Buzz'm_Frog's Crackme #2 算法简单分析
【文章标题】: Buzz'm_Frog's Crackme #2 算法简单分析
【文章作者】: 网络断魂
【软件名称】: Buzz'm_Frog's Crackme #2
【下载地址】: 自己搜吧,朋友给偶的
【加壳方式】: 无壳
【保护方式】: 用户名+注册码
【编写语言】: Borland C++
【使用工具】: OD
【操作平台】: winxp2
【作者声明】: 也不知道分析的对不对,大家别笑话偶
下消息断点,找到算法关键处:
;-----------------------------------------------------------------------
; Serial-check routine of Buzz'm_Frog's Crackme #2 (OllyDbg listing,
; 00401400-00401781, Borland C++ register calling convention:
; eax = object pointer, edx = second argument).
; The forum paste stripped the [..] brackets from every memory operand;
; each comment below reconstructs the effective address from the opcode
; bytes shown on the line (e.g. "8945 AC" = mov [ebp-54], eax).
;
; Algorithm as visible in this listing (all arithmetic 32-bit, wraps):
;   sum = 0
;   for each byte c of username: sum += (signed char)c      ; movsx
;   sum = ((sum * 0x1332) * 0x1332) * 0x1332 + 0xF4A
;   pass only if  StrToInt(serial) == sum
;             and len(serial) == len(IntToStr(sum))
;             and serial[i] == IntToStr(sum)[i] for every i
;
; Stack slots (ebp-relative, frame is 0x70 bytes):
;   [ebp-4]  username string        [ebp-8]  entered serial string
;   [ebp-C]  IntToStr(sum)          [ebp-10]..[ebp-2C] temporaries
;   [ebp-34] counter inc/dec around each temporary (presumably the
;            Borland cleanup/unwind depth -- not verified here)
;   [ebp-40] word written before each step (presumably unwind state)
;   [ebp-50] previous fs:[0] (restored at 00401776; written by the
;            setup call at 00401412, presumably)
;   [ebp-54] object pointer (eax arg)   [ebp-58] edx arg
;   [ebp-59] byte: result of the LAST character compare (1 = equal)
;   [ebp-60] running sum / computed value
;   [ebp-64] status: 1 = no mismatch seen, 2 = some character differed
;   [ebp-68] StrToInt(serial)       [ebp-6C],[ebp-70] loop indices
; Helper routines -- roles inferred from how they are used, verify:
;   004018E8 string ctor (eax=&s)     0040F49C string dtor (eax=&s, edx=2)
;   0040F4CB assign (eax=&dst,edx=&src) 00401918 char-data pointer
;   0040F6F6 length                   0040FFA4 string -> int
;   0040F3C9 int -> string            0040A740 read a control's text
;-----------------------------------------------------------------------
00401400/.55 push ebp ;// standard ebp frame
00401401|.8BEC mov ebp, esp
00401403|.83C4 90 add esp, -70 ;// 0x70 bytes of locals
00401406|.53 push ebx ;// ebx is callee-saved; used below for length/char
00401407|.8955 A8 mov dword ptr , edx ;// [ebp-58] = edx (second register argument)
0040140A|.8945 AC mov dword ptr , eax ;// [ebp-54] = eax (object pointer; controls are read from it below)
0040140D|.B8 BC234300 mov eax, 004323BC ;// eax = 004323BC (descriptor for the call below, presumably)
00401412|.E8 4D8A0200 call 00429E64 ;// runtime setup; looks like exception-frame registration since fs:[0] is restored from [ebp-50] at exit
00401417|.66:C745 C0 08>mov word ptr , 8 ;// word [ebp-40] = 8 (state marker, updated before each step)
