k4n3.exe 一个练习的crackme
本人也是菜鸟一个,看了别人的后,手也有点痒,拿它搞了一下算法。我操,去了我一个晚上时间!现把过程copy下来与菜鸟分享。不详细的地方可别怪我呀:)
004011E4 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]
004011E7 |. 8D55 94 lea edx,dword ptr ss:[ebp-6C]
004011EA |. 6A 13 push 13 ; /Count = 13 (19.)
004011EC |. 52 push edx ; |Buffer
004011ED |. 68 E9030000 push 3E9 ; |ControlID = 3E9 (1001.)
004011F2 |. 50 push eax ; |hWnd
004011F3 |. FFD7 call edi ; \GetDlgItemTextA
004011F5 |. 6BC0 03 imul eax,eax,3 ; 输入码位数*3给eax
004011F8 |. C1E0 02 shl eax,2 ; eax中的数*4
004011FB |. 05 CD000000 add eax,0CD ; 再加上0CD
00401200 |. 8945 FC mov dword ptr ss:[ebp-4],eax
00401203 |. 817D FC A5010000 cmp dword ptr ss:[ebp-4],1A5 ; 与1A5比较,不等则完蛋
0040120A |. 0F85 BC000000 jnz k4n3.004012CC ; 反推得输入码必须有18位
00401210 |. 33C0 xor eax,eax
00401212 |. 8A45 94 mov al,byte ptr ss:[ebp-6C] ; 第一个输入码给al
00401215 |. 84C0 test al,al
00401217 |. 74 13 je short k4n3.0040122C
00401219 |. 8D4D 94 lea ecx,dword ptr ss:[ebp-6C] ; 输入码地址给ecx(12fa10)
0040121C |> 3C 30 /cmp al,30
0040121E |. 0F82 C6000000 |jb k4n3.004012EA ; 各字符>=30
00401224 |. 8A41 01 |mov al,byte ptr ds:[ecx+1]
00401227 |. 41 |inc ecx
00401228 |. 84C0 |test al,al
0040122A |.^ 75 F0 \jnz short k4n3.0040121C
0040122C |> E8 CFFDFFFF call k4n3.00401000 ; 各寄清0
00401231 |. 8D85 2CFFFFFF lea eax,dword ptr ss:[ebp-D4] ; name地址给eax(12f9a8)
00401237 |. 50 push eax
00401238 |. E8 43FEFFFF call k4n3.00401080 ; 由name产生一串数A。进入 (3)
0040123D |. 8945 FC mov dword ptr ss:[ebp-4],eax
00401240 |. E8 BBFDFFFF call k4n3.00401000
00401245 |. 8D8D 2CFFFFFF lea ecx,dword ptr ss:[ebp-D4]
0040124B |. 56 push esi
0040124C |. 51 push ecx
0040124D |. E8 BEFDFFFF call k4n3.00401010 ; NAME字符长度为1-64
00401252 |. 83C4 0C add esp,0C
00401255 |. 33C9 xor ecx,ecx
00401257 |> 8B45 FC /mov eax,dword ptr ss:[ebp-4] ; 第一次ebp-4的值为数A,此循环由数A生成串1
0040125A |. 33D2 |xor edx,edx ; edx清0
0040125C |. BE 1A000000 |mov esi,1A
00401261 |. F7F6 |div esi ; eax/1a
00401263 |. 8A9415 10FFFFFF |mov dl,byte ptr ss:[ebp+edx-F0] ; 查表,把A-Z中的一个给ebp+ecx-38
0040126A |. 88540D C8 |mov byte ptr ss:[ebp+ecx-38],dl ;生成串1
0040126E |. 8B45 FC |mov eax,dword ptr ss:[ebp-4] ;ebp-4 ---->eax
00401271 |. C1E0 03 |shl eax,3 ;eax逻辑左移3位
00401274 |. BA 45230100 |mov edx,12345 ;12345 --->edx
00401279 |. F7E8 |imul eax
0040127B |. 03C2 |add eax,edx ;eax <----eax+edx
