[原创][破]keygenme#2.saytos.MASM-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创][破]keygenme#2.saytos.MASM

2007-1-22 23:38 5226

[原创][破]keygenme#2.saytos.MASM

hbqjxhw

2007-1-22 23:38

5226

【破文作者】 hbqjxhw[pyg]
【文章题目】 [破]keygenme#2.saytos.MASM
【下载地址】 http://www.crackmes.de/users/saytos/keygenme2/
----------------------------------------------------------------------------------------------
【破解工具】 OllyDBG+汉化第三版
【破解平台】 WinXP SP2
----------------------------------------------------------------------------------------------
【文章简介】

.:.:. Keygenme#2  .:.:.
---------------------------------

Compiled in : MASM

Date       : 5.01.2007 3.57 am

YES       : keygen with src

NO       : self-keygenning,patch,serial-fishing

Tested on : WinXp SP2

Happy cracking :)

saytos
   /2007

----------------------------------------------------------------------------------------------
【破解过程】

004010E2  |.  6A 1E       PUSH 1E                            ; /Length = 1E (30.)
004010E4  |.  68 65804000 PUSH keygenme.00408065             ; |hbqjxhw
004010E9  |.  E8 4E360000 CALL <JMP.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
004010EE  |.  6A 64       PUSH 64                            ; /Length = 64 (100.)
004010F0  |.  68 B5804000 PUSH keygenme.004080B5             ; |abef02ce08a87dd1596456a8c30c6f6e
004010F5  |.  E8 42360000 CALL <JMP.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
004010FA  |.  6A 32       PUSH 32                            ; /Length = 32 (50.)
004010FC  |.  68 83804000 PUSH keygenme.00408083             ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
00401101  |.  E8 36360000 CALL <JMP.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
00401106  |.  6A 32       PUSH 32                            ; /Length = 32 (50.)
00401108  |.  68 37824000 PUSH keygenme.00408237             ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
0040110D  |.  E8 2A360000 CALL <JMP.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
00401112  |.  6A 14       PUSH 14                            ; /Count = 14 (20.)
00401114  |.  68 65804000 PUSH keygenme.00408065             ; |hbqjxhw
00401119  |.  68 EB030000 PUSH 3EB                            ; |ControlID = 3EB (1003.)
0040111E  |.  FF75 08    PUSH DWORD PTR SS:[EBP+8]          ; |hWnd
00401121  |.  E8 52360000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00401126  |.  0AC0       OR AL,AL
00401128  |.  75 0A       JNZ SHORT keygenme.00401134          ;  判断Name是否为空
0040112A  |.  E8 E0010000 CALL keygenme.0040130F
0040112F  |.  E9 D2010000 JMP keygenme.00401306
00401134  |>  6A 32       PUSH 32                            ; /Count = 32 (50.)
00401136  |.  68 83804000 PUSH keygenme.00408083             ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
0040113B  |.  68 ED030000 PUSH 3ED                            ; |ControlID = 3ED (1005.)
00401140  |.  FF75 08    PUSH DWORD PTR SS:[EBP+8]          ; |hWnd
00401143  |.  E8 30360000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00401148  |.  0AC0       OR AL,AL
0040114A  |.  75 0A       JNZ SHORT keygenme.00401156          ;  判断Serial是否为空
0040114C  |.  E8 D4010000 CALL keygenme.00401325
00401151  |.  E9 B0010000 JMP keygenme.00401306
00401156  |>  66:A3 B182400>MOV WORD PTR DS:[4082B1],AX
0040115C  |.  83F8 31    CMP EAX,31                         ;  比较Serial是否大于等于49位数
0040115F  |.  73 0A       JNB SHORT keygenme.0040116B
00401161  |.  E8 D5010000 CALL keygenme.0040133B
00401166  |.  E9 9B010000 JMP keygenme.00401306
0040116B  |>  803D 89804000>CMP BYTE PTR DS:[408089],43          ;  判断Serial第7位是否等于C
00401172  |.  74 0A       JE SHORT keygenme.0040117E
00401174  |.  E8 C2010000 CALL keygenme.0040133B
00401179  |.  E9 88010000 JMP keygenme.00401306
0040117E  |>  803D 97804000>CMP BYTE PTR DS:[408097],58          ;  判断Serial第21位是否等于X
