Download Jade.zip, 6 kb
This is some thing different from others....
No crypto....But some thing else....
Difficulty: 2 - Needs a little brain (or luck)
Platform: Windows 2000/XP only
Language: C/C++
Published: 26. Jul, 2006
Downloads: 90
This crackme is interesting: there is no place to enter a username or serial at all. The check is an entirely interactive network verification, much like an FTP request/response exchange.
00401BE0 . A1 5C464000 mov eax, [40465C] ; suspicious :=)
00401BE5 . 56 push esi
00401BE6 . 85C0 test eax, eax
00401BE8 . 8BF1 mov esi, ecx
00401BEA . 74 22 je short 00401C0E
00401BEC . 68 58414000 push 00404158 ; ASCII "Registered!!!"
00401BF1 . 68 E8030000 push 3E8
00401BF6 . E8 59020000 call <jmp.&MFC42.#5953_CWnd::SetDlgItemTextA>
00401BFB . 6A 00 push 0
00401BFD . 68 4C414000 push 0040414C ; ASCII "Success!!!"
00401C02 . 68 08414000 push 00404108 ; ASCII "Now Make a KeyGen.!!!",LF,"Send ur Solutions To",LF,"cyclops1428@yahoo.com"
00401C07 . 8BCE mov ecx, esi
00401C09 . E8 76020000 call <jmp.&MFC42.#4224_CWnd::MessageBoxA>
Look for where [40465C] is assigned:
004016D7 |. E8 8E060000 |call <jmp.&MFC42.#5478_CAsyncSocket::Receive>
004016DC |. 83F8 FF |cmp eax, -1
004016DF |.^ 74 E6 \je short 004016C7
004016E1 |> 8D95 C4FEFFFF lea edx, [ebp-13C] ; 7th received data
004016E7 |. 52 push edx
004016E8 |. E8 73FBFFFF call 00401260 ; almost the same as CALL 00401210: compares with (ASCII "---...:: [cYC] ::...---"), returns EAX=1 if equal
004016ED |. 83C4 04 add esp, 4
004016F0 |. 85C0 test eax, eax
004016F2 |. 0F84 AC000000 je 004017A4
004016F8 |. 8D45 F8 lea eax, [ebp-8]
004016FB |. 8D4D FF lea ecx, [ebp-1]
004016FE |. 50 push eax
004016FF |. 8D95 34FDFFFF lea edx, [ebp-2CC]
00401705 |. 51 push ecx
00401706 |. 52 push edx
00401707 |. 8D85 60FEFFFF lea eax, [ebp-1A0] ; takes the data received the 3rd time; this sscanf is important!
0040170D |. 68 74404000 push 00404074 ; |format = "%[^-]%c%x"
00401712 |. 50 push eax ; |s
00401713 |. FF15 EC314000 call [<&MSVCRT.sscanf>] ; \sscanf
00401719 |. 8DBD 34FDFFFF lea edi, [ebp-2CC]
0040171F |. 83C9 FF or ecx, FFFFFFFF
00401722 |. 33C0 xor eax, eax
00401724 |. 8D95 38FCFFFF lea edx, [ebp-3C8]
0040172A |. F2:AE repne scas byte ptr es:[edi]
0040172C |. F7D1 not ecx
0040172E |. 2BF9 sub edi, ecx
00401730 |. 8BC1 mov eax, ecx
00401732 |. 8BF7 mov esi, edi
00401734 |. 8BFA mov edi, edx
00401736 |. 8D95 38FCFFFF lea edx, [ebp-3C8]
0040173C |. C1E9 02 shr ecx, 2
0040173F |. F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
00401741 |. 8BC8 mov ecx, eax
00401743 |. 33C0 xor eax, eax
00401745 |. 83E1 03 and ecx, 3
00401748 |. F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
0040174A |. 8DBD 28FFFFFF lea edi, [ebp-D8] ; takes the data received the 2nd time
00401750 |. 83C9 FF or ecx, FFFFFFFF
00401753 |. F2:AE repne scas byte ptr es:[edi]
00401755 |. F7D1 not ecx
00401757 |. 2BF9 sub edi, ecx
00401759 |. 8BF7 mov esi, edi
0040175B |. 8BD9 mov ebx, ecx
0040175D |. 8BFA mov edi, edx
0040175F |. 83C9 FF or ecx, FFFFFFFF
00401762 |. F2:AE repne scas byte ptr es:[edi]
00401764 |. 8BCB mov ecx, ebx
00401766 |. 4F dec edi
00401767 |. C1E9 02 shr ecx, 2
0040176A |. F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
0040176C |. 8BCB mov ecx, ebx
0040176E |. 8D85 38FCFFFF lea eax, [ebp-3C8]
00401774 |. 83E1 03 and ecx, 3
00401777 |. 50 push eax
00401778 |. F3:A4 rep movs byte ptr es:[edi], byte ptr [esi] ; cat(3rd data, 2nd data)
0040177A |. E8 01FAFFFF call 00401180
0040177F |. 8B4D F8 mov ecx, [ebp-8]
00401782 |. 83C4 18 add esp, 18
00401785 |. 3BC1 cmp eax, ecx ; EAX==0?
00401787 |. 75 1B jnz short 004017A4
00401789 |. 8D8D 34FDFFFF lea ecx, [ebp-2CC] ; "3rd data"
0040178F |. 8D95 28FFFFFF lea edx, [ebp-D8] ; "2nd data"
00401795 |. 51 push ecx
00401796 |. 52 push edx
00401797 |. E8 44FBFFFF call 004012E0 ; final verification step: checks whether the 16-character string (ASCII "%08X%08x") computed from the "2nd data" matches the "3rd data"; returns EAX=1 if equal
0040179C |. 83C4 08 add esp, 8
0040179F |. A3 5C464000 mov [40465C], eax ; EAX is the registration flag, 0 = unregistered
Note the sscanf above: its format string matters, because it splits the serial into two parts.
The crackme has several anti-OllyDbg checks and anti-debugging measures, for example:
00401540 |. 60 pushad
00401541 |. 0F31 rdtsc ; ANTI-DEBUG-?
00401543 |. 33C9 xor ecx, ecx
00401545 |. 03C8 add ecx, eax
00401547 |. 0F31 rdtsc
00401549 |. 2BC1 sub eax, ecx
0040154B |. 3D FF0F0000 cmp eax, 0FFF
00401550 |. 72 07 jb short 00401559 ; anti-debug indeed (RDTSC); this jump has to be taken
The data received the 2nd time is a random number sent by the server (as a hexadecimal string); the 5th reply must return it as an octal string.
My registration info:
Status:
RECV: HeLlO
SENT: ---...:: [CYc] ::...---
SENT: KXSQ
RECV: 29
SENT: 00369C25a662baaa-0D309A23
SENT: anything
SENT: 51
SENT: ---...:: [cYC] ::...---
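As an added example that is not part of the original post or of the crackme, here is a C model of the client-side steps visible in the Status log above: the octal reply of step 5, the serial split performed by the sscanf at 0040170D, and the concatenation fed to the routine at 00401180. The field width on the scanset and the shape check for the "%08X%08x" string are my additions; the crackme's own routines at 00401180 and 004012E0 are not reproduced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: models the client's side of the exchange in the Status log.
   The challenge "29" and the serial are the values shown on the page. */

struct serial_parts { char text[17]; char sep; unsigned int tail; };

/* Step 5 reply: the server's hex challenge answered as an octal string. */
int octal_reply(const char *hex_challenge, char *out, size_t outlen)
{
    char *end;
    unsigned long v = strtoul(hex_challenge, &end, 16);
    if (end == hex_challenge || *end != '\0')
        return 0;                          /* not a clean hex string */
    return snprintf(out, outlen, "%lo", v) < (int)outlen;
}

/* The split done by the sscanf at 0040170D with format "%[^-]%c%x".
   The original scanset has no field width; the 16 here bounds the write into
   text[], a general precaution for scansets that fill fixed buffers. */
int split_serial(const char *serial, struct serial_parts *p)
{
    int n = sscanf(serial, "%16[^-]%c%x", p->text, &p->sep, &p->tail);
    return n == 3 && p->sep == '-';
}

/* Input handed to the routine at 00401180: cat(3rd data, 2nd data). */
int checksum_input(const struct serial_parts *p, const char *challenge,
                   char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s%s", p->text, challenge) < (int)outlen;
}

/* Shape of the string compared at 004012E0: "%08X%08x" yields eight
   upper-case hex digits followed by eight lower-case ones. */
int has_final_format(const char *text)
{
    size_t i;
    if (strlen(text) != 16) return 0;
    for (i = 0; i < 16; i++) {
        int c = (unsigned char)text[i];
        int hex_ok = (c >= '0' && c <= '9') ||
                     (i < 8 ? (c >= 'A' && c <= 'F') : (c >= 'a' && c <= 'f'));
        if (!hex_ok) return 0;
    }
    return 1;
}
```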
It's late and I have work tomorrow, so this is written hastily. Attached are the crackme and the keygen (the keygen needs the .NET platform to run).
Attachment: