-
-
一个 CrackMe 的逆向分析
-
发表于: 2005-7-21 18:02
-
【破解作者】 bmahti
【作者邮箱】 ^-^!
【作者主页】 http://diyexe.blogcn.com
【使用工具】 OD peid
【破解平台】 Win9x/NT/2000/XP
【软件名称】 CrackME
【软件简介】 一个汇编语言写的,序列号保护的CrackMe
【加壳方式】 NO
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
--------------------------------------------------------------------------------
【破解内容】
软件比较小,所以我这种小菜鸟能够分析!
不多说了,用od加载:
; --- Entry point (00401000): GetModuleHandleA(NULL) -> [402340], GetCommandLineA() -> [402344],
; --- then WinMain(hInst, NULL, cmdline, SW_SHOWDEFAULT) and ExitProcess(its return value).
00401000 c>push 0
00401002 call <jmp.&kernel32.GetModuleHa> ; GetModuleHandleA(NULL)
00401007 mov dword ptr ds:[402340],eax ; hinstance (the same slot is overwritten with the main HWND at 004010C5)
0040100C call <jmp.&kernel32.GetCommandL> ; GetCommandLineA()
00401011 mov dword ptr ds:[402344],eax ; cmdline
00401016 push 0A ; nCmdShow = 0Ah = SW_SHOWDEFAULT
00401018 push dword ptr ds:[402344] ; cmdline
0040101E push 0 ; hPrevInstance = NULL
00401020 push dword ptr ds:[402340] ; hInstance
00401026 call crackme.00401031 ; WinMain (stdcall, 4 args) - analysed below
0040102B push eax
0040102C call <jmp.&kernel32.ExitProcess> ; ExitProcess(WinMain's return value)
; --- WinMain (00401031): stdcall(hInst, hPrevInst, cmdline, nCmdShow), 'retn 10' pops the 4 args.
; --- 44h bytes of locals: MSG at ebp-44 (1Ch bytes) and a WNDCLASS at ebp-28 (10 dwords, up to ebp-1).
; --- Only ebp+8 (hInst) and ebp+14 (nCmdShow) are ever read; the command line is not used.
00401031 push ebp ; WinMain
00401032 mov ebp,esp
00401034 add esp,-44 ; reserve 44h bytes: MSG (ebp-44..ebp-29) + WNDCLASS (ebp-28..ebp-1)
00401037 mov dword ptr ss:[ebp-28],3 ; wc.style = CS_HREDRAW|CS_VREDRAW. The first field is style, not a cbSize of 30h, and there are exactly 10 dwords: this is a plain WNDCLASS (not WNDCLASSEX), so the call below is RegisterClassA
0040103E mov dword ptr ss:[ebp-24],crack> ; wc.lpfnWndProc = 00401111 (WndProc; operand truncated by the dump)
00401045 mov dword ptr ss:[ebp-20],0 ; wc.cbClsExtra = 0
0040104C mov dword ptr ss:[ebp-1C],0 ; wc.cbWndExtra = 0
00401053 push dword ptr ss:[ebp+8]
00401056 pop dword ptr ss:[ebp-18] ; wc.hInstance = hInst (argument 1)
00401059 push 7F02 ; IDI_QUESTION
0040105E push 0
00401060 call <jmp.&user32.LoadIconA> ; LoadIconA(NULL, IDI_QUESTION)
00401065 mov dword ptr ss:[ebp-14],eax ; wc.hIcon
00401068 push 7F00 ; IDC_ARROW
0040106D push 0
0040106F call <jmp.&user32.LoadCursorA> ; \LoadCursorA(NULL, IDC_ARROW)
00401074 mov dword ptr ss:[ebp-10],eax ; wc.hCursor
00401077 mov dword ptr ss:[ebp-C],5 ; wc.hbrBackground = 5 (COLOR_WINDOW as stored; the documented idiom is COLOR_WINDOW+1)
0040107E mov dword ptr ss:[ebp-8],0 ; wc.lpszMenuName = NULL
00401085 mov dword ptr ss:[ebp-4],crackm>; wc.lpszClassName -> ASCII "Class"
0040108C lea eax,dword ptr ss:[ebp-28]
0040108F push eax
00401090 call <jmp.&user32.RegisterClass>; RegisterClassA(&wc)
; CreateWindowExA for the main window; arguments are pushed last-first:
00401095 push 0 ; |lParam = NULL
00401097 push dword ptr ss:[ebp+8] ; |hInstance = hInst
0040109A push 0 ; |hMenu = NULL
0040109C push 0 ; |hParent = NULL
0040109E push 69 ; |Height = 105
004010A0 push 0DC ; |Width = 220
004010A5 push 80000000 ; |Y = CW_USEDEFAULT
004010AA push 80000000 ; |X = CW_USEDEFAULT
004010AF push 0C80000 ; |Style = WS_CAPTION|WS_SYSMENU (not WS_OVERLAPPEDWINDOW, which would be 0CF0000)
004010B4 push crackme.00402006 ; |WindowName = title string at 00402006
004010B9 push crackme.00402000 ; |Class = "Class"
004010BE push 0 ; |ExtStyle = 0
004010C0 call <jmp.&user32.CreateWindowE> ; \CreateWindowExA
004010C5 mov dword ptr ds:[402340],eax ; main HWND - written over the hinstance global stored at 00401007
004010CA push dword ptr ss:[ebp+14] ; nCmdShow (argument 4)
004010CD push dword ptr ds:[402340] ; hwnd
004010D3 call <jmp.&user32.ShowWindow>
004010D8 push dword ptr ds:[402340] ; hwnd
004010DE call <jmp.&user32.UpdateWindow>
; message loop
004010E3 /push 0 ; |wMsgFilterMax = 0
004010E5 |push 0 ; |wMsgFilterMin = 0
004010E7 |push 0 ; |hWnd = NULL
004010E9 |lea eax,dword ptr ss:[ebp-44] ; &msg
004010EC |push eax
004010ED |call <jmp.&user32.GetMessageA>
004010F2 |or eax,eax ; eax == 0 means WM_QUIT ...
004010F4 |je short crackme.0040110A ; ... leave the loop
004010F6 |lea eax,dword ptr ss:[ebp-44]
004010F9 |push eax
004010FA |call <jmp.&user32.TranslateMes>
004010FF |lea eax,dword ptr ss:[ebp-44]
00401102 |push eax
00401103 |call <jmp.&user32.DispatchMess>
00401108 \jmp short crackme.004010E3
0040110A mov eax,dword ptr ss:[ebp-3C] ; return msg.wParam (MSG+8), i.e. the PostQuitMessage exit code
0040110D leave
0040110E retn 10 ; stdcall: pop 4 args
; --- WndProc (00401111): stdcall, 4 args, no locals.  Returns 0 for every message it handles
; --- itself and DefWindowProcA's result for everything else.
00401111 push ebp
00401112 mov ebp,esp
00401114 cmp dword ptr ss:[ebp+C],2 ; uMsg == WM_DESTROY?
00401118 jnz short crackme.00401126
0040111A push 0
0040111C call <jmp.&user32.PostQuitMessa> ; PostQuitMessage(0)
00401121 jmp crackme.00401353 ; -> return 0
00401126 cmp dword ptr ss:[ebp+C],1 ; uMsg == WM_CREATE?
0040112A jnz crackme.00401256
; WM_CREATE: six CreateWindowExA calls.  Arguments are pushed last-first:
; lParam, hInstance, hMenu (= child-control ID), hParent, height, width, y, x, style, name, class, exstyle.
; Note the hInstance argument is [402340], which WinMain overwrote with the main HWND at 004010C5.
00401130 push 0 ; |lParam = NULL
00401132 push dword ptr ds:[402340] ; |hInstance (holds the main HWND by now, see above)
00401138 push 64 ; |hMenu = 64h: control ID 100 (the edit box)
0040113A push dword ptr ss:[ebp+8] ; |hParent = hWnd
0040113D push 14 ; |Height = 20
0040113F push 0CD ; |Width = 205
00401144 push 5 ; |Y = 5
00401146 push 5 ; |X = 5
00401148 push 50800080 ; |Style = WS_CHILD|WS_VISIBLE|WS_BORDER|ES_AUTOHSCROLL
0040114D push 0 ; |WindowName = NULL
0040114F push crackme.0040201F ; |Class = "Edit"
00401154 push 0 ; |ExtStyle = 0
00401156 call <jmp.&user32.CreateWindowE> ; \CreateWindowExA
0040115B mov dword ptr ds:[402548],eax ; hEdit
00401160 push 0 ; |lParam = NULL
00401162 push dword ptr ds:[402340] ; |hInstance
00401168 push 0C8 ; |hMenu = control ID 200 ("&Check")
0040116D push dword ptr ss:[ebp+8] ; |hParent = hWnd
00401170 push 14 ; |Height = 20
00401172 push 41 ; |Width = 65
00401174 push 1E ; |Y = 30
00401176 push 5 ; |X = 5
00401178 push 50000000 ; |Style = WS_CHILD|WS_VISIBLE
0040117D push crackme.00402032 ; |WindowName = "&Check"
00401182 push crackme.0040202B ; |Class = "Button"
00401187 push 0 ; |ExtStyle = 0
00401189 call <jmp.&user32.CreateWindowE>; \CreateWindowExA (handle not kept)
0040118E push 0 ; |lParam = NULL
00401190 push dword ptr ds:[402340] ; |hInstance
00401196 push 12C ; |hMenu = control ID 300 ("&About")
0040119B push dword ptr ss:[ebp+8] ; |hParent = hWnd
0040119E push 14 ; |Height = 20
004011A0 push 41 ; |Width = 65
004011A2 push 1E ; |Y = 30
004011A4 push 4B ; |X = 75
004011A6 push 50000000 ; |Style = WS_CHILD|WS_VISIBLE
004011AB push crackme.00402039 ; |WindowName = "&About"
004011B0 push crackme.0040202B ; |Class = "Button"
004011B5 push 0 ; |ExtStyle = 0
004011B7 call <jmp.&user32.CreateWindowE>; \CreateWindowExA (handle not kept)
004011BC push 0 ; |lParam = NULL
004011BE push dword ptr ds:[402340] ; |hInstance
004011C4 push 190 ; |hMenu = control ID 400 ("&Exit")
004011C9 push dword ptr ss:[ebp+8] ; |hParent = hWnd
004011CC push 14 ; |Height = 20
004011CE push 41 ; |Width = 65
004011D0 push 1E ; |Y = 30
004011D2 push 91 ; |X = 145
004011D7 push 50000000 ; |Style = WS_CHILD|WS_VISIBLE
004011DC push crackme.00402040 ; |WindowName = "&Exit"
004011E1 push crackme.0040202B ; |Class = "Button"
004011E6 push 0 ; |ExtStyle = 0
004011E8 call <jmp.&user32.CreateWindowE>; \CreateWindowExA (handle not kept)
004011ED push 0 ; |lParam = NULL
004011EF push dword ptr ds:[402340] ; |hInstance
004011F5 push 1F4 ; |hMenu = control ID 500 (the status line)
004011FA push dword ptr ss:[ebp+8] ; |hParent = hWnd
004011FD push 10 ; |Height = 16
004011FF push 0CD ; |Width = 205
00401204 push 39 ; |Y = 57
00401206 push 7 ; |X = 7
00401208 push 50000000 ; |Style = WS_CHILD|WS_VISIBLE
0040120D push crackme.00402046 ; |WindowName = "UnRegistired Version"
00401212 push crackme.00402024 ; |Class = "Static"
00401217 push 0 ; |ExtStyle = 0
00401219 call <jmp.&user32.CreateWindowE>; \CreateWindowExA
0040121E mov dword ptr ds:[40254C],eax ; hStatic - the check result is written here
00401223 push 0 ; |lParam = NULL
00401225 push dword ptr ds:[402340] ; |hInstance
0040122B push 2BC ; |hMenu = control ID 700 (frame around the status line)
00401230 push dword ptr ss:[ebp+8] ; |hParent = hWnd
00401233 push 14 ; |Height = 20
00401235 push 0CD ; |Width = 205
0040123A push 37 ; |Y = 55
0040123C push 5 ; |X = 5
0040123E push 50000008 ; |Style = WS_CHILD|WS_VISIBLE|SS_GRAYFRAME (8)
00401243 push 0 ; |WindowName = NULL
00401245 push crackme.00402024 ; |Class = "Static"
0040124A push 0 ; |ExtStyle = 0
0040124C call <jmp.&user32.CreateWindowE>; \CreateWindowExA (handle not kept)
00401251 jmp crackme.00401353 ; -> return 0
00401256 cmp dword ptr ss:[ebp+C],111 ; uMsg == WM_COMMAND?
0040125D jnz crackme.0040133E ; anything else -> DefWindowProcA
00401263 mov eax,dword ptr ss:[ebp+10] ; wParam = (notification code << 16) | control ID
00401266 shl eax,10 ; shift left by 10h = 16 bits ...
00401269 and eax,0FFFF ; ... then keep the low word: the result is always 0
0040126E cmp ax,0 ; so this notification-code test can never fail (a shr was presumably intended)
00401272 jnz crackme.0040133C
00401278 mov eax,dword ptr ss:[ebp+10] ; ax = control ID (low word of wParam)
0040127B cmp ax,0C8 ; "&Check" (ID 200)?
0040127F jnz crackme.00401311
; --- Serial check: fixed length, two '-' constraints, a fixed byte transform, then a memcmp
; --- against a plaintext constant at 004020F3.  Nothing in it is secret: the valid input is
; --- recoverable from the binary alone, and the single jnz at 004012FD guards the success path.
00401285 push crackme.00402046 ; "UnRegistired Version"
0040128A push dword ptr ds:[40254C] ; hStatic
00401290 call <jmp.&user32.SetWindowText> ; reset the status line before checking
00401295 push dword ptr ds:[402548] ; hEdit
0040129B call <jmp.&user32.GetWindowText>; GetWindowTextLengthA (import name truncated by the dump; eax is compared as a length below)
004012A0 cmp eax,0B ; the input must be exactly 11 characters long
004012A3 jnz crackme.0040133C ; otherwise return 0 with no feedback
004012A9 push 200 ; |cchMax = 200h; 200h bytes separate 402348 from the next used global, hEdit at 402548
004012AE push crackme.00402348 ; |Buffer
004012B3 push dword ptr ds:[402548] ; |hWnd = hEdit
004012B9 call <jmp.&user32.GetWindowText>; \GetWindowTextA: copy the input into 402348
004012BE cmp byte ptr ds:[40234B],2D ; input[3] (4th character) must be '-'
004012C5 jnz short crackme.0040133C ; otherwise return 0
004012C7 mov byte ptr ds:[40234B],41 ; ... and is replaced by 'A' before the transform
004012CE cmp byte ptr ds:[40234F],2D ; input[7] (8th character) must be '-'
004012D5 jnz short crackme.0040133C
004012D7 mov byte ptr ds:[40234F],42 ; ... and is replaced by 'B'
004012DE mov ecx,0A
004012E3 /inc byte ptr ds:[ecx+402348] ; input[ecx]++ for ecx = 10 down to 1
004012E9 \loopd short crackme.004012E3 ; the loop ends when ecx reaches 0, so input[0] is never incremented
004012EB mov esi,crackme.00402348 ; esi = transformed input
004012F0 mov edi,crackme.004020F3 ; edi = target "PvMBtBsC112", a plaintext constant in the data section
004012F5 mov ecx,0B ; compare 11 bytes (the terminator is not compared)
004012FA cld
004012FB repe cmps byte ptr es:[edi],byt> ; memcmp(input, target, 11)
004012FD jnz short crackme.0040133C ; mismatch -> return 0, status line stays "UnRegistired"
004012FF push crackme.0040205B ; "Cracking Sucess!!!"
00401304 push dword ptr ds:[40254C] ; hStatic
0040130A call <jmp.&user32.SetWindowText>; success text goes to the static control, not the edit box
0040130F jmp short crackme.0040133C
00401311 cmp ax,12C ; "&About" (ID 300)?
00401315 jnz short crackme.0040132D
00401317 push 0 ; |uType = 0 = MB_OK
00401319 push crackme.0040206F ; |Title = "About"
0040131E push crackme.00402075 ; |Text = the About message (a multi-line string; the extractor kept only its tail, the two lines below)
; http://www.redrival.com/pulsar/
; "
00401323 push dword ptr ss:[ebp+8] ; |hOwner = hWnd
00401326 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0040132B jmp short crackme.0040133C
0040132D cmp ax,190 ; "&Exit" (ID 400)?
00401331 jnz short crackme.0040133C ; unknown ID -> return 0
00401333 push 0
00401335 call <jmp.&user32.PostQuitMessa> ; PostQuitMessage(0)
0040133A jmp short crackme.00401353
0040133C jmp short crackme.00401353 ; common exit of every WM_COMMAND path: return 0
0040133E push dword ptr ss:[ebp+14] ; lParam
00401341 push dword ptr ss:[ebp+10] ; wParam
00401344 push dword ptr ss:[ebp+C] ; uMsg
00401347 push dword ptr ss:[ebp+8] ; hWnd
0040134A call <jmp.&user32.DefWindowProc>; \DefWindowProcA
0040134F leave
00401350 retn 10 ; stdcall: pop 4 args
00401353 xor eax,eax ; return 0
00401355 leave
00401356 retn 10
edi 指向的目标串(位于 4020F3,是数据段里的明文常量)是 PvMBtBsC112。现在反推输入:循环从 ecx=0A 递减到 1,所以 402348 处的首字符不参与加 1,保持不变;其余 10 位各减 1,得到:
PuLAsArB001。但这还不是最终结果,别忘了比较之前的两处替换:
004012BE cmp byte ptr ds:[40234B],2D ; 第四个字符必须等于"-"
004012C5 jnz short crackme.0040133C ;Over!
004012C7 mov byte ptr ds:[40234B],41 ;A
004012CE cmp byte ptr ds:[40234F],2D ; 第八个字符必须等于"-"
004012D5 jnz short crackme.0040133C
004012D7 mov byte ptr ds:[40234F],42 ;B
第 4 位和第 8 位(偏移 3 和 7)在变换前必须是 '-'(2Dh),程序随后把它们改写成 'A' 和 'B' 再参与比较;所以把上面结果中的 A、B 换回 '-',就得到正确的序列号:
PuL-sAr-001
填入,注册成功!
******************************************************************************************************
累死我了,下面是我根据反汇编手工还原的源代码(不是原作者的源码),写得很烂,呵呵
.486
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\masm32.inc
include \masm32\include\gdi32.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\Comctl32.inc
include \masm32\include\comdlg32.inc
include \masm32\include\shell32.inc
include \masm32\include\oleaut32.inc
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\gdi32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\Comctl32.lib
includelib \masm32\lib\comdlg32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\oleaut32.lib
WinMain proto :DWORD,:DWORD,:DWORD,:DWORD
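; ---------------------------------------------------------------------------
; Uninitialised data.  In the binary this block starts at 402340:
;   402340 hinstance  (WinMain later stores the main HWND here as well)
;   402344 cmdline
;   402348 buffer     (200h bytes: the next used global is hEdit at 402548)
;   402548 hEdit
;   40254C hStatic
; ---------------------------------------------------------------------------
.data?
hinstance dd ?
cmdline dd ?
buffer db 512 dup(?)  ; GetWindowText is called with cchMax = 200h (512); the original 'buffer dd ?' was 4 bytes and would have been overrun into the handles that follow
hEdit dd ?
hStatic dd ?

.const
; Child-control IDs (the hMenu argument of CreateWindowEx).  MASM hex literals
; need a leading digit and an 'h' suffix: a bare 'c8' is an undefined symbol.
Button1ID equ 0C8h   ; 200 "&Check"
Button2ID equ 12Ch   ; 300 "&About"
Button3ID equ 190h   ; 400 "&Exit"
StaticID  equ 1F4h   ; 500 status line ("UnRegistired Version" / success text)
ClassName db 'Class',0
AppName db 'Pulsar Crackme(Level 0)',0
desti db 'PvMBtBsC112',0          ; target of the final repe cmpsb (4020F3 in the binary): a plaintext constant, so the serial is derivable from the file
EditClassName db 'edit',0
ButtonClassName db 'button',0
ButtonNameC db '&Check',0
ButtonNameA db '&About',0
ButtonNameE db '&Exit',0
StaticName db 'UnRegistired Version',0   ; spelling as in the binary
StaticClassName db 'static',0
Success db 'Cracking Sucess!!!',0
Title db 'About',0
; Double quotes, because the text contains an apostrophe: inside a single-quoted
; MASM string "Don't" would end the literal early.  The exact line breaks of the
; original message are not recoverable from the listing; CR/LF is assumed.
Text db "Hello NewBie Cracker.This is ver ver easy crackme.Don't patch this and good luck",13,10
     db "http://www.redrival.com/pulsar/",0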
.code
; Program entry (00401000 in the binary): fetch the module handle and the
; command line, hand them to WinMain and exit with whatever it returns.
start:
        invoke  GetModuleHandle, NULL                   ; hInstance of this module
        mov     hinstance, eax
        invoke  GetCommandLine                          ; raw command line (WinMain never reads it)
        mov     cmdline, eax
        invoke  WinMain, hinstance, NULL, cmdline, SW_SHOWDEFAULT   ; SW_SHOWDEFAULT = 0Ah, the value pushed at 00401016
        invoke  ExitProcess, eax                        ; exit code = WinMain's return value
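;-----------------------------------------------------------------------
; int WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR CmdLine, int CmdShow)
; stdcall (the binary returns with 'retn 10h' = four dword arguments).
; Registers the "Class" window class, creates the 220x105 main window,
; runs the message loop and returns msg.wParam (the PostQuitMessage code).
;-----------------------------------------------------------------------
WinMain proc hInst:HINSTANCE, hPrevInst:HINSTANCE, CmdLine:LPSTR, CmdShow:DWORD
    LOCAL wc:WNDCLASS   ; plain WNDCLASS: the listing fills 10 dwords starting with style=3 and has
                        ; no cbSize field, so it is RegisterClass/WNDCLASS, not RegisterClassEx/WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND     ; the binary stores the HWND over the hinstance global (402340); kept separate here

    mov    wc.style, CS_HREDRAW or CS_VREDRAW        ; = 3, the first dword stored at 00401037
    mov    wc.lpfnWndProc, OFFSET WndProc
    mov    wc.cbClsExtra, NULL
    mov    wc.cbWndExtra, NULL
    push   hInst                                     ; the parameter (ebp+8), not a global
    pop    wc.hInstance
    invoke LoadIcon, NULL, IDI_QUESTION
    mov    wc.hIcon, eax
    invoke LoadCursor, NULL, IDC_ARROW
    mov    wc.hCursor, eax
    mov    wc.hbrBackground, COLOR_WINDOW            ; 5, as stored by the binary
    mov    wc.lpszMenuName, NULL
    mov    wc.lpszClassName, OFFSET ClassName
    invoke RegisterClass, ADDR wc

    ; Style 0C80000h in the listing is WS_CAPTION or WS_SYSMENU only - no thick
    ; frame or min/max boxes, i.e. not WS_OVERLAPPEDWINDOW (0CF0000h).
    invoke CreateWindowEx, NULL, ADDR ClassName, ADDR AppName, \
           WS_CAPTION or WS_SYSMENU, \
           CW_USEDEFAULT, CW_USEDEFAULT, 220, 105, \
           NULL, NULL, hInst, NULL
    mov    hwnd, eax
    invoke ShowWindow, hwnd, CmdShow
    invoke UpdateWindow, hwnd

    ; Message pump.  GetMessage returns 0 on WM_QUIT; the binary tests eax and
    ; jumps out (004010F2-004010F4).  Without the .BREAK the loop never ends.
    .WHILE TRUE
        invoke GetMessage, ADDR msg, NULL, 0, 0
        .BREAK .IF (!eax)
        invoke TranslateMessage, ADDR msg
        invoke DispatchMessage, ADDR msg
    .ENDW
    mov    eax, msg.wParam
    ret
WinMain endp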
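;-----------------------------------------------------------------------
; LRESULT WndProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Window procedure (00401111 in the binary; stdcall, 'retn 10h').
;   WM_CREATE  - creates the edit box, three buttons and two statics
;   WM_COMMAND - "Check" runs the serial test, "About" shows a MessageBox,
;                "Exit" posts WM_QUIT; every WM_COMMAND path returns 0
;   WM_DESTROY - PostQuitMessage(0)
;   anything else is passed to DefWindowProc
;-----------------------------------------------------------------------
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .if uMsg == WM_DESTROY
        invoke PostQuitMessage, NULL

    .elseif uMsg == WM_CREATE
        ; Positions, sizes and IDs are the values pushed at 00401130-0040124C.
        ; The binary passes [402340] as hInstance, which WinMain has by then
        ; overwritten with the main HWND; the hinstance global is used here.
        invoke CreateWindowEx, 0, ADDR EditClassName, NULL, \
               WS_CHILD or WS_VISIBLE or WS_BORDER or ES_AUTOHSCROLL, \
               5, 5, 205, 20, hWnd, 64h, hinstance, NULL          ; ID 100: serial input
        mov    hEdit, eax
        invoke CreateWindowEx, 0, ADDR ButtonClassName, ADDR ButtonNameC, \
               WS_CHILD or WS_VISIBLE, 5, 30, 65, 20, hWnd, Button1ID, hinstance, NULL
        invoke CreateWindowEx, 0, ADDR ButtonClassName, ADDR ButtonNameA, \
               WS_CHILD or WS_VISIBLE, 75, 30, 65, 20, hWnd, Button2ID, hinstance, NULL   ; x = 4Bh
        invoke CreateWindowEx, 0, ADDR ButtonClassName, ADDR ButtonNameE, \
               WS_CHILD or WS_VISIBLE, 145, 30, 65, 20, hWnd, Button3ID, hinstance, NULL  ; x = 91h
        invoke CreateWindowEx, 0, ADDR StaticClassName, ADDR StaticName, \
               WS_CHILD or WS_VISIBLE, 7, 57, 205, 16, hWnd, StaticID, hinstance, NULL
        mov    hStatic, eax
        ; Second static (ID 700, style 50000008h = WS_CHILD|WS_VISIBLE|SS_GRAYFRAME):
        ; the frame drawn around the status line, missing from the first reconstruction.
        invoke CreateWindowEx, 0, ADDR StaticClassName, NULL, \
               WS_CHILD or WS_VISIBLE or SS_GRAYFRAME, 5, 55, 205, 20, hWnd, 2BCh, hinstance, NULL

    .elseif uMsg == WM_COMMAND
        ; Notification-code test exactly as compiled: shl 16 followed by
        ; and 0FFFFh always yields 0, so it can never fail (shr was presumably
        ; intended).  Note 'shl eax,10' in MASM would shift by a decimal 10.
        mov    eax, wParam
        shl    eax, 16
        and    eax, 0FFFFh
        .if ax == 0
            mov    eax, wParam              ; low word = control ID
            .if ax == Button1ID
                ; --- serial check ---------------------------------------
                invoke SetWindowText, hStatic, ADDR StaticName
                invoke GetWindowTextLength, hEdit
                cmp    eax, 11              ; exactly 11 characters (0Bh)
                jne    done
                invoke GetWindowText, hEdit, ADDR buffer, 512   ; cchMax 200h as in the binary: buffer must hold 512 bytes
                cmp    buffer[3], '-'       ; 4th character (40234B = buffer+3)
                jne    done
                mov    buffer[3], 'A'
                cmp    buffer[7], '-'       ; 8th character (40234F = buffer+7)
                jne    done
                mov    buffer[7], 'B'
                ; Increment bytes 10 down to 1; byte 0 is untouched because
                ; loop stops once ecx reaches 0.
                mov    ecx, 10
            bump:
                inc    byte ptr buffer[ecx]
                loop   bump
                ; Compare 11 bytes against the constant target.  Every step
                ; above is a fixed, invertible transform against a plaintext
                ; string, so the valid serial is recoverable from the binary.
                mov    esi, OFFSET buffer
                mov    edi, OFFSET desti
                mov    ecx, 11
                cld
                repe   cmpsb
                jne    done
                invoke SetWindowText, hStatic, ADDR Success   ; the static (40254C), not the edit box
            .elseif ax == Button2ID
                invoke MessageBox, hWnd, ADDR Text, ADDR Title, MB_OK   ; uType = 0 in the listing
            .elseif ax == Button3ID
                invoke PostQuitMessage, NULL
            .endif
        .endif

    .else
        invoke DefWindowProc, hWnd, uMsg, wParam, lParam
        ret
    .endif
done:
    xor    eax, eax
    ret
WndProc endp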
end start
--------------------------------------------------------------------------------
【破解总结】
代码有错误的地方,希望高手们给我指出来,谢谢了!!!
--------------------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!