[转]reywen's crackme2分析[easy]
reywen's crackme2分析
【破解作者】 winndy
【作者邮箱】 [email protected]
【使用工具】 PEiD v0.93, OllyDbg v1.10 fly修改版, fsg2.0 dumper (download from http://www.programmerstools.com)
【破解平台】 Winxp SP2
【软件名称】 reywen's crackme2
【下载地址】 http://www.crackmes.de/users/reywen/crackme_2/
【编写语言】 masm32
【破解声明】 For Study, For Fun.
昨天搞定了PYG的crackme....
在crackmes.de逛的时候,看到这个,已经有Kreet破出来了,自己也想玩玩,于是.....
【保护方式】 fsg2.0,花指令,非标准MD5,暴力方式
【破解过程】 PEID查壳,fsg2.0,用fsg2.0dumper脱壳.
搜索字符串,未果!
bpx GetDlgItemTextA,在USER32.GetDlgItem也下,结果中断在下面.
call <jmp.&user32.GetDlgItemTextA> F8之后,全部都用F7下去.
一步一步,会发现很多都是无用的代码.只要细心点,F7下去,一遍就可以发现算法.
我输入的密码是:12345678901234567890
code:
004018F8 .E8 F9010000 call <jmp.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
004018FD .51 push ecx
004018FE .EB 01 jmp short dump.00401901
00401900 69 db 69 ;CHAR 'i'
00401901 >EB 02 jmp short dump.00401905
00401903 CD db CD
00401904 20 db 20 ;CHAR ' '
00401905 >6A 15 push 15
00401907 .59 pop ecx
00401908 .E8 01000000 call dump.0040190E
0040190D .5A pop edx
0040190E $76 03 jbe short dump.00401913
00401910 .C1F1 00 sal ecx,0
00401913 >EB 01 jmp short dump.00401916
00401915 .5A pop edx
00401916 >49 dec ecx
00401917 .^ 75 F5 jnz short dump.0040190E
00401919 .59 pop ecx
0040191A .E3 01 jecxz short dump.0040191D
0040191C .59 pop ecx
0040191D >EB 01 jmp short dump.00401920
0040191F 69 db 69 ;CHAR 'i'
00401920 >EB 07 jmp short dump.00401929
00401922 5A db 5A ;CHAR 'Z'
00401923 DB db DB
00401924 >83C4 04 add esp,4
00401927 .EB 08 jmp short dump.00401931
00401929 >E8 01000000 call dump.0040192F
0040192E .5A pop edx
0040192F $^ EB F3 jmp short dump.00401924
00401931 >83F8 08 cmp eax,8 ;比较注册码长度,不能小于8
00401934 .0F82 83010000 jb dump.00401ABD
0040193A .51 push ecx
0040193B .EB 01 jmp short dump.0040193E
0040193D 69 db 69 ;CHAR 'i'
0040193E >EB 02 jmp short dump.00401942
00401940 CD db CD
00401941 20 db 20 ;CHAR ' '
00401942 >6A 0C push 0C
00401944 .59 pop ecx ;这句和上面一句相当于 mov ecx,0C
00401945 .E8 01000000 call dump.0040194B
0040194A .5A pop edx
0040194B $76 03 jbe short dump.00401950 ;注册码长度等于8则跳 (中间的 push/pop/jmp/call 都不改变标志位,这里用的仍是 00401931 处 cmp eax,8 的结果)
0040194D .C1F1 00 sal ecx,0
00401950 >EB 01 jmp short dump.00401953
00401952 .5A pop edx ;不会执行
00401953 >49 dec ecx ;
00401954 .^ 75 F5 jnz short dump.0040194B
00401956 .59 pop ecx ;弹出的是 00401945 处 call 压入的返回地址 0040194A (call 的目标 0040194B 跳过了 0040194A 的 pop edx)
00401957 .E3 01 jecxz short dump.0040195A
