Simple Disassembly: Analysis of CrackMe6 and a VC Keygen
2010-03-03 22:27
This crackme's algorithm is decent: it compares against an intermediate registration code rather than the serial itself.
I opened the program and tried registering; no error message appeared.
First check whether it is packed: ASPack 2.x (without poly) -> Alexey Solodovnikov [Overlay]
Drag it onto the AspackDie 1.41 icon. Unpacking reports some minor problems; answer Yes to all of them.
The program opens, so that is good enough: unpacking succeeded.
On to the next step.
Load it in W32Dasm to see which function it uses to fetch the strings. The familiar GetDlgItemTextA shows up, so there is no need to look at anything else: load it directly in OD (OllyDbg), set BP GetDlgItemTextA, press F9 to run, and enter a user name and a fake serial.
name: 4nil, fake serial: 78787878. After pressing CHECK the breakpoint hits; press ALT+F9 to return to the program's own code. Press F2 to set a breakpoint on the instruction after GetDlgItemTextA so that next time we can start from there. Let's look at the code first.

```
00401528 |. 68 00010000      PUSH 100                                 ; /Count = 100 (256.)
0040152D |. 8D85 00FFFFFF    LEA EAX,DWORD PTR SS:[EBP-100]           ; |
00401533 |. 50               PUSH EAX                                 ; |Buffer
00401534 |. 6A 65            PUSH 65                                  ; |ControlID = 65 (101.)
00401536 |. FF75 08          PUSH DWORD PTR SS:[EBP+8]                ; |hWnd
00401539 |. E8 FA010000      CALL <JMP.&USER32.GetDlgItemTextA>       ; \GetDlgItemTextA
0040153E |. 89C3             MOV EBX,EAX
00401540 |. 09DB             OR EBX,EBX
00401542 |. 75 04            JNZ SHORT unpacked.00401548              // jump if the name is not empty, otherwise fail
00401544 |. 31C0             XOR EAX,EAX
00401546 |. EB 50            JMP SHORT unpacked.00401598
00401548 |> BF BC020000      MOV EDI,2BC
0040154D |. BE 30000000      MOV ESI,30
00401552 |. B8 48000000      MOV EAX,48
00401557 |. 99               CDQ
00401558 |. F7FB             IDIV EBX
0040155A |. 29C6             SUB ESI,EAX
0040155C |. 8D34B6           LEA ESI,DWORD PTR DS:[ESI+ESI*4]
0040155F |. 29F7             SUB EDI,ESI
00401561 |. 6BFF 6B          IMUL EDI,EDI,6B
00401564 |. 81EF 6CCF0000    SUB EDI,0CF6C
0040156A |. 81FF 00230000    CMP EDI,2300                             // EDI=(2bc-(30-48/namelen)*5)*6b-cf6c; EDI must lie between 190 and 2300, otherwise fail
00401570 |. 7F 08            JG SHORT unpacked.0040157A
00401572 |. 81FF 90010000    CMP EDI,190
00401578 |. 7D 04            JGE SHORT unpacked.0040157E
0040157A |> 31C0             XOR EAX,EAX
0040157C |. EB 1A            JMP SHORT unpacked.00401598
0040157E |> 8D85 00FFFFFF    LEA EAX,DWORD PTR SS:[EBP-100]
00401584 |. 50               PUSH EAX                                 // address of the name
00401585 |. 53               PUSH EBX                                 // length of the name
00401586 |. FF75 08          PUSH DWORD PTR SS:[EBP+8]
00401589 |. E8 77FDFFFF      CALL unpacked.00401305
{
00401305 /$ 55               PUSH EBP
00401306 |. 89E5             MOV EBP,ESP
00401308 |. 81EC 2C040000    SUB ESP,42C
0040130E |. 53               PUSH EBX
0040130F |. 56               PUSH ESI
00401310 |. 57               PUSH EDI
00401311 |. 8DBD FCFEFFFF    LEA EDI,DWORD PTR SS:[EBP-104]
00401317 |. 8D35 38204000    LEA ESI,DWORD PTR DS:[402038]
0040131D |. B9 40000000      MOV ECX,40
00401322 |. F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00401324 |. 8DBD E1FBFFFF    LEA EDI,DWORD PTR SS:[EBP-41F]
0040132A |. 8D35 38214000    LEA ESI,DWORD PTR DS:[402138]
00401330 |. B9 40000000      MOV ECX,40
00401335 |. F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00401337 |. 8DBD E1FDFFFF    LEA EDI,DWORD PTR SS:[EBP-21F]
0040133D |. 8D35 38224000    LEA ESI,DWORD PTR DS:[402238]
00401343 |. B9 40000000      MOV ECX,40
00401348 |. F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0040134A |. 8DBD E1FCFFFF    LEA EDI,DWORD PTR SS:[EBP-31F]
00401350 |. 8D35 38234000    LEA ESI,DWORD PTR DS:[402338]
00401356 |. B9 40000000      MOV ECX,40
0040135B |. F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
0040135D |. 8DBD DCFBFFFF    LEA EDI,DWORD PTR SS:[EBP-424]
00401363 |. 8D35 38244000    LEA ESI,DWORD PTR DS:[402438]
00401369 |. B9 05000000      MOV ECX,5
0040136E |. F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00401370 |. 8DBD D6FBFFFF    LEA EDI,DWORD PTR SS:[EBP-42A]
00401376 |. 8D35 3D244000    LEA ESI,DWORD PTR DS:[40243D]
0040137C |. B9 03000000      MOV ECX,3
00401381 |. F3:66:A5         REP MOVS WORD PTR ES:[EDI],WORD PTR DS:[>
00401384 |. 8DBD E1FEFFFF    LEA EDI,DWORD PTR SS:[EBP-11F]
0040138A |. 8D35 43244000    LEA ESI,DWORD PTR DS:[402443]
00401390 |. B9 1B000000      MOV ECX,1B
00401395 |. F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00401397 |. C745 FC 000000>  MOV DWORD PTR SS:[EBP-4],0
0040139E |. 68 00010000      PUSH 100                                 ; /Count = 100 (256.)
004013A3 |. 8D85 E1FCFFFF    LEA EAX,DWORD PTR SS:[EBP-31F]           ; |
004013A9 |. 50               PUSH EAX                                 ; |Buffer
004013AA |. 6A 66            PUSH 66                                  ; |ControlID = 66 (102.)
004013AC |. FF75 08          PUSH DWORD PTR SS:[EBP+8]                ; |hWnd
004013AF |. E8 84030000      CALL <JMP.&USER32.GetDlgItemTextA>       ; \GetDlgItemTextA
004013B4 |. 09C0             OR EAX,EAX
004013B6 |. 0F84 48010000    JE unpacked.00401504                     // the serial must not be empty, otherwise fail
004013BC |. B8 CF110000      MOV EAX,11CF
004013C1 |. 0FB68D E1FCFFF>  MOVZX ECX,BYTE PTR SS:[EBP-31F]
004013C8 |. 99               CDQ
004013C9 |. F7F9             IDIV ECX
004013CB |. 83FA 17          CMP EDX,17                               // 11b8 (= 11cf-17) must be divisible by the ASCII value of the first serial character, otherwise fail again
004013CE |. 74 07            JE SHORT unpacked.004013D7
004013D0 |. 31C0             XOR EAX,EAX
004013D2 |. E9 2D010000      JMP unpacked.00401504
004013D7 |> 31DB             XOR EBX,EBX
004013D9 |. EB 0B            JMP SHORT unpacked.004013E6
004013DB |> 8B45 10          /MOV EAX,DWORD PTR SS:[EBP+10]
004013DE |. 0FBE0418         |MOVSX EAX,BYTE PTR DS:[EAX+EBX]
004013E2 |. 0145 FC          |ADD DWORD PTR SS:[EBP-4],EAX
004013E5 |. 43               |INC EBX
004013E6 |> 3B5D 0C           CMP EBX,DWORD PTR SS:[EBP+C]
004013E9 |.^7C F0            \JL SHORT unpacked.004013DB              // add up the ASCII values of all name characters; the result is at 12F850
004013EB |. 31DB             XOR EBX,EBX
004013ED |. E9 83000000      JMP unpacked.00401475
004013F2 |> 8B55 10          /MOV EDX,DWORD PTR SS:[EBP+10]
004013F5 |. 0FBE3C1A         |MOVSX EDI,BYTE PTR DS:[EDX+EBX]
004013F9 |. 8B75 FC          |MOV ESI,DWORD PTR SS:[EBP-4]
004013FC |. 89D9             |MOV ECX,EBX
004013FE |. C1E1 02          |SHL ECX,2
00401401 |. 89DA             |MOV EDX,EBX
00401403 |. 42               |INC EDX
00401404 |. 29D1             |SUB ECX,EDX
00401406 |. 0FB68C0D E1FEF>  |MOVZX ECX,BYTE PTR SS:[EBP+ECX-11F]
0040140E |. 89FA             |MOV EDX,EDI
00401410 |. 31CA             |XOR EDX,ECX
00401412 |. 89F1             |MOV ECX,ESI
00401414 |. 0FAFCB           |IMUL ECX,EBX
00401417 |. 29F1             |SUB ECX,ESI
00401419 |. 89CE             |MOV ESI,ECX
0040141B |. 83F6 FF          |XOR ESI,FFFFFFFF
0040141E |. 8DB432 4D01000>  |LEA ESI,DWORD PTR DS:[EDX+ESI+14D]
00401425 |. 8B4D 0C          |MOV ECX,DWORD PTR SS:[EBP+C]
00401428 |. 89DA             |MOV EDX,EBX
0040142A |. 83C2 03          |ADD EDX,3
0040142D |. 0FAFCA           |IMUL ECX,EDX
00401430 |. 0FAFCF           |IMUL ECX,EDI
00401433 |. 89F0             |MOV EAX,ESI
00401435 |. 01C8             |ADD EAX,ECX
00401437 |. B9 0A000000      |MOV ECX,0A
0040143C |. 31D2             |XOR EDX,EDX
0040143E |. F7F1             |DIV ECX
00401440 |. 83C2 30          |ADD EDX,30
00401443 |. 88941D FCFEFFF>  |MOV BYTE PTR SS:[EBP+EBX-104],DL
0040144A |. 0FB6BC1D FCFEF>  |MOVZX EDI,BYTE PTR SS:[EBP+EBX-104]
00401452 |. 81F7 ACAD0000    |XOR EDI,0ADAC
00401458 |. 89DE             |MOV ESI,EBX
0040145A |. 83C6 02          |ADD ESI,2
0040145D |. 89F8             |MOV EAX,EDI
0040145F |. 0FAFC6           |IMUL EAX,ESI
00401462 |. B9 0A000000      |MOV ECX,0A
00401467 |. 99               |CDQ
00401468 |. F7F9             |IDIV ECX
0040146A |. 83C2 30          |ADD EDX,30
0040146D |. 88941D FCFEFFF>  |MOV BYTE PTR SS:[EBP+EBX-104],DL
00401474 |. 43               |INC EBX
00401475 |> 3B5D 0C           CMP EBX,DWORD PTR SS:[EBP+C]
00401478 |.^0F8C 74FFFFFF    \JL unpacked.004013F2                    // this series of operations produces part of the intermediate code
0040147E |. 8D85 FCFEFFFF    LEA EAX,DWORD PTR SS:[EBP-104]
00401484 |. 50               PUSH EAX
00401485 |. 6A 54            PUSH 54
00401487 |. 8D85 DCFBFFFF    LEA EAX,DWORD PTR SS:[EBP-424]
0040148D |. 50               PUSH EAX                                 ; |Format
0040148E |. 8D85 E1FBFFFF    LEA EAX,DWORD PTR SS:[EBP-41F]           ; |
00401494 |. 50               PUSH EAX                                 ; |s
00401495 |. E8 CE020000      CALL <JMP.&USER32.wsprintfA>             ; \wsprintfA  // writes 'T' + the partial intermediate code; mine is T4095
0040149A |. 8B7D 0C          MOV EDI,DWORD PTR SS:[EBP+C]             // name length
0040149D |. 89F8             MOV EAX,EDI
0040149F |. 0FAF45 FC        IMUL EAX,DWORD PTR SS:[EBP-4]            // the sum of the name's ASCII values kept at 12F850
004014A3 |. B9 64000000      MOV ECX,64
004014A8 |. 99               CDQ
004014A9 |. F7F9             IDIV ECX
004014AB |. 89D7             MOV EDI,EDX
004014AD |. 83C7 30          ADD EDI,30
004014B0 |. 57               PUSH EDI                                 // used further down; mine is 0x30 = 48 (dec)
004014B1 |. 8DBD E1FBFFFF    LEA EDI,DWORD PTR SS:[EBP-41F]
004014B7 |. 57               PUSH EDI
004014B8 |. 8DBD D6FBFFFF    LEA EDI,DWORD PTR SS:[EBP-42A]
004014BE |. 57               PUSH EDI                                 ; |Format
004014BF |. 8DBD E1FDFFFF    LEA EDI,DWORD PTR SS:[EBP-21F]           ; |
004014C5 |. 57               PUSH EDI                                 ; |s
004014C6 |. E8 9D020000      CALL <JMP.&USER32.wsprintfA>             ; \wsprintfA  // 'T' + intermediate code from above + '-' + the EDI computed above in decimal, so mine is 'T4095-48'
004014CB |. 83C4 20          ADD ESP,20
004014CE |. 8D8D E1FDFFFF    LEA ECX,DWORD PTR SS:[EBP-21F]
004014D4 |. 83C8 FF          OR EAX,FFFFFFFF
004014D7 |> 40               /INC EAX
004014D8 |. 803C01 00        |CMP BYTE PTR DS:[ECX+EAX],0
004014DC |.^75 F9            \JNZ SHORT unpacked.004014D7
004014DE |. 50               PUSH EAX                                 ; /Arg3  // length of the intermediate code
004014DF |. 8D85 E1FCFFFF    LEA EAX,DWORD PTR SS:[EBP-31F]           ; |
004014E5 |. 50               PUSH EAX                                 ; |Arg2  // the fake serial
004014E6 |. 8D85 E1FDFFFF    LEA EAX,DWORD PTR SS:[EBP-21F]           ; |
004014EC |. 50               PUSH EAX                                 ; |Arg1  // the intermediate code
004014ED |. E8 D0FDFFFF      CALL unpacked.004012C2                   ; \unpacked.004012C2
{
004012C2 /$ 55               PUSH EBP
004012C3 |. 89E5             MOV EBP,ESP
004012C5 |. 53               PUSH EBX
004012C6 |. 56               PUSH ESI
004012C7 |. 57               PUSH EDI
004012C8 |. 8B5D 10          MOV EBX,DWORD PTR SS:[EBP+10]
004012CB |. 31F6             XOR ESI,ESI
004012CD |. 46               INC ESI
004012CE |. EB 29            JMP SHORT unpacked.004012F9
004012D0 |> 8B55 08          /MOV EDX,DWORD PTR SS:[EBP+8]
004012D3 |. 0FBE3C32         |MOVSX EDI,BYTE PTR DS:[EDX+ESI]
004012D7 |. 89F8             |MOV EAX,EDI
004012D9 |. 83F0 20          |XOR EAX,20
004012DC |. B9 0A000000      |MOV ECX,0A
004012E1 |. 99               |CDQ
004012E2 |. F7F9             |IDIV ECX
004012E4 |. 89D7             |MOV EDI,EDX
004012E6 |. 83C7 30          |ADD EDI,30
004012E9 |. 8B55 0C          |MOV EDX,DWORD PTR SS:[EBP+C]
004012EC |. 0FBE1432         |MOVSX EDX,BYTE PTR DS:[EDX+ESI]
004012F0 |. 39D7             |CMP EDI,EDX                             // the key comparison: the intermediate code is turned back into the real serial and compared character by character
004012F2    74 04            |JE SHORT unpacked.004012F8              // I changed this to JNE and then looked at it one character at a time; you can also look directly at the stack at 12F534, it is just converted to digits, and there is also an ordering issue
004012F4 |. 31C0             |XOR EAX,EAX
004012F6 |. EB 08            |JMP SHORT unpacked.00401300
004012F8 |> 46               |INC ESI
004012F9 |> 39DE              CMP ESI,EBX
004012FB |.^7C D3            \JL SHORT unpacked.004012D0
004012FD |. 31C0             XOR EAX,EAX
004012FF |. 40               INC EAX
00401300 |> 5F               POP EDI
00401301 |. 5E               POP ESI
00401302 |. 5B               POP EBX
00401303 |. 5D               POP EBP
00401304 \. C3               RETN
}
004014F2 |. 83C4 0C          ADD ESP,0C
004014F5 |. 83F8 00          CMP EAX,0
004014F8 |. 75 07            JNZ SHORT unpacked.00401501
004014FA |. B8 00000000      MOV EAX,0
004014FF |. EB 03            JMP SHORT unpacked.00401504
00401501 |> 31C0             XOR EAX,EAX
00401503 |. 40               INC EAX
00401504 |> 5F               POP EDI
00401505 |. 5E               POP ESI
00401506 |. 5B               POP EBX
00401507 |. C9               LEAVE
00401508 \. C3               RETN
}
0040158E |. 83C4 0C          ADD ESP,0C
00401591 |. 09C0             OR EAX,EAX
00401593 |. 74 03            JE SHORT unpacked.00401598
00401595 |. 31C0             XOR EAX,EAX
00401597 |. 40               INC EAX
00401598 |> 5F               POP EDI
00401599 |. 5E               POP ESI
0040159A |. 5B               POP EBX
0040159B |. C9               LEAVE
0040159C \. C3               RETN
```
The whole process uses EAX as the result flag: on any failure EAX is set to 0.
Below is the VC keygen:
```c
#include <stdio.h>
#include <string.h>
#include <windows.h>

int main(int argc, char* argv[])
{
    char name[64];
    char table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    int i;

    printf("please enter your name:\n");
    scanf("%63s", name);
    long lg = strlen(name);
    while (lg > 9 || lg < 3) {
        printf("the length of the name must be between 3 and 9, please enter your name again:\n");
        scanf("%63s", name);
        lg = strlen(name);
    }

    /* [EBP-4]: the sum of the ASCII values of the name */
    int ebp_c = 0;
    for (i = 0; i < lg; i++) {
        ebp_c += name[i];
    }

    /* loop 004013F2-00401478: one digit of the intermediate code per name character */
    char res[20];
    for (i = 0; i < lg; i++) {
        int idx = (i << 2) - (i + 1);   /* = 3*i-1, which is -1 for i == 0 */
        /* the original keygen read table[-1] here (out of bounds); the byte the target
           reads at that position is not in the listing and is assumed to be 0 */
        char t = (idx < 0) ? 0 : table[idx];
        int _esi = (t ^ (name[i])) + ((ebp_c * i - ebp_c) ^ 0xFFFFFFFF) + 0x14d;
        int _ecx = (i + 3) * lg * name[i];
        /* DIV ECX at 0040143E is unsigned, IDIV ECX at 00401468 is signed */
        int _edi = (LOBYTE((unsigned)(_esi + _ecx) % 10 + 0x30)) ^ 0x0adac;
        res[i] = LOBYTE(((i + 2) * _edi) % 10 + 0x30);
    }
    res[lg] = '\0';

    /* 'T' + partial intermediate code, then "-" + ((len*sum) % 100 + 0x30) in decimal */
    char names[32];
    wsprintf(names, "%c%s", 0x54, res);
    long t = ((lg * ebp_c) % 0x64) + 0x30;
    char mdiSer[40];
    wsprintf(mdiSer, "%s-%ld", names, t);
    int mdiLen = strlen(mdiSer);

    /* invert the compare at 004012C2: position 0 is never compared, so it is fixed to '6'
       (11CF mod '6' == 17h), then one digit per remaining position */
    char ser[40] = {'6'};
    for (i = 1; i < mdiLen; i++) {
        ser[i] = ((mdiSer[i] ^ 0x20) % 10) + 0x30;
    }
    ser[mdiLen] = '\0';
    printf("your serial:\n%s\n", ser);
    return 0;
}
```
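The other side of the keygen, as an added example in C (not code from the original post or from the crackme): the validation routine reconstructed from the listing above, so a generated name/serial pair can be checked offline without the target. It mirrors the length window, the first-character test and the per-position compare of 004012C2; the byte the target reads at table index -1 (i = 0) is not visible in the listing and is assumed to be 0.

```c
#include <stdio.h>
#include <string.h>

/* Letter table the target copies to [EBP-11F] (0x1B bytes). */
static const char TABLE[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

/* 00401548-00401578: EDI = (2BC-(30-48/len)*5)*6B-CF6C must lie in [190h, 2300h]. */
static int length_ok(int len)
{
    int edi = (0x2BC - (0x30 - 0x48 / len) * 5) * 0x6B - 0xCF6C;
    return edi >= 0x190 && edi <= 0x2300;
}

/* 004013D7-004014C6: build the intermediate code "T<digits>-<n>" from the name.
   Returns 0 when the name length is outside 1..9 (check_serial tests length_ok first). */
int intermediate_code(const char *name, char *out, size_t outsz)
{
    int len = (int)strlen(name), sum = 0, i;
    char digits[16];
    if (len < 1 || len > 9) return 0;
    for (i = 0; i < len; i++) sum += name[i];            /* [EBP-4]: sum of the ASCII values */
    for (i = 0; i < len; i++) {
        int idx = 3 * i - 1;                              /* (EBX<<2)-(EBX+1) */
        int t = idx < 0 ? 0 : TABLE[idx];                 /* idx is -1 at i == 0: that byte is assumed 0 */
        int esi = (t ^ name[i]) + ~(sum * i - sum) + 0x14D;
        int ecx = len * (i + 3) * name[i];
        int d = (int)((unsigned)(esi + ecx) % 10u) + 0x30; /* DIV ECX is unsigned */
        d ^= 0xADAC;
        digits[i] = (char)(((i + 2) * d) % 10 + 0x30);    /* IDIV ECX is signed */
    }
    digits[len] = '\0';
    snprintf(out, outsz, "T%s-%d", digits, (len * sum) % 100 + 0x30);
    return 1;
}

/* Empty-field tests, length window, first-character test (004013BC: 11CF mod c == 17h),
   then the per-position compare of 004012C2; position 0 is never compared. */
int check_serial(const char *name, const char *serial)
{
    char mid[32];
    size_t i, n;
    if (name[0] == '\0' || serial[0] == '\0') return 0;
    if (!length_ok((int)strlen(name))) return 0;
    if (0x11CF % (unsigned char)serial[0] != 0x17) return 0;
    intermediate_code(name, mid, sizeof mid);
    n = strlen(mid);
    for (i = 1; i < n; i++)   /* a short serial fails at its NUL, so nothing is read past it */
        if ((unsigned char)serial[i] != ((mid[i] ^ 0x20) % 10) + 0x30) return 0;
    return 1;
}
```

For the post's name 4nil this computes the intermediate code T4905-48 and accepts the serial 60561304; the fake serial 78787878 fails at the first-character test.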