【文章标题】菜鸟分析CrackMe by Nsso @2012算法及注册机
【文章作者】无常pl
【下载地址】原帖http://bbs.pediy.com/showthread.php?t=154148
搞了好几天才搞出来
首先解除灰色按钮,对GetWindowTextA下断,alt+F9回来。然后对存字符串的内存下断,f9
途中会跟到strlen和strcpy,遇到strcpy时再对copy的内存地址下断点,f9。遇到两次strlen和两次strcpy会断在下面这个函数中
; ---------------------------------------------------------------------------
; Thread routine at 01241DB0 (the author's "key place").
; Takes one stack argument ([EBP+8], kept in EBX for the whole body). No RET
; appears in this listing: every path out of the 500 ms polling loop ends in
; SuspendThread followed by ExitProcess.
; Locals visible here (EBP-relative):
;   -1C..-12  "YouCanDoIt" + NUL, assembled from immediates, wiped at 01241EFD
;   -60       temporary passed to the [vtable+4] call, torn down by 01244B49
;   -A4       temporary passed to the [vtable+28] call, torn down by 01244B49
;   -10       [12A5A50] XOR EBP (looks like the MSVC /GS cookie; the check is
;             not in this listing)
;   -4        SEH scope index (0 / 1 / -1); the SEH record is built at -C
; Accepted UserName: 6..16 bytes long and byte-equal to "YouCanDoIt".
; NOTE(review): 010B1DB0 in the third listing has the same RVA, so this is
; presumably the same routine under a different load base; if so, EBX is the
; ESI object there and [EBX+1C] is the handle written at [ESI+1C] - this
; thread's own handle. Confirm against the binary.
; ---------------------------------------------------------------------------
01241DB0 /. 55 PUSH EBP ; entry of the thread routine (author: "the key place")
01241DB1 |. 8BEC MOV EBP,ESP
01241DB3 |. 6A FF PUSH -1 ; SEH scope index -1: no try level active yet (MSVC frame layout - presumably)
01241DB5 |. 68 73132901 PUSH creakme.01291373 ; SEH handler / scope table for this frame
01241DBA |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0] ; head of the current SEH chain
01241DC0 |. 50 PUSH EAX ; saved previous SEH record
01241DC1 |. 81EC 98000000 SUB ESP,98 ; 0x98 bytes of locals
01241DC7 |. A1 505A2A01 MOV EAX,DWORD PTR DS:[12A5A50] ; global cookie value
01241DCC |. 33C5 XOR EAX,EBP
01241DCE |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX ; [EBP-10] = cookie ^ EBP (/GS guard pattern - presumably)
01241DD1 |. 53 PUSH EBX
01241DD2 |. 56 PUSH ESI
01241DD3 |. 57 PUSH EDI
01241DD4 |. 50 PUSH EAX ; cookie pushed again below the saved registers
01241DD5 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
01241DD8 |. 64:A3 00000000 MOV DWORD PTR FS:[0],EAX ; install this frame as the SEH chain head
01241DDE |. 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8] ; EBX = the single stack argument (object pointer), live for the whole routine
01241DE1 |. 8D8B A0020000 LEA ECX,DWORD PTR DS:[EBX+2A0] ; this = object+2A0 for the thiscall below
01241DE7 |. 68 68082A01 PUSH creakme.012A0868 ; EditUI1LabelUI2 - name string argument
01241DEC |. C745 E4 596F7543 MOV DWORD PTR SS:[EBP-1C],43756F59 ; "YouC" - the literal is assembled on the stack from immediates
01241DF3 |. C745 E8 616E446F MOV DWORD PTR SS:[EBP-18],6F446E61 ; "anDo"
01241DFA |. 66:C745 EC 4974 MOV WORD PTR SS:[EBP-14],7449 ; "It" -> "YouCanDoIt"; never stored as one string in the image (presumably the point)
01241E00 |. C645 EE 00 MOV BYTE PTR SS:[EBP-12],0 ; terminator
