【Title】: A Brief Analysis of the yingyue Crackme2 Algorithm
【Author】: hawking
【Author's email】: rich_hawking@hotmail.com
【Download】: search for it yourself
【Tools used】: OD
【Platform】: 2K
【Author's note】: This was done purely out of interest, with no other purpose. If I have made mistakes, corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Details】
Let's take a look at this Crackme by yingyue.
00401389 50 push eax
0040138A 56 push esi
0040138B 53 push ebx
0040138C E8 539C0000 call 0040AFE4
00401391 83C4 F8 add esp, -8
00401394 68 002F4000 push 00402F00
00401399 83C4 F8 add esp, -8
0040139C 68 10124000 push 00401210 ; ---------------------------------------
004013A1 68 28304100 push 00413028 ; ,0a
004013A6 E8 1D170000 call 00402AC8
004013AB 83C4 10 add esp, 10
004013AE 89C0 mov eax, eax
004013B0 50 push eax
004013B1 E8 46F60000 call 004109FC
004013B6 83C4 10 add esp, 10
004013B9 83C4 F8 add esp, -8
004013BC 68 002F4000 push 00402F00
004013C1 83C4 F8 add esp, -8
004013C4 68 50124000 push 00401250 ; --------------yingyue------------
004013C9 68 28304100 push 00413028 ; ,0a
004013CE E8 F5160000 call 00402AC8
004013D3 83C4 10 add esp, 10
004013D6 89C0 mov eax, eax
004013D8 50 push eax
004013D9 E8 1EF60000 call 004109FC
004013DE 83C4 10 add esp, 10
004013E1 83C4 F8 add esp, -8
004013E4 68 002F4000 push 00402F00
004013E9 83C4 F8 add esp, -8
004013EC 68 90124000 push 00401290 ; --------------vvvvvvaa@tom.com------
004013F1 68 28304100 push 00413028 ; ,0a
004013F6 E8 CD160000 call 00402AC8
004013FB 83C4 10 add esp, 10
004013FE 89C0 mov eax, eax
00401400 50 push eax
00401401 E8 F6F50000 call 004109FC
00401406 83C4 10 add esp, 10
00401409 83C4 F8 add esp, -8
0040140C 68 002F4000 push 00402F00
00401411 83C4 F8 add esp, -8
00401414 68 D0124000 push 004012D0 ; -----------------crackme 2--------------
00401419 68 28304100 push 00413028 ; ,0a
0040141E E8 A5160000 call 00402AC8
00401423 83C4 10 add esp, 10
00401426 89C0 mov eax, eax
00401428 50 push eax
00401429 E8 CEF50000 call 004109FC
0040142E 83C4 10 add esp, 10
00401431 83C4 F8 add esp, -8
00401434 68 002F4000 push 00402F00
00401439 83C4 F8 add esp, -8
0040143C 68 10134000 push 00401310 ; >>>>>>>>>> 不要爆破 <<<<<<<<<<<
00401441 68 28304100 push 00413028 ; ,0a
00401446 E8 7D160000 call 00402AC8
0040144B 83C4 10 add esp, 10
0040144E 89C0 mov eax, eax
00401450 50 push eax
00401451 E8 A6F50000 call 004109FC
00401456 83C4 10 add esp, 10
00401459 83C4 F4 add esp, -0C
0040145C 68 50140000 push 1450
00401461 E8 AAAB0000 call 0040C010
00401466 83C4 10 add esp, 10
00401469 89C0 mov eax, eax
0040146B 8945 CC mov dword ptr [ebp-34], eax
0040146E 83C4 F8 add esp, -8
00401471 68 002F4000 push 00402F00
00401476 83C4 F8 add esp, -8
00401479 68 002F4000 push 00402F00
0040147E 68 28304100 push 00413028 ; ,0a
00401483 E8 74F50000 call 004109FC
00401488 83C4 10 add esp, 10
0040148B 89C0 mov eax, eax
0040148D 50 push eax
0040148E E8 69F50000 call 004109FC
00401493 83C4 10 add esp, 10
00401496 83C4 F8 add esp, -8
00401499 68 51134000 push 00401351 ; >>> 请输入你的大名吧 :
0040149E 68 28304100 push 00413028 ; ,0a
004014A3 E8 20160000 call 00402AC8
004014A8 83C4 10 add esp, 10
004014AB 6A 0A push 0A
004014AD 6A 14 push 14
004014AF 8D45 E0 lea eax, dword ptr [ebp-20]
004014B2 50 push eax
004014B3 68 A8304100 push 004130A8
004014B8 E8 4B1F0000 call 00403408 ; get the username
004014BD 83C4 10 add esp, 10
004014C0 83C4 F4 add esp, -0C
004014C3 8D45 E0 lea eax, dword ptr [ebp-20]
004014C6 50 push eax
004014C7 E8 08E30000 call 0040F7D4 ; jmp to msvcrt.strlen
004014CC 83C4 10 add esp, 10
004014CF 8945 DC mov dword ptr [ebp-24], eax
004014D2 837D DC 02 cmp dword ptr [ebp-24], 2
004014D6 7F 08 jg short 004014E0 ; the username length must be greater than 2, otherwise jump straight to the end
004014D8 31C0 xor eax, eax
004014DA E9 93010000 jmp 00401672
004014DF 90 nop
004014E0 83C4 F8 add esp, -8
004014E3 68 002F4000 push 00402F00
004014E8 83C4 F8 add esp, -8
004014EB 68 002F4000 push 00402F00
004014F0 68 28304100 push 00413028 ; ,0a
004014F5 E8 02F50000 call 004109FC
004014FA 83C4 10 add esp, 10
004014FD 89C0 mov eax, eax
004014FF 50 push eax
00401500 E8 F7F40000 call 004109FC
00401505 83C4 10 add esp, 10
00401508 83C4 F8 add esp, -8
0040150B 68 69134000 push 00401369 ; >>> 请输入你的假码吧 :
00401510 68 28304100 push 00413028 ; ,0a
00401515 E8 AE150000 call 00402AC8
0040151A 83C4 10 add esp, 10
0040151D 83C4 F8 add esp, -8
00401520 8D45 D8 lea eax, dword ptr [ebp-28]
00401523 50 push eax ; the fake code entered by the user is read, converted from its hexadecimal form and stored at this address
00401524 68 A8304100 push 004130A8
00401529 E8 960C0000 call 004021C4 ; get the fake code
0040152E 83C4 10 add esp, 10
00401531 C745 C4 0000000>mov dword ptr [ebp-3C], 0 ; i = 0
00401538 8B55 DC mov edx, dword ptr [ebp-24] ; len
0040153B 89D0 mov eax, edx
0040153D C1E0 02 shl eax, 2
00401540 01D0 add eax, edx
00401542 8D0C85 00000000 lea ecx, dword ptr [eax*4]
00401549 01C8 add eax, ecx
0040154B C1E0 02 shl eax, 2
0040154E 01D0 add eax, edx ; arithmetic on the username length len; the result is 0x65*len
00401550 3945 C4 cmp dword ptr [ebp-3C], eax ; continue while i < 0x65*len, otherwise leave the loop
00401553 7C 0B jl short 00401560
00401555 E9 89000000 jmp 004015E3
0040155A 8DB6 00000000 lea esi, dword ptr [esi]
00401560 8B45 C4 mov eax, dword ptr [ebp-3C] ; i
00401563 8945 C8 mov dword ptr [ebp-38], eax
00401566 8B45 C8 mov eax, dword ptr [ebp-38]
00401569 8945 C0 mov dword ptr [ebp-40], eax
0040156C 8B45 C8 mov eax, dword ptr [ebp-38]
0040156F 89C2 mov edx, eax
00401571 8D0412 lea eax, dword ptr [edx+edx] ; 2i
00401574 8945 C8 mov dword ptr [ebp-38], eax
00401577 8B45 C4 mov eax, dword ptr [ebp-3C]
0040157A 83C0 FD add eax, -3 ; i-3
0040157D 8945 C8 mov dword ptr [ebp-38], eax
00401580 83C4 F4 add esp, -0C
00401583 8B45 C0 mov eax, dword ptr [ebp-40] ; i
00401586 50 push eax
00401587 E8 F0000000 call 0040167C ; F7 to step into
0040158C 83C4 10 add esp, 10
0040158F 89C0 mov eax, eax
00401591 8945 C8 mov dword ptr [ebp-38], eax ; return value k of the call above; this return value is the only useful thing in the loop, the rest of the dazzling code does nothing
00401594 8B45 C8 mov eax, dword ptr [ebp-38]
00401597 89C2 mov edx, eax
00401599 8D0495 00000000 lea eax, dword ptr [edx*4] ; 4k
004015A0 8945 D4 mov dword ptr [ebp-2C], eax
004015A3 8B45 D4 mov eax, dword ptr [ebp-2C]
004015A6 89C2 mov edx, eax
004015A8 8D0412 lea eax, dword ptr [edx+edx] ; 8k
004015AB 8D50 21 lea edx, dword ptr [eax+21] ; 8k+21
004015AE 8955 D0 mov dword ptr [ebp-30], edx
004015B1 8B55 C4 mov edx, dword ptr [ebp-3C]
004015B4 8D0495 00000000 lea eax, dword ptr [edx*4] ; 4i
004015BB 8B55 CC mov edx, dword ptr [ebp-34] ; start address of the buffer
004015BE 8B5D C4 mov ebx, dword ptr [ebp-3C] ; i
004015C1 89D9 mov ecx, ebx
004015C3 01C9 add ecx, ecx ; 2i
004015C5 01D9 add ecx, ebx ; 3i
004015C7 89CB mov ebx, ecx
004015C9 C1FB 1F sar ebx, 1F ; 3i >> 1f
004015CC 89DE mov esi, ebx
004015CE C1EE 1F shr esi, 1F ; (3i >> 1f ) >> 1f
004015D1 01F1 add ecx, esi ; 3i + (3i>>1f ) >> 1f
004015D3 89CB mov ebx, ecx
004015D5 C1FB 01 sar ebx, 1 ; sar 1
004015D8 891C02 mov dword ptr [edx+eax], ebx ; store the result of the computation above into buffer[i]; it is never used afterwards
004015DB FF45 C4 inc dword ptr [ebp-3C] ; i++
004015DE ^ E9 55FFFFFF jmp 00401538 ; this loop can in fact be reduced to computing k, and k depends only on 0x65*len-1
004015E3 83C4 F8 add esp, -8
004015E6 68 002F4000 push 00402F00
004015EB 83C4 F8 add esp, -8
004015EE 68 002F4000 push 00402F00
004015F3 68 28304100 push 00413028 ; ,0a
004015F8 E8 FFF30000 call 004109FC
004015FD 83C4 10 add esp, 10
00401600 89C0 mov eax, eax
00401602 50 push eax
00401603 E8 F4F30000 call 004109FC
00401608 83C4 10 add esp, 10
0040160B 837D CC 00 cmp dword ptr [ebp-34], 0
0040160F 74 11 je short 00401622
00401611 83C4 F4 add esp, -0C
00401614 8B45 CC mov eax, dword ptr [ebp-34]
00401617 50 push eax
00401618 E8 53AB0000 call 0040C170 ; free the buffer above
0040161D 83C4 10 add esp, 10
00401620 /EB 00 jmp short 00401622
00401622 \817D C0 0E03000>cmp dword ptr [ebp-40], 30E ; is 0x65*len-1 greater than 30E? if less than or equal, jump to the end
00401629 7F 05 jg short 00401630 ; to satisfy the condition above the username must be longer than 7 characters
0040162B 31C0 xor eax, eax
0040162D EB 43 jmp short 00401672
0040162F 90 nop
00401630 0FBE45 E2 movsx eax, byte ptr [ebp-1E] ; name[2]
00401634 89C2 mov edx, eax
00401636 0355 C8 add edx, dword ptr [ebp-38] ; k
00401639 0FBE45 E4 movsx eax, byte ptr [ebp-1C] ; name[4]
0040163D 8D0C10 lea ecx, dword ptr [eax+edx]
00401640 894D C8 mov dword ptr [ebp-38], ecx ; k = name[2] + name[4] + k
00401643 83C4 FC add esp, -4
00401646 8B45 DC mov eax, dword ptr [ebp-24] ; len
00401649 50 push eax
0040164A 8B45 C8 mov eax, dword ptr [ebp-38] ; k
0040164D 50 push eax
0040164E 8B45 D8 mov eax, dword ptr [ebp-28] ; key
00401651 50 push eax
00401652 E8 71000000 call 004016C8 ; key call, F7 to step into; the key depends on the username length len and only on the 3rd and 5th characters of the username
00401657 83C4 10 add esp, 10
0040165A 89C0 mov eax, eax
0040165C 8945 C0 mov dword ptr [ebp-40], eax
0040165F 83C4 F4 add esp, -0C
00401662 8B45 C0 mov eax, dword ptr [ebp-40]
00401665 50 push eax
00401666 E8 9D010000 call 00401808 ; show the success or failure message according to the result of the call above
0040166B 83C4 10 add esp, 10
0040166E 31C0 xor eax, eax
00401670 EB 00 jmp short 00401672
00401672 8D65 A8 lea esp, dword ptr [ebp-58]
00401675 5B pop ebx
00401676 5E pop esi
00401677 C9 leave
00401678 C3 retn
0040167C 55 push ebp
0040167D 89E5 mov ebp, esp
0040167F 83EC 28 sub esp, 28
00401682 8B45 08 mov eax, dword ptr [ebp+8] ; i
00401685 8945 EC mov dword ptr [ebp-14], eax
00401688 B9 B7600BB6 mov ecx, B60B60B7 ; b60b60b7
0040168D 8B45 EC mov eax, dword ptr [ebp-14] ; i
00401690 F7E9 imul ecx ; b60b60b7*i
00401692 8B45 EC mov eax, dword ptr [ebp-14]
00401695 8D0C10 lea ecx, dword ptr [eax+edx] ; high 32 bits of b60b60b7*i, plus i = s
00401698 89CA mov edx, ecx
0040169A C1FA 06 sar edx, 6 ; >> 6
0040169D 8B4D EC mov ecx, dword ptr [ebp-14]
004016A0 C1F9 1F sar ecx, 1F ; i >> 1f
004016A3 89D0 mov eax, edx
004016A5 29C8 sub eax, ecx ; s>>6 - i>>1f = m
004016A7 89C2 mov edx, eax
004016A9 01D2 add edx, edx
004016AB 8D0C10 lea ecx, dword ptr [eax+edx] ; 3m, this return value is the only useful thing here
004016AE 894D FC mov dword ptr [ebp-4], ecx
004016B1 8B55 FC mov edx, dword ptr [ebp-4]
004016B4 89D0 mov eax, edx
004016B6 EB 00 jmp short 004016B8
004016B8 C9 leave
004016B9 C3 retn
004016C8 55 push ebp
004016C9 89E5 mov ebp, esp
004016CB 83EC 44 sub esp, 44
004016CE 53 push ebx
004016CF 8B55 0C mov edx, dword ptr [ebp+C] ; k
004016D2 89D0 mov eax, edx
004016D4 C1E0 02 shl eax, 2 ; k<<2
004016D7 01D0 add eax, edx
004016D9 8D1400 lea edx, dword ptr [eax+eax]
004016DC 8955 FC mov dword ptr [ebp-4], edx ; 10 * k
004016DF 8B55 10 mov edx, dword ptr [ebp+10] ; len
004016E2 0FAF55 FC imul edx, dword ptr [ebp-4]
004016E6 89D0 mov eax, edx
004016E8 35 CF2BFFFF xor eax, FFFF2BCF ; len * ( 10 k ) ^ ffff2bcf
004016ED 8945 DC mov dword ptr [ebp-24], eax
004016F0 8B4D FC mov ecx, dword ptr [ebp-4] ; 10 k
004016F3 89C8 mov eax, ecx
004016F5 99 cdq
004016F6 F77D 10 idiv dword ptr [ebp+10] ; (10k) /len
004016F9 89C3 mov ebx, eax
004016FB 8B45 DC mov eax, dword ptr [ebp-24]
004016FE 99 cdq
004016FF F7FB idiv ebx ; len * ( 10 k ^ ffff2bcf) / (10k /len)
00401701 89C1 mov ecx, eax
00401703 894D F8 mov dword ptr [ebp-8], ecx
00401706 DB45 08 fild dword ptr [ebp+8] ; key
00401709 DB45 08 fild dword ptr [ebp+8]
0040170C DB45 10 fild dword ptr [ebp+10] ; len
0040170F DD05 C0164000 fld qword ptr [4016C0] ; 1.5
00401715 DEC9 fmulp st(1), st ; 1.5len
00401717 DEE9 fsubp st(1), st
00401719 DEE9 fsubp st(1), st
0040171B D97D EA fstcw word ptr [ebp-16]
0040171E 66:8B45 EA mov ax, word ptr [ebp-16]
00401722 66:0D 000C or ax, 0C00
00401726 66:8945 E8 mov word ptr [ebp-18], ax
0040172A D96D E8 fldcw word ptr [ebp-18]
0040172D DB5D F4 fistp dword ptr [ebp-C] ; 1.5len truncated to an integer
00401730 D96D EA fldcw word ptr [ebp-16]
00401733 8B4D 08 mov ecx, dword ptr [ebp+8] ; key
00401736 89C8 mov eax, ecx
00401738 99 cdq
00401739 F77D F4 idiv dword ptr [ebp-C] ; key / 1.5len
0040173C 8B55 08 mov edx, dword ptr [ebp+8]
0040173F 01C2 add edx, eax ; key + ( key /1.5len)
00401741 8955 F0 mov dword ptr [ebp-10], edx
00401744 8B45 F8 mov eax, dword ptr [ebp-8] ; len * ( 10 k ^ ffff2bcf) / (10k /len)
00401747 3B45 F0 cmp eax, dword ptr [ebp-10] ; key + ( key /1.5len)
0040174A /75 09 jnz short 00401755 ; if equal, registration succeeds and the return value is 0B; otherwise return 1, registration fails
0040174C |B8 0B000000 mov eax, 0B
00401751 |EB 0D jmp short 00401760
00401753 |EB 0B jmp short 00401760
00401755 \B8 01000000 mov eax, 1
0040175A EB 04 jmp short 00401760
0040175C 8D7426 00 lea esi, dword ptr [esi]
00401760 8B5D B8 mov ebx, dword ptr [ebp-48]
00401763 C9 leave
00401764 C3 retn
00401808 55 push ebp
00401809 89E5 mov ebp, esp
0040180B 83EC 08 sub esp, 8
0040180E 837D 08 0B cmp dword ptr [ebp+8], 0B
00401812 /75 2D jnz short 00401841 ; if the return value just obtained is not 0B, jump to failure
00401814 |83C4 F8 add esp, -8
00401817 |68 002F4000 push 00402F00
0040181C |83C4 F8 add esp, -8
0040181F |68 D0174000 push 004017D0 ; >>>>> 叫你输入假码,你就输入真码,严重佩服你的能力,强
00401824 |68 28304100 push 00413028 ; ,0a
00401829 |E8 9A120000 call 00402AC8
0040182E |83C4 10 add esp, 10
00401831 |89C0 mov eax, eax
00401833 |50 push eax
00401834 |E8 C3F10000 call 004109FC
00401839 |83C4 10 add esp, 10
0040183C |E8 8BDF0000 call 0040F7CC ; jmp to msvcrt.getchar
00401841 \83C4 F4 add esp, -0C
00401844 8B45 08 mov eax, dword ptr [ebp+8]
00401847 50 push eax
00401848 E8 33FFFFFF call 00401780
0040184D 83C4 10 add esp, 10
00401850 C9 leave
00401851 C3 retn
00401780 55 push ebp
00401781 89E5 mov ebp, esp
00401783 83EC 08 sub esp, 8
00401786 837D 08 0B cmp dword ptr [ebp+8], 0B
0040178A 74 2D je short 004017B9
0040178C 83C4 F8 add esp, -8
0040178F 68 002F4000 push 00402F00
00401794 83C4 F8 add esp, -8
00401797 68 65174000 push 00401765 ; >>>>> 恭喜你,还有努力啊!
0040179C 68 28304100 push 00413028 ; ,0a
004017A1 E8 22130000 call 00402AC8
004017A6 83C4 10 add esp, 10
004017A9 89C0 mov eax, eax
004017AB 50 push eax
004017AC E8 4BF20000 call 004109FC
004017B1 83C4 10 add esp, 10
004017B4 E8 13E00000 call 0040F7CC ; jmp to msvcrt.getchar
004017B9 C9 leave
004017BA C3 retn
The whole algorithm has been analysed above; here is a C# keygen. The same problem as in the previous version remains: some usernames may have no corresponding key at all.
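The author's C# keygen is not included in the post. The C program below is an added example (not the author's code) that re-implements the three routines analysed above in 32-bit integer arithmetic: the helper at 0040167C (which the magic constant B60B60B7 reduces to 3*(i/90)), the check at 004016C8, and a key search that inverts key + key/trunc(1.5*len) == target. It assumes the username is read without a trailing newline and that the fake code is parsed as a 32-bit integer; the sample name is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* call 0040167C: signed high-multiply by 0xB60B60B7, add, sar 6 -> 3 * (i / 90) */
static int32_t sub_167c(int32_t i) {
    int64_t prod = (int64_t)i * (int32_t)0xB60B60B7u;   /* imul ecx -> edx:eax */
    int32_t hi = (int32_t)(prod >> 32);                  /* edx = high dword */
    int32_t m = ((i + hi) >> 6) - (i >> 31);             /* s>>6 - i>>1f */
    return 3 * m;
}

/* value in [ebp-38] after the loop (last i = 0x65*len-1), then += name[2] + name[4] */
static int32_t compute_k(const char *name) {
    int32_t len = (int32_t)strlen(name);
    return sub_167c(0x65 * len - 1) + (int8_t)name[2] + (int8_t)name[4];
}

/* call 004016C8: returns 0x0B on success, 1 on failure (idiv-by-zero guarded here) */
static int32_t check_key(int32_t key, int32_t k, int32_t len) {
    int32_t tenk = 10 * k;
    int32_t num = (len * tenk) ^ (int32_t)0xFFFF2BCFu;   /* len*(10k) ^ ffff2bcf */
    int32_t den = tenk / len;                            /* (10k)/len */
    int32_t d = (int32_t)(1.5 * len);                    /* fistp with truncation */
    if (den == 0 || d == 0) return 1;                    /* the crackme would fault on idiv */
    return (num / den == key + key / d) ? 0x0B : 1;
}

/* Solve key + key/d == target by probing around target*d/(d+1). Returns 1 and sets
   *key on success, 0 when the name is too short or no key exists for it. */
static int keygen(const char *name, int32_t *key) {
    int32_t len = (int32_t)strlen(name);
    if (len <= 7) return 0;                              /* cmp [ebp-40], 30E */
    int32_t k = compute_k(name), tenk = 10 * k, d = (int32_t)(1.5 * len);
    if (tenk / len == 0) return 0;
    int32_t target = ((len * tenk) ^ (int32_t)0xFFFF2BCFu) / (tenk / len);
    int32_t guess = (int32_t)((int64_t)target * d / (d + 1));
    for (int32_t c = guess - 2; c <= guess + 2; c++)
        if (check_key(c, k, len) == 0x0B) { *key = c; return 1; }
    return 0;
}

int main(void) {
    const char *name = "hawking1";                       /* constructed sample, 8 chars */
    int32_t key;
    if (keygen(name, &key))
        printf("%s -> key %d (hex %08X)\n", name, key, (uint32_t)key);
    else
        printf("%s -> no key exists\n", name);
    return 0;
}
```

Because len*10k is small and positive, the xor with ffff2bcf makes the target negative, so valid keys are negative and are entered in their 32-bit hex form.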
--------------------------------------------------------------------------------
【Copyright notice】: Thanks to the 看雪 (PEDIY) forum and 一蓑烟雨. When reposting, please credit the author and keep the article intact. Thank you!
2007年05月13日 22:06:47