reywen's crackme2分析
【破解作者】 winndy[FCG][PYG]
【作者邮箱】 CNwinndy@hotmail.com
【使用工具】 PEID v0.93 OllyDbg v1.10 fly修改版,fsg2.0dumper(download from http://www.programmerstools.com)
【破解平台】 Winxp SP2
【软件名称】 reywen's crackme2
【下载地址】 http://www.crackmes.de/users/reywen/crackme_2/
【编写语言】 masm32
【破解声明】 For Study, For Fun
昨天搞定了PYG的crackme....
在crackmes.de逛的时候,看到这个,已经有Kreet破出来了,自己也想玩玩,于是.....
【保护方式】 fsg2.0,花指令,非标准MD5,暴力方式
【破解过程】 PEID查壳,fsg2.0,用fsg2.0dumper脱壳.
搜索字符串,未果!
bpx GetDlgItemTextA,在USER32.GetDlgItem也下,结果中断在下面.
call <jmp.&user32.GetDlgItemTextA> F8之后,全部都用F7下去.
一步一步,会发现很多都是无用的代码.只要细心点,F7下去,一遍就可以发现算法.
我输入的密码是:12345678901234567890
code:
// Registration check as dumped from OllyDbg after unpacking. The listing starts
// mid-function: the prologue matching the popad/leave/retn 10 at 00401ABF is
// not shown. The push/jmp/call/pop runs between the real instructions are
// junk code: each run appears to leave ecx and esp as it found them, and the
// bytes hidden behind each short jmp (db 69, db CD 20, db 5A DB) are never
// executed.
004018F8 . E8 F9010000 call <jmp.&user32.GetDlgItemTextA> ; \GetDlgItemTextA ; eax = number of characters read
004018FD . 51 push ecx ; junk run: ecx saved
004018FE . EB 01 jmp short dump.00401901
00401900 69 db 69 ; CHAR 'i'
00401901 > EB 02 jmp short dump.00401905
00401903 CD db CD
00401904 20 db 20 ; CHAR ' '
00401905 > 6A 15 push 15
00401907 . 59 pop ecx ; ecx = 15 (spin count)
00401908 . E8 01000000 call dump.0040190E ; pushes 0040190D and lands on the next instruction
0040190D . 5A pop edx ; never executed (the call skips over it)
0040190E $ 76 03 jbe short dump.00401913
00401910 . C1F1 00 sal ecx,0 ; shift by 0: no-op
00401913 > EB 01 jmp short dump.00401916
00401915 . 5A pop edx ; never executed
00401916 > 49 dec ecx
00401917 .^ 75 F5 jnz short dump.0040190E ; both jbe paths end here; spins 15 times
00401919 . 59 pop ecx ; ecx = 0040190D, the return address pushed by the call
0040191A . E3 01 jecxz short dump.0040191D ; never taken (ecx holds an address)
0040191C . 59 pop ecx ; ecx restored
0040191D > EB 01 jmp short dump.00401920
0040191F 69 db 69 ; CHAR 'i'
00401920 > EB 07 jmp short dump.00401929
00401922 5A db 5A ; CHAR 'Z'
00401923 DB db DB
00401924 > 83C4 04 add esp,4 ; discards the return address pushed at 00401929
00401927 . EB 08 jmp short dump.00401931
00401929 > E8 01000000 call dump.0040192F
0040192E . 5A pop edx ; never executed
0040192F $^ EB F3 jmp short dump.00401924
00401931 > 83F8 08 cmp eax,8 ; registration-code length must not be less than 8
00401934 . 0F82 83010000 jb dump.00401ABD ; too short: leave silently (unsigned compare)
0040193A . 51 push ecx ; junk run, same shape as above
0040193B . EB 01 jmp short dump.0040193E
0040193D 69 db 69 ; CHAR 'i'
0040193E > EB 02 jmp short dump.00401942
00401940 CD db CD
00401941 20 db 20 ; CHAR ' '
00401942 > 6A 0C push 0C
00401944 . 59 pop ecx ; with the push above: ecx = 0C
00401945 . E8 01000000 call dump.0040194B
0040194A . 5A pop edx ; never executed