01241E04 |. E8 D9450000 CALL creakme.012463E2 ; lookup by name (ECX = object+2A0); EAX = object whose vtable is used next
01241E09 |. 8BF0 MOV ESI,EAX ; ESI = that object, reused on every loop iteration for the UserName fetch
01241E0B |. 8B06 MOV EAX,DWORD PTR DS:[ESI] ; vtable
01241E0D |. 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4] ; virtual slot at +4
01241E10 |. 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] ; temporary at EBP-60 passed by address
01241E13 |. 51 PUSH ECX
01241E14 |. 8BCE MOV ECX,ESI ; this
01241E16 |. FFD2 CALL EDX
01241E18 |. 8BC8 MOV ECX,EAX
01241E1A |. C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0 ; SEH scope 0 entered: [EBP-60] now needs unwinding
01241E21 |. E8 233A0000 CALL creakme.01245849 ; ECX = virtual-call result; the same helper is applied to the UserName temp below
01241E26 |. 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
01241E29 |. C745 FC FFFFFFFF MOV DWORD PTR SS:[EBP-4],-1 ; scope left
01241E30 |. E8 142D0000 CALL creakme.01244B49 ; tears down [EBP-60] (destructor-like: called once per temp right after the scope index is reset)
01241E35 |> 68 70082A01 /PUSH creakme.012A0870 ; LabelUI2 - loop head: every back-edge below (JB/JA/JNZ) returns here
01241E3A |. 8D8B A0020000 |LEA ECX,DWORD PTR DS:[EBX+2A0] ; this = object+2A0
01241E40 |. E8 9D450000 |CALL creakme.012463E2 ; same name lookup, now for "LabelUI2"
01241E45 |. 8B10 |MOV EDX,DWORD PTR DS:[EAX] ; vtable
01241E47 |. 8BC8 |MOV ECX,EAX ; this
01241E49 |. 8B82 C4000000 |MOV EAX,DWORD PTR DS:[EDX+C4] ; virtual slot at +C4
01241E4F |. 6A 00 |PUSH 0 ; single argument 0
01241E51 |. FFD0 |CALL EAX
01241E53 |. 68 F4010000 |PUSH 1F4 ; /Timeout = 500 ms - polling interval of the loop
01241E58 |. C783 58020000 00>|MOV DWORD PTR DS:[EBX+258],0 ; | object flag +258 := 0 on every iteration (set to 1 only on the success path below)
01241E62 |. FF15 00222901 |CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
01241E68 |. 8B16 |MOV EDX,DWORD PTR DS:[ESI] ; vtable of the object found at 01241E04
01241E6A |. 8B52 28 |MOV EDX,DWORD PTR DS:[EDX+28] ; virtual slot at +28
01241E6D |. 8D85 5CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-A4] ; temporary at EBP-A4 passed by address (out parameter - presumably)
01241E73 |. 50 |PUSH EAX
01241E74 |. 8BCE |MOV ECX,ESI ; this
01241E76 |. FFD2 |CALL EDX ; author: fetches the UserName
01241E78 |. 8BC8 |MOV ECX,EAX ; ("Initial CPU selection" is an OllyDbg window marker, not program semantics)
01241E7A |. C745 FC 01000000 |MOV DWORD PTR SS:[EBP-4],1 ; SEH scope 1: [EBP-A4] needs unwinding
01241E81 |. E8 C3390000 |CALL creakme.01245849 ; ECX = virtual-call result
01241E86 |. 8D8D 5CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-A4]
01241E8C |. 8BF8 |MOV EDI,EAX ; EDI = char* UserName (consumed by both strlen loops and the compare)
01241E8E |. C745 FC FFFFFFFF |MOV DWORD PTR SS:[EBP-4],-1 ; scope left
01241E95 |. E8 AF2C0000 |CALL creakme.01244B49 ; tears down [EBP-A4] while EDI is still in use - TODO confirm EDI does not point into that temp
01241E9A |. 8BC7 |MOV EAX,EDI
01241E9C |. 8D48 01 |LEA ECX,DWORD PTR DS:[EAX+1] ; ECX = s+1, turns the end pointer into a length below
