【Title】: A simple analysis of keyme_b0ne
【Author】: 坚持到底
【Software】: keyme_b0ne
【Download】: crackmes.de
【Platform】: xp2
【Author's note】: Written purely out of interest, for no other purpose. Corrections to any mistakes are welcome!
--------------------------------------------------------------------------------
【Detailed process】
readme:
hey folks
wanna have some fun finding a key ?
check out this keyme ;)
difficulty: it's not that hard. you just need a bit patience.
there's more than one key but you probably will recognize the right one
after testing the routine a little bit.
have fun
april 29th 2007
B0ne (PM at crackmes.de)
special greetz to all Abiturensoehne of 2007 and everyone on crackmes.de
004013FB E8 407B0000 call keyme.00408F40
00401400 83C4 10 add esp,10
00401403 83F8 10 cmp eax,10
00401406 0F85 EE010000 jnz keyme.004015FA
0040140C 83EC 08 sub esp,8
0040140F 6A 00 push 0 ; // constant (char index)
00401411 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00401414 50 push eax
00401415 E8 92640100 call keyme.004178AC
0040141A 83C4 10 add esp,10
0040141D 8038 40 cmp byte ptr ds:[eax],40 ; //
00401420 0F8E D4010000 jle keyme.004015FA ; //
00401426 83EC 08 sub esp,8 ; //
00401429 6A 00 push 0 ; // constant (char index)
0040142B 8D45 E8 lea eax,dword ptr ss:[ebp-18] ; // first char of the KEY must be an uppercase letter (0x40 < c <= 0x5A)
0040142E 50 push eax ; //
0040142F E8 78640100 call keyme.004178AC ; //
00401434 83C4 10 add esp,10 ; //
00401437 8038 5A cmp byte ptr ds:[eax],5A ; //
0040143A 0F8F BA010000 jg keyme.004015FA
00401440 83EC 08 sub esp,8
00401443 6A 0B push 0B ; // constant (char index)
00401445 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00401448 50 push eax
00401449 E8 5E640100 call keyme.004178AC
0040144E 83C4 10 add esp,10
00401451 8038 20 cmp byte ptr ds:[eax],20 ; // 12th char must be a space
00401454 0F85 A0010000 jnz keyme.004015FA
0040145A 83EC 08 sub esp,8
0040145D 6A 08 push 8 ; // constant (char index)
0040145F 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00401462 50 push eax
00401463 E8 44640100 call keyme.004178AC
00401468 83C4 10 add esp,10
0040146B 8038 2E cmp byte ptr ds:[eax],2E ; // 9th char must be "."
0040146E 0F85 86010000 jnz keyme.004015FA
00401474 C745 DC 00000000 mov dword ptr ss:[ebp-24],0
0040147B C745 D0 00000000 mov dword ptr ss:[ebp-30],0
00401482 837D D0 0A cmp dword ptr ss:[ebp-30],0A
00401486 7E 02 jle short keyme.0040148A
00401488 EB 21 jmp short keyme.004014AB
0040148A 83EC 08 sub esp,8
0040148D FF75 D0 push dword ptr ss:[ebp-30]
00401490 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00401493 50 push eax
00401494 E8 13640100 call keyme.004178AC
00401499 83C4 10 add esp,10
0040149C 0FBE10 movsx edx,byte ptr ds:[eax]
0040149F 8D45 DC lea eax,dword ptr ss:[ebp-24]
004014A2 0110 add dword ptr ds:[eax],edx ; // running sum of the first 11 chars of the KEY
004014A4 8D45 D0 lea eax,dword ptr ss:[ebp-30]
004014A7 FF00 inc dword ptr ds:[eax]
004014A9 ^ EB D7 jmp short keyme.00401482
004014AB C745 D8 00000000 mov dword ptr ss:[ebp-28],0
004014B2 C745 D0 0C000000 mov dword ptr ss:[ebp-30],0C
004014B9 837D D0 0F cmp dword ptr ss:[ebp-30],0F
004014BD 7E 02 jle short keyme.004014C1
004014BF EB 21 jmp short keyme.004014E2
004014C1 83EC 08 sub esp,8
004014C4 FF75 D0 push dword ptr ss:[ebp-30]
004014C7 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004014CA 50 push eax
004014CB E8 DC630100 call keyme.004178AC
004014D0 83C4 10 add esp,10
004014D3 0FBE10 movsx edx,byte ptr ds:[eax]
004014D6 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004014D9 0110 add dword ptr ds:[eax],edx ; // running sum of the last 4 chars
004014DB 8D45 D0 lea eax,dword ptr ss:[ebp-30]
004014DE FF00 inc dword ptr ds:[eax]
004014E0 ^ EB D7 jmp short keyme.004014B9
004014E2 817D D8 D1010000 cmp dword ptr ss:[ebp-28],1D1 ; // sum of the last 4 chars must equal 0x1D1
004014E9 0F85 0B010000 jnz keyme.004015FA
004014EF 817D DC F3030000 cmp dword ptr ss:[ebp-24],3F3 ; // sum of the first 11 chars must equal 0x3F3
004014F6 0F85 FE000000 jnz keyme.004015FA
004014FC 8B55 D8 mov edx,dword ptr ss:[ebp-28]
004014FF 8B45 DC mov eax,dword ptr ss:[ebp-24]
00401502 29D0 sub eax,edx ; // first-11 sum -= last-4 sum
00401504 8945 D4 mov dword ptr ss:[ebp-2C],eax
00401507 C745 DC 72000000 mov dword ptr ss:[ebp-24],72
0040150E 83EC 08 sub esp,8
00401511 6A 0F push 0F ; // constant (char index)
00401513 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00401516 50 push eax
00401517 E8 90630100 call keyme.004178AC
0040151C 83C4 10 add esp,10
0040151F 8945 C8 mov dword ptr ss:[ebp-38],eax
00401522 83EC 08 sub esp,8
00401525 6A 0E push 0E ; // constant (char index)
00401527 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0040152A 50 push eax
0040152B E8 7C630100 call keyme.004178AC
00401530 83C4 10 add esp,10
00401533 89C2 mov edx,eax
00401535 8B4D C8 mov ecx,dword ptr ss:[ebp-38]
00401538 8A01 mov al,byte ptr ds:[ecx]
0040153A 3A02 cmp al,byte ptr ds:[edx] ; // the last two chars of the KEY must be equal
0040153C 0F85 B8000000 jnz keyme.004015FA
00401542 83EC 08 sub esp,8
00401545 6A 0D push 0D ; // constant (char index)
00401547 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0040154A 50 push eax
0040154B E8 5C630100 call keyme.004178AC
00401550 83C4 10 add esp,10
00401553 8038 6F cmp byte ptr ds:[eax],6F ; // 14th char of the KEY must be "o"
00401556 0F85 9E000000 jnz keyme.004015FA
0040155C 83EC 08 sub esp,8
0040155F 6A 0C push 0C
00401561 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00401564 50 push eax
00401565 E8 42630100 call keyme.004178AC
0040156A 83C4 10 add esp,10
0040156D 0FBE00 movsx eax,byte ptr ds:[eax]
00401570 3B45 DC cmp eax,dword ptr ss:[ebp-24] ; // 13th char of the KEY must be "r" (0x72, stored at ebp-24 above)
00401573 0F85 81000000 jnz keyme.004015FA
00401579 817D D4 22020000 cmp dword ptr ss:[ebp-2C],222 ; // (first-11 sum - last-4 sum) must equal 0x222
00401580 75 78 jnz short keyme.004015FA
00401582 83EC 08 sub esp,8
00401585 6A 02 push 2
00401587 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0040158A 50 push eax
0040158B E8 1C630100 call keyme.004178AC
00401590 83C4 10 add esp,10
00401593 8038 39 cmp byte ptr ds:[eax],39 ; // 3rd char of the KEY must be <= "9"
00401596 7F 62 jg short keyme.004015FA
00401598 83EC 08 sub esp,8
0040159B 6A 02 push 2
0040159D 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004015A0 50 push eax
004015A1 E8 06630100 call keyme.004178AC
004015A6 83C4 10 add esp,10
004015A9 8038 2F cmp byte ptr ds:[eax],2F ; // 3rd char of the KEY must be > 0x2F (together with the check above: a digit)
004015AC 7E 4C jle short keyme.004015FA
004015AE 83EC 08 sub esp,8
004015B1 6A 01 push 1
004015B3 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004015B6 50 push eax
004015B7 E8 F0620100 call keyme.004178AC
004015BC 83C4 10 add esp,10
004015BF 8945 C4 mov dword ptr ss:[ebp-3C],eax
004015C2 83EC 08 sub esp,8
004015C5 6A 0C push 0C
004015C7 8D45 E8 lea eax,dword ptr ss:[ebp-18]
004015CA 50 push eax
004015CB E8 DC620100 call keyme.004178AC
004015D0 83C4 10 add esp,10
004015D3 89C2 mov edx,eax
004015D5 8B4D C4 mov ecx,dword ptr ss:[ebp-3C]
004015D8 8A01 mov al,byte ptr ds:[ecx]
004015DA 3A02 cmp al,byte ptr ds:[edx] ; // 2nd and 13th chars of the KEY must be equal
004015DC 75 1C jnz short keyme.004015FA
004015DE 83EC 08 sub esp,8
004015E1 68 00134000 push keyme.00401300 ; ASCII "Well done, your key works. Congrats Lad
"
004015E6 68 50634300 push keyme.00436350
004015EB E8 5C210200 call keyme.0042374C
004015F0 83C4 10 add esp,10
004015F3 C745 E4 01000000 mov dword ptr ss:[ebp-1C],1
004015FA 837D E4 00 cmp dword ptr ss:[ebp-1C],0
004015FE 75 15 jnz short keyme.00401615
00401600 83EC 08 sub esp,8
00401603 68 29134000 push keyme.00401329 ; ASCII 09,"wrong ser"
00401608 68 50634300 push keyme.00436350
0040160D E8 3A210200 call keyme.0042374C
00401612 83C4 10 add esp,10
00401615 83EC 08 sub esp,8
00401618 6A 00 push 0
0040161A 8D45 E8 lea eax,dword ptr ss:[ebp-18]
0040161D 50 push eax
0040161E E8 89620100 call keyme.004178AC
00401623 83C4 10 add esp,10
00401626 8038 00 cmp byte ptr ds:[eax],0
00401629 74 0B je short keyme.00401636
0040162B 837D E4 00 cmp dword ptr ss:[ebp-1C],0
0040162F 75 05 jnz short keyme.00401636
00401631 ^ E9 8EFDFFFF jmp keyme.004013C4
00401636 83EC 08 sub esp,8
00401639 68 40134000 push keyme.00401340 ; ASCII "
B0ne, April 29th 2007 19:50
for
crackmes.de
"
0040163E 68 50634300 push keyme.00436350
00401643 E8 04210200 call keyme.0042374C
00401648 83C4 10 add esp,10
0040164B 83EC 0C sub esp,0C
0040164E 68 74134000 push keyme.00401374 ; ASCII "PAUSE"
00401653 E8 184D0000 call <jmp.&msvcrt.system>
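To make the constraints in the listing easier to read as a whole, here is the check routine at 004013FB..004015DC rewritten in C. This is an added example, not code from the post or from the keyme itself: check_key, sum_range and the sample keys are my own, and the passing key is constructed by hand from the constraints above.

```c
#include <stdio.h>
#include <string.h>

/* Sum key[from..to] as sign-extended bytes, as the two movsx loops do. */
static int sum_range(const char *key, int from, int to)
{
    int s = 0;
    for (int i = from; i <= to; i++)
        s += (signed char)key[i];
    return s;
}

/* The check at 004013FB..004015DC; indices here are 0-based while the
 * listing's comments count from 1. Returns 1 for "Well done", else 0. */
int check_key(const char *key)
{
    if (strlen(key) != 0x10)                 return 0; /* 16 chars */
    if (key[0] <= 0x40 || key[0] > 0x5A)     return 0; /* 'A'..'Z' */
    if (key[11] != 0x20)                     return 0; /* space */
    if (key[8] != 0x2E)                      return 0; /* '.' */
    int first = sum_range(key, 0, 10);                 /* ebp-24 */
    int last  = sum_range(key, 12, 15);                /* ebp-28 */
    if (last != 0x1D1 || first != 0x3F3)     return 0;
    int diff = first - last;                           /* ebp-2C */
    if (key[15] != key[14])                  return 0; /* last two equal */
    if (key[13] != 0x6F)                     return 0; /* 'o' */
    if (key[12] != 0x72)                     return 0; /* 'r' (ebp-24 = 72) */
    if (diff != 0x222)                       return 0;
    if (key[2] > 0x39 || key[2] <= 0x2F)     return 0; /* a digit */
    if (key[1] != key[12])                   return 0; /* 2nd == 13th */
    return 1;
}

int main(void)
{
    /* Constructed sample keys (hypothetical, not from the post). */
    const char *keys[] = {
        "Ar9hhhhh.hi roxx",  /* first 11 sum to 0x3F3, "roxx" to 0x1D1 */
        "Ar000000.00 roxx",  /* the keygen's template: sums are wrong */
        "Ar9hhhhh.hi roxy",  /* last two chars differ */
    };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("%s -> %s\n", keys[i], check_key(keys[i]) ? "ok" : "wrong");
    return 0;
}
```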
--------------------------------------------------------------------------------
【Summary】
Since the last two chars of the KEY are equal, the last 4 chars sum to 0x1D1, the 13th char is "r" and the 14th is "o", the last two chars work out to "x": (0x1D1 - 'r' - 'o') / 2 = 0x78 = 'x'.
Apart from the positions already fixed, the remaining ones can only be brute-forced.
Keygen code (the code is rather messy):
#include <stdio.h>

int main(void)
{
    /* Fixed positions: 'A' (uppercase), 'r' (must equal the 13th char),
       '.' at index 8, ' ' at index 11, then "roxx" (sums to 0x1D1). */
    char key[] = "Ar000000.00 roxx";
    /* Brute-force the remaining 8 positions: index 2 is a digit, the
       others are tried over 'z'..'b'. */
    for (key[2] = 0x39; key[2] >= 0x30; key[2]--)
    for (key[3] = 0x7A; key[3] >= 0x62; key[3]--)
    for (key[4] = 0x7A; key[4] >= 0x62; key[4]--)
    for (key[5] = 0x7A; key[5] >= 0x62; key[5]--)
    for (key[6] = 0x7A; key[6] >= 0x62; key[6]--)
    for (key[7] = 0x7A; key[7] >= 0x62; key[7]--)
    for (key[9] = 0x7A; key[9] >= 0x62; key[9]--)
    for (key[10] = 0x7A; key[10] >= 0x62; key[10]--)
        if ((key[2] + key[3] + key[4] + key[5] + key[6] + key[7] + key[9] + key[10]) == 0x312)
        {
            puts(key); /* 0x312 = 0x3F3 - ('A' + 'r' + '.') */
        }
    printf("\nend");
    getchar();
    return 0;
}
Tested several of the generated keys and they pass.
--------------------------------------------------------------------------------
【Copyright】: This article is original to the PEDIY (看雪) forum. When reposting, please credit the author and keep the article intact. Thanks!
10 May 2007 13:43:32