CrackMe Nr.7简单算法分析

hrbx · 发表于 2006-5-30 01:33:43

【破文标题】CrackMe Nr.7简单算法分析
【破解作者】hrbx
【作者主页】hrbx.ys168.com
【作者邮箱】[email protected]
【破解平台】WinXP
【使用工具】flyOD1.10、Peid
【破解日期】2006-05-29
【软件名称】CrackMe Nr.7
【软件大小】383KB
【下载地址】见附件
【加壳方式】无
【软件简介】CrackMe Nr.7
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
-----------------------------------------------------------------------------------------------
【破解过程】
1.查壳。用Peid扫描，显示为：Borland Delphi 4.0 - 5.0，无壳。
2.试运行CrackMe。CrackMe分为5个等级：Nag、Password、Serial、CheckBox、TrackBar。
3.开始各个击破吧。
3-1.去掉启动时的Nag提示。
OD载入CrackMe,命令栏下断点：bp MessageBoxA，回车，F9运行，中断：
77D36476 u> 833D D0C3D677 00 cmp dword ptr ds:[77D6C3D0],0
77D3647D 0F85 885B0100 jnz user32.77D4C00B
77D36483 6A 00 push 0
77D36485 FF7424 14 push dword ptr ss:[esp+14]
堆栈友好提示：
0012FF20 00441CF7 /CALL 到 MessageBoxA 来自 CrackMe_.00441CF2
0012FF24 000805FE |hOwner = 000805FE ('Crackme_7',class='TApplication')
0012FF28 00A93544 |Text = "Hello, I'm a NAG.Please kill me...."
0012FF2C 00A93578 |Title = "Sorry..."
0012FF30 00000000 \Style = MB_OK|MB_APPLMODAL
0012FF34 0012FFA8 指针到下一个 SEH 记录
0012FF38 00441D59 SE 句柄
Alt+F9返回，弹出Nag提示窗体，点击"确定"按钮，来到：
00441CF1 |. 50 push eax
00441CF2 |. E8 5946FCFF call <jmp.&user32.MessageBoxA>
00441CF7 |. 8945 F8 mov dword ptr ss:[ebp-8],eax ; Alt+F9返回到这里
00441CFA |. 33C0 xor eax,eax
00441CFC |. 5A pop edx
F8几步，经过retn后，来到：
0044D09C . 59 pop ecx
0044D09D E8 724BFFFF call CrackMe_.00441C14 ; 调用Nag窗体，Nop掉
0044D0A2 . A1 A0ED4400 mov eax,dword ptr ds:[44EDA0] ; F8直到这里
0044D0A7 . 8B00 mov eax,dword ptr ds:[eax]
0044D0A9 . E8 7649FFFF call CrackMe_.00441A24
0044D0AE . A1 A0ED4400 mov eax,dword ptr ds:[44EDA0]
Nop掉0044D09D处的Call,就去掉了启动时的Nag提示。
3-2.寻找Password.
OD载入CrackMe，右键--Ultra String Reference--Find ASCII,查找“right password”，
找到后双击，来到：
0044C512 |. BA 78C54400 mov edx,CrackMe_.0044C578 ; right password，双击后来到这里
0044C517 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C51D |. E8 3293FDFF call CrackMe_.00425854
0044C522 |. EB 22 jmp short CrackMe_.0044C546
0044C524 |> BA 90C54400 mov edx,CrackMe_.0044C590 ; wrong password
向上查找，来到0044C3A4处F2下断，Ctrl+F2重新载入CrackMe，F9运行，输入Password:
==========================
Password:9876543210
==========================
点击"Check"标签，立即中断：
0044C3A4 /. 55 push ebp ; F2在此下断，中断后F8往下走
0044C3A5 |. 8BEC mov ebp,esp
0044C3A7 |. B9 06000000 mov ecx,6
0044C3AC |> 6A 00 /push 0
0044C3AE |. 6A 00 |push 0
0044C3B0 |. 49 |dec ecx
0044C3B1 |.^ 75 F9 \jnz short CrackMe_.0044C3AC
0044C3B3 |. 53 push ebx
0044C3B4 |. 8BD8 mov ebx,eax
0044C3B6 |. 33C0 xor eax,eax
0044C3B8 |. 55 push ebp
0044C3B9 |. 68 61C54400 push CrackMe_.0044C561
0044C3BE |. 64:FF30 push dword ptr fs:[eax]
0044C3C1 |. 64:8920 mov dword ptr fs:[eax],esp
0044C3C4 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
0044C3C7 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C3CD |. E8 5294FDFF call CrackMe_.00425824
0044C3D2 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 假码"9876543210"
0044C3D5 |. E8 9A76FBFF call CrackMe_.00403A74 ; 获取假码长度，EAX＝0xA
0044C3DA |. 83F8 0C cmp eax,0C ; 假码长度与0xC比较
0044C3DD |. 0F85 53010000 jnz CrackMe_.0044C536 ; 不等则Over,暴破点1，Nop掉
0044C3E3 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
0044C3E6 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C3EC |. E8 3394FDFF call CrackMe_.00425824
0044C3F1 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 假码"9876543210"
0044C3F4 |. 8038 43 cmp byte ptr ds:[eax],43 ; 假码第1位与0x43('C')比较
0044C3F7 |. 0F85 27010000 jnz CrackMe_.0044C524 ; 不等则Over,暴破点2，Nop掉
0044C3FD |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
0044C400 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C406 |. E8 1994FDFF call CrackMe_.00425824
