Posted 2014-3-10 21:42
What is a CM? What is a Crackme? What is this thing the poster has put up?
They are small programs published for others to try to crack. The author of a Crackme may be a programmer who wants to test his own software-protection technique, a Cracker who wants to challenge other Crackers' skill, or someone learning to crack who writes small programs to practise on. A KeyGenMe asks you to write a keygen (serial generator) for it, a ReverseMe asks you to reverse-engineer its algorithm, and an UnpackMe asks you to unpack it successfully. Non-technical, off-topic replies are prohibited in this board.
Preface: thanks to Kido for the help with the algorithm; I won't say more here, heh.
Now let's peel the strawberry's skin off layer by layer.
Step 1: Unpacking
Load it in OllyDbg. The signature is obviously the UPX packer; unpack it with the ESP trick or by single-stepping. It turns out to be an E语言 (Easy Language) program.
Step 2: Analysis
Run the program and an "unregistered" dialog pops up. A string search finds no prompt text, only a lot of hex-digit strings, so the strings have presumably been encrypted.
Set a breakpoint on the button event to reach the key routine; the code follows:
004016E2 55 push ebp
004016E3 8BEC mov ebp, esp
004016E5 81EC 34000000 sub esp, 0x34
004016EB C745 FC 0000000>mov dword ptr [ebp-0x4], 0x0
004016F2 C745 F8 0000000>mov dword ptr [ebp-0x8], 0x0
004016F9 68 14000000 push 0x14
004016FE E8 961C0000 call <VirtualAlloc>
00401703 83C4 04 add esp, 0x4
00401706 8945 F4 mov dword ptr [ebp-0xC], eax
00401709 8BF8 mov edi, eax
0040170B BE 0B6F4700 mov esi, 00476F0B
00401710 AD lods dword ptr [esi]
00401711 AB stos dword ptr es:[edi]
00401712 AD lods dword ptr [esi]
00401713 AB stos dword ptr es:[edi]
00401714 33C0 xor eax, eax
00401716 AB stos dword ptr es:[edi]
00401717 AB stos dword ptr es:[edi]
00401718 AB stos dword ptr es:[edi]
00401719 C745 F0 0000000>mov dword ptr [ebp-0x10], 0x0
00401720 C745 EC 0000000>mov dword ptr [ebp-0x14], 0x0
00401727 68 04000080 push 0x80000004
0040172C 6A 00 push 0x0
0040172E A1 18EA4900 mov eax, dword ptr [0x49EA18]
00401733 85C0 test eax, eax
00401735 75 05 jnz short 0040173C
00401737 B8 C06C4700 mov eax, 00476CC0
0040173C 50 push eax
0040173D 68 04000080 push 0x80000004
00401742 6A 00 push 0x0
00401744 68 D06C4700 push 00476CD0 ; AD04E9F801BF0DB6
00401749 68 02000000 push 0x2
0040174E B8 01000000 mov eax, 0x1
00401753 BB C0AD4400 mov ebx, offset <DES_decrypt>
00401758 E8 541C0000 call 004033B1
0040175D 83C4 1C add esp, 0x1C
00401760 8945 E8 mov dword ptr [ebp-0x18], eax ; 35
00401763 68 04000080 push 0x80000004
00401768 6A 00 push 0x0
0040176A 8B45 E8 mov eax, dword ptr [ebp-0x18]
0040176D 85C0 test eax, eax
0040176F 75 05 jnz short 00401776
00401771 B8 C06C4700 mov eax, 00476CC0
00401776 50 push eax
00401777 68 01000000 push 0x1
0040177C BB 40374000 mov ebx, offset <char_to_hex>
00401781 E8 1F1C0000 call 004033A5
00401786 83C4 10 add esp, 0x10
00401789 8945 E4 mov dword ptr [ebp-0x1C], eax ; 5
0040178C 8B5D E8 mov ebx, dword ptr [ebp-0x18]
0040178F 85DB test ebx, ebx
00401791 74 09 je short 0040179C
00401793 53 push ebx
00401794 E8 FA1B0000 call <VirtualFree>
00401799 83C4 04 add esp, 0x4
0040179C 8B45 E4 mov eax, dword ptr [ebp-0x1C]
0040179F A3 14EA4900 mov dword ptr [0x49EA14], eax
004017A4 68 00000000 push 0x0
004017A9 BB 20344000 mov ebx, offset <get_dir_name> ; j
004017AE E8 F21B0000 call 004033A5
004017B3 83C4 04 add esp, 0x4
004017B6 8945 E8 mov dword ptr [ebp-0x18], eax
004017B9 68 04000080 push 0x80000004
004017BE 6A 00 push 0x0
004017C0 A1 18EA4900 mov eax, dword ptr [0x49EA18]
004017C5 85C0 test eax, eax
004017C7 75 05 jnz short 004017CE
004017C9 B8 C06C4700 mov eax, 00476CC0
004017CE 50 push eax
004017CF 68 04000080 push 0x80000004
004017D4 6A 00 push 0x0
004017D6 68 E16C4700 push 00476CE1 ; C3C67669019F120876D61E59C4CEC2FD
004017DB 68 02000000 push 0x2
