[原创]xx crackme算法分析及注册机-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创]xx crackme算法分析及注册机

发表于: 2007-2-25 13:29 3645

[原创]xx crackme算法分析及注册机

theOcrat

2007-2-25 13:29

3645

【文章标题】: xx crackme算法分析及注册机
【文章作者】: the0crat
【作者邮箱】: the0crat.cn_at_gmail.com
【作者主页】: http://the0crat.spaces.live.com
【生产日期】: 20070225
【软件名称】: xx
【保护方式】: 注册码
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: IDA+OD
【作者声明】: 本文仅供研究学习，本人对因这篇文章而导致的一切后果，不承担任何法律责任。本文中的不足之处请各位多多指教
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
--------------------------------------------------------------------------------
【详细过程】

从字符串信息中很快定位

00466580 >/.  55          push ebp                            ;  sub_466580
00466581  |.  8BEC       mov    ebp, esp
00466583  |.  83C4 E8    add    esp, -18
00466586  |.  33C9       xor    ecx, ecx
00466588  |.  894D E8    mov    dword ptr [ebp-18], ecx
0046658B  |.  894D EC    mov    dword ptr [ebp-14], ecx
0046658E  |.  894D F4    mov    dword ptr [ebp-C], ecx
00466591  |.  8955 F0    mov    dword ptr [ebp-10], edx
00466594  |.  8945 FC    mov    dword ptr [ebp-4], eax
00466597  |.  33C0       xor    eax, eax
00466599  |.  55          push ebp
0046659A  |.  68 60664600 push <loc_466660>
0046659F  |.  64:FF30    push dword ptr fs:[eax]
004665A2  |.  64:8920    mov    dword ptr fs:[eax], esp
004665A5  |.  68 BF580000 push 58BF                            ; /Arg1 = 000058BF
004665AA  |.  66:B9 6DCE mov    cx, 0CE6D                      ; |
004665AE  |.  B2 01       mov    dl, 1                         ; |
004665B0  |.  A1 84614600 mov    eax, dword ptr [<off_466184>] ; |
004665B5  |.  E8 22FCFFFF call <sub_4661DC>                   ; \DCG_2_2.004661DC
004665BA  |.  8945 F8    mov    dword ptr [ebp-8], eax
004665BD  |.  33C0       xor    eax, eax
004665BF  |.  55          push ebp
004665C0  |.  68 36664600 push <sub_466636>
004665C5  |.  64:FF30    push dword ptr fs:[eax]
004665C8  |.  64:8920    mov    dword ptr fs:[eax], esp
004665CB  |.  8D45 F4    lea    eax, dword ptr [ebp-C]
004665CE  |.  50          push eax
004665CF  |.  8D55 EC    lea    edx, dword ptr [ebp-14]
004665D2  |.  8B45 FC    mov    eax, dword ptr [ebp-4]
004665D5  |.  8B80 FC020000 mov    eax, dword ptr [eax+2FC]
004665DB  |.  E8 08BBFCFF call <sub_4320E8>                   ;  取用户名
004665E0  |.  8B55 EC    mov    edx, dword ptr [ebp-14]
004665E3  |.  66:B9 E14D mov    cx, 4DE1
004665E7  |.  8B45 F8    mov    eax, dword ptr [ebp-8]
004665EA  |.  E8 41FCFFFF call <sub_466230>                   ;  ###关键call###-->

跟进

00466230 >/$  55          push ebp                            ;  sub_466230
00466231  |.  8BEC       mov    ebp, esp
00466233  |.  83C4 E4    add    esp, -1C
00466236  |.  53          push ebx
00466237  |.  33DB       xor    ebx, ebx
00466239  |.  895D E4    mov    dword ptr [ebp-1C], ebx
0046623C  |.  66:894D F6 mov    word ptr [ebp-A], cx
00466240  |.  8955 F8    mov    dword ptr [ebp-8], edx
00466243  |.  8945 FC    mov    dword ptr [ebp-4], eax
00466246  |.  33C0       xor    eax, eax
00466248  |.  55          push ebp
00466249  |.  68 E9624600 push <sub_4662E9>
0046624E  |.  64:FF30    push dword ptr fs:[eax]
00466251  |.  64:8920    mov    dword ptr fs:[eax], esp
00466254  |.  66:8B45 F6 mov    ax, word ptr [ebp-A]
00466258  |.  66:8945 EE mov    word ptr [ebp-12], ax
0046625C  |.  8B45 08    mov    eax, dword ptr [ebp+8]
0046625F  |.  E8 3CDDF9FF call <sub_403FA0>
00466264  |.  8B45 F8    mov    eax, dword ptr [ebp-8]
00466267  |.  E8 F4DFF9FF call <sub_404260>                   ;  将注册码长度放入eax
0046626C  |.  85C0       test eax, eax
0046626E  |.  7E 63       jle    short <loc_4662D3>
00466270  |.  8945 E8    mov    dword ptr [ebp-18], eax       ;  循环次数=注册码长度
00466273  |.  C745 F0 01000>mov    dword ptr [ebp-10], 1
0046627A >|>  8B45 F8    /mov    eax, dword ptr [ebp-8]       ;  loc_46627A
0046627D  |.  8B55 F0    |mov    edx, dword ptr [ebp-10]
00466280  |.  8A4410 FF    |mov    al, byte ptr [eax+edx-1]       ;  从左顺次取用户名的一个字符
00466284  |.  0FB755 EE    |movzx edx, word ptr [ebp-12]       ;  n[0]=4DE1h
00466288  |.  C1EA 08    |shr    edx, 8                         ;  取n[i-1]/2的8次方
0046628B  |.  32C2       |xor    al, dl                         ;  两者异或，记x[i]
0046628D  |.  8845 F5    |mov    byte ptr [ebp-B], al
00466290  |.  33C0       |xor    eax, eax
00466292  |.  8A45 F5    |mov    al, byte ptr [ebp-B]
00466295  |.  66:0345 EE |add    ax, word ptr [ebp-12]          ;  n[i]=n[i-1]+x[i]
00466299  |.  8B55 FC    |mov    edx, dword ptr [ebp-4]
0046629C  |.  66:F76A 04 |imul word ptr [edx+4]             ;  n[i]*=CE6Dh,取16位的大小
004662A0  |.  8B55 FC    |mov    edx, dword ptr [ebp-4]
004662A3  |.  66:0342 06 |add    ax, word ptr [edx+6]          ;  n[i]+=58BFh
004662A7  |.  66:8945 EE |mov    word ptr [ebp-12], ax          ;  保存
004662AB  |.  8D4D E4    |lea    ecx, dword ptr [ebp-1C]
004662AE  |.  33C0       |xor    eax, eax
004662B0  |.  8A45 F5    |mov    al, byte ptr [ebp-B]
004662B3  |.  BA 02000000 |mov    edx, 2
004662B8  |.  E8 831CFAFF |call <sub_407F40>                   ;  转换,("%s",x[i])
004662BD  |.  8B55 E4    |mov    edx, dword ptr [ebp-1C]
004662C0  |.  8B45 08    |mov    eax, dword ptr [ebp+8]
004662C3  |.  E8 A0DFF9FF |call <sub_404268>                   ;  strcat
004662C8  |.  8B45 08    |mov    eax, dword ptr [ebp+8]
004662CB  |.  FF45 F0    |inc    dword ptr [ebp-10]
004662CE  |.  FF4D E8    |dec    dword ptr [ebp-18]
004662D1  |.^ 75 A7       \jnz    short <loc_46627A>
004662D3 >|>  33C0       xor    eax, eax                      ;  loc_4662D3
004662D5  |.  5A          pop    edx
004662D6  |.  59          pop    ecx
004662D7  |.  59          pop    ecx
004662D8  |.  64:8910    mov    dword ptr fs:[eax], edx
004662DB  |.  68 F0624600 push <loc_4662F0>
004662E0 >|>  8D45 E4    lea    eax, dword ptr [ebp-1C]       ;  loc_4662E0
004662E3  |.  E8 B8DCF9FF call <sub_403FA0>
004662E8  \.  C3          retn

返回

004665EF  |.  8D55 E8    lea    edx, dword ptr [ebp-18]
004665F2  |.  8B45 FC    mov    eax, dword ptr [ebp-4]
004665F5  |.  8B80 00030000 mov    eax, dword ptr [eax+300]
004665FB  |.  E8 E8BAFCFF call <sub_4320E8>                   ;  取注册码
00466600  |.  8B45 E8    mov    eax, dword ptr [ebp-18]
00466603  |.  8B55 F4    mov    edx, dword ptr [ebp-C]
00466606  |.  E8 A1DDF9FF call <sub_4043AC>                   ;  对比
0046660B  |.  75 13       jnz    short <loc_466620>
0046660D  |.  6A 00       push 0                               ; /Style = MB_OK|MB_APPLMODAL
0046660F  |.  68 6C664600 push <aValidKey>                   ; |valid key
00466614  |.  68 6C664600 push <aValidKey>                   ; |valid key
00466619  |.  6A 00       push 0                               ; |hOwner = NULL
0046661B  |.  E8 D400FAFF call <MessageBoxA_0>                ; \MessageBoxA
00466620 >|>  33C0       xor    eax, eax                      ;  loc_466620
00466622  |.  5A          pop    edx
00466623  |.  59          pop    ecx
00466624  |.  59          pop    ecx
00466625  |.  64:8910    mov    dword ptr fs:[eax], edx
00466628  |.  68 3D664600 push <loc_46663D>
0046662D >|>  8B45 F8    mov    eax, dword ptr [ebp-8]          ;  loc_46662D
00466630  |.  E8 C7CAF9FF call <sub_4030FC>
00466635  \.  C3          retn

[算法总结]
void CDCG_KeyGenDlg::OnChangeName()
{
// TODO: If this is a RICHEDIT control, the control will not
// send this notification unless you override the CDialog::OnInitDialog()
// function and call CRichEditCtrl().SetEventMask()
// with the ENM_CHANGE flag ORed into the mask.

// TODO: Add your control notification handler code here
// kengen by the0crat
char szName[31]={0};
int nNum=0;
int n=0x4DE1;
int m;
int len;
int i;
int con1=0xce6d;
int con2=0x58bf;
int Gewei=0;
int Shiwei=0;
char szSerial[50]={0};
GetDlgItemText(IDC_Name,szName,30);
len=strlen(szName);
if(len<1) return;
for(i=0;i<len;i++)
{
m=n;
m>>=8;
nNum=szName[i]^m;
n+=nNum;
__asm
{
pushad
mov eax,n
imul con1
movzx ebx,ax
add ebx,con2
movzx eax,bx
mov n,eax
popad
}
/////////////////////////////////
//十六进制转换成字符串
Shiwei=nNum/0x10;
Gewei=nNum%0x10;
Shiwei+=0x30;
if(Shiwei>=0x3a) Shiwei+=7;
Gewei+=0x30;
if(Gewei>=0x3a) Gewei+=7;
szSerial[i*2]=Shiwei;
szSerial[i*2+1]=Gewei;
/////////////////////////////////
}
SetDlgItemText(IDC_Serial,szSerial);
}

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持