对某个CrackMe的简单还原（一)

我是用户 · 发表于 2013-9-6 17:09

【软件名称】: CrackMe1
【作者邮箱】: 2714608453@qq.com
【下载地址】: 见附件
【软件语言】: Decv++4.3
【使用工具】: OD
【操作平台】: XP SP2
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!

废话不多说,直接上代码。
CrackMe核心代码如下:

[AppleScript] 纯文本查看 复制代码

00401290  /$  55            push ebp
00401291  |.  89E5          mov ebp,esp
00401293  |.  81EC B8000000 sub esp,0xB8
00401299  |.  83E4 F0       and esp,-0x10
0040129C  |.  B8 00000000   mov eax,0x0
004012A1  |.  83C0 0F       add eax,0xF
004012A4  |.  83C0 0F       add eax,0xF
004012A7  |.  C1E8 04       shr eax,0x4
004012AA  |.  C1E0 04       shl eax,0x4
004012AD  |.  8985 74FFFFFF mov [local.35],eax
004012B3  |.  8B85 74FFFFFF mov eax,[local.35]
004012B9  |.  E8 D2050000   call CrackMe.00401890
004012BE  |.  E8 6D020000   call CrackMe.00401530
004012C3  |.  C70424 003040>mov dword ptr ss:[esp],CrackMe.00403000           ; ||||ASCII "title CrackMe"
004012CA  |.  E8 D1060000   call <jmp.&msvcrt.system>                         ; |||\system
004012CF  |.  A1 0E304000   mov eax,dword ptr ds:[0x40300E]                   ; |||
004012D4  |.  8945 D8       mov [local.10],eax                                ; |||
004012D7  |.  A1 12304000   mov eax,dword ptr ds:[0x403012]                   ; |||
004012DC  |.  8945 DC       mov [local.9],eax                                 ; |||
004012DF  |.  A1 16304000   mov eax,dword ptr ds:[0x403016]                   ; |||
004012E4  |.  8945 E0       mov [local.8],eax                                 ; |||
004012E7  |.  A1 1A304000   mov eax,dword ptr ds:[0x40301A]                   ; |||
004012EC  |.  8945 E4       mov [local.7],eax                                 ; |||
004012EF  |.  0FB605 1E3040>movzx eax,byte ptr ds:[0x40301E]                  ; |||
004012F6  |.  8845 E8       mov byte ptr ss:[ebp-0x18],al                     ; |||
004012F9  |.  A1 20304000   mov eax,dword ptr ds:[0x403020]                   ; |||
004012FE  |.  8945 B8       mov [local.18],eax                                ; |||
00401301  |.  A1 24304000   mov eax,dword ptr ds:[0x403024]                   ; |||
00401306  |.  8945 BC       mov [local.17],eax                                ; |||
00401309  |.  A1 28304000   mov eax,dword ptr ds:[0x403028]                   ; |||
0040130E  |.  8945 C0       mov [local.16],eax                                ; |||
00401311  |.  A1 2C304000   mov eax,dword ptr ds:[0x40302C]                   ; |||
00401316  |.  8945 C4       mov [local.15],eax                                ; |||
00401319  |.  A1 30304000   mov eax,dword ptr ds:[0x403030]                   ; |||
0040131E  |.  8945 C8       mov [local.14],eax                                ; |||
00401321  |.  A1 34304000   mov eax,dword ptr ds:[0x403034]                   ; |||
00401326  |.  8945 CC       mov [local.13],eax                                ; |||
00401329  |.  A1 38304000   mov eax,dword ptr ds:[0x403038]                   ; |||
0040132E  |.  8945 D0       mov [local.12],eax                                ; |||
00401331  |.  A1 3C304000   mov eax,dword ptr ds:[0x40303C]                   ; |||
00401336  |.  8945 D4       mov [local.11],eax                                ; |||
00401339  |.  A1 40304000   mov eax,dword ptr ds:[0x403040]                   ; |||
0040133E  |.  8945 98       mov [local.26],eax                                ; |||
00401341  |.  A1 44304000   mov eax,dword ptr ds:[0x403044]                   ; |||
00401346  |.  8945 9C       mov [local.25],eax                                ; |||
00401349  |.  A1 48304000   mov eax,dword ptr ds:[0x403048]                   ; |||
0040134E  |.  8945 A0       mov [local.24],eax                                ; |||
00401351  |.  A1 4C304000   mov eax,dword ptr ds:[0x40304C]                   ; |||
00401356  |.  8945 A4       mov [local.23],eax                                ; |||
00401359  |.  A1 50304000   mov eax,dword ptr ds:[0x403050]                   ; |||
0040135E  |.  8945 A8       mov [local.22],eax                                ; |||
00401361  |.  A1 54304000   mov eax,dword ptr ds:[0x403054]                   ; |||
00401366  |.  8945 AC       mov [local.21],eax                                ; |||
00401369  |.  A1 58304000   mov eax,dword ptr ds:[0x403058]                   ; |||
0040136E  |.  8945 B0       mov [local.20],eax                                ; |||
00401371  |.  0FB705 5C3040>movzx eax,word ptr ds:[0x40305C]                  ; |||
00401378  |.  66:8945 B4    mov word ptr ss:[ebp-0x4C],ax                     ; |||
0040137C  |.  8D45 D8       lea eax,[local.10]                                ; |||
0040137F  |.  890424        mov dword ptr ss:[esp],eax                        ; |||
00401382  |.  E8 09060000   call <jmp.&msvcrt.puts>                           ; ||\puts
00401387  |.  8D45 88       lea eax,[local.30]                                ; ||
0040138A  |.  894424 14     mov dword ptr ss:[esp+0x14],eax                   ; ||arc5