004017E0 B8 01000000 mov eax, 0x1
004017E5 BB C0AD4400 mov ebx, offset <DES_decrypt>
004017EA E8 C21B0000 call 004033B1
004017EF 83C4 1C add esp, 0x1C
004017F2 8945 E4 mov dword ptr [ebp-0x1C], eax ; \KeyFile.dat
004017F5 FF75 E4 push dword ptr [ebp-0x1C]
004017F8 FF75 E8 push dword ptr [ebp-0x18]
004017FB B9 02000000 mov ecx, 0x2
00401800 E8 BDFDFFFF call <concat_strings>
00401805 83C4 08 add esp, 0x8
00401808 8945 E0 mov dword ptr [ebp-0x20], eax
0040180B 8B5D E8 mov ebx, dword ptr [ebp-0x18]
0040180E 85DB test ebx, ebx
00401810 74 09 je short 0040181B
00401812 53 push ebx
00401813 E8 7B1B0000 call <VirtualFree>
00401818 83C4 04 add esp, 0x4
0040181B 8B5D E4 mov ebx, dword ptr [ebp-0x1C]
0040181E 85DB test ebx, ebx
00401820 74 09 je short 0040182B
00401822 53 push ebx
00401823 E8 6B1B0000 call <VirtualFree>
00401828 83C4 04 add esp, 0x4
0040182B 8B45 E0 mov eax, dword ptr [ebp-0x20]
0040182E 50 push eax
0040182F 8B5D FC mov ebx, dword ptr [ebp-0x4]
00401832 85DB test ebx, ebx
00401834 74 09 je short 0040183F
00401836 53 push ebx
00401837 E8 571B0000 call <VirtualFree>
0040183C 83C4 04 add esp, 0x4
0040183F 58 pop eax
00401840 8945 FC mov dword ptr [ebp-0x4], eax
00401843 68 00000000 push 0x0
00401848 BB 40344000 mov ebx, offset <get_file_name> ; j
0040184D E8 531B0000 call 004033A5
00401852 83C4 04 add esp, 0x4
00401855 8945 E8 mov dword ptr [ebp-0x18], eax
00401858 68 04000080 push 0x80000004
0040185D 6A 00 push 0x0
0040185F 8B45 E8 mov eax, dword ptr [ebp-0x18]
00401862 85C0 test eax, eax
00401864 75 05 jnz short 0040186B
00401866 B8 C06C4700 mov eax, 00476CC0
0040186B 50 push eax
0040186C 68 01000000 push 0x1
00401871 B8 01000000 mov eax, 0x1
00401876 BB 30AE4400 mov ebx, offset <CRC32>
0040187B E8 311B0000 call 004033B1
00401880 83C4 10 add esp, 0x10
00401883 8945 E4 mov dword ptr [ebp-0x1C], eax ; eax = CRC32 value
00401886 8B5D E8 mov ebx, dword ptr [ebp-0x18]
00401889 85DB test ebx, ebx
0040188B 74 09 je short 00401896
0040188D 53 push ebx
0040188E E8 001B0000 call <VirtualFree>
00401893 83C4 04 add esp, 0x4
00401896 68 01030080 push 0x80000301
0040189B 6A 00 push 0x0
0040189D FF75 E4 push dword ptr [ebp-0x1C]
004018A0 68 01000000 push 0x1
004018A5 BB C03B4000 mov ebx, offset <hex_to_char>
004018AA E8 F61A0000 call 004033A5
004018AF 83C4 10 add esp, 0x10
004018B2 8945 E0 mov dword ptr [ebp-0x20], eax
004018B5 8B45 E0 mov eax, dword ptr [ebp-0x20]
004018B8 50 push eax
004018B9 8B1D 1CEA4900 mov ebx, dword ptr [0x49EA1C]
004018BF 85DB test ebx, ebx
004018C1 74 09 je short 004018CC
004018C3 53 push ebx
004018C4 E8 CA1A0000 call <VirtualFree>
004018C9 83C4 04 add esp, 0x4
004018CC 58 pop eax
004018CD A3 1CEA4900 mov dword ptr [0x49EA1C], eax
004018D2 68 01030080 push 0x80000301
004018D7 6A 00 push 0x0
004018D9 68 00000000 push 0x0
004018DE 68 01000000 push 0x1
004018E3 B8 01000000 mov eax, 0x1
004018E8 BB 30AC4400 mov ebx, offset <get_harddisk_id>
004018ED E8 BF1A0000 call 004033B1
004018F2 83C4 10 add esp, 0x10
004018F5 8945 E8 mov dword ptr [ebp-0x18], eax
004018F8 8B45 E8 mov eax, dword ptr [ebp-0x18]
004018FB 50 push eax
004018FC 8B1D 20EA4900 mov ebx, dword ptr [0x49EA20]
00401902 85DB test ebx, ebx
00401904 74 09 je short 0040190F
00401906 53 push ebx
00401907 E8 871A0000 call <VirtualFree>
0040190C 83C4 04 add esp, 0x4
0040190F 58 pop eax
00401910 A3 20EA4900 mov dword ptr [0x49EA20], eax
00401915 68 C06C4700 push 00476CC0
0040191A FF35 20EA4900 push dword ptr [0x49EA20]
00401920 E8 F9FCFFFF call <compare> ; check whether a hard disk ID was obtained
00401925 83C4 08 add esp, 0x8
00401928 83F8 00 cmp eax, 0x0
0040192B 0F85 3B000000 jnz 0040196C
00401931 68 04000080 push 0x80000004
00401936 6A 00 push 0x0
00401938 68 026D4700 push 00476D02
0040193D 68 01030080 push 0x80000301
00401942 6A 00 push 0x0
00401944 68 00000000 push 0x0
00401949 68 04000080 push 0x80000004
0040194E 6A 00 push 0x0
00401950 68 096D4700 push 00476D09 ; (this system is not supported)
