【Title】: [Crack] CrackMe.zack.VC6.4
【Author】: HappyTown
【Author's e-mail】: wxr277@163.com
【Author's homepage】: www.pediy.com
【Program name】: zackCM4hard
【Download】: in the attachment
【Packer】: none
【Protection】: RSA
【Tools used】: OD, IDA
【Author's note】: Done purely out of interest, for no other purpose. Corrections of any mistakes are welcome!
--------------------------------------------------------------------------------
【Walkthrough】
1. First change the "OK" button's properties so that it is ENABLED:
004015BA .>push 0 ; /lParam = NULL
004015BC .>push eax ; |hInst => NULL
004015BD .>push 7E7 ; |hMenu = 000007E7
004015C2 .>push esi ; |hParent
004015C3 .>push 19 ; |Height = 19 (25.)
004015C5 .>push 19 ; |Width = 19 (25.)
004015C7 .>push 118 ; |Y = 118 (280.)
004015CC .>push 151 ; |X = 151 (337.)
004015D1 .>push 58000001 ; |Style = WS_CHILD|WS_VISIBLE|WS_DISABLED|1
004015D6 .>push 0040C034 ; |WindowName = "OK"
004015DB .>push 0040C050 ; |Class = "BUTTON"
004015E0 .>push 0 ; |ExtStyle = 0
004015E2 .>call edi ; \CreateWindowExA
We change the Style to 50000001 (dropping the WS_DISABLED bit), i.e. at address 004015D1 we push 50000001.
2. After a failed registration the OK button is greyed out again, so we look for the function that disables the button and find EnableWindow:
00401451 . 50 push eax ; /Enable => FALSE
00401452 . 52 push edx ; |hWnd => NULL
00401453 . FF15 E8B04000 call [<&USER32.EnableWindow>] ; \EnableWindow
Stop it from being greyed out:
00401451 90 nop
00401452 90 nop
00401453 90 nop
00401454 90 nop
00401455 90 nop
00401456 90 nop
00401457 90 nop
00401458 90 nop
3. Save the two patches above and reload the program.
00401250 . 57 push edi ; /lParam
00401251 . 68 2B010000 push 12B ; |wParam = 12B
00401256 . 6A 0D push 0D ; |Message = WM_GETTEXT
00401258 . 52 push edx ; |hWnd => A0254
00401259 . 896C24 6C mov [esp+6C], ebp ; |
0040125D . FF15 E0B04000 call [<&USER32.SendMessageA>] ; \SendMessageA
00401263 . 83F8 05 cmp eax, 5 ; nameLen >= 5
00401266 . 7D 07 jge short 0040126F
00401268 . C605 80D44000>mov byte ptr [40D480], 1
0040126F > A1 74D44000 mov eax, [40D474]
00401274 . 55 push ebp ; /lParam
00401275 . 68 2B010000 push 12B ; |wParam = 12B
0040127A . 6A 0D push 0D ; |Message = WM_GETTEXT
0040127C . 50 push eax ; |hWnd => 801A4
0040127D . FF15 E0B04000 call [<&USER32.SendMessageA>] ; \SendMessageA
00401283 . 3D C8000000 cmp eax, 0C8 ; 200
00401288 . 7D 07 jge short 00401291
0040128A . C605 80D44000>mov byte ptr [40D480], 1
00401291 > 8A07 mov al, [edi]
00401293 . 84C0 test al, al
00401295 . 74 12 je short 004012A9
00401297 . 8BCF mov ecx, edi ; name
00401299 > 0FBED0 movsx edx, al ; //name[i]:68;61
0040129C . 8A41 01 mov al, [ecx+1] ; 61(a);70(p)
0040129F . 83F2 14 xor edx, 14 ; 68 xor 14=7C;61 xor 14=75
004012A2 . 03F2 add esi, edx ; 0+7C=7C;7C+75=F1
004012A4 . 41 inc ecx
004012A5 . 84C0 test al, al
004012A7 .^ 75 F0 jnz short 00401299 ; \\Sum(name)
004012A9 > 81C6 3E780000 add esi, 783E ; 226+783E=7A64 = 31332(d)=Hash(name)
004012AF . 56 push esi ; /<%i>
004012B0 . 68 F4C04000 push 0040C0F4 ; |Format = "%i"
004012B5 . 57 push edi ; |s
004012B6 . FF15 E4B04000 call [<&USER32.wsprintfA>] ; \wsprintfA
004012BC . 8BCB mov ecx, ebx
004012BE . BE 70C04000 mov esi, 0040C070 ; ASCII "54269873541268974123698753215985265487231456987412360202050709637514565896541123654789654214145263421548412318565421634485445316"
004012C3 . 8DBC24 800000>lea edi, [esp+80] ; a
004012CA . 6A 0A push 0A ; 10d
004012CC . F3:A5 rep movs dword ptr es:[edi], dword>
004012CE . 68 00040000 push 400 ; 0x400
004012D3 . A4 movs byte ptr es:[edi], byte ptr [e>
004012D4 . E8 E7380000 call <mirsys>
004012D9 . 6A 00 push 0
004012DB . C780 38020000>mov dword ptr [eax+238], 0A ; base 10
004012E5 . C780 40020000>mov dword ptr [eax+240], 1
004012EF . E8 2C380000 call <mirvar>
004012F4 . 6A 00 push 0
004012F6 . E8 25380000 call <mirvar>
004012FB . 6A 00 push 0
004012FD . 898424 800000>mov [esp+80], eax
00401304 . E8 17380000 call <mirvar>
00401309 . 6A 00 push 0
0040130B . 898424 940000>mov [esp+94], eax
00401312 . E8 09380000 call <mirvar>
00401317 . 6A 00 push 0
00401319 . 8BF0 mov esi, eax
0040131B . E8 00380000 call <mirvar>
00401320 . 6A 00 push 0
00401322 . 898424 940000>mov [esp+94], eax
00401329 . E8 F2370000 call <mirvar>
0040132E . 6A 00 push 0
00401330 . 8BF8 mov edi, eax
00401332 . E8 E9370000 call <mirvar>
00401337 . 6A 00 push 0
00401339 . 8BD8 mov ebx, eax
0040133B . E8 E0370000 call <mirvar>
00401340 . 6A 00 push 0
00401342 . 8BE8 mov ebp, eax
00401344 . E8 D7370000 call <mirvar>
00401349 . 8B8C24 9C0000>mov ecx, [esp+9C]
00401350 . 898424 A40000>mov [esp+A4], eax
00401357 . 51 push ecx ; Hash:31332
00401358 . 50 push eax ; b
00401359 . E8 B2030000 call <cinstr>
0040135E . 83C4 40 add esp, 40
00401361 . 8D5424 74 lea edx, [esp+74]
00401365 . 52 push edx ; a
00401366 . 55 push ebp
00401367 . E8 A4030000 call <cinstr> ; a
0040136C . 57 push edi ; m'
0040136D . 6A 0A push 0A ; base 10
0040136F . 68 80000000 push 80 ; 80 decimal digits
00401374 . E8 F7310000 call <bigdig> ; 15 31 4D D0...0A 31 70 42
00401379 . 57 push edi
0040137A . 57 push edi
0040137B . E8 30300000 call <nxprime> ; m:15 31 4D D0...0A 31 75 0B
00401380 . 53 push ebx ; n'
00401381 . 6A 0A push 0A
00401383 . 68 80000000 push 80
00401388 . E8 E3310000 call <bigdig> ; n':33 34 0B D1...04 6D 07 7B
0040138D . 53 push ebx
0040138E . 53 push ebx
0040138F . E8 1C300000 call <nxprime> ; n:33 34 0B D1...04 6D 07 BF
00401394 . 55 push ebp
00401395 . 55 push ebp ; a
00401396 . E8 15300000 call <nxprime> ; a: 36 10 15 F1...1C EF 4E 5B
0040139B . 83C4 38 add esp, 38
0040139E . 56 push esi
0040139F . 6A 01 push 1
004013A1 . E8 7A370000 call <mirvar> ; 1
004013A6 . 83C4 04 add esp, 4
004013A9 . 50 push eax ; p
004013AA . 57 push edi ; m
004013AB . E8 A0290000 call <subtract> ; p = m - 1:15 31 4D D0...0A 31 75 0A
004013B0 . 8B4424 6C mov eax, [esp+6C]
004013B4 . 83C4 0C add esp, 0C
004013B7 . 50 push eax
004013B8 . 6A 01 push 1
004013BA . E8 61370000 call <mirvar> ; 1
004013BF . 83C4 04 add esp, 4
004013C2 . 50 push eax ; s
004013C3 . 53 push ebx ; n
004013C4 . E8 87290000 call <subtract> ; s = n - 1:33 34 0B D1...04 6D 07 BE
004013C9 . 8B4C24 6C mov ecx, [esp+6C]
004013CD . 56 push esi ; p
004013CE . 51 push ecx ; s
004013CF . 56 push esi
004013D0 . E8 8B160000 call <multiply> ; p =s*p= 04 6C 0E A3...08 34 7F 6C
004013D5 . 8B5424 78 mov edx, [esp+78]
004013D9 . 8B8424 880000>mov eax, [esp+88]
004013E0 . 52 push edx ; s has become 1, the others are unchanged
004013E1 . 50 push eax ; 0
004013E2 . 50 push eax ; 0
004013E3 . 56 push esi ; p
004013E4 . 55 push ebp ; a
004013E5 . E8 D6100000 call <xgcd> ; require gcd[a,p] = 1
004013EA . 56 push esi ; p
004013EB . 53 push ebx ; n: ...BF
004013EC . 57 push edi ; m : ...0B
004013ED . E8 6E160000 call <multiply> ; p = m*n=04 6C 0E A3...16 D2 FC 35
004013F2 . 8BBC24 A00000>mov edi, [esp+A0]
004013F9 . 8B8424 A40000>mov eax, [esp+A4]
00401400 . 57 push edi ; u
00401401 . 56 push esi ; p
00401402 . 55 push ebp ; a
00401403 . 50 push eax ; b:Hash(name)
00401404 . E8 170C0000 call <powmod> ; u = b^a (mod p):B7 08 98 0F...31 5D 6E 0F
00401409 . 8BB424 AC0000>mov esi, [esp+AC]
00401410 . 83C4 48 add esp, 48
00401413 . 56 push esi
00401414 . 57 push edi ; u
00401415 . E8 86050000 call <cotstr> ; 1831441831889425...
0040141A . 8B5424 64 mov edx, [esp+64] ; sn
0040141E . 83C4 08 add esp, 8
00401421 . 33ED xor ebp, ebp
00401423 . 8BDE mov ebx, esi ; u
00401425 . 2BD6 sub edx, esi
00401427 > 8A0B mov cl, [ebx]
00401429 . 8A041A mov al, [edx+ebx]
0040142C . 3AC8 cmp cl, al ; compare sn with u
0040142E . 74 07 je short 00401437
00401430 . C605 80D44000>mov byte ptr [40D480], 1
00401437 > 8B7C24 5C mov edi, [esp+5C]
0040143B . 45 inc ebp
0040143C . 83C9 FF or ecx, FFFFFFFF
0040143F . 33C0 xor eax, eax
00401441 . 43 inc ebx
00401442 . F2:AE repne scas byte ptr es:[edi]
00401444 . F7D1 not ecx
00401446 . 49 dec ecx
00401447 . 3BE9 cmp ebp, ecx
00401449 .^ 76 DC jbe short 00401427
0040144B . 8B15 78D44000 mov edx, [40D478]
00401451 90 nop
00401452 90 nop
00401453 90 nop
00401454 90 nop
00401455 90 nop
00401456 90 nop
00401457 90 nop
00401458 90 nop
00401459 . A0 80D44000 mov al, [40D480] ; registration succeeds when it is 0
0040145E . 5D pop ebp
0040145F . 84C0 test al, al
00401461 . 6A 00 push 0
00401463 . 68 68C04000 push 0040C068 ; ASCII "CrackMe"
00401468 . 75 0F jnz short 00401479
0040146A . 8B8C24 000100>mov ecx, [esp+100]
00401471 . 8D4424 30 lea eax, [esp+30]
00401475 . 50 push eax
00401476 . 51 push ecx
00401477 . EB 0D jmp short 00401486
00401479 > 8B8424 000100>mov eax, [esp+100] ; |
00401480 8D16 lea edx, [esi]
00401482 90 nop
00401483 90 nop
00401484 . 52 push edx ; |Text
00401485 . 50 push eax ; |hOwner
00401486 > FF15 ECB04000 call [<&USER32.MessageBoxA>] ; \MessageBoxA
The verification process is as follows:
m: prime
n: prime
a: prime
b: Hash(name)
p = m - 1 = φ(m)
s = n - 1 = φ(n)
p = s*p = φ(m)*φ(n)
GCD[a,p] = 1
p = m*n
u = b^a (mod p) ?= sn
This is clearly the key-generation and encryption steps of RSA, which leads to a plaintext comparison of the registration code.
A keygen can be written by following the program's own logic; I won't write one here.
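As an added illustration (not part of the original write-up and not the author's keygen), the check summarised above modelled in Python: the name hash from the loop at 00401291..004012A9, and u = Hash(name)^a mod (m*n) with the gcd(a, φ(m)φ(n)) = 1 requirement. The primes m, n, a here are constructed small values for demonstration; the binary derives its own 80-digit ones through the MIRACL routines (bigdig/nxprime) seen in the trace, which this model does not reproduce.

```python
from math import gcd

HASH_XOR = 0x14      # xor constant applied to every name byte (0040129F)
HASH_ADD = 0x783E    # constant added after the loop (004012A9)


def name_hash(name: str) -> int:
    """b = Hash(name): sum of (byte ^ 0x14) over the name, plus 0x783E."""
    if len(name) < 5:                       # cmp eax, 5 / jge at 00401263
        raise ValueError("name must be at least 5 characters")
    total = 0
    for c in name.encode("latin-1"):
        total = (total + (c ^ HASH_XOR)) & 0xFFFFFFFF   # esi is 32-bit
    return (total + HASH_ADD) & 0xFFFFFFFF


def is_prime(x: int) -> bool:
    """Trial division; enough for the small constructed primes used here."""
    if x < 2:
        return False
    return all(x % d for d in range(2, int(x ** 0.5) + 1))


def expected_serial(name: str, m: int, n: int, a: int) -> str:
    """Model of the check: u = Hash(name)^a mod (m*n), as a decimal string."""
    if not (is_prime(m) and is_prime(n) and is_prime(a)):
        raise ValueError("m, n and a must be prime (nxprime in the binary)")
    phi = (m - 1) * (n - 1)                  # p = φ(m)*φ(n)
    if gcd(a, phi) != 1:                     # xgcd at 004013E5
        raise ValueError("gcd(a, φ(m)φ(n)) must be 1")
    p = m * n                                # p = m*n at 004013ED
    u = pow(name_hash(name), a, p)           # powmod at 00401404
    return str(u)                            # cotstr, then byte-wise compare


def verify(name: str, serial: str, m: int, n: int, a: int) -> bool:
    """The plaintext comparison the binary performs at 00401427..00401449."""
    return serial == expected_serial(name, m, n, a)


# Constructed small parameters; NOT the 80-digit values the binary generates.
M_DEMO, N_DEMO, A_DEMO = 101, 103, 7

if __name__ == "__main__":
    print(hex(name_hash("happy")))   # matches the trace: 0x7A64 = 31332
    print(expected_serial("happy", M_DEMO, N_DEMO, A_DEMO))
```

Because the serial is compared in the clear against u, anyone who recovers m, n and a from the binary can compute a valid serial for any name; that is the design weakness the write-up points out.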
If you trace this CrackMe yourself, you may notice that the following code differs from the original program:
00401480 8D16 lea edx, [esi]
00401482 90 nop
00401483 90 nop
What does [esi] hold? Heh, the correct registration code. In other words, I made the program pop up the registration code by itself. Note, though, that the user name must be at least 5 characters long.
If you have read my other article, 《让软件自动弹出注册码》 (making software pop up its own registration code), this change will be easy to understand.
The patched program (zackCM4hard_.exe) is included in the attachment ^_^
--------------------------------------------------------------------------------
【Lessons learned】
Although this program doesn't play by the usual rules, its idea is simple and clear: it essentially lays out the RSA key-generation process, which is fairly novel.
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) forum. When reposting, please credit the author and keep the article intact. Thank you!
28 November 2006, 10:07:01