【软件名称】lnn1123's Crackme V 0.1
【下载地址】进入OCN后http://ocn.e5v.com/bbs1/attachment.php?aid=1692&checkid=1da54&download=1(注册机压缩包也有)
【应用平台】Win9x/NT/2000/XP
【软件大小】12K
【软件限制】序列号保护
【破 解 者】HappyTown
【破解声明】算不上密码学的一个Crackme(注意:它用的“MD5”是改过初值和若干轮常数的变种,标准MD5库算不出相同的散列,注册机必须按反汇编自行实现),顺祝PEdiy蒸蒸日上。
【破解工具】OD,Peid,Windows自带计算器
【注册机下载】破文下边
【软件简介】不要爆破,不要内存注册机,只要真正的KeyGen(其实很简单)
============================================================
【分析过程】
00401B06 E8 77010000 call <jmp.&user32.GetDlgItemTextA> ; reads the name into the buffer at [ebp-100] (argument pushes not shown: the dialog procedure starts before this excerpt)
00401B0B 8D85 00FFFFFF lea eax,dword ptr ss:[ebp-100]
00401B11 50 push eax
00401B12 E8 A7010000 call <jmp.&kernel32.lstrlenA> ; eax = strlen(name)
00401B17 8D95 F8FDFFFF lea edx,dword ptr ss:[ebp-208]
00401B1D 52 push edx ; arg3: 16-byte output buffer that receives the 4 state words A,B,C,D
00401B1E 50 push eax ; arg2: name length
00401B1F 8D85 00FFFFFF lea eax,dword ptr ss:[ebp-100]
00401B25 50 push eax ; arg1: name buffer; the callee also overwrites it with the 32-char hex digest (see the wsprintfA at its end)
00401B26 E8 D5F4FFFF call Crackme.00401000 ; modified MD5 of the name ("happy" in this run): the IV and several round constants differ from RFC 1321, so a stock MD5 library will not reproduce the value
{
00401000 55 push ebp ; Crackme.00401000 -- modified MD5 of the name, stdcall(name=[ebp+8], len=[ebp+C], state_out=[ebp+10]); writes the 4 state words to state_out and the 32-char hex digest over the name buffer itself
00401001 8BEC mov ebp,esp
00401003 83C4 F0 add esp,-10 ; 16 bytes of locals: [ebp-4]=A, [ebp-8]=B, [ebp-C]=C, [ebp-10]=D
00401006 60 pushad
00401007 8B7D 08 mov edi,dword ptr ss:[ebp+8] ; edi = name buffer; it is also used in place as the 64-byte message block
...... ; elided in the write-up: presumably the RFC 1321 padding (0x80 byte + zero fill) that advances edi -- not visible here, verify against the binary
00401040 8947 F8 mov dword ptr ds:[edi-8],eax ; presumably the 64-bit bit-length (eax:edx) stored in the last 8 bytes of the padded block
00401043 8957 FC mov dword ptr ds:[edi-4],edx
00401046 8B55 0C mov edx,dword ptr ss:[ebp+C] ; edx = name length
00401049 8B7D 08 mov edi,dword ptr ss:[ebp+8] ; edi = message block: M[i] is read from [edi+4*i] below (only one block is processed in the visible code; names >= 56 bytes would need a second block -- verify)
0040104C 8B75 10 mov esi,dword ptr ss:[ebp+10] ; esi = state_out
0040104F C706 23118619 mov dword ptr ds:[esi],19861123 ; A0 REPLACED (RFC 1321: 67452301)
00401055 C746 04 88888888 mov dword ptr ds:[esi+4],88888888 ; B0 REPLACED (RFC 1321: EFCDAB89)
0040105C C746 08 21110420 mov dword ptr ds:[esi+8],20041121 ; C0 REPLACED (RFC 1321: 98BADCFE)
00401063 C746 0C 55555555 mov dword ptr ds:[esi+C],55555555 ; D0 REPLACED (RFC 1321: 10325476)