0040194B $ 76 03 jbe short dump.00401950 ; first pass: flags still from cmp eax,8, taken when length == 8
0040194D . C1F1 00 sal ecx,0 ; no-op
00401950 > EB 01 jmp short dump.00401953
00401952 . 5A pop edx ; never executed
00401953 > 49 dec ecx ;
00401954 .^ 75 F5 jnz short dump.0040194B
00401956 . 59 pop ecx ; ecx = 0040194A, the return address pushed by the call at 00401945
00401957 . E3 01 jecxz short dump.0040195A
00401959 . 59 pop ecx ; ecx restored
0040195A > EB 01 jmp short dump.0040195D
0040195C 69 db 69 ; CHAR 'i'
0040195D > EB 07 jmp short dump.00401966
0040195F 5A db 5A ; CHAR 'Z'
00401960 DB db DB
00401961 > 83C4 04 add esp,4
00401964 . EB 08 jmp short dump.0040196E
00401966 > E8 01000000 call dump.0040196C
0040196B . 5A pop edx
0040196C $^ EB F3 jmp short dump.00401961
0040196E > A3 B4304000 mov dword ptr ds:[4030B4],eax ; save the length (the author labels it the user-name length)
00401973 . EB 07 jmp short dump.0040197C
00401975 5A db 5A ; CHAR 'Z'
00401976 DB db DB
00401977 > 83C4 04 add esp,4
0040197A . EB 08 jmp short dump.00401984
0040197C > E8 01000000 call dump.00401982
00401981 . 5A pop edx
00401982 $^ EB F3 jmp short dump.00401977
00401984 > 8BC8 mov ecx,eax ; ecx = length (14 for the 20-character test input)
00401986 . 51 push ecx
00401987 . EB 01 jmp short dump.0040198A
00401989 69 db 69 ; CHAR 'i'
0040198A > EB 02 jmp short dump.0040198E
0040198C CD db CD
0040198D 20 db 20 ; CHAR ' '
0040198E > 6A 1A push 1A
00401990 . 59 pop ecx ; mov ecx,1A
00401991 . E8 01000000 call dump.00401997
00401996 . 5A pop edx
00401997 $ 76 03 jbe short dump.0040199C
00401999 . C1F1 00 sal ecx,0
0040199C > EB 01 jmp short dump.0040199F
0040199E . 5A pop edx
0040199F > 49 dec ecx
004019A0 .^ 75 F5 jnz short dump.00401997
004019A2 . 59 pop ecx
004019A3 . E3 01 jecxz short dump.004019A6
004019A5 . 59 pop ecx ; ecx = 00000014 (the saved length)
004019A6 > EB 01 jmp short dump.004019A9
004019A8 69 db 69 ; CHAR 'i'
004019A9 > EB 07 jmp short dump.004019B2
004019AB 5A db 5A ; CHAR 'Z'
004019AC DB db DB
004019AD > 83C4 04 add esp,4
004019B0 . EB 08 jmp short dump.004019BA
004019B2 > E8 01000000 call dump.004019B8
004019B7 . 5A pop edx
004019B8 $^ EB F3 jmp short dump.004019AD
004019BA > BE 50304000 mov esi,dump.00403050 ; esi 00403050 ASCII "12345678901234567890" ; the text read by GetDlgItemTextA
004019BF . 51 push ecx
004019C0 . EB 01 jmp short dump.004019C3
004019C2 69 db 69 ; CHAR 'i'
004019C3 > EB 02 jmp short dump.004019C7
004019C5 CD db CD
004019C6 20 db 20 ; CHAR ' '
004019C7 > 6A 1A push 1A
004019C9 . 59 pop ecx
004019CA . E8 01000000 call dump.004019D0
004019CF . 5A pop edx
004019D0 $ 76 03 jbe short dump.004019D5
004019D2 . C1F1 00 sal ecx,0
004019D5 > EB 01 jmp short dump.004019D8
004019D7 . 5A pop edx
004019D8 > 49 dec ecx
004019D9 .^ 75 F5 jnz short dump.004019D0
004019DB . 59 pop ecx ; ecx = 004019CF, the return address pushed by the call at 004019CA (the author's 0040194F looks like a typo)
004019DC . E3 01 jecxz short dump.004019DF
004019DE . 59 pop ecx ; ecx = 0014 again (the saved length)
