Crackme01
加密小组刚开张,没什么东东,写一个给大家玩玩~~~over时放出源码,请大家多多指教~~~
此CM已over,不懂算法兄弟太强悍了。。。膜拜一下先。。。 另:放出完整代码~~(转载时请注明作者信息)
{**************************************************************
CrackMe #01
code by 黑夜彩虹 & vxin with almost pure delphi
2007-03-07
--- 转载时请保留作者信息。
**************************************************************}
此CM的设计模式:
1、插入一些花指令
2、写了一些代码迷惑Cracker
3、有简单的 Anti-DeDe(按窗口标题查找 DeDe 并反复发送 WM_CLOSE)和调试器检测(内联汇编读取标志位,检测到就 ExitProcess)
话不多说,请看以下代码:
unit main;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, ExtCtrls,strutils;
Const
// Multiplier and increment of the key-update step in EncryptModule:
//   Key := (byte(output) + Key) * C1 + C2   (truncated to 16 bits)
C1= 17856;
C2= 23589;
type
// The only form of the crackme. Edit1 holds the "name", Edit2 the serial;
// Button1Click runs the check, FormCreate runs the anti-DeDe / anti-debug code.
TForm1 = class(TForm)
Image1: TImage;
Edit1: TEdit; // name input (fed to EncryptModule in Button1Click)
Label1: TLabel;
Label2: TLabel;
Edit2: TEdit; // serial input (compared with EncryptModule output, then passed verbatim to PatchOneItem)
Button1: TButton; // "register" button
procedure FormCreate(Sender: TObject); // Anti_DeDe + ABC42 debugger check; ExitProcess(0) on detection
procedure Button1Click(Sender: TObject); // serial check (decoy compare + self-patch from Edit2)
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.dfm}
Procedure Anti_DeDe();// Anti-DeDe: if a window titled "dede" ($64 $65 $64 $65, built from
// char codes so the literal is not visible in the binary) exists, send it WM_CLOSE 4500 times.
// Note: SendMessage is synchronous, so every one of those calls blocks until the target
// window procedure returns; nothing else is checked about the window.
var
target: THandle;
attempt: Integer;
begin
target := FindWindow(nil, chr($64)+chr($65)+chr($64)+chr($65));
if target = 0 then
Exit; // no DeDe window found: nothing to do
for attempt := 4500 downto 1 do
SendMessage(target, WM_CLOSE, 0, 0);
end;
Function ABC42():Boolean; // Debugger check: True = debugger detected (FormCreate then calls ExitProcess).
// NOTE(review): the memory operands of the first two instructions were lost when the forum
// stripped square brackets. The remaining shape (load from fs:, movzx of a byte, test al)
// is what a PEB.BeingDebugged read looks like — confirm against the binary before relying on it.
var
YInt,NInt:Integer; // flag slots written by the asm block; neither is initialised before it runs
begin
asm
mov eax,fs:
movzx eax,byte ptr
or al,al
jz @No
jnz @Yes
@No:
mov NInt,1 // byte was 0: "no debugger" ...
@Yes: // ... but @No falls straight through into @Yes, so YInt is set on BOTH paths
Mov YInt,1
end;
// YInt is always 1 here, so Result is first set True unconditionally ...
if YInt=1 then
Result:=True;
// ... and then cleared only when the @No path ran. On the "debugger" path NInt is never
// written, so if its uninitialised stack slot happens to contain 1 the detection is lost.
if NInt=1 then
Result:=False;
end;
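function EncryptModule(SourceStr:String;Key:Word;N:Integer):String;
// Serial transform used by the decoy comparison in Button1Click.
// Each byte of SourceStr is XORed with the high bits of a 16-bit running key (Key shr N);
// the key is then updated from the byte just produced:
//   Key := (byte(Result[I]) + Key) * C1 + C2,   kept to 16 bits.
// Parameters: SourceStr - text to transform; Key - initial 16-bit key;
//             N - right shift applied to Key before the XOR (the caller passes 10, which
//                 leaves only a 6-bit keystream value, 0..63, per character).
// Returns: a string of Length(SourceStr) transformed characters ('' for '').
// NOTE(security): this is obfuscation for a crackme, not cryptography — the keystream
// is derived from the output bytes themselves plus two fixed constants.
var
I:Integer;
begin
SetLength(Result,Length(SourceStr)); // output has exactly the input's length
for I:=1 to Length(SourceStr) do
begin
// Element indices restored: the forum stripped the square brackets from the original.
Result[I]:=Char(byte(SourceStr[I]) xor (Key Shr N));
// The product exceeds 16 bits; the Word() cast truncates explicitly instead of relying
// on range checking being off ({$R-}). The 32-bit intermediate cannot overflow
// ((255 + 65535) * 17856 + 23589 < 2^31).
Key:=Word((byte(Result[I]) + Key)*C1+C2);
end;
end;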
//==========以下是 549 的函数,据说没有爆破点,顺便试一试
//========函数作用:动态改变程序运行逻辑(把注册码当作“地址+字节”补丁,用 WriteProcessMemory 直接写进本进程内存)
function GetEIP: Integer;// Returns the address of the 'call GetEIP' instruction that invoked it,
// i.e. a way to obtain an absolute code address at run time (for building patch addresses).
// NOTE(review): the source operand of the first mov was lost in forum formatting; given the
// "call takes 5 bytes" note, the intent is the return address on the stack minus 5.
// Not referenced anywhere else in this unit as published.
asm
mov eax, ;
sub eax, 5; // a near 'call GetEIP' occupies 5 bytes, so return address - 5 = the call's own address
end;
function PatchOneItem(PatchItem: String): Boolean;
// Parses one patch item of the form "AAAAAAAA<sep>BB BB BB ..." (8 hex digits of address,
// one separator character, then hex byte pairs; spaces are ignored) and writes those bytes
// at that address inside the current process. Returns True only when WriteProcessMemory
// reports exactly PatchLength bytes written.
// NOTE(review): three element indices were lost when the forum stripped square brackets
// (the PatchItem character test/append and the two PatchDataStr hex-digit lookups); the
// layout described above is inferred from the length arithmetic (minimum length 11,
// Length - 9 div 2) — confirm against the binary before reusing this code.
// NOTE(security): address and bytes both come straight from the caller's string
// (Button1Click passes Edit2.Text verbatim), so this is an arbitrary write into the
// process's own memory driven by UI input. Also: StrToInt raises EConvertError on non-hex
// text; a 0 handle from OpenProcess is never checked; WriteCount is not initialised, so
// after a failed write the final comparison reads an indeterminate value.
var
PatchAddress: Integer;
PatchLength: DWord;
PatchData: Pointer;
PatchDataStr: String;
i: Integer;
PatchByte: Byte;
PID, PHandle: THandle;
WriteCount: DWord;
begin
Result := False;
if Length(PatchItem) < 11 then Exit; // 8 address digits + separator + at least one byte pair
// First 8 characters are the target address in hex. (NOTE(review): whether StrToInt accepts
// a C-style '0x' prefix depends on the RTL version; '$' is the classic Delphi form.)
PatchAddress := StrToInt('0x' + LeftStr(PatchItem, 8));
// Drop spaces so that only address, separator and hex digits remain
// (per-character index lost in forum formatting on the next two lines).
for i := 1 to Length(PatchItem) do begin
if PatchItem <> ' ' then
PatchDataStr := PatchDataStr + PatchItem;
end;
PatchLength := (Length(PatchDataStr) - 9) div 2; // byte pairs after the 9 header characters
GetMem(PatchData, PatchLength);
try
for i := 0 to PatchLength - 1 do begin
// Two hex digits -> one byte (digit positions lost in forum formatting)
PatchByte := StrToInt('0x'+PatchDataStr + PatchDataStr);
Byte(Pointer(Integer(PatchData) + i)^) := PatchByte;
end;
// Open this very process with full access and write the buffer at PatchAddress.
GetWindowThreadProcessId(Application.Handle, PID);
PHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID);
WriteProcessMemory(PHandle, Pointer(PatchAddress), PatchData, PatchLength, WriteCount);
CloseHandle(PHandle);
finally
FreeMem(PatchData, PatchLength);
end;
Result := PatchLength = WriteCount;
end;
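procedure Patch(PatchFile: String);
// Applies every line of PatchFile through PatchOneItem (one patch item per line).
// Does nothing when the file does not exist. Not called anywhere in this unit as published.
// NOTE(security): each line is written straight into this process's memory by
// PatchOneItem, so the patch file must be trusted as much as the executable itself.
var
PatchItems: TStrings;
PatchIndex: Integer;
begin
if not FileExists(PatchFile) then Exit;
PatchItems := TStringList.Create;
try
PatchItems.LoadFromFile(PatchFile);
// Index restored: the forum stripped the square brackets from PatchItems[PatchIndex].
for PatchIndex := 0 to PatchItems.Count - 1 do
PatchOneItem(PatchItems[PatchIndex]); // success flag is ignored, as in the original
finally
PatchItems.Free;
end;
end;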
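procedure TForm1.FormCreate(Sender: TObject);
// Startup checks: close a running DeDe decompiler window, then terminate the process
// if ABC42 reports a debugger.
begin
Anti_DeDe; // look for a DeDe window and send it WM_CLOSE
// Space restored between 'then' and 'ExitProcess' (lost in forum formatting; the original
// 'thenExitProcess' does not compile). ExitProcess(0) ends the process at once, without
// the normal VCL shutdown.
if ABC42 then ExitProcess(0);
end;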
procedure TForm1.Button1Click(Sender: TObject);// "Register" button: runs the serial check.
// Flow: an inline-asm junk block (never executed), a decoy string compare, then the real
// "check" — PatchOneItem writes the bytes encoded in Edit2 into this process's memory.
begin
// Junk / anti-disassembly bytes. jz and jnz to the same label cover both flag states, so
// control always reaches @Start and the db bytes below never execute; they only confuse a
// linear disassembler. (Per the OllyDbg listing later in this thread they decode to an
// SEH-style push/pop of fs:[0], an rdtsc and jump chains — the exact decoding is not
// relevant to the check.)
asm
jz @Start
jnz @Start
db 0E8h, 24h, 0, 0;
db 0, 8Bh, 44h,24h
db 4, 8Bh, 0, 3Dh
db 4, 0, 0, 80h
db 75h,8, 8Bh,64h
db 24h,8, 0EBh, 4
db 58h,0EBh, 0Ch, 0E9h
db 64h,8Fh, 5,0
db 0, 0, 0, 74h
db 0F3h, 75h, 0F1h, 0EBh
db 24h,64h, 0FFh, 35h
db 0, 0, 0, 0
db 0EBh, 12h, 0FFh, 9Ch
db 74h,3, 75h,1
db 0E9h, 81h, 0Ch, 24h
db 0, 1, 0, 0
db 9Dh,90h, 0EBh, 0F4h
db 64h,89h, 25h, 0
db 0, 0, 0, 0EBh
db 0E6h
db 0EBh, 1, 0Fh, 31h;
db 0F0h, 0EBh, 0Ch, 33h
db 0C8h, 0EBh, 3, 0EBh
db 9, 0Fh, 59h,74h
db 5, 75h, 0F8h, 51h
db 0EBh, 0F1h
db 0B9h, 4, 0, 0;
@Start:
end;
if length(edit2.Text)>3 then// only serials longer than 3 characters are considered
begin
// Decoy: compare Edit2 with EncryptModule(Edit1, 12345, 10). A match only shows
// "please restart this software" — it grants nothing and is meant to waste a cracker's time.
if edit2.Text=EncryptModule(Edit1.Text,12345,10) then
begin
showmessage('请重启本软件。');
// (author: further markers could be set here; left out)
end;
// The real check: Edit2 is parsed as "ADDRESS<sep>BYTES" and written into this process's
// own memory via WriteProcessMemory. A "valid" serial is therefore a patch that changes
// the code that follows; any address/bytes typed into the edit box are written, so this
// is an arbitrary-write primitive driven by UI input (an invalid hex string raises
// EConvertError inside PatchOneItem instead).
PatchOneItem(edit2.Text);
showmessage('ok'); // always reached in this source; see the thread for how the shipped binary differs here
end;
end;
end.
//=======有位兄弟PM我,说代码不完整,有几个地方不清楚(这是论坛本身的问题:看起来是方括号 [ ] 等字符被论坛吃掉了,涉及数组下标和汇编里的内存操作数;现在我把高亮颜色去掉~~~)============//
[ 本帖最后由 黑夜彩虹 于 2007-3-8 17:15 编辑 ]
5AD7B1AD 46 inc esi
5AD7B1AE 8935 E81BDA5A mov dword ptr , esi
5AD7B1B4 FF15 CC10D75A call dword ptr ; kernel32.IsDebuggerPresent
5AD7B1BA 85C0 test eax, eax
5AD7B1BC 0F85 9D6E0100 jnz 5AD9205F ; 有个让人退出的IsDebuggerPresent
5AD7B1C2 5E pop esi
5AD7B1C3^ E9 3FFDFFFF jmp 5AD7AF07
00453BC7 . /74 69 je short 00453C32 ;这两个跳还在玩游戏呢
00453BC9 . |75 67 jnz short 00453C32
00453BCB . |E8 24000000 call 00453BF4
00453BD0 . |8B4424 04 mov eax, dword ptr [esp+4]
00453BD4 . |8B00 mov eax, dword ptr [eax]
00453BD6 . |3D 04000080 cmp eax, 80000004
00453BDB . |75 08 jnz short 00453BE5
00453BDD . |8B6424 08 mov esp, dword ptr [esp+8]
00453BE1 . |EB 04 jmp short 00453BE7
00453BE3 > |58 pop eax
00453BE4 |EB db EB
00453BE5 . |0C E9 or al, 0E9
00453BE7 > |64:8F05 00000>pop dword ptr fs:
00453BEE .^|74 F3 je short 00453BE3
00453BF0 .^|75 F1 jnz short 00453BE3
00453BF2 > |EB 24 jmp short 00453C18
00453BF4 $ |64:FF35 00000>push dword ptr fs:
00453BFB . |EB 12 jmp short 00453C0F
00453BFD |FF db FF
00453BFE > |9C pushfd
00453BFF . |74 03 je short 00453C04
00453C01 . |75 01 jnz short 00453C04
00453C03 >-|E9 810C2400 jmp 00694889
00453C08 . |0100 add dword ptr [eax], eax
00453C0A . |009D 90EBF464 add byte ptr [ebp+64F4EB90], bl
00453C10 ? |8925 00000000 mov dword ptr , esp
00453C16 .^|EB E6 jmp short 00453BFE
00453C18 > |EB 01 jmp short 00453C1B
00453C1A |0F db 0F
00453C1B > |31F0 xor eax, esi
00453C1D . |EB 0C jmp short 00453C2B
00453C1F > |33C8 xor ecx, eax
00453C21 . |EB 03 jmp short 00453C26
00453C23 > |EB 09 jmp short 00453C2E
00453C25 |0F db 0F
00453C26 > |59 pop ecx
00453C27 . |74 05 je short 00453C2E
00453C29 .^|75 F8 jnz short 00453C23
00453C2B > |51 push ecx
00453C2C .^|EB F1 jmp short 00453C1F
00453C2E |B9 db B9
00453C2F |04 db 04
00453C30 |00 db 00
00453C31 |00 db 00
00453C32 . \8D55 FC lea edx, dword ptr [ebp-4]
00453C35 .8B83 08030000 mov eax, dword ptr [ebx+308] ;指向 指向的地址
00453C3B .E8 94EEFDFF call 00432AD4
00453C40 .8B45 FC mov eax, dword ptr [ebp-4] ;指向输入注册码
00453C43 .E8 C404FBFF call 0040410C ;获取长度
00453C48 .83F8 03 cmp eax, 3
00453C4B .7E 6A jle short 00453CB7 ;小于等于3就跳
00453C4D .8D55 F8 lea edx, dword ptr [ebp-8]
00453C50 .8B83 08030000 mov eax, dword ptr [ebx+308]
00453C56 .E8 79EEFDFF call 00432AD4
00453C5B .8B45 F8 mov eax, dword ptr [ebp-8] ;这个也是指向输入的注册码
00453C5E .50 push eax
00453C5F .8D45 F4 lea eax, dword ptr [ebp-C]
00453C62 .50 push eax
00453C63 .8D55 F0 lea edx, dword ptr [ebp-10]
00453C66 .8B83 FC020000 mov eax, dword ptr [ebx+2FC]
00453C6C .E8 63EEFDFF call 00432AD4 ;没跟进去过,不过EAX一直都GET工longth的
00453C71 .8B45 F0 mov eax, dword ptr [ebp-10] ;指向用户名
00453C74 .B9 0A000000 mov ecx, 0A
00453C79 .66:BA 3930 mov dx, 3039
00453C7D .E8 86FCFFFF call 00453908 ;这个就是算法call吧,没跟进去,直接看返回结果猜的
00453C82 .8B55 F4 mov edx, dword ptr [ebp-C]
00453C85 .58 pop eax
00453C86 .E8 CD05FBFF call 00404258 ;这个就是比较call
00453C8B 75 0A jnz short 00453C97
00453C8D .B8 FC3C4500 mov eax, 00453CFC ;请重启本软件。
00453C92 .E8 ED36FDFF call 00427384
我就走到这了,
____________________________________________________________________________________________
觉得call结构的加密流行却不大实用!
甚至暴露行踪, 00453C74 .B9 0A000000 mov ecx, 0A
00453C79 .66:BA 3930 mov dx, 3039
00453C7D .E8 86FCFFFF call 00453908 ;这个就是算法call吧,没跟进去,直接看返回结果猜的(是算法call,但不是主要的)
00453C82 .8B55 F4 mov edx, dword ptr
00453C85 .58 pop eax
00453C86 .E8 CD05FBFF call 00404258 ;这个就是比较call(是陷井来的,也是这个CM要说的一种加密思路)
00453C8B 75 0A jnz short 00453C97
00453C8D .B8 FC3C4500 mov eax, 00453CFC ;请重启本软件。
00453C92 .E8 ED36FDFF call 00427384 呵呵,这个新的加密方法很不厚道呀
弄不好会出大乱子的 :victory:
用看起来像比较性质的call伪装,受教了!
_________________________________________
call我进去粗略的地看了,没有自修改,没有跳出call,
也没有call内call,仅仅是一些标志性的跳转!
而整个过程都是在寄存器中传来传去,没有放到某个
地方去
那重启验证是怎么一回事呢
也是用来误导的吗?
你去用我在crackme版贴的那个注册码,然后跟踪就知道怎么回事了
此CrackMe 已over , 不懂算法 老大太强悍了。。。
原帖由 fonge 于 2007-3-7 13:03 发表
5AD7B1AD 46 inc esi
5AD7B1AE 8935 E81BDA5A mov dword ptr , esi
5AD7B1B4 FF15 CC10D75A call dword ptr ; kernel32.IsDebuggerPresent
5AD7B1BA ...
这个不是crackme.exe里的,是uxtheme.dll里的代码(上面 5AD7B1xx 这段 IsDebuggerPresent 调用属于 uxtheme.dll,与 CM 自己的反调试无关)
这个crackme比较搞笑
00453CA5 .8B45 EC mov eax, dword ptr ss: ;注册码
00453CA8 .E8 07FDFFFF call CrackMe0.004539B4 ;写内存,修改下面5个字节
00453CAD B8 143D4500 mov eax, CrackMe0.00453D14 ;ASCII "ok"
00453CB2 .E8 CD36FDFF call <CrackMe0.D7.Dialogs.ShowMessage(AnsiString);>
原型是(被上面那 5 个字节的补丁修改之前的原始代码):
00453CA8 E8 07FDFFFF call CrackMe0.004539B4
00453CAD EB 08 jmp short CrackMe0.00453CB7
00453CAF 90 nop
00453CB0 90 nop
00453CB1 90 nop
00453CB2 E8 CD36FDFF call <CrackMe0.D7.Dialogs.ShowMessage(AnsiString);>
00453CB7 33C0 xor eax, eax
构造精巧,不过,有一份正版(即一个有效的注册码)就能破解了
549的函数重点讲一下!:handshake
原帖由 fonge 于 2007-3-7 16:54 发表
549的函数重点讲一下!:handshake
作用:动态改变程序运行的逻辑