00401185  |.  74 0A       JE SHORT keygenme.00401191
00401187  |.  E8 AF010000 CALL keygenme.0040133B
0040118C  |.  E9 75010000 JMP keygenme.00401306
00401191  |>  803D A2804000>CMP BYTE PTR DS:[4080A2],24          ;  判断Serial第32位是否等于$
00401198  |.  74 0A       JE SHORT keygenme.004011A4
0040119A  |.  E8 9C010000 CALL keygenme.0040133B
0040119F  |.  E9 62010000 JMP keygenme.00401306
004011A4  |>  68 65804000 PUSH keygenme.00408065             ; /hbqjxhw
004011A9  |.  68 B5804000 PUSH keygenme.004080B5             ; |abef02ce08a87dd1596456a8c30c6f6e
004011AE  |.  E8 95350000 CALL <JMP.&KERNEL32.lstrcatA>       ; \lstrcatA
004011B3  |.  FECA       DEC DL
004011B5  |.  68 A1824000 PUSH keygenme.004082A1             ; /Arg3 = 004082A1
004011BA  |.  52          PUSH EDX                            ; |Arg2
004011BB  |.  68 B5804000 PUSH keygenme.004080B5             ; |abef02ce08a87dd1596456a8c30c6f6e
004011C0  |.  E8 4F2C0000 CALL keygenme.00403E14             ; \标准的MD5计算
004011C5  |.  68 AF814000 PUSH keygenme.004081AF             ;  crackmes
004011CA  |.  E8 71560000 CALL keygenme.00406840
004011CF  |.  68 65804000 PUSH keygenme.00408065             ;  hbqjxhw
004011D4  |.  68 65804000 PUSH keygenme.00408065             ;  hbqjxhw
004011D9  |.  E8 9A560000 CALL keygenme.00406878             ;  TEA计算
004011DE  |.  A1 65804000 MOV EAX,DWORD PTR DS:[408065]       ;  (Initial CPU selection)
004011E3  |.  8B15 69804000 MOV EDX,DWORD PTR DS:[408069]
004011E9  |.  50          PUSH EAX                            ; /<%.8x> => 0
004011EA  |.  52          PUSH EDX                            ; |<%.8x> => 0
004011EB  |.  68 5C804000 PUSH keygenme.0040805C             ; |%.8x%.8x
004011F0  |.  68 6A824000 PUSH keygenme.0040826A             ; |92afce9324e2fc95
004011F5  |.  E8 5A350000 CALL <JMP.&user32.wsprintfA>       ; \wsprintfA
004011FA  |.  83C4 10    ADD ESP,10
004011FD  |.  C605 69824000>MOV BYTE PTR DS:[408269],2D
00401204  |.  68 B5804000 PUSH keygenme.004080B5             ; /abef02ce08a87dd1596456a8c30c6f6e
00401209  |.  68 37824000 PUSH keygenme.00408237             ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
0040120E  |.  E8 3B350000 CALL <JMP.&KERNEL32.lstrcpyA>       ; \lstrcpyA
00401213  |.  68 69824000 PUSH keygenme.00408269             ; /-92afce9324e2fc95
00401218  |.  68 37824000 PUSH keygenme.00408237             ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
0040121D  |.  E8 26350000 CALL <JMP.&KERNEL32.lstrcatA>       ; \MD5的值与TEA的值用“-”连接
00401222  |.  C605 3D824000>MOV BYTE PTR DS:[40823D],43          ;  把C赋给Serial第7位
00401229  |.  C605 4B824000>MOV BYTE PTR DS:[40824B],78          ;  把x赋给Serial第21位
00401230  |.  68 37824000 PUSH keygenme.00408237             ; /ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
00401235  |.  E8 26350000 CALL <JMP.&user32.CharUpperA>       ; \全部转换为大写字母
0040123A  |.  C605 56824000>MOV BYTE PTR DS:[408256],24          ;  把$赋给Serial第32位
00401241  |.  33C0       XOR EAX,EAX
00401243  |.  33DB       XOR EBX,EBX
00401245  |.  33D2       XOR EDX,EDX
00401247  |.  33C9       XOR ECX,ECX
00401249  |.  66:8B0D B1824>MOV CX,WORD PTR DS:[4082B1]
00401250  |.  8D35 83804000 LEA ESI,DWORD PTR DS:[408083]
00401256  |.  8D2D 37824000 LEA EBP,DWORD PTR DS:[408237]
0040125C  |>  03F0       /ADD ESI,EAX
0040125E  |.  03E8       |ADD EBP,EAX
00401260  |.  33C0       |XOR EAX,EAX
00401262  |.  8A1E       |MOV BL,BYTE PTR DS:[ESI]
00401264  |.  8A55 00    |MOV DL,BYTE PTR SS:[EBP]
00401267  |.  38D3       |CMP BL,DL                         ;  Serial比较
00401269  |.  75 60       |JNZ SHORT keygenme.004012CB
0040126B  |.  40          |INC EAX
0040126C  |.^ E2 EE       \LOOPD SHORT keygenme.0040125C
0040126E  |.  803D B3824000>CMP BYTE PTR DS:[4082B3],1
00401275  |.  74 26       JE SHORT keygenme.0040129D
