首页
社区
课程
招聘
acafeel的CrackMe算法详细分析
发表于: 2004-12-27 16:48 8823

acafeel的CrackMe算法详细分析

2004-12-27 16:48
8823

废话我就不多说了,我就直奔主题吧。

呵呵,首先,因为这个CrackMe加了壳,所以我们先将他的壳去掉。
//外壳入口,第一层外壳,往下拉动滚动条,找到RETN子程序返回语句。

004B5000 >  9C              PUSHFD
004B5001    60              PUSHAD
004B5002    8B4424 24       MOV EAX,DWORD PTR SS:[ESP+24]
004B5006    E8 00000000     CALL CRACKME1.004B500B
004B500B    5D              POP EBP
004B500C    81ED 351C4000   SUB EBP,CRACKME1.00401C35
004B5012    50              PUSH EAX
004B5013    E8 ED020000     CALL CRACKME1.004B5305
004B5018    85C0            TEST EAX,EAX
004B501A    0F84 B3000000   JE CRACKME1.004B50D3
004B5020    8985 9C224000   MOV DWORD PTR SS:[EBP+40229C],EAX
004B5026    E8 95030000     CALL CRACKME1.004B53C0
004B502B    85C0            TEST EAX,EAX
004B502D    0F84 87000000   JE CRACKME1.004B50BA
004B5033    6A 00           PUSH 0
004B5035    FF95 D7214000   CALL DWORD PTR SS:[EBP+4021D7]
004B503B    8985 AC224000   MOV DWORD PTR SS:[EBP+4022AC],EAX
004B5041    80BD B0224000 0>CMP BYTE PTR SS:[EBP+4022B0],1
004B5048    0F85 86000000   JNZ CRACKME1.004B50D4
004B504E    E8 9E010000     CALL CRACKME1.004B51F1
004B5053    85C0            TEST EAX,EAX
004B5055    74 63           JE SHORT CRACKME1.004B50BA
004B5057    E8 C4010000     CALL CRACKME1.004B5220
004B505C    E8 DE030000     CALL CRACKME1.004B543F
004B5061    85C0            TEST EAX,EAX
004B5063    74 3D           JE SHORT CRACKME1.004B50A2
004B5065    FFB5 A4224000   PUSH DWORD PTR SS:[EBP+4022A4]
004B506B    6A 00           PUSH 0
004B506D    68 72010000     PUSH 172
004B5072    FFB5 A0224000   PUSH DWORD PTR SS:[EBP+4022A0]
004B5078    FF95 66224000   CALL DWORD PTR SS:[EBP+402266]
004B507E    FFB5 A0224000   PUSH DWORD PTR SS:[EBP+4022A0]
004B5084    FF95 77224000   CALL DWORD PTR SS:[EBP+402277]
004B508A    FFB5 A8224000   PUSH DWORD PTR SS:[EBP+4022A8]
004B5090    FF95 C2214000   CALL DWORD PTR SS:[EBP+4021C2]
004B5096    FFB5 A0224000   PUSH DWORD PTR SS:[EBP+4022A0]
004B509C    FF95 28224000   CALL DWORD PTR SS:[EBP+402228]
004B50A2    FFB5 A4224000   PUSH DWORD PTR SS:[EBP+4022A4]
004B50A8    FF95 AA214000   CALL DWORD PTR SS:[EBP+4021AA]
004B50AE    FFB5 98224000   PUSH DWORD PTR SS:[EBP+402298]
004B50B4    FF95 F6214000   CALL DWORD PTR SS:[EBP+4021F6]
004B50BA    8B85 AC224000   MOV EAX,DWORD PTR SS:[EBP+4022AC]
004B50C0    0385 94224000   ADD EAX,DWORD PTR SS:[EBP+402294]
004B50C6    8985 F91C4000   MOV DWORD PTR SS:[EBP+401CF9],EAX
004B50CC    61              POPAD
004B50CD    9D              POPFD
004B50CE    68 00000000     PUSH 0
004B50D3    C3              RETN      //在这里下一个断点,F9运行程序将中断在这里
004B4000    90              NOP
004B4001    90              NOP
004B4002    90              NOP
004B4003    90              NOP
............................... //省略一大段NOP语句,
...............................
004B41A6    90              NOP
004B41A7    90              NOP
004B41A8    90              NOP
004B41A9  - E9 32D1FFFF     JMP CRACKME1.004B12E0  //到这里,在这里下一个断点,F9运行程序将中断在这里。
004B12E0    60              PUSHAD
004B12E1    BE 00104700     MOV ESI,CRACKME1.00471000
004B12E6    8DBE 0000F9FF   LEA EDI,DWORD PTR DS:[ESI+FFF90000]
004B12EC    C787 D0240900 7>MOV DWORD PTR DS:[EDI+924D0],484B2170
004B12F6    57              PUSH EDI
004B12F7    83CD FF         OR EBP,FFFFFFFF
004B12FA    EB 0E           JMP SHORT CRACKME1.004B130A
004B12FC    90              NOP
004B12FD    90              NOP
004B12FE    90              NOP
004B12FF    90              NOP
004B1300    8A06            MOV AL,BYTE PTR DS:[ESI]
004B1302    46              INC ESI
004B1303    8807            MOV BYTE PTR DS:[EDI],AL
004B1305    47              INC EDI
004B1306    01DB            ADD EBX,EBX
004B1308    75 07           JNZ SHORT CRACKME1.004B1311
004B130A    8B1E            MOV EBX,DWORD PTR DS:[ESI]
004B130C    83EE FC         SUB ESI,-4
004B130F    11DB            ADC EBX,EBX
004B1311  ^ 72 ED           JB SHORT CRACKME1.004B1300
004B1313    B8 01000000     MOV EAX,1
