
Cracking a CrackMe that has to be followed with Run trace

Source: reprint  Author: anonymous  Date: 2009-06-16
【Title】: Cracking a CrackMe that has to be followed with Run trace
  【Author】: bxm
  【Author's e-mail】: bxm78@163.com
  【Protection】: name, serial
  【Language】: Borland C++
  【Tools】: PEiD, OllyDbg
  【Platform】: Windows XP
  【Author's note】: Purely out of interest, no other purpose. Please correct me where I have made mistakes!

  --------------------------------------------------------------------------------

  【Detailed walkthrough】

  Checked it with PEiD: no packer. Ran it, entered a name and a serial: no message of any kind. Loaded it in OllyDbg and searched the strings: nothing useful. Breakpoints on GetWindowTextA and GetDlgItemTextA never hit, and message breakpoints did not seem to work either, so I had to fall back on Run trace. In the end I settled on an ordinary breakpoint at [0040160A]. The detailed analysis follows:

  0040160A |. 8D45 D4 lea eax, [ebp-2C]
  0040160D |. 8D55 EC lea edx, [ebp-14]
  00401610 |. E8 C3E10000 call 0040F7D8 ; Call 1: checks the first 3 characters of serial; if they are the string "CA-", AL is set to 1, otherwise 0
  00401615 |. 50 push eax ; /Arg1
  00401616 |. FF4D 9C dec dword ptr [ebp-64] ; |
  00401619 |. 8D45 D4 lea eax, [ebp-2C] ; |
  0040161C |. BA 02000000 mov edx, 2 ; |
  00401621 |. E8 D2E00000 call 0040F6F8 ; \Crackme-.0040F6F8
  00401626 |. 59 pop ecx
  00401627 |. 84C9 test cl, cl ; CL holds the AL value returned by Call 1 above
  00401629 0F84 26030000 je 00401955 ; mismatch, game over
  0040162F |. 66:C745 90 98>mov word ptr [ebp-70], 98
  00401635 |. 8D45 D0 lea eax, [ebp-30]
  00401638 |. E8 BB030000 call 004019F8
  0040163D |. 50 push eax
  0040163E |. FF45 9C inc dword ptr [ebp-64]
  00401641 |. 8D45 F8 lea eax, [ebp-8]
  00401644 |. E8 09E30000 call 0040F952
  00401649 |. 8BD0 mov edx, eax ; |
  0040164B |. 83C2 FC add edx, -4 ; |
  0040164E |. 8D45 F8 lea eax, [ebp-8] ; |
  00401651 |. B9 05000000 mov ecx, 5 ; |
  00401656 |. E8 18EB0000 call 00410173 ; \Crackme-.00410173
  0040165B |. 8D45 D0 lea eax, [ebp-30]
  0040165E |. 8D55 E8 lea edx, [ebp-18]
  00401661 |. E8 72E10000 call 0040F7D8 ; Call 2: checks the last 5 characters of serial; if they are the string "-3914", AL is set to 1, otherwise 0
  00401666 |. 50 push eax ; /Arg1
  00401667 |. FF4D 9C dec dword ptr [ebp-64] ; |
  0040166A |. 8D45 D0 lea eax, [ebp-30] ; |
  0040166D |. BA 02000000 mov edx, 2 ; |
  00401672 |. E8 81E00000 call 0040F6F8 ; \Crackme-.0040F6F8
  00401677 |. 59 pop ecx
  00401678 |. 84C9 test cl, cl ; CL holds the AL value returned by Call 2 above
  0040167A 0F84 D5020000 je 00401955 ; mismatch, game over
  00401680 |. 33C0 xor eax, eax
  00401682 |. 8985 74FFFFFF mov [ebp-8C], eax
  00401688 |. 66:C745 90 14>mov word ptr [ebp-70], 14
  0040168E |. 33D2 xor edx, edx
  00401690 |. 8995 70FFFFFF mov [ebp-90], edx ; clear [ebp-90]
  00401696 |. EB 1E jmp short 004016B6
  00401698 |> 8D45 FC /lea eax, [ebp-4]
  0040169B |. E8 88030000 |call 00401A28 ; returns name in EAX
  004016A0 |. 8B95 70FFFFFF |mov edx, [ebp-90]
  004016A6 |. 0FBE0C10 |movsx ecx, byte ptr [eax+edx] ; each character of name goes into ECX in turn
  004016AA |. 018D 74FFFFFF |add [ebp-8C], ecx ; accumulated into [ebp-8C]
  004016B0 |. FF85 70FFFFFF |inc dword ptr [ebp-90] ; [ebp-90] serves as the loop counter
  004016B6 |> 8D45 FC lea eax, [ebp-4]
  004016B9 |. E8 94E20000 |call 0040F952 ; returns the length of name in EAX
  004016BE |. 3B85 70FFFFFF |cmp eax, [ebp-90] ; whole name read yet?
  004016C4 |.^ 7F D2 \jg short 00401698 ; not yet, keep reading
  004016C6 |. 8B95 74FFFFFF mov edx, [ebp-8C] ; [ebp-8C] into EDX
  004016CC |. 0FAF95 74FFFF>imul edx, [ebp-8C] ; EDX * [ebp-8C]
  004016D3 |. 81C2 AC000000 add edx, 0AC ; EDX + 0AC
  004016D9 |. 8995 74FFFFFF mov [ebp-8C], edx ; my final result is 2EE10
  004016DF |. 66:C745 90 A4>mov word ptr [ebp-70], 0A4
  004016E5 |. 8D45 CC lea eax, [ebp-34]
  004016E8 |. 8B95 74FFFFFF mov edx, [ebp-8C] ; [ebp-8C] into EDX
  004016EE |. E8 32DF0000 call 0040F625 ; converts the number in EDX to a decimal string, returned in EDX; mine is "192016"
  004016F3 |. FF45 9C inc dword ptr [ebp-64]
  004016F6 |. 8D55 CC lea edx, [ebp-34]
  004016F9 |. 8D45 F4 lea eax, [ebp-C]
  004016FC |. E8 26E00000 call 0040F727
  00401701 |. FF4D 9C dec dword ptr [ebp-64]
  00401704 |. 8D45 CC lea eax, [ebp-34]
  00401707 |. BA 02000000 mov edx, 2
  0040170C |. E8 E7DF0000 call 0040F6F8
  00401711 |. 66:C745 90 B0>mov word ptr [ebp-70], 0B0
  00401717 |. 8D45 C8 lea eax, [ebp-38]
  0040171A |. E8 D9020000 call 004019F8
  0040171F |. 8BC8 mov ecx, eax
  00401721 |. FF45 9C inc dword ptr [ebp-64]
  00401724 |. 8D55 F4 lea edx, [ebp-C]
  00401727 |. 8D45 EC lea eax, [ebp-14]
  0040172A |. E8 20E00000 call 0040F74F
  0040172F |. 8D55 C8 lea edx, [ebp-38]
  00401732 |. 52 push edx
  00401733 |. 8D45 C4 lea eax, [ebp-3C]
  00401736 |. E8 BD020000 call 004019F8
  0040173B |. 8BC8 mov ecx, eax
  0040173D |. FF45 9C inc dword ptr [ebp-64]
  00401740 |. 8D55 E8 lea edx, [ebp-18]
  00401743 |. 58 pop eax
  00401744 |. E8 06E00000 call 0040F74F
  00401749 |. 8D55 C4 lea edx, [ebp-3C]
  0040174C |. 8D45 F0 lea eax, [ebp-10]
  0040174F |. E8 D3DF0000 call 0040F727
  00401754 |. FF4D 9C dec dword ptr [ebp-64]
  00401757 |. 8D45 C4 lea eax, [ebp-3C]
  0040175A |. BA 02000000 mov edx, 2
  0040175F |. E8 94DF0000 call 0040F6F8 ; this CALL joins the two fixed strings and the computed string, returned in EDX; mine is "CA-192016-3914", and that is the serial
  00401764 |. FF4D 9C dec dword ptr [ebp-64]
  00401767 |. 8D45 C8 lea eax, [ebp-38]
  0040176A |. BA 02000000 mov edx, 2
  0040176F |. E8 84DF0000 call 0040F6F8
  00401774 |. 8D55 F0 lea edx, [ebp-10]
  00401777 |. 8D45 F8 lea eax, [ebp-8]
  0040177A |. E8 59E00000 call 0040F7D8 ; checks whether serial is valid; AL is set to 1 if so, otherwise 0
  0040177F |. 84C0 test al, al
  00401781 0F84 CE010000 je 00401955 ; mismatch, game over
  00401787 |. 66:C745 90 BC>mov word ptr [ebp-70], 0BC
  0040178D |. 8D45 C0 lea eax, [ebp-40]
  00401790 |. E8 63020000 call 004019F8
  00401795 |. FF45 9C inc dword ptr [ebp-64]
  00401798 |. 66:C745 90 C8>mov word ptr [ebp-70], 0C8
  0040179E |. 66:C745 90 D4>mov word ptr [ebp-70], 0D4
  004017A4 |. 8D45 BC lea eax, [ebp-44]
  004017A7 |. E8 4C020000 call 004019F8
  004017AC |. FF45 9C inc dword ptr [ebp-64]
  004017AF |. 66:C745 90 C8>mov word ptr [ebp-70], 0C8
  004017B5 |. 66:C745 90 E0>mov word ptr [ebp-70], 0E0
  004017BB |. 8D45 B8 lea eax, [ebp-48]
  004017BE |. E8 35020000 call 004019F8
  004017C3 |. FF45 9C inc dword ptr [ebp-64]
  004017C6 |. 66:C745 90 C8>mov word ptr [ebp-70], 0C8
  004017CC |. 66:C745 90 EC>mov word ptr [ebp-70], 0EC
  004017D2 |. 8D45 B4 lea eax, [ebp-4C]
  004017D5 |. E8 1E020000 call 004019F8
  004017DA |. FF45 9C inc dword ptr [ebp-64]
  004017DD |. 66:C745 90 C8>mov word ptr [ebp-70], 0C8
  004017E3 |. 66:C745 90 F8>mov word ptr [ebp-70], 0F8
  004017E9 |. 8D45 B0 lea eax, [ebp-50]
  004017EC |. E8 07020000 call 004019F8
  004017F1 |. 8BD0 mov edx, eax
  004017F3 |. FF45 9C inc dword ptr [ebp-64]
  004017F6 |. 8B0D E0AE4300 mov ecx, [43AEE0]
  004017FC |. 8B81 E0010000 mov eax, [ecx+1E0]
  00401802 |. E8 95910000 call 0040A99C
  00401807 |. 8D55 B0 lea edx, [ebp-50]
  0040180A |. 8D45 C0 lea eax, [ebp-40]
  0040180D |. E8 15DF0000 call 0040F727
  00401812 |. FF4D 9C dec dword ptr [ebp-64]
  00401815 |. 8D45 B0 lea eax, [ebp-50]
  00401818 |. BA 02000000 mov edx, 2
  0040181D |. E8 D6DE0000 call 0040F6F8
  00401822 |. 66:C745 90 04>mov word ptr [ebp-70], 104
  00401828 |. 8D45 AC lea eax, [ebp-54]
  0040182B |. E8 C8010000 call 004019F8
  00401830 |. 8BD0 mov edx, eax
  00401832 |. FF45 9C inc dword ptr [ebp-64]
  00401835 |. 8B0D E0AE4300 mov ecx, [43AEE0]
  0040183B |. 8B81 E4010000 mov eax, [ecx+1E4]
  00401841 |. E8 56910000 call 0040A99C
  00401846 |. 8D55 AC lea edx, [ebp-54]
  00401849 |. 8D45 BC lea eax, [ebp-44]
  0040184C |. E8 D6DE0000 call 0040F727
  00401851 |. FF4D 9C dec dword ptr [ebp-64]
  00401854 |. 8D45 AC lea eax, [ebp-54]
  00401857 |. BA 02000000 mov edx, 2
  0040185C |. E8 97DE0000 call 0040F6F8
  00401861 |. 66:C745 90 10>mov word ptr [ebp-70], 110
  00401867 |. 8D45 A8 lea eax, [ebp-58]
  0040186A |. E8 89010000 call 004019F8
  0040186F |. 8BD0 mov edx, eax
  00401871 |. FF45 9C inc dword ptr [ebp-64]
  00401874 |. 8B0D E0AE4300 mov ecx, [43AEE0]
  0040187A |. 8B81 E8010000 mov eax, [ecx+1E8]
  00401880 |. E8 17910000 call 0040A99C
  00401885 |. 8D55 A8 lea edx, [ebp-58]
  00401888 |. 8D45 B8 lea eax, [ebp-48]
  0040188B |. E8 97DE0000 call 0040F727
  00401890 |. FF4D 9C dec dword ptr [ebp-64]
  00401893 |. 8D45 A8 lea eax, [ebp-58]
  00401896 |. BA 02000000 mov edx, 2
  0040189B |. E8 58DE0000 call 0040F6F8
  004018A0 |. 66:C745 90 1C>mov word ptr [ebp-70], 11C
  004018A6 |. 8D45 A4 lea eax, [ebp-5C]
  004018A9 |. E8 4A010000 call 004019F8
  004018AE |. 8BD0 mov edx, eax
  004018B0 |. FF45 9C inc dword ptr [ebp-64]
  004018B3 |. 8B0D E0AE4300 mov ecx, [43AEE0]
  004018B9 |. 8B81 EC010000 mov eax, [ecx+1EC]
  004018BF |. E8 D8900000 call 0040A99C
  004018C4 |. 8D55 A4 lea edx, [ebp-5C]
  004018C7 |. 8D45 B4 lea eax, [ebp-4C]
  004018CA |. E8 58DE0000 call 0040F727
  004018CF |. FF4D 9C dec dword ptr [ebp-64]
  004018D2 |. 8D45 A4 lea eax, [ebp-5C]
  004018D5 |. BA 02000000 mov edx, 2
  004018DA |. E8 19DE0000 call 0040F6F8
  004018DF |. 6A 00 push 0
  004018E1 |. 8D45 BC lea eax, [ebp-44]
  004018E4 |. E8 3F010000 call 00401A28
  004018E9 |. 50 push eax
  004018EA |. 8D45 C0 lea eax, [ebp-40]
  004018ED |. E8 36010000 call 00401A28
  004018F2 |. 50 push eax ; |Text
  004018F3 |. 6A 00 push 0 ; |hOwner = NULL
  004018F5 |. E8 A63A0300 call ; \success message!

  Algorithm summary:

  1. The first 3 characters of serial are compared with the string "CA-"; if they differ, game over.
  2. The last 5 characters of serial are compared with the string "-3914"; if they differ, game over.
  3. name is processed as follows:
  1) Add up every character of name; call the result A.
  2) Convert A*A + 0xAC to a decimal string; call it B.
  4. Concatenating the strings "CA-", B and "-3914" gives the serial.

  A working pair:

  name: bxm78
  serial: CA-192016-3914

  Source: Pediy forum (看雪技术论坛)
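As an added example (my own code, not the CrackMe's or the author's), the serial derivation summarised above written out in Python and checked against the pair given; the constants "CA-", "-3914" and 0xAC are the ones read from the listing, and the sign-extension and 32-bit wraparound follow the movsx/imul instructions at 004016A6 and 004016CC.

```python
# Re-implementation of the serial check documented in the writeup above.
# Constants come from the disassembly listing; everything else is mine.
PREFIX = "CA-"     # checked by Call 1 at 00401610
SUFFIX = "-3914"   # checked by Call 2 at 00401661
MAGIC = 0xAC       # add edx, 0AC at 004016D3


def name_hash(name: str) -> int:
    """A = sum of name's bytes (loop at 00401698), then A*A + 0xAC."""
    total = 0
    for b in name.encode("latin-1"):
        # movsx ecx, byte ptr [eax+edx]: bytes >= 0x80 are sign-extended,
        # so they contribute a negative value, exactly as the target does.
        total += b - 0x100 if b >= 0x80 else b
    # imul edx,[ebp-8C] / add edx,0AC run in a 32-bit register, so wrap.
    # Assumption: 0040F625 prints the wrapped value as unsigned decimal;
    # the listing does not show what it does once the square overflows.
    return (total * total + MAGIC) & 0xFFFFFFFF


def serial_for(name: str) -> str:
    """B = decimal(name_hash); serial = "CA-" + B + "-3914" (0040175F)."""
    return f"{PREFIX}{name_hash(name)}{SUFFIX}"


def check_serial(name: str, serial: str) -> bool:
    """Mirror the three gates in the listing, in the same order."""
    if serial[:3] != PREFIX:          # Call 1: first 3 characters
        return False
    if serial[-5:] != SUFFIX:         # Call 2: last 5 characters
        return False
    return serial == serial_for(name)  # 0040177A: full comparison


if __name__ == "__main__":
    # The pair from the writeup: name "bxm78" -> A = 438, A*A + 0xAC = 0x2EE10
    print(hex(name_hash("bxm78")), serial_for("bxm78"))
```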
