刚学破解,通过看雪论坛上的一些技术文章,从看雪论坛上下了一个Crackme,试着破解了第一个CrackMe,获得了注册码,附上说明,同时申请邀请码。
软件名称:CrackMe.exe
编制语言:Microsoft Visual C++ 6.0
破解工具:IDA Pro 5.5
将Crackme拖入IDA中,稍等片刻后,反汇编完成。找到关键函数GetWindowTextA,并下断点,运行,随意输入用户名和注册码,点击注册按钮,被断点拦下。
部分代码如下
------------------------------------------------------------------------------------------------------
.text:00401375 call esi ; GetDlgItem<---------------下断点
.text:00401377 mov edi, ds:GetWindowTextA<-------关键语句
.text:0040137D push eax ; hWnd
.text:0040137E call edi ; GetWindowTextA<--------调用API函数,获得用户名
.text:00401380 lea ecx, [esp+810h+var_800]
.text:00401384 push 400h ; nMaxCount
.text:00401389 push ecx ; lpString
.text:0040138A push 3E9h ; nIDDlgItem
.text:0040138F push ebp ; hDlg
.text:00401390 call esi ; GetDlgItem
.text:00401392 push eax ; hWnd
.text:00401393 call edi ; GetWindowTextA<--------调用API函数,获得用户名
.text:00401395 lea edx, [esp+810h+String]
.text:0040139C lea esi, [esp+810h+var_800]
.text:004013A0 push edx
.text:004013A1 call sub_401020<------------- calculate the key这是根据你输入的用户名计算注册号的函数 运行完此句后,查看寄存器EAX的值,里面的内容,就是正确的注册码!
.text:004013A6 add esp, 4
.text:004013A9
.text:004013A9 loc_4013A9: ; CODE XREF: DialogFunc+BBj
.text:004013A9 mov dl, [eax]
.text:004013AB mov bl, [esi]
.text:004013AD mov cl, dl
.text:004013AF cmp dl, bl
.text:004013B1 jnz short loc_4013D1
.text:004013B3 test cl, cl
.text:004013B5 jz short loc_4013CD
.text:004013B7 mov dl, [eax+1]
.text:004013BA mov bl, [esi+1]
.text:004013BD mov cl, dl
.text:004013BF cmp dl, bl
.text:004013C1 jnz short loc_4013D1
.text:004013C3 add eax, 2
.text:004013C6 add esi, 2
.text:004013C9 test cl, cl
.text:004013CB jnz short loc_4013A9
.text:004013CD
.text:004013CD loc_4013CD: ; CODE XREF: DialogFunc+A5j
.text:004013CD xor eax, eax
.text:004013CF jmp short loc_4013D6
.text:004013D1 ; ---------------------------------------------------------------------------
.text:004013D1
.text:004013D1 loc_4013D1: ; CODE XREF: DialogFunc+A1j
.text:004013D1 ; DialogFunc+B1j
.text:004013D1 sbb eax, eax
.text:004013D3 sbb eax, 0FFFFFFFFh
.text:004013D6
.text:004013D6 loc_4013D6: ; CODE XREF: DialogFunc+BFj
.text:004013D6 pop edi
.text:004013D7 pop esi
.text:004013D8 pop ebx
.text:004013D9 test eax, eax
.text:004013DB push 0 ; uType
.text:004013DD push offset Caption ; "信息"
.text:004013E2 jnz short loc_4013FC<------------关键跳转。若注册码正确,则不跳转,否则跳转到失败处,在此也可以通过修改汇编指令来实现爆破,一般向我这样的菜鸟才会爆破软件
.text:004013E4 push offset Text ; "注册成功!"
.text:004013E9 push ebp ; hWnd
.text:004013EA call ds:MessageBoxA
.text:004013F0 xor eax, eax
.text:004013F2 pop ebp
.text:004013F3 add esp, 800h
.text:004013F9 retn 10h
.text:004013FC ; ---------------------------------------------------------------------------
.text:004013FC
.text:004013FC loc_4013FC: ; CODE XREF: DialogFunc+D2j
.text:004013FC push offset aVSZGb ; "注册失败!"