00401955 68 03000000 push 0x3
0040195A BB 303D4000 mov ebx, 00403D30
0040195F E8 411A0000 call 004033A5 ; message box
1. Decrypt each of the HEX strings and concatenate them; the result is <CM directory>\KeyFile.Dat.
2. Get the file name and compute the CRC32 checksum of the CM.
3. Get the hard disk ID and check that one was obtained; if not, show the "this system is not supported" dialog.
PS: a VM actually does return a hard disk ID, usually 00000000000000000000001; it is too long and fails when used as a DES key, more on that later.
0040196C 68 04000080 push 0x80000004
00401971 6A 00 push 0x0
00401973 A1 18EA4900 mov eax, dword ptr [0x49EA18]
00401978 85C0 test eax, eax
0040197A 75 05 jnz short 00401981
0040197C B8 C06C4700 mov eax, 00476CC0
00401981 50 push eax
00401982 68 04000080 push 0x80000004
00401987 6A 00 push 0x0
00401989 A1 20EA4900 mov eax, dword ptr [0x49EA20]
0040198E 85C0 test eax, eax
00401990 75 05 jnz short 00401997
00401992 B8 C06C4700 mov eax, 00476CC0
00401997 50 push eax
00401998 68 02000000 push 0x2
0040199D B8 01000000 mov eax, 0x1
004019A2 BB 50AD4400 mov ebx, offset <DES_encrypt>
004019A7 E8 051A0000 call 004033B1 ; encrypt the hard disk ID
004019AC 83C4 1C add esp, 0x1C
004019AF 8945 E8 mov dword ptr [ebp-0x18], eax
004019B2 68 04000080 push 0x80000004
004019B7 6A 00 push 0x0
004019B9 8B45 E8 mov eax, dword ptr [ebp-0x18]
004019BC 85C0 test eax, eax
004019BE 75 05 jnz short 004019C5
004019C0 B8 C06C4700 mov eax, 00476CC0
004019C5 50 push eax
004019C6 68 01000000 push 0x1
004019CB BB A03C4000 mov ebx, 00403CA0
004019D0 E8 D0190000 call 004033A5
004019D5 83C4 10 add esp, 0x10
004019D8 8B5D E8 mov ebx, dword ptr [ebp-0x18]
004019DB 85DB test ebx, ebx
004019DD 74 09 je short 004019E8
004019DF 53 push ebx
004019E0 E8 AE190000 call <VirtualFree>
004019E5 83C4 04 add esp, 0x4
004019E8 68 04000080 push 0x80000004
004019ED 6A 00 push 0x0
004019EF 8B45 FC mov eax, dword ptr [ebp-0x4]
004019F2 85C0 test eax, eax
004019F4 75 05 jnz short 004019FB
004019F6 B8 C06C4700 mov eax, 00476CC0
004019FB 50 push eax
004019FC 68 01000000 push 0x1
00401A01 BB F03B4000 mov ebx, offset <file_exists>
00401A06 E8 9A190000 call 004033A5
00401A0B 83C4 10 add esp, 0x10
00401A0E 8945 E4 mov dword ptr [ebp-0x1C], eax
00401A11 837D E4 01 cmp dword ptr [ebp-0x1C], 0x1
00401A15 0F85 F0050000 jnz 0040200B
00401A1B 68 04000080 push 0x80000004
00401A20 6A 00 push 0x0
00401A22 8B45 FC mov eax, dword ptr [ebp-0x4]
00401A25 85C0 test eax, eax
00401A27 75 05 jnz short 00401A2E
00401A29 B8 C06C4700 mov eax, 00476CC0
00401A2E 50 push eax
00401A2F 68 01000000 push 0x1
00401A34 BB 103C4000 mov ebx, offset <read_file>
00401A39 E8 67190000 call 004033A5
00401A3E 83C4 10 add esp, 0x10
00401A41 8945 E8 mov dword ptr [ebp-0x18], eax ; eax = contents of KeyFile.dat
00401A44 FF35 20EA4900 push dword ptr [0x49EA20]
00401A4A FF35 1CEA4900 push dword ptr [0x49EA1C]
00401A50 B9 02000000 mov ecx, 0x2
00401A55 E8 68FBFFFF call <concat_strings> ; CRC32 + hard disk ID
00401A5A 83C4 08 add esp, 0x8
00401A5D 8945 E4 mov dword ptr [ebp-0x1C], eax
00401A60 68 04000080 push 0x80000004
00401A65 6A 00 push 0x0
00401A67 8B45 E4 mov eax, dword ptr [ebp-0x1C]
00401A6A 85C0 test eax, eax
00401A6C 75 05 jnz short 00401A73
00401A6E B8 C06C4700 mov eax, 00476CC0
00401A73 50 push eax
00401A74 68 05000080 push 0x80000005
00401A79 6A 00 push 0x0
00401A7B 8B45 E8 mov eax, dword ptr [ebp-0x18]
00401A7E 85C0 test eax, eax
00401A80 75 05 jnz short 00401A87
