HappyTown CrackMe_0008 简单算法分析

hrbx · 发表于 2005-12-19 00:02:14

【破文标题】HappyTown CrackMe_0008 简单算法分析
【破解作者】hrbx
【作者主页】hrbx.ys168.com
【作者邮箱】[email protected]
【破解平台】WinXP
【使用工具】flyOD1.10、Peid
【破解日期】2005-12-18
【软件名称】HappyTown CrackMe_0008
【软件大小】471KB
【下载地址】看雪论坛
【加壳方式】未知
【软件简介】HappyTown CrackMe_0008
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
-----------------------------------------------------------------------------------------------
【破解过程】
1.脱壳。用Peid扫描程序，显示为：Not a valid PE file。OD载入，来到：
00455D1D > $ 40 inc eax ; OD载入后，来到这里
00455D1E . 41 inc ecx
00455D1F .^ 0F84 03FFFFFF je CrackMe_.00455C28
00455D25 . C1E1 02 shl ecx,2
00455D28 . C1E8 03 shr eax,3
00455D2B . 61 popad
00455D2C . 67:64:FF36 0000 push dword ptr fs:[0] ; F8到这里，ESP变化了
00455D32 . 55 push ebp
00455D33 . 8BEC mov ebp,esp
00455D35 . 6A FF push -1
F8走到00455D2C处,观察寄存器：
EAX FFFFFFFF
ECX 8053D88F
EDX 0012FFC8
EBX F1578CF0
ESP 0012FFE4 <========ESP变成0012FFE4
EBP FFFFFFFF
ESI 00000001
EDI 77E614C7 kernel32.77E614C7
EIP 00455D2C CrackMe_.00455D2C
根据ESP定律，命令栏下断 hr 0012ffe4，回车，F9运行，来到：
00455D50 . 8BE8 mov ebp,eax ; F9运行后来这里，F8两次
00455D52 . 6A 70 push 70
00455D54 . 6A FF push -1 ; F8到这里，ESP变化了
00455D56 . E8 23000000 call CrackMe_.00455D7E
00455D5B .^ E9 B8FEFFFF jmp CrackMe_.00455C18
再F8两次走到00455D56处，观察寄存器：
EAX 0012FFE0
ECX 8053D88F
EDX 0012FFC8
EBX F3B50CF0
ESP 0012FFE0 <========ESP变成0012FFE0
EBP 0012FFE0
ESI 00000000
EDI 77E614C7 kernel32.77E614C7
EIP 00455D54 CrackMe_.00455D54
根据ESP定律，命令栏下断 hr 0012ffe0，回车，F9运行，来到：
00455D93 |. 896C24 10 mov dword ptr ss:[esp+10],ebp ; F9后中断在这里,F8往下走
00455D97 |. 8D6C24 10 lea ebp,dword ptr ss:[esp+10]
00455D9B |. 2BE0 sub esp,eax
00455D9D |. 53 push ebx
00455D9E |. 56 push esi
00455D9F |. 57 push edi
00455DA0 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00455DA3 |. 8965 E8 mov dword ptr ss:[ebp-18],esp
00455DA6 |. 50 push eax
00455DA7 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00455DAA |. C745 FC FFFFFFFF mov dword ptr ss:[ebp-4],-1
00455DB1 |. 8945 F8 mov dword ptr ss:[ebp-8],eax
00455DB4 \. C3 retn
继续F8，直到来到：
00455C18 > /55 push ebp ; OEP，可以DUMP
00455C19 . |8BEC mov ebp,esp
00455C1B . |83C4 F0 add esp,-10
00455C1E . |53 push ebx
00455C1F . |B8 305A4500 mov eax,CrackMe_.00455A30
00455C24 |E8 db E8
用LordPE完整脱壳，SuperImportREC填入00055C18，获取输入表，全部有效,修复抓取文件，可以运行了。
再次用Peid核心扫描，显示为：Borland Delphi 6.0 - 7.0。
2.试运行。输入注册信息，点Check按钮后程序没有任何提示。通过DeDe分析得知，确定按钮事件开始地址为00455338。
3.追出算法。OD载入，Ctrl+G,输入 00455338，回车，在00455338处按F2下断，F9运行，输入注册信息：
================================
Name：hrbxhui
Serial：9876543210
================================
点击Check按钮立即中断：
00455338 /. 55 push ebp ; 在此下断，中断后F8往下走
00455339 |. 8BEC mov ebp,esp
0045533B |. B9 06000000 mov ecx,6
00455340 |> 6A 00 /push 0
00455342 |. 6A 00 |push 0
00455344 |. 49 |dec ecx
00455345 |.^ 75 F9 \jnz short dumped_.00455340
00455347 |. 53 push ebx
00455348 |. 56 push esi
00455349 |. 57 push edi
0045534A |. 8BF8 mov edi,eax
0045534C |. BB 148C4500 mov ebx,dumped_.00458C14
00455351 |. BE 108C4500 mov esi,dumped_.00458C10
00455356 |. 33C0 xor eax,eax
00455358 |. 55 push ebp
00455359 |. 68 77594500 push dumped_.00455977
0045535E |. 64:FF30 push dword ptr fs:[eax]
00455361 |. 64:8920 mov dword ptr fs:[eax],esp
00455364 |. 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00455367 |. BA 90594500 mov edx,dumped_.00455990
0045536C |. E8 7BEBFAFF call dumped_.00403EEC
00455371 |. 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00455374 |. BA A0594500 mov edx,dumped_.004559A0
00455379 |. E8 6EEBFAFF call dumped_.00403EEC
0045537E |. 8D45 E0 lea eax,dword ptr ss:[ebp-20]
00455381 |. BA B0594500 mov edx,dumped_.004559B0
00455386 |. E8 61EBFAFF call dumped_.00403EEC
0045538B |. 8D55 FC lea edx,dword ptr ss:[ebp-4] ; 用户名"hrbxhui"
0045538E |. 8B87 04030000 mov eax,dword ptr ds:[edi+304]
00455394 |. E8 0FE6FDFF call dumped_.004339A8
00455399 |. BA 04000000 mov edx,4 ; EDX＝4
0045539E |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004553A1 |. E8 CEFAFFFF call dumped_.00454E74 ; 比较用户名长度是否大于4位
004553A6 |. 803B 00 cmp byte ptr ds:[ebx],0
004553A9 |. 0F84 AD050000 je dumped_.0045595C ; 暴破点1，NOP掉
004553AF |. BA 10000000 mov edx,10 ; EDX＝0X10(16)
004553B4 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004553B7 |. E8 18FBFFFF call dumped_.00454ED4 ; 比较用户名长度是否小于16位
004553BC |. 803B 00 cmp byte ptr ds:[ebx],0
004553BF |. 0F84 97050000 je dumped_.0045595C ; 暴破点2，NOP掉
004553C5 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
004553C8 |. 8B87 0C030000 mov eax,dword ptr ds:[edi+30C]
004553CE |. E8 D5E5FDFF call dumped_.004339A8
004553D3 |. BA 0C000000 mov edx,0C ; EDX=0XC
004553D8 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; 假码"9876543210"
004553DB |. E8 54FBFFFF call dumped_.00454F34 ; 比较注册码是否等于0xC(12)位
004553E0 |. 803B 00 cmp byte ptr ds:[ebx],0
004553E3 |. 0F84 73050000 je dumped_.0045595C ; 暴破点3，NOP掉
004553E9 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004553EC |. 50 push eax
004553ED |. B9 06000000 mov ecx,6 ; ECX＝6
004553F2 |. BA 01000000 mov edx,1 ; EDX＝1
004553F7 |. 8B06 mov eax,dword ptr ds:[esi] ; 固定字符串"ORACLE-BenQ-HP-IBM-SIEMENS-CISCO SYSTEMS- ; intel-Sun-DELL-SYBASE-Maxtor-lenovo"
004553F9 |. E8 76EFFAFF call dumped_.00404374 ; 从固定字符串第1位开始起取6位，即第1段"ORACLE"
004553FE |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; EAX="ORACLE"
00455401 |. E8 AEF8FFFF call dumped_.00454CB4 ; "ORACLE"各位字符的ASCII值相加,EAX＝0X1B6
00455406 |. 50 push eax
00455407 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 用户名"hrbxhui"
0045540A |. E8 A5F8FFFF call dumped_.00454CB4 ; 用户名"hrbxhui"各位字符的ASCII值相加,EDX＝0X2FA
0045540F |. 5A pop edx
00455410 |. E8 47FAFFFF call dumped_.00454E5C ; EAX=EAX xor EDX=0X34C
00455415 |. BA 0A000000 mov edx,0A ; EDX=0XA
0045541A |. E8 45FAFFFF call dumped_.00454E64 ; EAX/EDX,并将余数EDX给EAX，EAX＝4
0045541F |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00455422 |. E8 F928FBFF call dumped_.00407D20
00455427 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
0045542A |. 50 push eax
0045542B |. B9 01000000 mov ecx,1 ; ECX＝1
00455430 |. BA 01000000 mov edx,1 ; EDX＝1
00455435 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; 假码"987654321012"
00455438 |. E8 37EFFAFF call dumped_.00404374 ; 从假码第1位开始起取1位，即"9"
0045543D |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; ss:[ebp-10]=0x34("4")
00455440 |. 8B45 EC mov eax,dword ptr ss:[ebp-14] ; ss:[ebp-14]=0x39("9")
00455443 |. E8 4CFBFFFF call dumped_.00454F94 ; 比较是否相等
00455448 |. 803B 00 cmp byte ptr ds:[ebx],0
0045544B |. 0F84 0B050000 je dumped_.0045595C ; 暴破点4，NOP掉
00455451 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00455454 |. 50 push eax
00455455 |. B9 04000000 mov ecx,4 ; ECX＝4
0045545A |. BA 08000000 mov edx,8 ; EDX＝8
0045545F |. 8B06 mov eax,dword ptr ds:[esi] ; 固定字符串"ORACLE-BenQ-HP-IBM-SIEMENS-CISCO SYSTEMS- ; intel-Sun-DELL-SYBASE-Maxtor-lenovo"
00455461 |. E8 0EEFFAFF call dumped_.00404374 ; 从固定字符串第8位开始起取4位，即第2段"BenQ"
00455466 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; EAX＝"BenQ"
00455469 |. E8 46F8FFFF call dumped_.00454CB4 ; "BenQ"各位字符的ASCII值相加, EAX=0X166
0045546E |. 50 push eax
0045546F |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 用户名"hrbxhui"
