[分享]very simple Windows crackme(分析)
2007-4-21 11:31 5763
【文章标题】: very simple Windows crackme(分析)
【文章作者】: 坚持到底
【软件名称】: KeyGenMe_#1_cLoNeTrOnE.exe
【下载地址】: http://www.crackmes.de/
【操作平台】: winxp_sp2
【软件介绍】: flyodbg,peid
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
简单大侠飘过..............
; ---------------------------------------------------------------------------
; Excerpt of the dialog handler, 004010B8..00401187 (OllyDbg dump, Intel
; syntax, 32-bit Win32, stdcall user32 calls). The dump begins after the
; prologue and stops before the MessageBoxA call, so the prologue, the
; success path at 00401196 and the common exit at 004011BE are not shown.
; [ebp+8] is passed as the first argument of every GetDlgItemTextA /
; SetDlgItemTextA call below, so it is presumably the dialog HWND - confirm
; against the caller.
; Globals referenced (addresses as printed in the dump):
;   403254  name buffer    (control 3, GetDlgItemTextA cchMax = 0x50)
;   4032A4  serial buffer  (control 6, GetDlgItemTextA cchMax = 0x14)
;   4032B8  name length    (GetDlgItemTextA return value)
;   4032BC  serial length  (GetDlgItemTextA return value, not read here)
;   4032CB  success flag   (set to 1 by the routine at 00401262, tested at 00401174)
;   4032C9  16-bit counter/flag decremented on entry and set to 0FFFF by the
;           check routine on success; its meaning is not visible in this dump
; ---------------------------------------------------------------------------
004010B8 66:FF0D C9324000 dec word ptr ds:[4032C9] ; 16-bit counter/flag; purpose not shown here
004010BF 6A 50 push 50 ; cchMax = 0x50: GetDlgItemTextA stores at most 0x4F chars + NUL, so this copy is bounded
004010C1 68 54324000 push KeyGenMe.00403254 ; lpString = name buffer
004010C6 6A 03 push 3 ; nIDDlgItem = 3 (name edit control)
004010C8 FF75 08 push dword ptr ss:[ebp+8] ; hDlg
004010CB E8 00030000 call <jmp.&user32.GetDlgItemTextA>
004010D0 A3 B8324000 mov dword ptr ds:[4032B8],eax ; name length = number of chars copied
004010D5 6A 14 push 14 ; cchMax = 0x14: at most 0x13 serial chars + NUL
004010D7 68 A4324000 push KeyGenMe.004032A4 ; lpString = serial buffer
004010DC 6A 06 push 6 ; nIDDlgItem = 6 (serial edit control)
004010DE FF75 08 push dword ptr ss:[ebp+8] ; hDlg
004010E1 E8 EA020000 call <jmp.&user32.GetDlgItemTextA>
004010E6 A3 BC324000 mov dword ptr ds:[4032BC],eax ; serial length; not consulted in this dump (the check routine reads fixed offsets)
004010EB FF75 08 push dword ptr ss:[ebp+8]
004010EE E8 EF020000 call <jmp.&user32.UpdateWindow>
004010F3 FF35 B8324000 push dword ptr ds:[4032B8] ; arg 2: name length
004010F9 68 54324000 push KeyGenMe.00403254 ; arg 1: name buffer
004010FE E8 76020000 call KeyGenMe.00401379 ; "key CALL" (author); its body is not in this dump, whatever it leaves in eax is tested at 00401157
00401103 833D B8324000 00 cmp dword ptr ds:[4032B8],0 ; "key jump" (author): is the name empty?
0040110A 75 14 jnz short KeyGenMe.00401120
0040110C 68 BB314000 push KeyGenMe.004031BB ; ASCII "There is nothing here to be processed."
