【破文作者】 HBQJXHW
【文章题目】 skilLa's keyGenMe#4算法分析
【破解工具】 OD
【破解平台】 WINDOWSXP SP2
----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
【破解过程】
用OD载入很容易就可找到如下特征:
00401043 . /0F85 C8000000 JNZ skilLa's.00401111
00401049 . |6A 14 PUSH 14 ; /Count = 14 (20.)
0040104B . |68 89304000 PUSH skilLa's.00403089 ; |aaaa
00401050 . |68 EA030000 PUSH 3EA ; |ControlID = 3EA (1002.)
00401055 . |FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401058 . |E8 C3010000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
0040105D . |85C0 TEST EAX,EAX
0040105F . |0F84 F0000000 JE skilLa's.00401155 ; 判断是否输入Name,没有输入则OVER
00401065 . |8D35 AC304000 LEA ESI,DWORD PTR DS:[4030AC] 这个地址非常重要4030AC
0040106B . |E8 EB000000 CALL skilLa's.0040115B ; 根据用户名算出一个数(重要CALL)
00401070 . |6A 09 PUSH 9 ; /Count = 9
00401072 . |68 8E304000 PUSH skilLa's.0040308E ; |Buffer = skilLa's.0040308E
00401077 . |68 EB030000 PUSH 3EB ; |ControlID = 3EB (1003.)
0040107C . |FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040107F . |E8 9C010000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00401084 . |85C0 TEST EAX,EAX
00401086 . |0F84 C9000000 JE skilLa's.00401155 ; 判断是否输入Serial,没有输入则OVER
0040108C . |33C9 XOR ECX,ECX
0040108E . |8D35 97304000 LEA ESI,DWORD PTR DS:[403097]
下面这段代码是让Serial按高位高地址,低位低地址存放。
00401094 . |BB 10000000 MOV EBX,10 ;
00401099 > |0FBE81 8E3040>MOVSX EAX,BYTE PTR DS:[ECX+40308E]
004010A0 . |3C 00 CMP AL,0 ; Switch (cases 0..3F)
004010A2 . |74 28 JE SHORT skilLa's.004010CC
004010A4 . |3C 40 CMP AL,40
004010A6 . |72 04 JB SHORT skilLa's.004010AC
004010A8 . |2C 37 SUB AL,37
004010AA . |EB 02 JMP SHORT skilLa's.004010AE
004010AC > |2C 30 SUB AL,30 ; Cases
1,2,3,4,5,6,7,8,9,A,B,C,D,E,F,10,11,12,13,14,15,16,17,18,19,1A,1B,1C,1D,1E,1F,20,21,22,23,24,25,26,27,28,29,2A,2B,2C,2D,2E,2F
,30,31,32,33,34,35,36,37,38,39,3A,3B,3C,3D,3E,3F of switch 004010A0
004010AE > |F7E3 MUL EBX ; Default case of switch 004010A0
004010B0 . |86E0 XCHG AL,AH
004010B2 . |8A81 8F304000 MOV AL,BYTE PTR DS:[ECX+40308F]
004010B8 . |3C 40 CMP AL,40
004010BA . |72 04 JB SHORT skilLa's.004010C0
004010BC . |2C 37 SUB AL,37
004010BE . |EB 02 JMP SHORT skilLa's.004010C2
004010C0 > |2C 30 SUB AL,30
004010C2 > |02C4 ADD AL,AH
004010C4 . |8806 MOV BYTE PTR DS:[ESI],AL
004010C6 . |46 INC ESI
004010C7 . |83C1 02 ADD ECX,2
004010CA .^|EB CD JMP SHORT skilLa's.00401099
004010CC > |8D35 DD304000 LEA ESI,DWORD PTR DS:[4030DD] ; 这个地址也非常重要4030DD Case 0 of switch 004010A0
004010D2 . |E8 84000000 CALL skilLa's.0040115B ; 根据用户名算出一个数与Serial存放的数计算出结果(重要
CALL)
004010D7 . |A1 97304000 MOV EAX,DWORD PTR DS:[403097] ; 把这个结果给EAX
004010DC . |3D FB104000 CMP EAX,skilLa's.004010FB ; 比较上面的结果是否等于004010FB,等于就^-^
004010E1 . |75 02 JNZ SHORT skilLa's.004010E5
004010E3 . |FFE0 JMP EAX ; jmp eax=004010FB
004010E5 > |6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004010E7 . |68 81304000 PUSH skilLa's.00403081 ; |oh no!!
