【文章标题】: [破]CrackMe.qxtianlong.VC7.1
【文章作者】: HappyTown
【作者邮箱】: [email]wxr277@163.com[/email]
【作者主页】: www.pediy.com
【软件名称】: CrackMe1
【软件大小】: 224KB
【下载地址】: 附件内
【加壳方式】: 无
【保护方式】: MD5 + RC6-32/20/16
【编写语言】: VC7
【使用工具】: OD,DAMN_Hash,PEiD
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
一、基本信息:
1. PEiD查看,为VC 7编写,无壳;
2. KANAL分析使用了MD5 + RC5/RC6;
3. 什么都不输入,弹出错误信息,这个可以帮助定位应该下断的地方。
二、分析过程:
1. OD载入,下断点;
2. 输入试炼码:
用户名:happy
注册码:1234567890ABCDEFAABBCCDDEEFF9876
3. 为了方便,我给有些call加上了标签。
00401B40 push -1 ; SEH frame: trylevel = -1 (no active __try yet)
00401B42 push 00425A3B ; SEH handler install (exception handler thunk)
00401B47 mov eax, fs:[0]
00401B4D push eax ; link to the previous handler
00401B4E mov fs:[0], esp ; register the new EXCEPTION_REGISTRATION
00401B55 sub esp, 1D4 ; locals: key, binary sn, MD5 digest, MD5 ctx, text buffer
00401B5B mov eax, [4320EC] ; likely the /GS security cookie being stored — confirm
00401B60 mov [esp+1D0], eax
00401B67 push ebx ; ebx is callee-saved; below, "E" = esp right after this push
00401B68 mov al, 5C ; 5C and 47 each occur twice in the key, so they are loaded once
00401B6A mov ebx, ecx ; ebx = this (thiscall)
00401B6C mov cl, 47
00401B6E mov [esp+7], al ; key[3]  = 5C   (the 16-byte key buffer lives at E+4)
00401B72 mov [esp+11], al ; key[13] = 5C
00401B76 push 104 ; max text length for GetTxt
00401B7B lea eax, [esp+D4] ; E+D0: text buffer (name)
00401B82 mov [esp+9], cl ; key[1]  = 47   (esp = E-4 here)
00401B86 mov [esp+17], cl ; key[15] = 47
00401B8A push eax
00401B8B lea ecx, [ebx+C4] ; this+C4: the control GetTxt reads the name from
00401B91 mov byte ptr [esp+C], 35 ; //RC6-32/20/16 — key[0]; esp = E-8 from here on
00401B96 mov byte ptr [esp+E], 82 ; key[2]
00401B9B mov byte ptr [esp+10], 33 ; key[4]
00401BA0 mov byte ptr [esp+11], 8C ; key[5]
00401BA5 mov byte ptr [esp+12], 85 ; key[6]
00401BAA mov byte ptr [esp+13], 77 ; key[7]
00401BAF mov byte ptr [esp+14], 9A ; key[8]
00401BB4 mov byte ptr [esp+15], 67 ; key[9]
00401BB9 mov byte ptr [esp+16], 45 ; key[10]
00401BBE mov byte ptr [esp+17], 7A ; key[11]
00401BC3 mov byte ptr [esp+18], 6D ; key[12]
00401BC8 mov byte ptr [esp+1A], 16 ; key[14] \\Key (fixed in the binary): 35 47 82 5C 33 8C 85 77 9A 67 45 7A 6D 5C 16 47
00401BCD call <GetTxt> ; callee cleans its 2 args (esp = E again afterwards)
00401BD2 lea ecx, [esp+34] ; E+34: MD5 context, passed as this
00401BD6 call <MD5_Init> ======> go into
///////////////// MD5 constants inside
00402910 >mov edx, ecx ; edx = this (MD5 context, thiscall)
00402912 push esi
00402913 push edi
00402914 xor eax, eax ; eax = 0: used for the two counters and as the rep stos fill value
00402916 lea esi, [edx+5C] ; this+5C: 64-byte block buffer (16 dwords, see ecx below)
00402919 mov edi, esi
0040291B mov [edx+18], eax ; likely the message bit count (high/low) — confirm in MD5_Update
0040291E mov [edx+14], eax
00402921 mov ecx, 10 ; 16 dwords = 64 bytes
00402926 mov dword ptr [edx], 00427A1C ; presumably the object's vtable pointer — confirm
0040292C mov dword ptr [edx+4], 67452301 ; A — the standard MD5 initial state
00402933 mov dword ptr [edx+8], EFCDAB89 ; B
0040293A mov dword ptr [edx+C], 98BADCFE ; C
00402941 mov dword ptr [edx+10], 10325476 ; D
00402948 rep stos dword ptr es:[edi] ; zero the block buffer at this+5C
0040294A pop edi
0040294B mov byte ptr [esi], 80 ; first buffer byte = 0x80 (the MD5 padding marker)
0040294E mov eax, edx ; return this
00402950 pop esi
00402951 retn ; no stack args to clean
\\\\\\\\\\\\\\\\\\
00401BDB lea eax, [esp+D0] ; name (E+D0, filled by GetTxt above; E = esp here)
00401BE2 mov dword ptr [esp+1E0], 0 ; likely the SEH trylevel set to 0 — confirm
00401BED lea edx, [eax+1] ; inline strlen: edx = name+1
00401BF0 mov cl, [eax]
00401BF2 inc eax
00401BF3 test cl, cl
00401BF5 jnz short 00401BF0 ; scan to the NUL
00401BF7 sub eax, edx ; eax = strlen(name)
00401BF9 push eax ; name length
00401BFA lea ecx, [esp+D4] ; E+D0 again (one push above)
00401C01 push ecx ; name
00401C02 lea ecx, [esp+3C] ; E+34: MD5 context (this)
00401C06 call <MD5_Update> ; ctx.Update(name, len); callee cleans its 2 args
00401C0B lea edx, [esp+24] ; E+24: 16-byte digest output
00401C0F push edx ; /Arg1
00401C10 lea ecx, [esp+38] ; | E+34: MD5 context (this)
00401C14 call <MD5_Final> ; \CrackMe1.00402A30 -> MD5(name) now at E+24
00401C19 push 104
00401C1E lea eax, [esp+D4] ; E+D0: the same text buffer, reused for sn
00401C25 push eax
00401C26 lea ecx, [ebx+74] ; this+74: the control GetTxt reads the serial from
00401C29 call <GetTxt>
00401C2E lea ecx, [esp+D0] ; sn text
00401C35 push ecx ; sn
00401C36 mov ecx, ebx ; this
00401C38 call <checksn> ; sn acceptable? sn length must be 32 (it is parsed as hex below)
00401C3D test eax, eax
00401C3F je short 00401C95 ; reject
00401C41 push esi ; esi/edi are callee-saved; esp = E-8 below
00401C42 push edi
00401C43 lea edx, [esp+1C] ; E+14: 16-byte binary sn (output)
00401C47 push edx
00401C48 lea eax, [esp+DC] ; E+D0: sn text (input)
00401C4F push eax ; sn
00401C50 mov ecx, ebx
00401C52 call 00401450 ; parse the 32 hex digits of sn into 16 raw bytes at E+14
00401C57 lea ecx, [esp+C] ; E+4: the 16-byte key built at function entry
00401C5B push 10 ; 16 = key length in bytes
00401C5D push ecx ; key: 35 47 82 5C 33 8C 85 77 9A 67 45 7A 6D 5C 16 47
00401C5E call <RC6_Set_Key> ======>
//////////
00401160 >/>sub esp, 24 ; locals: [esp+10]=c (key words), [esp+14..]=L[0..c-1]; the expanded key S is the global table at 433040
00401163 |>mov ecx, [esp+2C] ; ecx = b = key length in bytes (2nd arg; 16 in the caller)
00401167 |>lea eax, [ecx+3]
0040116A |>cdq
0040116B |>and edx, 3
0040116E |>push ebx
0040116F |>add eax, edx
00401171 |>push ebp
00401172 |>sar eax, 2 ; eax = c = (b+3)/4, signed division by 4
00401175 |>xor ebp, ebp ; ebp = 0
00401177 |>dec ecx ; ecx = b-1: index of the last key byte
00401178 |>cmp ecx, ebp
0040117A |>push esi
0040117B |>push edi ; after the four pushes the args sit at [esp+38] (key) and [esp+3C] (length)
0040117C |>mov [esp+10], eax ; save c
00401180 |>mov [esp+eax*4+10], ebp ; L[c-1] = 0 (only the last word is cleared before loading)
