好友
阅读权限40
听众
最后登录1970-1-1
|
CM是什么?Crackme是什么?这是什么东西?楼主发的什么?
他们都是一些公开给别人尝试破解的小程序,制作 Crackme 的人可能是程序员,想测试一下自己的软件保护技术,也可能是一位 Cracker,想挑战一下其它 Cracker 的破解实力,也可能是一些正在学习破解的人,自己编一些小程序给自己破解,KeyGenMe是要求别人做出它的 keygen (序号产生器), ReverseMe 要求别人把它的算法做出逆向分析, UnpackMe 是要求别人把它成功脱壳,本版块禁止回复非技术无关水贴。
查找字符串。到达:
004012DF /75 45 jnz short crcme1.00401326
004012E1 . |6A 00 push0; /Style = MB_OK|MB_APPLMODAL
004012E3 . |68 1B204000 pushcrcme1.0040201B; |Title = "-=ACG=- T h e B e s t -=ACG=-"
004012E8 . |68 77204000 pushcrcme1.00402077; |Text = "Yeah You Did It!!!
Czyli nareszczie ci si?uda硂
Teraz mo縠sz przy彻czy?si?do ACG"
004012ED . |FF75 08 pushdword ptr ss:[ebp+8] ; |hOwner = 00401000
004012F0 . |E8 5D010000 call<jmp.&USER32.MessageBoxA>; \MessageBoxA
004012F5 . |EB 55 jmp short crcme1.0040134C
004012F7 > |6A 00 push0; /Style = MB_OK|MB_APPLMODAL
004012F9 . |68 1B204000 pushcrcme1.0040201B; |Title = "-=ACG=- T h e B e s t -=ACG=-"
004012FE . |68 7F214000 pushcrcme1.0040217F; |Text = "No BPX Allowed!!!
I oczywi渟ie standard:
nie mo縩a zak砤da?pu砤pek!"
00401303 . |FF75 08 pushdword ptr ss:[ebp+8] ; |hOwner = 00401000
00401306 . |E8 47010000 call<jmp.&USER32.MessageBoxA>; \MessageBoxA
0040130B . |EB 19 jmp short crcme1.00401326
0040130D > |6A 00 push0; /Style = MB_OK|MB_APPLMODAL
0040130F . |68 1B204000 pushcrcme1.0040201B; |Title = "-=ACG=- T h e B e s t -=ACG=-"
00401314 . |68 21234000 pushcrcme1.00402321; |Text = "Gdzie mi grzebiesz w exe'cu??
Jak cie trzepne to se w muzgu pogrzebiesz"
00401319 . |FF75 08 pushdword ptr ss:[ebp+8] ; |hOwner = 00401000
0040131C . |E8 31010000 call<jmp.&USER32.MessageBoxA>; \MessageBoxA
00401321 .^|E9 BCFEFFFF jmp crcme1.004011E2
00401326 > \6A 10 push10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
00401328 .68 1B204000 pushcrcme1.0040201B; |Title = "-=ACG=- T h e B e s t -=ACG=-"
0040132D .68 CE204000 pushcrcme1.004020CE; |Text = "Nic z tego!!!"
00401332 .FF75 08 pushdword ptr ss:[ebp+8] ; |hOwner = 00401000
00401335 .E8 18010000 call<jmp.&USER32.MessageBoxA>; \MessageBoxA
0040133A .68 DD204000 pushcrcme1.004020DD; /Text = ""
0040133F .68 EA030000 push3EA; |ControlID = 3EA (1002.)
00401344 .FF75 08 pushdword ptr ss:[ebp+8] ; |hWnd = 00401000
00401347 .E8 F4000000 call<jmp.&USER32.SetDlgItemTextA>; \SetDlgItemTextA
0040134C >61popad
0040134D >EB 41 jmp short crcme1.00401390
往上看到算法关键
0040124C .6A 28 push28 ; /Count = 28 (40.)
0040124E .68 06214000 pushcrcme1.00402106; |Buffer = crcme1.00402106
00401253 .68 E9030000 push3E9; |ControlID = 3E9 (1001.)
00401258 .FF75 08 pushdword ptr ss:[ebp+8] ; |hWnd = 00401000
0040125B .E8 10020000 call<jmp.&USER32.GetDlgItemTextA>; \GetDlgItemTextA
00401260 .83F8 05 cmp eax, 5
00401263 .0F82 BD000000 jbcrcme1.00401326
00401269 .6A 28 push28 ; /Count = 28 (40.)
0040126B .68 2E214000 pushcrcme1.0040212E; |Buffer = crcme1.0040212E
00401270 .68 EA030000 push3EA; |ControlID = 3EA (1002.)
00401275 .FF75 08 pushdword ptr ss:[ebp+8] ; |hWnd = 00401000
00401278 .E8 F3010000 call<jmp.&USER32.GetDlgItemTextA>; \GetDlgItemTextA
以上为长度判断
0040127D .BF 06214000 mov edi, crcme1.00402106
00401282 .33DBxor ebx, ebx
00401284 .33C0xor eax, eax
清零···要开始了
00401286 >8A1Fmov bl, byte ptr ds:[edi]
00401288 .80FB 20 cmp bl, 20
ascci不小于20
0040128B .0F82 95000000 jbcrcme1.00401326
00401291 .03C3add eax, ebx
00401293 .47inc edi;ntdll.7C930738
00401294 .803F 00 cmp byte ptr ds:[edi], 0
00401297 .^ 75 ED jnz short crcme1.00401286
用户名ascci累加到EAX
00401299 .C1C0 03 rol eax, 3
eax左移3位,相当于乘以8
0040129C .35 A5150500 xor eax, 515A5
eax与515A5进行异或运算
004012A1 .50pusheax
堆栈保存eax
004012A2 .33C0xor eax, eax
004012A4 .33DBxor ebx, ebx
004012A6 .33FFxor edi, edi ;ntdll.7C930738
清零···
(
(
004012A8 .BE 2E214000 mov esi, crcme1.0040212E
004012AD >B8 0A000000 mov eax, 0A
注意eax = A
004012B2 .8A1Emov bl, byte ptr ds:[esi]
004012B4 .85DBtestebx, ebx
004012B6 .74 15 jeshort crcme1.004012CD
004012B8 .80FB 30 cmp bl, 30
004012BB .72 69 jbshort crcme1.00401326
004012BD .80FB 39 cmp bl, 39
004012C0 .7F 64 jgshort crcme1.00401326
依次取注册码字符,判断是否为数字,否则失败
004012C2 .83EB 30 sub ebx, 30
字符ascii值减去30
004012C5 .0FAFF8imuledi, eax
edi = edi * eax(A)
004012C8 .03FBadd edi, ebx
004012CA .46inc esi
004012CB .^ EB E0 jmp short crcme1.004012AD
)
)
这里不太好描述
假设注册码为123,则ascii对应为31,32,33
则edi = ((1*A+2)*A+3
004012CD >81F7 CA870000 xor edi, 87CA
edi与87CA进行异或运算
004012D3 .8BDFmov ebx, edi ;ntdll.7C930738
004012D5 .58pop eax;kernel32.7C816D4F
取出在004012A1处保存的eax
004012D6 .03C3add eax, ebx
加上ebx
004012D8 .35 E7970700 xor eax, 797E7
又异或
004012DD .85C0testeax, eax
004012DF75 45 jnz short crcme1.00401326
判断
值得一提的是:用户名和密码都运算后进行判断,避免了明码的出现! |
|
发帖前要善用【论坛搜索】功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。 |
|
|
|
|
|
|
发表于 2008-8-24 10:36
发表于 2008-8-24 11:59