004019DF > EB 01 jmp short dump.004019E2
004019E1 69 db 69 ; CHAR 'i'
004019E2 > 8B1E mov ebx,dword ptr ds:[esi] ; ebx = first 4 input bytes, "1234" = 34333231
004019E4 . 035E 04 add ebx,dword ptr ds:[esi+4] ; + bytes 5..8, "5678": 34333231+38373635 = 6C6A6866
004019E7 > 81EB 9A020000 sub ebx,29A ; loop body: three constant adjustments of ebx
004019ED . 81C3 78320400 add ebx,43278
004019F3 . 81EB 4CB30000 sub ebx,0B34C ; net change per iteration: 43278-29A-0B34C = 37C92
004019F9 . 46 inc esi ; esi is not read inside the loop, so only the first 8 input bytes feed ebx
004019FA .^ E2 EB loopd short dump.004019E7 ; ecx = 14 (the input length) is the initial loop count
// final result for the test input: ebx = 6C6A6866 + 14*37C92 = 6CB023CE
004019FC . B9 DC304000 mov ecx,dump.004030DC
00401A01 . EB 07 jmp short dump.00401A0A
00401A03 5A db 5A ; CHAR 'Z'
00401A04 DB db DB
00401A05 > 83C4 04 add esp,4
00401A08 . EB 08 jmp short dump.00401A12
00401A0A > E8 01000000 call dump.00401A10
00401A0F . 5A pop edx
00401A10 $^ EB F3 jmp short dump.00401A05
00401A12 > 52 push edx ;EDX 7C92EB94 ntdll.KiFastSystemCallRet
00401A13 . BA DC304000 mov edx,dump.004030DC
00401A18 . 891A mov dword ptr ds:[edx],ebx ; store the 32-bit result at 004030DC
00401A1A . 5A pop edx
00401A1B . 6A 20 push 20 ; length = 20 bytes
00401A1D . 68 DC304000 push dump.004030DC ; source: the stored result
00401A22 . 68 BC304000 push dump.004030BC ; destination: 16-byte digest/state buffer
00401A27 . E8 D4F5FFFF call dump.00401000 ; non-standard MD5 (see the listing at 00401000 below)
// memory after the call (digest at 004030BC, hash input at 004030DC):
//004030BC 27 F7 0D DA 68 7D E1 F3 '?趆}狍
//004030C4 9F 0C 59 33 2D C2 A9 69 ?Y3-漏i
//004030CC 00 00 00 00 00 00 00 00 ........
//004030D4 00 00 00 00 00 00 00 00 ........
//004030DC CE 23 B0 6C ?發..
00401A2C . B9 04000000 mov ecx,4 ; fold the four digest dwords into ebx
00401A31 . BA BC304000 mov edx,dump.004030BC ; edx -> the digest
00401A36 > 2B1A sub ebx,dword ptr ds:[edx] ; ebx -= digest[i] (ebx starts at 6CB023CE)
00401A38 . 81EB E8030000 sub ebx,3E8 ; ebx -= 3E8 for every dword
00401A3E . 83C2 04 add edx,4
00401A41 .^ E2 F3 loopd short dump.00401A36
// afterwards (for the test input): ebx = 01BDD0D3
00401A43 . 51 push ecx ; junk run
00401A44 . EB 01 jmp short dump.00401A47
00401A46 69 db 69 ; CHAR 'i'
00401A47 > EB 02 jmp short dump.00401A4B
00401A49 CD db CD
00401A4A 20 db 20 ; CHAR ' '
00401A4B > 6A 1A push 1A
00401A4D . 59 pop ecx ; mov ecx,1A
00401A4E . E8 01000000 call dump.00401A54
00401A53 . 5A pop edx
00401A54 $ 76 03 jbe short dump.00401A59
00401A56 . C1F1 00 sal ecx,0
00401A59 > EB 01 jmp short dump.00401A5C
00401A5B . 5A pop edx
00401A5C > 49 dec ecx
00401A5D .^ 75 F5 jnz short dump.00401A54
00401A5F . 59 pop ecx
00401A60 . E3 01 jecxz short dump.00401A63
00401A62 . 59 pop ecx
00401A63 > EB 01 jmp short dump.00401A66
00401A65 69 db 69 ; CHAR 'i'
00401A66 > 81EB E6D699CE sub ebx,CE99D6E6 ; the actual check: ZF is set only when ebx == CE99D6E6