0040138E  |.  8D45 96       lea eax,dword ptr ss:[ebp-0x6A]                   ; ||
00401391  |.  894424 10     mov dword ptr ss:[esp+0x10],eax                   ; ||arc4
00401395  |.  8D45 8C       lea eax,[local.29]                                ; ||
00401398  |.  894424 0C     mov dword ptr ss:[esp+0xC],eax                    ; ||arc3
0040139C  |.  8D45 97       lea eax,dword ptr ss:[ebp-0x69]                   ; ||
0040139F  |.  894424 08     mov dword ptr ss:[esp+0x8],eax                    ; ||arc2
004013A3  |.  8D45 90       lea eax,[local.28]                                ; ||
004013A6  |.  894424 04     mov dword ptr ss:[esp+0x4],eax                    ; ||arc1
004013AA  |.  C70424 5E3040>mov dword ptr ss:[esp],CrackMe.0040305E           ; ||ASCII "%d%c%d%c%d"
004013B1  |.  E8 CA050000   call <jmp.&msvcrt.scanf>                          ; |\scanf
004013B6  |.  8B55 90       mov edx,[local.28]                                ; |msvcrt.77BFC2DE
004013B9  |.  89D0          mov eax,edx                                       ; |
004013BB  |.  C1E0 02       shl eax,0x2                                       ; |
004013BE  |.  01D0          add eax,edx                                       ; |
004013C0  |.  01C0          add eax,eax                                       ; |
004013C2  |.  8945 84       mov [local.31],eax                                ; |Local.31=local.28*A
004013C5  |.  8D45 84       lea eax,[local.31]                                ; |
004013C8  |.  8300 7D       add dword ptr ds:[eax],0x7D                       ; |
004013CB  |.  8B45 84       mov eax,[local.31]                                ; |ntdll.7C930060
004013CE  |.  01C0          add eax,eax                                       ; |Local.31=(Local.31+0x7D)*2
004013D0  |.  8945 84       mov [local.31],eax                                ; |
004013D3  |.  8D45 84       lea eax,[local.31]                                ; |
004013D6  |.  FF00          inc dword ptr ds:[eax]                            ; |Local.31++
004013D8  |.  8D45 84       lea eax,[local.31]                                ; |
004013DB  |.  8328 15       sub dword ptr ds:[eax],0x15                       ; |Local.31-=0x15
004013DE  |.  8D45 84       lea eax,[local.31]                                ; |
004013E1  |.  8300 58       add dword ptr ds:[eax],0x58                       ; |Local.31+=0x58
004013E4  |.  8B45 90       mov eax,[local.28]                                ; |msvcrt.77BFC2DE
004013E7  |.  01C0          add eax,eax                                       ; |
004013E9  |.  8945 80       mov [local.32],eax                                ; |Local.32=Local.28*2
004013EC  |.  8D45 80       lea eax,[local.32]                                ; |
004013EF  |.  8100 FD000000 add dword ptr ds:[eax],0xFD                       ; |Local.32+=0xFD
004013F5  |.  8B45 80       mov eax,[local.32]                                ; |ntdll.7C92E920
004013F8  |.  01C0          add eax,eax                                       ; |Local.32*=2
004013FA  |.  8945 80       mov [local.32],eax                                ; |
004013FD  |.  8D45 80       lea eax,[local.32]                                ; |
00401400  |.  FF00          inc dword ptr ds:[eax]                            ; |Local.32++
00401402  |.  8B45 80       mov eax,[local.32]                                ; |ntdll.7C92E920
00401405  |.  0345 84       add eax,[local.31]                                ; |ntdll.7C930060
00401408  |.  83C0 02       add eax,0x2                                       ; |
0040140B  |.  8945 80       mov [local.32],eax                                ; |Local.32=Local.32+Local.31+2
0040140E  |.  8B45 8C       mov eax,[local.29]                                ; |ntdll.7C93005D
00401411  |.  3B45 84       cmp eax,[local.31]                                ; |if(Local.31==Local.29)
00401414  |.  75 15         jnz short CrackMe.0040142B                        ; |
00401416  |.  8B45 88       mov eax,[local.30]                                ; |
00401419  |.  3B45 80       cmp eax,[local.32]                                ; |if(Local.32==Local.30)
0040141C  |.  75 0D         jnz short CrackMe.0040142B                        ; |
0040141E  |.  8D45 B8       lea eax,[local.18]                                ; |
00401421  |.  890424        mov dword ptr ss:[esp],eax                        ; |
00401424  |.  E8 67050000   call <jmp.&msvcrt.puts>                           ; \puts
00401429  |.  EB 17         jmp short CrackMe.00401442
0040142B  |>  8D45 98       lea eax,[local.26]                                ; ||
0040142E  |.  890424        mov dword ptr ss:[esp],eax                        ; ||
00401431  |.  E8 5A050000   call <jmp.&msvcrt.puts>                           ; |\puts
00401436  |.  C70424 693040>mov dword ptr ss:[esp],CrackMe.00403069           ; |ASCII "Pause >NUL"
0040143D  |.  E8 5E050000   call <jmp.&msvcrt.system>                         ; \system
00401442  |>  C9            leave
00401443  \.  C3            retn

