[原创]一个crackme的算法分析。。。
发表于: 2010-12-1 14:28 4094

这个软件挺烦的,一直用加减乘除和异或作变换。。
几次运算的思路一样,就是换换常数,我快跟得没耐心了。

用dede得到注册按钮地址:0042DAD4   
  下好断点。

; ---------------------------------------------------------------------------
; OllyDbg dump (Intel syntax, 32-bit x86) of the register-button handler that
; starts at 0042DAD4 (located with DeDe per the write-up). This excerpt begins
; at 0042DB02, so the prologue is not shown.
; Register roles visible in this excerpt:
;   ebx       = form object; [ebx+1E0] = name control, [ebx+1E4] = serial
;               control (identified by the error strings below)
;   edi       = object handed to 00403544/004037C8/004039C4 - presumably a
;               string being built from name characters; verify in the callees
;   esi       = pointer to the loop counter ([esi] runs 2..6)
;   local.1/2 = temporaries receiving string results from the helper calls
; Arguments to the helper calls travel in eax/edx/ecx (register convention).
; Globals: 42F744 = pointer to the buffer that receives the volume serial,
; 42F750 = volume serial, 42F758 = name-derived value, 42F760 = integer parsed
; from the serial field. Success is decided by the single cmp/jnz at 0042DCBC,
; comparing two writable globals - the weakness the write-up points out.
; ---------------------------------------------------------------------------
0042DB02  |.  A3 44F74200   mov dword ptr ds:[42F744],eax            ; [42F744] = buffer that receives the volume serial
0042DB07  |.  6A 00         push 0                                   ; /pFileSystemNameSize = NULL
0042DB09  |.  6A 00         push 0                                   ; |pFileSystemNameBuffer = NULL
0042DB0B  |.  68 4CF74200   push crackme.0042F74C                    ; |pFileSystemFlags = crackme.0042F74C
0042DB10  |.  68 48F74200   push crackme.0042F748                    ; |pMaxFilenameLength = crackme.0042F748
0042DB15  |.  A1 44F74200   mov eax,dword ptr ds:[42F744]            ; |
0042DB1A  |.  50            push eax                                 ; |pVolumeSerialNumber => 009E6B88
0042DB1B  |.  6A 00         push 0                                   ; |MaxVolumeNameSize = 0
0042DB1D  |.  6A 00         push 0                                   ; |VolumeNameBuffer = NULL
0042DB1F  |.  6A 00         push 0                                   ; |RootPathName = NULL (see write-up on which volume this selects)
0042DB21  |.  E8 5E75FDFF   call <jmp.&kernel32.GetVolumeInformation>; \GetVolumeInformationA
0042DB26  |.  A1 44F74200   mov eax,dword ptr ds:[42F744]            ; eax = that buffer
0042DB2B  |.  8B00          mov eax,dword ptr ds:[eax]               ; eax = volume serial number
0042DB2D  |.  A3 50F74200   mov dword ptr ds:[42F750],eax            ; [42F750] = volume serial (global)
0042DB32  |.  8D55 FC       lea edx,[local.1]                        ; edx -> result slot for the text helper
0042DB35  |.  8B83 E0010000 mov eax,dword ptr ds:[ebx+1E0]           ; eax = name control (see "Please typ in your name" below)
0042DB3B  |.  E8 E8C6FEFF   call crackme.0041A228                    ;  ddsoft  (local.1 = name text; "ddsoft" was the author's input)
0042DB40  |.  837D FC 00    cmp [local.1],0                          ; empty name?
0042DB44  |.  75 1A         jnz short crackme.0042DB60               ; non-empty -> length check
0042DB46  |.  6A 00         push 0                                   ; /Arg1 = 00000000
0042DB48  |.  66:8B0D 1CDD4>mov cx,word ptr ds:[42DD1C]              ; |
0042DB4F  |.  B2 02         mov dl,2                                 ; |
0042DB51  |.  B8 28DD4200   mov eax,crackme.0042DD28                 ; |ASCII "Please typ in your name !!"
0042DB56  |.  E8 E5F2FFFF   call crackme.0042CE40                    ; \crackme.0042CE40  (message dialog; same pattern at every exit below)
0042DB5B  |.  E9 90010000   jmp crackme.0042DCF0                     ; common exit
0042DB60  |>  8D55 FC       lea edx,[local.1]
0042DB63  |.  8B83 E0010000 mov eax,dword ptr ds:[ebx+1E0]
0042DB69  |.  E8 BAC6FEFF   call crackme.0041A228                    ; local.1 = name text again
0042DB6E  |.  8B45 FC       mov eax,[local.1]
0042DB71  |.  E8 4A5CFDFF   call crackme.004037C0                    ; eax = name length (presumably; the cmp and message below imply it)
0042DB76  |.  83F8 06       cmp eax,6                                ;  name length must be >= 6
0042DB79  |.  7D 1A         jge short crackme.0042DB95               ; signed compare; >= 6 continues
0042DB7B  |.  6A 00         push 0                                   ; /Arg1 = 00000000
0042DB7D  |.  66:8B0D 1CDD4>mov cx,word ptr ds:[42DD1C]              ; |
0042DB84  |.  B2 02         mov dl,2                                 ; |
0042DB86  |.  B8 4CDD4200   mov eax,crackme.0042DD4C                 ; |ASCII "Type at least 6 chars for your name! !"
0042DB8B  |.  E8 B0F2FFFF   call crackme.0042CE40                    ; \crackme.0042CE40
0042DB90  |.  E9 5B010000   jmp crackme.0042DCF0                     ; common exit
0042DB95  |>  8D55 FC       lea edx,[local.1]
0042DB98  |.  8B83 E4010000 mov eax,dword ptr ds:[ebx+1E4]           ; eax = serial control
0042DB9E  |.  E8 85C6FEFF   call crackme.0041A228                    ;  local.1 = text of the serial field
0042DBA3  |.  837D FC 00    cmp [local.1],0                          ; empty serial?
0042DBA7  |.  75 1A         jnz short crackme.0042DBC3               ; non-empty -> start computing
0042DBA9  |.  6A 00         push 0                                   ; /Arg1 = 00000000
0042DBAB  |.  66:8B0D 1CDD4>mov cx,word ptr ds:[42DD1C]              ; |
0042DBB2  |.  B2 02         mov dl,2                                 ; |
0042DBB4  |.  B8 7CDD4200   mov eax,crackme.0042DD7C                 ; |ASCII "Please enter your serial !"
0042DBB9  |.  E8 82F2FFFF   call crackme.0042CE40                    ; \crackme.0042CE40
0042DBBE  |.  E9 2D010000   jmp crackme.0042DCF0                     ; common exit
0042DBC3  |>  8BC7          mov eax,edi                              ; edi = work object for the helpers below
0042DBC5  |.  E8 7A59FDFF   call crackme.00403544                    ; presumably clears it - confirm in the callee
0042DBCA  |.  C706 02000000 mov dword ptr ds:[esi],2                 ; loop counter = 2 (1-based index of the 2nd char)
0042DBD0  |>  8D55 FC       /lea edx,[local.1]                       ; loop: local.1 = name text
0042DBD3  |.  8B83 E0010000 |mov eax,dword ptr ds:[ebx+1E0]
0042DBD9  |.  E8 4AC6FEFF   |call crackme.0041A228
0042DBDE  |.  8B45 FC       |mov eax,[local.1]
0042DBE1  |.  8B16          |mov edx,dword ptr ds:[esi]              ; edx = counter
0042DBE3  |.  0FB64410 FF   |movzx eax,byte ptr ds:[eax+edx-1]       ; eax = name[counter-1], zero-extended
0042DBE8  |.  8D55 F8       |lea edx,[local.2]
0042DBEB  |.  E8 8889FDFF   |call crackme.00406578                   ;  char code -> decimal string (author's reading of this callee)
0042DBF0  |.  8B55 F8       |mov edx,[local.2]
0042DBF3  |.  8BC7          |mov eax,edi
0042DBF5  |.  E8 CE5BFDFF   |call crackme.004037C8                   ; presumably appends local.2 to the edi object
0042DBFA  |.  FF06          |inc dword ptr ds:[esi]                  ; next char
0042DBFC  |.  833E 07       |cmp dword ptr ds:[esi],7                ;  loop over chars 2..6 of the name (5 chars)
0042DBFF  |.^ 75 CF         \jnz short crackme.0042DBD0
0042DC01  |.  8D45 F8       lea eax,[local.2]
0042DC04  |.  50            push eax                                 ; out: local.2 receives the substring
0042DC05  |.  B9 03000000   mov ecx,3                                ; count = 3
0042DC0A  |.  BA 01000000   mov edx,1                                ; start = 1
0042DC0F  |.  8B07          mov eax,dword ptr ds:[edi]
0042DC11  |.  E8 AE5DFDFF   call crackme.004039C4                    ;  take positions 1..3 of the built string (write-up: "100")
0042DC16  |.  8B45 F8       mov eax,[local.2]
0042DC19  |.  E8 8A89FDFF   call crackme.004065A8                    ; string -> integer (write-up: "100" -> 0x64)
0042DC1E  |.  A3 58F74200   mov dword ptr ds:[42F758],eax            ;  result kept in global 0042F758
0042DC23  |.  8BC7          mov eax,edi
0042DC25  |.  E8 1A59FDFF   call crackme.00403544                    ; same call as at 0042DBC5
0042DC2A  |.  8BC3          mov eax,ebx
0042DC2C  |.  E8 B3FCFFFF   call crackme.0042D8E4                    ; transform steps: each 0042D8E4..0042DA9C call reworks [42F750]/[42F758] (write-up)
0042DC31  |.  A1 50F74200   mov eax,dword ptr ds:[42F750]
0042DC36  |.  A3 50F74200   mov dword ptr ds:[42F750],eax            ;  16062E9D seen at 0042F750 in the author's run; the load/store pair itself changes nothing
0042DC3B  |.  8BC3          mov eax,ebx
0042DC3D  |.  E8 F2FCFFFF   call crackme.0042D934
0042DC42  |.  A1 58F74200   mov eax,dword ptr ds:[42F758]
0042DC47  |.  A3 58F74200   mov dword ptr ds:[42F758],eax            ; no-op reload of [42F758] (same pattern below)
0042DC4C  |.  8BC3          mov eax,ebx
0042DC4E  |.  E8 35FDFFFF   call crackme.0042D988
0042DC53  |.  8BC3          mov eax,ebx                              ;  4  (author's step marker; the write-up's trace stops here)
0042DC55  |.  E8 7EFDFFFF   call crackme.0042D9D8
0042DC5A  |.  A1 58F74200   mov eax,dword ptr ds:[42F758]
0042DC5F  |.  A3 58F74200   mov dword ptr ds:[42F758],eax
0042DC64  |.  8BC3          mov eax,ebx
0042DC66  |.  E8 B1FDFFFF   call crackme.0042DA1C
0042DC6B  |.  8BC3          mov eax,ebx
0042DC6D  |.  E8 B6FDFFFF   call crackme.0042DA28
0042DC72  |.  A1 58F74200   mov eax,dword ptr ds:[42F758]
0042DC77  |.  A3 58F74200   mov dword ptr ds:[42F758],eax
0042DC7C  |.  8BC3          mov eax,ebx
0042DC7E  |.  E8 B1FDFFFF   call crackme.0042DA34
0042DC83  |.  8BC3          mov eax,ebx
0042DC85  |.  E8 F2FDFFFF   call crackme.0042DA7C
0042DC8A  |.  8BC3          mov eax,ebx
0042DC8C  |.  E8 0BFEFFFF   call crackme.0042DA9C                    ; last transform step
0042DC91  |.  A1 50F74200   mov eax,dword ptr ds:[42F750]            ; eax = volume-serial-derived value
0042DC96  |.  0105 58F74200 add dword ptr ds:[42F758],eax            ; [42F758] += [42F750] -> expected serial
0042DC9C  |.  8D55 FC       lea edx,[local.1]
0042DC9F  |.  8B83 E4010000 mov eax,dword ptr ds:[ebx+1E4]
0042DCA5  |.  E8 7EC5FEFF   call crackme.0041A228                    ; local.1 = serial text
0042DCAA  |.  8B45 FC       mov eax,[local.1]
0042DCAD  |.  E8 F688FDFF   call crackme.004065A8                    ; string -> integer
0042DCB2  |.  A3 60F74200   mov dword ptr ds:[42F760],eax            ; [42F760] = entered serial as integer
0042DCB7  |.  A1 58F74200   mov eax,dword ptr ds:[42F758]            ; eax = expected value
0042DCBC  |.  3B05 60F74200 cmp eax,dword ptr ds:[42F760]            ; expected == entered? (the only check)
0042DCC2  |.  75 17         jnz short crackme.0042DCDB               ; mismatch -> "Bad Name Or Serial"
0042DCC4  |.  6A 00         push 0                                   ; /Arg1 = 00000000
0042DCC6  |.  66:8B0D 1CDD4>mov cx,word ptr ds:[42DD1C]              ; |
0042DCCD  |.  B2 02         mov dl,2                                 ; |
0042DCCF  |.  B8 A0DD4200   mov eax,crackme.0042DDA0                 ; |ASCII "Good Serial, Thanks For trying this Crackme bY nIabI !"
0042DCD4  |.  E8 67F1FFFF   call crackme.0042CE40                    ; \crackme.0042CE40
0042DCD9  |.  EB 15         jmp short crackme.0042DCF0               ; common exit
0042DCDB  |>  6A 00         push 0                                   ; /Arg1 = 00000000
0042DCDD  |.  66:8B0D 1CDD4>mov cx,word ptr ds:[42DD1C]              ; |
0042DCE4  |.  B2 02         mov dl,2                                 ; |
0042DCE6  |.  B8 E0DD4200   mov eax,crackme.0042DDE0                 ; |ASCII "Bad Name Or Serial Number !!!!!"
0042DCEB  |.  E8 50F1FFFF   call crackme.0042CE40                    ; \crackme.0042CE40


name:ddsoft ,key:123456789
软件用GetVolumeInformation得到一个序列号,好像是C盘序列号吧,具体可以仔细查查MSDN。
反正我的号码是:1084A2C7
软件计算我的name,将"dsoft"这5个字符的ASCII码按10进制分别写为100,115,111,102,116,拼接成字符串 "100115111102116"。

再取前3位,记为char s[]="100"
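/* Parse the first 3 decimal digits of s into an integer (s = "100" -> 100 = 0x64).
 * The accumulator must be scaled by 10 before the next digit is added; the
 * original "(s[i]-0x30)*10+sum" never scales sum, so "100" would give 10
 * instead of the 0x64 stated below. */
int sum = 0;
for (int i = 0; i < 3; i++)
{
    sum = sum * 10 + (s[i] - 0x30);     /* '0' == 0x30 */
}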
得到结果为0x64
0x64*6=0x258
0x258/3 商为C8  ((C8+0x10)*2*9) ^ 5=F35

F35*6=00005B3E,再右移一位(sar),得2D9F,(2D9F+0xD)*0x36=0009A248
,(0009A248<<5+0009A248)=013DEB48,013DEB48 ^0x10=013DEB58 ···

(int(013DEB58*2*3)/3)+0xD=027BD6BD,027BD6BD*2*3*0x59 ^ 9=2E51EE3E

序列号:1084A2C7 左移2位,得42128B1C
42128B1C/3,商为16062E5E,(16062E5E ^3)+0x40=16062E9D,
int(16062E9D*2*3)=842517AE,
此时edx=-1,所以842517AE idiv 5得到E73A9E56
(E73A9E56 ^ 0x25)+0x27=E73A9E9A
(E73A9E9A*5 ^ 22) +3=84251923
--------------------------------------
这里算法已经看到我标出的4这一步了,后面完全一样,很无聊 。呵呵!
此crackme故意不把序列号显示出来,但防止不了注册机的制作。。。呵呵,只要我们也调用
GetVolumeInformation,将第一个参数传NULL即可得到该序列号。

但Crackme的特点在于频繁使用相同的 加减乘除和异或 作算法运算。
没有什么技术含量。正因为如此我懒得继续看下去了。。。

写注册机的话,直接用C内联汇编 会非常简单。呵呵!
此crackme的最大漏洞在于一直使用两个全局变量作为两个运算值的结果,你只要多观察42F750和42F758两处内存数据的变换就清楚了。
作者以为两个运算不一次做完,而是一次会变换用户名,一会儿变换注册码,就能阻挡crack,实在是有点天真。。。
PS:我也是菜鸟,向大家学习!

沙发,分析的不错~
2010-12-1 14:55
我下载来破解试试 ths
2010-12-3 15:28