0044C40B |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0044C40E |. 8078 03 6F cmp byte ptr ds:[eax+3],6F ; 假码第4位与0x6F('o')比较
0044C412 |. 0F85 0C010000 jnz CrackMe_.0044C524 ; 不等则Over,暴破点3，Nop掉
0044C418 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
0044C41B |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C421 |. E8 FE93FDFF call CrackMe_.00425824
0044C426 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0044C429 |. 8078 08 6F cmp byte ptr ds:[eax+8],6F ; 假码第9位与0x6F('o')比较
0044C42D |. 0F85 F1000000 jnz CrackMe_.0044C524 ; 不等则Over,暴破点4，Nop掉
0044C433 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
0044C436 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C43C |. E8 E393FDFF call CrackMe_.00425824
0044C441 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0044C444 |. 8078 01 6C cmp byte ptr ds:[eax+1],6C ; 假码第2位与0x6C('l')比较
0044C448 |. 0F85 D6000000 jnz CrackMe_.0044C524 ; 不等则Over,暴破点5，Nop掉
0044C44E |. 8D55 EC lea edx,dword ptr ss:[ebp-14]
0044C451 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C457 |. E8 C893FDFF call CrackMe_.00425824
0044C45C |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
0044C45F |. 8078 04 20 cmp byte ptr ds:[eax+4],20 ; 假码第5位与0x20(' ')比较
0044C463 |. 0F85 BB000000 jnz CrackMe_.0044C524 ; 不等则Over,暴破点6，Nop掉
0044C469 |. 8D55 E8 lea edx,dword ptr ss:[ebp-18]
0044C46C |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C472 |. E8 AD93FDFF call CrackMe_.00425824
0044C477 |. 8B45 E8 mov eax,dword ptr ss:[ebp-18]
0044C47A |. 8078 0A 52 cmp byte ptr ds:[eax+A],52 ; 假码第11位与0x52('R')比较
0044C47E |. 0F85 A0000000 jnz CrackMe_.0044C524 ; 不等则Over,暴破点7，Nop掉
0044C484 |. 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
0044C487 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C48D |. E8 9293FDFF call CrackMe_.00425824
0044C492 |. 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
0044C495 |. 8078 07 75 cmp byte ptr ds:[eax+7],75 ; 假码第8位与0x75('u')比较
0044C499 |. 0F85 85000000 jnz CrackMe_.0044C524 ; 不等则Over,暴破点8，Nop掉
0044C49F |. 8D55 E0 lea edx,dword ptr ss:[ebp-20]
0044C4A2 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C4A8 |. E8 7793FDFF call CrackMe_.00425824
0044C4AD |. 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0044C4B0 |. 8078 09 6E cmp byte ptr ds:[eax+9],6E ; 假码第10位与0x6E('n')比较
0044C4B4 |. 75 6E jnz short CrackMe_.0044C524 ; 不等则Over,暴破点9，Nop掉
0044C4B6 |. 8D55 DC lea edx,dword ptr ss:[ebp-24]
0044C4B9 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C4BF |. E8 6093FDFF call CrackMe_.00425824
0044C4C4 |. 8B45 DC mov eax,dword ptr ss:[ebp-24]
0044C4C7 |. 8078 02 6E cmp byte ptr ds:[eax+2],6E ; 假码第3位与0x6E('n')比较
0044C4CB |. 75 57 jnz short CrackMe_.0044C524 ; 不等则Over,暴破点10，Nop掉
0044C4CD |. 8D55 D8 lea edx,dword ptr ss:[ebp-28]
0044C4D0 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C4D6 |. E8 4993FDFF call CrackMe_.00425824
0044C4DB |. 8B45 D8 mov eax,dword ptr ss:[ebp-28]
0044C4DE |. 8078 05 69 cmp byte ptr ds:[eax+5],69 ; 假码第6位与0x69('i')比较
0044C4E2 |. 75 40 jnz short CrackMe_.0044C524 ; 不等则Over,暴破点11，Nop掉
0044C4E4 |. 8D55 D4 lea edx,dword ptr ss:[ebp-2C]
0044C4E7 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C4ED |. E8 3293FDFF call CrackMe_.00425824
0044C4F2 |. 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
0044C4F5 |. 8078 0B 6E cmp byte ptr ds:[eax+B],6E ; 假码第12位与0x6E('n')比较
0044C4F9 |. 75 29 jnz short CrackMe_.0044C524 ; 不等则Over,暴破点12，Nop掉
0044C4FB |. 8D55 D0 lea edx,dword ptr ss:[ebp-30]
0044C4FE |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C504 |. E8 1B93FDFF call CrackMe_.00425824
0044C509 |. 8B45 D0 mov eax,dword ptr ss:[ebp-30]