00401A82 B8 226D4700 mov eax, 00476D22
00401A87 50 push eax
00401A88 68 02000000 push 0x2
00401A8D B8 01000000 mov eax, 0x1
00401A92 BB 70AC4400 mov ebx, offset <Blowfish_decrypt>
00401A97 E8 15190000 call 004033B1 ; decrypt KeyFile.dat with CRC32 + hard disk ID as the key
00401A9C 83C4 1C add esp, 0x1C
00401A9F 8945 E0 mov dword ptr [ebp-0x20], eax
00401AA2 8B5D E8 mov ebx, dword ptr [ebp-0x18]
00401AA5 85DB test ebx, ebx
00401AA7 74 09 je short 00401AB2
00401AA9 53 push ebx
00401AAA E8 E4180000 call <VirtualFree>
00401AAF 83C4 04 add esp, 0x4
00401AB2 8B5D E4 mov ebx, dword ptr [ebp-0x1C]
00401AB5 85DB test ebx, ebx
00401AB7 74 09 je short 00401AC2
00401AB9 53 push ebx
00401ABA E8 D4180000 call <VirtualFree>
00401ABF 83C4 04 add esp, 0x4
00401AC2 68 05000080 push 0x80000005
00401AC7 6A 00 push 0x0
00401AC9 8B45 E0 mov eax, dword ptr [ebp-0x20]
00401ACC 85C0 test eax, eax
00401ACE 75 05 jnz short 00401AD5
00401AD0 B8 226D4700 mov eax, 00476D22
00401AD5 50 push eax
00401AD6 68 01000000 push 0x1
00401ADB BB B03A4000 mov ebx, offset <bytes_to_string>
00401AE0 E8 C0180000 call 004033A5
00401AE5 83C4 10 add esp, 0x10
00401AE8 8945 DC mov dword ptr [ebp-0x24], eax
00401AEB 8B5D E0 mov ebx, dword ptr [ebp-0x20]
00401AEE 85DB test ebx, ebx
00401AF0 74 09 je short 00401AFB
00401AF2 53 push ebx
00401AF3 E8 9B180000 call <VirtualFree>
00401AF8 83C4 04 add esp, 0x4
00401AFB 8B45 DC mov eax, dword ptr [ebp-0x24]
00401AFE 50 push eax
00401AFF 8B5D F8 mov ebx, dword ptr [ebp-0x8]
00401B02 85DB test ebx, ebx
00401B04 74 09 je short 00401B0F
00401B06 53 push ebx
00401B07 E8 87180000 call <VirtualFree>
00401B0C 83C4 04 add esp, 0x4
00401B0F 58 pop eax
00401B10 8945 F8 mov dword ptr [ebp-0x8], eax
00401B13 6A 00 push 0x0
00401B15 6A 00 push 0x0
00401B17 6A 00 push 0x0
00401B19 68 04000080 push 0x80000004
00401B1E 6A 00 push 0x0
00401B20 68 2A6D4700 push 00476D2A ; /
00401B25 68 04000080 push 0x80000004
00401B2A 6A 00 push 0x0
00401B2C 8B45 F8 mov eax, dword ptr [ebp-0x8]
00401B2F 85C0 test eax, eax
00401B31 75 05 jnz short 00401B38
00401B33 B8 C06C4700 mov eax, 00476CC0
00401B38 50 push eax
00401B39 68 03000000 push 0x3
00401B3E BB 70384000 mov ebx, offset <split_string_on_slash>
00401B43 E8 5D180000 call 004033A5
00401B48 83C4 28 add esp, 0x28
00401B4B 8945 E8 mov dword ptr [ebp-0x18], eax
00401B4E 8B45 E8 mov eax, dword ptr [ebp-0x18]
00401B51 50 push eax
00401B52 8B5D F4 mov ebx, dword ptr [ebp-0xC]
00401B55 53 push ebx
00401B56 8B0B mov ecx, dword ptr [ebx]
00401B58 83C3 04 add ebx, 0x4
00401B5B 85C9 test ecx, ecx
00401B5D 74 11 je short 00401B70
00401B5F 8B03 mov eax, dword ptr [ebx] ; 字符串数组数目
00401B61 83C3 04 add ebx, 0x4
00401B64 49 dec ecx
00401B65 74 05 je short 00401B6C
00401B67 0FAF03 imul eax, dword ptr [ebx]
00401B6A ^ EB F5 jmp short 00401B61
00401B6C 8BC8 mov ecx, eax
00401B6E 85C9 test ecx, ecx
00401B70 0F84 19000000 je 00401B8F
00401B76 51 push ecx
00401B77 8B03 mov eax, dword ptr [ebx]
00401B79 85C0 test eax, eax
00401B7B 74 0B je short 00401B88
00401B7D 53 push ebx
00401B7E 50 push eax
00401B7F E8 0F180000 call <VirtualFree>
00401B84 83C4 04 add esp, 0x4
00401B87 5B pop ebx
00401B88 83C3 04 add ebx, 0x4
00401B8B 59 pop ecx
00401B8C 49 dec ecx
00401B8D ^ 75 E7 jnz short 00401B76
00401B8F E8 FF170000 call <VirtualFree>
00401B94 83C4 04 add esp, 0x4
00401B97 58 pop eax
00401B98 8945 F4 mov dword ptr [ebp-0xC], eax
00401B9B 8B5D F4 mov ebx, dword ptr [ebp-0xC]
00401B9E E8 61F4FFFF call 00401004 ; get string array element count?
