【文章标题】: 算法追踪之壹只老虎 crackme1.5
【文章作者】: fonge
【作者邮箱】: fonge520@163.com
【作者QQ号】: 170247260
【编写语言】: C
【使用工具】: OllyICE1.10修改版
【操作平台】: WXP+SP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
00401000 /$ 55 push ebp
00401001 |. 8BEC mov ebp, esp
00401003 |. 83EC 58 sub esp, 58
00401006 |. 68 30704000 push 00407030 ; ======================================================\n
0040100B |. E8 55040000 call 00401465
00401010 |. 83C4 04 add esp, 4
00401013 |. 68 68704000 push 00407068 ; ==============壹只老虎crackme1.5--(c语言)=============\n
00401018 |. E8 48040000 call 00401465
0040101D |. 83C4 04 add esp, 4
00401020 |. 68 A0704000 push 004070A0 ; ======================2007-2-3========================\n
00401025 |. E8 3B040000 call 00401465
0040102A |. 83C4 04 add esp, 4
0040102D |. 68 D8704000 push 004070D8 ; 请输入注册名:
00401032 |. E8 2E040000 call 00401465
00401037 |. 83C4 04 add esp, 4
0040103A |. 8D45 A8 lea eax, dword ptr [ebp-58]
0040103D |. 50 push eax
0040103E |. E8 D8030000 call 0040141B
00401043 |. 83C4 04 add esp, 4
00401046 |. 68 E8704000 push 004070E8 ; 请输入注册码:
0040104B |. E8 15040000 call 00401465
00401050 |. 83C4 04 add esp, 4
00401053 |. 8D4D C4 lea ecx, dword ptr [ebp-3C] ;
爆破点,改为jmp 00401208即成功爆破!:)
00401056 |. 51 push ecx
00401057 |. E8 BF030000 call 0040141B
0040105C |. 83C4 04 add esp, 4
0040105F |. 8D55 A8 lea edx, dword ptr [ebp-58] ;
我们输入的注册名
00401062 |. 52 push edx
00401063 |. E8 38030000 call 004013A0 ;
返回长度
00401068 |. 83C4 04 add esp, 4
0040106B |. 83F8 64 cmp eax, 64
0040106E 77 11 ja short 00401081 ;
X>64时跳向失败
00401070 |. 8D45 C4 lea eax, dword ptr [ebp-3C] ;
注册码
00401073 |. 50 push eax
00401074 |. E8 27030000 call 004013A0 ;
返回长度
00401079 |. 83C4 04 add esp, 4
0040107C 83F8 64 cmp eax, 64
0040107F |. 76 14 jbe short 00401095 ;
X>64时跳向失败
00401081 |> 68 F8704000 push 004070F8 ; 注册失败!\n
00401086 |. E8 DA030000 call 00401465
0040108B |. 83C4 04 add esp, 4
0040108E |. 33C0 xor eax, eax
00401090 |. E9 82010000 jmp 00401217
00401095 |> 8D4D A8 lea ecx, dword ptr [ebp-58]
00401098 |. 51 push ecx
00401099 |. E8 02030000 call 004013A0
0040109E |. 83C4 04 add esp, 4
004010A1 83F8 08 cmp eax, 8
004010A4 |. 72 11 jb short 004010B7 ;
输入的注册名小于8时跳向失败
004010A6 |. 8D55 C4 lea edx, dword ptr [ebp-3C]
004010A9 |. 52 push edx
004010AA |. E8 F1020000 call 004013A0
004010AF |. 83C4 04 add esp, 4
004010B2 83F8 0A cmp eax, 0A
004010B5 73 14 jnb short 004010CB ;
输入的注册码>=10时跳走(成功方向)
004010B7 68 04714000 push 00407104 ; 注册失败!\n
004010BC E8 A4030000 call 00401465
004010C1 |. 83C4 04 add esp, 4
004010C4 |. 33C0 xor eax, eax
004010C6 |. E9 4C010000 jmp 00401217
004010CB |> 8D45 A8 lea eax, dword ptr [ebp-58]
004010CE |. 50 push eax
004010CF |. E8 CC020000 call 004013A0
004010D4 |. 83C4 04 add esp, 4
004010D7 83F8 10 cmp eax, 10
004010DA |. 77 11 ja short 004010ED ;
输入的注册名>10时跳向失败
004010DC |. 8D4D C4 lea ecx, dword ptr [ebp-3C]
004010DF |. 51 push ecx
004010E0 |. E8 BB020000 call 004013A0
004010E5 |. 83C4 04 add esp, 4
004010E8 |. 83F8 14 cmp eax, 14
004010EB 76 14 jbe short 00401101 ;
输入的注册码小于14H时跳向成功方向
004010ED 68 10714000 push 00407110 ; 注册失败!\n
004010F2 E8 6E030000 call 00401465
004010F7 |. 83C4 04 add esp, 4
004010FA |. 33C0 xor eax, eax
004010FC |. E9 16010000 jmp 00401217
00401101 |> 68 1C714000 push 0040711C ; 我用汉字来,看你怎么办!