00455472 |. E8 3DF8FFFF call dumped_.00454CB4 ; 用户名"hrbxhui"各位字符的ASCII值相加, EDX＝0X2FA
00455477 |. 5A pop edx
00455478 |. E8 E3F9FFFF call dumped_.00454E60 ; EAX=EAX and EDX=0X62
0045547D |. BA 0A000000 mov edx,0A ; EDX=0XA
00455482 |. E8 DDF9FFFF call dumped_.00454E64 ; EAX/EDX,并将余数EDX给EAX，EAX＝8
00455487 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
0045548A |. E8 9128FBFF call dumped_.00407D20
0045548F |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
00455492 |. 50 push eax
00455493 |. B9 01000000 mov ecx,1 ; ECX=1
00455498 |. BA 02000000 mov edx,2 ; EDX=2
0045549D |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; 假码"987654321012"
004554A0 |. E8 CFEEFAFF call dumped_.00404374 ; 从假码第2位开始起取1位，即"8"
004554A5 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10] ; ss:[ebp-10]=0x38("8")
004554A8 |. 8B45 EC mov eax,dword ptr ss:[ebp-14] ; ss:[ebp-14]=0x38("8")
004554AB |. E8 E4FAFFFF call dumped_.00454F94 ; 比较是否相等
004554B0 |. 803B 00 cmp byte ptr ds:[ebx],0
004554B3 |. 0F84 A3040000 je dumped_.0045595C ; 暴破点5，NOP掉
004554B9 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004554BC |. 50 push eax ; 以下过程大致相同，故简略注释
004554BD |. B9 02000000 mov ecx,2 ; ECX=2
004554C2 |. BA 0D000000 mov edx,0D ; EDX=0XD
004554C7 |. 8B06 mov eax,dword ptr ds:[esi]
004554C9 |. E8 A6EEFAFF call dumped_.00404374 ; 从固定字符串第0XD位开始起取2位，即第3段"HP"
004554CE |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004554D1 |. E8 DEF7FFFF call dumped_.00454CB4
004554D6 |. 50 push eax
004554D7 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004554DA |. E8 D5F7FFFF call dumped_.00454CB4
004554DF |. 5A pop edx
004554E0 |. E8 7BF9FFFF call dumped_.00454E60 ; EAX=EAX and EDX
004554E5 |. BA 0A000000 mov edx,0A
004554EA |. E8 75F9FFFF call dumped_.00454E64
004554EF |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004554F2 |. E8 2928FBFF call dumped_.00407D20
004554F7 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
004554FA |. 50 push eax
004554FB |. B9 01000000 mov ecx,1
00455500 |. BA 03000000 mov edx,3
00455505 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00455508 |. E8 67EEFAFF call dumped_.00404374
0045550D |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00455510 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00455513 |. E8 7CFAFFFF call dumped_.00454F94
00455518 |. 803B 00 cmp byte ptr ds:[ebx],0
0045551B |. 0F84 3B040000 je dumped_.0045595C ; 暴破点6，NOP掉
00455521 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00455524 |. 50 push eax
00455525 |. B9 03000000 mov ecx,3
0045552A |. BA 10000000 mov edx,10
0045552F |. 8B06 mov eax,dword ptr ds:[esi]
00455531 |. E8 3EEEFAFF call dumped_.00404374
00455536 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00455539 |. E8 76F7FFFF call dumped_.00454CB4
0045553E |. 50 push eax
0045553F |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00455542 |. E8 6DF7FFFF call dumped_.00454CB4
00455547 |. 5A pop edx
00455548 |. E8 0FF9FFFF call dumped_.00454E5C ; EAX=EAX xor EDX
0045554D |. BA 0A000000 mov edx,0A
00455552 |. E8 0DF9FFFF call dumped_.00454E64
00455557 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
0045555A |. E8 C127FBFF call dumped_.00407D20
0045555F |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
00455562 |. 50 push eax
00455563 |. B9 01000000 mov ecx,1
00455568 |. BA 04000000 mov edx,4
0045556D |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00455570 |. E8 FFEDFAFF call dumped_.00404374
00455575 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00455578 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