004B1318    01DB            ADD EBX,EBX
004B131A    75 07           JNZ SHORT CRACKME1.004B1323
004B131C    8B1E            MOV EBX,DWORD PTR DS:[ESI]
004B131E    83EE FC         SUB ESI,-4
004B1321    11DB            ADC EBX,EBX
004B1323    11C0            ADC EAX,EAX
004B1325    01DB            ADD EBX,EBX
004B1327    73 0B           JNB SHORT CRACKME1.004B1334
004B1329    75 19           JNZ SHORT CRACKME1.004B1344
004B132B    8B1E            MOV EBX,DWORD PTR DS:[ESI]
004B132D    83EE FC         SUB ESI,-4
004B1330    11DB            ADC EBX,EBX
004B1332    72 10           JB SHORT CRACKME1.004B1344
004B1334    48              DEC EAX
004B1335    01DB            ADD EBX,EBX
004B1337    75 07           JNZ SHORT CRACKME1.004B1340
004B1339    8B1E            MOV EBX,DWORD PTR DS:[ESI]
004B133B    83EE FC         SUB ESI,-4
004B133E    11DB            ADC EBX,EBX
004B1340    11C0            ADC EAX,EAX
004B1342  ^ EB D4           JMP SHORT CRACKME1.004B1318
004B1344    31C9            XOR ECX,ECX
004B1346    83E8 03         SUB EAX,3
004B1349    72 11           JB SHORT CRACKME1.004B135C
004B134B    C1E0 08         SHL EAX,8
004B134E    8A06            MOV AL,BYTE PTR DS:[ESI]
004B1350    46              INC ESI
004B1351    83F0 FF         XOR EAX,FFFFFFFF
004B1354    74 78           JE SHORT CRACKME1.004B13CE
004B1356    D1F8            SAR EAX,1
004B1358    89C5            MOV EBP,EAX
004B135A    EB 0B           JMP SHORT CRACKME1.004B1367
004B135C    01DB            ADD EBX,EBX
004B135E    75 07           JNZ SHORT CRACKME1.004B1367
004B1360    8B1E            MOV EBX,DWORD PTR DS:[ESI]
004B1362    83EE FC         SUB ESI,-4
004B1365    11DB            ADC EBX,EBX
004B1367    11C9            ADC ECX,ECX
004B1369    01DB            ADD EBX,EBX
004B136B    75 07           JNZ SHORT CRACKME1.004B1374
004B136D    8B1E            MOV EBX,DWORD PTR DS:[ESI]
004B136F    83EE FC         SUB ESI,-4
004B1372    11DB            ADC EBX,EBX
004B1374    11C9            ADC ECX,ECX
004B1376    75 20           JNZ SHORT CRACKME1.004B1398
004B1378    41              INC ECX
004B1379    01DB            ADD EBX,EBX
004B137B    75 07           JNZ SHORT CRACKME1.004B1384
004B137D    8B1E            MOV EBX,DWORD PTR DS:[ESI]
004B137F    83EE FC         SUB ESI,-4
004B1382    11DB            ADC EBX,EBX
004B1384    11C9            ADC ECX,ECX
004B1386    01DB            ADD EBX,EBX
004B1388  ^ 73 EF           JNB SHORT CRACKME1.004B1379
004B138A    75 09           JNZ SHORT CRACKME1.004B1395
004B138C    8B1E            MOV EBX,DWORD PTR DS:[ESI]
004B138E    83EE FC         SUB ESI,-4
004B1391    11DB            ADC EBX,EBX
004B1393  ^ 73 E4           JNB SHORT CRACKME1.004B1379
004B1395    83C1 02         ADD ECX,2
004B1398    81FD 00FBFFFF   CMP EBP,-500
004B139E    83D1 01         ADC ECX,1
004B13A1    8D142F          LEA EDX,DWORD PTR DS:[EDI+EBP]
004B13A4    83FD FC         CMP EBP,-4
004B13A7    76 0F           JBE SHORT CRACKME1.004B13B8
004B13A9    8A02            MOV AL,BYTE PTR DS:[EDX]
004B13AB    42              INC EDX
004B13AC    8807            MOV BYTE PTR DS:[EDI],AL
004B13AE    47              INC EDI
004B13AF    49              DEC ECX
004B13B0  ^ 75 F7           JNZ SHORT CRACKME1.004B13A9
004B13B2  ^ E9 4FFFFFFF     JMP CRACKME1.004B1306
004B13B7    90              NOP
004B13B8    8B02            MOV EAX,DWORD PTR DS:[EDX]
004B13BA    83C2 04         ADD EDX,4
004B13BD    8907            MOV DWORD PTR DS:[EDI],EAX
004B13BF    83C7 04         ADD EDI,4
004B13C2    83E9 04         SUB ECX,4
004B13C5  ^ 77 F1           JA SHORT CRACKME1.004B13B8
004B13C7    01CF            ADD EDI,ECX
004B13C9  ^ E9 38FFFFFF     JMP CRACKME1.004B1306
004B13CE    5E              POP ESI
004B13CF    89F7            MOV EDI,ESI
004B13D1    B9 A6470000     MOV ECX,47A6
004B13D6    8A07            MOV AL,BYTE PTR DS:[EDI]
004B13D8    47              INC EDI
004B13D9    2C E8           SUB AL,0E8
004B13DB    3C 01           CMP AL,1
