破解的程序:Crackers for Freedom Official CrackMe#4
工具:PEiD v0.92、UPX、DeDe 3.5、OllyDbg 1.10
时间:2004.1.8.16:00
点这里下载
我用PEiD.v0.92探其为upx 0.89Pack,且为Delphi编写,用upx -d crackme#4.exe Unpack it.
然后,在DeDe3.5中找出检测密码的程序入口为00457BAC;
之后,用OllyDbg 1.10加载脱壳后的程序,来到00457BAC处,按F2键设断点。
然后,运行,输入Name:Smarter,ID:87654321,单击“Check if Valid”,则程序中断于
00457BAC处,然后用F7、F8键跟踪,以下为跟踪结果。
; OllyDbg 1.10 trace of the "Check if Valid" handler at 00457BAC (UPX-unpacked CFF CrackMe #4, Delphi).
; Register roles: eax on entry = Self (Delphi register convention), copied to ebx; [ebx+2D8] and
;   [ebx+2DC] are read through the helper at 00423EE0 with edx = @local string, which fills the
;   local with the control text -- presumably the Name and Serial edit controls (TODO confirm).
; Globals: [45B840] = running checksum, [45B844] = copy of the Name string.
; The calls at 00402B84 / 00402B8C sit behind a failed bounds check / jno respectively, so they are
;   presumably Delphi's range-check and overflow-check error routines ({$R+}/{$Q+} code).
; Net effect: Serial must equal IntToStr(2*(Name[1]+..+Name[6]) + 2*Length(Name)), compared as a string.
; NOTE(review): the "You must enter your Name / a Serial" boxes do NOT abort -- both fall through.
;   A Name shorter than 6 chars jumps from 00457C6B straight to 00457DC9 with the checksum still 0,
;   so such a Name is still accepted when Serial == IntToStr(2*Length(Name)).
; The listing stops at the failure message box; the epilogue and the teardown of the exception
;   frame set up at 00457BBE-00457BC7 (handler 00457E8A) are not shown.
00457BAC /. 55 push ebp ; breakpoint set here (F2); handler entry
00457BAD |. 8BEC mov ebp,esp ; standard frame
00457BAF |. 33C9 xor ecx,ecx
00457BB1 |. 51 push ecx ; reserve and zero seven local string slots [ebp-4] .. [ebp-1C]
00457BB2 |. 51 push ecx
00457BB3 |. 51 push ecx
00457BB4 |. 51 push ecx
00457BB5 |. 51 push ecx
00457BB6 |. 51 push ecx
00457BB7 |. 51 push ecx
00457BB8 |. 53 push ebx ; callee-saved
00457BB9 |. 56 push esi ; callee-saved
00457BBA |. 8BD8 mov ebx,eax ; ebx = Self (first arg arrives in eax) -- presumably the form
00457BBC |. 33C0 xor eax,eax
00457BBE |. 55 push ebp ; Delphi exception frame: push ebp, handler, previous fs:[0]
00457BBF |. 68 8A7E4500 push CRACKME#.00457E8A ; handler address (not in this listing)
00457BC4 |. 64:FF30 push dword ptr fs:[eax] ; previous fs:[0]
00457BC7 |. 64:8920 mov dword ptr fs:[eax],esp ; install the frame
00457BCA |. 8D55 FC lea edx,dword ptr ss:[ebp-4] ; edx = @local string
00457BCD |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8] ; eax = Name edit control (presumably)
00457BD3 |. E8 08C3FCFF call CRACKME#.00423EE0 ; [ebp-4] := control text (looks like TControl.GetText -- confirm)
00457BD8 |. 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; Delphi string: nil pointer == empty Name
00457BDC |. 75 18 jnz short CRACKME#.00457BF6 ; non-empty -> skip the warning
00457BDE |. 6A 00 push 0 ; flags
00457BE0 |. B9 987E4500 mov ecx,CRACKME#.00457E98 ; ASCII "Enter your Name !" (caption)
00457BE5 |. BA AC7E4500 mov edx,CRACKME#.00457EAC ; ASCII "You must enter your Name !" (text)
00457BEA |. A1 98A54500 mov eax,dword ptr ds:[45A598] ; eax = global object pointer (presumably Application)
00457BEF |. 8B00 mov eax,dword ptr ds:[eax]
00457BF1 |. E8 3A85FEFF call CRACKME#.00440130 ; message box; NOTE: no jump afterwards, execution falls through
00457BF6 |> 8D55 FC lea edx,dword ptr ss:[ebp-4] ; edx = @local string
00457BF9 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+2DC] ; eax = Serial edit control (presumably)
00457BFF |. E8 DCC2FCFF call CRACKME#.00423EE0 ; [ebp-4] := Serial text
00457C04 |. 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; empty Serial?