.text:00401401 push ebp ; hWnd
.text:00401402 call ds:MessageBoxA
----------------------------------------------------------------------------------------------------
按f7进入 sub_401020 『calculate the key』函数
仔仔细细 认认真真看汇编代码
.text:00401015 ; ---------------------------------------------------------------------------
.text:00401018 align 10h
.text:00401020
.text:00401020 ; =============== S U B R O U T I N E =======================================
.text:00401020
.text:00401020
.text:00401020 sub_401020 proc near ; CODE XREF: DialogFunc+91p
.text:00401020
.text:00401020 var_10= dword ptr -10h
.text:00401020 var_C= dword ptr -0Ch
.text:00401020 var_8= dword ptr -8
.text:00401020 var_4= byte ptr -4
.text:00401020 arg_0= dword ptr 4
.text:00401020
.text:00401020 sub esp, 10h
.text:00401023 mov eax, dword_406050
.text:00401028 mov ecx, dword_406054
.text:0040102E push ebx
.text:0040102F mov [esp+14h+var_10], eax
.text:00401033 mov al, byte_40605C
.text:00401038 push esi
.text:00401039 mov esi, [esp+18h+arg_0]
.text:0040103D push edi
.text:0040103E mov [esp+1Ch+var_C], ecx
.text:00401042 mov [esp+1Ch+var_4], al
.text:00401046 mov edi, esi
.text:00401048 or ecx, 0FFFFFFFFh
.text:0040104B xor eax, eax
.text:0040104D xor ebx, ebx
.text:0040104F repne scasb
.text:00401051 mov edx, dword_406058
.text:00401057 not ecx
.text:00401059 dec ecx
.text:0040105A mov [esp+1Ch+var_8], edx
.text:0040105E jz short loc_401083
.text:00401060 mov edx, 1
.text:00401065
.text:00401065 loc_401065: ; CODE XREF: sub_401020+61j /*计算输入的字符串(用户名)的总和*/
.text:00401065 movsx ecx, byte ptr [esi+edx-1]
.text:0040106A imul ecx, edx
.text:0040106D add ebx, ecx
.text:0040106F mov edi, esi
.text:00401071 or ecx, 0FFFFFFFFh
.text:00401074 xor eax, eax
.text:00401076 inc edx
.text:00401077 repne scasb
.text:00401079 not ecx
.text:0040107B dec ecx
.text:0040107C lea eax, [edx-1]
.text:0040107F cmp eax, ecx
.text:00401081 jb short loc_401065
.text:00401083
.text:00401083 loc_401083: ; CODE XREF: sub_401020+3Ej/*计算注册机的前五位*/
.text:00401083 xor esi, esi
.text:00401085
.text:00401085 loc_401085: ; CODE XREF: sub_401020+AAj
.text:00401085 movsx ecx, byte ptr [esp+esi+1Ch+var_10] ;
.text:0040108A add ecx, esi
.text:0040108C xor edx, edx
.text:0040108E add ecx, ebx ;
.text:00401090 mov edi, 0Ah
.text:00401095 mov eax, ecx
.text:00401097 div edi
.text:00401099 cmp edx, 9 ; switch 10 cases
.text:0040109C ja short loc_4010C6 ; default
.text:0040109E xor eax, eax
.text:004010A0 mov al, ds:byte_4012B0[edx]
.text:004010A6 jmp ds:off_4012A8[eax*4] ; switch jump
.text:004010AD
.text:004010AD loc_4010AD: ; DATA XREF: .text:off_4012A8o
.text:004010AD add dl, 30h ; 生成数字字符
.text:004010B0 jmp short loc_4010C0
.text:004010B2 ; ---------------------------------------------------------------------------
.text:004010B2
.text:004010B2 loc_4010B2: ; CODE XREF: sub_401020+86j
.text:004010B2 ; DATA XREF: .text:off_4012A8o
