【文章标题】: 一个简单CrackMe的分析
【文章作者】: ikki[D.4s]
【下载地址】: http://bbs.pediy.com/attachment.php?s=&attachmentid=2754
【使用工具】: olldbg
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
CrackMe下载地址:
http://bbs.pediy.com/attachment.php?s=&attachmentid=2754
以输入
name:ikki
code:1234-2345-3456-4567
为例。
00450A94 B9 01000000 mov ecx,1
00450A99 8B45 CC mov eax,dword ptr ss:[ebp-34] ; /
00450A9C 0FB64408 FF movzx eax,byte ptr ds:[eax+ecx-1]
00450AA1 F7E9 imul ecx
00450AA3 99 cdq
00450AA4 0345 D8 add eax,dword ptr ss:[ebp-28] ; 对name字符串进行计算
00450AA7 1355 DC adc edx,dword ptr ss:[ebp-24]
00450AAA 8945 D8 mov dword ptr ss:[ebp-28],eax
00450AAD 8955 DC mov dword ptr ss:[ebp-24],edx
00450AB0 41 inc ecx
00450AB1 4B dec ebx
00450AB2 ^ 75 E5 jnz short ♂CrackM.00450A99 ; \
----------------
char strName[] = "ikki";
unsigned long result = 0;
for(int i = 0; i < strlen(strName); i++)
{
result += strName[i] * (i + 1);
}
//"ikki"的计算结果是:0x424
00450AB4 8B45 C8 mov eax,dword ptr ss:[ebp-38]
00450AB7 > E8 94FAFFFF call ♂CrackM.00450550 ; 计算blowfish子密钥(key="SUNZONES")
00450ABC FF75 DC push dword ptr ss:[ebp-24] ; 0x0000
00450ABF FF75 D8 push dword ptr ss:[ebp-28] ; 0x424(前面对name字符串计算的结果)
00450AC2 > E8 4DF9FFFF call ♂CrackM.00450414 ; blowfish加密函数--bf_en()
00450AC7 FF75 DC push dword ptr ss:[ebp-24] ; (不知道作者为什么用相同的参数加密两次)
00450ACA FF75 D8 push dword ptr ss:[ebp-28]
00450ACD > E8 42F9FFFF call ♂CrackM.00450414 ; blowfish加密函数--bf_en()
00450AD2 8905 245C4500 mov dword ptr ds:[455C24],eax ; 结果保存起来,
00450AD8 8915 285C4500 mov dword ptr ds:[455C28],edx ; 后面用到
00450ADE 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
00450AE1 8B45 FC mov eax,dword ptr ss:[ebp-4]
00450AE4 > 8B80 FC020000 mov eax,dword ptr ds:[eax+2FC] ; *TForm1.Edit2:TEdit
00450AEA > E8 29ECFDFF call ♂CrackM.0042F718 ; ->Controls.TControl.GetText(TControl):TCaption;
00450AEF 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
00450AF2 > E8 E535FBFF call ♂CrackM.004040DC ; ->System.@LStrLen(String):Integer;
00450AF7 83F8 13 cmp eax,13 ; code字符串长度是否为19位?
00450AFA 0F85 68010000 jnz ♂CrackM.00450C68
00450B00 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
00450B03 8B45 FC mov eax,dword ptr ss:[ebp-4]
00450B06 > 8B80 FC020000 mov eax,dword ptr ds:[eax+2FC] ; *TForm1.Edit2:TEdit
00450B0C > E8 07ECFDFF call ♂CrackM.0042F718 ; ->Controls.TControl.GetText(TControl):TCaption;
00450B11 8D45 D0 lea eax,dword ptr ss:[ebp-30]
00450B14 > E8 0333FBFF call ♂CrackM.00403E1C ; ->System.@LStrClr(void;void);
00450B19 BB 01000000 mov ebx,1 ; /
00450B1E 8D45 C0 lea eax,dword ptr ss:[ebp-40]
00450B21 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
00450B24 8A541A FF mov dl,byte ptr ds:[edx+ebx-1]
00450B28 > E8 D734FBFF call ♂CrackM.00404004 ; ->System.@LStrFromChar(String;String;Char);
00450B2D 8B55 C0 mov edx,dword ptr ss:[ebp-40]
00450B30 8D45 D0 lea eax,dword ptr ss:[ebp-30] ; 对code字符串的1-4进行处理
00450B33 > E8 AC35FBFF call ♂CrackM.004040E4 ; ->System.@LStrCat;
00450B38 43 inc ebx ; 依次取一位并连接
00450B39 83FB 05 cmp ebx,5
00450B3C ^ 75 E0 jnz short ♂CrackM.00450B1E ; \
00450B3E BB 06000000 mov ebx,6 ; /
00450B43 8D45 BC lea eax,dword ptr ss:[ebp-44]
00450B46 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
00450B49 8A541A FF mov dl,byte ptr ds:[edx+ebx-1]
00450B4D > E8 B234FBFF call ♂CrackM.00404004 ; ->System.@LStrFromChar(String;String;Char);
00450B52 8B55 BC mov edx,dword ptr ss:[ebp-44] ; 6-9位
00450B55 8D45 D0 lea eax,dword ptr ss:[ebp-30]
00450B58 > E8 8735FBFF call ♂CrackM.004040E4 ; ->System.@LStrCat;
00450B5D 43 inc ebx
00450B5E 83FB 0A cmp ebx,0A
00450B61 ^ 75 E0 jnz short ♂CrackM.00450B43 ; \
00450B63 BB 0B000000 mov ebx,0B ; /
00450B68 8D45 B8 lea eax,dword ptr ss:[ebp-48]
00450B6B 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
00450B6E 8A541A FF mov dl,byte ptr ds:[edx+ebx-1]
00450B72 > E8 8D34FBFF call ♂CrackM.00404004 ; ->System.@LStrFromChar(String;String;Char);
00450B77 8B55 B8 mov edx,dword ptr ss:[ebp-48]
00450B7A 8D45 D0 lea eax,dword ptr ss:[ebp-30] ; 11-14
00450B7D > E8 6235FBFF call ♂CrackM.004040E4 ; ->System.@LStrCat;
00450B82 43 inc ebx
00450B83 83FB 0F cmp ebx,0F
00450B86 ^ 75 E0 jnz short ♂CrackM.00450B68 ; \
00450B88 BB 10000000 mov ebx,10 ; /
00450B8D 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
00450B90 8B55 D4 mov edx,dword ptr ss:[ebp-2C]
00450B93 8A541A FF mov dl,byte ptr ds:[edx+ebx-1]
00450B97 > E8 6834FBFF call ♂CrackM.00404004 ; ->System.@LStrFromChar(String;String;Char);
00450B9C 8B55 B4 mov edx,dword ptr ss:[ebp-4C] ; 16-19
00450B9F 8D45 D0 lea eax,dword ptr ss:[ebp-30]
00450BA2 > E8 3D35FBFF call ♂CrackM.004040E4 ; ->System.@LStrCat;
00450BA7 43 inc ebx
00450BA8 83FB 14 cmp ebx,14
00450BAB ^ 75 E0 jnz short ♂CrackM.00450B8D ; \
00450BAD 33C0 xor eax,eax
00450BAF 55 push ebp
00450BB0 68 480C4500 push <♂CrackM.->System.@HandleAnyException;>
00450BB5 64:FF30 push dword ptr fs:[eax]
00450BB8 64:8920 mov dword ptr fs:[eax],esp
00450BBB 8D45 B0 lea eax,dword ptr ss:[ebp-50]
00450BBE 8B4D D0 mov ecx,dword ptr ss:[ebp-30]
00450BC1 BA D80C4500 mov edx,♂CrackM.00450CD8
00450BC6 > E8 5D35FBFF call ♂CrackM.00404128 ; 字符'$'与前面得到的字符串连接
00450BCB 8B45 B0 mov eax,dword ptr ss:[ebp-50]
00450BCE > E8 DD73FBFF call ♂CrackM.00407FB0 ; ->SysUtils.StrToInt64(AnsiString):Int64;
00450BD3 8945 F0 mov dword ptr ss:[ebp-10],eax
00450BD6 8955 F4 mov dword ptr ss:[ebp-C],edx
00450BD9 B8 C40C4500 mov eax,♂CrackM.00450CC4 ; ASCII "SUNZONES"
00450BDE > E8 6DF9FFFF call ♂CrackM.00450550 ; 计算blowfish子密钥(key="SUNZONES")
00450BE3 FF75 F4 push dword ptr ss:[ebp-C] ; 0x12342345
00450BE6 FF75 F0 push dword ptr ss:[ebp-10] ; 0x34564567
00450BE9 E8 8AF7FFFF call ♂CrackM.00450378 ; blowfish解密函数bf_de()
00450BEE 8945 E8 mov dword ptr ss:[ebp-18],eax ; 保存结果
00450BF1 8955 EC mov dword ptr ss:[ebp-14],edx ; 保存结果
00450BF4 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00450BF7 8B55 EC mov edx,dword ptr ss:[ebp-14]
00450BFA 2B05 245C4500 sub eax,dword ptr ds:[455C24] ; 与加密时得到的结果比较,是否相等
00450C00 1B15 285C4500 sbb edx,dword ptr ds:[455C28] ; 与加密时得到的结果比较,是否相等
00450C06 8945 E0 mov dword ptr ss:[ebp-20],eax
00450C09 8955 E4 mov dword ptr ss:[ebp-1C],edx
00450C0C 8B45 E0 mov eax,dword ptr ss:[ebp-20]
00450C0F 83E8 01 sub eax,1 ; 根据比较结果跳转。这两句功能类似常见的
00450C12 73 16 jnb short ♂CrackM.00450C2A ; cmp eax, 0/jnz xxx
00450C14 8B45 FC mov eax,dword ptr ss:[ebp-4]
00450C17 > 8B80 14030000 mov eax,dword ptr ds:[eax+314] ; *TForm1.Label3:TLabel
00450C1D 8B15 C82D4500 mov edx,dword ptr ds:[452DC8] ; ♂CrackM.004509A8
00450BDE > E8 6DF9FFFF call ♂CrackM.00450550 ; 计算blowfish子密钥(key="SUNZONES")
------------
00450550 55 push ebp
00450551 8BEC mov ebp,esp
00450553 83C4 E8 add esp,-18
00450556 53 push ebx
00450557 56 push esi
00450558 57 push edi
00450559 8945 FC mov dword ptr ss:[ebp-4],eax
0045055C 8B45 FC mov eax,dword ptr ss:[ebp-4]
0045055F E8 683DFBFF call ♂CrackM.004042CC
00450564 33C0 xor eax,eax
00450566 55 push ebp
00450567 68 76064500 push ♂CrackM.00450676
0045056C 64:FF30 push dword ptr fs:[eax]
0045056F 64:8920 mov dword ptr fs:[eax],esp
00450572 B8 D04B4500 mov eax,♂CrackM.00454BD0
00450577 33C9 xor ecx,ecx
00450579 BA 48100000 mov edx,1048
0045057E E8 7D25FBFF call ♂CrackM.00402B00
00450583 BB 01000000 mov ebx,1
00450588 BE 12000000 mov esi,12
0045058D C745 EC 801D4500 mov dword ptr ss:[ebp-14],♂CrackM.00451D80
00450594 C745 E8 D04B4500 mov dword ptr ss:[ebp-18],♂CrackM.00454BD0
0045059B 33C0 xor eax,eax
0045059D 8945 F8 mov dword ptr ss:[ebp-8],eax
004505A0 BF 04000000 mov edi,4
004505A5 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; /
004505A8 C1E0 08 shl eax,8
004505AB 8B55 FC mov edx,dword ptr ss:[ebp-4]
004505AE 0FB6541A FF movzx edx,byte ptr ds:[edx+ebx-1]
004505B3 0BC2 or eax,edx
004505B5 8945 F8 mov dword ptr ss:[ebp-8],eax ; strToHex
004505B8 43 inc ebx
004505B9 8B45 FC mov eax,dword ptr ss:[ebp-4]
004505BC E8 1B3BFBFF call ♂CrackM.004040DC
004505C1 3BD8 cmp ebx,eax
004505C3 7E 05 jle short ♂CrackM.004505CA
004505C5 BB 01000000 mov ebx,1
004505CA 4F dec edi
004505CB ^ 75 D8 jnz short ♂CrackM.004505A5 ; \
004505CD 8B45 EC mov eax,dword ptr ss:[ebp-14] ; /
004505D0 8B00 mov eax,dword ptr ds:[eax]
004505D2 3345 F8 xor eax,dword ptr ss:[ebp-8]
004505D5 8B55 E8 mov edx,dword ptr ss:[ebp-18] ; 用key依次XOR pBox
004505D8 8902 mov dword ptr ds:[edx],eax ; pBox[i](i form 0 to 17)
004505DA 8345 E8 04 add dword ptr ss:[ebp-18],4 ; key="SUNZONES"
004505DE 8345 EC 04 add dword ptr ss:[ebp-14],4
004505E2 4E dec esi
004505E3 ^ 75 B6 jnz short ♂CrackM.0045059B ; \
004505E5 33F6 xor esi,esi
004505E7 BA C81D4500 mov edx,♂CrackM.00451DC8
004505EC 33DB xor ebx,ebx
004505EE 8BC2 mov eax,edx
004505F0 8BCE mov ecx,esi ; /
004505F2 C1E1 08 shl ecx,8
004505F5 03CB add ecx,ebx
004505F7 8B38 mov edi,dword ptr ds:[eax] ; 初始化SBox[4][256]
004505F9 893C8D 184C4500 mov dword ptr ds:[ecx*4+454C18],edi
00450600 43 inc ebx
00450601 83C0 04 add eax,4
00450604 81FB 00010000 cmp ebx,100
0045060A ^ 75 E4 jnz short ♂CrackM.004505F0
0045060C 46 inc esi
0045060D 81C2 00040000 add edx,400
00450613 83FE 04 cmp esi,4
00450616 ^ 75 D4 jnz short ♂CrackM.004505EC ; \
00450618 C745 F0 00000000 mov dword ptr ss:[ebp-10],0
0045061F C745 F4 00000000 mov dword ptr ss:[ebp-C],0
00450626 BE 09020000 mov esi,209
0045062B BB D04B4500 mov ebx,♂CrackM.00454BD0
00450630 FF75 F4 push dword ptr ss:[ebp-C] ; /
00450633 FF75 F0 push dword ptr ss:[ebp-10]
00450636 E8 D9FDFFFF call ♂CrackM.00450414 ; bf_en()
0045063B 8945 F0 mov dword ptr ss:[ebp-10],eax
0045063E 8955 F4 mov dword ptr ss:[ebp-C],edx
00450641 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; PBox/SBox替换
00450644 33D2 xor edx,edx
00450646 8903 mov dword ptr ds:[ebx],eax
00450648 6A 01 push 1
0045064A 6A 00 push 0
0045064C 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0045064F 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00450652 E8 8D45FBFF call ♂CrackM.00404BE4
00450657 8943 04 mov dword ptr ds:[ebx+4],eax
0045065A 83C3 08 add ebx,8
0045065D 4E dec esi
0045065E ^ 75 D0 jnz short ♂CrackM.00450630 ; \
00450660 33C0 xor eax,eax
00450662 5A pop edx
00450663 59 pop ecx
00450664 59 pop ecx
00450665 64:8910 mov dword ptr fs:[eax],edx
00450668 68 7D064500 push ♂CrackM.0045067D
0045066D 8D45 FC lea eax,dword ptr ss:[ebp-4]
00450670 E8 A737FBFF call ♂CrackM.00403E1C
00450675 C3 retn
-------------
00450ACD > E8 42F9FFFF call ♂CrackM.00450414 ; blowfish加密函数--bf_en()
------------
00450411 8D40 00 lea eax,dword ptr ds:[eax]
00450414 55 push ebp
00450415 8BEC mov ebp,esp
00450417 83C4 E8 add esp,-18
0045041A 53 push ebx
0045041B 56 push esi
0045041C 57 push edi
0045041D 8B45 0C mov eax,dword ptr ss:[ebp+C]
00450420 33D2 xor edx,edx
00450422 8BF0 mov esi,eax
00450424 6A 01 push 1
00450426 6A 00 push 0
00450428 8B45 08 mov eax,dword ptr ss:[ebp+8]
0045042B 8B55 0C mov edx,dword ptr ss:[ebp+C]
0045042E E8 B147FBFF call ♂CrackM.00404BE4
00450433 8945 F4 mov dword ptr ss:[ebp-C],eax
00450436 B3 01 mov bl,1
00450438 BF D04B4500 mov edi,♂CrackM.00454BD0
0045043D 3337 xor esi,dword ptr ds:[edi]
0045043F 8BC6 mov eax,esi
00450441 E8 6A000000 call ♂CrackM.004504B0 ; F()
00450446 3145 F4 xor dword ptr ss:[ebp-C],eax
00450449 80FB 10 cmp bl,10
0045044C 73 08 jnb short ♂CrackM.00450456
0045044E 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00450451 8975 F4 mov dword ptr ss:[ebp-C],esi
00450454 8BF0 mov esi,eax
00450456 43 inc ebx
00450457 83C7 04 add edi,4
0045045A 80FB 11 cmp bl,11
0045045D ^ 75 DE jnz short ♂CrackM.0045043D
0045045F A1 104C4500 mov eax,dword ptr ds:[454C10]
00450464 3145 F4 xor dword ptr ss:[ebp-C],eax
00450467 3335 144C4500 xor esi,dword ptr ds:[454C14]
0045046D 8BC6 mov eax,esi
0045046F 33D2 xor edx,edx
00450471 8945 E8 mov dword ptr ss:[ebp-18],eax
00450474 8955 EC mov dword ptr ss:[ebp-14],edx
00450477 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0045047A 33D2 xor edx,edx
0045047C 52 push edx
0045047D 50 push eax
0045047E 8B55 E8 mov edx,dword ptr ss:[ebp-18]
00450481 33C0 xor eax,eax
00450483 0B0424 or eax,dword ptr ss:[esp]
00450486 0B5424 04 or edx,dword ptr ss:[esp+4]
0045048A 83C4 08 add esp,8
0045048D 8945 E8 mov dword ptr ss:[ebp-18],eax
00450490 8955 EC mov dword ptr ss:[ebp-14],edx
00450493 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00450496 8945 F8 mov dword ptr ss:[ebp-8],eax
00450499 8B45 EC mov eax,dword ptr ss:[ebp-14]
0045049C 8945 FC mov dword ptr ss:[ebp-4],eax
0045049F 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004504A2 8B55 FC mov edx,dword ptr ss:[ebp-4]
004504A5 5F pop edi
004504A6 5E pop esi
004504A7 5B pop ebx
004504A8 8BE5 mov esp,ebp
004504AA 5D pop ebp
004504AB C2 0800 retn 8
--------------------------------------------------------------------------------
【经验总结】
从以上分析可以看到,这个CrackMe的验证就是
blowfish_EN(clac(name))=?blowfish_DE(code)
(key="SUNZONES")
所以
code=bf_EN(bf_EN(calc(name)))
(key="SUNZONES")
通过这个就可以计算出对应的注册码了,其中bf_EN()/bf_DE()的代码在CrackMe中都包含有,可以利用
它自身做个keygen。
用的是标准的blowfish算法,只是对SBOX的最后4位参数作了修改:
原始参数 修改后的参数
B74E6132-->B74E6131
CE77E25B-->CE77E25A
578FDFE3-->578FDFE2
3AC372E6-->3AC372E5
一个可用的name和code:
name:ikki
code:1B8F-01FD-23AE-5F44
用网上的blowfish的代码写了个C的注册机,代码比较简单,看看就明白了。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年09月10日 10:05:56
[培训]内核驱动高级班,冲击BAT一流互联网大厂工
作,每周日13:00-18:00直播授课
上传的附件:
