happytown兄的kgme,一定要捧场,我来写吧。
用到sha1,rsa128,ok,let's start。
【分析】
00401130 /$ 81EC 50050000 sub esp, 550
00401136 |. 53 push ebx
00401137 |. 55 push ebp
00401138 |. 56 push esi
00401139 |. 57 push edi
0040113A |. B9 31000000 mov ecx, 31
0040113F |. 33C0 xor eax, eax
00401141 |. 8DBC24 690200>lea edi, [esp+269]
00401148 |. C68424 680200>mov byte ptr [esp+268], 0
00401150 |. F3:AB rep stos dword ptr es:[edi]
00401152 |. 66:AB stos word ptr es:[edi]
00401154 |. AA stos byte ptr es:[edi]
00401155 |. B9 31000000 mov ecx, 31
0040115A |. 33C0 xor eax, eax
0040115C |. 8DBC24 A10100>lea edi, [esp+1A1]
00401163 |. C68424 A00100>mov byte ptr [esp+1A0], 0
0040116B |. F3:AB rep stos dword ptr es:[edi]
0040116D |. 66:AB stos word ptr es:[edi]
0040116F |. 6A 00 push 0
00401171 |. 6A 64 push 64
00401173 |. AA stos byte ptr es:[edi]
00401174 |. E8 37090000 call 00401AB0
00401179 |. 8BE8 mov ebp, eax
0040117B |. B9 31000000 mov ecx, 31
00401180 |. 33C0 xor eax, eax
00401182 |. 8D7C24 19 lea edi, [esp+19]
00401186 |. C64424 18 00 mov byte ptr [esp+18], 0
0040118B |. C68424 E00000>mov byte ptr [esp+E0], 0
00401193 |. F3:AB rep stos dword ptr es:[edi]
00401195 |. 66:AB stos word ptr es:[edi]
00401197 |. AA stos byte ptr es:[edi]
00401198 |. B9 31000000 mov ecx, 31
0040119D |. 33C0 xor eax, eax
0040119F |. 8DBC24 E10000>lea edi, [esp+E1]
004011A6 |. C68424 380300>mov byte ptr [esp+338], 0
004011AE |. F3:AB rep stos dword ptr es:[edi]
004011B0 |. 66:AB stos word ptr es:[edi]
004011B2 |. AA stos byte ptr es:[edi]
004011B3 |. B9 31000000 mov ecx, 31
004011B8 |. 33C0 xor eax, eax
004011BA |. 8DBC24 390300>lea edi, [esp+339]
004011C1 |. 8BB424 6C0500>mov esi, [esp+56C]
004011C8 |. F3:AB rep stos dword ptr es:[edi]
004011CA |. 66:AB stos word ptr es:[edi]
004011CC |. 8B1D C0C04000 mov ebx, [<&USER32.GetDlgItemTextA>] ; USER32.GetDlgItemTextA
004011D2 |. 83C4 08 add esp, 8
004011D5 |. AA stos byte ptr es:[edi]
004011D6 |. 8D4424 10 lea eax, [esp+10]
004011DA |. 68 C9000000 push 0C9 ; /Count = C9 (201.)
004011DF |. 50 push eax ; |Buffer
004011E0 |. 68 E8030000 push 3E8 ; |ControlID = 3E8 (1000.)
004011E5 |. 56 push esi ; |hWnd
004011E6 |. FFD3 call ebx ; \GetDlgItemTextA
004011E8 |. 8D7C24 10 lea edi, [esp+10]
004011EC |. 83C9 FF or ecx, FFFFFFFF
004011EF |. 33C0 xor eax, eax
004011F1 |. F2:AE repne scas byte ptr es:[edi]
004011F3 |. F7D1 not ecx
004011F5 |. 49 dec ecx
004011F6 |. 0F84 EA010000 je 004013E6
004011FC |. 8D8C24 D80000>lea ecx, [esp+D8]
00401203 |. 68 C9000000 push 0C9 ; /Count = C9 (201.)
00401208 |. 51 push ecx ; |Buffer
00401209 |. 68 E9030000 push 3E9 ; |ControlID = 3E9 (1001.)
0040120E |. 56 push esi ; |hWnd
0040120F |. FFD3 call ebx ; \GetDlgItemTextA
00401211 |. 8A8424 D80000>mov al, [esp+D8]
00401218 |. 84C0 test al, al
0040121A |. 74 44 je short 00401260
0040121C |. 8DB424 D80000>lea esi, [esp+D8]
00401223 |> 833D 6CDF4000>/cmp dword ptr [40DF6C], 1
0040122A |. 7E 13 |jle short 0040123F
0040122C |. 0FBE16 |movsx edx, byte ptr [esi]
0040122F |. 68 80000000 |push 80
00401234 |. 52 |push edx
00401235 |. E8 225E0000 |call 0040705C
0040123A |. 83C4 08 |add esp, 8
0040123D |. EB 11 |jmp short 00401250
0040123F |> 0FBE06 |movsx eax, byte ptr [esi]
00401242 |. 8B0D 60DD4000 |mov ecx, [40DD60] ; CrackMe_.0040DD6A
00401248 |. 8A0441 |mov al, [ecx+eax*2]
0040124B |. 25 80000000 |and eax, 80
00401250 |> 85C0 |test eax, eax
00401252 |. 0F84 8E010000 |je 004013E6
00401258 |. 8A46 01 |mov al, [esi+1]
0040125B |. 46 |inc esi
0040125C |. 84C0 |test al, al
0040125E |.^ 75 C3 \jnz short 00401223
上面是输入检查
00401260 |> 8D9424 F80300>lea edx, [esp+3F8]
00401267 |. 52 push edx
00401268 |. E8 632B0000 call 00403DD0 shs_init sha的初始化
0040126D |. 8A4424 14 mov al, [esp+14]
00401271 |. 83C4 04 add esp, 4
00401274 |. 84C0 test al, al
00401276 |. 74 20 je short 00401298
00401278 |. 8D7424 10 lea esi, [esp+10]
0040127C |> 0FBEC0 /movsx eax, al
0040127F |. 8D8C24 F80300>|lea ecx, [esp+3F8]
00401286 |. 50 |push eax
00401287 |. 51 |push ecx
00401288 |. E8 832B0000 |call 00403E10 shs_process sha计算
0040128D |. 8A46 01 |mov al, [esi+1]
00401290 |. 83C4 08 |add esp, 8
00401293 |. 46 |inc esi
00401294 |. 84C0 |test al, al
00401296 |.^ 75 E4 \jnz short 0040127C
00401298 |> 8D9424 A00100>lea edx, [esp+1A0]
0040129F |. 8D8424 F80300>lea eax, [esp+3F8]
004012A6 |. 52 push edx
004012A7 |. 50 push eax
004012A8 |. E8 B32D0000 call 00404060 shs_hash 取sha的结果
004012AD |. 83C4 08 add esp, 8
004012B0 |. 33FF xor edi, edi
004012B2 |. 8DB424 690200>lea esi, [esp+269]
004012B9 |> 33C0 /xor eax, eax
004012BB |. 8A843C A00100>|mov al, [esp+edi+1A0]
004012C2 |. 8BC8 |mov ecx, eax
004012C4 |. 83E1 F0 |and ecx, FFFFFFF0
004012C7 |. 81F9 90000000 |cmp ecx, 90
004012CD |. 7E 11 |jle short 004012E0
004012CF |. C1E8 04 |shr eax, 4
004012D2 |. 83C0 37 |add eax, 37
004012D5 |. 50 |push eax
004012D6 |. E8 B55C0000 |call 00406F90 upper
004012DB |. 83C4 04 |add esp, 4
004012DE |. EB 06 |jmp short 004012E6
004012E0 |> C1E8 04 |shr eax, 4
004012E3 |. 83C0 30 |add eax, 30
004012E6 |> 8846 FF |mov [esi-1], al
004012E9 |. 8A843C A00100>|mov al, [esp+edi+1A0]
004012F0 |. 8AD0 |mov dl, al
004012F2 |. 80E2 0F |and dl, 0F
004012F5 |. 80FA 09 |cmp dl, 9
004012F8 |. 76 11 |jbe short 0040130B
004012FA |. 83E0 0F |and eax, 0F
004012FD |. 83C0 37 |add eax, 37
00401300 |. 50 |push eax
00401301 |. E8 8A5C0000 |call 00406F90 upper
00401306 |. 83C4 04 |add esp, 4
00401309 |. EB 06 |jmp short 00401311
0040130B |> 83E0 0F |and eax, 0F
0040130E |. 83C0 30 |add eax, 30
00401311 |> 8806 |mov [esi], al
00401313 |. 47 |inc edi
00401314 |. 83C6 02 |add esi, 2
00401317 |. 83FF 14 |cmp edi, 14
0040131A |.^ 7C 9D \jl short 004012B9
上面保存SHA值前8个BYTE到一个字符串string1
0040131C |. C68424 780200>mov byte ptr [esp+278], 0
00401324 |. 6A 00 push 0
00401326 |. C785 34020000>mov dword ptr [ebp+234], 10
00401330 |. E8 5B050000 call 00401890 ;mirvar
00401335 |. 6A 00 push 0
00401337 |. 8BF0 mov esi, eax
00401339 |. E8 52050000 call 00401890 ;mirvar
0040133E |. 6A 00 push 0
00401340 |. 8BE8 mov ebp, eax
00401342 |. E8 49050000 call 00401890 ;mirvar
00401347 |. 6A 00 push 0
00401349 |. 8BF8 mov edi, eax
0040134B |. E8 40050000 call 00401890 ;mirvar
00401350 |. 8BD8 mov ebx, eax
00401352 |. 8D8424 E80000>lea eax, [esp+E8]
00401359 |. 50 push eax
0040135A |. 57 push edi 输入的key
0040135B |. E8 50270000 call 00403AB0 ; cinstr
00401360 |. 68 DCD04000 push 0040D0DC ; n=6199855658d504ebc98df20a2f170cd1 rsa中的n
6199855658D504EBC98DF20A2F170CD1=9FF10622D858576B*9C37748C2E4A07B3
00401365 |. 56 push esi
00401366 |. E8 45270000 call 00403AB0 ;cinstr
0040136B |. 68 D4D04000 push 0040D0D4 ; e=10001
00401370 |. 55 push ebp
00401371 |. E8 3A270000 call 00403AB0 ;cinstr
计算d=64A5ECDB1EC08E51537F4F96B221A1
00401376 |. 56 push esi
00401377 |. 57 push edi
00401378 |. E8 13140000 call 00402790 ; 比较 输入的不能大于n
0040137D |. 83C4 30 add esp, 30
00401380 |. 83F8 FF cmp eax, -1
00401383 |. 75 61 jnz short 004013E6
00401385 |. 53 push ebx
00401386 |. 56 push esi
00401387 |. 55 push ebp
00401388 |. 57 push edi
00401389 |. E8 F2200000 call 00403480 ;powmod 计算key^e mod n
0040138E |. 8D8C24 400300>lea ecx, [esp+340]
00401395 |. 6A 00 push 0
00401397 |. 51 push ecx
00401398 |. 53 push ebx
00401399 |. 6A 00 push 0
0040139B |. E8 901E0000 call 00403230
004013A0 |. 56 push esi
004013A1 |. E8 BA0E0000 call 00402260
004013A6 |. 55 push ebp
004013A7 |. E8 B40E0000 call 00402260
004013AC |. 57 push edi
004013AD |. E8 AE0E0000 call 00402260
004013B2 |. 53 push ebx
004013B3 |. E8 A80E0000 call 00402260
004013B8 |. 83C4 30 add esp, 30
004013BB |. E8 C00E0000 call 00402280
004013C0 |. 8D9424 300300>lea edx, [esp+330]
004013C7 |. 8D8424 680200>lea eax, [esp+268]
004013CE |. 52 push edx ; /String2
004013CF |. 50 push eax ; |String1
004013D0 |. FF15 00C04000 call [<&KERNEL32.lstrcmpA>] ; \lstrcmpA
比较字符串
004013D6 |. F7D8 neg eax
004013D8 |. 5F pop edi
004013D9 |. 5E pop esi
004013DA |. 1BC0 sbb eax, eax
004013DC |. 5D pop ebp
004013DD |. 40 inc eax
004013DE |. 5B pop ebx
004013DF |. 81C4 50050000 add esp, 550
004013E5 |. C3 retn
004013E6 |> 5F pop edi
004013E7 |. 5E pop esi
004013E8 |. 5D pop ebp
004013E9 |. 33C0 xor eax, eax
004013EB |. 5B pop ebx
004013EC |. 81C4 50050000 add esp, 550
004013F2 \. C3 retn
【破解】
过程很简单,就是sha(name)取8位,转成一个16位的string,与输入的key^e mod n转换的string进行比较,相等则注册成功。
破解过程:
sha(name)取8位,转成一个16位的string,变成一个大数ser,ser^d mod n转成的字符串就是真正的serial了,具体见程序吧。
谢谢你看到这里。
转载请注明出处来自看雪论坛,以及本文的完整性,谢谢!
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
上传的附件: