hoy0a1 CrackMe 2 Algorithm Analysis
【Title】hoy0a1 CrackMe 2 Algorithm Analysis 【Author】hrbx
【Date】2011-10-15
【Software】hoy0a1 CrackMe 2
【Download】https://www.chinapyg.com/viewthread.php?tid=63959&extra=page%3D1
-----------------------------------------------------------------------------------------------
【Statement】I am just a newbie; I picked up a little insight and want to share it with everyone :)
-----------------------------------------------------------------------------------------------
【Process】
1. Packer check. Scanning with PEiD shows: Dev-C++ 4.9.9.2 -> Bloodshed Software [overlay]; no packer.
2. Trial run. Enter an ID and SN; the program reports the error: "Wrong! Try again..."
3. Algorithm analysis. Load the program in OD, use Ultra String Reference -> Find ASCII, and locate the following address:
======================================================================================================
Address Disassembly Text String
004015F5 > \C74424 04 4D4>mov dword ptr , 0044404D ;\t\t\twrong! try again...\n\n
======================================================================================================
Double-click it to land at:
004015F5 > \C74424 04 4D4>mov dword ptr , 0044404D ;\t\t\twrong! try again...\n\n
Trace upward to 00401390 and set a breakpoint there with F2.
00401390 $55 push ebp ;breakpoint here (F2)
Press Ctrl+F2 to restart the program and enter the registration information:
======================================
ID:6543210
SN:987654321
======================================
Press Enter and the program breaks immediately:
00401390 $55 push ebp ;breakpoint here (F2)
00401391 .89E5 mov ebp, esp
00401393 .57 push edi
00401394 .56 push esi
00401395 .53 push ebx
00401396 .81EC 8C010000 sub esp, 18C
0040139C .83E4 F0 and esp, FFFFFFF0
0040139F .B8 00000000 mov eax, 0
004013A4 .83C0 0F add eax, 0F
004013A7 .83C0 0F add eax, 0F
004013AA .C1E8 04 shr eax, 4
004013AD .C1E0 04 shl eax, 4
004013B0 .8985 84FEFFFF mov dword ptr , eax
004013B6 .8B85 84FEFFFF mov eax, dword ptr
004013BC .E8 0FCE0000 call 0040E1D0
004013C1 .C785 CCFEFFFF 801E4000 mov dword ptr , 00401E80
004013CB .C785 D0FEFFFF 20174400 mov dword ptr , 00441720
004013D5 .8D85 D4FEFFFF lea eax, dword ptr
004013DB .8D55 E8 lea edx, dword ptr
004013DE .8910 mov dword ptr , edx
004013E0 .BA 47154000 mov edx, 00401547
004013E5 .8950 04 mov dword ptr , edx
004013E8 .8960 08 mov dword ptr , esp
004013EB .8D85 B4FEFFFF lea eax, dword ptr
004013F1 .890424 mov dword ptr , eax
004013F4 .E8 87C30000 call 0040D780
004013F9 .E8 B2BE0000 call 0040D2B0
004013FE .8D45 D8 lea eax, dword ptr
00401401 .890424 mov dword ptr , eax
00401404 .C785 B8FEFFFF FFFFFFFF mov dword ptr , -1
0040140E .E8 4DDD0200 call 0042F160
00401413 .8D45 C8 lea eax, dword ptr
00401416 .890424 mov dword ptr , eax
00401419 .C785 B8FEFFFF 04000000 mov dword ptr , 4
00401423 .E8 38DD0200 call 0042F160
00401428 .C74424 04 08000000 mov dword ptr , 8
00401430 .C70424 10000000 mov dword ptr , 10
00401437 .E8 BCF10300 call 004405F8
0040143C .894424 04 mov dword ptr , eax
00401440 .8D85 08FFFFFF lea eax, dword ptr
00401446 .890424 mov dword ptr , eax
00401449 .C785 B8FEFFFF 03000000 mov dword ptr , 3
00401453 .E8 588F0300 call 0043A3B0
00401458 >C74424 04 00404400 mov dword ptr , 00444000 ;\t\t\tplease input your id:
00401460 .C70424 C0734400 mov dword ptr , 004473C0
00401467 .C785 B8FEFFFF 02000000 mov dword ptr , 2
00401471 .E8 B2E70300 call 0043FC28
00401476 .8D45 D8 lea eax, dword ptr
00401479 .894424 04 mov dword ptr , eax
0040147D .C70424 60744400 mov dword ptr , 00447460
00401484 .E8 2BFB0300 call 00440FB4
00401489 .8D45 D8 lea eax, dword ptr
0040148C .890424 mov dword ptr , eax ;EAX holds the address of the ID
0040148F .E8 6C100100 call 00412500 ;\ get the ID length
00401494 .83F8 05 cmp eax, 5 ;|compare the ID length with 5
00401497 .0F86 7B010000 jbe 00401618 ;|5 or fewer characters: fail
0040149D .8D45 D8 lea eax, dword ptr ;|
004014A0 .890424 mov dword ptr , eax ;|EAX holds the address of the ID
004014A3 .E8 58100100 call 00412500 ;|get the ID length
004014A8 .83F8 09 cmp eax, 9 ;|compare the ID length with 9
004014AB .0F87 67010000 ja 00401618 ;/ more than 9 characters: fail
004014B1 .8D45 D8 lea eax, dword ptr ;the ID must be 6-9 characters long
004014B4 .894424 04 mov dword ptr , eax
004014B8 .8D85 08FFFFFF lea eax, dword ptr
004014BE .83C0 08 add eax, 8
004014C1 .890424 mov dword ptr , eax
004014C4 .E8 BFEE0300 call 00440388
004014C9 .8D85 04FFFFFF lea eax, dword ptr
004014CF .894424 04 mov dword ptr , eax
004014D3 .8D85 08FFFFFF lea eax, dword ptr
004014D9 .890424 mov dword ptr , eax
004014DC .E8 2F7B0200 call 00429010
004014E1 .C74424 04 19404400 mov dword ptr , 00444019 ;\t\t\tplease input your sn:
004014E9 .C70424 C0734400 mov dword ptr , 004473C0
004014F0 .E8 33E70300 call 0043FC28
004014F5 .8D45 C8 lea eax, dword ptr
004014F8 .894424 04 mov dword ptr , eax
004014FC .C70424 60744400 mov dword ptr , 00447460
00401503 .E8 ACFA0300 call 00440FB4
00401508 .8D45 C8 lea eax, dword ptr
0040150B .894424 04 mov dword ptr , eax
0040150F .8D85 E8FEFFFF lea eax, dword ptr
00401515 .890424 mov dword ptr , eax
00401518 .E8 93D90200 call 0042EEB0
0040151D .8D85 E8FEFFFF lea eax, dword ptr
00401523 .894424 04 mov dword ptr , eax
00401527 .8B85 04FFFFFF mov eax, dword ptr
0040152D .890424 mov dword ptr , eax ;EAX=0x63D76A (the ID, 6543210 in decimal)
00401530 .C785 B8FEFFFF 01000000 mov dword ptr , 1
0040153A .E8 21020000 call 00401760 ;key CALL, step into it with F7
0040153F .8985 ACFEFFFF mov dword ptr , eax ;the CALL compares the real and entered codes; if they match, EAX=0x10 is stored here
00401545 .EB 77 jmp short 004015BE
00401547 .8D6D 18 lea ebp, dword ptr
0040154A .8B85 B8FEFFFF mov eax, dword ptr
00401550 .8985 94FEFFFF mov dword ptr , eax
00401556 .8B95 BCFEFFFF mov edx, dword ptr
0040155C .8995 A4FEFFFF mov dword ptr , edx
00401562 .83BD 94FEFFFF 01 cmp dword ptr , 1
00401569 .0F84 33010000 je 004016A2
0040156F .83BD 94FEFFFF 02 cmp dword ptr , 2
00401576 .0F84 56010000 je 004016D2
0040157C .83BD 94FEFFFF 03 cmp dword ptr , 3
00401583 .0F84 76010000 je 004016FF
00401589 .8B85 A4FEFFFF mov eax, dword ptr
0040158F .8985 A8FEFFFF mov dword ptr , eax
00401595 .8D85 E8FEFFFF lea eax, dword ptr
0040159B .890424 mov dword ptr , eax
0040159E .C785 B8FEFFFF 00000000 mov dword ptr , 0
004015A8 .E8 73E00200 call 0042F620
004015AD .8B95 A8FEFFFF mov edx, dword ptr
004015B3 .8995 A4FEFFFF mov dword ptr , edx
004015B9 .E9 E4000000 jmp 004016A2
004015BE >8D85 E8FEFFFF lea eax, dword ptr
004015C4 .890424 mov dword ptr , eax
004015C7 .C785 B8FEFFFF 02000000 mov dword ptr , 2
004015D1 .E8 4AE00200 call 0042F620
004015D6 .83BD ACFEFFFF 10 cmp dword ptr , 10 ;check whether the stored value is 0x10
004015DD .75 16 jnz short 004015F5 ;if not, fail; patch point, nop it
004015DF .C74424 04 32404400 mov dword ptr , 00444032 ;success message "very well!you win..."
004015E7 .C70424 C0734400 mov dword ptr , 004473C0
004015EE .E8 35E60300 call 0043FC28
004015F3 .EB 46 jmp short 0040163B
004015F5 >C74424 04 4D404400 mov dword ptr , 0044404D ;failure message "wrong! try again..."
004015FD .C70424 C0734400 mov dword ptr , 004473C0
00401604 .C785 B8FEFFFF 02000000 mov dword ptr , 2
0040160E .E8 15E60300 call 0043FC28
00401613 .^ E9 40FEFFFF jmp 00401458
00401618 >C74424 04 68404400 mov dword ptr , 00444068 ;ID length range message "please input id in 100000 and 999999999 between!"
00401620 .C70424 C0734400 mov dword ptr , 004473C0
00401627 .C785 B8FEFFFF 02000000 mov dword ptr , 2
00401631 .E8 F2E50300 call 0043FC28
00401636 .^ E9 1DFEFFFF jmp 00401458
0040163B >C70424 9E404400 mov dword ptr , 0044409E ; |pause
00401642 .C785 B8FEFFFF 02000000 mov dword ptr , 2 ; |
0040164C .E8 0FF60000 call <jmp.&msvcrt.system> ; \system
00401651 .8D85 08FFFFFF lea eax, dword ptr
00401657 .890424 mov dword ptr , eax
0040165A .C785 B8FEFFFF 03000000 mov dword ptr , 3
00401664 .E8 F7930300 call 0043AA60
00401669 .8D45 C8 lea eax, dword ptr
0040166C .890424 mov dword ptr , eax
0040166F .C785 B8FEFFFF 04000000 mov dword ptr , 4
00401679 .E8 A2DF0200 call 0042F620
0040167E .8D45 D8 lea eax, dword ptr
00401681 .890424 mov dword ptr , eax
00401684 .C785 B8FEFFFF FFFFFFFF mov dword ptr , -1
0040168E .E8 8DDF0200 call 0042F620
00401693 .C785 B0FEFFFF 00000000 mov dword ptr , 0
0040169D .E9 A2000000 jmp 00401744
004016A2 >8B85 A4FEFFFF mov eax, dword ptr
004016A8 .8985 A0FEFFFF mov dword ptr , eax
004016AE .8D85 08FFFFFF lea eax, dword ptr
004016B4 .890424 mov dword ptr , eax
004016B7 .C785 B8FEFFFF 00000000 mov dword ptr , 0
004016C1 .E8 9A930300 call 0043AA60
004016C6 .8B95 A0FEFFFF mov edx, dword ptr
004016CC .8995 A4FEFFFF mov dword ptr , edx
004016D2 >8B85 A4FEFFFF mov eax, dword ptr
004016D8 .8985 9CFEFFFF mov dword ptr , eax
004016DE .8D45 C8 lea eax, dword ptr
004016E1 .890424 mov dword ptr , eax
004016E4 .C785 B8FEFFFF 00000000 mov dword ptr , 0
004016EE .E8 2DDF0200 call 0042F620
004016F3 .8B95 9CFEFFFF mov edx, dword ptr
004016F9 .8995 A4FEFFFF mov dword ptr , edx
004016FF >8B85 A4FEFFFF mov eax, dword ptr
00401705 .8985 98FEFFFF mov dword ptr , eax
0040170B .8D45 D8 lea eax, dword ptr
0040170E .890424 mov dword ptr , eax
00401711 .C785 B8FEFFFF 00000000 mov dword ptr , 0
0040171B .E8 00DF0200 call 0042F620
00401720 .8B95 98FEFFFF mov edx, dword ptr
00401726 .8995 A4FEFFFF mov dword ptr , edx
0040172C .8B85 A4FEFFFF mov eax, dword ptr
00401732 .890424 mov dword ptr , eax
00401735 .C785 B8FEFFFF FFFFFFFF mov dword ptr , -1
0040173F .E8 FCC60000 call 0040DE40
00401744 >8D85 B4FEFFFF lea eax, dword ptr
0040174A .890424 mov dword ptr , eax
0040174D .E8 0EC10000 call 0040D860
00401752 .8B85 B0FEFFFF mov eax, dword ptr
00401758 .8D65 F4 lea esp, dword ptr
0040175B .5B pop ebx
0040175C .5E pop esi
0040175D .5F pop edi
0040175E .5D pop ebp
0040175F .C3 retn
Press F7 to step into the key CALL at 0040153A, arriving at:
00401760 $55 push ebp ;algorithm CALL
00401761 .89E5 mov ebp, esp
00401763 .57 push edi
00401764 .56 push esi
00401765 .53 push ebx
00401766 .81EC 4C050000 sub esp, 54C
0040176C .C785 ECFAFFFF 801E4000 mov dword ptr , 00401E80
00401776 .C785 F0FAFFFF 2C174400 mov dword ptr , 0044172C
00401780 .8D85 F4FAFFFF lea eax, dword ptr
00401786 .8D55 E8 lea edx, dword ptr
00401789 .8910 mov dword ptr , edx
0040178B .BA BC184000 mov edx, 004018BC
00401790 .8950 04 mov dword ptr , edx
00401793 .8960 08 mov dword ptr , esp
00401796 .8D85 D4FAFFFF lea eax, dword ptr
0040179C .890424 mov dword ptr , eax
0040179F .E8 DCBF0000 call 0040D780
004017A4 .C74424 04 08000000 mov dword ptr , 8
004017AC .C70424 10000000 mov dword ptr , 10
004017B3 .E8 40EE0300 call 004405F8
004017B8 .894424 04 mov dword ptr , eax
004017BC .8D85 28FFFFFF lea eax, dword ptr
004017C2 .890424 mov dword ptr , eax
004017C5 .C785 D8FAFFFF FFFFFFFF mov dword ptr , -1
004017CF .E8 DC8B0300 call 0043A3B0
004017D4 .C785 24FBFFFF 00000000 mov dword ptr , 0
004017DE >837D 08 00 cmp dword ptr , 0 ;compare the working value with 0; the loop continues while it is above 0
004017E2 .7E 4D jle short 00401831
004017E4 .8B9D 24FBFFFF mov ebx, dword ptr
004017EA .8B4D 08 mov ecx, dword ptr ;ECX=0x63D76A (the ID, 6543210 in decimal)
004017ED .B8 67666666 mov eax, 66666667 ;EAX=0x66666667
004017F2 .F7E9 imul ecx ;EDX:EAX=EAX*ECX=0x66666667*0x63D76A=27EFC4003BE7A6
004017F4 .D1FA sar edx, 1 ;the high 32 bits (upper 8 hex digits) of the product land in EDX, EDX=0027EFC4; EDX=EDX sar 1=0013F7E2
004017F6 .89C8 mov eax, ecx ;EAX=ECX=0x63D76A (6543210)
004017F8 .C1F8 1F sar eax, 1F ;EAX=EAX sar 1F=0
004017FB .29C2 sub edx, eax ;EDX=EDX-EAX=0013F7E2
004017FD .89D0 mov eax, edx ;EAX=EDX=0013F7E2
004017FF .C1E0 02 shl eax, 2 ;EAX=EAX shl 2=004FDF88
00401802 .01D0 add eax, edx ;EAX=EAX+EDX=0063D76A
00401804 .29C1 sub ecx, eax ;ECX=ECX-EAX
00401806 .89C8 mov eax, ecx ;EAX=ECX=0
00401808 .89849D 28FBFFFF mov dword ptr , eax ;each round's result is stored at the address
0040180F .8B4D 08 mov ecx, dword ptr ;ECX=0x63D76A (the ID, 6543210 in decimal)
00401812 .B8 67666666 mov eax, 66666667 ;EAX=0x66666667
00401817 .F7E9 imul ecx ;EDX:EAX=EAX*ECX=0x66666667*0x63D76A=27EFC4003BE7A6
00401819 .D1FA sar edx, 1 ;EDX=0027EFC4, EAX=003BE7A6; EDX=EDX sar 1=0013F7E2
0040181B .89C8 mov eax, ecx ;EAX=ECX=0x63D76A (6543210)
0040181D .C1F8 1F sar eax, 1F ;EAX=EAX sar 1F=0
00401820 .29C2 sub edx, eax ;EDX=EDX-EAX=0013F7E2
00401822 .89D0 mov eax, edx ;EAX=EDX=0013F7E2
00401824 .8945 08 mov dword ptr , eax ;EAX is stored back at the address and becomes the operand for the next round
00401827 .8D85 24FBFFFF lea eax, dword ptr
0040182D .FF00 inc dword ptr
0040182F .^ EB AD jmp short 004017DE
00401831 >83BD 24FBFFFF 00 cmp dword ptr , 0
00401838 .7E 36 jle short 00401870
0040183A .8B85 24FBFFFF mov eax, dword ptr ;EAX=0xA, the number of loop rounds above, i.e. the serial length
00401840 .8B8485 24FBFFFF mov eax, dword ptr ;fetch from the address, i.e. take each round's result stored at 00401808 in reverse order
00401847 .894424 04 mov dword ptr , eax ;3133340320
0040184B .8D85 28FFFFFF lea eax, dword ptr
00401851 .83C0 08 add eax, 8
00401854 .890424 mov dword ptr , eax
00401857 .C785 D8FAFFFF 02000000 mov dword ptr , 2
00401861 .E8 AAA00200 call 0042B910
00401866 .8D85 24FBFFFF lea eax, dword ptr
0040186C .FF08 dec dword ptr
0040186E .^ EB C1 jmp short 00401831
00401870 >8D95 08FBFFFF lea edx, dword ptr
00401876 .8D85 28FFFFFF lea eax, dword ptr
0040187C .894424 04 mov dword ptr , eax
00401880 .891424 mov dword ptr , edx
00401883 .C785 D8FAFFFF 02000000 mov dword ptr , 2
0040188D .E8 7E210100 call 00413A10 ;real code "3133340320"
00401892 .83EC 04 sub esp, 4
00401895 .8D85 08FBFFFF lea eax, dword ptr
0040189B .894424 04 mov dword ptr , eax
0040189F .8B45 0C mov eax, dword ptr
004018A2 .890424 mov dword ptr , eax ;D EAX: entered code "9876543210"
004018A5 .C785 D8FAFFFF 01000000 mov dword ptr , 1
004018AF .E8 34E30300 call 0043FBE8 ;compare the real and entered codes; AL=1 if equal, otherwise AL=0
004018B4 .8885 CFFAFFFF mov byte ptr , al ;store AL
004018BA .EB 50 jmp short 0040190C
004018BC .8D6D 18 lea ebp, dword ptr
004018BF .8B85 D8FAFFFF mov eax, dword ptr
004018C5 .8B95 DCFAFFFF mov edx, dword ptr
004018CB .8995 C4FAFFFF mov dword ptr , edx
004018D1 .83F8 01 cmp eax, 1
004018D4 .0F84 9B000000 je 00401975
004018DA .8B85 C4FAFFFF mov eax, dword ptr
004018E0 .8985 C8FAFFFF mov dword ptr , eax
004018E6 .8D85 08FBFFFF lea eax, dword ptr
004018EC .890424 mov dword ptr , eax
004018EF .C785 D8FAFFFF 00000000 mov dword ptr , 0
004018F9 .E8 22DD0200 call 0042F620
004018FE .8B95 C8FAFFFF mov edx, dword ptr
00401904 .8995 C4FAFFFF mov dword ptr , edx
0040190A .EB 69 jmp short 00401975
0040190C >8D85 08FBFFFF lea eax, dword ptr
00401912 .890424 mov dword ptr , eax
00401915 .C785 D8FAFFFF 02000000 mov dword ptr , 2
0040191F .E8 FCDC0200 call 0042F620
00401924 .80BD CFFAFFFF 00 cmp byte ptr , 0 ;compare the byte at the address with 0
0040192B .74 24 je short 00401951 ;if equal, fail
0040192D .8D85 28FFFFFF lea eax, dword ptr
00401933 .890424 mov dword ptr , eax
00401936 .C785 D8FAFFFF FFFFFFFF mov dword ptr , -1
00401940 .E8 1B910300 call 0043AA60
00401945 .C785 D0FAFFFF 10000000 mov dword ptr , 10 ;otherwise store 0x10 at the address
0040194F .EB 6C jmp short 004019BD
00401951 >8D85 28FFFFFF lea eax, dword ptr
00401957 .890424 mov dword ptr , eax
0040195A .C785 D8FAFFFF FFFFFFFF mov dword ptr , -1
00401964 .E8 F7900300 call 0043AA60
00401969 .C785 D0FAFFFF 08000000 mov dword ptr , 8
00401973 .EB 48 jmp short 004019BD
00401975 >8B85 C4FAFFFF mov eax, dword ptr
0040197B .8985 C0FAFFFF mov dword ptr , eax
00401981 .8D85 28FFFFFF lea eax, dword ptr
00401987 .890424 mov dword ptr , eax
0040198A .C785 D8FAFFFF 00000000 mov dword ptr , 0
00401994 .E8 C7900300 call 0043AA60
00401999 .8B95 C0FAFFFF mov edx, dword ptr
0040199F .8995 C4FAFFFF mov dword ptr , edx
004019A5 .8B85 C4FAFFFF mov eax, dword ptr
004019AB .890424 mov dword ptr , eax
004019AE .C785 D8FAFFFF FFFFFFFF mov dword ptr , -1
004019B8 .E8 83C40000 call 0040DE40
004019BD >8D85 D4FAFFFF lea eax, dword ptr
004019C3 .890424 mov dword ptr , eax
004019C6 .E8 95BE0000 call 0040D860
004019CB .8B85 D0FAFFFF mov eax, dword ptr ;the value at the address is returned in EAX
004019D1 .8D65 F4 lea esp, dword ptr
004019D4 .5B pop ebx
004019D5 .5E pop esi
004019D6 .5F pop edi
004019D7 .5D pop ebp
004019D8 .C3 retn
-----------------------------------------------------------------------------------------------
【Summary】
1. The registration ID must be 6-9 characters long.
2. Multiply the ID by 0x66666667, take the high 8 hex digits of the product and shift them right by 1 (sar 1), then apply sar 1F, shl 2, sub and add, and store the result at the address.
3. Multiply the ID by 0x66666667 again, take the high 8 hex digits of the product and shift them right by 1 (sar 1), then apply sar 1F, shl 2 and sub; the result replaces the ID as the operand, and step 2 repeats until the operand becomes 0.
4. Take the stored values in reverse order; concatenated, they form the serial.
5. Compare the real and entered codes; if they match, 0x10 is stored at the location.
A working registration pair:
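To confirm the summary, here is an added C reimplementation of the check (my own code, not the crackme's source; the function names are mine). The imul/sar sequence is the compiler's magic-number idiom for division by 5, so the serial is simply the ID written in base 5, which reproduces 6543210 -> 3133340320.

```c
#include <stdint.h>
#include <string.h>

/* 004017ED-004017FD: imul 0x66666667, high 32 bits of the product, sar 1,
 * minus the sign bit of x: the compiler's magic-number idiom for x / 5. */
static int32_t div5_magic(int32_t x)
{
    int64_t prod = (int64_t)x * (int64_t)0x66666667;
    int32_t edx = (int32_t)(prod >> 32);   /* high half of EDX:EAX */
    edx >>= 1;                             /* sar edx, 1 */
    return edx - (x >> 31);                /* sub edx, eax (eax = x sar 1F) */
}

/* 004017DE-0040182F: store x - (x/5)*5 each round, replace x by x/5, stop
 * when x <= 0; the loop at 00401831 emits the remainders in reverse, so the
 * serial is the ID in base 5. Returns the digit count, 0 if cap is too small. */
static size_t derive_sn(int32_t id, char *out, size_t cap)
{
    int32_t rem[32];
    size_t n = 0;
    while (id > 0 && n < 32) {
        int32_t q = div5_magic(id);
        rem[n++] = id - ((q << 2) + q);    /* shl 2 / add / sub ecx, eax */
        id = q;
    }
    if (n + 1 > cap) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)('0' + rem[n - 1 - i]);
    out[n] = '\0';
    return n;
}

/* 00401494-004014AB: the ID string must be 6 to 9 characters long. */
static int id_length_ok(const char *id)
{
    size_t len = strlen(id);
    return len > 5 && len <= 9;
}

/* 004018AF: 1 if sn equals the serial derived from id, else 0. */
static int check_pair(int32_t id, const char *sn)
{
    char derived[32];
    if (derive_sn(id, derived, sizeof derived) == 0) return 0;
    return strcmp(derived, sn) == 0;
}
```

check_pair(6543210, "3133340320") returns 1, matching the pair listed in the summary, while the SN entered during the trial run is rejected.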
==========================================
ID:6543210
SN:3133340320
==========================================
To patch instead, change the following locations:
004015DD jnz short 004015F5 ;jnz=====>Nop
004015DE jnz short 004015F5 ;jnz=====>Nop
Or:
0043FBE8 push ebp ;push ebp=====>mov al, 1
0043FBE9 mov ebp, esp ;mov ebp, esp=====>retn
-----------------------------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange; when reposting, please credit the author and keep the article intact, thanks! Screenshot :-)