好友
阅读权限30
听众
最后登录1970-1-1
|
CM是什么?Crackme是什么?这是什么东西?楼主发的什么?
他们都是一些公开给别人尝试破解的小程序,制作 Crackme 的人可能是程序员,想测试一下自己的软件保护技术,也可能是一位 Cracker,想挑战一下其它 Cracker 的破解实力,也可能是一些正在学习破解的人,自己编一些小程序给自己破解,KeyGenMe是要求别人做出它的 keygen (序号产生器), ReverseMe 要求别人把它的算法做出逆向分析, UnpackMe 是要求别人把它成功脱壳,本版块禁止回复非技术无关水贴。
本帖最后由 HPKEr 于 2010-3-1 12:58 编辑
【文章标题】: 虎年:CrackMe算法分析
【文章作者】: HPKEr
【软件名称】: CrackMe
【软件大小】: 21.28 KB
【下载地址】: http://xz.qupan.com/down/945520_5928700.html
【编写语言】: Microsoft Visual C++ 6.0
【使用工具】: OD PEID0.95
【操作平台】: Windows XP SP3
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
1.OD载入查找字符串插件搜索发现:“sorry! serial incorrect!”跟随过去。到段首0010114F处,F2下断。
2.Ctrl+F2重新载入,F9运行,填写内容如下:“NAME:guapi TEAM:guagua SERIAL:123456”。
3.点击“TRY SERIAL”按钮,断在0010114F处。
0040114F /$ 55 PUSH EBP
00401150 |. 8BEC MOV EBP,ESP
00401152 |. 83EC 30 SUB ESP,30
00401155 |. 6A 01 PUSH 1
00401157 |. 6A 40 PUSH 40
00401159 |. E8 B6030000 CALL CrackMe.00401514
0040115E |. 83C4 08 ADD ESP,8
00401161 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00401164 |. 6A 01 PUSH 1
00401166 |. 6A 40 PUSH 40
00401168 |. E8 A7030000 CALL CrackMe.00401514
0040116D |. 83C4 08 ADD ESP,8
00401170 |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
00401173 |. 6A 01 PUSH 1
00401175 |. 6A 40 PUSH 40
00401177 |. E8 98030000 CALL CrackMe.00401514
0040117C |. 83C4 08 ADD ESP,8
0040117F |. 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
00401182 |. 6A 40 PUSH 40 ; /Count = 40 (64.)
00401184 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; |
00401187 |. 50 PUSH EAX ; |Buffer
00401188 |. 68 EA030000 PUSH 3EA ; |ControlID = 3EA (1002.)
0040118D |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; |
00401190 |. 51 PUSH ECX ; |hWnd
00401191 |. FF15 AC604000 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \获取NAME字符数为:05
00401197 |. 8845 D0 MOV BYTE PTR SS:[EBP-30],AL
0040119A |. 6A 40 PUSH 40 ; /Count = 40 (64.)
0040119C |. 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C] ; |
0040119F |. 52 PUSH EDX ; |Buffer
004011A0 |. 68 EB030000 PUSH 3EB ; |ControlID = 3EB (1003.)
004011A5 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; |
004011A8 |. 50 PUSH EAX ; |hWnd
004011A9 |. FF15 AC604000 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \获取TEAM字符数为:06
004011AF |. 8845 E8 MOV BYTE PTR SS:[EBP-18],AL
004011B2 |. 6A 40 PUSH 40 ; /Count = 40 (64.)
004011B4 |. 8B4D D8 MOV ECX,DWORD PTR SS:[EBP-28] ; |
004011B7 |. 51 PUSH ECX ; |Buffer
004011B8 |. 68 EC030000 PUSH 3EC ; |ControlID = 3EC (1004.)
