[第二题] 【吾爱破解2014CrackMe大赛】【第二组】

a070458 发表于 2014-10-24 19:49
本帖最后由 L4Nce 于 2014-10-24 22:41 编辑

听说第二题无解,  直接将分析发出来吧
通过分析字符串,可以快速到达关键call
address=00401B50



00401C5B  |> \8D4424 3C     lea eax,dword ptr ss:[esp+0x3C]     // eax = address of the table at [esp+0x3C] (0x654 bytes, treated below as int iBIAO[0x195])
00401C5F  |.  E8 4C020000   call CrackMe2.00401EB0        // fills that table; the author observes an EE FF EE FF marker in every 5th int
生成一个不是E就是F的表
大小为0x654
我定义它为 int iBIAO[0x195]
具体如下
QQ截图20141024185507.png
细心观察能发现,每隔 5 个必定是 EE FF EE FF
然后就是此处了
00401C70  |> /0FBE843C 9806>/movsx eax,byte ptr ss:[esp+edi+0x698]      // next user-name byte, sign-extended (edi = byte index)
00401C78  |. |8BC8          |mov ecx,eax
00401C7A  |. |C1F9 04       |sar ecx,0x4                            // ecx = high nibble of the byte
00401C7D  |. |83E1 0F       |and ecx,0xF
00401C80  |. |83E0 0F       |and eax,0xF                            // esi = low nibble of the byte
00401C83  |. |8BF0          |mov esi,eax
00401C85  |. |83F9 09       |cmp ecx,0x9
00401C88  |. |76 0E         |jbe short CrackMe2.00401C98            // nibble <= 9 (9 included) is used unchanged
00401C8A  |. |B8 398EE338   |mov eax,0x38E38E39                     // mul by 0x38E38E39 then shr edx,1 is an unsigned divide by 9 (the C rendering below uses /9)
00401C8F  |. |F7E1          |mul ecx
00401C91  |. |D1EA          |shr edx,1
00401C93  |. |6BD2 F7       |imul edx,edx,-0x9
00401C96  |. |03CA          |add ecx,edx                            // ecx -= 9*(ecx/9), only reached for ecx > 9
00401C98  |> |83FE 09       |cmp esi,0x9
00401C9B  |. |76 0E         |jbe short CrackMe2.00401CAB
00401C9D  |. |B8 398EE338   |mov eax,0x38E38E39                     // same reduction for the low nibble
00401CA2  |. |F7E6          |mul esi
00401CA4  |. |D1EA          |shr edx,1
00401CA6  |. |6BD2 F7       |imul edx,edx,-0x9
00401CA9  |. |03F2          |add esi,edx                            // esi -= 9*(esi/9), only reached for esi > 9
00401CAB  |> |8D04CE        |lea eax,dword ptr ds:[esi+ecx*8]       // eax = lo + 8*hi ...
00401CAE  |. |03C1          |add eax,ecx                            // ... + hi = lo + 9*hi
00401CB0  |. |47            |inc edi
00401CB1  |. |8D1480        |lea edx,dword ptr ds:[eax+eax*4]                        // edx = eax*5: only every 5th int slot of the table can be written
00401CB4  |. |894C24 30     |mov dword ptr ss:[esp+0x30],ecx        // hi/lo kept in locals just below the table
00401CB8  |. |897424 34     |mov dword ptr ss:[esp+0x34],esi
00401CBC  |. |C74494 3C FFE>|mov dword ptr ss:[esp+edx*4+0x3C],0xEEFFEEFF    // iBIAO[edx] = 0xEEFFEEFF: mark the slot derived from this byte
00401CC4  |. |3BFB          |cmp edi,ebx                            // ebx = loop bound, set outside this listing (presumably tied to the name length)
00401CC6  |.^\7C A8         \jl short CrackMe2.00401C70


从此处开始  ESP+0X3C指向的是iBIAO[0]

所以
00401CBC |. |C74494 3C FFE>|mov dword ptr ss:[esp+edx*4+0x3C],0xEEFFEEFF
相当于 iBIAO[edx]     //int 为 4 字节,所以字节偏移是 edx*4

注意 00401CB1 这句代码(edx = eax*5),所以 edx 必然是 5 的倍数。
粗略翻译成 C++ 渣代码,别吐槽;没有对码表进行初始化,

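// Rough C++ rendering of 00401C5B..00401CC6 (listing above): one pass per
// user-name byte that marks one slot of the 0x654-byte table at [esp+0x3C].
// The table is viewed as an int array (iBiao); only indices that are
// multiples of 5 are written here. Its real initial contents come from the
// call at 00401C5F (00401EB0) and are only approximated by the fill below.
int iBiao[0x195];
UpdateData(TRUE);

char ca = 0;
int iesi, iecx, i, itmp;
m_cstr_key = "";

// Approximate the generated table: the EE FF EE FF marker in every 5th int,
// 0x51 markers in all (0x195 / 5).
for (i = 0; i < 0x51; i++)
{
    iBiao[5 * i] = 0xffeeffee;
}

// The loop bound in the listing is ebx, which is set outside it; the inclusive
// bound keeps the author's reading that the terminating NUL is processed too.
for (i = 0; i <= m_cstr_user.GetLength(); i++)
{
    ca = m_cstr_user[i];               // movsx eax, byte [esp+edi+0x698]
    iecx = (ca >> 4) & 0xf;            // high nibble  (sar ecx,4 ; and ecx,0xF)
    iesi = ca & 0xf;                   // low nibble   (and eax,0xF ; mov esi,eax)

    // mul 0x38E38E39 / shr edx,1 is an unsigned divide by 9; a nibble above 9
    // is reduced by 9*(n/9). Note that 9 itself is NOT reduced (jbe skips it).
    if (iecx > 9)
    {
        itmp = iecx / 9;
        iecx += itmp * -9;
    }
    if (iesi > 9)
    {
        itmp = iesi / 9;
        iesi += itmp * -9;
    }

    // lea eax,[esi+ecx*8] ; add eax,ecx ; lea edx,[eax+eax*4]
    itmp = iesi + iecx * 8;
    itmp += iecx;
    itmp *= 5;                         // always a multiple of 5: the marker slot for this byte
    iBiao[itmp] = 0xeeffeeff;          // mov dword [esp+edx*4+0x3C], 0xEEFFEEFF
}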


下面就是对注册码进行处理了

00401CD0  |. /0F8E BD000000 jle CrackMe2.00401D93                   // loop skipped entirely when the bound is <= 0 (the compare is above this listing)
00401CD6  |. |BB FEFEFEFE   mov ebx,0xFEFEFEFE                      // sentinel value compared against table slots below
00401CDB  |. |EB 03         jmp short CrackMe2.00401CE0
00401CDD  |  |8D49 00       lea ecx,dword ptr ds:[ecx]              // 3-byte nop, aligns the loop head
00401CE0  |> |0FBE843C A406>/movsx eax,byte ptr ss:[esp+edi+0x6A4]   // next key byte (a different buffer from the user name at +0x698)
00401CE8  |. |8BC8          |mov ecx,eax
00401CEA  |. |C1F9 04       |sar ecx,0x4                            // same nibble hashing as the user-name loop: ecx = hi, esi = lo
00401CED  |. |83E1 0F       |and ecx,0xF
00401CF0  |. |83E0 0F       |and eax,0xF
00401CF3  |. |8BF0          |mov esi,eax
00401CF5  |. |83F9 09       |cmp ecx,0x9
00401CF8  |. |76 0E         |jbe short CrackMe2.00401D08
00401CFA  |. |B8 398EE338   |mov eax,0x38E38E39                     // hi > 9: hi -= 9*(hi/9)
00401CFF  |. |F7E1          |mul ecx
00401D01  |. |D1EA          |shr edx,1
00401D03  |. |6BD2 F7       |imul edx,edx,-0x9
00401D06  |. |03CA          |add ecx,edx
00401D08  |> |83FE 09       |cmp esi,0x9
00401D0B  |. |76 0E         |jbe short CrackMe2.00401D1B
00401D0D  |. |B8 398EE338   |mov eax,0x38E38E39                     // lo > 9: lo -= 9*(lo/9)
00401D12  |. |F7E6          |mul esi
00401D14  |. |D1EA          |shr edx,1
00401D16  |. |6BD2 F7       |imul edx,edx,-0x9
00401D19  |. |03F2          |add esi,edx
00401D1B  |> |8D04CE        |lea eax,dword ptr ds:[esi+ecx*8]       // eax = lo + 9*hi
00401D1E  |. |03C1          |add eax,ecx
00401D20  |. |8D0C80        |lea ecx,dword ptr ds:[eax+eax*4]       // ecx = eax*5 ...
00401D23  |. |03C9          |add ecx,ecx
00401D25  |. |03C9          |add ecx,ecx                            // ... *4: byte offset of int slot 5*eax, the marker slot for this byte
00401D27  |. |395C0C 40     |cmp dword ptr ss:[esp+ecx+0x40],ebx    // slot[5*eax+1] == sentinel ?
00401D2B  |. |74 10         |je short CrackMe2.00401D3D
00401D2D  |. |8D5480 D3     |lea edx,dword ptr ds:[eax+eax*4-0x2D]  // edx = 5*eax-45: negative for eax < 9 (high nibble 0, e.g. the terminating NUL), i.e. an index below the table
00401D31  |. |817494 3C 111>|xor dword ptr ss:[esp+edx*4+0x3C],0x11111111   // slot[5*eax-45] ^= 0x11111111; for eax == 0 this touches [esp-0x78]
00401D39  |. |8D5494 3C     |lea edx,dword ptr ss:[esp+edx*4+0x3C]  // dead: edx is recomputed before its next use
00401D3D  |> |395C0C 44     |cmp dword ptr ss:[esp+ecx+0x44],ebx    // slot[5*eax+2] == sentinel ?
00401D41  |. |74 15         |je short CrackMe2.00401D58
00401D43  |. |8D5480 D3     |lea edx,dword ptr ds:[eax+eax*4-0x2D]
00401D47  |. |8B5494 3C     |mov edx,dword ptr ss:[esp+edx*4+0x3C]  // edx = slot[5*eax-45]
00401D4B  |. |81F2 11111111 |xor edx,0x11111111
00401D51  |. |89940C F00000>|mov dword ptr ss:[esp+ecx+0xF0],edx    // slot[5*eax+45] = edx ^ 0x11111111   ((0xF0-0x3C)/4 = 45)
00401D58  |> |395C0C 48     |cmp dword ptr ss:[esp+ecx+0x48],ebx    // slot[5*eax+3] == sentinel ?
00401D5C  |. |74 12         |je short CrackMe2.00401D70
00401D5E  |. |8D5480 D3     |lea edx,dword ptr ds:[eax+eax*4-0x2D]
00401D62  |. |8B5494 3C     |mov edx,dword ptr ss:[esp+edx*4+0x3C]
00401D66  |. |81F2 11111111 |xor edx,0x11111111
00401D6C  |. |89540C 28     |mov dword ptr ss:[esp+ecx+0x28],edx    // slot[5*eax-5] = edx ^ 0x11111111; for eax == 0 this writes the stack slot at [esp+0x28], outside the table
00401D70  |> |395C0C 4C     |cmp dword ptr ss:[esp+ecx+0x4C],ebx    // slot[5*eax+4] == sentinel ?
00401D74  |. |74 12         |je short CrackMe2.00401D88
00401D76  |. |8D4480 D3     |lea eax,dword ptr ds:[eax+eax*4-0x2D]  // eax is dead after this block, so it is reused for the index
00401D7A  |. |8B5484 3C     |mov edx,dword ptr ss:[esp+eax*4+0x3C]
00401D7E  |. |81F2 11111111 |xor edx,0x11111111
00401D84  |. |89540C 50     |mov dword ptr ss:[esp+ecx+0x50],edx    // slot[5*eax+5] = edx ^ 0x11111111
00401D88  |> |47            |inc edi
00401D89  |. |3B7C24 10     |cmp edi,dword ptr ss:[esp+0x10]        // bound at [esp+0x10] appears to exceed the key length (author: length+4), so bytes past the key are processed too
00401D8D  |.^|0F8C 4DFFFFFF \jl CrackMe2.00401CE0



注意此处
00401D89 |. |3B7C24 10 |cmp edi,dword ptr ss:[esp+0x10]      //注意这里,貌似不是和注册码的长度相等的  所以他会再往后面读取未知字节
貌似是注册码长度+4


大致翻译一下,可能有错
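// Rough C++ rendering of the key loop 00401CE0..00401D8D (listing above),
// followed by the checksum loop 00401DA0..00401E4B. Same nibble hashing as the
// user-name loop: itmp = 5 * (lo + 9*hi) indexes the int table at [esp+0x3C]
// (ecx in the listing is itmp*4, a byte offset), so the four compares read
// slots itmp+1..itmp+4 and the three stores go to itmp+45, itmp-5, itmp+5.
// itmp can be 0 (e.g. the terminating NUL, which the loop bound reaches), in
// which case itmp-45 and itmp-5 are negative and touch the stack below
// iBiao[0] -- the out-of-bounds access discussed below.
for (i = 0; i <= m_cstr_key.GetLength(); i++)
{
    int iebx = 0xfefefefe;             // sentinel (mov ebx,0xFEFEFEFE)
    int ieax, iedx;
    ca = m_cstr_key[i];                // movsx eax, byte [esp+edi+0x6A4]
    iecx = (ca >> 4) & 0xf;            // high nibble
    iesi = ca & 0xf;                   // low nibble
    if (iecx > 9)
    {
        itmp = iecx / 9;
        iecx += itmp * -9;
    }
    if (iesi > 9)
    {
        itmp = iesi / 9;
        iesi += itmp * -9;
    }

    ieax = iesi + iecx * 8 + iecx;     // lea eax,[esi+ecx*8] ; add eax,ecx
    itmp = ieax * 5;                   // lea ecx,[eax+eax*4] (then *4 for the byte offset)
    iedx = ieax * 5 - 0x2d;            // lea edx,[eax+eax*4-0x2D]: source slot of the three copies

    if (iBiao[itmp + 1] != iebx)       // cmp [esp+ecx+0x40], ebx
    {
        iBiao[iedx] ^= 0x11111111;     // xor [esp+edx*4+0x3C], 0x11111111
    }
    if (iBiao[itmp + 2] != iebx)       // cmp [esp+ecx+0x44], ebx
    {
        iBiao[itmp + 0x2d] = iBiao[iedx] ^ 0x11111111;   // mov [esp+ecx+0xF0], edx
    }
    if (iBiao[itmp + 3] != iebx)       // cmp [esp+ecx+0x48], ebx
    {
        iBiao[itmp - 5] = iBiao[iedx] ^ 0x11111111;      // mov [esp+ecx+0x28], edx
    }
    if (iBiao[itmp + 4] != iebx)       // cmp [esp+ecx+0x4C], ebx
    {
        iBiao[itmp + 5] = iBiao[iedx] ^ 0x11111111;      // mov [esp+ecx+0x50], edx
    }
}

// Checksum (00401DA0..00401E4B): only every 5th int, the marker slots, is
// summed -- 3 passes of 27 dwords = 0x51 slots, so the bound is < 0x51, not
// <= 0x51 (iBiao[0x195] is past the end of the array).
int isum = 0;
for (i = 0; i < 0x51; i++)
{
    isum += iBiao[5 * i];
}
if (isum == 0xFA9EFA4E)
{
    MessageBox("GOOD!");
}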
}





可以看出,如果 iecx 为 0 或者负数,iebx=iBiao[iecx/4-5]; 就可能越界!



越界取出的值就再也不是 E 或者 F 了


3.png
后面就是循环3次相加码表的值了

00401D9C  |.  8D51 03       lea edx,dword ptr ds:[ecx+0x3]          // edx = pass count (ecx+3; ecx presumably 0 here, giving the 3 passes the author mentions)
00401D9F  |.  90            nop
00401DA0  |>  8BB0 74FFFFFF /mov esi,dword ptr ds:[eax-0x8C]        // each pass sums 27 dwords spaced 0x14 bytes (5 ints) apart: the every-5th marker slots
00401DA6  |.  0370 88       |add esi,dword ptr ds:[eax-0x78]
00401DA9  |.  05 1C020000   |add eax,0x21C                          // 0x21C = 27 * 0x14: advance to the next group of 27 slots
00401DAE  |.  03B0 80FDFFFF |add esi,dword ptr ds:[eax-0x280]       // = old eax-0x64, continuing the 0x14 stride
00401DB4  |.  03B0 94FDFFFF |add esi,dword ptr ds:[eax-0x26C]
00401DBA  |.  03B0 A8FDFFFF |add esi,dword ptr ds:[eax-0x258]
00401DC0  |.  03B0 BCFDFFFF |add esi,dword ptr ds:[eax-0x244]
00401DC6  |.  03B0 D0FDFFFF |add esi,dword ptr ds:[eax-0x230]
00401DCC  |.  03B0 F8FDFFFF |add esi,dword ptr ds:[eax-0x208]       // = old eax+0x14; this and the next line are in swapped order, the sum is unaffected
00401DD2  |.  03B0 E4FDFFFF |add esi,dword ptr ds:[eax-0x21C]       // = old eax+0
00401DD8  |.  03CE          |add ecx,esi                            // ecx accumulates the running sum (first 9 slots)
00401DDA  |.  8BB0 ACFEFFFF |mov esi,dword ptr ds:[eax-0x154]       // second group of 9: old eax+0xC8 down to old eax+0x28
00401DE0  |.  03B0 98FEFFFF |add esi,dword ptr ds:[eax-0x168]
00401DE6  |.  03B0 84FEFFFF |add esi,dword ptr ds:[eax-0x17C]
00401DEC  |.  03B0 70FEFFFF |add esi,dword ptr ds:[eax-0x190]
00401DF2  |.  03B0 5CFEFFFF |add esi,dword ptr ds:[eax-0x1A4]
00401DF8  |.  03B0 48FEFFFF |add esi,dword ptr ds:[eax-0x1B8]
00401DFE  |.  03B0 34FEFFFF |add esi,dword ptr ds:[eax-0x1CC]
00401E04  |.  03B0 20FEFFFF |add esi,dword ptr ds:[eax-0x1E0]
00401E0A  |.  03B0 0CFEFFFF |add esi,dword ptr ds:[eax-0x1F4]
00401E10  |.  03CE          |add ecx,esi
00401E12  |.  8BB0 60FFFFFF |mov esi,dword ptr ds:[eax-0xA0]        // third group of 9: old eax+0x17C down to old eax+0xDC
00401E18  |.  03B0 4CFFFFFF |add esi,dword ptr ds:[eax-0xB4]
00401E1E  |.  03B0 38FFFFFF |add esi,dword ptr ds:[eax-0xC8]
00401E24  |.  03B0 24FFFFFF |add esi,dword ptr ds:[eax-0xDC]
00401E2A  |.  03B0 10FFFFFF |add esi,dword ptr ds:[eax-0xF0]
00401E30  |.  03B0 FCFEFFFF |add esi,dword ptr ds:[eax-0x104]
00401E36  |.  03B0 E8FEFFFF |add esi,dword ptr ds:[eax-0x118]
00401E3C  |.  03B0 D4FEFFFF |add esi,dword ptr ds:[eax-0x12C]
00401E42  |.  03B0 C0FEFFFF |add esi,dword ptr ds:[eax-0x140]
00401E48  |.  03CE          |add ecx,esi                            // 27 slots added this pass; eax now points 0x21C past where it started
00401E4A  |.  4A            |dec edx
00401E4B  |.^ 0F85 4FFFFFFF \jnz CrackMe2.00401DA0                  // 3 passes * 27 = 0x51 slots = every iBIAO[5*i]; ecx is compared after this listing



这里我大胆地用原始表格的值覆盖回去,果断相加出了正确的值
其实慢慢看代码就会发现,它只是在做 isum+=iBiao[5*i]; 即把下标为 5 的倍数的值相加,
所以其他的都是混淆视线的.

一开始我把 0x00 到 0xff 遍历了一遍,貌似都没有找到能在它检测注册码时还原出原来值的组合,估计是注册码检测算法写错了~或者是我数学能力不够

听说写错了  我发出分析吧

时间不够  可能有些地方写错, 欢迎指正~

keygenmeforblack.rar (13.23 KB, 下载次数: 30) 附上代码 可能有错~


currwin 发表于 2014-10-25 09:08
      写得很详细,感谢
JollyRoger光 发表于 2014-10-25 09:21
hack_koko 发表于 2014-11-7 17:40
hewap 发表于 2016-4-16 19:25 来自手机
很好的作品,学习了
wincorry 发表于 2016-4-28 20:21 来自手机
膜拜大神
wincorry 发表于 2016-4-28 21:12 来自手机
膜拜大神
o6o7o5 发表于 2016-5-1 01:08
膜拜大神
长剑相思 发表于 2016-6-1 16:05
很好的作品,学习了
烈枫寒 发表于 2016-6-9 14:25
虽然还是不太懂,但是很厉害