00401A6C . 74 25 je short dump.00401A93 ; equal -> show the success message
00401A6E . EB 4D jmp short dump.00401ABD ; otherwise leave silently
// the junk run below appears unreachable: the je above targets 00401A93, the
// jmp targets 00401ABD, and no visible branch lands in 00401A70..00401A92
00401A70 . 51 push ecx
00401A71 . EB 01 jmp short dump.00401A74
00401A73 69 db 69 ; CHAR 'i'
00401A74 > EB 02 jmp short dump.00401A78
00401A76 CD db CD
00401A77 20 db 20 ; CHAR ' '
00401A78 > 6A 1A push 1A
00401A7A . 59 pop ecx
00401A7B . E8 01000000 call dump.00401A81
00401A80 . 5A pop edx
00401A81 $ 76 03 jbe short dump.00401A86
00401A83 . C1F1 00 sal ecx,0
00401A86 > EB 01 jmp short dump.00401A89
00401A88 . 5A pop edx
00401A89 > 49 dec ecx
00401A8A .^ 75 F5 jnz short dump.00401A81
00401A8C . 59 pop ecx
00401A8D . E3 01 jecxz short dump.00401A90
00401A8F . 59 pop ecx
00401A90 > EB 01 jmp short dump.00401A93
00401A92 69 db 69 ; CHAR 'i'
00401A93 > BA 19304000 mov edx,dump.00403019 ; ASCII "y>y.wa{.coek.zfg}.5J .cogb.ck4.|kwyk`
icogb mac"
00401A98 . 8B1A mov ebx,dword ptr ds:[edx]
00401A9A . 80FB 77 cmp bl,77 ; first byte already 'w' (79 'y' xor 0E = 77): message decoded on an earlier pass
00401A9D . 74 0A je short dump.00401AA9 ; skip the decode so the text is not XORed twice
00401A9F . B9 31000000 mov ecx,31 ; 31 = 49 bytes to decode
00401AA4 . E8 1D000000 call dump.00401AC6 ; in-place XOR 0E decode of the message (listed below)
00401AA9 > 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401AAB . 68 0F304000 push dump.0040300F ; |Title = "[G.o.o.D]"
00401AB0 . 68 19304000 push dump.00403019 ; |Text = "y>y.wa{.coek.zfg}.5J
.cogb.ck4.|kwyk` icogb mac"
00401AB5 . FF75 08 push dword ptr ss:[ebp+8] ; |hOwner
00401AB8 . E8 45000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00401ABD > EB 00 jmp short dump.00401ABF ; common exit (jmp to the next instruction)
00401ABF > 61 popad
00401AC0 . 33C0 xor eax,eax ; return 0
00401AC2 . C9 leave
00401AC3 . C2 1000 retn 10 ; pops four dword arguments; with [ebp+8] used as hOwner this looks like a dialog procedure
// In-place XOR decode: for i in 0..ecx-1, byte[edx+i] ^= 0E.
// In: edx -> buffer, ecx = byte count (31 from the caller above).
// Out: the buffer is rewritten; al, ecx (= 0) and edx (-> last byte) are clobbered.
00401AC6 /$ 4A dec edx ; pre-decrement so the inc at the loop head yields edx itself on the first pass
00401AC7 |> 42 inc edx
00401AC8 |. 8A02 mov al,byte ptr ds:[edx]
00401ACA |. 34 0E xor al,0E
00401ACC |. 8802 mov byte ptr ds:[edx],al
00401ACE |.^ E2 F7 loopd short dump.00401AC7
00401AD0 \. C3 retn
// the routine above decodes the message that is displayed
// ciphertext: "y>y.wa{.coek.zfg}.5J .cogb.ck4.|kwyk` icogb mac"
// plaintext:  "w0w you make this ;D... mail me: reywen.gmail.com"
// Zero-fill: writes 20 (32) zero bytes starting at edx.
// In: edx -> buffer. Out: ecx (= 0) and edx (-> last byte) are clobbered.
// No call to this routine appears in the listing above.