.text:004010B2 mov eax, ecx ; jumptable 004010A6 cases 5-9
.text:004010B4 xor edx, edx
.text:004010B6 mov ecx, 1Ah ; 生成大写字母字符
.text:004010BB div ecx
.text:004010BD add dl, 41h
.text:004010C0
.text:004010C0 loc_4010C0: ; CODE XREF: sub_401020+90j
.text:004010C0 mov byte_406030[esi], dl
.text:004010C6
.text:004010C6 loc_4010C6: ; CODE XREF: sub_401020+7Cj
.text:004010C6 inc esi ; default
.text:004010C7 cmp esi, 5
.text:004010CA jb short loc_401085 ;
.text:004010CC xor esi, esi
.text:004010CE
.text:004010CE loc_4010CE: ; CODE XREF: sub_401020+FBj /*计算注册机的7-11位*/
.text:004010CE movsx ecx, byte ptr [esp+esi+1Ch+var_10]
.text:004010D3 lea edx, [esi+6]
.text:004010D6 mov edi, 0Ah
.text:004010DB imul ecx, edx
.text:004010DE imul ecx, ebx
.text:004010E1 mov eax, ecx
.text:004010E3 xor edx, edx
.text:004010E5 div edi
.text:004010E7 cmp edx, 9 ; switch 10 cases
.text:004010EA ja short loc_401114 ; default
.text:004010EC xor eax, eax
.text:004010EE mov al, ds:byte_4012C4[edx]
.text:004010F4 jmp ds:off_4012BC[eax*4] ; switch jump
.text:004010FB
.text:004010FB loc_4010FB: ; DATA XREF: .text:off_4012BCo
.text:004010FB add dl, 30h ; jumptable 004010F4 cases 0-4
.text:004010FE jmp short loc_40110E
.text:00401100 ; ---------------------------------------------------------------------------
.text:00401100
.text:00401100 loc_401100: ; CODE XREF: sub_401020+D4j
.text:00401100 ; DATA XREF: .text:off_4012BCo
.text:00401100 mov eax, ecx ; jumptable 004010F4 cases 5-9
.text:00401102 xor edx, edx
.text:00401104 mov ecx, 1Ah
.text:00401109 div ecx
.text:0040110B add dl, 41h
.text:0040110E
.text:0040110E loc_40110E: ; CODE XREF: sub_401020+DEj
.text:0040110E mov byte_406036[esi], dl
.text:00401114
.text:00401114 loc_401114: ; CODE XREF: sub_401020+CAj
.text:00401114 inc esi ; default
.text:00401115 lea edx, [esi+6]
.text:00401118 cmp edx, 0Bh
.text:0040111B jb short loc_4010CE
.text:0040111D lea edi, [esp+1Ch+var_10]
.text:00401121 push ebp
.text:00401122 mov esi, 0Ch
.text:00401127 sub edi, 0Bh ;
.text:0040112A
.text:0040112A loc_40112A: ; CODE XREF: sub_401020+14Ej/*计算注册机的13-17位*/
.text:0040112A movsx ecx, byte ptr [edi+esi]
.text:0040112E and ecx, esi
.text:00401130 xor edx, edx
.text:00401132 and ecx, ebx
.text:00401134 mov ebp, 0Ah
.text:00401139 mov eax, ecx
.text:0040113B div ebp
.text:0040113D cmp edx, 9 ; switch 10 cases
.text:00401140 ja short loc_40116A ; default
.text:00401142 xor eax, eax
.text:00401144 mov al, ds:byte_4012D8[edx]
.text:0040114A jmp ds:off_4012D0[eax*4] ; switch jump
.text:00401151
.text:00401151 loc_401151: ; DATA XREF: .text:off_4012D0o
.text:00401151 add dl, 30h ; jumptable 0040114A cases 0-4
.text:00401154 jmp short loc_401164
.text:00401156 ; ---------------------------------------------------------------------------
.text:00401156
.text:00401156 loc_401156: ; CODE XREF: sub_401020+12Aj
.text:00401156 ; DATA XREF: .text:off_4012D0o
.text:00401156 mov eax, ecx ; jumptable 0040114A cases 5-9
