【Title】Algorithm analysis of lanyus's Crackme: the MD5 algorithm
【Author】XXNB
【Author e-mail】
【Author homepage】http://free.ys168.com/?binbinbin7456
【Tools】OllyDbg (OD)
【Platform】Windows XP SP2
【Software name】reg.rar
【Software size】
【Original download】http://lanyus.googlepages.com/reg.rar
【Protection】name + serial
【Software description】Download: http://lanyus.googlepages.com/reg.rar
Note: if registration succeeds, after restarting the program the status bar shows the serial's expiry date; otherwise it shows "未注册" (unregistered).
Reference serial:
Username: binbinbin
Serial: 4C345698EA77087A
This serial's expiry date is 2011-05-12
【Statement】Learning from the masters!!!
------------------------------------------------------------------------
【Cracking process】
------------------------------------------------------------------------
1. This Crackme is a restart-verification example: it reads and writes a file, it is a Delphi program, and it is not packed. A PEiD plugin shows that it uses MD5. A string search for "您的有效期至" ("your license is valid until") finds the breakpoint below, but first we have to
run the program once and enter a trial serial:
Name: binbinbin
Serial: 1234567890123456
The program then writes a reg.dll file; opening it in Notepad shows the username and serial. This fake serial matters: it must be exactly 16 characters (the check loop below accepts only the digits 0-9 and upper-case A-F), and the fake serial directly determines
the expiry date that the real serial will carry. See the algorithm:
0045D4A9 |. 55 push ebp ; break here. Set the breakpoint
0045D4AA |. 68 A9D54500 push 0045D5A9
0045D4AF |. 64:FF30 push dword ptr fs:[eax]
0045D4B2 |. 64:8920 mov fs:[eax], esp
0045D4B5 |. 8D45 FC lea eax, [ebp-4]
0045D4B8 |. BA C0D54500 mov edx, 0045D5C0 ; 您的有效期至 (your license is valid until)
0045D4BD |. E8 366FFAFF call 004043F8
0045D4C2 |. 8D45 F8 lea eax, [ebp-8]
0045D4C5 |. BA D8D54500 mov edx, 0045D5D8 ; 未注册 (unregistered)
0045D4CA |. E8 296FFAFF call 004043F8
0045D4CF |. B8 E8D54500 mov eax, 0045D5E8 ; reg.dll
0045D4D4 |. E8 FBB3FAFF call 004088D4
0045D4D9 |. 84C0 test al, al
0045D4DB |. 0F84 AD000000 je 0045D58E
0045D4E1 |. B2 01 mov dl, 1
0045D4E3 |. A1 B4244100 mov eax, [4124B4]
0045D4E8 |. E8 F360FAFF call 004035E0
0045D4ED |. 8BD8 mov ebx, eax
0045D4EF |. BA E8D54500 mov edx, 0045D5E8 ; reg.dll
0045D4F4 |. 8BC3 mov eax, ebx
0045D4F6 |. 8B08 mov ecx, [eax]
0045D4F8 |. FF51 68 call [ecx+68]
0045D4FB |. 8D4D F4 lea ecx, [ebp-C]
0045D4FE |. BA F8D54500 mov edx, 0045D5F8 ; username
0045D503 |. 8BC3 mov eax, ebx
0045D505 |. E8 8285FBFF call 00415A8C
0045D50A |. 8D4D F0 lea ecx, [ebp-10]
0045D50D |. BA 0CD64500 mov edx, 0045D60C ; sn
0045D512 |. 8BC3 mov eax, ebx
0045D514 |. E8 7385FBFF call 00415A8C
0045D519 |. 8BC3 mov eax, ebx
0045D51B |. E8 F060FAFF call 00403610
0045D520 |. 8B55 F0 mov edx, [ebp-10]
0045D523 |. 8B45 F4 mov eax, [ebp-C]
0045D526 |. E8 C9FBFFFF call 0045D0F4 ; algorithm call <----------
0045D52B |. 84C0 test al, al
0045D52D |. 74 44 je short 0045D573 ; key jump
2. Stepping into the call 0045D0F4 at 0045D526 gives:
0045D0F4 $ 55 push ebp
0045D0F5 . 8BEC mov ebp, esp
0045D0F7 . 83C4 D0 add esp, -30
0045D0FA . 53 push ebx
0045D0FB . 56 push esi
0045D0FC . 57 push edi
0045D0FD . 33C9 xor ecx, ecx
0045D0FF . 894D EC mov [ebp-14], ecx
0045D102 . 894D D4 mov [ebp-2C], ecx
0045D105 . 894D D0 mov [ebp-30], ecx
0045D108 . 894D D8 mov [ebp-28], ecx
0045D10B . 894D F4 mov [ebp-C], ecx
0045D10E . 894D F0 mov [ebp-10], ecx
0045D111 . 8955 F8 mov [ebp-8], edx
0045D114 . 8945 FC mov [ebp-4], eax
0045D117 . 8B45 FC mov eax, [ebp-4] ; username into eax
0045D11A . E8 F176FAFF call 00404810
0045D11F . 8B45 F8 mov eax, [ebp-8] ; fake serial into eax
0045D122 . E8 E976FAFF call 00404810
0045D127 . 33C0 xor eax, eax
0045D129 . 55 push ebp
0045D12A . 68 53D24500 push 0045D253
0045D12F . 64:FF30 push dword ptr fs:[eax]
0045D132 . 64:8920 mov fs:[eax], esp
0045D135 . 33DB xor ebx, ebx
0045D137 . 8B45 F8 mov eax, [ebp-8]
0045D13A . E8 E174FAFF call 00404620
0045D13F . 83F8 10 cmp eax, 10 ; the serial must be 16 characters long
0045D142 . 0F85 E3000000 jnz 0045D22B
0045D148 . B8 01000000 mov eax, 1
0045D14D > 8B55 F8 mov edx, [ebp-8]
0045D150 . 8A5402 FF mov dl, [edx+eax-1] ; take the serial characters one at a time
0045D154 . 80C2 D0 add dl, 0D0 ; +D0 (208) is the same as -30, i.e. subtract '0'
0045D157 . 80EA 0A sub dl, 0A ; -0A (10): a borrow, and the jump below, means the character was '0'..'9'
0045D15A . 72 0C jb short 0045D168
0045D15C . 80C2 F9 add dl, 0F9 ; +F9 is -7, so dl is now character - 'A'
0045D15F . 80EA 06 sub dl, 6 ; no borrow means the character is beyond 'F'
0045D162 . 0F83 C3000000 jnb 0045D22B ; fail: only 0-9 and upper-case A-F are accepted
0045D168 > 40 inc eax
0045D169 . 83F8 11 cmp eax, 11
0045D16C .^ 75 DF jnz short 0045D14D ; loop back. This is the serial character check
0045D16E . 33C0 xor eax, eax
0045D170 . 55 push ebp
0045D171 . 68 B0D14500 push 0045D1B0
0045D176 . 64:FF30 push dword ptr fs:[eax]
0045D179 . 64:8920 mov fs:[eax], esp
0045D17C . 8B45 F8 mov eax, [ebp-8] ; fake serial
0045D17F . E8 B0FAFFFF call 0045CC34 ; this produces the date; we step into it in 2.1
0045D184 . 83C4 F8 add esp, -8 ; /
0045D187 . DD1C24 fstp qword ptr [esp] ; |40675 (the Delphi TDateTime for 2011-05-12: days since 1899-12-30)
0045D18A . 9B wait ; |
0045D18B . 8D55 F4 lea edx, [ebp-C] ; |
0045D18E . B8 6CD24500 mov eax, 0045D26C ; |yymmdd
0045D193 . E8 7CD8FAFF call 0040AA14 ; \formats the date with "yymmdd", giving ASCII "110512"
0045D198 . 8D4D F0 lea ecx, [ebp-10]
0045D19B . 8B55 F4 mov edx, [ebp-C] ; the expiry date appears here: 110512
0045D19E . 8B45 FC mov eax, [ebp-4] ; username
0045D1A1 . E8 3AF4FFFF call 0045C5E0 ; this is THE key routine! <----------*****
0045D1A6 . 33C0 xor eax, eax
0045D1A8 . 5A pop edx
0045D1A9 . 59 pop ecx
0045D1AA . 59 pop ecx
0045D1AB . 64:8910 mov fs:[eax], edx
0045D1AE . EB 13 jmp short 0045D1C3
0045D1B0 .^ E9 FB68FAFF jmp 00403AB0
0045D1B5 . 33DB xor ebx, ebx
0045D1B7 . E8 5C6CFAFF call 00403E18
0045D1BC . EB 6D jmp short 0045D22B
0045D1BE . E8 556CFAFF call 00403E18
0045D1C3 > 8D55 DC lea edx, [ebp-24]
0045D1C6 . 8B45 F0 mov eax, [ebp-10] ; the real serial appears here ~~~~ (a memory keygen could dump it at this point)
0045D1C9 . E8 6EECFFFF call 0045BE3C
0045D1CE . 8D45 DC lea eax, [ebp-24]
0045D1D1 . 8D55 D8 lea edx, [ebp-28]
0045D1D4 . E8 D7ECFFFF call 0045BEB0 ; 0045BEB0 is the MD5 routine
0045D1D9 . 8B45 D8 mov eax, [ebp-28] ; this string
0045D1DC . 8D55 DC lea edx, [ebp-24] ; we ignore what follows ~ lazy
0045D1DF . E8 58ECFFFF call 0045BE3C
0045D1E4 . 8D45 DC lea eax, [ebp-24]
0045D1E7 . 8D55 EC lea edx, [ebp-14] ; another one
0045D1EA . E8 C1ECFFFF call 0045BEB0 ; MD5
0045D1EF . 8B45 EC mov eax, [ebp-14] ; continuing
0045D1F2 . 50 push eax
0045D1F3 . 8D55 DC lea edx, [ebp-24]
0045D1F6 . 8B45 F8 mov eax, [ebp-8] ; +++
0045D1F9 . E8 3EECFFFF call 0045BE3C
0045D1FE . 8D45 DC lea eax, [ebp-24]
0045D201 . 8D55 D0 lea edx, [ebp-30]
0045D204 . E8 A7ECFFFF call 0045BEB0 ; MD5
0045D209 . 8B45 D0 mov eax, [ebp-30] ; ***+
0045D20C . 8D55 DC lea edx, [ebp-24]
0045D20F . E8 28ECFFFF call 0045BE3C
0045D214 . 8D45 DC lea eax, [ebp-24]
0045D217 . 8D55 D4 lea edx, [ebp-2C]
0045D21A . E8 91ECFFFF call 0045BEB0 ; MD5
2.1. Stepping into the call that produces the date, we find the following (the arithmetic that turns the fake serial into the 16-bit string is not shown here; the bit gather in section 3 appears to be the same mapping run in the other direction):
0045CF76 |. 8D95 0CFFFFFF lea edx, dword ptr [ebp-F4] ; "0001011010101100", obtained from the computation above
0045CF7C |. 8D45 E8 lea eax, dword ptr [ebp-18]
0045CF7F |. E8 4076FAFF call 004045C4
0045CF84 |. 8D85 04FFFFFF lea eax, dword ptr [ebp-FC]
0045CF8A |. 50 push eax
0045CF8B |. B9 07000000 mov ecx, 7 ; take 7 characters
0045CF90 |. BA 01000000 mov edx, 1 ; starting at character 1
0045CF95 |. 8B45 E8 mov eax, dword ptr [ebp-18]
0045CF98 |. E8 E378FAFF call 00404880
0045CF9D |. 8B8D 04FFFFFF mov ecx, dword ptr [ebp-FC] ; "0001011"
0045CFA3 |. 8D85 08FFFFFF lea eax, dword ptr [ebp-F8]
0045CFA9 |. BA D4D04500 mov edx, 0045D0D4
0045CFAE |. E8 B976FAFF call 0040466C
0045CFB3 |. 8B85 08FFFFFF mov eax, dword ptr [ebp-F8]
0045CFB9 |. E8 D6EFFFFF call 0045BF94 ; binary string to integer: 0B (11)
0045CFBE |. 8BD8 mov ebx, eax
0045CFC0 |. 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
0045CFC6 |. 50 push eax
0045CFC7 |. B9 04000000 mov ecx, 4 ; take 4 characters
0045CFCC |. BA 08000000 mov edx, 8 ; starting at character 8
0045CFD1 |. 8B45 E8 mov eax, dword ptr [ebp-18]
0045CFD4 |. E8 A778FAFF call 00404880
0045CFD9 |. 8B8D FCFEFFFF mov ecx, dword ptr [ebp-104] ; 0101
0045CFDF |. 8D85 00FFFFFF lea eax, dword ptr [ebp-100]
0045CFE5 |. BA E0D04500 mov edx, 0045D0E0 ; ASCII "0000"
0045CFEA |. E8 7D76FAFF call 0040466C
0045CFEF |. 8B85 00FFFFFF mov eax, dword ptr [ebp-100] ; with "0000" prepended
0045CFF5 |. E8 9AEFFFFF call 0045BF94 ; gives 05
0045CFFA |. 8BF0 mov esi, eax
0045CFFC |. 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C]
0045D002 |. 50 push eax
0045D003 |. B9 05000000 mov ecx, 5 ; take 5 characters
0045D008 |. BA 0C000000 mov edx, 0C ; starting at character 12
0045D00D |. 8B45 E8 mov eax, dword ptr [ebp-18] ; from "0001011010101100"
0045D010 |. E8 6B78FAFF call 00404880
0045D015 |. 8B8D F4FEFFFF mov ecx, dword ptr [ebp-10C] ; 01100
0045D01B |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
0045D021 |. BA F0D04500 mov edx, 0045D0F0 ; ASCII "000"
0045D026 |. E8 4176FAFF call 0040466C ; prepend "000"
0045D02B |. 8B85 F8FEFFFF mov eax, dword ptr [ebp-108] ; 00001100
0045D031 |. E8 5EEFFFFF call 0045BF94 ; gives 0C (12)
0045D036 |. 66:81C3 D007 add bx, 7D0 ; +7D0 = 2000
0045D03B |. 66:895D D8 mov word ptr [ebp-28], bx ; 7DB (2011)
0045D03F |. 66:8975 DA mov word ptr [ebp-26], si ; 05
0045D043 |. 66:8945 DE mov word ptr [ebp-22], ax ; 0C
0045D047 |. 8D45 D8 lea eax, dword ptr [ebp-28]
0045D04A |. E8 19CDFAFF call 00409D68
0045D04F |. 83C4 F8 add esp, -8 ; /
0045D052 |. DD1C24 fstp qword ptr [esp] ; |40675 (TDateTime for 2011-05-12)
0045D055 |. 9B wait ; |
0045D056 |. 8D85 F0FEFFFF lea eax, dword ptr [ebp-110] ; |
0045D05C |. E8 87D9FAFF call 0040A9E8 ; \Reg.0040A9E8
0045D061 |. 8B85 F0FEFFFF mov eax, dword ptr [ebp-110] ; "2011-5-12" finally appears
3. Stepping into the Crackme's main computation call, 0045D1A1 call 0045C5E0, gives:
0045C5E0 /$ 55 push ebp
0045C5E1 |. 8BEC mov ebp, esp
0045C5E3 |. 51 push ecx
0045C5E4 |. B9 1C000000 mov ecx, 1C
0045C5E9 |> 6A 00 /push 0
0045C5EB |. 6A 00 |push 0
0045C5ED |. 49 |dec ecx
0045C5EE |.^ 75 F9 \jnz short 0045C5E9
0045C5F0 |. 874D FC xchg [ebp-4], ecx
0045C5F3 |. 53 push ebx
0045C5F4 |. 56 push esi
0045C5F5 |. 57 push edi
0045C5F6 |. 894D F4 mov [ebp-C], ecx
0045C5F9 |. 8955 F8 mov [ebp-8], edx ; expiry date
0045C5FC |. 8945 FC mov [ebp-4], eax ; username
0045C5FF |. 8B45 FC mov eax, [ebp-4]
0045C602 |. E8 0982FAFF call 00404810
0045C607 |. 8B45 F8 mov eax, [ebp-8]
0045C60A |. E8 0182FAFF call 00404810
0045C60F |. 33C0 xor eax, eax
0045C611 |. 55 push ebp
0045C612 |. 68 25CC4500 push 0045CC25
0045C617 |. 64:FF30 push dword ptr fs:[eax]
0045C61A |. 64:8920 mov fs:[eax], esp
0045C61D |. 8D55 B8 lea edx, [ebp-48]
0045C620 |. 8B45 FC mov eax, [ebp-4]
0045C623 |. E8 14F8FFFF call 0045BE3C
0045C628 |. 8D45 B8 lea eax, [ebp-48]
0045C62B |. 8D55 E4 lea edx, [ebp-1C]
0045C62E |. E8 7DF8FFFF call 0045BEB0 ; MD5
0045C633 |. 8D55 B8 lea edx, [ebp-48]
0045C636 |. 8B45 F8 mov eax, [ebp-8]
0045C639 |. E8 FEF7FFFF call 0045BE3C
0045C63E |. 8D45 B8 lea eax, [ebp-48]
0045C641 |. 8D55 E0 lea edx, [ebp-20]
0045C644 |. E8 67F8FFFF call 0045BEB0 ; MD5
0045C649 |. 8D45 B4 lea eax, [ebp-4C]
0045C64C |. 8B4D E0 mov ecx, [ebp-20] ; MD5 of the string 110512: 316a6f4ced05edfc00f35e2699f0b762
0045C64F |. 8B55 E4 mov edx, [ebp-1C] ; MD5 of the username binbinbin: a35ace6d1594e9da9b723b6c9f541c77
0045C652 |. E8 1580FAFF call 0040466C ; concatenation function (edx first, then ecx)
0045C657 |. 8B45 B4 mov eax, [ebp-4C] ; the username's MD5 comes first
0045C65A |. 8D55 B8 lea edx, [ebp-48]
0045C65D |. E8 DAF7FFFF call 0045BE3C ; copies the string in eax into the buffer at edx (the MD5 input)
0045C662 |. 8D45 B8 lea eax, [ebp-48]
0045C665 |. 8D55 E8 lea edx, [ebp-18] ; the username MD5 and expiry-date MD5 were concatenated above and are now MD5'd again; the result is the string I call AA
0045C668 |. E8 43F8FFFF call 0045BEB0 ; MD5
0045C66D |. 8D45 F0 lea eax, [ebp-10] ; here we can see the string AA on the stack
0045C670 |. 8B55 F8 mov edx, [ebp-8] ; 110512
0045C673 |. E8 807DFAFF call 004043F8
0045C678 |. 8D45 B0 lea eax, [ebp-50]
0045C67B |. 50 push eax
0045C67C |. B9 02000000 mov ecx, 2 ; take two characters
0045C681 |. BA 01000000 mov edx, 1 ; starting at character 1
0045C686 |. 8B45 F0 mov eax, [ebp-10]
0045C689 |. E8 F281FAFF call 00404880 ; substring function
0045C68E |. 8B45 B0 mov eax, [ebp-50] ; (ASCII "11")
0045C691 |. E8 92BEFAFF call 00408528 ; string to integer (decimal 11, which is the 00001011 below)
0045C696 |. 8BD8 mov ebx, eax
0045C698 |. 8D45 AC lea eax, [ebp-54]
0045C69B |. 50 push eax
0045C69C |. B9 02000000 mov ecx, 2 ; take 2 characters
0045C6A1 |. BA 03000000 mov edx, 3 ; starting at character 3
0045C6A6 |. 8B45 F0 mov eax, [ebp-10]
0045C6A9 |. E8 D281FAFF call 00404880
0045C6AE |. 8B45 AC mov eax, [ebp-54] ; (ASCII "05")
0045C6B1 |. E8 72BEFAFF call 00408528 ; string to integer (5)
0045C6B6 |. 8BF0 mov esi, eax
0045C6B8 |. 8D45 A8 lea eax, [ebp-58]
0045C6BB |. 50 push eax
0045C6BC |. B9 02000000 mov ecx, 2 ; take 2 characters
0045C6C1 |. BA 05000000 mov edx, 5 ; starting at character 5
0045C6C6 |. 8B45 F0 mov eax, [ebp-10]
0045C6C9 |. E8 B281FAFF call 00404880
0045C6CE |. 8B45 A8 mov eax, [ebp-58] ; (ASCII "12")
0045C6D1 |. E8 52BEFAFF call 00408528 ; string to integer (12)
0045C6D6 |. 8BF8 mov edi, eax
0045C6D8 |. 8D45 A4 lea eax, [ebp-5C]
0045C6DB |. 50 push eax
0045C6DC |. 8D55 A0 lea edx, [ebp-60]
0045C6DF |. 8BC3 mov eax, ebx
0045C6E1 |. E8 5EF9FFFF call 0045C044 ; converts the integer to an 8-character binary string
0045C6E6 |. 8B45 A0 mov eax, [ebp-60] ; "00001011", 11 in binary. Each two-digit field taken above is turned into binary
0045C6E9 |. B9 07000000 mov ecx, 7 ; 7 characters
0045C6EE |. BA 02000000 mov edx, 2 ; starting at character 2 (keeps the low 7 bits)
0045C6F3 |. E8 8881FAFF call 00404880 ; substring again
0045C6F8 |. FF75 A4 push dword ptr [ebp-5C] ; (ASCII "0001011")
0045C6FB |. 8D45 9C lea eax, [ebp-64]
0045C6FE |. 50 push eax
0045C6FF |. 8D55 98 lea edx, [ebp-68]
0045C702 |. 8BC6 mov eax, esi
0045C704 |. E8 3BF9FFFF call 0045C044 ; to binary
0045C709 |. 8B45 98 mov eax, [ebp-68] ; "00000101", 05 in binary
0045C70C |. B9 04000000 mov ecx, 4 ; 4 characters
0045C711 |. BA 05000000 mov edx, 5 ; starting at character 5 (keeps the low 4 bits)
0045C716 |. E8 6581FAFF call 00404880
0045C71B |. FF75 9C push dword ptr [ebp-64] ; (ASCII "0101")
0045C71E |. 8D45 94 lea eax, [ebp-6C]
0045C721 |. 50 push eax
0045C722 |. 8D55 90 lea edx, [ebp-70]
0045C725 |. 8BC7 mov eax, edi
0045C727 |. E8 18F9FFFF call 0045C044 ; to binary
0045C72C |. 8B45 90 mov eax, [ebp-70] ; "00001100", 12 in binary
0045C72F |. B9 05000000 mov ecx, 5 ; 5 characters
0045C734 |. BA 04000000 mov edx, 4 ; starting at character 4 (keeps the low 5 bits)
0045C739 |. E8 4281FAFF call 00404880
0045C73E |. FF75 94 push dword ptr [ebp-6C] ; (ASCII "01100")
0045C741 |. 8D45 EC lea eax, [ebp-14]
0045C744 |. BA 03000000 mov edx, 3
0045C749 |. E8 927FFAFF call 004046E0 ; concatenates the three binary strings: "110512" is now packed into 16 bits
0045C74E |. 8D45 84 lea eax, [ebp-7C]
0045C751 |. 8B55 EC mov edx, [ebp-14] ; "0001011010101100", the packed "110512"
0045C754 |. 8A52 02 mov dl, [edx+2]
0045C757 |. 8850 01 mov [eax+1], dl
0045C75A |. C600 01 mov byte ptr [eax], 1
0045C75D |. 8D55 84 lea edx, [ebp-7C]
0045C760 |. 8D45 80 lea eax, [ebp-80]
0045C763 |. E8 4C66FAFF call 00402DB4
0045C768 |. 8D85 7CFFFFFF lea eax, [ebp-84]
0045C76E |. 8B55 EC mov edx, [ebp-14]
0045C771 |. 8A52 03 mov dl, [edx+3]
0045C774 |. 8850 01 mov [eax+1], dl
0045C777 |. C600 01 mov byte ptr [eax], 1
0045C77A |. 8D95 7CFFFFFF lea edx, [ebp-84]
0045C780 |. 8D45 80 lea eax, [ebp-80]
0045C783 |. B1 02 mov cl, 2 ; 2
0045C785 |. E8 FA65FAFF call 00402D84
0045C78A |. 8D55 80 lea edx, [ebp-80]
0045C78D |. 8D85 78FFFFFF lea eax, [ebp-88]
0045C793 |. E8 1C66FAFF call 00402DB4
0045C798 |. 8D85 7CFFFFFF lea eax, [ebp-84]
0045C79E |. 8B55 EC mov edx, [ebp-14]
0045C7A1 |. 8A52 04 mov dl, [edx+4]
0045C7A4 |. 8850 01 mov [eax+1], dl
0045C7A7 |. C600 01 mov byte ptr [eax], 1
0045C7AA |. 8D95 7CFFFFFF lea edx, [ebp-84]
0045C7B0 |. 8D85 78FFFFFF lea eax, [ebp-88]
0045C7B6 |. B1 03 mov cl, 3 ; 3
0045C7B8 |. E8 C765FAFF call 00402D84
0045C7BD |. 8D95 78FFFFFF lea edx, [ebp-88]
0045C7C3 |. 8D85 70FFFFFF lea eax, [ebp-90]
0045C7C9 |. E8 E665FAFF call 00402DB4
0045C7CE |. 8D85 7CFFFFFF lea eax, [ebp-84]
0045C7D4 |. 8B55 EC mov edx, [ebp-14]
0045C7D7 |. 8A52 08 mov dl, [edx+8]
0045C7DA |. 8850 01 mov [eax+1], dl
0045C7DD |. C600 01 mov byte ptr [eax], 1
0045C7E0 |. 8D95 7CFFFFFF lea edx, [ebp-84]
0045C7E6 |. 8D85 70FFFFFF lea eax, [ebp-90]
0045C7EC |. B1 04 mov cl, 4 ; 4
0045C7EE |. E8 9165FAFF call 00402D84
0045C7F3 |. 8D95 70FFFFFF lea edx, [ebp-90]
0045C7F9 |. 8D85 68FFFFFF lea eax, [ebp-98]
0045C7FF |. E8 B065FAFF call 00402DB4
0045C804 |. 8D85 7CFFFFFF lea eax, [ebp-84]
0045C80A |. 8B55 EC mov edx, [ebp-14]
0045C80D |. 8A52 09 mov dl, [edx+9]
0045C810 |. 8850 01 mov [eax+1], dl
0045C813 |. C600 01 mov byte ptr [eax], 1
0045C816 |. 8D95 7CFFFFFF lea edx, [ebp-84]
0045C81C |. 8D85 68FFFFFF lea eax, [ebp-98]
0045C822 |. B1 05 mov cl, 5 ; 5
0045C824 |. E8 5B65FAFF call 00402D84
0045C829 |. 8D95 68FFFFFF lea edx, [ebp-98]
0045C82F |. 8D85 60FFFFFF lea eax, [ebp-A0]
0045C835 |. E8 7A65FAFF call 00402DB4
0045C83A |. 8D85 7CFFFFFF lea eax, [ebp-84]
0045C840 |. 8B55 EC mov edx, [ebp-14]
0045C843 |. 8A52 0C mov dl, [edx+C]
0045C846 |. 8850 01 mov [eax+1], dl
0045C849 |. C600 01 mov byte ptr [eax], 1
0045C84C |. 8D95 7CFFFFFF lea edx, [ebp-84]
0045C852 |. 8D85 60FFFFFF lea eax, [ebp-A0]
0045C858 |. B1 06 mov cl, 6 ; 6
0045C85A |. E8 2565FAFF call 00402D84
0045C85F |. 8D95 60FFFFFF lea edx, [ebp-A0]
0045C865 |. 8D85 58FFFFFF lea eax, [ebp-A8]
0045C86B |. E8 4465FAFF call 00402DB4
0045C870 |. 8D85 7CFFFFFF lea eax, [ebp-84]
0045C876 |. 8B55 EC mov edx, [ebp-14]
0045C879 |. 8A52 0D mov dl, [edx+D]
0045C87C |. 8850 01 mov [eax+1], dl
0045C87F |. C600 01 mov byte ptr [eax], 1
0045C882 |. 8D95 7CFFFFFF lea edx, [ebp-84]
0045C888 |. 8D85 58FFFFFF lea eax, [ebp-A8]
0045C88E |. B1 07 mov cl, 7 ; 7
0045C890 |. E8 EF64FAFF call 00402D84
0045C895 |. 8D95 58FFFFFF lea edx, [ebp-A8]
0045C89B |. 8D85 4CFFFFFF lea eax, [ebp-B4]
0045C8A1 |. E8 0E65FAFF call 00402DB4
0045C8A6 |. 8D85 7CFFFFFF lea eax, [ebp-84]
0045C8AC |. 8B55 EC mov edx, [ebp-14]
0045C8AF |. 8A52 0E mov dl, [edx+E]
0045C8B2 |. 8850 01 mov [eax+1], dl
0045C8B5 |. C600 01 mov byte ptr [eax], 1
0045C8B8 |. 8D95 7CFFFFFF lea edx, [ebp-84]
0045C8BE |. 8D85 4CFFFFFF lea eax, [ebp-B4]
0045C8C4 |. B1 08 mov cl, 8 ; 8
0045C8C6 |. E8 B964FAFF call 00402D84
0045C8CB |. 8D95 4CFFFFFF lea edx, [ebp-B4] ; "01010110" (bits 2,3,4,8,9,12,13,14 of the packed date, 0-based) = 86, about to become hex "56"
0045C8D1 |. 8D45 88 lea eax, [ebp-78]
0045C8D4 |. E8 EB7CFAFF call 004045C4
0045C8D9 |. 8B45 88 mov eax, [ebp-78] ; "01010110"
0045C8DC |. E8 B3F6FFFF call 0045BF94 ; binary string to integer: 86
0045C8E1 |. 8D4D 8C lea ecx, [ebp-74]
0045C8E4 |. BA 02000000 mov edx, 2
0045C8E9 |. E8 12BCFAFF call 00408500 ; IntToHex to 2 digits: 86 -> "56"
0045C8EE |. 8B45 8C mov eax, [ebp-74] ; "56"; worth reading slowly
0045C8F1 |. 50 push eax
0045C8F2 |. 8D45 84 lea eax, [ebp-7C]
0045C8F5 |. 8B55 EC mov edx, [ebp-14] ; again the packed "110512"
0045C8F8 |. 8A12 mov dl, [edx]
0045C8FA |. 8850 01 mov [eax+1], dl
0045C8FD |. C600 01 mov byte ptr [eax], 1
0045C900 |. 8D55 84 lea edx, [ebp-7C]
0045C903 |. 8D45 80 lea eax, [ebp-80]
0045C906 |. E8 A964FAFF call 00402DB4
0045C90B |. 8D85 7CFFFFFF lea eax, [ebp-84]
0045C911 |. 8B55 EC mov edx, [ebp-14]
0045C914 |. 8A52 01 mov dl, [edx+1]
0045C917 |. 8850 01 mov [eax+1], dl
0045C91A |. C600 01 mov byte ptr [eax], 1
0045C91D |. 8D95 7CFFFFFF lea edx, [ebp-84]
0045C923 |. 8D45 80 lea eax, [ebp-80]
0045C926 |. B1 02 mov cl, 2 ; 2
0045C928 |. E8 5764FAFF call 00402D84
0045C92D |. 8D55 80 lea edx, [ebp-80]
0045C930 |. 8D85 78FFFFFF lea eax, [ebp-88]
0045C936 |. E8 7964FAFF call 00402DB4
0045C93B |. 8D85 7CFFFFFF lea eax, [ebp-84]
0045C941 |. 8B55 EC mov edx, [ebp-14]
0045C944 |. 8A52 05 mov dl, [edx+5]
0045C947 |. 8850 01 mov [eax+1], dl
0045C94A |. C600 01 mov byte ptr [eax], 1
0045C94D |. 8D95 7CFFFFFF lea edx, [ebp-84]
0045C953 |. 8D85 78FFFFFF lea eax, [ebp-88]
0045C959 |. B1 03 mov cl, 3 ; 3
0045C95B |. E8 2464FAFF call 00402D84
0045C960 |. 8D95 78FFFFFF lea edx, [ebp-88]
0045C966 |. 8D85 70FFFFFF lea eax, [ebp-90]
0045C96C |. E8 4364FAFF call 00402DB4
0045C971 |. 8D85 7CFFFFFF lea eax, [ebp-84]
0045C977 |. 8B55 EC mov edx, [ebp-14]
0045C97A |. 8A52 06 mov dl, [edx+6]
0045C97D |. 8850 01 mov [eax+1], dl
0045C980 |. C600 01 mov byte ptr [eax], 1
0045C983 |. 8D95 7CFFFFFF lea edx, [ebp-84]
0045C989 |. 8D85 70FFFFFF lea eax, [ebp-90]
0045C98F |. B1 04 mov cl, 4 ; 4
0045C991 |. E8 EE63FAFF call 00402D84
0045C996 |. 8D95 70FFFFFF lea edx, [ebp-90]
0045C99C |. 8D85 68FFFFFF lea eax, [ebp-98]
0045C9A2 |. E8 0D64FAFF call 00402DB4
0045C9A7 |. 8D85 7CFFFFFF lea eax, [ebp-84]
0045C9AD |. 8B55 EC mov edx, [ebp-14]
0045C9B0 |. 8A52 07 mov dl, [edx+7]
0045C9B3 |. 8850 01 mov [eax+1], dl
0045C9B6 |. C600 01 mov byte ptr [eax], 1
0045C9B9 |. 8D95 7CFFFFFF lea edx, [ebp-84]
0045C9BF |. 8D85 68FFFFFF lea eax, [ebp-98]
0045C9C5 |. B1 05 mov cl, 5 ; 5
0045C9C7 |. E8 B863FAFF call 00402D84
0045C9CC |. 8D95 68FFFFFF lea edx, [ebp-98]
0045C9D2 |. 8D85 60FFFFFF lea eax, [ebp-A0]
0045C9D8 |. E8 D763FAFF call 00402DB4
0045C9DD |. 8D85 7CFFFFFF lea eax, [ebp-84]
0045C9E3 |. 8B55 EC mov edx, [ebp-14]
0045C9E6 |. 8A52 0A mov dl, [edx+A]
0045C9E9 |. 8850 01 mov [eax+1], dl
0045C9EC |. C600 01 mov byte ptr [eax], 1
0045C9EF |. 8D95 7CFFFFFF lea edx, [ebp-84]
0045C9F5 |. 8D85 60FFFFFF lea eax, [ebp-A0]
0045C9FB |. B1 06 mov cl, 6 ; 6
0045C9FD |. E8 8263FAFF call 00402D84
0045CA02 |. 8D95 60FFFFFF lea edx, [ebp-A0]
0045CA08 |. 8D85 58FFFFFF lea eax, [ebp-A8]
0045CA0E |. E8 A163FAFF call 00402DB4
0045CA13 |. 8D85 7CFFFFFF lea eax, [ebp-84]
0045CA19 |. 8B55 EC mov edx, [ebp-14]
0045CA1C |. 8A52 0B mov dl, [edx+B]
0045CA1F |. 8850 01 mov [eax+1], dl
0045CA22 |. C600 01 mov byte ptr [eax], 1
0045CA25 |. 8D95 7CFFFFFF lea edx, [ebp-84]
0045CA2B |. 8D85 58FFFFFF lea eax, [ebp-A8]
0045CA31 |. B1 07 mov cl, 7 ; 7
0045CA33 |. E8 4C63FAFF call 00402D84
0045CA38 |. 8D95 58FFFFFF lea edx, [ebp-A8]
0045CA3E |. 8D85 4CFFFFFF lea eax, [ebp-B4]
0045CA44 |. E8 6B63FAFF call 00402DB4
0045CA49 |. 8D85 7CFFFFFF lea eax, [ebp-84]
0045CA4F |. 8B55 EC mov edx, [ebp-14]
0045CA52 |. 8A52 0F mov dl, [edx+F]
0045CA55 |. 8850 01 mov [eax+1], dl
0045CA58 |. C600 01 mov byte ptr [eax], 1
0045CA5B |. 8D95 7CFFFFFF lea edx, [ebp-84]
0045CA61 |. 8D85 4CFFFFFF lea eax, [ebp-B4]
0045CA67 |. B1 08 mov cl, 8 ; 8
0045CA69 |. E8 1663FAFF call 00402D84
0045CA6E |. 8D95 4CFFFFFF lea edx, [ebp-B4] ; "00110100" (bits 0,1,5,6,7,10,11,15 of the packed date, 0-based) = 52, about to become hex "34"
0045CA74 |. 8D85 44FFFFFF lea eax, [ebp-BC]
0045CA7A |. E8 457BFAFF call 004045C4
0045CA7F |. 8B85 44FFFFFF mov eax, [ebp-BC]
0045CA85 |. E8 0AF5FFFF call 0045BF94 ; binary string to integer: 52
0045CA8A |. 8D8D 48FFFFFF lea ecx, [ebp-B8]
0045CA90 |. BA 02000000 mov edx, 2
0045CA95 |. E8 66BAFAFF call 00408500 ; IntToHex to 2 digits: 52 -> "34"
0045CA9A |. 8B95 48FFFFFF mov edx, [ebp-B8] ; "34"; read slowly
0045CAA0 |. 8D45 DC lea eax, [ebp-24]
0045CAA3 |. 59 pop ecx ; "56" popped off the stack
0045CAA4 |. E8 C37BFAFF call 0040466C ; concatenation: "34" + "56"
0045CAA9 |. 8D85 40FFFFFF lea eax, [ebp-C0]
0045CAAF |. 8B4D E4 mov ecx, [ebp-1C] ; the username's MD5
0045CAB2 |. 8B55 DC mov edx, [ebp-24] ; 3456
0045CAB5 |. E8 B27BFAFF call 0040466C ; concatenation again: "3456" + username MD5
0045CABA |. 8B85 40FFFFFF mov eax, [ebp-C0] ; the concatenated string
0045CAC0 |. 8D55 D8 lea edx, [ebp-28]
0045CAC3 |. E8 7CF7FFFF call 0045C244 ; this call yields the first two characters of the final serial, "4C" in my case; it changes with the serial you entered
0045CAC8 |. 8D45 D4 lea eax, [ebp-2C]
0045CACB |. 50 push eax
0045CACC |. 8D85 38FFFFFF lea eax, [ebp-C8]
0045CAD2 |. 8B4D D8 mov ecx, [ebp-28] ; 4C
0045CAD5 |. 8B55 DC mov edx, [ebp-24] ; 连接后的字符串
0045CAD8 |. E8 8F7BFAFF call 0040466C ; 连接函数
0045CADD |. 8B85 38FFFFFF mov eax, [ebp-C8] ; 34564C
0045CAE3 |. 8D55 B8 lea edx, [ebp-48]
0045CAE6 |. E8 51F3FFFF call 0045BE3C
0045CAEB |. 8D45 B8 lea eax, [ebp-48]
0045CAEE |. 8D95 3CFFFFFF lea edx, [ebp-C4]
0045CAF4 |. E8 B7F3FFFF call 0045BEB0 ; MD5 of 34564C, below
0045CAF9 |. 8B85 3CFFFFFF mov eax, [ebp-C4] ; a3fd9ef98cbec3ed4fd71bfd66f1e0e1
0045CAFF |. B9 02000000 mov ecx, 2 ; take two characters
0045CB04 |. BA 08000000 mov edx, 8 ; starting at character 8, which gives "98"
0045CB09 |. E8 727DFAFF call 00404880
0045CB0E |. 8D85 34FFFFFF lea eax, [ebp-CC] ; the next string is the MD5 of (username MD5 + expiry-date MD5)
0045CB14 |. 8B4D E8 mov ecx, [ebp-18] ; 9c1524aedce89fa6e8c4edb04ed1f73f, the string I call AA
0045CB17 |. 8B55 E4 mov edx, [ebp-1C]
0045CB1A |. E8 4D7BFAFF call 0040466C ; concatenation: username MD5 + AA
0045CB1F |. 8B85 34FFFFFF mov eax, [ebp-CC]
0045CB25 |. 8D55 D0 lea edx, [ebp-30]
0045CB28 |. E8 17F7FFFF call 0045C244 ; yields "77" (pushed at 0045CB83)
0045CB2D |. 8D85 30FFFFFF lea eax, [ebp-D0]
0045CB33 |. 8B4D E8 mov ecx, [ebp-18] ; AA
0045CB36 |. 8B55 E0 mov edx, [ebp-20] ; expiry-date MD5
0045CB39 |. E8 2E7BFAFF call 0040466C ; concatenation: expiry-date MD5 + AA
0045CB3E |. 8B85 30FFFFFF mov eax, [ebp-D0] ; a long one
0045CB44 |. 8D55 CC lea edx, [ebp-34]
0045CB47 |. E8 F8F6FFFF call 0045C244 ; yields "7A" (pushed at 0045CBB4)
0045CB4C |. FF75 D8 push dword ptr [ebp-28] ; 4C
0045CB4F |. FF75 DC push dword ptr [ebp-24] ; 3456
0045CB52 |. FF75 D4 push dword ptr [ebp-2C] ; 98
0045CB55 |. 8D85 28FFFFFF lea eax, [ebp-D8]
0045CB5B |. 8B55 E8 mov edx, [ebp-18]
0045CB5E |. 8A52 07 mov dl, [edx+7] ; character 8 of AA above (offset 7): "e"
0045CB61 |. E8 E279FAFF call 00404548
0045CB66 |. FFB5 28FFFFFF push dword ptr [ebp-D8]
0045CB6C |. 8D85 24FFFFFF lea eax, [ebp-DC]
0045CB72 |. 8B55 E8 mov edx, [ebp-18]
0045CB75 |. 8A52 0E mov dl, [edx+E] ; character 15: "a"
0045CB78 |. E8 CB79FAFF call 00404548
0045CB7D |. FFB5 24FFFFFF push dword ptr [ebp-DC]
0045CB83 |. FF75 D0 push dword ptr [ebp-30] ; "77" taken directly, a special case
0045CB86 |. 8D85 20FFFFFF lea eax, [ebp-E0]
0045CB8C |. 8B55 E8 mov edx, [ebp-18]
0045CB8F |. 8A52 17 mov dl, [edx+17] ; character 24: "0"
0045CB92 |. E8 B179FAFF call 00404548
0045CB97 |. FFB5 20FFFFFF push dword ptr [ebp-E0]
0045CB9D |. 8D85 1CFFFFFF lea eax, [ebp-E4]
0045CBA3 |. 8B55 E8 mov edx, [ebp-18]
0045CBA6 |. 8A52 0B mov dl, [edx+B] ; character 12: "8"
0045CBA9 |. E8 9A79FAFF call 00404548
0045CBAE |. FFB5 1CFFFFFF push dword ptr [ebp-E4]
0045CBB4 |. FF75 CC push dword ptr [ebp-34] ; "7A" also taken directly, another special case
0045CBB7 |. 8D85 2CFFFFFF lea eax, [ebp-D4]
0045CBBD |. BA 09000000 mov edx, 9
0045CBC2 |. E8 197BFAFF call 004046E0 ; concatenates the nine pieces pushed above: that is the real serial
0045CBC7 |. 8B85 2CFFFFFF mov eax, [ebp-D4] ; here it is, the real serial on the stack (ASCII "4C345698ea77087A")
0045CBCD |. 8D55 C8 lea edx, [ebp-38]
0045CBD0 |. E8 5FB3FAFF call 00407F34 ; upper-cases it; the stored result is 4C345698EA77087A, the reference serial (the check loop rejects lower-case letters)
0045CBD5 |. 8B45 F4 mov eax, [ebp-C]
0045CBD8 |. 8B55 C8 mov edx, [ebp-38] ; here it is
0045CBDB |. E8 D477FAFF call 004043B4
【Algorithm summary】
------------------------------------------------------------------------
Username: binbinbin
Serial: 1234567890123456 (fake)
Expiry string: 110512
Analysis of the real serial 4C345698ea77087A:
1. MD5 of binbinbin: a35ace6d1594e9da9b723b6c9f541c77, call it X
MD5 of 110512: 316a6f4ced05edfc00f35e2699f0b762, call it Y
MD5 of X+Y: 9c1524aedce89fa6e8c4edb04ed1f73f, call it AA
MD5 of the intermediate value 34564C: a3fd9ef98cbec3ed4fd71bfd66f1e0e1
2. call 0045C244 computes "4C", "77" and "7A" (from "3456"+X, X+AA and Y+AA respectively)
3. "3456" is taken straight from the corresponding positions of the fake serial we entered: it is the expiry date 110512 packed into 16 bits and bit-shuffled, so characters 3-6 of the serial carry the expiry date
4. "98" comes from characters 8-9 of the MD5 of the intermediate value above; see the code comments
5. "e", "a", "0", "8" come from characters 8, 15, 24 and 12 of AA, the MD5 of X+Y. The assembled string is upper-cased before it is stored
There is still a lot in this crackme that I do not understand. I hope the masters will correct me!!!!
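As an added example, not the author's or the crackme's own code, the following Python reconstructs the parts of the algorithm that the disassembly above pins down: the character check at 0045D14D, the date packing and bit gather of section 3, the date recovery of section 2.1, and the MD5-derived serial positions. All function names are ours. Two assumptions: 0045BEB0 is standard MD5 (hashlib reproduces the page's digests), and 0045CC34 recovers the date by inverting the section-3 bit gather on serial characters 3-6, which the writeup does not show but which turns "1234567890123456" into "110512" as the page reports. The call 0045C244, which produces "4C", "77" and "7A", is not explained on the page and is not reproduced, so the result is a consistency check over the other positions rather than a complete keygen.

```python
"""Partial keygen/verifier for lanyus's reg.rar crackme, reconstructed from the
disassembly in this writeup. Names are ours; 0045C244 is not reproduced."""
import hashlib

# 0-based positions in the 16-bit packed date that 0045C5E0 gathers into its
# two bytes (the mov dl,[edx+N] sequence): BYTE_A -> serial chars 5-6 ("56"),
# BYTE_B -> serial chars 3-4 ("34").
BYTE_A_BITS = (2, 3, 4, 8, 9, 12, 13, 14)   # "01010110" = 0x56 for 110512
BYTE_B_BITS = (0, 1, 5, 6, 7, 10, 11, 15)   # "00110100" = 0x34 for 110512


def md5hex(s: str) -> str:
    """Call 0045BEB0: MD5 of the string bytes as 32 lower-case hex chars.
    Assumes standard MD5 and ASCII usernames (the crackme hashes AnsiString bytes)."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


def serial_chars_ok(serial: str) -> bool:
    """The loop at 0045D14D: exactly 16 chars, each '0'-'9' or 'A'-'F'.
    add dl,0D0 / sub dl,0A / jb is (c-'0') < 10; add dl,0F9 / sub dl,6 / jnb
    is (c-'A') < 6, so lower-case hex digits fail the check."""
    return len(serial) == 16 and all(
        "0" <= c <= "9" or "A" <= c <= "F" for c in serial)


def pack_date(yymmdd: str) -> str:
    """'110512' -> '0001011010101100': low 7 bits of the year, 4 of the month,
    5 of the day (the SubStr calls at 0045C6E9, 0045C70C and 0045C72F)."""
    yy, mm, dd = int(yymmdd[0:2]), int(yymmdd[2:4]), int(yymmdd[4:6])
    return f"{yy:07b}{mm:04b}{dd:05b}"


def unpack_date(bits: str) -> tuple:
    """What 0045CF76..0045D061 does with the 16-bit string: (2011, 5, 12)."""
    return 2000 + int(bits[0:7], 2), int(bits[7:11], 2), int(bits[11:16], 2)


def date_field(bits: str) -> str:
    """The bit gather at 0045C74E..0045CAA4: two bytes, each IntToHex'd to two
    digits and joined as "34" + "56"."""
    a = int("".join(bits[i] for i in BYTE_A_BITS), 2)
    b = int("".join(bits[i] for i in BYTE_B_BITS), 2)
    return f"{b:02X}{a:02X}"


def expiry_from_serial(serial: str) -> str:
    """ASSUMPTION: 0045CC34 is the inverse of date_field applied to serial
    chars 3-6 (the writeup does not show that routine's arithmetic). Scatter
    the two bytes back to their bit positions and read the date; for
    '1234567890123456' this gives '110512', matching the writeup."""
    b, a = int(serial[2:4], 16), int(serial[4:6], 16)
    bits = [""] * 16
    for k, pos in enumerate(BYTE_A_BITS):
        bits[pos] = f"{a:08b}"[k]
    for k, pos in enumerate(BYTE_B_BITS):
        bits[pos] = f"{b:08b}"[k]
    y, m, d = unpack_date("".join(bits))
    return f"{y % 100:02d}{m:02d}{d:02d}"


def derived_chars(username: str, serial: str) -> dict:
    """Serial characters (0-based position -> char) that 0045C5E0 derives from
    MD5 alone. Positions 0-1, 10-11 and 14-15 come from the unexplained call
    0045C244 and are not reproduced; the serial's own first two chars stand in
    for its first output when hashing "3456"+"4C". Positions 2-5 are the date
    itself and round-trip by construction, so they are not listed."""
    yymmdd = expiry_from_serial(serial)
    x = md5hex(username)                   # X, a35ace6d... for binbinbin
    y = md5hex(yymmdd)                     # Y, 316a6f4c... for 110512
    aa = md5hex(x + y)                     # AA, 9c1524ae...
    h = md5hex(date_field(pack_date(yymmdd)) + serial[0:2])   # MD5("34564C")
    chars = {6: h[7], 7: h[8],             # "98": chars 8-9 of that MD5
             8: aa[7], 9: aa[14], 12: aa[23], 13: aa[11]}     # "e","a","0","8"
    return {k: v.upper() for k, v in chars.items()}  # 00407F34 upper-cases


def check_serial(username: str, serial: str) -> dict:
    """{position: (expected, got)} for every checkable position that disagrees.
    An empty dict means the serial is consistent with the name at those positions."""
    if not serial_chars_ok(serial):
        return {"charset": ("16 chars of 0-9A-F", serial)}
    return {i: (c, serial[i]) for i, c in derived_chars(username, serial).items()
            if serial[i] != c}


if __name__ == "__main__":
    # The writeup's pair: expiry 2011-05-12 and no mismatches expected.
    print(expiry_from_serial("4C345698EA77087A"),
          check_serial("binbinbin", "4C345698EA77087A"))
```

Running it on the page's name/serial pair reports the expiry "110512" and an empty mismatch dict; changing one of the MD5-derived characters, or lower-casing the serial, makes check_serial report the offending position. Because the date lives in characters 3-6 of the serial itself, any fake serial fixes the expiry date before the rest of the key is computed, which is why the writeup says the fake serial determines the validity date.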