[飘云阁 / PYG] Crackme2.0 algorithm analysis!
Learning to write an algorithm keygen~~~++++++++++++++++++++++++++++++++++
Demo animation: download it from the "野猫III" directory on the PYG FTP server!
Cracking process:
1. Packer check: Microsoft Visual Basic 5.0 / 6.0 program (no packer).
2. Load it in OllyDbg (OD) and enter trial registration details:
Username: WildC
Trial code: 987654321
Set a breakpoint from the command line: bp rtcMidCharVar //hehe... learned this from brother lhl8730!
Then switch back to the Crackme and click Register. The program breaks at:
660E64F3 >55              PUSH EBP                                        //remove the breakpoint here
660E64F4  8BEC            MOV EBP,ESP
660E64F6  83EC 10         SUB ESP,10
660E64F9  56              PUSH ESI
660E64FA  57              PUSH EDI
660E64FB  FF35 7CEE1066   PUSH DWORD PTR DS:[6610EE7C]
660E6501  FF15 B8100066   CALL DWORD PTR DS:[<&KERNEL32.TlsGetValu>      ; kernel32.TlsGetValue
++++++++Stack window hint:
0012F404  00402C60  RETURN to CrackMe0.00402C60 from MSVBVM60.rtcMidCharVar
//Right-click this entry and choose "Follow in Disassembler".
++++Now the algorithm analysis:
00402B23  .FF15 B8104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeO>      ;MSVBVM60.__vbaFreeObj
00402B29  .8B55 E4        MOV EDX,DWORD PTR SS:[EBP-1C]                  ;username into EDX
00402B2C  .52             PUSH EDX
00402B2D  .FF15 14104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>      ;MSVBVM60.__vbaLenBstr
00402B33  .33DB           XOR EBX,EBX                                    ;the Call above returns the username length in EAX
00402B35  .83F8 0B        CMP EAX,0B                                     ;compare with 11
00402B38  .8B45 E4        MOV EAX,DWORD PTR SS:[EBP-1C]                  ;username again
00402B3B  .50             PUSH EAX
00402B3C  .0F9EC3         SETLE BL                                       ;BL=1 if username length <= 11
00402B3F  .FF15 14104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>      ;MSVBVM60.__vbaLenBstr
00402B45  .33C9           XOR ECX,ECX                                    ;clear ECX
00402B47  .8B55 CC        MOV EDX,DWORD PTR SS:[EBP-34]                  ;trial code into EDX
00402B4A  .83F8 05        CMP EAX,5                                      ;username length compared with 5
00402B4D  .52             PUSH EDX
00402B4E  .0F9DC1         SETGE CL                                       ;CL=1 if username length >= 5
00402B51  .23D9           AND EBX,ECX                                    ;EBX = EBX AND ECX: both length conditions must hold
00402B53  .F7DB           NEG EBX
00402B55  .1BDB           SBB EBX,EBX
00402B57  .F7DB           NEG EBX                                        ;normalise EBX to 0 or 1
00402B59  .FF15 14104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>      ;MSVBVM60.__vbaLenBstr
00402B5F  .33C9           XOR ECX,ECX                                    ;the Call above returns the trial code length
00402B61  .83F8 09        CMP EAX,9                                      ;trial code length compared with 9!
00402B64  .0F9DC1         SETGE CL                                       ;CL=1 if trial code length >= 9
00402B67  .85D9           TEST ECX,EBX
00402B69  .0F85 8B000000  JNZ CrackMe0.00402BFA                          ;must jump! If it doesn't, it's OVER!
00402B6F  .8B16           MOV EDX,DWORD PTR DS:[ESI]
00402B71  .56             PUSH ESI
00402B72  .FF92 FC020000  CALL DWORD PTR DS:[EDX+2FC]
00402B78  .8B1D 30104000  MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaOb>      ;MSVBVM60.__vbaObjSet
00402B7E  .50             PUSH EAX
00402B7F  .8D45 C0        LEA EAX,DWORD PTR SS:[EBP-40]
00402B82  .50             PUSH EAX
00402B83  .FFD3           CALL EBX                                       ;<&MSVBVM60.__vbaObjSet>
00402B85  .8BF8           MOV EDI,EAX
00402B87  .68 60224000    PUSH CrackMe0.00402260
00402B8C  .57             PUSH EDI
00402B8D  .8B0F           MOV ECX,DWORD PTR DS:[EDI]
00402B8F  .FF91 A4000000  CALL DWORD PTR DS:[ECX+A4]
00402B95  .85C0           TEST EAX,EAX
00402B97  .DBE2           FCLEX
00402B99  .7D 12          JGE SHORT CrackMe0.00402BAD
00402B9B  .68 A4000000    PUSH 0A4
00402BA0  .68 4C224000    PUSH CrackMe0.0040224C
00402BA5  .57             PUSH EDI
00402BA6  .50             PUSH EAX
00402BA7  .FF15 28104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>      ;MSVBVM60.__vbaHresultCheckObj
00402BAD >8B3D B8104000   MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaFr>      ;MSVBVM60.__vbaFreeObj
00402BB3  .8D4D C0        LEA ECX,DWORD PTR SS:[EBP-40]
00402BB6  .FFD7           CALL EDI                                       ;<&MSVBVM60.__vbaFreeObj>
00402BB8  .8B16           MOV EDX,DWORD PTR DS:[ESI]
00402BBA  .56             PUSH ESI
00402BBB  .FF92 0C030000  CALL DWORD PTR DS:[EDX+30C]
00402BC1  .50             PUSH EAX
00402BC2  .8D45 C0        LEA EAX,DWORD PTR SS:[EBP-40]
00402BC5  .50             PUSH EAX
00402BC6  .FFD3           CALL EBX
00402BC8  .8BF0           MOV ESI,EAX
00402BCA  .68 60224000    PUSH CrackMe0.00402260
00402BCF  .56             PUSH ESI
00402BD0  .8B0E           MOV ECX,DWORD PTR DS:[ESI]
00402BD2  .FF91 A4000000  CALL DWORD PTR DS:[ECX+A4]
00402BD8  .85C0           TEST EAX,EAX
00402BDA  .DBE2           FCLEX
00402BDC  .7D 12          JGE SHORT CrackMe0.00402BF0
00402BDE  .68 A4000000    PUSH 0A4
00402BE3  .68 4C224000    PUSH CrackMe0.0040224C
00402BE8  .56             PUSH ESI
00402BE9  .50             PUSH EAX
00402BEA  .FF15 28104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>      ;MSVBVM60.__vbaHresultCheckObj
00402BF0 >8D4D C0         LEA ECX,DWORD PTR SS:[EBP-40]
00402BF3  .FFD7           CALL EDI
00402BF5  .E9 85020000    JMP CrackMe0.00402E7F                          ;jump = OVER (failure path)!
00402BFA >8B55 E4         MOV EDX,DWORD PTR SS:[EBP-1C]                  ;lands here once the length checks pass (trial code >= 9 chars, username 5..11)~~~
00402BFD  .52             PUSH EDX
00402BFE  .FF15 14104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaLenBs>      ;MSVBVM60.__vbaLenBstr
00402C04  .8BC8           MOV ECX,EAX                                    ;the Call returns the username length, ECX=EAX
00402C06  .FF15 54104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaI2I4>>      ;MSVBVM60.__vbaI2I4
00402C0C  .BB 01000000    MOV EBX,1                                      ;EBX=1
00402C11  .8985 2CFFFFFF  MOV DWORD PTR SS:[EBP-D4],EAX                  ;EAX (username length) stored at EBP-D4
00402C17  .8BF3           MOV ESI,EBX                                    ;ESI=EBX
00402C19 >66:3BB5 2CFFF>  CMP SI,WORD PTR SS:[EBP-D4]                    ;compare SI with [EBP-D4] (username length); loop entry!
00402C20  .0F8F A3000000  JG CrackMe0.00402CC9                           ;only leaves the loop after every username character has been processed!
00402C26  .8D45 E4        LEA EAX,DWORD PTR SS:[EBP-1C]
00402C29  .8D4D B0        LEA ECX,DWORD PTR SS:[EBP-50]
00402C2C  .0FBFD6         MOVSX EDX,SI                                   ;SI is the current character position, sign-extended into EDX
00402C2F  .8985 78FFFFFF  MOV DWORD PTR SS:[EBP-88],EAX
00402C35  .51             PUSH ECX
00402C36  .8D85 70FFFFFF  LEA EAX,DWORD PTR SS:[EBP-90]
00402C3C  .52             PUSH EDX
00402C3D  .8D4D A0        LEA ECX,DWORD PTR SS:[EBP-60]
00402C40  .50             PUSH EAX
00402C41  .51             PUSH ECX
00402C42  .C745 B8 04000> MOV DWORD PTR SS:[EBP-48],80020004             ;EBP-48=80020004
00402C49  .C745 B0 0A000> MOV DWORD PTR SS:[EBP-50],0A                   ;EBP-50=0A
00402C50  .C785 70FFFFFF> MOV DWORD PTR SS:[EBP-90],4008                 ;EBP-90=4008
00402C5A  .FF15 44104000  CALL DWORD PTR DS:[<&MSVBVM60.#632>]           ;MSVBVM60.rtcMidCharVar
00402C60  .8D55 A0        LEA EDX,DWORD PTR SS:[EBP-60]                  ;rtcMidCharVar returns here!
00402C63  .8D45 C8        LEA EAX,DWORD PTR SS:[EBP-38]
00402C66  .52             PUSH EDX
00402C67  .50             PUSH EAX
00402C68  .FF15 78104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrVa>      ;MSVBVM60.__vbaStrVarVal
00402C6E  .50             PUSH EAX                                       ;the Call returns the current username character as a string
00402C6F  .FF15 0C104000  CALL DWORD PTR DS:[<&MSVBVM60.#693>]           ;MSVBVM60.rtcByteValueBstr
00402C75  .66:33C9        XOR CX,CX                                      ;the Call returns the byte value of that character; clear CX
00402C78  .8AC8           MOV CL,AL                                      ;CL=AL
00402C7A  .66:6BC9 02     IMUL CX,CX,2                                   ;CX=CX*2
00402C7E  .0F80 7A020000  JO CrackMe0.00402EFE
00402C84  .0FBFD1         MOVSX EDX,CX                                   ;CX into EDX
00402C87  .03D7           ADD EDX,EDI                                    ;add the running total EDI
00402C89  .8D4D C8        LEA ECX,DWORD PTR SS:[EBP-38]
00402C8C  .0F80 6C020000  JO CrackMe0.00402EFE
00402C92  .83C2 0A        ADD EDX,0A                                     ;EDX+0A
00402C95  .0F80 63020000  JO CrackMe0.00402EFE
00402C9B  .8BFA           MOV EDI,EDX                                    ;new running total
00402C9D  .FF15 BC104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>      ;MSVBVM60.__vbaFreeStr
00402CA3  .8D45 A0        LEA EAX,DWORD PTR SS:[EBP-60]
00402CA6  .8D4D B0        LEA ECX,DWORD PTR SS:[EBP-50]
00402CA9  .50             PUSH EAX
00402CAA  .51             PUSH ECX
00402CAB  .6A 02          PUSH 2
00402CAD  .FF15 18104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>      ;MSVBVM60.__vbaFreeVarList
00402CB3  .66:8BD3        MOV DX,BX                                      ;DX=BX (=1)
00402CB6  .83C4 0C        ADD ESP,0C
00402CB9  .66:03D6        ADD DX,SI                                      ;DX=DX+SI, the next character position
00402CBC  .0F80 3C020000  JO CrackMe0.00402EFE
00402CC2  .8BF2           MOV ESI,EDX                                    ;ESI=EDX
00402CC4  .^ E9 50FFFFFF  JMP CrackMe0.00402C19                          ;loop!~
00402CC9 >81C7 2770430B   ADD EDI,0B437027                               ;add 0B437027 to EDI; the result is the serial!
00402CCF  .0F80 29020000  JO CrackMe0.00402EFE
00402CD5  .8BDF           MOV EBX,EDI
00402CD7  .8B7D 08        MOV EDI,DWORD PTR SS:[EBP+8]
00402CDA  .57             PUSH EDI
00402CDB  .8B07           MOV EAX,DWORD PTR DS:[EDI]
00402CDD  .FF90 0C030000  CALL DWORD PTR DS:[EAX+30C]
00402CE3  .8D4D C0        LEA ECX,DWORD PTR SS:[EBP-40]
00402CE6  .50             PUSH EAX
00402CE7  .51             PUSH ECX
00402CE8  .FF15 30104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaObjSe>      ;MSVBVM60.__vbaObjSet
00402CEE  .8BF0           MOV ESI,EAX
00402CF0  .8D45 C8        LEA EAX,DWORD PTR SS:[EBP-38]
00402CF3  .50             PUSH EAX
00402CF4  .56             PUSH ESI
00402CF5  .8B16           MOV EDX,DWORD PTR DS:[ESI]
00402CF7  .FF92 A0000000  CALL DWORD PTR DS:[EDX+A0]
00402CFD  .85C0           TEST EAX,EAX
00402CFF  .DBE2           FCLEX
00402D01  .7D 12          JGE SHORT CrackMe0.00402D15
00402D03  .68 A0000000    PUSH 0A0
00402D08  .68 4C224000    PUSH CrackMe0.0040224C
00402D0D  .56             PUSH ESI
00402D0E  .50             PUSH EAX
00402D0F  .FF15 28104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaHresu>      ;MSVBVM60.__vbaHresultCheckObj
00402D15 >53              PUSH EBX
00402D16  .FF15 08104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrI4>      ;MSVBVM60.__vbaStrI4
00402D1C  .8BD0           MOV EDX,EAX                                    ;step into this Call and the real serial from the register appears as a Unicode string!
00402D1E  .8D4D C4        LEA ECX,DWORD PTR SS:[EBP-3C]
00402D21  .FF15 A8104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>      ;MSVBVM60.__vbaStrMove
00402D27  .8B4D C8        MOV ECX,DWORD PTR SS:[EBP-38]                  ;trial code!
00402D2A  .50             PUSH EAX
00402D2B  .51             PUSH ECX
00402D2C  .FF15 50104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrCm>      ;MSVBVM60.__vbaStrCmp
00402D32  .8BF0           MOV ESI,EAX
00402D34  .8D55 C8        LEA EDX,DWORD PTR SS:[EBP-38]
00402D37  .F7DE           NEG ESI
00402D39  .1BF6           SBB ESI,ESI
00402D3B  .8D45 C4        LEA EAX,DWORD PTR SS:[EBP-3C]
00402D3E  .52             PUSH EDX
00402D3F  .46             INC ESI
00402D40  .50             PUSH EAX
00402D41  .6A 02          PUSH 2
00402D43  .F7DE           NEG ESI
00402D45  .FF15 8C104000  CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeS>      ;MSVBVM60.__vbaFreeStrList
00402D4B  .8B1D B8104000  MOV EBX,DWORD PTR DS:[<&MSVBVM60.__vbaFr>      ;MSVBVM60.__vbaFreeObj
00402D51  .83C4 0C        ADD ESP,0C
00402D54  .8D4D C0        LEA ECX,DWORD PTR SS:[EBP-40]
00402D57  .FFD3           CALL EBX                                       ;<&MSVBVM60.__vbaFreeObj>
00402D59  .66:85F6        TEST SI,SI
00402D5C  .0F84 9B000000  JE CrackMe0.00402DFD                           ;the key jump!
++++++++++++++++++++++++++++++++++++++
Algorithm summary (brief):
Username: 5 to 11 characters (CMP EAX,5 / SETGE and CMP EAX,0B / SETLE, ANDed together).
Serial: at least 9 characters.
Take each character of the username, multiply its byte (ASCII) value by 2 and add them up: call this A.
Username length * 0A (10): call this B.
A + B + 0B437027 (the author's preset constant) = C; C written in decimal is the serial.
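As an added example, not part of the original post, here is a Python keygen that follows the loop above instruction by instruction, plus a re-implementation of the whole check (length gate, then string compare) so the trial details from the post can be verified offline. The constants, length bounds and the byte-valued character read come straight from the listing; the assumption that the running total (EDI) is zero on loop entry follows from the author's summary, and the handling of non-ASCII characters (low byte of the UTF-16 code unit, mirroring rtcByteValueBstr keeping only AL) is an assumption since the post only shows ASCII input.

```python
# Added example (not from the original post): keygen and check reconstructed from the
# 00402B29..00402D5C listing of Crackme2.0. Names below are this example's own.

USERNAME_MIN_LEN = 5          # CMP EAX,5  / SETGE CL
USERNAME_MAX_LEN = 11         # CMP EAX,0B / SETLE BL
SERIAL_MIN_LEN = 9            # CMP EAX,9  / SETGE CL
MAGIC = 0x0B437027            # ADD EDI,0B437027 after the loop
PER_CHAR_BIAS = 0x0A          # ADD EDX,0A inside the loop


def char_value(ch: str) -> int:
    """Mirror rtcByteValueBstr on the one-character string from rtcMidCharVar.

    The listing keeps only AL of the result (MOV CL,AL), i.e. a single byte.
    For ASCII names that is the ASCII code. For anything else we assume the
    low byte of the UTF-16 code unit (assumption; the post only shows ASCII).
    """
    return ord(ch) & 0xFF


def lengths_ok(username: str, serial: str) -> bool:
    """The three __vbaLenBstr checks that gate the algorithm (JNZ 00402BFA)."""
    return (USERNAME_MIN_LEN <= len(username) <= USERNAME_MAX_LEN
            and len(serial) >= SERIAL_MIN_LEN)


def keygen(username: str) -> str:
    """Compute the serial exactly as the 00402C19..00402CC9 loop does."""
    if not USERNAME_MIN_LEN <= len(username) <= USERNAME_MAX_LEN:
        raise ValueError("username must be 5 to 11 characters")
    acc = 0                                       # EDI; assumed zero on loop entry
    for ch in username:                           # SI runs 1..Len(username)
        doubled = (char_value(ch) * 2) & 0xFFFF   # IMUL CX,CX,2 (16-bit, cannot overflow for a byte)
        acc = acc + doubled + PER_CHAR_BIAS       # ADD EDX,EDI ; ADD EDX,0A ; MOV EDI,EDX
    acc += MAGIC                                  # ADD EDI,0B437027
    # The JO branches to 00402EFE are VB's Long-overflow traps; with at most
    # 11 characters the total stays far below 2**31, so they never fire here.
    return str(acc)                               # __vbaStrI4: Long -> decimal string


def check_serial(username: str, serial: str) -> bool:
    """Re-implementation of the routine: length gate first, then __vbaStrCmp."""
    if not lengths_ok(username, serial):
        return False
    return serial == keygen(username)


if __name__ == "__main__":
    name = "WildC"                                # the trial name used in the post
    print(name, keygen(name))                     # 188969983
    print(check_serial(name, "987654321"))        # False: the post's trial code
    print(check_serial(name, keygen(name)))       # True
```

For the post's own input, WildC, the byte values 87+105+108+100+67 = 467 give A = 934, B = 50, and 934 + 50 + 0x0B437027 (188968999) = 188969983. Because the constant alone is already nine decimal digits and eleven characters add at most 5720, every valid serial is exactly nine digits, which is why the "at least 9 characters" gate never rejects a correct serial.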
[This post was last edited by 野猫III on 2006-6-26 00:35]

Hehe, grabbing a seat first!

Can this be used as a graduation cracking tutorial?

Congrats, impressive.......

Originally posted by 黑夜彩虹 on 2006-6-23 20:54:
    Can this be used as a graduation cracking tutorial?
No, this Crackme is N years old...
I'm just using it for practice today.
[This post was last edited by 野猫III on 2006-6-29 23:45]

Rapid progress~~
Support~~

Congrats, impressive.......

Brother Cat, awesome!!

So strong, Cat is improving really fast.

Strong.. learning from this. I'll go through the algorithm in a few days; once I've understood it.. I'll write a keygen.