00401277  |.  33C9       XOR ECX,ECX
00401279  |.  33C0       XOR EAX,EAX
0040127B  |.  33DB       XOR EBX,EBX
0040127D  |.  B9 2C000000 MOV ECX,2C
00401282  |.  8D35 F6814000 LEA ESI,DWORD PTR DS:[4081F6]
00401288  |>  03F0       /ADD ESI,EAX
0040128A  |.  33C0       |XOR EAX,EAX
0040128C  |.  8A1E       |MOV BL,BYTE PTR DS:[ESI]
0040128E  |.  80F3 40    |XOR BL,40                         ;  Text = "%%0a`/7`72)4%`454`!.$`3%.$`4/`#2!#+-%3n$%a"这断TEXT每个与0X40异或之后就是成功的标志
00401291  |.  881E       |MOV BYTE PTR DS:[ESI],BL
00401293  |.  40          |INC EAX
00401294  |.^ E2 F2       \LOOPD SHORT keygenme.00401288       ;  (Initial CPU selection)
00401296  |.  C605 B3824000>MOV BYTE PTR DS:[4082B3],1
0040129D  |>  68 F6814000 PUSH keygenme.004081F6             ; /Text = "%%0a`/7`72)4%`454`!.$`3%.$`4/`#2!#+-%3n$%a"
004012A2  |.  68 ED030000 PUSH 3ED                            ; |ControlID = 3ED (1005.)
004012A7  |.  FF35 90824000 PUSH DWORD PTR DS:[408290]          ; |hWnd = NULL
004012AD  |.  E8 DE340000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
004012B2  |.  6A 00       PUSH 0                               ; /lParam = 0
004012B4  |.  6A 00       PUSH 0                               ; |wParam = 0
004012B6  |.  6A 0A       PUSH 0A                            ; |Message = WM_ENABLE
004012B8  |.  68 ED030000 PUSH 3ED                            ; |ControlID = 3ED (1005.)
004012BD  |.  FF35 90824000 PUSH DWORD PTR DS:[408290]          ; |hWnd = NULL
004012C3  |.  E8 BC340000 CALL <JMP.&user32.SendDlgItemMessageA>; \SendDlgItemMessageA
004012C8  |.  61          POPAD
004012C9  |.  EB 3B       JMP SHORT keygenme.00401306
004012CB  |>  61          POPAD
004012CC  |.  E8 6A000000 CALL keygenme.0040133B
004012D1  |.  EB 33       JMP SHORT keygenme.00401306
004012D3  |>  B8 01000000 MOV EAX,1
004012D8  |.  EB 2C       JMP SHORT keygenme.00401306
004012DA  |>  83F8 10    CMP EAX,10                         ;  (Initial CPU selection)
004012DD  |.  75 1E       JNZ SHORT keygenme.004012FD
004012DF  |.  68 02000900 PUSH 90002
004012E4  |.  68 20030000 PUSH 320
004012E9  |.  FF75 08    PUSH DWORD PTR SS:[EBP+8]
004012EC  |.  E8 69340000 CALL <JMP.&user32.AnimateWindow>
004012F1  |.  6A 00       PUSH 0                               ; /Result = 0
004012F3  |.  FF75 08    PUSH DWORD PTR SS:[EBP+8]          ; |hWnd
004012F6  |.  E8 71340000 CALL <JMP.&user32.EndDialog>       ; \EndDialog
004012FB  |.  EB 09       JMP SHORT keygenme.00401306
004012FD  |>  B8 00000000 MOV EAX,0
00401302  |.  C9          LEAVE
00401303  |.  C2 1000    RETN 10
00401306  |>  B8 01000000 MOV EAX,1
0040130B  |.  C9          LEAVE
0040130C  \.  C2 1000    RETN 10
0040130F  /$  68 B8814000 PUSH keygenme.004081B8             ; /Hmm,but who name?
00401314  |.  68 EB030000 PUSH 3EB                            ; |ControlID = 3EB (1003.)
00401319  |.  FF75 08    PUSH DWORD PTR SS:[EBP+8]          ; |hWnd
0040131C  |.  E8 6F340000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
00401321  |.  C9          LEAVE
00401322  \.  C2 1000    RETN 10
00401325  /$  68 CA814000 PUSH keygenme.004081CA             ; /Heh,what must check?
0040132A  |.  68 ED030000 PUSH 3ED                            ; |ControlID = 3ED (1005.)
0040132F  |.  FF75 08    PUSH DWORD PTR SS:[EBP+8]          ; |hWnd
00401332  |.  E8 59340000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
00401337  |.  C9          LEAVE
00401338  \.  C2 1000    RETN 10
0040133B  /$  68 DF814000 PUSH keygenme.004081DF             ; /Serial is not valid...
00401340  |.  68 ED030000 PUSH 3ED                            ; |ControlID = 3ED (1005.)
00401345  |.  FF75 08    PUSH DWORD PTR SS:[EBP+8]          ; |hWnd
00401348  |.  E8 43340000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
0040134D  |.  C9          LEAVE
0040134E  \.  C2 1000    RETN 10