00401111 6A 03 push 3 ; the message is written back into control 3
00401113 FF75 08 push dword ptr ss:[ebp+8]
00401116 E8 C1020000 call <jmp.&user32.SetDlgItemTextA>
0040111B E9 9E000000 jmp KeyGenMe.004011BE ; common exit (not shown)
00401120 833D B8324000 04 cmp dword ptr ds:[4032B8],4
00401127 73 14 jnb short KeyGenMe.0040113D ; unsigned compare: length >= 4 continues
00401129 68 0B324000 push KeyGenMe.0040320B ; ASCII "Name was too short. Put more than 3 chars"
0040112E 6A 03 push 3
00401130 FF75 08 push dword ptr ss:[ebp+8]
00401133 E8 A4020000 call <jmp.&user32.SetDlgItemTextA>
00401138 E9 81000000 jmp KeyGenMe.004011BE
0040113D 833D B8324000 3C cmp dword ptr ds:[4032B8],3C
00401144 76 11 jbe short KeyGenMe.00401157 ; length <= 0x3C (60) continues; the copy was already capped at cchMax 0x50, so this is an application limit on top of it (presumably sized for the buffers the check routine uses - verify)
00401146 68 E2314000 push KeyGenMe.004031E2 ; ASCII "Name was too long, buffer will overflow."
0040114B 6A 03 push 3
0040114D FF75 08 push dword ptr ss:[ebp+8]
00401150 E8 87020000 call <jmp.&user32.SetDlgItemTextA>
00401155 EB 67 jmp short KeyGenMe.004011BE
00401157 0BC0 or eax,eax ; eax is still what call 00401379 left: nothing on the fall-through path since 00401103 writes eax; zero -> name rejected
00401159 75 11 jnz short KeyGenMe.0040116C
0040115B 68 00304000 push KeyGenMe.00403000 ; ASCII "The Name contains invalid ASCII char [>127]." ; so 00401379 presumably returns 0 when a byte > 127 is present - confirm in its body
00401160 6A 03 push 3
00401162 FF75 08 push dword ptr ss:[ebp+8]
00401165 E8 72020000 call <jmp.&user32.SetDlgItemTextA>
0040116A EB 52 jmp short KeyGenMe.004011BE
0040116C FF75 08 push dword ptr ss:[ebp+8] ; hDlg: the only argument of the check routine
0040116F E8 EE000000 call KeyGenMe.00401262 ; serial check; it restores every register with popad and reports success only through byte [4032CB]
00401174 803D CB324000 00 cmp byte ptr ds:[4032CB],0 ; success flag; nothing in this dump ever resets it to 0
0040117B 75 19 jnz short KeyGenMe.00401196 ; flag set -> success path (not shown)
0040117D 68 10100000 push 1010 ; uType = MB_ICONHAND (0x10) | MB_SYSTEMMODAL (0x1000)
00401182 68 C6304000 push KeyGenMe.004030C6 ; ASCII "Invalid Serial - Serial Rejected" ; lpCaption
00401187 68 7C304000 push KeyGenMe.0040307C ; ASCII "Wrong Serial. The Serial Is Case-Sensitive. Try Again. Never Give Up !!!." ; lpText; the hWnd push and the MessageBoxA call follow outside this dump
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
//跟进关键CALL
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
; ---------------------------------------------------------------------------
; Serial check routine at 00401262 (OllyDbg dump, Intel syntax, 32-bit).
; Called with the dialog handle on the stack ([ebp+8]). It returns nothing
; in registers - pushad/popad restore them all - and signals success only
; by writing 1 to byte [4032CB] and 0FFFF to word [4032C9]. Every failed
; compare jumps to the common exit at 00401374.
; Expected serial layout, derived from the offsets compared below (0-based):
;   [0],[1]   table[name[0] mod 16], table[name[1] mod 16]
;             (16-byte table at 403235; the author gives it as "1AG4T3CX8ZF7R95Q")
;   [2]       '-'
;   [3..10]   sum of all name bytes, formatted with "%.8X"
;   [11]      '-'
;   [12],[13] table[name[len-2] mod 16], table[name[len-1] mod 16]
; The dump ends at `leave`; the trailing `ret` is not shown.
; ---------------------------------------------------------------------------
00401262 55 push ebp
00401263 8BEC mov ebp,esp
00401265 60 pushad ; save all GPRs; popad at 00401374 restores them (ebx is clobbered below)
00401266 33C0 xor eax,eax ; ah = 0 before the 8-bit divide: the quotient then fits in al, so no divide fault
00401268 33D2 xor edx,edx ; edx = 0; only dl is written afterwards, so the table index stays a clean 0..15
0040126A B9 10000000 mov ecx,10 ; cl = 0x10, divisor
0040126F A0 54324000 mov al,byte ptr ds:[403254] ; al = name[0]
00401274 F6F1 div cl ; ax / 0x10: ah = name[0] mod 16 (0..15), al = quotient (unused)
00401276 8AD4 mov dl,ah ; edx = remainder
00401278 8A82 35324000 mov al,byte ptr ds:[edx+403235] ; al = table[remainder]; index < 16, so the 16-byte table is never over-read
0040127E 8A15 A4324000 mov dl,byte ptr ds:[4032A4] ; dl = serial[0]
00401284 38D0 cmp al,dl
00401286 0F85 E8000000 jnz KeyGenMe.00401374 ; mismatch -> fail (flag at 4032CB left untouched)
0040128C 33C0 xor eax,eax ; clear ah again before the next divide
0040128E A0 55324000 mov al,byte ptr ds:[403255] ; al = name[1]
00401293 F6F1 div cl ; ah = name[1] mod 16
00401295 8AD4 mov dl,ah
00401297 8A82 35324000 mov al,byte ptr ds:[edx+403235] ; al = table[name[1] mod 16]
0040129D 8A15 A5324000 mov dl,byte ptr ds:[4032A5] ; dl = serial[1]
004012A3 38D0 cmp al,dl
004012A5 0F85 C9000000 jnz KeyGenMe.00401374 ; mismatch -> fail
004012AB A0 A6324000 mov al,byte ptr ds:[4032A6] ; al = serial[2]
004012B0 2C 2D sub al,2D ; serial[2] must be '-' (0x2D)
004012B2 0F85 BC000000 jnz KeyGenMe.00401374
004012B8 33D2 xor edx,edx ; edx = index into the name
004012BA 33C0 xor eax,eax ; eax = running sum of name bytes
004012BC 33C9 xor ecx,ecx ; loop head: ecx = 0 so the byte loaded into cl is zero-extended
004012BE 8A8A 54324000 mov cl,byte ptr ds:[edx+403254] ; cl = name[edx]
004012C4 0AC9 or cl,cl ; NUL terminator reached?
004012C6 74 05 je short KeyGenMe.004012CD ; yes -> sum complete
004012C8 03C1 add eax,ecx ; sum += name[edx]
004012CA 42 inc edx
004012CB ^ EB EF jmp short KeyGenMe.004012BC ; no length bound here: the loop stops only at the NUL that GetDlgItemTextA wrote
004012CD 50 push eax ; arg 3: the sum
004012CE 68 46324000 push KeyGenMe.00403246 ; ASCII "%.8X" ; arg 2: format
004012D3 68 C0324000 push KeyGenMe.004032C0 ; ASCII "0000029A" ; arg 1: destination; the annotation is presumably the buffer's content when the dump was taken
004012D8 E8 E1000000 call <jmp.&user32.wsprintfA> ; writes 8 upper-case hex digits + NUL (9 bytes) at 4032C0..4032C8
004012DD 83C4 0C add esp,0C ; wsprintfA is cdecl: caller pops the 3 args
004012E0 33C9 xor ecx,ecx ; ecx = compare index, 0..7
004012E2 EB 11 jmp short KeyGenMe.004012F5 ; enter the loop at its condition
004012E4 8A81 C0324000 mov al,byte ptr ds:[ecx+4032C0] ; al = hex[ecx]
004012EA 8A91 A7324000 mov dl,byte ptr ds:[ecx+4032A7] ; dl = serial[3+ecx]
004012F0 38D0 cmp al,dl
004012F2 75 06 jnz short KeyGenMe.004012FA ; first mismatch leaves the loop with ecx < 8
004012F4 41 inc ecx
004012F5 83F9 08 cmp ecx,8
004012F8 ^ 75 EA jnz short KeyGenMe.004012E4 ; next char while ecx < 8
004012FA 83F9 08 cmp ecx,8
004012FD 75 75 jnz short KeyGenMe.00401374 ; fewer than 8 matching chars -> fail
004012FF 33C0 xor eax,eax
00401301 A0 AF324000 mov al,byte ptr ds:[4032AF] ; al = serial[11] (4032A4 + 0x0B; the author's summary counts this as the 13th position, it is the 12th 1-based)
00401306 2C 2D sub al,2D ; must be '-' (0x2D)
00401308 75 6A jnz short KeyGenMe.00401374
0040130A 33C0 xor eax,eax ; ah = 0 before the divide
0040130C B9 10000000 mov ecx,10 ; cl = 0x10 again (ecx was the compare counter)
00401311 8B1D B8324000 mov ebx,dword ptr ds:[4032B8] ; ebx = name length stored by the caller
00401317 8A83 52324000 mov al,byte ptr ds:[ebx+403252] ; al = name[len-2] (403254 + len - 2)
0040131D F6F1 div cl ; ah = name[len-2] mod 16
0040131F 8AD4 mov dl,ah ; edx's upper bytes are still the name byte count left by the sum loop (dl was overwritten since); with the caller's 0x3C limit that is < 0x100, so edx = remainder
00401321 8A82 35324000 mov al,byte ptr ds:[edx+403235] ; al = table[name[len-2] mod 16]
00401327 8A15 B0324000 mov dl,byte ptr ds:[4032B0] ; dl = serial[12]
0040132D 38D0 cmp al,dl
0040132F 75 43 jnz short KeyGenMe.00401374
00401331 33C0 xor eax,eax
00401333 8A83 53324000 mov al,byte ptr ds:[ebx+403253] ; al = name[len-1], the last name char
00401339 F6F1 div cl ; ah = name[len-1] mod 16
0040133B 8AD4 mov dl,ah
0040133D 8A82 35324000 mov al,byte ptr ds:[edx+403235] ; al = table[name[len-1] mod 16]
00401343 8A15 B1324000 mov dl,byte ptr ds:[4032B1] ; dl = serial[13]
00401349 38D0 cmp al,dl
0040134B 75 27 jnz short KeyGenMe.00401374
0040134D 68 30100000 push 1030 ; uType = MB_ICONEXCLAMATION (0x30) | MB_SYSTEMMODAL (0x1000)
00401352 68 59304000 push KeyGenMe.00403059 ; ASCII "WoW, Very Good Job." ; lpCaption
00401357 68 2D304000 push KeyGenMe.0040302D ; ASCII "Well Done Cracker !!!. Now, Code a KeyGen.?" ; lpText
0040135C FF75 08 push dword ptr ss:[ebp+8] ; hWnd = the dialog handle passed by the caller
0040135F E8 72000000 call <jmp.&user32.MessageBoxA> ; every check passed
00401364 66:C705 C9324000 FFF>mov word ptr ds:[4032C9],0FFFF ; the 16-bit flag/counter the caller decrements at 004010B8
0040136D C605 CB324000 01 mov byte ptr ds:[4032CB],1 ; success flag read by the caller at 00401174
00401374 61 popad ; common exit for every failed compare; restores all GPRs
00401375 C9 leave ; mov esp,ebp / pop ebp; the ret is not shown in this dump
--------------------------------------------------------------------------------
【经验总结】
总结:
用户名第1个字符%0x10为索引取固定字符串"1AG4T3CX8ZF7R95Q"中的字符 为注册码第1位
用户名第2个字符%0x10为索引取固定字符串"1AG4T3CX8ZF7R95Q"中的字符 为注册码第2位
注册码第3位为"-"
用户名各字符ASCII码累加和格式化为8位十六进制("%.8X")
注册码第13位为"-"
用户名倒数第2个字符%0x10为索引取固定字符串"1AG4T3CX8ZF7R95Q"中的字符 为注册码倒数第2位
用户名倒数第1个字符%0x10为索引取固定字符串"1AG4T3CX8ZF7R95Q"中的字符 为注册码倒数第1位
keygen见附件:
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年04月21日 11:24:08
【文章作者】: 坚持到底
【软件名称】: KeyGenMe_#1_cLoNeTrOnE.exe
【下载地址】: http://www.crackmes.de/
【操作平台】: winxp_sp2
【软件介绍】: flyodbg,peid
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
简单大侠飘过..............
