-
-
初学者从这里树立信心-极弱Crackme算法简单分析[原创]
-
2006-7-31 16:39
-
【文章标题】: aaaaaaaaaaaa
【文章作者】: RCracker
【软件名称】: keygenme1
【下载地址】: 自己搜索下载
【编写语言】: MASM32 / TASM32
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
0040120D |. E8 80010000 CALL <JMP.&kernel32.lstrlenA> ; \lstrlenA
00401212 |. A3 86DC4000 MOV DWORD PTR DS:[40DC86],EAX
00401217 |. 833D 86DC4000>CMP DWORD PTR DS:[40DC86],4
0040121E |. 0F8C 29010000 JL keygenme.0040134D
00401224 |. 833D 86DC4000>CMP DWORD PTR DS:[40DC86],32
0040122B |. 0F8F 1C010000 JG keygenme.0040134D ;用户名位数应大于等于4位而小于等于50位
00401231 |. 33C0 XOR EAX,EAX
00401233 |. 33DB XOR EBX,EBX
00401235 |. 33C9 XOR ECX,ECX
00401237 |. BF F8DC4000 MOV EDI,keygenme.0040DCF8
0040123C |. 8B15 86DC4000 MOV EDX,DWORD PTR DS:[40DC86]
00401242 |> 0FB60439 /MOVZX EAX,BYTE PTR DS:[ECX+EDI]
00401246 |. 83E8 19 |SUB EAX,19
00401249 |. 2BD8 |SUB EBX,EAX
0040124B |. 41 |INC ECX
0040124C |. 3BCA |CMP ECX,EDX
0040124E |.^ 75 F2 \JNZ SHORT keygenme.00401242
00401250 |. 53 PUSH EBX ; ebx=0-((r+c+r+a+c+k+e+r)-19*8)--------ebx 的低八位设为sn1(注册码第二部分)
00401251 |. 68 F8DB4000 PUSH keygenme.0040DBF8
00401256 |. 68 F8E04000 PUSH keygenme.0040E0F8
0040125B |. E8 38010000 CALL <JMP.&user32.wsprintfA>
00401260 |. 83C4 0C ADD ESP,0C
00401263 |. 33C0 XOR EAX,EAX
00401265 |. 33D2 XOR EDX,EDX
00401267 |. 33C9 XOR ECX,ECX
00401269 |. 03C3 ADD EAX,EBX
0040126B |. 0FAFC3 IMUL EAX,EBX ;eax=sn1 x sn1
0040126E |. 03C8 ADD ECX,EAX ;ecx=sn1
00401270 |. 2BD3 SUB EDX,EBX ;edx=0-sn1
00401272 |. 33D0 XOR EDX,EAX ;edx=0-sn1
00401274 |. 0FAFD8 IMUL EBX,EAX ;ebx=sn1 * sn1 * sn1------------低八位设为sn2(注册码第三部分)
00401277 |. 53 PUSH EBX
00401278 |. 68 F8DB4000 PUSH keygenme.0040DBF8
0040127D |. 68 F8E14000 PUSH keygenme.0040E1F8
00401282 |. E8 11010000 CALL <JMP.&user32.wsprintfA>
00401287 |. 83C4 0C ADD ESP,0C
0040128A |. 33C0 XOR EAX,EAX
0040128C |. 33DB XOR EBX,EBX
0040128E |. 33D2 XOR EDX,EDX
00401290 |. 33C9 XOR ECX,ECX
00401292 |. B8 F8E04000 MOV EAX,keygenme.0040E0F8 ;注意这里是把sn1的地址送EAX,而不是把sn1送eax
00401297 |. 03D8 ADD EBX,EAX
00401299 |. 33CB XOR ECX,EBX
0040129B |. 0FAFCB IMUL ECX,EBX
0040129E |. 2BC8 SUB ECX,EAX ;地址 * 地址 - 地址的低八位sn3应为固定值"41720F48"(注册码第四部分)
004012A0 |. 51 PUSH ECX
004012A1 |. 68 F8DB4000 PUSH keygenme.0040DBF8
004012A6 |. 68 F8E24000 PUSH keygenme.0040E2F8