01241E9F |. 90 |NOP ; loop-alignment pad
01241EA0 |> 8A10 |/MOV DL,BYTE PTR DS:[EAX] ; inline strlen #1
01241EA2 |. 40 ||INC EAX
01241EA3 |. 84D2 ||TEST DL,DL
01241EA5 |.^ 75 F9 |\JNZ SHORT creakme.01241EA0 ; strlen
01241EA7 |. 2BC1 |SUB EAX,ECX ; EAX = strlen(UserName)
01241EA9 |. 83F8 06 |CMP EAX,6
01241EAC |.^ 72 87 |JB SHORT creakme.01241E35 ; length < 6 (unsigned) -> keep polling
01241EAE |. 8BC7 |MOV EAX,EDI
01241EB0 |. 8D50 01 |LEA EDX,DWORD PTR DS:[EAX+1]
01241EB3 |> 8A08 |/MOV CL,BYTE PTR DS:[EAX] ; inline strlen #2 of the same string (the first result was not kept)
01241EB5 |. 40 ||INC EAX
01241EB6 |. 84C9 ||TEST CL,CL
01241EB8 |.^ 75 F9 |\JNZ SHORT creakme.01241EB3 ; strlen
01241EBA |. 2BC2 |SUB EAX,EDX ; EAX = strlen(UserName) again
01241EBC |. 83F8 10 |CMP EAX,10
01241EBF |.^ 0F87 70FFFFFF |JA creakme.01241E35 ; length > 0x10 (16) -> keep polling; accepted range is 6..16 bytes
01241EC5 |. 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C]
01241EC8 |. 50 |PUSH EAX ; arg 2: "YouCanDoIt" (stack literal built at 01241DEC)
01241EC9 |. 57 |PUSH EDI ; arg 1: the entered UserName
01241ECA |. E8 F1D50200 |CALL creakme.0126F4C0 ; author: _mbcmp; cdecl, caller fixes ESP below
01241ECF |. 83C4 08 |ADD ESP,8
01241ED2 |. 85C0 |TEST EAX,EAX
01241ED4 |.^ 0F85 5BFFFFFF \JNZ creakme.01241E35 ; not equal -> loop forever; only an exact match reaches the next line
01241EDA |. 8D4B 14 LEA ECX,DWORD PTR DS:[EBX+14] ; object+14 is the lookup argument here (a pointer, not a name string)
01241EDD |. 51 PUSH ECX
01241EDE |. 8D8B A0020000 LEA ECX,DWORD PTR DS:[EBX+2A0] ; this = object+2A0
01241EE4 |. E8 F9440000 CALL creakme.012463E2
01241EE9 |. 8B10 MOV EDX,DWORD PTR DS:[EAX] ; vtable
01241EEB |. 8BC8 MOV ECX,EAX ; this
01241EED |. 8B82 D0000000 MOV EAX,DWORD PTR DS:[EDX+D0] ; virtual slot at +D0
01241EF3 |. 6A 01 PUSH 1 ; argument 1
01241EF5 |. FFD0 CALL EAX ; author: this is probably what enables the button
01241EF7 |. 8B4B 1C MOV ECX,DWORD PTR DS:[EBX+1C] ; thread handle stored in the object at +1C
01241EFA |. 33C0 XOR EAX,EAX
01241EFC |. 51 PUSH ECX ; /hThread
01241EFD |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX ; | zero the stack copy of "YouCanDoIt" (same 4+4+2+1 layout as the stores at 01241DEC)
01241F00 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX ; |
01241F03 |. 66:8945 EC MOV WORD PTR SS:[EBP-14],AX ; |
01241F07 |. 8845 EE MOV BYTE PTR SS:[EBP-12],AL ; | literal fully wiped before the thread is suspended
01241F0A |. C783 58020000 01>MOV DWORD PTR DS:[EBX+258],1 ; | flag +258 := 1 - UserName accepted
01241F14 |. FF15 FC212901 CALL DWORD PTR DS:[<&KERNEL32.SuspendThread>] ; \SuspendThread on the handle from +1C
01241F1A |. 6A 00 PUSH 0 ; /ExitCode = 0
01241F1C \. FF15 F8212901 CALL DWORD PTR DS:[<&KERNEL32.ExitProcess>] ; \ExitProcess - reached only after the suspended thread continues; if +1C is this thread's own handle, resuming it ends the whole process (presumably the intent)
; ---------------------------------------------------------------------------
; Routine at 01241A90. The author cut the listing at the CreateProcessA call:
; the function continues past 01241BCB, and the target of the JE at 01241B3D
; (01241BE4) is not shown.