0045557B |. E8 14FAFFFF call dumped_.00454F94
00455580 |. 803B 00 cmp byte ptr ds:[ebx],0
00455583 |. 0F84 D3030000 je dumped_.0045595C ; 暴破点7，NOP掉
00455589 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0045558C |. 50 push eax
0045558D |. B9 07000000 mov ecx,7
00455592 |. BA 14000000 mov edx,14
00455597 |. 8B06 mov eax,dword ptr ds:[esi]
00455599 |. E8 D6EDFAFF call dumped_.00404374
0045559E |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004555A1 |. E8 0EF7FFFF call dumped_.00454CB4
004555A6 |. 50 push eax
004555A7 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004555AA |. E8 05F7FFFF call dumped_.00454CB4
004555AF |. 5A pop edx
004555B0 |. E8 A7F8FFFF call dumped_.00454E5C ; EAX=EAX xor EDX
004555B5 |. BA 07000000 mov edx,7
004555BA |. E8 A5F8FFFF call dumped_.00454E64
004555BF |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004555C2 |. E8 5927FBFF call dumped_.00407D20
004555C7 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
004555CA |. 50 push eax
004555CB |. B9 01000000 mov ecx,1
004555D0 |. BA 05000000 mov edx,5
004555D5 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004555D8 |. E8 97EDFAFF call dumped_.00404374
004555DD |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
004555E0 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
004555E3 |. E8 ACF9FFFF call dumped_.00454F94
004555E8 |. 803B 00 cmp byte ptr ds:[ebx],0
004555EB |. 0F84 6B030000 je dumped_.0045595C ; 暴破点8，NOP掉
004555F1 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004555F4 |. 50 push eax
004555F5 |. B9 0D000000 mov ecx,0D
004555FA |. BA 1C000000 mov edx,1C
004555FF |. 8B06 mov eax,dword ptr ds:[esi]
00455601 |. E8 6EEDFAFF call dumped_.00404374
00455606 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00455609 |. E8 A6F6FFFF call dumped_.00454CB4
0045560E |. 50 push eax
0045560F |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00455612 |. E8 9DF6FFFF call dumped_.00454CB4
00455617 |. 5A pop edx
00455618 |. E8 43F8FFFF call dumped_.00454E60 ; EAX=EAX and EDX
0045561D |. BA 09000000 mov edx,9 ; EDX=9
00455622 |. E8 3DF8FFFF call dumped_.00454E64
00455627 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
0045562A |. E8 F126FBFF call dumped_.00407D20
0045562F |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
00455632 |. 50 push eax
00455633 |. B9 01000000 mov ecx,1
00455638 |. BA 06000000 mov edx,6
0045563D |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00455640 |. E8 2FEDFAFF call dumped_.00404374
00455645 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00455648 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
0045564B |. E8 44F9FFFF call dumped_.00454F94
00455650 |. 803B 00 cmp byte ptr ds:[ebx],0
00455653 |. 0F84 03030000 je dumped_.0045595C ; 暴破点9，NOP掉
00455659 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0045565C |. 50 push eax
0045565D |. B9 05000000 mov ecx,5
00455662 |. BA 2A000000 mov edx,2A
00455667 |. 8B06 mov eax,dword ptr ds:[esi]
00455669 |. E8 06EDFAFF call dumped_.00404374
0045566E |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00455671 |. E8 3EF6FFFF call dumped_.00454CB4
00455676 |. 50 push eax
00455677 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0045567A |. E8 35F6FFFF call dumped_.00454CB4
0045567F |. 5A pop edx
00455680 |. E8 DBF7FFFF call dumped_.00454E60 ; EAX=EAX and EDX
00455685 |. BA 0A000000 mov edx,0A
0045568A |. E8 D5F7FFFF call dumped_.00454E64
0045568F |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00455692 |. E8 8926FBFF call dumped_.00407D20
