
简单反汇编之CrackMe6分析 vc注册机

2010-03-03 22:27 232 查看
这个crackme算法不错,是通过中间注册码来进行比较的。

打开程序试着注册了下,没提示错误。

先检测是否加壳,ASPack 2.x (without poly) -> Alexey Solodovnikov [Overlay]
把它拖到AspackDie1.41图标上,脱壳有些小问题,全部选是。
程序可以打开,那就可以了,脱壳成功。

进入下一步。
用W32dasm载入,看看用的什么函数来取字符串的,发现熟悉的GetDlgItemTextA,好了,其他也就不看了,直接用OD载入,BP GetDlgItemTextA,F9运行,输入用户名和假码。
name:4nil
Fserial:78787878

CHECK后被断下,按ALT+F9回到程序领空。
按F2下个断在GetDlgItemTextA后面的语句,下次就可以从这里开始了。
让我们先来看代码。

00401528  |. 68 00010000    PUSH 100                                 ; /Count = 100 (256.)
0040152D  |. 8D85 00FFFFFF  LEA EAX,DWORD PTR SS:[EBP-100]           ; |
00401533  |. 50             PUSH EAX                                 ; |Buffer
00401534  |. 6A 65          PUSH 65                                  ; |ControlID = 65 (101.)
00401536  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                ; |hWnd
00401539  |. E8 FA010000    CALL <JMP.&USER32.GetDlgItemTextA>       ; /GetDlgItemTextA
0040153E  |. 89C3           MOV EBX,EAX
00401540  |. 09DB           OR EBX,EBX
00401542  |. 75 04          JNZ SHORT unpacked.00401548  //用户名不空就跳,否则就挂
00401544  |. 31C0           XOR EAX,EAX
00401546  |. EB 50          JMP SHORT unpacked.00401598
00401548  |> BF BC020000    MOV EDI,2BC
0040154D  |. BE 30000000    MOV ESI,30
00401552  |. B8 48000000    MOV EAX,48
00401557  |. 99             CDQ
00401558  |. F7FB           IDIV EBX
0040155A  |. 29C6           SUB ESI,EAX
0040155C  |. 8D34B6         LEA ESI,DWORD PTR DS:[ESI+ESI*4]
0040155F  |. 29F7           SUB EDI,ESI
00401561  |. 6BFF 6B        IMUL EDI,EDI,6B
00401564  |. 81EF 6CCF0000  SUB EDI,0CF6C
0040156A  |. 81FF 00230000  CMP EDI,2300  //EDI=(2bc-(30-48/namelen)*5)*6b-cf6c,得出的EDI必须在190-2300之间,否则就挂
00401570  |. 7F 08          JG SHORT unpacked.0040157A
00401572  |. 81FF 90010000  CMP EDI,190
00401578  |. 7D 04          JGE SHORT unpacked.0040157E
0040157A  |> 31C0           XOR EAX,EAX
0040157C  |. EB 1A          JMP SHORT unpacked.00401598
0040157E  |> 8D85 00FFFFFF  LEA EAX,DWORD PTR SS:[EBP-100]
00401584  |. 50             PUSH EAX  //用户名地址
00401585  |. 53             PUSH EBX  //用户名长度
00401586  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]
00401589  |. E8 77FDFFFF    CALL unpacked.      00401305

{
00401305  /$ 55             PUSH EBP
00401306  |. 89E5           MOV EBP,ESP
00401308  |. 81EC 2C040000  SUB ESP,42C
0040130E  |. 53             PUSH EBX
0040130F  |. 56             PUSH ESI
00401310  |. 57             PUSH EDI
00401311  |. 8DBD FCFEFFFF  LEA EDI,DWORD PTR SS:[EBP-104]
00401317  |. 8D35 38204000  LEA ESI,DWORD PTR DS:[402038]
0040131D  |. B9 40000000    MOV ECX,40
00401322  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00401324  |. 8DBD E1FBFFFF  LEA EDI,DWORD PTR SS:[EBP-41F]
0040132A  |. 8D35 38214000  LEA ESI,DWORD PTR DS:[402138]
00401330  |. B9 40000000    MOV ECX,40
00401335  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00401337  |. 8DBD E1FDFFFF  LEA EDI,DWORD PTR SS:[EBP-21F]
0040133D  |. 8D35 38224000  LEA ESI,DWORD PTR DS:[402238]
00401343  |. B9 40000000    MOV ECX,40
00401348  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0040134A  |. 8DBD E1FCFFFF  LEA EDI,DWORD PTR SS:[EBP-31F]
00401350  |. 8D35 38234000  LEA ESI,DWORD PTR DS:[402338]
00401356  |. B9 40000000    MOV ECX,40
0040135B  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0040135D  |. 8DBD DCFBFFFF  LEA EDI,DWORD PTR SS:[EBP-424]
00401363  |. 8D35 38244000  LEA ESI,DWORD PTR DS:[402438]
00401369  |. B9 05000000    MOV ECX,5
0040136E  |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00401370  |. 8DBD D6FBFFFF  LEA EDI,DWORD PTR SS:[EBP-42A]
00401376  |. 8D35 3D244000  LEA ESI,DWORD PTR DS:[40243D]
0040137C  |. B9 03000000    MOV ECX,3
00401381  |. F3:66:A5       REP MOVS WORD PTR ES:[EDI],WORD PTR DS:[>
00401384  |. 8DBD E1FEFFFF  LEA EDI,DWORD PTR SS:[EBP-11F]
0040138A  |. 8D35 43244000  LEA ESI,DWORD PTR DS:[402443]
00401390  |. B9 1B000000    MOV ECX,1B
00401395  |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00401397  |. C745 FC 000000>MOV DWORD PTR SS:[EBP-4],0
0040139E  |. 68 00010000    PUSH 100                                 ; /Count = 100 (256.)
004013A3  |. 8D85 E1FCFFFF  LEA EAX,DWORD PTR SS:[EBP-31F]           ; |
004013A9  |. 50             PUSH EAX                                 ; |Buffer
004013AA  |. 6A 66          PUSH 66                                  ; |ControlID = 66 (102.)
004013AC  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]                ; |hWnd
004013AF  |. E8 84030000    CALL <JMP.&USER32.GetDlgItemTextA>       ; /GetDlgItemTextA
004013B4  |. 09C0           OR EAX,EAX
004013B6  |. 0F84 48010000  JE unpacked.00401504  //不能为空,否则挂
004013BC  |. B8 CF110000    MOV EAX,11CF
004013C1  |. 0FB68D E1FCFFF>MOVZX ECX,BYTE PTR SS:[EBP-31F]
004013C8  |. 99             CDQ
004013C9  |. F7F9           IDIV ECX
004013CB  |. 83FA 17        CMP EDX,17  //11b8=(11cf-17)必须整除注册码第一位的ASCII值,否则又挂。
004013CE  |. 74 07          JE SHORT unpacked.      004013D7
004013D0  |. 31C0           XOR EAX,EAX
004013D2  |. E9 2D010000    JMP unpacked.00401504
004013D7  |> 31DB           XOR EBX,EBX
004013D9  |. EB 0B          JMP SHORT unpacked.      004013E6
004013DB  |> 8B45 10        /MOV EAX,DWORD PTR SS:[EBP+10]
004013DE  |. 0FBE0418       |MOVSX EAX,BYTE PTR DS:[EAX+EBX]
004013E2  |. 0145 FC        |ADD DWORD PTR SS:[EBP-4],EAX
004013E5  |. 43             |INC EBX
004013E6  |> 3B5D 0C         CMP EBX,DWORD PTR SS:[EBP+C]
004013E9  |.^7C F0          /JL SHORT unpacked.      004013DB  //把用户名每位的ASCII值相加,结果在12F850
004013EB  |. 31DB           XOR EBX,EBX
004013ED  |. E9 83000000    JMP unpacked.      00401475
004013F2  |> 8B55 10        /MOV EDX,DWORD PTR SS:[EBP+10]
004013F5  |. 0FBE3C1A       |MOVSX EDI,BYTE PTR DS:[EDX+EBX]
004013F9  |. 8B75 FC        |MOV ESI,DWORD PTR SS:[EBP-4]
004013FC  |. 89D9           |MOV ECX,EBX
004013FE  |. C1E1 02        |SHL ECX,2
00401401  |. 89DA           |MOV EDX,EBX
00401403  |. 42             |INC EDX
00401404  |. 29D1           |SUB ECX,EDX
00401406  |. 0FB68C0D E1FEF>|MOVZX ECX,BYTE PTR SS:[EBP+ECX-11F]
0040140E  |. 89FA           |MOV EDX,EDI
00401410  |. 31CA           |XOR EDX,ECX
00401412  |. 89F1           |MOV ECX,ESI
00401414  |. 0FAFCB         |IMUL ECX,EBX
00401417  |. 29F1           |SUB ECX,ESI
00401419  |. 89CE           |MOV ESI,ECX
0040141B  |. 83F6 FF        |XOR ESI,FFFFFFFF
0040141E  |. 8DB432 4D01000>|LEA ESI,DWORD PTR DS:[EDX+ESI+14D]
00401425  |. 8B4D 0C        |MOV ECX,DWORD PTR SS:[EBP+C]
00401428  |. 89DA           |MOV EDX,EBX
0040142A  |. 83C2 03        |ADD EDX,3
0040142D  |. 0FAFCA         |IMUL ECX,EDX
00401430  |. 0FAFCF         |IMUL ECX,EDI
00401433  |. 89F0           |MOV EAX,ESI
00401435  |. 01C8           |ADD EAX,ECX
00401437  |. B9 0A000000    |MOV ECX,0A
0040143C  |. 31D2           |XOR EDX,EDX
0040143E  |. F7F1           |DIV ECX
00401440  |. 83C2 30        |ADD EDX,30
00401443  |. 88941D FCFEFFF>|MOV BYTE PTR SS:[EBP+EBX-104],DL
0040144A  |. 0FB6BC1D FCFEF>|MOVZX EDI,BYTE PTR SS:[EBP+EBX-104]
00401452  |. 81F7 ACAD0000  |XOR EDI,0ADAC
00401458  |. 89DE           |MOV ESI,EBX
0040145A  |. 83C6 02        |ADD ESI,2
0040145D  |. 89F8           |MOV EAX,EDI
0040145F  |. 0FAFC6         |IMUL EAX,ESI
00401462  |. B9 0A000000    |MOV ECX,0A
00401467  |. 99             |CDQ
00401468  |. F7F9           |IDIV ECX
0040146A  |. 83C2 30        |ADD EDX,30
0040146D  |. 88941D FCFEFFF>|MOV BYTE PTR SS:[EBP+EBX-104],DL
00401474  |. 43             |INC EBX
00401475  |> 3B5D 0C         CMP EBX,DWORD PTR SS:[EBP+C]
00401478  |.^0F8C 74FFFFFF  /JL unpacked.      004013F2  //一系列运算得到部分中间注册码
0040147E  |. 8D85 FCFEFFFF  LEA EAX,DWORD PTR SS:[EBP-104]
00401484  |. 50             PUSH EAX
00401485  |. 6A 54          PUSH 54
00401487  |. 8D85 DCFBFFFF  LEA EAX,DWORD PTR SS:[EBP-424]
0040148D  |. 50             PUSH EAX                                 ; |Format
0040148E  |. 8D85 E1FBFFFF  LEA EAX,DWORD PTR SS:[EBP-41F]           ; |
00401494  |. 50             PUSH EAX                                 ; |s
00401495  |. E8 CE020000    CALL <JMP.&USER32.wsprintfA>             ; /wsprintfA//写成'T'+部分中间注册码,我的是T4095
0040149A  |. 8B7D 0C        MOV EDI,DWORD PTR SS:[EBP+C]  //用户名长度
0040149D  |. 89F8           MOV EAX,EDI
0040149F  |. 0FAF45 FC      IMUL EAX,DWORD PTR SS:[EBP-4]  //12F850里用户名每位的ASCII值相加结果
004014A3  |. B9 64000000    MOV ECX,64
004014A8  |. 99             CDQ
004014A9  |. F7F9           IDIV ECX
004014AB  |. 89D7           MOV EDI,EDX
004014AD  |. 83C7 30        ADD EDI,30
004014B0  |. 57             PUSH EDI  //这个后面有用,我的是0x30=48(dec)
004014B1  |. 8DBD E1FBFFFF  LEA EDI,DWORD PTR SS:[EBP-41F]
004014B7  |. 57             PUSH EDI
004014B8  |. 8DBD D6FBFFFF  LEA EDI,DWORD PTR SS:[EBP-42A]
004014BE  |. 57             PUSH EDI                                 ; |Format
004014BF  |. 8DBD E1FDFFFF  LEA EDI,DWORD PTR SS:[EBP-21F]           ; |
004014C5  |. 57             PUSH EDI                                 ; |s
004014C6  |. E8 9D020000    CALL <JMP.&USER32.wsprintfA>             ; /wsprintfA//前面得到的'T'+中间注册码+'-'+前面计算得的一个EDI的十进制形式,所以我的是'T4095-48'.
004014CB  |. 83C4 20        ADD ESP,20
004014CE  |. 8D8D E1FDFFFF  LEA ECX,DWORD PTR SS:[EBP-21F]
004014D4  |. 83C8 FF        OR EAX,FFFFFFFF
004014D7  |> 40             /INC EAX
004014D8  |. 803C01 00      |CMP BYTE PTR DS:[ECX+EAX],0
004014DC  |.^75 F9          /JNZ SHORT unpacked.      004014D7
004014DE  |. 50             PUSH EAX                                 ; /Arg3//中间注册码长度
004014DF  |. 8D85 E1FCFFFF  LEA EAX,DWORD PTR SS:[EBP-31F]           ; |
004014E5  |. 50             PUSH EAX                                 ; |Arg2//假注册码
004014E6  |. 8D85 E1FDFFFF  LEA EAX,DWORD PTR SS:[EBP-21F]           ; |
004014EC  |. 50             PUSH EAX                                 ; |Arg1//中间注册码
004014ED  |. E8 D0FDFFFF    CALL unpacked.              004012C2     ; /unpacked.              004012C2

{
004012C2  /$ 55             PUSH EBP
004012C3  |. 89E5           MOV EBP,ESP
004012C5  |. 53             PUSH EBX
004012C6  |. 56             PUSH ESI
004012C7  |. 57             PUSH EDI
004012C8  |. 8B5D 10        MOV EBX,DWORD PTR SS:[EBP+10]
004012CB  |. 31F6           XOR ESI,ESI
004012CD  |. 46             INC ESI
004012CE  |. EB 29          JMP SHORT unpacked.              004012F9
004012D0  |> 8B55 08        /MOV EDX,DWORD PTR SS:[EBP+8]
004012D3  |. 0FBE3C32       |MOVSX EDI,BYTE PTR DS:[EDX+ESI]
004012D7  |. 89F8           |MOV EAX,EDI
004012D9  |. 83F0 20        |XOR EAX,20
004012DC  |. B9 0A000000    |MOV ECX,0A
004012E1  |. 99             |CDQ
004012E2  |. F7F9           |IDIV ECX
004012E4  |. 89D7           |MOV EDI,EDX
004012E6  |. 83C7 30        |ADD EDI,30
004012E9  |. 8B55 0C        |MOV EDX,DWORD PTR SS:[EBP+C]
004012EC  |. 0FBE1432       |MOVSX EDX,BYTE PTR DS:[EDX+ESI]
004012F0  |. 39D7           |CMP EDI,EDX    //关键比较,将中间注册码还原为真注册码逐位比较
004012F2     74 04          |JE SHORT unpacked.              004012F8
//我把它改成JNE,然后一位位看,也可以直接到栈的12F534直接看,就是换成数字,还有顺序问题.
004012F4  |. 31C0           |XOR EAX,EAX
004012F6  |. EB 08          |JMP SHORT unpacked.00401300
004012F8  |> 46             |INC ESI
004012F9  |> 39DE            CMP ESI,EBX
004012FB  |.^7C D3          /JL SHORT unpacked.              004012D0
004012FD  |. 31C0           XOR EAX,EAX
004012FF  |. 40             INC EAX
00401300  |> 5F             POP EDI
00401301  |. 5E             POP ESI
00401302  |. 5B             POP EBX
00401303  |. 5D             POP EBP
00401304  /. C3             RETN
}

004014F2  |. 83C4 0C        ADD ESP,0C
004014F5  |. 83F8 00        CMP EAX,0
004014F8  |. 75 07          JNZ SHORT unpacked.00401501
004014FA  |. B8 00000000    MOV EAX,0
004014FF  |. EB 03          JMP SHORT unpacked.00401504
00401501  |> 31C0           XOR EAX,EAX
00401503  |. 40             INC EAX
00401504  |> 5F             POP EDI
00401505  |. 5E             POP ESI
00401506  |. 5B             POP EBX
00401507  |. C9             LEAVE
00401508  /. C3             RETN
}

0040158E  |. 83C4 0C        ADD ESP,0C
00401591  |. 09C0           OR EAX,EAX
00401593  |. 74 03          JE SHORT unpacked.00401598
00401595  |. 31C0           XOR EAX,EAX
00401597  |. 40             INC EAX
00401598  |> 5F             POP EDI
00401599  |. 5E             POP ESI
0040159A  |. 5B             POP EBX
0040159B  |. C9             LEAVE
0040159C  /. C3             RETN


整个过程都是以EAX是否为0为标记,错误则置0.

下面是VC的注册机:

#include"stdafx.h"
#include<stdio.h>
#include<string.h>
#include<windows.h>

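/* Alphabet table the target copies into its frame at EBP-11F
 * (disassembly 00401384..00401395); the mixing loop indexes it at 3*i-1. */
static const char KEY_TABLE[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

enum {
    NAME_MIN = 3,     /* lengths outside 3..9 fail the EDI range check at 0040156A..00401578 */
    NAME_MAX = 9,
    MID_CAP = 32,     /* "T" + up to 9 digits + "-" + up to 3 digits + NUL fits easily */
    INPUT_CAP = 64    /* keep in sync with the "%63s" width used by scanf in main */
};

/* Sum of the name's bytes, each sign-extended like the MOVSX in the loop at 004013DB. */
static int name_checksum(const char *name, size_t len)
{
    int sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum += (signed char)name[i];
    }
    return sum;
}

/* Builds the intermediate serial "T<digits>-<n>" that the target's routine at
 * 00401305 constructs from the name and later compares against the typed serial.
 * name/len: the user name (len must be <= NAME_MAX, else out is set to "").
 * out/outsz: destination buffer; always NUL-terminated when outsz > 0. */
static void make_mid_serial(const char *name, size_t len, char *out, size_t outsz)
{
    char digits[NAME_MAX + 1];

    if (outsz == 0) {
        return;
    }
    if (len > NAME_MAX) {
        out[0] = '\0';
        return;
    }

    int sum = name_checksum(name, len);
    int ilen = (int)len;

    for (int i = 0; i < ilen; i++) {
        int c = (signed char)name[i];                 /* MOVSX at 004013F5 */
        /* The target reads the table at offset 3*i-1 (ECX = 4*i - (i+1)). For i == 0
         * that is the byte just below the table; the author's sample output
         * (T4095-48 for "4nil") is consistent with that byte being 0. The original
         * keygen read KEY_TABLE[-1] here, which is out of bounds. */
        int t = (i == 0) ? 0 : KEY_TABLE[3 * i - 1];
        /* 004013FC..0040141E: (t ^ c) + ~(sum*i - sum) + 0x14d */
        int esi = (t ^ c) + ~(sum * i - sum) + 0x14d;
        /* 00401425..00401430: (i + 3) * len * c */
        int ecx = (i + 3) * ilen * c;
        /* 0040143C..00401440 is an unsigned DIV (EDX zeroed first), so reduce as uint32;
         * a signed % would differ whenever esi + ecx goes negative. */
        unsigned d1 = (unsigned)(esi + ecx) % 10u + 0x30u;
        /* 0040144A..00401452: zero-extend the stored byte, XOR with 0xADAC */
        int edi = (int)(d1 & 0xffu) ^ 0x0adac;
        /* 00401458..0040146A: signed IDIV by 10 of (i + 2) * edi */
        digits[i] = (char)(((i + 2) * edi) % 10 + 0x30);
    }
    digits[ilen] = '\0';

    /* 0040149A..004014AD: (len * sum) % 100 + '0', appended in decimal after '-' */
    int tail = (ilen * sum) % 0x64 + 0x30;
    snprintf(out, outsz, "T%s-%d", digits, tail);
}

/* Derives a serial the target accepts from the intermediate one.
 * The first character only has to satisfy 0x11cf % c == 0x17 (004013BC..004013CB)
 * and the comparison loop at 004012D0 starts at index 1, so '6' (0x11cf % 54 == 0x17)
 * is a fixed valid choice; every later character must equal ((mid[i] ^ 0x20) % 10) + '0'
 * (004012D3..004012F0). out is truncated to outsz-1 characters and NUL-terminated. */
static void mid_to_serial(const char *mid, char *out, size_t outsz)
{
    if (outsz == 0) {
        return;
    }
    size_t n = strlen(mid);
    if (n >= outsz) {
        n = outsz - 1;
    }
    for (size_t i = 0; i < n; i++) {
        out[i] = (i == 0) ? '6' : (char)(((mid[i] ^ 0x20) % 10) + 0x30);
    }
    out[n] = '\0';
}

/* Entry point: prompts for a name of 3..9 characters and prints a matching serial.
 * Returns 0 on success, 1 if stdin ends before a name is read. */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    char input[INPUT_CAP];
    char mid[MID_CAP];
    char serial[MID_CAP];

    printf("please enter your name:\n");
    /* Width bounds the read to INPUT_CAP-1 bytes; the original unbounded %s into
     * a 10-byte buffer overflowed on long input. */
    if (scanf("%63s", input) != 1) {
        return 1;
    }
    size_t len = strlen(input);
    while (len > NAME_MAX || len < NAME_MIN) {
        printf("the length of char mest be between 3 and 9,please enter your name again:\n");
        if (scanf("%63s", input) != 1) {
            return 1;
        }
        len = strlen(input);
    }

    make_mid_serial(input, len, mid, sizeof mid);
    mid_to_serial(mid, serial, sizeof serial);

    printf("your serial:\n%s\n", serial);
    return 0;
}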