[原创][破]KeyGenMe.x3chun.vc6.2
发表于: 2006-11-26 10:13 5312
【文章标题】: [破]KeyGenMe.x3chun.vc6.2
【文章作者】: HappyTown
【作者邮箱】: [email]wxr277@163.com[/email]
【作者主页】: www.pediy.com
【软件名称】: x3chun's Crypto KeyGenMe #2
【下载地址】: See it in attachment
【加壳方式】: None
【保护方式】: MD4(modified) + TEA
【编写语言】: VC6
【使用工具】: OD,IDA,CALC
--------------------------------------------------------------------------------
【详细过程】
This KeyGenMe, written by x3chun (a South Korean author), is perfect for newbies to crypto algorithms.
OK,let's get started.
NAME: happy
SERIAL:1234567822222222
004010FB |.>push 64 ; /Count = 64 (100.) ; name buffer is 100 bytes, at [ebp-64] (see 0040116F)
004010FD |.>push eax ; |Buffer
004010FE |.>push 3E9 ; |ControlID = 3E9 (1001.)
00401103 |.>push esi ; |hWnd
00401104 |.>call edi ; \GetDlgItemTextA ; returns the number of characters copied
00401106 |.>mov ebx, eax ; ebx = nameLen, kept live until MD4_Update
00401108 |.>cmp ebx, 3 ; nameLen must not be less than 3
0040110B |.>jge short 00401129 ; signed compare; the count is never negative, so it behaves as an unsigned check here
0040110D |>>push 004060E4 ; /Text = "Try Again" ; common failure exit, also reached from the serial-length check at 0040113D
00401112 |.>push 3E8 ; |ControlID = 3E8 (1000.)
00401117 |.>push esi ; |hWnd
00401118 |.>call [<&USER32.SetDlgItemTextA>] ; \SetDlgItemTextA
0040111E |.>xor eax, eax ; return FALSE
00401120 |.>pop edi
00401121 |.>pop esi
00401122 |.>pop ebx
00401123 |.>mov esp, ebp
00401125 |.>pop ebp
00401126 |.>retn 10 ; stdcall: pops the 4 dialog-procedure arguments
00401129 |>>lea ecx, [ebp-3E0] ; serial buffer (100 bytes)
0040112F |.>push 64
00401131 |.>push ecx
00401132 |.>push 3E8 ; serial is read from the same control (1000) that later receives the result text
00401137 |.>push esi
00401138 |.>call edi ; USER32.GetDlgItemTextA
0040113A |.>cmp eax, 10 ; snLen must be 16 (0x10): two halves of 8 characters
0040113D |.>jnz short 0040110D ; exact length only; no visible check that the characters are hex digits (that is left to 00401000)
0040113F |.>lea edx, [ebp-3E0]
00401145 |.>push edx ; sn ; first 8 characters
00401146 |.>call 00401000 ; not shown; presumably converts 8 hex characters to one dword (the later "sn_1:12345678" comment suggests so) - confirm
0040114B |.>mov [ebp-250], eax ; sn_1, consumed as TEA v0 at 004011D0
00401151 |.>lea eax, [ebp-3D8] ; sn + 8
00401157 |.>push eax ; sn_2 ; last 8 characters
00401158 |.>call 00401000
0040115D |.>mov [ebp-24C], eax ; sn_2, consumed as TEA v1 at 004011D2
00401163 |.>lea ecx, [ebp-C0] ; MD4 context; only the name is hashed
00401169 |.>push ecx
0040116A |.>call <MD4_Init> ====> ; the five cdecl calls' arguments (8 dwords) are popped together at 00401193
MD4_Init
{
004019A0 >/$>mov edx, [esp+4] ; edx = ctx (single cdecl argument)
004019A4 |.>push edi
004019A5 |.>mov ecx, 17 ; 0x17 = 23 dwords: zero the whole context before setting the state
004019AA |.>xor eax, eax
004019AC |.>mov edi, edx
004019AE |.>rep stos dword ptr es:[edi]
004019B0 |.>mov dword ptr [edx], 67452301 ; A: standard MD4 initial value
004019B6 |.>mov dword ptr [edx+4], EFCDAB89 ; B: standard
004019BD |.>mov dword ptr [edx+8], 89ABCDEF ; Modified this parameter (standard C is 98BADCFE); a stock MD4 library will not reproduce this hash until its IV is patched
004019C4 |.>mov dword ptr [edx+C], 10325476 ; D: standard
004019CB |.>mov [edx+14], eax ; presumably the 64-bit message length counter (already zeroed by the rep stos above) - confirm
004019CE |.>mov [edx+10], eax
004019D1 |.>pop edi
004019D2 \.>retn
}
0040116F |.>lea edx, [ebp-64] ; name buffer filled by GetDlgItemTextA at 00401104
00401172 |.>push ebx ; nameLen
00401173 |.>lea eax, [ebp-C0] ; ctx
00401179 |.>push edx ; name
0040117A |.>push eax
0040117B |.>call <MD4_Update> ====> ; MD4_Update(ctx, name, nameLen): nothing but the name goes into the hash
How do we know this is MD4 and not MD5?