004B13DD  ^ 77 F7           JA SHORT CRACKME1.004B13D6
004B13DF    803F 19         CMP BYTE PTR DS:[EDI],19
004B13E2  ^ 75 F2           JNZ SHORT CRACKME1.004B13D6
004B13E4    8B07            MOV EAX,DWORD PTR DS:[EDI]
004B13E6    8A5F 04         MOV BL,BYTE PTR DS:[EDI+4]
004B13E9    66:C1E8 08      SHR AX,8
004B13ED    C1C0 10         ROL EAX,10
004B13F0    86C4            XCHG AH,AL
004B13F2    29F8            SUB EAX,EDI
004B13F4    80EB E8         SUB BL,0E8
004B13F7    01F0            ADD EAX,ESI
004B13F9    8907            MOV DWORD PTR DS:[EDI],EAX
004B13FB    83C7 05         ADD EDI,5
004B13FE    89D8            MOV EAX,EBX
004B1400  ^ E2 D9           LOOPD SHORT CRACKME1.004B13DB
004B1402    8DBE 00E00A00   LEA EDI,DWORD PTR DS:[ESI+AE000]
004B1408    8B07            MOV EAX,DWORD PTR DS:[EDI]
004B140A    09C0            OR EAX,EAX
004B140C    74 3C           JE SHORT CRACKME1.004B144A
004B140E    8B5F 04         MOV EBX,DWORD PTR DS:[EDI+4]
004B1411    8D8430 30200B00 LEA EAX,DWORD PTR DS:[EAX+ESI+B2030]
004B1418    01F3            ADD EBX,ESI
004B141A    50              PUSH EAX
004B141B    83C7 08         ADD EDI,8
004B141E    FF96 F8200B00   CALL DWORD PTR DS:[ESI+B20F8]
004B1424    95              XCHG EAX,EBP
004B1425    8A07            MOV AL,BYTE PTR DS:[EDI]
004B1427    47              INC EDI
004B1428    08C0            OR AL,AL
004B142A  ^ 74 DC           JE SHORT CRACKME1.004B1408
004B142C    89F9            MOV ECX,EDI
004B142E    57              PUSH EDI
004B142F    48              DEC EAX
004B1430    F2:AE           REPNE SCAS BYTE PTR ES:[EDI]
004B1432    55              PUSH EBP
004B1433    FF96 FC200B00   CALL DWORD PTR DS:[ESI+B20FC]
004B1439    09C0            OR EAX,EAX
004B143B    74 07           JE SHORT CRACKME1.004B1444
004B143D    8903            MOV DWORD PTR DS:[EBX],EAX
004B143F    83C3 04         ADD EBX,4
004B1442  ^ EB E1           JMP SHORT CRACKME1.004B1425
004B1444    FF96 00210B00   CALL DWORD PTR DS:[ESI+B2100]
004B144A    61              POPAD    //到这里,下一个断点,F9运行程序将中断在这里。
004B144B  ^ E9 A8EBFDFF     JMP CRACKME1.0048FFF8  //跨段跳,跳到程序入口。
0048FFF8    55              PUSH EBP
0048FFF9    8BEC            MOV EBP,ESP
0048FFFB    83C4 F4         ADD ESP,-0C
0048FFFE    B8 18FE4800     MOV EAX,CRACKME1.0048FE18
00490003    E8 6C65F7FF     CALL CRACKME1.00406574
00490008    A1 6C234900     MOV EAX,DWORD PTR DS:[49236C]
0049000D    8B00            MOV EAX,DWORD PTR DS:[EAX]
0049000F    E8 D890FAFF     CALL CRACKME1.004390EC
00490014    E8 FFFCFFFF     CALL CRACKME1.0048FD18
00490019    84C0            TEST AL,AL
0049001B    74 0E           JE SHORT CRACKME1.0049002B
0049001D    A1 6C234900     MOV EAX,DWORD PTR DS:[49236C]
00490022    8B00            MOV EAX,DWORD PTR DS:[EAX]
00490024    E8 0F92FAFF     CALL CRACKME1.00439238
00490029    EB 24           JMP SHORT CRACKME1.0049004F
0049002B    8B0D 6C244900   MOV ECX,DWORD PTR DS:[49246C]            ; CRACKME1.0049393C
00490031    A1 6C234900     MOV EAX,DWORD PTR DS:[49236C]
00490036    8B00            MOV EAX,DWORD PTR DS:[EAX]
00490038    8B15 68F24800   MOV EDX,DWORD PTR DS:[48F268]            ; CRACKME1.0048F2B4
0049003E    E8 C190FAFF     CALL CRACKME1.00439104
00490043    A1 6C234900     MOV EAX,DWORD PTR DS:[49236C]
00490048    8B00            MOV EAX,DWORD PTR DS:[EAX]
0049004A    E8 3591FAFF     CALL CRACKME1.00439184
0049004F    E8 5839F7FF     CALL CRACKME1.004039AC
00490054    0000            ADD BYTE PTR DS:[EAX],AL
00490056    0000            ADD BYTE PTR DS:[EAX],AL
00490058    0000            ADD BYTE PTR DS:[EAX],AL
0049005A    0000            ADD BYTE PTR DS:[EAX],AL
0048FB2C   55                     push    ebp
0048FB2D   8BEC                   mov     ebp, esp
0048FB2F   6A00                   push    $00
0048FB31   6A00                   push    $00
0048FB33   6A00                   push    $00
0048FB35   33C0                   xor     eax, eax
0048FB37   55                     push    ebp
0048FB38   68E5FB4800             push    $0048FBE5

