这是我的第一个CrackMe, 用汇编铸成, 使用RadASM环境, 看雪有下载。
是一个简单的密码学CrackMe, 不为别的, 只想加强下自己的数学知识。 想在论坛宣传下密码学的学习
吧。。呵呵。。总觉得真正的加密还是数学的战争, 只靠自己写点加密性不强的东西是远远不够的
算法介绍:
第一个算法是变形的base64算法
第二个算法是完全没有变形的TEA算法, 是利用RadASM里密码学算法库中的TEA算法
两者加密的结果异或后必须等于某个数据, 这就是基本思想吧。
话说回来。这个是我破一个软件时的一点心得, 本来我也不会上述2个算法。我查了资料才知道, 然后
将汇编转为对应的C, 才知道这两个算法的思想
这个CrackMe算是那个软件的超级简化版, 这个软件我没破出来, 由于该软件是国产软件, 在下不便
透露, 有兴趣的同志可以发短消息给我
只希望加强下学习密码学的气氛。。~~没别的意思。。看不起密码学的同志来BS吧~呵呵
最后, 我在写CrackMe方面还是个菜鸟, 希望大家多提意见。
.386
.model flat,stdcall
option casemap:none
include CrackMeV1.inc
.data
.code
start:
        ; Process entry point (MASM, 32-bit flat model, stdcall).
        ; Caches the module handle and command line in globals, initialises
        ; the common-controls library, then hands control to WinMain.
        invoke  GetModuleHandle, NULL
        mov     hInstance, eax                  ; module handle of this EXE

        invoke  GetCommandLine
        mov     CommandLine, eax                ; pointer to the raw command line

        invoke  InitCommonControls

        invoke  WinMain, hInstance, NULL, CommandLine, SW_SHOWDEFAULT
        invoke  ExitProcess, eax                ; exit code = WinMain's return value
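;-----------------------------------------------------------------------
; WinMain - registers the window class, creates the main dialog and runs
;           the message loop.
; ABI:   stdcall (32-bit)
; In:    hInst, hPrevInst, CmdLine, CmdShow (only hInst is read here)
; Out:   eax = wParam of the last message retrieved, or 0 when the
;        dialog could not be created
; Notes: starts an 800 ms timer whose callback is AntiFunc.
;-----------------------------------------------------------------------
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
        LOCAL   wc:WNDCLASSEX
        LOCAL   msg:MSG

        ; Thread timer (no owner window): AntiFunc is called every 800 ms.
        invoke  SetTimer, 0, 1, 800, AntiFunc

        mov     wc.cbSize, sizeof WNDCLASSEX
        mov     wc.style, CS_HREDRAW or CS_VREDRAW
        mov     wc.lpfnWndProc, offset WndProc
        mov     wc.cbClsExtra, NULL
        mov     wc.cbWndExtra, DLGWINDOWEXTRA   ; class is used for a dialog
        push    hInst
        pop     wc.hInstance
        mov     wc.hbrBackground, COLOR_BTNFACE+1
        mov     wc.lpszMenuName, 0
        mov     wc.lpszClassName, offset ClassName
        invoke  LoadIcon, NULL, IDI_APPLICATION
        mov     wc.hIcon, eax
        mov     wc.hIconSm, eax
        invoke  LoadCursor, NULL, IDC_ARROW
        mov     wc.hCursor, eax
        invoke  RegisterClassEx, addr wc

        invoke  CreateDialogParam, hInstance, IDD_DIALOG, NULL, addr WndProc, NULL
        .if eax == 0
            ; No window was created. Entering the message loop anyway would
            ; leave an invisible process running with the timer still firing.
            ret                                 ; eax = 0
        .endif

        ; hWnd is the global that WndProc fills in on WM_INITDIALOG.
        invoke  ShowWindow, hWnd, SW_SHOWNORMAL
        invoke  UpdateWindow, hWnd

        .while TRUE
            invoke  GetMessage, addr msg, NULL, 0, 0
            ; GetMessage returns 0 for WM_QUIT and -1 on error; treating -1
            ; as "message available" would dispatch a stale MSG forever.
            .BREAK .if (eax == 0) || (eax == -1)
            invoke  TranslateMessage, addr msg
            invoke  DispatchMessage, addr msg
        .endw

        mov     eax, msg.wParam
        ret
WinMain endp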
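;-----------------------------------------------------------------------
; WndProc - message handler for the CrackMe dialog.
; ABI:   stdcall (32-bit) window callback
; In:    hWin, uMsg, wParam, lParam
; Out:   eax = 0 for handled messages, DefWindowProc's result otherwise
; Regs:  only eax/ecx/edx are used, so the callee-saved ebx/esi/edi that
;        a window callback must preserve are never touched.
;
; Check performed on IDC_BTN1 (taken from the code below):
;   name  = first 8 bytes of (user name + "vecri*&%")
;   code  = first 16 bytes of (registration code + "0000000000000000")
;   B     = 12 bytes produced by BASE64PROC from code
;   T     = TEAEncrypt(name) in dwTEABuffer[0..1], dwTEABuffer[2] = 12345678h
;   pass  when B xor T equals the three constants 'rcev', 'c>-i', 'kcar'
;
; The TEA key is a compile-time constant in this routine, so the check
; keeps nothing secret from anyone who holds the binary; that is the
; intended exercise here, but it is the reason a real licence check
; should verify a signature instead of sharing a symmetric key.
;-----------------------------------------------------------------------
WndProc proc hWin:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
        LOCAL   hDC                 : HANDLE
        LOCAL   hMemDC              : HANDLE
        LOCAL   hOldBmp             : HANDLE
        LOCAL   ps                  : PAINTSTRUCT
        LOCAL   hBitmap             : HANDLE
        LOCAL   bm                  : BITMAP
        LOCAL   szUsername[256]     : byte
        LOCAL   szRegcode[256]      : byte
        LOCAL   szBase64Buffer[256] : byte
        LOCAL   dwTEACache[4]       : DWORD     ; 128-bit TEA key
        LOCAL   dwTEABuffer[3]      : DWORD     ; TEA output + one fixed dword

        mov     eax, uMsg
        .if eax == WM_INITDIALOG
            push    hWin
            pop     hWnd                        ; publish the handle for WinMain

        .elseif eax == WM_COMMAND
            mov     eax, wParam
            and     eax, 0FFFFh                 ; low word = control / menu id
            .if eax == IDM_FILE_EXIT
                invoke  SendMessage, hWin, WM_CLOSE, 0, 0

            .elseif eax == IDM_HELP_ABOUT
                invoke  ShellAbout, hWin, addr AppName, addr AboutMsg, NULL

            .elseif eax == IDC_BTN1
                ; --- registration check ---------------------------------

                ; User name. WM_GETTEXT's size counts the terminating NUL,
                ; so 248 leaves room for the 8 pad characters lstrcat
                ; appends (247 + 8 + NUL = 256). The original passed 256,
                ; which let lstrcat write past the end of the stack buffer.
                mov     byte ptr szUsername, 0  ; defined even if the call fails
                invoke  SendDlgItemMessage, hWin, IDC_EDT1, WM_GETTEXT, 248, ADDR szUsername
                invoke  lstrcat, addr szUsername, StrAddr("vecri*&%")
                mov     dword ptr szUsername[8], 0      ; cut to 8 bytes

                ; Registration code, same reasoning: 239 + 16 + NUL = 256.
                mov     byte ptr szRegcode, 0
                invoke  SendDlgItemMessage, hWin, IDC_EDT2, WM_GETTEXT, 240, ADDR szRegcode
                invoke  lstrcat, addr szRegcode, StrAddr("0000000000000000")
                mov     dword ptr szRegcode[16], 0      ; cut to 16 bytes

                ; 16 characters -> 4 groups -> 12 bytes in szBase64Buffer.
                invoke  BASE64PROC, addr szRegcode, 10h, addr szBase64Buffer
                .if eax == 04h                  ; group count returned by BASE64PROC
                    ; Fixed TEA key.
                    mov     dwTEACache[0],  1234567h
                    mov     dwTEACache[4],  89abcdefh
                    mov     dwTEACache[8],  0fedcba98h
                    mov     dwTEACache[12], 76543210h
                    invoke  TEAInit, addr dwTEACache
                    ; TEAInit/TEAEncrypt come from the RadASM crypto library
                    ; and are not visible here; presumably one 8-byte block
                    ; is encrypted into dwTEABuffer[0..1] - TODO confirm.
                    invoke  TEAEncrypt, addr szUsername, addr dwTEABuffer
                    ; Third dword is a constant, so the last 4 decoded bytes
                    ; do not depend on the user name.
                    mov     dwTEABuffer[8], 12345678h

                    ; MASM stores 'rcev' as 72636576h, i.e. "vecr" in memory.
                    mov     eax, dword ptr szBase64Buffer[0]
                    xor     eax, dwTEABuffer[0]
                    cmp     eax, 'rcev'
                    jnz     REGLOSE
                    mov     eax, dword ptr szBase64Buffer[4]
                    xor     eax, dwTEABuffer[4]
                    cmp     eax, 'c>-i'
                    jnz     REGLOSE
                    mov     eax, dword ptr szBase64Buffer[8]
                    xor     eax, dwTEABuffer[8]
                    cmp     eax, 'kcar'
                    jnz     REGLOSE
REGOK:
                    ; Message text joined onto one line; the published
                    ; listing shows it wrapped, which MASM would not accept.
                    invoke  SetDlgItemText, hWin, IDC_EDT2, StrAddr("Right Code! Now write a KeyGen, please~~")
                    invoke  GetDlgItem, hWin, IDC_EDT2
                    invoke  EnableWindow, eax, 0        ; lock the code field
REGLOSE:
                .endif

            .elseif eax == IDC_BTN2
                invoke  PostQuitMessage, NULL
            .endif

        .elseif eax == WM_CLOSE
            invoke  DestroyWindow, hWin

        .elseif eax == WM_PAINT
            invoke  BeginPaint, hWin, addr ps
            mov     hDC, eax
            invoke  CreateCompatibleDC, hDC
            mov     hMemDC, eax
            invoke  LoadBitmap, hInstance, IDC_IMG1
            mov     hBitmap, eax
            invoke  GetObject, hBitmap, sizeof BITMAP, addr bm
            ; Select the bitmap into the memory DC only, and remember the
            ; DC's previous bitmap so it can be restored before deletion.
            ; (The original also selected it into the window DC, which is
            ; not a memory DC.)
            invoke  SelectObject, hMemDC, hBitmap
            mov     hOldBmp, eax
            invoke  BitBlt, hDC, 24, 18, bm.bmWidth, bm.bmHeight, hMemDC, 0, 0, SRCCOPY
            invoke  SelectObject, hMemDC, hOldBmp
            invoke  DeleteDC, hMemDC
            ; The bitmap is loaded on every WM_PAINT, so it must be freed
            ; on every WM_PAINT or GDI handles leak with each repaint.
            invoke  DeleteObject, hBitmap
            invoke  EndPaint, hWin, addr ps

        .elseif uMsg == WM_DESTROY
            invoke  PostQuitMessage, NULL

        .else
            invoke  DefWindowProc, hWin, uMsg, wParam, lParam
            ret
        .endif

        xor     eax, eax
        ret
WndProc endp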
;变形的Base64加密, 将标准的BASE64改动几处, 呵呵~~
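;-----------------------------------------------------------------------
; Base64MapChar - private helper for BASE64PROC.
; In:    al  = one non-NUL input character
; Out:   eax = 6-bit value (0..3Fh)
; Clobb: flags only
;
; Step 1, character -> index:
;   'A'..'Z' -> 0..25, 'a'..'z' -> 26..51, '0'..'9' -> 52..61,
;   '+' or '*' -> 3Eh, '/' or '$' -> 3Fh, anything else -> 40h
; Step 2, rotation: index - 0Ah, plus 41h when that is negative, then
;   masked to 6 bits. The rotation is not one-to-one: indexes 9 and 10
;   ('J' and 'K') both give 0.
;-----------------------------------------------------------------------
Base64MapChar proc
        cmp     al, 41h                         ; 'A'
        jl      NotUpper
        cmp     al, 5Ah                         ; 'Z'
        jg      NotUpper
        movsx   eax, al
        sub     eax, 41h
        jmp     Rotate
NotUpper:
        cmp     al, 61h                         ; 'a'
        jl      NotLower
        cmp     al, 7Ah                         ; 'z'
        jg      NotLower
        movsx   eax, al
        sub     eax, 47h
        jmp     Rotate
NotLower:
        cmp     al, 30h                         ; '0'
        jl      NotDigit
        cmp     al, 39h                         ; '9'
        jg      NotDigit
        movsx   eax, al
        add     eax, 4
        jmp     Rotate
NotDigit:
        cmp     al, 2Bh                         ; '+'
        je      Is62
        cmp     al, 2Ah                         ; '*'
        je      Is62
        cmp     al, 2Fh                         ; '/'
        je      Is63
        cmp     al, 24h                         ; '$'
        je      Is63
        mov     eax, 40h                        ; not in the alphabet
        jmp     Rotate
Is62:
        mov     eax, 3Eh
        jmp     Rotate
Is63:
        mov     eax, 3Fh
Rotate:
        sub     eax, 0Ah
        jge     @F
        add     eax, 41h
@@:
        and     eax, 3Fh
        ret
Base64MapChar endp

;-----------------------------------------------------------------------
; BASE64PROC - decodes text with a modified Base64 scheme.
; ABI:   stdcall (32-bit); every general register is preserved
;        (pushad/popad), only eax carries the result.
; In:    lpString       = NUL-terminated input text
;        iLen           = input length in characters
;        lpBase64buffer = output buffer, needs 3 * ((iLen + 3) / 4) bytes
; Out:   eax = number of 4-character groups, (iLen + 3) / 4
;
; Each group of four characters becomes one 24-bit value (first
; character in bits 18..23, fourth in bits 0..5), written as three
; bytes with the LOW byte first - the reverse of standard Base64.
; Reading stops advancing at the first NUL: the remaining characters of
; that group and all later groups contribute zero bits, but every group
; is still written.
;
; Fix over the original: iLen = 0 gave a group count of 0, and the
; do-while loop then decremented it to 0FFFFFFFFh and kept writing far
; beyond the output buffer. A zero count now writes nothing.
;-----------------------------------------------------------------------
BASE64PROC proc lpString:DWORD, iLen:DWORD, lpBase64buffer:DWORD
        pushad
        mov     edx, iLen
        add     edx, 3
        shr     edx, 2                          ; edx = groups still to emit
        mov     iLen, edx                       ; parameter slot reused as result
        test    edx, edx
        jz      Done                            ; nothing to decode

        mov     edi, lpBase64buffer             ; edi = write cursor
        mov     ebx, lpString                   ; ebx = read cursor
NextGroup:
        xor     esi, esi                        ; esi = 24-bit accumulator
        mov     ecx, 18                         ; cl  = bit position of next sextet
NextChar:
        mov     al, byte ptr [ebx]
        test    al, al
        jz      StoreGroup                      ; NUL: stay on it, rest is zero
        inc     ebx
        call    Base64MapChar                   ; eax = 6-bit value
        shl     eax, cl
        or      esi, eax
        sub     ecx, 6                          ; 18 -> 12 -> 6 -> 0 -> done
        jge     NextChar
StoreGroup:
        mov     eax, esi
        mov     [edi], al                       ; bits 0..7
        mov     [edi+1], ah                     ; bits 8..15
        shr     eax, 16
        mov     [edi+2], al                     ; bits 16..23
        add     edi, 3
        dec     edx
        jnz     NextGroup
Done:
        popad
        mov     eax, iLen
        ret
BASE64PROC endp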
include ANTI.ASM
end start
;ANTI.ASM
.code
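;-----------------------------------------------------------------------
; AntiFunc - timer callback installed by WinMain (SetTimer, 800 ms).
; Looks for a top-level window of each listed class name and, when one
; exists, sends it WM_CLOSE.
; ABI:   stdcall (32-bit)
; Clobb: eax, ecx, edx, flags (through the API calls)
;
; Limits worth knowing when reading this as an anti-debug check: it
; matches only these six exact class strings, and its effect is to
; close a window that belongs to another process in the user's session.
;
; Fix over the original: the procedure had no ret, so execution ran off
; the end of the routine after the last .endif.
;
; NOTE(review): a SetTimer callback is called with four stdcall
; arguments, while this proc declares none, so the plain ret below does
; not remove them. Declaring the parameters would also require changing
; the matching PROTO, which is presumably in CrackMeV1.inc and is not
; visible here - confirm and update both together.
;-----------------------------------------------------------------------
AntiFunc proc
        invoke  FindWindow, StrAddr("OllyDBG"), 0
        .if eax != 0
            invoke  SendMessage, eax, WM_CLOSE, 0, 0
        .endif

        invoke  FindWindow, StrAddr("ODbyDYK"), 0
        .if eax != 0
            invoke  SendMessage, eax, WM_CLOSE, 0, 0
        .endif

        invoke  FindWindow, StrAddr("1212121"), 0
        .if eax != 0
            invoke  SendMessage, eax, WM_CLOSE, 0, 0
        .endif

        invoke  FindWindow, StrAddr("fly*OD*"), 0
        .if eax != 0
            invoke  SendMessage, eax, WM_CLOSE, 0, 0
        .endif

        invoke  FindWindow, StrAddr("[PYG]OD"), 0
        .if eax != 0
            invoke  SendMessage, eax, WM_CLOSE, 0, 0
        .endif

        invoke  FindWindow, StrAddr("UkillOD"), 0
        .if eax != 0
            invoke  SendMessage, eax, WM_CLOSE, 0, 0
        .endif

        ret
AntiFunc endp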