原CrackMe是用DECV++写的，还原后的代码是由VC6.0写的,顺代提一下，scanf是用%c来作输入的分隔符的.

[C++] 纯文本查看 复制代码

#include "stdafx.h"
#include <stdlib.h>

char cFaule[]="Ops! Wrong serial, try again.";
char cRight[]="Right Crack, now write a KeyGen.";
char cTip[]="Type your serial.";

int main(int argc, char* argv[])
{

	char c1,c2;
	int i1,i2,i3;
    int dwTemp31,dwTemp32;
    system("title CrackMe");
	puts(cTip);
	scanf("%d%c%d%c%d",&i1,&c1,&i2,&c2,&i3);
	dwTemp31=(i1*0xA+0x7D)*2+1-0x14+0x58;
	dwTemp32=(i2*2+0xFD)*2+1+dwTemp31;
	if (dwTemp31==i2)
	{
		if (dwTemp32==i3)
		{
			puts(cRight);
			return 0;
		}
	}
	puts(cFaule);	
	system("Pause >Nul");
	
	return 0;
}

LoongKing · 发表于 2013-9-6 17:17

只能膜拜！

马斯维尔 · 发表于 2013-9-6 17:29

厉害啊，我就只能分析出来，但是不会写算法。

小雨细无声 · 发表于 2013-9-6 17:31

{:1_928:}膜拜大神

trustguan · 发表于 2013-9-6 17:40

楼主很厉害

wo1004774811 · 发表于 2013-9-6 18:39

近距离膜拜！{:1_928:}

qiusuo · 发表于 2013-9-6 18:53

只能膜拜！

泛舟商务 · 发表于 2013-9-6 19:00

楼主留QQ了哦！

米粒 · 发表于 2013-9-6 20:19

只能膜拜只能膜拜

海角天涯 · 发表于 2013-10-5 21:26

膜拜膜拜

帐号		自动登录	找回密码
密码			注册[Register]

[原创] 对某个CrackMe的简单还原（一)

免费评分