; ---------------------------------------------------------------------------
; Excerpt of the dialog handler, 004010B8..00401187 (OllyDbg dump, Intel
; syntax, 32-bit Win32, stdcall user32 calls). The dump begins after the
; prologue and stops before the MessageBoxA call, so the prologue, the
; success path at 00401196 and the common exit at 004011BE are not shown.
; [ebp+8] is passed as the first argument of every GetDlgItemTextA /
; SetDlgItemTextA call below, so it is presumably the dialog HWND - confirm
; against the caller.
; Globals referenced (addresses as printed in the dump):
;   403254  name buffer    (control 3, GetDlgItemTextA cchMax = 0x50)
;   4032A4  serial buffer  (control 6, GetDlgItemTextA cchMax = 0x14)
;   4032B8  name length    (GetDlgItemTextA return value)
;   4032BC  serial length  (GetDlgItemTextA return value, not read here)
;   4032CB  success flag   (set to 1 by the routine at 00401262, tested at 00401174)
;   4032C9  16-bit counter/flag decremented on entry and set to 0FFFF by the
;           check routine on success; its meaning is not visible in this dump
; ---------------------------------------------------------------------------
004010B8 66:FF0D C9324000 dec word ptr ds:[4032C9] ; 16-bit counter/flag; purpose not shown here
004010BF 6A 50 push 50 ; cchMax = 0x50: GetDlgItemTextA stores at most 0x4F chars + NUL, so this copy is bounded
004010C1 68 54324000 push KeyGenMe.00403254 ; lpString = name buffer
004010C6 6A 03 push 3 ; nIDDlgItem = 3 (name edit control)
004010C8 FF75 08 push dword ptr ss:[ebp+8] ; hDlg
004010CB E8 00030000 call <jmp.&user32.GetDlgItemTextA>
004010D0 A3 B8324000 mov dword ptr ds:[4032B8],eax ; name length = number of chars copied
004010D5 6A 14 push 14 ; cchMax = 0x14: at most 0x13 serial chars + NUL
004010D7 68 A4324000 push KeyGenMe.004032A4 ; lpString = serial buffer
004010DC 6A 06 push 6 ; nIDDlgItem = 6 (serial edit control)
004010DE FF75 08 push dword ptr ss:[ebp+8] ; hDlg
004010E1 E8 EA020000 call <jmp.&user32.GetDlgItemTextA>
004010E6 A3 BC324000 mov dword ptr ds:[4032BC],eax ; serial length; not consulted in this dump (the check routine reads fixed offsets)
004010EB FF75 08 push dword ptr ss:[ebp+8]
004010EE E8 EF020000 call <jmp.&user32.UpdateWindow>
004010F3 FF35 B8324000 push dword ptr ds:[4032B8] ; arg 2: name length
004010F9 68 54324000 push KeyGenMe.00403254 ; arg 1: name buffer
004010FE E8 76020000 call KeyGenMe.00401379 ; "key CALL" (author); its body is not in this dump, whatever it leaves in eax is tested at 00401157
00401103 833D B8324000 00 cmp dword ptr ds:[4032B8],0 ; "key jump" (author): is the name empty?
0040110A 75 14 jnz short KeyGenMe.00401120
0040110C 68 BB314000 push KeyGenMe.004031BB ; ASCII "There is nothing here to be processed."