004012AB |. E8 E8000000 CALL <JMP.&user32.wsprintfA>
004012B0 |. 83C4 0C ADD ESP,0C
004012B3 |. 68 FCDB4000 PUSH keygenme.0040DBFC ; /Bon- ------------------------设为sn0(注册码第一部分,固定值)
004012B8 |. 68 F8DD4000 PUSH keygenme.0040DDF8
004012BD |. E8 D6000000 CALL <JMP.&user32.wsprintfA>
004012C2 |. 83C4 08 ADD ESP,8
004012C5 |. 68 F8E04000 PUSH keygenme.0040E0F8 ; /StringToAdd = ""
004012CA |. 68 F8DD4000 PUSH keygenme.0040DDF8 ; |ConcatString = ""
004012CF |. E8 B2000000 CALL <JMP.&kernel32.lstrcatA> ; \lstrcatA
004012D4 |. 68 01DC4000 PUSH keygenme.0040DC01 ; /-
004012D9 |. 68 F8DD4000 PUSH keygenme.0040DDF8 ; |ConcatString = ""
004012DE |. E8 A3000000 CALL <JMP.&kernel32.lstrcatA> ; \lstrcatA
004012E3 |. 68 F8E14000 PUSH keygenme.0040E1F8 ; /StringToAdd = ""
004012E8 |. 68 F8DD4000 PUSH keygenme.0040DDF8 ; |ConcatString = ""
004012ED |. E8 94000000 CALL <JMP.&kernel32.lstrcatA> ; \lstrcatA
004012F2 |. 68 01DC4000 PUSH keygenme.0040DC01 ; /-
004012F7 |. 68 F8DD4000 PUSH keygenme.0040DDF8 ; |ConcatString = ""
004012FC |. E8 85000000 CALL <JMP.&kernel32.lstrcatA> ; \lstrcatA
00401301 |. 68 F8E24000 PUSH keygenme.0040E2F8 ; /StringToAdd = ""
00401306 |. 68 F8DD4000 PUSH keygenme.0040DDF8 ; |ConcatString = ""
0040130B |. E8 76000000 CALL <JMP.&kernel32.lstrcatA> ; \lstrcatA
00401310 |. B8 F8DD4000 MOV EAX,keygenme.0040DDF8
00401315 |. BB F8DE4000 MOV EBX,keygenme.0040DEF8 ; ASCII
0040131A |. 53 PUSH EBX ; /String2 =>
0040131B |. 50 PUSH EAX ; |String1 =>
0040131C |. E8 6B000000 CALL <JMP.&kernel32.lstrcmpA> ; \lstrcmpA------------------------真假码比较
00401321 |. 74 15 JE SHORT keygenme.00401338
00401323 |. 68 17DC4000 PUSH keygenme.0040DC17 ; /hello, mr. badboy!
00401328 |. 68 F8DF4000 PUSH keygenme.0040DFF8 ; |s = keygenme.0040DFF8
0040132D |. E8 66000000 CALL <JMP.&user32.wsprintfA> ; \wsprintfA
00401332 |. 83C4 08 ADD ESP,8
00401335 |. 33C0 XOR EAX,EAX
00401337 |. C3 RETN
00401338 |> 68 03DC4000 PUSH keygenme.0040DC03 ; /hello, mr. goodboy!
0040133D |. 68 F8DF4000 PUSH keygenme.0040DFF8 ; |s = keygenme.0040DFF8
00401342 |. E8 51000000 CALL <JMP.&user32.wsprintfA> ; \wsprintfA
00401347 |. 83C4 08 ADD ESP,8
0040134A |. 33C0 XOR EAX,EAX
0040134C |. C3 RETN
0040134D |> 6A 28 PUSH 28 ; /Length = 28 (40.)