00401AD1 /$ 4A dec edx ; same pre-decrement trick as the decode routine
00401AD2 |. B9 20000000 mov ecx,20 ; 20 = 32 bytes
00401AD7 |> 42 inc edx
00401AD8 |. C602 00 mov byte ptr ds:[edx],0
00401ADB |.^ E2 FA loopd short dump.00401AD7
00401ADD \. C3 retn
=================================
MD5算法
00401000 /$ 60 pushad
00401001 |. 8B7424 24 mov esi,dword ptr ss:[esp+24]
00401005 |. C706 01234567 mov dword ptr ds:[esi],67452301
0040100B |. C746 04 89ABC>mov dword ptr ds:[esi+4],EFCDAB89
00401012 |. C746 08 FEDCB>mov dword ptr ds:[esi+8],98BADCFE
00401019 |. C746 0C 76543>mov dword ptr ds:[esi+C],10325476
00401020 |. 8B4424 2C mov eax,dword ptr ss:[esp+2C]
00401024 |. 50 push eax
00401025 |. 33D2 xor edx,edx
00401027 |. B9 40000000 mov ecx,40
0040102C |. F7F1 div ecx
0040102E |. 40 inc eax
0040102F |. 5A pop edx
00401030 |. 83EC 40 sub esp,40
00401033 |. 8BDC mov ebx,esp
00401035 |. 8B7424 68 mov esi,dword ptr ss:[esp+68]
00401039 |. 92 xchg eax,edx
0040103A |> 8BFB /mov edi,ebx
0040103C |. 4A |dec edx
0040103D |. 75 41 |jnz short dump.00401080
0040103F |. 85C0 |test eax,eax
00401041 |. 78 06 |js short dump.00401049
00401043 |. C60418 80 |mov byte ptr ds:[eax+ebx],80
00401047 |. EB 03 |jmp short dump.0040104C
00401049 |> 33C0 |xor eax,eax
0040104B |. 48 |dec eax
0040104C |> B9 40000000 |mov ecx,40
00401051 |. 2BC8 |sub ecx,eax
00401053 |. 03F8 |add edi,eax
00401055 |. 50 |push eax
00401056 |. 33C0 |xor eax,eax
00401058 |. 47 |inc edi
00401059 |. 49 |dec ecx
0040105A |. F3:AA |rep stos byte ptr es:[edi]
0040105C |. 58 |pop eax
0040105D |. 85C0 |test eax,eax
0040105F |. 78 05 |js short dump.00401066
00401061 |. 83F8 38 |cmp eax,38
00401064 |. 73 19 |jnb short dump.0040107F
00401066 |> 50 |push eax
00401067 |. 8B4424 70 |mov eax,dword ptr ss:[esp+70]
0040106B |. 52 |push edx
0040106C |. 33D2 |xor edx,edx
0040106E |. B9 08000000 |mov ecx,8
00401073 |. F7E1 |mul ecx
00401075 |. 8943 38 |mov dword ptr ds:[ebx+38],eax
00401078 |. 8953 3C |mov dword ptr ds:[ebx+3C],edx
0040107B |. 5A |pop edx
0040107C |. 58 |pop eax
0040107D |. EB 01 |jmp short dump.00401080
0040107F |> 42 |inc edx
00401080 |> 85C0 |test eax,eax
00401082 |. 78 07 |js short dump.0040108B
00401084 |. 83F8 40 |cmp eax,40
00401087 |. 73 08 |jnb short dump.00401091
00401089 |. EB 02 |jmp short dump.0040108D
0040108B |> 33C0 |xor eax,eax
0040108D |> 8BC8 |mov ecx,eax
0040108F |. EB 05 |jmp short dump.00401096
00401091 |> B9 40000000 |mov ecx,40
00401096 |> 8BFB |mov edi,ebx
00401098 |. F3:A4 |rep movs byte ptr es:[edi],byte ptr ds:[esi]
//d edi
//0012F9BC CE 23 B0 6C 00 00 00 00 ?發....
//0012F9C4 00 00 00 00 00 00 00 00 ........
//0012F9CC 00 00 00 00 00 00 00 00 ........
//0012F9D4 00 00 00 00 00 00 00 00 ........
//0012F9DC 80 00 00 00 00 00 00 00 |