0040106A 8B06 mov eax,dword ptr ds:[esi] ; copy the IV into the working locals A,B,C,D
0040106C 8945 FC mov dword ptr ss:[ebp-4],eax
0040106F 8B46 04 mov eax,dword ptr ds:[esi+4]
00401072 8945 F8 mov dword ptr ss:[ebp-8],eax
00401075 8B46 08 mov eax,dword ptr ds:[esi+8]
00401078 8945 F4 mov dword ptr ss:[ebp-C],eax
0040107B 8B46 0C mov eax,dword ptr ds:[esi+C]
0040107E 8945 F0 mov dword ptr ss:[ebp-10],eax
00401081 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; --- round 1, step 1: A = B + rol(A + F(B,C,D) + M[0] + T[1], 7)
00401084 8B5D F4 mov ebx,dword ptr ss:[ebp-C]
00401087 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
0040108A 23D8 and ebx,eax ; B & C
0040108C F7D0 not eax
0040108E 23C1 and eax,ecx ; ~B & D
00401090 0BC3 or eax,ebx ; F(B,C,D) = (B & C) | (~B & D)
00401092 0345 FC add eax,dword ptr ss:[ebp-4] ; + A
00401095 0307 add eax,dword ptr ds:[edi] ; + M[0]
00401097 05 896745D5 add eax,D5456789 ; T[1] REPLACED (RFC 1321: D76AA478)
0040109C B1 07 mov cl,7
0040109E D3C0 rol eax,cl ; rol 7
004010A0 0345 F8 add eax,dword ptr ss:[ebp-8] ; + B
004010A3 8945 FC mov dword ptr ss:[ebp-4],eax ; -> A
004010A6 8B45 FC mov eax,dword ptr ss:[ebp-4] ; --- step 2: D = A + rol(D + F(A,B,C) + M[1] + T[2], 12)
004010A9 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
004010AC 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
004010AF 23D8 and ebx,eax
004010B1 F7D0 not eax
004010B3 23C1 and eax,ecx
004010B5 0BC3 or eax,ebx ; F(A,B,C)
004010B7 0345 F0 add eax,dword ptr ss:[ebp-10] ; + D
004010BA 0347 04 add eax,dword ptr ds:[edi+4] ; + M[1]
004010BD 05 56B7C7E8 add eax,E8C7B756 ; T[2] unchanged
004010C2 B1 0C mov cl,0C
004010C4 D3C0 rol eax,cl
...... ; steps 2 (tail) .. 15 elided: only the visible constants are annotated here, diff every T[] in the binary against RFC 1321 before trusting a keygen
004012CB 0345 F8 add eax,dword ptr ss:[ebp-8] ; --- tail of step 16: B = C + rol(B + F(..) + M[15] + T[16], 22) (F() inputs elided above)
004012CE 0347 3C add eax,dword ptr ds:[edi+3C] ; + M[15]
004012D1 05 2108B449 add eax,49B40821 ; T[16] unchanged
004012D6 B1 16 mov cl,16
004012D8 D3C0 rol eax,cl
004012DA 0345 F4 add eax,dword ptr ss:[ebp-C] ; + C
004012DD 8945 F8 mov dword ptr ss:[ebp-8],eax ; -> B
004012E0 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; --- round 2, step 17: A = B + rol(A + G(B,C,D) + M[1] + T[17], 5)
004012E3 8B5D F4 mov ebx,dword ptr ss:[ebp-C]
004012E6 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
004012E9 23C1 and eax,ecx ; B & D
004012EB F7D1 not ecx
004012ED 23CB and ecx,ebx ; C & ~D
004012EF 0BC1 or eax,ecx ; G(B,C,D) = (B & D) | (C & ~D)
004012F1 0345 FC add eax,dword ptr ss:[ebp-4] ; + A
004012F4 0347 04 add eax,dword ptr ds:[edi+4] ; + M[1]
004012F7 05 896754E2 add eax,E2546789 ; T[17] REPLACED (RFC 1321: F61E2562)
004012FC B1 05 mov cl,5
004012FE D3C0 rol eax,cl
00401300 0345 F8 add eax,dword ptr ss:[ebp-8] ; + B
00401303 8945 FC mov dword ptr ss:[ebp-4],eax ; -> A
00401306 8B45 FC mov eax,dword ptr ss:[ebp-4] ; --- step 18: D = A + rol(D + G(A,B,C) + M[6] + T[18], 9)
00401309 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
0040130C 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
0040130F 23C1 and eax,ecx
00401311 F7D1 not ecx
00401313 23CB and ecx,ebx
00401315 0BC1 or eax,ecx ; G(A,B,C)
00401317 0345 F0 add eax,dword ptr ss:[ebp-10] ; + D
0040131A 0347 18 add eax,dword ptr ds:[edi+18] ; + M[6]
0040131D 05 40B340C0 add eax,C040B340 ; T[18] unchanged
00401322 B1 09 mov cl,9
00401324 D3C0 rol eax,cl
00401326 0345 FC add eax,dword ptr ss:[ebp-4] ; + A
00401329 8945 F0 mov dword ptr ss:[ebp-10],eax ; -> D
......... ; steps 19 .. 31 elided
0040152A 0345 F8 add eax,dword ptr ss:[ebp-8] ; --- tail of step 32: B = C + rol(B + G(..) + M[12] + T[32], 20)
0040152D 0347 30 add eax,dword ptr ds:[edi+30] ; + M[12]
00401530 05 8A4C2A8D add eax,8D2A4C8A ; T[32] unchanged
00401535 B1 14 mov cl,14
00401537 D3C0 rol eax,cl
00401539 0345 F4 add eax,dword ptr ss:[ebp-C] ; + C
0040153C 8945 F8 mov dword ptr ss:[ebp-8],eax ; -> B
0040153F 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; --- round 3, step 33: A = B + rol(A + H(B,C,D) + M[5] + T[33], 4)
00401542 8B5D F4 mov ebx,dword ptr ss:[ebp-C]
00401545 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
00401548 33C3 xor eax,ebx
0040154A 33C1 xor eax,ecx ; H(B,C,D) = B ^ C ^ D
0040154C 0345 FC add eax,dword ptr ss:[ebp-4] ; + A
0040154F 0347 14 add eax,dword ptr ds:[edi+14] ; + M[5]
00401552 05 7926E1EE add eax,EEE12679 ; T[33] REPLACED (RFC 1321: FFFA3942)
00401557 B1 04 mov cl,4
00401559 D3C0 rol eax,cl
0040155B 0345 F8 add eax,dword ptr ss:[ebp-8] ; + B
0040155E 8945 FC mov dword ptr ss:[ebp-4],eax ; -> A
00401561 8B45 FC mov eax,dword ptr ss:[ebp-4] ; --- step 34: D = A + rol(D + H(A,B,C) + M[8] + T[34], 11)
00401564 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
00401567 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
0040156A 33C3 xor eax,ebx
0040156C 33C1 xor eax,ecx ; H(A,B,C)
0040156E 0345 F0 add eax,dword ptr ss:[ebp-10] ; + D
00401571 0347 20 add eax,dword ptr ds:[edi+20] ; + M[8]
00401574 05 81F67187 add eax,8771F681 ; T[34] unchanged
00401579 B1 0B mov cl,0B
0040157B D3C0 rol eax,cl
0040157D 0345 FC add eax,dword ptr ss:[ebp-4] ; + A
00401580 8945 F0 mov dword ptr ss:[ebp-10],eax ; -> D
00401583 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; --- step 35: C = D + rol(C + H(D,A,B) + M[11] + T[35], ..) (shift and store elided below)
00401586 8B5D FC mov ebx,dword ptr ss:[ebp-4]
00401589 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
0040158C 33C3 xor eax,ebx
0040158E 33C1 xor eax,ecx ; H(D,A,B)
00401590 0345 F4 add eax,dword ptr ss:[ebp-C] ; + C