MD4_Update
{
004019E0 >/$>mov ecx, [esp+C]
004019E4 |.>push ebx
004019E5 |.>mov ebx, [esp+8]
......
00401A34 |.>pop ebp
00401A35 |.>pop ebx
00401A36 |.>retn
00401A37 |>>mov esi, [esp+18]
00401A3B |.>mov ecx, ebp
00401A3D |.>mov edx, ecx
00401A3F |.>lea eax, [ebx+18]
00401A42 |.>shr ecx, 2
00401A45 |.>rep movs dword ptr es:[edi], dword p>
00401A47 |.>mov ecx, edx
00401A49 |.>push eax
00401A4A |.>and ecx, 3
00401A4D |.>push ebx
00401A4E |.>rep movs byte ptr es:[edi], byte ptr>
00401A50 |.>call <MD4_Compress> ====>Let's check this function.
MD4_Compress
{
....
00401583 |.>mov ecx, [esp+10]
00401587 |.>add eax, ecx
00401589 |.>mov ecx, esi
0040158B |.>lea eax, [edi+eax+5A827999] ;This is one of the constant of MDX
00401592 |.>mov edi, eax
....
004017B5 |.>mov edx, [esp+10]
004017B9 |.>xor ecx, eax
004017BB |.>add ecx, edx
004017BD |.>lea esi, [esi+ecx+6ED9EBA1] ;This is another constant of MDX
....
MD5's compression function uses many distinct additive constants, while MD4 uses only a few.
Here they are: 0, 0x5A827999 and 0x6ED9EBA1. You can find them in the md4.c file packed in keygen.rar.
}
00401A55 |.>mov ecx, [esp+20]
00401A59 |.>mov eax, [esp+24]
00401A5D |.>add esp, 8
00401A60 |.>add ecx, ebp
00401A62 |.>sub eax, ebp
00401A64 |.>mov [esp+18], ecx
00401A68 |.>mov [esp+1C], eax
00401A6C |.>mov ecx, eax
00401A6E |>>cmp ecx, 40
00401A71 |.>jl short 00401AB1
00401A73 |.>mov ebp, ecx
00401A75 |.>shr ebp, 6
00401A78 |.>mov edx, ebp
00401A7A |.>neg edx
00401A7C |.>shl edx, 6
00401A7F |.>add ecx, edx
00401A81 |.>mov [esp+1C], ecx
00401A85 |>>/mov esi, [esp+18]
00401A89 |.>|lea eax, [ebx+18]
00401A8C |.>|mov ecx, 10
00401A91 |.>|mov edi, eax
00401A93 |.>|push eax
00401A94 |.>|push ebx
00401A95 |.>|rep movs dword ptr es:[edi], dword >
00401A97 |.>|call <MD4_Compress>
00401A9C |.>|mov ecx, [esp+20]
00401AA0 |.>|add esp, 8
00401AA3 |.>|add ecx, 40
00401AA6 |.>|dec ebp
00401AA7 |.>|mov [esp+18], ecx
00401AAB |.>\jnz short 00401A85
00401AAD |.>mov ecx, [esp+1C]
}
00401180 |.>lea ecx, [ebp-C0] ; ctx
00401186 |.>lea edx, [ebp-188] ; 16-byte digest output
0040118C |.>push ecx
0040118D |.>push edx
0040118E |.>call <MD4_Final> ; MD4(name)
00401193 |.>add esp, 20 ; cdecl cleanup for all five calls since 00401146 (8 dword arguments)
00401196 |.>push ebp ; saved here and restored at 00401241; ebp itself is not modified in between
00401197 |.>xor eax, eax
00401199 |.>mov [ebp+C], eax ; mismatch counter = 0 (reuses an argument slot of the dialog procedure)
0040119C |.>lea esi, [ebp-188]
004011A2 |.>mov eax, [esi] ; MD4_1(as TEA key)
004011A4 |.>mov ebx, [esi+4] ; MD4_2
004011A7 |.>mov ecx, [esi+8] ; MD4_3
004011AA |.>mov edx, [esi+C] ; MD4_4
004011AD |.>mov [ebp-570], eax ; k0: the whole 128-bit digest becomes the TEA key
004011B3 |.>mov [ebp-56C], ebx ; k1
004011B9 |.>mov [ebp-568], ecx ; k2
004011BF |.>mov [ebp-564], edx ; k3
004011C5 |.>lea ebx, [ebp-250] ; ebx -> {sn_1, sn_2}
004011CB |.>mov edx, C6EF3720 ; Sum:constant of TEA Decryption (= delta * 32 rounds, mod 2^32)
004011D0 |.>mov esi, [ebx] ; sn_1:12345678 ; v0
004011D2 |.>mov edi, [ebx+4] ; sn_2:22222222 ; v1
004011D5 |.>mov dword ptr [ebp+10], 20 ; 32:recommended round times (the counter reuses an argument slot)
004011DC |>>/mov eax, esi ; --- round, first half: v1 -= ((v0<<4)+k2) ^ (v0+sum) ^ ((v0>>5)+k3)
004011DE |.>|mov ebx, esi
004011E0 |.>|mov ecx, esi
004011E2 |.>|shl eax, 4 ; shift left 4 bits (a plain shift, not a rotate - TEA uses shifts)
004011E5 |.>|add eax, [ebp-568] ; + k2
004011EB |.>|shr ebx, 5 ; shift right 5 bits (plain shift)
004011EE |.>|add ebx, [ebp-564] ; + k3
004011F4 |.>|add ecx, edx ; v0 + sum
004011F6 |.>|xor ecx, eax
004011F8 |.>|xor ecx, ebx
004011FA |.>|sub edi, ecx ; v1 -= ...
