Posted on 2006-1-13 01:02:00
【Writeup Title】Algorithm analysis of CrackMe001 By 飘云[PYG]
【Writeup Author】busheler
【Author Email】[email protected]
【Author Homepage】
【Tools Used】PEiD v0.94, LordPE Deluxe V1.4, import re v1.6, W32Dasm 10.0, odbg110, Quick Unpack v1.0 b3
【Platform】Windows2000
【Software Name】CrackMe001 By飘云[PYG]
【Software Size】250KB
【Original Download】https://www.chinapyg.com/attachment.php?aid=385
【Protection】
【Description】【[PYG]CrackMe#1】
A first look at the algorithm: Crackme001 By 飘云[PYG]
1. Remove the startup delay.
2. Analyze the algorithm.
3. Remove the Nag on exit.
------------------------------------------------------------------------
I. Packer check:
PEiD v0.94 identifies the packer as FSG 2.0 -> bart/xt, OEP is 4689c8.
My unpacking skills are limited, and unpacking failed!
II. Finding the resources:
Not having fully unpacked the program does not get in the way of the resource analysis.
Loading my not-successfully-unpacked file into W32Dasm 10.0, the following can be seen.
:004682A1 BA03000000 mov edx, 00000003
:004682A6 E821BFF9FF call 004041CC
:004682AB 8B45D4 mov eax, dword ptr [ebp-2C]
:004682AE E859BEF9FF call 0040410C
:004682B3 8BD8 mov ebx, eax
:004682B5 8D55C8 lea edx, dword ptr [ebp-38]
:004682B8 8B8614030000 mov eax, dword ptr [esi+00000314]
:004682BE E8E9BAFCFF call 00433DAC
:004682C3 8B45C8 mov eax, dword ptr [ebp-38]
:004682C6 E841BEF9FF call 0040410C
:004682CB 3BD8 cmp ebx, eax
:004682CD 7427 je 004682F6
* Possible StringData Ref from Data Obj ->"注册失败!"
|
:004682CF A1DCA64600 mov eax, dword ptr [0046A6DC]
:004682D4 E833C0F9FF call 0040430C
:004682D9 8BD0 mov edx, eax
:004682DB 8D45C4 lea eax, dword ptr [ebp-3C]
:004682DE E861BDF9FF call 00404044
:004682E3 8B55C4 mov edx, dword ptr [ebp-3C]
:004682E6 8B8614030000 mov eax, dword ptr [esi+00000314]
:004682EC E8EBBAFCFF call 00433DDC
:004682F1 E9ED000000 jmp 004683E3
........
:00468381 8B45E8 mov eax, dword ptr [ebp-18]
:00468384 8B55F4 mov edx, dword ptr [ebp-0C]
:00468387 E8CCBEF9FF call 00404258
:0046838C 7521 jne 004683AF
:0046838E 8D45E4 lea eax, dword ptr [ebp-1C]
:00468391 50 push eax
:00468392 8D55B0 lea edx, dword ptr [ebp-50]
:00468395 8B8614030000 mov eax, dword ptr [esi+00000314]
:0046839B E80CBAFCFF call 00433DAC
:004683A0 8B45B0 mov eax, dword ptr [ebp-50]
:004683A3 8D541F01 lea edx, dword ptr [edi+ebx+01]
:004683A7 8B4DE0 mov ecx, dword ptr [ebp-20]
:004683AA E8BDBFF9FF call 0040436C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046838C(C)
|
:004683AF 8B45E4 mov eax, dword ptr [ebp-1C]
:004683B2 E8E9FAF9FF call 00407EA0
:004683B7 0540E20100 add eax, 0001E240
:004683BC 3B0518BC4600 cmp eax, dword ptr [0046BC18]
:004683C2 751F jne 004683E3
:004683C4 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"恭喜"
|
:004683C6 A1D4A64600 mov eax, dword ptr [0046A6D4]
:004683CB E83CBFF9FF call 0040430C
:004683D0 50 push eax
* Possible StringData Ref from Data Obj ->"注册成功!"
|
:004683D1 A1D0A64600 mov eax, dword ptr [0046A6D0]
:004683D6 E831BFF9FF call 0040430C
:004683DB 50 push eax
:004683DC 6A00 push 00000000
:004683DE E8E5E1F9FF call 004065C8
III. The long road with the packer still on......
1. Tracing and analysis:
Load the packed program into odbg110 and press F9 to run... Since the program is now running, at this point we should already be inside the main program's own code.
Using the resources found earlier it is easy to get here:
Set a breakpoint with F2 at 004681C0, enter a username and serial... click "OK", and it breaks immediately, heh!
Let's take a slow look......
004681C0 /. 55 push ebp
004681C1 |. 8BEC mov ebp,esp
004681C3 |. B9 0A000000 mov ecx,0A
004681C8 |> 6A 00 /push 0
004681CA |. 6A 00 |push 0
004681CC |. 49 |dec ecx
004681CD |.^ 75 F9 \jnz short CrackMe0.004681C8
004681CF |. 53 push ebx
004681D0 |. 56 push esi
004681D1 |. 57 push edi
004681D2 |. 8BF0 mov esi,eax
004681D4 |. 33C0 xor eax,eax
004681D6 |. 55 push ebp
004681D7 |. 68 3A844600 push CrackMe0.0046843A
004681DC |. 64:FF30 push dword ptr fs:[eax]
004681DF |. 64:8920 mov dword ptr fs:[eax],esp
004681E2 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
004681E5 |. 8B86 10030000 mov eax,dword ptr ds:[esi+310]
004681EB |. E8 BCBBFCFF call CrackMe0.00433DAC
004681F0 |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]
004681F3 |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
004681F9 |. E8 AEBBFCFF call CrackMe0.00433DAC
004681FE |. 33C0 xor eax,eax
00468200 |. 8945 F0 mov dword ptr ss:[ebp-10],eax
00468203 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00468206 |. E8 01BFF9FF call CrackMe0.0040410C
0046820B |. 8BD8 mov ebx,eax
0046820D |. 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; check whether the username is empty
00468211 |. 74 06 je short CrackMe0.00468219 ; non-zero: jump
00468213 |. 837D F8 00 cmp dword ptr ss:[ebp-8],0 ; check whether the serial is empty
00468217 |. 75 27 jnz short CrackMe0.00468240 ; non-zero: jump
00468219 |> A1 D8A64600 mov eax,dword ptr ds:[46A6D8] ; 请输入完整信息!
0046821E |. E8 E9C0F9FF call CrackMe0.0040430C
00468223 |. 8BD0 mov edx,eax
00468225 |. 8D45 DC lea eax,dword ptr ss:[ebp-24]
00468228 |. E8 17BEF9FF call CrackMe0.00404044
0046822D |. 8B55 DC mov edx,dword ptr ss:[ebp-24]
00468230 |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
00468236 |. E8 A1BBFCFF call CrackMe0.00433DDC
0046823B |. E9 A3010000 jmp CrackMe0.004683E3
00468240 |> 8BFB mov edi,ebx
00468242 |. 85FF test edi,edi
00468244 |. 7E 37 jle short CrackMe0.0046827D
00468246 |. BB 01000000 mov ebx,1
0046824B |> 8D4D D8 /lea ecx,dword ptr ss:[ebp-28]
0046824E |. 8B45 FC |mov eax,dword ptr ss:[ebp-4] ; username into EAX
00468251 |. 0FB64418 FF |movzx eax,byte ptr ds:[eax+ebx-1]
00468256 |. C1E8 00 |shr eax,0
00468259 |. BA 01000000 |mov edx,1
0046825E |. E8 15FCF9FF |call CrackMe0.00407E78 ; get the ASCII value of each username character
00468263 |. 8B55 D8 |mov edx,dword ptr ss:[ebp-28]
00468266 |. 8D45 F4 |lea eax,dword ptr ss:[ebp-C]
00468269 |. E8 A6BEF9FF |call CrackMe0.00404114 ; join the ASCII values of the username characters into a string; this is the second verification group
0046826E |. 8B45 FC |mov eax,dword ptr ss:[ebp-4]
00468271 |. 0FB64418 FF |movzx eax,byte ptr ds:[eax+ebx-1]
00468276 |. 0145 F0 |add dword ptr ss:[ebp-10],eax ; accumulate the ASCII values of the username characters
00468279 |. 43 |inc ebx
0046827A |. 4F |dec edi
0046827B |.^ 75 CE \jnz short CrackMe0.0046824B
0046827D |> 8D55 D0 lea edx,dword ptr ss:[ebp-30]
00468280 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10] ; the accumulated sum into eax
00468283 |. E8 DCFAF9FF call CrackMe0.00407D64 ; convert the sum to a decimal string; this is the first verification group
00468288 |. FF75 D0 push dword ptr ss:[ebp-30]
0046828B |. FF75 F4 push dword ptr ss:[ebp-C]
0046828E |. 8D55 CC lea edx,dword ptr ss:[ebp-34]
00468291 |. A1 18BC4600 mov eax,dword ptr ds:[46BC18] ; third verification group? where does it come from??????
00468296 |. E8 C9FAF9FF call CrackMe0.00407D64 ; third verification group converted to a decimal string
0046829B |. FF75 CC push dword ptr ss:[ebp-34]
0046829E |. 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
004682A1 |. BA 03000000 mov edx,3
004682A6 |. E8 21BFF9FF call CrackMe0.004041CC ; join the first, second and third verification groups
004682AB |. 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
004682AE |. E8 59BEF9FF call CrackMe0.0040410C
004682B3 |. 8BD8 mov ebx,eax
004682B5 |. 8D55 C8 lea edx,dword ptr ss:[ebp-38]
004682B8 |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
004682BE |. E8 E9BAFCFF call CrackMe0.00433DAC
004682C3 |. 8B45 C8 mov eax,dword ptr ss:[ebp-38]
004682C6 |. E8 41BEF9FF call CrackMe0.0040410C
004682CB |. 3BD8 cmp ebx,eax ; is the length of the entered serial equal to the length of the computed verification code?
004682CD 74 27 je short CrackMe0.004682F6 ; equal: jump to the verification; not equal.. "registration failed"!
004682CF |. A1 DCA64600 mov eax,dword ptr ds:[46A6DC] ; "注册失败!"
004682D4 |. E8 33C0F9FF call CrackMe0.0040430C
004682D9 |. 8BD0 mov edx,eax
004682DB |. 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
004682DE |. E8 61BDF9FF call CrackMe0.00404044
004682E3 |. 8B55 C4 mov edx,dword ptr ss:[ebp-3C]
004682E6 |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
004682EC |. E8 EBBAFCFF call CrackMe0.00433DDC
004682F1 |. E9 ED000000 jmp CrackMe0.004683E3
004682F6 |> 8D55 C0 lea edx,dword ptr ss:[ebp-40]
004682F9 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
004682FC |. E8 63FAF9FF call CrackMe0.00407D64
00468301 |. 8B45 C0 mov eax,dword ptr ss:[ebp-40]
00468304 |. E8 03BEF9FF call CrackMe0.0040410C
00468309 |. 8BD8 mov ebx,eax
0046830B |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0046830E |. E8 F9BDF9FF call CrackMe0.0040410C
00468313 |. 8BF8 mov edi,eax
00468315 |. 8D55 BC lea edx,dword ptr ss:[ebp-44]
00468318 |. A1 18BC4600 mov eax,dword ptr ds:[46BC18]
0046831D |. E8 42FAF9FF call CrackMe0.00407D64
00468322 |. 8B45 BC mov eax,dword ptr ss:[ebp-44]
00468325 |. E8 E2BDF9FF call CrackMe0.0040410C
0046832A |. 8945 E0 mov dword ptr ss:[ebp-20],eax
0046832D |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
00468330 |. 50 push eax
00468331 |. 8D55 B8 lea edx,dword ptr ss:[ebp-48]
00468334 |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
0046833A |. E8 6DBAFCFF call CrackMe0.00433DAC
0046833F |. 8B45 B8 mov eax,dword ptr ss:[ebp-48]
00468342 |. 8BCB mov ecx,ebx
00468344 |. BA 01000000 mov edx,1
00468349 |. E8 1EC0F9FF call CrackMe0.0040436C
0046834E |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00468351 |. E8 4AFBF9FF call CrackMe0.00407EA0
00468356 |. 83E8 12 sub eax,12 ; the first group of the entered serial minus 12 (18 decimal) should equal the first verification group
00468359 |. 3B45 F0 cmp eax,dword ptr ss:[ebp-10]
0046835C 0F84 81000000 je CrackMe0.004683E3 ; not equal: jump out!
00468362 |. 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00468365 |. 50 push eax
00468366 |. 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
00468369 |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
0046836F |. E8 38BAFCFF call CrackMe0.00433DAC
00468374 |. 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
00468377 |. 8D53 01 lea edx,dword ptr ds:[ebx+1]
0046837A |. 8BCF mov ecx,edi
0046837C |. E8 EBBFF9FF call CrackMe0.0040436C
00468381 |. 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; second group of the entered serial into eax
00468384 |. 8B55 F4 mov edx,dword ptr ss:[ebp-C] ; the verification group, which is also the serial group, into edx
00468387 |. E8 CCBEF9FF call CrackMe0.00404258 ; compare them
0046838C 74 21 je short CrackMe0.004683AF ; not equal: jump!
0046838E |. 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00468391 |. 50 push eax
00468392 |. 8D55 B0 lea edx,dword ptr ss:[ebp-50]
00468395 |. 8B86 14030000 mov eax,dword ptr ds:[esi+314]
0046839B |. E8 0CBAFCFF call CrackMe0.00433DAC
004683A0 |. 8B45 B0 mov eax,dword ptr ss:[ebp-50] ; entered serial into EAX
004683A3 |. 8D541F 01 lea edx,dword ptr ds:[edi+ebx+1] ; serial length into EDX
004683A7 |. 8B4D E0 mov ecx,dword ptr ss:[ebp-20]
004683AA |. E8 BDBFF9FF call CrackMe0.0040436C
004683AF |> 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
004683B2 |. E8 E9FAF9FF call CrackMe0.00407EA0
004683B7 |. 05 40E20100 add eax,1E240 ; third group of the entered serial, as decimal, plus 1E240 (123456)
004683BC |. 3B05 18BC4600 cmp eax,dword ptr ds:[46BC18] ; compare with the last group of the verification code
004683C2 75 1F jnz short CrackMe0.004683E3 ; not equal: jump!
004683C4 |. 6A 40 push 40
004683C6 |. A1 D4A64600 mov eax,dword ptr ds:[46A6D4] ; "恭喜"
004683CB |. E8 3CBFF9FF call CrackMe0.0040430C
004683D0 |. 50 push eax
004683D1 |. A1 D0A64600 mov eax,dword ptr ds:[46A6D0] ; "注册成功!"
004683D6 |. E8 31BFF9FF call CrackMe0.0040430C
004683DB |. 50 push eax ; |Text
004683DC |. 6A 00 push 0 ; |hOwner = NULL
004683DE |. E8 E5E1F9FF call CrackMe0.004065C8 ; \MessageBoxA
----------------------------------
00468291 |. A1 18BC4600 mov eax,dword ptr ds:[46BC18] ; third verification group? where does it come from??????
Search ===> Binary string ===> enter 18BC46 in HEX +3, select "Entire block", and the code below is easy to find. Set a breakpoint at 004685B0, click Register, and it is not hit; clearly this part of the code already ran when the program started.
No way around it: with the packer still on I could not trace it, so I pulled out Quick Unpack v1.0 b3 to strip the jacket, loaded the result into odbg110 again, set a breakpoint at 004685B0, pressed F9 to run, and sure enough it broke immediately :)
Let's look.......
004685B0 /. 55 push ebp
004685B1 |. 8BEC mov ebp,esp
004685B3 |. 33C9 xor ecx,ecx
004685B5 |. 51 push ecx
004685B6 |. 51 push ecx
004685B7 |. 51 push ecx
004685B8 |. 51 push ecx
004685B9 |. 33C0 xor eax,eax
004685BB |. 55 push ebp
004685BC |. 68 7F864600 push CrackMe0.0046867F
004685C1 |. 64:FF30 push dword ptr fs:[eax]
004685C4 |. 64:8920 mov dword ptr fs:[eax],esp
004685C7 |. C705 14BC4600 0A00000>mov dword ptr ds:[46BC14],0A
004685D1 |. E8 7A10FAFF call CrackMe0.00409650 ; get the system year-month-day
004685D6 |. 83C4 F8 add esp,-8 ; /
004685D9 |. DD1C24 fstp qword ptr ss:[esp] ; |Arg1 (8-byte)
004685DC |. 9B wait ; |
004685DD |. 8D45 FC lea eax,dword ptr ss:[ebp-4] ; |
004685E0 |. E8 7F1CFAFF call CrackMe0.0040A264 ; \CrackMe0.0040A264
004685E5 |. 8B55 FC mov edx,dword ptr ss:[ebp-4] ; system date string into EDX
004685E8 |. B8 10BC4600 mov eax,CrackMe0.0046BC10
004685ED |. E8 AEB8F9FF call CrackMe0.00403EA0
004685F2 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004685F5 |. 50 push eax
004685F6 |. B9 04000000 mov ecx,4
004685FB |. BA 01000000 mov edx,1
00468600 |. A1 10BC4600 mov eax,dword ptr ds:[46BC10]
00468605 |. E8 62BDF9FF call CrackMe0.0040436C
0046860A |. FF75 F8 push dword ptr ss:[ebp-8]
0046860D |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00468610 |. 50 push eax
00468611 |. B9 02000000 mov ecx,2
00468616 |. BA 06000000 mov edx,6
0046861B |. A1 10BC4600 mov eax,dword ptr ds:[46BC10]
00468620 |. E8 47BDF9FF call CrackMe0.0040436C
00468625 |. FF75 F4 push dword ptr ss:[ebp-C]
00468628 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0046862B |. 50 push eax
0046862C |. B9 02000000 mov ecx,2
00468631 |. BA 09000000 mov edx,9
00468636 |. A1 10BC4600 mov eax,dword ptr ds:[46BC10]
0046863B |. E8 2CBDF9FF call CrackMe0.0040436C
00468640 |. FF75 F0 push dword ptr ss:[ebp-10]
00468643 |. B8 0CBC4600 mov eax,CrackMe0.0046BC0C
00468648 |. BA 03000000 mov edx,3
0046864D |. E8 7ABBF9FF call CrackMe0.004041CC
00468652 |. A1 0CBC4600 mov eax,dword ptr ds:[46BC0C]
00468657 |. E8 44F8F9FF call CrackMe0.00407EA0
0046865C |. C1E0 03 shl eax,3 ; year-month-day * 2^3
0046865F |. A3 18BC4600 mov dword ptr ds:[46BC18],eax ; I haven't cracked software in a long time and don't remember this instruction, but anyway it stores the product above at address "DS:[46bc18]"
00468664 |. 33C0 xor eax,eax
00468666 |. 5A pop edx
00468667 |. 59 pop ecx
00468668 |. 59 pop ecx
00468669 |. 64:8910 mov dword ptr fs:[eax],edx
0046866C |. 68 86864600 push CrackMe0.00468686
00468671 |> 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00468674 |. BA 04000000 mov edx,4
00468679 |. E8 F2B7F9FF call CrackMe0.00403E70
0046867E \. C3 retn
Let's peek inside call CrackMe0.00409650:
00409650 /$ 83C4 E8 add esp,-18
00409653 |. 8D4424 08 lea eax,dword ptr ss:[esp+8]
00409657 |. 50 push eax ; /pLocaltime
00409658 |. E8 83C8FFFF call <jmp.&kernel32.GetLocalTime> ; \GetLocalTime
0040965D |. 66:8B4C24 0E mov cx,word ptr ss:[esp+E] ; current day into CX
00409662 |. 66:8B5424 0A mov dx,word ptr ss:[esp+A] ; current month into DX
00409667 |. 66:8B4424 08 mov ax,word ptr ss:[esp+8] ; current year into AX
0040966C |. E8 1BFEFFFF call CrackMe0.0040948C
00409671 |. DD1C24 fstp qword ptr ss:[esp]
00409674 |. 9B wait
00409675 |. DD0424 fld qword ptr ss:[esp]
00409678 |. 83C4 18 add esp,18
0040967B \. C3 retn
2. Analysis of the verification code (not the serial) algorithm
The verification code is made up of three parts:
Part 1: the sum of the ASCII values of the username's characters;
Part 2: the string formed by the ASCII values of the username's characters;
Part 3: the system date in the form 20060113, multiplied by 2 to the third power, i.e. 20060113*2^3=160480904.
For the username busheler and the system date 13 January 2006,
the ASCII codes are:
Char: b    u    s    h    e    l    e    r
Dec:  98   117  115  104  101  108  101  114
Hex:  62   75   73   68   65   6C   65   72
Part 1:
98+117+115+104+101+108+101+114=858
Part 2:
62757368656C6572
Part 3:
20060113*2^3=160480904
3. The registration check roughly goes like this:
(1) The first group of the serial minus 18 is compared with the verification code.
(2) The second group is compared directly; the main loop checks 4 characters at a time, and if the serial digit count (which is always even) is not a multiple of 4, the other two are checked separately.
(3) The third group of the serial plus 123456 is compared with the verification code.
4. Serial algorithm:
Username: busheler
Group 1: 858+18=876
Group 2: 62757368656C6572
Group 3: 160480904-123456=160357448
Therefore:
Username: busheler
Serial: 87662757368656C6572160357448
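The three-part scheme reconstructed in sections 2 through 4 above, written out as a small Python model so the arithmetic can be checked against the listing. This is an added example, not code from the CrackMe or from the post; it assumes the Delphi helpers seen in the listing behave as IntToHex (00407E78, one digit minimum), IntToStr (00407D64), StrToInt (00407EA0) and three-way string concatenation (004041CC), and it takes the date as the integer 20060113 that the program parses from the date string (the post's note shows that when that parse fails the third group becomes 0, which the model reproduces if 0 is passed).

```python
"""Model of the CrackMe001 check as reconstructed in the writeup (added example)."""

# Constants taken from the listing: sub eax,12 at 00468356 and add eax,1E240 at 004683B7.
GROUP1_OFFSET = 0x12      # 18 decimal
GROUP3_OFFSET = 0x1E240   # 123456 decimal


def verification_code(username, date_yyyymmdd):
    """The three groups the program computes from the username and the system date.

    Returns (part1, part2, part3) as strings, matching the values the program
    concatenates at 004682A6 before comparing lengths.
    """
    raw = username.encode("ascii")
    part1 = str(sum(raw))                    # loop at 0046824B: sum of ASCII values, decimal
    part2 = "".join(f"{b:X}" for b in raw)   # IntToHex(byte, 1) per character, uppercase
    part3 = str(date_yyyymmdd << 3)          # shl eax,3 at 0046865C: date * 2^3
    return part1, part2, part3


def check_serial(username, serial, date_yyyymmdd):
    """Replays the checks from 004682CB to 004683C2 and returns True on 'registration success'."""
    part1, part2, part3 = verification_code(username, date_yyyymmdd)
    code = part1 + part2 + part3
    if len(serial) != len(code):             # 004682CB: lengths must be equal first
        return False
    n1, n2 = len(part1), len(part2)
    g1, g2, g3 = serial[:n1], serial[n1:n1 + n2], serial[n1 + n2:]
    try:
        if int(g1) - GROUP1_OFFSET != int(part1):   # 00468356: group 1 minus 18
            return False
        if g2 != part2:                             # 00468387: group 2 compared as a string
            return False
        return int(g3) + GROUP3_OFFSET == int(part3)  # 004683B7: group 3 plus 123456
    except ValueError:                       # StrToInt fails on non-numeric input
        return False


def make_serial(username, date_yyyymmdd):
    """Inverts the three checks, exactly as section 4 of the writeup does by hand."""
    part1, part2, part3 = verification_code(username, date_yyyymmdd)
    return f"{int(part1) + GROUP1_OFFSET}{part2}{int(part3) - GROUP3_OFFSET}"


if __name__ == "__main__":
    user, date = "busheler", 20060113        # values used in the writeup
    print(verification_code(user, date))     # ('858', '62757368656C6572', '160480904')
    serial = make_serial(user, date)
    print(serial, check_serial(user, serial, date))  # 87662757368656C6572160357448 True
```

Because the third group depends on the day the program runs, a serial produced by make_serial is only accepted on that same date, which is the behaviour the writeup's note about the "'2006-2' is not a valid integer value" dialog hints at.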
Notes:
1. Because of my system's date format, this CrackMe always popped up a dialog saying "'2006-2' is not a valid integer value"..., which made the third verification group always 0, heh. Thanks to 飘云 for the guidance, which let me finish the serial algorithm analysis!:)
2. "Removing the startup delay" and "removing the Nag on exit" were not analyzed.
------------------------------------------------------------------------
【Copyright Notice】For exchange and learning only, not for commercial use; please keep it complete when reposting!