00457C08 |. 75 18 jnz short CRACKME#.00457C22 ; non-empty -> skip the warning
00457C0A |. 6A 00 push 0 ; flags
00457C0C |. B9 C87E4500 mov ecx,CRACKME#.00457EC8 ; ASCII "Enter a Serial !" (caption)
00457C11 |. BA DC7E4500 mov edx,CRACKME#.00457EDC ; ASCII "You must enter a Serial !" (text)
00457C16 |. A1 98A54500 mov eax,dword ptr ds:[45A598]
00457C1B |. 8B00 mov eax,dword ptr ds:[eax]
00457C1D |. E8 0E85FEFF call CRACKME#.00440130 ; message box; again falls through, an empty Serial is still compared below
00457C22 |> 33C0 xor eax,eax
00457C24 |. A3 40B84500 mov dword ptr ds:[45B840],eax ; checksum [45B840] := 0
00457C29 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
00457C2C |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457C32 |. E8 A9C2FCFF call CRACKME#.00423EE0 ; [ebp-4] := Name text (re-read)
00457C37 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00457C3A |. E8 F9BFFAFF call CRACKME#.00403C38 ; presumably a string assign/copy helper -- confirm
00457C3F |. A3 44B84500 mov dword ptr ds:[45B844],eax ; [45B844] := Name
00457C44 |. A1 44B84500 mov eax,dword ptr ds:[45B844]
00457C49 |. E8 82FDFAFF call CRACKME#.004079D0 ; eax = Length(Name)
00457C4E |. 83F8 06 cmp eax,6 ; Length(Name) >= 6 ?
00457C51 |. 73 1D jnb short CRACKME#.00457C70 ; unsigned compare: jump if length >= 6
00457C53 |. 6A 00 push 0 ; flags
00457C55 |. B9 F87E4500 mov ecx,CRACKME#.00457EF8 ; ASCII "Name too short !" (caption)
00457C5A |. BA 0C7F4500 mov edx,CRACKME#.00457F0C ; ASCII "Your Name must be at least 6 Chars long !" (text)
00457C5F |. A1 98A54500 mov eax,dword ptr ds:[45A598]
00457C64 |. 8B00 mov eax,dword ptr ds:[eax]
00457C66 |. E8 C584FEFF call CRACKME#.00440130 ; message box
00457C6B |. E9 59010000 jmp CRACKME#.00457DC9 ; NOTE: jumps to the final compare, not to the exit; [45B840] is still 0, so Serial == IntToStr(2*Length) still passes
00457C70 |> 8D55 FC lea edx,dword ptr ss:[ebp-4]
00457C73 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457C79 |. E8 62C2FCFF call CRACKME#.00423EE0 ; [ebp-4] := Name text
00457C7E |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; eax = Name chars; the next six blocks compute esi = sum(Name[i]*2), i = 1..6
00457C81 |. BA 01000000 mov edx,1 ; 1-based index 1
00457C86 |. 4A dec edx ; 0-based index for the bounds check
00457C87 |. 3B50 FC cmp edx,dword ptr ds:[eax-4] ; [str-4] = Delphi long-string length field
00457C8A |. 72 05 jb short CRACKME#.00457C91 ; in range
00457C8C |. E8 F3AEFAFF call CRACKME#.00402B84 ; out of range -> range-check error (presumably)
00457C91 |> 42 inc edx ; back to 1-based
00457C92 |. 0FB64410 FF movzx eax,byte ptr ds:[eax+edx-1] ; eax = Name[1] = 'S' (0x53) for "Smarter"
00457C97 |. 6BF0 02 imul esi,eax,2 ; esi = Name[1]*2
00457C9A |. 71 05 jno short CRACKME#.00457CA1 ; {$Q+} overflow check
00457C9C |. E8 EBAEFAFF call CRACKME#.00402B8C ; overflow error (presumably)