00401106 |. 8D55 E0 lea edx, dword ptr [ebp-20]
00401109 |. 52 push edx
0040110A |. E8 A1010000 call 004012B0
0040110F |. 83C4 08 add esp, 8
00401112 |. 8D45 A8 lea eax, dword ptr [ebp-58]
00401115 |. 50 push eax
00401116 |. E8 85020000 call 004013A0
0040111B |. 83C4 04 add esp, 4
0040111E |. 8945 FC mov dword ptr [ebp-4], eax
00401121 |. EB 09 jmp short 0040112C ;
进入第一个循环,是填充数据的!第二个和第三个是运算!
00401123 |> 8B4D FC /mov ecx, dword ptr [ebp-4]
00401126 |. 83C1 01 |add ecx, 1
00401129 |. 894D FC |mov dword ptr [ebp-4], ecx
0040112C |> 837D FC 18 cmp dword ptr [ebp-4], 18
00401130 |. 7D 1E |jge short 00401150
00401132 |. 8B55 FC |mov edx, dword ptr [ebp-4]
00401135 |. 8D04D5 090000>|lea eax, dword ptr [edx*8+9]
0040113C |. 99 |cdq
0040113D |. B9 1A000000 |mov ecx, 1A
00401142 |. F7F9 |idiv ecx
00401144 |. 83C2 41 |add edx, 41
00401147 |. 8B45 FC |mov eax, dword ptr [ebp-4]
0040114A |. 885405 A8 |mov byte ptr [ebp+eax-58], dl ;
第一道关口,是填充数据!用户名是fonge,那结果就是fongeXFNVDLTBJRZHPXFNVDL!当然,这样是不行的,因为crme中要求是8-10位,so我用fonge5201,在这里结果就是fonge5201DLTBJRZHPXFNVDL!
0040114E |.^ EB D3 \jmp short 00401123
00401150 |> C645 C0 00 mov byte ptr [ebp-40], 0
00401154 |. C745 FC 00000>mov dword ptr [ebp-4], 0
0040115B |. EB 09 jmp short 00401166
0040115D |> 8B4D FC /mov ecx, dword ptr [ebp-4]
00401160 |. 83C1 01 |add ecx, 1
00401163 |. 894D FC |mov dword ptr [ebp-4], ecx
00401166 |> 8D55 A8 lea edx, dword ptr [ebp-58] ;
指向第一轮计算出来的结果
00401169 |. 52 |push edx ;
入栈
0040116A |. E8 31020000 |call 004013A0 ;
返回长度
0040116F |. 83C4 04 |add esp, 4 ;
C语言平衡堆栈
00401172 |. 3945 FC |cmp dword ptr [ebp-4], eax ;
比较是否为返回长度,T就跳
00401175 |. 7D 1B |jge short 00401192
00401177 |. 8B45 FC |mov eax, dword ptr [ebp-4]
0040117A |. 0FBE4C05 E0 |movsx ecx, byte ptr [ebp+eax-20] ;
这里就在取表(我用汉字来,看你怎么办!),是的,我不怎么办!
