[旧帖] [原创]破解bos1.rar_904 0.00雪花
发表于: 2016-2-25 22:02 1519
CrackMe提供者:bos
原帖:http://bbs.pediy.com/showthread.php?t=10071
工具:od,vc
平台:winxpsp3
一、破
这个程序使用了显而易见的反调试代码,
00455751 |> \E8 FAFEFFFF call 00455650 ;反dede
00455756 |. E8 65FEFFFF call <jmp.&Ken.GetHDID>
0045575B |. 8BD0 mov edx, eax
0045575D |. 8D45 C8 lea eax, dword ptr [ebp-38]
00455760 |. E8 2BEAFAFF call 00404190
00455765 |. 8B55 C8 mov edx, dword ptr [ebp-38]
00455768 |. 8B86 08030000 mov eax, dword ptr [esi+308]
0045576E |. E8 B9EFFDFF call 0043472C
00455773 |. E8 10FEFFFF call <jmp.&Ken.IsSoftIce95Loaded>
00455778 |. 84C0 test al, al
0045577A |. 75 3F jnz short 004557BB
0045577C |. E8 0FFEFFFF call <jmp.&Ken.IsSoftIceNTLoaded>
00455781 |. 84C0 test al, al
00455783 |. 75 36 jnz short 004557BB
00455785 |. E8 0EFEFFFF call <jmp.&Ken.IsTRWLoaded>
0045578A |. 84C0 test al, al
0045578C |. 75 2D jnz short 004557BB
0045578E |. E8 05FEFFFF call <jmp.&Ken.IsTRWLoaded>
00455793 |. 84C0 test al, al
00455795 |. 75 24 jnz short 004557BB
00455797 |. E8 04FEFFFF call <jmp.&Ken.IsTRW2000Loaded>
0045579C |. 84C0 test al, al
0045579E |. 75 1B jnz short 004557BB
004557A0 |. E8 03FEFFFF call <jmp.&Ken.IsRegMONLoaded>
004557A5 |. 84C0 test al, al
004557A7 |. 75 12 jnz short 004557BB
004557A9 |. E8 02FEFFFF call <jmp.&Ken.IsFileMONLoaded>
004557AE |. 84C0 test al, al
004557B0 |. 75 09 jnz short 004557BB
004557B2 |. E8 01FEFFFF call <jmp.&Ken.IsBW2000Loaded>
004557B7 |. 84C0 test al, al
004557B9 |. 74 16 je short 004557D1
004557BB |> 6A 00 push 0 ; /lParam = 0
004557BD |. 6A 00 push 0 ; |wParam = 0
004557BF |. 6A 10 push 10 ; |Message = WM_CLOSE
004557C1 |. A1 98804500 mov eax, dword ptr [458098] ; |
004557C6 |. 8B00 mov eax, dword ptr [eax] ; |
004557C8 |. 8B40 30 mov eax, dword ptr [eax+30] ; |
004557CB |. 50 push eax ; |hWnd
004557CC |. E8 730FFBFF call <jmp.&user32.PostMessageA> ; \PostMessageA
可以看出没有针对od的代码,我使用od可以无视上述反调试代码。
00455897 |. 8B55 C0 mov edx, dword ptr [ebp-40]
0045589A |. 58 pop eax
0045589B |. E8 04EBFAFF call 004043A4 ;注册验证处
004558A0 |. 75 39 jnz short 004558DB ;爆破点
二、解
注册码 = 取尾部20个字符(ken.KXEN(序列号))
序列号 = ken.GetHDID
算法没有研究,又有些浮躁了,失去了学习的本心。下面是keygen:
#include "stdafx.h"
#include "windows.h"
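/*
 * Keygen for the bos1 CrackMe.
 *
 * Loads the target's own Ken.dll, resolves its GetHDID and KXEN exports,
 * feeds the GetHDID result to KXEN and prints the last 20 characters of the
 * KXEN result, which is what the target's registration check compares
 * against (see the analysis above).
 *
 * Returns 0 on success, 1 when Ken.dll cannot be loaded, an export is
 * missing, or KXEN returns no string.  argc/argv are unused.
 *
 * 32-bit MSVC only: the call sequence is done with inline asm because the
 * calling convention of the two exports is not known from this side.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    HMODULE hdll;
    FARPROC farFunctionGetHDID, farFunctionKXEN;
    char sn[21];            /* up to 20 tail characters plus the terminator */
    char *pSN = NULL;       /* result of KXEN; assumed to be a NUL-terminated
                               string owned by Ken.dll -- TODO confirm, it is
                               never freed here */
    size_t len, take, i;

    (void)argc;
    (void)argv;

    hdll = LoadLibrary(TEXT("Ken.dll"));
    if (hdll == NULL)
    {
        printf("Ken.dll加载失败,请确保程序运行目录里面包含Ken.dll文件");
        return 1;
    }

    farFunctionGetHDID = GetProcAddress(hdll, "GetHDID");
    farFunctionKXEN = (farFunctionGetHDID != NULL)
                      ? GetProcAddress(hdll, "KXEN")
                      : NULL;
    if (farFunctionGetHDID == NULL || farFunctionKXEN == NULL)
    {
        /* Previously this path exited silently with status 0, which hid a
           broken/mismatched Ken.dll from the user. */
        printf("在Ken.dll中找不到导出函数GetHDID或KXEN");
        FreeLibrary(hdll);
        return 1;
    }

    /* KXEN(GetHDID()).  The pushed argument is not popped after the call;
       this assumes the export cleans its own stack (stdcall-like) -- TODO
       confirm against Ken.dll.  The frame pointer restores esp on return
       either way, so a mismatch only costs 4 bytes of stack until then. */
    _asm
    {
        call [farFunctionGetHDID]
        push eax
        call [farFunctionKXEN]
        mov pSN, eax
    }

    if (pSN == NULL)
    {
        printf("KXEN未返回结果");
        FreeLibrary(hdll);
        return 1;
    }

    /* Measure the string first: the old code walked 20 characters back
       from the terminator unconditionally and read before the start of the
       buffer whenever KXEN returned fewer than 20 characters. */
    len = 0;
    while (pSN[len] != '\0')
        len++;
    take = (len < 20) ? len : 20;
    for (i = 0; i < take; i++)
        sn[i] = pSN[len - take + i];
    sn[take] = '\0';

    printf("注册码:%s", sn);
    getchar();

    /* Copied out of the DLL's memory above, so the library can go now. */
    FreeLibrary(hdll);
    return 0;
}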
原帖:http://bbs.pediy.com/showthread.php?t=10071
工具:od,vc
平台:winxpsp3
一、破
这个程序使用了显而易见的反调试代码,
00455751 |> \E8 FAFEFFFF call 00455650 ;反dede
00455756 |. E8 65FEFFFF call <jmp.&Ken.GetHDID>
0045575B |. 8BD0 mov edx, eax
0045575D |. 8D45 C8 lea eax, dword ptr [ebp-38]
00455760 |. E8 2BEAFAFF call 00404190
00455765 |. 8B55 C8 mov edx, dword ptr [ebp-38]
00455768 |. 8B86 08030000 mov eax, dword ptr [esi+308]
0045576E |. E8 B9EFFDFF call 0043472C
00455773 |. E8 10FEFFFF call <jmp.&Ken.IsSoftIce95Loaded>
00455778 |. 84C0 test al, al
0045577A |. 75 3F jnz short 004557BB
0045577C |. E8 0FFEFFFF call <jmp.&Ken.IsSoftIceNTLoaded>
00455781 |. 84C0 test al, al
00455783 |. 75 36 jnz short 004557BB
00455785 |. E8 0EFEFFFF call <jmp.&Ken.IsTRWLoaded>
0045578A |. 84C0 test al, al
0045578C |. 75 2D jnz short 004557BB
0045578E |. E8 05FEFFFF call <jmp.&Ken.IsTRWLoaded>
00455793 |. 84C0 test al, al
00455795 |. 75 24 jnz short 004557BB
00455797 |. E8 04FEFFFF call <jmp.&Ken.IsTRW2000Loaded>
0045579C |. 84C0 test al, al
0045579E |. 75 1B jnz short 004557BB
004557A0 |. E8 03FEFFFF call <jmp.&Ken.IsRegMONLoaded>
004557A5 |. 84C0 test al, al
004557A7 |. 75 12 jnz short 004557BB
004557A9 |. E8 02FEFFFF call <jmp.&Ken.IsFileMONLoaded>
004557AE |. 84C0 test al, al
004557B0 |. 75 09 jnz short 004557BB
004557B2 |. E8 01FEFFFF call <jmp.&Ken.IsBW2000Loaded>
004557B7 |. 84C0 test al, al
004557B9 |. 74 16 je short 004557D1
004557BB |> 6A 00 push 0 ; /lParam = 0
004557BD |. 6A 00 push 0 ; |wParam = 0
004557BF |. 6A 10 push 10 ; |Message = WM_CLOSE
004557C1 |. A1 98804500 mov eax, dword ptr [458098] ; |
004557C6 |. 8B00 mov eax, dword ptr [eax] ; |
004557C8 |. 8B40 30 mov eax, dword ptr [eax+30] ; |
004557CB |. 50 push eax ; |hWnd
004557CC |. E8 730FFBFF call <jmp.&user32.PostMessageA> ; \PostMessageA
可以看出没有针对od的代码,我使用od可以无视上述反调试代码。
00455897 |. 8B55 C0 mov edx, dword ptr [ebp-40]
0045589A |. 58 pop eax
0045589B |. E8 04EBFAFF call 004043A4 ;注册验证处
004558A0 |. 75 39 jnz short 004558DB ;爆破点
二、解
注册码 = 取尾部20个字符(ken.KXEN(序列号))
序列号 = ken.GetHDID
算法没有研究,又有些浮躁了,失去了学习的本心。下面是keygen:
#include "stdafx.h"
#include "windows.h"
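/*
 * Keygen for the bos1 CrackMe.
 *
 * Loads the target's own Ken.dll, resolves its GetHDID and KXEN exports,
 * feeds the GetHDID result to KXEN and prints the last 20 characters of the
 * KXEN result, which is what the target's registration check compares
 * against (see the analysis above).
 *
 * Returns 0 on success, 1 when Ken.dll cannot be loaded, an export is
 * missing, or KXEN returns no string.  argc/argv are unused.
 *
 * 32-bit MSVC only: the call sequence is done with inline asm because the
 * calling convention of the two exports is not known from this side.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    HMODULE hdll;
    FARPROC farFunctionGetHDID, farFunctionKXEN;
    char sn[21];            /* up to 20 tail characters plus the terminator */
    char *pSN = NULL;       /* result of KXEN; assumed to be a NUL-terminated
                               string owned by Ken.dll -- TODO confirm, it is
                               never freed here */
    size_t len, take, i;

    (void)argc;
    (void)argv;

    hdll = LoadLibrary(TEXT("Ken.dll"));
    if (hdll == NULL)
    {
        printf("Ken.dll加载失败,请确保程序运行目录里面包含Ken.dll文件");
        return 1;
    }

    farFunctionGetHDID = GetProcAddress(hdll, "GetHDID");
    farFunctionKXEN = (farFunctionGetHDID != NULL)
                      ? GetProcAddress(hdll, "KXEN")
                      : NULL;
    if (farFunctionGetHDID == NULL || farFunctionKXEN == NULL)
    {
        /* Previously this path exited silently with status 0, which hid a
           broken/mismatched Ken.dll from the user. */
        printf("在Ken.dll中找不到导出函数GetHDID或KXEN");
        FreeLibrary(hdll);
        return 1;
    }

    /* KXEN(GetHDID()).  The pushed argument is not popped after the call;
       this assumes the export cleans its own stack (stdcall-like) -- TODO
       confirm against Ken.dll.  The frame pointer restores esp on return
       either way, so a mismatch only costs 4 bytes of stack until then. */
    _asm
    {
        call [farFunctionGetHDID]
        push eax
        call [farFunctionKXEN]
        mov pSN, eax
    }

    if (pSN == NULL)
    {
        printf("KXEN未返回结果");
        FreeLibrary(hdll);
        return 1;
    }

    /* Measure the string first: the old code walked 20 characters back
       from the terminator unconditionally and read before the start of the
       buffer whenever KXEN returned fewer than 20 characters. */
    len = 0;
    while (pSN[len] != '\0')
        len++;
    take = (len < 20) ? len : 20;
    for (i = 0; i < take; i++)
        sn[i] = pSN[len - take + i];
    sn[take] = '\0';

    printf("注册码:%s", sn);
    getchar();

    /* Copied out of the DLL's memory above, so the library can go now. */
    FreeLibrary(hdll);
    return 0;
}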