00401111 6A 03 push 3 ; the message is written back into control 3
00401113 FF75 08 push dword ptr ss:[ebp+8]
00401116 E8 C1020000 call <jmp.&user32.SetDlgItemTextA>
0040111B E9 9E000000 jmp KeyGenMe.004011BE ; common exit (not shown)
00401120 833D B8324000 04 cmp dword ptr ds:[4032B8],4
00401127 73 14 jnb short KeyGenMe.0040113D ; unsigned compare: length >= 4 continues
00401129 68 0B324000 push KeyGenMe.0040320B ; ASCII "Name was too short. Put more than 3 chars"
0040112E 6A 03 push 3
00401130 FF75 08 push dword ptr ss:[ebp+8]
00401133 E8 A4020000 call <jmp.&user32.SetDlgItemTextA>
00401138 E9 81000000 jmp KeyGenMe.004011BE
0040113D 833D B8324000 3C cmp dword ptr ds:[4032B8],3C
00401144 76 11 jbe short KeyGenMe.00401157 ; length <= 0x3C (60) continues; the copy was already capped at cchMax 0x50, so this is an application limit on top of it (presumably sized for the buffers the check routine uses - verify)
00401146 68 E2314000 push KeyGenMe.004031E2 ; ASCII "Name was too long, buffer will overflow."
0040114B 6A 03 push 3
0040114D FF75 08 push dword ptr ss:[ebp+8]
00401150 E8 87020000 call <jmp.&user32.SetDlgItemTextA>
00401155 EB 67 jmp short KeyGenMe.004011BE
00401157 0BC0 or eax,eax ; eax is still what call 00401379 left: nothing on the fall-through path since 00401103 writes eax; zero -> name rejected
00401159 75 11 jnz short KeyGenMe.0040116C
0040115B 68 00304000 push KeyGenMe.00403000 ; ASCII "The Name contains invalid ASCII char [>127]." ; so 00401379 presumably returns 0 when a byte > 127 is present - confirm in its body
00401160 6A 03 push 3
00401162 FF75 08 push dword ptr ss:[ebp+8]
00401165 E8 72020000 call <jmp.&user32.SetDlgItemTextA>
0040116A EB 52 jmp short KeyGenMe.004011BE
0040116C FF75 08 push dword ptr ss:[ebp+8] ; hDlg: the only argument of the check routine
0040116F E8 EE000000 call KeyGenMe.00401262 ; serial check; it restores every register with popad and reports success only through byte [4032CB]
00401174 803D CB324000 00 cmp byte ptr ds:[4032CB],0 ; success flag; nothing in this dump ever resets it to 0
0040117B 75 19 jnz short KeyGenMe.00401196 ; flag set -> success path (not shown)
0040117D 68 10100000 push 1010 ; uType = MB_ICONHAND (0x10) | MB_SYSTEMMODAL (0x1000)
00401182 68 C6304000 push KeyGenMe.004030C6 ; ASCII "Invalid Serial - Serial Rejected" ; lpCaption
00401187 68 7C304000 push KeyGenMe.0040307C ; ASCII "Wrong Serial. The Serial Is Case-Sensitive. Try Again. Never Give Up !!!." ; lpText; the hWnd push and the MessageBoxA call follow outside this dump
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
//跟进关键CALL
///////////////////////////////////////////////////////////////////////////////////////////////////////////////
; ---------------------------------------------------------------------------
; Serial check routine at 00401262 (OllyDbg dump, Intel syntax, 32-bit).
; Called with the dialog handle on the stack ([ebp+8]). It returns nothing
; in registers - pushad/popad restore them all - and signals success only
; by writing 1 to byte [4032CB] and 0FFFF to word [4032C9]. Every failed
; compare jumps to the common exit at 00401374.
; Expected serial layout, derived from the offsets compared below (0-based):
;   [0],[1]   table[name[0] mod 16], table[name[1] mod 16]
;             (16-byte table at 403235; the author gives it as "1AG4T3CX8ZF7R95Q")
;   [2]       '-'
;   [3..10]   sum of all name bytes, formatted with "%.8X"
;   [11]      '-'
;   [12],[13] table[name[len-2] mod 16], table[name[len-1] mod 16]
; The dump ends at `leave`; the trailing `ret` is not shown.