00455697 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
0045569A |. 50 push eax
0045569B |. B9 01000000 mov ecx,1
004556A0 |. BA 07000000 mov edx,7
004556A5 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004556A8 |. E8 C7ECFAFF call dumped_.00404374
004556AD |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
004556B0 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
004556B3 |. E8 DCF8FFFF call dumped_.00454F94
004556B8 |. 803B 00 cmp byte ptr ds:[ebx],0
004556BB |. 0F84 9B020000 je dumped_.0045595C ; 暴破点10，NOP掉
004556C1 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004556C4 |. 50 push eax
004556C5 |. B9 03000000 mov ecx,3
004556CA |. BA 30000000 mov edx,30
004556CF |. 8B06 mov eax,dword ptr ds:[esi]
004556D1 |. E8 9EECFAFF call dumped_.00404374
004556D6 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004556D9 |. E8 D6F5FFFF call dumped_.00454CB4
004556DE |. 50 push eax
004556DF |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004556E2 |. E8 CDF5FFFF call dumped_.00454CB4
004556E7 |. 5A pop edx
004556E8 |. E8 6FF7FFFF call dumped_.00454E5C ; EAX=EAX xor EDX
004556ED |. BA 09000000 mov edx,9 ; EDX=9
004556F2 |. E8 6DF7FFFF call dumped_.00454E64
004556F7 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004556FA |. E8 2126FBFF call dumped_.00407D20
004556FF |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
00455702 |. 50 push eax
00455703 |. B9 01000000 mov ecx,1
00455708 |. BA 08000000 mov edx,8
0045570D |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00455710 |. E8 5FECFAFF call dumped_.00404374
00455715 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00455718 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
0045571B |. E8 74F8FFFF call dumped_.00454F94
00455720 |. 803B 00 cmp byte ptr ds:[ebx],0
00455723 |. 0F84 33020000 je dumped_.0045595C ; 暴破点11，NOP掉
00455729 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0045572C |. 50 push eax
0045572D |. B9 04000000 mov ecx,4
00455732 |. BA 34000000 mov edx,34
00455737 |. 8B06 mov eax,dword ptr ds:[esi]
00455739 |. E8 36ECFAFF call dumped_.00404374
0045573E |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00455741 |. E8 6EF5FFFF call dumped_.00454CB4
00455746 |. 50 push eax
00455747 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0045574A |. E8 65F5FFFF call dumped_.00454CB4
0045574F |. 5A pop edx
00455750 |. E8 07F7FFFF call dumped_.00454E5C ; EAX=EAX xor EDX
00455755 |. BA 07000000 mov edx,7
0045575A |. E8 05F7FFFF call dumped_.00454E64
0045575F |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00455762 |. E8 B925FBFF call dumped_.00407D20
00455767 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
0045576A |. 50 push eax
0045576B |. B9 01000000 mov ecx,1
00455770 |. BA 09000000 mov edx,9
00455775 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00455778 |. E8 F7EBFAFF call dumped_.00404374
0045577D |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00455780 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00455783 |. E8 0CF8FFFF call dumped_.00454F94
00455788 |. 803B 00 cmp byte ptr ds:[ebx],0
0045578B |. 0F84 CB010000 je dumped_.0045595C ; 暴破点12，NOP掉
00455791 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00455794 |. 50 push eax
00455795 |. B9 06000000 mov ecx,6
0045579A |. BA 39000000 mov edx,39
0045579F |. 8B06 mov eax,dword ptr ds:[esi]
004557A1 |. E8 CEEBFAFF call dumped_.00404374
004557A6 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
004557A9 |. E8 06F5FFFF call dumped_.00454CB4
004557AE |. 50 push eax
