教菜鸟写注册机――高级篇(注意我这里说的高级只是对偶辈菜鸟来说是难一些)
HEYA,我又来灌喽!还是那个系列的第3位CRACKME。下载:
http://opencrackmes.crackmes.de/opencrackmes/Collections/keygenning4newbies/Crackmes/k4n3.zip
用W32DASM来反,(可以先看后面说明)
:004011BF 6A45 push 00000045
:004011C1 50 push eax
:004011C2 A4 movsb
* Reference To: USER32.GetDlgItemTextA, Ord:0104h
|
:004011C3 8B3DA8404000 mov edi, dword ptr [004040A8] ;注意这里把地址放在EDI
* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03E8, ""
|
:004011C9 68E8030000 push 000003E8
:004011CE 51 push ecx
:004011CF FFD7 call edi ;实际是CALL GetDlgItemTextA,得到用户名
:004011D1 8BF0 mov esi, eax
:004011D3 85F6 test esi, esi
:004011D5 0F844B010000 je 00401326
:004011DB 83FE40 cmp esi, 00000040
:004011DE 0F8742010000 ja 00401326
:004011E4 8B4508 mov eax, dword ptr [ebp+08]
:004011E7 8D5594 lea edx, dword ptr [ebp-6C]
:004011EA 6A13 push 00000013
:004011EC 52 push edx
* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03E9, ""
|
:004011ED 68E9030000 push 000003E9
:004011F2 50 push eax
:004011F3 FFD7 call edi ;再次调用GetDlgItemText,得到注册码
:004011F5 6BC003 imul eax, 00000003 ;EAX是注册码的长度
:004011F8 C1E002 shl eax, 02 ;左移二位
:004011FB 05CD000000 add eax, 000000CD ;加上0CD
:00401200 8945FC mov dword ptr [ebp-04], eax
:00401203 817DFCA5010000 cmp dword ptr [ebp-04], 000001A5;看看计算结果是不是1A5
:0040120A 0F85BC000000 jne 004012CC ;不是就死,可以逆算出(1A5-0CD)>>2=12
:00401210 33C0 xor eax, eax ;即注册码不能小于12h位
:00401212 8A4594 mov al, byte ptr [ebp-6C]
:00401215 84C0 test al, al
:00401217 7413 je 0040122C
:00401219 8D4D94 lea ecx, dword ptr [ebp-6C]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040122A(C)
|
:0040121C 3C30 cmp al, 30
:0040121E 0F82C6000000 jb 004012EA ;注册码每位不能小于30h,即'0'
:00401224 8A4101 mov al, byte ptr [ecx+01]
:00401227 41 inc ecx
:00401228 84C0 test al, al
:0040122A 75F0 jne 0040121C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401217(C)
|
:0040122C E8CFFDFFFF call 00401000 ;这是什么呀?好像很重要哟,进去看看!:D
:00401231 8D852CFFFFFF lea eax, dword ptr [ebp+FFFFFF2C]
:00401237 50 push eax
:00401238 E843FEFFFF call 00401080 ;转换过程一,跟进
:0040123D 8945FC mov dword ptr [ebp-04], eax
:00401240 E8BBFDFFFF call 00401000 ;还进去不?呀....别打我!
:00401245 8D8D2CFFFFFF lea ecx, dword ptr [ebp+FFFFFF2C]
:0040124B 56 push esi
:0040124C 51 push ecx
:0040124D E8BEFDFFFF call 00401010
:00401252 83C40C add esp, 0000000C
:00401255 33C9 xor ecx, ecx
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401284(C)
|
:00401257 8B45FC mov eax, dword ptr [ebp-04] \
:0040125A 33D2 xor edx, edx |
:0040125C BE1A000000 mov esi, 0000001A |
:00401261 F7F6 div esi |
:00401263 8A941510FFFFFF mov dl, byte ptr [ebp+edx-000000F0]
:0040126A 88540DC8 mov byte ptr [ebp+ecx-38], dl|
:0040126E 8B45FC mov eax, dword ptr [ebp-04] |
:00401271 C1E003 shl eax, 03 |---转换过程二
:00401274 BA45230100 mov edx, 00012345 |
:00401279 F7E8 imul eax |
:0040127B 03C2 add eax, edx |
:0040127D 8945FC mov dword ptr [ebp-04], eax |
:00401280 41 inc ecx |
:00401281 83F912 cmp ecx, 00000012 |
:00401284 72D1 jb 00401257 /
:00401286 E875FDFFFF call 00401000
:0040128B 33C0 xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012A2(C)
|
:0040128D 8A4C0594 mov cl, byte ptr [ebp+eax-6C] \
:00401291 8A5405C8 mov dl, byte ptr [ebp+eax-38] |
:00401295 80E930 sub cl, 30 |
:00401298 32D1 xor dl, cl |---转换过程三
:0040129A 885405C8 mov byte ptr [ebp+eax-38], dl |
:0040129E 40 inc eax |
:0040129F 83F812 cmp eax, 00000012 |
:004012A2 72E9 jb 0040128D /
:004012A4 E857FDFFFF call 00401000
:004012A9 8D55C8 lea edx, dword ptr [ebp-38]
:004012AC 52 push edx
:004012AD E85EFEFFFF call 00401110 ;转换过程四
:004012B2 E849FDFFFF call 00401000
:004012B7 8D45C8 lea eax, dword ptr [ebp-38]
* Possible StringData Ref from Data Obj ->"KEYGENNING4NEWBIES"
|
:004012BA 6814514000 push 00405114 ;固定字串"KEYGENNING4NEWBIES"
:004012BF 50 push eax ;上面转换而来的字串
:004012C0 E86BFEFFFF call 00401130 ;进行比较
:004012C5 83C40C add esp, 0000000C
:004012C8 85C0 test eax, eax
:004012CA 753C jne 00401308 ;关键跳转
* Referenced by a CALL at Address:
|:00401238
|
:00401080 55 push ebp
:00401081 8BEC mov ebp, esp
:00401083 51 push ecx
:00401084 53 push ebx
:00401085 56 push esi
:00401086 57 push edi
* Possible StringData Ref from Data Obj ->"eheh"
|
:00401087 6880504000 push 00405080
:0040108C 6A00 push 00000000
:0040108E E8ADFFFFFF call 00401040 ;这个CALL有问题
:00401093 83C408 add esp, 00000008
:00401096 8BD8 mov ebx, eax
:00401098 E863FFFFFF call 00401000
* Possible StringData Ref from Data Obj ->" is a whore."