0044C50C |. 8078 06 67 cmp byte ptr ds:[eax+6],67 ; 假码第7位与0x67('g')比较
0044C510 |. 75 12 jnz short CrackMe_.0044C524 ; 不等则Over,暴破点13，Nop掉
0044C512 |. BA 78C54400 mov edx,CrackMe_.0044C578 ; right password
0044C517 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C51D |. E8 3293FDFF call CrackMe_.00425854
0044C522 |. EB 22 jmp short CrackMe_.0044C546
0044C524 |> BA 90C54400 mov edx,CrackMe_.0044C590 ; wrong password
0044C529 |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C52F |. E8 2093FDFF call CrackMe_.00425854
0044C534 |. EB 10 jmp short CrackMe_.0044C546
0044C536 |> BA 90C54400 mov edx,CrackMe_.0044C590 ; wrong password
0044C53B |. 8B83 E8020000 mov eax,dword ptr ds:[ebx+2E8]
0044C541 |. E8 0E93FDFF call CrackMe_.00425854
0044C546 |> 33C0 xor eax,eax
0044C548 |. 5A pop edx
0044C549 |. 59 pop ecx
程序逐位取输入的Password与固定字符比较，相等则通过。Password为固定值：Clno iguonRn。
3-3.Serial简单算法分析。
OD载入CrackMe，右键--Ultra String Reference--Find ASCII,查找"You have found the correct Serial :)"，
找到后双击，来到：
0044C763 |. BA CCC74400 mov edx,CrackMe_.0044C7CC ; you have found the correct serial :)
0044C768 |. E8 E790FDFF call CrackMe_.00425854
0044C76D |> 33C0 xor eax,eax
向上查找，来到0044C648处F2下断，Ctrl+F2重新载入CrackMe，F9运行，输入注册信息:
==========================
Name:hrbxhui
Company:h2h StudiOS
Serial:9876543210
==========================
点击"Check"标签，立即中断：
0044C648 /. 55 push ebp ; F2在此下断，中断后F8往下走
0044C649 |. 8BEC mov ebp,esp
0044C64B |. 83C4 F8 add esp,-8
0044C64E |. 53 push ebx
0044C64F |. 56 push esi
0044C650 |. 33C9 xor ecx,ecx
0044C652 |. 894D F8 mov dword ptr ss:[ebp-8],ecx
0044C655 |. 8BF0 mov esi,eax
0044C657 |. 33C0 xor eax,eax
0044C659 |. 55 push ebp
0044C65A |. 68 83C74400 push CrackMe_.0044C783
0044C65F |. 64:FF30 push dword ptr fs:[eax]
0044C662 |. 64:8920 mov dword ptr fs:[eax],esp
0044C665 |. 33C0 xor eax,eax
0044C667 |. 8945 FC mov dword ptr ss:[ebp-4],eax
0044C66A |. A1 80F84400 mov eax,dword ptr ds:[44F880]
0044C66F |. E8 0074FBFF call CrackMe_.00403A74 ; 获取用户名长度，EAX＝7
0044C674 |. 83F8 06 cmp eax,6 ; 用户名长度与6比较
0044C677 |. 0F8E F0000000 jle CrackMe_.0044C76D ; 小于等于则Over,暴破点1，Nop掉
0044C67D |. A1 80F84400 mov eax,dword ptr ds:[44F880]
0044C682 |. E8 ED73FBFF call CrackMe_.00403A74 ; 获取用户名长度，EAX＝7
0044C687 |. 83F8 14 cmp eax,14 ; 用户名长度与0x14(20)比较
0044C68A |. 0F8D DD000000 jge CrackMe_.0044C76D ; 大于等于则Over,暴破点2，Nop掉
0044C690 |. A1 80F84400 mov eax,dword ptr ds:[44F880]
0044C695 |. E8 DA73FBFF call CrackMe_.00403A74
0044C69A |. 85C0 test eax,eax
0044C69C |. 7E 17 jle short CrackMe_.0044C6B5
0044C69E |. BA 01000000 mov edx,1
0044C6A3 |> 8B0D 80F84400 /mov ecx,dword ptr ds:[44F880] ; 用户名"hrbxhui"
0044C6A9 |. 0FB64C11 FF |movzx ecx,byte ptr ds:[ecx+edx-1] ; 依次取用户名每一位字符的ASCII值
0044C6AE |. 014D FC |add dword ptr ss:[ebp-4],ecx ; 将用户名所有字符的ASCII值累加
0044C6B1 |. 42 |inc edx ; ASCII值累加之和为0x2FA(762)
0044C6B2 |. 48 |dec eax
0044C6B3 |.^ 75 EE \jnz short CrackMe_.0044C6A3
0044C6B5 |> A1 84F84400 mov eax,dword ptr ds:[44F884]
0044C6BA |. E8 B573FBFF call CrackMe_.00403A74 ; 获取公司名称长度，EAX=0xB
0044C6BF |. 83F8 02 cmp eax,2 ; 公司名称长度与2比较
0044C6C2 |. 7E 18 jle short CrackMe_.0044C6DC ; 小于等于则Over,暴破点3，Nop掉
0044C6C4 |. A1 84F84400 mov eax,dword ptr ds:[44F884]
0044C6C9 |. E8 A673FBFF call CrackMe_.00403A74 ; 获取公司名称长度，EAX=0xB
0044C6CE |. 83F8 08 cmp eax,8 ; 公司名称长度与8比较
0044C6D1 |. 7D 09 jge short CrackMe_.0044C6DC ; 大于等于则跳
0044C6D3 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 公司名称长度若小于8
0044C6D6 |. 6BC0 02 imul eax,eax,2 ; 则将公司名称长度乘2,EAX=EAX*2
0044C6D9 |. 8945 FC mov dword ptr ss:[ebp-4],eax
0044C6DC |> 68 98C74400 push CrackMe_.0044C798 ; i love cracking and
