【Author】 hbqjxhw[pyg]
【Title】 [Crack] keygenme#2.saytos.MASM
【Download】 http://www.crackmes.de/users/saytos/keygenme2/
----------------------------------------------------------------------------------------------
【Tools】 OllyDbg (Chinese-localized 3rd edition)
【Platform】 WinXP SP2
----------------------------------------------------------------------------------------------
【Introduction】 (the crackme's own readme follows)
.:.:. Keygenme#2 .:.:.
---------------------------------
Compiled in : MASM
Date : 5.01.2007 3.57 am
YES : keygen with src
NO : self-keygenning, patch, serial-fishing
Tested on : WinXp SP2
Happy cracking :)
saytos
/2007
----------------------------------------------------------------------------------------------
【Cracking process】
004010E2 |. 6A 1E PUSH 1E ; /Length = 1E (30.)
004010E4 |. 68 65804000 PUSH keygenme.00408065 ; |hbqjxhw
004010E9 |. E8 4E360000 CALL <JMP.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
004010EE |. 6A 64 PUSH 64 ; /Length = 64 (100.)
004010F0 |. 68 B5804000 PUSH keygenme.004080B5 ; |abef02ce08a87dd1596456a8c30c6f6e
004010F5 |. E8 42360000 CALL <JMP.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
004010FA |. 6A 32 PUSH 32 ; /Length = 32 (50.)
004010FC |. 68 83804000 PUSH keygenme.00408083 ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
00401101 |. E8 36360000 CALL <JMP.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
00401106 |. 6A 32 PUSH 32 ; /Length = 32 (50.)
00401108 |. 68 37824000 PUSH keygenme.00408237 ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
0040110D |. E8 2A360000 CALL <JMP.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
00401112 |. 6A 14 PUSH 14 ; /Count = 14 (20.)
00401114 |. 68 65804000 PUSH keygenme.00408065 ; |hbqjxhw
00401119 |. 68 EB030000 PUSH 3EB ; |ControlID = 3EB (1003.)
0040111E |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401121 |. E8 52360000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00401126 |. 0AC0 OR AL,AL
00401128 |. 75 0A JNZ SHORT keygenme.00401134 ; is Name empty? (EAX = number of characters copied)
0040112A |. E8 E0010000 CALL keygenme.0040130F
0040112F |. E9 D2010000 JMP keygenme.00401306
00401134 |> 6A 32 PUSH 32 ; /Count = 32 (50.)
00401136 |. 68 83804000 PUSH keygenme.00408083 ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
0040113B |. 68 ED030000 PUSH 3ED ; |ControlID = 3ED (1005.)
00401140 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401143 |. E8 30360000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00401148 |. 0AC0 OR AL,AL
0040114A |. 75 0A JNZ SHORT keygenme.00401156 ; is Serial empty?
0040114C |. E8 D4010000 CALL keygenme.00401325
00401151 |. E9 B0010000 JMP keygenme.00401306
00401156 |> 66:A3 B182400>MOV WORD PTR DS:[4082B1],AX ; save the Serial length (reused as the loop count at 00401249)
0040115C |. 83F8 31 CMP EAX,31 ; Serial must be at least 0x31 = 49 characters (the buffer holds at most 49, so effectively exactly 49)
0040115F |. 73 0A JNB SHORT keygenme.0040116B
00401161 |. E8 D5010000 CALL keygenme.0040133B
00401166 |. E9 9B010000 JMP keygenme.00401306
0040116B |> 803D 89804000>CMP BYTE PTR DS:[408089],43 ; 7th character of Serial (offset 6) must be 'C' (0x43)
00401172 |. 74 0A JE SHORT keygenme.0040117E
00401174 |. E8 C2010000 CALL keygenme.0040133B
00401179 |. E9 88010000 JMP keygenme.00401306
0040117E |> 803D 97804000>CMP BYTE PTR DS:[408097],58 ; 21st character of Serial (offset 0x14) must be 'X' (0x58)
00401185 |. 74 0A JE SHORT keygenme.00401191
00401187 |. E8 AF010000 CALL keygenme.0040133B
0040118C |. E9 75010000 JMP keygenme.00401306
00401191 |> 803D A2804000>CMP BYTE PTR DS:[4080A2],24 ; 32nd character of Serial (offset 0x1F) must be '$' (0x24)
00401198 |. 74 0A JE SHORT keygenme.004011A4
0040119A |. E8 9C010000 CALL keygenme.0040133B
0040119F |. E9 62010000 JMP keygenme.00401306
004011A4 |> 68 65804000 PUSH keygenme.00408065 ; /hbqjxhw
004011A9 |. 68 B5804000 PUSH keygenme.004080B5 ; |abef02ce08a87dd1596456a8c30c6f6e
004011AE |. E8 95350000 CALL <JMP.&KERNEL32.lstrcatA> ; \lstrcatA
004011B3 |. FECA DEC DL ; EDX is passed as Arg2 below, presumably the length of the data to hash (how EDX was loaded is outside the lines shown)
004011B5 |. 68 A1824000 PUSH keygenme.004082A1 ; /Arg3 = 004082A1
004011BA |. 52 PUSH EDX ; |Arg2
004011BB |. 68 B5804000 PUSH keygenme.004080B5 ; |abef02ce08a87dd1596456a8c30c6f6e
004011C0 |. E8 4F2C0000 CALL keygenme.00403E14 ; \standard MD5 (init constants shown below); the lowercase hex digest ends up in the buffer at 004080B5
004011C5 |. 68 AF814000 PUSH keygenme.004081AF ; crackmes
004011CA |. E8 71560000 CALL keygenme.00406840 ; presumably installs the TEA key: the key dumped at 00511C40 below is exactly the 16 bytes starting at "crackmes" ("crackmes\0Hmm,but") with each dword byte-swapped
004011CF |. 68 65804000 PUSH keygenme.00408065 ; hbqjxhw
004011D4 |. 68 65804000 PUSH keygenme.00408065 ; hbqjxhw
004011D9 |. E8 9A560000 CALL keygenme.00406878 ; TEA-encrypt the first 8 bytes of the Name buffer in place (routine shown below)
004011DE |. A1 65804000 MOV EAX,DWORD PTR DS:[408065] ; first dword of the TEA output
004011E3 |. 8B15 69804000 MOV EDX,DWORD PTR DS:[408069] ; second dword of the TEA output
004011E9 |. 50 PUSH EAX ; /<%.8x> second format argument
004011EA |. 52 PUSH EDX ; |<%.8x> first format argument: EDX is printed before EAX
004011EB |. 68 5C804000 PUSH keygenme.0040805C ; |%.8x%.8x
004011F0 |. 68 6A824000 PUSH keygenme.0040826A ; |92afce9324e2fc95
004011F5 |. E8 5A350000 CALL <JMP.&user32.wsprintfA> ; \wsprintfA: 16 lowercase hex digits
004011FA |. 83C4 10 ADD ESP,10
004011FD |. C605 69824000>MOV BYTE PTR DS:[408269],2D ; '-' written immediately before the TEA hex buffer, so 00408269 reads "-92afce9324e2fc95"
00401204 |. 68 B5804000 PUSH keygenme.004080B5 ; /abef02ce08a87dd1596456a8c30c6f6e
00401209 |. 68 37824000 PUSH keygenme.00408237 ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
0040120E |. E8 3B350000 CALL <JMP.&KERNEL32.lstrcpyA> ; \lstrcpyA
00401213 |. 68 69824000 PUSH keygenme.00408269 ; /-92afce9324e2fc95
00401218 |. 68 37824000 PUSH keygenme.00408237 ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
0040121D |. E8 26350000 CALL <JMP.&KERNEL32.lstrcatA> ; \join the MD5 hex and the TEA hex with "-"
00401222 |. C605 3D824000>MOV BYTE PTR DS:[40823D],43 ; write 'C' at the 7th character of the generated Serial (offset 6)
00401229 |. C605 4B824000>MOV BYTE PTR DS:[40824B],78 ; write 'x' at the 21st character (offset 0x14)
00401230 |. 68 37824000 PUSH keygenme.00408237 ; /ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
00401235 |. E8 26350000 CALL <JMP.&user32.CharUpperA> ; \convert everything to upper case (this also turns the 'x' into 'X')
0040123A |. C605 56824000>MOV BYTE PTR DS:[408256],24 ; write '$' at the 32nd character (offset 0x1F), after the upper-casing
00401241 |. 33C0 XOR EAX,EAX
00401243 |. 33DB XOR EBX,EBX
00401245 |. 33D2 XOR EDX,EDX
00401247 |. 33C9 XOR ECX,ECX
00401249 |. 66:8B0D B1824>MOV CX,WORD PTR DS:[4082B1] ; ECX = length of the entered Serial = number of bytes compared
00401250 |. 8D35 83804000 LEA ESI,DWORD PTR DS:[408083]
00401256 |. 8D2D 37824000 LEA EBP,DWORD PTR DS:[408237]
0040125C |> 03F0 /ADD ESI,EAX
0040125E |. 03E8 |ADD EBP,EAX
00401260 |. 33C0 |XOR EAX,EAX
00401262 |. 8A1E |MOV BL,BYTE PTR DS:[ESI]
00401264 |. 8A55 00 |MOV DL,BYTE PTR SS:[EBP]
00401267 |. 38D3 |CMP BL,DL ; compare the entered Serial against the generated one, byte by byte
00401269 |. 75 60 |JNZ SHORT keygenme.004012CB
0040126B |. 40 |INC EAX
0040126C |.^ E2 EE \LOOPD SHORT keygenme.0040125C
0040126E |. 803D B3824000>CMP BYTE PTR DS:[4082B3],1 ; flag: success text already decoded?
00401275 |. 74 26 JE SHORT keygenme.0040129D
00401277 |. 33C9 XOR ECX,ECX
00401279 |. 33C0 XOR EAX,EAX
0040127B |. 33DB XOR EBX,EBX
0040127D |. B9 2C000000 MOV ECX,2C
00401282 |. 8D35 F6814000 LEA ESI,DWORD PTR DS:[4081F6]
00401288 |> 03F0 /ADD ESI,EAX
0040128A |. 33C0 |XOR EAX,EAX
0040128C |. 8A1E |MOV BL,BYTE PTR DS:[ESI]
0040128E |. 80F3 40 |XOR BL,40 ; Text = "%%0a`/7`72)4%`454`!.$`3%.$`4/`#2!#+-%3n$%a": XOR every byte of this 0x2C-byte string with 0x40 and you get the success message (the 42 bytes OllyDbg displays decode to "eep! ow write tut and send to crackmes.de!"; the two leading bytes it does not display are non-printable in encoded form)
00401291 |. 881E |MOV BYTE PTR DS:[ESI],BL
00401293 |. 40 |INC EAX
00401294 |.^ E2 F2 \LOOPD SHORT keygenme.00401288
00401296 |. C605 B3824000>MOV BYTE PTR DS:[4082B3],1
0040129D |> 68 F6814000 PUSH keygenme.004081F6 ; /Text = "%%0a`/7`72)4%`454`!.$`3%.$`4/`#2!#+-%3n$%a"
004012A2 |. 68 ED030000 PUSH 3ED ; |ControlID = 3ED (1005.)
004012A7 |. FF35 90824000 PUSH DWORD PTR DS:[408290] ; |hWnd (dialog handle stored at 00408290; Olly's static "= NULL" is stale)
004012AD |. E8 DE340000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
004012B2 |. 6A 00 PUSH 0 ; /lParam = 0
004012B4 |. 6A 00 PUSH 0 ; |wParam = 0
004012B6 |. 6A 0A PUSH 0A ; |Message = WM_ENABLE
004012B8 |. 68 ED030000 PUSH 3ED ; |ControlID = 3ED (1005.)
004012BD |. FF35 90824000 PUSH DWORD PTR DS:[408290] ; |hWnd (dialog handle stored at 00408290)
004012C3 |. E8 BC340000 CALL <JMP.&user32.SendDlgItemMessageA>; \SendDlgItemMessageA
004012C8 |. 61 POPAD
004012C9 |. EB 3B JMP SHORT keygenme.00401306
004012CB |> 61 POPAD
004012CC |. E8 6A000000 CALL keygenme.0040133B
004012D1 |. EB 33 JMP SHORT keygenme.00401306
004012D3 |> B8 01000000 MOV EAX,1
004012D8 |. EB 2C JMP SHORT keygenme.00401306
004012DA |> 83F8 10 CMP EAX,10 ; WM_CLOSE
004012DD |. 75 1E JNZ SHORT keygenme.004012FD
004012DF |. 68 02000900 PUSH 90002
004012E4 |. 68 20030000 PUSH 320
004012E9 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
004012EC |. E8 69340000 CALL <JMP.&user32.AnimateWindow>
004012F1 |. 6A 00 PUSH 0 ; /Result = 0
004012F3 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004012F6 |. E8 71340000 CALL <JMP.&user32.EndDialog> ; \EndDialog
004012FB |. EB 09 JMP SHORT keygenme.00401306
004012FD |> B8 00000000 MOV EAX,0
00401302 |. C9 LEAVE
00401303 |. C2 1000 RETN 10
00401306 |> B8 01000000 MOV EAX,1
0040130B |. C9 LEAVE
0040130C \. C2 1000 RETN 10
0040130F /$ 68 B8814000 PUSH keygenme.004081B8 ; /Hmm,but who name?
00401314 |. 68 EB030000 PUSH 3EB ; |ControlID = 3EB (1003.)
00401319 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040131C |. E8 6F340000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
00401321 |. C9 LEAVE
00401322 \. C2 1000 RETN 10
00401325 /$ 68 CA814000 PUSH keygenme.004081CA ; /Heh,what must check?
0040132A |. 68 ED030000 PUSH 3ED ; |ControlID = 3ED (1005.)
0040132F |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401332 |. E8 59340000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
00401337 |. C9 LEAVE
00401338 \. C2 1000 RETN 10
0040133B /$ 68 DF814000 PUSH keygenme.004081DF ; /Serial is not valid...
00401340 |. 68 ED030000 PUSH 3ED ; |ControlID = 3ED (1005.)
00401345 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401348 |. E8 43340000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
0040134D |. C9 LEAVE
0040134E \. C2 1000 RETN 10
----------------------------------------------------------------------------------------------
Inside CALL 00403E14:
the four initialization constants of standard MD5 are loaded, which identifies the routine:
00403E68 |. C706 01234567 MOV DWORD PTR DS:[ESI],67452301
00403E6E |. C746 04 89ABC>MOV DWORD PTR DS:[ESI+4],EFCDAB89
00403E75 |. C746 08 FEDCB>MOV DWORD PTR DS:[ESI+8],98BADCFE
00403E7C |. C746 0C 76543>MOV DWORD PTR DS:[ESI+C],10325476
----------------------------------------------------------------------------------------------
Inside CALL 00406878:
TEA encryption (the key is read from 00511C40; the loop body is unrolled to two rounds per pass)
00406878 55 PUSH EBP
00406879 8BEC MOV EBP,ESP
0040687B 57 PUSH EDI
0040687C 56 PUSH ESI
0040687D 53 PUSH EBX
0040687E 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
00406881 8B06 MOV EAX,DWORD PTR DS:[ESI]
00406883 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4]
00406886 33DB XOR EBX,EBX
00406888 0FC8 BSWAP EAX---plaintext to encrypt: first dword of the Name, byte-swapped (i.e. read big-endian)
0040688A 0FCA BSWAP EDX---plaintext to encrypt: second dword of the Name, byte-swapped
0040688C 81C3 B979379E /ADD EBX,9E3779B9
00406892 8BCA |MOV ECX,EDX
00406894 C1E1 04 |SHL ECX,4
00406897 8BFA |MOV EDI,EDX
00406899 8D3413 |LEA ESI,DWORD PTR DS:[EBX+EDX]
0040689C 030D 401C5100 |ADD ECX,DWORD PTR DS:[511C40]---TEA key word k0
004068A2 C1EF 05 |SHR EDI,5
004068A5 33CE |XOR ECX,ESI
004068A7 033D 441C5100 |ADD EDI,DWORD PTR DS:[511C44]---TEA key word k1
004068AD 33CF |XOR ECX,EDI
004068AF 03C1 |ADD EAX,ECX
004068B1 8BC8 |MOV ECX,EAX
004068B3 C1E1 04 |SHL ECX,4
004068B6 8BF8 |MOV EDI,EAX
004068B8 8D3403 |LEA ESI,DWORD PTR DS:[EBX+EAX]
004068BB 030D 481C5100 |ADD ECX,DWORD PTR DS:[511C48]---TEA key word k2
004068C1 C1EF 05 |SHR EDI,5
004068C4 33CE |XOR ECX,ESI
004068C6 033D 4C1C5100 |ADD EDI,DWORD PTR DS:[511C4C]---TEA key word k3
004068CC 33CF |XOR ECX,EDI
004068CE 03D1 |ADD EDX,ECX
004068D0 81C3 B979379E |ADD EBX,9E3779B9
004068D6 8BCA |MOV ECX,EDX
004068D8 C1E1 04 |SHL ECX,4
004068DB 8BFA |MOV EDI,EDX
004068DD 8D3413 |LEA ESI,DWORD PTR DS:[EBX+EDX]
004068E0 030D 401C5100 |ADD ECX,DWORD PTR DS:[511C40]
004068E6 C1EF 05 |SHR EDI,5
004068E9 33CE |XOR ECX,ESI
004068EB 033D 441C5100 |ADD EDI,DWORD PTR DS:[511C44]
004068F1 33CF |XOR ECX,EDI
004068F3 03C1 |ADD EAX,ECX
004068F5 8BC8 |MOV ECX,EAX
004068F7 C1E1 04 |SHL ECX,4
004068FA 8BF8 |MOV EDI,EAX
004068FC 8D3403 |LEA ESI,DWORD PTR DS:[EBX+EAX]
004068FF 030D 481C5100 |ADD ECX,DWORD PTR DS:[511C48]
00406905 C1EF 05 |SHR EDI,5
00406908 33CE |XOR ECX,ESI
0040690A 033D 4C1C5100 |ADD EDI,DWORD PTR DS:[511C4C]
00406910 33CF |XOR ECX,EDI
00406912 03D1 |ADD EDX,ECX
00406914 81FB 2037EFC6 |CMP EBX,C6EF3720---0xC6EF3720 = 32 * 0x9E3779B9 (mod 2^32): two rounds per pass, 16 passes = 32 TEA rounds
0040691A ^ 0F85 6CFFFFFF \JNZ keygenme.0040688C
00406920 0FC8 BSWAP EAX---ciphertext is byte-swapped back and stored big-endian into the buffer passed as Arg2 (here the Name buffer itself)
00406922 0FCA BSWAP EDX
00406924 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
00406927 8906 MOV DWORD PTR DS:[ESI],EAX
00406929 8956 04 MOV DWORD PTR DS:[ESI+4],EDX
0040692C 5B POP EBX
0040692D 5E POP ESI
0040692E 5F POP EDI
0040692F C9 LEAVE
00406930 C2 0800 RETN 8
The TEA key (hex 6361726373656D6B6D6D48007475622C), read as four little-endian dwords k0..k3 = 0x63726163, 0x6B6D6573, 0x00486D6D, 0x2C627574. Note that these 16 bytes are exactly "crackmes\0Hmm,but", the bytes at 004081AF..004081BE (the "crackmes" string followed by the start of "Hmm,but who name?"), with each dword byte-swapped; that is presumably what PUSH "crackmes" / CALL 00406840 before the TEA call sets up:
00511C40 63 61 72 63 73 65 6D 6B 6D 6D 48 00 74 75 62 2C carcsemkmmH.tub,
The core of the loop above is the standard TEA round, with y = EAX, z = EDX, sum = EBX and (a, b, c, d) = (k0, k1, k2, k3):
sum += delta; (delta = 0x9E3779B9)
y += ((a + (z << 4)) ^ (sum + z)) ^ (b + (z >> 5));
z += ((c + (y << 4)) ^ (sum + y)) ^ (d + (y >> 5));
repeated 32 times (the loop exits when sum reaches 0xC6EF3720 = 32 * delta). Both input dwords are byte-swapped before the rounds and the two outputs are byte-swapped again before being stored.
----------------------------------------------------------------------------------------------
Summary:
1. Compute the MD5 of Name as 32 lowercase hex digits.
2. TEA-encrypt the first 8 bytes of Name (the buffer is zeroed first, so shorter names are zero-padded) with the key above, and format the two result dwords as 16 hex digits (second dword first, as the wsprintfA argument order shows).
3. Join the MD5 string and the TEA string with "-" (49 characters in total).
4. Replace the 7th character of the Serial with C and the 21st with x.
5. Convert everything to upper case.
6. Replace the 32nd character with $.
The Serial typed into the dialog must be exactly 49 characters and match this string byte for byte.
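The six steps as a working keygen, written in Python. This is an added example and not the write-up's or saytos's source: the MD5 comes from hashlib (the write-up identifies the routine at 00403E14 as standard MD5 by its initialization constants), while the TEA rounds, the BSWAPs, the key words at 00511C40, the character substitutions and the wsprintfA argument order are transcribed from the listing above, and check() mirrors the dialog procedure's validation path. Two things are assumptions rather than read off the page: that the length passed to the MD5 routine (EDX after the DEC DL at 004011B3) is the full length of Name, and that Name is treated as single-byte ANSI (hence the latin-1 encoding).

```python
"""Keygen for saytos' keygenme#2, reconstructed from the OllyDbg listing above."""
import hashlib
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF

# Key words exactly as the TEA routine reads them: four little-endian dwords at
# 00511C40..00511C4C (hex dump 63 61 72 63 73 65 6D 6B 6D 6D 48 00 74 75 62 2C).
TEA_KEY = struct.unpack("<4I", bytes.fromhex("6361726373656D6B6D6D48007475622C"))

# Buffer sizes from the GetDlgItemTextA calls: Count = 0x14 for Name, 0x32 for Serial
NAME_MAX = 0x14 - 1
SERIAL_MAX = 0x32 - 1


def tea_encrypt(v0, v1, key=TEA_KEY):
    """Standard TEA. The loop at 0040688C does two rounds per pass and exits when
    sum == 0xC6EF3720 = 32 * delta, i.e. after 32 rounds."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ (s + v1) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ (s + v0) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt(v0, v1, key=TEA_KEY):
    """Inverse of tea_encrypt; the keygenme never decrypts, this only self-checks the rounds."""
    k0, k1, k2, k3 = key
    s = (32 * DELTA) & MASK
    for _ in range(32):
        v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ (s + v0) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ (s + v1) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def tea_part(name):
    """004011D9..004011F5: encrypt the first 8 bytes of the zeroed Name buffer and
    print the result with wsprintfA("%.8x%.8x", EDX, EAX)."""
    block = name[:8].ljust(8, b"\x00")       # RtlZeroMemory'd buffer: short names are zero-padded
    v0, v1 = struct.unpack(">2I", block)     # BSWAP EAX / BSWAP EDX before the rounds
    c0, c1 = tea_encrypt(v0, v1)
    stored = struct.pack(">2I", c0, c1)      # BSWAP again, then MOV [ESI],EAX / MOV [ESI+4],EDX
    eax, edx = struct.unpack("<2I", stored)  # 004011DE: the caller re-reads both dwords little-endian
    return "%08x%08x" % (edx, eax)           # EDX is pushed after EAX, so it is printed first


def keygen(name):
    raw = name.encode("latin-1")[:NAME_MAX]  # assumption: single-byte ANSI; at most 19 chars are read
    if not raw:
        raise ValueError("Hmm,but who name?")  # the keygenme's own reply to an empty Name
    # steps 1-3: md5 hex (32 lowercase digits) + "-" + TEA hex (16 digits)
    serial = list(hashlib.md5(raw).hexdigest() + "-" + tea_part(raw))
    serial[6] = "C"                          # MOV BYTE PTR [40823D],43  (offset 6)
    serial[20] = "x"                         # MOV BYTE PTR [40824B],78  (offset 0x14)
    serial = [c.upper() for c in serial]     # CharUpperA
    serial[31] = "$"                         # MOV BYTE PTR [408256],24  (offset 0x1F), after upper-casing
    return "".join(serial)


def check(name, serial):
    """The validation path of the dialog procedure, for testing serials against the keygen."""
    entered = serial[:SERIAL_MAX]            # GetDlgItemTextA(..., 0x32) keeps at most 49 chars
    if not entered:
        return False                         # "Heh,what must check?"
    if len(entered) < 0x31:                  # CMP EAX,31 / JNB
        return False
    if entered[6] != "C" or entered[20] != "X" or entered[31] != "$":
        return False
    # 0040125C: len(entered) bytes are compared against the generated buffer; that
    # buffer is 49 chars followed by a NUL, so only an exact 49-char match passes
    return entered == keygen(name)


if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "hbqjxhw"
    s = keygen(user)
    print(user, s, check(user, s))
```

Run it as `python keygen.py <name>`. The write-up's own session shows ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95 for the name hbqjxhw, which gives a direct comparison for both the MD5 half and the byte order of the TEA half. Note that only the first 8 bytes of Name enter TEA, so names that share an 8-byte prefix differ only in the MD5 half of the serial.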
----------------------------------------------------------------------------------------------
【Remarks】 I am just a newbie; having gained a little insight, I am happy to share it with everyone :)
【Copyright】 This article is purely for technical exchange. When reposting, please credit the author and keep the article intact. Thank you!
----------------------------------------------------------------------------------------------
Written on 2007-1-22 23:09:56