; What the visible part does: formats a number (author: the current minute)
; with itoa into buffer A, copies the raw GetCommandLineA() string into
; buffer B with no length check, compares A and B, and when they differ
; relaunches the same module with the number as the entire command line.
; Locals (EBP-relative):
;   -104  buffer A, 0x100 bytes (memset size): itoa output
;   -204  buffer B, the 0x100 bytes below A: command-line copy, then the
;         child command line
;   -304  module path passed to GetModuleFileNameA with nSize 0x104
;   -308  saved [EBP+8]; -310 object initialised by 012426A0
;   -35C  STARTUPINFOA, 0x44 bytes: cb = 0x44, dwFlags (+2C) = 1
;         (STARTF_USESHOWWINDOW), wShowWindow (+30) = 5 (SW_SHOW)
;   -36C  PROCESS_INFORMATION, 0x10 bytes
;   -4    [12A5A50] XOR EBP (/GS cookie pattern - presumably; the check is
;         past the end of the listing)
; NOTE(review): the strcpy loop at 01241B00 bounds nothing; a command line of
; 0x100 bytes or more overruns B into A and beyond. The cookie at -4 would
; only detect that at function return.
; ---------------------------------------------------------------------------
01241A90 $ 55 PUSH EBP
01241A91 . 8BEC MOV EBP,ESP
01241A93 . 81EC 6C030000 SUB ESP,36C ; 0x36C bytes of locals
01241A99 . A1 505A2A01 MOV EAX,DWORD PTR DS:[12A5A50] ; global cookie value
01241A9E . 33C5 XOR EAX,EBP
01241AA0 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; [EBP-4] = cookie ^ EBP (/GS guard pattern - presumably)
01241AA3 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] ; first stack argument
01241AA6 . 56 PUSH ESI
01241AA7 . 8D8D F0FCFFFF LEA ECX,DWORD PTR SS:[EBP-310] ; this = local object at EBP-310
01241AAD . 51 PUSH ECX
01241AAE . 8985 F8FCFFFF MOV DWORD PTR SS:[EBP-308],EAX ; keep the argument at EBP-308
01241AB4 . E8 E70B0000 CALL creakme.012426A0 ; initialises the object at EBP-310 (opaque here)
01241AB9 . 8D8D F0FCFFFF LEA ECX,DWORD PTR SS:[EBP-310] ; this
01241ABF . E8 CC0C0000 CALL creakme.01242790 ; author: returns the current minute in EAX
01241AC4 . 68 00010000 PUSH 100 ; size 0x100
01241AC9 . 8D95 FCFEFFFF LEA EDX,DWORD PTR SS:[EBP-104] ; buffer A
01241ACF . 6A 00 PUSH 0
01241AD1 . 52 PUSH EDX
01241AD2 . 8BF0 MOV ESI,EAX ; ESI = minute
01241AD4 . E8 B7F90200 CALL creakme.01271490 ; memset(A, 0, 0x100)
01241AD9 . 6A 0A PUSH 0A ; radix 10
01241ADB . 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
01241AE1 . 50 PUSH EAX
01241AE2 . 56 PUSH ESI
01241AE3 . E8 CFE50400 CALL creakme.012900B7 ; itoa(minute, A, 10)
01241AE8 . 83C4 18 ADD ESP,18 ; pops both cdecl calls (3 + 3 args)
01241AEB . FF15 10222901 CALL DWORD PTR DS:[<&KERNEL32.GetCommandLineA>] ; [GetCommandLineA - EAX = process command line; its length is never checked
01241AF1 . 8D95 FCFDFFFF LEA EDX,DWORD PTR SS:[EBP-204] ; buffer B
01241AF7 . 2BD0 SUB EDX,EAX ; EDX = B - src, so [EDX+EAX] walks B in step with the source