0044C6E1 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
0044C6E4 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0044C6E7 |. E8 68B0FBFF call CrackMe_.00407754 ; ASCII值累加之和10进制形式转为字符串
0044C6EC |. FF75 F8 push dword ptr ss:[ebp-8] ; 0x2FA(762)-->"762"
0044C6EF |. 68 B8C74400 push CrackMe_.0044C7B8 ; girls ;)
0044C6F4 |. B8 8CF84400 mov eax,CrackMe_.0044F88C ; 连接成字符串str1"I Love Cracking and 762 Girls ;)"
0044C6F9 |. BA 03000000 mov edx,3
0044C6FE |. E8 3174FBFF call CrackMe_.00403B34
0044C703 |. 33C0 xor eax,eax
0044C705 |. 8945 FC mov dword ptr ss:[ebp-4],eax
0044C708 |. A1 88F84400 mov eax,dword ptr ds:[44F888]
0044C70D |. E8 6273FBFF call CrackMe_.00403A74 ; 获取假码"9876543210"长度，EAX＝0xA(10)
0044C712 |. 8BD8 mov ebx,eax ; EBX=EAX=0xA
0044C714 |. A1 8CF84400 mov eax,dword ptr ds:[44F88C]
0044C719 |. E8 5673FBFF call CrackMe_.00403A74 ; 获取字符串str1长度，EAX＝0x20(32)
0044C71E |. 3BD8 cmp ebx,eax ; 比较假码与字符串长度是否相等
0044C720 |. 75 4B jnz short CrackMe_.0044C76D ; 不等则Over,暴破点4，Nop掉
0044C722 |. A1 88F84400 mov eax,dword ptr ds:[44F888]
0044C727 |. E8 4873FBFF call CrackMe_.00403A74
0044C72C |. 85C0 test eax,eax
0044C72E |. 7E 27 jle short CrackMe_.0044C757
0044C730 |. BA 01000000 mov edx,1
0044C735 |> 8B0D 88F84400 /mov ecx,dword ptr ds:[44F888] ; 假码"9876543210"长度
0044C73B |. 0FB64C11 FF |movzx ecx,byte ptr ds:[ecx+edx-1] ; 依次取假码每一位字符的ASCII值
0044C740 |. 034D FC |add ecx,dword ptr ss:[ebp-4] ; 将地址ss:[ebp-4]处的值加到字符的ASCII值
0044C743 |. 8B1D 8CF84400 |mov ebx,dword ptr ds:[44F88C] ; 字符串str1"I Love Cracking and 762 Girls ;)"
0044C749 |. 0FB65C13 FF |movzx ebx,byte ptr ds:[ebx+edx-1] ; 依次取字符串str1每一位字符的ASCII值
0044C74E |. 2BCB |sub ecx,ebx ; 依次减去字符串str中取出的字符的ASCII值
0044C750 |. 894D FC |mov dword ptr ss:[ebp-4],ecx ; 将相减的差保存在ss:[ebp-4]中
0044C753 |. 42 |inc edx
0044C754 |. 48 |dec eax
0044C755 |.^ 75 DE \jnz short CrackMe_.0044C735
0044C757 |> 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; 比较地址ss:[ebp-4]处的值是否为0
0044C75B |. 75 10 jnz short CrackMe_.0044C76D ; 不等则Over,暴破点5，Nop掉
0044C75D |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
0044C763 |. BA CCC74400 mov edx,CrackMe_.0044C7CC ; you have found the correct serial :)
0044C768 |. E8 E790FDFF call CrackMe_.00425854
用户名和公司长度有一定限制，取用户名各位字符的ASCII值累加，结果与固定字符串连接，再与输入的注册码比较。
3-4.心形CheckBoxes之旅。由于CrackMe是用Delphi编写的，还是用Dede分析一下吧。
Dede载入CrackMe，很容易找到CheckBoxes对应的SpeedButton3Click,双击来到如下位置：
0044C7F4 55 push ebp
0044C7F5 8BEC mov ebp, esp
0044C7F7 6A00 push $00
0044C7F9 53 push ebx
0044C7FA 8BD8 mov ebx, eax
0044C7FC 33C0 xor eax, eax
0044C7FE 55 push ebp
* Possible String Reference to: '閾i?腽[Y]?
|
0044C7FF 6820C94400 push $0044C920
***** TRY
|
0044C804 64FF30 push dword ptr fs:[eax]
0044C807 648920 mov fs:[eax], esp
* Reference to control TForm1.cb3 : TCheckBox <====CheckBox3
|
0044C80A 8B8324030000 mov eax, [ebx+$0324]
0044C810 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C812 FF92B8000000 call dword ptr [edx+$00B8]
0044C818 84C0 test al, al
0044C81A 0F84CD000000 jz 0044C8ED
* Reference to control TForm1.cb5 : TCheckBox <====CheckBox5
|
0044C820 8B8328030000 mov eax, [ebx+$0328]
0044C826 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C828 FF92B8000000 call dword ptr [edx+$00B8]
0044C82E 84C0 test al, al
0044C830 0F84B7000000 jz 0044C8ED
* Reference to control TForm1.cb6 : TCheckBox <====CheckBox6
|
0044C836 8B832C030000 mov eax, [ebx+$032C]
0044C83C 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C83E FF92B8000000 call dword ptr [edx+$00B8]
0044C844 84C0 test al, al
0044C846 0F84A1000000 jz 0044C8ED
* Reference to control TForm1.cb12 : TCheckBox <====CheckBox12
|
0044C84C 8B8358030000 mov eax, [ebx+$0358]
