【软件名称】Bigman's Crackme6
分析:打开文件随便填上name和Serial点Check没反应,
没办法直接od下断点:GetDlgItemTextA和GetWindowTextA
点Check在GetDlgItemTextA处断下
在GetDlgItemTextA下一句下断!方便下一次调试
按ALT+F9回到程序领空。
来到此代码处:
00401528 |. 68 00010000 push 0x100 ; /Count = 100
(256.)
0040152D |. 8D85 00FFFFFF lea eax,[local.64] ; |
00401533 |. 50 push eax ; |Buffer
00401534 |. 6A 65 push 0x65 ; |ControlID = 65
(101.)
00401536 |. FF75 08 push [arg.1] ; |hWnd
00401539 |. E8 FA010000 call crackme6.00401738 ; \GetDlgItemTextA
0040153E 89C3 mov ebx,eax
00401540 09DB or ebx,ebx//name长度不能为0,为空直接死掉
00401542 |. 75 04 jnz Xcrackme6.00401548
00401544 |. 31C0 xor eax,eax
00401546 |. EB 50 jmp Xcrackme6.00401598
00401548 |> BF BC020000 mov edi,0x2BC
0040154D |. BE 30000000 mov esi,0x30
00401552 |. B8 48000000 mov eax,0x48
00401557 |. 99 cdq
00401558 |. F7FB idiv ebx ; 0x48/nameLen
0040155A |. 29C6 sub esi,eax ; 30-0x48/nameLen
0040155C |. 8D34B6 lea esi,dword ptr ds:[esi+esi*4] ; (30-
0x48/nameLen)*5
0040155F |. 29F7 sub edi,esi ; 2bc-((30-
0x48/nameLen)*5)
00401561 |. 6BFF 6B imul edi,edi,0x6B ; (2bc-(30-
0x48/nameLen)*5)*6b
00401564 |. 81EF 6CCF0000 sub edi,0xCF6C ; (2bc-(30-
0x48/nameLen)*5)*6b - cf6c
0040156A |. 81FF 00230000 cmp edi,0x2300
00401570 |. 7F 08 jg Xcrackme6.0040157A ; 判断edi是否在190和2300之间,否则失败。你懂的!
00401572 |. 81FF 90010000 cmp edi,0x190
00401578 |. 7D 04 jge Xcrackme6.0040157E
0040157A |> 31C0 xor eax,eax
0040157C |. EB 1A jmp Xcrackme6.00401598
0040157E |> 8D85 00FFFFFF lea eax,[local.64]
00401584 |. 50 push eax ; name//用户名地址
00401585 |. 53 push ebx ; nameLen用户名长度
00401586 |. FF75 08 push [arg.1]
00401589 |. E8 77FDFFFF call crackme6.00401305///////F7进入call
00401305 /$ 55 push ebp
00401306 |. 89E5 mov ebp,esp
00401308 |. 81EC 2C040000 sub esp,0x42C
0040130E |. 53 push ebx
0040130F |. 56 push esi
00401310 |. 57 push edi
00401311 |. 8DBD FCFEFFFF lea edi,[local.65] ; Serial//输入的序
列号,从后面的代码可以看出
00401317 |. 8D35 38204000 lea esi,dword ptr ds:[0x402038]
0040131D |. B9 40000000 mov ecx,0x40
00401322 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
00401324 |. 8DBD E1FBFFFF lea edi,dword ptr ss:[ebp-0x41F] ; MidSerial//中间生
成的序列号
0040132A |. 8D35 38214000 lea esi,dword ptr ds:[0x402138]
00401330 |. B9 40000000 mov ecx,0x40
00401335 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
00401337 |. 8DBD E1FDFFFF lea edi,dword ptr ss:[ebp-0x21F] ; buf3p[40]
0040133D |. 8D35 38224000 lea esi,dword ptr ds:[0x402238]
00401343 |. B9 40000000 mov ecx,0x40
00401348 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
0040134A |. 8DBD E1FCFFFF lea edi,dword ptr ss:[ebp-0x31F] ; buf4[40]
00401350 |. 8D35 38234000 lea esi,dword ptr ds:[0x402338]
00401356 |. B9 40000000 mov ecx,0x40
0040135B |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
0040135D |. 8DBD DCFBFFFF lea edi,[local.265] ; buf5[5]
00401363 |. 8D35 38244000 lea esi,dword ptr ds:[0x402438]
00401369 |. B9 05000000 mov ecx,0x5
0040136E |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
00401370 |. 8DBD D6FBFFFF lea edi,dword ptr ss:[ebp-0x42A] ; buf6[3] = "%s-%d"
00401376 |. 8D35 3D244000 lea esi,dword ptr ds:[0x40243D]
0040137C |. B9 03000000 mov ecx,0x3
00401381 |. F3:66:A5 rep movs word ptr es:[edi],word ptr ds:[>
00401384 |. 8DBD E1FEFFFF lea edi,dword ptr ss:[ebp-0x11F] ; char26[27] = 26个
大写的英文字母
0040138A |. 8D35 43244000 lea esi,dword ptr ds:[0x402443]
00401390 |. B9 1B000000 mov ecx,0x1B
00401395 |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
00401397 |. C745 FC 00000>mov [local.1],0x0
0040139E |. 68 00010000 push 0x100 ; /Count = 100
(256.)
004013A3 |. 8D85 E1FCFFFF lea eax,dword ptr ss:[ebp-0x31F] ; |
004013A9 |. 50 push eax ; |Buffer
004013AA |. 6A 66 push 0x66 ; |ControlID = 66
(102.)
004013AC |. FF75 08 push [arg.1] ; |hWnd
004013AF |. E8 84030000 call crackme6.00401738 ; \GetDlgItemTextA
004013B4 |. 09C0 or eax,eax ; 获取Serial
004013B6 |. 0F84 48010000 je crackme6.00401504
004013BC |. B8 CF110000 mov eax,0x11CF
004013C1 |. 0FB68D E1FCFF>movzx ecx,byte ptr ss:[ebp-0x31F] ; ecx = Serial[0];
004013C8 |. 99 cdq
004013C9 |. F7F9 idiv ecx
004013CB |. 83FA 17 cmp edx,0x17 ; 11cf%Serial[0]
==17不相等的话!你也是懂的
004013CE |. 74 07 je Xcrackme6.004013D7
004013D0 |. 31C0 xor eax,eax
004013D2 |. E9 2D010000 jmp crackme6.00401504
004013D7 |> 31DB xor ebx,ebx
004013D9 |. EB 0B jmp Xcrackme6.004013E6
004013DB |> 8B45 10 /mov eax,[arg.3]
004013DE |. 0FBE0418 |movsx eax,byte ptr ds:[eax+ebx]
004013E2 |. 0145 FC |add [local.1],eax ; sum = name累加(
把用户名的每个字节的ascii码累加)
004013E5 |. 43 |inc ebx
004013E6 |> 3B5D 0C cmp ebx,[arg.2]
004013E9 |.^ 7C F0 \jl Xcrackme6.004013DB
004013EB |. 31DB xor ebx,ebx
004013ED |. E9 83000000 jmp crackme6.00401475 ; for
(i=0;i<nameLen;++i)//一个for循环
004013F2 |> 8B55 10 /mov edx,[arg.3]
004013F5 |. 0FBE3C1A |movsx edi,byte ptr ds:[edx+ebx] ; name
004013F9 |. 8B75 FC |mov esi,[local.1] ; sum
004013FC |. 89D9 |mov ecx,ebx
004013FE |. C1E1 02 |shl ecx,0x2
00401401 |. 89DA |mov edx,ebx
00401403 |. 42 |inc edx
00401404 |. 29D1 |sub ecx,edx ; n = i*4-(i+1)
00401406 |. 0FB68C0D E1FE>|movzx ecx,byte ptr ss:[ebp+ecx-0x11F] ; 26个字母的第i*4-
(i+1)
0040140E |. 89FA |mov edx,edi
00401410 |. 31CA |xor edx,ecx ; name[n] xor
char26[i*4-(i+1)]
00401412 |. 89F1 |mov ecx,esi
00401414 |. 0FAFCB |imul ecx,ebx ; sum*i
00401417 |. 29F1 |sub ecx,esi ; sum*i-sum
00401419 |. 89CE |mov esi,ecx
0040141B |. 83F6 FF |xor esi,0xFFFFFFFF ; sum*i-sum xor -1
0040141E |. 8DB432 4D0100>|lea esi,dword ptr ds:[edx+esi+0x14D] ; esi = ((name
xor char26[i*4-(i+1)) + (sum*i-sum xor -1)) +0x14d
00401425 |. 8B4D 0C |mov ecx,[arg.2]
00401428 |. 89DA |mov edx,ebx ; ebx = i
0040142A |. 83C2 03 |add edx,0x3 ; i+3
0040142D |. 0FAFCA |imul ecx,edx ; nameLen*(i+3)
00401430 |. 0FAFCF |imul ecx,edi ; nameLen*(i+3)
*name
00401433 |. 89F0 |mov eax,esi
00401435 |. 01C8 |add eax,ecx ; alg = (nameLen*
(i+3)*name) + (((name xor char26[i*4-(i+1)) + (sum*i-sum xor -1)) +0x14d)
00401437 |. B9 0A000000 |mov ecx,0xA
0040143C |. 31D2 |xor edx,edx
0040143E |. F7F1 |div ecx
00401440 |. 83C2 30 |add edx,0x30 ; alg%a + 30
00401443 |. 88941D FCFEFF>|mov byte ptr ss:[ebp+ebx-0x104],dl ; midSerial =
alg%a + 30
0040144A |. 0FB6BC1D FCFE>|movzx edi,byte ptr ss:[ebp+ebx-0x104]
00401452 |. 81F7 ACAD0000 |xor edi,0xADAC
00401458 |. 89DE |mov esi,ebx
0040145A |. 83C6 02 |add esi,0x2 ; i+2
0040145D |. 89F8 |mov eax,edi
0040145F |. 0FAFC6 |imul eax,esi ; midSerial xor
ADAC *(i+2)
00401462 |. B9 0A000000 |mov ecx,0xA
00401467 |. 99 |cdq
00401468 |. F7F9 |idiv ecx
0040146A |. 83C2 30 |add edx,0x30 ; (midSerial xor
ADAC *(i+2))%a
0040146D |. 88941D FCFEFF>|mov byte ptr ss:[ebp+ebx-0x104],dl
00401474 |. 43 |inc ebx
00401475 |> 3B5D 0C cmp ebx,[arg.2]
00401478 |.^ 0F8C 74FFFFFF \jl crackme6.004013F2 ; 一系列的运算得到
中间注册码(根据name)算法我基本上已经写的很清楚了!
0040147E |. 8D85 FCFEFFFF lea eax,[local.65] ; 中间注册码
00401484 |. 50 push eax
00401485 |. 6A 54 push 0x54 ; T
00401487 |. 8D85 DCFBFFFF lea eax,[local.265] ; wsprintf(s,"%c
%s",'T',midSerial);
0040148D |. 50 push eax ; |Format
0040148E |. 8D85 E1FBFFFF lea eax,dword ptr ss:[ebp-0x41F] ; |
00401494 |. 50 push eax ; |TmidSerial
00401495 |. E8 CE020000 call crackme6.00401768 ; \wsprintfA
0040149A |. 8B7D 0C mov edi,[arg.2]
0040149D |. 89F8 mov eax,edi
0040149F |. 0FAF45 FC imul eax,[local.1] ; sum * nameLen
004014A3 |. B9 64000000 mov ecx,0x64
004014A8 |. 99 cdq
004014A9 |. F7F9 idiv ecx
004014AB |. 89D7 mov edi,edx
004014AD |. 83C7 30 add edi,0x30 ; (sum * nameLen)%
64 +30
004014B0 |. 57 push edi
004014B1 |. 8DBD E1FBFFFF lea edi,dword ptr ss:[ebp-0x41F] ; TmidSerial
004014B7 |. 57 push edi
004014B8 |. 8DBD D6FBFFFF lea edi,dword ptr ss:[ebp-0x42A]
004014BE |. 57 push edi ; |Format
004014BF |. 8DBD E1FDFFFF lea edi,dword ptr ss:[ebp-0x21F] ; |TmidSerial-
004014C5 |. 57 push edi ; |s
004014C6 |. E8 9D020000 call crackme6.00401768 ; \wsprintfA
004014CB |. 83C4 20 add esp,0x20 ; wsprintf
(TmidSerial-,"%s-%d",midSerial,edi);
004014CE |. 8D8D E1FDFFFF lea ecx,dword ptr ss:[ebp-0x21F]//由上个中间注册码得到的注册
码是“Txxxx-xx”形式
004014D4 |. 83C8 FF or eax,0xFFFFFFFF
004014D7 |> 40 /inc eax
004014D8 |. 803C01 00 |cmp byte ptr ds:[ecx+eax],0x0
004014DC |.^ 75 F9 \jnz Xcrackme6.004014D7 ; TmidSerial-Len 由
上个中间注册码得到的注册码的长度
004014DE |. 50 push eax
004014DF |. 8D85 E1FCFFFF lea eax,dword ptr ss:[ebp-0x31F] ; midSerial我们输入
的注册码地址
004014E5 |. 50 push eax
004014E6 |. 8D85 E1FDFFFF lea eax,dword ptr ss:[ebp-0x21F]
004014EC |. 50 push eax ; TmidSerial- 由上
个中间注册码得到的注册码
004014ED |. E8 D0FDFFFF call crackme6.004012C2/////F7进入,X她 ^_^!
来到这里了!!!马上就要搞定了!!!
004012C2 /$ 55 push ebp
004012C3 |. 89E5 mov ebp,esp
004012C5 |. 53 push ebx
004012C6 |. 56 push esi
004012C7 |. 57 push edi
004012C8 |. 8B5D 10 mov ebx,[arg.3] ; TmidSerial-Len
004012CB |. 31F6 xor esi,esi
004012CD |. 46 inc esi
004012CE |. EB 29 jmp Xcrackme6.004012F9 ; for(i = 1; i<
TmidSerial-Len;++i)又一for循环
004012D0 |> 8B55 08 /mov edx,[arg.1] ; TmidSerial-
004012D3 |. 0FBE3C32 |movsx edi,byte ptr ds:[edx+esi] ; TmidSerial_
004012D7 |. 89F8 |mov eax,edi
004012D9 |. 83F0 20 |xor eax,0x20 ; TmidSerial-
xor 20
004012DC |. B9 0A000000 |mov ecx,0xA
004012E1 |. 99 |cdq
004012E2 |. F7F9 |idiv ecx
004012E4 |. 89D7 |mov edi,edx
004012E6 |. 83C7 30 |add edi,0x30 ; (TmidSerial-
xor 20)%a +30//算法很明显了!
004012E9 |. 8B55 0C |mov edx,[arg.2] ; midSerial
004012EC |. 0FBE1432 |movsx edx,byte ptr ds:[edx+esi]
004012F0 |. 39D7 |cmp edi,edx
004012F2 |. 74 04 |je Xcrackme6.004012F8//这里是关键跳了!爆破只要把这里改成jmp
就把她X掉了
004012F4 |. 31C0 |xor eax,eax//eax清零,这里的eax就是一个标志,注册成功是1,否
则是0
004012F6 |. EB 08 |jmp Xcrackme6.00401300
004012F8 |> 46 |inc esi
004012F9 |> 39DE cmp esi,ebx
004012FB |.^ 7C D3 \jl Xcrackme6.004012D0
004012FD |. 31C0 xor eax,eax
004012FF |. 40 inc eax
00401300 |> 5F pop edi
00401301 |. 5E pop esi
00401302 |. 5B pop ebx
00401303 |. 5D pop ebp
00401304 \. C3 retn
没了···呵呵!!
算法过程比较清晰了,
整个过程eax就是一个标志,注册成功是1,否则是0
下面是我写的注册机!!
/*
Bigman's Crackme6注册机
2012年11月12日21:16:51
作者:lori
*/
#include <stdio.h>
#include <string.h>
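/*
 * Bigman's Crackme6 keygen.
 *
 * Reads whitespace-separated names from stdin and, for each one that passes
 * the crackme's length gate, prints the serial its check routines (the
 * callee at 0x401305 and the compare loop at 0x4012C2 in the listing above)
 * accept.  Every constant and step below mirrors the disassembly; the
 * address comments say which instructions each step reproduces.
 *
 * Returns 0 at end of input.
 */
int main(void)
{
    char name[0x100] = {0};
    char mid[0x100] = {0};            /* per-character part ("midSerial" in the listing) */
    char serial[0x100 + 16] = {0};    /* 'T' + mid + '-' + up to three digits + NUL */
    const char char26[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

    /* %255s keeps the read inside the 256-byte buffer; scanf returns 1 when
     * a token was read, and 0 or EOF otherwise, so anything but 1 ends the
     * loop instead of spinning forever on EOF. */
    while (scanf("%255s", name) == 1)
    {
        int nameLen = (int)strlen(name);
        int i;

        /* Length gate, 0x401548..0x40157E.  The value is tested with
         * jg 0x2300 and jge 0x190, so the crackme accepts exactly
         * 0x190 <= value <= 0x2300, which is a name of 3..9 characters
         * (3 gives 0x2300 and 9 gives 0x190, both inclusive). */
        int checkName = ((0x2bc - (0x30 - 0x48 / nameLen) * 5) * 0x6b) - 0xcf6c;
        if (checkName > 0x2300)
        {
            printf("用户名太短,需要至少3位\n");
            continue;
        }
        if (checkName < 0x190)
        {
            printf("用户名太长,需要不超过9位\n");
            continue;
        }

        /* Sum of the name bytes, sign-extended (movsx) as at 0x4013DE. */
        int nameSum = 0;
        for (i = 0; i < nameLen; ++i)
            nameSum += name[i];

        /* Main loop 0x4013F2..0x401478: one output byte per name byte. */
        for (i = 0; i < nameLen; ++i)
        {
            int n = i * 4 - (i + 1);          /* 0x4013FC..0x401404 */
            /* n is -1 for i == 0.  The crackme then reads the byte just
             * below its 27-byte letter table, i.e. the last byte of the
             * 256-byte block copied from 0x402238, whose contents the
             * listing does not show; it is assumed to be 0 here --
             * TODO confirm in the binary.  For nameLen <= 9, n <= 23. */
            int tableCh = (n >= 0 && n < (int)sizeof(char26)) ? char26[n] : 0;

            /* 0x401406..0x401435: ~x is the listing's "xor -1". */
            int alg = nameLen * (i + 3) * name[i]
                    + (tableCh ^ name[i])
                    + ~(nameSum * i - nameSum)
                    + 0x14d;

            /* 0x40143E is an unsigned div.  alg can go negative for names
             * that mix low and high ASCII, and C's signed % would then give a
             * different remainder, so reduce the unsigned value. */
            int digit = (int)((unsigned)alg % 0xa) + 0x30;

            /* 0x40144A..0x40146A: signed idiv on a value that is always
             * positive here (digit ^ 0xADAC is ~0xAD9x, times at most 11). */
            mid[i] = (char)((((digit ^ 0xADAC) * (i + 2)) % 0xa) + 0x30);
        }
        mid[nameLen] = '\0';

        /* 0x40147E..0x4014C6: wsprintf("%c%s", 'T', mid) followed by
         * wsprintf("%s-%d", ..., tail).  tail is 0x30..0x93 (48..147) and so
         * may need three digits, which is why it is formatted with %d rather
         * than written as two fixed digits.  nameLen <= 9 bounds the output,
         * so serial cannot overflow. */
        int tail = (nameSum * nameLen) % 0x64 + 0x30;
        sprintf(serial, "T%s-%d", mid, tail);

        /* Compare loop 0x4012D0..0x4012F2: every byte after the leading 'T'
         * (the '-' and the tail digits included) is checked against
         * (c ^ 0x20) % 10 + '0', so emit that form. */
        for (i = 1; serial[i] != '\0'; ++i)
            serial[i] = (char)(((serial[i] ^ 0x20) % 0xa) + 0x30);

        printf("%s\n", serial);
    }
    return 0;
}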