00401593 0347 2C add eax,dword ptr ds:[edi+2C] ; + M[11]
00401596 05 22619D6D add eax,6D9D6122 ; T[35] unchanged
......... ; steps 35 (tail) .. 47 elided
00401745 33C3 xor eax,ebx ; --- tail of step 48: B = C + rol(B + H(..) + M[2] + T[48], 23)
00401747 33C1 xor eax,ecx
00401749 0345 F8 add eax,dword ptr ss:[ebp-8] ; + B
0040174C 0347 08 add eax,dword ptr ds:[edi+8] ; + M[2]
0040174F 05 6556ACC4 add eax,C4AC5665 ; T[48] unchanged
00401754 B1 17 mov cl,17
00401756 D3C0 rol eax,cl
00401758 0345 F4 add eax,dword ptr ss:[ebp-C] ; + C
0040175B 8945 F8 mov dword ptr ss:[ebp-8],eax ; -> B
0040175E 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; --- round 4, step 49: A = B + rol(A + I(B,C,D) + M[0] + T[49], 6)
00401761 8B5D F4 mov ebx,dword ptr ss:[ebp-C]
00401764 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
00401767 F7D1 not ecx ; ~D
00401769 0BC1 or eax,ecx ; B | ~D
0040176B 33C3 xor eax,ebx ; I(B,C,D) = C ^ (B | ~D)
0040176D 0345 FC add eax,dword ptr ss:[ebp-4] ; + A
00401770 0307 add eax,dword ptr ds:[edi] ; + M[0]
00401772 05 419678D5 add eax,D5789641 ; T[49] REPLACED (RFC 1321: F4292244)
00401777 B1 06 mov cl,6
00401779 D3C0 rol eax,cl
0040177B 0345 F8 add eax,dword ptr ss:[ebp-8] ; + B
0040177E 8945 FC mov dword ptr ss:[ebp-4],eax ; -> A
00401781 8B45 FC mov eax,dword ptr ss:[ebp-4] ; --- step 50: D = A + rol(D + I(A,B,C) + M[7] + T[50], 10)
00401784 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
00401787 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
0040178A F7D1 not ecx
0040178C 0BC1 or eax,ecx
0040178E 33C3 xor eax,ebx ; I(A,B,C)
00401790 0345 F0 add eax,dword ptr ss:[ebp-10] ; + D
00401793 0347 1C add eax,dword ptr ds:[edi+1C] ; + M[7]
00401796 05 97FF2A43 add eax,432AFF97 ; T[50] unchanged
0040179B B1 0A mov cl,0A
0040179D D3C0 rol eax,cl
0040179F 0345 FC add eax,dword ptr ss:[ebp-4] ; + A
004017A2 8945 F0 mov dword ptr ss:[ebp-10],eax ; -> D
004017A5 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; --- step 51: C = D + rol(C + I(D,A,B) + ..) (rest elided)
004017A8 8B5D FC mov ebx,dword ptr ss:[ebp-4]
004017AB 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
004017AE F7D1 not ecx
004017B0 0BC1 or eax,ecx
004017B2 33C3 xor eax,ebx ; I(D,A,B)
004017B4 0345 F4 add eax,dword ptr ss:[ebp-C] ; + C
....... ; steps 51 (tail) .. 64 and the final "state += A,B,C,D" add-back elided -- the add-back is not visible here, confirm it exists before relying on it
004019D8 FF76 0C push dword ptr ds:[esi+C] ; wsprintfA(name_buf, "%.8x%.8x%.8x%.8x", state[0], state[1], state[2], state[3])
004019DB FF76 08 push dword ptr ds:[esi+8]
004019DE FF76 04 push dword ptr ds:[esi+4]
004019E1 FF36 push dword ptr ds:[esi]
004019E3 68 08304000 push Crackme.00403008 ; ASCII "%.8x%.8x%.8x%.8x" -- each state word is printed as a 32-bit value, NOT the RFC 1321 digest byte order (which emits each word's bytes little-endian first); a keygen must print the words directly, not a library hexdigest
