大家是不是嫌简单呢,那我来做一下这个练习把.
______________________________________________________________________________________________________________
【作者时间】:4nil[DFCG] / May-24-2006
【软件介绍】:HappyTown兄弟的crackme_13,主要锻炼crc算法.
【原帖地址】:http://bbs.pediy.com/showthread.php?threadid=26103
【软件限制】:注册码
【作者声明】:初学Crack,只是感兴趣,没有其它目的。失误之处敬请诸位大侠赐教!
【破解工具】:Ollydbg1.08 + VC6
【破解过程】:
OD载入,点右键搜索字符串。
发现"GOOD JOB, MAN!",往上看,直到下面代码中的2个GetDlgItemTextA,这个一般就是取用户名和注册码
F9运行程序。
----------------------------------反汇编代码开始,就在这里下断点--------------------------------------
00401168 |. 0F85 50020000 JNZ CrackMe_.004013BE
0040116E |. 68 FF000000 PUSH 0FF ; /Count = FF (255.)
00401173 |. 68 8C344000 PUSH CrackMe_.0040348C ; |Buffer = CrackMe_.0040348C
00401178 |. 68 EC030000 PUSH 3EC ; |ControlID = 3EC (1004.)
0040117D |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401180 |. E8 6D020000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00401185 |. 83F8 04 CMP EAX,4
00401188 |. 73 05 JNB SHORT CrackMe_.0040118F
0040118A |. E9 11020000 JMP CrackMe_.004013A0
0040118F |> A3 8F354000 MOV DWORD PTR DS:[40358F],EAX
00401194 |. 68 FF000000 PUSH 0FF ; /Count = FF (255.)
00401199 |. 68 93354000 PUSH CrackMe_.00403593 ; |Buffer = CrackMe_.00403593
0040119E |. 68 ED030000 PUSH 3ED ; |ControlID = 3ED (1005.)
004011A3 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004011A6 |. E8 47020000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
004011AB |. BA 1B344000 MOV EDX,CrackMe_.0040341B //上面2个GetDlgItemTextA取用户名和注册码
004011B0 |. 8902 MOV DWORD PTR DS:[EDX],EAX
004011B2 |. E8 49FEFFFF CALL CrackMe_.00401000
004011B7 |. 8D1D 1B344000 LEA EBX,DWORD PTR DS:[40341B] //注册码长度(穷举得到为26位)
004011BD |. E8 78FEFFFF CALL CrackMe_.0040103A //CRC32
004011C2 |. 3D F716602F CMP EAX,2F6016F7
004011C7 |. 0F85 D3010000 JNZ CrackMe_.004013A0
004011CD |. 6A 08 PUSH 8 ; /Length = 8
004011CF |. 68 7F344000 PUSH CrackMe_.0040347F ; |Destination = CrackMe_.0040347F
004011D4 |. E8 FB010000 CALL <JMP.&kernel32.RtlZeroMemory> ; \RtlZeroMemory
004011D9 |. 8D05 93354000 LEA EAX,DWORD PTR DS:[403593]
004011DF |. 83C0 08 ADD EAX,8
004011E2 |. 8A18 MOV BL,BYTE PTR DS:[EAX]
004011E4 |. 8D15 7F344000 LEA EDX,DWORD PTR DS:[40347F]
004011EA |. 881A MOV BYTE PTR DS:[EDX],BL
004011EC |. 42 INC EDX
004011ED |. 83C0 09 ADD EAX,9
004011F0 |. 8A18 MOV BL,BYTE PTR DS:[EAX]
004011F2 |. 881A MOV BYTE PTR DS:[EDX],BL
004011F4 |. E8 07FEFFFF CALL CrackMe_.00401000
004011F9 |. 8D1D 7F344000 LEA EBX,DWORD PTR DS:[40347F] //注册码第9和第18位连接起来的字符串(穷举得到为"--")
004011FF |. E8 36FEFFFF CALL CrackMe_.0040103A //CRC32
--------------------------------CALL CrackMe_.0040103A begin------------------------------------
0040103A /$ B8 FFFFFFFF MOV EAX,-1
0040103F |. 0BDB OR EBX,EBX
00401041 |. 74 18 JE SHORT CrackMe_.0040105B
00401043 |> 8A13 /MOV DL,BYTE PTR DS:[EBX]
00401045 |. 0AD2 |OR DL,DL
00401047 |. 74 12 |JE SHORT CrackMe_.0040105B
00401049 |. 32D0 |XOR DL,AL
0040104B |. 0FB6D2 |MOVZX EDX,DL
0040104E |. C1E8 08 |SHR EAX,8
00401051 |. 330495 1B3040>|XOR EAX,DWORD PTR DS:[EDX*4+40301B] //40301B是CRC32_table的开始地址。大小为0xFF*4, 我们DUMP下来一会用。
00401058 |. 43 |INC EBX
00401059 |.^ EB E8 \JMP SHORT CrackMe_.00401043
0040105B |> F7D0 NOT EAX
0040105D \. C3 RETN
--------------------------------CALL CrackMe_.0040103A end---------------------------------------
00401204 |. 3D 65142C24 CMP EAX,242C1465
00401209 |. 0F85 91010000 JNZ CrackMe_.004013A0
0040120F |. 6A 0A PUSH 0A ; /Length = A (10.)
00401211 |. 8D45 EA LEA EAX,DWORD PTR SS:[EBP-16] ; |
00401214 |. 50 PUSH EAX ; |Destination
00401215 |. E8 BA010000 CALL <JMP.&kernel32.RtlZeroMemory> ; \RtlZeroMemory
0040121A |. 6A 0A PUSH 0A ; /Length = A (10.)
0040121C |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20] ; |
0040121F |. 50 PUSH EAX ; |Destination
00401220 |. E8 AF010000 CALL <JMP.&kernel32.RtlZeroMemory> ; \RtlZeroMemory
00401225 |. 33C9 XOR ECX,ECX
00401227 |. 8D05 93354000 LEA EAX,DWORD PTR DS:[403593]
0040122D |> 8A1401 /MOV DL,BYTE PTR DS:[ECX+EAX]
00401230 |. 80FA 39 |CMP DL,39
00401233 |. 76 05 |JBE SHORT CrackMe_.0040123A
00401235 |. 80FA 41 |CMP DL,41
00401238 |. 72 0A |JB SHORT CrackMe_.00401244
0040123A |> 80FA 30 |CMP DL,30
0040123D |. 72 05 |JB SHORT CrackMe_.00401244
0040123F |. 80FA 46 |CMP DL,46
00401242 |. 76 05 |JBE SHORT CrackMe_.00401249
00401244 |> E9 57010000 |JMP CrackMe_.004013A0
00401249 |> 41 |INC ECX
0040124A |. 83F9 08 |CMP ECX,8
0040124D |.^ 75 DE \JNZ SHORT CrackMe_.0040122D
0040124F |. 33C9 XOR ECX,ECX
00401251 |. 33DB XOR EBX,EBX
00401253 |. 8D75 EA LEA ESI,DWORD PTR SS:[EBP-16]
00401256 |> C1E3 04 /SHL EBX,4
00401259 |. 8A1401 |MOV DL,BYTE PTR DS:[ECX+EAX]
0040125C |. 8816 |MOV BYTE PTR DS:[ESI],DL
0040125E |. 80FA 41 |CMP DL,41
00401261 |. 72 0A |JB SHORT CrackMe_.0040126D
00401263 |. 80FA 46 |CMP DL,46
00401266 |. 77 05 |JA SHORT CrackMe_.0040126D
00401268 |. 80EA 37 |SUB DL,37
0040126B |. EB 03 |JMP SHORT CrackMe_.00401270
0040126D |> 80EA 30 |SUB DL,30
00401270 |> 80E2 0F |AND DL,0F
00401273 |. 0ADA |OR BL,DL
00401275 |. 46 |INC ESI
00401276 |. 41 |INC ECX
00401277 |. 83F9 08 |CMP ECX,8
0040127A |. 895D FC |MOV DWORD PTR SS:[EBP-4],EBX //str2hex
0040127D |.^ 75 D7 \JNZ SHORT CrackMe_.00401256
0040127F |. E8 7CFDFFFF CALL CrackMe_.00401000
00401284 |. 8D1D 8C344000 LEA EBX,DWORD PTR DS:[40348C] //用户名
0040128A |. E8 ABFDFFFF CALL CrackMe_.0040103A //CRC32
0040128F |. 3945 FC CMP DWORD PTR SS:[EBP-4],EAX //得到的值与第一个8位字符的16进制形式比较
00401292 |. 0F85 08010000 JNZ CrackMe_.004013A0
00401298 |. 33C9 XOR ECX,ECX
0040129A |. 8D05 93354000 LEA EAX,DWORD PTR DS:[403593]
004012A0 |. 83C0 09 ADD EAX,9
004012A3 |> 8A1401 /MOV DL,BYTE PTR DS:[ECX+EAX]
004012A6 |. 80FA 39 |CMP DL,39
004012A9 |. 76 05 |JBE SHORT CrackMe_.004012B0
004012AB |. 80FA 41 |CMP DL,41
004012AE |. 72 0A |JB SHORT CrackMe_.004012BA
004012B0 |> 80FA 30 |CMP DL,30
004012B3 |. 72 05 |JB SHORT CrackMe_.004012BA
004012B5 |. 80FA 46 |CMP DL,46
004012B8 |. 76 05 |JBE SHORT CrackMe_.004012BF
004012BA |> E9 E1000000 |JMP CrackMe_.004013A0
004012BF |> 41 |INC ECX
004012C0 |. 83F9 08 |CMP ECX,8
004012C3 |.^ 75 DE \JNZ SHORT CrackMe_.004012A3
004012C5 |. 33C9 XOR ECX,ECX
004012C7 |. 33DB XOR EBX,EBX
004012C9 |. 8D75 E0 LEA ESI,DWORD PTR SS:[EBP-20]
004012CC |> C1E3 04 /SHL EBX,4
004012CF |. 8A1401 |MOV DL,BYTE PTR DS:[ECX+EAX]
004012D2 |. 8816 |MOV BYTE PTR DS:[ESI],DL
004012D4 |. 8810 |MOV BYTE PTR DS:[EAX],DL
004012D6 |. 80FA 41 |CMP DL,41
004012D9 |. 72 0A |JB SHORT CrackMe_.004012E5
004012DB |. 80FA 46 |CMP DL,46
004012DE |. 77 05 |JA SHORT CrackMe_.004012E5
004012E0 |. 80EA 37 |SUB DL,37
004012E3 |. EB 03 |JMP SHORT CrackMe_.004012E8
004012E5 |> 80EA 30 |SUB DL,30
004012E8 |> 80E2 0F |AND DL,0F
004012EB |. 0ADA |OR BL,DL
004012ED |. 46 |INC ESI
004012EE |. 41 |INC ECX
004012EF |. 83F9 08 |CMP ECX,8
004012F2 |. 895D F8 |MOV DWORD PTR SS:[EBP-8],EBX
004012F5 |.^ 75 D5 \JNZ SHORT CrackMe_.004012CC
004012F7 |. E8 04FDFFFF CALL CrackMe_.00401000
004012FC |. 8D5D EA LEA EBX,DWORD PTR SS:[EBP-16] //注册码第一个8位的字符串形式
004012FF |. E8 36FDFFFF CALL CrackMe_.0040103A //CRC32
00401304 |. 3945 F8 CMP DWORD PTR SS:[EBP-8],EAX //得到的值与第2个8位字符的16进制形式比较
00401307 |. 0F85 93000000 JNZ CrackMe_.004013A0
0040130D |. E8 EEFCFFFF CALL CrackMe_.00401000
00401312 |. 8D5D E0 LEA EBX,DWORD PTR SS:[EBP-20]
00401315 |. E8 20FDFFFF CALL CrackMe_.0040103A
0040131A |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0040131D |. 33C9 XOR ECX,ECX
0040131F |. 8D05 93354000 LEA EAX,DWORD PTR DS:[403593]
00401325 |. 83C0 12 ADD EAX,12
00401328 |> 8A1401 /MOV DL,BYTE PTR DS:[ECX+EAX]
0040132B |. 80FA 39 |CMP DL,39
0040132E |. 76 05 |JBE SHORT CrackMe_.00401335
00401330 |. 80FA 41 |CMP DL,41
00401333 |. 72 0A |JB SHORT CrackMe_.0040133F
00401335 |> 80FA 30 |CMP DL,30
00401338 |. 72 05 |JB SHORT CrackMe_.0040133F
0040133A |. 80FA 46 |CMP DL,46
0040133D |. 76 02 |JBE SHORT CrackMe_.00401341
0040133F |> EB 5F |JMP SHORT CrackMe_.004013A0
00401341 |> 41 |INC ECX
00401342 |. 83F9 08 |CMP ECX,8
00401345 |.^ 75 E1 \JNZ SHORT CrackMe_.00401328
00401347 |. 33C9 XOR ECX,ECX
00401349 |. 33DB XOR EBX,EBX
0040134B |> C1E3 04 /SHL EBX,4
0040134E |. 8A1401 |MOV DL,BYTE PTR DS:[ECX+EAX]
00401351 |. 8810 |MOV BYTE PTR DS:[EAX],DL
00401353 |. 80FA 41 |CMP DL,41
00401356 |. 72 0A |JB SHORT CrackMe_.00401362
00401358 |. 80FA 46 |CMP DL,46
0040135B |. 77 05 |JA SHORT CrackMe_.00401362
0040135D |. 80EA 37 |SUB DL,37
00401360 |. EB 03 |JMP SHORT CrackMe_.00401365
00401362 |> 80EA 30 |SUB DL,30
00401365 |> 80E2 0F |AND DL,0F
00401368 |. 0ADA |OR BL,DL
0040136A |. 41 |INC ECX
0040136B |. 83F9 08 |CMP ECX,8
0040136E |. 895D F4 |MOV DWORD PTR SS:[EBP-C],EBX
00401371 |.^ 75 D8 \JNZ SHORT CrackMe_.0040134B
00401373 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401376 |. 3345 F8 XOR EAX,DWORD PTR SS:[EBP-8] //前面2个CRC值 XOR 运算
00401379 |. 3B45 F4 CMP EAX,DWORD PTR SS:[EBP-C] //与最后8位的16进制比较
0040137C |. 75 22 JNZ SHORT CrackMe_.004013A0
0040137E |. 68 D2204000 PUSH CrackMe_.004020D2 ; /Text = "GOOD JOB, MAN!"
00401383 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401386 |. E8 8B000000 CALL <JMP.&user32.SetWindowTextA> ; \SetWindowTextA
0040138B |. 68 EE030000 PUSH 3EE ; /ControlID = 3EE (1006.)
00401390 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401393 |. E8 54000000 CALL <JMP.&user32.GetDlgItem> ; \GetDlgItem
00401398 |. 6A 00 PUSH 0 ; /Enable = FALSE
0040139A |. 50 PUSH EAX ; |hWnd
0040139B |. E8 40000000 CALL <JMP.&user32.EnableWindow> ; \EnableWindow
004013A0 |> 33C0 XOR EAX,EAX
004013A2 |. EB 1A JMP SHORT CrackMe_.004013BE
004013A4 |> 83F8 10 CMP EAX,10
004013A7 |. 75 0C JNZ SHORT CrackMe_.004013B5
004013A9 |. 6A 00 PUSH 0 ; /Result = 0
004013AB |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004013AE |. E8 33000000 CALL <JMP.&user32.EndDialog> ; \EndDialog
004013B3 |. EB 09 JMP SHORT CrackMe_.004013BE
004013B5 |> B8 00000000 MOV EAX,0
004013BA |. C9 LEAVE
004013BB |. C2 1000 RETN 10
004013BE |> B8 01000000 MOV EAX,1
004013C3 |. C9 LEAVE
004013C4 \. C2 1000 RETN 10
----------------------------------反汇编代码结束---------------------------------------------
【算法总结】:
开始先验证长度的CRC32是否是0x2F6016F7,不是就挂。
然后将注册码第9和18位取出连接计算CRC32,是否为0x242C1465,不是就挂。
将注册码第一个8位转化为16进制形式,与用户名的CRC32比较,不同就挂。
将注册码第二个8位转化为16进制形式,与第一个8位(字符串)的CRC32比较,不同就挂。
将注册码第三个8位转化为16进制形式,与上面2个CRC32值的XOR运算结果比较,不同就挂。
【注册代码】:
//vc++项目里的注册部分代码
//
//CRC32函数
//
DWORD crc32(unsigned char * in)
{
//这个是刚才DUMP的数据,我用小工具转了下C格式
DWORD crc_32_tab[256]={
0x00000000,0x77073096,0xEE0E612C,0x990951BA,
0x076DC419,0x706AF48F,0xE963A535,0x9E6495A3,
0x0EDB8832,0x79DCB8A4,0xE0D5E91E,0x97D2D988,
0x09B64C2B,0x7EB17CBD,0xE7B82D07,0x90BF1D91,
0x1DB71064,0x6AB020F2,0xF3B97148,0x84BE41DE,
0x1ADAD47D,0x6DDDE4EB,0xF4D4B551,0x83D385C7,
0x136C9856,0x646BA8C0,0xFD62F97A,0x8A65C9EC,
0x14015C4F,0x63066CD9,0xFA0F3D63,0x8D080DF5,
0x3B6E20C8,0x4C69105E,0xD56041E4,0xA2677172,
0x3C03E4D1,0x4B04D447,0xD20D85FD,0xA50AB56B,
0x35B5A8FA,0x42B2986C,0xDBBBC9D6,0xACBCF940,
0x32D86CE3,0x45DF5C75,0xDCD60DCF,0xABD13D59,
0x26D930AC,0x51DE003A,0xC8D75180,0xBFD06116,
0x21B4F4B5,0x56B3C423,0xCFBA9599,0xB8BDA50F,
0x2802B89E,0x5F058808,0xC60CD9B2,0xB10BE924,
0x2F6F7C87,0x58684C11,0xC1611DAB,0xB6662D3D,
0x76DC4190,0x01DB7106,0x98D220BC,0xEFD5102A,
0x71B18589,0x06B6B51F,0x9FBFE4A5,0xE8B8D433,
0x7807C9A2,0x0F00F934,0x9609A88E,0xE10E9818,
0x7F6A0DBB,0x086D3D2D,0x91646C97,0xE6635C01,
0x6B6B51F4,0x1C6C6162,0x856530D8,0xF262004E,
0x6C0695ED,0x1B01A57B,0x8208F4C1,0xF50FC457,
0x65B0D9C6,0x12B7E950,0x8BBEB8EA,0xFCB9887C,
0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0xFBD44C65,
0x4DB26158,0x3AB551CE,0xA3BC0074,0xD4BB30E2,
0x4ADFA541,0x3DD895D7,0xA4D1C46D,0xD3D6F4FB,
0x4369E96A,0x346ED9FC,0xAD678846,0xDA60B8D0,
0x44042D73,0x33031DE5,0xAA0A4C5F,0xDD0D7CC9,
0x5005713C,0x270241AA,0xBE0B1010,0xC90C2086,
0x5768B525,0x206F85B3,0xB966D409,0xCE61E49F,
0x5EDEF90E,0x29D9C998,0xB0D09822,0xC7D7A8B4,
0x59B33D17,0x2EB40D81,0xB7BD5C3B,0xC0BA6CAD,
0xEDB88320,0x9ABFB3B6,0x03B6E20C,0x74B1D29A,
0xEAD54739,0x9DD277AF,0x04DB2615,0x73DC1683,
0xE3630B12,0x94643B84,0x0D6D6A3E,0x7A6A5AA8,
0xE40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1,
0xF00F9344,0x8708A3D2,0x1E01F268,0x6906C2FE,
0xF762575D,0x806567CB,0x196C3671,0x6E6B06E7,
0xFED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC,
0xF9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,
0xD6D6A3E8,0xA1D1937E,0x38D8C2C4,0x4FDFF252,
0xD1BB67F1,0xA6BC5767,0x3FB506DD,0x48B2364B,
0xD80D2BDA,0xAF0A1B4C,0x36034AF6,0x41047A60,
0xDF60EFC3,0xA867DF55,0x316E8EEF,0x4669BE79,
0xCB61B38C,0xBC66831A,0x256FD2A0,0x5268E236,
0xCC0C7795,0xBB0B4703,0x220216B9,0x5505262F,
0xC5BA3BBE,0xB2BD0B28,0x2BB45A92,0x5CB36A04,
0xC2D7FFA7,0xB5D0CF31,0x2CD99E8B,0x5BDEAE1D,
0x9B64C2B0,0xEC63F226,0x756AA39C,0x026D930A,
0x9C0906A9,0xEB0E363F,0x72076785,0x05005713,
0x95BF4A82,0xE2B87A14,0x7BB12BAE,0x0CB61B38,
0x92D28E9B,0xE5D5BE0D,0x7CDCEFB7,0x0BDBDF21,
0x86D3D2D4,0xF1D4E242,0x68DDB3F8,0x1FDA836E,
0x81BE16CD,0xF6B9265B,0x6FB077E1,0x18B74777,
0x88085AE6,0xFF0F6A70,0x66063BCA,0x11010B5C,
0x8F659EFF,0xF862AE69,0x616BFFD3,0x166CCF45,
0xA00AE278,0xD70DD2EE,0x4E048354,0x3903B3C2,
0xA7672661,0xD06016F7,0x4969474D,0x3E6E77DB,
0xAED16A4A,0xD9D65ADC,0x40DF0B66,0x37D83BF0,
0xA9BCAE53,0xDEBB9EC5,0x47B2CF7F,0x30B5FFE9,
0xBDBDF21C,0xCABAC28A,0x53B39330,0x24B4A3A6,
0xBAD03605,0xCDD70693,0x54DE5729,0x23D967BF,
0xB3667A2E,0xC4614AB8,0x5D681B02,0x2A6F2B94,
0xB40BBE37,0xC30C8EA1,0x5A05DF1B,0x2D02EF8D
};
DWORD curr_crc;
//代码是用插件从OD里搞出来的,小修改了下
__asm{
MOV EAX, -1
MOV EBX, in
OR EBX,EBX
JE L012
L003:
MOV DL,BYTE PTR [EBX]
OR DL,DL
JE L012
XOR DL,AL
MOVZX EDX,DL
SHR EAX,8
XOR EAX,DWORD PTR [EDX*4+crc_32_tab]
INC EBX
JMP L003
L012:
NOT EAX
MOV curr_crc,EAX
}
return curr_crc;
}
//
//注册码生成主函数
//
void genKey(HWND hWnd)
{
char szName[MAXLEN]={0},szSerial[MAXLEN]={0};
int iStrlen;
char szCode1[9]={0};
char szCode2[9]={0};
char szCode3[9]={0};
DWORD dwCode1,dwCode2,dwCode3;
iStrlen=GetDlgItemText(hWnd, IDC_NAME, szName, MAXLEN);
dwCode1=crc32((unsigned char *)szName);
sprintf(szCode1, "%X", dwCode1);
dwCode2=crc32((unsigned char *)szCode1);
sprintf(szCode2, "%X", dwCode2);
dwCode3=dwCode1^crc32((unsigned char *)szCode2);
sprintf(szCode3, "%X", dwCode3);
strcat(szSerial, szCode1);
strcat(szSerial, "-");
strcat(szSerial, szCode2);
strcat(szSerial, "-");
strcat(szSerial, szCode3);
SetDlgItemText(hWnd, IDC_SN, szSerial);
}
代码在VC6.0+XPSP2测试通过。
OK,就这样了,感谢HappyTown 带来的这么多的优秀crackme,锻炼我们的基础。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