----------------------------------------------------------------------------------------------
由CALL 00403E14进入后
下面就是标准的MD5计算要用到的四个常数值
00403E68  |.  C706 01234567 MOV DWORD PTR DS:[ESI],67452301
00403E6E  |.  C746 04 89ABC>MOV DWORD PTR DS:[ESI+4],EFCDAB89
00403E75  |.  C746 08 FEDCB>MOV DWORD PTR DS:[ESI+8],98BADCFE
00403E7C  |.  C746 0C 76543>MOV DWORD PTR DS:[ESI+C],10325476

----------------------------------------------------------------------------------------------
由CALL 00406878进入后
TEA计算
00406878 55             PUSH EBP
00406879 8BEC          MOV EBP,ESP
0040687B 57             PUSH EDI
0040687C 56             PUSH ESI
0040687D 53             PUSH EBX
0040687E 8B75 08       MOV ESI,DWORD PTR SS:[EBP+8]
00406881 8B06          MOV EAX,DWORD PTR DS:[ESI]
00406883 8B56 04       MOV EDX,DWORD PTR DS:[ESI+4]
00406886 33DB          XOR EBX,EBX
00406888 0FC8          BSWAP EAX---要加密的明文
0040688A 0FCA          BSWAP EDX---要加密的明文
0040688C 81C3 B979379E /ADD EBX,9E3779B9
00406892 8BCA          |MOV ECX,EDX
00406894 C1E1 04       |SHL ECX,4
00406897 8BFA          |MOV EDI,EDX
00406899 8D3413       |LEA ESI,DWORD PTR DS:[EBX+EDX]
0040689C 030D 401C5100 |ADD ECX,DWORD PTR DS:[511C40]---这里就是TEA要用到的密钥
004068A2 C1EF 05       |SHR EDI,5
004068A5 33CE          |XOR ECX,ESI
004068A7 033D 441C5100 |ADD EDI,DWORD PTR DS:[511C44]---这里就是TEA要用到的密钥
004068AD 33CF          |XOR ECX,EDI
004068AF 03C1          |ADD EAX,ECX
004068B1 8BC8          |MOV ECX,EAX
004068B3 C1E1 04       |SHL ECX,4
004068B6 8BF8          |MOV EDI,EAX
004068B8 8D3403       |LEA ESI,DWORD PTR DS:[EBX+EAX]
004068BB 030D 481C5100 |ADD ECX,DWORD PTR DS:[511C48]---这里就是TEA要用到的密钥
004068C1 C1EF 05       |SHR EDI,5
004068C4 33CE          |XOR ECX,ESI
004068C6 033D 4C1C5100 |ADD EDI,DWORD PTR DS:[511C4C]---这里就是TEA要用到的密钥
004068CC 33CF          |XOR ECX,EDI
004068CE 03D1          |ADD EDX,ECX
004068D0 81C3 B979379E |ADD EBX,9E3779B9
004068D6 8BCA          |MOV ECX,EDX
004068D8 C1E1 04       |SHL ECX,4
004068DB 8BFA          |MOV EDI,EDX
004068DD 8D3413       |LEA ESI,DWORD PTR DS:[EBX+EDX]
004068E0 030D 401C5100 |ADD ECX,DWORD PTR DS:[511C40]
004068E6 C1EF 05       |SHR EDI,5
004068E9 33CE          |XOR ECX,ESI
004068EB 033D 441C5100 |ADD EDI,DWORD PTR DS:[511C44]
004068F1 33CF          |XOR ECX,EDI
004068F3 03C1          |ADD EAX,ECX
004068F5 8BC8          |MOV ECX,EAX
004068F7 C1E1 04       |SHL ECX,4
004068FA 8BF8          |MOV EDI,EAX
004068FC 8D3403       |LEA ESI,DWORD PTR DS:[EBX+EAX]
004068FF 030D 481C5100 |ADD ECX,DWORD PTR DS:[511C48]
00406905 C1EF 05       |SHR EDI,5
00406908 33CE          |XOR ECX,ESI
0040690A 033D 4C1C5100 |ADD EDI,DWORD PTR DS:[511C4C]
00406910 33CF          |XOR ECX,EDI
00406912 03D1          |ADD EDX,ECX
00406914 81FB 2037EFC6 |CMP EBX,C6EF3720
0040691A  ^ 0F85 6CFFFFFF \JNZ keygenme.0040688C
00406920 0FC8          BSWAP EAX
00406922 0FCA          BSWAP EDX
00406924 8B75 0C       MOV ESI,DWORD PTR SS:[EBP+C]
00406927 8906          MOV DWORD PTR DS:[ESI],EAX
00406929 8956 04       MOV DWORD PTR DS:[ESI+4],EDX
0040692C 5B             POP EBX
0040692D 5E             POP ESI
0040692E 5F             POP EDI
0040692F C9             LEAVE
00406930 C2 0800       RETN 8

