|
|
发表于 2021-3-29 10:48:06
|
查看: 3201 |
回复: 0
在crackme和reserve me 的板块中..花几天时间跟踪一些牛人的crack.结果小菜我被crack,晕.但也发现自己的缺点..
就是对密码学的算法也不够熟悉..看来要学好破解,还要学很多东西,呵呵
这个没技术含量,老鸟就过吧...本人灌水的..
攻不下难的..
拿了个软柿子,就分析下..
1.确定关键的地方用GetDlgItemA,
错误没提示..
2.也可以通过找字符串,good job! crack..确定关键的算法位置
00401212 . /0F85 B6000000 jnz 004012CE
00401218 . |A1 28694000 mov eax, dword ptr [406928] ; Case 3EB of switch 00401208
0040121D . |8B35 C0504000 mov esi, dword ptr [<&USER32.GetDlgI>; USER32.GetDlgItemTextA
00401223 . |68 FF000000 push 0FF ; /Count = FF (255.)
00401228 . |68 30694000 push 00406930 ; |chenji
0040122D . |68 E8030000 push 3E8 ; |ControlID = 3E8 (1000.)
00401232 . |50 push eax ; |hWnd => 0002023E ('[v0!d] Crackme - v0.01',class='#32770')
00401233 . |FFD6 call esi ; \GetDlgItemTextA
00401235 . |8B0D 28694000 mov ecx, dword ptr [406928]
0040123B . |68 FF000000 push 0FF ; /Count = FF (255.)
00401240 . |68 306A4000 push 00406A30 ; |111111111
00401245 . |68 EA030000 push 3EA ; |ControlID = 3EA (1002.)
0040124A . |51 push ecx ; |hWnd => 0002023E ('[v0!d] Crackme - v0.01',class='#32770')
0040124B . |FFD6 call esi ; \GetDlgItemTextA
0040124D . |68 306A4000 push 00406A30 ; 111111111
00401252 . |68 30694000 push 00406930 ; chenji
00401257 |E8 A4FDFFFF call 00401000 ; 关键算法..
0040125C . |83C4 08 add esp, 8
0040125F . |83F8 01 cmp eax, 1
00401262 . |A3 646C4000 mov dword ptr [406C64], eax
00401267 . |75 65 jnz short 004012CE
00401269 . |8B15 28694000 mov edx, dword ptr [406928]
0040126F . |6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401271 . |68 80604000 push 00406080 ; |good job! - cracked!
00401276 . |68 50604000 push 00406050 ; |send your solution to : v0id2k1@hotmail.com
0040127B . |52 push edx ; |hOwner => 0002023E ('[v0!d] Crackme - v0.01',class='#32770')
0040127C . |FF15 C4504000 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA
00401282 . |B8 01000000 mov eax, 1
00401287 . |5E pop esi
00401288 . |C2 1000 retn 10
F7,算法:
刚进去看这些代码,还真以为是牛b的算法..结果..哎..
