A First Look at Algorithms -- Crackme001, dedicated to algorithm beginners~~

A First Look at Algorithms -- Crackme001 By 飘云
1. Remove the start-up delay.
2. Analyse the algorithm.
3. Remove the Nag on exit.

Working hard on the crack... Algorithm done:
(sum of the registered name's hex values + 18) + (the registered name's hex values written one after another) + (160409768 - 123456)
(convert to decimal before adding!^…^)
Something seems off??? 160409768 is not a constant....
Got it! 160409768 depends on the date: the date of the crack (20051221), SHL 3 (i.e. times 8). So 160409768 = 20051221 × 8. What?

Downloading it first; CrackMes are the foundation for getting started.

【Write-up Title】Algorithm Analysis of CrackMe001 By 飘云
【Author】busheler
【Author's E-mail】[email protected]
【Author's Homepage】
【Tools】PEiD v0.94, LordPE Deluxe V1.4, ImportREC v1.6, W32Dasm 10.0, OllyDbg 1.10 (odbg110), Quick Unpack v1.0 b3
【Platform】Windows 2000
【Software】CrackMe001 By 飘云
【Size】250KB
【Original Download】https://www.chinapyg.com/attachment.php?aid=385
【Protection】
【Description】【CrackMe#1】
A First Look at Algorithms -- Crackme001 By 飘云
1. Remove the start-up delay.
2. Analyse the algorithm.
3. Remove the Nag on exit.
------------------------------------------------------------------------
I. Identifying the packer:
PEiD v0.94 identifies FSG 2.0 -> bart/xt, OEP 4689c8.
My unpacking skills being limited, unpacking failed!
II. Finding the string references:
Not having fully unpacked the program does not prevent analysing the string references.
Loading the file I failed to unpack into W32Dasm 10.0 shows the following.
:004682A1 BA03000000 mov edx, 00000003
:004682A6 E821BFF9FF call 004041CC
:004682AB 8B45D4 mov eax, dword ptr [ebp-2C]
:004682AE E859BEF9FF call 0040410C
:004682B3 8BD8 mov ebx, eax
:004682B5 8D55C8 lea edx, dword ptr [ebp-38]
:004682B8 8B8614030000 mov eax, dword ptr [esi+00000314]
:004682BE E8E9BAFCFF call 00433DAC
:004682C3 8B45C8 mov eax, dword ptr [ebp-38]
:004682C6 E841BEF9FF call 0040410C
:004682CB 3BD8 cmp ebx, eax
:004682CD 7427 je 004682F6
* Possible StringData Ref from Data Obj ->"注册失败!" (Registration failed!)
|
:004682CF A1DCA64600 mov eax, dword ptr [0046A6DC]
:004682D4 E833C0F9FF call 0040430C
:004682D9 8BD0 mov edx, eax
:004682DB 8D45C4 lea eax, dword ptr [ebp-3C]
:004682DE E861BDF9FF call 00404044
:004682E3 8B55C4 mov edx, dword ptr [ebp-3C]
:004682E6 8B8614030000 mov eax, dword ptr [esi+00000314]
:004682EC E8EBBAFCFF call 00433DDC
:004682F1 E9ED000000 jmp 004683E3
........
:00468381 8B45E8 mov eax, dword ptr [ebp-18]
:00468384 8B55F4 mov edx, dword ptr [ebp-0C]
:00468387 E8CCBEF9FF call 00404258
:0046838C 7521 jne 004683AF
:0046838E 8D45E4 lea eax, dword ptr [ebp-1C]
:00468391 50 push eax
:00468392 8D55B0 lea edx, dword ptr [ebp-50]
:00468395 8B8614030000 mov eax, dword ptr [esi+00000314]
:0046839B E80CBAFCFF call 00433DAC
:004683A0 8B45B0 mov eax, dword ptr [ebp-50]
:004683A3 8D541F01 lea edx, dword ptr [edi+ebx+01]
:004683A7 8B4DE0 mov ecx, dword ptr [ebp-20]
:004683AA E8BDBFF9FF call 0040436C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046838C(C)
|
:004683AF 8B45E4 mov eax, dword ptr [ebp-1C]
:004683B2 E8E9FAF9FF call 00407EA0
:004683B7 0540E20100 add eax, 0001E240
:004683BC 3B0518BC4600 cmp eax, dword ptr [0046BC18]
:004683C2 751F jne 004683E3
:004683C4 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"恭喜" (Congratulations)
|
:004683C6 A1D4A64600 mov eax, dword ptr [0046A6D4]
:004683CB E83CBFF9FF call 0040430C
:004683D0 50 push eax
* Possible StringData Ref from Data Obj ->"注册成功!" (Registration successful!)
|
:004683D1 A1D0A64600 mov eax, dword ptr [0046A6D0]
:004683D6 E831BFF9FF call 0040430C
:004683DB 50 push eax
:004683DC 6A00 push 00000000
:004683DE E8E5E1F9FF call 004065C8
III. The long road, with the packer still on......
1. Tracing:
Load the packed program into OllyDbg and press F9 to run... Once the program is running we are already inside the main program's address space.
From the string references found above it is easy to reach this spot:
Set a breakpoint at 004681C0 with F2, enter a username and serial... "OK", and it breaks at once, heh!
Let's take a slow look......
004681C0 /. 55 push ebp
004681C1 |. 8BEC mov ebp,esp
004681C3 |. B9 0A000000 mov ecx,0A
004681C8 |> 6A 00 /push 0
004681CA |. 6A 00 |push 0
004681CC |. 49 |dec ecx
004681CD |.^ 75 F9 \jnz short CrackMe0.004681C8
004681CF |. 53 push ebx
004681D0 |. 56 push esi
004681D1 |. 57 push edi
004681D2 |. 8BF0 mov esi,eax
004681D4 |. 33C0 xor eax,eax
004681D6 |. 55 push ebp
004681D7 |. 68 3A844600 push CrackMe0.0046843A
004681DC |. 64:FF30 push dword ptr fs:[eax]
004681DF |. 64:8920 mov dword ptr fs:[eax],esp
004681E2 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
004681E5 |. 8B86 10030000 mov eax,dword ptr ds:[esi+310]
004681EB |. E8 BCBBFCFF call CrackMe0.00433DAC ; username -> [ebp-4]
004681F0 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004681F3 |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
004681F9 |. E8 AEBBFCFF call CrackMe0.00433DAC ; serial -> [ebp-8]
004681FE |. 33C0 xor eax,eax
00468200 |. 8945 F0 mov dword ptr ss:[ebp-10],eax
00468203 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00468206 |. E8 01BFF9FF call CrackMe0.0040410C
0046820B |. 8BD8 mov ebx,eax
0046820D |. 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; is the username empty?
00468211 |. 74 06 je short CrackMe0.00468219 ; empty: jump to the error message
00468213 |. 837D F8 00 cmp dword ptr ss:[ebp-8],0 ; is the serial empty?
00468217 |. 75 27 jnz short CrackMe0.00468240 ; not empty: jump on
00468219 |> A1 D8A64600 mov eax,dword ptr ds:[46A6D8] ; 请输入完整信息! (Please enter complete information!)
0046821E |. E8 E9C0F9FF call CrackMe0.0040430C
00468223 |. 8BD0 mov edx,eax
00468225 |. 8D45 DC lea eax,dword ptr ss:[ebp-24]
00468228 |. E8 17BEF9FF call CrackMe0.00404044
0046822D |. 8B55 DC mov edx,dword ptr ss:[ebp-24]
00468230 |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
00468236 |. E8 A1BBFCFF call CrackMe0.00433DDC
0046823B |. E9 A3010000 jmp CrackMe0.004683E3
00468240 |> 8BFB mov edi,ebx
00468242 |. 85FF test edi,edi
00468244 |. 7E 37 jle short CrackMe0.0046827D
00468246 |. BB 01000000 mov ebx,1
0046824B |> 8D4D D8 /lea ecx,dword ptr ss:[ebp-28]
0046824E |. 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; username into EAX
00468251 |. 0FB64418 FF |movzx eax,byte ptr ds:[eax+ebx-1] ; current character
00468256 |. C1E8 00 |shr eax,0
00468259 |. BA 01000000 |mov edx,1
0046825E |. E8 15FCF9FF |call CrackMe0.00407E78 ; the character's ASCII value as a hex string
00468263 |. 8B55 D8 |mov edx,dword ptr ss:[ebp-28]
00468266 |. 8D45 F4 |lea eax,dword ptr ss:[ebp-0C]
00468269 |. E8 A6BEF9FF |call CrackMe0.00404114 ; append it: the hex values of all characters form the second verification group
0046826E |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
00468271 |. 0FB64418 FF |movzx eax,byte ptr ds:[eax+ebx-1]
00468276 |. 0145 F0 |add dword ptr ss:[ebp-10],eax ; accumulate the ASCII values of the username
00468279 |. 43 |inc ebx
0046827A |. 4F |dec edi
0046827B |.^ 75 CE \jnz short CrackMe0.0046824B
0046827D |> 8D55 D0 lea edx,dword ptr ss:[ebp-30]
00468280 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; the accumulated sum into eax
00468283 |. E8 DCFAF9FF call CrackMe0.00407D64 ; sum to a decimal string: the first verification group
00468288 |. FF75 D0 push dword ptr ss:[ebp-30]
0046828B |. FF75 F4 push dword ptr ss:[ebp-0C]
0046828E |. 8D55 CC lea edx,dword ptr ss:[ebp-34]
00468291 |. A1 18BC4600 mov eax,dword ptr ds:[46BC18] ; the third verification group? where does it come from??????
00468296 |. E8 C9FAF9FF call CrackMe0.00407D64 ; third group converted to a decimal string
0046829B |. FF75 CC push dword ptr ss:[ebp-34]
0046829E |. 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
004682A1 |. BA 03000000 mov edx,3
004682A6 |. E8 21BFF9FF call CrackMe0.004041CC ; concatenate groups 1, 2 and 3
004682AB |. 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
004682AE |. E8 59BEF9FF call CrackMe0.0040410C
004682B3 |. 8BD8 mov ebx,eax
004682B5 |. 8D55 C8 lea edx,dword ptr ss:[ebp-38]
004682B8 |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
004682BE |. E8 E9BAFCFF call CrackMe0.00433DAC
004682C3 |. 8B45 C8 mov eax,dword ptr ss:[ebp-38]
004682C6 |. E8 41BEF9FF call CrackMe0.0040410C
004682CB |. 3BD8 cmp ebx,eax ; does the length of the entered serial equal the length of the computed value?
004682CD 74 27 je short CrackMe0.004682F6 ; equal: go and verify; otherwise... registration failed!
004682CF |. A1 DCA64600 mov eax,dword ptr ds:[46A6DC] ; "注册失败!" (Registration failed!)
004682D4 |. E8 33C0F9FF call CrackMe0.0040430C
004682D9 |. 8BD0 mov edx,eax
004682DB |. 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
004682DE |. E8 61BDF9FF call CrackMe0.00404044
004682E3 |. 8B55 C4 mov edx,dword ptr ss:[ebp-3C]
004682E6 |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
004682EC |. E8 EBBAFCFF call CrackMe0.00433DDC
004682F1 |. E9 ED000000 jmp CrackMe0.004683E3
004682F6 |> 8D55 C0 lea edx,dword ptr ss:[ebp-40]
004682F9 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004682FC |. E8 63FAF9FF call CrackMe0.00407D64
00468301 |. 8B45 C0 mov eax,dword ptr ss:[ebp-40]
00468304 |. E8 03BEF9FF call CrackMe0.0040410C
00468309 |. 8BD8 mov ebx,eax ; ebx = length of group 1
0046830B |. 8B45 F4 mov eax,dword ptr ss:[ebp-0C]
0046830E |. E8 F9BDF9FF call CrackMe0.0040410C
00468313 |. 8BF8 mov edi,eax ; edi = length of group 2
00468315 |. 8D55 BC lea edx,dword ptr ss:[ebp-44]
00468318 |. A1 18BC4600 mov eax,dword ptr ds:[46BC18]
0046831D |. E8 42FAF9FF call CrackMe0.00407D64
00468322 |. 8B45 BC mov eax,dword ptr ss:[ebp-44]
00468325 |. E8 E2BDF9FF call CrackMe0.0040410C
0046832A |. 8945 E0 mov dword ptr ss:[ebp-20],eax ; [ebp-20] = length of group 3
0046832D |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
00468330 |. 50 push eax
00468331 |. 8D55 B8 lea edx,dword ptr ss:[ebp-48]
00468334 |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
0046833A |. E8 6DBAFCFF call CrackMe0.00433DAC
0046833F |. 8B45 B8 mov eax,dword ptr ss:[ebp-48]
00468342 |. 8BCB mov ecx,ebx
00468344 |. BA 01000000 mov edx,1
00468349 |. E8 1EC0F9FF call CrackMe0.0040436C ; first group of the entered serial: characters 1..ebx
0046834E |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00468351 |. E8 4AFBF9FF call CrackMe0.00407EA0
00468356 |. 83E8 12 sub eax,12 ; the first group of the entered serial minus 12h (18 decimal) must equal the first verification group
00468359 |. 3B45 F0 cmp eax,dword ptr ss:[ebp-10]
0046835C 0F84 81000000 je CrackMe0.004683E3 ; bail out if not equal! (the bytes shown, 0F84 = je, appear to be a debugger patch; the check as described is jne)
00468362 |. 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00468365 |. 50 push eax
00468366 |. 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
00468369 |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
0046836F |. E8 38BAFCFF call CrackMe0.00433DAC
00468374 |. 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
00468377 |. 8D53 01 lea edx,dword ptr ds:[ebx+1]
0046837A |. 8BCF mov ecx,edi
0046837C |. E8 EBBFF9FF call CrackMe0.0040436C ; second group of the entered serial: edi characters starting at ebx+1
00468381 |. 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; second group of the entered serial into eax
00468384 |. 8B55 F4 mov edx,dword ptr ss:[ebp-0C] ; the computed second group (identical to the serial's) into edx
00468387 |. E8 CCBEF9FF call CrackMe0.00404258 ; compare
0046838C 74 21 je short CrackMe0.004683AF ; jump if not equal! (W32Dasm shows the original bytes 75 21 = jne here)
0046838E |. 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00468391 |. 50 push eax
00468392 |. 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00468395 |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
0046839B |. E8 0CBAFCFF call CrackMe0.00433DAC
004683A0 |. 8B45 B0 mov eax,dword ptr ss:[ebp-50] ; entered serial into EAX
004683A3 |. 8D541F 01 lea edx,dword ptr ds:[edi+ebx+1] ; start of the third group = length of group 1 + length of group 2 + 1
004683A7 |. 8B4D E0 mov ecx,dword ptr ss:[ebp-20] ; length of group 3
004683AA |. E8 BDBFF9FF call CrackMe0.0040436C
004683AF |> 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
004683B2 |. E8 E9FAF9FF call CrackMe0.00407EA0
004683B7 |. 05 40E20100 add eax,1E240 ; third group of the entered serial (decimal) plus 1E240h (123456)
004683BC |. 3B05 18BC4600 cmp eax,dword ptr ds:[46BC18] ; compared with the last verification group
004683C2 75 1F jnz short CrackMe0.004683E3 ; not equal: jump!
004683C4 |. 6A 40 push 40
004683C6 |. A1 D4A64600 mov eax,dword ptr ds:[46A6D4] ; "恭喜" (Congratulations)
004683CB |. E8 3CBFF9FF call CrackMe0.0040430C
004683D0 |. 50 push eax
004683D1 |. A1 D0A64600 mov eax,dword ptr ds:[46A6D0] ; "注册成功!" (Registration successful!)
004683D6 |. E8 31BFF9FF call CrackMe0.0040430C
004683DB |. 50 push eax ; |Text
004683DC |. 6A 00 push 0 ; |hOwner = NULL
004683DE |. E8 E5E1F9FF call CrackMe0.004065C8 ; \MessageBoxA
----------------------------------
00468291 |. A1 18BC4600 mov eax,dword ptr ds:[46BC18] ; the third verification group? where does it come from??????
Search ===> Binary string ===> enter 18BC46 in the HEX +3 field, tick "Entire block", and the code below is easy to find. Set a breakpoint at 004685B0; clicking Register does not break there, so obviously this code already ran at start-up.
No way around it: with the packer on I could not trace further, so I pulled out Quick Unpack v1.0 b3 to strip the jacket, loaded the result into OllyDbg again, set a breakpoint at 004685B0, pressed F9, and sure enough it broke at once :)
Let's see.......
004685B0 /. 55 push ebp
004685B1 |. 8BEC mov ebp,esp
004685B3 |. 33C9 xor ecx,ecx
004685B5 |. 51 push ecx
004685B6 |. 51 push ecx
004685B7 |. 51 push ecx
004685B8 |. 51 push ecx
004685B9 |. 33C0 xor eax,eax
004685BB |. 55 push ebp
004685BC |. 68 7F864600 push CrackMe0.0046867F
004685C1 |. 64:FF30 push dword ptr fs:[eax]
004685C4 |. 64:8920 mov dword ptr fs:[eax],esp
004685C7 |. C705 14BC4600 0A000000 mov dword ptr ds:[46BC14],0A
004685D1 |. E8 7A10FAFF call CrackMe0.00409650 ; get the system year-month-day
004685D6 |. 83C4 F8 add esp,-8 ; /
004685D9 |. DD1C24 fstp qword ptr ss:[esp] ; |Arg1 (8-byte)
004685DC |. 9B wait ; |
004685DD |. 8D45 FC lea eax,dword ptr ss:[ebp-4] ; |
004685E0 |. E8 7F1CFAFF call CrackMe0.0040A264 ; \CrackMe0.0040A264 (date to string)
004685E5 |. 8B55 FC mov edx,dword ptr ss:[ebp-4] ; system date string into EDX
004685E8 |. B8 10BC4600 mov eax,CrackMe0.0046BC10
004685ED |. E8 AEB8F9FF call CrackMe0.00403EA0
004685F2 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004685F5 |. 50 push eax
004685F6 |. B9 04000000 mov ecx,4
004685FB |. BA 01000000 mov edx,1
00468600 |. A1 10BC4600 mov eax,dword ptr ds:[46BC10]
00468605 |. E8 62BDF9FF call CrackMe0.0040436C ; characters 1-4 of the date string (the year)
0046860A |. FF75 F8 push dword ptr ss:[ebp-8]
0046860D |. 8D45 F4 lea eax,dword ptr ss:[ebp-0C]
00468610 |. 50 push eax
00468611 |. B9 02000000 mov ecx,2
00468616 |. BA 06000000 mov edx,6
0046861B |. A1 10BC4600 mov eax,dword ptr ds:[46BC10]
00468620 |. E8 47BDF9FF call CrackMe0.0040436C ; characters 6-7 (the month)
00468625 |. FF75 F4 push dword ptr ss:[ebp-0C]
00468628 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0046862B |. 50 push eax
0046862C |. B9 02000000 mov ecx,2
00468631 |. BA 09000000 mov edx,9
00468636 |. A1 10BC4600 mov eax,dword ptr ds:[46BC10]
0046863B |. E8 2CBDF9FF call CrackMe0.0040436C ; characters 9-10 (the day)
00468640 |. FF75 F0 push dword ptr ss:[ebp-10]
00468643 |. B8 0CBC4600 mov eax,CrackMe0.0046BC0C
00468648 |. BA 03000000 mov edx,3
0046864D |. E8 7ABBF9FF call CrackMe0.004041CC ; join the three pieces: yyyymmdd
00468652 |. A1 0CBC4600 mov eax,dword ptr ds:[46BC0C]
00468657 |. E8 44F8F9FF call CrackMe0.00407EA0 ; string to integer
0046865C |. C1E0 03 shl eax,3 ; year-month-day * 2^3
0046865F |. A3 18BC4600 mov dword ptr ds:[46BC18],eax ; I have not cracked anything in a while and did not remember this instruction, but anyway it stores the product above into address DS:[46BC18]
00468664 |. 33C0 xor eax,eax
00468666 |. 5A pop edx
00468667 |. 59 pop ecx
00468668 |. 59 pop ecx
00468669 |. 64:8910 mov dword ptr fs:[eax],edx
0046866C |. 68 86864600 push CrackMe0.00468686
00468671 |> 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00468674 |. BA 04000000 mov edx,4
00468679 |. E8 F2B7F9FF call CrackMe0.00403E70
0046867E \. C3 retn
A peek inside call CrackMe0.00409650:
00409650 /$ 83C4 E8 add esp,-18
00409653 |. 8D4424 08 lea eax,dword ptr ss:[esp+8]
00409657 |. 50 push eax ; /pLocaltime
00409658 |. E8 83C8FFFF call <jmp.&kernel32.GetLocalTime> ; \GetLocalTime
0040965D |. 66:8B4C24 0E mov cx,word ptr ss:[esp+0E] ; current day into CX
00409662 |. 66:8B5424 0A mov dx,word ptr ss:[esp+0A] ; current month into DX
00409667 |. 66:8B4424 08 mov ax,word ptr ss:[esp+8] ; current year into AX
0040966C |. E8 1BFEFFFF call CrackMe0.0040948C
00409671 |. DD1C24 fstp qword ptr ss:[esp]
00409674 |. 9B wait
00409675 |. DD0424 fld qword ptr ss:[esp]
00409678 |. 83C4 18 add esp,18
0040967B \. C3 retn
2. Analysis of the verification value (not the serial):
The verification value consists of three parts:
Part 1: the sum of the ASCII values of the username's characters;
Part 2: the string formed by the ASCII values of the username's characters written in hex;
Part 3: the system date in the form 20060113, multiplied by 2 to the third power, i.e. 20060113*2^3=160480904.
Username: busheler; system date: 13 January 2006.
Its ASCII codes are:
Char: b    u    s    h    e    l    e    r
Dec:  98   117  115  104  101  108  101  114
Hex:  62   75   73   68   65   6C   65   72
Part 1:
98+117+115+104+101+108+101+114=858
Part 2:
62757368656C6572
Part 3:
20060113*2^3=160480904
3. The verification procedure roughly goes like this:
(1) The first group of the serial minus 18 is compared with the first part.
(2) The second group is compared directly; the compare routine works 4 bytes at a time, and if the length (always even) is not a multiple of 4 the remaining two bytes are checked separately.
(3) The third group of the serial plus 123456 is compared with the third part.
4. Serial algorithm:
Username: busheler
Group 1: 858+18=876
Group 2: 62757368656C6572
Group 3: 160480904-123456=160357448
Hence:
Username: busheler
Serial: 87662757368656C6572160357448
Remarks:
1. Because of my system's date format, this CrackMe kept popping up the dialog "'2006-2' is not a valid integer value"..., which left the third verification value at 0, heh. Thanks to 飘云 for the guidance, which let me finish the serial algorithm analysis! :)
2. "Removing the start-up delay" and "removing the exit Nag" were not analysed.
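The whole scheme above as an added Python model (not the author's code or the CrackMe's own source; written from the disassembly in this post). It reproduces the start-up routine at 004685B0, the three verification parts, the check routine at 004681C0, and the keygen of section III.4, and it also shows what happens on a system whose short-date format is not yyyy-MM-dd, the situation of remark 1. Function names such as date_constant, keygen and check_serial are my own labels, not names from the program; the Delphi RTL calls at 00407E78, 00407D64, 00407EA0, 0040436C and 00404258 are assumed, from their call sites, to behave like IntToHex, IntToStr, StrToInt, Copy and a string compare, and are modelled with plain Python string operations.

```python
# Added example, not from the original post: a Python model of CrackMe001's
# check, written from the disassembly above.  Function names are my own labels;
# the Delphi RTL calls (IntToHex/IntToStr/StrToInt/Copy/compare) are assumed
# from the call sites and modelled with plain Python string operations.
import re

PART1_DELTA = 18       # 0x12, subtracted from the first group at 00468356
DATE_OFFSET = 123456   # 0x1E240, added to the third group at 004683B7


def str_to_int(s: str) -> int:
    """Decimal StrToInt: raise ValueError (Delphi: EConvertError) on junk."""
    if not re.fullmatch(r"-?\d+", s):
        raise ValueError(f"'{s}' is not a valid integer value")
    return int(s)


def date_constant(date_str: str) -> int:
    """004685B0: Copy(s,1,4) + Copy(s,6,2) + Copy(s,9,2), StrToInt, SHL 3.

    Correct only when DateToStr yields 'yyyy-MM-dd'; with e.g. 'yyyy-M-d'
    the fixed slices pick up '-' characters and StrToInt fails.
    """
    joined = date_str[0:4] + date_str[5:7] + date_str[8:10]  # Copy clips at the end
    return str_to_int(joined) << 3


def startup_constant(date_str: str) -> int:
    """What ends up in [46BC18]: the exception skips the store, so it stays 0."""
    try:
        return date_constant(date_str)
    except ValueError:
        return 0


def verification_parts(username: str, date_const: int):
    """The three values computed by the loop at 0046824B and the calls up to 004682A6."""
    data = username.encode("latin-1")          # AnsiString bytes
    part1 = sum(data)                          # add [ebp-10],eax
    part2 = "".join(f"{b:X}" for b in data)    # IntToHex(b,1) appended with LStrCat
    return part1, part2, date_const


def keygen(username: str, date_const: int) -> str:
    """Invert the three checks: group1 = part1+18, group2 = part2, group3 = part3-123456."""
    p1, p2, p3 = verification_parts(username, date_const)
    return f"{p1 + PART1_DELTA}{p2}{p3 - DATE_OFFSET}"


def check_serial(username: str, serial: str, date_const: int) -> bool:
    """Model of the routine at 004681C0."""
    if not username or not serial:                   # 0046820D / 00468213
        return False
    p1, p2, p3 = verification_parts(username, date_const)
    s1, s3 = str(p1), str(p3)
    n1, n2, n3 = len(s1), len(p2), len(s3)
    if len(serial) != n1 + n2 + n3:                  # 004682CB: lengths must match
        return False
    group1 = serial[0:n1]                            # Copy(serial, 1, n1)
    group2 = serial[n1:n1 + n2]                      # Copy(serial, n1+1, n2)
    group3 = serial[n1 + n2:n1 + n2 + n3]            # Copy(serial, n1+n2+1, n3)
    try:
        if str_to_int(group1) - PART1_DELTA != p1:   # 00468356: sub eax,12 ; cmp
            return False
        if group2 != p2:                             # 00468387: string compare
            return False
        return str_to_int(group3) + DATE_OFFSET == p3  # 004683B7: add eax,1E240 ; cmp
    except ValueError:                               # StrToInt raises: no "success" box
        return False


if __name__ == "__main__":
    const = startup_constant("2006-01-13")   # the author's date in XP's yyyy-MM-dd format
    serial = keygen("busheler", const)
    print(serial, check_serial("busheler", serial, const))
    print(startup_constant("2006-1-13"))     # a yyyy-M-d short date: the constant stays 0
```

Run stand-alone, the block prints 87662757368656C6572160357448 True, the same serial as derived above, and then 0 for the Windows 2000 style date string. With the constant stuck at 0 the expected third group is the single character "0", so the length check at 004682CB forces the serial's third group to one character while the check at 004683B7 would need it to equal -123456; on such a system no serial can register, which is why the date format had to be changed before the analysis could be completed.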
------------------------------------------------------------------------
【Copyright】For study and exchange only, not for commercial use; please keep it intact when reposting!

I don't know why; my system is Win2000.

Originally posted by busheler on 2006-1-13 01:03:
I don't know why; my system is Win2000.

Change the date format to:
****-**-**
and debug again; that is XP's default format~~