004011BD |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] ; |
004011C0 |. 52 PUSH EDX ; |hWnd
004011C1 |. FF15 AC604000 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \获取SERIAL字符数为:06
004011C7 |. 8845 F0 MOV BYTE PTR SS:[EBP-10],AL
004011CA |. C645 E0 00 MOV BYTE PTR SS:[EBP-20],0 ; 循环变量
004011CE |> C645 D4 00 /MOV BYTE PTR SS:[EBP-2C],0
004011D2 |. 8B45 E0 |MOV EAX,DWORD PTR SS:[EBP-20]
004011D5 |. 25 FF000000 |AND EAX,0FF ; EAX AND OFF清零
004011DA |. 8B4D F8 |MOV ECX,DWORD PTR SS:[EBP-8]
004011DD |. 8A1401 |MOV DL,BYTE PTR DS:[ECX+EAX] ; NAME:guagua第一个字母十六进制67入DL
004011E0 |. 8855 F4 |MOV BYTE PTR SS:[EBP-C],DL ; 储存DL临时变量
004011E3 |. 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C]
004011E6 |. 25 FF000000 |AND EAX,0FF ; 运算结果为:67
004011EB |. 8B4D E8 |MOV ECX,DWORD PTR SS:[EBP-18] ; 取TEAM:guagua长度为06
004011EE |. 81E1 FF000000 |AND ECX,0FF ; 运算结果为:06
004011F4 |. 33C1 |XOR EAX,ECX ; EAX与ECX进行XOR结果为:61
004011F6 |. 8845 F4 |MOV BYTE PTR SS:[EBP-C],AL ; 将AL:61临时变量存储在堆栈
004011F9 |. 8B55 F4 |MOV EDX,DWORD PTR SS:[EBP-C] ; 将变量61入EDX
004011FC |. 81E2 FF000000 |AND EDX,0FF ; 运算结果为:61
00401202 |. 33C0 |XOR EAX,EAX ; EAX清零
00401204 |. A0 14764000 |MOV AL,BYTE PTR DS:[407614] ; 将十六进制1E送入AL
00401209 |. 33D0 |XOR EDX,EAX ; EDX与EAX异或结果为:7F
0040120B |. 8855 F4 |MOV BYTE PTR SS:[EBP-C],DL
0040120E |. C645 DC 00 |MOV BYTE PTR SS:[EBP-24],0
00401212 |. EB 09 |JMP SHORT CrackMe.0040121D
00401214 |> 8A4D DC |/MOV CL,BYTE PTR SS:[EBP-24] ; (初始化 cpu 选择状态)
00401217 |. 80C1 01 ||ADD CL,1 ; 计数器CL=1
0040121A |. 884D DC ||MOV BYTE PTR SS:[EBP-24],CL ; 将CL临时变量存储于堆栈
0040121D |> 8B55 DC | MOV EDX,DWORD PTR SS:[EBP-24]
00401220 |. 81E2 FF000000 ||AND EDX,0FF ; EDX清零
00401226 |. 8B45 E8 ||MOV EAX,DWORD PTR SS:[EBP-18] ; 取TEAM:guagua长度
00401229 |. 25 FF000000 ||AND EAX,0FF ; EAX=06
0040122E |. 3BD0 ||CMP EDX,EAX ; EDX与EAX比较
00401230 |. 7D 20 ||JGE SHORT CrackMe.00401252 ; 结果高于等于0跳至00401252处
00401232 |. 8B4D F4 ||MOV ECX,DWORD PTR SS:[EBP-C]
00401235 |. 81E1 FF000000 ||AND ECX,0FF ; ECX=7F
0040123B |. 8B55 DC ||MOV EDX,DWORD PTR SS:[EBP-24]
0040123E |. 81E2 FF000000 ||AND EDX,0FF ; EDX清零
00401244 |. 8B45 E4 ||MOV EAX,DWORD PTR SS:[EBP-1C] ; TEAM:guagua入EAX
00401247 |. 0FBE1410 ||MOVSX EDX,BYTE PTR DS:[EAX+EDX] ; TEAM:guagua第一个字母'g'符号扩展至EDX
0040124B |. 33CA ||XOR ECX,EDX ; 7F与67异或,ECX=18。
0040124D |. 884D F4 ||MOV BYTE PTR SS:[EBP-C],CL ; CL=18、6D、C、6B、1E、7F存入堆栈
00401250 |.^ EB C2 |\JMP SHORT CrackMe.00401214 ; 循环
00401252 |> 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C] ; 7F入EAX
00401255 |. 25 FF000000 |AND EAX,0FF ; 结果为:7F
0040125A |. C1F8 02 |SAR EAX,2 ; 算术右移2位,结果为:1F
0040125D |. 8845 F4 |MOV BYTE PTR SS:[EBP-C],AL