01241AF9 . 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP] ; 7-byte NOP (loop alignment)
01241B00 > 8A08 MOV CL,BYTE PTR DS:[EAX] ; inline strcpy(B, cmdline): copies until NUL, no bound
01241B02 . 880C02 MOV BYTE PTR DS:[EDX+EAX],CL ; overruns B when the command line is >= 0x100 bytes
01241B05 . 40 INC EAX
01241B06 . 84C9 TEST CL,CL
01241B08 .^ 75 F6 JNZ SHORT creakme.01241B00
01241B0A . 8D8D FCFEFFFF LEA ECX,DWORD PTR SS:[EBP-104] ; ECX = A (minute string)
01241B10 . 8D85 FCFDFFFF LEA EAX,DWORD PTR SS:[EBP-204] ; EAX = B (command-line copy)
01241B16 > 8A10 MOV DL,BYTE PTR DS:[EAX] ; inline strcmp(B, A), two bytes per iteration
01241B18 . 3A11 CMP DL,BYTE PTR DS:[ECX]
01241B1A . 75 1A JNZ SHORT creakme.01241B36
01241B1C . 84D2 TEST DL,DL
01241B1E . 74 12 JE SHORT creakme.01241B32 ; both ended -> equal
01241B20 . 8A50 01 MOV DL,BYTE PTR DS:[EAX+1]
01241B23 . 3A51 01 CMP DL,BYTE PTR DS:[ECX+1]
01241B26 . 75 0E JNZ SHORT creakme.01241B36
01241B28 . 83C0 02 ADD EAX,2
01241B2B . 83C1 02 ADD ECX,2
01241B2E . 84D2 TEST DL,DL
01241B30 .^ 75 E4 JNZ SHORT creakme.01241B16
01241B32 > 33C0 XOR EAX,EAX ; equal -> 0
01241B34 . EB 05 JMP SHORT creakme.01241B3B
01241B36 > 1BC0 SBB EAX,EAX ; differ -> -1 or +1 from the carry of the last byte compare
01241B38 . 83D8 FF SBB EAX,-1
01241B3B > 85C0 TEST EAX,EAX
01241B3D . 0F84 A1000000 JE creakme.01241BE4 ; command line == minute string -> skip the relaunch (target not in this listing); otherwise relaunch self with the minute as argument
01241B43 . 68 04010000 PUSH 104 ; /BufSize = 0x104 (MAX_PATH) - the next local (B) starts only 0x100 bytes above EBP-304; TODO confirm the path buffer really is 0x104 bytes
01241B48 . 8D8D FCFCFFFF LEA ECX,DWORD PTR SS:[EBP-304] ; |
01241B4E . 51 PUSH ECX ; |PathBuffer
01241B4F . 6A 00 PUSH 0 ; |hModule = NULL (own executable)
01241B51 . FF15 2C222901 CALL DWORD PTR DS:[<&KERNEL32.GetModuleFileNameA>] ; \GetModuleFileNameA
01241B57 . 6A 44 PUSH 44 ; sizeof(STARTUPINFOA) = 0x44
01241B59 . 8D95 A4FCFFFF LEA EDX,DWORD PTR SS:[EBP-35C] ; STARTUPINFOA at EBP-35C
01241B5F . 6A 00 PUSH 0
01241B61 . 52 PUSH EDX
01241B62 . E8 29F90200 CALL creakme.01271490 ; memset(&si, 0, 0x44)
01241B67 . B8 05000000 MOV EAX,5 ; 5 = SW_SHOW
01241B6C . 83C4 0C ADD ESP,0C
01241B6F . 66:8985 D4FCFFFF MOV WORD PTR SS:[EBP-32C],AX ; si.wShowWindow (+30) = SW_SHOW
01241B76 . C785 A4FCFFFF 44>MOV DWORD PTR SS:[EBP-35C],44 ; si.cb = 0x44
01241B80 . C785 D0FCFFFF 01>MOV DWORD PTR SS:[EBP-330],1 ; si.dwFlags (+2C) = STARTF_USESHOWWINDOW
01241B8A . 33C0 XOR EAX,EAX ; index 0
01241B8C . 8D6424 00 LEA ESP,DWORD PTR SS:[ESP] ; 4-byte NOP (loop alignment)
01241B90 > 8A8C05 FCFEFFFF MOV CL,BYTE PTR SS:[EBP+EAX-104] ; inline strcpy(B, A): the minute string becomes the child command line
01241B97 . 888C05 FCFDFFFF MOV BYTE PTR SS:[EBP+EAX-204],CL
01241B9E . 40 INC EAX
01241B9F . 84C9 TEST CL,CL
01241BA1 .^ 75 ED JNZ SHORT creakme.01241B90