0040134F |. 68 F8DD4000 PUSH keygenme.0040DDF8 ; |Destination = keygenme.0040DDF8
00401354 |. E8 21000000 CALL <JMP.&kernel32.RtlZeroMemory> ; \RtlZeroMemory
00401359 |. 68 65DC4000 PUSH keygenme.0040DC65 ; /name must be 4 - 50 chars long!
0040135E |. 68 F8DF4000 PUSH keygenme.0040DFF8 ; |s = keygenme.0040DFF8
00401363 |. E8 30000000 CALL <JMP.&user32.wsprintfA> ; \wsprintfA
00401368 |. 83C4 08 ADD ESP,8
0040136B |. 33C0 XOR EAX,EAX
0040136D \. C3 RETN
注册码:sn0-sn1-sn2-sn3
注册机源码:
Dim code As String
Dim code As String
Dim reg1, reg2 As Long
code = Text1.Text
a = "-"
reg1 = 0
If Text1.Text <> "" Then
For i = 1 To Len(code)
reg1 = reg1 + Asc(Mid(code, i, 1))
Next i
If Len(code) < 4 Or Len(code) > 50 Then
Text2.Text = "Name must be 4 - 50 chars long!"
Else
reg1 = 0 - (reg1 - 25 * Len(code))
reg2 = reg1 * reg1 * reg1
Text2.Text = "Bon-" & Hex(reg1) & a & Hex(reg2) & a & "41720F48"
End If
End If
感谢冷雪指出文中的不足之处!!!!!!!!!!!
--------------------------------------------------------------------------------
【经验总结】
简单!
--------------------------------------------------------------------------------
【文章作者】: RCracker
【软件名称】: keygenme1
【下载地址】: 自己搜索下载
【编写语言】: MASM32 / TASM32
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
0040120D |. E8 80010000 CALL <JMP.&kernel32.lstrlenA> ; \lstrlenA
00401212 |. A3 86DC4000 MOV DWORD PTR DS:[40DC86],EAX
00401217 |. 833D 86DC4000>CMP DWORD PTR DS:[40DC86],4
0040121E |. 0F8C 29010000 JL keygenme.0040134D
00401224 |. 833D 86DC4000>CMP DWORD PTR DS:[40DC86],32
0040122B |. 0F8F 1C010000 JG keygenme.0040134D ;用户名位数应大于等于4位而小于等于50位
00401231 |. 33C0 XOR EAX,EAX
00401233 |. 33DB XOR EBX,EBX
00401235 |. 33C9 XOR ECX,ECX
00401237 |. BF F8DC4000 MOV EDI,keygenme.0040DCF8
0040123C |. 8B15 86DC4000 MOV EDX,DWORD PTR DS:[40DC86]
00401242 |> 0FB60439 /MOVZX EAX,BYTE PTR DS:[ECX+EDI]
00401246 |. 83E8 19 |SUB EAX,19
00401249 |. 2BD8 |SUB EBX,EAX
0040124B |. 41 |INC ECX
0040124C |. 3BCA |CMP ECX,EDX
0040124E |.^ 75 F2 \JNZ SHORT keygenme.00401242
00401250 |. 53 PUSH EBX ; ebx=0-((r+c+r+a+c+k+e+r)-19*8)--------ebx 的低八位设为sn1(注册码第二部分)
00401251 |. 68 F8DB4000 PUSH keygenme.0040DBF8
00401256 |. 68 F8E04000 PUSH keygenme.0040E0F8
0040125B |. E8 38010000 CALL <JMP.&user32.wsprintfA>
00401260 |. 83C4 0C ADD ESP,0C
00401263 |. 33C0 XOR EAX,EAX
00401265 |. 33D2 XOR EDX,EDX
00401267 |. 33C9 XOR ECX,ECX
00401269 |. 03C3 ADD EAX,EBX
0040126B |. 0FAFC3 IMUL EAX,EBX ;eax=sn1 x sn1
0040126E |. 03C8 ADD ECX,EAX ;ecx=sn1
00401270 |. 2BD3 SUB EDX,EBX ;edx=0-sn1
00401272 |. 33D0 XOR EDX,EAX ;edx=0-sn1
00401274 |. 0FAFD8 IMUL EBX,EAX ;ebx=sn1 * sn1 * sn1------------低八位设为sn2(注册码第三部分)
00401277 |. 53 PUSH EBX
00401278 |. 68 F8DB4000 PUSH keygenme.0040DBF8
0040127D |. 68 F8E14000 PUSH keygenme.0040E1F8
00401282 |. E8 11010000 CALL <JMP.&user32.wsprintfA>
00401287 |. 83C4 0C ADD ESP,0C
0040128A |. 33C0 XOR EAX,EAX
0040128C |. 33DB XOR EBX,EBX
0040128E |. 33D2 XOR EDX,EDX
00401290 |. 33C9 XOR ECX,ECX
00401292 |. B8 F8E04000 MOV EAX,keygenme.0040E0F8 ;注意这里是把sn1的地址送EAX,而不是把sn1送eax
00401297 |. 03D8 ADD EBX,EAX
00401299 |. 33CB XOR ECX,EBX
0040129B |. 0FAFCB IMUL ECX,EBX
0040129E |. 2BC8 SUB ECX,EAX ;地址 * 地址 - 地址的低八位sn3应为固定值"41720F48"(注册码第四部分)
004012A0 |. 51 PUSH ECX
004012A1 |. 68 F8DB4000 PUSH keygenme.0040DBF8
004012A6 |. 68 F8E24000 PUSH keygenme.0040E2F8
004012AB |. E8 E8000000 CALL <JMP.&user32.wsprintfA>
004012B0 |. 83C4 0C ADD ESP,0C
004012B3 |. 68 FCDB4000 PUSH keygenme.0040DBFC ; /Bon- ------------------------设为sn0(注册码第一部分,固定值)
004012B8 |. 68 F8DD4000 PUSH keygenme.0040DDF8
004012BD |. E8 D6000000 CALL <JMP.&user32.wsprintfA>
004012C2 |. 83C4 08 ADD ESP,8
004012C5 |. 68 F8E04000 PUSH keygenme.0040E0F8 ; /StringToAdd = ""
004012CA |. 68 F8DD4000 PUSH keygenme.0040DDF8 ; |ConcatString = ""
004012CF |. E8 B2000000 CALL <JMP.&kernel32.lstrcatA> ; \lstrcatA
004012D4 |. 68 01DC4000 PUSH keygenme.0040DC01 ; /-
004012D9 |. 68 F8DD4000 PUSH keygenme.0040DDF8 ; |ConcatString = ""
004012DE |. E8 A3000000 CALL <JMP.&kernel32.lstrcatA> ; \lstrcatA
004012E3 |. 68 F8E14000 PUSH keygenme.0040E1F8 ; /StringToAdd = ""
004012E8 |. 68 F8DD4000 PUSH keygenme.0040DDF8 ; |ConcatString = ""
004012ED |. E8 94000000 CALL <JMP.&kernel32.lstrcatA> ; \lstrcatA
004012F2 |. 68 01DC4000 PUSH keygenme.0040DC01 ; /-
004012F7 |. 68 F8DD4000 PUSH keygenme.0040DDF8 ; |ConcatString = ""
004012FC |. E8 85000000 CALL <JMP.&kernel32.lstrcatA> ; \lstrcatA
00401301 |. 68 F8E24000 PUSH keygenme.0040E2F8 ; /StringToAdd = ""
00401306 |. 68 F8DD4000 PUSH keygenme.0040DDF8 ; |ConcatString = ""
0040130B |. E8 76000000 CALL <JMP.&kernel32.lstrcatA> ; \lstrcatA
00401310 |. B8 F8DD4000 MOV EAX,keygenme.0040DDF8
00401315 |. BB F8DE4000 MOV EBX,keygenme.0040DEF8 ; ASCII
0040131A |. 53 PUSH EBX ; /String2 =>
0040131B |. 50 PUSH EAX ; |String1 =>
0040131C |. E8 6B000000 CALL <JMP.&kernel32.lstrcmpA> ; \lstrcmpA------------------------真假码比较
00401321 |. 74 15 JE SHORT keygenme.00401338
00401323 |. 68 17DC4000 PUSH keygenme.0040DC17 ; /hello, mr. badboy!
00401328 |. 68 F8DF4000 PUSH keygenme.0040DFF8 ; |s = keygenme.0040DFF8
0040132D |. E8 66000000 CALL <JMP.&user32.wsprintfA> ; \wsprintfA
00401332 |. 83C4 08 ADD ESP,8
00401335 |. 33C0 XOR EAX,EAX
00401337 |. C3 RETN
00401338 |> 68 03DC4000 PUSH keygenme.0040DC03 ; /hello, mr. goodboy!
0040133D |. 68 F8DF4000 PUSH keygenme.0040DFF8 ; |s = keygenme.0040DFF8
00401342 |. E8 51000000 CALL <JMP.&user32.wsprintfA> ; \wsprintfA
00401347 |. 83C4 08 ADD ESP,8
0040134A |. 33C0 XOR EAX,EAX
0040134C |. C3 RETN
0040134D |> 6A 28 PUSH 28 ; /Length = 28 (40.)
0040134F |. 68 F8DD4000 PUSH keygenme.0040DDF8 ; |Destination = keygenme.0040DDF8
00401354 |. E8 21000000 CALL <JMP.&kernel32.RtlZeroMemory> ; \RtlZeroMemory
00401359 |. 68 65DC4000 PUSH keygenme.0040DC65 ; /name must be 4 - 50 chars long!
0040135E |. 68 F8DF4000 PUSH keygenme.0040DFF8 ; |s = keygenme.0040DFF8
00401363 |. E8 30000000 CALL <JMP.&user32.wsprintfA> ; \wsprintfA
00401368 |. 83C4 08 ADD ESP,8
0040136B |. 33C0 XOR EAX,EAX
0040136D \. C3 RETN
注册码:sn0-sn1-sn2-sn3
注册机源码:
Dim code As String
Dim code As String
Dim reg1, reg2 As Long
code = Text1.Text
a = "-"
reg1 = 0
If Text1.Text <> "" Then
For i = 1 To Len(code)
reg1 = reg1 + Asc(Mid(code, i, 1))
Next i
If Len(code) < 4 Or Len(code) > 50 Then
Text2.Text = "Name must be 4 - 50 chars long!"
Else
reg1 = 0 - (reg1 - 25 * Len(code))
reg2 = reg1 * reg1 * reg1
Text2.Text = "Bon-" & Hex(reg1) & a & Hex(reg2) & a & "41720F48"
End If
End If
感谢冷雪指出文中的不足之处!!!!!!!!!!!
--------------------------------------------------------------------------------
【经验总结】
简单!
--------------------------------------------------------------------------------
[培训]《安卓高级研修班(网课)》月薪三万计划,掌 握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
|
|
|
是有些复杂!!
|
|
|
最初由 bfqyygy 发布 这个是我见过几乎醉不复杂的 CarckMe 了,算法注册机加分析不到10分钟 |
|
|
最初由 bfqyygy 发布 复杂?分析加算法注册机不到 15 分钟 |
|
|
那么你来试试把这个Crackme还原出源代码来
 最初由 小剑 发布 |
|
|
|
|
|
|
