[Title] crackme algorithm analysis (echap518)
[Author] 逍遥风
[Tools] PEiD, OD
[Platform] WinXP
------------------------------------------------------------------------
1) PEiD check: Microsoft Visual C++ 6.0, no packer.
2) Following the error message string leads straight to the code below.
004014B0 /. 55 PUSH EBP
004014B1 |. 8BEC MOV EBP,ESP
004014B3 |. 6A FF PUSH -1
004014B5 |. 68 C21B4000 PUSH echap518.00401BC2 ; SEH handler install
004014BA |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
004014C0 |. 50 PUSH EAX
004014C1 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
004014C8 |. 83EC 14 SUB ESP,14
004014CB |. 53 PUSH EBX
004014CC |. 56 PUSH ESI
004014CD |. 57 PUSH EDI
004014CE |. 894D E0 MOV DWORD PTR SS:[EBP-20],ECX
004014D1 |. 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
004014D4 |. E8 83030000 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
004014D9 |. C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
004014E0 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
004014E3 |. E8 74030000 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
004014E8 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
004014EC |. 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
004014EF |. 81C1 A0000000 ADD ECX,0A0
004014F5 |. E8 AA030000 CALL <JMP.&MFC42.#3876_?GetWindowTextLen>; get registration name length
004014FA |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
004014FD |. 837D EC 05 CMP DWORD PTR SS:[EBP-14],5 ; compare name length with 5
00401501 >|. 7F 05 JG SHORT echap518.00401508
00401503 |. E9 BB000000 JMP echap518.004015C3 ; not more than 5 characters: jump to failure
00401508 |> 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
0040150B |. 83C1 60 ADD ECX,60
0040150E |. E8 91030000 CALL <JMP.&MFC42.#3876_?GetWindowTextLen>; get serial length
00401513 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
00401516 |. 837D E8 05 CMP DWORD PTR SS:[EBP-18],5 ; compare serial length with 5
0040151A |. 7F 05 JG SHORT echap518.00401521 ; more than 5 characters: go on to the computation
0040151C |. E9 A2000000 JMP echap518.004015C3 ; not more than 5 characters: failure
00401521 |> 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00401524 |. 05 E0000000 ADD EAX,0E0
00401529 |. 50 PUSH EAX
0040152A |. 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
0040152D |. 81C1 A0000000 ADD ECX,0A0
00401533 |. E8 66030000 CALL <JMP.&MFC42.#3874_?GetWindowTextA@C>; get registration name
00401538 |. 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
0040153B |. 81C1 E4000000 ADD ECX,0E4
00401541 |. 51 PUSH ECX
00401542 |. 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
00401545 |. 83C1 60 ADD ECX,60
00401548 |. E8 51030000 CALL <JMP.&MFC42.#3874_?GetWindowTextA@C>; get serial
0040154D |. 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
00401550 |. 81C2 E0000000 ADD EDX,0E0
00401556 |. 52 PUSH EDX
00401557 |. 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
0040155A |. E8 39030000 CALL <JMP.&MFC42.#858_??4CString@@QAEABV>
0040155F |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
00401562 |. 05 E4000000 ADD EAX,0E4
00401567 |. 50 PUSH EAX
00401568 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0040156B |. E8 28030000 CALL <JMP.&MFC42.#858_??4CString@@QAEABV>
00401570 |. 33C0 XOR EAX,EAX ; clear EAX
00401572 |. 33DB XOR EBX,EBX ; clear EBX
00401574 |. 33C9 XOR ECX,ECX ; clear ECX
00401576 |. B9 01000000 MOV ECX,1 ; set ECX = 1
0040157B |. 33D2 XOR EDX,EDX ; clear EDX
0040157D |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00401580 |> 8A18 /MOV BL,BYTE PTR DS:[EAX] ; load the hex value of each name byte
00401582 |. 32D9 |XOR BL,CL ; XOR each name byte with its position number (1, 2, 3, ...)
00401584 |. 8818 |MOV BYTE PTR DS:[EAX],BL ; store the result back as the character for that position
00401586 |. 41 |INC ECX ; ECX+1 after each round
00401587 |. 40 |INC EAX ; EAX+1 after each round
00401588 |. 8038 00 |CMP BYTE PTR DS:[EAX],0
0040158B |.^ 75 F3 \JNZ SHORT echap518.00401580 ; the results form string A
0040158D |. 33C0 XOR EAX,EAX
0040158F |. 33DB XOR EBX,EBX
00401591 |. 33C9 XOR ECX,ECX
00401593 |. B9 0A000000 MOV ECX,0A ; set ECX = 0A (hex)
00401598 |. 33D2 XOR EDX,EDX
0040159A |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
0040159D |> 8A18 /MOV BL,BYTE PTR DS:[EAX] ; load the hex value of each serial byte
0040159F |. 32D9 |XOR BL,CL ; XOR each serial byte with 0A, 0B, 0C, ... (hex)
004015A1 |. 8818 |MOV BYTE PTR DS:[EAX],BL ; store the result back as the character for that position
004015A3 |. 41 |INC ECX ; ECX+1 after each round
004015A4 |. 40 |INC EAX ; EAX+1 after each round
004015A5 |. 8038 00 |CMP BYTE PTR DS:[EAX],0
004015A8 |.^ 75 F3 \JNZ SHORT echap518.0040159D
004015AA |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] ; the results form string B
004015AD |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
004015B0 |> 33C9 /XOR ECX,ECX
004015B2 |. 8A18 |MOV BL,BYTE PTR DS:[EAX] ; compare string A with string B byte by byte; all equal means success
004015B4 |. 8A0A |MOV CL,BYTE PTR DS:[EDX]
004015B6 |. 3AD9 |CMP BL,CL
004015B8 |. 75 09 |JNZ SHORT echap518.004015C3 ; any mismatch means failure
004015BA |. 40 |INC EAX
004015BB |. 42 |INC EDX
004015BC |. 8038 00 |CMP BYTE PTR DS:[EAX],0
004015BF |.^ 75 EF \JNZ SHORT echap518.004015B0
004015C1 |. EB 16 JMP SHORT echap518.004015D9
004015C3 |> 6A 00 PUSH 0
004015C5 |. 68 6C304000 PUSH echap518.0040306C ; error
004015CA |. 68 40304000 PUSH echap518.00403040 ; one of the details you entered was wrong
004015CF |. 8B4D E0 MOV ECX,DWORD PTR SS:[EBP-20]
004015D2 |. E8 BB020000 CALL <JMP.&MFC42.#4224_?MessageBoxA@CWnd>
004015D7 |. EB 14 JMP SHORT echap518.004015ED
004015D9 |> 6A 00 PUSH 0
004015DB |. 68 34304000 PUSH echap518.00403034 ; you did it
004015E0 |. 68 20304000 PUSH echap518.00403020 ; well done,cracker
------------------------------------------------------------------------
Algorithm summary:
1) Both the registration name and the serial must be longer than 5 characters.
2) F1(name) must equal F2(serial).
3) The algorithm on the name: XOR the hex value of each name byte with its position number (1, 2, 3, ...) and take the character corresponding to the result. Call the result A.
4) The algorithm on the serial: XOR the hex value of each serial byte with 0A, 0B, 0C, 0D, 0E, 0F, ... (hex) in turn and take the character corresponding to the result. Call the result B.
5) Compare A and B byte by byte.
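To double-check the summary above, here is a Python model of the check routine (added here; it is not code from the crackme or from the author). It reproduces the two XOR loops and the compare loop with the same termination rules as the disassembly, and derives the serial that satisfies F1(name) = F2(serial); the sample name "abcdef" is a constructed input. The model also shows a weakness of the compare loop: it stops at string A's terminator only, so any serial whose prefix matches is accepted.

```python
def _xor_walk(buf: bytes, start: int) -> bytes:
    """Model of the loops at 00401580 (start=1) and 0040159D (start=0x0A).

    Each byte is XORed with an 8-bit counter that starts at `start`
    and increments once per byte (CL wraps at 0xFF).
    """
    return bytes(b ^ ((start + i) & 0xFF) for i, b in enumerate(buf))


def check(name: bytes, serial: bytes) -> bool:
    """Return True when the crackme would show 'you did it'."""
    # Length checks: JG at 00401501 / 0040151A, so 5 or fewer fails.
    if len(name) <= 5 or len(serial) <= 5:
        return False
    a = _xor_walk(name, 1)       # string A
    b = _xor_walk(serial, 0x0A)  # string B
    # Compare loop at 004015B0: do-while that only tests A's next byte,
    # so extra bytes in B are never looked at.
    i = 0
    while True:
        b_byte = b[i] if i < len(b) else 0  # past B's end reads its NUL terminator
        if a[i] != b_byte:
            return False
        i += 1
        if i >= len(a) or a[i] == 0:
            return True


def expected_serial(name: bytes) -> bytes:
    """Solve F1(name) = F2(serial) byte by byte.

    name[i] ^ (1+i) == serial[i] ^ (0x0A+i)  =>  serial[i] = name[i] ^ (1+i) ^ (0x0A+i)
    """
    return bytes(c ^ ((1 + i) & 0xFF) ^ ((0x0A + i) & 0xFF) for i, c in enumerate(name))


if __name__ == "__main__":
    name = b"abcdef"  # constructed sample input
    serial = expected_serial(name)
    print(serial)                              # b'jklmno'
    print(check(name, serial))                 # True
    print(check(name, serial + b"XYZ"))        # True: trailing bytes are never compared
    print(check(name, b"jklmnx"))              # False: last byte differs
```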