00401959 .59 pop ecx
0040195A >EB 01 jmp short dump.0040195D
0040195C 69 db 69 ;CHAR 'i'
0040195D >EB 07 jmp short dump.00401966
0040195F 5A db 5A ;CHAR 'Z'
00401960 DB db DB
00401961 >83C4 04 add esp,4
00401964 .EB 08 jmp short dump.0040196E
00401966 >E8 01000000 call dump.0040196C
0040196B .5A pop edx
0040196C $^ EB F3 jmp short dump.00401961
0040196E >A3 B4304000 mov dword ptr ds:[4030B4],eax ;保存输入串长度(eax)到 4030B4
00401973 .EB 07 jmp short dump.0040197C
00401975 5A db 5A ;CHAR 'Z'
00401976 DB db DB
00401977 >83C4 04 add esp,4
0040197A .EB 08 jmp short dump.00401984
0040197C >E8 01000000 call dump.00401982
00401981 .5A pop edx
00401982 $^ EB F3 jmp short dump.00401977
00401984 >8BC8 mov ecx,eax
00401986 .51 push ecx
00401987 .EB 01 jmp short dump.0040198A
00401989 69 db 69 ;CHAR 'i'
0040198A >EB 02 jmp short dump.0040198E
0040198C CD db CD
0040198D 20 db 20 ;CHAR ' '
0040198E >6A 1A push 1A
00401990 .59 pop ecx ;相当于 mov ecx,1A
00401991 .E8 01000000 call dump.00401997
00401996 .5A pop edx
00401997 $76 03 jbe short dump.0040199C
00401999 .C1F1 00 sal ecx,0
0040199C >EB 01 jmp short dump.0040199F
0040199E .5A pop edx
0040199F >49 dec ecx
004019A0 .^ 75 F5 jnz short dump.00401997
004019A2 .59 pop ecx
004019A3 .E3 01 jecxz short dump.004019A6
004019A5 .59 pop ecx ;ecx=00000014
004019A6 >EB 01 jmp short dump.004019A9
004019A8 69 db 69 ;CHAR 'i'
004019A9 >EB 07 jmp short dump.004019B2
004019AB 5A db 5A ;CHAR 'Z'
004019AC DB db DB
004019AD >83C4 04 add esp,4
004019B0 .EB 08 jmp short dump.004019BA
004019B2 >E8 01000000 call dump.004019B8
004019B7 .5A pop edx
004019B8 $^ EB F3 jmp short dump.004019AD
004019BA >BE 50304000 mov esi,dump.00403050 ;esi 00403050 ASCII "12345678901234567890"
004019BF .51 push ecx
004019C0 .EB 01 jmp short dump.004019C3
004019C2 69 db 69 ;CHAR 'i'
004019C3 >EB 02 jmp short dump.004019C7
004019C5 CD db CD
004019C6 20 db 20 ;CHAR ' '
004019C7 >6A 1A push 1A
004019C9 .59 pop ecx
004019CA .E8 01000000 call dump.004019D0
004019CF .5A pop edx
004019D0 $76 03 jbe short dump.004019D5
004019D2 .C1F1 00 sal ecx,0
004019D5 >EB 01 jmp short dump.004019D8
004019D7 .5A pop edx
004019D8 >49 dec ecx
004019D9 .^ 75 F5 jnz short dump.004019D0
004019DB .59 pop ecx ;004019CF (004019CA 处 call 压入的返回地址)
004019DC .E3 01 jecxz short dump.004019DF
004019DE .59 pop ecx ;0014
004019DF >EB 01 jmp short dump.004019E2
004019E1 69 db 69 ;CHAR 'i'
004019E2 >8B1E mov ebx,dword ptr ds:[esi] ;34333231
004019E4 .035E 04 add ebx,dword ptr ds:[esi+4] ;34333231+38373635=6C6A6866
004019E7 >81EB 9A020000 sub ebx,29A
004019ED .81C3 78320400 add ebx,43278
004019F3 .81EB 4CB30000 sub ebx,0B34C ;43278-29A-0B34C =37C92
004019F9 .46 inc esi
004019FA .^ E2 EB loopd short dump.004019E7 ;ecx=14为计数器初值,循环体每次给 ebx 加 43278-29A-0B34C=37C92,循环内不再读 esi
//最终结果ebx=6CB023CE (6C6A6866 + 14h*37C92 = 6CB023CE)
004019FC .B9 DC304000 mov ecx,dump.004030DC
00401A01 .EB 07 jmp short dump.00401A0A
00401A03 5A db 5A ;CHAR 'Z'
00401A04 DB db DB
00401A05 >83C4 04 add esp,4
00401A08 .EB 08 jmp short dump.00401A12
00401A0A >E8 01000000 call dump.00401A10
00401A0F .5A pop edx
00401A10 $^ EB F3 jmp short dump.00401A05
00401A12 >52 push edx ;EDX 7C92EB94 ntdll.KiFastSystemCallRet
00401A13 .BA DC304000 mov edx,dump.004030DC
00401A18 .891A mov dword ptr ds:[edx],ebx ;保存计算结果到004030DC
00401A1A .5A pop edx
00401A1B .6A 20 push 20
00401A1D .68 DC304000 push dump.004030DC
00401A22 .68 BC304000 push dump.004030BC
00401A27 .E8 D4F5FFFF call dump.00401000 ;非标准MD5算法,见后面
//004030BC 27 F7 0D DA 68 7D E1 F3
//004030C4 9F 0C 59 33 2D C2 A9 69
//004030CC 00 00 00 00 00 00 00 00
//004030D4 00 00 00 00 00 00 00 00
//004030DC CE 23 B0 6C
//4030BC 起 16 字节是 00401000 算出的结果, 4030DC 是它的输入 (ebx=6CB023CE, 小端存放)
00401A2C .B9 04000000 mov ecx,4
00401A31 .BA BC304000 mov edx,dump.004030BC ;MD5结果
00401A36 >2B1A sub ebx,dword ptr ds:[edx] ;ebx=6CB023CE
00401A38 .81EB E8030000 sub ebx,3E8
00401A3E .83C2 04 add edx,4
00401A41 .^ E2 F3 loopd short dump.00401A36
//最后ebx=01BDD0D3 (6CB023CE - DA0DF727 - F3E17D68 - 33590C9F - 69A9C22D - 4*3E8, 四个 dword 按小端取自 4030BC)
00401A43 .51 push ecx
00401A44 .EB 01 jmp short dump.00401A47
00401A46 69 db 69 ;CHAR 'i'
00401A47 >EB 02 jmp short dump.00401A4B
00401A49 CD db CD
00401A4A 20 db 20 ;CHAR ' '
00401A4B >6A 1A push 1A
00401A4D .59 pop ecx ;相当于 mov ecx,1A
00401A4E .E8 01000000 call dump.00401A54
00401A53 .5A pop edx
00401A54 $76 03 jbe short dump.00401A59
00401A56 .C1F1 00 sal ecx,0
00401A59 >EB 01 jmp short dump.00401A5C
00401A5B .5A pop edx
00401A5C >49 dec ecx
00401A5D .^ 75 F5 jnz short dump.00401A54
00401A5F .59 pop ecx
00401A60 .E3 01 jecxz short dump.00401A63
00401A62 .59 pop ecx
00401A63 >EB 01 jmp short dump.00401A66
00401A65 69 db 69 ;CHAR 'i'
00401A66 >81EB E6D699CE sub ebx,CE99D6E6 ;关键比较: ebx 必须等于 CE99D6E6
00401A6C .74 25 je short dump.00401A93 ;相等就OK,否则走下一句跳到 00401ABD 退出