01241BA3 . 8D8D 94FCFFFF LEA ECX,DWORD PTR SS:[EBP-36C] ; PROCESS_INFORMATION at EBP-36C (0x10 bytes, directly below si)
01241BA9 . 51 PUSH ECX ; /pProcessInfo
01241BAA . 8D95 A4FCFFFF LEA EDX,DWORD PTR SS:[EBP-35C] ; |
01241BB0 . 52 PUSH EDX ; |pStartupInfo
01241BB1 . 6A 00 PUSH 0 ; |CurrentDir = NULL
01241BB3 . 6A 00 PUSH 0 ; |pEnvironment = NULL
01241BB5 . 6A 00 PUSH 0 ; |CreationFlags = 0
01241BB7 . 6A 00 PUSH 0 ; |InheritHandles = FALSE
01241BB9 . 6A 00 PUSH 0 ; |pThreadSecurity = NULL
01241BBB . 6A 00 PUSH 0 ; |pProcessSecurity = NULL
01241BBD . 8D85 FCFDFFFF LEA EAX,DWORD PTR SS:[EBP-204] ; |
01241BC3 . 50 PUSH EAX ; |CommandLine = the minute string alone, so the child's GetCommandLineA() returns exactly what its own itoa produces (unless the minute rolls over in between)
01241BC4 . 8D8D FCFCFFFF LEA ECX,DWORD PTR SS:[EBP-304] ; |
01241BCA . 51 PUSH ECX ; |ModuleFileName
01241BCB . FF15 0C222901 CALL DWORD PTR DS:[<&KERNEL32.CreateProcessA>] ; \CreateProcessA - listing ends here; what the parent does with the child handles, and whether it exits, is not shown
; ---------------------------------------------------------------------------
; Fragment of a routine around 010B1588. Both the start and the end of the
; enclosing function are missing: ESI already holds the object pointer and
; ECX already holds the first thread-id slot when this fragment begins.
; Seven cdecl calls to 010DEE80, each with six arguments pushed right to
; left as (NULL, 0, <start address>, ESI, 0, <&object+3C..50>), the stack
; fixed by ADD ESP,48 after every three calls (3 * 6 * 4 = 0x48). This is
; the CreateThread / _beginthreadex argument shape (security, stack size,
; start, parameter, flags, &thread id); the author labels them threads 1..7
; and the wrapper itself is not shown. Each returned handle is stored in the
; object at +1C, +20, +24, +28, +2C, +30 (the seventh store, if any, lies
; past the end of the listing). Every thread receives the same object (ESI).
; Load base differs from the first two listings (010Bxxxx vs 0124xxxx,
; delta 0x190000): 010B1DB0 here is 01241DB0 above - presumably the same
; module relocated by ASLR between debugging sessions.
; ---------------------------------------------------------------------------
010B1588 |. 51 PUSH ECX ; arg 6: &thread-id slot (ECX set before this fragment)
010B1589 |. 6A 00 PUSH 0 ; arg 5: creation flags = 0
010B158B |. 56 PUSH ESI ; arg 4: parameter = the object
010B158C |. 68 B01D0B01 PUSH creakme.010B1DB0 ; arg 3: start = the routine listed first above as 01241DB0 (same RVA)
010B1591 |. 6A 00 PUSH 0 ; arg 2: stack size = 0
010B1593 |. 6A 00 PUSH 0 ; arg 1: security = NULL
010B1595 |. E8 E6D80200 CALL creakme.010DEE80 ; thread 1 - author: watches the UserName input and decides whether to enable the button; EAX = handle
010B159A |. 8D56 3C LEA EDX,DWORD PTR DS:[ESI+3C] ; thread-id slot for thread 2 at +3C