00401000 /$ 53 push ebx
00401001 |. 8B5C24 0C mov ebx, dword ptr [esp+C]
00401005 |. 55 push ebp
00401006 |. 56 push esi
00401007 |. 8B7424 10 mov esi, dword ptr [esp+10]
0040100B |. 8A0B mov cl, byte ptr [ebx] ; 伪码
0040100D |. 33ED xor ebp, ebp
0040100F |. 57 push edi
00401010 |. 8A06 mov al, byte ptr [esi] ; 注册名
00401012 |. 3AC1 cmp al, cl
00401014 0F85 69010000 jnz 00401183 ; 这是第一个比较
0040101A |. 8BFE mov edi, esi
0040101C |. 83C9 FF or ecx, FFFFFFFF
0040101F |. 33C0 xor eax, eax
00401021 |. F2:AE repne scas byte ptr es:[edi]
00401023 |. F7D1 not ecx
00401025 |. 49 dec ecx
00401026 |. 83F9 05 cmp ecx, 5 ; 注册名必须大于5
00401029 |. 0F82 54010000 jb 00401183
0040102F |. 807B 01 2D cmp byte ptr [ebx+1], 2D ; 注册码第二个,必须是'-'
00401033 0F85 4A010000 jnz 00401183
00401039 |. 8BFE mov edi, esi
0040103B |. 83C9 FF or ecx, FFFFFFFF
0040103E |. 33C0 xor eax, eax
00401040 |. 33D2 xor edx, edx
00401042 |. F2:AE repne scas byte ptr es:[edi]
00401044 |. F7D1 not ecx
00401046 |. 49 dec ecx
00401047 |. 74 17 je short 00401060
00401049 |> 0FBE0C32 /movsx ecx, byte ptr [edx+esi] ; 第一个传给ecx
0040104D |. 03E9 |add ebp, ecx
0040104F |. 8BFE |mov edi, esi
00401051 |. 83C9 FF |or ecx, FFFFFFFF
00401054 |. 33C0 |xor eax, eax
00401056 |. 42 |inc edx
00401057 |. F2:AE |repne scas byte ptr es:[edi]
00401059 |. F7D1 |not ecx
0040105B |. 49 |dec ecx
0040105C |. 3BD1 |cmp edx, ecx
0040105E |.^ 72 E9 \jb short 00401049 ; 计算注册码的值
00401060 |> 81C5 64600000 add ebp, 6064 ; 再加上0x6064
00401066 |. 55 push ebp ; ebp=62D5
00401067 |. 68 34604000 push 00406034 ; %lu
0040106C |. 68 306B4000 push 00406B30 ; ASCII "50009"
00401071 |. E8 B6030000 call 0040142C
00401076 |. 8A16 mov dl, byte ptr [esi]
00401078 |. 8BFE mov edi, esi
0040107A |. 83C9 FF or ecx, FFFFFFFF
0040107D |. 33C0 xor eax, eax
0040107F |. 8815 446B4000 mov byte ptr [406B44], dl
00401085 |. C605 456B4000>mov byte ptr [406B45], 2D
0040108C |. F2:AE repne scas byte ptr es:[edi]
0040108E |. F7D1 not ecx
00401090 |. 49 dec ecx
00401091 |. 0FBE4431 FF movsx eax, byte ptr [ecx+esi-1]
00401096 |. 50 push eax
00401097 |. E8 C4020000 call 00401360 ; 貌似这个没什么算法
0040109C |. A2 466B4000 mov byte ptr [406B46], al
004010A1 |. BF 306B4000 mov edi, 00406B30 ; ASCII "50009"
004010A6 |. 83C9 FF or ecx, FFFFFFFF
004010A9 |. 33C0 xor eax, eax
004010AB |. F2:AE repne scas byte ptr es:[edi]
004010AD |. F7D1 not ecx
004010AF |. 2BF9 sub edi, ecx
004010B1 |. 81C5 64600000 add ebp, 6064
004010B7 |. 8BF7 mov esi, edi
004010B9 |. 8BD1 mov edx, ecx
004010BB |. BF 446B4000 mov edi, 00406B44
004010C0 |. 83C9 FF or ecx, FFFFFFFF