00401A6E .EB 4D jmp short dump.00401ABD
00401A70 .51 push ecx
00401A71 .EB 01 jmp short dump.00401A74
00401A73 69 db 69 ;CHAR 'i'
00401A74 >EB 02 jmp short dump.00401A78
00401A76 CD db CD
00401A77 20 db 20 ;CHAR ' '
00401A78 >6A 1A push 1A
00401A7A .59 pop ecx
00401A7B .E8 01000000 call dump.00401A81
00401A80 .5A pop edx
00401A81 $76 03 jbe short dump.00401A86
00401A83 .C1F1 00 sal ecx,0
00401A86 >EB 01 jmp short dump.00401A89
00401A88 .5A pop edx
00401A89 >49 dec ecx
00401A8A .^ 75 F5 jnz short dump.00401A81
00401A8C .59 pop ecx
00401A8D .E3 01 jecxz short dump.00401A90
00401A8F .59 pop ecx
00401A90 >EB 01 jmp short dump.00401A93
00401A92 69 db 69 ;CHAR 'i'
00401A93 >BA 19304000 mov edx,dump.00403019 ;ASCII "y>y.wa{.coek.zfg}.5J .cogb.ck4.|kwyk` icogb mac"
00401A98 .8B1A mov ebx,dword ptr ds:[edx]
00401A9A .80FB 77 cmp bl,77 ;首字节已经是 'w' (已解码) 则跳过解码
00401A9D .74 0A je short dump.00401AA9
00401A9F .B9 31000000 mov ecx,31
00401AA4 .E8 1D000000 call dump.00401AC6
00401AA9 >6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401AAB .68 0F304000 push dump.0040300F ; |Title = ""
00401AB0 .68 19304000 push dump.00403019 ; |Text = "y>y.wa{.coek.zfg}.5J .cogb.ck4.|kwyk` icogb mac"
00401AB5 .FF75 08 push dword ptr ss:[ebp+8] ; |hOwner
00401AB8 .E8 45000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00401ABD >EB 00 jmp short dump.00401ABF
00401ABF >61 popad
00401AC0 .33C0 xor eax,eax
00401AC2 .C9 leave
00401AC3 .C2 1000 retn 10
00401AC6 /$4A dec edx
00401AC7 |>42 inc edx
00401AC8 |.8A02 mov al,byte ptr ds:[edx]
00401ACA |.34 0E xor al,0E
00401ACC |.8802 mov byte ptr ds:[edx],al
00401ACE |.^ E2 F7 loopd short dump.00401AC7
00401AD0 \.C3 retn
//上面这段代码(00401AC6)用来解码要显示的消息: 从 edx 指向的串开始,每个字节与 0E 异或,共 ecx=31h 个字节
// 密文:"y>y.wa{.coek.zfg}.5J .cogb.ck4.|kwyk` icogb mac"
// 明文:"w0w you make this ;D... mail me: reywen.gmail.com"
00401AD1 /$4A dec edx
00401AD2 |.B9 20000000 mov ecx,20
00401AD7 |>42 inc edx
00401AD8 |.C602 00 mov byte ptr ds:[edx],0
00401ADB |.^ E2 FA loopd short dump.00401AD7
00401ADD \.C3 retn ;00401AD1 这段把 edx 起的 20h 字节清零,上面贴出的片段里没有看到调用它的地方
=================================
MD5算法 (00401005-00401019 写入的 67452301/EFCDAB89/98BADCFE/10325476 是标准 MD5 的初始链值 A/B/C/D; 00401020 起的代码先做分块和填充: 在数据末尾补 80h,其后清零,再把长度*8 写到块尾 [ebx+38]/[ebx+3C]; 压缩部分本段摘录未包含)
00401000 /$60 pushad
00401001 |.8B7424 24 mov esi,dword ptr ss:[esp+24] ;pushad 之后 [esp+24] 是第一个参数 (004030BC,输出缓冲区)