0040141D|.8D45 FC lea eax, dword ptr ;// eax = &[ebp-4]
00401420|.E8 C3040000 call 004018E8 ;// construct string [ebp-4] (will receive the username)
00401425|.FF45 CC inc dword ptr ;// ++[ebp-34]
00401428|.66:C745 C0 14>mov word ptr , 14 ;// word [ebp-40] = 14
0040142E|.66:C745 C0 20>mov word ptr , 20 ;// word [ebp-40] = 20
00401434|.8D45 F8 lea eax, dword ptr ;// eax = &[ebp-8]
00401437|.E8 AC040000 call 004018E8 ;// construct string [ebp-8] (will receive the entered serial)
0040143C|.FF45 CC inc dword ptr ;// ++[ebp-34]
0040143F|.66:C745 C0 14>mov word ptr , 14 ;// word [ebp-40] = 14
00401445|.66:C745 C0 2C>mov word ptr , 2C ;// word [ebp-40] = 2C
0040144B|.8D45 F4 lea eax, dword ptr ;// eax = &[ebp-C]
0040144E|.E8 95040000 call 004018E8 ;// construct string [ebp-C] (will hold IntToStr(sum))
00401453|.FF45 CC inc dword ptr ;// ++[ebp-34]
00401456|.66:C745 C0 14>mov word ptr , 14 ;// word [ebp-40] = 14
0040145C|.C645 A7 00 mov byte ptr , 0 ;// byte [ebp-59] = 0: last-char-equal flag cleared
00401460|.66:C745 C0 38>mov word ptr , 38 ;// word [ebp-40] = 38
00401466|.8D45 F0 lea eax, dword ptr ;// eax = &[ebp-10] (temporary)
00401469|.E8 7A040000 call 004018E8 ;// construct temporary string [ebp-10]
0040146E|.8BD0 mov edx, eax ;// edx = &[ebp-10]
00401470|.FF45 CC inc dword ptr ;// ++[ebp-34]
00401473|.8B4D AC mov ecx, dword ptr ;// ecx = [ebp-54] (object pointer)
00401476|.8B81 C8010000 mov eax, dword ptr ;// eax = [ecx+1C8] (a control of the form; its text becomes the username)
0040147C|.E8 BF920000 call 0040A740 ;// read that control's text into [ebp-10] (role inferred from use)
00401481|.8D55 F0 lea edx, dword ptr ;// edx = &[ebp-10]
00401484|.8D45 FC lea eax, dword ptr ;// eax = &[ebp-4]
00401487|.E8 3FE00000 call 0040F4CB ;// [ebp-4] = [ebp-10]: username now in [ebp-4]
0040148C|.FF4D CC dec dword ptr ;// --[ebp-34]
0040148F|.8D45 F0 lea eax, dword ptr ;// eax = &[ebp-10]
00401492|.BA 02000000 mov edx, 2
00401497|.E8 00E00000 call 0040F49C ;// destroy temporary [ebp-10] (same call with edx=2 is made for every string before return). The original note read "fetch username into EDX"; the copy already happened at 00401487
0040149C|.66:C745 C0 44>mov word ptr , 44 ;// word [ebp-40] = 44
004014A2|.8D45 EC lea eax, dword ptr ;// eax = &[ebp-14] (temporary)
004014A5|.E8 3E040000 call 004018E8 ;// construct temporary string [ebp-14]
004014AA|.8BD0 mov edx, eax ;// edx = &[ebp-14]
004014AC|.FF45 CC inc dword ptr ;// ++[ebp-34]
004014AF|.8B4D AC mov ecx, dword ptr ;// ecx = [ebp-54] (object pointer)
004014B2|.8B81 CC010000 mov eax, dword ptr ;// eax = [ecx+1CC] (the control holding the entered serial)
004014B8|.E8 83920000 call 0040A740 ;// read that control's text into [ebp-14]. The original note ("compute username length into EAX") does not match: the length is taken at 00401514 via 0040F6F6
004014BD|.8D55 EC lea edx, dword ptr ;// edx = &[ebp-14]
004014C0|.8D45 F8 lea eax, dword ptr ;// eax = &[ebp-8]
004014C3|.E8 03E00000 call 0040F4CB ;// [ebp-8] = [ebp-14]: entered serial now in [ebp-8]
004014C8|.FF4D CC dec dword ptr ;// --[ebp-34]
004014CB|.8D45 EC lea eax, dword ptr ;// eax = &[ebp-14]
004014CE|.BA 02000000 mov edx, 2
004014D3|.E8 C4DF0000 call 0040F49C ;// destroy temporary [ebp-14] (original note: "fetch the entered serial into EDX")
004014D8|.33C9 xor ecx, ecx ;// ecx = 0
004014DA|.894D A0 mov dword ptr , ecx ;// [ebp-60] = 0: running sum
004014DD|.66:C745 C0 14>mov word ptr , 14 ;// word [ebp-40] = 14
004014E3|.C745 9C 01000>mov dword ptr , 1 ;// [ebp-64] = 1: status flag, set to 2 on any character mismatch below
004014EA|.8D45 F8 lea eax, dword ptr ;// eax = &[ebp-8] (entered serial)
004014ED|.E8 B2EA0000 call 0040FFA4 ;// eax = the serial string converted to an integer (what happens on non-numeric input is not visible here)
004014F2|.8945 98 mov dword ptr , eax ;// [ebp-68] = integer value of the serial
004014F5|.33D2 xor edx, edx ;// edx = 0
004014F7|.8955 94 mov dword ptr , edx ;// [ebp-6C] = 0: index into the username
004014FA|.EB 15 jmp short 00401511 ;// enter the loop at its condition check
004014FC|>8D45 FC /lea eax, dword ptr ;// loop body: eax = &[ebp-4] (username)
004014FF|.E8 14040000 |call 00401918 ;// eax = pointer to the username's characters
00401504|.8B55 94 |mov edx, dword ptr ;// edx = [ebp-6C] (current index)
00401507|.0FBE0C10 |movsx ecx, byte ptr ;// ecx = (signed char) username[edx]; bytes >= 0x80 contribute negative values
0040150B|.014D A0 |add dword ptr , ecx ;// [ebp-60] += ecx
0040150E|.FF45 94 |inc dword ptr ;// ++[ebp-6C]
00401511|>8D45 FC lea eax, dword ptr ;// loop condition: eax = &[ebp-4]
00401514|.E8 DDE10000 |call 0040F6F6 ;// eax = length of the username
00401519|.3B45 94 |cmp eax, dword ptr ;// length vs index [ebp-6C] (signed compare)
0040151C|.^ 7F DE \jg short 004014FC ;// while (index < length); an empty username skips the loop and the sum stays 0
0040151E|.6955 A0 32130>imul edx, dword ptr , 1332 ;// edx = [ebp-60] * 0x1332 (signed 32-bit, wraps)
00401525|.8955 A0 mov dword ptr , edx ;// [ebp-60] = edx
00401528|.694D A0 32130>imul ecx, dword ptr , 1332 ;// ecx = [ebp-60] * 0x1332 (second multiply)
0040152F|.894D A0 mov dword ptr , ecx ;// [ebp-60] = ecx
00401532|.6945 A0 32130>imul eax, dword ptr , 1332 ;// eax = [ebp-60] * 0x1332 (third multiply)
00401539|.8945 A0 mov dword ptr , eax ;// [ebp-60] = eax
0040153C|.8145 A0 4A0F0>add dword ptr , 0F4A ;// [ebp-60] += 0xF4A: final expected value
00401543|.8B55 98 mov edx, dword ptr ;// edx = [ebp-68] (integer value of the entered serial)
00401546|.3B55 A0 cmp edx, dword ptr ;// first check: entered value == computed value [ebp-60] ?
;// (the text form of the serial is compared separately below)
00401549 0F85 71010000 jnz 004016C0 ;// mismatch -> failure path at 004016C0 (author's note: must not be taken; was NOPed temporarily to trace the rest)
0040154F|.66:C745 C0 50>mov word ptr , 50 ;// word [ebp-40] = 50