004010C3 |. F2:AE repne scas byte ptr es:[edi]
004010C5 |. 8BCA mov ecx, edx
004010C7 |. 4F dec edi
004010C8 |. C1E9 02 shr ecx, 2
004010CB |. F3:A5 rep movs dword ptr es:[edi], dword p>
004010CD |. 8BCA mov ecx, edx
004010CF |. 55 push ebp
004010D0 |. 83E1 03 and ecx, 3
004010D3 |. 68 34604000 push 00406034 ; %lu
004010D8 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
004010DA |. BF 30604000 mov edi, 00406030 ; -
004010DF |. 83C9 FF or ecx, FFFFFFFF
004010E2 |. F2:AE repne scas byte ptr es:[edi]
004010E4 |. F7D1 not ecx
004010E6 |. 2BF9 sub edi, ecx
004010E8 |. 68 306B4000 push 00406B30 ; ASCII "50009"
004010ED |. 8BF7 mov esi, edi
004010EF |. 8BD1 mov edx, ecx
004010F1 |. BF 446B4000 mov edi, 00406B44
004010F6 |. 83C9 FF or ecx, FFFFFFFF
004010F9 |. F2:AE repne scas byte ptr es:[edi]
004010FB |. 8BCA mov ecx, edx
004010FD |. 4F dec edi
004010FE |. C1E9 02 shr ecx, 2
00401101 |. F3:A5 rep movs dword ptr es:[edi], dword p>
00401103 |. 8BCA mov ecx, edx
00401105 |. 83E1 03 and ecx, 3
00401108 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
0040110A |. E8 1D030000 call 0040142C
0040110F |. BF 306B4000 mov edi, 00406B30 ; ASCII "50009"
00401114 |. 83C9 FF or ecx, FFFFFFFF
00401117 |. 33C0 xor eax, eax
00401119 |. 83C4 1C add esp, 1C
0040111C |. F2:AE repne scas byte ptr es:[edi]
0040111E |. F7D1 not ecx
00401120 |. 2BF9 sub edi, ecx
00401122 |. 8BF7 mov esi, edi
00401124 |. 8BD1 mov edx, ecx
00401126 |. BF 446B4000 mov edi, 00406B44
0040112B |. 83C9 FF or ecx, FFFFFFFF
0040112E |. F2:AE repne scas byte ptr es:[edi]
00401130 |. 8BCA mov ecx, edx
00401132 |. 4F dec edi
00401133 |. C1E9 02 shr ecx, 2
00401136 |. F3:A5 rep movs dword ptr es:[edi], dword p>
00401138 |. 8BCA mov ecx, edx
0040113A |. 8BC3 mov eax, ebx
0040113C |. 83E1 03 and ecx, 3
0040113F |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
00401141 |. BE 446B4000 mov esi, 00406B44
00401146 |> 8A10 /mov dl, byte ptr [eax] ; 这里应该是注册码的比较
00401148 |. 8A1E |mov bl, byte ptr [esi]
0040114A |. 8ACA |mov cl, dl
0040114C |. 3AD3 |cmp dl, bl
0040114E |. 75 25 |jnz short 00401175
00401150 |. 84C9 |test cl, cl
00401152 |. 74 16 |je short 0040116A
00401154 |. 8A50 01 |mov dl, byte ptr [eax+1]
00401157 |. 8A5E 01 |mov bl, byte ptr [esi+1]
0040115A |. 8ACA |mov cl, dl
0040115C |. 3AD3 |cmp dl, bl
0040115E |. 75 15 |jnz short 00401175
00401160 |. 83C0 02 |add eax, 2
00401163 |. 83C6 02 |add esi, 2
00401166 |. 84C9 |test cl, cl
00401168 |.^ 75 DC \jnz short 00401146
0040116A |> 33C0 xor eax, eax
0040116C |. 33D2 xor edx, edx
0040116E |. 85C0 test eax, eax
00401170 |. 0F94C2 sete dl
00401173 |. EB 12 jmp short 00401187
00401175 |> 1BC0 sbb eax, eax
00401177 |. 83D8 FF sbb eax, -1
0040117A |. 33D2 xor edx, edx
0040117C |. 85C0 test eax, eax
0040117E |. 0F94C2 sete dl
00401181 |. EB 04 jmp short 00401187
00401183 |> 8B5424 14 mov edx, dword ptr [esp+14]
00401187 |> B9 40000000 mov ecx, 40
0040118C |. 33C0 xor eax, eax
0040118E |. BF 446B4000 mov edi, 00406B44
00401193 |. F3:AB rep stos dword ptr es:[edi]
00401195 |. 5F pop edi
00401196 |. 5E pop esi
00401197 |. 5D pop ebp
00401198 |. 8BC2 mov eax, edx
0040119A |. 5B pop ebx
0040119B \. C3 retn
关键call的算法..代码很长就..但全都是乱七八糟的无用代码
00401071 |. E8 B6030000 call 0040142C 这个算法,分析..代
0040142C /$ 55 push ebp
0040142D |. 8BEC mov ebp, esp
0040142F |. 83EC 20 sub esp, 20
00401432 |. 8B45 08 mov eax, dword ptr [ebp+8]
00401435 |. 56 push esi
00401436 |. 8945 E8 mov dword ptr [ebp-18], eax
00401439 |. 8945 E0 mov dword ptr [ebp-20], eax
0040143C |. 8D45 10 lea eax, dword ptr [ebp+10]
0040143F |. C745 EC 42000>mov dword ptr [ebp-14], 42 ; 初始42给12FAE8
00401446 |. 50 push eax
00401447 |. 8D45 E0 lea eax, dword ptr [ebp-20]
0040144A |. FF75 0C push dword ptr [ebp+C]
0040144D |. C745 E4 FFFFF>mov dword ptr [ebp-1C], 7FFFFFFF
00401454 |. 50 push eax ; 这里放进了,49977,不知道干什么
00401455 |. E8 3C050000 call 00401996 ; 这个算法比较大
0040145A |. 83C4 0C add esp, 0C
0040145D |. FF4D E4 dec dword ptr [ebp-1C]
00401460 |. 8BF0 mov esi, eax
00401462 |. 78 08 js short 0040146C
00401464 |. 8B45 E0 mov eax, dword ptr [ebp-20]
00401467 |. 8020 00 and byte ptr [eax], 0
0040146A |. EB 0D jmp short 00401479 ; 这里是跳过的哦
0040146C |> 8D45 E0 lea eax, dword ptr [ebp-20]
0040146F |. 50 push eax
00401470 |. 6A 00 push 0
00401472 |. E8 0A040000 call 00401881
00401477 |. 59 pop ecx
00401478 |. 59 pop ecx
00401479 |> 8BC6 mov eax, esi
0040147B |. 5E pop esi
0040147C |. C9 leave
0040147D \. C3 retn
这里面还有个,更长,别被他吓住..简单分析下..
就是上面通过注册名的得到的那个数的16进制转化为10进制;
00401097 |. E8 C4020000 call 00401360 ; 貌似这个没什么算法
这个call的作用仅仅是注册码的最后一个字符,如果是小写变成大写...
00401360 /$ 55 push ebp
00401361 |. 8BEC mov ebp, esp
00401363 |. 51 push ecx
00401364 |. 833D 806C4000>cmp dword ptr [406C80], 0
0040136B |. 53 push ebx
0040136C |. 75 1D jnz short 0040138B
0040136E |. 8B45 08 mov eax, dword ptr [ebp+8]
00401371 |. 83F8 61 cmp eax, 61
00401374 |. 0F8C AF000000 jl 00401429
0040137A |. 83F8 7A cmp eax, 7A
0040137D |. 0F8F A6000000 jg 00401429
00401383 |. 83E8 20 sub eax, 20
00401386 |. E9 9E000000 jmp 00401429
0040138B |> 8B5D 08 mov ebx, dword ptr [ebp+8]
0040138E |. 81FB 00010000 cmp ebx, 100
00401394 |. 7D 28 jge short 004013BE