00401BA3 B8 00000000 mov eax, 0x0
00401BA8 3BC1 cmp eax, ecx
00401BAA 7C 0D jl short 00401BB9 ; 0 means decryption failed; exit
00401BAC 68 01000000 push 0x1
00401BB1 E8 F5170000 call <EXIT>
00401BB6 83C4 04 add esp, 0x4
00401BB9 C1E0 02 shl eax, 0x2
00401BBC 03D8 add ebx, eax
00401BBE 895D E8 mov dword ptr [ebp-0x18], ebx
00401BC1 68 04000080 push 0x80000004
00401BC6 6A 00 push 0x0
00401BC8 A1 20EA4900 mov eax, dword ptr [0x49EA20]
00401BCD 85C0 test eax, eax
00401BCF 75 05 jnz short 00401BD6
00401BD1 B8 C06C4700 mov eax, 00476CC0
00401BD6 50 push eax
00401BD7 68 04000080 push 0x80000004
00401BDC 6A 00 push 0x0
00401BDE 8B5D E8 mov ebx, dword ptr [ebp-0x18]
00401BE1 8B03 mov eax, dword ptr [ebx]
00401BE3 85C0 test eax, eax
00401BE5 75 05 jnz short 00401BEC
00401BE7 B8 C06C4700 mov eax, 00476CC0
00401BEC 50 push eax
00401BED 68 02000000 push 0x2
00401BF2 B8 01000000 mov eax, 0x1
00401BF7 BB C0AD4400 mov ebx, offset <DES_decrypt>
00401BFC E8 B0170000 call 004033B1 ; DES-decrypt string array element 1
00401C01 83C4 1C add esp, 0x1C
00401C04 8945 E4 mov dword ptr [ebp-0x1C], eax ; 13E9CDB90
00401C07 68 02000080 push 0x80000002
00401C0C 6A 00 push 0x0
00401C0E 68 00000000 push 0x0
00401C13 6A 00 push 0x0
00401C15 6A 00 push 0x0
00401C17 6A 00 push 0x0
00401C19 68 04000080 push 0x80000004
00401C1E 6A 00 push 0x0
00401C20 A1 1CEA4900 mov eax, dword ptr [0x49EA1C]
00401C25 85C0 test eax, eax
00401C27 75 05 jnz short 00401C2E
00401C29 B8 C06C4700 mov eax, 00476CC0
00401C2E 50 push eax
00401C2F 68 04000080 push 0x80000004
00401C34 6A 00 push 0x0
00401C36 8B45 E4 mov eax, dword ptr [ebp-0x1C]
00401C39 85C0 test eax, eax
00401C3B 75 05 jnz short 00401C42
00401C3D B8 C06C4700 mov eax, 00476CC0
00401C42 50 push eax
00401C43 68 04000000 push 0x4
00401C48 BB 20374000 mov ebx, offset <find_substring_position?>
00401C4D E8 53170000 call 004033A5
00401C52 83C4 34 add esp, 0x34
00401C55 8945 E0 mov dword ptr [ebp-0x20], eax
00401C58 8B5D E4 mov ebx, dword ptr [ebp-0x1C]
00401C5B 85DB test ebx, ebx
00401C5D 74 09 je short 00401C68
00401C5F 53 push ebx
00401C60 E8 2E170000 call <VirtualFree>
00401C65 83C4 04 add esp, 0x4
00401C68 8B45 E0 mov eax, dword ptr [ebp-0x20]
00401C6B 8945 F0 mov dword ptr [ebp-0x10], eax
00401C6E DB05 14EA4900 fild dword ptr [0x49EA14]
00401C74 DD5D E4 fstp qword ptr [ebp-0x1C]
00401C77 DD45 E4 fld qword ptr [ebp-0x1C]
00401C7A DB45 F0 fild dword ptr [ebp-0x10]
00401C7D DD5D DC fstp qword ptr [ebp-0x24] ; 5+2
00401C80 DC45 DC fadd qword ptr [ebp-0x24]
00401C83 DD5D D4 fstp qword ptr [ebp-0x2C]
00401C86 DD45 D4 fld qword ptr [ebp-0x2C]
00401C89 E8 2DFAFFFF call <store_float_in_register>
00401C8E A3 14EA4900 mov dword ptr [0x49EA14], eax
00401C93 8B5D F4 mov ebx, dword ptr [ebp-0xC]
00401C96 E8 69F3FFFF call 00401004
00401C9B B8 02000000 mov eax, 0x2
00401CA0 3BC1 cmp eax, ecx
00401CA2 7C 0D jl short 00401CB1
00401CA4 68 01000000 push 0x1
00401CA9 E8 FD160000 call <EXIT>
00401CAE 83C4 04 add esp, 0x4
00401CB1 C1E0 02 shl eax, 0x2
00401CB4 03D8 add ebx, eax
00401CB6 895D E8 mov dword ptr [ebp-0x18], ebx
00401CB9 FF35 20EA4900 push dword ptr [0x49EA20]
00401CBF FF35 1CEA4900 push dword ptr [0x49EA1C]
00401CC5 B9 02000000 mov ecx, 0x2
