【文章标题】: HappyTown的第24个CrackMe分析
【文章作者】: HorstStein
【作者邮箱】: horststein@hotmail.com
【软件名称】: HappyTown's CrackMe_0024
【下载地址】: http://bbs.pediy.com/showthread.php?s=&threadid=33208
【保护方式】: 序列号
【使用工具】: OD(OllyDbg),IDA
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
用IDA识别出程序静态链接的 MIRACL 大数库函数,导出 map 文件后载入 OD,这样下面的反汇编中就能直接看到 mirsys、_cinstr、_powmod、_shs_process 等符号名,而不必自己分析大数运算。
输入
Name:HorstStein
Serial:12345678
004011BA |.>push 0 ; 0
004011BC |.>push 64 ; 0x64
004011BE |.>stos byte ptr es:[edi]
004011BF |.>call <mirsys>
004011C4 |.>mov esi, [esp+57C]
004011CB |.>mov ebx, [<&USER32.GetDlgItemTex>; USER32.GetDlgItemTextA
004011D1 |.>add esp, 8
004011D4 |.>mov ebp, eax
004011D6 |.>lea eax, [esp+278]
004011DD |.>push 0C9 ; /Count = C9 (201.)
004011E2 |.>push eax ; |Buffer
004011E3 |.>push 3E8 ; |ControlID = 3E8 (1000.)
004011E8 |.>push esi ; |hWnd
004011E9 |.>call ebx ; \GetDlgItemTextA
004011EB |.>lea edi, [esp+278]
004011F2 |.>or ecx, FFFFFFFF
004011F5 |.>xor eax, eax
004011F7 |.>repne scas byte ptr es:[edi]
004011F9 |.>not ecx
004011FB |.>dec ecx
004011FC |.>je 004014B0
00401202 |.>lea ecx, [esp+20]
00401206 |.>push 0C9 ; /Count = C9 (201.)
0040120B |.>push ecx ; |Buffer
0040120C |.>push 3E9 ; |ControlID = 3E9 (1001.)
00401211 |.>push esi ; |hWnd
00401212 |.>call ebx ; \GetDlgItemTextA
00401214 |.>lea edi, [esp+20] ; sn
00401218 |.>or ecx, FFFFFFFF
0040121B |.>xor eax, eax
0040121D |.>repne scas byte ptr es:[edi]
0040121F |.>not ecx
00401221 |.>dec ecx
00401222 |.>je 004014B0
00401228 |.>mov al, [esp+20]
0040122C |.>test al, al
0040122E |.>je short 00401271
00401230 |.>lea esi, [esp+20] ; sn
00401234 |>>/cmp dword ptr [40DF60], 1
0040123B |.>|jle short 00401250
0040123D |.>|movsx edx, byte ptr [esi]
00401240 |.>|push 80
00401245 |.>|push edx
00401246 |.>|call <__isctype>
0040124B |.>|add esp, 8
0040124E |.>|jmp short 00401261
00401250 |>>|movsx eax, byte ptr [esi]
00401253 |.>|mov ecx, [40DD54] ; CrackMe_.0040DD5E
00401259 |.>|mov al, [ecx+eax*2]
0040125C |.>|and eax, 80
00401261 |>>|test eax, eax
00401263 |.>|je 004014B0
00401269 |.>|mov al, [esi+1]
0040126C |.>|inc esi
0040126D |.>|test al, al
0040126F |.>\jnz short 00401234
00401271 |>>lea edi, [esp+20] ; sn
00401275 |.>or ecx, FFFFFFFF
00401278 |.>xor eax, eax
0040127A |.>xor esi, esi
0040127C |.>repne scas byte ptr es:[edi]
0040127E |.>not ecx
00401280 |.>dec ecx
00401281 |.>test ecx, FFFFFFFE
00401287 |.>jbe short 004012D7
00401289 |.>lea edx, [esp+21]
0040128D |>>/mov al, [edx]
0040128F |.>|cmp al, 30
00401291 |.>|jl short 0040129B
00401293 |.>|cmp al, 39
00401295 |.>|jg short 0040129B
00401297 |.>|sub al, 30
00401299 |.>|jmp short 0040129D
0040129B |>>|sub al, 37
0040129D |>>|mov [edx], al
0040129F |.>|mov al, [edx-1]
