[Original] Algorithm analysis of the "Ultimate Newbie" crackme + keygen

Posted on: 2009-11-7 12:16
【Title】Algorithm analysis of the "Ultimate Newbie" crackme
【Author】patapon
【Tools】PEiD, OllyDbg
【Platform】Windows XP
【Original download】http://bbs.pediy.com/showthread.php?t=93021
【Statement】Done purely out of interest, with no other purpose. If I have made mistakes, I welcome corrections from the experts!
------------------------------------------------------------------------
【Process】First check the packer with PEiD: it reports Borland Delphi 6.0 - 7.0. Load the file in OD and set a breakpoint at 4808DC. Press F9 to run, enter name: pediy, code: 123456. Click register; the cm breaks on the breakpoint. Single-step down with F8 and analyse:
004808DC /. 55 push ebp
004808DD |. 8BEC mov ebp, esp
004808DF |. B9 0A000000 mov ecx, 0A
004808E4 |> 6A 00 /push 0
004808E6 |. 6A 00 |push 0
004808E8 |. 49 |dec ecx
004808E9 |.^ 75 F9 \jnz short 004808E4
004808EB |. 51 push ecx
004808EC |. 53 push ebx
004808ED |. 56 push esi
004808EE |. 8BD8 mov ebx, eax
004808F0 |. 33C0 xor eax, eax
004808F2 |. 55 push ebp
004808F3 |. 68 340B4800 push 00480B34
004808F8 |. 64:FF30 push dword ptr fs:[eax]
004808FB |. 64:8920 mov dword ptr fs:[eax], esp
004808FE |. 8D55 FC lea edx, dword ptr [ebp-4]
00480901 |. 8B83 00030000 mov eax, dword ptr [ebx+300]
00480907 |. E8 684DFBFF call 00435674 ; get name length
0048090C |. 8D55 F8 lea edx, dword ptr [ebp-8]
0048090F |. 8B83 04030000 mov eax, dword ptr [ebx+304]
00480915 |. E8 5A4DFBFF call 00435674 ; get code length
0048091A |. 8D45 F0 lea eax, dword ptr [ebp-10]
0048091D |. 50 push eax
0048091E |. 8D55 EC lea edx, dword ptr [ebp-14]
00480921 |. A1 F43C4800 mov eax, dword ptr [483CF4] ; [483CF4]=0xA42100
00480926 |. E8 494DFBFF call 00435674
0048092B |. 8B45 EC mov eax, dword ptr [ebp-14]
0048092E |. B9 01000000 mov ecx, 1
00480933 |. BA 1C000000 mov edx, 1C
00480938 |. E8 4B3EF8FF call 00404788
0048093D |. 8B45 F0 mov eax, dword ptr [ebp-10]
00480940 |. 50 push eax
00480941 |. 8D45 E8 lea eax, dword ptr [ebp-18]
00480944 |. 50 push eax
00480945 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
00480948 |. A1 F43C4800 mov eax, dword ptr [483CF4]
0048094D |. E8 224DFBFF call 00435674
00480952 |. 8B45 E4 mov eax, dword ptr [ebp-1C]
00480955 |. B9 0C000000 mov ecx, 0C
0048095A |. BA 02000000 mov edx, 2
0048095F |. E8 243EF8FF call 00404788
00480964 |. 8B55 E8 mov edx, dword ptr [ebp-18]
00480967 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0048096A |. 59 pop ecx
0048096B |. E8 043CF8FF call 00404574
00480970 |. 837D FC 00 cmp dword ptr [ebp-4], 0 ; was a name entered?
00480974 |. 0F84 70010000 je 00480AEA
0048097A |. 837D F8 00 cmp dword ptr [ebp-8], 0 ; was a code entered?
0048097E |. 0F84 66010000 je 00480AEA
00480984 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00480987 |. E8 C0FAFFFF call 0048044C ; get the computer name
0048098C |. 8B45 E0 mov eax, dword ptr [ebp-20]
0048098F |. E8 38FDFFFF call 004806CC ; step in
After stepping into the CALL at 48098F, the analysis is as follows:
004806CC /$ 55 push ebp
004806CD |. 8BEC mov ebp, esp
004806CF |. 33C9 xor ecx, ecx
004806D1 |. 51 push ecx
004806D2 |. 51 push ecx
004806D3 |. 51 push ecx
004806D4 |. 51 push ecx
004806D5 |. 53 push ebx
004806D6 |. 8945 FC mov dword ptr [ebp-4], eax
004806D9 |. 8B45 FC mov eax, dword ptr [ebp-4]
004806DC |. E8 3740F8FF call 00404718
004806E1 |. 33C0 xor eax, eax
004806E3 |. 55 push ebp
004806E4 |. 68 58074800 push 00480758
004806E9 |. 64:FF30 push dword ptr fs:[eax]
004806EC |. 64:8920 mov dword ptr fs:[eax], esp
004806EF |. 8D45 F8 lea eax, dword ptr [ebp-8]
004806F2 |. E8 713BF8FF call 00404268
004806F7 |. 8D45 F4 lea eax, dword ptr [ebp-C]
004806FA |. 50 push eax
004806FB |. B9 03000000 mov ecx, 3
00480700 |. BA 01000000 mov edx, 1
00480705 |. 8B45 FC mov eax, dword ptr [ebp-4]
00480708 |. E8 7B40F8FF call 00404788
0048070D |. BB 01000000 mov ebx, 1
00480712 |> 8D55 F0 /lea edx, dword ptr [ebp-10]
00480715 |. 8B45 FC |mov eax, dword ptr [ebp-4]
00480718 |. 0FB64418 FF |movzx eax, byte ptr [eax+ebx-1]
0048071D |. E8 CE7DF8FF |call 004084F0 ; ASCII values of the first 3 characters of the computer name, converted to decimal
00480722 |. 8B55 F0 |mov edx, dword ptr [ebp-10]
00480725 |. 8D45 F8 |lea eax, dword ptr [ebp-8]
00480728 |. E8 033EF8FF |call 00404530 ; concatenate
0048072D |. 43 |inc ebx
0048072E |. 83FB 04 |cmp ebx, 4
00480731 |.^ 75 DF \jnz short 00480712
00480733 |. 8B45 F8 mov eax, dword ptr [ebp-8]
00480736 |. E8 F17EF8FF call 0040862C
0048073B |. 8BD8 mov ebx, eax
0048073D |. 33C0 xor eax, eax
0048073F |. 5A pop edx
00480740 |. 59 pop ecx
00480741 |. 59 pop ecx
00480742 |. 64:8910 mov dword ptr fs:[eax], edx
00480745 |. 68 5F074800 push 0048075F
0048074A |> 8D45 F0 lea eax, dword ptr [ebp-10]
0048074D |. BA 04000000 mov edx, 4
00480752 |. E8 353BF8FF call 0040428C
00480757 \. C3 retn
00480758 .^ E9 E734F8FF jmp 00403C44
0048075D .^ EB EB jmp short 0048074A
0048075F . 8BC3 mov eax, ebx
00480761 . 5B pop ebx
00480762 . 8BE5 mov esp, ebp
00480764 . 5D pop ebp
00480765 . C3 retn
00480994 |. 8BF0 mov esi, eax
00480996 |. 8B45 FC mov eax, dword ptr [ebp-4]
00480999 |. E8 F6FBFFFF call 00480594 ; step in
After stepping into the CALL at 480999, the analysis is as follows:
00480594 /$ 55 push ebp
00480595 |. 8BEC mov ebp, esp
00480597 |. 51 push ecx
00480598 |. 53 push ebx
00480599 |. 8945 FC mov dword ptr [ebp-4], eax
0048059C |. 8B45 FC mov eax, dword ptr [ebp-4]
0048059F |. E8 7441F8FF call 00404718
004805A4 |. 33C0 xor eax, eax
004805A6 |. 55 push ebp
004805A7 |. 68 E9054800 push 004805E9
004805AC |. 64:FF30 push dword ptr fs:[eax]
004805AF |. 64:8920 mov dword ptr fs:[eax], esp
004805B2 |. 33DB xor ebx, ebx
004805B4 |. 8B45 FC mov eax, dword ptr [ebp-4]
004805B7 |. E8 6C3FF8FF call 00404528
004805BC |. 85C0 test eax, eax
004805BE |. 7E 13 jle short 004805D3
004805C0 |. BA 01000000 mov edx, 1
004805C5 |> 8B4D FC /mov ecx, dword ptr [ebp-4] ; sum the ASCII values of each character of name
004805C8 |. 0FB64C11 FF |movzx ecx, byte ptr [ecx+edx-1]
004805CD |. 03D9 |add ebx, ecx
004805CF |. 42 |inc edx
004805D0 |. 48 |dec eax
004805D1 |.^ 75 F2 \jnz short 004805C5
004805D3 |> 33C0 xor eax, eax
004805D5 |. 5A pop edx
004805D6 |. 59 pop ecx
004805D7 |. 59 pop ecx
004805D8 |. 64:8910 mov dword ptr fs:[eax], edx
004805DB |. 68 F0054800 push 004805F0
004805E0 |> 8D45 FC lea eax, dword ptr [ebp-4]
004805E3 |. E8 803CF8FF call 00404268
004805E8 \. C3 retn
004805E9 .^ E9 5636F8FF jmp 00403C44
004805EE .^ EB F0 jmp short 004805E0
004805F0 . 8BC3 mov eax, ebx
004805F2 . 5B pop ebx
004805F3 . 59 pop ecx
004805F4 . 5D pop ebp
004805F5 . C3 retn
0048099E |. 03C6 add eax, esi ; add the two; the sum in decimal is the true code
004809A0 |. 8BF0 mov esi, eax
004809A2 |. 8D55 DC lea edx, dword ptr [ebp-24]
004809A5 |. 8BC6 mov eax, esi
004809A7 |. E8 447BF8FF call 004084F0
004809AC |. 8B45 DC mov eax, dword ptr [ebp-24] ; eax now holds the true code
004809AF |. E8 E0FBFFFF call 00480594
004809B4 |. 8BF0 mov esi, eax
004809B6 |. 8B45 F8 mov eax, dword ptr [ebp-8]
004809B9 |. E8 D6FBFFFF call 00480594 ; comparison call
004809BE |. 3BF0 cmp esi, eax
004809C0 0F85 04010000 jnz 00480ACA ; the key jump; can be patched
Having analysed this far, let's summarise the algorithm of this cm:
1. Take the computer name and concatenate the ASCII values of its first three characters into one integer.
2. Sum the ASCII values of each character of name.
3. Add the two numbers above; that is the true code of this cm.
4. After successful registration the cm stores your registration info in the registry under \SOFTWARE\Microsoft\Windows\CurrentVersion\Stephen; if you want to play it again, just delete the corresponding key.
Finally, here is the source of the keygen I wrote in Python:
import win32api  # pywin32; this is Python 2 code (print statement, raw_input)

regname = raw_input("Please input your name:")
sum = 0
pcname = win32api.GetComputerName()
tempstring = ''
# concatenate the ASCII values of the first three characters of the computer name
for i in range(0, 3):
    temp = ord(pcname[i])
    tempstring = tempstring + str(temp)
# sum the ASCII values of every character of the name
for k in range(0, len(regname)):
    sum = sum + ord(regname[k])
regcode = sum + int(tempstring)
print "Your registration code is:", regcode
print "Press Enter key to exit..."
raw_input()
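Added here as a Python 3 re-implementation that is not part of the original post: it derives the code exactly as the four-step summary above describes and also mirrors the final check as read from the listing (004809AF-004809BE), where both the generated code string and the entered code pass through 00480594 before the compare. The function names and the COMPUTERNAME/hostname stand-in for GetComputerName are my own assumptions.

```python
import os
import socket

# Added example, not the original keygen: the crackme's derivation and its
# final check, re-implemented from the listing above. Names are my own.

def machine_part(computer_name: str) -> int:
    """Loop at 00480712: ASCII value of each of the first three characters,
    converted to decimal text, concatenated, then StrToInt (call 0040862C)."""
    if len(computer_name) < 3:
        raise ValueError("computer name shorter than 3 characters")
    digits = "".join(str(ord(ch)) for ch in computer_name[:3])
    return int(digits)

def ascii_sum(s: str) -> int:
    """Routine 00480594: sum of the ASCII values of every character."""
    return sum(ord(ch) for ch in s)

def true_code(computer_name: str, reg_name: str) -> int:
    """0048099E: machine part + name part; the decimal text of the sum is the code."""
    return machine_part(computer_name) + ascii_sum(reg_name)

def crackme_accepts(computer_name: str, reg_name: str, entered_code: str) -> bool:
    """Mirror of 004809AF-004809BE: the generated code string and the entered
    code both go through 00480594, and only the two sums are compared. The
    check is therefore weaker than string equality: any code whose characters
    have the same ASCII sum passes (e.g. the same digits in another order)."""
    if not reg_name or not entered_code:  # 00480970 / 0048097A: empty fields fail
        return False
    generated = str(true_code(computer_name, reg_name))
    return ascii_sum(generated) == ascii_sum(entered_code)

def current_computer_name() -> str:
    """Stand-in for win32api.GetComputerName(); assumption: COMPUTERNAME holds
    the same value on Windows, hostname is only a fallback so the script runs."""
    return os.environ.get("COMPUTERNAME") or socket.gethostname()

if __name__ == "__main__":
    name = input("Please input your name: ")
    print("Your registration code is:", true_code(current_computer_name(), name))
```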
------------------------------------------------------------------------
【Summary】I hope an admin or moderator who sees this can give me an invitation code; many thanks in advance - -|||||||
------------------------------------------------------------------------
【Copyright】This article was originally posted on the Pediy (看雪) forum; when reposting, please credit the author and keep the article intact. Thank you!