00401260 |. C645 DC 00 |MOV BYTE PTR SS:[EBP-24],0
00401264 |. EB 09 |JMP SHORT CrackMe.0040126F
00401266 |> 8A4D DC |/MOV CL,BYTE PTR SS:[EBP-24]
00401269 |. 80C1 01 ||ADD CL,1
0040126C |. 884D DC ||MOV BYTE PTR SS:[EBP-24],CL
0040126F |> 8B55 DC | MOV EDX,DWORD PTR SS:[EBP-24]
00401272 |. 81E2 FF000000 ||AND EDX,0FF ; EDX清零
00401278 |. 83FA 02 ||CMP EDX,2
0040127B |. 7D 26 ||JGE SHORT CrackMe.004012A3 ; 直到EDX值为2跳出循环
0040127D |. 8B45 E0 ||MOV EAX,DWORD PTR SS:[EBP-20]
00401280 |. 25 FF000000 ||AND EAX,0FF ; EAX值为0
00401285 |. 8B4D DC ||MOV ECX,DWORD PTR SS:[EBP-24]
00401288 |. 81E1 FF000000 ||AND ECX,0FF ; ECX值为0
0040128E |. 034D D8 ||ADD ECX,DWORD PTR SS:[EBP-28] ; SERIAL:123456
00401291 |. 8B55 DC ||MOV EDX,DWORD PTR SS:[EBP-24]
00401294 |. 81E2 FF000000 ||AND EDX,0FF ; EDX清零
0040129A |. 8A0441 ||MOV AL,BYTE PTR DS:[ECX+EAX*2]
0040129D |. 884415 FC ||MOV BYTE PTR SS:[EBP+EDX-4],AL
004012A1 |.^ EB C3 |\JMP SHORT CrackMe.00401266
004012A3 |> 8B4D DC |MOV ECX,DWORD PTR SS:[EBP-24]
004012A6 |. 81E1 FF000000 |AND ECX,0FF ; ECX=2
004012AC |. C6440D FC 00 |MOV BYTE PTR SS:[EBP+ECX-4],0
004012B1 |. 8D55 FC |LEA EDX,DWORD PTR SS:[EBP-4] ; 每次取SERIAL两位字符“12”“34”“56”“”“”到EDX
004012B4 |. 52 |PUSH EDX
004012B5 |. E8 4F020000 |CALL CrackMe.00401509 ; 第一次将十进制12转化为十六进制数为c,第二次将34转化为十六进制的22,第三次将56转化为十六进制的38,由于第四次和第五次,通过修改标志位取值为空。
004012BA |. 83C4 04 |ADD ESP,4
004012BD |. 8945 EC |MOV DWORD PTR SS:[EBP-14],EAX
004012C0 |. 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C] ; EAX=1F
004012C3 |. 25 FF000000 |AND EAX,0FF ; EAX=1F
004012C8 |. 3945 EC |CMP DWORD PTR SS:[EBP-14],EAX ; c与1F比较,明显不相等,暂且先记下“1F、1B、1E、1A、1C”比较五次后就结束了。将字符串转化为十进制连接起来:3127302628这一串数字就是真SERIAL:3127302628
004012CB |. 75 04 |JNZ SHORT CrackMe.004012D1 ; 不为0,就跳。这个标志位不能让它,实现跳转,如果实现就没有办法跟出真注册码了。通过修改标志位让它不能实现跳转,目的就达到了。
004012CD |. C645 D4 01 |MOV BYTE PTR SS:[EBP-2C],1
004012D1 |> 8A4D E0 |MOV CL,BYTE PTR SS:[EBP-20]
004012D4 |. 80C1 01 |ADD CL,1 ; CL=1
004012D7 |. 884D E0 |MOV BYTE PTR SS:[EBP-20],CL
004012DA |. 8B55 E0 |MOV EDX,DWORD PTR SS:[EBP-20]
004012DD |. 81E2 FF000000 |AND EDX,0FF ; EDX=01
004012E3 |. 8B45 D0 |MOV EAX,DWORD PTR SS:[EBP-30] ; NAME:guapi位数
004012E6 |. 25 FF000000 |AND EAX,0FF ; EAX=05
004012EB |. 3BD0 |CMP EDX,EAX
004012ED |. 7D 12 |JGE SHORT CrackMe.00401301 ; 直到EDX=5时跳出循环
004012EF |. 8B4D D4 |MOV ECX,DWORD PTR SS:[EBP-2C]
004012F2 |. 81E1 FF000000 |AND ECX,0FF
004012F8 |. 83F9 01 |CMP ECX,1
004012FB |.^ 0F84 CDFEFFFF \JE CrackMe.004011CE
00401301 |> 8B55 D0 MOV EDX,DWORD PTR SS:[EBP-30] ; NAME:guapi位数入EDX
00401304 |. 81E2 FF000000 AND EDX,0FF
0040130A |. 85D2 TEST EDX,EDX
0040130C |. 74 19 JE SHORT CrackMe.00401327 ; 如果NAME为空就提示:“please! fill all fields!”