004012A2 |.>|cmp al, 30
004012A4 |.>|jl short 004012AF
004012A6 |.>|cmp al, 39
004012A8 |.>|jg short 004012AF
004012AA |.>|shl al, 4
004012AD |.>|jmp short 004012B4
004012AF |>>|sub al, 7
004012B1 |.>|shl al, 4
004012B4 |>>|mov cl, [edx]
004012B6 |.>|lea edi, [esp+20]
004012BA |.>|or al, cl
004012BC |.>|or ecx, FFFFFFFF
004012BF |.>|mov [esp+esi+E8], al
004012C6 |.>|xor eax, eax
004012C8 |.>|inc esi
004012C9 |.>|add edx, 2
004012CC |.>|repne scas byte ptr es:[edi]
004012CE |.>|not ecx
004012D0 |.>|dec ecx
004012D1 |.>|shr ecx, 1
004012D3 |.>|cmp esi, ecx
004012D5 |.>\jb short 0040128D
004012D7 |>>lea edx, [esp+408]
004012DE |.>push edx
004012DF |.>call <_shs_init>
004012E4 |.>mov al, [esp+27C]
004012EB |.>add esp, 4
004012EE |.>test al, al
004012F0 |.>je short 00401315
004012F2 |.>lea esi, [esp+278]
004012F9 |>>/movsx eax, al
004012FC |.>|lea ecx, [esp+408]
00401303 |.>|push eax
00401304 |.>|push ecx
00401305 |.>|call <_shs_process>
0040130A |.>|mov al, [esi+1]
0040130D |.>|add esp, 8
00401310 |.>|inc esi
00401311 |.>|test al, al
00401313 |.>\jnz short 004012F9
00401315 |>>lea edx, [esp+340]
0040131C |.>lea eax, [esp+408]
00401323 |.>push edx ; SHA1(HorstStein)=8F927A189F52618CE1F60D4CAEE250B8CCE120FD
00401324 |.>push eax
00401325 |.>call <_shs_hash>
0040132A |.>mov cx, [esp+348] ; //928F SHA1(name)的前3个字节
00401332 |.>mov dl, [esp+34A] ; \\7A
00401339 |.>mov [esp+1B8], cx ; 928F
00401341 |.>mov [esp+1BA], dl ; 7A
00401348 |.>push 0
0040134A |.>mov dword ptr [ebp+234], 10 ; mip->IOBASE=16
00401354 |.>call <_mirvar>
00401359 |.>push 0
0040135B |.>mov esi, eax
0040135D |.>call <_mirvar>
00401362 |.>mov edi, eax
00401364 |.>push 0
00401366 |.>mov [esp+28], edi
0040136A |.>call <_mirvar>
0040136F |.>push 0
00401371 |.>mov ebx, eax
00401373 |.>call <_mirvar>
00401378 |.>push 0
0040137A |.>mov ebp, eax
0040137C |.>call <_mirvar>
00401381 |.>push 0
00401383 |.>mov [esp+3C], eax
00401387 |.>call <_mirvar>
0040138C |.>push 0
0040138E |.>mov [esp+34], eax
00401392 |.>call <_mirvar>
00401397 |.>push 0040D0E8 ; ASCII "A1F0B10F"
0040139C |.>push esi ; q
0040139D |.>mov [esp+44], eax
004013A1 |.>call <_cinstr>
004013A6 |.>push 0040D0E0 ; ASCII "10001"
004013AB |.>push edi ; g
004013AC |.>call <_cinstr>
004013B1 |.>mov eax, [esp+4C]
004013B5 |.>push 0040D0D4 ; ASCII "7597A504"
004013BA |.>push eax ; K
004013BB |.>call <_cinstr>
004013C0 |.>lea ecx, [esp+1EC]
004013C7 |.>push ebx
004013C8 |.>push ecx
004013C9 |.>push 3
004013CB |.>call <bytes_to_big> ; Xa = SHA1(name)前3个字节
004013D0 |.>lea edi, [esp+130]
004013D7 |.>or ecx, FFFFFFFF
004013DA |.>xor eax, eax
004013DC |.>add esp, 48
004013DF |.>repne scas byte ptr es:[edi]
004013E1 |.>not ecx
004013E3 |.>lea edx, [esp+E8]
004013EA |.>push ebp
004013EB |.>dec ecx
