独树一帜wp
在 crackme 和 reverse me 的板块中..花几天时间跟踪一些牛人的 crack.结果小菜我被 crack,晕.但也发现自己的缺点..就是对密码学的算法也不够熟悉..看来要学好破解,还要学很多东西,呵呵
这个没技术含量,老鸟就过吧...本人灌水的..
攻不下难的..
拿了个软柿子,就分析下..
1. 在 GetDlgItemTextA 上下断点, 确定读取输入的关键位置 (两次调用分别读取注册名和注册码, 见下面 00401233 / 0040124B),
错误没提示..
2. 也可以通过查找字符串 "good job! - cracked!" (见 00401271), 往上回溯到关键算法 call 00401000 的位置
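00401212 . /0F85 B6000000 jnz 004012CE
00401218 . |A1 28694000 mov eax, dword ptr [406928] ;Case 3EB of switch 00401208 - [406928] holds the dialog hWnd (see the push below)
0040121D . |8B35 C0504000 mov esi, dword ptr [<&USER32.GetDlgItemTextA>] ;USER32.GetDlgItemTextA
00401223 . |68 FF000000 push 0FF ; /Count = FF (255.)
00401228 . |68 30694000 push 00406930 ; |chenji  <- name buffer 00406930 (contents at the time of the trace)
0040122D . |68 E8030000 push 3E8 ; |ControlID = 3E8 (1000.)  - name edit box
00401232 . |50 push eax ; |hWnd => 0002023E (' Crackme - v0.01',class='#32770')
00401233 . |FFD6 call esi ; \GetDlgItemTextA
00401235 . |8B0D 28694000 mov ecx, dword ptr [406928]
0040123B . |68 FF000000 push 0FF ; /Count = FF (255.)
00401240 . |68 306A4000 push 00406A30 ; |111111111  <- serial buffer 00406A30 (contents at the time of the trace)
00401245 . |68 EA030000 push 3EA ; |ControlID = 3EA (1002.)  - serial edit box
0040124A . |51 push ecx ; |hWnd => 0002023E (' Crackme - v0.01',class='#32770')
0040124B . |FFD6 call esi ; \GetDlgItemTextA
0040124D . |68 306A4000 push 00406A30 ;arg2 = serial
00401252 . |68 30694000 push 00406930 ;arg1 = name
00401257 |E8 A4FDFFFF call 00401000 ;key routine: check(name, serial) - listed below
0040125C . |83C4 08 add esp, 8 ;cdecl: caller removes the two arguments
0040125F . |83F8 01 cmp eax, 1 ;only a return value of exactly 1 means "good"
00401262 . |A3 646C4000 mov dword ptr [406C64], eax
00401267 . |75 65 jnz short 004012CE ;anything else jumps to 4012CE (not shown); the author notes no error message appears
00401269 . |8B15 28694000 mov edx, dword ptr [406928]
0040126F . |6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401271 . |68 80604000 push 00406080 ; |good job! - cracked!
00401276 . |68 50604000 push 00406050 ; |send your solution to : v0id2k1@hotmail.com
0040127B . |52 push edx ; |hOwner => 0002023E (' Crackme - v0.01',class='#32770')
0040127C . |FF15 C4504000 call dword ptr [<&USER32.MessageBoxA>] ; \MessageBoxA
00401282 . |B8 01000000 mov eax, 1
00401287 . |5E pop esi
00401288 . |C2 1000 retn 10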
F7 跟进 00401257 处的 call 00401000, 算法如下:
刚进去看这些代码,还真以为是牛b的算法..结果..哎..
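00401000/$53 push ebx
00401001|.8B5C24 0C mov ebx, dword ptr [esp+C] ;ebx = arg2 = serial typed by the user
00401005|.55 push ebp
00401006|.56 push esi
00401007|.8B7424 10 mov esi, dword ptr [esp+10] ;esi = arg1 = registration name
0040100B|.8A0B mov cl, byte ptr [ebx] ;cl = serial[0]
0040100D|.33ED xor ebp, ebp ;ebp = running sum over the name
0040100F|.57 push edi
00401010|.8A06 mov al, byte ptr [esi] ;al = name[0]
00401012|.3AC1 cmp al, cl
00401014 0F85 69010000 jnz 00401183 ;check 1: serial[0] must equal name[0] (case-sensitive)
0040101A|.8BFE mov edi, esi
0040101C|.83C9 FF or ecx, FFFFFFFF
0040101F|.33C0 xor eax, eax
00401021|.F2:AE repne scas byte ptr es:[edi] ;inline strlen(name)
00401023|.F7D1 not ecx
00401025|.49 dec ecx ;ecx = strlen(name)
00401026|.83F9 05 cmp ecx, 5
00401029|.0F82 54010000 jb 00401183 ;check 2: name must be at least 5 bytes long (jb fails only when < 5)
0040102F|.807B 01 2D cmp byte ptr [ebx+1], 2D
00401033 0F85 4A010000 jnz 00401183 ;check 3: serial[1] must be '-'
00401039|.8BFE mov edi, esi
0040103B|.83C9 FF or ecx, FFFFFFFF
0040103E|.33C0 xor eax, eax
00401040|.33D2 xor edx, edx ;edx = index into the name
00401042|.F2:AE repne scas byte ptr es:[edi]
00401044|.F7D1 not ecx
00401046|.49 dec ecx
00401047|.74 17 je short 00401060 ;empty name: skip the sum (cannot happen after check 2)
00401049|>0FBE0C32 /movsx ecx, byte ptr [edx+esi] ;name[edx], SIGN-extended: bytes >= 0x80 count as negative
0040104D|.03E9 |add ebp, ecx ;ebp += name[edx]
0040104F|.8BFE |mov edi, esi
00401051|.83C9 FF |or ecx, FFFFFFFF
00401054|.33C0 |xor eax, eax
00401056|.42 |inc edx
00401057|.F2:AE |repne scas byte ptr es:[edi] ;strlen(name) is recomputed every iteration
00401059|.F7D1 |not ecx
0040105B|.49 |dec ecx
0040105C|.3BD1 |cmp edx, ecx
0040105E|.^ 72 E9 \jb short 00401049 ;loop over every byte of the name
00401060|>81C5 64600000 add ebp, 6064 ;ebp = sum(name) + 0x6064
00401066|.55 push ebp ;ebp=62D5 for "chenji": 625 + 0x6064 = 25301
00401067|.68 34604000 push 00406034 ;%lu
0040106C|.68 306B4000 push 00406B30 ;ASCII "50009"  (scratch buffer; the text shown is its previous contents, not this run's result)
00401071|.E8 B6030000 call 0040142C ;sprintf-style formatter (listed below): 00406B30 = "25301"
00401076|.8A16 mov dl, byte ptr [esi] ;dl = name[0]
00401078|.8BFE mov edi, esi
0040107A|.83C9 FF or ecx, FFFFFFFF
0040107D|.33C0 xor eax, eax
0040107F|.8815 446B4000 mov byte ptr [406B44], dl ;expected[0] = name[0]
00401085|.C605 456B4000>mov byte ptr [406B45], 2D ;expected[1] = '-'
0040108C|.F2:AE repne scas byte ptr es:[edi]
0040108E|.F7D1 not ecx
00401090|.49 dec ecx ;ecx = strlen(name)
00401091|.0FBE4431 FF movsx eax, byte ptr [ecx+esi-1] ;eax = last byte of the NAME (not of the serial)
00401096|.50 push eax
00401097|.E8 C4020000 call 00401360 ;uppercase helper (listed below): 'a'..'z' -> 'A'..'Z', anything else unchanged
0040109C|.A2 466B4000 mov byte ptr [406B46], al ;expected[2] = upper(name[len-1])
004010A1|.BF 306B4000 mov edi, 00406B30 ;ASCII "50009"
004010A6|.83C9 FF or ecx, FFFFFFFF
004010A9|.33C0 xor eax, eax
004010AB|.F2:AE repne scas byte ptr es:[edi]
004010AD|.F7D1 not ecx ;ecx = strlen(00406B30) + 1 (the NUL is copied too)
004010AF|.2BF9 sub edi, ecx ;edi back to the start of 00406B30
004010B1|.81C5 64600000 add ebp, 6064 ;ebp = sum(name) + 2*0x6064 (second number, formatted further down)
004010B7|.8BF7 mov esi, edi ;esi = source = first decimal string
004010B9|.8BD1 mov edx, ecx
004010BB|.BF 446B4000 mov edi, 00406B44
004010C0|.83C9 FF or ecx, FFFFFFFF
004010C3|.F2:AE repne scas byte ptr es:[edi] ;find the end of expected
004010C5|.8BCA mov ecx, edx
004010C7|.4F dec edi ;edi -> terminating NUL of expected
004010C8|.C1E9 02 shr ecx, 2
004010CB|.F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
004010CD|.8BCA mov ecx, edx
004010CF|.55 push ebp ;argument for the second sprintf, pushed early
004010D0|.83E1 03 and ecx, 3
004010D3|.68 34604000 push 00406034 ;%lu
004010D8|.F3:A4 rep movs byte ptr es:[edi], byte ptr [esi] ;inline strcat(expected, "25301")
004010DA|.BF 30604000 mov edi, 00406030 ;-
004010DF|.83C9 FF or ecx, FFFFFFFF
004010E2|.F2:AE repne scas byte ptr es:[edi]
004010E4|.F7D1 not ecx
004010E6|.2BF9 sub edi, ecx
004010E8|.68 306B4000 push 00406B30 ;ASCII "50009"
004010ED|.8BF7 mov esi, edi
004010EF|.8BD1 mov edx, ecx
004010F1|.BF 446B4000 mov edi, 00406B44
004010F6|.83C9 FF or ecx, FFFFFFFF
004010F9|.F2:AE repne scas byte ptr es:[edi]
004010FB|.8BCA mov ecx, edx
004010FD|.4F dec edi
004010FE|.C1E9 02 shr ecx, 2
00401101|.F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00401103|.8BCA mov ecx, edx
00401105|.83E1 03 and ecx, 3
00401108|.F3:A4 rep movs byte ptr es:[edi], byte ptr [esi] ;inline strcat(expected, "-")
0040110A|.E8 1D030000 call 0040142C ;sprintf(00406B30, "%lu", sum + 2*0x6064) -> "49977"
0040110F|.BF 306B4000 mov edi, 00406B30 ;ASCII "50009"
00401114|.83C9 FF or ecx, FFFFFFFF
00401117|.33C0 xor eax, eax
00401119|.83C4 1C add esp, 1C ;removes both sprintf calls' 3 args each plus the uppercase helper's 1 arg (7 dwords)
0040111C|.F2:AE repne scas byte ptr es:[edi]
0040111E|.F7D1 not ecx
00401120|.2BF9 sub edi, ecx
00401122|.8BF7 mov esi, edi
00401124|.8BD1 mov edx, ecx
00401126|.BF 446B4000 mov edi, 00406B44
0040112B|.83C9 FF or ecx, FFFFFFFF
0040112E|.F2:AE repne scas byte ptr es:[edi]
00401130|.8BCA mov ecx, edx
00401132|.4F dec edi
00401133|.C1E9 02 shr ecx, 2
00401136|.F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00401138|.8BCA mov ecx, edx
0040113A|.8BC3 mov eax, ebx ;eax = user serial
0040113C|.83E1 03 and ecx, 3
0040113F|.F3:A4 rep movs byte ptr es:[edi], byte ptr [esi] ;inline strcat(expected, "49977") -> expected = "c-I25301-49977" for "chenji"
00401141|.BE 446B4000 mov esi, 00406B44 ;esi = expected serial
00401146|>8A10 /mov dl, byte ptr [eax] ;inline strcmp(user serial, expected), unrolled two bytes per iteration
00401148|.8A1E |mov bl, byte ptr [esi]
0040114A|.8ACA |mov cl, dl
0040114C|.3AD3 |cmp dl, bl
0040114E|.75 25 |jnz short 00401175 ;mismatch
00401150|.84C9 |test cl, cl
00401152|.74 16 |je short 0040116A ;both strings ended together: match
00401154|.8A50 01 |mov dl, byte ptr [eax+1]
00401157|.8A5E 01 |mov bl, byte ptr [esi+1]
0040115A|.8ACA |mov cl, dl
0040115C|.3AD3 |cmp dl, bl
0040115E|.75 15 |jnz short 00401175
00401160|.83C0 02 |add eax, 2
00401163|.83C6 02 |add esi, 2
00401166|.84C9 |test cl, cl
00401168|.^ 75 DC \jnz short 00401146
0040116A|>33C0 xor eax, eax ;strcmp result 0 ...
0040116C|.33D2 xor edx, edx
0040116E|.85C0 test eax, eax
00401170|.0F94C2 sete dl ;... so edx = 1: serial accepted
00401173|.EB 12 jmp short 00401187
00401175|>1BC0 sbb eax, eax ;strcmp result -1 / +1 ...
00401177|.83D8 FF sbb eax, -1
0040117A|.33D2 xor edx, edx
0040117C|.85C0 test eax, eax
0040117E|.0F94C2 sete dl ;... so edx = 0: serial rejected
00401181|.EB 04 jmp short 00401187
00401183|>8B5424 14 mov edx, dword ptr [esp+14] ;early-fail path: edx = arg1 (the name pointer); the caller accepts only eax == 1, so this still counts as failure
00401187|>B9 40000000 mov ecx, 40
0040118C|.33C0 xor eax, eax
0040118E|.BF 446B4000 mov edi, 00406B44
00401193|.F3:AB rep stos dword ptr es:[edi] ;wipe the 0x100-byte expected-serial buffer before returning
00401195|.5F pop edi
00401196|.5E pop esi
00401197|.5D pop ebp
00401198|.8BC2 mov eax, edx ;return 1 on match, 0 on mismatch (name pointer on an early fail)
0040119A|.5B pop ebx
0040119B\.C3 retn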
关键 call 的代码很长, 但大部分只是内联的 strlen / strcat / strcmp, 真正的算法只有: 把注册名各字节(带符号, movsx)求和, 加 0x6064 得到第一个数, 再加 0x6064 得到第二个数, 然后拼成 注册名首字符 + '-' + 大写的注册名末字符 + 十进制数1 + '-' + 十进制数2, 与输入的注册码做 strcmp.
00401071|.E8 B6030000 call 0040142C —— 这个 call 的分析如下 (它本身没有算法, 只是把数字按 "%lu" 格式化成十进制字符串):
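0040142C/$55 push ebp
0040142D|.8BEC mov ebp, esp
0040142F|.83EC 20 sub esp, 20 ;0x20-byte stream-like struct on the stack
00401432|.8B45 08 mov eax, dword ptr [ebp+8] ;arg1 = destination buffer (00406B30 from the caller)
00401435|.56 push esi
00401436|.8945 E8 mov dword ptr [ebp-18], eax ;struct: base pointer = buffer
00401439|.8945 E0 mov dword ptr [ebp-20], eax ;struct: current write pointer = buffer
0040143C|.8D45 10 lea eax, dword ptr [ebp+10] ;va_list: the variadic arguments after the format string
0040143F|.C745 EC 42000>mov dword ptr [ebp-14], 42 ;struct: flags = 0x42 (NOTE(review): this layout - pointer/count 7FFFFFFF/flag 0x42 - looks like the MSVC CRT sprintf wrapper; field names are inferred)
00401446|.50 push eax
00401447|.8D45 E0 lea eax, dword ptr [ebp-20]
0040144A|.FF75 0C push dword ptr [ebp+C] ;arg2 = format string ("%lu" from the caller)
0040144D|.C745 E4 FFFFF>mov dword ptr [ebp-1C], 7FFFFFFF ;struct: remaining count = "unlimited"
00401454|.50 push eax ;the stream struct; the value to format (49977 on the second call) is read through the va_list
00401455|.E8 3C050000 call 00401996 ;formatter core: does the actual number-to-decimal-text conversion
0040145A|.83C4 0C add esp, 0C
0040145D|.FF4D E4 dec dword ptr [ebp-1C]
00401460|.8BF0 mov esi, eax ;esi = formatter's return value (presumably the character count)
00401462|.78 08 js short 0040146C
00401464|.8B45 E0 mov eax, dword ptr [ebp-20]
00401467|.8020 00 and byte ptr [eax], 0 ;NUL-terminate the output
0040146A|.EB 0D jmp short 00401479 ;this is the path taken in the trace
0040146C|>8D45 E0 lea eax, dword ptr [ebp-20]
0040146F|.50 push eax
00401470|.6A 00 push 0
00401472|.E8 0A040000 call 00401881 ;count-exhausted path; not reached here
00401477|.59 pop ecx
00401478|.59 pop ecx
00401479|>8BC6 mov eax, esi
0040147B|.5E pop esi
0040147C|.C9 leave
0040147D\.C3 retn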
这里面还有个,更长,别被他吓住..简单分析下..
它就是一个 sprintf 风格的函数: 用 "%lu" 把上面由注册名算出的那个数格式化成十进制字符串, 写到 00406B30;
00401097|.E8 C4020000 call 00401360 ;这个 call 里没有什么算法, 见下面的分析
这个 call 的作用仅仅是把注册名 (不是注册码) 的最后一个字符转成大写: 只处理 'a'..'z', 其它字符原样返回...
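00401360/$55 push ebp
00401361|.8BEC mov ebp, esp
00401363|.51 push ecx
00401364|.833D 806C4000>cmp dword ptr [406C80], 0 ;global is 0 in this trace -> take the plain ASCII path below (NOTE(review): looks like the CRT toupper with its locale handle unset; unconfirmed)
0040136B|.53 push ebx
0040136C|.75 1D jnz short 0040138B
0040136E|.8B45 08 mov eax, dword ptr [ebp+8] ;arg1 = the character (last byte of the name, sign-extended by the caller)
00401371|.83F8 61 cmp eax, 61
00401374|.0F8C AF000000 jl 00401429 ;below 'a': return unchanged
0040137A|.83F8 7A cmp eax, 7A
0040137D|.0F8F A6000000 jg 00401429 ;above 'z': return unchanged
00401383|.83E8 20 sub eax, 20 ;'a'..'z' -> 'A'..'Z'
00401386|.E9 9E000000 jmp 00401429
0040138B|>8B5D 08 mov ebx, dword ptr [ebp+8] ;table/locale-driven path, NOT taken in this trace; kept for completeness
0040138E|.81FB 00010000 cmp ebx, 100
00401394|.7D 28 jge short 004013BE
00401396|.833D AC624000>cmp dword ptr [4062AC], 1
0040139D|.7E 0C jle short 004013AB
0040139F|.6A 02 push 2
004013A1|.53 push ebx
004013A2|.E8 65040000 call 0040180C
004013A7|.59 pop ecx
004013A8|.59 pop ecx
004013A9|.EB 0B jmp short 004013B6
004013AB|>A1 A0604000 mov eax, dword ptr [4060A0]
004013B0|.8A0458 mov al, byte ptr [eax+ebx*2] ;per-character classification table lookup
004013B3|.83E0 02 and eax, 2
004013B6|>85C0 test eax, eax
004013B8|.75 04 jnz short 004013BE
004013BA|>8BC3 mov eax, ebx ;not a lowercase letter per the table: return unchanged
004013BC|.EB 6B jmp short 00401429
004013BE|>8B15 A0604000 mov edx, dword ptr [4060A0] ;vcrkme01.004060AA
004013C4|.8BC3 mov eax, ebx
004013C6|.C1F8 08 sar eax, 8
004013C9|.0FB6C8 movzx ecx, al
004013CC|.F6444A 01 80 test byte ptr [edx+ecx*2+1], 80 ;lead-byte test for a two-byte character
004013D1|.74 0E je short 004013E1
004013D3|.8065 0A 00 and byte ptr [ebp+A], 0
004013D7|.8845 08 mov byte ptr [ebp+8], al
004013DA|.885D 09 mov byte ptr [ebp+9], bl
004013DD|.6A 02 push 2 ;two-byte character
004013DF|.EB 09 jmp short 004013EA
004013E1|>8065 09 00 and byte ptr [ebp+9], 0
004013E5|.885D 08 mov byte ptr [ebp+8], bl
004013E8|.6A 01 push 1 ;one-byte character
004013EA|>58 pop eax ;eax = input length
004013EB|.8D4D FC lea ecx, dword ptr [ebp-4] ;ecx = output buffer
004013EE|.6A 01 push 1
004013F0|.6A 00 push 0
004013F2|.6A 03 push 3
004013F4|.51 push ecx
004013F5|.50 push eax
004013F6|.8D45 08 lea eax, dword ptr [ebp+8]
004013F9|.50 push eax
004013FA|.68 00020000 push 200
004013FF|.FF35 806C4000 push dword ptr [406C80]
00401405|.E8 B3010000 call 004015BD ;string-mapping helper (8 args); result length in eax
0040140A|.83C4 20 add esp, 20
0040140D|.85C0 test eax, eax
0040140F|.^ 74 A9 je short 004013BA ;mapping failed: return unchanged
00401411|.83F8 01 cmp eax, 1
00401414|.75 06 jnz short 0040141C
00401416|.0FB645 FC movzx eax, byte ptr [ebp-4] ;one output byte
0040141A|.EB 0D jmp short 00401429
0040141C|>0FB645 FD movzx eax, byte ptr [ebp-3] ;two output bytes: hi << 8 | lo
00401420|.0FB64D FC movzx ecx, byte ptr [ebp-4]
00401424|.C1E0 08 shl eax, 8
00401427|.0BC1 or eax, ecx
00401429|>5B pop ebx
0040142A|.C9 leave
0040142B\.C3 retn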
然后我的注册机:
#include <iostream>
#include <sstream>
#include <string>
using namespace std;
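// Keygen for "Crackme - v0.01" (v0id2k1), derived from the check at 00401000.
// The target accepts a serial only if it is exactly
//
//   name[0] '-' upper(name[last]) DEC(sum + 0x6064) '-' DEC(sum + 2*0x6064)
//
// where sum is the 32-bit sum of the name's bytes taken as SIGNED chars
// (the target uses movsx), DEC() is "%lu" formatting (32-bit unsigned
// decimal) and upper() maps only 'a'..'z' to 'A'..'Z' (explicit 0x61..0x7A
// range check in the target, no locale involved).  The target also rejects
// any name shorter than 5 bytes before computing anything.
//
// The version originally posted had its square brackets stripped by the
// forum ("char s;" / "cout<<ss<<'-'" / "j+=int(s)"), so it no longer
// compiled into a working keygen; it also read the name into a fixed char
// array with operator>>, which overflows on long input.  This version reads
// into a std::string instead.

// Folds one byte into the checksum exactly like the target: sign-extend
// (movsx), then a 32-bit wrapping add.
unsigned long add_char(unsigned long sum, char c)
{
    long sc = static_cast<signed char>(c);  // bytes >= 0x80 become negative
    return (sum + static_cast<unsigned long>(sc)) & 0xFFFFFFFFul;
}

// Uppercases one byte the way the helper at 00401360 does on the path the
// target takes: only 'a'..'z' change, everything else is returned as is.
char upper_ascii(char c)
{
    return (c >= 'a' && c <= 'z') ? static_cast<char>(c - 0x20) : c;
}

// True when the target would get past its length check (cmp ecx,5 / jb at
// 00401026).  Shorter names have no valid serial at all.
bool name_is_valid(const std::string& name)
{
    return name.size() >= 5;
}

// Builds the serial for `name`.  Precondition: !name.empty() (use
// name_is_valid() first); an empty name has no first/last character.
std::string make_serial(const std::string& name)
{
    unsigned long sum = 0;
    for (std::string::size_type i = 0; i < name.size(); ++i)
        sum = add_char(sum, name[i]);

    std::ostringstream out;
    out << name[0] << '-' << upper_ascii(name[name.size() - 1]);

    sum = (sum + 0x6064ul) & 0xFFFFFFFFul;   // first number
    out << sum << '-';
    sum = (sum + 0x6064ul) & 0xFFFFFFFFul;   // second number: sum + 2*0x6064
    out << sum;
    return out.str();
}

// Reads the registration name from stdin (one line, so names containing
// spaces work the same way they do in the dialog, whose edit-control text is
// passed to the check verbatim) and prints the matching serial.
// Returns 1 without printing a serial if the name is empty or shorter than
// 5 bytes, because the target rejects those before any comparison.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    std::string name;
    if (!std::getline(std::cin, name))
        return 1;
    // Tolerate CRLF input: a stray '\r' would otherwise become the "last
    // character" and change both the checksum and the uppercase letter.
    if (!name.empty() && name[name.size() - 1] == '\r')
        name.erase(name.size() - 1);

    if (!name_is_valid(name)) {
        std::cerr << "name must be at least 5 characters; the crackme rejects shorter names" << std::endl;
        return 1;
    }

    std::cout << make_serial(name) << std::endl;
    return 0;
}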