004010EC . |68 7C304000 PUSH skilLa's.0040307C ; |oops
004010F1 . |FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
004010F4 . |E8 2D010000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
004010F9 . |EB 5A JMP SHORT skilLa's.00401155
004010FB . |6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
004010FD . |68 75304000 PUSH skilLa's.00403075 ; |oh yes
00401102 . |68 4E304000 PUSH skilLa's.0040304E ; |good you solved it write a tut please!
00401107 . |FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
0040110A . |E8 17010000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0040110F . |EB 44 JMP SHORT skilLa's.00401155
00401111 > \3D ED030000 CMP EAX,3ED
00401116 . 75 16 JNZ SHORT skilLa's.0040112E
00401118 . 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
0040111A . 68 48304000 PUSH skilLa's.00403048 ; |about
0040111F . 68 00304000 PUSH skilLa's.00403000 ; |solve it without bruteforce,it contains a litle vm.
coded by skilla^rem
00401124 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00401127 . E8 FA000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0040112C . EB 27 JMP SHORT skilLa's.00401155
0040112E > 3D EC030000 CMP EAX,3EC
如果ESI是0X4030AC则有44、45、46、47、60
44 89 30 40 00 9C 30 40 00 45 89 30 40 00 A0 30 40 00 46 89 30 40 00 A4 30 40 00 47 89 30 40 00
A8 30 40 00 60 AD DE 00 00 02 00 00 00 03 00 00 00
如果ESI是0X4030DD则有44、45、46、48、49、60
44 97 30 40 00 89 30 40 00 45 97 30 40 00 D1 30 40 00 46 97 30 40 00 D5 30 40 00 48 97 30 40 00
D9 30 40 00 49 97 30 40 00 9C 30 40 00 60 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00
上面两个都是调用CALL 0040115B,根据上面的两个表很显然它们取数不同
0040115B /$ 8A1E /MOV BL,BYTE PTR DS:[ESI] ; 把BYTE PTR DS:[ESI]给BL
0040115D |. 0FBEDB |MOVSX EBX,BL
00401160 |. 8BC3 |MOV EAX,EBX ; 把BYTE PTR DS:[ESI]给EAX
00401162 |. 83F8 44 |CMP EAX,44 ; 判断是否等于0X44
00401165 |. 75 19 |JNZ SHORT skilLa's.00401180
00401167 |. 8B46 01 |MOV EAX,DWORD PTR DS:[ESI+1]
0040116A |. 8B00 |MOV EAX,DWORD PTR DS:[EAX]
0040116C |. 8B5E 05 |MOV EBX,DWORD PTR DS:[ESI+5]
0040116F |. 8B1B |MOV EBX,DWORD PTR DS:[EBX]
00401171 |. 33C3 |XOR EAX,EBX ; 取Name前四位倒序之后的十六进制组合 XOR 0X1337
00401173 |. 8B5E 01 |MOV EBX,DWORD PTR DS:[ESI+1]
00401176 |. 8903 |MOV DWORD PTR DS:[EBX],EAX
00401178 |. 83C6 09 |ADD ESI,9 ; ESI 加9
0040117B |. E9 8E000000 |JMP skilLa's.0040120E
00401180 |> 83F8 45 |CMP EAX,45 ; 判断是否等于0X45
00401183 |. 75 16 |JNZ SHORT skilLa's.0040119B
00401185 |. 8B46 01 |MOV EAX,DWORD PTR DS:[ESI+1]
00401188 |. 8B00 |MOV EAX,DWORD PTR DS:[EAX]
0040118A |. 8B5E 05 |MOV EBX,DWORD PTR DS:[ESI+5]
0040118D |. 8B1B |MOV EBX,DWORD PTR DS:[EBX]
0040118F |. 03C3 |ADD EAX,EBX ; XOR后的数 ADD 0X2016
00401191 |. 8B5E 01 |MOV EBX,DWORD PTR DS:[ESI+1]
00401194 |. 8903 |MOV DWORD PTR DS:[EBX],EAX
00401196 |. 83C6 09 |ADD ESI,9
00401199 |. EB 73 |JMP SHORT skilLa's.0040120E
0040119B |> 83F8 46 |CMP EAX,46 ; 判断是否等于0X46