00457CA1 |> 8D55 F8 lea edx,dword ptr ss:[ebp-8]
00457CA4 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457CAA |. E8 31C2FCFF call CRACKME#.00423EE0 ; [ebp-8] := Name text (re-read for every character)
00457CAF |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00457CB2 |. BA 02000000 mov edx,2 ; index 2
00457CB7 |. 4A dec edx
00457CB8 |. 3B50 FC cmp edx,dword ptr ds:[eax-4] ; bounds check against Length
00457CBB |. 72 05 jb short CRACKME#.00457CC2
00457CBD |. E8 C2AEFAFF call CRACKME#.00402B84 ; range-check error
00457CC2 |> 42 inc edx
00457CC3 |. 0FB64410 FF movzx eax,byte ptr ds:[eax+edx-1] ; eax = Name[2] = 'm' (0x6D)
00457CC8 |. 6BC0 02 imul eax,eax,2 ; eax = Name[2]*2
00457CCB |. 71 05 jno short CRACKME#.00457CD2
00457CCD |. E8 BAAEFAFF call CRACKME#.00402B8C ; overflow error
00457CD2 |> 03F0 add esi,eax ; esi += Name[2]*2
00457CD4 |. 71 05 jno short CRACKME#.00457CDB
00457CD6 |. E8 B1AEFAFF call CRACKME#.00402B8C ; overflow error
00457CDB |> 8D55 F4 lea edx,dword ptr ss:[ebp-C]
00457CDE |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457CE4 |. E8 F7C1FCFF call CRACKME#.00423EE0 ; [ebp-C] := Name text
00457CE9 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00457CEC |. BA 03000000 mov edx,3 ; index 3
00457CF1 |. 4A dec edx
00457CF2 |. 3B50 FC cmp edx,dword ptr ds:[eax-4] ; bounds check
00457CF5 |. 72 05 jb short CRACKME#.00457CFC
00457CF7 |. E8 88AEFAFF call CRACKME#.00402B84 ; range-check error
00457CFC |> 42 inc edx
00457CFD |. 0FB64410 FF movzx eax,byte ptr ds:[eax+edx-1] ; eax = Name[3] = 'a' (0x61)
00457D02 |. 6BC0 02 imul eax,eax,2 ; eax = Name[3]*2
00457D05 |. 71 05 jno short CRACKME#.00457D0C
00457D07 |. E8 80AEFAFF call CRACKME#.00402B8C ; overflow error
00457D0C |> 03F0 add esi,eax ; esi += Name[3]*2
00457D0E |. 71 05 jno short CRACKME#.00457D15
00457D10 |. E8 77AEFAFF call CRACKME#.00402B8C ; overflow error
00457D15 |> 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00457D18 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457D1E |. E8 BDC1FCFF call CRACKME#.00423EE0 ; [ebp-10] := Name text
00457D23 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00457D26 |. BA 04000000 mov edx,4 ; index 4
00457D2B |. 4A dec edx
00457D2C |. 3B50 FC cmp edx,dword ptr ds:[eax-4] ; bounds check
00457D2F |. 72 05 jb short CRACKME#.00457D36
00457D31 |. E8 4EAEFAFF call CRACKME#.00402B84 ; range-check error
00457D36 |> 42 inc edx
00457D37 |. 0FB64410 FF movzx eax,byte ptr ds:[eax+edx-1] ; eax = Name[4] = 'r' (0x72)
00457D3C |. 6BC0 02 imul eax,eax,2 ; eax = Name[4]*2
00457D3F |. 71 05 jno short CRACKME#.00457D46
00457D41 |. E8 46AEFAFF call CRACKME#.00402B8C ; overflow error
00457D46 |> 03F0 add esi,eax ; esi += Name[4]*2
00457D48 |. 71 05 jno short CRACKME#.00457D4F
00457D4A |. E8 3DAEFAFF call CRACKME#.00402B8C ; overflow error
00457D4F |> 8D55 EC lea edx,dword ptr ss:[ebp-14]
00457D52 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457D58 |. E8 83C1FCFF call CRACKME#.00423EE0 ; [ebp-14] := Name text