004557AF |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004557B2 |. E8 FDF4FFFF call dumped_.00454CB4
004557B7 |. 5A pop edx
004557B8 |. E8 9FF6FFFF call dumped_.00454E5C ; EAX=EAX xor EDX
004557BD |. BA 0A000000 mov edx,0A
004557C2 |. E8 9DF6FFFF call dumped_.00454E64
004557C7 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004557CA |. E8 5125FBFF call dumped_.00407D20
004557CF |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
004557D2 |. 50 push eax
004557D3 |. B9 01000000 mov ecx,1
004557D8 |. BA 0A000000 mov edx,0A
004557DD |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004557E0 |. E8 8FEBFAFF call dumped_.00404374
004557E5 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
004557E8 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
004557EB |. E8 A4F7FFFF call dumped_.00454F94
004557F0 |. 803B 00 cmp byte ptr ds:[ebx],0
004557F3 |. 0F84 63010000 je dumped_.0045595C ; 暴破点13，NOP掉
004557F9 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004557FC |. 50 push eax
004557FD |. B9 06000000 mov ecx,6
00455802 |. BA 40000000 mov edx,40
00455807 |. 8B06 mov eax,dword ptr ds:[esi]
00455809 |. E8 66EBFAFF call dumped_.00404374
0045580E |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00455811 |. E8 9EF4FFFF call dumped_.00454CB4
00455816 |. 50 push eax
00455817 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
0045581A |. E8 95F4FFFF call dumped_.00454CB4
0045581F |. 5A pop edx
00455820 |. E8 3BF6FFFF call dumped_.00454E60 ; EAX=EAX and EDX
00455825 |. BA 0A000000 mov edx,0A
0045582A |. E8 35F6FFFF call dumped_.00454E64
0045582F |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00455832 |. E8 E924FBFF call dumped_.00407D20
00455837 |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
0045583A |. 50 push eax
0045583B |. B9 01000000 mov ecx,1
00455840 |. BA 0B000000 mov edx,0B
00455845 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00455848 |. E8 27EBFAFF call dumped_.00404374
0045584D |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
00455850 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00455853 |. E8 3CF7FFFF call dumped_.00454F94
00455858 |. 803B 00 cmp byte ptr ds:[ebx],0
0045585B |. 0F84 FB000000 je dumped_.0045595C ; 暴破点14，NOP掉
00455861 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00455864 |. 50 push eax
00455865 |. B9 06000000 mov ecx,6
0045586A |. BA 47000000 mov edx,47
0045586F |. 8B06 mov eax,dword ptr ds:[esi]
00455871 |. E8 FEEAFAFF call dumped_.00404374
00455876 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00455879 |. E8 36F4FFFF call dumped_.00454CB4
0045587E |. 50 push eax
0045587F |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00455882 |. E8 2DF4FFFF call dumped_.00454CB4
00455887 |. 5A pop edx
00455888 |. E8 D3F5FFFF call dumped_.00454E60 ; EAX=EAX and EDX
0045588D |. BA 09000000 mov edx,9 ; EDX=9
00455892 |. E8 CDF5FFFF call dumped_.00454E64
00455897 |. 8D55 F0 lea edx,dword ptr ss:[ebp-10]
0045589A |. E8 8124FBFF call dumped_.00407D20
0045589F |. 8D45 EC lea eax,dword ptr ss:[ebp-14]
004558A2 |. 50 push eax
004558A3 |. B9 01000000 mov ecx,1
004558A8 |. BA 0C000000 mov edx,0C
004558AD |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
004558B0 |. E8 BFEAFAFF call dumped_.00404374
004558B5 |. 8B55 F0 mov edx,dword ptr ss:[ebp-10]
004558B8 |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
004558BB |. E8 D4F6FFFF call dumped_.00454F94
004558C0 |. 803B 00 cmp byte ptr ds:[ebx],0
004558C3 |. 0F84 93000000 je dumped_.0045595C ; 暴破点15，NOP掉
004558C9 |. E8 DAF3FFFF call dumped_.00454CA8 ; 关键CALL，F7进入
004558CE |. 3D FE010000 cmp eax,1FE ; 比较是否等于0X1FE(510)
