0040134E |. 8BE5 mov esp, ebp
00401350 |. 5D pop ebp
00401351 \. C3 retn
00402040 |> \3D 11010000 cmp eax, 111 //按下注册按钮,开始取输入数据
00402045 |.^ 0F85 9FFEFFFF jnz 00401EEA ; 00401EEA
0040204B |. 81FF E9030000 cmp edi, 3E9 ; Case 111 (WM_COMMAND) of switch 00401E55
00402051 |. 0F85 B2000000 jnz 00402109 ; 00402109
00402057 |. 8B15 F0CD4000 mov edx, [40CDF0]
0040205D |. 68 00040000 push 400
00402062 |. 6A 00 push 0
00402064 |. 52 push edx
00402065 |. E8 06040000 call 00402470 //清Buffer
0040206A |. 8B35 64914000 mov esi, [409164] ; USER32.GetDlgItem
00402070 |. 68 EA030000 push 3EA
00402075 |. 6A 02 push 2
00402077 |. 56 push esi
00402078 |. E8 13F7FFFF call 00401790 //取用户名控件(貌似有BUG?和下面取注册码控件的调用相比少压了一个主窗口句柄,所以取不到控件?)
0040207D |. 8B0D F0CD4000 mov ecx, [40CDF0]
00402083 |. 8B3D 68914000 mov edi, [409168] ; USER32.GetWindowTextA
00402089 |. 68 00040000 push 400
0040208E |. 51 push ecx
0040208F |. 50 push eax
00402090 |. 6A 03 push 3
00402092 |. 57 push edi
00402093 |. E8 F8F6FFFF call 00401790 //取用户名文本
00402098 |. 8B15 F4CD4000 mov edx, [40CDF4]
0040209E |. 68 00040000 push 400
004020A3 |. 6A 00 push 0
004020A5 |. 52 push edx
004020A6 |. E8 C5030000 call 00402470 //清Buffer
004020AB |. 8B5D 08 mov ebx, [ebp+8]
004020AE |. 68 EC030000 push 3EC
004020B3 |. 53 push ebx
004020B4 |. 6A 02 push 2
004020B6 |. 56 push esi
004020B7 |. E8 D4F6FFFF call 00401790 //取注册码控件
004020BC |. 8B0D F4CD4000 mov ecx, [40CDF4]
004020C2 |. 83C4 48 add esp, 48
004020C5 |. 68 00040000 push 400
004020CA |. 51 push ecx
004020CB |. 50 push eax
004020CC |. 6A 03 push 3
004020CE |. 57 push edi
004020CF |. E8 BCF6FFFF call 00401790 //取注册码文本
004020D4 |. 8B15 F0CD4000 mov edx, [40CDF0] ; |
004020DA |. A1 F4CD4000 mov eax, [40CDF4] ; |
004020DF |. 0FB70D 00C040>movzx ecx, word ptr [40C000] ; |
004020E6 |. 52 push edx ; |Arg6 => 005D0978
004020E7 |. 8B15 6C914000 mov edx, [40916C] ; |USER32.PostMessageA
004020ED |. 50 push eax ; |Arg5 => 005D0D80
004020EE |. 51 push ecx ; |Arg4
004020EF |. 53 push ebx ; |Arg3
004020F0 |. 6A 04 push 4 ; |Arg2 = 00000004
004020F2 |. 52 push edx ; |Arg1 => 76BF3BAA
004020F3 |. E8 88F9FFFF call 00401A80 //发送已输入消息
004020F8 |. 83C4 2C add esp, 2C
004020FB |. 5F pop edi
004020FC |. 5E pop esi
004020FD |. B8 01000000 mov eax, 1
00402102 |. 5B pop ebx
00402103 |. 8BE5 mov esp, ebp
00402105 |. 5D pop ebp
00402106 |. C2 1000 retn 10
00401EEA |> 0FB70D 00C040>movzx ecx, word ptr [40C000] //收到已输入消息,开始计算
00401EF1 |. |3BC1 cmp eax, ecx
00401EF3 |. |0F85 85020000 jnz 0040217E ; 0040217E
00401EF9 |. |68 00080000 push 800
