这个CM是那个初入樵***里的,汇编编写,无壳,爆破超简单
下面是我的分析
我使用用户名zxcvbnm注册码123456789
004010CB > \B9 1E000000 mov ecx, 1E
004010D0 . 31C0 xor eax, eax
004010D2 . BF B8204000 mov edi, Crackme.004020B8
004010D7 . F3:AA rep stos byte ptr es:[edi]
004010D9 . 31FF xor edi, edi
004010DB . 47 inc edi
004010DC . C1E7 0B shl edi, 0B
004010DF . 6A 2D push 2D
004010E1 . 68 4F204000 push Crackme.0040204F ; ASCII "zxcvbnm"
004010E6 . 57 push edi
004010E7 . 56 push esi
004010E8 . FF15 90214000 call near dword ptr ds:[402190] ; USER32.GetDlgItemTextA
004010EE . 09C0 or eax, eax
004010F0 . 0F85 01000000 jnz Crackme.004010F7
004010F6 . C3 retn
用户名是否为空
004010F7 > \D1EF shr edi, 1
004010F9 . 6A 1E push 1E
004010FB . 68 7C204000 push Crackme.0040207C ; ASCII "123456789"
00401100 . 57 push edi
00401101 . 56 push esi
00401102 . FF15 90214000 call near dword ptr ds:[402190] ; USER32.GetDlgItemTextA
00401108 . 09C0 or eax, eax
0040110A . 0F85 01000000 jnz Crackme.00401111
00401110 . C3 retn
注册码是否为空
00401111 > \B8 4F204000 mov eax, Crackme.0040204F ; ASCII "zxcvbnm"
00401116 . E8 1D020000 call Crackme.00401338
跟进去
00401338 /$ 51 push ecx ; USER32.77D3218C
00401339 |. 57 push edi
0040133A |. B9 64000000 mov ecx, 64
0040133F |. 89C7 mov edi, eax
00401341 |. 31C0 xor eax, eax
00401343 |. F2:AE repne scas byte ptr es:[edi]
00401345 |. F7D1 not ecx ; USER32.77D3218C
00401347 |. 83C1 64 add ecx, 64
0040134A |. 89C8 mov eax, ecx ; USER32.77D3218C
0040134C |. 5F pop edi ; Crackme.00401025
0040134D |. 59 pop ecx ; Crackme.00401025
0040134E \. C3 retn
不知道
用EBX来存真注册码
0040111B . A3 A0214000 mov dword ptr ds:[4021A0], eax
00401120 . BB 4F204000 mov ebx, Crackme.0040204F ; ASCII "zxcvbnm"
00401125 . 0FB613 movzx edx, byte ptr ds:[ebx]
00401128 . 0FB64C03 FF movzx ecx, byte ptr ds:[ebx+eax-1]
0040112D . 0FAFD1 imul edx, ecx
00401130 . 50 push eax
00401131 . B9 02000000 mov ecx, 2
00401136 . 52 push edx
00401137 . 31D2 xor edx, edx
00401139 . F7F9 idiv ecx
0040113B . 5A pop edx
0040113C . 0FB60C03 movzx ecx, byte ptr ds:[ebx+eax]
00401140 . 0FAFD1 imul edx, ecx
00401143 . BB B8204000 mov ebx, Crackme.004020B8 ; ASCII "HNT-"
00401148 . C703 484E542D mov dword ptr ds:[ebx], 2D544E48
0040114E . 89D0 mov eax, edx
00401150 . 83C3 04 add ebx, 4
到这里知道了注册码固定以"HNT-"开头
00401150 . 83C3 04 add ebx, 4
00401153 . E8 F7010000 call Crackme.0040134F
到这里可以在EBX看到"-9164",现在ebx=Crackme.004020B8="HNT-9164",等下再跟
call Crackme.0040134F
00401158 . C705 00204000>mov dword ptr ds:[402000], 1E
00401162 . 68 00204000 push Crackme.00402000 ; /pBufferSize = Crackme.00402000
00401167 . 68 9A204000 push Crackme.0040209A ; |Buffer = Crackme.0040209A
0040116C . E8 B34E0000 call <jmp.&KERNEL32.GetComputerNameA> ; \GetComputerNameA
00401171 . B8 9A204000 mov eax, Crackme.0040209A ; ASCII "ZAPLINE"
00401176 . E8 F2010000 call Crackme.0040136D
将机器名放到EAX,我的机器名为ZAPLINE,等下再跟call Crackme.0040136D
0040117B . BB 4F204000 mov ebx, Crackme.0040204F ; ASCII "zxcvbnm"
00401180 . E8 00020000 call Crackme.00401385
