【Author】 hbqjxhw
【Title】 Analysis of HappyTown's 28th CrackMe
【Download】 http://bbs.pediy.com/showthread.php?threadid=33861
----------------------------------------------------------------------------------------------
【Platform】 XP SP2
----------------------------------------------------------------------------------------------
【Analysis】
00401068 > \56 PUSH ESI ; Case 1 of switch 00401048
00401069 . 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8]
0040106D . 68 E9030000 PUSH 3E9 ; /ControlID = 3E9 (1001.)
00401072 . 56 PUSH ESI ; |hWnd
00401073 . FF15 C4804000 CALL DWORD PTR DS:[<&USER32.GetDlgItem>] ; \GetDlgItem
00401079 . 50 PUSH EAX ; /hWnd
0040107A . FF15 C8804000 CALL DWORD PTR DS:[<&USER32.SetFocus>] ; \SetFocus
00401080 . 56 PUSH ESI
00401081 . E8 AA000000 CALL CrackMe_.00401130 ; the important CALL: the Name/Serial check routine
00401086 . 83C4 04 ADD ESP,4
00401089 . 85C0 TEST EAX,EAX
0040108B . 5E POP ESI
0040108C . 0F84 8D000000 JE CrackMe_.0040111F ; key jump: taken when the check returned 0 (bad serial)
00401092 . 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401094 . 68 C4904000 PUSH CrackMe_.004090C4 ; |congratulations
00401099 . 68 B4904000 PUSH CrackMe_.004090B4 ; |good job, man!
0040109E . 6A 00 PUSH 0 ; |hOwner = NULL
004010A0 . FF15 CC804000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
004010A6 . 33C0 XOR EAX,EAX
004010A8 . C2 1000 RETN 10
004010AB > 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4] ; Case 3EE of switch 00401048
004010AF . 6A 05 PUSH 5 ; /IsShown = 5
004010B1 . 6A 00 PUSH 0 ; |DefDir = NULL
004010B3 . 6A 00 PUSH 0 ; |Parameters = NULL
004010B5 . 68 9C904000 PUSH CrackMe_.0040909C ; |mailto:wxr277@163.com
004010BA . 68 94904000 PUSH CrackMe_.00409094 ; |open
004010BF . 50 PUSH EAX ; |hWnd
004010C0 . FF15 B4804000 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; \ShellExecuteA
004010C6 . 33C0 XOR EAX,EAX
004010C8 . C2 1000 RETN 10
004010CB > 3D EF030000 CMP EAX,3EF
004010D0 . 75 4D JNZ SHORT CrackMe_.0040111F
004010D2 . 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL; Case 3EF of switch 00401048
004010D4 . 68 90904000 PUSH CrackMe_.00409090 ; |^_^
004010D9 . 68 30904000 PUSH CrackMe_.00409030 ; |this is my 28th crackme,and\n\nprogrammed with vc++6.0.\n\n [happytown]\n\n\t 2006-10-24
004010DE . 6A 00 PUSH 0 ; |hOwner = NULL
004010E0 . FF15 CC804000 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
004010E6 . 33C0 XOR EAX,EAX
004010E8 . C2 1000 RETN 10
---------------------CALL CrackMe_.00401130---------------------
00401130 /$ 81EC D4000000 SUB ESP,0D4
00401136 |. 53 PUSH EBX
00401137 |. 55 PUSH EBP
00401138 |. 56 PUSH ESI
00401139 |. 57 PUSH EDI
0040113A |. B9 18000000 MOV ECX,18
0040113F |. 33C0 XOR EAX,EAX
00401141 |. 8DBC24 810000>LEA EDI,DWORD PTR SS:[ESP+81]
00401148 |. C68424 800000>MOV BYTE PTR SS:[ESP+80],0
00401150 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00401152 |. 66:AB STOS WORD PTR ES:[EDI]
00401154 |. AA STOS BYTE PTR ES:[EDI]
00401155 |. B9 18000000 MOV ECX,18
0040115A |. 33C0 XOR EAX,EAX
0040115C |. 8D7C24 1D LEA EDI,DWORD PTR SS:[ESP+1D]
00401160 |. C64424 1C 00 MOV BYTE PTR SS:[ESP+1C],0
00401165 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00401167 |. 66:AB STOS WORD PTR ES:[EDI]
00401169 |. 6A 10 PUSH 10
0040116B |. 68 20030000 PUSH 320
00401170 |. 33F6 XOR ESI,ESI
00401172 |. AA STOS BYTE PTR ES:[EDI]
00401173 |. E8 98110000 CALL CrackMe_.00402310
00401178 |. 56 PUSH ESI
00401179 |. C780 34020000>MOV DWORD PTR DS:[EAX+234],10
00401183 |. E8 28100000 CALL CrackMe_.004021B0
00401188 |. 8B9C24 F40000>MOV EBX,DWORD PTR SS:[ESP+F4]
0040118F |. 83C4 0C ADD ESP,0C
00401192 |. 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
00401196 |. 8D8424 800000>LEA EAX,DWORD PTR SS:[ESP+80]
0040119D |. 6A 65 PUSH 65 ; /Count = 65 (101.)
0040119F |. 50 PUSH EAX ; |Buffer
004011A0 |. 68 E8030000 PUSH 3E8 ; |ControlID = 3E8 (1000.)
004011A5 |. 53 PUSH EBX ; |hWnd
004011A6 |. FF15 BC804000 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \GetDlgItemTextA
004011AC |. 83F8 03 CMP EAX,3 ; Name must be at least 3 characters
004011AF |. 0F82 27010000 JB CrackMe_.004012DC ; shorter -> fail
004011B5 |. 83F8 23 CMP EAX,23 ; Name must be at most 35 (0x23) characters
004011B8 |. 0F87 1E010000 JA CrackMe_.004012DC ; longer -> fail
004011BE |. 33C9 XOR ECX,ECX
004011C0 |. 85C0 TEST EAX,EAX
004011C2 |. 76 10 JBE SHORT CrackMe_.004011D4
004011C4 |> 33D2 /XOR EDX,EDX
004011C6 |. 8A940C 800000>|MOV DL,BYTE PTR SS:[ESP+ECX+80]
004011CD |. 03F2 |ADD ESI,EDX ; ESI accumulates the sum of the Name's byte values (zero-extended)
004011CF |. 41 |INC ECX
004011D0 |. 3BC8 |CMP ECX,EAX
004011D2 |.^ 72 F0 \JB SHORT CrackMe_.004011C4
004011D4 |> 8BC6 MOV EAX,ESI
004011D6 |. 8DAE 89ABCDEF LEA EBP,DWORD PTR DS:[ESI+EFCDAB89] ; EBP = byte sum + 0xEFCDAB89
004011DC |. 69F6 76543210 IMUL ESI,ESI,10325476 ; ESI = byte sum * 0x10325476
004011E2 |. 69C0 01234567 IMUL EAX,EAX,67452301 ; EAX = byte sum * 0x67452301
004011E8 |. 8BCE MOV ECX,ESI
004011EA |. 8BFD MOV EDI,EBP
004011EC |. 33C8 XOR ECX,EAX ; ECX = ESI XOR EAX
004011EE |. 33F8 XOR EDI,EAX ; EDI = EBP XOR EAX
004011F0 |. 6A 05 PUSH 5 ; rotate count 0x5
004011F2 |. 51 PUSH ECX
004011F3 |. 33EF XOR EBP,EDI ; EBP ^ (EBP ^ EAX) == EAX, so EBP = byte sum * 0x67452301
004011F5 |. E8 F6000000 CALL CrackMe_.004012F0 ; algorithm CALL 1: rotate left (ROL ECX,5), see 004012F0
004011FA |. 6A 0D PUSH 0D ; rotate count 0xD
004011FC |. 57 PUSH EDI
004011FD |. 894424 28 MOV DWORD PTR SS:[ESP+28],EAX
00401201 |. D1E6 SHL ESI,1 ; ESI <<= 1
00401203 |. E8 08010000 CALL CrackMe_.00401310 ; algorithm CALL 2: rotate right (ROR EDI,0xD), see 00401310
00401208 |. 6A 11 PUSH 11 ; rotate count 0x11
0040120A |. 55 PUSH EBP
0040120B |. 894424 28 MOV DWORD PTR SS:[ESP+28],EAX
0040120F |. E8 DC000000 CALL CrackMe_.004012F0 ; ROL EBP,0x11
00401214 |. 83C4 18 ADD ESP,18
00401217 |. 8D5424 1C LEA EDX,DWORD PTR SS:[ESP+1C]
0040121B |. 8BE8 MOV EBP,EAX
0040121D |. 6A 65 PUSH 65 ; /Count = 65 (101.)
0040121F |. 52 PUSH EDX ; |Buffer
00401220 |. 68 E9030000 PUSH 3E9 ; |ControlID = 3E9 (1001.)
00401225 |. 53 PUSH EBX ; |hWnd
00401226 |. FF15 BC804000 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \GetDlgItemTextA
0040122C |. 83F8 20 CMP EAX,20 ; Serial must be exactly 32 (0x20) characters
0040122F |. 0F85 A7000000 JNZ CrackMe_.004012DC ; any other length -> fail
00401235 |. 8A4424 1C MOV AL,BYTE PTR SS:[ESP+1C]
00401239 |. 84C0 TEST AL,AL
0040123B |. 74 3F JE SHORT CrackMe_.0040127C
0040123D |. 8D7C24 1C LEA EDI,DWORD PTR SS:[ESP+1C]
00401241 |> 833D 409F4000>/CMP DWORD PTR DS:[409F40],1
00401248 |. 7E 14 |JLE SHORT CrackMe_.0040125E
0040124A |. 33C0 |XOR EAX,EAX
0040124C |. 68 80000000 |PUSH 80
00401251 |. 8A07 |MOV AL,BYTE PTR DS:[EDI]
00401253 |. 50 |PUSH EAX
00401254 |. E8 97280000 |CALL <CrackMe_.__isctype> ; __isctype(ch, _HEX=0x80): every Serial character must be a hex digit
00401259 |. 83C4 08 |ADD ESP,8
0040125C |. EB 12 |JMP SHORT CrackMe_.00401270
0040125E |> 8B15 349D4000 |MOV EDX,DWORD PTR DS:[409D34] ; CrackMe_.00409D3E
00401264 |. 33C9 |XOR ECX,ECX
00401266 |. 8A0F |MOV CL,BYTE PTR DS:[EDI]
00401268 |. 8A044A |MOV AL,BYTE PTR DS:[EDX+ECX*2]
0040126B |. 25 80000000 |AND EAX,80
00401270 |> 85C0 |TEST EAX,EAX
00401272 |. 74 68 |JE SHORT CrackMe_.004012DC ; not a hex digit -> fail
00401274 |. 8A47 01 |MOV AL,BYTE PTR DS:[EDI+1]
00401277 |. 47 |INC EDI
00401278 |. 84C0 |TEST AL,AL
0040127A |.^ 75 C5 \JNZ SHORT CrackMe_.00401241
0040127C |> 8B5C24 14 MOV EBX,DWORD PTR SS:[ESP+14]
00401280 |. 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C]
00401284 |. 50 PUSH EAX
00401285 |. 53 PUSH EBX
00401286 |. E8 75070000 CALL CrackMe_.00401A00 ; (inferred) convert the 32-digit hex string at ESP+1C into a number
0040128B |. B9 19000000 MOV ECX,19
00401290 |. 33C0 XOR EAX,EAX
00401292 |. 8D7C24 24 LEA EDI,DWORD PTR SS:[ESP+24]
00401296 |. 50 PUSH EAX
00401297 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00401299 |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28]
0040129D |. 51 PUSH ECX
0040129E |. 53 PUSH EBX
0040129F |. 50 PUSH EAX
004012A0 |. E8 0B050000 CALL CrackMe_.004017B0 ; (inferred from the keygen's byte swap) export that number, most significant byte first, into the zeroed buffer
004012A5 |. 8B5424 30 MOV EDX,DWORD PTR SS:[ESP+30]
004012A9 |. 8B4424 34 MOV EAX,DWORD PTR SS:[ESP+34]
004012AD |. 83C4 18 ADD ESP,18
004012B0 |. 3BC2 CMP EAX,EDX ; the four dword comparisons below: each must match, otherwise fail
004012B2 |. 75 28 JNZ SHORT CrackMe_.004012DC
004012B4 |. 396C24 20 CMP DWORD PTR SS:[ESP+20],EBP
004012B8 |. 75 22 JNZ SHORT CrackMe_.004012DC
004012BA |. 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
004012BE |. 8B4C24 24 MOV ECX,DWORD PTR SS:[ESP+24]
004012C2 |. 3BC8 CMP ECX,EAX
004012C4 |. 75 16 JNZ SHORT CrackMe_.004012DC
004012C6 |. 397424 28 CMP DWORD PTR SS:[ESP+28],ESI
004012CA |. 75 10 JNZ SHORT CrackMe_.004012DC
004012CC |. 5F POP EDI
004012CD |. 5E POP ESI
004012CE |. 5D POP EBP
004012CF |. B8 01000000 MOV EAX,1
004012D4 |. 5B POP EBX
004012D5 |. 81C4 D4000000 ADD ESP,0D4
004012DB |. C3 RETN
004012DC |> 5F POP EDI
004012DD |. 5E POP ESI
004012DE |. 5D POP EBP
004012DF |. 33C0 XOR EAX,EAX
004012E1 |. 5B POP EBX
004012E2 |. 81C4 D4000000 ADD ESP,0D4
004012E8 \. C3 RETN
---------------------CALL CrackMe_.004012F0---------------------
004012F0 /$ 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
004012F4 |. 56 PUSH ESI
004012F5 |. 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C]
004012F9 |. B9 20000000 MOV ECX,20
004012FE |. 2BCE SUB ECX,ESI
00401300 |. 8BC2 MOV EAX,EDX
00401302 |. D3E8 SHR EAX,CL
00401304 |. 8BCE MOV ECX,ESI
00401306 |. 5E POP ESI
00401307 |. D3E2 SHL EDX,CL
00401309 |. 0BC2 OR EAX,EDX
0040130B \. C3 RETN
---------------------CALL CrackMe_.00401310---------------------
00401310 /$ 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
00401314 |. 56 PUSH ESI
00401315 |. 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C]
00401319 |. B9 20000000 MOV ECX,20
0040131E |. 2BCE SUB ECX,ESI
00401320 |. 8BC2 MOV EAX,EDX
00401322 |. D3E0 SHL EAX,CL
00401324 |. 8BCE MOV ECX,ESI
00401326 |. 5E POP ESI
00401327 |. D3EA SHR EDX,CL
00401329 |. 0BC2 OR EAX,EDX
0040132B \. C3 RETN
Keygen source in C (uses fixed-width types so the rotations are 32-bit on every platform, bounds the name as the target does, and prints each group zero-padded to 8 hex digits, since the target rejects any serial that is not exactly 32 characters):
#include <stdio.h>
#include <stdint.h>
#include <string.h>

int main(void)
{
    uint32_t a, b, c, d;
    uint32_t sn1, sn2, sn3, sn4;
    uint32_t num = 0;
    char str[50];
    size_t len;

    printf("Enter Name (3 to 35 characters): ");
    if (scanf("%49s", str) != 1)              /* width limit: no overflow of str */
        return 1;
    len = strlen(str);
    if (len < 3 || len > 35) {                /* same bounds as 004011AC / 004011B5 */
        printf("Name must be 3 to 35 characters\n");
        return 1;
    }
    for (size_t i = 0; i < len; i++)
        num += (unsigned char)str[i];         /* zero-extended byte sum, as at 004011C4 */

    a = (num * 0x10325476u) ^ (num * 0x67452301u);
    b = num * 0x10325476u;
    c = (num + 0xEFCDAB89u) ^ (num * 0x67452301u);
    d = num * 0x67452301u;
    a = (a >> 0x1B) | (a << 0x5);             /* ROL 5  (CALL 004012F0) */
    b = b << 0x1;                             /* SHL 1 */
    c = (c << 0x13) | (c >> 0xD);             /* ROR 13 (CALL 00401310) */
    d = (d >> 0xF) | (d << 0x11);             /* ROL 17 (CALL 004012F0) */
    /* byte-swap each dword: the serial is parsed big-endian but compared as little-endian dwords */
    sn1 = (a << 0x18) | (a << 0x8 & 0xff0000) | (a >> 0x8 & 0xff00) | (a >> 0x18 & 0xff);
    sn2 = (d << 0x18) | (d << 0x8 & 0xff0000) | (d >> 0x8 & 0xff00) | (d >> 0x18 & 0xff);
    sn3 = (c << 0x18) | (c << 0x8 & 0xff0000) | (c >> 0x8 & 0xff00) | (c >> 0x18 & 0xff);
    sn4 = (b << 0x18) | (b << 0x8 & 0xff0000) | (b >> 0x8 & 0xff00) | (b >> 0x18 & 0xff);
    /* %08x instead of ltoa(): ltoa is non-standard and drops leading zeros, which
       would yield a serial shorter than 32 characters and fail the CMP EAX,20 */
    printf("Serial:%08x%08x%08x%08x\n", (unsigned)sn1, (unsigned)sn2, (unsigned)sn3, (unsigned)sn4);
    return 0;
}
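Added example, not part of the original post: a C re-implementation of the check routine at 00401130, so keygen output can be verified offline against the same rules the target applies (name length 3..35, serial exactly 32 hex digits, four rotated dwords). The behaviour of 00401A00/004017B0 is an assumption taken from the byte swap in the keygen (the hex string becomes a big-endian byte buffer that is then read as little-endian dwords); the name "abc" is a constructed sample input.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Rotate helpers mirroring the two routines called from 00401130:
   004012F0 rotates left, 00401310 rotates right; both take (value, count). */
static uint32_t rol32(uint32_t x, unsigned n) { return (x << n) | (x >> (32 - n)); }
static uint32_t ror32(uint32_t x, unsigned n) { return (x >> n) | (x << (32 - n)); }

/* Reverse the byte order of a dword. Assumption (from the keygen's own swap):
   00401A00/004017B0 turn the 32 hex digits into a big-endian byte buffer that
   the checker then compares as four little-endian dword reads. */
static uint32_t bswap32(uint32_t x) {
    return (x << 24) | ((x << 8) & 0x00ff0000u) | ((x >> 8) & 0x0000ff00u) | (x >> 24);
}

/* Compute the four target dwords exactly as 004011BE..0040121B do.
   Returns 0 when the name length fails the 3..35 check at 004011AC/004011B5. */
int name_targets(const char *name, uint32_t t[4]) {
    size_t len = strlen(name);
    if (len < 3 || len > 35) return 0;
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += (unsigned char)name[i];       /* XOR EDX,EDX / MOV DL: zero-extended bytes */
    uint32_t ebp = sum + 0xEFCDAB89u;        /* LEA EBP,[ESI+EFCDAB89] */
    uint32_t esi = sum * 0x10325476u;        /* IMUL ESI,ESI,10325476 */
    uint32_t eax = sum * 0x67452301u;        /* IMUL EAX,EAX,67452301 */
    uint32_t ecx = esi ^ eax;
    uint32_t edi = ebp ^ eax;
    ebp ^= edi;                              /* (sum+K) ^ ((sum+K) ^ eax) == eax */
    t[0] = rol32(ecx, 5);                    /* saved at [ESP+18], compared first  */
    t[1] = rol32(ebp, 0x11);                 /* left in EBP, compared second       */
    t[2] = ror32(edi, 0x0D);                 /* saved at [ESP+10], compared third  */
    t[3] = esi << 1;                         /* SHL ESI,1, compared last           */
    return 1;
}

/* Parse the serial the way the checker does: exactly 0x20 characters (CMP EAX,20),
   every one a hex digit (the __isctype(_HEX) loop at 00401241), then four dwords. */
int parse_serial(const char *serial, uint32_t v[4]) {
    if (strlen(serial) != 32) return 0;
    for (int i = 0; i < 32; i++)
        if (!isxdigit((unsigned char)serial[i])) return 0;
    for (int g = 0; g < 4; g++) {
        uint32_t be = 0;
        for (int i = 0; i < 8; i++) {
            int ch = tolower((unsigned char)serial[g * 8 + i]);
            be = (be << 4) | (uint32_t)(isdigit(ch) ? ch - '0' : ch - 'a' + 10);
        }
        v[g] = bswap32(be);                  /* little-endian read of big-endian bytes */
    }
    return 1;
}

/* The four CMP/JNZ pairs at 004012B0..004012CA: all must match. */
int check_serial(const char *name, const char *serial) {
    uint32_t t[4], v[4];
    if (!name_targets(name, t) || !parse_serial(serial, v)) return 0;
    for (int i = 0; i < 4; i++)
        if (t[i] != v[i]) return 0;
    return 1;
}

/* Keygen side, for a round-trip test: 8 zero-padded hex digits per group so the
   serial is always 32 characters. out must hold 33 bytes. */
int make_serial(const char *name, char out[33]) {
    uint32_t t[4];
    if (!name_targets(name, t)) return 0;
    for (int i = 0; i < 4; i++)
        snprintf(out + i * 8, 9, "%08x", (unsigned)bswap32(t[i]));
    return 1;
}

int main(void) {
    const char *name = "abc";                /* constructed sample input */
    char serial[33];
    if (!make_serial(name, serial)) return 1;
    printf("Name:     %s\nSerial:   %s\n", name, serial);
    printf("check:    %s\n", check_serial(name, serial) ? "good job, man!" : "rejected");
    serial[0] = (serial[0] == '0') ? '1' : '0';   /* corrupt one digit: must be rejected */
    printf("tampered: %s\n", check_serial(name, serial) ? "accepted (bug)" : "rejected");
    return 0;
}
```

Running it for the name "abc" also shows why the zero padding matters: the last group of that serial starts with a 0, so a keygen that prints it with ltoa() emits 31 characters and the target rejects it at CMP EAX,20 before any of the dword comparisons run.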
----------------------------------------------------------------------------------------------
【Note】 I'm just a newbie; having picked up a little insight, I'd like to share it with everyone :)
【Copyright】 This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thanks!
----------------------------------------------------------------------------------------------
Written on 2006-10-26 19:40:12