这个我估计是最适合新手的任务,我顺带做了一些逆向分析(高手不要笑哦)
; ---------------------------------------------------------------------------
; Entry point 00401000 - anti-debugging trap (OllyDbg listing, not assemblable).
; The CALL at 00401000 jumps over 00401005-00401027 to 00401029, which links an
; SEH record whose handler is 00401060, then does PUSHFD / XOR [ESP],154 / POPFD.
; 154h has bit 8 (TF, the trap flag) set, so the CPU raises a single-step
; exception right after the next instruction (PUSH 30):
;   - not debugged: the exception is delivered to the SEH handler 00401060
;     (see that routine), so the MessageBoxA/ExitProcess below never runs;
;   - under a debugger the single-step is typically consumed by the debugger and
;     execution falls through to "What the hell ... debugger?" and ExitProcess
;     (the author observed exactly that under OllyDbg).
; 00401005-00401027 is not reached by the visible flow.  It looks like an
; exception-handler body editing a CONTEXT record through ECX = [ESP+C]
; (10017h = CONTEXT_CONTROL|INTEGER|SEGMENTS|DEBUG_REGISTERS, +14h/+18h are the
; Dr6/Dr7 slots, +B8h is Eip) - how it is invoked is not visible here; the
; instruction at 00401021 may be a mis-disassembled byte sequence.
; ---------------------------------------------------------------------------
00401000 >/$ E8 24000000 CALL crackme2.00401029 ; skip 00401005-00401027; pushes 00401005 as a return address
00401005 |. 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C] ; ECX = 3rd stack arg (CONTEXT* if this is an SEH handler - unconfirmed)
00401009 |. C701 17000100 MOV DWORD PTR DS:[ECX],10017 ; [ECX+0] = 10017h (CONTEXT.ContextFlags incl. DEBUG_REGISTERS)
0040100F |. C781 B8000000>MOV DWORD PTR DS:[ECX+B8],0 ; [ECX+B8] (CONTEXT.Eip slot); immediate bytes truncated in the capture
00401019 |. 31C0 XOR EAX,EAX
0040101B |. 8941 14 MOV DWORD PTR DS:[ECX+14],EAX ; [ECX+14] = 0 (CONTEXT.Dr6 slot)
0040101E |. 8941 18 MOV DWORD PTR DS:[ECX+18],EAX ; [ECX+18] = 0 (CONTEXT.Dr7 slot) - would disable hardware breakpoints
00401021 |. 806A 00 E8 SUB BYTE PTR DS:[EDX],0E8 ; EDX is undefined here; likely mis-disassembled bytes, not a real instruction
00401025 |. 33C0 XOR EAX,EAX
00401027 |. 33DB XOR EBX,EBX
00401029 |$ 68 60104000 PUSH crackme2.00401060 ; install SEH handler 00401060 (EXCEPTION_REGISTRATION.handler)
0040102E |. 64:FF35 00000>PUSH DWORD PTR FS:[0] ; EXCEPTION_REGISTRATION.prev = current SEH head
00401035 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP ; link the new record in
0040103C |. 9C PUSHFD ; EFLAGS -> stack
0040103D |. 813424 540100>XOR DWORD PTR SS:[ESP],154 ; flip bits 2,4,6,8 of EFLAGS; bit 8 is TF (trap flag)
00401044 |. 9D POPFD ; TF now set -> single-step exception after the next instruction
00401045 6A 30 PUSH 30 ; /Style = MB_OK|MB_ICONEXCLAMATION (reached only when no exception was taken)
00401047 |. 68 00604000 PUSH crackme2.00406000 ; |Title = "crackme2"
0040104C |. 68 7A604000 PUSH crackme2.0040607A ; |Text = "What the hell are you doing in my app with a debugger?"
00401051 |. 6A 00 PUSH 0 ; |hOwner = NULL
00401053 |. E8 9C030000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA - debugger-detected message
00401058 6A 00 PUSH 0 ; /ExitCode = 0; author's patch: change this to JMP 00401060 so a debugged run continues at the handler
0040105A E8 A7030000 CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess - does not return
0040105F . C3 RETN ; unreachable
程序的入口点在00401000,如果直接用OD下断点调试,程序会直接退出。所以我改了一下代码(把00401058处的PUSH 0改成JMP 00401060)。让我们来到00401060。
; ---------------------------------------------------------------------------
; 00401060 - the SEH handler installed at 00401029; the undebugged run arrives
; here via the single-step exception.  It drops two stack slots, then runs the
; main dialog (procedure 00401095) and exits with the dialog's return value.
; Note: this path never returns to the exception dispatcher - the process ends
; in ExitProcess, so the SEH record left by 00401029 is never unlinked normally.
; ---------------------------------------------------------------------------
00401060 /$ 64:8F05 00000>POP DWORD PTR FS:[0] ; structured exception handler entry: top of stack -> SEH head
00401067 |. 83C4 04 ADD ESP,4 ; discard one more stack slot
0040106A |. 6A 00 PUSH 0 ; /pModule = NULL
0040106C |. E8 A1030000 CALL <JMP.&kernel32.GetModuleHandleA> ; \GetModuleHandleA - own image base
00401071 |. A3 35604000 MOV DWORD PTR DS:[406035],EAX ; [406035] = hInstance
00401076 |. 6A 00 PUSH 0 ; /lParam = NULL
00401078 >|. 68 95104000 PUSH crackme2.00401095 ; |lpDialogFunc = dialog procedure entry (00401095)
0040107D |. 6A 00 PUSH 0 ; |hOwner = NULL
0040107F |. 68 00604000 PUSH crackme2.00406000 ; |pTemplate = "crackme2" (dialog resource name)
00401084 |. FF35 35604000 PUSH DWORD PTR DS:[406035] ; |hInst = [406035] (OllyDbg displayed NULL at capture time)
0040108A |. E8 4D030000 CALL <JMP.&user32.DialogBoxParamA> ; \DialogBoxParamA - modal; returns the EndDialog result
0040108F |. 50 PUSH EAX ; /ExitCode = dialog result
00401090 \. E8 71030000 CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess
接下来来到对话框过程的入口地址00401095。
; ---------------------------------------------------------------------------
; 00401095 - dialog procedure (stdcall, 4 args, RETN 10):
;   hWnd = [EBP+8], msg = [EBP+C], wParam = [EBP+10], lParam = [EBP+14]
; msg 110 (WM_INITDIALOG) -> CALL 00401129 (not in this listing)
; msg 111 (WM_COMMAND)    -> wParam 0F: About box, 14: Exit, 0A: serial check
; msg 10  (WM_CLOSE)      -> fade out and EndDialog
; All paths return EAX = 0 via 00401123.  The WM_COMMAND tests compare the whole
; wParam dword, so only a zero HIWORD (notification code) matches.
; ---------------------------------------------------------------------------
00401095 /. 55 PUSH EBP
00401096 |. 8BEC MOV EBP,ESP
00401098 |. 817D 0C 10010>CMP DWORD PTR SS:[EBP+C],110 ; if msg == WM_INITDIALOG (110h)
0040109F |. 75 07 JNZ SHORT crackme2.004010A8
004010A1 |. E8 83000000 CALL crackme2.00401129 ; dialog initialisation (body not shown)
004010A6 |. EB 7B JMP SHORT crackme2.00401123
004010A8 |> 817D 0C 11010>CMP DWORD PTR SS:[EBP+C],111 ; if msg == WM_COMMAND (111h)
004010AF |. 75 50 JNZ SHORT crackme2.00401101
004010B1 |. 837D 10 0F CMP DWORD PTR SS:[EBP+10],0F ; if wParam == 0F: About button
004010B5 |. 75 16 JNZ SHORT crackme2.004010CD
004010B7 |. 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004010B9 |. 68 09604000 PUSH crackme2.00406009 ; |Title = "About"
004010BE |. 68 0F604000 PUSH crackme2.0040600F ; |Text = "muckis crackme #2
coded 2006 by mucki"
004010C3 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner = hWnd
004010C6 |. E8 29030000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004010CB |. EB 56 JMP SHORT crackme2.00401123
004010CD |> 837D 10 14 CMP DWORD PTR SS:[EBP+10],14 ; if wParam == 14: Exit button
004010D1 |. 75 1E JNZ SHORT crackme2.004010F1
004010D3 |. 68 00000900 PUSH 90000 ; /dwFlags = 90000h (AW_HIDE|AW_BLEND)
004010D8 68 E8030000 PUSH 3E8 ; |dwTime = 1000 ms
004010DD |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004010E0 |. E8 F1020000 CALL <JMP.&user32.AnimateWindow> ; \AnimateWindow - fade the dialog out
004010E5 |. 6A 00 PUSH 0 ; /Result = 0
004010E7 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004010EA |. E8 F3020000 CALL <JMP.&user32.EndDialog> ; \EndDialog
004010EF |. EB 32 JMP SHORT crackme2.00401123
004010F1 |> 837D 10 0A CMP DWORD PTR SS:[EBP+10],0A ; if wParam == 0A: Check button (the key path)
004010F5 |. 75 2C JNZ SHORT crackme2.00401123
004010F7 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; hWnd
004010FA |. E8 BC000000 CALL crackme2.004011BB ; serial check routine (see 004011BB)
004010FF |. EB 22 JMP SHORT crackme2.00401123
00401101 |> 837D 0C 10 CMP DWORD PTR SS:[EBP+C],10 ; if msg == WM_CLOSE (10h)
00401105 |. 75 1C JNZ SHORT crackme2.00401123
00401107 |. 68 00000900 PUSH 90000 ; /dwFlags = 90000h (AW_HIDE|AW_BLEND)
0040110C |. 68 E8030000 PUSH 3E8 ; |dwTime = 1000 ms
00401111 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401114 |. E8 BD020000 CALL <JMP.&user32.AnimateWindow> ; \AnimateWindow
00401119 |. 6A 00 PUSH 0 ; /Result = 0
0040111B |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040111E |. E8 BF020000 CALL <JMP.&user32.EndDialog> ; \EndDialog
00401123 |> 33C0 XOR EAX,EAX ; common exit: return 0 for every message
00401125 |. C9 LEAVE
00401126 \. C2 1000 RETN 10 ; pop the four stdcall arguments
接下来跟踪004011BB。
; ---------------------------------------------------------------------------
; 004011BB - serial check, called from the dialog procedure with hWnd = [EBP+8].
; Buffers: 406284 = NAME (control 1, up to 32h bytes), 4062B6 = serial computed
; from NAME ("CM2-%lX-%lX"), 4060BA = serial typed by the user (control 2).
; Steps:
;   1. read NAME; if empty, write "nameless" into control 1 and read again
;   2. EDX = PEB.BeingDebugged (FS:[18] -> TEB, +30 -> PEB, +2 -> BeingDebugged)
;   3. hash NAME: ECX = 0; per byte c (sign-extended):
;        EAX = ((c << 4) ^ (c >> 5) + 26h) ^ ECX ; ECX += EAX
;      the loop also does ESI -= EDX, so EDX must be 0 for ESI to advance
;   4. EAX = (0C0DEF - ECX)^2 (low 32 bits); serial = "CM2-%lX-%lX" of ECX, EAX
;   5. lstrcmpA against the typed serial -> "Valid serial" / "Wrong serial"
; The listing stops at 0040127C; the epilogue at 00401281 is not shown.
; ---------------------------------------------------------------------------
004011BB /$ 55 PUSH EBP
004011BC |. 8BEC MOV EBP,ESP
004011BE |. 57 PUSH EDI
004011BF |. 56 PUSH ESI
004011C0 |. 53 PUSH EBX
004011C1 |> 6A 32 /PUSH 32 ; /Count = 32 (50.) - size of the NAME buffer at 406284
004011C3 |. 68 84624000 |PUSH crackme2.00406284 ; |Buffer = crackme2.00406284 (NAME)
004011C8 |. 6A 01 |PUSH 1 ; |ControlID = 1 (name edit box)
004011CA |. FF75 08 |PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004011CD |. E8 16020000 |CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA -> EAX = chars copied
004011D2 |. 64:8B15 18000>|MOV EDX,DWORD PTR FS:[18] ; EDX = TEB
004011D9 |. 8B52 30 |MOV EDX,DWORD PTR DS:[EDX+30] ; EDX = PEB
004011DC |. 0FB652 02 |MOVZX EDX,BYTE PTR DS:[EDX+2] ; EDX = PEB.BeingDebugged: nonzero when a debugger is attached; 0 in this trace
004011E0 |. 83F8 00 |CMP EAX,0 ; EAX = length read; 0 means NAME is empty
004011E3 |. 7F 11 |JG SHORT crackme2.004011F6 ; signed compare: length > 0 -> go hash it
004011E5 |. 68 B1604000 |PUSH crackme2.004060B1 ; /Text = "nameless" - default NAME when the field is empty
004011EA |. 6A 01 |PUSH 1 ; |ControlID = 1
004011EC |. FF75 08 |PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004011EF |. E8 0C020000 |CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
004011F4 |.^ EB CB \JMP SHORT crackme2.004011C1 ; re-read control 1 (now "nameless")
004011F6 |> 8D35 84624000 LEA ESI,DWORD PTR DS:[406284] ; ESI -> current NAME byte
004011FC |. 33C9 XOR ECX,ECX ; ECX = running hash
004011FE |> 0FBE06 /MOVSX EAX,BYTE PTR DS:[ESI] ; EAX = c (sign-extended; bytes >= 80h become negative)
00401201 |. 8BD8 |MOV EBX,EAX
00401203 |. 2BF2 |SUB ESI,EDX ; ESI -= BeingDebugged: no-op when 0; if 1 the INC below is cancelled, ESI never advances and the loop cannot reach the NUL
00401205 |. C1E0 04 |SHL EAX,4 ; c << 4
00401208 |. C1EB 05 |SHR EBX,5 ; c >> 5 (logical shift of the sign-extended value)
0040120B |. 33C3 |XOR EAX,EBX
0040120D |. 83C0 26 |ADD EAX,26
00401210 |. 33C1 |XOR EAX,ECX
00401212 |. 03C8 |ADD ECX,EAX ; hash += step
00401214 |. 46 |INC ESI
00401215 |. 803E 00 |CMP BYTE PTR DS:[ESI],0
00401218 |.^ 75 E4 \JNZ SHORT crackme2.004011FE ; loop over the NAME bytes until the NUL; result stays in ECX
0040121A |. B8 EF0D0C00 MOV EAX,0C0DEF
0040121F |. 2BC1 SUB EAX,ECX ; EAX = 0C0DEF - hash
00401221 |. 0FAFC0 IMUL EAX,EAX ; EAX = EAX*EAX = (0C0DEF - hash)^2, low 32 bits - not 0C0DEF*(0C0DEF-ECX)
00401224 |. 50 PUSH EAX ; /<%lX> second value
00401225 |. 51 PUSH ECX ; |<%lX> first value = hash
00401226 |. 68 E1604000 PUSH crackme2.004060E1 ; |Format = "CM2-%lX-%lX"
0040122B |. 68 B6624000 PUSH crackme2.004062B6 ; |Buffer = 4062B6 receives the serial computed from NAME
00401230 |. E8 9B010000 CALL <JMP.&user32.wsprintfA> ; \wsprintfA
00401235 |. 6A 4B PUSH 4B ; /Count = 4B (75.)
00401237 |. 68 BA604000 PUSH crackme2.004060BA ; |Buffer = crackme2.004060BA receives the typed serial
0040123C |. 6A 02 PUSH 2 ; |ControlID = 2 (serial edit box)
0040123E |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401241 |. E8 A2010000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00401246 |. 68 BA604000 PUSH crackme2.004060BA ; /String2 = typed serial (read from control 2 above)
0040124B |. 68 B6624000 PUSH crackme2.004062B6 ; |String1 = computed serial (wsprintfA output)
00401250 |. E8 DB010000 CALL <JMP.&kernel32.lstrcmpA> ; \lstrcmpA
00401255 |. 75 16 JNZ SHORT crackme2.0040126D ; equal -> valid, otherwise -> wrong
00401257 |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401259 |. 68 00604000 PUSH crackme2.00406000 ; |Title = "crackme2"
0040125E |. 68 3D604000 PUSH crackme2.0040603D ; |Text = "Valid serial - now write a keygen!"
00401263 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00401266 |. E8 89010000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0040126B |. EB 14 JMP SHORT crackme2.00401281 ; to the epilogue (not in this listing)
0040126D |> 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0040126F |. 68 00604000 PUSH crackme2.00406000 ; |Title = "crackme2"
00401274 |. 68 60604000 PUSH crackme2.00406060 ; |Text = "Wrong serial - try again!"
00401279 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
0040127C |. E8 73010000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
用汇编写了一个相应的注册机,代码如下:
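.386
.Model Flat, StdCall
Option Casemap :None
Include windows.inc
Include user32.inc
Include kernel32.inc
IncludeLib user32.lib
IncludeLib kernel32.lib

; Resource / control IDs - must match the RC file.
IDD_DIALOG equ 101
IDC_EDIT1 equ 1000                      ; name input
IDC_EDIT2 equ 1001                      ; serial output (read-only)
IDC_STATIC equ -1

; Buffer sizes.
; The target reads the name with GetDlgItemTextA(..., Count = 32h), so 50 bytes
; keeps the keygen in step with it (the old 20-byte buffer cut names at 19 chars).
; "CM2-%lX-%lX" expands to at most 4 + 8 + 1 + 8 characters plus the NUL =
; 22 bytes; the old 20-byte serial buffer could be overrun by wsprintf when
; both values need 8 hex digits.
NAME_BUF_SIZE equ 50
SERIAL_BUF_SIZE equ 32

.CONST
szName db "Name不能为空",0                ; shown (as text and title) when the name field is empty
format db "CM2-%lX-%lX",0                 ; serial layout: CM2-<hash>-<(0C0DEFh-hash)^2>
.DATA?
hInstance dd ?
username db NAME_BUF_SIZE dup (?)         ; name read from IDC_EDIT1
xuliehao db SERIAL_BUF_SIZE dup (?)       ; generated serial written to IDC_EDIT2
.CODE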
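;-----------------------------------------------------------------------
; INT_PTR _ProcDlgMain(HWND hWnd, UINT wMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure of the keygen window (stdcall; ebx/edi/esi preserved).
;   WM_CLOSE          -> EndDialog
;   WM_COMMAND, IDOK  -> read the name from IDC_EDIT1, compute the serial,
;                        write it to IDC_EDIT2.  An empty name only shows
;                        szName and leaves IDC_EDIT2 untouched (the previous
;                        version fell through and hashed the empty buffer).
; Returns TRUE for WM_CLOSE / WM_COMMAND, FALSE for every other message.
; Serial algorithm, mirroring crackme2 004011FE-00401221:
;   ecx = 0
;   do { c = (signed) name[i]; eax = ((c << 4) ^ (c >> 5) + 26h) ^ ecx;
;        ecx += eax; i++ } while (name[i] != 0)
;   serial = "CM2-%lX-%lX" with ecx and (0C0DEFh - ecx)^2 (low 32 bits)
; Requires: xuliehao holds at least 22 bytes ("CM2-" + 8 + "-" + 8 + NUL).
;-----------------------------------------------------------------------
_ProcDlgMain proc uses ebx edi esi hWnd,wMsg,wParam,lParam
    mov eax,wMsg
    .if eax == WM_CLOSE
        invoke EndDialog,hWnd,NULL
    .elseif eax == WM_COMMAND
        mov eax,wParam
        .if ax == IDOK                      ; low word = control ID
            invoke GetDlgItemText,hWnd,IDC_EDIT1,addr username,sizeof username
            .if eax == 0
                ; nothing typed: report it and do not generate a serial
                invoke MessageBox,hWnd,addr szName,addr szName,NULL
            .else
                mov esi,offset username     ; esi -> current name byte
                xor ecx,ecx                 ; ecx = running hash
                .repeat
                    movsx eax,BYTE ptr [esi]    ; c, sign-extended exactly like the target's MOVSX
                    mov ebx,eax
                    shl eax,4h                  ; c << 4
                    shr ebx,5h                  ; c >> 5 (logical shift of the sign-extended value)
                    xor eax,ebx
                    add eax,26h
                    xor eax,ecx
                    add ecx,eax                 ; hash += step
                    inc esi
                .until BYTE ptr [esi] == 0      ; do-while: the first byte is always processed
                mov eax,0c0defh
                sub eax,ecx                 ; eax = 0C0DEFh - hash
                imul eax,eax                ; eax = (0C0DEFh - hash)^2, low 32 bits
                invoke wsprintf,addr xuliehao,addr format,ecx,eax
                invoke SetDlgItemText,hWnd,IDC_EDIT2,addr xuliehao
            .endif
        .endif
    .else
        mov eax,FALSE
        ret
    .endif
    mov eax,TRUE
    ret
_ProcDlgMain endp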
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Program entry: run the keygen dialog modally, then terminate.
start:
invoke GetModuleHandle,NULL             ; hInstance of this image
mov hInstance,eax
invoke DialogBoxParam,hInstance,IDD_DIALOG,NULL,offset _ProcDlgMain,NULL ; returns when _ProcDlgMain calls EndDialog
invoke ExitProcess,NULL                 ; exit code is always 0; the dialog result is not propagated
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start
RC文件代码:
// Resource script for the keygen dialog.  The IDs must agree with the equ
// values in the MASM source (IDD_DIALOG = 101, IDC_EDIT1 = 1000, IDC_EDIT2 = 1001).
#include <resource.h>
#define IDD_DIALOG 101
#define IDC_EDIT1 1000
#define IDC_EDIT2 1001
#define IDC_STATIC -1
// Main dialog: name input, read-only serial output and one default button
// whose IDOK command is handled by _ProcDlgMain under WM_COMMAND.
IDD_DIALOG DIALOG DISCARDABLE 0, 0, 187, 94
STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "注册机"
FONT 10, "System"
BEGIN
DEFPUSHBUTTON "确定",IDOK,67,61,50,14                          // generate serial
LTEXT "用户名",IDC_STATIC,22,18,39,15
LTEXT "序列号",IDC_STATIC,22,43,34,11
EDITTEXT IDC_EDIT1,62,17,102,12,ES_AUTOHSCROLL                // name (read with GetDlgItemText)
EDITTEXT IDC_EDIT2,62,42,102,12,ES_AUTOHSCROLL | ES_READONLY  // generated serial (set with SetDlgItemText)
END