【文章标题】: lafarge__s.crackme.0.2.crackme的破解
【文章作者】: jdxyw
【软件名称】: lafarge__s.crackme.0.2.crackme
【下载地址】: 自己搜索下载
【加壳方式】: 无
【编写语言】: MASM
【使用工具】: OD peid
【操作平台】: WIN XP
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
首先,peid查壳,无壳
运行crackme,输入用户名yutou注册码12345,check后,有提示窗口和注册码。
运行OD,下断点在下面,F9后,输入用户名和注册码,check后,停在下面
00401135 . 68 EA030000 PUSH 3EA ; /ControlID = 3EA (1002.)
0040113A . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040113D . E8 E2010000 CALL <JMP.&user32.GetDlgItem> ; \GetDlgItem
00401142 . 68 84634000 PUSH crackme.00406384 ; /lParam = 406384
00401147 . 6A 40 PUSH 40 ; |wParam = 40
00401149 . 6A 0D PUSH 0D ; |Message = WM_GETTEXT
0040114B . 50 PUSH EAX ; |hWnd
0040114C . E8 EB010000 CALL <JMP.&user32.SendMessageA> ; \SendMessageA
00401151 . 83F8 03 CMP EAX,3 用户名必须4个字符以上包括4个
00401154 . 77 18 JA SHORT crackme.0040116E
00401156 . 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00401158 . 68 37634000 PUSH crackme.00406337 ; |Title = "Bad boy..."
0040115D . 68 0A624000 PUSH crackme.0040620A ; |Text = "Username must have at least 4 chars..."
00401162 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00401165 . E8 C6010000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0040116A . C9 LEAVE
0040116B . C2 1000 RETN 10
0040116E > 68 A46B4000 PUSH crackme.00406BA4 ; /String = "_r <()<1-Z2[l5,^" 这个是用来计算注册码的字符串,记为A
00401173 . E8 06020000 CALL <JMP.&kernel32.lstrlenA> ; \lstrlenA
00401178 . A3 9C6B4000 MOV DWORD PTR DS:[406B9C],EAX
0040117D . 8BD8 MOV EBX,EAX
0040117F . 68 84634000 PUSH crackme.00406384 ; /String = ""
00401184 . E8 F5010000 CALL <JMP.&kernel32.lstrlenA> ; \lstrlenA 这个是用来求用户名的长度
00401189 . A3 986B4000 MOV DWORD PTR DS:[406B98],EAX
0040118E . 8BF0 MOV ESI,EAX
00401190 . 33F6 XOR ESI,ESI
00401192 . 68 A46B4000 PUSH crackme.00406BA4 ; /String2 = "_r <()<1-Z2[l5,^"
00401197 . 68 84654000 PUSH crackme.00406584 ; |String1 = crackme.00406584
0040119C . E8 D7010000 CALL <JMP.&kernel32.lstrcpyA> ; \lstrcpyA 将字符串A复制到00406584处,后面用到
004011A1 . 8D3D 84654000 LEA EDI,DWORD PTR DS:[406584]
004011A7 . 50 PUSH EAX
004011A8 . A1 986B4000 MOV EAX,DWORD PTR DS:[406B98]
004011AD . 3B05 9C6B4000 CMP EAX,DWORD PTR DS:[406B9C] 用户名长度和字符串A长度相比较
004011B3 . 77 0C JA SHORT crackme.004011C1
004011B5 . A1 9C6B4000 MOV EAX,DWORD PTR DS:[406B9C]
004011BA . A3 A06B4000 MOV DWORD PTR DS:[406BA0],EAX
004011BF . EB 05 JMP SHORT crackme.004011C6
004011C1 > A3 A06B4000 MOV DWORD PTR DS:[406BA0],EAX
004011C6 > 58 POP EAX
004011C7 > 8BC6 MOV EAX,ESI
004011C9 . 6A 19 PUSH 19
004011CB . 99 CDQ
004011CC . F73D 9C6B4000 IDIV DWORD PTR DS:[406B9C]
004011D2 . 8BC6 MOV EAX,ESI
004011D4 . 5B POP EBX
004011D5 . 8D0C17 LEA ECX,DWORD PTR DS:[EDI+EDX]
004011D8 . 99 CDQ
004011D9 . F73D 986B4000 IDIV DWORD PTR DS:[406B98]
004011DF . 8D05 84634000 LEA EAX,DWORD PTR DS:[406384]
004011E5 . 0FB60410 MOVZX EAX,BYTE PTR DS:[EAX+EDX] 取用户名一个字符
004011E9 . 0FB611 MOVZX EDX,BYTE PTR DS:[ECX] 取字符串A的一个字符
004011EC . 33C2 XOR EAX,EDX EAX=EAX XOR EDX
004011EE . 99 CDQ
004011EF . F7FB IDIV EBX EAX/EBX EBX=19 商在EAX,余数在edx
004011F1 . 80C2 41 ADD DL,41 EDX=EDX+41
004011F4 . 46 INC ESI
004011F5 . 3B35 A06B4000 CMP ESI,DWORD PTR DS:[406BA0]
004011FB . 8811 MOV BYTE PTR DS:[ECX],DL 将重新计算出来的字符放到原先字符串相对应的位置上
004011FD .^7C C8 JL SHORT crackme.004011C7
004011FF . 8D35 84654000 LEA ESI,DWORD PTR DS:[406584]
00401205 . 8D3D 846B4000 LEA EDI,DWORD PTR DS:[406B84]
0040120B . A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> 将计算后的字符串的前4位送入相对应位置
0040120C . C605 886B4000 >MOV BYTE PTR DS:[406B88],2D 将'-'送到四个字符后
00401213 . 8D35 88654000 LEA ESI,DWORD PTR DS:[406588]
00401219 . 8D3D 896B4000 LEA EDI,DWORD PTR DS:[406B89]
0040121F . A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> 将计算后的字符串的第五到第八位送入相对应位置
00401220 . C605 8D6B4000 >MOV BYTE PTR DS:[406B8D],2D 将'-'送到四个字符后
00401227 . 8D35 8C654000 LEA ESI,DWORD PTR DS:[40658C]
0040122D . 8D3D 8E6B4000 LEA EDI,DWORD PTR DS:[406B8E]
00401233 . A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> 将计算后的字符串的第九到第十二位送入相对应位置
00401234 . C605 926B4000 >MOV BYTE PTR DS:[406B92],2D 将'-'送到四个字符后
0040123B . 8D35 90654000 LEA ESI,DWORD PTR DS:[406590]
00401241 . 8D3D 936B4000 LEA EDI,DWORD PTR DS:[406B93]
00401247 . A5 MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES> 将计算后的字符串的后4位送入相对应位置
00401248 . 6A 64 PUSH 64 ; /ControlID = 64 (100.)
0040124A . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040124D . E8 D2000000 CALL <JMP.&user32.GetDlgItem> ; \GetDlgItem
00401252 . 68 84654000 PUSH crackme.00406584 ; /lParam = 406584
00401257 . 6A 40 PUSH 40 ; |wParam = 40
00401259 . 6A 0D PUSH 0D ; |Message = WM_GETTEXT
0040125B . 50 PUSH EAX ; |hWnd
0040125C . E8 DB000000 CALL <JMP.&user32.SendMessageA> ; \SendMessageA
00401261 . 0BC0 OR EAX,EAX
00401263 . 75 16 JNZ SHORT crackme.0040127B
00401265 . 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00401267 . 68 37634000 PUSH crackme.00406337 ; |Title = "Bad boy..."
0040126C . 68 42634000 PUSH crackme.00406342 ; |Text = "Ummm, no serial entered! U have brain, right?"
00401271 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00401274 . E8 B7000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00401279 . EB 41 JMP SHORT crackme.004012BC
0040127B > 68 84654000 PUSH crackme.00406584 ; /String2 = "" 用户输入的注册码
00401280 . 68 846B4000 PUSH crackme.00406B84 ; |String1 = "" 真注册码
00401285 . E8 E8000000 CALL <JMP.&kernel32.lstrcmpA> ; \lstrcmpA
0040128A . 0BC0 OR EAX,EAX
0040128C . 75 1A JNZ SHORT crackme.004012A8
0040128E . 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401290 . 68 0C634000 PUSH crackme.0040630C ; |Title = "Good boy..."
00401295 . 68 DD624000 PUSH crackme.004062DD ; |Text = "Yep, thats the right code!
Go write a keygen!"
0040129A . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
0040129D . E8 8E000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
注册码的计算其实很简单
将输入的用户名。重复到16位,例如我的用户名是yutou
则“yutouyutouyutouy” 与 字符串常量A "_r <()<1-Z2[l5,^"的相对应的每个字符相异或
再除以19H,将余数加上41H,所得的即为新字符。
再在每隔四个字符的地方加上隔'-'即可
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年08月08日 18:11:59
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
