【文章标题】: Buzz'm_Frog's Crackme #2 算法简单分析
【文章作者】: 网络断魂
【软件名称】: Buzz'm_Frog's Crackme #2
【下载地址】: 自己搜吧,朋友给偶的
【加壳方式】: 无壳
【保护方式】: 用户名+注册码
【编写语言】: Borland C++
【使用工具】: OD
【操作平台】: winxp2
【作者声明】: 也不知道分析的对不对,大家别笑话偶
下消息断点,找到算法关键处:
;-----------------------------------------------------------------------
; 00401400 - serial check routine (Borland C++ __fastcall entry: eax/edx
;            carry the first two arguments and are saved at [ebp-54]/[ebp-58]).
; Helper routines (004018E8, 0040F49C, 0040F4CB, 0040F6F6, 00401918,
; 0040FFA4, 0040F3C9, 0040A740) are not in this listing; the roles given
; below are inferred from how they are called - verify against the binary.
; Locals used by the check:
;   [ebp-4]  string object: name               (filled at 00401487)
;   [ebp-8]  string object: entered code       (filled at 004014C3)
;   [ebp-C]  string object: generated code text (filled at 00401569)
;   [ebp-60] running sum, then the expected value
;   [ebp-68] entered code parsed to an integer (0040FFA4)
;   [ebp-6C] index into the name; [ebp-70] index into the entered code
;   [ebp-59] byte flag: 1 = the last compared byte matched (cleared at 0040145C)
;   [ebp-64] state: 1 = no byte mismatch so far, 2 = a mismatch occurred
;   [ebp-40] / [ebp-34] look like exception-frame bookkeeping, touched on
;            every string construction/destruction - not part of the check
; Expected value = (sum of the name's bytes, each sign-extended)
;                  * 0x1332 * 0x1332 * 0x1332 + 0x0F4A, with 32-bit imul
;                  (the high half of every product is discarded).
; The entered code passes only if (a) it equals that value as an integer
; (00401546), (b) its length equals the length of the value's decimal text
; (00401590) and (c) it matches that text byte for byte (004015A5..004015E2);
; any failure reaches 004016C0.
;-----------------------------------------------------------------------
00401400 /. 55 push ebp
00401401 |. 8BEC mov ebp, esp
00401403 |. 83C4 90 add esp, -70 ; 0x70 bytes of locals
00401406 |. 53 push ebx ; ebx (callee-saved) holds a length / a byte below
00401407 |. 8955 A8 mov dword ptr [ebp-58], edx ; 2nd arg; not read again in this listing
0040140A |. 8945 AC mov dword ptr [ebp-54], eax ; 1st arg; objects at +1C8/+1CC supply the name and the entered code
0040140D |. B8 BC234300 mov eax, 004323BC
00401412 |. E8 4D8A0200 call 00429E64 ; prologue helper, not shown
00401417 |. 66:C745 C0 08>mov word ptr [ebp-40], 8 ; frame state (see header)
0040141D |. 8D45 FC lea eax, dword ptr [ebp-4]
00401420 |. E8 C3040000 call 004018E8 ; construct string [ebp-4] (name)
00401425 |. FF45 CC inc dword ptr [ebp-34] ; live-object count (inferred)
00401428 |. 66:C745 C0 14>mov word ptr [ebp-40], 14
0040142E |. 66:C745 C0 20>mov word ptr [ebp-40], 20
00401434 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00401437 |. E8 AC040000 call 004018E8 ; construct string [ebp-8] (entered code)
0040143C |. FF45 CC inc dword ptr [ebp-34]
0040143F |. 66:C745 C0 14>mov word ptr [ebp-40], 14
00401445 |. 66:C745 C0 2C>mov word ptr [ebp-40], 2C
0040144B |. 8D45 F4 lea eax, dword ptr [ebp-C]
0040144E |. E8 95040000 call 004018E8 ; construct string [ebp-C] (generated code text)
00401453 |. FF45 CC inc dword ptr [ebp-34]
00401456 |. 66:C745 C0 14>mov word ptr [ebp-40], 14
0040145C |. C645 A7 00 mov byte ptr [ebp-59], 0 ; byte flag = 0; only the compare loop at 004015D0 sets it to 1
00401460 |. 66:C745 C0 38>mov word ptr [ebp-40], 38
00401466 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00401469 |. E8 7A040000 call 004018E8 ; construct temp string [ebp-10]
0040146E |. 8BD0 mov edx, eax ; edx = &temp
00401470 |. FF45 CC inc dword ptr [ebp-34]
00401473 |. 8B4D AC mov ecx, dword ptr [ebp-54]
00401476 |. 8B81 C8010000 mov eax, dword ptr [ecx+1C8] ; eax = object at +1C8 (name input)
0040147C |. E8 BF920000 call 0040A740 ; read its text into temp [ebp-10] (inferred)
00401481 |. 8D55 F0 lea edx, dword ptr [ebp-10]
00401484 |. 8D45 FC lea eax, dword ptr [ebp-4]
00401487 |. E8 3FE00000 call 0040F4CB ; name = temp (string copy; inferred)
0040148C |. FF4D CC dec dword ptr [ebp-34]
0040148F |. 8D45 F0 lea eax, dword ptr [ebp-10]
00401492 |. BA 02000000 mov edx, 2
00401497 |. E8 00E00000 call 0040F49C ; author: fetch the name into EDX. NOTE(review): the name is already in [ebp-4] after 00401487; this call (string address + edx=2) looks like the temp's destructor - verify
0040149C |. 66:C745 C0 44>mov word ptr [ebp-40], 44
004014A2 |. 8D45 EC lea eax, dword ptr [ebp-14]
004014A5 |. E8 3E040000 call 004018E8 ; construct temp string [ebp-14]
004014AA |. 8BD0 mov edx, eax
004014AC |. FF45 CC inc dword ptr [ebp-34]
004014AF |. 8B4D AC mov ecx, dword ptr [ebp-54]
004014B2 |. 8B81 CC010000 mov eax, dword ptr [ecx+1CC] ; eax = object at +1CC (code input)
004014B8 |. E8 83920000 call 0040A740 ; author: compute name length into EAX. NOTE(review): same helper as 0040147C on the +1CC object; its text is copied into [ebp-8] at 004014C3 and used as the entered code below, so this is not a length
004014BD |. 8D55 EC lea edx, dword ptr [ebp-14]
004014C0 |. 8D45 F8 lea eax, dword ptr [ebp-8]
004014C3 |. E8 03E00000 call 0040F4CB ; entered code = temp
004014C8 |. FF4D CC dec dword ptr [ebp-34]
004014CB |. 8D45 EC lea eax, dword ptr [ebp-14]
004014CE |. BA 02000000 mov edx, 2
004014D3 |. E8 C4DF0000 call 0040F49C ; author: fetch the entered code into EDX. NOTE(review): same shape as 00401497 - presumably the temp's destructor
004014D8 |. 33C9 xor ecx, ecx ; ecx = 0
004014DA |. 894D A0 mov dword ptr [ebp-60], ecx ; sum = 0
004014DD |. 66:C745 C0 14>mov word ptr [ebp-40], 14
004014E3 |. C745 9C 01000>mov dword ptr [ebp-64], 1 ; state = 1 (set to 2 on any byte mismatch at 004015C7)
004014EA |. 8D45 F8 lea eax, dword ptr [ebp-8]
004014ED |. E8 B2EA0000 call 0040FFA4 ; author: entered code converted to a number, result in EAX (string -> integer; inferred)
004014F2 |. 8945 98 mov dword ptr [ebp-68], eax ; [ebp-68] = entered code as integer
004014F5 |. 33D2 xor edx, edx ; edx = 0
004014F7 |. 8955 94 mov dword ptr [ebp-6C], edx ; i = 0
004014FA |. EB 15 jmp short 00401511 ; jump to the loop test
004014FC |> 8D45 FC /lea eax, dword ptr [ebp-4] ; eax = &name
004014FF |. E8 14040000 |call 00401918 ; eax = pointer to the name's characters (c_str-like; inferred)
00401504 |. 8B55 94 |mov edx, dword ptr [ebp-6C] ; edx = i
00401507 |. 0FBE0C10 |movsx ecx, byte ptr [eax+edx] ; ecx = (signed) name[i]; bytes >= 0x80 contribute negative values
0040150B |. 014D A0 |add dword ptr [ebp-60], ecx ; sum += name[i]
0040150E |. FF45 94 |inc dword ptr [ebp-6C] ; i++
00401511 |> 8D45 FC lea eax, dword ptr [ebp-4] ; eax = &name
00401514 |. E8 DDE10000 |call 0040F6F6 ; eax = length(name) (same helper is used for the other strings below)
00401519 |. 3B45 94 |cmp eax, dword ptr [ebp-6C] ; author: check whether the name is empty. NOTE(review): this is the loop test - length vs i
0040151C |.^ 7F DE \jg short 004014FC ; loop while length > i (signed jg); an empty name skips the loop and leaves sum = 0
0040151E |. 6955 A0 32130>imul edx, dword ptr [ebp-60], 1332 ; edx = sum * 0x1332 (signed, 32-bit; high half dropped)
00401525 |. 8955 A0 mov dword ptr [ebp-60], edx ; sum = edx
00401528 |. 694D A0 32130>imul ecx, dword ptr [ebp-60], 1332 ; ecx = sum * 0x1332 (second time)
0040152F |. 894D A0 mov dword ptr [ebp-60], ecx ; sum = ecx
00401532 |. 6945 A0 32130>imul eax, dword ptr [ebp-60], 1332 ; eax = sum * 0x1332 (third time)
00401539 |. 8945 A0 mov dword ptr [ebp-60], eax ; sum = eax
0040153C |. 8145 A0 4A0F0>add dword ptr [ebp-60], 0F4A ; sum += 0x0F4A -> expected value
00401543 |. 8B55 98 mov edx, dword ptr [ebp-68] ; edx = entered code as integer
00401546 |. 3B55 A0 cmp edx, dword ptr [ebp-60] ; compare it with the expected value
00401549 0F85 71010000 jnz 004016C0 ; not equal -> failure path at 004016C0 (author NOPs this to keep tracing)
0040154F |. 66:C745 C0 50>mov word ptr [ebp-40], 50
00401555 |. 8D45 E8 lea eax, dword ptr [ebp-18]
00401558 |. 8B55 A0 mov edx, dword ptr [ebp-60] ; edx = expected value
0040155B |. E8 69DE0000 call 0040F3C9 ; author: converted to signed decimal text - this is the real code (temp [ebp-18])
00401560 |. FF45 CC inc dword ptr [ebp-34]
00401563 |. 8D55 E8 lea edx, dword ptr [ebp-18]
00401566 |. 8D45 F4 lea eax, dword ptr [ebp-C]
00401569 |. E8 5DDF0000 call 0040F4CB ; generated = temp
0040156E |. FF4D CC dec dword ptr [ebp-34]
00401571 |. 8D45 E8 lea eax, dword ptr [ebp-18]
00401574 |. BA 02000000 mov edx, 2
00401579 |. E8 1EDF0000 call 0040F49C ; destroy temp [ebp-18] (inferred)
0040157E |. 8D45 F8 lea eax, dword ptr [ebp-8]
00401581 |. E8 70E10000 call 0040F6F6 ; eax = length(entered code)
00401586 |. 8BD8 mov ebx, eax ; ebx = length(entered code)
00401588 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0040158B |. E8 66E10000 call 0040F6F6 ; eax = length(generated)
00401590 |. 3BD8 cmp ebx, eax ; the two lengths must be equal
00401592 0F85 28010000 jnz 004016C0 ; lengths differ -> failure path (author NOPs this)
00401598 |. 33D2 xor edx, edx
0040159A |. 8955 90 mov dword ptr [ebp-70], edx ; j = 0
0040159D |. 66:C745 C0 14>mov word ptr [ebp-40], 14
004015A3 |. EB 32 jmp short 004015D7 ; jump to the loop test
004015A5 |> 8D45 F8 /lea eax, dword ptr [ebp-8]
004015A8 |. E8 6B030000 |call 00401918 ; eax = characters of the entered code
004015AD |. 8B55 90 |mov edx, dword ptr [ebp-70] ; edx = j
004015B0 |. 8A1C10 |mov bl, byte ptr [eax+edx] ; bl = entered[j]
004015B3 |. 8D45 F4 |lea eax, dword ptr [ebp-C]
004015B6 |. E8 5D030000 |call 00401918 ; eax = characters of the generated text
004015BB |. 8B55 90 |mov edx, dword ptr [ebp-70]
004015BE |. 3A1C10 |cmp bl, byte ptr [eax+edx] ; entered[j] vs generated[j]
004015C1 |. 74 0D |je short 004015D0 ; equal -> set the byte flag
004015C3 |. C645 A7 00 |mov byte ptr [ebp-59], 0 ; mismatch: byte flag = 0
004015C7 |. C745 9C 02000>|mov dword ptr [ebp-64], 2 ; state = 2 (never reset, so one mismatch is enough to fail)
004015CE |. EB 04 |jmp short 004015D4
004015D0 |> C645 A7 01 |mov byte ptr [ebp-59], 1 ; match: byte flag = 1 (overwritten each iteration, so it reflects only the last byte)
004015D4 |> FF45 90 |inc dword ptr [ebp-70] ; j++
004015D7 |> 8D45 F8 lea eax, dword ptr [ebp-8]
004015DA |. E8 17E10000 |call 0040F6F6 ; eax = length(entered code)
004015DF |. 3B45 90 |cmp eax, dword ptr [ebp-70]
004015E2 |.^ 7F C1 \jg short 004015A5 ; loop while length > j (signed jg)
004015E4 |. 807D A7 00 cmp byte ptr [ebp-59], 0 ; byte flag must be 1 (last byte matched; also false if no byte was compared)
004015E8 0F84 D2000000 je 004016C0 ; otherwise failure path (author NOPs this)
004015EE |. 837D 9C 01 cmp dword ptr [ebp-64], 1 ; state must still be 1 (no mismatch at all)
004015F2 0F85 C8000000 jnz 004016C0 ; otherwise failure path (author NOPs this)
004015F8 |. 6A 00 push 0 ; uType = 0 for the success MessageBoxA (args are pushed right to left)
004015FA |. 66:C745 C0 5C>mov word ptr [ebp-40], 5C
00401600 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00401603 |. E8 E0020000 call 004018E8 ; construct temp string [ebp-1C]
00401608 |. 8BD0 mov edx, eax
0040160A |. FF45 CC inc dword ptr [ebp-34]
0040160D |. 8B0D 606A4300 mov ecx, dword ptr [436A60] ; global object
00401613 |. 8B81 DC010000 mov eax, dword ptr [ecx+1DC]
00401619 |. E8 22910000 call 0040A740 ; read text of the object at +1DC into [ebp-1C]
0040161E |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00401621 |. E8 F2020000 call 00401918
00401626 |. 50 push eax ; lpCaption
00401627 |. 8D45 E0 lea eax, dword ptr [ebp-20]
0040162A |. E8 B9020000 call 004018E8 ; construct temp string [ebp-20]
0040162F |. 8BD0 mov edx, eax
00401631 |. FF45 CC inc dword ptr [ebp-34]
00401634 |. 8B0D 606A4300 mov ecx, dword ptr [436A60]
0040163A |. 8B81 DC010000 mov eax, dword ptr [ecx+1DC]
00401640 |. E8 FB900000 call 0040A740 ; same text again, into [ebp-20]
00401645 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00401648 |. E8 CB020000 call 00401918
0040164D |. 50 push eax ; |Text
0040164E |. 6A 00 push 0 ; |hOwner = NULL
00401650 |. E8 69FA0200 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA - success message (reached only after all three checks pass)
00401655 |. FF4D CC dec dword ptr [ebp-34]
00401658 |. 8D45 E0 lea eax, dword ptr [ebp-20]
0040165B |. BA 02000000 mov edx, 2
00401660 |. E8 37DE0000 call 0040F49C ; destroy temp [ebp-20]
00401665 |. FF4D CC dec dword ptr [ebp-34]
00401668 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
0040166B |. BA 02000000 mov edx, 2
00401670 |. E8 27DE0000 call 0040F49C ; destroy temp [ebp-1C]
00401675 |. 6A 00 push 0 ; uType = 0 for the second message box
00401677 |. 68 EC254300 push 004325EC ; buzz'm_frog[scusi!] (lpCaption)
0040167C |. 66:C745 C0 68>mov word ptr [ebp-40], 68
00401682 |. 8D45 DC lea eax, dword ptr [ebp-24]
00401685 |. E8 5E020000 call 004018E8 ; construct temp string [ebp-24]
0040168A |. 8BD0 mov edx, eax
0040168C |. FF45 CC inc dword ptr [ebp-34]
0040168F |. 8B0D 606A4300 mov ecx, dword ptr [436A60]
00401695 |. 8B81 E0010000 mov eax, dword ptr [ecx+1E0]
0040169B |. E8 A0900000 call 0040A740 ; read text of the object at +1E0 into [ebp-24]
004016A0 |. 8D45 DC lea eax, dword ptr [ebp-24]
004016A3 |. E8 70020000 call 00401918
004016A8 |. 50 push eax ; |Text
004016A9 |. 6A 00 push 0 ; |hOwner = NULL
004016AB |. E8 0EFA0200 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA - second success message
004016B0 |. FF4D CC dec dword ptr [ebp-34]
004016B3 |. 8D45 DC lea eax, dword ptr [ebp-24]
004016B6 |. BA 02000000 mov edx, 2
004016BB |. E8 DCDD0000 call 0040F49C ; destroy temp [ebp-24]
004016C0 |> 807D A7 00 cmp byte ptr [ebp-59], 0 ; failure path joins here; byte flag still 0 on the two early failures
004016C4 75 7D jnz short 00401743 ; flag set -> skip the failure message and go to cleanup
004016C6 |. 6A 00 push 0 ; uType = 0 for the failure message box
004016C8 |. 66:C745 C0 74>mov word ptr [ebp-40], 74
004016CE |. 8D45 D8 lea eax, dword ptr [ebp-28]
004016D1 |. E8 12020000 call 004018E8 ; construct temp string [ebp-28]
004016D6 |. 8BD0 mov edx, eax
004016D8 |. FF45 CC inc dword ptr [ebp-34]
004016DB |. 8B0D 606A4300 mov ecx, dword ptr [436A60]
004016E1 |. 8B81 E4010000 mov eax, dword ptr [ecx+1E4]
004016E7 |. E8 54900000 call 0040A740 ; read text of the object at +1E4 into [ebp-28]
004016EC |. 8D45 D8 lea eax, dword ptr [ebp-28]
004016EF |. E8 24020000 call 00401918
004016F4 |. 50 push eax ; lpCaption
004016F5 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
004016F8 |. E8 EB010000 call 004018E8 ; construct temp string [ebp-2C]
004016FD |. 8BD0 mov edx, eax
004016FF |. FF45 CC inc dword ptr [ebp-34]
00401702 |. 8B0D 606A4300 mov ecx, dword ptr [436A60]
00401708 |. 8B81 E4010000 mov eax, dword ptr [ecx+1E4]
0040170E |. E8 2D900000 call 0040A740 ; same text again, into [ebp-2C]
00401713 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
00401716 |. E8 FD010000 call 00401918
0040171B |. 50 push eax ; |Text
0040171C |. 6A 00 push 0 ; |hOwner = NULL
0040171E |. E8 9BF90200 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA - failure message
00401723 |. FF4D CC dec dword ptr [ebp-34]
00401726 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
00401729 |. BA 02000000 mov edx, 2
0040172E |. E8 69DD0000 call 0040F49C ; destroy temp [ebp-2C]
00401733 |. FF4D CC dec dword ptr [ebp-34]
00401736 |. 8D45 D8 lea eax, dword ptr [ebp-28]
00401739 |. BA 02000000 mov edx, 2
0040173E |. E8 59DD0000 call 0040F49C ; destroy temp [ebp-28]
00401743 |> FF4D CC dec dword ptr [ebp-34] ; common cleanup: destroy the three string objects in reverse order
00401746 |. 8D45 F4 lea eax, dword ptr [ebp-C]
00401749 |. BA 02000000 mov edx, 2
0040174E |. E8 49DD0000 call 0040F49C ; destroy generated [ebp-C]
00401753 |. FF4D CC dec dword ptr [ebp-34]
00401756 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00401759 |. BA 02000000 mov edx, 2
0040175E |. E8 39DD0000 call 0040F49C ; destroy entered code [ebp-8]
00401763 |. FF4D CC dec dword ptr [ebp-34]
00401766 |. 8D45 FC lea eax, dword ptr [ebp-4]
00401769 |. BA 02000000 mov edx, 2
0040176E |. E8 29DD0000 call 0040F49C ; destroy name [ebp-4]
00401773 |. 8B4D B0 mov ecx, dword ptr [ebp-50]
00401776 |. 64:890D 00000>mov dword ptr fs:[0], ecx ; fs:[0] is the SEH chain head; restore the value kept in [ebp-50] (the install is not in this listing)
0040177D |. 5B pop ebx ; restore callee-saved ebx
0040177E |. 8BE5 mov esp, ebp
00401780 |. 5D pop ebp
00401781 \. C3 retn
总结:
1、用户名ASCII值累加,三次乘以1332,结果+0F4A,转换为有符号十进制数作为最终真码;
(修改原因:第一次分析的时候把完整的转换函数当成算法运算来分析了,谢谢TIANXJ兄弟指点!!)
[ 本帖最后由 网络断魂 于 2007-11-25 16:02 编辑 ] |