00401CCA E8 F3F8FFFF call <连接字符串>
00401CCF 83C4 08 add esp, 0x8
00401CD2 8945 E4 mov dword ptr [ebp-0x1C], eax
00401CD5 68 01030080 push 0x80000301
00401CDA 6A 00 push 0x0
00401CDC 68 10000000 push 0x10
00401CE1 68 04000080 push 0x80000004
00401CE6 6A 00 push 0x0
00401CE8 8B45 E4 mov eax, dword ptr [ebp-0x1C]
00401CEB 85C0 test eax, eax
00401CED 75 05 jnz short 00401CF4
00401CEF B8 C06C4700 mov eax, 00476CC0
00401CF4 50 push eax
00401CF5 68 02000000 push 0x2
00401CFA BB 80354000 mov ebx, offset <take_left_N_chars>
00401CFF E8 A1160000 call 004033A5
00401D04 83C4 1C add esp, 0x1C
00401D07 8945 E0 mov dword ptr [ebp-0x20], eax
00401D0A 8B5D E4 mov ebx, dword ptr [ebp-0x1C]
00401D0D 85DB test ebx, ebx
00401D0F 74 09 je short 00401D1A
00401D11 53 push ebx
00401D12 E8 7C160000 call <VirtualFree>
00401D17 83C4 04 add esp, 0x4
00401D1A 68 04000080 push 0x80000004
00401D1F 6A 00 push 0x0
00401D21 8B45 E0 mov eax, dword ptr [ebp-0x20]
00401D24 85C0 test eax, eax
00401D26 75 05 jnz short 00401D2D
00401D28 B8 C06C4700 mov eax, 00476CC0
00401D2D 50 push eax
00401D2E 68 04000080 push 0x80000004
00401D33 6A 00 push 0x0
00401D35 8B5D E8 mov ebx, dword ptr [ebp-0x18]
00401D38 8B03 mov eax, dword ptr [ebx]
00401D3A 85C0 test eax, eax
00401D3C 75 05 jnz short 00401D43
00401D3E B8 C06C4700 mov eax, 00476CC0
00401D43 50 push eax
00401D44 68 02000000 push 0x2
00401D49 B8 01000000 mov eax, 0x1
00401D4E BB C0AD4400 mov ebx, offset <DES_decrypt>
00401D53 E8 59160000 call 004033B1 ; DES-decrypt string array element 3
00401D58 83C4 1C add esp, 0x1C
00401D5B 8945 DC mov dword ptr [ebp-0x24], eax ; 2WD-WCAV9T236652
00401D5E 8B5D E0 mov ebx, dword ptr [ebp-0x20]
00401D61 85DB test ebx, ebx
00401D63 74 09 je short 00401D6E
00401D65 53 push ebx
00401D66 E8 28160000 call <VirtualFree>
00401D6B 83C4 04 add esp, 0x4
00401D6E 68 02000080 push 0x80000002
00401D73 6A 00 push 0x0
00401D75 68 00000000 push 0x0
00401D7A 6A 00 push 0x0
00401D7C 6A 00 push 0x0
00401D7E 6A 00 push 0x0
00401D80 68 04000080 push 0x80000004
00401D85 6A 00 push 0x0
00401D87 A1 20EA4900 mov eax, dword ptr [0x49EA20]
00401D8C 85C0 test eax, eax
00401D8E 75 05 jnz short 00401D95
00401D90 B8 C06C4700 mov eax, 00476CC0
00401D95 50 push eax
00401D96 68 04000080 push 0x80000004
00401D9B 6A 00 push 0x0
00401D9D 8B45 DC mov eax, dword ptr [ebp-0x24]
00401DA0 85C0 test eax, eax
00401DA2 75 05 jnz short 00401DA9
00401DA4 B8 C06C4700 mov eax, 00476CC0
00401DA9 50 push eax
00401DAA 68 04000000 push 0x4
00401DAF BB 20374000 mov ebx, offset <find_substring_position?>
00401DB4 E8 EC150000 call 004033A5
00401DB9 83C4 34 add esp, 0x34
00401DBC 8945 D8 mov dword ptr [ebp-0x28], eax
00401DBF 8B5D DC mov ebx, dword ptr [ebp-0x24]
00401DC2 85DB test ebx, ebx
00401DC4 74 09 je short 00401DCF
00401DC6 53 push ebx
00401DC7 E8 C7150000 call <VirtualFree>
00401DCC 83C4 04 add esp, 0x4
00401DCF 8B45 D8 mov eax, dword ptr [ebp-0x28]
00401DD2 8945 EC mov dword ptr [ebp-0x14], eax
00401DD5 DB05 14EA4900 fild dword ptr [0x49EA14]
00401DDB DD5D E4 fstp qword ptr [ebp-0x1C]
00401DDE DD45 E4 fld qword ptr [ebp-0x1C]
00401DE1 DB45 EC fild dword ptr [ebp-0x14]
00401DE4 DD5D DC fstp qword ptr [ebp-0x24]
00401DE7 DC45 DC fadd qword ptr [ebp-0x24]