00401184 |>jl short 004011AB ; flags still from the cmp above (push/mov preserve them); empty key skips the load loop
00401186 |>mov esi, [esp+38] ; esi = key bytes (1st arg)
0040118A |>lea ebx, [ebx] ; multi-byte nop: aligns the loop head
00401190 |>/movzx edi, byte ptr [ecx+esi] ; edi = K[i]
00401194 |>|mov edx, ecx
00401196 |>|shr edx, 2 ; edx = i/4
00401199 |>|mov ebx, [esp+edx*4+14] ; ebx = L[i/4]
0040119D |>|lea edx, [esp+edx*4+14]
004011A1 |>|shl ebx, 8
004011A4 |>|add edi, ebx ; L[i/4] = (L[i/4] << 8) + K[i]
004011A6 |>|dec ecx
004011A7 |>|mov [edx], edi
004011A9 |>\jns short 00401190 ; for i = b-1 down to 0 (little-endian word load)
004011AB |>mov dword ptr [433040], B7E15163 ; S[0] = P (magic constant P)
004011B5 |>mov ecx, 00433044 ; ecx = &S[1]
004011BA |>lea ebx, [ebx] ; alignment nop
004011C0 |>/mov edx, [ecx-4]
004011C3 |>|sub edx, 61C88647 ; S[i] = S[i-1] + Q; magic constant Q (sub 61C88647 equals add 9E3779B9 mod 2^32)
004011C9 |>|mov [ecx], edx
004011CB |>|add ecx, 4
004011CE |>|cmp ecx, 004330EC ; last slot: (4330EC-433040)/4 = 43, so 44 words = 2r+4 with r = 20
004011D4 |>\jle short 004011C0
004011D6 |>mov edx, 2C ; 44 = number of S words
004011DB |>xor edi, edi ; i = 0 (index into S)
004011DD |>xor ecx, ecx ; B = 0
004011DF |>xor esi, esi ; A = 0
004011E1 |>cmp eax, edx
004011E3 |>jle short 004011E7
004011E5 |>mov edx, eax ; edx = max(c, 44)
004011E7 |>lea eax, [edx+edx*2] ; mixing iterations = 3 * max(c, 44)
004011EA |>cmp eax, 1
004011ED |>jl short 00401258 ; never taken with 44 words, kept for generality
004011EF |>mov [esp+3C], eax ; loop counter (reuses the consumed length-arg slot)
004011F3 |>/mov eax, [edi*4+433040] ; eax = S[i]
004011FA |>|add eax, ecx ; + B
004011FC |>|add esi, eax ; esi = S[i] + A + B
004011FE |>|mov eax, esi
00401200 |>|shr eax, 1D ; rol 3 bits = ror 29 bits, built as (x >> 29) | (x << 3)
00401203 |>|lea edx, [esi*8]
0040120A |>|or eax, edx
0040120C |>|mov [edi*4+433040], eax ; S[i] = rotl(S[i] + A + B, 3)
00401213 |>|mov esi, eax ; A = S[i]
00401215 |>|mov eax, [esp+ebp*4+14] ; eax = L[j]
00401219 |>|add eax, ecx ; + B
0040121B |>|lea edx, [eax+esi] ; edx = L[j] + A + B
0040121E |>|lea ebx, [ecx+esi]
00401221 |>|mov eax, edx
00401223 |>|and ebx, 1F ; rotation amount n = (A + B) mod 32
00401226 |>|mov ecx, 20
0040122B |>|sub ecx, ebx
0040122D |>|shr eax, cl ; x >> (32-n); a count of 32 is masked to 0, so n = 0 still yields x
0040122F |>|mov ecx, ebx
00401231 |>|shl edx, cl ; x << n
00401233 |>|or eax, edx
00401235 |>|mov [esp+ebp*4+14], eax ; L[j] = rotl(L[j] + A + B, n)
00401239 |>|mov ecx, eax ; B = L[j]
0040123B |>|lea eax, [edi+1]
0040123E |>|cdq
0040123F |>|mov edi, 2C
00401244 |>|idiv edi
00401246 |>|lea eax, [ebp+1]
00401249 |>|mov edi, edx ; i = (i + 1) mod 44
0040124B |>|cdq
0040124C |>|idiv dword ptr [esp+10]
00401250 |>|dec dword ptr [esp+3C]
00401254 |>|mov ebp, edx ; j = (j + 1) mod c
00401256 |>\jnz short 004011F3 ; until all 3*max(c,44) iterations are done
00401258 |>pop edi
00401259 |>pop esi
0040125A |>pop ebp
