An exercise I did at CCG a while ago. Boss, could you take a look and see whether it can be posted?
【Title】Cracking a CrackMe
【Author】basicbird (newbie)
【Email】hry817@gmail.com
【Homepage】Nothing there, so I won't introduce it
【Tools】ded + OD
【Platform】winsp3
【Software】monkey keygen #1
【Size】503KB
【Original download】monkey_keygen1.zip (271.58 KB) 2009-9-12 21:03
【Protection】Serial number check
【Description】
【Statement】Purely for technical study; if there are any mistakes, please point them out!
------------------------------------------------------------------------
【Cracking process】
------------------------------------------------------------------------
First run the program and enter:
Name: basicbird
Serial: 123
Nothing happens on registering. The file is not packed, so load it directly in OD and search the referenced strings for anything useful:
(screenshot: Snap3.jpg, 2009-9-12)
0046660F | PUSH monkey_k.0046666C | ASCII "Valid Key"
See the line above; double-click it to go there and have a look:
00466600 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00466603 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
00466606 |. E8 A1DDF9FF CALL monkey_k.004043AC
0046660B |. 75 13 JNZ SHORT monkey_k.00466620
0046660D |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
0046660F |. 68 6C664600 PUSH monkey_k.0046666C ; |Title = "Valid Key"
00466614 |. 68 6C664600 PUSH monkey_k.0046666C ; |Text = "Valid Key"
00466619 |. 6A 00 PUSH 0 ; |hOwner = NULL
0046661B |. E8 D400FAFF CALL <JMP.&user32.MessageBoxA> // shows the message box; the CALL above it is very likely the registration check,
// so go further up and set the breakpoint there
00466620 |> 33C0 XOR EAX,EAX
00466622 |. 5A POP EDX
I only noticed the above today, when the thread starter asked me to explain the breakpoint in detail; originally, since this is a Delphi program, I located the breakpoint directly with DED.
Load the file in ded and find the button click event handler; that gives you the breakpoint address.
(screenshot: Image00000.jpg, 2009-9-12)
Note the address, open OD, press Ctrl+G to go to 00466580 and set a breakpoint there:
00466580 /. 55 PUSH EBP // registration check; breakpoint here
00466581 |. 8BEC MOV EBP,ESP
00466583 |. 83C4 E8 ADD ESP,-18
00466586 |. 33C9 XOR ECX,ECX
00466588 |. 894D E8 MOV DWORD PTR SS:[EBP-18],ECX
0046658B |. 894D EC MOV DWORD PTR SS:[EBP-14],ECX
0046658E |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX
00466591 |. 8955 F0 MOV DWORD PTR SS:[EBP-10],EDX
00466594 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00466597 |. 33C0 XOR EAX,EAX
00466599 |. 55 PUSH EBP
0046659A |. 68 60664600 PUSH monkey_k.00466660
0046659F |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004665A2 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004665A5 |. 68 BF580000 PUSH 58BF
004665AA |. 66:B9 6DCE MOV CX,0CE6D
004665AE |. B2 01 MOV DL,1
004665B0 |. A1 84614600 MOV EAX,DWORD PTR DS:[466184]
004665B5 |. E8 22FCFFFF CALL monkey_k.004661DC
004665BA |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
004665BD |. 33C0 XOR EAX,EAX
004665BF |. 55 PUSH EBP
004665C0 |. 68 36664600 PUSH monkey_k.00466636
004665C5 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004665C8 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004665CB |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004665CE |. 50 PUSH EAX
004665CF |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
004665D2 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004665D5 |. 8B80 FC020000 MOV EAX,DWORD PTR DS:[EAX+2FC]
004665DB |. E8 08BBFCFF CALL monkey_k.004320E8
004665E0 |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
004665E3 |. 66:B9 E14D MOV CX,4DE1 // initial value for the computation, used later
004665E7 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] // the user name:
004665EA |. E8 41FCFFFF CALL monkey_k.00466230 // the algorithm; step into this
004665EF |. 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
004665F2 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004665F5 |. 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+300]
004665FB |. E8 E8BAFCFF CALL monkey_k.004320E8
00466600 |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] // the entered serial:
00466603 |. 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] // the correct serial is visible in plaintext here (ASCII "2F14EAB8616291A99E")
00466606 |. E8 A1DDF9FF CALL monkey_k.004043AC
0046660B |. 75 13 JNZ SHORT monkey_k.00466620
0046660D |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
0046660F |. 68 6C664600 PUSH monkey_k.0046666C ; |Title = "Valid Key"
00466614 |. 68 6C664600 PUSH monkey_k.0046666C ; |Text = "Valid Key"
00466619 |. 6A 00 PUSH 0 ; |hOwner = NULL
0046661B |. E8 D400FAFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
00466620 |> 33C0 XOR EAX,EAX
00466622 |. 5A POP EDX
00466623 |. 59 POP ECX
00466624 |. 59 POP ECX
00466625 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00466628 |. 68 3D664600 PUSH monkey_k.0046663D
0046662D |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00466630 |. E8 C7CAF9FF CALL monkey_k.004030FC
00466635 \. C3 RETN
Stepping into the CALL above:
00466230 /$ 55 PUSH EBP
00466231 |. 8BEC MOV EBP,ESP
00466233 |. 83C4 E4 ADD ESP,-1C
00466236 |. 53 PUSH EBX
00466237 |. 33DB XOR EBX,EBX
00466239 |. 895D E4 MOV DWORD PTR SS:[EBP-1C],EBX // name length
0046623C |. 66:894D F6 MOV WORD PTR SS:[EBP-A],CX // i.e. the 4DE1 from earlier
00466240 |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
00466243 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00466246 |. 33C0 XOR EAX,EAX
00466248 |. 55 PUSH EBP
00466249 |. 68 E9624600 PUSH monkey_k.004662E9
0046624E |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00466251 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00466254 |. 66:8B45 F6 MOV AX,WORD PTR SS:[EBP-A]
00466258 |. 66:8945 EE MOV WORD PTR SS:[EBP-12],AX
0046625C |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
0046625F |. E8 3CDDF9FF CALL monkey_k.00403FA0
00466264 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00466267 |. E8 F4DFF9FF CALL monkey_k.00404260
0046626C |. 85C0 TEST EAX,EAX
0046626E |. 7E 63 JLE SHORT monkey_k.004662D3
00466270 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
00466273 |. C745 F0 01000>MOV DWORD PTR SS:[EBP-10],1 // loop counter starts at 1
0046627A |> 8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8] // user-entered name = basicbird
0046627D |. 8B55 F0 |MOV EDX,DWORD PTR SS:[EBP-10] // take the Nth character
00466280 |. 8A4410 FF |MOV AL,BYTE PTR DS:[EAX+EDX-1] // Nth character, hex = 62
00466284 |. 0FB755 EE |MOVZX EDX,WORD PTR SS:[EBP-12]
00466288 |. C1EA 08 |SHR EDX,8 // 4DE1 >> 8 = 4D
0046628B |. 32C2 |XOR AL,DL // XOR = 2F
0046628D |. 8845 F5 |MOV BYTE PTR SS:[EBP-B],AL
00466290 |. 33C0 |XOR EAX,EAX
00466292 |. 8A45 F5 |MOV AL,BYTE PTR SS:[EBP-B]
00466295 |. 66:0345 EE |ADD AX,WORD PTR SS:[EBP-12] //4DE1+2F=4E10
00466299 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
0046629C |. 66:F76A 04 |IMUL WORD PTR DS:[EDX+4] //4E10*CE6D=1CD0
004662A0 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
004662A3 |. 66:0342 06 |ADD AX,WORD PTR DS:[EDX+6] // 1CD0+58BF=758F; this becomes the starting value for the next round
004662A7 |. 66:8945 EE |MOV WORD PTR SS:[EBP-12],AX
004662AB |. 8D4D E4 |LEA ECX,DWORD PTR SS:[EBP-1C]
004662AE |. 33C0 |XOR EAX,EAX
004662B0 |. 8A45 F5 |MOV AL,BYTE PTR SS:[EBP-B]
004662B3 |. BA 02000000 |MOV EDX,2
004662B8 |. E8 831CFAFF |CALL monkey_k.00407F40
004662BD |. 8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-1C]
004662C0 |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8]
004662C3 |. E8 A0DFF9FF |CALL monkey_k.00404268
004662C8 |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8]
004662CB |. FF45 F0 |INC DWORD PTR SS:[EBP-10]
004662CE |. FF4D E8 |DEC DWORD PTR SS:[EBP-18]
004662D1 |.^ 75 A7 \JNZ SHORT monkey_k.0046627A
004662D3 |> 33C0 XOR EAX,EAX
004662D5 |. 5A POP EDX
004662D6 |. 59 POP ECX
004662D7 |. 59 POP ECX
004662D8 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004662DB |. 68 F0624600 PUSH monkey_k.004662F0
004662E0 |> 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004662E3 |. E8 B8DCF9FF CALL monkey_k.00403FA0
004662E8 \. C3 RETN
Only the processing of the first character of the user name is analyzed above; the remaining characters follow the same pattern:
1. XOR the first character of the user name with 4DE1 shifted right by 8 bits = 2F ---- the first part of the serial
2. 4DE1+2F=4E10
3. 4E10*CE6D=1CD0 (low 16 bits of the product; the multiply is IMUL WORD)
4. 1CD0+58BF=758F
5. Shift 758F right by 8 bits and XOR with the second character of the user name; repeat steps 2, 3, 4 and 5 for each character.
User name: basicbird
Serial: 2F14EAB8616291A99E
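As an added check (not part of the original post), the following Python models the loop at 00466230 with the 16-bit truncation made explicit, so the intermediate values quoted above (2F, 758F) and the full serial for "basicbird" can be verified before trusting a keygen; the constants come from the listing, the function names are my own.

```python
# Reference model of the routine at 00466230, reconstructed from the disassembly
# in the post. Constants from the listing: CX=4DE1 (seed), [EDX+4]=CE6D
# (multiplier), [EDX+6]=58BF (addend). Added example, not the author's code.
from typing import List, Tuple

SEED = 0x4DE1
MULT = 0xCE6D
ADDEND = 0x58BF
MASK16 = 0xFFFF  # the state lives in AX: ADD AX / IMUL WORD keep 16 bits only


def step(state: int, ch: int) -> Tuple[int, int]:
    """One loop iteration: returns (serial byte, next 16-bit state)."""
    out = (ch & 0xFF) ^ (state >> 8)         # SHR EDX,8 ; XOR AL,DL
    state = (state + out) & MASK16          # ADD AX,WORD PTR [EBP-12]
    # IMUL WORD is a signed multiply, but its low 16 bits equal the
    # unsigned product's low 16 bits, so masking is exact here.
    state = (state * MULT) & MASK16         # IMUL WORD PTR [EDX+4]
    state = (state + ADDEND) & MASK16       # ADD AX,WORD PTR [EDX+6]
    return out, state


def trace(name: str) -> List[Tuple[int, int]]:
    """(serial byte, next state) per character, for comparing against an OD trace."""
    state, steps = SEED, []
    for ch in name.encode("latin-1"):
        b, state = step(state, ch)
        steps.append((b, state))
    return steps


def serial_for(name: str) -> str:
    """Serial as the program builds it: two uppercase hex digits per character."""
    return "".join(f"{b:02X}" for b, _ in trace(name))


if __name__ == "__main__":
    # Note that the state drops to 007E at the 6th character: any
    # string-based hex handling must keep leading zeros to stay correct.
    for i, (b, st) in enumerate(trace("basicbird"), 1):
        print(f"char {i}: serial byte {b:02X}, next state {st:04X}")
    print(serial_for("basicbird"))
```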
Keygen
I only just started learning C#, so I wrote it in that. The main part is attached below; it is a bit of a hack.
private void button1_Click(object sender, EventArgs e)
{
    string str = this.textBox1.Text.Trim();
    if (str == "")
    {
        MessageBox.Show("请输入用户名!");
        return;
    }
    string regno = "";
    // Constants from the disassembly: CX seed, [EDX+4] multiplier, [EDX+6] addend
    ushort first = 0x4DE1;
    ushort second = 0xCE6D;
    ushort third = 0x58BF;
    for (int i = 0; i < str.Length; i++)
    {
        // The program takes one byte of the name (MOV AL) and XORs it with the high byte of the state
        byte result = (byte)((byte)str[i] ^ (first >> 8));
        regno += result.ToString("X2");
        // The state is a WORD (ADD AX, IMUL WORD), so every step is truncated to 16 bits
        unchecked
        {
            first = (ushort)(first + result);
            first = (ushort)(first * second);
            first = (ushort)(first + third);
        }
    }
    this.textBox2.Text = regno;
}
I don't know how to post an attachment, so here is a link instead!
http://www.ccgcn.com/bbs/viewthread.php?tid=1203&extra=page%3D1