; ---------------------------------------------------------------------------
00401262 55 push ebp
00401263 8BEC mov ebp,esp
00401265 60 pushad ; save all GPRs; popad at 00401374 restores them (ebx is clobbered below)
00401266 33C0 xor eax,eax ; ah = 0 before the 8-bit divide: the quotient then fits in al, so no divide fault
00401268 33D2 xor edx,edx ; edx = 0; only dl is written afterwards, so the table index stays a clean 0..15
0040126A B9 10000000 mov ecx,10 ; cl = 0x10, divisor
0040126F A0 54324000 mov al,byte ptr ds:[403254] ; al = name[0]
00401274 F6F1 div cl ; ax / 0x10: ah = name[0] mod 16 (0..15), al = quotient (unused)
00401276 8AD4 mov dl,ah ; edx = remainder
00401278 8A82 35324000 mov al,byte ptr ds:[edx+403235] ; al = table[remainder]; index < 16, so the 16-byte table is never over-read
0040127E 8A15 A4324000 mov dl,byte ptr ds:[4032A4] ; dl = serial[0]
00401284 38D0 cmp al,dl
00401286 0F85 E8000000 jnz KeyGenMe.00401374 ; mismatch -> fail (flag at 4032CB left untouched)
0040128C 33C0 xor eax,eax ; clear ah again before the next divide
0040128E A0 55324000 mov al,byte ptr ds:[403255] ; al = name[1]
00401293 F6F1 div cl ; ah = name[1] mod 16
00401295 8AD4 mov dl,ah
00401297 8A82 35324000 mov al,byte ptr ds:[edx+403235] ; al = table[name[1] mod 16]
0040129D 8A15 A5324000 mov dl,byte ptr ds:[4032A5] ; dl = serial[1]
004012A3 38D0 cmp al,dl
004012A5 0F85 C9000000 jnz KeyGenMe.00401374 ; mismatch -> fail
004012AB A0 A6324000 mov al,byte ptr ds:[4032A6] ; al = serial[2]
004012B0 2C 2D sub al,2D ; serial[2] must be '-' (0x2D)
004012B2 0F85 BC000000 jnz KeyGenMe.00401374
004012B8 33D2 xor edx,edx ; edx = index into the name
004012BA 33C0 xor eax,eax ; eax = running sum of name bytes
004012BC 33C9 xor ecx,ecx ; loop head: ecx = 0 so the byte loaded into cl is zero-extended
004012BE 8A8A 54324000 mov cl,byte ptr ds:[edx+403254] ; cl = name[edx]
004012C4 0AC9 or cl,cl ; NUL terminator reached?
004012C6 74 05 je short KeyGenMe.004012CD ; yes -> sum complete
004012C8 03C1 add eax,ecx ; sum += name[edx]
004012CA 42 inc edx
004012CB ^ EB EF jmp short KeyGenMe.004012BC ; no length bound here: the loop stops only at the NUL that GetDlgItemTextA wrote
004012CD 50 push eax ; arg 3: the sum
004012CE 68 46324000 push KeyGenMe.00403246 ; ASCII "%.8X" ; arg 2: format
004012D3 68 C0324000 push KeyGenMe.004032C0 ; ASCII "0000029A" ; arg 1: destination; the annotation is presumably the buffer's content when the dump was taken
004012D8 E8 E1000000 call <jmp.&user32.wsprintfA> ; writes 8 upper-case hex digits + NUL (9 bytes) at 4032C0..4032C8
004012DD 83C4 0C add esp,0C ; wsprintfA is cdecl: caller pops the 3 args
004012E0 33C9 xor ecx,ecx ; ecx = compare index, 0..7
004012E2 EB 11 jmp short KeyGenMe.004012F5 ; enter the loop at its condition
004012E4 8A81 C0324000 mov al,byte ptr ds:[ecx+4032C0] ; al = hex[ecx]
004012EA 8A91 A7324000 mov dl,byte ptr ds:[ecx+4032A7] ; dl = serial[3+ecx]
004012F0 38D0 cmp al,dl
004012F2 75 06 jnz short KeyGenMe.004012FA ; first mismatch leaves the loop with ecx < 8
004012F4 41 inc ecx
004012F5 83F9 08 cmp ecx,8
004012F8 ^ 75 EA jnz short KeyGenMe.004012E4 ; next char while ecx < 8
004012FA 83F9 08 cmp ecx,8
004012FD 75 75 jnz short KeyGenMe.00401374 ; fewer than 8 matching chars -> fail
004012FF 33C0 xor eax,eax
00401301 A0 AF324000 mov al,byte ptr ds:[4032AF] ; al = serial[11] (4032A4 + 0x0B; the author's summary counts this as the 13th position, it is the 12th 1-based)
00401306 2C 2D sub al,2D ; must be '-' (0x2D)
00401308 75 6A jnz short KeyGenMe.00401374
0040130A 33C0 xor eax,eax ; ah = 0 before the divide
0040130C B9 10000000 mov ecx,10 ; cl = 0x10 again (ecx was the compare counter)
00401311 8B1D B8324000 mov ebx,dword ptr ds:[4032B8] ; ebx = name length stored by the caller
00401317 8A83 52324000 mov al,byte ptr ds:[ebx+403252] ; al = name[len-2] (403254 + len - 2)
0040131D F6F1 div cl ; ah = name[len-2] mod 16
0040131F 8AD4 mov dl,ah ; edx's upper bytes are still the name byte count left by the sum loop (dl was overwritten since); with the caller's 0x3C limit that is < 0x100, so edx = remainder
00401321 8A82 35324000 mov al,byte ptr ds:[edx+403235] ; al = table[name[len-2] mod 16]
00401327 8A15 B0324000 mov dl,byte ptr ds:[4032B0] ; dl = serial[12]
0040132D 38D0 cmp al,dl
0040132F 75 43 jnz short KeyGenMe.00401374
00401331 33C0 xor eax,eax
00401333 8A83 53324000 mov al,byte ptr ds:[ebx+403253] ; al = name[len-1], the last name char
00401339 F6F1 div cl ; ah = name[len-1] mod 16
0040133B 8AD4 mov dl,ah
0040133D 8A82 35324000 mov al,byte ptr ds:[edx+403235] ; al = table[name[len-1] mod 16]
00401343 8A15 B1324000 mov dl,byte ptr ds:[4032B1] ; dl = serial[13]
00401349 38D0 cmp al,dl
0040134B 75 27 jnz short KeyGenMe.00401374
0040134D 68 30100000 push 1030 ; uType = MB_ICONEXCLAMATION (0x30) | MB_SYSTEMMODAL (0x1000)
00401352 68 59304000 push KeyGenMe.00403059 ; ASCII "WoW, Very Good Job." ; lpCaption
00401357 68 2D304000 push KeyGenMe.0040302D ; ASCII "Well Done Cracker !!!. Now, Code a KeyGen.?" ; lpText
0040135C FF75 08 push dword ptr ss:[ebp+8] ; hWnd = the dialog handle passed by the caller
0040135F E8 72000000 call <jmp.&user32.MessageBoxA> ; every check passed
00401364 66:C705 C9324000 FFF>mov word ptr ds:[4032C9],0FFFF ; the 16-bit flag/counter the caller decrements at 004010B8
0040136D C605 CB324000 01 mov byte ptr ds:[4032CB],1 ; success flag read by the caller at 00401174
00401374 61 popad ; common exit for every failed compare; restores all GPRs
00401375 C9 leave ; mov esp,ebp / pop ebp; the ret is not shown in this dump
--------------------------------------------------------------------------------
【经验总结】
总结:
用户名第1个字符%0x10为索引取固定字符串"1AG4T3CX8ZF7R95Q"中的字符 为注册码第1位
用户名第2个字符%0x10为索引取固定字符串"1AG4T3CX8ZF7R95Q"中的字符 为注册码第2位
注册码第3位为"-"
用户名各字符ASCII码累加和格式化为8位十六进制("%.8X")
注册码第13位为"-"
用户名倒数第2个字符%0x10为索引取固定字符串"1AG4T3CX8ZF7R95Q"中的字符 为注册码倒数第2位
用户名倒数第1个字符%0x10为索引取固定字符串"1AG4T3CX8ZF7R95Q"中的字符 为注册码倒数第1位
keygen见附件:
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年04月21日 11:24:08