【文章标题】: 2003年OCN成员申请专用CRACKME算法分析及其注册机
【文章作者】: luckyxsky[bcg]
【参考文献】:暴破2003年OCN成员申请专用CRACKME
【参考链接】:http://bbs.pediy.com/showthread.php?s=&threadid=25120&highlight=OCNCrackME
【下载地址】: (如上)(已经被脱壳)
【使用工具】: DeDe OD
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请赐教!
--------------------------------------------------------------------------------
侥幸混到bcg内部有些日子了,总也没做什么,心中实有不安。前面看到joe-lu的爆破,不觉心痒,折腾大半天,好歹做了个注册机,
供和我差不多菜的朋友参考。
用dede找到注册按钮Click事件(palRegCmdClick),参考dede静态分析的提示信息,使用OD动态调试。
; ---------------------------------------------------------------------------
; palRegCmdClick - handler of the register button (located with DeDe, see the
; note above). Delphi-compiled x86, traced in OllyDbg.
; In:  eax = object pointer (Delphi passes the first argument in eax); kept in esi.
; Fields read through esi (labels from the author's trace):
;   +2F4 user-name edit, +2F8 serial edit, +300 machine-code edit,
;   +304 a control touched on the success path (presumably).
; Locals: [ebp-34] user name, [ebp-38] entered serial, [ebp-20] machine code,
;   [ebp-3C] transformed machine code as text, [ebp-30]:[ebp-2C] same as 64-bit int,
;   [ebp-24] transformed user name as text, [ebp-18]:[ebp-14] part-2 accumulator,
;   [ebp-10]:[ebp-C] part-1 accumulator, [ebp-4]/[ebp-8] part 1 / part 2 as text,
;   [ebp-1C] expected serial, [ebp-58] serial typed by the user.
; Serial = part1 + separator + part2 where s = transform(name), m = transform(machine code),
;   transform(x) = sum over i of ord(x[i]) * i (1-based), see calc() in the keygen below:
;   part2 = sum over i of (digit_i(s) + m) * i
;   part1 = (sum of adjacent digit pairs of s read as 2-digit numbers, last digit alone) * s * 0x149
; Intermediate arithmetic is 64-bit (cdq / adc / the multiply at 00405C20).
; ---------------------------------------------------------------------------
0044FEF8 /. 55 push ebp
0044FEF9 |. 8BEC mov ebp,esp
0044FEFB |. B9 0B000000 mov ecx,0B ; zero 0x0B qword slots of locals (string temporaries)
0044FF00 |> 6A 00 /push 0
0044FF02 |. 6A 00 |push 0
0044FF04 |. 49 |dec ecx
0044FF05 |.^ 75 F9 \jnz short OCN_Crac.0044FF00
0044FF07 |. 53 push ebx
0044FF08 |. 56 push esi
0044FF09 |. 57 push edi
0044FF0A |. 8BF0 mov esi,eax ; esi = object pointer
0044FF0C |. 33C0 xor eax,eax
0044FF0E |. 55 push ebp ; install SEH frame (handler 0045018A), torn down at 00450130
0044FF0F |. 68 8A014500 push OCN_Crac.0045018A
0044FF14 |. 64:FF30 push dword ptr fs:[eax]
0044FF17 |. 64:8920 mov dword ptr fs:[eax],esp
0044FF1A |. 8D55 CC lea edx,dword ptr ss:[ebp-34]
0044FF1D |. 8B86 F4020000 mov eax,dword ptr ds:[esi+2F4]
0044FF23 |. E8 3046FDFF call OCN_Crac.00424558 ; user name -> [ebp-34]
0044FF28 |. 837D CC 00 cmp dword ptr ss:[ebp-34],0 ; empty string?
0044FF2C |. 75 1F jnz short OCN_Crac.0044FF4D
0044FF2E |. 8B86 F4020000 mov eax,dword ptr ds:[esi+2F4] ; empty name: clear both edits and leave
0044FF34 |. 33D2 xor edx,edx
0044FF36 |. E8 4D46FDFF call OCN_Crac.00424588
0044FF3B |. 8B86 F8020000 mov eax,dword ptr ds:[esi+2F8]
0044FF41 |. 33D2 xor edx,edx
0044FF43 |. E8 4046FDFF call OCN_Crac.00424588
0044FF48 |. E9 E3010000 jmp OCN_Crac.00450130
0044FF4D |> 8D55 C8 lea edx,dword ptr ss:[ebp-38]
0044FF50 |. 8B86 F8020000 mov eax,dword ptr ds:[esi+2F8]
0044FF56 |. E8 FD45FDFF call OCN_Crac.00424558 ; entered serial -> [ebp-38]
0044FF5B |. 837D C8 00 cmp dword ptr ss:[ebp-38],0 ; empty serial: same cleanup as above
0044FF5F |. 75 1F jnz short OCN_Crac.0044FF80
0044FF61 |. 8B86 F4020000 mov eax,dword ptr ds:[esi+2F4]
0044FF67 |. 33D2 xor edx,edx
0044FF69 |. E8 1A46FDFF call OCN_Crac.00424588
0044FF6E |. 8B86 F8020000 mov eax,dword ptr ds:[esi+2F8]
0044FF74 |. 33D2 xor edx,edx
0044FF76 |. E8 0D46FDFF call OCN_Crac.00424588
0044FF7B |. E9 B0010000 jmp OCN_Crac.00450130
0044FF80 |> 8D55 E0 lea edx,dword ptr ss:[ebp-20]
0044FF83 |. 8B86 00030000 mov eax,dword ptr ds:[esi+300]
0044FF89 |. E8 CA45FDFF call OCN_Crac.00424558 ; machine code -> [ebp-20]; the author's was 019B109720
0044FF8E |. 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0044FF91 |. 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0044FF94 |. E8 27FCFFFF call OCN_Crac.0044FBC0 ; transform -> text at [ebp-3C] (author got "4862"); stepping in shows
0044FF99 |. 8B45 C4 mov eax,dword ptr ss:[ebp-3C] ; it is the first transform of the machine code:
0044FF9C |. E8 BF7EFBFF call OCN_Crac.00407E60 ; sum of each char * its position, then str->int (calc() below also adds 0x7BB)
0044FFA1 |. 99 cdq ; widen to 64-bit
0044FFA2 |. 8945 D0 mov dword ptr ss:[ebp-30],eax ; kept as [ebp-30]:[ebp-2C], reused every loop pass
0044FFA5 |. 8955 D4 mov dword ptr ss:[ebp-2C],edx
0044FFA8 |. 8D55 C0 lea edx,dword ptr ss:[ebp-40]
0044FFAB |. 8B86 F4020000 mov eax,dword ptr ds:[esi+2F4]
0044FFB1 |. E8 A245FDFF call OCN_Crac.00424558 ; user name again; the author used abcdef
0044FFB6 |. 8B45 C0 mov eax,dword ptr ss:[ebp-40]
0044FFB9 |. 8D55 DC lea edx,dword ptr ss:[ebp-24]
0044FFBC |. E8 FFFBFFFF call OCN_Crac.0044FBC0 ; same transform -> "4086" at [ebp-24]
0044FFC1 |. C745 F0 000000>mov dword ptr ss:[ebp-10],0 ; [ebp-10]:[ebp-C] = part-1 accumulator (64-bit)
0044FFC8 |. C745 F4 000000>mov dword ptr ss:[ebp-C],0
0044FFCF |. C745 E8 000000>mov dword ptr ss:[ebp-18],0 ; [ebp-18]:[ebp-14] = part-2 accumulator (64-bit)
0044FFD6 |. C745 EC 000000>mov dword ptr ss:[ebp-14],0
0044FFDD |. 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
0044FFE0 |. E8 6739FBFF call OCN_Crac.0040394C ; presumably clears [ebp-1C] (same routine as the epilogue cleanup)
0044FFE5 |. 8B45 DC mov eax,dword ptr ss:[ebp-24]
0044FFE8 |. E8 DF3BFBFF call OCN_Crac.00403BCC ; edi = length of the transformed name ("4086" -> 4)
0044FFED |. 8BF8 mov edi,eax
0044FFEF |. 85FF test edi,edi
0044FFF1 |. 0F8E DF000000 jle OCN_Crac.004500D6 ; no digits: skip the loop
0044FFF7 |. BB 01000000 mov ebx,1 ; ebx = 1-based position; one pass computes both halves of the serial
0044FFFC |> 8D45 BC /lea eax,dword ptr ss:[ebp-44]
0044FFFF |. 8B55 DC |mov edx,dword ptr ss:[ebp-24]
00450002 |. 8A541A FF |mov dl,byte ptr ds:[edx+ebx-1] ; dl = s[ebx-1], current digit char
00450006 |. E8 E93AFBFF |call OCN_Crac.00403AF4 ; one-char string at [ebp-44]
0045000B |. 8B45 BC |mov eax,dword ptr ss:[ebp-44] /-----------------------------
0045000E |. E8 4D7EFBFF |call OCN_Crac.00407E60 ; str2int
00450013 |. F7EB |imul ebx ; digit * position: 4*1, 0*2, (1)
00450015 |. 99 |cdq ; 8*3, 6*4 for "4086"; cdq widens to 64-bit
00450016 |. 0345 E8 |add eax,dword ptr ss:[ebp-18] ; + part-2 running total (64-bit add)
00450019 |. 1355 EC |adc edx,dword ptr ss:[ebp-14] ;
0045001C |. 52 |push edx ; save total + (1)
0045001D |. 50 |push eax ;
0045001E |. 8BC3 |mov eax,ebx ; edx:eax = position as 64-bit
00450020 |. 99 |cdq ;
00450021 |. 52 |push edx ;
00450022 |. 50 |push eax ;
00450023 |. 8B45 D0 |mov eax,dword ptr ss:[ebp-30] ; edx:eax = 0x12FE (4862), the transformed machine code
00450026 |. 8B55 D4 |mov edx,dword ptr ss:[ebp-2C] ;
00450029 |. E8 F25BFBFF |call OCN_Crac.00405C20 ; 64-bit multiply: 4862 * position (2)
0045002E |. 030424 |add eax,dword ptr ss:[esp] ; total + (1) + (2)
00450031 |. 135424 04 |adc edx,dword ptr ss:[esp+4] ; after the last pass this is part 2 of the serial
00450035 |. 83C4 08 |add esp,8 \---------------------------------
00450038 |. 8945 E8 |mov dword ptr ss:[ebp-18],eax ; store part-2 total
0045003B |. 8955 EC |mov dword ptr ss:[ebp-14],edx
0045003E |. 8D45 B4 |lea eax,dword ptr ss:[ebp-4C]
00450041 |. 8B55 DC |mov edx,dword ptr ss:[ebp-24]
00450044 |. 8A541A FF |mov dl,byte ptr ds:[edx+ebx-1] ; s[ebx-1]
00450048 |. 8850 01 |mov byte ptr ds:[eax+1],dl ; shortstring of length 1 at [ebp-4C]
0045004B |. C600 01 |mov byte ptr ds:[eax],1
0045004E |. 8D55 B4 |lea edx,dword ptr ss:[ebp-4C]
00450051 |. 8D45 B0 |lea eax,dword ptr ss:[ebp-50]
00450054 |. E8 4328FBFF |call OCN_Crac.0040289C ; copy to [ebp-50]
00450059 |. 8D45 AC |lea eax,dword ptr ss:[ebp-54]
0045005C |. 8B55 DC |mov edx,dword ptr ss:[ebp-24]
0045005F |. 8A141A |mov dl,byte ptr ds:[edx+ebx] ; s[ebx], the next char (on the last pass the terminator)
00450062 |. 8850 01 |mov byte ptr ds:[eax+1],dl ; shortstring of length 1 at [ebp-54]
00450065 |. C600 01 |mov byte ptr ds:[eax],1
00450068 |. 8D55 AC |lea edx,dword ptr ss:[ebp-54]
0045006B |. 8D45 B0 |lea eax,dword ptr ss:[ebp-50]
0045006E |. B1 02 |mov cl,2 /------------------------------------
00450070 |. E8 F727FBFF |call OCN_Crac.0040286C ; concatenate -> two-char string
00450075 |. 8D55 B0 |lea edx,dword ptr ss:[ebp-50] ; per pass: "40", "08",
00450078 |. 8D45 B8 |lea eax,dword ptr ss:[ebp-48] ; "86", then "6" on the last pass
0045007B |. E8 F03AFBFF |call OCN_Crac.00403B70 ;
00450080 |. 8B45 B8 |mov eax,dword ptr ss:[ebp-48] ;
00450083 |. E8 D87DFBFF |call OCN_Crac.00407E60 ; str->int, e.g. "40" -> 0x28 (3)
00450088 |. 50 |push eax ;
00450089 |. 8B45 DC |mov eax,dword ptr ss:[ebp-24] ;
0045008C |. E8 CF7DFBFF |call OCN_Crac.00407E60 ; 0xFF6 (4086), the whole transformed name (4)
00450091 |. 5A |pop edx ;
00450092 |. 0FAFD0 |imul edx,eax ; (3) * (4) (5)
00450095 |. 8BC2 |mov eax,edx ;
00450097 |. 99 |cdq ;
00450098 |. 0345 F0 |add eax,dword ptr ss:[ebp-10] ; (5) + part-1 running total (6)
0045009B |. 1355 F4 |adc edx,dword ptr ss:[ebp-C] ;
0045009E |. 8945 F0 |mov dword ptr ss:[ebp-10],eax ;
004500A1 |. 8955 F4 |mov dword ptr ss:[ebp-C],edx ;
004500A4 |. 6A 00 |push 0 ;
004500A6 |. 68 49010000 |push 149 ;
004500AB |. 8B45 F0 |mov eax,dword ptr ss:[ebp-10] ;
004500AE |. 8B55 F4 |mov edx,dword ptr ss:[ebp-C] ;
004500B1 |. E8 6A5BFBFF |call OCN_Crac.00405C20 ; (6) * 0x149; the last pass yields part 1 of the serial
004500B6 |. 52 |push edx ; /Arg2
004500B7 |. 50 |push eax ; |Arg1
004500B8 |. 8D45 FC |lea eax,dword ptr ss:[ebp-4] ; |
004500BB |. E8 307DFBFF |call OCN_Crac.00407DF0 ; \presumably Int64 -> string into [ebp-4] (part 1)
004500C0 |. FF75 EC |push dword ptr ss:[ebp-14] ; /Arg2
004500C3 |. FF75 E8 |push dword ptr ss:[ebp-18] ; |Arg1
004500C6 |. 8D45 F8 |lea eax,dword ptr ss:[ebp-8] ; |
004500C9 |. E8 227DFBFF |call OCN_Crac.00407DF0 ; \same for part 2 into [ebp-8]
004500CE |. 43 |inc ebx ; next position
004500CF |. 4F |dec edi ; chars remaining
004500D0 |.^ 0F85 26FFFFFF \jnz OCN_Crac.0044FFFC
004500D6 |> FF75 FC push dword ptr ss:[ebp-4] ; part 1
004500D9 |. 68 A0014500 push OCN_Crac.004501A0 ; separator string (the keygen below uses "-")
004500DE |. FF75 F8 push dword ptr ss:[ebp-8] ; part 2
004500E1 |. 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
004500E4 |. BA 03000000 mov edx,3 ; 3 pieces
004500E9 |. E8 9E3BFBFF call OCN_Crac.00403C8C ; concatenate -> [ebp-1C] = expected serial
004500EE |. 8D55 A8 lea edx,dword ptr ss:[ebp-58]
004500F1 |. 8B86 F8020000 mov eax,dword ptr ds:[esi+2F8]
004500F7 |. E8 5C44FDFF call OCN_Crac.00424558 ; entered serial -> [ebp-58]
004500FC |. 8B55 A8 mov edx,dword ptr ss:[ebp-58]
004500FF |. 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00450102 |. E8 6DFBFFFF call OCN_Crac.0044FC74 ; compare expected vs entered; result in al
00450107 |. 3C 01 cmp al,1
00450109 |. 75 25 jnz short OCN_Crac.00450130 ; key check; the author marks this as the patch point
0045010B |. B1 0A mov cl,0A ; success path: presumably a color from (78,DC,0A) applied to [esi+304]
0045010D |. B2 DC mov dl,0DC
0045010F |. B0 78 mov al,78
00450111 |. E8 C269FBFF call OCN_Crac.00406AD8
00450116 |. 8BD0 mov edx,eax
00450118 |. 8B86 04030000 mov eax,dword ptr ds:[esi+304]
0045011E |. E8 C145FDFF call OCN_Crac.004246E4
00450123 |. 8B86 04030000 mov eax,dword ptr ds:[esi+304]
00450129 |. B2 01 mov dl,1
0045012B |. 8B08 mov ecx,dword ptr ds:[eax]
0045012D |. FF51 5C call dword ptr ds:[ecx+5C] ; virtual method of [esi+304], dl = 1
00450130 |> 33C0 xor eax,eax ; common exit: unwind the SEH frame
00450132 |. 5A pop edx
00450133 |. 59 pop ecx
00450134 |. 59 pop ecx
00450135 |. 64:8910 mov dword ptr fs:[eax],edx
00450138 |. 68 91014500 push OCN_Crac.00450191
0045013D |> 8D45 A8 lea eax,dword ptr ss:[ebp-58] ; finalize string locals (Delphi epilogue)
00450140 |. E8 0738FBFF call OCN_Crac.0040394C
00450145 |. 8D45 B8 lea eax,dword ptr ss:[ebp-48]
00450148 |. BA 02000000 mov edx,2
0045014D |. E8 1E38FBFF call OCN_Crac.00403970
00450152 |. 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00450155 |. E8 F237FBFF call OCN_Crac.0040394C
0045015A |. 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
0045015D |. E8 EA37FBFF call OCN_Crac.0040394C
00450162 |. 8D45 C8 lea eax,dword ptr ss:[ebp-38]
00450165 |. BA 02000000 mov edx,2
0045016A |. E8 0138FBFF call OCN_Crac.00403970
0045016F |. 8D45 DC lea eax,dword ptr ss:[ebp-24]
00450172 |. BA 03000000 mov edx,3
00450177 |. E8 F437FBFF call OCN_Crac.00403970
0045017C |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0045017F |. BA 02000000 mov edx,2
00450184 |. E8 E737FBFF call OCN_Crac.00403970
00450189 \. C3 retn
--------------------------------------------------------------------------------
【注册机】
vc6.0下测试通过
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
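/*
 * First transform of an input string (machine code or user name), mirroring
 * the crackme's routine at 0044FBC0: sum of each character's code times its
 * 1-based position, plus 0x7BB.  Values from the trace above:
 *   "019B109720" -> 4862, "abcdef" -> 4086.
 *
 * s1: NUL-terminated input.
 * s2: receives the sum as decimal text; the caller must provide room for it
 *     (12 bytes covers any int).
 * Returns the sum.
 *
 * NOTE(review): characters are taken as plain char (signed on VC6/x86).
 * Whether the crackme treats bytes >= 0x80 as 0..255 is not visible in the
 * trace, so non-ASCII input may differ from the real program.
 */
int calc(char* s1,char* s2)
{
    size_t len = strlen(s1);          /* hoisted: the original re-ran strlen() on every iteration */
    size_t i;
    int sum = 0;

    for (i = 0; i < len; i++)
        sum += (int)s1[i] * (int)(i + 1);
    sum += 0x7bb;

    /* itoa() is not standard C; sprintf gives the same decimal text and
       <stdio.h> is already included. */
    sprintf(s2, "%d", sum);
    return sum;
}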
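/*
 * Keygen entry point: reads the machine code and the user name from stdin,
 * then prints the serial "<part1>-<part2>" the way the click handler above
 * builds it (see the comments on the loop at 0044FFFC).
 * Returns 0 on success, 1 if input could not be read.
 */
int main(void)
{
    char mac[64], name[64];      /* raw inputs, e.g. 019B109720 / abcdef */
    char smac[16], sname[16];    /* calc() results as decimal text: "4862" / "4086" */
    int nmac, nname;
    int i, len, sum1, sum2;

    printf("Please input your machine num\n");
    if (scanf("%63s", mac) != 1)     /* width limit: a bare "%s" can overflow the buffer */
        return 1;
    printf("Please input your name\n");
    if (scanf("%63s", name) != 1)
        return 1;

    nmac = calc(mac, smac);
    nname = calc(name, sname);
    len = (int)strlen(sname);

    /* part 2: over the digits of sname, (digit + nmac) * position, 1-based
       (the crackme accumulates digit*ebx + 4862*ebx per pass) */
    for (i = 0, sum2 = 0; i < len; i++)
        sum2 += ((sname[i] - 0x30) + nmac) * (i + 1);

    /* part 1: every adjacent digit pair read as a two-digit number, the last
       digit on its own (it is paired with the terminator in the crackme),
       then * nname * 0x149 */
    for (i = 0, sum1 = 0; i < len - 1; i++)
        sum1 += (sname[i] - 0x30) * 10 + (sname[i + 1] - 0x30);
    if (len > 0)
        sum1 += (sname[len - 1] - 0x30);
    sum1 = sum1 * nname * 0x149;

    /* NOTE(review): the crackme keeps these sums in 64-bit (cdq/adc and the
       Int64 multiply at 00405C20); int matches it only while the values fit
       in 32 bits, which holds for short names like the example. */
    printf("Your sn is %i-%i\n", sum1, sum2);
    printf("Cracked by LuckyXsky.\n");
    return 0;
}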
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年06月03日 17:01:16