【Article title】: [vo!d] crackme algorithm tutorial
【Author】: lnn1123
【Group】: PCG
【Software】: crackme
【Difficulty】: low
============================================================
【Software introduction】
I have been in a foul mood these days: I failed the math exam and got a scolding from my homeroom teacher, so I picked an easy target to let off some steam. Readers take note: if you are not a newbie, skip this one. Enough said; let's look at the CRACKME. It is not packed, which makes things easy, so load it in OD (OllyDbg) and follow the analysis below.
============================================================
【Cracking analysis】
There is no error message, so I used Lao Luo's plugin to find the success message and set a breakpoint there:
00401218 . A1 28694000 MOV EAX,DWORD PTR DS:[406928] ; Case 3EB of switch 00401208
0040121D . 8B35 C0504000 MOV ESI,DWORD PTR DS:[<&USER32.GetDlgItemTextA>>; USER32.GetDlgItemTextA
00401223 . 68 FF000000 PUSH 0FF ; /Count = FF (255.)
00401228 . 68 30694000 PUSH vcrkme01.00406930 ; |Buffer = vcrkme01.00406930
0040122D . 68 E8030000 PUSH 3E8 ; |ControlID = 3E8 (1000.)
00401232 . 50 PUSH EAX ; |hWnd => 000E058C ('[v0!d] Crackme - v0.01',class='#32770')
00401233 . FFD6 CALL ESI ; \get the registration name; its length is returned in EAX
00401235 . 8B0D 28694000 MOV ECX,DWORD PTR DS:[406928]
0040123B . 68 FF000000 PUSH 0FF ; /Count = FF (255.)
00401240 . 68 306A4000 PUSH vcrkme01.00406A30 ; |Buffer = vcrkme01.00406A30
00401245 . 68 EA030000 PUSH 3EA ; |ControlID = 3EA (1002.)
0040124A . 51 PUSH ECX ; |hWnd => 000E058C ('[v0!d] Crackme - v0.01',class='#32770')
0040124B . FFD6 CALL ESI ; \get the serial; its length is returned in EAX
0040124D . 68 306A4000 PUSH vcrkme01.00406A30 ; ASCII "c-N1123-5678"
00401252 . 68 30694000 PUSH vcrkme01.00406930 ; ASCII "crackerlnn"
00401257 . E8 A4FDFFFF CALL vcrkme01.00401000 ; the key CALL, step into it
0040125C . 83C4 08 ADD ESP,8
0040125F . 83F8 01 CMP EAX,1
00401262 . A3 646C4000 MOV DWORD PTR DS:[406C64],EAX
00401267 . 75 65 JNZ SHORT vcrkme01.004012CE
00401269 . 8B15 28694000 MOV EDX,DWORD PTR DS:[406928] ; the success message follows
0040126F . 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401271 . 68 80604000 PUSH vcrkme01.00406080 ; |Title = "GOOD JOB! - CRACKED!"
00401276 . 68 50604000 PUSH vcrkme01.00406050 ; |Text = "Send your solution to : v0id2k1@hotmail.com "
0040127B . 52 PUSH EDX ; |hOwner => 000E058C ('[v0!d] Crackme - v0.01',class='#32770')
0040127C . FF15 C4504000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; \MessageBoxA
Step into CALL vcrkme01.00401000 and have a look; the good stuff is inside:
00401000 /$ 53 PUSH EBX
00401001 |. 8B5C24 0C MOV EBX,DWORD PTR SS:[ESP+C] ; serial
00401005 |. 55 PUSH EBP
00401006 |. 56 PUSH ESI
00401007 |. 8B7424 10 MOV ESI,DWORD PTR SS:[ESP+10] ; registration name
0040100B |. 8A0B MOV CL,BYTE PTR DS:[EBX] ; first character of the serial
0040100D |. 33ED XOR EBP,EBP ; clear to 0
0040100F |. 57 PUSH EDI
00401010 |. 8A06 MOV AL,BYTE PTR DS:[ESI] ; first character of the name
00401012 |. 3AC1 CMP AL,CL ; compare
00401014 |. 0F85 69010000 JNZ vcrkme01.00401183 ; jumping here means failure; must not jump
0040101A |. 8BFE MOV EDI,ESI ; copy the name pointer
0040101C |. 83C9 FF OR ECX,FFFFFFFF
0040101F |. 33C0 XOR EAX,EAX ; clear
00401021 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; string scan of the name (strlen)
00401023 |. F7D1 NOT ECX
00401025 |. 49 DEC ECX
00401026 |. 83F9 05 CMP ECX,5 ; compare the length with 5
00401029 |. 0F82 54010000 JB vcrkme01.00401183 ; jumps if less; must not jump
0040102F |. 807B 01 2D CMP BYTE PTR DS:[EBX+1],2D ; compare the second character of the serial with 2D ('-')
00401033 |. 0F85 4A010000 JNZ vcrkme01.00401183 ; jumps if not equal; must not jump
00401039 |. 8BFE MOV EDI,ESI ; copy
0040103B |. 83C9 FF OR ECX,FFFFFFFF
0040103E |. 33C0 XOR EAX,EAX ; clear to 0
00401040 |. 33D2 XOR EDX,EDX ; clear to 0
00401042 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; string scan of the name
00401044 |. F7D1 NOT ECX
00401046 |. 49 DEC ECX
00401047 |. 74 17 JE SHORT vcrkme01.00401060 ; the loop below sums the ASCII codes of the name
00401049 |> 0FBE0C32 /MOVSX ECX,BYTE PTR DS:[EDX+ESI] ; fetch each ASCII code of the name in turn
0040104D |. 03E9 |ADD EBP,ECX ; accumulate into EBP
0040104F |. 8BFE |MOV EDI,ESI
00401051 |. 83C9 FF |OR ECX,FFFFFFFF
00401054 |. 33C0 |XOR EAX,EAX ; clear to 0
00401056 |. 42 |INC EDX ; +1
00401057 |. F2:AE |REPNE SCAS BYTE PTR ES:[EDI] ; string scan of the name
00401059 |. F7D1 |NOT ECX
0040105B |. 49 |DEC ECX
0040105C |. 3BD1 |CMP EDX,ECX ; loop once per character (10 times for this name)
0040105E |.^72 E9 \JB SHORT vcrkme01.00401049 ; back to the loop
00401060 |> 81C5 64600000 ADD EBP,6064 ; sum + 6064
00401066 |. 55 PUSH EBP
00401067 |. 68 34604000 PUSH vcrkme01.00406034 ; ASCII "%lu"
0040106C |. 68 306B4000 PUSH vcrkme01.00406B30 ; ASCII "50411"
00401071 |. E8 B6030000 CALL vcrkme01.0040142C ; convert to an unsigned decimal string
00401076 |. 8A16 MOV DL,BYTE PTR DS:[ESI] ; first character of the name
00401078 |. 8BFE MOV EDI,ESI
0040107A |. 83C9 FF OR ECX,FFFFFFFF
0040107D |. 33C0 XOR EAX,EAX ; clear to 0
0040107F |. 8815 446B4000 MOV BYTE PTR DS:[406B44],DL ; store into the buffer
00401085 |. C605 456B4000 >MOV BYTE PTR DS:[406B45],2D ; store '-' into the buffer
0040108C |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; string scan of the name
0040108E |. F7D1 NOT ECX
00401090 |. 49 DEC ECX
00401091 |. 0FBE4431 FF MOVSX EAX,BYTE PTR DS:[ECX+ESI-1] ; last character of the name
00401096 |. 50 PUSH EAX ; push onto the stack
00401097 |. E8 C4020000 CALL vcrkme01.00401360 ; convert a lowercase letter to uppercase
0040109C |. A2 466B4000 MOV BYTE PTR DS:[406B46],AL ; AL holds the converted result; store into the buffer
004010A1 |. BF 306B4000 MOV EDI,vcrkme01.00406B30 ; ASCII "50411"
004010A6 |. 83C9 FF OR ECX,FFFFFFFF
004010A9 |. 33C0 XOR EAX,EAX ; clear to 0
004010AB |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; string scan of the converted unsigned decimal string
004010AD |. F7D1 NOT ECX
004010AF |. 2BF9 SUB EDI,ECX ; EDI=EDI-ECX
004010B1 |. 81C5 64600000 ADD EBP,6064 ; add 6064 again
004010B7 |. 8BF7 MOV ESI,EDI ; the unsigned decimal string
004010B9 |. 8BD1 MOV EDX,ECX
004010BB |. BF 446B4000 MOV EDI,vcrkme01.00406B44 ; ASCII "c-N25735-50411"
004010C0 |. 83C9 FF OR ECX,FFFFFFFF
004010C3 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; string scan of the buffer contents stored above
004010C5 |. 8BCA MOV ECX,EDX
004010C7 |. 4F DEC EDI
004010C8 |. C1E9 02 SHR ECX,2 ; shift right by 2
004010CB |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; copy the string into the buffer (strcat)
004010CD |. 8BCA MOV ECX,EDX
004010CF |. 55 PUSH EBP
004010D0 |. 83E1 03 AND ECX,3
004010D3 |. 68 34604000 PUSH vcrkme01.00406034 ; ASCII "%lu"
004010D8 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
004010DA |. BF 30604000 MOV EDI,vcrkme01.00406030
004010DF |. 83C9 FF OR ECX,FFFFFFFF
004010E2 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; string scan of "-"
004010E4 |. F7D1 NOT ECX
004010E6 |. 2BF9 SUB EDI,ECX
004010E8 |. 68 306B4000 PUSH vcrkme01.00406B30 ; ASCII "50411"
004010ED |. 8BF7 MOV ESI,EDI
004010EF |. 8BD1 MOV EDX,ECX
004010F1 |. BF 446B4000 MOV EDI,vcrkme01.00406B44 ; ASCII "c-N25735-50411"
004010F6 |. 83C9 FF OR ECX,FFFFFFFF
004010F9 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; string scan of the buffer contents
004010FB |. 8BCA MOV ECX,EDX
004010FD |. 4F DEC EDI
004010FE |. C1E9 02 SHR ECX,2 ; shift right by 2
00401101 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
00401103 |. 8BCA MOV ECX,EDX
00401105 |. 83E1 03 AND ECX,3
00401108 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; append "-" to the buffer
0040110A |. E8 1D030000 CALL vcrkme01.0040142C ; convert to an unsigned decimal string
0040110F |. BF 306B4000 MOV EDI,vcrkme01.00406B30 ; ASCII "50411"
00401114 |. 83C9 FF OR ECX,FFFFFFFF
00401117 |. 33C0 XOR EAX,EAX ; clear to 0
00401119 |. 83C4 1C ADD ESP,1C
0040111C |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; string scan of the converted result
0040111E |. F7D1 NOT ECX
00401120 |. 2BF9 SUB EDI,ECX
00401122 |. 8BF7 MOV ESI,EDI
00401124 |. 8BD1 MOV EDX,ECX
00401126 |. BF 446B4000 MOV EDI,vcrkme01.00406B44 ; ASCII "c-N25735-50411"
0040112B |. 83C9 FF OR ECX,FFFFFFFF
0040112E |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; string scan
00401130 |. 8BCA MOV ECX,EDX
00401132 |. 4F DEC EDI
00401133 |. C1E9 02 SHR ECX,2
00401136 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; append the converted unsigned decimal string to the buffer
00401138 |. 8BCA MOV ECX,EDX
0040113A |. 8BC3 MOV EAX,EBX ; serial
0040113C |. 83E1 03 AND ECX,3
0040113F |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00401141 |. BE 446B4000 MOV ESI,vcrkme01.00406B44 ; ASCII "c-N25735-50411"
00401146 |> 8A10 /MOV DL,BYTE PTR DS:[EAX] ; first character of the serial
00401148 |. 8A1E |MOV BL,BYTE PTR DS:[ESI] ; first character of the generated correct serial
0040114A |. 8ACA |MOV CL,DL ; copy
0040114C |. 3AD3 |CMP DL,BL ; compare
0040114E |. 75 25 |JNZ SHORT vcrkme01.00401175 ; must not jump
00401150 |. 84C9 |TEST CL,CL ; test again (end of string?)
00401152 |. 74 16 |JE SHORT vcrkme01.0040116A ; must not jump
00401154 |. 8A50 01 |MOV DL,BYTE PTR DS:[EAX+1] ; second character of the serial
00401157 |. 8A5E 01 |MOV BL,BYTE PTR DS:[ESI+1] ; second character of the computed correct serial
0040115A |. 8ACA |MOV CL,DL ; copy
0040115C |. 3AD3 |CMP DL,BL ; compare
0040115E |. 75 15 |JNZ SHORT vcrkme01.00401175 ; must not jump
00401160 |. 83C0 02 |ADD EAX,2 ; EAX=EAX+2
00401163 |. 83C6 02 |ADD ESI,2 ; ESI=ESI+2
00401166 |. 84C9 |TEST CL,CL ; finished comparing?
00401168 |.^75 DC \JNZ SHORT vcrkme01.00401146 ; loop the comparison
0040116A |> 33C0 XOR EAX,EAX ; I won't go through the rest
0040116C |. 33D2 XOR EDX,EDX
0040116E |. 85C0 TEST EAX,EAX
00401170 |. 0F94C2 SETE DL
00401173 |. EB 12 JMP SHORT vcrkme01.00401187
00401175 |> 1BC0 SBB EAX,EAX
00401177 |. 83D8 FF SBB EAX,-1
0040117A |. 33D2 XOR EDX,EDX
0040117C |. 85C0 TEST EAX,EAX
0040117E |. 0F94C2 SETE DL
00401181 |. EB 04 JMP SHORT vcrkme01.00401187
00401183 |> 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]
00401187 |> B9 40000000 MOV ECX,40
0040118C |. 33C0 XOR EAX,EAX
0040118E |. BF 446B4000 MOV EDI,vcrkme01.00406B44 ; ASCII "c-N25735-50411"
00401193 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00401195 |. 5F POP EDI
00401196 |. 5E POP ESI
00401197 |. 5D POP EBP
00401198 |. 8BC2 MOV EAX,EDX
0040119A |. 5B POP EBX
0040119B \. C3 RETN
Keygen code (rather sloppily written):
#include <stdio.h>
#include <string.h>
#include <ctype.h>

int main(void)
{
    char name[256];
    size_t i, j;
    int k;
    unsigned long sum = 0, c;

    printf(" KeyGen by lnn1123\n");
    printf("input your name:");
    if (fgets(name, sizeof name, stdin) == NULL)   /* fgets instead of the unsafe gets() */
        return 1;
    name[strcspn(name, "\r\n")] = '\0';            /* drop the newline fgets keeps */
    i = strlen(name);
    if (i < 5) {                                   /* the crackme rejects names shorter than 5 characters */
        printf("name must be at least 5 characters\n");
        return 1;
    }
    for (j = 0; j < i; j++) {                      /* ASCII sum of the name */
        k = name[j];
        sum = sum + k;
    }
    sum = sum + 0x6064;                            /* second part: sum + 0x6064 */
    c = sum + 0x6064;                              /* third part: + 0x6064 again */
    printf("your Key is :\n");
    /* first char, '-', uppercase last char, second part, '-', third part */
    printf("%c-%c%lu-%lu\n", name[0], toupper((unsigned char)name[i - 1]), sum, c);
    return 0;
}
============================================================
【Summary of the analysis】
A caveat first: my summary may not be great, so the analysis above is the thing to read. The serial is made of three parts: the first part is the first character of the registration name; the second part is the uppercase of the name's last character followed by the decimal of (ASCII sum of the name + 0x6064); the third part is the decimal of ((ASCII sum of the name + 0x6064) + 0x6064).
Finally, the serial is compared with the generated one character by character.
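As an added example (not code from the original post or from the crackme's author), here is a C model of the routine at 00401000 as the listing and the summary describe it: the three early rejections, the ASCII sum with the two 0x6064 additions, the uppercase of the last character, and the final character-by-character comparison. The names make_key, key_for, check_key and BASE are my own; the crackme exports no such symbols. For the name "crackerlnn" used in the listing it reproduces the serial "c-N25735-50411" that OllyDbg showed in the buffer at 00406B44, which is a quick way to confirm the analysis.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post or from the crackme author:
   a C model of the check routine at vcrkme01.00401000, reconstructed from the
   listing. make_key, key_for, check_key and BASE are names I chose. */

#define BASE 0x6064UL   /* constant added at 00401060 and again at 004010B1 */

/* Writes the serial the crackme expects for `name` into `out`.
   Returns the length written, or -1 if the name is shorter than the five
   characters required at 00401026 or the output buffer is too small. */
int make_key(const char *name, char *out, size_t outsz)
{
    size_t len = strlen(name);
    if (len < 5)
        return -1;

    /* Loop at 00401049: MOVSX sign-extends each byte into ECX and ADDs it
       to the 32-bit EBP, so sum as signed char modulo 2^32. */
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += (uint32_t)(int32_t)(signed char)name[i];

    uint32_t part2 = sum + (uint32_t)BASE;    /* printed with "%lu" at 00401071 */
    uint32_t part3 = part2 + (uint32_t)BASE;  /* printed with "%lu" at 0040110A */

    /* Layout assembled into the buffer at 00406B44:
       name[0], '-', toupper(last char), part2, '-', part3 */
    int n = snprintf(out, outsz, "%c-%c%lu-%lu",
                     name[0], toupper((unsigned char)name[len - 1]),
                     (unsigned long)part2, (unsigned long)part3);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Convenience wrapper returning the serial in a static buffer,
   or NULL when make_key rejects the name. */
const char *key_for(const char *name)
{
    static char buf[64];
    return make_key(name, buf, sizeof buf) < 0 ? NULL : buf;
}

/* Mirrors the decision made by the routine: 1 = accepted, 0 = rejected.
   The three early rejections are the JNZ/JB jumps to 00401183. */
int check_key(const char *name, const char *code)
{
    const char *expect;
    if (code[0] != name[0])           /* 00401012: CMP AL,CL */
        return 0;
    if (strlen(name) < 5)             /* 00401026: CMP ECX,5 / JB */
        return 0;
    if (code[1] != '-')               /* 0040102F: CMP BYTE PTR [EBX+1],2D */
        return 0;
    expect = key_for(name);
    if (expect == NULL)
        return 0;
    return strcmp(code, expect) == 0; /* byte-wise loop at 00401146 */
}

int main(void)
{
    const char *name = "crackerlnn";  /* the name used in the listing */
    const char *key = key_for(name);
    if (key == NULL) {
        puts("name must be at least 5 characters");
        return 1;
    }
    printf("%s -> %s (accepted: %d)\n", name, key, check_key(name, key));
    return 0;
}
```

Compile with any C99 compiler. The sum uses sign extension and 32-bit wraparound to match EBP exactly, which only matters for names containing bytes above 0x7F. From a defensive standpoint the model also shows why this scheme offers no protection: the expected serial is a pure function of the user-visible name, with no secret involved, so anyone who reads the check can regenerate serials. A check that verified a signature over the name against an embedded public key would not leak the generation rule the way recomputing the serial does.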
============================================================
*************Copyright of this article belongs to: 【lnn1123】*************
Attachment: vcrkme01.rar