00401555|.8D45 E8 lea eax, dword ptr ;// eax = &[ebp-18] (temporary)
00401558|.8B55 A0 mov edx, dword ptr ;// edx = computed value [ebp-60]
0040155B|.E8 69DE0000 call 0040F3C9 ;// [ebp-18] = IntToStr(edx): the valid serial as signed decimal text
00401560|.FF45 CC inc dword ptr ;// ++[ebp-34]
00401563|.8D55 E8 lea edx, dword ptr ;// edx = &[ebp-18]
00401566|.8D45 F4 lea eax, dword ptr ;// eax = &[ebp-C]
00401569|.E8 5DDF0000 call 0040F4CB ;// [ebp-C] = [ebp-18]
0040156E|.FF4D CC dec dword ptr ;// --[ebp-34]
00401571|.8D45 E8 lea eax, dword ptr ;// eax = &[ebp-18]
00401574|.BA 02000000 mov edx, 2
00401579|.E8 1EDF0000 call 0040F49C ;// destroy temporary [ebp-18]
0040157E|.8D45 F8 lea eax, dword ptr ;// eax = &[ebp-8] (entered serial)
00401581|.E8 70E10000 call 0040F6F6 ;// eax = its length
00401586|.8BD8 mov ebx, eax ;// ebx = length of entered serial
00401588|.8D45 F4 lea eax, dword ptr ;// eax = &[ebp-C] (expected serial text)
0040158B|.E8 66E10000 call 0040F6F6 ;// eax = its length
00401590|.3BD8 cmp ebx, eax ;// second check: the two lengths must match
00401592 0F85 28010000 jnz 004016C0 ;// length mismatch -> failure path (author's note: NOPed while tracing)
00401598|.33D2 xor edx, edx ;// edx = 0
0040159A|.8955 90 mov dword ptr , edx ;// [ebp-70] = 0: index for the character compare
0040159D|.66:C745 C0 14>mov word ptr , 14 ;// word [ebp-40] = 14
004015A3|.EB 32 jmp short 004015D7 ;// enter the loop at its condition check
004015A5|>8D45 F8 /lea eax, dword ptr ;// loop body: eax = &[ebp-8]
004015A8|.E8 6B030000 |call 00401918 ;// eax = characters of the entered serial
004015AD|.8B55 90 |mov edx, dword ptr ;// edx = [ebp-70]
004015B0|.8A1C10 |mov bl, byte ptr ;// bl = entered[edx]
004015B3|.8D45 F4 |lea eax, dword ptr ;// eax = &[ebp-C]
004015B6|.E8 5D030000 |call 00401918 ;// eax = characters of the expected serial
004015BB|.8B55 90 |mov edx, dword ptr ;// edx = [ebp-70]
004015BE|.3A1C10 |cmp bl, byte ptr ;// entered[edx] == expected[edx] ?
004015C1|.74 0D |je short 004015D0
004015C3|.C645 A7 00 |mov byte ptr , 0 ;// mismatch: byte [ebp-59] = 0
004015C7|.C745 9C 02000>|mov dword ptr , 2 ;// [ebp-64] = 2 (sticky: never set back to 1)
004015CE|.EB 04 |jmp short 004015D4
004015D0|>C645 A7 01 |mov byte ptr , 1 ;// match: byte [ebp-59] = 1 (rewritten every iteration, so it only reflects the LAST character)
004015D4|>FF45 90 |inc dword ptr ;// ++[ebp-70]
004015D7|>8D45 F8 lea eax, dword ptr ;// loop condition: eax = &[ebp-8]
004015DA|.E8 17E10000 |call 0040F6F6 ;// eax = length of the entered serial
004015DF|.3B45 90 |cmp eax, dword ptr ;// length vs index [ebp-70]
004015E2|.^ 7F C1 \jg short 004015A5 ;// while (index < length)
004015E4|.807D A7 00 cmp byte ptr , 0 ;// third check, part 1: byte [ebp-59] == 0 (last character differed)?
004015E8 0F84 D2000000 je 004016C0 ;// -> failure path (author's note: NOPed while tracing)
004015EE|.837D 9C 01 cmp dword ptr , 1 ;// third check, part 2: [ebp-64] still 1, i.e. no character mismatched?