将用户名放到EBX,等下再跟call Crackme.00401385
00401185 . 50 push eax
00401186 . 31C0 xor eax, eax
00401188 . 0FA2 cpuid
0040118A . 58 pop eax
0040118B . 51 push ecx
0040118C . 52 push edx
0040118D . 21D8 and eax, ebx ; Crackme.004020C0
0040118F . BB B8204000 mov ebx, Crackme.004020B8 ; ASCII "HNT-9164-0929"
00401194 . 89DF mov edi, ebx ; Crackme.004020C0
00401196 . 50 push eax
00401197 . 66:31C0 xor ax, ax
0040119A . F2:AE repne scas byte ptr es:[edi]
0040119C . 89FB mov ebx, edi ; Crackme.004020C1
0040119E . 58 pop eax
0040119F . 4B dec ebx ; Crackme.004020C0
004011A0 . C603 2D mov byte ptr ds:[ebx], 2D
004011A3 . 43 inc ebx ; Crackme.004020C0
004011A4 . E8 A6010000 call Crackme.0040134F
现在ebx=Crackme.004020B8="HNT-9164-0929"
004011A9 . B8 4F204000 mov eax, Crackme.0040204F ; ASCII "zxcvbnm"
004011AE . E8 BA010000 call Crackme.0040136D
将用户名放到EAX,等下再跟call Crackme.0040136D
004011B3 . 59 pop ecx
004011B4 . 31C8 xor eax, ecx
004011B6 . 59 pop ecx
004011B7 . 09C8 or eax, ecx
004011B9 . 50 push eax
004011BA . BB 4F204000 mov ebx, Crackme.0040204F ; ASCII "zxcvbnm"
004011BF . 0FB603 movzx eax, byte ptr ds:[ebx]
004011C2 . 0FB64B 01 movzx ecx, byte ptr ds:[ebx+1]
004011C6 . 0FAFC1 imul eax, ecx
004011C9 . 59 pop ecx
004011CA . 0FAFC1 imul eax, ecx
004011CD . BF B8204000 mov edi, Crackme.004020B8 ; ASCII "HNT-9164-0929-"
004011D2 . 50 push eax
004011D3 . 30C0 xor al, al
004011D5 . F2:AE repne scas byte ptr es:[edi]
004011D7 . 58 pop eax
004011D8 . 89FB mov ebx, edi ; Crackme.004020C6
004011DA . 4B dec ebx ; Crackme.004020C6
004011DB . C603 2D mov byte ptr ds:[ebx], 2D
004011DE . 43 inc ebx ; Crackme.004020C6
004011DF . E8 6B010000 call Crackme.0040134F
对用户名一些操作,此时edi=Crackme.004020B8="HNT-9164-0929-3504"
004011E4 . B8 4F204000 mov eax, Crackme.0040204F ; ASCII "zxcvbnm"
004011E9 . E8 7F010000 call Crackme.0040136D
004011EE . B9 1A000000 mov ecx, 1A
004011F3 . 31D2 xor edx, edx
004011F5 . F7F9 idiv ecx
004011F7 . B8 41000000 mov eax, 41
004011FC . 01D0 add eax, edx
004011FE . 89C7 mov edi, eax
00401200 . BB 4F204000 mov ebx, Crackme.0040204F ; ASCII "zxcvbnm"
00401205 . E8 7B010000 call Crackme.00401385
0040120A . 31D2 xor edx, edx
0040120C . F7F9 idiv ecx
0040120E . 83C2 41 add edx, 41
00401211 . BB B8204000 mov ebx, Crackme.004020B8 ; ASCII "HNT-9164-0929-3504-WT"
00401216 . 50 push eax
00401217 . 31C0 xor eax, eax
00401219 . 57 push edi
0040121A . 89DF mov edi, ebx ; Crackme.004020CA
0040121C . F2:AE repne scas byte ptr es:[edi]
0040121E . 58 pop eax
0040121F . 89FB mov ebx, edi
00401221 . 5F pop edi
00401222 . 4B dec ebx ; Crackme.004020CA
00401223 . C603 2D mov byte ptr ds:[ebx], 2D
00401226 . 8843 01 mov byte ptr ds:[ebx+1], al
00401229 . 8853 02 mov byte ptr ds:[ebx+2], dl
0040122C . C643 03 00 mov byte ptr ds:[ebx+3], 0
00401230 . 58 pop eax
00401231 . 56 push esi
00401232 . B8 B8204000 mov eax, Crackme.004020B8 ; ASCII "HNT-9164-0929-3504-WT"
00401237 . E8 FC000000 call Crackme.00401338