00457D5D |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00457D60 |. BA 05000000 mov edx,5 ; index 5
00457D65 |. 4A dec edx
00457D66 |. 3B50 FC cmp edx,dword ptr ds:[eax-4] ; bounds check
00457D69 |. 72 05 jb short CRACKME#.00457D70
00457D6B |. E8 14AEFAFF call CRACKME#.00402B84 ; range-check error
00457D70 |> 42 inc edx
00457D71 |. 0FB64410 FF movzx eax,byte ptr ds:[eax+edx-1] ; eax = Name[5] = 't' (0x74)
00457D76 |. 6BC0 02 imul eax,eax,2 ; eax = Name[5]*2
00457D79 |. 71 05 jno short CRACKME#.00457D80
00457D7B |. E8 0CAEFAFF call CRACKME#.00402B8C ; overflow error
00457D80 |> 03F0 add esi,eax ; esi += Name[5]*2
00457D82 |. 71 05 jno short CRACKME#.00457D89
00457D84 |. E8 03AEFAFF call CRACKME#.00402B8C ; overflow error
00457D89 |> 8D55 E8 lea edx,dword ptr ss:[ebp-18]
00457D8C |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457D92 |. E8 49C1FCFF call CRACKME#.00423EE0 ; [ebp-18] := Name text
00457D97 |. 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00457D9A |. BA 06000000 mov edx,6 ; index 6 (characters 7+ are never used)
00457D9F |. 4A dec edx
00457DA0 |. 3B50 FC cmp edx,dword ptr ds:[eax-4] ; bounds check
00457DA3 |. 72 05 jb short CRACKME#.00457DAA
00457DA5 |. E8 DAADFAFF call CRACKME#.00402B84 ; range-check error
00457DAA |> 42 inc edx
00457DAB |. 0FB64410 FF movzx eax,byte ptr ds:[eax+edx-1] ; eax = Name[6] = 'e' (0x65)
00457DB0 |. 6BC0 02 imul eax,eax,2 ; eax = Name[6]*2
00457DB3 |. 71 05 jno short CRACKME#.00457DBA
00457DB5 |. E8 D2ADFAFF call CRACKME#.00402B8C ; overflow error
00457DBA |> 03F0 add esi,eax ; esi += Name[6]*2
00457DBC |. 71 05 jno short CRACKME#.00457DC3
00457DBE |. E8 C9ADFAFF call CRACKME#.00402B8C ; overflow error
00457DC3 |> 8935 40B84500 mov dword ptr ds:[45B840],esi ; [45B840] := 2*(Name[1]+..+Name[6]) (0x4D8 for "Smarter")
00457DC9 |> A1 44B84500 mov eax,dword ptr ds:[45B844] ; also the target of the too-short jump; eax = Name
00457DCE |. E8 FDFBFAFF call CRACKME#.004079D0 ; eax = Length(Name)
00457DD3 |. 6BC0 02 imul eax,eax,2 ; eax = Length*2 (7*2 = 0xE for "Smarter")
00457DD6 |. 73 05 jnb short CRACKME#.00457DDD ; imul sets CF=OF on overflow, so jnb acts as the overflow check here
00457DD8 |. E8 AFADFAFF call CRACKME#.00402B8C ; overflow error
00457DDD |> 33D2 xor edx,edx
00457DDF |. 52 push edx ; push Int64(Length*2) as edx:eax, high dword 0
00457DE0 |. 50 push eax
00457DE1 |. A1 40B84500 mov eax,dword ptr ds:[45B840] ; eax = checksum (0x4D8 here; 0 if the Name was too short)
00457DE6 |. 99 cdq ; sign-extend into edx:eax (Int64 arithmetic)
00457DE7 |. 030424 add eax,dword ptr ss:[esp] ; low dword += Length*2 (0x4D8 + 0xE = 0x4E6)
00457DEA |. 135424 04 adc edx,dword ptr ss:[esp+4] ; high dword += carry (stays 0)
00457DEE |. 71 05 jno short CRACKME#.00457DF5
00457DF0 |. E8 97ADFAFF call CRACKME#.00402B8C ; 64-bit overflow error
