系统 : Windows xp
程序 : CrackMe#1
程序下载地址 :http://pan.baidu.com/s/1nuagj6h
要求 : 编写注册机
使用工具 :IDA & OD
可在看雪论坛中查找关于此程序的破文:http://bbs.pediy.com/showthread.php?t=29063
IDA载入程序,找出提示破解成功的字串“You cracked the UBC CrackMe#1 ! Please send your solution to ubcrackers@hotmail.com !”并定位关键代码:
/. push ebp
|. 8BEC mov ebp, esp
|. 6A push
|. push ebx
|. 8BD8 mov ebx, eax
|. 33C0 xor eax, eax
0045880A |. push ebp
0045880B |. push
|. :FF30 push dword ptr fs:[eax]
|. : mov dword ptr fs:[eax], esp
|. E8 45FFFFFF call ; 获取用户名
0045881B |. 8D55 FC lea edx, dword ptr [ebp-] ; 取一段内存
0045881E |. 8B83 D0020000 mov eax, dword ptr [ebx+2D0]
|. E8 97CDFCFF call 004255C0 ; 获取序列号
|. 8B45 FC mov eax, dword ptr [ebp-] ; 取序列号
0045882C |. E8 43EFFAFF call ; F(序列号)
|. 3B05 44B84500 cmp eax, dword ptr [45B844]
|. 1B jnz short
|. B8 mov eax, ; ASCII "You cracked the UBC CrackMe#1 ! Please send your solution to ubcrackers@hotmail.com !"
0045883E |. E8 29C1FEFF call 0044496C
|. BA E8884500 mov edx, 004588E8 ; ASCII "CRACKED"
|. A1 3CB84500 mov eax, dword ptr [45B83C]
0045884D |. E8 9ECDFCFF call 004255F0
|. EB 0A jmp short 0045885E
|> B8 F8884500 mov eax, 004588F8 ; ASCII "Try Again !"
|. E8 0EC1FEFF call 0044496C
进入F(序列号):
/$ push ebp
|. 8BEC mov ebp, esp
|. 83C4 F0 add esp, -
0040777A |. push ebx
0040777B |. push esi
0040777C |. 33D2 xor edx, edx
0040777E |. F8 mov dword ptr [ebp-], edx
|. 8BD8 mov ebx, eax
|. 33C0 xor eax, eax
|. push ebp
|. DC774000 push 004077DC
0040778B |. :FF30 push dword ptr fs:[eax]
0040778E |. : mov dword ptr fs:[eax], esp
|. 8D55 FC lea edx, dword ptr [ebp-]
|. 8BC3 mov eax, ebx
|. E8 D9B1FFFF call ; 关键call
0040779B |. 8BF0 mov esi, eax
0040779D |. 837D FC cmp dword ptr [ebp-],
004077A1 |. je short 004077C6
004077A3 |. 8D55 F8 lea edx, dword ptr [ebp-]
004077A6 |. A1 90A44500 mov eax, dword ptr [45A490]
004077AB |. E8 A4D6FFFF call 00404E54
004077B0 |. 8B45 F8 mov eax, dword ptr [ebp-]
004077B3 |. push eax
004077B4 |. 895D F0 mov dword ptr [ebp-], ebx
004077B7 |. C645 F4 0B mov byte ptr [ebp-C], 0B
004077BB |. 8D55 F0 lea edx, dword ptr [ebp-]
004077BE |. 33C9 xor ecx, ecx
004077C0 |. pop eax
004077C1 |. E8 A6FCFFFF call 0040746C
004077C6 |> 33C0 xor eax, eax
004077C8 |. 5A pop edx
004077C9 |. pop ecx
004077CA |. pop ecx
004077CB |. : mov dword ptr fs:[eax], edx
004077CE |. E3774000 push 004077E3
004077D3 |> 8D45 F8 lea eax, dword ptr [ebp-]
004077D6 |. E8 0DC0FFFF call 004037E8
004077DB \. C3 retn
关键call:
/$ push ebx
|. push esi
|. push edi
|. 89C6 mov esi, eax
|. push eax
0040297A |. 85C0 test eax, eax ; 序列号为空?
0040297C |. je short 004029F1
0040297E |. 31C0 xor eax, eax
|. 31DB xor ebx, ebx
|. BF CCCCCC0C mov edi, 0CCCCCCC
|> 8A1E /mov bl, byte ptr [esi] ; 迭代序列号
|. |inc esi
0040298A |. 80FB |cmp bl, ; 字符 = 0x20?
0040298D |.^ F8 \je short ; 不是则退出循环
0040298F |. B5 mov ch,
|. 80FB 2D cmp bl, 2D ; Switch (cases 24..78)
|. je short 004029FF
|. 80FB 2B cmp bl, 2B ; ‘+’
|. je short 00402A01
0040299B |. 80FB cmp bl,
0040299E |. je short 00402A06
004029A0 |. 80FB cmp bl,
004029A3 |. je short 00402A06
004029A5 |. 80FB cmp bl,
004029A8 |. 5C je short 00402A06
004029AA |. 80FB cmp bl,
004029AD |. jnz short 004029C2
004029AF |. 8A1E mov bl, byte ptr [esi] ; Case 30 ('0') of switch 00402991
004029B1 |. inc esi
004029B2 |. 80FB cmp bl,
004029B5 |. 4F je short 00402A06
004029B7 |. 80FB cmp bl,
004029BA |. 4A je short 00402A06
004029BC |. 84DB test bl, bl
004029BE |. je short 004029E0
004029C0 |. EB jmp short 004029C6
004029C2 |> 84DB test bl, bl ; Default case of switch 00402991
004029C4 |. je short 004029FA ; 为空则跳转
004029C6 |> 80EB /sub bl,
004029C9 |. 80FB |cmp bl, ; 高于9?