|
:0040109D BF70504000 mov edi, 00405070
:004010A2 83C9FF or ecx, FFFFFFFF
:004010A5 33C0 xor eax, eax
:004010A7 F2 repnz
:004010A8 AE scasb
:004010A9 F7D1 not ecx
:004010AB 2BF9 sub edi, ecx
:004010AD 8BF7 mov esi, edi
:004010AF 8B7D08 mov edi, dword ptr [ebp+08]
:004010B2 8BD1 mov edx, ecx
:004010B4 83C9FF or ecx, FFFFFFFF
:004010B7 F2 repnz
:004010B8 AE scasb
:004010B9 8BCA mov ecx, edx
:004010BB 4F dec edi
:004010BC C1E902 shr ecx, 02
:004010BF F3 repz
:004010C0 A5 movsd
:004010C1 8BCA mov ecx, edx
:004010C3 83E103 and ecx, 00000003
:004010C6 F3 repz
:004010C7 A4 movsb
:004010C8 33FF xor edi, edi
:004010CA 33F6 xor esi, esi ;上面这一段是不是有点晕,没关系,只看结果
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010F6(C)
|
:004010CC 8B4508 mov eax, dword ptr [ebp+08]
:004010CF 50 push eax ;在这里D eax看看是什么,RoBa is a whore.
:004010D0 56 push esi ;ESI每次加4,从第ESI个字符开始取值
:004010D1 E86AFFFFFF call 00401040 ;还是上面的CALL
:004010D6 8B8E30504000 mov ecx, dword ptr [esi+00405030];这也是一个表,从里面取值
:004010DC 83C408 add esp, 00000008
:004010DF 33CF xor ecx, edi
:004010E1 03C1 add eax, ecx
:004010E3 8945FC mov dword ptr [ebp-04], eax
:004010E6 C145FC07 rol dword ptr [ebp-04], 07 ;ROL是一个“滚动”移位
:004010EA 8B45FC mov eax, dword ptr [ebp-04]
:004010ED 83C604 add esi, 00000004
:004010F0 33D8 xor ebx, eax ;进行一些运算,EBX最初是"eheh"=68656865
:004010F2 47 inc edi
:004010F3 83FE40 cmp esi, 00000040 ;ESI每次加4,所以这是计算10H=16次
:004010F6 7CD4 jl 004010CC ;这里是循环计算
:004010F8 5F pop edi
:004010F9 8BC3 mov eax, ebx
:004010FB 5E pop esi
:004010FC 5B pop ebx
:004010FD 8BE5 mov esp, ebp
:004010FF 5D pop ebp
:00401100 C3 ret
:00401257 8B45FC mov eax, dword ptr [ebp-04] ;最初这里是上面过程一的结果
:0040125A 33D2 xor edx, edx
:0040125C BE1A000000 mov esi, 0000001A
:00401261 F7F6 div esi ;除以1Ah=26
:00401263 8A941510FFFFFF mov dl, byte ptr [ebp+edx-000000F0];根据余数从表中取值
:0040126A 88540DC8 mov byte ptr [ebp+ecx-38], dl ;把取得的值组成一个字串
:0040126E 8B45FC mov eax, dword ptr [ebp-04]
:00401271 C1E003 shl eax, 03
:00401274 BA45230100 mov edx, 00012345
:00401279 F7E8 imul eax
:0040127B 03C2 add eax, edx ;进行一些计算,准备下次再取
:0040127D 8945FC mov dword ptr [ebp-04], eax
:00401280 41 inc ecx ;ECX是循环变量
:00401281 83F912 cmp ecx, 00000012 ;共计算12h=18次
:00401284 72D1 jb 00401257
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课