00401DEA DC05 2C6D4700 fadd qword ptr [0x476D2C]
00401DF0 DD5D D4 fstp qword ptr [ebp-0x2C]
00401DF3 DD45 D4 fld qword ptr [ebp-0x2C]
00401DF6 E8 C0F8FFFF call <store_float_in_register>
00401DFB A3 14EA4900 mov dword ptr [0x49EA14], eax
00401E00 837D F0 01 cmp dword ptr [ebp-0x10], 0x1
00401E04 0F85 36000000 jnz 00401E40
00401E0A 68 04000080 push 0x80000004
00401E0F 6A 00 push 0x0
00401E11 68 346D4700 push 00476D34 ; /
00401E16 68 01030080 push 0x80000301
00401E1B 6A 00 push 0x0
00401E1D 68 00000000 push 0x0
00401E22 68 04000080 push 0x80000004
00401E27 6A 00 push 0x0
00401E29 68 3D6D4700 push 00476D3D ; /
00401E2E 68 03000000 push 0x3
00401E33 BB 303D4000 mov ebx, 00403D30
00401E38 E8 68150000 call 004033A5
00401E3D 83C4 28 add esp, 0x28
00401E40 837D EC 01 cmp dword ptr [ebp-0x14], 0x1
00401E44 0F85 36000000 jnz 00401E80
00401E4A 68 04000080 push 0x80000004
00401E4F 6A 00 push 0x0
00401E51 68 346D4700 push 00476D34 ; /
00401E56 68 01030080 push 0x80000301
00401E5B 6A 00 push 0x0
00401E5D 68 00000000 push 0x0
00401E62 68 04000080 push 0x80000004
00401E67 6A 00 push 0x0
00401E69 68 3D6D4700 push 00476D3D ; /
00401E6E 68 03000000 push 0x3
00401E73 BB 303D4000 mov ebx, 00403D30
00401E78 E8 28150000 call 004033A5
00401E7D 83C4 28 add esp, 0x28
00401E80 837D F0 00 cmp dword ptr [ebp-0x10], 0x0
00401E84 0F85 36000000 jnz 00401EC0
00401E8A 68 04000080 push 0x80000004
00401E8F 6A 00 push 0x0
00401E91 68 346D4700 push 00476D34 ; /
00401E96 68 01030080 push 0x80000301
00401E9B 6A 00 push 0x0
00401E9D 68 00000000 push 0x0
00401EA2 68 04000080 push 0x80000004
00401EA7 6A 00 push 0x0
00401EA9 68 3D6D4700 push 00476D3D ; /
00401EAE 68 03000000 push 0x3
00401EB3 BB 303D4000 mov ebx, 00403D30
00401EB8 E8 E8140000 call 004033A5
00401EBD 83C4 28 add esp, 0x28
00401EC0 837D EC 00 cmp dword ptr [ebp-0x14], 0x0
00401EC4 0F85 36000000 jnz 00401F00
00401ECA 68 04000080 push 0x80000004
00401ECF 6A 00 push 0x0
00401ED1 68 346D4700 push 00476D34 ; /
00401ED6 68 01030080 push 0x80000301
00401EDB 6A 00 push 0x0
00401EDD 68 00000000 push 0x0
00401EE2 68 04000080 push 0x80000004
00401EE7 6A 00 push 0x0
00401EE9 68 3D6D4700 push 00476D3D ; /
00401EEE 68 03000000 push 0x3
00401EF3 BB 303D4000 mov ebx, 00403D30
00401EF8 E8 A8140000 call 004033A5
00401EFD 83C4 28 add esp, 0x28
00401F00 8B5D F4 mov ebx, dword ptr [ebp-0xC]
00401F03 E8 FCF0FFFF call 00401004
00401F08 B8 01000000 mov eax, 0x1
00401F0D 3BC1 cmp eax, ecx
00401F0F 7C 0D jl short 00401F1E
00401F11 68 01000000 push 0x1
00401F16 E8 90140000 call <EXIT>
00401F1B 83C4 04 add esp, 0x4
00401F1E C1E0 02 shl eax, 0x2
00401F21 03D8 add ebx, eax
00401F23 895D E8 mov dword ptr [ebp-0x18], ebx
00401F26 FF35 20EA4900 push dword ptr [0x49EA20]
00401F2C FF35 1CEA4900 push dword ptr [0x49EA1C]
00401F32 B9 02000000 mov ecx, 0x2
00401F37 E8 86F6FFFF call <连接字符串>
00401F3C 83C4 08 add esp, 0x8
00401F3F 8945 E4 mov dword ptr [ebp-0x1C], eax
00401F42 68 01030080 push 0x80000301
00401F47 6A 00 push 0x0
00401F49 68 10000000 push 0x10
00401F4E 68 04000080 push 0x80000004
00401F53 6A 00 push 0x0
00401F55 8B45 E4 mov eax, dword ptr [ebp-0x1C]
00401F58 85C0 test eax, eax
00401F5A 75 05 jnz short 00401F61
00401F5C B8 C06C4700 mov eax, 00476CC0