004558D3 |. 0F85 83000000 jnz dumped_.0045595C ; 暴破点16，NOP掉
004558D9 |. E8 F662FBFF call dumped_.0040BBD4
004558DE |. 8D45 DC lea eax,dword ptr ss:[ebp-24]
004558E1 |. 50 push eax
关键CALL，F7进入004558C9处的关键CALL，来到：
00454CA8 /$ A1 048C4500 mov eax,dword ptr ds:[458C04]
00454CAD |. 8B40 48 mov eax,dword ptr ds:[eax+48] ; ds:[009C1FE0]=000001BA
00454CB0 \. C3 retn
程序将ds:[009C1FE0]处的数据赋值给EAX，看看ds:[009C1FE0]处的数据是如何得到的。
命令栏输入： D 009C1FE0，得到如下数据：
===========================================================================
009C1FE0 BA 01 00 00 15 01 00 00 AB 00 00 00 00 00 00 01 ?....?.....
009C1FF0 01 00 00 00 00 00 00 00 01 03 00 00 00 00 00 00 .............
===========================================================================
在009C1FE0处下内存写入断点，F9运行程序，中断在以下位置：
0043A52D |. 8943 48 mov dword ptr ds:[ebx+48],eax ; 中断在这里
0043A530 |. 8B4424 0C mov eax,dword ptr ss:[esp+C]
0043A534 |. 2B4424 04 sub eax,dword ptr ss:[esp+4]
0043A538 |. 8943 4C mov dword ptr ds:[ebx+4C],eax
向上查看，来到：
0043A4D1 |> \54 push esp
0043A4D2 |. 8B83 80010000 mov eax,dword ptr ds:[ebx+180]
0043A4D8 |. 50 push eax
0043A4D9 |. E8 4AC0FCFF call <jmp.&user32.GetWindowRect>
0043A4DE |> 6A F0 push -10
0043A4E0 |. 8B83 80010000 mov eax,dword ptr ds:[ebx+180]
0043A4E6 |. 50 push eax
0043A4E7 |. E8 2CC0FCFF call <jmp.&user32.GetWindowLongA> ; 调用GetWindowLongA函数获取程序窗体长度
0043A4EC |. A9 00000040 test eax,40000000
0043A4F1 |. 74 26 je short dumped_.0043A519
0043A4F3 |. 6A F8 push -8
0043A4F5 |. 8B83 80010000 mov eax,dword ptr ds:[ebx+180]
0043A4FB |. 50 push eax
0043A4FC |. E8 17C0FCFF call <jmp.&user32.GetWindowLongA> ; GetWindowLongA
0043A501 |. 8BF0 mov esi,eax
0043A503 |. 85F6 test esi,esi
0043A505 |. 74 12 je short dumped_.0043A519
0043A507 |. 54 push esp ; pPoint
0043A508 |. 56 push esi
0043A509 |. E8 6AC1FCFF call <jmp.&user32.ScreenToClient>
0043A50E |. 8D4424 08 lea eax,dword ptr ss:[esp+8]
0043A512 |. 50 push eax
0043A513 |. 56 push esi
0043A514 |. E8 5FC1FCFF call <jmp.&user32.ScreenToClient>
0043A519 |> 8B0424 mov eax,dword ptr ss:[esp]
0043A51C |. 8943 40 mov dword ptr ds:[ebx+40],eax
0043A51F |. 8B4424 04 mov eax,dword ptr ss:[esp+4]
0043A523 |. 8943 44 mov dword ptr ds:[ebx+44],eax
0043A526 |. 8B4424 08 mov eax,dword ptr ss:[esp+8]
0043A52A |. 2B0424 sub eax,dword ptr ss:[esp]
0043A52D |. 8943 48 mov dword ptr ds:[ebx+48],eax ; 将程序窗体长度EAX值保存
程序调用GetWindowLongA函数获取程序窗体长度，然后与固定值0x1FE(510)比较。
-----------------------------------------------------------------------------------------------
【破解总结】
1.用户名长度必需大于4位且小于16位，注册码固定为12位。
2. 固定字符串"ORACLE-BenQ-HP-IBM-SIEMENS-CISCO SYSTEMS-intel-Sun-DELL-SYBASE-Maxtor-lenovo"，
取用户各位字符ASCII的累加值分别与固定字符串的每一段各位字符ASCII的累加值进行xor或and运算，结果除以0xA(0X9)，
依次连接所得余数即为注册码。
3.最后，程序比较窗口长度是否为0x1FE(510)像素(约15.94厘米)，是则注册成功。
一组可用注册码：
Name：hrbxhui
Serial：482601600941
暴破更改以下位置：
004553A9 je dumped_.0045595C ; je====> NOP
004553BF je dumped_.0045595C ; je====> NOP
004553E3 je dumped_.0045595C ; je====> NOP
0045544B je dumped_.0045595C ; je====> NOP
004554B3 je dumped_.0045595C ; je====> NOP
0045551B je dumped_.0045595C ; je====> NOP
00455583 je dumped_.0045595C ; je====> NOP
004555EB je dumped_.0045595C ; je====> NOP
00455653 je dumped_.0045595C ; je====> NOP
004556BB je dumped_.0045595C ; je====> NOP
00455723 je dumped_.0045595C ; je====> NOP
0045578B je dumped_.0045595C ; je====> NOP
004557F3 je dumped_.0045595C ; je====> NOP
0045585B je dumped_.0045595C ; je====> NOP
004558C3 je dumped_.0045595C ; je====> NOP
004558D3 jnz dumped_.0045595C ; jnz===> NOP
-----------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