0044C852 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C854 FF92B8000000 call dword ptr [edx+$00B8]
0044C85A 84C0 test al, al
0044C85C 0F848B000000 jz 0044C8ED
* Reference to control TForm1.cb15 : TCheckBox <====CheckBox15
|
0044C862 8B8364030000 mov eax, [ebx+$0364]
0044C868 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C86A FF92B8000000 call dword ptr [edx+$00B8]
0044C870 84C0 test al, al
0044C872 7479 jz 0044C8ED
* Reference to control TForm1.cb20 : TCheckBox <====CheckBox20
|
0044C874 8B8330030000 mov eax, [ebx+$0330]
0044C87A 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C87C FF92B8000000 call dword ptr [edx+$00B8]
0044C882 84C0 test al, al
0044C884 7467 jz 0044C8ED
* Reference to control TForm1.cb9 : TCheckBox <====CheckBox9
|
0044C886 8B834C030000 mov eax, [ebx+$034C]
0044C88C 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C88E FF92B8000000 call dword ptr [edx+$00B8]
0044C894 84C0 test al, al
0044C896 7455 jz 0044C8ED
* Reference to control TForm1.cb11 : TCheckBox <====CheckBox11
|
0044C898 8B8354030000 mov eax, [ebx+$0354]
0044C89E 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C8A0 FF92B8000000 call dword ptr [edx+$00B8]
0044C8A6 84C0 test al, al
0044C8A8 7443 jz 0044C8ED
* Reference to control TForm1.cb13 : TCheckBox <====CheckBox13
|
0044C8AA 8B835C030000 mov eax, [ebx+$035C]
0044C8B0 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C8B2 FF92B8000000 call dword ptr [edx+$00B8]
0044C8B8 84C0 test al, al
0044C8BA 7431 jz 0044C8ED
* Reference to control TForm1.cb19 : TCheckBox <====CheckBox19
|
0044C8BC 8B833C030000 mov eax, [ebx+$033C]
0044C8C2 8B10 mov edx, [eax]
* Reference to method TCheckBox.GetChecked()
|
0044C8C4 FF92B8000000 call dword ptr [edx+$00B8]
0044C8CA 84C0 test al, al
0044C8CC 741F jz 0044C8ED
0044C8CE 8D45FC lea eax, [ebp-$04]
* Possible String Reference to: '条舾鲼辚螭哨榔材驸忸噤抖' <====加密的成功提示"You are a GOOD Cracker!!"
|
0044C8D1 BA34C94400 mov edx, $0044C934
* Reference to: System.Proc_00403890
|
0044C8D6 E8B56FFBFF call 00403890
0044C8DB 8D45FC lea eax, [ebp-$04]
* Reference to: crack.Proc_0044BF00
|
0044C8DE E81DF6FFFF call 0044BF00
0044C8E3 8B45FC mov eax, [ebp-$04]
* Reference to: dialogs.ShowMessage(AnsiString);
|
0044C8E6 E80989FFFF call 004451F4
0044C8EB EB1D jmp 0044C90A
0044C8ED 8D45FC lea eax, [ebp-$04]
* Possible String Reference to: '?骝琛?帙?赙甬?ろ?铊?' <====加密的错误提示"Sorry,but this is wrong!"
|
0044C8F0 BA58C94400 mov edx, $0044C958
* Reference to: System.Proc_00403890
|
0044C8F5 E8966FFBFF call 00403890
0044C8FA 8D45FC lea eax, [ebp-$04]
* Reference to: crack.Proc_0044BF00
|
0044C8FD E8FEF5FFFF call 0044BF00
0044C902 8B45FC mov eax, [ebp-$04]
* Reference to: dialogs.ShowMessage(AnsiString);
|
0044C905 E8EA88FFFF call 004451F4
0044C90A 33C0 xor eax, eax
0044C90C 5A pop edx
0044C90D 59 pop ecx
0044C90E 59 pop ecx
0044C90F 648910 mov fs:[eax], edx
****** FINALLY
Dede已经分析得很清楚了，需要选中10个CheckBox。
OD载入CrackMe，Ctrl+G,输入：0044C7F4，回车，直接到0044C7F4处F2下断，F9运行，逐个点击CheckBox，直到使0044C81A处的跳转实现，
则点击的CheckBox即为CheckBox3，接着只需再使0044C830处的跳转实现，其它的CheckBox即可全部推测出来。
0044C7F4 /. 55 push ebp
0044C7F5 |. 8BEC mov ebp,esp
0044C7F7 |. 6A 00 push 0
0044C7F9 |. 53 push ebx
0044C7FA |. 8BD8 mov ebx,eax
0044C7FC |. 33C0 xor eax,eax
0044C7FE |. 55 push ebp
0044C7FF |. 68 20C94400 push CrackMe_.0044C920
0044C804 |. 64:FF30 push dword ptr fs:[eax]
0044C807 |. 64:8920 mov dword ptr fs:[eax],esp
0044C80A |. 8B83 24030000 mov eax,dword ptr ds:[ebx+324]
0044C810 |. 8B10 mov edx,dword ptr ds:[eax]
0044C812 |. FF92 B8000000 call dword ptr ds:[edx+B8] ; 检查CheckBox3是否选中
0044C818 |. 84C0 test al,al
0044C81A |. 0F84 CD000000 je CrackMe_.0044C8ED ; 暴破点1，Nop掉