***** TRY
|
0048FB3D   64FF30                 push    dword ptr fs:[eax]
0048FB40   648920                 mov     fs:[eax], esp
0048FB43   8D55FC                 lea     edx, [ebp-$04]
0048FB46   A13C394900             mov     eax, dword ptr [$0049393C]

* Reference to control Edit1 : TEdit
|
0048FB4B   8B80D8020000           mov     eax, [eax+$02D8]

* Reference to: controls.TControl.GetText(TControl):TCaption;
|
0048FB51   E89670FBFF             call    00446BEC
0048FB56   8B45FC                 mov     eax, [ebp-$04]
0048FB59   50                     push    eax

* Possible String Reference to: 'name'
|
0048FB5A   B9F8FB4800             mov     ecx, $0048FBF8

* Possible String Reference to: 'Reg'
|
0048FB5F   BA08FC4800             mov     edx, $0048FC08
0048FB64   A144394900             mov     eax, dword ptr [$00493944]

* Reference to: registry.TRegIniFile.WriteString(TRegIniFile;AnsiString;AnsiString;AnsiString);
|
0048FB69   E8E2F5FFFF             call    0048F150
0048FB6E   8D55F8                 lea     edx, [ebp-$08]
0048FB71   A13C394900             mov     eax, dword ptr [$0049393C]

