我的第一个CrackMe的源码,望高手来提意见
这是我的第一个CrackMe, 用汇编铸成, 使用RadASM环境, 看雪有下载。是一个简单的密码学CrackMe, 不为别的, 只想加强下自己的数学知识。 想在论坛宣传下密码学的学习
吧。。呵呵。。总觉得真正的加密还是数学的战争, 只靠自己写点加密性不强的东西是远远不够的
算法介绍:
第一个算法是变形的base64算法
第二个算法是完全没有变形的TEA算法, 是利用RadASM里密码学算法库中的TEA算法
两者加密的结果异或后必须等于某个数据, 这就是基本思想吧。
话说回来。这个是我破一个软件时的一点心得, 本来我也不会上述2个算法。我查了资料才知道, 然后
将汇编转为对应的C, 才知道这两个算法的思想
这个CrackMe算是那个软件的超级简化版, 这个软件我没破出来, 由于该软件是国产软件, 在下不便
透漏, 有兴趣的同志可以发短消息给我
只希望加强下学习密码学的气氛。。~~没别的意思。。看不起密码学的同志来BS吧~呵呵
最后, 我在写CrackMe方面还是个菜鸟, 希望大家多提意见。
.386
.model flat,stdcall
option casemap:none
include CrackMeV1.inc
.data
.code
;-----------------------------------------------------------------------
; Program entry. Caches the module handle and the command line in the
; globals hInstance / CommandLine, initialises the common controls, runs
; WinMain and exits the process with WinMain's return value.
;-----------------------------------------------------------------------
start:
        invoke  InitCommonControls
        invoke  GetCommandLine
        push    eax
        pop     CommandLine                 ; CommandLine = GetCommandLine()
        invoke  GetModuleHandle, NULL
        push    eax
        pop     hInstance                   ; hInstance = GetModuleHandle(NULL)
        invoke  WinMain, hInstance, NULL, CommandLine, SW_SHOWDEFAULT
        invoke  ExitProcess, eax            ; exit code = WinMain's result; never returns
;-----------------------------------------------------------------------
; int WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR CmdLine, int CmdShow)
; Registers the dialog's window class, creates the main dialog from the
; IDD_DIALOG resource, arms the 800 ms timer that runs AntiFunc, and runs
; the message loop. Returns msg.wParam (the exit code passed to
; PostQuitMessage by WndProc).
; Globals used: hInstance (set in start), ClassName, hWnd (filled in by
; WndProc while handling WM_INITDIALOG; CreateDialogParam's own return
; value is not kept).
; NOTE(review): neither RegisterClassEx nor CreateDialogParam is checked;
; if dialog creation fails, hWnd stays 0 and the loop below has nothing
; that will ever post WM_QUIT.
;-----------------------------------------------------------------------
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
        LOCAL   msg:MSG
        LOCAL   wc:WNDCLASSEX

        ; Thread timer (no window): AntiFunc is called every 800 ms.
        invoke  SetTimer, 0, 1, 800, offset AntiFunc

        ; Describe the window class; cbWndExtra = DLGWINDOWEXTRA so the
        ; class can back a dialog template.
        mov     eax, hInst
        mov     wc.hInstance, eax
        mov     wc.cbSize, sizeof WNDCLASSEX
        mov     wc.style, CS_HREDRAW or CS_VREDRAW
        mov     wc.lpfnWndProc, offset WndProc
        mov     wc.cbClsExtra, NULL
        mov     wc.cbWndExtra, DLGWINDOWEXTRA
        mov     wc.hbrBackground, COLOR_BTNFACE+1
        mov     wc.lpszMenuName, 0
        mov     wc.lpszClassName, offset ClassName
        invoke  LoadCursor, NULL, IDC_ARROW
        mov     wc.hCursor, eax
        invoke  LoadIcon, NULL, IDI_APPLICATION
        mov     wc.hIconSm, eax
        mov     wc.hIcon, eax
        invoke  RegisterClassEx, addr wc

        ; Create and show the dialog; hWnd is stored by WndProc on WM_INITDIALOG.
        invoke  CreateDialogParam, hInstance, IDD_DIALOG, NULL, offset WndProc, NULL
        invoke  ShowWindow, hWnd, SW_SHOWNORMAL
        invoke  UpdateWindow, hWnd

        ; Message pump: GetMessage returns 0 only for WM_QUIT.
msg_loop:
        invoke  GetMessage, addr msg, NULL, 0, 0
        test    eax, eax
        jz      msg_done
        invoke  TranslateMessage, addr msg
        invoke  DispatchMessage, addr msg
        jmp     msg_loop
msg_done:
        mov     eax, msg.wParam
        ret
WinMain endp
;-----------------------------------------------------------------------
; LRESULT WndProc(HWND hWin, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Window procedure of the main dialog. Handles WM_INITDIALOG, WM_COMMAND
; (IDC_BTN1 = registration check, IDC_BTN2 = quit, menu items), WM_CLOSE,
; WM_PAINT and WM_DESTROY; everything else goes to DefWindowProc.
; NOTE(review): this listing was extracted from a forum post and every
; bracketed operand ([ebx], [edi+4], array dimensions such as [256]) was
; stripped. Lines with an empty memory operand are annotated below with
; the most plausible reading, marked as an assumption to confirm against
; the original source.
;-----------------------------------------------------------------------
WndProc proc hWin:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
LOCALhDC : HANDLE                       ; window DC from BeginPaint (WM_PAINT)
LOCALhMemDC : HANDLE                    ; memory DC the bitmap is selected into
LOCALps : PAINTSTRUCT
LOCALhBitmap : HANDLE                   ; IDC_IMG1 bitmap loaded on every paint
LOCALbm : BITMAP                        ; bitmap dimensions for BitBlt
LOCALszUsername : byte                  ; user-name edit text plus the appended suffix. As listed this is ONE byte while WM_GETTEXT below copies up to 256 — presumably declared [256] in the original; if not, the copy overruns the stack frame. Confirm.
LOCALszRegcode : byte                   ; registration-code edit text, padded with '0' (same size caveat)
LOCALszBase64Buffer : byte              ; output of BASE64PROC: 3 bytes per 4-char group, 12 bytes for 16 chars (same size caveat)
LOCALdwTEACache:DWORD                   ; TEA key/state: four DWORDs are written below, so presumably [4] in the original
LOCALdwTEABuffer:DWORD                  ; TEA output block plus one constant DWORD; compared against szBase64Buffer
mov eax,uMsg
.if eax==WM_INITDIALOG
push hWin
pop hWnd                                ; publish the main window handle; WinMain's ShowWindow/UpdateWindow read it
.elseif eax==WM_COMMAND
mov eax,wParam
and eax,0FFFFh                          ; LOWORD(wParam) = control / menu id
.if eax==IDM_FILE_EXIT
invoke SendMessage,hWin,WM_CLOSE,0,0
.elseif eax==IDM_HELP_ABOUT
invoke ShellAbout,hWin,addr AppName,addr AboutMsg,NULL
.elseif eax==IDC_BTN1
;Registration check: read both edit controls, decode the code with the modified
;Base64 routine, encrypt the name with TEA, and require decoded XOR tea to equal
;fixed constants. Easy to follow.
invoke SendDlgItemMessage,hWin, IDC_EDT1, WM_GETTEXT, 256, ADDR
szUsername                              ; (argument continued from the line above) eax = chars copied
invoke lstrcat, addr szUsername, StrAddr("vecri*&%");  append the fixed suffix; eax = addr szUsername afterwards
xorecx, ecx
leaebx, szUsername
mov, ecx                                ; zero store through ebx into szUsername; the destination offset was lost in extraction — confirm
invoke SendDlgItemMessage,hWin, IDC_EDT2, WM_GETTEXT, 256, ADDR
szRegcode                               ; eax = length of the entered code
movecx, eax
subecx, 010h
negecx                                  ; ecx = 16 - len; not visibly used afterwards
invokelstrcat, addr szRegcode, StrAddr("0000000000000000")  ; pad so the code has at least 16 chars
xorebx, ebx
leaedi, szRegcode
mov, ebx                                ; zero store through edi; presumably truncates the padded code to 16 chars — offset lost, confirm
;invoke MessageBox, hWin, addr szRegcode, addr szUsername, MB_OK
mov ebx, 10h                            ; decode exactly 16 chars = 4 groups of 3 bytes
invoke BASE64PROC,addr szRegcode, ebx, addr szBase64Buffer
.if eax==04h                            ; BASE64PROC returns the number of 4-char groups; 16 chars give 4
leaedi, dwTEACache
movdword ptr , 1234567h                 ; 128-bit TEA key = 01234567 89ABCDEF FEDCBA98 76543210; stores to [edi], [edi+4], [edi+8], [edi+0Ch] presumably — operands lost
movdword ptr , 89abcdefh
movdword ptr , 0fedcba98h
movdword ptr , 76543210h
invokeTEAInit,addr dwTEACache
invokeTEAEncrypt,addr szUsername, addr dwTEABuffer  ; one TEA block (8 bytes) of szUsername -> 8 bytes in dwTEABuffer
leaesi, szBase64Buffer                  ; esi = decoded code bytes
leaedi, dwTEABuffer                     ; edi = TEA output
movdword ptr , 12345678h                ; third DWORD of the TEA buffer is a fixed constant (presumably [edi+8]) so that three DWORDs can be compared
moveax, dword ptr                       ; eax = decoded[0..3]  (presumably [esi])
xoreax, dword ptr                       ; eax ^= tea[0..3]     (presumably [edi])
cmpeax, 'rcev'                          ; little-endian bytes "vecr"
jnzREGLOSE                              ; wrong code: no message is shown, the handler simply falls out of the .if
moveax, dword ptr                       ; presumably [esi+4] ^ [edi+4]
xoreax, dword ptr
cmpeax, 'c>-i'                          ; bytes "i->c"
jnzREGLOSE
moveax, dword ptr                       ; presumably [esi+8] ^ [edi+8], i.e. against the 12345678h constant
xoreax, dword ptr
cmpeax, 'kcar'                          ; bytes "rack" — the three constants spell "vecri->crack"
jnzREGLOSE
REGOK:
invoke SetDlgItemText, hWin, IDC_EDT2, StrAddr("Right Code!
Now write a keygen, please~~")          ; NOTE: the string literal is split across two lines in this listing
invoke GetDlgItem,hWin, IDC_EDT2
push0
pusheax
callEnableWindow                        ; EnableWindow(hEdit, FALSE): lock the code field after success
REGLOSE:
.endif
.elseif eax==IDC_BTN2
invoke PostQuitMessage,NULL
.endif
; .elseif eax==WM_SIZE
.elseif eax==WM_CLOSE
invoke DestroyWindow,hWin
.elseif eax==WM_PAINT
invoke BeginPaint,hWin, addr ps
movhDC, eax
invoke CreateCompatibleDC, hDC
mov hMemDC, eax
invoke LoadBitmap,hInstance, IDC_IMG1   ; NOTE(review): a new bitmap handle on every paint and no DeleteObject anywhere below — GDI handle leak
mov hBitmap, eax
invoke GetObject,hBitmap, sizeof(BITMAP), addr bm
invoke SelectObject,hMemDC, hBitmap     ; the DC's previous bitmap is not saved/restored before DeleteDC
invoke SelectObject,hDC, hBitmap        ; NOTE(review): bitmaps can only be selected into memory DCs; on the window DC this call is ineffective
invoke BitBlt,hDC, 24, 18, bm.bmWidth, bm.bmHeight, hMemDC, 0, 0, SRCCOPY
invoke DeleteDC,hMemDC
invoke EndPaint,hWin, addr ps
.elseif uMsg==WM_DESTROY
invoke PostQuitMessage,NULL
.else
invoke DefWindowProc,hWin,uMsg,wParam,lParam
ret                                     ; return DefWindowProc's result unchanged
.endif
xor eax,eax                             ; handled messages return 0
ret
WndProc endp
;变形的Base64加密, 将标准的BASE64改动几处, 呵呵~~
;-----------------------------------------------------------------------
; DWORD BASE64PROC(LPSTR lpString, DWORD iLen, LPBYTE lpBase64buffer)
; Modified Base64 *decoder* (the forum comment calls it encryption, but
; the code maps characters to 6-bit values and packs them). Consumes
; 4-character groups from lpString, packs four 6-bit values into 24 bits
; and writes 3 bytes to lpBase64buffer per group.
; Character mapping (before the rotation at F1..F4):
;   'A'..'Z' -> 0..25,  'a'..'z' -> 26..51,  '0'..'9' -> 52..61,
;   '+' or '*' -> 62,   '/' or '$' -> 63,    anything else -> 64.
;   The range tests use signed compares (jl/jg), so bytes >= 80h also
;   land in "anything else".
; Rotation (the "modification"): v -= 10; if v < 0 then v += 65; v &= 3Fh.
; A NUL in the input leaves the remaining slots of the group at 0 and the
; input cursor is not advanced past it; the group count still runs down.
; Returns: eax = number of groups processed = (value computed by the lea
;   below) >> 2; presumably (iLen+3)/4, i.e. 4 for iLen = 16 — confirm.
; Clobbers: only eax (pushad/popad around the body).
; NOTE(review): bracketed memory operands were lost when this listing was
; extracted; the likely operand is given on each such line. Groups B1..B4
; are identical except for the shift amount and the merge mask, so only
; B1 is commented in detail.
;-----------------------------------------------------------------------
BASE64PROCproclpString:DWORD, iLen:DWORD, lpBase64buffer:DWORD
LOCALtemp:DWORD                         ; written after every group; never read in this listing
pushad
movedi, iLen
leaedx,                                 ; operand lost; presumably [edi+3] (round iLen up to whole groups)
shredx, 2                               ; edx = number of 4-char groups (loop counter)
moviLen, edx                            ; the arg slot doubles as the return value
movedi, lpBase64buffer                  ; edi = output cursor
movebx, lpString                        ; ebx = input cursor
B1:
moval, byte ptr ds:                     ; al = next input char (presumably [ebx])
xorecx, ecx                             ; ecx = packed 24-bit group, starts empty
movtemp, ecx
test al, al
je B2                                   ; NUL: slot 0 stays 0, cursor not advanced
incebx
cmpal, 41h
jl @F
cmpal, 5Ah
jg @F
movsxeax, al
subeax, 41h                             ; 'A'..'Z' -> 0..25
JMPF1
@@:
cmpal, 61h
jl @F
cmpal, 7Ah
jg @F
movsxeax, al
subeax, 47h                             ; 'a'..'z' -> 26..51
JMPF1
@@:
cmpal, 30h
jl @F
cmpal, 39h
jg @F
movsxeax, al
addeax, 4                               ; '0'..'9' -> 52..61
jmpF1
@@:
cmpal, 2Bh
je @F
cmpal, 2Ah
je @F
jmp@@1
@@:
moveax, 3Eh                             ; '+' or '*' -> 62
jmpF1
@@1:
cmpal, 2Fh
je @F
cmpal, 24h
je @F
jmp@@2
@@:
moveax, 3Fh                             ; '/' or '$' -> 63
jmpF1
@@2:
mov eax, 40h                            ; any other char -> 64
F1:
sub eax, 0Ah                            ; rotate: v -= 10 ...
jge @F
add eax, 041h                           ; ... wrap negatives with +65
@@:
and eax, 3Fh                            ; keep 6 bits
shl eax, 12h                            ; slot 0 -> bits 18..23
mov ecx, eax
mov temp, ecx
B2:                                     ; slot 1: same mapping, merged into bits 12..17
moval, byte ptr ds:                     ; presumably [ebx]
test al, al
je B3
incebx
cmpal, 41h
jl @F
cmpal, 5Ah
jg @F
movsxeax, al
subeax, 41h
JMPF2
@@:
cmpal, 61h
jl @F
cmpal, 7Ah
jg @F
movsxeax, al
subeax, 47h
JMPF2
@@:
cmpal, 30h
jl @F
cmpal, 39h
jg @F
movsxeax, al
addeax, 4
jmpF2
@@:
cmpal, 2Bh
je @F
cmpal, 2Ah
je @F
jmp@@3
@@:
moveax, 3Eh
jmpF2
@@3:
cmpal, 2Fh
je @F
cmpal, 24h
je @F
jmp@@4
@@:
moveax, 3Fh
jmpF2
@@4:
mov eax, 40h
F2:
sub eax, 0Ah
jge @F
add eax, 41h
@@:
and eax, 3Fh
and ecx, 0FFFC0FFFh                     ; clear bits 12..17 of the group
shl eax, 0Ch
or eax, ecx
mov ecx, eax
mov temp, ecx
B3:                                     ; slot 2: merged into bits 6..11
moval, byte ptr ds:                     ; presumably [ebx]
test al, al
je B4
incebx
cmpal, 41h
jl @F
cmpal, 5Ah
jg @F
movsxeax, al
subeax, 41h
JMPF3
@@:
cmpal, 61h
jl @F
cmpal, 7Ah
jg @F
movsxeax, al
subeax, 47h
JMPF3
@@:
cmpal, 30h
jl @F
cmpal, 39h
jg @F
movsxeax, al
addeax, 4
jmpF3
@@:
cmpal, 2Bh
je @F
cmpal, 2Ah
je @F
jmp@@5
@@:
moveax, 3Eh
jmpF3
@@5:
cmpal, 2Fh
je @F
cmpal, 24h
je @F
jmp@@6
@@:
moveax, 3Fh
jmpF3
@@6:
mov eax, 40h
F3:
sub eax, 0Ah
jge @F
add eax, 41h
@@:
and eax, 3Fh
and ecx, 0FFFFF03Fh                     ; clear bits 6..11 of the group
shl eax, 06h
or eax, ecx
mov ecx, eax
mov temp, ecx
B4:                                     ; slot 3: merged into bits 0..5
moval, byte ptr ds:                     ; presumably [ebx]
test al, al
je FINISH
incebx
cmpal, 41h
jl @F
cmpal, 5Ah
jg @F
movsxeax, al
subeax, 41h
JMPF4
@@:
cmpal, 61h
jl @F
cmpal, 7Ah
jg @F
movsxeax, al
subeax, 47h
JMPF4
@@:
cmpal, 30h
jl @F
cmpal, 39h
jg @F
movsxeax, al
addeax, 4
jmpF4
@@:
cmpal, 2Bh
je @F
cmpal, 2Ah
je @F
jmp@@7
@@:
moveax, 3Eh
jmpF4
@@7:
cmpal, 2Fh
je @F
cmpal, 24h
je @F
jmp@@8
@@:
moveax, 3Fh
jmpF4
@@8:
mov eax, 40h
F4:
sub eax, 0Ah
jge @F
add eax, 41h
@@:
and eax, 03Fh
and ecx, 0FFFFFFC0h                     ; clear bits 0..5 of the group
or eax, ecx
mov ecx, eax
mov temp, ecx
FINISH:                                 ; emit the 24-bit group, low byte first (reverse of standard Base64 byte order)
mov , cl                                ; presumably [edi]   = bits 0..7
mov , ch                                ; presumably [edi+1] = bits 8..15
shr ecx, 10h
mov , cl                                ; presumably [edi+2] = bits 16..23
add edi, 3
dec edx
jnz B1                                  ; next group
popad
mov eax, iLen                           ; return the group count stored above
ret
BASE64PROCendp
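include ANTI.ASM                        ; AntiFunc; its text is reproduced below under ";ANTI.ASM"
end start                               ; entry point defined above (the post shows this as "endstart", which does not assemble)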
;ANTI.ASM
.code
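;-----------------------------------------------------------------------
; VOID CALLBACK AntiFunc(HWND, UINT, UINT_PTR idEvent, DWORD dwTime)
; TIMERPROC armed by WinMain (SetTimer, 800 ms, no window). Looks for a
; top-level window whose caption matches one of a few debugger titles
; and asks it to close with WM_CLOSE.
; Changes against the posted listing:
;   * the four TIMERPROC arguments are declared, so MASM's stdcall
;     epilogue pops them (the listing declared no parameters)
;   * an explicit `ret` ends the body; the listing had none before `endp`,
;     so execution fell through the end of the procedure
; FindWindow(NULL, caption) matches the whole caption, not a substring,
; so a short caption such as "OD" also hits any unrelated window with
; exactly that caption. This is a heuristic, not an integrity check.
;-----------------------------------------------------------------------
AntiFunc proc hTimerWnd:HWND, uTimerMsg:UINT, idEvent:DWORD, dwTime:DWORD
        invoke  FindWindow, StrAddr("OllyDBG"), 0
        .if eax                                 ; eax = HWND or NULL
                invoke  SendMessage, eax, WM_CLOSE, 0, 0
        .endif
        invoke  FindWindow, StrAddr("ODbyDYK"), 0
        .if eax
                invoke  SendMessage, eax, WM_CLOSE, 0, 0
        .endif
        invoke  FindWindow, StrAddr("1212121"), 0
        .if eax
                invoke  SendMessage, eax, WM_CLOSE, 0, 0
        .endif
        invoke  FindWindow, StrAddr("fly*OD*"), 0
        .if eax
                invoke  SendMessage, eax, WM_CLOSE, 0, 0
        .endif
        invoke  FindWindow, StrAddr("OD"), 0
        .if eax
                invoke  SendMessage, eax, WM_CLOSE, 0, 0
        .endif
        invoke  FindWindow, StrAddr("UkillOD"), 0
        .if eax
                invoke  SendMessage, eax, WM_CLOSE, 0, 0
        .endif
        ret                                     ; TIMERPROC returns nothing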
AntiFunc endp 记得上次 CM 大赛中就有一个较擅长密码学朋友,把一个(忘了什么算法)变形了,然后发布,结果给数十人单单打打的说了好多天 /:L
密码学真的很小看,不懂。也一点兴趣都没有,现在研究写属于自己的VM , 感觉比那些有意思一些(纯属自我感觉) 密码学用在CM里面,感觉大材小用。
这种 Tea(Name) Xor 常数 = F(SN),逆向F的算法,对常人太难,爆破又太容易。就算用计算机穷举出符合条件的SN,还是没有真正逆向。 好帖子,帮忙顶一下。 /:L有点花类我~~ 不懂:/:11 /:11 /:11