0044C820 |. 8B83 28030000 mov eax,dword ptr ds:[ebx+328]
0044C826 |. 8B10 mov edx,dword ptr ds:[eax]
0044C828 |. FF92 B8000000 call dword ptr ds:[edx+B8] ; 检查CheckBox5是否选中
0044C82E |. 84C0 test al,al
0044C830 |. /0F84 B7000000 je CrackMe_.0044C8ED ; 暴破点2，Nop掉
0044C836 |. 8B83 2C030000 mov eax,dword ptr ds:[ebx+32C]
0044C83C |. 8B10 mov edx,dword ptr ds:[eax]
以心形CheckBoxes第1列上面那个CheckBox作为第1个，顺时针方向从1至20编号.
分别选中编号为3、5、6、9、11、12、13、15、19、20的CheckBox即可过关。
3-5.TrackBar浮点运算。同样，用Dede分析得知TrackBar对应SpeedButton4Click.
TForm1.SpeedButton4Click对应事件为：
0044CB40 E807F6FFFF call 0044C14C
OD载入CrackMe，Ctrl+G,输入：0044C14C，回车，直接到0044C14C处F2下断，F9运行，
依次拖动TrackBar,使Serial为12345,点击"Check"标签，立即中断：
0044C14C /$ 55 push ebp
0044C14D |. 8BEC mov ebp,esp
0044C14F |. 83C4 98 add esp,-68
0044C152 |. 53 push ebx
0044C153 |. 33D2 xor edx,edx
0044C155 |. 8955 C4 mov dword ptr ss:[ebp-3C],edx
0044C158 |. 8955 FC mov dword ptr ss:[ebp-4],edx
0044C15B |. 8955 F8 mov dword ptr ss:[ebp-8],edx
0044C15E |. 8BD8 mov ebx,eax
0044C160 |. 33C0 xor eax,eax
0044C162 |. 55 push ebp
0044C163 |. 68 44C34400 push CrackMe_.0044C344
0044C168 |. 64:FF30 push dword ptr fs:[eax]
0044C16B |. 64:8920 mov dword ptr fs:[eax],esp
0044C16E |. 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0044C171 |. 8B83 80030000 mov eax,dword ptr ds:[ebx+380]
0044C177 |. E8 A896FDFF call CrackMe_.00425824
0044C17C |. 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0044C17F |. E8 B0C0FBFF call CrackMe_.00408234
0044C184 |. DD5D E8 fstp qword ptr ss:[ebp-18] ; 第1个数1.0
0044C187 |. 9B wait
0044C188 |. 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0044C18B |. 8B83 98030000 mov eax,dword ptr ds:[ebx+398]
0044C191 |. E8 8E96FDFF call CrackMe_.00425824
0044C196 |. 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0044C199 |. E8 96C0FBFF call CrackMe_.00408234
0044C19E |. DD5D E0 fstp qword ptr ss:[ebp-20] ; 第2个数2.0
0044C1A1 |. 9B wait
0044C1A2 |. 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0044C1A5 |. 8B83 9C030000 mov eax,dword ptr ds:[ebx+39C]
0044C1AB |. E8 7496FDFF call CrackMe_.00425824
0044C1B0 |. 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0044C1B3 |. E8 7CC0FBFF call CrackMe_.00408234
0044C1B8 |. DD5D D8 fstp qword ptr ss:[ebp-28] ; 第3个数3.0
0044C1BB |. 9B wait
0044C1BC |. 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0044C1BF |. 8B83 A0030000 mov eax,dword ptr ds:[ebx+3A0]
0044C1C5 |. E8 5A96FDFF call CrackMe_.00425824
0044C1CA |. 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0044C1CD |. E8 62C0FBFF call CrackMe_.00408234
0044C1D2 |. DD5D D0 fstp qword ptr ss:[ebp-30] ; 第4个数4.0
0044C1D5 |. 9B wait
0044C1D6 |. 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
0044C1D9 |. 8B83 A4030000 mov eax,dword ptr ds:[ebx+3A4]
0044C1DF |. E8 4096FDFF call CrackMe_.00425824
0044C1E4 |. 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0044C1E7 |. E8 48C0FBFF call CrackMe_.00408234
0044C1EC |. DD5D C8 fstp qword ptr ss:[ebp-38] ; 第5个数5.0
0044C1EF |. 9B wait
0044C1F0 |. DD45 E0 fld qword ptr ss:[ebp-20] ; 第2个数字，2.0
0044C1F3 |. 83C4 F4 add esp,-0C
0044C1F6 |. DB3C24 fstp tbyte ptr ss:[esp]
0044C1F9 |. 9B wait
0044C1FA |. B8 03000000 mov eax,3 ; EAX＝3
0044C1FF |. E8 ECF6FCFF call CrackMe_.0041B8F0 ; 第2个数字的3次方，2^3=8
0044C204 |. D805 50C34400 fadd dword ptr ds:[44C350] ; 结果加上第1个常数5.0(ds:[44C350]＝5.0),8.0+5.0＝
13.0
0044C20A |. D9FA fsqrt ; 13开平方=3.60555127546398929
0044C20C |. E8 F365FBFF call CrackMe_.00402804 ; fcos=cos(3.605555127546398929)
0044C211 |. DB7D B8 fstp tbyte ptr ss:[ebp-48] ; st=-0.8942880585582759936
0044C214 |. 9B wait
0044C215 |. D905 54C34400 fld dword ptr ds:[44C354] ; 第2个常数1.0(ds:[44C354]=1.0)
