zoukankan      html  css  js  c++  java
  • 复健小CM

    系统 : Windows xp

    程序 : Keygenme # 2

    程序下载地址 :http://pan.baidu.com/s/1qYIk2HQ

    要求 : 注册机编写 

    使用工具 : OD

    可在“PEDIY CrackMe 2007”中查找关于此程序的讨论,标题为“一个据说是新手级Crackme的分析”。

    运行程序,查找字符串定位关键算法位置。大致的看一下程序主体:

    004014AF  |.  C74424 04 CE0>mov     dword ptr [esp+4], 004400CE      ;  enter user-name: enter user-id: enter password: access granted !
    004014B7  |.  C70424 C03344>mov     dword ptr [esp], 004433C0
    004014BE  |.  E8 95AE0300   call    0043C358
    004014C3  |.  C74424 04 28B>mov     dword ptr [esp+4], 0043B128
    004014CB  |.  890424        mov     dword ptr [esp], eax
    004014CE  |.  E8 DD8D0200   call    0042A2B0
    004014D3  |.  C74424 04 CF0>mov     dword ptr [esp+4], 004400CF      ;  enter user-name: enter user-id: enter password: access granted !
    004014DB  |.  C70424 C03344>mov     dword ptr [esp], 004433C0
    004014E2  |.  E8 71AE0300   call    0043C358
    004014E7  |.  8D85 F8FEFFFF lea     eax, dword ptr [ebp-108]         ; |
    004014ED  |.  890424        mov     dword ptr [esp], eax             ; |
    004014F0  |.  E8 8BF40000   call    <jmp.&msvcrt.gets>               ; gets
    004014F5  |.  80BD F8FEFFFF>cmp     byte ptr [ebp-108], 0            ;  是否为空?
    004014FC  |.  0F84 A8010000 je      004016AA                         ;  是则失败
    00401502  |.  C74424 04 E10>mov     dword ptr [esp+4], 004400E1      ;  enter user-id: enter password: access granted !
    0040150A  |.  C70424 C03344>mov     dword ptr [esp], 004433C0
    00401511  |.  E8 42AE0300   call    0043C358
    00401516  |.  8D85 DCFEFFFF lea     eax, dword ptr [ebp-124]
    0040151C  |.  894424 04     mov     dword ptr [esp+4], eax
    00401520  |.  C70424 603444>mov     dword ptr [esp], 00443460
    00401527  |.  E8 C4720200   call    004287F0                         ;  读入id的子程序
    0040152C  |.  C785 D8FEFFFF>mov     dword ptr [ebp-128], 0           ;  循环变量初始化
    00401536  |>  8D85 F8FEFFFF /lea     eax, dword ptr [ebp-108]        ; |
    0040153C  |.  890424        |mov     dword ptr [esp], eax            ; |
    0040153F  |.  E8 2CF40000   |call    <jmp.&msvcrt.strlen>            ; strlen
    00401544  |.  3B85 D8FEFFFF |cmp     eax, dword ptr [ebp-128]        ;  长度低于等于 循环变量
    0040154A  |.  76 5B         |jbe     short 004015A7                  ;  则跳出循环
    0040154C  |.  8D45 F8       |lea     eax, dword ptr [ebp-8]
    0040154F  |.  0385 D8FEFFFF |add     eax, dword ptr [ebp-128]        ;  地址 加上 循环变量
    00401555  |.  2D 00010000   |sub     eax, 100                        ;  还原成User-Name
    0040155A  |.  0FBE00        |movsx   eax, byte ptr [eax]             ;  扩展载入到eax
    0040155D  |.  8985 F4FEFFFF |mov     dword ptr [ebp-10C], eax
    00401563  |.  8D85 F4FEFFFF |lea     eax, dword ptr [ebp-10C]
    00401569  |.  8100 656C2A03 |add     dword ptr [eax], 32A6C65        ;  保存的值加上一个 固定数值
    0040156F  |.  8B85 DCFEFFFF |mov     eax, dword ptr [ebp-124]        ;  读入的id
    00401575  |.  0FAF85 DCFEFF>|imul    eax, dword ptr [ebp-124]
    0040157C  |.  01C0          |add     eax, eax
    0040157E  |.  0385 F4FEFFFF |add     eax, dword ptr [ebp-10C]        ;  加上之前保存的值
    00401584  |.  05 237AD602   |add     eax, 2D67A23                    ;  再加
    00401589  |.  8985 F4FEFFFF |mov     dword ptr [ebp-10C], eax
    0040158F  |.  8B95 F4FEFFFF |mov     edx, dword ptr [ebp-10C]        ;  存入edx
    00401595  |.  8D85 F0FEFFFF |lea     eax, dword ptr [ebp-110]
    0040159B  |.  0110          |add     dword ptr [eax], edx
    0040159D  |.  8D85 D8FEFFFF |lea     eax, dword ptr [ebp-128]
    004015A3  |.  FF00          |inc     dword ptr [eax]                 ;  循环变量自增
    004015A5  |.^ EB 8F         jmp     short 00401536
    004015A7  |>  C74424 04 F10>mov     dword ptr [esp+4], 004400F1      ;  enter password: access granted !
    004015AF  |.  C70424 C03344>mov     dword ptr [esp], 004433C0
    004015B6  |.  E8 9DAD0300   call    0043C358
    004015BB  |.  8D85 E8FEFFFF lea     eax, dword ptr [ebp-118]
    004015C1  |.  894424 04     mov     dword ptr [esp+4], eax
    004015C5  |.  C70424 603444>mov     dword ptr [esp], 00443460
    004015CC  |.  E8 1F720200   call    004287F0
    004015D1  |.  C74424 04 CE0>mov     dword ptr [esp+4], 004400CE      ;  enter user-name: enter user-id: enter password: access granted !
    004015D9  |.  C70424 C03344>mov     dword ptr [esp], 004433C0
    004015E0  |.  E8 73AD0300   call    0043C358
    004015E5  |.  C74424 04 28B>mov     dword ptr [esp+4], 0043B128
    004015ED  |.  890424        mov     dword ptr [esp], eax
    004015F0  |.  E8 BB8C0200   call    0042A2B0
    004015F5  |.  8B85 F0FEFFFF mov     eax, dword ptr [ebp-110]
    004015FB  |.  3B85 E8FEFFFF cmp     eax, dword ptr [ebp-118]
    00401601      75 3A         jnz     short 0040163D
    00401603  |.  C74424 04 020>mov     dword ptr [esp+4], 00440102      ;  access granted !
    0040160B  |.  C70424 C03344>mov     dword ptr [esp], 004433C0
    00401612  |.  E8 41AD0300   call    0043C358
    00401617  |.  C74424 04 28B>mov     dword ptr [esp+4], 0043B128
    0040161F  |.  890424        mov     dword ptr [esp], eax
    00401622  |.  E8 898C0200   call    0042A2B0
    00401627  |.  C74424 04 140>mov     dword ptr [esp+4], 00440114      ;  you did it cracker...now make a keygen !access denied !press any key to continue...access violation !
    0040162F  |.  C70424 C03344>mov     dword ptr [esp], 004433C0
    00401636  |.  E8 1DAD0300   call    0043C358
    0040163B  |.  EB 5C         jmp     short 00401699
    0040163D  |>  C74424 04 3D0>mov     dword ptr [esp+4], 0044013D      ;  access denied !press any key to continue...access violation !