00401F61 50 push eax
00401F62 68 02000000 push 0x2
00401F67 BB 80354000 mov ebx, offset <take_left_N_chars>
00401F6C E8 34140000 call 004033A5
00401F71 83C4 1C add esp, 0x1C
00401F74 8945 E0 mov dword ptr [ebp-0x20], eax
00401F77 8B5D E4 mov ebx, dword ptr [ebp-0x1C]
00401F7A 85DB test ebx, ebx
00401F7C 74 09 je short 00401F87
00401F7E 53 push ebx
00401F7F E8 0F140000 call <VirtualFree>
00401F84 83C4 04 add esp, 0x4
00401F87 68 04000080 push 0x80000004
00401F8C 6A 00 push 0x0
00401F8E 8B45 E0 mov eax, dword ptr [ebp-0x20]
00401F91 85C0 test eax, eax
00401F93 75 05 jnz short 00401F9A
00401F95 B8 C06C4700 mov eax, 00476CC0
00401F9A 50 push eax
00401F9B 68 04000080 push 0x80000004
00401FA0 6A 00 push 0x0
00401FA2 8B5D E8 mov ebx, dword ptr [ebp-0x18]
00401FA5 8B03 mov eax, dword ptr [ebx]
00401FA7 85C0 test eax, eax
00401FA9 75 05 jnz short 00401FB0
00401FAB B8 C06C4700 mov eax, 00476CC0
00401FB0 50 push eax
00401FB1 68 02000000 push 0x2
00401FB6 B8 01000000 mov eax, 0x1
00401FBB BB C0AD4400 mov ebx, offset <DES_decrypt>
00401FC0 E8 EC130000 call 004033B1 ; DES-decrypt string array element 2
00401FC5 83C4 1C add esp, 0x1C
00401FC8 8945 DC mov dword ptr [ebp-0x24], eax ; the decrypted value is the "registration successful" flag
00401FCB 8B5D E0 mov ebx, dword ptr [ebp-0x20]
00401FCE 85DB test ebx, ebx
00401FD0 74 09 je short 00401FDB
00401FD2 53 push ebx
00401FD3 E8 BB130000 call <VirtualFree>
00401FD8 83C4 04 add esp, 0x4
00401FDB 6A 00 push 0x0
00401FDD FF75 DC push dword ptr [ebp-0x24]
00401FE0 6A FF push -0x1
00401FE2 6A 0A push 0xA
00401FE4 68 79000116 push 0x16010079
00401FE9 68 01000152 push 0x52010001
00401FEE E8 AC130000 call 0040339F ; set button caption
To make the code above easier to analyze, the correct data was patched in. Two algorithms are used, Blowfish and DES, and the strings are DES-encrypted as well.
1. CRC32: 3E9CDB90
HardDiskID: WD-WCAV9T236652
2. Blowfish key = CRC32 + HardDiskID
3. Blowfish-decrypt KeyFile.dat to get KeyFile1.dat
4. KeyFile1.dat is split by two "/" separators into three strings, str1/str2/str3:
117D7A8497C0BB059CA1401A08725E84/349E701CDD0EFA28/53E725C38DA0732C5905DA8C0A881B9
5. DES-decrypt str1 with HardDiskID as the key; the result should be 1 + CRC32
6. Take the left 0x10 characters of CRC32 + HardDiskID and call them DES KEY3;
DES-decrypt str3 with KEY3; the result should be 2 + HardDiskID
7. Take the left 0x10 characters of CRC32 + HardDiskID and call them DES KEY2 (the same value as KEY3);
DES-decrypt str2 with KEY2; the result should be 注册成功 ("registration successful")
Step 3: Writing the keygen
Once the algorithm is understood, we simply run the steps backwards.
1. Compute the CM's CRC32 = 3E9CDB90, get the HardDiskID, and concatenate CRC32 with HardDiskID; call this BKEY
2. str1 = DES-encrypt "1" + CRC32 with DKEY1 = HardDiskID
3. str2 = DES-encrypt "注册成功" with DKEY2 = the first 0x10 characters of BKEY
4. str3 = DES-encrypt "2" + HardDiskID with DKEY3 = DKEY2
5. Join them as str1/str2/str3; call this KeyFilestr
6. Blowfish-encrypt KeyFilestr with BKEY and save the result as KeyFile.dat.
I won't post the source.
For how to use the keygen, see the keygen's readme.
PS: rename the CM to Xiaoy.exe.