004013EC |.>push edx
004013ED |.>push ecx
004013EE |.>call <bytes_to_big> ; 把sn转换为大数
004013F3 |.>push esi
004013F4 |.>push ebp
004013F5 |.>call <_compare> ; sn < q
004013FA |.>add esp, 14
004013FD |.>cmp eax, -1
00401400 |.>jnz 004014B0
00401406 |.>mov edi, [esp+1C]
0040140A |.>mov eax, [esp+14]
0040140E |.>push edi ; Ya
0040140F |.>push esi ; q
00401410 |.>push ebx ; Xa
00401411 |.>push eax ; g
00401412 |.>call <_powmod> ; Ya= g ^ Xa mod q = 0DC24E5D
00401417 |.>mov ecx, [esp+20]
0040141B |.>push ecx ; Yb
0040141C |.>push esi ; q
0040141D |.>push ebp ; sn
0040141E |.>push edi ; Ya
0040141F |.>call <_powmod> ; Yb= Ya ^ sn mod q = 8D2CD50D
00401424 |.>mov ecx, 32
00401429 |.>xor eax, eax
0040142B |.>mov edi, ebx
0040142D |.>push eax
0040142E |.>rep stos dword ptr es:[edi]
00401430 |.>mov ecx, 32
00401435 |.>mov edi, ebp
00401437 |.>rep stos dword ptr es:[edi]
00401439 |.>mov eax, [esp+3C]
0040143D |.>lea edx, [esp+1D4]
00401444 |.>push edx
00401445 |.>push eax
00401446 |.>push 0
00401448 |.>call <_big_to_bytes> ; 把k转换为字节串
0040144D |.>mov edx, [esp+40]
00401451 |.>lea ecx, [esp+118]
00401458 |.>push 0
0040145A |.>push ecx
0040145B |.>push edx
0040145C |.>push 0
0040145E |.>call <_big_to_bytes> ; 把Yb转换为字节串
00401463 |.>add esp, 40
00401466 |.>push esi
00401467 |.>call <_mirkill>
0040146C |.>mov eax, [esp+18]
00401470 |.>push eax
00401471 |.>call <_mirkill>
00401476 |.>push ebx
00401477 |.>call <_mirkill>
0040147C |.>push ebp
0040147D |.>call <_mirkill>
00401482 |.>add esp, 10
00401485 |.>call <mirexit>
0040148A |.>lea ecx, [esp+E8]
00401491 |.>lea edx, [esp+1B0]
00401498 |.>push ecx ; /Yb:8D2CD50D
00401499 |.>push edx ; |K:7597A504
0040149A |.>call [<&KERNEL32.lstrcmpA>] ; \比较Yb和K是否相等
由上面的调用序列可见,HappyTown 使用了 SHA-1 和 Diffie-Hellman 风格的模幂运算,参数 q="A1F0B10F"、g="10001"、K="7597A504" 以十六进制字符串形式硬编码在程序中(mip->IOBASE 被设为 16)。验证注册码的过程是:
(1) Xa = SHA1(name) 的前 3 个字节(只用到 24 比特)
(2) Ya = g^Xa (mod q)
(3) Yb = Ya^sn (mod q),其中 sn 是把注册码当作十六进制字符串解析得到的大数,并且要求 sn < q(_compare 返回 -1 才继续,否则直接跳到失败分支 004014B0)
(4) 把 Yb 和常数 K 分别用 big_to_bytes 转成字节串后用 lstrcmpA 比较,相等即注册成功
要求出 sn,需要解 K = Ya^sn (mod q) 这个离散对数问题。不过要注意这里的模数 q = 0xA1F0B10F 只有 32 比特,sn 又被限制在 [0, q) 之内,所以这个离散对数实际上很容易:直接枚举 sn 最多只需 2^32 次模乘,用大步小步(BSGS)或 Pohlig–Hellman 算法则只需约 2^16 量级的运算,在普通 PC 上都能很快算出(以上按 q 为素数假设,listing 中并未验证 q 的性质)。换言之,这个 CrackMe 里的 DH 只是教学用的缩小版,真正的 DH 参数长度至少要 2048 比特才谈得上安全。
注册机就不做了。
给出一组可用的注册码:
Name:HorstStein
Serial:0568FEEC (程序按每两个十六进制字符解析一个字节,长度为奇数时最后一个字符会被丢掉,所以前面补了个 0;另外 0x0A–0x0F 的转换只是减 0x37,因此字母必须用大写 A–F,小写字母虽然能通过前面的字符检查,但会被错误转换)
--------------------------------------------------------------------------------
【经验总结】
考察Diffie-Hellman交换协议算法的CrackMe不常见,这个不错,感谢HappyTown的辛勤劳动。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年10月18日 10:36:47