-
-
[原创][破]KeygenMe.Prof.DrAcULA.WinASM.1
-
发表于:
2007-1-25 11:02
5253
-
[原创][破]KeygenMe.Prof.DrAcULA.WinASM.1
【文章标题】: [破]KeygenMe.Prof.DrAcULA.WinASM.1
【文章作者】: HappyTown
【作者主页】: www.pediy.com
【软件名称】: Cryptok KeygenMe {1}
【下载地址】: 附件内
【加壳方式】: 无
【保护方式】: CAST128 + BASE64
【编写语言】: Win32ASM
【使用工具】: OD,IDA,
【操作平台】: WinXP
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
1. PEiD查看,找到了Cast128;
2. IDA + CryptoSIG,直接定位Cast函数,导出map文件;
3. OD载入,Loadmap;
name:happy
seria:7654321
00403DEE /$>push ebp
00403DEF |.>mov ebp, esp
00403DF1 |.>pushad
00403DF2 |.>xor eax, eax
00403DF4 |>>/mov byte ptr [eax+4052E0>
00403DFB |.>|mov byte ptr [eax+40527C>
00403E02 |.>|inc eax
00403E03 |.>|cmp eax, 64
00403E06 |.>\jb short 00403DF4
00403E08 |.>push 64 ; /Count = 64 (100.)
00403E0A |.>push 00405218 ; |Buffer = Cryptok_.00405218
00403E0F |.>push 69 ; |ControlID = 69 (105.)
00403E11 |.>push dword ptr [ebp+8] ; |hWnd
00403E14 |.>call <GetDlgItemTextA> ; \GetDlgItemTextA
00403E19 |.>cmp eax, 1 ; nameLen
00403E1C |.>jb 00403EDA
00403E22 |.>mov edx, eax ; nameLen
00403E24 |.>xor ebx, ebx
00403E26 |>>/mov cl, [eax+405015] ; Table1:o
00403E2C |.>|mov [ebx+405344], cl ; 最终:s=6F 6B 20 4B 65 79 67 65 6E 4D65 20 7B 31 7D 0D ok KeygenMe {1}.
00403E32 |.>|inc eax
00403E33 |.>|inc ebx
00403E34 |.>|cmp ebx, 10
00403E37 |.>\jb short 00403E26
00403E39 |.>mov eax, [405344] ; S
00403E3E |.>mov esi, [4052E0]
00403E44 |.>call <_bart_dword2hexstr@0>; 4B206B6F:转换s的第一个DWORD为字符串,但后面却没有使用它
00403E49 |.>push 004052E0 ; ASCII "TMiyYv0ql9Y="
00403E4E |.>call <_CAST128_SetKey@4>
00403E53 |.>push 00405218 ; name
00403E58 |.>push 0040527C ; castCipher
00403E5D |.>call <_CAST128_Encrypt@8>
00403E62 |.>call <_CAST128_Clear@0>
00403E67 |.>push 004052E0 ; ASCII "TMiyYv0ql9Y="
00403E6C |.>push 0040527C ; castCipher
00403E71 |.>call <b64>
00403E76 |.>push 0040527C
00403E7B |.>push 004052E0 ; ASCII "TMiyYv0ql9Y="
00403E80 |.>call <strcopy>
00403E85 |.>push 64 ; /Count = 64 (100.)
00403E87 |.>push 004052E0 ; |Buffer = Cryptok_.004052E0
00403E8C |.>push 6A ; |ControlID = 6A (106.)
00403E8E |.>push dword ptr [ebp+8] ; |hWnd
00403E91 |.>call <GetDlgItemTextA> ; \GetDlgItemTextA
00403E96 |.>cmp eax, 6
00403E99 |.>jb short 00403EDA
00403E9B |.>xor eax, eax
00403E9D |>>/mov bl, [eax+4052E0] ; //取Base64(castCipher)的奇数位字符,并与输入的sn比较
00403EA3 |.>|mov dl, bl
00403EA5 |.>|inc dl
00403EA7 |.>|mov bh, bl
00403EA9 |.>|sub bl, dl
00403EAB |.>|inc bl
00403EAD |.>|movzx edx, bl
00403EB0 |.>|mov bl, bh
00403EB2 |.>|mov bh, [edx+eax*2+40527>
00403EB9 |.>|xor bl, bh
00403EBB |.>|cmp bl, 0
00403EBE |.>|jnz short 00403EDA
00403EC0 |.>|inc eax
00403EC1 |.>|cmp eax, 6 ; 共6次,所以sn应该只有6个字符
00403EC4 |.>\jb short 00403E9D ; \\
00403EC6 |.>push 0 ; /Style = MB_OK|MB_APPLMODAL
00403EC8 |.>push 00405000 ; |Title = "Cryptok KeygenMe {1}"
00403ECD |.>push 0040510A ; |Text = "Yeah you did it! Now code a keygen!"
00403ED2 |.>push dword ptr [ebp+8] ; |hOwner
00403ED5 |.>call <MessageBoxA> ; \MessageBoxA
00403EDA |>>popad
00403EDB |.>leave
00403EDC \.>retn 4
验证思路如下:
(1) Base64(Cast128(name));
(2) 取上一步结果的奇数位字符,共6位。
明码比较,所以注册机直接按程序的流程写即可。源代码如下:
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include "cast128.h"
#include "base64.c"
int main()
{
int i, pLen;
unsigned char name[100] = {0};
unsigned char castKey[100] = {0};
unsigned char castCipher[100] = {0};
unsigned char serial[100] = {0};
unsigned char strTemp[100] = {0};
printf("\tName:\t");
scanf("%s", name);
CAST128_SetKey(castKey);
CAST128_Encrypt(castCipher, name);
CAST128_Clear();
Base64Encode(castCipher, 8, strTemp, &pLen);
for (i=0;i<6;i++)
{
serial[i] = strTemp[i*2];
}
printf("\tSeria:\t%s", serial);
printf("\n\n");
return 0;
}
给几组可用的注册码:
name:happy
serial:TiY0lY
name:看雪学院
serial:GTdwv8
--------------------------------------------------------------------------------
【经验总结】
一个简单的,适合入门的密码学kgme,但作者使用密码学的方法不对。
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪软件安全论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年01月24日 11:50:27
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
