这个软件挺烦的,一直用加减乘除和异或作变换。。
几次运算的思路一样,就是换换常数,我快跟得没耐心了。
用 DeDe 得到注册按钮的事件处理函数(OnClick)地址: 0042DAD4
下好断点。
; OllyDbg listing (32-bit x86, Intel syntax) of the registration handler. The routine
; starts before 0042DB02 and its common exit 0042DCF0 lies past the end of this excerpt.
; Register roles, inferred from use in this excerpt: ebx = form/object whose fields at
; +1E0/+1E4 are the two edit controls, edi = a string variable used as a builder,
; esi -> the loop counter; local.1/local.2 are temporary string pointers.
0042DB02 |. A3 44F74200 mov dword ptr ds:[42F744],eax ; [42F744] = pointer that receives the volume serial (pushed below as pVolumeSerialNumber)
; lpRootPathName is NULL: per the GetVolumeInformation documentation that queries the
; volume of the *current directory*, not necessarily C: (see the author's note below).
0042DB07 |. 6A 00 push 0 ; /pFileSystemNameSize = NULL
0042DB09 |. 6A 00 push 0 ; |pFileSystemNameBuffer = NULL
0042DB0B |. 68 4CF74200 push crackme.0042F74C ; |pFileSystemFlags = crackme.0042F74C
0042DB10 |. 68 48F74200 push crackme.0042F748 ; |pMaxFilenameLength = crackme.0042F748
0042DB15 |. A1 44F74200 mov eax,dword ptr ds:[42F744] ; |
0042DB1A |. 50 push eax ; |pVolumeSerialNumber => 009E6B88
0042DB1B |. 6A 00 push 0 ; |MaxVolumeNameSize = 0
0042DB1D |. 6A 00 push 0 ; |VolumeNameBuffer = NULL
0042DB1F |. 6A 00 push 0 ; |RootPathName = NULL
0042DB21 |. E8 5E75FDFF call <jmp.&kernel32.GetVolumeInformation>; \GetVolumeInformationA
; The BOOL result in eax is never tested: on failure the code goes on using whatever
; happens to be in the output slot.
0042DB26 |. A1 44F74200 mov eax,dword ptr ds:[42F744]
0042DB2B |. 8B00 mov eax,dword ptr ds:[eax] ; eax = volume serial number
0042DB2D |. A3 50F74200 mov dword ptr ds:[42F750],eax ; global 42F750 = volume serial (first of the two working globals)
0042DB32 |. 8D55 FC lea edx,[local.1]
0042DB35 |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+1E0] ; ebx+1E0: the Name edit control (author's reading)
0042DB3B |. E8 E8C6FEFF call crackme.0041A228 ; local.1 = Name text; the author's test input is "ddsoft"
0042DB40 |. 837D FC 00 cmp [local.1],0 ; a NULL string pointer is treated as "no name entered"
0042DB44 |. 75 1A jnz short crackme.0042DB60
0042DB46 |. 6A 00 push 0 ; /Arg1 = 00000000
0042DB48 |. 66:8B0D 1CDD4>mov cx,word ptr ds:[42DD1C] ; |
0042DB4F |. B2 02 mov dl,2 ; |
0042DB51 |. B8 28DD4200 mov eax,crackme.0042DD28 ; |ASCII "Please typ in your name !!"
0042DB56 |. E8 E5F2FFFF call crackme.0042CE40 ; \crackme.0042CE40 -- message-box helper; the same 5-instruction sequence precedes all four messages
0042DB5B |. E9 90010000 jmp crackme.0042DCF0 ; common exit (outside this excerpt)
0042DB60 |> 8D55 FC lea edx,[local.1]
0042DB63 |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+1E0]
0042DB69 |. E8 BAC6FEFF call crackme.0041A228 ; re-read the Name text
0042DB6E |. 8B45 FC mov eax,[local.1]
0042DB71 |. E8 4A5CFDFF call crackme.004037C0 ; eax = length of the Name (the compare and the message below confirm this)
0042DB76 |. 83F8 06 cmp eax,6 ; Name must be at least 6 characters long
0042DB79 |. 7D 1A jge short crackme.0042DB95 ; signed compare (jge) on a length; fine as long as the length helper never returns a negative value
0042DB7B |. 6A 00 push 0 ; /Arg1 = 00000000
0042DB7D |. 66:8B0D 1CDD4>mov cx,word ptr ds:[42DD1C] ; |
0042DB84 |. B2 02 mov dl,2 ; |
0042DB86 |. B8 4CDD4200 mov eax,crackme.0042DD4C ; |ASCII "Type at least 6 chars for your name! !"
0042DB8B |. E8 B0F2FFFF call crackme.0042CE40 ; \crackme.0042CE40
0042DB90 |. E9 5B010000 jmp crackme.0042DCF0
0042DB95 |> 8D55 FC lea edx,[local.1]
0042DB98 |. 8B83 E4010000 mov eax,dword ptr ds:[ebx+1E4] ; ebx+1E4: the Serial edit control (author's reading)
0042DB9E |. E8 85C6FEFF call crackme.0041A228 ; local.1 = Serial text
0042DBA3 |. 837D FC 00 cmp [local.1],0 ; empty serial?
0042DBA7 |. 75 1A jnz short crackme.0042DBC3
0042DBA9 |. 6A 00 push 0 ; /Arg1 = 00000000
0042DBAB |. 66:8B0D 1CDD4>mov cx,word ptr ds:[42DD1C] ; |
0042DBB2 |. B2 02 mov dl,2 ; |
0042DBB4 |. B8 7CDD4200 mov eax,crackme.0042DD7C ; |ASCII "Please enter your serial !"
0042DBB9 |. E8 82F2FFFF call crackme.0042CE40 ; \crackme.0042CE40
0042DBBE |. E9 2D010000 jmp crackme.0042DCF0
; --- Name transform: build a digit string from characters 2..6 of the Name ---
0042DBC3 |> 8BC7 mov eax,edi
0042DBC5 |. E8 7A59FDFF call crackme.00403544 ; called again at 0042DC25 once the string has been consumed -- presumably clears/frees the edi string
0042DBCA |. C706 02000000 mov dword ptr ds:[esi],2 ; loop counter i = 2 (1-based character index)
0042DBD0 |> 8D55 FC /lea edx,[local.1]
0042DBD3 |. 8B83 E0010000 |mov eax,dword ptr ds:[ebx+1E0]
0042DBD9 |. E8 4AC6FEFF |call crackme.0041A228 ; the Name text is re-read from the control on every iteration
0042DBDE |. 8B45 FC |mov eax,[local.1]
0042DBE1 |. 8B16 |mov edx,dword ptr ds:[esi]
0042DBE3 |. 0FB64410 FF |movzx eax,byte ptr ds:[eax+edx-1] ; eax = Name[i]; the index is 1-based, hence the -1
0042DBE8 |. 8D55 F8 |lea edx,[local.2]
0042DBEB |. E8 8889FDFF |call crackme.00406578 ; local.2 = the character code as a decimal string ('d' -> "100") -- author's reading, matches the trace in the notes
0042DBF0 |. 8B55 F8 |mov edx,[local.2]
0042DBF3 |. 8BC7 |mov eax,edi
0042DBF5 |. E8 CE5BFDFF |call crackme.004037C8 ; append local.2 to the edi string (the trace shows "100115111102116" after the loop)
0042DBFA |. FF06 |inc dword ptr ds:[esi]
0042DBFC |. 833E 07 |cmp dword ptr ds:[esi],7 ; i runs 2,3,4,5,6 -> five characters ("dsoft" for "ddsoft")
0042DBFF |.^ 75 CF \jnz short crackme.0042DBD0
; Only the "length >= 6" check above keeps Name[i] in bounds for i <= 6.
0042DC01 |. 8D45 F8 lea eax,[local.2]
0042DC04 |. 50 push eax
0042DC05 |. B9 03000000 mov ecx,3 ; count = 3
0042DC0A |. BA 01000000 mov edx,1 ; start = 1
0042DC0F |. 8B07 mov eax,dword ptr ds:[edi]
0042DC11 |. E8 AE5DFDFF call crackme.004039C4 ; local.2 = first 3 characters of the digit string ("100") -- author's reading
0042DC16 |. 8B45 F8 mov eax,[local.2]
0042DC19 |. E8 8A89FDFF call crackme.004065A8 ; string -> integer ("100" -> 0x64); the same helper parses the Serial at 0042DCAD
0042DC1E |. A3 58F74200 mov dword ptr ds:[42F758],eax ; global 42F758 = Name-derived value (second working global)
0042DC23 |. 8BC7 mov eax,edi
0042DC25 |. E8 1A59FDFF call crackme.00403544
; --- Transform rounds: every call below takes eax=ebx and reworks either 42F750 (volume
; --- serial) or 42F758 (name value). The load/store pairs between the calls write a
; --- global back to itself and have no effect; they are just convenient places to watch.
0042DC2A |. 8BC3 mov eax,ebx
0042DC2C |. E8 B3FCFFFF call crackme.0042D8E4
0042DC31 |. A1 50F74200 mov eax,dword ptr ds:[42F750]
0042DC36 |. A3 50F74200 mov dword ptr ds:[42F750],eax ; no-op store; the author observed 42F750 = 16062E9D here
0042DC3B |. 8BC3 mov eax,ebx
0042DC3D |. E8 F2FCFFFF call crackme.0042D934
0042DC42 |. A1 58F74200 mov eax,dword ptr ds:[42F758]
0042DC47 |. A3 58F74200 mov dword ptr ds:[42F758],eax ; no-op store
0042DC4C |. 8BC3 mov eax,ebx
0042DC4E |. E8 35FDFFFF call crackme.0042D988
0042DC53 |. 8BC3 mov eax,ebx ; author's marker "4": the arithmetic trace in the notes stops at this round
0042DC55 |. E8 7EFDFFFF call crackme.0042D9D8
0042DC5A |. A1 58F74200 mov eax,dword ptr ds:[42F758]
0042DC5F |. A3 58F74200 mov dword ptr ds:[42F758],eax ; no-op store
0042DC64 |. 8BC3 mov eax,ebx
0042DC66 |. E8 B1FDFFFF call crackme.0042DA1C
0042DC6B |. 8BC3 mov eax,ebx
0042DC6D |. E8 B6FDFFFF call crackme.0042DA28
0042DC72 |. A1 58F74200 mov eax,dword ptr ds:[42F758]
0042DC77 |. A3 58F74200 mov dword ptr ds:[42F758],eax ; no-op store
0042DC7C |. 8BC3 mov eax,ebx
0042DC7E |. E8 B1FDFFFF call crackme.0042DA34
0042DC83 |. 8BC3 mov eax,ebx
0042DC85 |. E8 F2FDFFFF call crackme.0042DA7C
0042DC8A |. 8BC3 mov eax,ebx
0042DC8C |. E8 0BFEFFFF call crackme.0042DA9C
; --- Combine the two globals and compare with the typed serial ---
0042DC91 |. A1 50F74200 mov eax,dword ptr ds:[42F750]
0042DC96 |. 0105 58F74200 add dword ptr ds:[42F758],eax ; expected = f(name) + g(volume serial), 32-bit wrap-around
0042DC9C |. 8D55 FC lea edx,[local.1]
0042DC9F |. 8B83 E4010000 mov eax,dword ptr ds:[ebx+1E4]
0042DCA5 |. E8 7EC5FEFF call crackme.0041A228 ; local.1 = Serial text
0042DCAA |. 8B45 FC mov eax,[local.1]
0042DCAD |. E8 F688FDFF call crackme.004065A8 ; Serial text -> integer
0042DCB2 |. A3 60F74200 mov dword ptr ds:[42F760],eax ; global 42F760 = serial as typed
0042DCB7 |. A1 58F74200 mov eax,dword ptr ds:[42F758]
0042DCBC |. 3B05 60F74200 cmp eax,dword ptr ds:[42F760] ; the entire check is one 32-bit equality
0042DCC2 |. 75 17 jnz short crackme.0042DCDB ; single accept/reject branch; the expected value itself is never displayed
0042DCC4 |. 6A 00 push 0 ; /Arg1 = 00000000
0042DCC6 |. 66:8B0D 1CDD4>mov cx,word ptr ds:[42DD1C] ; |
0042DCCD |. B2 02 mov dl,2 ; |
0042DCCF |. B8 A0DD4200 mov eax,crackme.0042DDA0 ; |ASCII "Good Serial, Thanks For trying this Crackme bY nIabI !"
0042DCD4 |. E8 67F1FFFF call crackme.0042CE40 ; \crackme.0042CE40
0042DCD9 |. EB 15 jmp short crackme.0042DCF0
0042DCDB |> 6A 00 push 0 ; /Arg1 = 00000000
0042DCDD |. 66:8B0D 1CDD4>mov cx,word ptr ds:[42DD1C] ; |
0042DCE4 |. B2 02 mov dl,2 ; |
0042DCE6 |. B8 E0DD4200 mov eax,crackme.0042DDE0 ; |ASCII "Bad Name Or Serial Number !!!!!"
0042DCEB |. E8 50F1FFFF call crackme.0042CE40 ; \crackme.0042CE40 -- falls through to the common exit 0042DCF0 (not shown)
测试输入 name: ddsoft, key: 123456789
软件用 GetVolumeInformation 取一个卷序列号。按 MSDN 的说明,lpRootPathName 传 NULL 时查询的是当前目录所在的卷,通常(但不一定)就是 C 盘;另外代码并没有检查这个调用的返回值。
反正我机器上得到的号码是: 1084A2C7
软件计算我的 name:把 "dsoft" 这 5 个字符的 ASCII 码按十进制分别写成 100,115,111,102,116,再拼接成字符串 "100115111102116",
再取前 3 位,记为 char s[]="100",并按十进制把它解析成整数:
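/* Reference implementation of the first step of the name transform: the three
 * leading digits of the concatenated ASCII string are parsed as a decimal
 * number. For "100" (from "dsoft" -> "100115111102116") this returns 100 =
 * 0x64, which is the value the arithmetic trace below starts from.
 *
 * The writeup's original loop body, sum=(s[i]-0x30)*10+sum, multiplies each
 * digit by 10 instead of scaling the running total, and evaluates to 10
 * rather than 100; the accumulator must be multiplied by 10 before the next
 * digit is added. Only s[0..2] are read, so s must hold at least three ASCII
 * digits. */
static int first3_to_int(const char *s)
{
    int sum = 0;                         /* running decimal value */
    for (int i = 0; i < 3; i++)
    {
        sum = sum * 10 + (s[i] - 0x30);  /* shift left one decimal digit, then add digit i */
    }
    return sum;
}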
得到结果为0x64
0x64*6 = 0x258 (十进制 600)
0x258/3 商为 0xC8,((0xC8+0x10)*2*9) ^ 5 = 0xF35 (以下常数均为十六进制)
F35*6=00005B3E,再右移一位(sar),得2D9F,(2D9F+0xD)*0x36=0009A248
,(0009A248<<5+0009A248)=013DEB48,013DEB48 ^0x10=013DEB58 ···
(int(013DEB58*2*3)/3)+0xD=027BD6BD,027BD6BD*2*3*0x59 ^ 9=2E51EE3E
序列号:1084A2C7 左移2位,得42128B1C
42128B1C/3,商为16062E5E,(16062E5E ^3)+0x40=16062E9D,
((int(16062E9D*2*3)=842517AE,
此时 edx=-1(842517AE 最高位为 1,除法前的符号扩展把它当成了负数),所以 842517AE idiv 5 得到 E73A9E56
(E73A9E56 ^ 0x25)+0x27=E73A9E9A
(E73A9E9A*5 ^ 22) +3=84251923
--------------------------------------
算法我只跟到上面标出 "4" 的那一步(0042DC53),后面几轮完全一样,很无聊。呵呵!
此 crackme 故意不把正确的序列号显示出来,但防止不了注册机的制作。。。呵呵,只要注册机也调用
GetVolumeInformation,把第一个参数 lpRootPathName 传 NULL 即可得到同一个卷序列号(注意 NULL 表示当前目录所在的卷,注册机要在同一个卷上运行才能取到相同的值)。
但Crackme的特点在于频繁使用相同的 加减乘除和异或 作算法运算。
没有什么技术含量。正因为如此我懒得继续看下去了。。。
写注册机的话,直接用C内联汇编 会非常简单。呵呵!
此 crackme 的最大漏洞在于始终用两个全局变量存放中间结果:42F750 保存卷序列号的变换值,42F758 保存用户名的变换值。对这两处内存下访问断点,多观察它们的变化就清楚了。
作者以为两个运算不一次做完,而是一次会变换用户名,一会儿变换注册码,就能阻挡crack,实在是有点天真。。。
PS:我也是菜鸟,向大家学习!