00401005 |.C706 01234567 mov dword ptr ds:[esi],67452301
0040100B |.C746 04 89ABC>mov dword ptr ds:[esi+4],EFCDAB89
00401012 |.C746 08 FEDCB>mov dword ptr ds:[esi+8],98BADCFE
00401019 |.C746 0C 76543>mov dword ptr ds:[esi+0C],10325476
00401020 |.8B4424 2C mov eax,dword ptr ss:[esp+2C] ;第三个参数 (20h,数据长度)
00401024 |.50 push eax
00401025 |.33D2 xor edx,edx
00401027 |.B9 40000000 mov ecx,40
0040102C |.F7F1 div ecx
0040102E |.40 inc eax
0040102F |.5A pop edx
00401030 |.83EC 40 sub esp,40
00401033 |.8BDC mov ebx,esp
00401035 |.8B7424 68 mov esi,dword ptr ss:[esp+68] ;第二个参数 (004030DC,输入数据)
00401039 |.92 xchg eax,edx
0040103A |>8BFB /mov edi,ebx
0040103C |.4A |dec edx
0040103D |.75 41 |jnz short dump.00401080
0040103F |.85C0 |test eax,eax
00401041 |.78 06 |js short dump.00401049
00401043 |.C60418 80 |mov byte ptr ds:[eax+ebx],80 ;在数据末尾 (偏移 eax=长度) 补填充字节 80h
00401047 |.EB 03 |jmp short dump.0040104C
00401049 |>33C0 |xor eax,eax
0040104B |.48 |dec eax
0040104C |>B9 40000000 |mov ecx,40
00401051 |.2BC8 |sub ecx,eax
00401053 |.03F8 |add edi,eax
00401055 |.50 |push eax
00401056 |.33C0 |xor eax,eax
00401058 |.47 |inc edi
00401059 |.49 |dec ecx
0040105A |.F3:AA |rep stos byte ptr es:[edi] ;80h 之后到块末尾的部分清零
0040105C |.58 |pop eax
0040105D |.85C0 |test eax,eax
0040105F |.78 05 |js short dump.00401066
00401061 |.83F8 38 |cmp eax,38
00401064 |.73 19 |jnb short dump.0040107F
00401066 |>50 |push eax
00401067 |.8B4424 70 |mov eax,dword ptr ss:[esp+70] ;数据长度 (上面 push eax 之后偏移多了 4)
0040106B |.52 |push edx
0040106C |.33D2 |xor edx,edx
0040106E |.B9 08000000 |mov ecx,8
00401073 |.F7E1 |mul ecx
00401075 |.8943 38 |mov dword ptr ds:[ebx+38],eax ;长度*8 (以位计) 写到块尾 8 字节
00401078 |.8953 3C |mov dword ptr ds:[ebx+3C],edx
0040107B |.5A |pop edx
0040107C |.58 |pop eax
0040107D |.EB 01 |jmp short dump.00401080
0040107F |>42 |inc edx
00401080 |>85C0 |test eax,eax
00401082 |.78 07 |js short dump.0040108B
00401084 |.83F8 40 |cmp eax,40
00401087 |.73 08 |jnb short dump.00401091
00401089 |.EB 02 |jmp short dump.0040108D
0040108B |>33C0 |xor eax,eax
0040108D |>8BC8 |mov ecx,eax
0040108F |.EB 05 |jmp short dump.00401096
00401091 |>B9 40000000 |mov ecx,40
00401096 |>8BFB |mov edi,ebx
00401098 |.F3:A4 |rep movs byte ptr es:[edi],byte ptr ds:[esi] ;把 ecx 个字节的输入拷进块缓冲区
//d edi
//0012F9BC CE 23 B0 6C 00 00 00 00
//0012F9C4 00 00 00 00 00 00 00 00
//0012F9CC 00 00 00 00 00 00 00 00
//0012F9D4 00 00 00 00 00 00 00 00
//0012F9DC 80 00 00 00 00 00 00 00