004011FC |.>|mov eax, edi ; --- round, second half: v0 -= ((v1<<4)+k0) ^ (v1+sum) ^ ((v1>>5)+k1)
004011FE |.>|mov ebx, eax
00401200 |.>|mov ecx, eax
00401202 |.>|shl eax, 4 ; shift left 4 bits
00401205 |.>|add eax, [ebp-570] ; + k0
0040120B |.>|shr ebx, 5 ; shift right 5 bits
0040120E |.>|add ebx, [ebp-56C] ; + k1
00401214 |.>|add ecx, edx ; v1 + sum
00401216 |.>|xor ecx, eax
00401218 |.>|xor ecx, ebx
0040121A |.>|sub esi, ecx ; v0 -= ...
0040121C |.>|sub edx, 9E3779B9 ; Delta:inside BOTH Encryption and Decryption of TEA ; sum -= delta, so sum reaches 0 after the 32nd round
00401222 |.>|dec dword ptr [ebp+10]
00401225 |.>\jnz short 004011DC
00401227 |.>xor eax, eax
00401229 |.>mov [ebp-570], eax ; //Clear key ; wipes k0..k3 right after use
0040122F |.>mov [ebp-56C], eax
00401235 |.>mov [ebp-568], eax
0040123B |.>mov [ebp-564], eax ; \\ ; the digest copy at [ebp-188] and the MD4 context at [ebp-C0] are not cleared in the code shown
00401241 |.>pop ebp
00401242 |.>lea ebx, [ebp-250]
00401248 |.>mov [ebx], esi ; FB8EA0EB:decryption result ; plaintext written back over sn_1 (values are for the sample NAME/SERIAL above)
0040124A |.>mov [ebx+4], edi ; 1F231200:decryption result
0040124D |.>cmp esi, 78336368 ; FB8EA0EB =? 78336368 ; expected v0; the hex digits read as ASCII spell "x3ch"
00401253 |.>je short 00401259
00401255 |.>add dword ptr [ebp+C], 1 ; mismatch counter
00401259 |>>cmp edi, 756E3A29 ; 1F231200 ?= 756E3A29 ; expected v1; ASCII "un:)"
0040125F |.>je short 00401265
00401261 |.>add dword ptr [ebp+C], 1
00401265 |>>mov eax, [ebp+C]
00401268 |.>test eax, eax ; both halves are always compared; success only if neither mismatched
0040126A |.>jnz short 0040128B
0040126C |.>mov eax, [ebp+8] ; hWnd
0040126F |.>push 004060D8 ; /Text = "Good WorkS!"
00401274 |.>push 3E8 ; |ControlID = 3E8 (1000.)
00401279 |.>push eax ; |hWnd
0040127A |.>call [<&USER32.SetDlgItemTextA>] ; \SetDlgItemTextA
00401280 |.>xor eax, eax
00401282 |.>pop edi
00401283 |.>pop esi
00401284 |.>pop ebx
00401285 |.>mov esp, ebp
00401287 |.>pop ebp
00401288 |.>retn 10
0040128B |>>mov ecx, [ebp+8] ; hWnd
0040128E |.>push 004060C4 ; /Text = "Wrong Serial Number"
00401293 |.>push 3E8 ; |ControlID = 3E8 (1000.)
00401298 |.>push ecx ; |hWnd
00401299 |.>call [<&USER32.SetDlgItemTextA>] ; \SetDlgItemTextA
It is obvious that the KeyGenMe verifies TEA_Decrypt(MD4(name), sn) =? constant (0x78336368 / 0x756E3A29).
Here the TEA key is MD4(name) (with the modified IV), and sn is the data to be decrypted.
So the KeyGen is simply the inverse: TEA_Encrypt(MD4(name), constant) = sn.
A valid set of NAME/SERIAL: happytown/483E71155BFF8E5E
KeyGen is in accessory.
--------------------------------------------------------------------------------
【经验总结】
Many KeyGenMes use this verification scheme. You can also find it in my CrackMe_0021~0023.
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2006年11月23日 14:11:56