某CrackMe分析(菜鸟级别)
刚才在DFCG看到一个求助的CrackMe,顺便看了一下,很适合初学者~脱壳、找关键点就不说了,直接贴算法
; OllyDbg listing of the CrackMe's check routine, excerpt 00457BBE-00457E89.
; The procedure's prologue (before 00457BBE) and real epilogue (after the
; 00457E91 return address pushed at 00457E6F) are NOT part of this excerpt.
; NOTE(review): the bracketed memory operands ("[ebp-4]", "[eax+edx-1]", ...) were
; lost when the listing was pasted; the opcode bytes in the second column still
; encode them (e.g. 8D55 FC = lea edx,[ebp-4]; 0FB64410 FF = movzx eax,byte ptr [eax+edx-1];
; 3B50 FC = cmp edx,[eax-4]). Operands named in the comments below are decoded from those bytes.
; Globals: [45B840] = running sum / final value, [45B844] = the Name string.
; The repeated "mov edx,N / dec edx / cmp edx,[eax-4] / jb / call 00402B84" looks like a
; string-index range check and "jno / call 00402B8C" an overflow check; both targets
; are presumably runtime helpers, their bodies are not in this listing (assumption).
; Flow summary: serial = (sum over Name[1..6] of ASCII*2) + Length(Name)*2, rendered as a
; decimal string and compared with the entered Serial. The serial is a pure function
; of the Name with no secret, so it is a practice target, not a usable licence scheme.
00457BBE |.55 push ebp
00457BBF |.68 8A7E4500 push CrackMe#.00457E8A ;exception-handler address
00457BC4 |.64:FF30 push dword ptr fs: ;push fs:[eax] (eax presumably 0 here, set before this excerpt)
00457BC7 |.64:8920 mov dword ptr fs:,esp ;install the SEH frame
00457BCA |.8D55 FC lea edx,dword ptr ss: ;edx = &local string [ebp-4]
00457BCD |.8B83 D8020000 mov eax,dword ptr ds: ;eax = [ebx+2D8], presumably the Name control
00457BD3 |.E8 08C3FCFF call CrackMe#.00423EE0 ;read its text into [ebp-4]
00457BD8 |.837D FC 00 cmp dword ptr ss:,0 ;Name entered? ([ebp-4] == 0 means empty)
00457BDC |.75 18 jnz short CrackMe#.00457BF6
00457BDE |.6A 00 push 0
00457BE0 |.B9 987E4500 mov ecx,CrackMe#.00457E98 ;ASCII "Enter your Name !"
00457BE5 |.BA AC7E4500 mov edx,CrackMe#.00457EAC ;ASCII "You must enter your Name !"
00457BEA |.A1 98A54500 mov eax,dword ptr ds:
00457BEF |.8B00 mov eax,dword ptr ds:
00457BF1 |.E8 3A85FEFF call CrackMe#.00440130 ;message box (ecx looks like the caption, edx the text); no early exit, execution falls through
00457BF6 |>8D55 FC lea edx,dword ptr ss: ;edx = &[ebp-4]
00457BF9 |.8B83 DC020000 mov eax,dword ptr ds: ;eax = [ebx+2DC], presumably the Serial control
00457BFF |.E8 DCC2FCFF call CrackMe#.00423EE0 ;read its text into [ebp-4]
00457C04 |.837D FC 00 cmp dword ptr ss:,0 ;Serial entered?
00457C08 |.75 18 jnz short CrackMe#.00457C22
00457C0A |.6A 00 push 0
00457C0C |.B9 C87E4500 mov ecx,CrackMe#.00457EC8 ;ASCII "Enter a Serial !"
00457C11 |.BA DC7E4500 mov edx,CrackMe#.00457EDC ;ASCII "You must enter a Serial !"
00457C16 |.A1 98A54500 mov eax,dword ptr ds:
00457C1B |.8B00 mov eax,dword ptr ds:
00457C1D |.E8 0E85FEFF call CrackMe#.00440130 ;message box; again falls through to the check
00457C22 |>33C0 xor eax,eax
00457C24 |.A3 40B84500 mov dword ptr ds:,eax ;[45B840] (running sum) = 0
00457C29 |.8D55 FC lea edx,dword ptr ss: ;edx = &[ebp-4]
00457C2C |.8B83 D8020000 mov eax,dword ptr ds: ;Name control again
00457C32 |.E8 A9C2FCFF call CrackMe#.00423EE0 ;read the Name text
00457C37 |.8B45 FC mov eax,dword ptr ss: ;eax = [ebp-4]
00457C3A |.E8 F9BFFAFF call CrackMe#.00403C38 ;string helper (not shown here; result is stored as the Name)
00457C3F |.A3 44B84500 mov dword ptr ds:,eax ;[45B844] = Name string
00457C44 |.A1 44B84500 mov eax,dword ptr ds: ;eax = [45B844]
00457C49 |.E8 82FDFAFF call CrackMe#.004079D0 ;eax = Length(Name) (same helper is used for the length at 00457DCE)
00457C4E |.83F8 06 cmp eax,6 ;Name at least 6 chars?
00457C51 |.73 1D jnb short CrackMe#.00457C70 ;jnb: a 6-char name is accepted (>= 6, not > 6)
00457C53 |.6A 00 push 0
00457C55 |.B9 F87E4500 mov ecx,CrackMe#.00457EF8 ;ASCII "Name too short !"
00457C5A |.BA 0C7F4500 mov edx,CrackMe#.00457F0C ;ASCII "Your Name must be at least 6 Chars long !"
00457C5F |.A1 98A54500 mov eax,dword ptr ds:
00457C64 |.8B00 mov eax,dword ptr ds:
00457C66 |.E8 C584FEFF call CrackMe#.00440130
00457C6B |.E9 59010000 jmp CrackMe#.00457DC9 ;skip the sum; the compare below still runs with [45B840] = 0
00457C70 |>8D55 FC lea edx,dword ptr ss: ;edx = &[ebp-4]
00457C73 |.8B83 D8020000 mov eax,dword ptr ds:
00457C79 |.E8 62C2FCFF call CrackMe#.00423EE0 ;re-read the Name text (same helper as at 00457BD3; the length comes from 004079D0, not from here)
00457C7E |.8B45 FC mov eax,dword ptr ss: ;eax = Name string [ebp-4]
00457C81 |.BA 01000000 mov edx,1 ;index 1
00457C86 |.4A dec edx
00457C87 |.3B50 FC cmp edx,dword ptr ds: ;index-1 < [eax-4] (length field, presumably)?
00457C8A |.72 05 jb short CrackMe#.00457C91
00457C8C |.E8 F3AEFAFF call CrackMe#.00402B84 ;out of range -> runtime error (assumed)
00457C91 |>42 inc edx
00457C92 |.0FB64410 FF movzx eax,byte ptr ds: ;eax = ASCII of Name[1] (byte [eax+edx-1])
00457C97 |.6BF0 02 imul esi,eax,2 ;esi = eax*2 (running sum starts here)
00457C9A |.71 05 jno short CrackMe#.00457CA1
00457C9C |.E8 EBAEFAFF call CrackMe#.00402B8C ;overflow -> runtime error (assumed)
00457CA1 |>8D55 F8 lea edx,dword ptr ss: ;edx = &[ebp-8]
00457CA4 |.8B83 D8020000 mov eax,dword ptr ds:
00457CAA |.E8 31C2FCFF call CrackMe#.00423EE0 ;re-read the Name text
00457CAF |.8B45 F8 mov eax,dword ptr ss:
00457CB2 |.BA 02000000 mov edx,2 ;index 2
00457CB7 |.4A dec edx
00457CB8 |.3B50 FC cmp edx,dword ptr ds: ;range check as above
00457CBB |.72 05 jb short CrackMe#.00457CC2
00457CBD |.E8 C2AEFAFF call CrackMe#.00402B84
00457CC2 |>42 inc edx
00457CC3 |.0FB64410 FF movzx eax,byte ptr ds: ;eax = ASCII of Name[2]
00457CC8 |.6BC0 02 imul eax,eax,2 ;eax = eax*2
00457CCB |.71 05 jno short CrackMe#.00457CD2
00457CCD |.E8 BAAEFAFF call CrackMe#.00402B8C
00457CD2 |>03F0 add esi,eax ;esi += eax (accumulate)
00457CD4 |.71 05 jno short CrackMe#.00457CDB
00457CD6 |.E8 B1AEFAFF call CrackMe#.00402B8C
00457CDB |>8D55 F4 lea edx,dword ptr ss: ;edx = &[ebp-C]
00457CDE |.8B83 D8020000 mov eax,dword ptr ds:
00457CE4 |.E8 F7C1FCFF call CrackMe#.00423EE0
00457CE9 |.8B45 F4 mov eax,dword ptr ss:
00457CEC |.BA 03000000 mov edx,3 ;index 3
00457CF1 |.4A dec edx
00457CF2 |.3B50 FC cmp edx,dword ptr ds:
00457CF5 |.72 05 jb short CrackMe#.00457CFC
00457CF7 |.E8 88AEFAFF call CrackMe#.00402B84
00457CFC |>42 inc edx
00457CFD |.0FB64410 FF movzx eax,byte ptr ds: ;eax = ASCII of Name[3]
00457D02 |.6BC0 02 imul eax,eax,2 ;eax = eax*2
00457D05 |.71 05 jno short CrackMe#.00457D0C
00457D07 |.E8 80AEFAFF call CrackMe#.00402B8C
00457D0C |>03F0 add esi,eax ;esi += eax
00457D0E |.71 05 jno short CrackMe#.00457D15
00457D10 |.E8 77AEFAFF call CrackMe#.00402B8C
00457D15 |>8D55 F0 lea edx,dword ptr ss: ;edx = &[ebp-10]
00457D18 |.8B83 D8020000 mov eax,dword ptr ds:
00457D1E |.E8 BDC1FCFF call CrackMe#.00423EE0
00457D23 |.8B45 F0 mov eax,dword ptr ss:
00457D26 |.BA 04000000 mov edx,4 ;index 4
00457D2B |.4A dec edx
00457D2C |.3B50 FC cmp edx,dword ptr ds:
00457D2F |.72 05 jb short CrackMe#.00457D36
00457D31 |.E8 4EAEFAFF call CrackMe#.00402B84
00457D36 |>42 inc edx
00457D37 |.0FB64410 FF movzx eax,byte ptr ds: ;eax = ASCII of Name[4]
00457D3C |.6BC0 02 imul eax,eax,2 ;eax = eax*2
00457D3F |.71 05 jno short CrackMe#.00457D46
00457D41 |.E8 46AEFAFF call CrackMe#.00402B8C
00457D46 |>03F0 add esi,eax ;esi += eax
00457D48 |.71 05 jno short CrackMe#.00457D4F
00457D4A |.E8 3DAEFAFF call CrackMe#.00402B8C
00457D4F |>8D55 EC lea edx,dword ptr ss: ;edx = &[ebp-14]
00457D52 |.8B83 D8020000 mov eax,dword ptr ds:
00457D58 |.E8 83C1FCFF call CrackMe#.00423EE0
00457D5D |.8B45 EC mov eax,dword ptr ss:
00457D60 |.BA 05000000 mov edx,5 ;index 5
00457D65 |.4A dec edx
00457D66 |.3B50 FC cmp edx,dword ptr ds:
00457D69 |.72 05 jb short CrackMe#.00457D70
00457D6B |.E8 14AEFAFF call CrackMe#.00402B84
00457D70 |>42 inc edx
00457D71 |.0FB64410 FF movzx eax,byte ptr ds: ;eax = ASCII of Name[5]
00457D76 |.6BC0 02 imul eax,eax,2 ;eax = eax*2
00457D79 |.71 05 jno short CrackMe#.00457D80
00457D7B |.E8 0CAEFAFF call CrackMe#.00402B8C
00457D80 |>03F0 add esi,eax ;esi += eax
00457D82 |.71 05 jno short CrackMe#.00457D89
00457D84 |.E8 03AEFAFF call CrackMe#.00402B8C
00457D89 |>8D55 E8 lea edx,dword ptr ss: ;edx = &[ebp-18]
00457D8C |.8B83 D8020000 mov eax,dword ptr ds:
00457D92 |.E8 49C1FCFF call CrackMe#.00423EE0
00457D97 |.8B45 E8 mov eax,dword ptr ss:
00457D9A |.BA 06000000 mov edx,6 ;index 6
00457D9F |.4A dec edx
00457DA0 |.3B50 FC cmp edx,dword ptr ds:
00457DA3 |.72 05 jb short CrackMe#.00457DAA
00457DA5 |.E8 DAADFAFF call CrackMe#.00402B84
00457DAA |>42 inc edx
00457DAB |.0FB64410 FF movzx eax,byte ptr ds: ;eax = ASCII of Name[6]
00457DB0 |.6BC0 02 imul eax,eax,2 ;eax = eax*2
00457DB3 |.71 05 jno short CrackMe#.00457DBA
00457DB5 |.E8 D2ADFAFF call CrackMe#.00402B8C
00457DBA |>03F0 add esi,eax ;esi += eax
00457DBC |.71 05 jno short CrackMe#.00457DC3
00457DBE |.E8 C9ADFAFF call CrackMe#.00402B8C
00457DC3 |>8935 40B84500 mov dword ptr ds:,esi ;[45B840] = sum of the six doubled chars
00457DC9 |>A1 44B84500 mov eax,dword ptr ds: ;eax = Name string [45B844] (also the target of the "too short" jmp)
00457DCE |.E8 FDFBFAFF call CrackMe#.004079D0 ;eax = Length(Name)
00457DD3 |.6BC0 02 imul eax,eax,2 ;eax = Length*2
00457DD6 |.73 05 jnb short CrackMe#.00457DDD ;jnb: imul sets CF together with OF, so this is the same overflow check
00457DD8 |.E8 AFADFAFF call CrackMe#.00402B8C
00457DDD |>33D2 xor edx,edx ;edx:eax = Length*2 as a 64-bit value
00457DDF |.52 push edx
00457DE0 |.50 push eax
00457DE1 |.A1 40B84500 mov eax,dword ptr ds: ;eax = [45B840] (sum)
00457DE6 |.99 cdq ;sign-extend the sum into edx:eax
00457DE7 |.030424 add eax,dword ptr ss: ;64-bit add: sum + Length*2, low dword from [esp]
00457DEA |.135424 04 adc edx,dword ptr ss: ;high dword from [esp+4]
00457DEE |.71 05 jno short CrackMe#.00457DF5
00457DF0 |.E8 97ADFAFF call CrackMe#.00402B8C
00457DF5 |>83C4 08 add esp,8 ;drop the two pushes
00457DF8 |.50 push eax ;save the low dword
00457DF9 |.C1F8 1F sar eax,1F ;eax = sign extension of the low dword
00457DFC |.3BC2 cmp eax,edx ;does it match the high dword? i.e. result fits in 32 bits
00457DFE |.58 pop eax
00457DFF |.74 05 je short CrackMe#.00457E06
00457E01 |.E8 7EADFAFF call CrackMe#.00402B84 ;range error (assumed)
00457E06 |>A3 40B84500 mov dword ptr ds:,eax ;[45B840] = final value
00457E0B |.8D55 E4 lea edx,dword ptr ss: ;edx = &local string [ebp-1C]
00457E0E |.A1 40B84500 mov eax,dword ptr ds: ;eax = final value
00457E13 |.E8 2CF9FAFF call CrackMe#.00407744 ;convert the value to a decimal string
00457E18 |.8B45 E4 mov eax,dword ptr ss: ;eax = [ebp-1C], the computed serial string
00457E1B |.50 push eax ;the computed serial is visible here
00457E1C |.8D55 FC lea edx,dword ptr ss: ;edx = &[ebp-4]
00457E1F |.8B83 DC020000 mov eax,dword ptr ds: ;Serial control
00457E25 |.E8 B6C0FCFF call CrackMe#.00423EE0 ;read the entered Serial into [ebp-4]
00457E2A |.8B55 FC mov edx,dword ptr ss: ;edx = entered serial
00457E2D |.58 pop eax ;eax = computed serial
00457E2E |.E8 51BDFAFF call CrackMe#.00403B84 ;string compare (the classic spot)
00457E33 |.75 1A jnz short CrackMe#.00457E4F ;not equal -> "Serial not valid"; this branch decides the result
00457E35 |.6A 00 push 0
00457E37 |.B9 387F4500 mov ecx,CrackMe#.00457F38 ;ASCII "Congratz !"
00457E3C |.BA 447F4500 mov edx,CrackMe#.00457F44 ;ASCII "You cracked the CFF CrackMe #4 ! Please send your solution to [email protected] !"
00457E41 |.A1 98A54500 mov eax,dword ptr ds:
00457E46 |.8B00 mov eax,dword ptr ds:
00457E48 |.E8 E382FEFF call CrackMe#.00440130
00457E4D |.EB 18 jmp short CrackMe#.00457E67
00457E4F |>6A 00 push 0
00457E51 |.B9 987F4500 mov ecx,CrackMe#.00457F98 ;ASCII "Serial not valid"
00457E56 |.BA AC7F4500 mov edx,CrackMe#.00457FAC ;ASCII "The Serial you entered is in any case not valid !"
00457E5B |.A1 98A54500 mov eax,dword ptr ds:
00457E60 |.8B00 mov eax,dword ptr ds:
00457E62 |.E8 C982FEFF call CrackMe#.00440130
00457E67 |>33C0 xor eax,eax
00457E69 |.5A pop edx ;edx = saved fs:[0]
00457E6A |.59 pop ecx ;discard handler address
00457E6B |.59 pop ecx ;discard saved ebp
00457E6C |.64:8910 mov dword ptr fs:,edx ;restore the previous SEH frame
00457E6F |.68 917E4500 push CrackMe#.00457E91 ;return address for the cleanup block below
00457E74 |>8D45 E4 lea eax,dword ptr ss: ;eax = &[ebp-1C]
00457E77 |.E8 7CB9FAFF call CrackMe#.004037F8 ;release that local string (assumed)
00457E7C |.8D45 E8 lea eax,dword ptr ss: ;eax = &[ebp-18]
00457E7F |.BA 06000000 mov edx,6 ;six locals: [ebp-18] .. [ebp-4]
00457E84 |.E8 93B9FAFF call CrackMe#.0040381C ;release them (assumed)
00457E89 \.C3 retn ;returns to 00457E91; the real epilogue is outside this excerpt
算法总结:
用户名前6位(逐位的ASCII×2)的和,再加上(用户名位数×2),
转换成10进制字符串,就是注册码~
VB注册机:
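' Keygen for the check above:
'   serial = Sum(Asc(name[i]) * 2, i = 1..6) + Len(name) * 2, shown as a decimal string.
' The binary accepts a 6-char name (cmp eax,6 / jnb is >= 6), so the length test is >= 6,
' not > 6 as originally written; sum is initialised explicitly instead of relying on Empty.
' NOTE(review): the binary reads single bytes (movzx eax,byte ptr), while Asc returns a
' DBCS code for non-ASCII characters — results only agree for ASCII names.
Dim name, code, sum, i
name = Text1.Text
sum = 0
If Len(name) >= 6 Then
    For i = 1 To 6
        sum = sum + Asc(Mid(name, i, 1)) * 2
    Next
    code = sum + Len(name) * 2
    Text2.Text = code
Else
    MsgBox "Your Name must be at least 6 chars long!"
End If
回去练习一下!~~ 学习了,飘云厉害! 汇编不懂。。。看来要学学了 晕死。。UPX的壳太好搞了。。。 我也不太懂汇编~ 试下看看。。 强烈支持中...好好学了,,, 学习一下!! 看着就有压力呀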