00401396 |. 833D AC624000>cmp dword ptr [4062AC], 1
0040139D |. 7E 0C jle short 004013AB
0040139F |. 6A 02 push 2
004013A1 |. 53 push ebx
004013A2 |. E8 65040000 call 0040180C
004013A7 |. 59 pop ecx
004013A8 |. 59 pop ecx
004013A9 |. EB 0B jmp short 004013B6
004013AB |> A1 A0604000 mov eax, dword ptr [4060A0]
004013B0 |. 8A0458 mov al, byte ptr [eax+ebx*2]
004013B3 |. 83E0 02 and eax, 2
004013B6 |> 85C0 test eax, eax
004013B8 |. 75 04 jnz short 004013BE
004013BA |> 8BC3 mov eax, ebx
004013BC |. EB 6B jmp short 00401429
004013BE |> 8B15 A0604000 mov edx, dword ptr [4060A0] ; vcrkme01.004060AA
004013C4 |. 8BC3 mov eax, ebx
004013C6 |. C1F8 08 sar eax, 8
004013C9 |. 0FB6C8 movzx ecx, al
004013CC |. F6444A 01 80 test byte ptr [edx+ecx*2+1], 80
004013D1 |. 74 0E je short 004013E1
004013D3 |. 8065 0A 00 and byte ptr [ebp+A], 0
004013D7 |. 8845 08 mov byte ptr [ebp+8], al
004013DA |. 885D 09 mov byte ptr [ebp+9], bl
004013DD |. 6A 02 push 2
004013DF |. EB 09 jmp short 004013EA
004013E1 |> 8065 09 00 and byte ptr [ebp+9], 0
004013E5 |. 885D 08 mov byte ptr [ebp+8], bl
004013E8 |. 6A 01 push 1
004013EA |> 58 pop eax
004013EB |. 8D4D FC lea ecx, dword ptr [ebp-4]
004013EE |. 6A 01 push 1
004013F0 |. 6A 00 push 0
004013F2 |. 6A 03 push 3
004013F4 |. 51 push ecx
004013F5 |. 50 push eax
004013F6 |. 8D45 08 lea eax, dword ptr [ebp+8]
004013F9 |. 50 push eax
004013FA |. 68 00020000 push 200
004013FF |. FF35 806C4000 push dword ptr [406C80]
00401405 |. E8 B3010000 call 004015BD
0040140A |. 83C4 20 add esp, 20
0040140D |. 85C0 test eax, eax
0040140F |.^ 74 A9 je short 004013BA
00401411 |. 83F8 01 cmp eax, 1
00401414 |. 75 06 jnz short 0040141C
00401416 |. 0FB645 FC movzx eax, byte ptr [ebp-4]
0040141A |. EB 0D jmp short 00401429
0040141C |> 0FB645 FD movzx eax, byte ptr [ebp-3]
00401420 |. 0FB64D FC movzx ecx, byte ptr [ebp-4]
00401424 |. C1E0 08 shl eax, 8
00401427 |. 0BC1 or eax, ecx
00401429 |> 5B pop ebx
0040142A |. C9 leave
0040142B \. C3 retn
然后我的注册机:
#include <iostream>
#include <string>
using namespace std;
int main(int argc,char*argv[])
{
string ss;
char s[100];
cin>>s;
ss=s;
unsigned int j=0;
cout<<ss[0]<<'-';
for(int i=0;i<ss.length();i++)
{
j+=int(s[i]);
if(i==ss.length()-1)
if(s[i]>='a'&&s[i]<='z')
cout<<char(s[i]-0x20);
else
cout<<char(s[i]);
}
j+=0x6064;
cout<<j<<'-';
j+=0x6064;
cout<<j<<endl;
return 0;
}
|
温馨提示:
1.如果您喜欢这篇帖子,请给作者点赞评分,点赞会增加帖子的热度,评分会给作者加学币。(评分不会扣掉您的积分,系统每天都会重置您的评分额度)。
2.回复帖子不仅是对作者的认可,还可以获得学币奖励,请尊重他人的劳动成果,拒绝做伸手党!
3.发广告、灌水回复等违规行为一经发现直接禁言,如果本帖内容涉嫌违规,请点击论坛底部的举报反馈按钮,也可以在【 投诉建议】板块发帖举报。
|
窥视卡
雷达卡
提升卡
置顶卡
关闭卡
开启卡
变色卡
千斤顶
照妖镜