004019E8 FF75 08 push dword ptr ss:[ebp+8] ; destination = the caller's name buffer, overwritten with the 32-char digest
004019EB E8 74020000 call <jmp.&user32.wsprintfA>
004019F0 83C4 18 add esp,18 ; cdecl: pop the 6 arguments
004019F3 61 popad
004019F4 C9 leave
004019F5 C2 0C00 retn 0C ; stdcall: 3 arguments
}
00401B2B 833D 2C304000 00 cmp dword ptr ds:[40302C],0 ; [40302C] holds the address of the lnn1123 routine at 003E100C; if it is NULL (helper module not loaded) the serial check below is bypassed by the jump
00401B32 0F84 97000000 je Crackme.00401BCF ; target not shown in this excerpt
00401B38 8D85 00FFFFFF lea eax,dword ptr ss:[ebp-100] ; [ebp-100] now holds the 32-char hex digest written by 00401000
00401B3E 50 push eax ; arg2: digest string
00401B3F FF35 20304000 push dword ptr ds:[403020] ; arg1: same value later passed as hDlg to GetDlgItemTextA
00401B45 FF15 2C304000 call dword ptr ds:[40302C] ; uppercases the digest in place and folds it into a 32-bit value in eax (see 003E100C below)
{
003E100C > 55 push ebp ; lnn1123 export: fold(arg1=[ebp+8] (not referenced in the visible body), str=[ebp+C]) -> eax; stdcall, retn 8
003E100D 8BEC mov ebp,esp
003E100F 83C4 F8 add esp,-8 ; 8 bytes of locals reserved but not referenced in the visible code
003E1012 53 push ebx
003E1013 57 push edi
003E1014 56 push esi
003E1015 52 push edx
003E1016 FF75 0C push dword ptr ss:[ebp+C]
003E1019 E8 5E000000 call lnn1123.003E107C ; helper not shown; whether it modifies the string is not visible here -- check it before writing a keygen
003E101E FF75 0C push dword ptr ss:[ebp+C]
003E1021 E8 4E000000 call <jmp.&kernel32.lstrlenA>
003E1026 50 push eax
003E1027 FF75 0C push dword ptr ss:[ebp+C]
003E102A E8 3F000000 call <jmp.&user32.CharUpperBuffA> ; uppercase the hex digest in place: a keygen must use uppercase A-F before folding
003E102F FF75 0C push dword ptr ss:[ebp+C]
003E1032 E8 3D000000 call <jmp.&kernel32.lstrlenA> ; eax = digest length in bytes (32 for a 128-bit hex digest) = loop count
003E1037 33C9 xor ecx,ecx ; ecx = byte offset i
003E1039 33DB xor ebx,ebx ; ebx = running 32-bit hash h
003E103B C1E3 04 shl ebx,4 ; h <<= 4   (e.g. 01424376 -> 14243760)
003E103E 33D2 xor edx,edx
003E1040 8B7D 0C mov edi,dword ptr ss:[ebp+C] ; e.g. 6CBA7398473A8BED4980D3EBF4385F97
003E1043 8B1439 mov edx,dword ptr ds:[ecx+edi] ; NOTE: reads a whole DWORD at str+i (overlapping windows), not one byte: 41424336 ("6CBA"), 37414243 ("CBA7"), ... ; the last three iterations read past the NUL terminator, so the result depends on the bytes after the string being zero -- a keygen must zero-pad its buffer
37394635 (79F5),00373946,00003739,00000037
003E1046 03DA add ebx,edx ; h += dword   (0+41424336, 14243760+37414243=4B6579A3, ...)