* Reference to control Edit2 : TEdit
|
0048FB76   8B80E0020000           mov     eax, [eax+$02E0]

* Reference to: controls.TControl.GetText(TControl):TCaption;
|
0048FB7C   E86B70FBFF             call    00446BEC
0048FB81   8B45F8                 mov     eax, [ebp-$08]
0048FB84   50                     push    eax

* Possible String Reference to: 'code'
|
0048FB85   B914FC4800             mov     ecx, $0048FC14

* Possible String Reference to: 'Reg'
|
0048FB8A   BA08FC4800             mov     edx, $0048FC08
0048FB8F   A144394900             mov     eax, dword ptr [$00493944]

* Reference to: registry.TRegIniFile.WriteString(TRegIniFile;AnsiString;AnsiString;AnsiString);
|
0048FB94   E8B7F5FFFF             call    0048F150
0048FB99   6A01                   push    $01
0048FB9B   8D55F4                 lea     edx, [ebp-$0C]
0048FB9E   A16C234900             mov     eax, dword ptr [$0049236C]
0048FBA3   8B00                   mov     eax, [eax]

* Reference to: ddeman.TDdeMgr.GetExeName(TDdeMgr):AnsiString;
|           or: forms.TApplication.GetExeName(TApplication):AnsiString;
|
0048FBA5   E8A29AFAFF             call    0043964C
0048FBAA   8B45F4                 mov     eax, [ebp-$0C]

* Reference to: system.@LStrToPChar;
|
0048FBAD   E87643F7FF             call    00403F28
0048FBB2   50                     push    eax

* Reference to: Y.WinExec()
|
0048FBB3   E8386CF7FF             call    004067F0
0048FBB8   A13C394900             mov     eax, dword ptr [$0049393C]

* Reference to: forms.TCustomForm.Close(TCustomForm);
|
0048FBBD   E8D663FAFF             call    00435F98
0048FBC2   33C0                   xor     eax, eax
0048FBC4   5A                     pop     edx
0048FBC5   59                     pop     ecx
0048FBC6   59                     pop     ecx
0048FBC7   648910                 mov     fs:[eax], edx

****** FINALLY
|
0048FBCA   68ECFB4800             push    $0048FBEC
0048FBCF   8D45F4                 lea     eax, [ebp-$0C]

* Reference to: system.@LStrClr(String;String);
|
0048FBD2   E80D3FF7FF             call    00403AE4
0048FBD7   8D45F8                 lea     eax, [ebp-$08]
0048FBDA   BA02000000             mov     edx, $00000002

* Reference to: system.@LStrArrayClr;
|
0048FBDF   E8243FF7FF             call    00403B08
0048FBE4   C3                     ret


* Reference to: system.@HandleFinally;
|
0048FBE5   E99239F7FF             jmp     0040357C
0048FBEA   EBE3                   jmp     0048FBCF

****** END
|
0048FBEC   8BE5                   mov     esp, ebp
0048FBEE   5D                     pop     ebp
0048FBEF   C3                     ret

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 7
支持
分享
最新回复 (10)
雪    币: 230
活跃值: (11)
能力值: ( LV8,RANK:130 )
在线值:
发帖
回帖
粉丝
2
顶  ~~~~~~~~~~~

BS 看帖不顶的

2004-12-27 17:11
0
雪    币: 201
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
不错,学习……
2004-12-27 19:02
0
雪    币: 98745
活跃值: (201039)
能力值: (RANK:10 )
在线值:
发帖
回帖
粉丝
4
支持!!!
2004-12-27 19:06
0
雪    币: 209
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
学习了,楼主谢了
2004-12-27 21:17
0
雪    币: 205
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
6
先顶再看~~
2004-12-27 22:34
0
雪    币: 207
活跃值: (11)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
7
可惜DELPHI源程序看不懂
2004-12-27 23:39
0
雪    币: 333
活跃值: (116)
能力值: ( LV9,RANK:570 )
在线值:
发帖
回帖
粉丝
8
顶,对楼主表示敬佩:D
2004-12-29 09:31
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
9
经典~学习了!谢谢,楼主辛苦~
2004-12-29 13:36
0
雪    币: 61
活跃值: (160)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
10
支持!!!
2004-12-29 22:09
0
雪    币: 231
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
11
学习啦呀!!!
2010-10-19 12:08
0
游客
登录 | 注册 方可回帖
返回
//