看雪找的一个简单的crackme分析+注册机源代码
【文章标题】: 看雪找的一个简单的crackme分析+注册机源代码
【文章作者】: 壹只老虎
【作者邮箱】: [email protected]
【作者QQ号】: 609841314
【软件名称】: CrackMe2.1.exe
【软件大小】: 204KB
【下载地址】: http://bbs.pediy.com/attachment.php?s=&attachmentid=2600
【加壳方式】: 无壳
【保护方式】: 注册名+序列号
【编写语言】: Microsoft Visual C++ 6.0
【使用工具】: od+peid+windows记事本+delphi7.0
【操作平台】: xp
【软件介绍】: 看雪的一个兄弟的crackme,爆破就没什么意思了!算法!好玩!
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
1:PEID查壳,Microsoft Visual C++ 6.0,无壳
2:运行程序,填写注册资料:name:tiger,serial:1111111111111111,注册,没反应,这不重要,看看再说!
3: OD载入, bpx GetWindowTextA,F9运行,写注册资料name:tiger,serial:1111111111111111,注册,断下来了!
在0041CD31 |.FF15 10334200 call dword ptr ds:[<&USER32.GetW>; \GetWindowTextA 断下来了!
这里别忙开始分析,f8走了一段又一段,终于看见注册名了!好了该开始分析了!
具体分析如下!从断点下来全部f8,就可以到达这里!嘿嘿!
4:这里是具体分析
第1部分:
00401750 .8DBE 90000000 lea edi,dword ptr ds:[esi+90]
00401756 .8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040175A .57 push edi
0040175B .E8 C2660100 call CrackMe2.00417E22
00401760 .8B17 mov edx,dword ptr ds:[edi] ;edx=注册名(字符串数据指针)
00401762 .8B6A F8 mov ebp,dword ptr ds:[edx-8] ;ebp=注册名长度(疑似MFC CString,长度字段在字符串前8字节处)
00401765 .85ED test ebp,ebp ;长度=0就跳出
00401767 .0F84 F8000000 je CrackMe2.00401865
0040176D .83FD 08 cmp ebp,8
00401770 .7D 0D jge short CrackMe2.0040177F ;长度>=8就跳走
00401772 .68 44C14200 push CrackMe2.0042C144 ;ASCII "Prudence"
00401777 .55 push ebp
00401778 .8BCF mov ecx,edi
0040177A .E8 43420100 call CrackMe2.004159C2 ; 这个call的目的是当注册名不足8位的时候在注册名的末
; 尾加上Prudence,黑黑
0040177F >55 push ebp
00401780 .8BCF mov ecx,edi
00401782 .E8 53670100 call CrackMe2.00417EDA
00401787 .8D4C24 24 lea ecx,dword ptr ss:[esp+24] ;第3个参数:4个双字的密钥缓冲区
0040178B .8D5424 1C lea edx,dword ptr ss:[esp+1C] ;第2个参数:接收两个32位结果的输出缓冲区
0040178F .51 push ecx
00401790 .52 push edx
00401791 .50 push eax
00401792 .E8 B9FEFFFF call CrackMe2.00401650 ;重要(Ok),核心算法,跟进去
00401797 .8B4424 2C mov eax,dword ptr ss:[esp+2C] ;eax=核心算法的第2个输出(循环结束时的ecx)
0040179B .8B4C24 28 mov ecx,dword ptr ss:[esp+28] ;ecx=核心算法的第1个输出(循环结束时的eax)
0040179F .50 push eax ;压栈
004017A0 .51 push ecx ;压栈
004017A1 .8D5424 20 lea edx,dword ptr ss:[esp+20]
004017A5 .68 3CC14200 push CrackMe2.0042C13C ;ASCII "%x-%x"
004017AA .52 push edx
004017AB .E8 CF450100 call CrackMe2.00415D7F ;小写的"eax"-"ecx"
004017B0 .83C4 1C add esp,1C
004017B3 .8D4C24 0C lea ecx,dword ptr ss:[esp+C]
004017B7 .E8 B5670100 call CrackMe2.00417F71 ;大写的"eax"-"ecx"
004017BC .8D4C24 0C lea ecx,dword ptr ss:[esp+C]
004017C0 .E8 BE670100 call CrackMe2.00417F83 ;整个字符串逆序,得到 逆序"ecx"-逆序"eax",
这里是我试出来的,也可以跟进去看一看
004017C5 .8B86 94000000 mov eax,dword ptr ds:[esi+94] ;eax=用户输入的注册码字符串
004017CB .50 push eax ; /Arg2
004017CC .8B4424 10 mov eax,dword ptr ss:[esp+10] ; |算出来的真码
004017D0 .50 push eax ; |Arg1
004017D1 .E8 10800000 call CrackMe2.004097E6 ; \这里关键call,把真码和假码比较的结果放在eax里面(从传参和返回值看像是strcmp,未跟进确认)
004017D6 .83C4 08 add esp,8
004017D9 .85C0 test eax,eax ;eax不为0就失败!
004017DB .0F85 84000000 jnz CrackMe2.00401865 ;失败了
004017E1 .68 30C14200 push CrackMe2.0042C130
004017E6 .8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
004017EA .E8 68650100 call CrackMe2.00417D57
004017EF .68 14C14200 push CrackMe2.0042C114
004017F4 .8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004017F8 .C64424 44 02 mov byte ptr ss:[esp+44],2
004017FD .E8 55650100 call CrackMe2.00417D57
00401802 .8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00401806 .C64424 40 03 mov byte ptr ss:[esp+40],3
0040180B .51 push ecx
0040180C .8BCE mov ecx,esi
0040180E .E8 AD000000 call CrackMe2.004018C0
00401813 .68 EE030000 push 3EE
00401818 .8BCE mov ecx,esi
0040181A .E8 53920100 call CrackMe2.0041AA72
0040181F .8D5424 10 lea edx,dword ptr ss:[esp+10]
00401823 .8BCE mov ecx,esi
00401825 .52 push edx
00401826 .8BF8 mov edi,eax
00401828 .E8 93000000 call CrackMe2.004018C0
0040182D .8B4424 14 mov eax,dword ptr ss:[esp+14]
00401831 .8D4C24 10 lea ecx,dword ptr ss:[esp+10]
00401835 .50 push eax
00401836 .6A 00 push 0
00401838 .E8 85410100 call CrackMe2.004159C2
0040183D .8B4C24 10 mov ecx,dword ptr ss:[esp+10]
00401841 .51 push ecx
00401842 .8BCF mov ecx,edi
00401844 .E8 E8920100 call CrackMe2.0041AB31
00401849 .8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040184D .C64424 40 02 mov byte ptr ss:[esp+40],2
00401852 .E8 D6640100 call CrackMe2.00417D2D
00401857 .8D4C24 18 lea ecx,dword ptr ss:[esp+18]
0040185B .C64424 40 01 mov byte ptr ss:[esp+40],1
00401860 .E8 C8640100 call CrackMe2.00417D2D
00401865 >8D4C24 14 lea ecx,dword ptr ss:[esp+14] ;长度为0或比较失败都跳到这里,下面只是清理局部对象(疑似CString析构)然后返回
00401869 .C64424 40 00 mov byte ptr ss:[esp+40],0
0040186E .E8 BA640100 call CrackMe2.00417D2D
00401873 .8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00401877 .C74424 40 FFFFFFFF mov dword ptr ss:[esp+40],-1
0040187F .E8 A9640100 call CrackMe2.00417D2D
00401884 .8B4C24 38 mov ecx,dword ptr ss:[esp+38]
00401888 .5F pop edi
00401889 .5E pop esi
0040188A .5D pop ebp
0040188B .64:890D 00000000 mov dword ptr fs:[0],ecx
00401892 .83C4 38 add esp,38
00401895 .C3 retn
第2部分
00401792 .E8 B9FEFFFF call CrackMe2.00401650 ;重要(Ok),核心算法,跟进去
跟进00401650
分析如下
00401650 /$83EC 08 sub esp,8
00401653 |.8B5424 14 mov edx,dword ptr ss:[esp+14] ;edx=第3个参数:密钥(4个双字)
00401657 |.8B4C24 0C mov ecx,dword ptr ss:[esp+C] ;ecx=第1个参数:注册名缓冲区
0040165B |.53 push ebx
0040165C |.55 push ebp
0040165D |.56 push esi
0040165E |.8B32 mov esi,dword ptr ds:[edx] ;密钥第1个双字
00401660 |.8B01 mov eax,dword ptr ds:[ecx] ;注册名前4字节(小端)放eax
00401662 |.8B49 04 mov ecx,dword ptr ds:[ecx+4] ;注册名第5~8字节放ecx,再往后的字符不参与运算
00401665 |.897424 18 mov dword ptr ss:[esp+18],esi
00401669 |.8B72 04 mov esi,dword ptr ds:[edx+4] ;密钥第2个双字
0040166C |.897424 20 mov dword ptr ss:[esp+20],esi
00401670 |.8B72 08 mov esi,dword ptr ds:[edx+8] ;密钥第3个双字
00401673 |.8B52 0C mov edx,dword ptr ds:[edx+C] ;密钥第4个双字
00401676 |.897424 0C mov dword ptr ss:[esp+C],esi
0040167A |.895424 10 mov dword ptr ss:[esp+10],edx
0040167E |.57 push edi
0040167F |.33D2 xor edx,edx ;edx=0
00401681 |.BE 20000000 mov esi,20 ;esi=32
00401686 |>8B5C24 1C /mov ebx,dword ptr ss:[esp+1C] ;ebx=密钥第1个双字=1936287828(0x73696854)
0040168A |.8B6C24 24 |mov ebp,dword ptr ss:[esp+24] ;ebp=密钥第2个双字=544434464(0x20736920)
0040168E |.8BF9 |mov edi,ecx ;edi=ecx
00401690 |.33D9 |xor ebx,ecx ;ebx=1936287828 xor ecx
00401692 |.81EA 4786C861 |sub edx,61C88647 ;edx=edx-1640531527,32位回绕后等价于 edx+=0x9E3779B9,正是TEA的delta常数
00401698 |.03DD |add ebx,ebp ;ebx=544434464+ebx
0040169A |.C1EF 05 |shr edi,5 ;edi=edi shr 5
0040169D |.33FA |xor edi,edx ;edi=edi xor edx
0040169F |.8BE9 |mov ebp,ecx ;ebp=ecx
004016A1 |.C1E5 04 |shl ebp,4 ;ebp=ebp shl 4
004016A4 |.03DF |add ebx,edi ;ebx=ebx+edi
004016A6 |.03EB |add ebp,ebx ;ebp=ebp+ebx
004016A8 |.8B5C24 10 |mov ebx,dword ptr ss:[esp+10] ;ebx=密钥第3个双字=1919098977(0x72632061)
004016AC |.03C5 |add eax,ebp ;eax=eax+ebp
004016AE |.8B6C24 14 |mov ebp,dword ptr ss:[esp+14] ;ebp=密钥第4个双字=778789729(0x2E6B6361)
004016B2 |.8BF8 |mov edi,eax ;edi=eax
004016B4 |.33D8 |xor ebx,eax ;ebx=ebx xor eax
004016B6 |.C1EF 05 |shr edi,5 ;edi =edi shr 5
004016B9 |.03DD |add ebx,ebp ;ebx=ebp+ebx
004016BB |.33FA |xor edi,edx ;edi=edi xor edx
004016BD |.8BE8 |mov ebp,eax ;ebp=eax
004016BF |.03DF |add ebx,edi ;ebx=edi+ebx
004016C1 |.C1E5 04 |shl ebp,4 ;ebp=ebp shl 4
004016C4 |.03EB |add ebp,ebx ;ebp=ebp+ebx
004016C6 |.03CD |add ecx,ebp ;ecx=ecx+ebp
004016C8 |.4E |dec esi ;esi-1
004016C9 |.^ 75 BB \jnz short CrackMe2.00401686 ;这里是循环32次
004016CB |.8B5424 20 mov edx,dword ptr ss:[esp+20] ;edx=第2个参数(输出缓冲区);eax,ecx各是一个32位结果
004016CF |.5F pop edi
004016D0 |.5E pop esi
004016D1 |.5D pop ebp
004016D2 |.8902 mov dword ptr ds:[edx],eax ;输出[0]=eax
004016D4 |.894A 04 mov dword ptr ds:[edx+4],ecx ;输出[1]=ecx
004016D7 |.5B pop ebx
004016D8 |.83C4 08 add esp,8
004016DB \.C3 retn
好了分析完了!嘿嘿!
5:总结下算法!
注册名长度为0时直接失败;不足8个字符时在后面补上"Prudence";超过8个字符时只取前8个字节。
然后把注册名的前4字节和后4字节按小端当成两个32位数(eax,ecx),和写死在程序里的4个32位密钥
(0x73696854,0x20736920,0x72632061,0x2E6B6361,按字节读出来是"This is a crack.")做32次循环运算:
每轮 edx 先加 0x9E3779B9(即 sub 61C88647),再用 shl 4 / shr 5 搅拌另一半,结构很像 TEA,
但加法和异或的摆放位置与标准 TEA 不一样(对照 00401686 处的逐条注释),所以不能直接套现成的 TEA 实现,要照着反汇编一条条写。
得到两个数据放在 eax和ecx
然后将这两个数据转换为不带前导零的16进制字符串(对应"%x-%x"),按照"eax"-"ecx"构造新的字符串并转成大写,
最后把整个字符串逆序,即 逆序"ecx"-逆序"eax",就是注册码!
因为密钥和算法都固定在程序里,注册码只取决于注册名的前8个字节,所以注册机可以完整复现校验逻辑。
6:注册机编写,代码有点长,小心看错了!我自己也看错了好多了!郁闷!呵呵!
delphi版本的!
unit key;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, WinSkinData, jpeg, ExtCtrls;
type
{ Keygen main form. The field names are bound to the .dfm resource and must
  not be renamed. Edit1 holds the registration name typed by the user and
  Edit2 receives the computed serial; Button1 generates the serial, Button2
  shows the "about" box and Button3 closes the form. }
TForm1 = class(TForm)
SkinData1: TSkinData; { third-party WinSkinData skin component, cosmetic only }
Label1: TLabel;
Label2: TLabel;
Edit1: TEdit; { input: registration name }
Edit2: TEdit; { output: generated serial }
Button1: TButton; { generate }
Button2: TButton; { about }
Button3: TButton; { close }
Image1: TImage;
Label3: TLabel;
procedure Button2Click(Sender: TObject);
procedure Button3Click(Sender: TObject);
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1; { the form instance; presumably auto-created by the project file }
implementation
{$R *.dfm}
procedure TForm1.Button2Click(Sender: TObject);
const
  AboutText = '本注册机由壹只老虎制作!QQ:609841314';
  AboutCaption = '关于';
begin
  { "About" button: pops an informational message box with the author's contact. }
  Application.MessageBox(AboutText, AboutCaption, MB_OK or MB_ICONINFORMATION);
end;
procedure TForm1.Button3Click(Sender: TObject);
begin
  { "Exit" button: closes this form. }
  Self.Close;
end;
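{ Computes the serial the target accepts for AName, mirroring the round
  function at 00401650 and the string post-processing at 004017A1..004017C0.

  AName: the registration name as typed. Only its first 8 bytes take part in
  the computation (mov eax,[ecx] / mov ecx,[ecx+4]). A name shorter than 8
  characters is first extended with 'Prudence', which is what the author
  identified the cmp ebp,8 / call 004159C2 sequence as doing. An empty name
  yields '' because the target bails out before computing anything
  (test ebp,ebp / je 00401865).

  Returns: the serial string - the two 32-bit round outputs printed as
  upper-case hex without leading zeros, joined by '-', and then reversed as a
  whole string. }
function ComputeSerial(const AName: string): string;
const
  { sub edx,61C88647 is the same as adding $9E3779B9 modulo 2^32. }
  Delta: LongWord = $9E3779B9;
  { mov esi,20 / dec esi / jnz: 32 iterations. }
  Rounds = 32;
  { The four key words the loop reads from the stack; the listing shows them
    as 1936287828, 544434464, 1919098977 and 778789729. }
  K0: LongWord = $73696854;
  K1: LongWord = $20736920;
  K2: LongWord = $72632061;
  K3: LongWord = $2E6B6361;
var
  Padded: string;
  v0, v1, sum: LongWord;
  i, n: Integer;
  c: Char;

  { Packs S[First..First+3] as a little-endian 32-bit word, exactly as the
    x86 mov eax,[ecx] reads the name buffer. Caller guarantees the range. }
  function PackLE(const S: string; First: Integer): LongWord;
  begin
    Result := LongWord(Ord(S[First]))
      or (LongWord(Ord(S[First + 1])) shl 8)
      or (LongWord(Ord(S[First + 2])) shl 16)
      or (LongWord(Ord(S[First + 3])) shl 24);
  end;

begin
  Padded := AName;
  if Padded = '' then
  begin
    { The target rejects an empty name outright, so there is no valid serial. }
    Result := '';
    Exit;
  end;
  if Length(Padded) < 8 then
    Padded := Padded + 'Prudence';

  v0 := PackLE(Padded, 1);
  v1 := PackLE(Padded, 5);
  sum := 0;
  { TEA-like Feistel rounds. NOTE: the add/xor layout is NOT standard TEA.
    Reading 00401686..004016C9 register by register gives
      v0 += (v1 shl 4) + ((K0 xor v1) + K1) + ((v1 shr 5) xor sum)
      v1 += (v0 shl 4) + ((K2 xor v0) + K3) + ((v0 shr 5) xor sum)
    whereas real TEA xors the three terms together. A stock TEA routine will
    therefore not reproduce the target. All operands are LongWord so the
    arithmetic wraps modulo 2^32 like the 32-bit registers (overflow
    checking must stay off, the Delphi default). }
  for i := 1 to Rounds do
  begin
    sum := sum + Delta;
    v0 := v0 + ((v1 shl 4) + ((K0 xor v1) + K1) + ((v1 shr 5) xor sum));
    v1 := v1 + ((v0 shl 4) + ((K2 xor v0) + K3) + ((v0 shr 5) xor sum));
  end;

  { "%x-%x" prints each word with as many digits as needed (minimum one),
    and the following call upper-cases the string. IntToHex with a minimum of
    1 digit matches %x; the original keygen used IntToHex(x, 2), which pads a
    value below $10 to two digits and would then disagree with the target.
    The Integer cast only reinterprets the bit pattern; IntToHex prints all
    32 bits either way. }
  Result := IntToHex(Integer(v0), 1) + '-' + IntToHex(Integer(v1), 1);

  { Reverse the whole string by swapping from both ends inward. The original
    keygen looped up to Pos('-', code), which only reverses correctly when the
    two hex halves have the same number of digits; when the second word has
    fewer digits than the first (~1 in 16 names) it un-did a swap and emitted
    a wrong serial. }
  n := Length(Result);
  for i := 1 to n div 2 do
  begin
    c := Result[i];
    Result[i] := Result[n - i + 1];
    Result[n - i + 1] := c;
  end;
end;

{ "Generate" button: fills Edit2 with the serial for the name in Edit1. }
procedure TForm1.Button1Click(Sender: TObject);
begin
  Edit2.Text := ComputeSerial(Edit1.Text);
end;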
end.
好了就这样了,嘿嘿!壹只老虎祝大家破解愉快!
--------------------------------------------------------------------------------
【经验总结】
这个东西还是比较简单,思路很清晰的!要注意写代码的时候不要出错了!比较容易出错!(容易看花眼)
--------------------------------------------------------------------------------
【版权声明】: BY:壹只老虎
2006年08月27日 14:36:10 这个 Crackme 比较容易,加加减减适合初学算法的朋友,支持 学习了!!