00457DF5 |> 83C4 08 add esp,8 ; drop the pushed Int64
00457DF8 |. 50 push eax ; save the low dword (the result)
00457DF9 |. C1F8 1F sar eax,1F ; arithmetic shift right 31: eax = sign of the low dword replicated (0 or -1)
00457DFC |. 3BC2 cmp eax,edx ; Int64 -> Integer narrowing range check: high dword must equal the sign extension of the low dword
00457DFE |. 58 pop eax ; restore the result
00457DFF |. 74 05 je short CRACKME#.00457E06 ; fits in 32 bits
00457E01 |. E8 7EADFAFF call CRACKME#.00402B84 ; otherwise range-check error
00457E06 |> A3 40B84500 mov dword ptr ds:[45B840],eax ; [45B840] := final value (0x4E6 = 1254)
00457E0B |. 8D55 E4 lea edx,dword ptr ss:[ebp-1C] ; edx = @result string
00457E0E |. A1 40B84500 mov eax,dword ptr ds:[45B840] ; eax = 0x4E6
00457E13 |. E8 2CF9FAFF call CRACKME#.00407744 ; [ebp-1C] := decimal string of eax ("1254"); presumably IntToStr
00457E18 |. 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00457E1B |. 50 push eax ; push the expected serial string
00457E1C |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
00457E1F |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+2DC] ; eax = Serial edit control
00457E25 |. E8 B6C0FCFF call CRACKME#.00423EE0 ; [ebp-4] := entered Serial ("87654321" in this trace)
00457E2A |. 8B55 FC mov edx,dword ptr ss:[ebp-4] ; edx = entered Serial
00457E2D |. 58 pop eax ; eax = expected Serial ("1254")
00457E2E |. E8 51BDFAFF call CRACKME#.00403B84 ; string compare (presumably _LStrCmp); ZF set when equal
00457E33 |. 75 1A jnz short CRACKME#.00457E4F ; the only check that matters: not equal -> failure box
00457E35 |. 6A 00 push 0 ; flags
00457E37 |. B9 387F4500 mov ecx,CRACKME#.00457F38 ; ASCII "Congratz !" (caption)
00457E3C |. BA 447F4500 mov edx,CRACKME#.00457F44 ; ASCII "You cracked the CFF CrackMe #4 ! Please send your solution to [email]acidbytes@gmx.net[/email] !"
00457E41 |. A1 98A54500 mov eax,dword ptr ds:[45A598]
00457E46 |. 8B00 mov eax,dword ptr ds:[eax]
00457E48 |. E8 E382FEFF call CRACKME#.00440130 ; success message box
00457E4D |. EB 18 jmp short CRACKME#.00457E67 ; skip the failure box (epilogue beyond this listing)
00457E4F |> 6A 00 push 0 ; flags
00457E51 |. B9 987F4500 mov ecx,CRACKME#.00457F98 ; ASCII "Serial not valid" (caption)
00457E56 |. BA AC7F4500 mov edx,CRACKME#.00457FAC ; ASCII "The Serial you entered is in any case not valid !" (text)
00457E5B |. A1 98A54500 mov eax,dword ptr ds:[45A598]
00457E60 |. 8B00 mov eax,dword ptr ds:[eax]
00457E62 |. E8 C982FEFF call CRACKME#.00440130 ; failure message box; trace ends here
综合起来,Serial的计算方法为:取Name前6个字符的ASCII码与Name的长度,将这七个数相加,和再乘以2,转化为
十进制字符串,即为Serial。注意两点:Name或Serial为空时只弹提示框并不退出;Name不足6个字符时,00457C6B处直接跳到00457DC9,此时累加和仍为0,Serial=Decimal(length*2)同样能通过校验。
在笔者的跟踪过程中,其计算过程为:
Name="Smarter";
length=7;
Serial=Decimal([(S+m+a+r+t+e+length)*2]);
(53+6D+61+72+74+65+7)*2=4E6;
decimal(4E6)=1254;
Serial=1254;
这是我的第一篇破解文,可能太简单,各路大虾见笑了!:D :D