0044C21B |. DC45 E8 fadd qword ptr ss:[ebp-18] ; 第2个常数加上第1个数字,1.0+1.0＝2.0
0044C21E |. D9FA fsqrt ; st=2.0,相加结果开平方，st=1.4142135623730951680
0044C220 |. D9E0 fchs ; 取相反数，st=-1.4142135623730951680
0044C222 |. DB6D B8 fld tbyte ptr ss:[ebp-48] ; 装载第2个数字运算结果,ss:[0012FBCC]=-
0.8942880585582759936
0044C225 |. DEC1 faddp st(1),st ; 两数相加
0044C227 |. DB7D AC fstp tbyte ptr ss:[ebp-54] ; st=-2.3085016209313710080
0044C22A |. 9B wait
0044C22B |. D905 58C34400 fld dword ptr ds:[44C358] ; 第3个常数3.0(ds:[0044C358]=3.0)
0044C231 |. DC4D D8 fmul qword ptr ss:[ebp-28] ; 第3个常数乘以第3个数字，3.0*3.0＝9.0
0044C234 |. D805 54C34400 fadd dword ptr ds:[44C354] ; 乘法结果加上第2个常数1.0，9.0+1.0＝10.0
0044C23A |. D9ED fldln2 ; st0=1n2=0.6931471805599453184,st1=10
0044C23C |. D9C9 fxch st(1) ; fxch,st(0),st(1)互相交换,交换后
st0=10.0,st1=0.6931471805599453184
0044C23E |. D9F1 fyl2x ; fyl2x指令:st(0)<--st(0)*log2(st(1)),st(0)
=2.3025850929940456960 ,即求ln(st(1))=ln10
0044C240 |. DB6D AC fld tbyte ptr ss:[ebp-54] ; ss:[0012FBC0]=-2.3085016209313710080,st(0)=-
2.3085016209313710080
0044C243 |. DEC1 faddp st(1),st ; st(1)+st,上面两浮点数相加
0044C245 |. DB7D A0 fstp tbyte ptr ss:[ebp-60] ; st=-0.0059165279373252168
0044C248 |. 9B wait
0044C249 |. D905 5CC34400 fld dword ptr ds:[44C35C] ; 第4个常数2.0(ds:[0044C35C]=2.0)
0044C24F |. DC45 D0 fadd qword ptr ss:[ebp-30] ; 第4个常数加上第4个数字4.0，4.0*2.0＝6.0
0044C252 |. D9FA fsqrt ; 相加结果开平方，st=2.4494897427831777280
0044C254 |. DB6D A0 fld tbyte ptr ss:[ebp-60] ; ss:[0012FBB4]=-0.0059165279373252168
0044C257 |. DEE1 fsubrp st(1),st ; 减去开平方的结果=-2.4554062707205027840
0044C259 |. D905 58C34400 fld dword ptr ds:[44C358] ; 第3个常数3.0(ds:[0044C358]=3.0)
0044C25F |. DC4D C8 fmul qword ptr ss:[ebp-38] ; 第3个数字乘发第5个数字5.0，3.0*5.0＝15.0
0044C262 |. D835 5CC34400 fdiv dword ptr ds:[44C35C] ; 乘法结果除以第4个常数2.0,15.0/2.0=7.5
0044C268 |. DEC1 faddp st(1),st ; 7.5+(-2.4554062707205027840)=5.0445937292794972160
0044C26A |. DB2D 60C34400 fld tbyte ptr ds:[44C360] ; 第5个常数0.37(ds:[0044C360]=0.37)
0044C270 |. DEC1 faddp st(1),st ; 0.37+5.044593729279497216=5.4145937292794972160
0044C272 |. D80D 6CC34400 fmul dword ptr ds:[44C36C] ; 乘以第6个常数1000.0(ds:[0044C36C]=1000.000)
0044C278 |. DD5D F0 fstp qword ptr ss:[ebp-10] ; 得到st=5414.5937292794972160
0044C27B |. 9B wait
0044C27C |. DD45 F0 fld qword ptr ss:[ebp-10]
0044C27F |. E8 9065FBFF call CrackMe_.00402814 ; 乘法结果取整转为16进制形式，5415-->0x1527
0044C284 |. 8945 98 mov dword ptr ss:[ebp-68],eax ; EAX=00001527
0044C287 |. 8955 9C mov dword ptr ss:[ebp-64],edx
0044C28A |. DF6D 98 fild qword ptr ss:[ebp-68]
0044C28D |. 83C4 F4 add esp,-0C
0044C290 |. DB3C24 fstp tbyte ptr ss:[esp] ; st=5415.0000000000000000
0044C293 |. 9B wait
0044C294 |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
0044C297 |. E8 68BFFBFF call CrackMe_.00408204 ; 运算结果转为字符串，取字符串长度，EAX＝4
0044C29C |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
0044C29F |. E8 5CFCFFFF call CrackMe_.0044BF00 ; 关键Call-1,F7进入
0044C2A4 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 结果赋给EAX，D EAX,为00A95630 B5 B5 BC BB 档蓟
0044C2A7 |. BA 78C34400 mov edx,CrackMe_.0044C378 ; 字符串"岛埠",D EDX,为0044C378 B5 BA B2 BA 岛埠
0044C2AC |. E8 D378FBFF call CrackMe_.00403B84 ; 比较两者是否相等
0044C2B1 |. 75 38 jnz short CrackMe_.0044C2EB ; 不等则Over,暴破点，Nop掉
0044C2B3 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
F7进入0044C29F处的关键Call-1,来到：
0044BF00 /$ 53 push ebx
0044BF01 |. 56 push esi
0044BF02 |. 57 push edi
0044BF03 |. 51 push ecx
0044BF04 |. 8BF0 mov esi,eax
0044BF06 |. 8B06 mov eax,dword ptr ds:[esi] ; "5415"
0044BF08 |. E8 677BFBFF call CrackMe_.00403A74
0044BF0D |. 8B15 98EE4400 mov edx,dword ptr ds:[44EE98]