这里就是TEA要用到的密钥（6361726373656D6B6D6D48007475622C）
00511C40  63 61 72 63 73 65 6D 6B 6D 6D 48 00 74 75 62 2C  carcsemkmmH.tub,

上面的核心算法应该是下面三行：
sum+=delta;
y+=((a+(z<<4))^(sum+z))^(b+(z>>5));
z+=((c+(y<<4))^(sum+y))^(d+(y>>5));
----------------------------------------------------------------------------------------------
破解总结：
一、计算Name的MD5值.
二、计算Name的TEA值
三、把MD5的值与TEA的值用“-”连接.
四、用C替代Serial第7位,用x替代Serial第21位.
五、全部转换为大写字母.
六、用$替代Serial第32位.

----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享:)

【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
----------------------------------------------------------------------------------------------
                                                                              文章写于2007-1-22 23:09:56

[培训]科锐软件逆向50期预科班报名即将截止，速来！！！ 50期正式班报名火爆招生中！！！

收藏・1

免费・7

打赏

最新回复 (2)
冷血书生雪币： 443 活跃值： (200) 能力值： ( LV9，RANK：1140 ) 在线值：发帖 53 回帖 1135 粉丝 2 关注私信	冷血书生 28 2007-1-23 00:26 2 楼 0 好文章啊~~学习学习！
wan 雪币： 333 活跃值： (40) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 312 粉丝 0 关注私信	wan 2007-1-23 09:05 3 楼 0 好文学习了
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复