004015F2 0F85 C8000000 jnz 004016C0 ;// -> 004016C0; [ebp-59] is 1 on this path, so no failure box is shown either (see 004016C0)
004015F8|.6A 00 push 0 ;// MessageBoxA arg 4: uType = 0 (MB_OK)
004015FA|.66:C745 C0 5C>mov word ptr , 5C ;// word [ebp-40] = 5C
00401600|.8D45 E4 lea eax, dword ptr ;// eax = &[ebp-1C]
00401603|.E8 E0020000 call 004018E8 ;// construct string [ebp-1C]
00401608|.8BD0 mov edx, eax ;// edx = &[ebp-1C]
0040160A|.FF45 CC inc dword ptr ;// ++[ebp-34]
0040160D|.8B0D 606A4300 mov ecx, dword ptr ;// ecx = [00436A60] (a global object, not the pointer saved at [ebp-54])
00401613|.8B81 DC010000 mov eax, dword ptr ;// eax = [ecx+1DC]
00401619|.E8 22910000 call 0040A740 ;// read that control's text into [ebp-1C]
0040161E|.8D45 E4 lea eax, dword ptr ;// eax = &[ebp-1C]
00401621|.E8 F2020000 call 00401918 ;// eax = its character pointer
00401626|.50 push eax ;// arg 3: Caption
00401627|.8D45 E0 lea eax, dword ptr ;// eax = &[ebp-20]
0040162A|.E8 B9020000 call 004018E8 ;// construct string [ebp-20]
0040162F|.8BD0 mov edx, eax ;// edx = &[ebp-20]
00401631|.FF45 CC inc dword ptr ;// ++[ebp-34]
00401634|.8B0D 606A4300 mov ecx, dword ptr ;// ecx = [00436A60]
0040163A|.8B81 DC010000 mov eax, dword ptr ;// eax = [ecx+1DC] (same control as above)
00401640|.E8 FB900000 call 0040A740 ;// read its text into [ebp-20]
00401645|.8D45 E0 lea eax, dword ptr ;// eax = &[ebp-20]
00401648|.E8 CB020000 call 00401918 ;// eax = its character pointer
0040164D|.50 push eax ; |Text
0040164E|.6A 00 push 0 ; |hOwner = NULL
00401650|.E8 69FA0200 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA -- first message on success
00401655|.FF4D CC dec dword ptr ;// --[ebp-34]
00401658|.8D45 E0 lea eax, dword ptr ;// eax = &[ebp-20]
0040165B|.BA 02000000 mov edx, 2
00401660|.E8 37DE0000 call 0040F49C ;// destroy [ebp-20]
00401665|.FF4D CC dec dword ptr ;// --[ebp-34]
00401668|.8D45 E4 lea eax, dword ptr ;// eax = &[ebp-1C]
0040166B|.BA 02000000 mov edx, 2
00401670|.E8 27DE0000 call 0040F49C ;// destroy [ebp-1C]
00401675|.6A 00 push 0 ;// second MessageBoxA: uType = 0
00401677|.68 EC254300 push 004325EC ;buzz'm_frog  -- arg 3: Caption (string literal)
0040167C|.66:C745 C0 68>mov word ptr , 68 ;// word [ebp-40] = 68
00401682|.8D45 DC lea eax, dword ptr ;// eax = &[ebp-24]
00401685|.E8 5E020000 call 004018E8 ;// construct string [ebp-24]
0040168A|.8BD0 mov edx, eax ;// edx = &[ebp-24]
0040168C|.FF45 CC inc dword ptr ;// ++[ebp-34]
0040168F|.8B0D 606A4300 mov ecx, dword ptr ;// ecx = [00436A60]
00401695|.8B81 E0010000 mov eax, dword ptr ;// eax = [ecx+1E0]
0040169B|.E8 A0900000 call 0040A740 ;// read that control's text into [ebp-24]
004016A0|.8D45 DC lea eax, dword ptr ;// eax = &[ebp-24]
004016A3|.E8 70020000 call 00401918 ;// eax = its character pointer
004016A8|.50 push eax ; |Text
004016A9|.6A 00 push 0 ; |hOwner = NULL
004016AB|.E8 0EFA0200 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA -- second message on success
004016B0|.FF4D CC dec dword ptr ;// --[ebp-34]
004016B3|.8D45 DC lea eax, dword ptr ;// eax = &[ebp-24]
004016B6|.BA 02000000 mov edx, 2
004016BB|.E8 DCDD0000 call 0040F49C ;// destroy [ebp-24]; success path falls through into the common tail below
004016C0|>807D A7 00 cmp byte ptr , 0 ;// common tail / failure entry: byte [ebp-59] == 0 ?