ebx=Crackme.004020B8="HNT-9164-0929-3504-WT"
0040123C . 89C2 mov edx, eax ; Crackme.0040207C
0040123E . B8 7C204000 mov eax, Crackme.0040207C ; ASCII "123456789"
00401243 . E8 F0000000 call Crackme.00401338
取得伪注册码
00401248 . 39D0 cmp eax, edx
0040124A . 0F85 5F000000 jnz Crackme.004012AF
关键对比和跳转
先将jnz Crackme.004012AF NOP掉
00401250 . BE B8204000 mov esi, Crackme.004020B8 ; ASCII "HNT-9164-0929-3504-WT"
00401255 . BF 7C204000 mov edi, Crackme.0040207C ; ASCII "123456789"
0040125A . 89C1 mov ecx, eax
0040125C > 8A06 mov al, byte ptr ds:[esi]
0040125E . 8A27 mov ah, byte ptr ds:[edi]
00401260 . 46 inc esi ; Crackme.004020B9
00401261 . 47 inc edi ; Crackme.0040207D
00401262 . 30C4 xor ah, al
00401264 . 0F85 45000000 jnz Crackme.004012AF
0040126A . 49 dec ecx
0040126B .^ 75 EF jnz short Crackme.0040125C
再将真伪注册码循环去掉首个字母再比较
再将jnz Crackme.004012AF 和jnz short Crackme.0040125C NOP掉
再下去RIGHT CODE提示就出来了
好了,在来想想如何写注册机,当然,内存注册机就很容易做了。
好,重来,用户名123456789,注册码随便了,反正不参与计算。
00401111 > \B8 4F204000 mov eax, Crackme.0040204F ; ASCII "123456789"
00401116 . E8 1D020000 call Crackme.00401338
0040111B . A3 A0214000 mov dword ptr ds:[4021A0], eax
获得用户名长度,存到dword ptr ds:[4021A0],我这为9
0040111B . A3 A0214000 mov dword ptr ds:[4021A0], eax
00401120 . BB 4F204000 mov ebx, Crackme.0040204F ; ASCII "123456789"
00401125 . 0FB613 movzx edx, byte ptr ds:[ebx]
00401128 . 0FB64C03 FF movzx ecx, byte ptr ds:[ebx+eax-1]
0040112D . 0FAFD1 imul edx, ecx
00401130 . 50 push eax
首末字符imul,我这得到9,压入堆栈
00401131 . B9 02000000 mov ecx, 2
00401136 . 52 push edx
00401137 . 31D2 xor edx, edx
00401139 . F7F9 idiv ecx
0040113B . 5A pop edx
0040113C . 0FB60C03 movzx ecx, byte ptr ds:[ebx+eax]
00401140 . 0FAFD1 imul edx, ecx
00401143 . BB B8204000 mov ebx, Crackme.004020B8 ; ASCII "HNT-8029"
00401148 . C703 484E542D mov dword ptr ds:[ebx], 2D544E48
0040114E . 89D0 mov eax, edx
00401150 . 83C3 04 add ebx, 4
00401153 . E8 F7010000 call Crackme.0040134F
跟过去
0040134F /$ 51 push ecx
00401350 |. 56 push esi
00401351 |. 4B dec ebx ; Crackme.004020BC
00401352 |. B9 04000000 mov ecx, 4
00401357 |. BE 0A000000 mov esi, 0A
0040135C |. 52 push edx
0040135D |> 31D2 xor edx, edx
0040135F |. F7FE idiv esi
00401361 |. 80C2 30 add dl, 30
00401364 |. 88140B mov byte ptr ds:[ebx+ecx], dl
00401367 |.^ E2 F4 loopd short Crackme.0040135D
00401369 |. 5A pop edx ; Crackme.00401158
0040136A |. 5E pop esi ; Crackme.00401158
0040136B |. 59 pop ecx ; Crackme.00401158
0040136C \. C3 retn
反正在这个CALL里算出8029
00401158 . C705 00204000>mov dword ptr ds:[402000], 1E
00401162 . 68 00204000 push Crackme.00402000 ; /pBufferSize = Crackme.00402000
00401167 . 68 9A204000 push Crackme.0040209A ; |Buffer = Crackme.0040209A
0040116C . E8 B34E0000 call <jmp.&KERNEL32.GetComputerNameA> ; \GetComputerNameA
00401171 . B8 9A204000 mov eax, Crackme.0040209A ; ASCII "ZAPLINE"
00401176 . E8 F2010000 call Crackme.0040136D
0040117B . BB 4F204000 mov ebx, Crackme.0040204F ; ASCII "123456789"
00401180 . E8 00020000 call Crackme.00401385
00401185 . 50 push eax
00401186 . 31C0 xor eax, eax
00401188 . 0FA2 cpuid
0040118A . 58 pop eax
0040118B . 51 push ecx
0040118C . 52 push edx
0040118D . 21D8 and eax, ebx ; Crackme.004020C0
0040118F . BB B8204000 mov ebx, Crackme.004020B8 ; ASCII "HNT-8029-0672"
00401194 . 89DF mov edi, ebx ; Crackme.004020C0
00401196 . 50 push eax
00401197 . 66:31C0 xor ax, ax
0040119A . F2:AE repne scas byte ptr es:[edi]
0040119C . 89FB mov ebx, edi ; Crackme.004020C1
0040119E . 58 pop eax
0040119F . 4B dec ebx ; Crackme.004020C0
004011A0 . C603 2D mov byte ptr ds:[ebx], 2D
004011A3 . 43 inc ebx ; Crackme.004020C0
004011A4 . E8 A6010000 call Crackme.0040134F
这里算出了0672
004011A9 . B8 4F204000 mov eax, Crackme.0040204F ; ASCII "123456789"
004011AE . E8 BA010000 call Crackme.0040136D
004011B3 . 59 pop ecx
004011B4 . 31C8 xor eax, ecx
004011B6 . 59 pop ecx
004011B7 . 09C8 or eax, ecx
004011B9 . 50 push eax
004011BA . BB 4F204000 mov ebx, Crackme.0040204F ; ASCII "123456789"
004011BF . 0FB603 movzx eax, byte ptr ds:[ebx]
004011C2 . 0FB64B 01 movzx ecx, byte ptr ds:[ebx+1]
004011C6 . 0FAFC1 imul eax, ecx
004011C9 . 59 pop ecx
004011CA . 0FAFC1 imul eax, ecx
004011CD . BF B8204000 mov edi, Crackme.004020B8 ; ASCII "HNT-8029-0672-8038"
004011D2 . 50 push eax
004011D3 . 30C0 xor al, al
004011D5 . F2:AE repne scas byte ptr es:[edi]
004011D7 . 58 pop eax
004011D8 . 89FB mov ebx, edi ; Crackme.004020C6
004011DA . 4B dec ebx ; Crackme.004020C5
004011DB . C603 2D mov byte ptr ds:[ebx], 2D
004011DE . 43 inc ebx ; Crackme.004020C5
004011DF . E8 6B010000 call Crackme.0040134F
这里算出了8083
004011E4 . B8 4F204000 mov eax, Crackme.0040204F ; ASCII "123456789"
004011E9 . E8 7F010000 call Crackme.0040136D
004011EE . B9 1A000000 mov ecx, 1A
004011F3 . 31D2 xor edx, edx
004011F5 . F7F9 idiv ecx
004011F7 . B8 41000000 mov eax, 41
004011FC . 01D0 add eax, edx
004011FE . 89C7 mov edi, eax
00401200 . BB 4F204000 mov ebx, Crackme.0040204F ; ASCII "123456789"
00401205 . E8 7B010000 call Crackme.00401385
0040120A . 31D2 xor edx, edx
0040120C . F7F9 idiv ecx
0040120E . 83C2 41 add edx, 41
00401211 . BB B8204000 mov ebx, Crackme.004020B8 ; ASCII "HNT-8029-0672-8038-JA"
00401216 . 50 push eax
00401217 . 31C0 xor eax, eax
00401219 . 57 push edi
0040121A . 89DF mov edi, ebx ; Crackme.004020CA
0040121C . F2:AE repne scas byte ptr es:[edi]
0040121E . 58 pop eax
0040121F . 89FB mov ebx, edi
00401221 . 5F pop edi
00401222 . 4B dec ebx ; Crackme.004020CA
00401223 . C603 2D mov byte ptr ds:[ebx], 2D
00401226 . 8843 01 mov byte ptr ds:[ebx+1], al
00401229 . 8853 02 mov byte ptr ds:[ebx+2], dl
0040122C . C643 03 00 mov byte ptr ds:[ebx+3], 0
00401230 . 58 pop eax
00401231 . 56 push esi
00401232 . B8 B8204000 mov eax, Crackme.004020B8 ; ASCII "HNT-8029-0672-8038-JA"
00401237 . E8 FC000000 call Crackme.00401338
注册码完整了
尝试使用DELPHI加上内联汇编来写注册机,晕了
谁来大概概括一下,再用C或者c++写个注册机让我学习学习。
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