    一个比较典型的二元函数加密的例子,算法也很简单。唯一的难点是不能对存放id的地址下内存断点,一旦这样操作就会导致读取失败,不过用硬件断点可以很方便地解决问题。

    打开http://www.cnblogs.com/ZRBYYXDM/p/5115596.html中搭建的框架,加入新的ID文本编辑框控件,并在消息响应函数中加上解密代码:

    void CKengen_TemplateDlg::OnBtnDecrypt() 
    {
        // TODO: Add your control notification handler code here
        CString str,ID;
        GetDlgItemText( IDC_EDIT_NAME,str );                    //获取用户名字串基本信息。
        GetDlgItemText( IDC_EDIT_ID,ID );
    
        if ( str.GetLength() && ID.GetLength() ){               //格式控制。
            int IDnum = atoi( ID );
            DWORD Res = 0,Sum = 0;
            for ( int i = 0 ; i != str.GetLength() ; i++ ){
                Sum = IDnum * IDnum;
                Sum += Sum;
                Sum += ( str.GetAt(i) + 0x32A6C65 );
                Sum += 0x2D67A23;
                Res += Sum;
            }
    
            CString PassWord;
            PassWord.Format( "%d",Res );
            SetDlgItemText( IDC_EDIT_PASSWORD,PassWord );
        }
        else
            MessageBox( "用户名格式错误!" );
    }

    继续完善一下拷贝按钮:

    void CKengen_TemplateDlg::OnBtnCopy() 
    {
        // TODO: Add your control notification handler code here
        CString cmd;
        GetDlgItemText( IDC_BTN_COPY,cmd );
    
        if ( OpenClipboard() ){                                        //打开剪贴板
            CString str;
            HANDLE hClip;
            char *pBuf;
    
            EmptyClipboard();
            
            if ( cmd == "拷贝用户名" )                                //如果命令是拷贝用户名
                GetDlgItemText( IDC_EDIT_NAME,str );
            else{
                if ( cmd == "拷贝ID" )
                    GetDlgItemText( IDC_EDIT_ID,str );
                else
                    GetDlgItemText( IDC_EDIT_PASSWORD,str );
            }
    
            hClip = GlobalAlloc( GMEM_MOVEABLE,str.GetLength() + 1 );
            pBuf = (char*)GlobalLock( hClip );
            strcpy( pBuf,str );
            GlobalUnlock( hClip );
            SetClipboardData( CF_TEXT,hClip );
            CloseClipboard();
    
            if ( cmd == "拷贝用户名" ){                                //变换命令
                SetDlgItemText( IDC_BTN_COPY,"拷贝ID" );
                SetDlgItemText( IDC_STC_MSG,"拷贝用户名成功!" );    //提示成功
            }
            else{
                if ( cmd == "拷贝ID" ){
                    SetDlgItemText( IDC_BTN_COPY,"拷贝序列号" );
                    SetDlgItemText( IDC_STC_MSG,"拷贝ID成功!" );
                }
                else{
                    SetDlgItemText( IDC_BTN_COPY,"拷贝用户名" );
                    SetDlgItemText( IDC_STC_MSG,"拷贝序列号成功!" );
                }
            }
        }
        else
            SetDlgItemText( IDC_STC_MSG,"拷贝失败!" );
    }

    再在OnInitDialog中添加此代码修改标题:SetWindowText(_T("CRACKME_Keygen"));

    运行效果:

  • 相关阅读:
    Nexus3.0私服搭建
    JavaScript
    Spring基础
    Hibernate注解
    HTML5
    Apache Tomcat
    Java安装(Ubuntu)
    C++ 日期 & 时间
    C++ 引用
    C++ 指针
  • 原文地址:https://www.cnblogs.com/ZRBYYXDM/p/5722487.html
Copyright © 2011-2022 走看看