0040130E |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00401311 |. 25 FF000000 AND EAX,0FF
00401316 |. 85C0 TEST EAX,EAX
00401318 |. 74 0D JE SHORT CrackMe.00401327 ; 如果TEAM为空就提示:“please! fill all fields!”
0040131A |. 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10] ; 206入ECX
0040131D |. 81E1 FF000000 AND ECX,0FF ; ECX=6
00401323 |. 85C9 TEST ECX,ECX
00401325 |. 75 16 JNZ SHORT CrackMe.0040133D ; 如果TEAM不为空就跳至0010133D处
00401327 |> 68 30704000 PUSH CrackMe.00407030 ; /please! fill all fields!
0040132C |. 68 F3030000 PUSH 3F3 ; |ControlID = 3F3 (1011.)
00401331 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] ; |
00401334 |. 52 PUSH EDX ; |hWnd
00401335 |. FF15 B0604000 CALL DWORD PTR DS:[<&USER32.SetDlgItemTe>; \SetDlgItemTextA
0040133B |. EB 37 JMP SHORT CrackMe.00401374
0040133D |> 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C] ; EAX=0
00401340 |. 25 FF000000 AND EAX,0FF
00401345 |. 83F8 01 CMP EAX,1
00401348 |. 75 16 JNZ SHORT CrackMe.00401360
0040134A |. 68 4C704000 PUSH CrackMe.0040704C ; /congratulations! serial correct!
0040134F |. 68 F3030000 PUSH 3F3 ; |ControlID = 3F3 (1011.)
00401354 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] ; |
00401357 |. 51 PUSH ECX ; |hWnd
00401358 |. FF15 B0604000 CALL DWORD PTR DS:[<&USER32.SetDlgItemTe>; \SetDlgItemTextA
0040135E |. EB 14 JMP SHORT CrackMe.00401374
00401360 |> 68 70704000 PUSH CrackMe.00407070 ; /sorry! serial incorrect!
00401365 |. 68 F3030000 PUSH 3F3 ; |ControlID = 3F3 (1011.)
0040136A |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] ; |
0040136D |. 52 PUSH EDX ; |hWnd
0040136E |. FF15 B0604000 CALL DWORD PTR DS:[<&USER32.SetDlgItemTe>; \SetDlgItemTextA
00401374 |> 33C0 XOR EAX,EAX
00401376 |. 8BE5 MOV ESP,EBP
00401378 |. 5D POP EBP
00401379 \. C3 RETN
0040137A /$ 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
0040137E |. A3 8C704000 MOV DWORD PTR DS:[40708C],EAX
00401383 \. C3 RETN
三组可用SERIAL:
1.当Positions位置为A时
NAEM:guapi
TEAM:guagua
SERIAL:2630273125
2.当Positions位置为B时
NAEM:guapi
TEAM:guagua
SERIAL:2925282430
3.当Positions位置为C时
NAEM:guapi
TEAM:guagua
SERIAL:3127302628
A.当Positions位置为A时,注册成功图:
B.当Positions位置为B时,注册成功图:
C.当Positions位置为C时,注册成功图:
--------------------------------------------------------------------------------
【经验总结】
1.此CrackMe爆破相当简单,只要将00401348 |. /75 16 JNZ SHORT CrackMe.00401360处反汇编代码NOP掉或者改
为JZ,就OK了。
2.总体感觉此CrackMe不是很难,特别适合新手练习,由于我也是今天早上仓促分析它,时间有限,有些地方写的不是很明
白,兄弟们只要仔细想,细心看,也不难明白。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于HPKEr, 转载请注明作者并保持文章的完整, 谢谢!
2010年03月01日 12:45:02 |
|
发表于 2010-3-1 12:41