0040117F |. 8B55 FC |mov edx, dword ptr [ebp-4]
00401182 |. 0FBE4415 A8 |movsx eax, byte ptr [ebp+edx-58] ;
一个一个地取第一轮计算出来的结果
00401187 |. 33C8 |xor ecx, eax ;
与表中相应取值异或
00401189 |. 8B55 FC |mov edx, dword ptr [ebp-4]
0040118C |. 884C15 E0 |mov byte ptr [ebp+edx-20], cl ;
取CL拼加
00401190 |.^ EB CB \jmp short 0040115D
00401192 |> C745 FC 00000>mov dword ptr [ebp-4], 0
00401199 |. EB 09 jmp short 004011A4
0040119B |> 8B45 FC /mov eax, dword ptr [ebp-4]
0040119E |. 83C0 01 |add eax, 1
004011A1 |. 8945 FC |mov dword ptr [ebp-4], eax
004011A4 |> 837D FC 18 cmp dword ptr [ebp-4], 18
004011A8 |. 7D 2C |jge short 004011D6
004011AA |. 8B4D FC |mov ecx, dword ptr [ebp-4]
004011AD |. 0FBE540D E0 |movsx edx, byte ptr [ebp+ecx-20] ;
上面拼出来的结果抽出来参与计算
004011B2 |. 81F2 D7070000 |xor edx, 7D7 ;
xor 7d7
004011B8 |. 8B45 FC |mov eax, dword ptr [ebp-4]
004011BB |. 885405 E0 |mov byte ptr [ebp+eax-20], dl ;
DL值放回去
004011BF |. 8B4D FC |mov ecx, dword ptr [ebp-4]
004011C2 |. 0FBE540D E0 |movsx edx, byte ptr [ebp+ecx-20]
004011C7 |. 81F2 CB000000 |xor edx, 0CB ;
放回去的DL值参与xor 0CB运算
004011CD |. 8B45 FC |mov eax, dword ptr [ebp-4]
004011D0 |. 885405 E0 |mov byte ptr [ebp+eax-20], dl ;
最终值放回去,参与最后的比较
004011D4 |.^ EB C5 \jmp short 0040119B
004011D6 |> 8D4D C4 lea ecx, dword ptr [ebp-3C] ;
输入的注册码,在这里出现
004011D9 |. 51 push ecx
004011DA |. E8 C1010000 call 004013A0 ;
这个函数太熟了,返回长度的,上面出现了N次
004011DF |. 83C4 04 add esp, 4 ;
平衡堆栈,C语言的特性
004011E2 |. C64405 E0 00 mov byte ptr [ebp+eax-20], 0
004011E7 |. 8D55 E0 lea edx, dword ptr [ebp-20] ;
指向计算出来的结果
004011EA |. 52 push edx ;
压进去
004011EB |. 8D45 C4 lea eax, dword ptr [ebp-3C] ;
我们输入的注册码
004011EE |. 50 push eax ;
也压进去!
004011EF |. E8 2C000000 call 00401220 ;
标准的比较函数,压两个值进去
004011F4 |. 83C4 08 add esp, 8
004011F7 |. 85C0 test eax, eax
004011F9 74 0D je short 00401208
004011FB |. 68 38714000 push 00407138 ; 注册失败!\n
00401200 |. E8 60020000 call 00401465
00401205 |. 83C4 04 add esp, 4
00401208 |> 68 44714000 push 00407144 ; ok!\n
0040120D |. E8 53020000 call 00401465
00401212 |. 83C4 04 add esp, 4
00401215 |. 33C0 xor eax, eax
00401217 |> 8BE5 mov esp, ebp
00401219 |. 5D pop ebp
0040121A \. C3 retn
--------------------------------------------------------------------------------
【经验总结】
逆向不难,但好像要正确的注册码倒是有问题了,很想看看老虎的注册码源码是什么样的!
--------------------------------------------------------------------------------
2007年02月05日 13:30:42
[培训]科锐软件逆向50期预科班报名即将截止,速来!!! 50期正式班报名火爆招生中!!!