010B159D |. 52 PUSH EDX
010B159E |. 6A 00 PUSH 0
010B15A0 |. 56 PUSH ESI
010B15A1 |. 68 301F0B01 PUSH creakme.010B1F30 ; thread 2 start
010B15A6 |. 6A 00 PUSH 0
010B15A8 |. 6A 00 PUSH 0
010B15AA |. 8946 1C MOV DWORD PTR DS:[ESI+1C],EAX ; object+1C = handle of thread 1 (EAX untouched by the pushes above) - the handle that the routine at 01241DB0 hands to SuspendThread
010B15AD |. E8 CED80200 CALL creakme.010DEE80 ; thread 2
010B15B2 |. 8946 20 MOV DWORD PTR DS:[ESI+20],EAX ; object+20 = handle of thread 2
010B15B5 |. 8D46 40 LEA EAX,DWORD PTR DS:[ESI+40] ; thread-id slot for thread 3 at +40
010B15B8 |. 50 PUSH EAX
010B15B9 |. 6A 00 PUSH 0
010B15BB |. 56 PUSH ESI
010B15BC |. 68 D0220B01 PUSH creakme.010B22D0 ; thread 3 start
010B15C1 |. 6A 00 PUSH 0
010B15C3 |. 6A 00 PUSH 0
010B15C5 |. E8 B6D80200 CALL creakme.010DEE80 ; thread 3 - author: first-pass check of username and regcode; wakes thread 6 when they qualify, thread 4 otherwise
010B15CA |. 83C4 48 ADD ESP,48 ; pops three cdecl calls of six args (0x48 = 3 * 24)
010B15CD |. 8D4E 44 LEA ECX,DWORD PTR DS:[ESI+44] ; thread-id slot for thread 4 at +44
010B15D0 |. 51 PUSH ECX
010B15D1 |. 6A 00 PUSH 0
010B15D3 |. 56 PUSH ESI
010B15D4 |. 68 00260B01 PUSH creakme.010B2600 ; thread 4 start
010B15D9 |. 6A 00 PUSH 0
010B15DB |. 6A 00 PUSH 0
010B15DD |. 8946 24 MOV DWORD PTR DS:[ESI+24],EAX ; object+24 = handle of thread 3
010B15E0 |. E8 9BD80200 CALL creakme.010DEE80 ; thread 4 - author: raises an exception and shows the exception dialog
010B15E5 |. 8D56 48 LEA EDX,DWORD PTR DS:[ESI+48] ; thread-id slot for thread 5 at +48
010B15E8 |. 52 PUSH EDX
010B15E9 |. 6A 00 PUSH 0
010B15EB |. 56 PUSH ESI
010B15EC |. 68 60260B01 PUSH creakme.010B2660 ; thread 5 start
010B15F1 |. 6A 00 PUSH 0
010B15F3 |. 6A 00 PUSH 0
010B15F5 |. 8946 28 MOV DWORD PTR DS:[ESI+28],EAX ; object+28 = handle of thread 4
010B15F8 |. E8 83D80200 CALL creakme.010DEE80 ; thread 5
010B15FD |. 8946 2C MOV DWORD PTR DS:[ESI+2C],EAX ; object+2C = handle of thread 5
010B1600 |. 8D46 4C LEA EAX,DWORD PTR DS:[ESI+4C] ; thread-id slot for thread 6 at +4C
010B1603 |. 50 PUSH EAX
010B1604 |. 6A 00 PUSH 0
010B1606 |. 56 PUSH ESI
010B1607 |. 68 10210B01 PUSH creakme.010B2110 ; thread 6 start
010B160C |. 6A 00 PUSH 0
010B160E |. 6A 00 PUSH 0
010B1610 |. E8 6BD80200 CALL creakme.010DEE80 ; thread 6 - author: the further validation
010B1615 |. 83C4 48 ADD ESP,48 ; pops threads 4..6
010B1618 |. 8D4E 50 LEA ECX,DWORD PTR DS:[ESI+50] ; thread-id slot for thread 7 at +50
010B161B |. 51 PUSH ECX
010B161C |. 6A 00 PUSH 0
010B161E |. 56 PUSH ESI
010B161F |. 68 90260B01 PUSH creakme.010B2690 ; thread 7 start
010B1624 |. 6A 00 PUSH 0
010B1626 |. 6A 00 PUSH 0
010B1628 |. 8946 30 MOV DWORD PTR DS:[ESI+30],EAX ; object+30 = handle of thread 6
010B162B |. E8 50D80200 CALL creakme.010DEE80 ; thread 7 (no author note; its handle store and the rest of the routine are past the end of the listing)