0044BF13 |. 8902 mov dword ptr ds:[edx],eax
0044BF15 |. 8B06 mov eax,dword ptr ds:[esi]
0044BF17 |. E8 587BFBFF call CrackMe_.00403A74
0044BF1C |. 84C0 test al,al
0044BF1E |. 76 38 jbe short CrackMe_.0044BF58
0044BF20 |. 880424 mov byte ptr ss:[esp],al
0044BF23 |. B3 01 mov bl,1
0044BF25 |> B8 1C000000 /mov eax,1C ; EAX＝0x1C
0044BF2A |. E8 516AFBFF |call CrackMe_.00402980 ; 关键Call-2,F7进入
0044BF2F |. 0D 80000000 |or eax,80 ; EAX=EAX or 0x80
0044BF34 |. 8BFB |mov edi,ebx
0044BF36 |. 81E7 FF000000 |and edi,0FF
0044BF3C |. 8B16 |mov edx,dword ptr ds:[esi] ; 运算结果"5415"
0044BF3E |. 0FB6543A FF |movzx edx,byte ptr ds:[edx+edi-1] ; 依次取运算结果"5415"每一位字符的ASCII值
0044BF43 |. 33C2 |xor eax,edx ; EAX=EAX xor EDX
0044BF45 |. 50 |push eax ; xor结果保存
0044BF46 |. 8BC6 |mov eax,esi
0044BF48 |. E8 F77CFBFF |call CrackMe_.00403C44
0044BF4D |. 5A |pop edx
0044BF4E |. 885438 FF |mov byte ptr ds:[eax+edi-1],dl
0044BF52 |. 43 |inc ebx
0044BF53 |. FE0C24 |dec byte ptr ss:[esp]
0044BF56 |.^ 75 CD \jnz short CrackMe_.0044BF25
0044BF58 |> 5A pop edx
0044BF59 |. 5F pop edi
0044BF5A |. 5E pop esi
0044BF5B |. 5B pop ebx
0044BF5C \. C3 retn
F7进入0044BF2A处的关键Call-2,来到：
00402980 /$ 6915 40F04400 >imul edx,dword ptr ds:[44F040],8088405 ; ds:[0044F040]=4，初值为运算结果的长度
0040298A |. 42 inc edx ; EDX=EDX+1
0040298B |. 8915 40F04400 mov dword ptr ds:[44F040],edx ; EDX保存
00402991 |. F7E2 mul edx ; EAX=EAX*EDX,EAX初值为0x1C
00402993 |. 89D0 mov eax,edx ; EAX=EDX
00402995 \. C3 retn
浮点运算结果转为字符串后依次取每位字符串的ASCII值进行运算，最终结果与固定值B5 BA B2 BA 比较，相等则成功。
反推浮点运算结果所得数值(设为4位)，经0044BF2A处的CALL以后，到0044BF2F处时EAX依次为83，89,86,8D，于是
83 xor B5 = 36('6')
89 xor BA = 33('3')
86 xor B2 = 34('4')
8D xor BA = 37('7')
故只需浮点运算最终结果为6347.0最可注册成功。
-----------------------------------------------------------------------------------------------
【破解总结】
1.Nag采用下断MessageBoxA即可轻松去除。
2.Password为固定值：Clno iguonRn。
3.Serial计算时，用户名和公司长度有一定限制，取用户名各位字符的ASCII值累加，结果与固定字符串连接，记为str1.
注册码长度必须与字符串str1长度相等；
注册码各位字符的ASCII值累加之和必须与字符串str1各位字符的ASCII值累加之和相等。
4.先确定CheckBox3及CheckBox5,其它CheckBoxes即可确定。以心形CheckBoxes第1列上面那个CheckBox作为第1个，
顺时针方向从1至20编号，分别选中编号为3、5、6、9、11、12、13、15、19、20的CheckBox即可过关。
5.TrackBar采用简单浮点运算，运算结果经xor后与固定值B5BAB2BA比较，相等则成功。
注册信息：
========================================
Password:Clno iguonRn
========================================
Name:hrbxhui
Company:h2h Studios
Serial:I Love Cracking and 762 Girls ;)
========================================
TrackBar Serial:14435
========================================
【VB注册机源码】(For TrackBar Serial)
Private Sub KeyGen_Click()
Dim n1 As Double
Dim n2 As Double
Dim n3 As Double
Dim n4 As Double
Dim n5 As Double
Dim sum As Long
Dim temp As Long
sum = 0
temp = (99999 - 10000) * Rnd() + 10000
For i = temp To 99999
n1 = Int(i / 10000)
n2 = Int((i Mod 10000) / 1000)
n3 = Int((i Mod 1000) / 100)
n4 = Int((i Mod 100) / 10)
n5 = i Mod 10
n1 = Sqr(n1 + 1) * (-1)
n2 = Cos(Sqr(n2 * n2 * n2 + 5))
n3 = Log(n3 * 3 + 1)
n4 = Sqr(n4 + 2)
n5 = n5 * 3# / 2#
sum = Int((n1 + n2 + n3 - n4 + n5 + 0.37) * 100000) / 100
If sum = 6347 Then GoTo Success:
Next i
Success:
Text1 = i
End Sub
-----------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

复制代码

[ 本帖最后由 hrbx 于 2006-5-30 01:37 编辑 ]

野猫III · 发表于 2006-5-31 18:28:47

原帖由 hrbx 于 2006-5-30 01:33 发表

【破文标题】CrackMe Nr.7简单算法分析
【破解作者】hrbx
【作者主页】hrbx.ys168.com
【作者邮箱】[email protected]
【破解平台】WinXP
【使用工具】flyOD1.10、Peid
【破解日期】2006-05-29
【软件名称】C ...

惊呼！！！原是如此简单。。。

lhl8730 · 发表于 2006-6-2 09:56:53

好教程，学习了！

wzwgp · 发表于 2006-6-2 15:53:51

分析得真仔细，认真学习！

寒湖鹤影 · 发表于 2006-6-3 17:38:57

学习了，能不能出个DEDE使用引导

浮云思音 · 发表于 2006-6-6 01:40:17

唉,我什么时候才能达到这样的程度呀

		自动登录	找回密码
密码			加入我们

CrackMe Nr.7简单算法分析

本帖子中包含更多资源

相关帖子