0040125B |>pop ebx
0040125C |>add esp, 24
0040125F \>retn ; cdecl: the caller removes the two args (add esp, 10 after RC6_Encrypt)
\\\\\\\\\
00401C63 lea edx, [esp+24] ; E+14: the 16-byte binary sn (esp = E-10, the two RC6_Set_Key args are still on the stack)
00401C67 push edx ; sn (same buffer passed twice, so the result lands where the input was)
00401C68 mov eax, edx
00401C6A push eax ; sn
00401C6B call <RC6_Encrypt> ; RC6-32/20/16 Encrypt(sn) ===>
////////
00401260 >/>sub esp, 8 ; two local dwords (round-key pointer and the carried A, see below)
00401263 |>mov eax, [esp+C] ; eax = input block (1st arg)
00401267 |>mov edx, [eax+8] ; C
0040126A |>mov ecx, [eax] ; A = sn_1:78563412 (first 4 sn bytes, little-endian)
0040126C |>push ebx
0040126D |>mov ebx, [eax+4] ; B = sn_2:EFCDAB90
00401270 |>push ebp
00401271 |>mov ebp, [eax+C] ; D = sn_4:7698FFEE
00401274 |>mov eax, [433044] ; S[1] = EE7A3CB4 (value after RC6_Set_Key)
00401279 |>mov [esp+14], edx ; C = sn_3:DDCCBBAA, kept on the stack
0040127D |>mov edx, [433040] ; S[0] = 63D4757A
00401283 |>push esi
00401284 |>add ebx, edx ; B += S[0] -> 53A2210A
00401286 |>push edi
00401287 |>add ebp, eax ; D += S[1]
00401289 |>mov dword ptr [esp+10], 0043304C ; round-key pointer, starts at &S[2]
00401291 |>jmp short 00401297 ; first round enters with A already in ecx
00401293 |>/mov ecx, [esp+14] ; later rounds: presumably reload A from a local the elided loop tail updates — confirm
00401297 |> lea eax, [ebx+ebx+1] ; 2B+1
0040129B |>|imul eax, ebx ; B*(2B+1)
0040129E |>|mov edx, eax
004012A0 |>|shl eax, 5 ; t = B*(2B+1) <<< 5; lg(w) = 5 for w = 32 (the RC5 key-schedule constant is 3)
004012A3 |>|shr edx, 1B
004012A6 |>|or edx, eax ; edx = t
004012A8 |>|lea eax, [ebp+ebp+1] ; 2D+1
004012AC |>|imul eax, ebp ; D*(2D+1)
004012AF |>|mov esi, eax
004012B1 |>|shl eax, 5 ; u = D*(2D+1) <<< 5
004012B4 |>|shr esi, 1B
004012B7 |>|or esi, eax
004012B9 |>|mov eax, esi ; u = 3C7D3545 (rest of the round is not shown in this excerpt)
.......
\\\\\\\\
00401C70 add esp, 10 ; remove the 4 cdecl args of RC6_Set_Key and RC6_Encrypt (esp = E-8)
00401C73 mov ecx, 4 ; compare 4 dwords = 16 bytes
00401C78 lea edi, [esp+1C] ; E+14 //RC6(sn):F9 77 25 2A 9E 70 C8 3B E8 28 51 41 A2 C8 77 D1
00401C7C lea esi, [esp+2C] ; E+24 MD5(name):56 AB 24 C1 5B 72 A4 57 06 9C 5E A4 2F CF C6 40
00401C80 xor edx, edx ; \\Compare RC6(sn) and MD5(name): equal or not
00401C82 repe cmps dword ptr es:[edi], dword p> ; (listing cut off) repe cmpsd: memcmp of the two 16-byte blocks, stops at the first differing dword
00401C84 pop edi ; pop does not touch the flags left by cmpsd
00401C85 pop esi
00401C86 jnz short 00401C95 ; mismatch -> failure path at 00401C95 (outside this excerpt)
可以看出程序的验证过程是判断RC6_Encrypt(sn) ?= MD5(name)。那么注册算法很简单:sn = RC6_Decrypt(MD5(name))。
一组可用的注册码:
用户名:happy
注册码:B7F45013276C2B4A52ECC4AE475CF583
注册机在附件内。
--------------------------------------------------------------------------------
【经验总结】
这个CrackMe的验证算法思路简单明了,很适合密码学的入门者,郑重推荐。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年11月09日 0:31:07