Last time I cracked this little program I simply patched the check, which left me unsatisfied, so today I dug it out to analyze it properly. :) First load it in OD and search for strings; that brings us to the location below:
0040EBF0 |. /75 1C JNZ SHORT KeyGenMe.0040EC0E // not equal: registration fails
0040EBF2 |. |68 4CEC4000 PUSH KeyGenMe.0040EC4C ; ASCII "Cool~ "
0040EBF7 |. |FF75 FC PUSH DWORD PTR SS:[EBP-4]
0040EBFA |. |68 5CEC4000 PUSH KeyGenMe.0040EC5C ; ASCII " Registered!
0040EBFF |. |8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0040EC02 |. |BA 03000000 MOV EDX,3
0040EC07 |. |E8 2045FFFF CALL KeyGenMe.0040312C
0040EC0C |. |EB 0D JMP SHORT KeyGenMe.0040EC1B
0040EC0E |> \8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0040EC11 |. BA 74EC4000 MOV EDX,KeyGenMe.0040EC74 ; ASCII "No,Unregistered!Try Again!"
0040EC16 |. E8 4543FFFF CALL KeyGenMe.00402F60
Sniffing upward, we reach the following location. This is most likely where the registration code is compared. Heh, time to get to work! Set a breakpoint first.
0040EB70 /$ 55 PUSH EBP
0040EB71 |. 8BEC MOV EBP,ESP
0040EB73 |. 83C4 F4 ADD ESP,-0C
0040EB76 |. 53 PUSH EBX
0040EB77 |. 56 PUSH ESI
0040EB78 |. 894D F4 MOV DWORD PTR SS:[EBP-C],ECX // set the breakpoint here
0040EB7B |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
0040EB7E |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0040EB81 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0040EB84 |. E8 9746FFFF CALL KeyGenMe.00403220
0040EB89 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0040EB8C |. E8 8F46FFFF CALL KeyGenMe.00403220
0040EB91 |. 33C0 XOR EAX,EAX
0040EB93 |. 55 PUSH EBP
0040EB94 |. 68 36EC4000 PUSH KeyGenMe.0040EC36
0040EB99 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0040EB9C |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0040EB9F |. 33DB XOR EBX,EBX
0040EBA1 |. 33F6 XOR ESI,ESI
0040EBA3 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0040EBA6 |. E8 C144FFFF CALL KeyGenMe.0040306C
0040EBAB |. 85C0 TEST EAX,EAX
0040EBAD |. 7E 13 JLE SHORT KeyGenMe.0040EBC2
0040EBAF |. BA 01000000 MOV EDX,1
0040EBB4 |> 8B4D FC /MOV ECX,DWORD PTR SS:[EBP-4]
0040EBB7 |. 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1]
0040EBBC |. 03D9 |ADD EBX,ECX
0040EBBE |. 42 |INC EDX
0040EBBF |. 48 |DEC EAX
0040EBC0 |.^ 75 F2 \JNZ SHORT KeyGenMe.0040EBB4
0040EBC2 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0040EBC5 |. E8 A244FFFF CALL KeyGenMe.0040306C
0040EBCA |. 85C0 TEST EAX,EAX
0040EBCC |. 7E 13 JLE SHORT KeyGenMe.0040EBE1
0040EBCE |. BA 01000000 MOV EDX,1
0040EBD3 |> 8B4D F8 /MOV ECX,DWORD PTR SS:[EBP-8]
0040EBD6 |. 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1]
0040EBDB |. 03F1 |ADD ESI,ECX
0040EBDD |. 42 |INC EDX
0040EBDE |. 48 |DEC EAX
0040EBDF |.^ 75 F2 \JNZ SHORT KeyGenMe.0040EBD3
0040EBE1 |> 81C3 00000920 ADD EBX,20090000
0040EBE7 |. B8 01070920 MOV EAX,20090701
0040EBEC |. 2BC6 SUB EAX,ESI
0040EBEE |. 3BD8 CMP EBX,EAX
0040EBF0 |. 75 1C JNZ SHORT KeyGenMe.0040EC0E
Press F9 to run, enter a username and registration code, and the program breaks. :) Looks like the breakpoint was placed correctly. Single-step through. The key code is below:
0040EBB4 |> 8B4D FC /MOV ECX,DWORD PTR SS:[EBP-4] // username into ECX
0040EBB7 |. 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1]
0040EBBC |. 03D9 |ADD EBX,ECX // add the ASCII value of each character of the username into EBX
0040EBBE |. 42 |INC EDX
0040EBBF |. 48 |DEC EAX
0040EBC0 |.^ 75 F2 \JNZ SHORT KeyGenMe.0040EBB4
0040EBC2 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] // registration code into EAX
0040EBC5 |. E8 A244FFFF CALL KeyGenMe.0040306C
0040EBCA |. 85C0 TEST EAX,EAX
0040EBCC |. 7E 13 JLE SHORT KeyGenMe.0040EBE1
0040EBCE |. BA 01000000 MOV EDX,1
0040EBD3 |> 8B4D F8 /MOV ECX,DWORD PTR SS:[EBP-8]
0040EBD6 |. 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1]
0040EBDB |. 03F1 |ADD ESI,ECX // add the ASCII value of each character of the registration code into ESI
0040EBDD |. 42 |INC EDX
0040EBDE |. 48 |DEC EAX
0040EBDF |.^ 75 F2 \JNZ SHORT KeyGenMe.0040EBD3
0040EBE1 |> 81C3 00000920 ADD EBX,20090000 // add the two numbers, result in EBX
0040EBE7 |. B8 01070920 MOV EAX,20090701
0040EBEC |. 2BC6 SUB EAX,ESI // subtract ESI, result in EAX
0040EBEE |. 3BD8 CMP EBX,EAX // compare; if not equal, it's dead
0040EBF0 |. 75 1C JNZ SHORT KeyGenMe.0040EC0E
The algorithm of this crackme is: add up the ASCII values of every character of the username, add 20090000H to that, and then the registration code equals 20090701H minus the preceding sum, converted to decimal.
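As an added example (not part of the original post), here is the check at 0040EB70 reconstructed in C from the listing above, so you can confirm the reading of the disassembly. It assumes that CALL 0040306C returns the string length in EAX, which the loop that follows implies. It also shows why this kind of check is weak as a license scheme: it only looks at byte sums, so reordering an accepted code still passes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sum of the byte values of a string, as the two loops at 0040EBB4 and
 * 0040EBD3 compute it (EBX for the username, ESI for the registration
 * code). Assumption: CALL 0040306C returns the string length in EAX. */
uint32_t byte_sum(const char *s)
{
    uint32_t sum = 0;                   /* XOR EBX,EBX / XOR ESI,ESI */
    size_t len = strlen(s);             /* CALL 0040306C; JLE skips empty strings */
    for (size_t i = 0; i < len; i++)    /* EDX runs 1..len, EAX counts down */
        sum += (unsigned char)s[i];     /* MOVZX ECX,BYTE PTR [ECX+EDX-1]; ADD */
    return sum;
}

/* The comparison at 0040EBE1..0040EBF0. Returns 1 if the JNZ is not taken
 * (the "Cool~ Registered!" path), 0 otherwise. Arithmetic is 32-bit, as in
 * the registers. */
int keygenme_check(const char *user, const char *key)
{
    uint32_t ebx = byte_sum(user) + 0x20090000u;  /* ADD EBX,20090000 */
    uint32_t eax = 0x20090701u - byte_sum(key);   /* MOV EAX,20090701 / SUB EAX,ESI */
    return ebx == eax;                            /* CMP EBX,EAX / JNZ -> fail */
}

/* Weakness of the check: only sums are compared, so reversing (or otherwise
 * reordering) an accepted code still passes. */
int reversed_key_also_passes(const char *user, const char *key)
{
    char rev[256];
    size_t n = strlen(key);
    if (n >= sizeof rev) return 0;
    for (size_t i = 0; i < n; i++) rev[i] = key[n - 1 - i];
    rev[n] = '\0';
    return keygenme_check(user, key) && keygenme_check(user, rev);
}

int main(void)
{
    /* Constructed sample pair: "abc" sums to 294 and "zzzzzzzzzzzz#" to 1499;
     * 294 + 0x20090000 == 0x20090701 - 1499, so the check accepts it. */
    const char *user = "abc", *key = "zzzzzzzzzzzz#";
    printf("%s / %s -> %s\n", user, key, keygenme_check(user, key) ? "registered" : "rejected");
    printf("reversed key also accepted: %d\n", reversed_key_also_passes(user, key));
    return 0;
}
```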
Heh, this is written a bit messily; experts can pass on by, newbies can take a look. As for the keygen, I didn't get it written today, my head is a bit fuzzy (I kept making careless mistakes converting between hex and decimal), heh! I'll look at it again another day when I have time.