0040127D |. 8945 FC |mov dword ptr ss:[ebp-4],eax ;eax --->ebp-4
00401280 |. 41 |inc ecx
00401281 |. 83F9 12 |cmp ecx,12
00401284 |.^ 72 D1 \jb short k4n3.00401257 ; 循环18次
00401286 |. E8 75FDFFFF call k4n3.00401000
0040128B |. 33C0 xor eax,eax
0040128D |> 8A4C05 94 /mov cl,byte ptr ss:[ebp+eax-6C] ; 把输入码依次给dl
00401291 |. 8A5405 C8 |mov dl,byte ptr ss:[ebp+eax-38] ;串1依次给dl
00401295 |. 80E9 30 |sub cl,30
00401298 |. 32D1 |xor dl,cl
0040129A |. 885405 C8 |mov byte ptr ss:[ebp+eax-38],dl
0040129E |. 40 |inc eax
0040129F |. 83F8 12 |cmp eax,12
004012A2 |.^ 72 E9 \jb short k4n3.0040128D
004012A4 |. E8 57FDFFFF call k4n3.00401000
004012A9 |. 8D55 C8 lea edx,dword ptr ss:[ebp-38]
004012AC |. 52 push edx
004012AD |. E8 5EFEFFFF call k4n3.00401110 产生串3。 进入(见1)
004012B2 |. E8 49FDFFFF call k4n3.00401000 各寄清0
004012B7 |. 8D45 C8 lea eax,dword ptr ss:[ebp-38]
004012BA |. 68 14514000 push k4n3.00405114 ; ASCII "KEYGENNING4NEWBIES"-->标为串B
004012BF |. 50 push eax
004012C0 |. E8 6BFEFFFF call k4n3.00401130 字符串比较。 进入(见2)
004012C5 |. 83C4 0C add esp,0C
004012C8 |. 85C0 test eax,eax
004012CA |. 75 3C jnz short k4n3.00401308
004012CC |> 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
004012CF |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004012D1 |. 68 0C514000 push k4n3.0040510C ; |Title = "Error"
004012D6 |. 68 FC504000 push k4n3.004050FC ; |Text = "Bad Serial :o("
004012DB |. 51 push ecx ; |hOwner
004012DC |. FF15 AC404000 call dword ptr ds:[<&USER32.Messag>; \MessageBoxA
004012E2 |. 5F pop edi
004012E3 |. 33C0 xor eax,eax
004012E5 |. 5E pop esi
004012E6 |. 8BE5 mov esp,ebp
004012E8 |. 5D pop ebp
004012E9 |. C3 retn
004012EA |> 8B55 08 mov edx,dword ptr ss:[ebp+8]
004012ED |. 6A 10 push 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004012EF |. 68 0C514000 push k4n3.0040510C ; |Title = "Error"
004012F4 |. 68 FC504000 push k4n3.004050FC ; |Text = "Bad Serial :o("
004012F9 |. 52 push edx ; |hOwner
004012FA |. FF15 AC404000 call dword ptr ds:[<&USER32.Messag>; \MessageBoxA
00401300 |. 5F pop edi
00401301 |. 33C0 xor eax,eax
00401303 |. 5E pop esi
00401304 |. 8BE5 mov esp,ebp
00401306 |. 5D pop ebp
00401307 |. C3 retn
00401308 |> 8B55 08 mov edx,dword ptr ss:[ebp+8]
0040130B |. 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0040130D |. 68 F4504000 push k4n3.004050F4 ; |Title = "Great !"
00401312 |. 68 B0504000 push k4n3.004050B0 ; |Text = "Wow you did it... Now write a valid keygen with NO ASM RIPPING :X"
00401317 |. 52 push edx ; |hOwner
00401318 |. FF15 AC404000 call dword ptr ds:[<&USER32.Messag>; \MessageBoxA
0040131E |. 5F pop edi
0040131F |. 33C0 xor eax,eax
00401321 |. 5E pop esi
00401322 |. 8BE5 mov esp,ebp
00401324 |. 5D pop ebp
00401325 |. C3 retn
(1)
;-----------------------------------------------------------------------
; sub_401110(char *buf)  -- called from the main check at 004012AD
; In:    [esp+4] = buf, an 18-byte working buffer (the caller's ebp-38)
; Out:   buf[i] ^= i for i = 0..17, modified in place; eax ends at 0x12
; Clobb: eax, ecx, edx, flags
; Stack: the argument is cleaned by the caller (add esp,0C at 004012C5)
; Note:  the length 0x12 is hard-coded; nothing checks the size of buf.
;-----------------------------------------------------------------------
00401110 /$ 8B4C24 04 mov ecx,dword ptr ss:[esp+4] ; ecx = buf (what the author calls "string 2")
00401114 |. 33C0 xor eax,eax ; eax = i = 0
00401116 |> 8A1408 /mov dl,byte ptr ds:[eax+ecx] ; dl = buf[i]
00401119 |. 32D0 |xor dl,al ; dl ^= i (low byte of the loop counter)
0040111B |. 881408 |mov byte ptr ds:[eax+ecx],dl ; buf[i] = dl, written back in place
0040111E |. 40 |inc eax
0040111F |. 83F8 12 |cmp eax,12 ; 0x12 = 18 bytes, fixed
00401122 |.^ 72 F2 \jb short k4n3.00401116 ; result is what the author calls "string 3"
00401124 \. C3 retn
(2) call 401130
;-----------------------------------------------------------------------
; sub_401130(const char *got, const char *want)  -- called at 004012C0
; In:    [esp+4] = got  (the derived 18-byte buffer, caller's ebp-38)
;        [esp+8] = want (k4n3.00405114 = "KEYGENNING4NEWBIES", see 004012BA)
; Out:   eax = 1 if the first 18 bytes are equal, 0 on the first mismatch
; Clobb: ecx, edx, flags; ebx and esi are saved/restored
; Stack: arguments cleaned by the caller (add esp,0C at 004012C5)
; Note:  fixed 0x12-byte compare with no terminator check, and it returns
;        on the first differing byte. The caller's verdict (test eax,eax at
;        004012C8) rests entirely on this single 0/1 result.
;-----------------------------------------------------------------------
00401130 /$ 8B4424 08 mov eax,dword ptr ss:[esp+8] ; eax = want (k4n3.00405114)
00401134 |. 53 push ebx
00401135 |. 56 push esi
00401136 |. 8B7424 0C mov esi,dword ptr ss:[esp+C] ; esi = got ([esp+4] before the two pushes)
0040113A |. 33C9 xor ecx,ecx ; ecx = i = 0
0040113C |. 2BF0 sub esi,eax ; esi = got - want, so [esi+eax] walks got while eax walks want
0040113E |> 8A1406 /mov dl,byte ptr ds:[esi+eax] ; dl = got[i]
00401141 |. 8A18 |mov bl,byte ptr ds:[eax] ; bl = want[i]
00401143 |. 3AD3 |cmp dl,bl
00401145 |. 75 0F |jnz short k4n3.00401156 ; any mismatch -> return 0 (author's patch point B: jz short k4n3.00401156)
00401147 |. 41 |inc ecx
00401148 |. 40 |inc eax
00401149 |. 83F9 12 |cmp ecx,12 ; 18 bytes
0040114C |.^ 72 F0 \jb short k4n3.0040113E
0040114E |. 5E pop esi
0040114F |. B8 01000000 mov eax,1 ; all 18 bytes matched
00401154 |. 5B pop ebx
00401155 |. C3 retn
00401156 |> 5E pop esi
00401157 |. 33C0 xor eax,eax ; mismatch -> 0 (author's patch point A: mov eax ,1)
00401159 |. 5B pop ebx
0040115A \. C3 retn
(3)
;-----------------------------------------------------------------------
; sub_401080(char *name)  -- called at 00401238; produces the value the
; author calls "number A", which seeds the serial derivation loop at 00401257
; In:    [ebp+8] = name (the caller's ebp-D4 buffer)
; Out:   eax = 32-bit hash; the name buffer is modified in place (below)
; Frame: push ebp / mov ebp,esp, one dword local at [ebp-4]; ebx/esi/edi saved
; Clobb: ecx, edx, flags, and the caller's name buffer
; Side effect: an inline strcat (repne scas + rep movs) appends
;        " is a whore." (k4n3.00405070, 12 chars + NUL) to name. There is
;        no bounds check, so the caller's buffer must hold name + 13 bytes.
; Hash:  ebx is seeded with "eheh" read as a little-endian dword
;        (0x68656865); then for i = 0..15:
;          v = rol(dword(buf + 4*i) + (table[i] ^ i), 7);  ebx ^= v
;        where table is the 16-dword constant block at k4n3.00405030
;        (its contents are not shown in this listing). All 64 bytes are
;        read regardless of the string length; bytes past the terminator
;        are whatever the buffer holds, which is not visible here.
;-----------------------------------------------------------------------
00401080 /$ 55 push ebp
00401081 |. 8BEC mov ebp,esp
00401083 |. 51 push ecx ; reserves the dword local at [ebp-4]
00401084 |. 53 push ebx
00401085 |. 56 push esi
00401086 |. 57 push edi
00401087 |. 68 80504000 push k4n3.00405080 ; ASCII "eheh"
0040108C |. 6A 00 push 0 ; offset 0
0040108E |. E8 ADFFFFFF call k4n3.00401040 ; eax = dword at "eheh"+0 = 0x68656865, see (4)
00401093 |. 83C4 08 add esp,8
00401096 |. 8BD8 mov ebx,eax ; ebx = running hash, seeded with 0x68656865
00401098 |. E8 63FFFFFF call k4n3.00401000 ; author says this clears registers; its body is not shown, and ebx must survive it for the seed to matter
0040109D |. BF 70504000 mov edi,k4n3.00405070 ; ASCII " is a whore."
004010A2 |. 83C9 FF or ecx,FFFFFFFF ; ecx = -1 (max scan count)
004010A5 |. 33C0 xor eax,eax ; al = 0, the byte to scan for
004010A7 |. F2:AE repne scas byte ptr es:[edi] ; strlen: edi runs one past the NUL, ecx = -(len+2)
004010A9 |. F7D1 not ecx ; ecx = len+1 = 0xD (12 chars + NUL)
004010AB |. 2BF9 sub edi,ecx ; edi back to the start of " is a whore."
004010AD |. 8BF7 mov esi,edi ; esi = copy source
004010AF |. 8B7D 08 mov edi,dword ptr ss:[ebp+8] ; edi = name
004010B2 |. 8BD1 mov edx,ecx ; edx = byte count to copy (0xD)
004010B4 |. 83C9 FF or ecx,FFFFFFFF
004010B7 |. F2:AE repne scas byte ptr es:[edi] ; strlen(name): edi now one past name's NUL
004010B9 |. 8BCA mov ecx,edx
004010BB |. 4F dec edi ; edi = &name[len], the NUL that gets overwritten
004010BC |. C1E9 02 shr ecx,2 ; 0xD / 4 = 3 dwords
004010BF |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi] ; copy 12 bytes
004010C1 |. 8BCA mov ecx,edx ; edx = 0000000D
004010C3 |. 83E1 03 and ecx,3 ; ecx = 1 remaining byte (the NUL)
004010C6 |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi] ; strcat done: name + " is a whore."
004010C8 |. 33FF xor edi,edi ; edi = i = 0
004010CA |. 33F6 xor esi,esi ; esi = byte offset = 4*i
004010CC |> 8B45 08 /mov eax,dword ptr ss:[ebp+8] ; loop over 16 dwords of the buffer to produce "number A"
004010CF |. 50 |push eax ; e.g. eax=12f9a8 ("xsy is a whore") for the author's name "xsy"
004010D0 |. 56 |push esi
004010D1 |. E8 6AFFFFFF |call k4n3.00401040 ; eax = dword at buffer+esi, see (4)
004010D6 |. 8B8E 30504000 |mov ecx,dword ptr ds:[esi+405030] ; ecx = table[i], constant block at 00405030
004010DC |. 83C4 08 |add esp,8 ; e.g. "xsy " -> 20797378, then "is a" -> 61207369; 0x10 iterations
004010DF |. 33CF |xor ecx,edi ; ecx = table[i] ^ i
004010E1 |. 03C1 |add eax,ecx
004010E3 |. 8945 FC |mov dword ptr ss:[ebp-4],eax
004010E6 |. C145 FC 07 |rol dword ptr ss:[ebp-4],7 ; rotate left by 7, done on the stack local
004010EA |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
004010ED |. 83C6 04 |add esi,4 ; next dword
004010F0 |. 33D8 |xor ebx,eax ; fold into the running hash
004010F2 |. 47 |inc edi
004010F3 |. 83FE 40 |cmp esi,40 ; 0x40 = 64 bytes = 16 dwords
004010F6 |.^ 7C D4 \jl short k4n3.004010CC
004010F8 |. 5F pop edi
004010F9 |. 8BC3 mov eax,ebx ; return the hash
004010FB |. 5E pop esi
004010FC |. 5B pop ebx
004010FD |. 8BE5 mov esp,ebp ; drops the [ebp-4] local
004010FF |. 5D pop ebp
00401100 \. C3 retn
(4)
;-----------------------------------------------------------------------
; sub_401040(int off, const char *p)  -- called at 0040108E and 004010D1
; In:    [esp+4] = off, [esp+8] = p
; Out:   eax = p[off+3]<<24 | p[off+2]<<16 | p[off+1]<<8 | p[off],
;        i.e. the little-endian dword at p+off ("eheh" -> 0x68656865)
; Clobb: ecx, edx, flags; esi saved/restored
; Stack: arguments cleaned by the caller (add esp,8 after each call)
; Note:  always reads 4 bytes; nothing stops it reading past a short
;        string's terminator -- the caller in (3) bounds it at 64 bytes.
;-----------------------------------------------------------------------
00401040 /$ 8B4C24 04 mov ecx,dword ptr ss:[esp+4] ; ecx = off
00401044 |. 56 push esi
00401045 |. 8B7424 0C mov esi,dword ptr ss:[esp+C] ; esi = p ([esp+8] before the push)
00401049 |. 33C0 xor eax,eax
0040104B |. 33D2 xor edx,edx
0040104D |. 8A4431 03 mov al,byte ptr ds:[ecx+esi+3] ; 4th byte, becomes the most significant
00401051 |. 8A5431 02 mov dl,byte ptr ds:[ecx+esi+2] ; 3rd byte
00401055 |. C1E0 08 shl eax,8 ; e.g. 'h' 0x00000068 -> 0x00006800
00401058 |. 03C2 add eax,edx ; eax = (b3<<8) | b2; add equals or here since the low byte is 0 and dl < 0x100
0040105A |. 33D2 xor edx,edx
0040105C |. 8A5431 01 mov dl,byte ptr ds:[ecx+esi+1] ; 2nd byte
00401060 |. C1E0 08 shl eax,8
00401063 |. 03C2 add eax,edx
00401065 |. 33D2 xor edx,edx
00401067 |. 8A1431 mov dl,byte ptr ds:[ecx+esi] ; 1st byte
0040106A |. 5E pop esi ; restore the caller's esi
0040106B |. C1E0 08 shl eax,8
0040106E |. 03C2 add eax,edx ; eax = full dword, equivalent to a plain mov eax,[esi+ecx]
00401070 \. C3 retn
小结:通过以上分析可有多种破解方法,在上面的破解点A或B任一处改变即可。