System: Windows XP
Program: AD_CM#3
Program download: http://pan.baidu.com/s/1skwXPVn
Task: write a keygen
Tools used: IDA & OD
A cracking writeup for this program can be found on the Pediy (Kanxue) forum: http://bbs.pediy.com/showthread.php?t=28995
Load the program in IDA, find the success string "Well done Cracker, You did it!" and locate the key code:
0045817F |. 8D55 FC lea edx, dword ptr [ebp-4]
00458182 |. 8B87 D8020000 mov eax, dword ptr [edi+2D8]
00458188 |. E8 FFBEFCFF call 0042408C
0045818D |. 8D55 F0 lea edx, dword ptr [ebp-10]
00458190 |. 8B87 D8020000 mov eax, dword ptr [edi+2D8]
00458196 |. E8 F1BEFCFF call 0042408C
0045819B |. 837D F0 00 cmp dword ptr [ebp-10], 0 ; name empty?
0045819F |. 75 0A jnz short 004581AB
004581A1 |. B8 88824500 mov eax, 00458288 ; ASCII "Enter you name, pls."
004581A6 |. E8 39C1FEFF call 004442E4
004581AB |> 8D55 EC lea edx, dword ptr [ebp-14]
004581AE |. 8B87 DC020000 mov eax, dword ptr [edi+2DC]
004581B4 |. E8 D3BEFCFF call 0042408C
004581B9 |. 837D EC 00 cmp dword ptr [ebp-14], 0 ; serial empty?
004581BD |. 75 0A jnz short 004581C9
004581BF |. B8 A8824500 mov eax, 004582A8 ; ASCII "Enter the serial, pls."
004581C4 |. E8 1BC1FEFF call 004442E4
004581C9 |> 8B45 FC mov eax, dword ptr [ebp-4] ; get the name
004581CC |. E8 ABB9FAFF call 00403B7C ; get its length
004581D1 |. 8BD8 mov ebx, eax
004581D3 |. 85DB test ebx, ebx
004581D5 |. 7E 2D jle short 00458204
004581D7 |. BE 01000000 mov esi, 1 ; initialise the loop counter
004581DC |> 8B45 FC /mov eax, dword ptr [ebp-4] ; get the name
004581DF |. 0FB64430 FF |movzx eax, byte ptr [eax+esi-1] ; iterate over the name bytes
004581E4 |. B9 03000000 |mov ecx, 3
004581E9 |. 33D2 |xor edx, edx
004581EB |. F7F1 |div ecx ; character divided by 3
004581ED |. 8D55 E8 |lea edx, dword ptr [ebp-18] ; get a buffer
004581F0 |. E8 0FF9FAFF |call 00407B04 ; convert the quotient to a decimal string
004581F5 |. 8B55 E8 |mov edx, dword ptr [ebp-18]
004581F8 |. 8D45 F8 |lea eax, dword ptr [ebp-8] ; get a buffer
004581FB |. E8 84B9FAFF |call 00403B84 ; append the computed sub-key
00458200 |. 46 |inc esi ; increment the loop counter
00458201 |. 4B |dec ebx
00458202 |.^ 75 D8 jnz short 004581DC
00458204 |> 8D45 F4 lea eax, dword ptr [ebp-C] ; get a buffer
00458207 |. 8B4D F8 mov ecx, dword ptr [ebp-8] ; get the concatenated key
0045820A |. BA C8824500 mov edx, 004582C8 ; ASCII "ADCM3-"
0045820F |. E8 B4B9FAFF call 00403BC8 ; concatenate the strings
00458214 |. 8D55 E4 lea edx, dword ptr [ebp-1C] ; get a buffer
00458217 |. 8B87 DC020000 mov eax, dword ptr [edi+2DC]
0045821D |. E8 6ABEFCFF call 0042408C
00458222 |. 8B55 E4 mov edx, dword ptr [ebp-1C] ; get the serial
00458225 |. 8B45 F4 mov eax, dword ptr [ebp-C] ; get the concatenated key
00458228 |. E8 5FBAFAFF call 00403C8C ; compare the strings; returns 0 when they are equal
0045822D |. 75 0A jnz short 00458239
0045822F |. B8 D8824500 mov eax, 004582D8 ; ASCII "Well done Cracker, You did it!"
That completes the algorithm analysis; this really is a very simple crackme. Open the framework built in http://www.cnblogs.com/ZRBYYXDM/p/5115596.html and modify the OnBtnDecrypt function as follows:
void CKengen_TemplateDlg::OnBtnDecrypt()
{
    // TODO: Add your control notification handler code here
    CString str;
    GetDlgItemText( IDC_EDIT_NAME, str );   // read the name string from the edit box
    int len = str.GetLength();
    CString Temp, PassWord;
    if ( len != 0 ){                        // format check: the name must not be empty
        for ( int i = 0 ; i != len ; i++ ){
            // divide the unsigned byte by 3, matching movzx + div in the listing
            Temp.Format( "%d", ( (unsigned char)str[i] / 3 ) );
            PassWord += Temp;               // append the decimal quotient
        }
        PassWord = "ADCM3-" + PassWord;     // prefix the fixed "ADCM3-" string
        SetDlgItemText( IDC_EDIT_PASSWORD, PassWord );
    }
    else
        MessageBox( "用户名格式错误!" );
}
Then add this line in OnInitDialog to change the window title: SetWindowText(_T("AD_CM#3_Keygen"));
Result when run:
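To confirm the analysis of the listing independently of the MFC dialog, here is a console re-implementation of the reversed check. It is an added example, not code from the original post or from the crackme; the function names make_serial and serial_matches and the sample name "AB" are assumptions. It follows the listing literally: movzx reads each name byte unsigned, div ecx with ecx = 3 yields the quotient, the quotient is rendered in decimal and appended, "ADCM3-" is prefixed, and the result is compared with the entered serial. The unsigned byte matters for names containing bytes above 0x7F, where a signed char division would give a different quotient.

```cpp
#include <cstdio>
#include <string>

// Added example: reversed AD_CM#3 serial derivation, written as plain C++.
// Each name byte is divided by 3 as an unsigned value (movzx + div ecx),
// the quotient is rendered in decimal, the pieces are concatenated and
// the fixed prefix "ADCM3-" (string at 004582C8) is put in front.
std::string make_serial(const std::string& name) {
    std::string body;
    for (unsigned char ch : name) {        // movzx eax, byte ptr [eax+esi-1]
        body += std::to_string(ch / 3);    // div ecx (ecx = 3), then IntToStr, then append
    }
    return "ADCM3-" + body;                // concatenation at 0045820F
}

// Mirrors the program's decision: the empty-name and empty-serial checks at
// 0045819B / 004581B9 reject early, and the comparison at 00458228 accepts
// only an exact match with the derived string.
bool serial_matches(const std::string& name, const std::string& serial) {
    if (name.empty() || serial.empty()) return false;
    return make_serial(name) == serial;
}

int main() {
    // Constructed sample input, not a value from the original post.
    const std::string name = "AB";
    std::printf("%s -> %s\n", name.c_str(), make_serial(name).c_str());
    return 0;
}
```

For the name "AB" the bytes are 65 and 66, the quotients 21 and 22, so the derived serial is "ADCM3-2122"; a byte of 0xFF yields 85, whereas a signed division would have produced 0, which is why the cast to an unsigned byte is needed when porting the loop.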