原CrackMe链接:
http://bbs.pediy.com/showthread.php?s=&threadid=32446
peid->kanal (Krypto ANALyzer 插件识别结果, 每行格式: 算法/签名 :: 文件偏移 :: 虚拟地址):
CAST-128 [sbox 8] :: 0000ECF8 :: 0040ECF8
SHA1 [Compress] :: 00003FAD :: 00403FAD
SHA1 [Compress] :: 000056AA :: 004056AA
SHA1 [Compress] :: 00007032 :: 00407032
SHA1 [Compress] :: 00008998 :: 00408998
搜了几篇文章看了看,大致分析:
00401214 |. 3BEB CMP EBP,EBX ; EBP = name length vs EBX = minimum (4 per the author's note -- EBX is loaded outside this excerpt); signed compare
00401216 |. 7D 0D JGE SHORT CrackMe_.00401225 ; long enough -> go read the serial, otherwise fall into the failure epilogue
00401218 >|> 5F POP EDI ; shared failure exit (also reached from the hex-digit loop below via the JE at 0040127D)
00401219 |. 5E POP ESI
0040121A |. 5D POP EBP
0040121B |. 33C0 XOR EAX,EAX ; return 0 = failure
0040121D |. 5B POP EBX
0040121E |. 81C4 A8020000 ADD ESP,2A8 ; drop the 0x2A8-byte stack frame
00401224 |. C3 RETN
00401225 |> 8D4424 44 LEA EAX,DWORD PTR SS:[ESP+44] ; stack buffer that receives the serial
00401229 |. 68 C9000000 PUSH 0C9 ; cchMax = 201 (the keygen sizes its own szName to 201 as well)
0040122E |. 50 PUSH EAX ; lpString = serial buffer
0040122F |. 68 E9030000 PUSH 3E9 ; control ID 0x3E9 = 1001
00401234 |. 56 PUSH ESI ; hDlg (ESI)
00401235 |. FFD7 CALL EDI ; EDI presumably GetDlgItemTextA -- argument shape matches, the import is not shown here
00401237 |. 83F8 10 CMP EAX,10 ; serial must be exactly 16 chars (8 bytes as hex)
0040123A |. 74 0D JE SHORT CrackMe_.00401249 ; 00401249 presumably zeroes ESI for the loop at 0040124B (not shown)
0040123C |. 5F POP EDI ; second failure epilogue, same shape as above
0040123D |. 5E POP ESI
0040123E |. 5D POP EBP
0040123F |. 33C0 XOR EAX,EAX ; return 0 = failure
...
0040124B |> 833D E8024100 >/CMP DWORD PTR DS:[4102E8],1 ; looks like CRT __mb_cur_max > 1 ? -- the two branches below are the MSVC inlined isxdigit() shape, TODO confirm
00401252 |. 7E 15 |JLE SHORT CrackMe_.00401269 ; single-byte locale: index the ctype table directly
00401254 |. 0FBE4C34 44 |MOVSX ECX,BYTE PTR SS:[ESP+ESI+44] ; serial[ESI], sign-extended
00401259 |. 68 80000000 |PUSH 80 ; 0x80 = _HEX class mask
0040125E |. 51 |PUSH ECX
0040125F |. E8 A7860000 |CALL CrackMe_.0040990B ; presumably _isctype(c, _HEX)
00401264 |. 83C4 08 |ADD ESP,8
00401267 |. EB 12 |JMP SHORT CrackMe_.0040127B
00401269 |> 0FBE5434 44 |MOVSX EDX,BYTE PTR SS:[ESP+ESI+44] ; serial[ESI], sign-extended: a byte >= 0x80 becomes a negative table index
0040126E |. A1 DC004100 |MOV EAX,DWORD PTR DS:[4100DC] ; presumably _pctype (table of 16-bit class words, hence *2 below)
00401273 |. 8A0450 |MOV AL,BYTE PTR DS:[EAX+EDX*2] ; low byte of the class word; upper bytes of EAX still hold the pointer until the AND
00401276 |. 25 80000000 |AND EAX,80 ; keep only the _HEX bit
0040127B |> 85C0 |TEST EAX,EAX ; is it a hex digit ("0"-"9", "A"-"F", "a"-"f")?
0040127D |.^74 99 |JE SHORT <CrackMe_.Fail> ; any non-hex char -> failure exit at 00401218
0040127F |. 0FBE4C34 44 |MOVSX ECX,BYTE PTR SS:[ESP+ESI+44]
00401284 |. 51 |PUSH ECX
00401285 |. E8 B6850000 |CALL CrackMe_.00409840 ; one-arg char function whose result replaces the char -- presumably case folding (toupper/tolower), TODO confirm; the author considered it irrelevant
0040128A |. 83C4 04 |ADD ESP,4
0040128D |. 884434 44 |MOV BYTE PTR SS:[ESP+ESI+44],AL ; write the canonicalized char back in place
00401291 |. 46 |INC ESI
00401292 |. 83FE 10 |CMP ESI,10 ; all 16 chars checked?
00401295 |.^7C B4 \JL SHORT CrackMe_.0040124B
...
00401323 |. 52 PUSH EDX ; SHA-1 context
00401324 |. E8 D71A0000 CALL <CrackMe_.SHA1INIT>
00401329 |. 8D8424 7001000>LEA EAX,DWORD PTR SS:[ESP+170] ; -> username buffer
00401330 |. 55 PUSH EBP ; name length (EBP, the value checked against EBX at 00401214)
00401331 |. 8D8C24 1401000>LEA ECX,DWORD PTR SS:[ESP+114] ; -> SHA-1 context
00401338 |. 50 PUSH EAX ; the username is visible here when breaking on this call
00401339 |. 51 PUSH ECX
0040133A |. E8 91160000 CALL CrackMe_.004029D0 ; (ctx, name, len) -- presumably SHA-1 update over the whole name
0040133F |. 8D9424 1C01000>LEA EDX,DWORD PTR SS:[ESP+11C] ; -> SHA-1 context
00401346 |. 8D4424 38 LEA EAX,DWORD PTR SS:[ESP+38] ; -> digest output (SHA-1 = 20 bytes)
0040134A |. 52 PUSH EDX
0040134B |. 50 PUSH EAX
0040134C |. E8 3F190000 CALL CrackMe_.00402C90 ; sha1(name): presumably the finalize step, digest lands at [ESP+38]
00401351 |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
...
0040135F |. 52 PUSH EDX
00401360 |. E8 0B010000 CALL CrackMe_.00401470 ; CAST-128 key schedule; the keygen carries this key as the constant rippedkey1, i.e. it does not depend on the name
00401365 |. 8D8424 5802000>LEA EAX,DWORD PTR SS:[ESP+258]
0040136C |. 6A 00 PUSH 0 ; 4th arg = 0, presumably the encrypt/decrypt direction flag
0040136E |. 8D4C24 64 LEA ECX,DWORD PTR SS:[ESP+64]
00401372 |. 50 PUSH EAX
00401373 |. 8D5424 4C LEA EDX,DWORD PTR SS:[ESP+4C]
00401377 |. 51 PUSH ECX
00401378 |. 52 PUSH EDX
00401379 |. E8 22000000 CALL CrackMe_.004013A0 ; CAST-128 operation on one 8-byte block (key, in, out, flag)
0040137E |. 83C4 34 ADD ESP,34 ; cdecl cleanup for the call sequence above (0x34 bytes of arguments)
00401381 |. B9 02000000 MOV ECX,2 ; compare 2 dwords = one 8-byte block
00401386 |. 8D7C24 28 LEA EDI,DWORD PTR SS:[ESP+28]
0040138A |. 8D7424 3C LEA ESI,DWORD PTR SS:[ESP+3C]
0040138E |. 33C0 XOR EAX,EAX
00401390 |. F3:A7 REPE CMPS DWORD PTR ES:[EDI],DWORD PTR D>; final check: computed 8-byte block vs the block derived from the serial
还是看注册机代码吧:
comment;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
comment;
KeyGen for HappyTown's CrackMe_0022 -- serial = CAST-128(fixed key ripped from the target, SHA1(name)[0..7]), printed as 16 upper-case hex digits
感谢
一块三毛钱关于CAST-128算法的帖子
(http://bbs.pediy.com/showthread.php?threadid=7323)
和
狂编的sha1算法源码!
(http://www.aogosoft.com/downpage.asp?mode=downsource&id=120)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include comctl32.inc
include comdlg32.inc
include cast128.inc
include sha1.inc
includelib user32.lib
includelib kernel32.lib
includelib comctl32.lib
includelib comdlg32.lib
includelib cast128.lib
includelib sha1.lib
dlgproc proto :DWORD,:DWORD,:DWORD,:DWORD
.const
; Dialog/control IDs -- must match the keygen's own .rc (not shown here).
IDD_DLGKEYG equ 1000 ; main dialog resource
IDC_EDTNAME equ 1001 ; name input edit box
IDC_EDTKEY equ 1004 ; serial output edit box
IDC_BTNKEY equ 1005 ; "generate" button
IDC_BTNEXIT equ 1007 ; exit button
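.data
szName db 201 dup(0) ; user name: up to 200 chars + NUL, the same 201-byte limit the target passes to GetDlgItemText
szKey db 17 dup(0) ; "%08X%08X" output: exactly 16 hex chars + NUL
szFmt db "%08X%08X",0
; CAST-128 key ripped from the target. It is a constant in the binary and
; does not depend on the name, which is what makes this keygen possible.
rippedkey1 db 004h, 0B5h, 052h, 06Ch, 0DCh, 006h, 0C4h, 0DFh
db 087h, 0C2h, 0AAh, 075h, 0DEh, 007h, 004h, 008h
; SHA-1 digest of the name; cast_encrypt reads its first 8 bytes as the
; plaintext block. A SHA-1 digest is 20 bytes: the original 9-byte
; declaration would be overrun if SHA1_GetCode writes the raw digest
; (the spill landed in tmp and was masked only because tmp is rewritten
; by cast_encrypt afterwards -- TODO confirm the library's contract).
; Sized to hold a full digest; the test constant is overwritten on each run.
buf db 012h, 034h, 056h, 001h, 023h, 045h, 067h, 089h ;test constant
db 12 dup(0)
tmp db 17 dup(0) ; CAST-128 ciphertext block (8 bytes used)
mykey cast_key <> ; CAST-128 key schedule (type from cast128.inc)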
.data?
hInstance dd ? ; module handle, filled in at start
.code
start:
; Entry point: run the keygen dialog modally, then terminate.
invoke InitCommonControls ; comctl32 init for the dialog's controls
invoke GetModuleHandle,NULL
mov hInstance,eax
invoke DialogBoxParam,hInstance,IDD_DLGKEYG,NULL,addr dlgproc,0
invoke ExitProcess,NULL
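;-----------------------------------------------------------------------
; dlgproc(hWnd, wMsg, wParam, lParam) -- DialogProc for IDD_DLGKEYG
; Returns TRUE for the messages it handles, FALSE for everything else.
; Serial = CAST-128(rippedkey1, SHA1(name)[0..7]), each 4-byte half
; printed big-endian as %08X. The key is a constant ripped from the
; target, so the scheme offers no secrecy once the binary is in hand.
;-----------------------------------------------------------------------
dlgproc proc hWnd:DWORD,wMsg:DWORD,wParam:DWORD,lParam:DWORD
LOCAL dwLen:DWORD ; name length returned by GetDlgItemText
mov eax,wMsg
.if eax == WM_CLOSE
invoke EndDialog,hWnd,NULL
.elseif eax == WM_INITDIALOG
invoke InitCommonControls ; already done in start; harmless repeat
.elseif eax == WM_COMMAND
; Whole-dword compare: LOWORD must be the control ID and HIWORD (the
; notification code) must be 0 = BN_CLICKED, so only real clicks match.
mov eax,wParam
.if eax == IDC_BTNKEY
invoke GetDlgItemText,hWnd,IDC_EDTNAME,addr szName,sizeof szName
mov dwLen,eax ; keep the length in a local rather than trusting eax across the next invoke
; The target rejects names shorter than 4 chars (CMP EBP,EBX / JGE at
; 00401214 in the listing above, EBX = 4 per the annotation). Mirror that
; and blank the output instead of handing out a serial it would refuse.
.if eax < 4
mov byte ptr [szKey],0
.else
invoke SHA1_GetCode,addr szName,dwLen,addr buf ; buf <- SHA1(name); assumed to write the raw digest -- TODO confirm against sha1.inc
invoke cast_setkey, addr mykey, addr rippedkey1, 16 ; 128-bit key schedule
invoke cast_encrypt, addr mykey, addr buf, addr tmp ; tmp <- E_k(first 8 bytes of the digest)
; The serial is the ciphertext in byte order, but a dword load is
; little-endian, so byte-swap each half in a register (.386: no BSWAP).
; Unlike the original in-place swap this leaves tmp untouched.
mov eax,dword ptr [tmp]
xchg al,ah
rol eax,16
xchg al,ah ; eax = tmp[0]<<24 | tmp[1]<<16 | tmp[2]<<8 | tmp[3]
mov edx,dword ptr [tmp+4]
xchg dl,dh
rol edx,16
xchg dl,dh ; edx = tmp[4..7] in the same order
invoke wsprintf,addr szKey,addr szFmt,eax,edx ; 16 hex chars + NUL fills szKey exactly
.endif
invoke SetDlgItemText,hWnd,IDC_EDTKEY,addr szKey
.elseif eax == IDC_BTNEXIT
invoke EndDialog,hWnd,NULL
.endif
.else
mov eax,FALSE
ret
.endif
mov eax,TRUE
ret
dlgproc endp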
end start
PS:哪些是纯高级语言??