004016C4 75 7D jnz short 00401743 ;// flag set (success fell through, or only an earlier character differed): skip the failure box
004016C6|.6A 00 push 0 ;// MessageBoxA uType = 0
004016C8|.66:C745 C0 74>mov word ptr , 74 ;// word [ebp-40] = 74
004016CE|.8D45 D8 lea eax, dword ptr ;// eax = &[ebp-28]
004016D1|.E8 12020000 call 004018E8 ;// construct string [ebp-28]
004016D6|.8BD0 mov edx, eax ;// edx = &[ebp-28]
004016D8|.FF45 CC inc dword ptr ;// ++[ebp-34]
004016DB|.8B0D 606A4300 mov ecx, dword ptr ;// ecx = [00436A60]
004016E1|.8B81 E4010000 mov eax, dword ptr ;// eax = [ecx+1E4]
004016E7|.E8 54900000 call 0040A740 ;// read that control's text into [ebp-28]
004016EC|.8D45 D8 lea eax, dword ptr ;// eax = &[ebp-28]
004016EF|.E8 24020000 call 00401918 ;// eax = its character pointer
004016F4|.50 push eax ;// arg 3: Caption
004016F5|.8D45 D4 lea eax, dword ptr ;// eax = &[ebp-2C]
004016F8|.E8 EB010000 call 004018E8 ;// construct string [ebp-2C]
004016FD|.8BD0 mov edx, eax ;// edx = &[ebp-2C]
004016FF|.FF45 CC inc dword ptr ;// ++[ebp-34]
00401702|.8B0D 606A4300 mov ecx, dword ptr ;// ecx = [00436A60]
00401708|.8B81 E4010000 mov eax, dword ptr ;// eax = [ecx+1E4] (same control as above)
0040170E|.E8 2D900000 call 0040A740 ;// read its text into [ebp-2C]
00401713|.8D45 D4 lea eax, dword ptr ;// eax = &[ebp-2C]
00401716|.E8 FD010000 call 00401918 ;// eax = its character pointer
0040171B|.50 push eax ; |Text
0040171C|.6A 00 push 0 ; |hOwner = NULL
0040171E|.E8 9BF90200 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA -- failure message
00401723|.FF4D CC dec dword ptr ;// --[ebp-34]
00401726|.8D45 D4 lea eax, dword ptr ;// eax = &[ebp-2C]
00401729|.BA 02000000 mov edx, 2
0040172E|.E8 69DD0000 call 0040F49C ;// destroy [ebp-2C]
00401733|.FF4D CC dec dword ptr ;// --[ebp-34]
00401736|.8D45 D8 lea eax, dword ptr ;// eax = &[ebp-28]
00401739|.BA 02000000 mov edx, 2
0040173E|.E8 59DD0000 call 0040F49C ;// destroy [ebp-28]
00401743|>FF4D CC dec dword ptr ;// common epilogue: --[ebp-34]
00401746|.8D45 F4 lea eax, dword ptr ;// eax = &[ebp-C]
00401749|.BA 02000000 mov edx, 2
0040174E|.E8 49DD0000 call 0040F49C ;// destroy [ebp-C]
00401753|.FF4D CC dec dword ptr ;// --[ebp-34]
00401756|.8D45 F8 lea eax, dword ptr ;// eax = &[ebp-8]
00401759|.BA 02000000 mov edx, 2
0040175E|.E8 39DD0000 call 0040F49C ;// destroy [ebp-8]
00401763|.FF4D CC dec dword ptr ;// --[ebp-34]
00401766|.8D45 FC lea eax, dword ptr ;// eax = &[ebp-4]
00401769|.BA 02000000 mov edx, 2
0040176E|.E8 29DD0000 call 0040F49C ;// destroy [ebp-4]
00401773|.8B4D B0 mov ecx, dword ptr ;// ecx = [ebp-50] (saved previous fs:[0]; written by the setup at 00401412, presumably)
00401776|.64:890D 00000>mov dword ptr fs:, ecx ;// fs:[0] = ecx: unlink this frame's exception record
0040177D|.5B pop ebx ;// restore callee-saved ebx
0040177E|.8BE5 mov esp, ebp
00401780|.5D pop ebp
00401781\.C3 retn
总结:
1、用户名ASCII值累加(按带符号字节读取,32位运算),三次乘以十六进制1332,结果+十六进制0F4A,转换为有符号十进制数作为最终真码;随后注册码先按整数比较,再与该十进制字符串按长度和逐字符比较,三者都相符才通过;
(修改原因:第一次分析的时候把完整的转换函数当成算法运算来分析了,谢谢TIANXJ兄弟指点!!)
[ 本帖最后由 网络断魂 于 2007-11-25 16:02 编辑 ] 断魂兄弟 算法日见长了/:09 /:L 高手哦 未经CRACKME作者本人同意,发了破文,失礼之处,望见谅!!!
[ 本帖最后由 网络断魂 于 2007-11-25 10:08 编辑 ] /:013 高手