EB1B2380 + 37394635=225469B5
003E1048 8BD3 mov edx,ebx
003E104A 81E2 000000F0 and edx,F0000000 ; edx = top nibble of h (40000000, 40000000, ... 20000000)
003E1050 85D2 test edx,edx
003E1052 74 07 je short lnn1123.003E105B ; top nibble clear -> nothing to fold back
003E1054 8BF2 mov esi,edx
003E1056 C1EE 18 shr esi,18 ; esi = top nibble >> 24 (00000040, ... 00000020)
003E1059 33DE xor ebx,esi ; h ^= (h & F0000000) >> 24   (41424336 ^ 40 = 41424376, ...) -- same shape as the PJW/ELF string hash, but over DWORD reads
4B6579A3 XOR 40=4B6579E3,...225469B5 XOR 20=22546995
003E105B F7D2 not edx ; edx = ~(top nibble) (BFFFFFFF, ... DFFFFFFF)
003E105D 23DA and ebx,edx ; h &= ~(h & F0000000): clear the top nibble (41424376 -> 01424376, ...)
4B6579E3 AND BFFFFFFF=0B6579E3,...22546995 AND DFFFFFFF=02546995
003E105F 41 inc ecx ; i++
003E1060 3BC8 cmp ecx,eax
003E1062 ^ 75 D7 jnz short lnn1123.003E103B ; loop while i < len
003E1064 8BC3 mov eax,ebx ; return h: the 32-bit value the typed serial is compared against
003E1066 5A pop edx
003E1067 5E pop esi
003E1068 5F pop edi
003E1069 5B pop ebx
003E106A C9 leave
003E106B C2 0800 retn 8
}
00401B4B 50 push eax ; eax = 32-bit fold of the digest (0DD62CB7 for "happy"); saved across the calls below
00401B4C 8D85 00FFFFFF lea eax,dword ptr ss:[ebp-100]
00401B52 68 00010000 push 100 ; cchMax = 0x100; the buffer [ebp-100] is reused for the typed serial
00401B57 50 push eax ; lpString
00401B58 68 F1030000 push 3F1 ; control id of the serial edit box
00401B5D FF35 20304000 push dword ptr ds:[403020] ; hDlg
00401B63 E8 1A010000 call <jmp.&user32.GetDlgItemTextA>
00401B68 8D85 00FFFFFF lea eax,dword ptr ss:[ebp-100]
00401B6E 50 push eax
00401B6F E8 50010000 call Crackme.00401CC4 ; converts the typed serial to a 32-bit value (body not shown). The write-up calls it irrelevant, but it defines the serial format: the author's example serial 87654321 shows up verbatim as 0x87654321 below, so it presumably parses hex digits -- confirm before writing the keygen
00401B74 8BD8 mov ebx,eax ; ebx = parsed serial
00401B76 58 pop eax ; restore the expected value
00401B77 3BC3 cmp eax,ebx ; expected vs typed (cmp 0DD62CB7,87654321 in the author's run): a plain 32-bit equality, so the serial is just the 8 hex digits of the fold
00401B79 75 3F jnz short Crackme.00401BBA ; mismatch -> failure path (not shown)
00401B7B 6A 40 push 40 ; MB_ICONINFORMATION
00401B7D 68 E3204000 push Crackme.004020E3 ; ASCII "CracKmE"
00401B82 68 B6204000 push Crackme.004020B6 ; ASCII "Good,Register Success!"
00401B87 6A 00 push 0
00401B89 E8 00010000 call <jmp.&user32.MessageBoxA>
======================================================================
【分析总结】
对于初次认识MD5的Cracker可能会有些帮助。写注册机时要注意几点:(1)初值A/B/C/D以及每一轮第一步的常数T[1]、T[17]、T[33]、T[49]都被替换了(上面只列出了可见部分,省略号处的步骤也应逐一与标准常数核对);(2)散列是用"%.8x"逐个打印4个状态字,字节顺序与标准MD5的十六进制串不同,不能直接用库的hexdigest;(3)DLL中的折叠函数先把散列转成大写,再按每次读取4字节、每步左移4位并把最高4位异或回低位后清除的方式压成32位,最后3次读取越过了字符串结尾,所以缓冲区必须用0填充;(4)最后只是把这个32位值与输入的序列号做一次相等比较,序列号就是它的8位十六进制,有效密钥空间只有32位。
======================================================================
【版权信息】
CopyLeft(仅限于本破文)
2006-3-16