我是用户
Posted on 2013-7-14 21:20
This post was last edited by 我是用户 on 2013-7-15 18:47
[Software name]: Delphi1
[Author's e-mail]: 2714608453@qq.com
[Download]: see attachment
[Software language]: Delphi
[Tools used]: OD
[Platform]: XP SP2
[Author's statement]: Just out of interest, no other purpose. Corrections from the experts are welcome wherever I have slipped up!
1. Checking the packer
See figure 1:
Delphi, no doubt about it.
2. Algorithm analysis
Open the program; the interface is shown in figure 2:
The program generates a random ID with the RANDOM button, then derives Key1 and Key2 from that ID and verifies them.
Type arbitrary values into Key1 and Key2 and click Check; an error dialog pops up.
See figure 3:
Searching for strings or walking back up the stack will both locate the key CALL, so we won't go through that here.
This CrackMe asks for a keygen, so let's go straight to analysing the algorithm.
Analysis of the key Call:
```asm
004BFC80 >/. 55 push ebp ; _TForm3_Button2Click
004BFC81 |. 8BEC mov ebp,esp
004BFC83 |. B9 05000000 mov ecx,0x5
004BFC88 >|> 6A 00 /push 0x0 ; loc_4BFC88
004BFC8A |. 6A 00 |push 0x0
004BFC8C |. 49 |dec ecx ; USER32.77D1882A
004BFC8D |.^ 75 F9 \jnz short <KEYGENME.loc_4BFC88>
004BFC8F |. 51 push ecx ; USER32.77D1882A
004BFC90 |. 8955 F0 mov [local.4],edx
004BFC93 |. 8945 FC mov [local.1],eax
004BFC96 |. 33C0 xor eax,eax
004BFC98 |. 55 push ebp
004BFC99 |. 68 99FE4B00 push <KEYGENME.loc_4BFE99>
004BFC9E |. 64:FF30 push dword ptr fs:[eax]
004BFCA1 |. 64:8920 mov dword ptr fs:[eax],esp
004BFCA4 |. 8D55 EC lea edx,[local.5] ; return value
004BFCA7 |. 8B45 FC mov eax,[local.1]
004BFCAA |. 8B80 8C030000 mov eax,dword ptr ds:[eax+0x38C] ; get the contents of Licens
004BFCB0 |. E8 333BFBFF call <KEYGENME.GetText> ; GetText
004BFCB5 |. 8D45 EC lea eax,[local.5]
004BFCB8 |. 50 push eax
004BFCB9 |. 8D55 E8 lea edx,[local.6]
004BFCBC |. 8B45 FC mov eax,[local.1]
004BFCBF |. 8B80 90030000 mov eax,dword ptr ds:[eax+0x390] ; get the contents of licens2
004BFCC5 |. E8 1E3BFBFF call <KEYGENME.GetText> ; GetText
004BFCCA |. 8B55 E8 mov edx,[local.6] ; USER32.77D71088
004BFCCD |. 58 pop eax ; uxtheme.5ADC4729
004BFCCE |. E8 3577F4FF call <KEYGENME.sub_407408> ; concatenate licens with licens2
004BFCD3 |. 837D EC 00 cmp [local.5],0x0
004BFCD7 |. 75 1D jnz short <KEYGENME.loc_4BFCF6> ; if empty, bail out
004BFCD9 |. 6A 10 push 0x10
004BFCDB |. B9 A4FE4B00 mov ecx,<KEYGENME.aError_0> ; UNICODE "Error"
004BFCE0 |. BA B0FE4B00 mov edx,<KEYGENME.aPleaseInsertYo> ; UNICODE "Please insert your licens Nummbers"
004BFCE5 |. A1 E0934C00 mov eax,dword ptr ds:[<off_4C93E0>]
004BFCEA |. 8B00 mov eax,dword ptr ds:[eax]
004BFCEC |. E8 F3DCFFFF call <KEYGENME.sub_4BD9E4>
004BFCF1 |. E9 6E010000 jmp <KEYGENME.loc_4BFE64>
004BFCF6 >|> A1 B4F24C00 mov eax,dword ptr ds:[<dword_4CF2B4>] ; loc_4BFCF6
004BFCFB |. E8 5CC7F5FF call <KEYGENME.转成十六进制>
004BFD00 |. A3 E4F24C00 mov dword ptr ds:[<dword_4CF2E4>],eax
004BFD05 |. 8D55 E4 lea edx,[local.7]
004BFD08 |. 8B45 FC mov eax,[local.1]
004BFD0B |. 8B80 88030000 mov eax,dword ptr ds:[eax+0x388] ; get the random number
004BFD11 |. E8 D23AFBFF call <KEYGENME.GetText> ; GetText
004BFD16 |. 8B45 E4 mov eax,[local.7] ; USER32.77D18BD9
004BFD19 |. E8 3EC7F5FF call <KEYGENME.转成十六进制>
004BFD1E |. A3 E0F24C00 mov dword ptr ds:[<dword_4CF2E0>],eax
004BFD23 |. A1 E4F24C00 mov eax,dword ptr ds:[<dword_4CF2E4>]
004BFD28 |. F72D E0F24C00 imul dword ptr ds:[<dword_4CF2E0>] ; random number converted to hex * 8
004BFD2E |. A3 C8F24C00 mov dword ptr ds:[<dword_4CF2C8>],eax
004BFD33 |. 8D55 E0 lea edx,[local.8]
004BFD36 |. A1 C8F24C00 mov eax,dword ptr ds:[<dword_4CF2C8>]
004BFD3B |. E8 48C5F5FF call <KEYGENME.转成十进制> ; product converted to decimal
004BFD40 |. 8B55 E0 mov edx,[local.8]
004BFD43 |. B8 CCF24C00 mov eax,offset <KEYGENME.dword_4CF2CC>
004BFD48 |. E8 536FF4FF call <KEYGENME.复制字符串>
004BFD4D |. B8 CCF24C00 mov eax,offset <KEYGENME.dword_4CF2CC>
004BFD52 |. B9 05000000 mov ecx,0x5
004BFD57 |. BA 01000000 mov edx,0x1
004BFD5C |. E8 B778F4FF call <KEYGENME.取字符> ; take the last four digits
004BFD61 |. BA CCF24C00 mov edx,offset <KEYGENME.dword_4CF2CC>
004BFD66 |. B9 01000000 mov ecx,0x1
004BFD6B |. B8 04FF4B00 mov eax,<KEYGENME.a1337> ; UNICODE "1337"
004BFD70 |. E8 0779F4FF call <KEYGENME.连接字符> ; append the last four digits
004BFD75 |. B8 D0F24C00 mov eax,offset <KEYGENME.dword_4CF2D0>
004BFD7A |. 8B15 CCF24C00 mov edx,dword ptr ds:[<dword_4CF2CC>]
004BFD80 |. E8 1B6FF4FF call <KEYGENME.复制字符串>
004BFD85 |. A1 D0F24C00 mov eax,dword ptr ds:[<dword_4CF2D0>]
004BFD8A |. 8945 F8 mov [local.2],eax
004BFD8D |. 8B45 F8 mov eax,[local.2]
004BFD90 |. 8945 F4 mov [local.3],eax
004BFD93 |. 837D F4 00 cmp [local.3],0x0
004BFD97 |. 74 0B je short <KEYGENME.loc_4BFDA4>
004BFD99 |. 8B45 F4 mov eax,[local.3]
004BFD9C |. 83E8 04 sub eax,0x4
004BFD9F |. 8B00 mov eax,dword ptr ds:[eax]
004BFDA1 |. 8945 F4 mov [local.3],eax
004BFDA4 >|> A1 D0F24C00 mov eax,dword ptr ds:[<dword_4CF2D0>] ; loc_4BFDA4
004BFDA9 |. E8 AEC6F5FF call <KEYGENME.转成十六进制> ; 1337 + last four digits converted to hex
004BFDAE |. A3 D4F24C00 mov dword ptr ds:[<dword_4CF2D4>],eax
004BFDB3 |. A1 D4F24C00 mov eax,dword ptr ds:[<dword_4CF2D4>]
004BFDB8 |. 05 39050000 add eax,0x539 ; add 0x539
004BFDBD |. A3 D8F24C00 mov dword ptr ds:[<dword_4CF2D8>],eax
004BFDC2 |. 8D55 DC lea edx,[local.9]
004BFDC5 |. A1 D8F24C00 mov eax,dword ptr ds:[<dword_4CF2D8>]
004BFDCA |. E8 B9C4F5FF call <KEYGENME.转成十进制> ; convert to decimal
004BFDCF |. 8B55 DC mov edx,[local.9]
004BFDD2 |. B8 DCF24C00 mov eax,offset <KEYGENME.dword_4CF2DC>
004BFDD7 |. E8 C46EF4FF call <KEYGENME.复制字符串>
004BFDDC |. BA DCF24C00 mov edx,offset <KEYGENME.dword_4CF2DC>
004BFDE1 |. B9 01000000 mov ecx,0x1
004BFDE6 |. B8 1CFF4B00 mov eax,<KEYGENME.aBananenbauer> ; UNICODE "Bananenbauer"
004BFDEB |. E8 8C78F4FF call <KEYGENME.连接字符> ; concatenate with Bananenbauer
004BFDF0 |. 8D55 D8 lea edx,[local.10]
004BFDF3 |. 8B45 FC mov eax,[local.1]
004BFDF6 |. 8B80 8C030000 mov eax,dword ptr ds:[eax+0x38C] ; get the contents of licen
004BFDFC |. E8 E739FBFF call <KEYGENME.GetText> ; GetText
004BFE01 |. 8B45 D8 mov eax,[local.10]
004BFE04 |. 8B15 DCF24C00 mov edx,dword ptr ds:[<dword_4CF2DC>]
004BFE0A |. E8 8977F4FF call <KEYGENME.比较> ; compare
004BFE0F |. 75 3B jnz short <KEYGENME.loc_4BFE4C>
004BFE11 |. 8D55 D4 lea edx,[local.11]
004BFE14 |. 8B45 FC mov eax,[local.1]
004BFE17 |. 8B80 90030000 mov eax,dword ptr ds:[eax+0x390] ; get the contents of licens2
004BFE1D |. E8 C639FBFF call <KEYGENME.GetText>
004BFE22 |. 8B45 D4 mov eax,[local.11] ; uxtheme.5ADC3C02
004BFE25 |. 8B15 D0F24C00 mov edx,dword ptr ds:[<dword_4CF2D0>]
004BFE2B |. E8 6877F4FF call <KEYGENME.比较> ; compare 2
004BFE30 |. 75 32 jnz short <KEYGENME.loc_4BFE64>
004BFE32 |. 6A 40 push 0x40
004BFE34 |. B9 38FF4B00 mov ecx,<KEYGENME.aCodedByBananen> ; UNICODE "Coded by Bananenbauer"
004BFE39 |. BA 64FF4B00 mov edx,<KEYGENME.aNiceYouDidIt> ; UNICODE "Nice,you did it :)"
004BFE3E |. A1 E0934C00 mov eax,dword ptr ds:[<off_4C93E0>]
004BFE43 |. 8B00 mov eax,dword ptr ds:[eax]
004BFE45 |. E8 9ADBFFFF call <KEYGENME.sub_4BD9E4>
004BFE4A |. EB 18 jmp short <KEYGENME.loc_4BFE64>
004BFE4C >|> 6A 10 push 0x10 ; loc_4BFE4C
004BFE4E |. B9 8CFF4B00 mov ecx,<KEYGENME.aErrorYouFailed> ; UNICODE "ERROR:YOU failed"
004BFE53 |. BA B0FF4B00 mov edx,<KEYGENME.off_4BFFB0> ; UNICODE "FAIL XD"
004BFE58 |. A1 E0934C00 mov eax,dword ptr ds:[<off_4C93E0>]
004BFE5D |. 8B00 mov eax,dword ptr ds:[eax]
004BFE5F |. E8 80DBFFFF call <KEYGENME.sub_4BD9E4>
004BFE64 >|> 33C0 xor eax,eax ; loc_4BFE64
004BFE66 |. 5A pop edx ; uxtheme.5ADC4729
004BFE67 |. 59 pop ecx ; uxtheme.5ADC4729
004BFE68 |. 59 pop ecx ; uxtheme.5ADC4729
004BFE69 |. 64:8910 mov dword ptr fs:[eax],edx
004BFE6C |. 68 A0FE4B00 push <KEYGENME.loc_4BFEA0>
004BFE71 >|> 8D45 D4 lea eax,[local.11] ; loc_4BFE71
004BFE74 |. BA 02000000 mov edx,0x2
004BFE79 |. E8 C26AF4FF call <KEYGENME.sub_406940>
004BFE7E |. 8D45 DC lea eax,[local.9]
004BFE81 |. BA 02000000 mov edx,0x2
004BFE86 |. E8 B56AF4FF call <KEYGENME.sub_406940>
004BFE8B |. 8D45 E4 lea eax,[local.7]
004BFE8E |. BA 03000000 mov edx,0x3
004BFE93 |. E8 A86AF4FF call <KEYGENME.sub_406940>
004BFE98 \. C3 retn
004BFE99 > .^ E9 B260F4FF jmp <KEYGENME.System::__linkproc__ HandleFinally(void)> ; loc_4BFE99
004BFE9E .^ EB D1 jmp short <KEYGENME.loc_4BFE71>
004BFEA0 > . 8BE5 mov esp,ebp ; loc_4BFEA0
004BFEA2 . 5D pop ebp ; uxtheme.5ADC4729
004BFEA3 . C3 retn
```
The algorithm is simple and I have annotated it in the listing; the keygen source follows.
```delphi
// Button handler wrapping the original body; the procedure name, form name
// and the StrUtils dependency (for RightStr) are assumed, not from the post.
uses SysUtils, StrUtils;

procedure TForm1.Button1Click(Sender: TObject);
var
  RandNum, Str1, Key1, Key2: string;
  Long1: Integer;
begin
  RandNum := Trim(Edit1.Text);           // get the random number
  Long1 := StrToInt(RandNum);
  Long1 := Long1 * 8;
  Str1 := IntToStr(Long1);
  Str1 := RightStr(Str1, 4);             // last four digits of the product
  Key2 := '1337' + Str1;
  Str1 := IntToStr(StrToInt('1337' + Str1) + $539);
  Key1 := 'Bananenbauer' + Str1;
  Edit2.Text := Key1;
  Edit3.Text := Key2;
  //MessageDlg(Key1, mtInformation, [mbOK, mbYes], 0);
end;
```
Successful registration is shown in figure 4:
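As an added example that is not part of the original post, the following Python models both sides of the scheme: the key derivation from the Delphi keygen above, and the check routine at 004BFC80 as read from the listing, including its three exit paths (empty input, Key1 mismatch, and the silent Key2 mismatch that jumps straight to loc_4BFE64 without a message box). Function names are assumptions of this example.

```python
from typing import Tuple

# Constants taken from the listing / keygen: "1337" prefix, 0x539 (= 1337 decimal)
# addend, "Bananenbauer" prefix, and the multiplier 8 held at dword_4CF2B4.
MULTIPLIER = 8
PREFIX_KEY2 = "1337"
ADDEND = 0x539
PREFIX_KEY1 = "Bananenbauer"


def make_keys(rand_id: str) -> Tuple[str, str]:
    """Derive (Key1, Key2) from the random ID exactly as the keygen does."""
    product = int(rand_id.strip()) * MULTIPLIER
    tail = str(product)[-4:]                 # RightStr(Str1, 4): last four digits
    key2 = PREFIX_KEY2 + tail                # Key2 := '1337' + Str1
    key1 = PREFIX_KEY1 + str(int(key2) + ADDEND)  # Key1 := 'Bananenbauer' + ...
    return key1, key2


def check_license(rand_id: str, licens: str, licens2: str) -> str:
    """Mirror of _TForm3_Button2Click; returns the message text the binary shows.

    An empty string means the routine exits via loc_4BFE64 without a dialog.
    """
    # sub_407408 concatenates licens and licens2; cmp [local.5],0 tests for empty
    if licens + licens2 == "":
        return "Please insert your licens Nummbers"
    key1, key2 = make_keys(rand_id)
    if licens != key1:                       # first 比较 -> loc_4BFE4C
        return "FAIL XD"
    if licens2 != key2:                      # 比较2 -> loc_4BFE64, no message
        return ""
    return "Nice,you did it :)"


if __name__ == "__main__":
    # Constructed sample ID, not one taken from the program
    k1, k2 = make_keys("12345")
    print(k1, k2, check_license("12345", k1, k2))
```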