0040119E |. 75 16 |JNZ SHORT skilLa's.004011B6
004011A0 |. 8B46 01 |MOV EAX,DWORD PTR DS:[ESI+1]
004011A3 |. 8B00 |MOV EAX,DWORD PTR DS:[EAX]
004011A5 |. 8B5E 05 |MOV EBX,DWORD PTR DS:[ESI+5]
004011A8 |. 8B1B |MOV EBX,DWORD PTR DS:[EBX]
004011AA |. F7E3 |MUL EBX ; ADD之后的数 MUL 2
004011AC |. 8B5E 01 |MOV EBX,DWORD PTR DS:[ESI+1]
004011AF |. 8903 |MOV DWORD PTR DS:[EBX],EAX
004011B1 |. 83C6 09 |ADD ESI,9
004011B4 |. EB 58 |JMP SHORT skilLa's.0040120E
004011B6 |> 83F8 47 |CMP EAX,47 ; 判断是否等于0X47
004011B9 |. 75 16 |JNZ SHORT skilLa's.004011D1
004011BB |. 8B46 01 |MOV EAX,DWORD PTR DS:[ESI+1]
004011BE |. 8B00 |MOV EAX,DWORD PTR DS:[EAX]
004011C0 |. 8B5E 05 |MOV EBX,DWORD PTR DS:[ESI+5]
004011C3 |. 8A0B |MOV CL,BYTE PTR DS:[EBX]
004011C5 |. D3E0 |SHL EAX,CL ; MUL之后的数 SHL 4
004011C7 |. 8B5E 01 |MOV EBX,DWORD PTR DS:[ESI+1]
004011CA |. 8903 |MOV DWORD PTR DS:[EBX],EAX
004011CC |. 83C6 09 |ADD ESI,9
004011CF |. EB 3D |JMP SHORT skilLa's.0040120E
004011D1 |> 83F8 48 |CMP EAX,48 ; 判断是否等于0X48
004011D4 |. 75 16 |JNZ SHORT skilLa's.004011EC
004011D6 |. 8B46 01 |MOV EAX,DWORD PTR DS:[ESI+1]
004011D9 |. 8B00 |MOV EAX,DWORD PTR DS:[EAX]
004011DB |. 8B5E 05 |MOV EBX,DWORD PTR DS:[ESI+5]
004011DE |. 8A0B |MOV CL,BYTE PTR DS:[EBX]
004011E0 |. D3E8 |SHR EAX,CL
004011E2 |. 8B5E 01 |MOV EBX,DWORD PTR DS:[ESI+1]
004011E5 |. 8903 |MOV DWORD PTR DS:[EBX],EAX
004011E7 |. 83C6 09 |ADD ESI,9
004011EA |. EB 22 |JMP SHORT skilLa's.0040120E
004011EC |> 83F8 49 |CMP EAX,49 ; 判断是否等于0X49
004011EF |. 75 16 |JNZ SHORT skilLa's.00401207
004011F1 |. 8B46 01 |MOV EAX,DWORD PTR DS:[ESI+1]
004011F4 |. 8B00 |MOV EAX,DWORD PTR DS:[EAX]
004011F6 |. 8B5E 05 |MOV EBX,DWORD PTR DS:[ESI+5]
004011F9 |. 8B1B |MOV EBX,DWORD PTR DS:[EBX]
004011FB |. 2BC3 |SUB EAX,EBX
004011FD |. 8B5E 01 |MOV EBX,DWORD PTR DS:[ESI+1]
00401200 |. 8903 |MOV DWORD PTR DS:[EBX],EAX
00401202 |. 83C6 09 |ADD ESI,9
00401205 |. EB 07 |JMP SHORT skilLa's.0040120E
00401207 |> 83F8 60 |CMP EAX,60 ; 判断是否等于0X60
0040120A |. 75 02 |JNZ SHORT skilLa's.0040120E
0040120C |. EB 05 |JMP SHORT skilLa's.00401213
0040120E |>^ E9 48FFFFFF \JMP skilLa's.0040115B
00401213 \> C3 RETN
附上C程序:
#include "stdio.h"
#include "string.h"
#include <stdlib.h>
void main()
{
int i;
unsigned long x;
char str[30];
printf("Name=");
scanf("%s",&str);
x=str[0]|str[1]<<0x8|str[2]<<0x10|str[3]<<0x18;
x=(((x^0x1337)+0x2016)*2)<<4;
x^=((((0x4010FB+0x1337)<<3)/2)-0xdead);
x=(x<<0x18)|(x<<0x8&0xff0000)|(x>>0x8&0xff00)|(x>>0x18&0xff);
ltoa(x,str,16);
printf("Serial=");
for (i=0;i<strlen(str);i++)
printf("%c",toupper(str[i]));
printf("\n");
getchar();
}
----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
【破解声明】 我是一只小菜鸟,偶得一点心得,愿与大家分享:)
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
----------------------------------------------------------------------------------------------
文章写于2006-10-24 2:12:35[CODE]
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