00401EFE |. |8D95 9CF7FFFF lea edx, [ebp-864]
00401F04 |. |6A 00 push 0
00401F06 |. |52 push edx
00401F07 |. |E8 64050000 call 00402470 //清Buffer
00401F0C |. |A1 F0CD4000 mov eax, [40CDF0]
00401F11 |. |8B1D 28904000 mov ebx, [409028] ; kernel32.lstrcatA
00401F17 |. |83C4 0C add esp, 0C
00401F1A |. |50 push eax ; /StringToAdd => ""
00401F1B |. |8D8D 9CF7FFFF lea ecx, [ebp-864] ; |
00401F21 |. |51 push ecx ; |ConcatString
00401F22 |. |FFD3 call ebx ; \lstrcatA
00401F24 |. |8B15 F4CD4000 mov edx, [40CDF4]
00401F2A |. |52 push edx ; /StringToAdd => "JustDoYouBest"
00401F2B |. |8D85 9CF7FFFF lea eax, [ebp-864] ; |
00401F31 |. |50 push eax ; |ConcatString
00401F32 |. |FFD3 call ebx ; \lstrcatA
00401F34 |. |8D8D 9CF7FFFF lea ecx, [ebp-864] //Buffer = 用户名 + 注册码
00401F3A |. |51 push ecx ; /Arg1
00401F3B |. |E8 20F4FFFF call 00401360 //调用计算函数,传入 用户名 + 注册码
00401F40 |. |83C4 04 add esp, 4
00401F43 |. |3D 2C131512 cmp eax, 1215132C //结果为0x1215132C则成功
00401F48 |. |0F85 C6010000 jnz 00402114 ; 00402114
00401F4E |. |8B15 40924000 mov edx, [409240]
00401F54 |. |A1 44924000 mov eax, [409244]
00401F59 |. |8A0D 48924000 mov cl, [409248]
00401F5F |. |2B7D 14 sub edi, [ebp+14]
00401F62 |. |8955 F4 mov [ebp-C], edx
00401F65 |. |8945 F8 mov [ebp-8], eax
00401F68 |. |0FBED2 movsx edx, dl
00401F6B |. |8D45 F4 lea eax, [ebp-C]
00401F6E |. |50 push eax
00401F6F |. |884D FC mov [ebp-4], cl
00401F72 |. |8B0D 58914000 mov ecx, [409158] ; USER32.RegisterWindowMessageA
00401F78 |. |33FA xor edi, edx
00401F7A |. |6A 01 push 1
00401F7C |. |81F7 66660000 xor edi, 6666
00401F82 |. |51 push ecx
00401F83 |. |897D F4 mov [ebp-C], edi
00401F86 |. |E8 05F8FFFF call 00401790 //注册成功消息ID
00401F8B |. |03C7 add eax, edi
00401F8D |. |6A 00 push 0
00401F8F |. |66:A3 04C0400>mov [40C004], ax
00401F95 |. |57 push edi
00401F96 |. |E9 C0010000 jmp 0040215B ; 0040215B
0040215B |> \0FB7D0 movzx edx, ax ; |
0040215E |. A1 6C914000 mov eax, [40916C] ; |
00402163 |. 52 push edx ; |Arg4
00402164 |. 56 push esi ; |Arg3
00402165 |. 6A 04 push 4 ; |Arg2 = 00000004
00402167 |. 50 push eax ; |Arg1 => 76BF3BAA
00402168 |. E8 13F9FFFF call 00401A80 //发送注册成功消息
0040216D |. 83C4 24 add esp, 24
00402170 |. 5F pop edi
00402171 |. 5E pop esi
00402172 |. B8 01000000 mov eax, 1
00402177 |. 5B pop ebx
00402178 |. 8BE5 mov esp, ebp
0040217A |. 5D pop ebp
0040217B |. C2 1000 retn 10
0040217E |> \0FB70D 04C040>movzx ecx, word ptr [40C004] //收到注册成功消息
00402185 |. 3BC1 cmp eax, ecx
00402187 |. 75 5E jnz short 004021E7 ; 004021E7
00402189 |. 6A 10 push 10 ; /HeapSize = 10 (16.)
0040218B |. 6A 08 push 8 ; |Flags = HEAP_ZERO_MEMORY
0040218D |. BE D9E8A2CC mov esi, CCA2E8D9 ; |
00402192 |. BF ACE7A688 mov edi, 88A6E7AC ; |
00402197 |. 33DB xor ebx, ebx ; |
00402199 |. FF15 88904000 call [409088] ; |[GetProcessHeap
0040219F |. 50 push eax ; |hHeap
004021A0 |. FF15 8C904000 call [40908C] ; \HeapAlloc
004021A6 |. 8B55 EC mov edx, [ebp-14]
004021A9 |. 53 push ebx
004021AA |. 8930 mov [eax], esi
004021AC |. 68 1E924000 push 40921E
004021B1 |. 8978 04 mov [eax+4], edi
004021B4 |. 50 push eax
004021B5 |. 8958 08 mov [eax+8], ebx
004021B8 |. 53 push ebx
004021B9 |. 8950 0C mov [eax+C], edx
004021BC |. E8 FFF3FFFF call 004015C0 //成功字串解码
004021C1 |. 53 push ebx ; |Arg8
004021C2 |. 53 push ebx ; |Arg7
004021C3 |. 50 push eax ; |Arg6
004021C4 |. A1 2C904000 mov eax, [40902C] ; |
004021C9 |. 68 90104000 push 401090 ; |Arg5 = 00401090
004021CE |. 53 push ebx ; |Arg4
004021CF |. 53 push ebx ; |Arg3
004021D0 |. 6A 06 push 6 ; |Arg2 = 00000006
004021D2 |. 50 push eax ; |Arg1 => 74F434A5
004021D3 |. E8 B8F5FFFF call 00401790 //显示字串
004021D8 |. 83C4 30 add esp, 30
004021DB |. 5F pop edi
004021DC |. 5E pop esi
004021DD |. 8D43 01 lea eax, [ebx+1]
004021E0 |. 5B pop ebx
004021E1 |. 8BE5 mov esp, ebp
004021E3 |. 5D pop ebp
004021E4 |. C2 1000 retn 10
004015C0 /$ 55 push ebp //解码串函数
004015C1 |. 8BEC mov ebp, esp
004015C3 |. 81EC 00080000 sub esp, 800
004015C9 |. 53 push ebx
004015CA |. 56 push esi
004015CB |. 57 push edi
004015CC |. 8B3D 88904000 mov edi, [409088] ; kernel32.GetProcessHeap
004015D2 |. 6A 08 push 8 ; /HeapSize = 8
004015D4 |. 6A 08 push 8 ; |Flags = HEAP_ZERO_MEMORY
004015D6 |. FFD7 call edi ; |[GetProcessHeap
004015D8 |. 8B1D 8C904000 mov ebx, [40908C] ; |ntdll.RtlAllocateHeap
004015DE |. 50 push eax ; |hHeap
004015DF |. FFD3 call ebx ; \HeapAlloc
004015E1 |. 6A 10 push 10 ; /HeapSize = 10 (16.)
004015E3 |. 8BF0 mov esi, eax ; |
004015E5 |. 6A 08 push 8 ; |Flags = HEAP_ZERO_MEMORY
004015E7 |. C706 04000000 mov dword ptr [esi], 4 ; |
004015ED |. FFD7 call edi ; |[GetProcessHeap
004015EF |. 50 push eax ; |hHeap
004015F0 |. FFD3 call ebx ; \HeapAlloc
004015F2 |. 8B4D 08 mov ecx, [ebp+8]
004015F5 |. 8B7D 0C mov edi, [ebp+C]
004015F8 |. 8946 04 mov [esi+4], eax
004015FB |. 8908 mov [eax], ecx
004015FD |. 8B56 04 mov edx, [esi+4]
00401600 |. 8B4D 10 mov ecx, [ebp+10]
00401603 |. 897A 04 mov [edx+4], edi
00401606 |. 8B46 04 mov eax, [esi+4]
00401609 |. 8948 08 mov [eax+8], ecx
0040160C |. 8B56 04 mov edx, [esi+4]
0040160F |. 8B45 14 mov eax, [ebp+14]
00401612 |. 68 00080000 push 800
00401617 |. 8D8D 00F8FFFF lea ecx, [ebp-800]
0040161D |. 6A 00 push 0
0040161F |. 51 push ecx
00401620 |. 8942 0C mov [edx+C], eax
00401623 |. E8 480E0000 call 00402470 //清Buffer
00401628 |. 8B15 F4CD4000 mov edx, [40CDF4]
0040162E |. 8B1D 28904000 mov ebx, [409028] ; kernel32.lstrcatA
00401634 |. 83C4 0C add esp, 0C
00401637 |. 52 push edx ; /StringToAdd => "JustDoYouBest"
00401638 |. 8D85 00F8FFFF lea eax, [ebp-800] ; |
0040163E |. 50 push eax ; |ConcatString
0040163F |. FFD3 call ebx ; \lstrcatA
00401641 |. 8B0D F0CD4000 mov ecx, [40CDF0]
00401647 |. 51 push ecx ; /StringToAdd => ""
00401648 |. 8D95 00F8FFFF lea edx, [ebp-800] ; |
0040164E |. 52 push edx ; |ConcatString
0040164F |. FFD3 call ebx ; \lstrcatA
00401651 |. 8D85 00F8FFFF lea eax, [ebp-800] //Buffer = 注册码 + 用户名
00401657 |. 50 push eax ; /Arg1
00401658 |. E8 03FDFFFF call 00401360 //调用计算函数
0040165D |. 83C4 04 add esp, 4
00401660 |. 3D 2C131512 cmp eax, 1215132C //计算正确否
00401665 |. 75 07 jnz short 0040166E ; 0040166E
00401667 |. B8 1F2E1F2E mov eax, 2E1F2E1F //正确则装载解密的KEY
0040166C |. EB 0F jmp short 0040167D ; 0040167D
0040166E |> 8D8D 00F8FFFF lea ecx, [ebp-800]
00401674 |. 51 push ecx ; /Arg1
00401675 |. E8 E6FCFFFF call 00401360 ; \CrackMe.00401360
0040167A |. 83C4 04 add esp, 4
0040167D |> 33D2 xor edx, edx
0040167F |. 3917 cmp [edi], edx
00401681 |. 74 0E je short 00401691 ; 00401691
00401683 |. 8BCF mov ecx, edi
00401685 |> 3101 /xor [ecx], eax //XOR 解密
00401687 |. 42 |inc edx
00401688 |. 833C97 00 |cmp dword ptr [edi+edx*4], 0
0040168C |. 8D0C97 |lea ecx, [edi+edx*4]
0040168F |.^ 75 F4 \jnz short 00401685 ; 00401685
00401691 |> 5F pop edi
00401692 |. 8BC6 mov eax, esi
00401694 |. 5E pop esi
00401695 |. 5B pop ebx
00401696 |. 8BE5 mov esp, ebp
00401698 |. 5D pop ebp
00401699 \. C3 retn
00401360 /$ 55 push ebp //计算函数
00401361 |. 8BEC mov ebp, esp
00401363 |. 57 push edi
00401364 |. 8B7D 08 mov edi, [ebp+8]
00401367 |. 8BC7 mov eax, edi
00401369 |. 8D50 01 lea edx, [eax+1]
0040136C |. 8D6424 00 lea esp, [esp]
00401370 |> 8A08 /mov cl, [eax]
00401372 |. 40 |inc eax
00401373 |. 84C9 |test cl, cl
00401375 |.^ 75 F9 \jnz short 00401370 //取串长度
00401377 |. 2BC2 sub eax, edx
00401379 |. 83F8 04 cmp eax, 4
0040137C |. 73 05 jnb short 00401383 //要大于等于4
0040137E |. 33C0 xor eax, eax
00401380 |. 5F pop edi
00401381 |. 5D pop ebp
00401382 |. C3 retn
00401383 |> 807F 04 00 cmp byte ptr [edi+4], 0 //从第四个开始
00401387 |. 8D4F 04 lea ecx, [edi+4]
0040138A |. BA 66666666 mov edx, 66666666 //初值
0040138F |. 74 0E je short 0040139F ; 0040139F
00401391 |. 56 push esi
00401392 |. 8B37 mov esi, [edi] //取前四个
00401394 |. 8BC1 mov eax, ecx
00401396 |> 40 /inc eax
00401397 |. 33D6 |xor edx, esi
00401399 |. 8038 00 |cmp byte ptr [eax], 0 //多一个字符就多XOR一次,也就是说串长为单数时结果是0x66666666 XOR 前四个字符,为双数时结果就是0x66666666
0040139C |.^ 75 F8 \jnz short 00401396 ; 00401396
0040139E |. 5E pop esi
0040139F |> 8915 E4CD4000 mov [40CDE4], edx //保存结果
004013A5 |. 8A11 mov dl, [ecx]
004013A7 |. 84D2 test dl, dl
004013A9 |. 74 0B je short 004013B6 ; 004013B6
004013AB |. 8BC1 mov eax, ecx
004013AD |. 8D49 00 lea ecx, [ecx]
004013B0 |> 40 /inc eax
004013B1 |. 8038 00 |cmp byte ptr [eax], 0
004013B4 |.^ 75 FA \jnz short 004013B0 ; 004013B0
004013B6 |> B8 66666666 mov eax, 66666666
004013BB |. 84D2 test dl, dl
004013BD |. 74 0A je short 004013C9 ; 004013C9
004013BF |. 8B17 mov edx, [edi]
004013C1 |> 41 /inc ecx
004013C2 |. 33C2 |xor eax, edx
004013C4 |. 8039 00 |cmp byte ptr [ecx], 0 //同前面一样
004013C7 |.^ 75 F8 \jnz short 004013C1 ; 004013C1
004013C9 |> 5F pop edi
004013CA |. 5D pop ebp
004013CB \. C3 retn
由以上分析不难看出,由于没有取到用户名,所以能否注册成功与用户名无关
注册码需满足:前四个字符 XOR 0x66666666 == 0x1215132C 且长度为单数,就可注册成功
而 0x66666666 XOR 0x1215132C = 0x7473754A,即以 Just 开头且长度为单数的串都可以作为注册码
不过对于那个DLL偶有点迷惑,DLL文件入口已超出了ImageSize也还可以正常加载?
还请高人指点一下...