004029CC |. 2C |ja short 004029FA
004029CE |. 39F8 |cmp eax, edi ; 高于0CCCCCCC?
004029D0 |. |ja short 004029FA
004029D2 |. 8D0480 |lea eax, dword ptr [eax+eax*] ; eax = eax + eax*4
004029D5 |. 01C0 |add eax, eax ; eax += eax
004029D7 |. 01D8 |add eax, ebx ; 累加
004029D9 |. 8A1E |mov bl, byte ptr [esi] ; 取下一个字符
004029DB |. |inc esi
004029DC |. 84DB |test bl, bl ; 不为空?
004029DE |.^ E6 \jnz short 004029C6
004029E0 |> FECD dec ch
004029E2 |. je short 004029F4
004029E4 |. 85C0 test eax, eax
004029E6 |. 7C jl short 004029FA
004029E8 |> pop ecx
004029E9 |. 31F6 xor esi, esi
004029EB |> mov dword ptr [edx], esi
004029ED |. 5F pop edi
004029EE |. 5E pop esi
004029EF |. 5B pop ebx
004029F0 |. C3 retn
再回去看看程序流程中的关键比对,将eax与45B844处的数据进行对比。这里,对45B844下写入断点,重新运行程序发现关键算法:
004587A2 |. 33C0 xor eax, eax ; 清空eax
004587A4 |. mov dword ptr [ebx], eax ; 对内存置零
004587A6 |. 8B07 mov eax, dword ptr [edi] ; 取用户名
004587A8 |. E8 B7B2FAFF call 00403A64 ; 计算长度
004587AD |. 85C0 test eax, eax ; 为空?
004587AF |. 7E jle short 004587CA
004587B1 |. C706 mov dword ptr [esi],
004587B7 |> 8B17 /mov edx, dword ptr [edi] ; 取用户名
004587B9 |. 8B0E |mov ecx, dword ptr [esi]
004587BB |. 0FB6540A FF |movzx edx, byte ptr [edx+ecx-] ; 迭代字串
004587C0 |. C1E2 |shl edx, ; 逻辑左移3位
004587C3 |. |add dword ptr [ebx], edx ; 与内存值累加
004587C5 |. FF06 |inc dword ptr [esi] ; 循环变量自增
004587C7 |. |dec eax ; 长度-1
004587C8 |.^ ED \jnz short 004587B7
004587CA |> 8B07 mov eax, dword ptr [edi]
004587CC |. E8 93B2FAFF call 00403A64 ; 计算长度
004587D1 |. C1E0 shl eax, ; 长度逻辑左移3位
004587D4 |. add dword ptr [ebx], eax ; 与内存值累加
004587D6 |. 8B03 mov eax, dword ptr [ebx]
004587D8 |. C1E0 shl eax, ; 长度逻辑左移2位
004587DB |. mov dword ptr [ebx], eax ; 存入内存
004587DD |. 33C0 xor eax, eax
004587DF |. 5A pop edx
004587E0 |. pop ecx
004587E1 |. pop ecx
004587E2 |. : mov dword ptr fs:[eax], edx
004587E5 |. FA874500 push 004587FA
004587EA |> 8D45 FC lea eax, dword ptr [ebp-]
004587ED |. E8 F6AFFAFF call 004037E8
004587F2 \. C3 retn
至此,程序算法流程已经分析得差不多了。马上动手编写注册机。
我们直接打开http://www.cnblogs.com/ZRBYYXDM/p/5115596.html中搭建的框架,并修改OnBtnDecrypt函数如下:
void CKengen_TemplateDlg::OnBtnDecrypt()
{
// TODO: Add your control notification handler code here
CString str;
GetDlgItemText( IDC_EDIT_NAME,str ); //获取用户名字串基本信息。
int len = str.GetLength(); int FNameres = ;
if ( len != ){ //格式控制。
for ( int i = ; i != len ; i++ )
FNameres += str[i] << ; FNameres += len << ;
FNameres = FNameres << ; //模拟F(序列号):十进制转化十六进制
/*
CString serial = "1234"; int FSelres = 0;
for ( int j = 0 ; j != serial.GetLength() ; j++ ){
FSelres *= 10;
FSelres += ( serial[j] - 0x30 );
}
*/ if ( FNameres > 0x0CCCCCCC )
return ; CString PassWord;
PassWord.Format( "%d",FNameres );
SetDlgItemText( IDC_EDIT_PASSWORD,PassWord );
}
else
MessageBox( "用户名格式错误!" );
}
再在OnInitDialog中添加此代码修改标题:SetWindowText(_T("crackme1_Keygen"));
运行效果: