【Title】: muckis's crackme #1 cracked (detects OD)
【Author】: bxm
【Author e-mail】: bxm78@163.com
【Protection】: name, serial
【Language】: VC++
【Tools】: OD
【Platform】: WinXP
【Author's note】: Just out of interest, nothing else intended. If I got something wrong, corrections are welcome!
--------------------------------------------------------------------------------
【Details】
A breakpoint on GetWindowTextA breaks easily; enter
name:bxm78
serial:780328051
00401506 |. E8 FFFAFFFF call 0040100A ; subroutine that checks for OD
0040150B |. 85C0 test eax, eax
0040150D |. 74 4D je short 0040155C ; must jump, otherwise you trace into the wrong serial
0040150F |. 6A 0A push 0A
00401511 |. 8D45 E0 lea eax, [ebp-20]
00401514 |. 50 push eax
00401515 |. 8D4D C0 lea ecx, [ebp-40]
00401518 |. 51 push ecx
00401519 |. E8 0AFBFFFF call 00401028
0040151E |. 83C4 04 add esp, 4
00401521 |. 50 push eax ; |Arg1
00401522 |. E8 49A00000 call 0040B570 ; \crackme1.0040B570
00401527 |. 83C4 0C add esp, 0C
0040152A |. 50 push eax
0040152B |. 8D55 A0 lea edx, [ebp-60]
0040152E |. 52 push edx
0040152F |. E8 6C1F0000 call 004034A0
00401534 |. 83C4 08 add esp, 8
00401537 |. 85C0 test eax, eax
00401539 75 1F jnz short 0040155A
0040153B |. 8BF4 mov esi, esp
0040153D |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040153F |. 68 4CA04200 push 0042A04C ; |lol
00401544 |. 68 34A04200 push 0042A034 ; |make a keygen ;-)
00401549 |. 8B45 08 mov eax, [ebp+8] ; |
0040154C |. 50 push eax ; |hOwner
0040154D |. FF15 D4024300 call [<&USER32.MessageBoxA>] ; \MessageBoxA
00401553 |. 3BF4 cmp esi, esp
00401555 |. E8 661D0000 call 004032C0
0040155A |> EB 44 jmp short 004015A0
0040155C |> 6A 0A push 0A
0040155E |. 8D4D E0 lea ecx, [ebp-20]
00401561 |. 51 push ecx
00401562 |. 8D55 C0 lea edx, [ebp-40] ; name into EDX
00401565 |. 52 push edx
00401566 |. E8 B3FAFFFF call 0040101E ; key algorithm
===================================
Key algorithm call
004011C0 /> \55 push ebp
004011C1 |. 8BEC mov ebp, esp
004011C3 |. 83EC 50 sub esp, 50
004011C6 |. 53 push ebx
004011C7 |. 56 push esi
004011C8 |. 57 push edi
004011C9 |. 8D7D B0 lea edi, [ebp-50]
004011CC |. B9 14000000 mov ecx, 14
004011D1 |. B8 CCCCCCCC mov eax, CCCCCCCC
004011D6 |. F3:AB rep stos dword ptr es:[edi]
004011D8 |. C745 FC 00000>mov dword ptr [ebp-4], 0
004011DF |. C745 F8 00000>mov dword ptr [ebp-8], 0
004011E6 |. C745 F4 00000>mov dword ptr [ebp-C], 0
004011ED |. 8B45 08 mov eax, [ebp+8]
004011F0 |. 50 push eax
004011F1 |. E8 2A220000 call 00403420
004011F6 |. 83C4 04 add esp, 4
004011F9 |. 8945 F0 mov [ebp-10], eax
004011FC |. 8B4D 08 mov ecx, [ebp+8] ; name into ECX
004011FF |. 51 push ecx ; /Arg1
00401200 |. E8 1B210000 call 00403320 ; \convert to uppercase
00401205 |. 83C4 04 add esp, 4
00401208 |. C745 FC 00000>mov dword ptr [ebp-4], 0
0040120F |. EB 09 jmp short 0040121A
00401211 |> 8B55 FC /mov edx, [ebp-4]
00401214 |. 83C2 01 |add edx, 1
00401217 |. 8955 FC |mov [ebp-4], edx
0040121A |> 8B45 FC mov eax, [ebp-4] ; [ebp-4] is the loop counter
0040121D |. 3B45 F0 |cmp eax, [ebp-10] ; [ebp-10] is the name length
00401220 |. 7D 3C |jge short 0040125E
00401222 |. 8B4D 08 |mov ecx, [ebp+8] ; name into ECX
00401225 |. 034D FC |add ecx, [ebp-4] ; ECX + loop index
00401228 |. 33D2 |xor edx, edx ; zero EDX
0040122A |. 8A11 |mov dl, [ecx] ; each character of name into dl in turn
0040122C |. 83FA 20 |cmp edx, 20 ; EDX = space?
0040122F |. 74 2B |je short 0040125C ; if equal, jump
00401231 |. 8B45 08 |mov eax, [ebp+8] ; name into EAX
00401234 |. 0345 FC |add eax, [ebp-4] ; EAX + loop index
00401237 |. 33C9 |xor ecx, ecx ; zero ECX
00401239 |. 8A08 |mov cl, [eax] ; each character of name into cl in turn
0040123B |. 894D F4 |mov [ebp-C], ecx ; store ECX in [ebp-C]
0040123E |. 8B55 F4 |mov edx, [ebp-C] ; [ebp-C] into EDX
00401241 |. 69D2 7A150000 |imul edx, edx, 157A ; EDX*157A
00401247 |. 8955 F4 |mov [ebp-C], edx ; store EDX in [ebp-C]
0040124A |. 8B45 F4 |mov eax, [ebp-C] ; [ebp-C] into EAX
0040124D |. 83E8 01 |sub eax, 1 ; EAX-1
00401250 |. 8945 F4 |mov [ebp-C], eax ; store EAX in [ebp-C]
00401253 |. 8B4D F8 |mov ecx, [ebp-8] ; [ebp-8] is the running sum
00401256 |. 034D F4 |add ecx, [ebp-C] ; accumulate
00401259 |. 894D F8 |mov [ebp-8], ecx ; store the running sum
0040125C |>^ EB B3 \jmp short 00401211
0040125E |> 8B75 F8 mov esi, [ebp-8] ; running sum into ESI
00401261 |. 6BF6 0A imul esi, esi, 0A ; ESI*0A
00401264 |. 8B55 F8 mov edx, [ebp-8] ; running sum into EDX
00401267 |. 52 push edx
00401268 |. E8 98FDFFFF call 00401005 ; floating-point computation on the running sum, result returned in EAX
0040126D |. 83C4 04 add esp, 4
00401270 |. 03C6 add eax, esi ; EAX+ESI
00401272 |. 5F pop edi
00401273 |. 5E pop esi
00401274 |. 5B pop ebx
00401275 |. 83C4 50 add esp, 50
00401278 |. 3BEC cmp ebp, esp
0040127A |. E8 41200000 call 004032C0
0040127F |. 8BE5 mov esp, ebp
00401281 |. 5D pop ebp
00401282 \. C3 retn
The call at 00401268 does a somewhat involved floating-point computation; I didn't bother tracing it.
=======================================
0040156B |. 83C4 04 add esp, 4
0040156E |. 50 push eax ; |result of the key algorithm
0040156F |. E8 FC9F0000 call 0040B570 ; \convert to a decimal string
00401574 |. 83C4 0C add esp, 0C
00401577 |. 50 push eax ; real serial
00401578 |. 8D45 A0 lea eax, [ebp-60]
0040157B |. 50 push eax ; entered serial
0040157C |. E8 1F1F0000 call 004034A0 ; compare: returns 0 if equal, 1 if not
00401581 |. 83C4 08 add esp, 8
00401584 |. 85C0 test eax, eax
00401586 |. 75 18 jnz short 004015A0 ; if this jumps it's over: the patch point
00401588 |. 8BF4 mov esi, esp
0040158A |. 68 1CA04200 push 0042A01C ; /now make a keygen!
0040158F |. 8B4D 9C mov ecx, [ebp-64] ; |
00401592 |. 51 push ecx ; |hWnd
00401593 |. FF15 D8024300 call [<&USER32.SetWindowTextA>] ; \SetWindowTextA
I won't spell out the algorithm itself; the comments make it clear enough. This CrackMe detects OD and that check has to be removed, which is also easy: just hide OD with a plugin.
Here is the correct serial:
name:bxm78
serial:18803116
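To check the annotations on the loop at 00401208-0040125E against the name/serial pair above, here is a reimplementation of that loop in C. This is an added example, not code from the write-up or the crackme; it assumes the call at 00403420 is a plain strlen and the call at 00403320 is an ASCII uppercase conversion, and it does not attempt the untraced floating-point routine at 00401005, instead recovering what that routine must have returned for the known pair.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Loop at 00401208-0040125E as annotated in the listing: uppercase the name,
 * skip spaces (cmp edx,20), and for every other byte add (c * 0x157A - 1) to a
 * 32-bit running sum ([ebp-8]). The byte is zero-extended (xor edx,edx /
 * mov dl,[ecx]) and imul truncates to 32 bits, hence uint32_t throughout. */
uint32_t crackme_sum(const char *name)
{
    uint32_t sum = 0;
    size_t len = strlen(name);                     /* assumed: call 00403420 -> [ebp-10] */
    for (size_t i = 0; i < len; i++) {             /* [ebp-4] < [ebp-10] */
        uint32_t c = (unsigned char)toupper((unsigned char)name[i]); /* assumed: call 00403320 */
        if (c == 0x20)                              /* cmp edx,20 / je 0040125C */
            continue;
        uint32_t t = c * 0x157Au;                   /* imul edx,edx,157A */
        t -= 1;                                     /* sub eax,1 */
        sum += t;                                   /* add ecx,[ebp-C] */
    }
    return sum;
}

/* The routine returns eax = f(sum) + sum*10 (imul esi,esi,0A / add eax,esi),
 * where f is the untraced floating-point call at 00401005. Given a serial that
 * is known to be accepted, this recovers the value f returned for that sum, so
 * the loop above can be checked against the write-up's own pair without f. */
uint32_t residual_term(const char *name, uint32_t serial)
{
    return serial - crackme_sum(name) * 10u;
}

int main(void)
{
    const char *name = "bxm78";      /* the pair quoted in the write-up */
    uint32_t serial = 18803116u;
    uint32_t s = crackme_sum(name);
    printf("sum=%u sum*10=%u f(sum)=%u\n", s, s * 10u, residual_term(name, serial));
    return 0;
}
```

For "bxm78" the loop gives 1880311, so sum*10 = 18803110 and the floating-point call must have contributed 6 to reach 18803116, which is consistent with the listing's final add eax, esi.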
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) forum. When reposting, please credit the author and keep the article intact. Thanks!
10 September 2006, 01:54:44 PM