.text:00401158 xor edx, edx
.text:0040115A mov ecx, 1Ah
.text:0040115F div ecx
.text:00401161 add dl, 41h
.text:00401164
.text:00401164 loc_401164: ; CODE XREF: sub_401020+134j
.text:00401164 mov byte_406030[esi], dl
.text:0040116A
.text:0040116A loc_40116A: ; CODE XREF: sub_401020+120j
.text:0040116A inc esi ; default
.text:0040116B cmp esi, 11h
.text:0040116E jl short loc_40112A
.text:00401170 lea edi, [esp+20h+var_10]
.text:00401174 mov esi, 12h
.text:00401179 sub edi, 10h ;
.text:0040117C
.text:0040117C loc_40117C: ; CODE XREF: sub_401020+1A0j /*计算注册机的19-23位*/
.text:0040117C movsx ecx, byte ptr [edi+esi]
.text:00401180 or ecx, esi
.text:00401182 xor edx, edx
.text:00401184 or ecx, ebx
.text:00401186 mov ebp, 0Ah
.text:0040118B mov eax, ecx
.text:0040118D div ebp
.text:0040118F cmp edx, 9 ; switch 10 cases
.text:00401192 ja short loc_4011BC ; default
.text:00401194 xor eax, eax
.text:00401196 mov al, ds:byte_4012EC[edx]
.text:0040119C jmp ds:off_4012E4[eax*4] ; switch jump
.text:004011A3
.text:004011A3 loc_4011A3: ; DATA XREF: .text:off_4012E4o
.text:004011A3 add dl, 30h ; jumptable 0040119C cases 0-3,9
.text:004011A6 jmp short loc_4011B6
.text:004011A8 ; ---------------------------------------------------------------------------
.text:004011A8
.text:004011A8 loc_4011A8: ; CODE XREF: sub_401020+17Cj
.text:004011A8 ; DATA XREF: .text:off_4012E4o
.text:004011A8 mov eax, ecx ; jumptable 0040119C cases 4-8
.text:004011AA xor edx, edx
.text:004011AC mov ecx, 1Ah
.text:004011B1 div ecx
.text:004011B3 add dl, 41h
.text:004011B6
.text:004011B6 loc_4011B6: ; CODE XREF: sub_401020+186j
.text:004011B6 mov byte_406030[esi], dl
.text:004011BC
.text:004011BC loc_4011BC: ; CODE XREF: sub_401020+172j
.text:004011BC inc esi ; default
.text:004011BD cmp esi, 17h
.text:004011C0 jl short loc_40117C
.text:004011C2 lea ebp, [esp+20h+arg_0+3]
.text:004011C6 mov esi, 18h
.text:004011CB sub ebp, 18h ;
.text:004011CE
.text:004011CE loc_4011CE: ; CODE XREF: sub_401020+20Fj/*计算注册机的25-29位*/
.text:004011CE lea edi, [esp+20h+var_10]
.text:004011D2 or ecx, 0FFFFFFFFh
.text:004011D5 xor eax, eax
.text:004011D7 mov edx, esi
.text:004011D9 repne scasb
.text:004011DB not ecx
.text:004011DD dec ecx
.text:004011DE mov edi, 0Ah
.text:004011E3 not edx
.text:004011E5 movsx ecx, byte ptr [ecx+ebp]
.text:004011E9 imul ecx, esi
.text:004011EC imul ecx, esi
.text:004011EF add edx, esi
.text:004011F1 add ecx, ebx
.text:004011F3 and edx, esi
.text:004011F5 or ecx, edx
.text:004011F7 xor edx, edx
.text:004011F9 mov eax, ecx
.text:004011FB div edi
.text:004011FD cmp edx, 9 ; switch 10 cases
.text:00401200 ja short loc_40122A ; default
.text:00401202 xor eax, eax
.text:00401204 mov al, ds:byte_401300[edx]
.text:0040120A jmp ds:off_4012F8[eax*4] ; switch jump
.text:00401211
.text:00401211 loc_401211: ; DATA XREF: .text:off_4012F8o
.text:00401211 add dl, 30h ; jumptable 0040120A cases 0-4
.text:00401214 jmp short loc_401224
.text:00401216 ; ---------------------------------------------------------------------------
.text:00401216
.text:00401216 loc_401216: ; CODE XREF: sub_401020+1EAj
.text:00401216 ; DATA XREF: .text:off_4012F8o
.text:00401216 mov eax, ecx ; jumptable 0040120A cases 5-9
.text:00401218 xor edx, edx
.text:0040121A mov ecx, 1Ah
.text:0040121F div ecx
.text:00401221 add dl, 41h
.text:00401224
.text:00401224 loc_401224: ; CODE XREF: sub_401020+1F4j
.text:00401224 mov byte_406030[esi], dl
.text:0040122A
.text:0040122A loc_40122A: ; CODE XREF: sub_401020+1E0j
.text:0040122A inc esi ; default
.text:0040122B dec ebp
.text:0040122C cmp esi, 1Dh
.text:0040122F jb short loc_4011CE
.text:00401231 xor ecx, ecx
.text:00401233 mov bl, 50h
.text:00401235 pop ebp
.text:00401236
.text:00401236 loc_401236: ; CODE XREF: sub_401020+278j /*进一步加密,拒绝出现o和0,以免混淆*/
.text:00401236 mov al, byte_406030[ecx]
.text:0040123C cmp al, 2Dh ;
.text:0040123E jz short loc_401294
.text:00401240 cmp al, 30h
.text:00401242 jl short loc_40125E
.text:00401244 cmp al, 39h
.text:00401246 jg short loc_40125E
.text:00401248 movsx eax, al
.text:0040124B add eax, ecx
.text:0040124D xor edx, edx
.text:0040124F xor eax, 2
.text:00401252 mov esi, 1Ah
.text:00401257 div esi
.text:00401259 add dl, 41h
.text:0040125C jmp short loc_401272
.text:0040125E ; ---------------------------------------------------------------------------
.text:0040125E
.text:0040125E loc_40125E: ; CODE XREF: sub_401020+222j
.text:0040125E ; sub_401020+226j
.text:0040125E movsx eax, al
.text:00401261 add eax, ecx
.text:00401263 xor edx, edx
.text:00401265 xor eax, 3
.text:00401268 mov esi, 0Ah
.text:0040126D div esi
.text:0040126F add dl, 30h
.text:00401272
.text:00401272 loc_401272: ; CODE XREF: sub_401020+23Cj
.text:00401272 mov al, dl
.text:00401274 mov byte_406030[ecx], dl
.text:0040127A cmp al, 30h
.text:0040127C jnz short loc_401285
.text:0040127E mov byte_406030[ecx], 31h
.text:00401285
.text:00401285 loc_401285: ; CODE XREF: sub_401020+25Cj
.text:00401285 cmp byte_406030[ecx], 4Fh
.text:0040128C jnz short loc_401294
.text:0040128E mov byte_406030[ecx], bl
.text:00401294
.text:00401294 loc_401294: ; CODE XREF: sub_401020+21Ej
.text:00401294 ; sub_401020+26Cj
.text:00401294 inc ecx
.text:00401295 cmp ecx, 1Dh
.text:00401298 jb short loc_401236
.text:0040129A pop edi
.text:0040129B pop esi
.text:0040129C mov eax, offset byte_406030
.text:004012A1 pop ebx
.text:004012A2 add esp, 10h
.text:004012A5 retn
.text:004012A5 sub_401020 endp
.text:004012A5
.text:004012A5 ; ---------------------------------------------------------------------------
这些汇编代码花了我两天时间把它弄懂 并把它转化为c代码。获得的一对注册码是gaojianli/Y8WXB-ABGHE-KLIJP-MABQQ-W1U2Y。
小结:这个CrackMe是典型的明码型注册,程序本身也比较简单,也没有加壳。但是,对我这个刚刚接触破解在看雪论坛上活动了两周的菜鸟来说,实在是极大的鼓励。随后,我又相继破解了几个Crackme,包括非明码注册,无注册信息窗口注册等等。因此我想为我一朋友申请一个邀请码,我一朋友想转为正式会员。
crackme和编译好的注册机,c源代码在附件里。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