复制代码

[ 本帖最后由 hrbx 于 2005-12-19 12:05 AM 编辑 ]

hrbx · 发表于 2005-12-19 00:07:19

附件上传老是说超过限制，Crackme没办法转过来，晕。

冷血书生 · 发表于 2005-12-19 08:46:05

发看雪会更受欢迎！！

pentacle · 发表于 2005-12-19 10:45:05

不错~~
支持一下~~

知道用
[ code ] [ / cole ]
代码~~

冷血书生 · 发表于 2005-12-19 10:55:34

原帖由 pentacle 于 2005-12-19 10:45 AM 发表
不错~~
支持一下~~

知道用
[ code ] [ / cole ]
代码~~

呵呵，难道说，只有你才懂吗？

可能就我不懂啦！

风球 · 发表于 2005-12-19 11:13:34

很好```
我也玩过这个东东，呵```

pentacle · 发表于 2005-12-19 11:16:18

原帖由 冷血书生 于 2005-12-19 10:55 AM 发表

呵呵，难道说，只有你才懂吗？

可能就我不懂啦！

不好意思。可能我说话的方式不对~~

我的意思是，一般发这种[code]贴的人少~~
所以我支持一下~~
因为用这种方式的人一般都很细心~~

其实我是想赞一下，:L没想让你们误会了

冷血书生 · 发表于 2005-12-19 14:02:31

原帖由 pentacle 于 2005-12-19 11:16 AM 发表

不好意思。可能我说话的方式不对~~

我的意思是，一般发这种[code]贴的人少~~
所以我支持一下~~
因为用这种方式的人一般都很细心~~

其实我是想赞一下，:L没想让你们误会了

哈哈！是我爱抓鸡脚吧！！

qxtianlong · 发表于 2005-12-21 14:31:41

厉害~学习了

=随风= · 发表于 2005-12-29 14:32:24

看得有点晕！

		自动登录	找回密码
密码			加入我们

HappyTown CrackMe_0008 简单算法分析

相关帖子