系统 : Windows xp
程序 : Keygenme # 2
程序下载地址 :http://pan.baidu.com/s/1qYIk2HQ
要求 : 注册机编写
使用工具 : OD
可在“PEDIY CrackMe 2007”中查找关于此程序的讨论,标题为“一个据说是新手级Crackme的分析”。
运行程序,查找字符串定位关键算法位置。大致的看一下程序主体:
004014AF |. C74424 CE0>mov dword ptr [esp+], 004400CE ; enter user-name: enter user-id: enter password: access granted !
004014B7 |. C70424 C03344>mov dword ptr [esp], 004433C0
004014BE |. E8 95AE0300 call 0043C358
004014C3 |. C74424 28B>mov dword ptr [esp+], 0043B128
004014CB |. mov dword ptr [esp], eax
004014CE |. E8 DD8D0200 call 0042A2B0
004014D3 |. C74424 CF0>mov dword ptr [esp+], 004400CF ; enter user-name: enter user-id: enter password: access granted !
004014DB |. C70424 C03344>mov dword ptr [esp], 004433C0
004014E2 |. E8 71AE0300 call 0043C358
004014E7 |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-] ; |
004014ED |. mov dword ptr [esp], eax ; |
004014F0 |. E8 8BF40000 call <jmp.&msvcrt.gets> ; \gets
004014F5 |. 80BD F8FEFFFF>cmp byte ptr [ebp-], ; 是否为空?
004014FC |. 0F84 A8010000 je 004016AA ; 是则失败
|. C74424 E10>mov dword ptr [esp+], 004400E1 ; enter user-id: enter password: access granted !
0040150A |. C70424 C03344>mov dword ptr [esp], 004433C0
|. E8 42AE0300 call 0043C358
|. 8D85 DCFEFFFF lea eax, dword ptr [ebp-]
0040151C |. mov dword ptr [esp+], eax
|. C70424 >mov dword ptr [esp],
|. E8 C4720200 call 004287F0 ; 读入id的子程序
0040152C |. C785 D8FEFFFF>mov dword ptr [ebp-], ; 循环变量初始化
|> 8D85 F8FEFFFF /lea eax, dword ptr [ebp-] ; |
0040153C |. |mov dword ptr [esp], eax ; |
0040153F |. E8 2CF40000 |call <jmp.&msvcrt.strlen> ; \strlen
|. 3B85 D8FEFFFF |cmp eax, dword ptr [ebp-] ; 长度低于等于 循环变量
0040154A |. 5B |jbe short 004015A7 ; 则跳出循环
0040154C |. 8D45 F8 |lea eax, dword ptr [ebp-]
0040154F |. D8FEFFFF |add eax, dword ptr [ebp-] ; 地址 加上 循环变量
|. 2D |sub eax, ; 还原成User-Name
0040155A |. 0FBE00 |movsx eax, byte ptr [eax] ; 扩展载入到eax
0040155D |. F4FEFFFF |mov dword ptr [ebp-10C], eax
|. 8D85 F4FEFFFF |lea eax, dword ptr [ebp-10C]
|. 656C2A03 |add dword ptr [eax], 32A6C65 ; 保存的值加上一个 固定数值
0040156F |. 8B85 DCFEFFFF |mov eax, dword ptr [ebp-] ; 读入的id
|. 0FAF85 DCFEFF>|imul eax, dword ptr [ebp-]
0040157C |. 01C0 |add eax, eax
0040157E |. F4FEFFFF |add eax, dword ptr [ebp-10C] ; 加上之前保存的值
|. 237AD602 |add eax, 2D67A23 ; 再加
|. F4FEFFFF |mov dword ptr [ebp-10C], eax
0040158F |. 8B95 F4FEFFFF |mov edx, dword ptr [ebp-10C] ; 存入edx
|. 8D85 F0FEFFFF |lea eax, dword ptr [ebp-]
0040159B |. |add dword ptr [eax], edx
0040159D |. 8D85 D8FEFFFF |lea eax, dword ptr [ebp-]
004015A3 |. FF00 |inc dword ptr [eax] ; 循环变量自增
004015A5 |.^ EB 8F \jmp short
004015A7 |> C74424 F10>mov dword ptr [esp+], 004400F1 ; enter password: access granted !
004015AF |. C70424 C03344>mov dword ptr [esp], 004433C0
004015B6 |. E8 9DAD0300 call 0043C358
004015BB |. 8D85 E8FEFFFF lea eax, dword ptr [ebp-]
004015C1 |. mov dword ptr [esp+], eax
004015C5 |. C70424 >mov dword ptr [esp],
004015CC |. E8 1F720200 call 004287F0
004015D1 |. C74424 CE0>mov dword ptr [esp+], 004400CE ; enter user-name: enter user-id: enter password: access granted !
004015D9 |. C70424 C03344>mov dword ptr [esp], 004433C0
004015E0 |. E8 73AD0300 call 0043C358
004015E5 |. C74424 28B>mov dword ptr [esp+], 0043B128
004015ED |. mov dword ptr [esp], eax
004015F0 |. E8 BB8C0200 call 0042A2B0
004015F5 |. 8B85 F0FEFFFF mov eax, dword ptr [ebp-]
004015FB |. 3B85 E8FEFFFF cmp eax, dword ptr [ebp-]
3A jnz short 0040163D
|. C74424 >mov dword ptr [esp+], ; access granted !
0040160B |. C70424 C03344>mov dword ptr [esp], 004433C0
|. E8 41AD0300 call 0043C358
|. C74424 28B>mov dword ptr [esp+], 0043B128
0040161F |. mov dword ptr [esp], eax
|. E8 898C0200 call 0042A2B0
|. C74424 >mov dword ptr [esp+], ; you did it cracker...now make a keygen !access denied !press any key to continue...access violation !
0040162F |. C70424 C03344>mov dword ptr [esp], 004433C0
|. E8 1DAD0300 call 0043C358
0040163B |. EB 5C jmp short
0040163D |> C74424 3D0>mov dword ptr [esp+], 0044013D ; access denied !press any key to continue...access violation !
一个比较典型的二元函数加密的例子,算法也很简单。唯一的难点是不能对存放id的地址下内存断点,一旦这样操作就会导致读取失败,不过用硬件断点可以很方便地解决问题。
打开http://www.cnblogs.com/ZRBYYXDM/p/5115596.html中搭建的框架,加入新的ID文本编辑框控件,并在消息响应函数中加上解密代码:
void CKengen_TemplateDlg::OnBtnDecrypt()
{
// TODO: Add your control notification handler code here
CString str,ID;
GetDlgItemText( IDC_EDIT_NAME,str ); //获取用户名字串基本信息。
GetDlgItemText( IDC_EDIT_ID,ID ); if ( str.GetLength() && ID.GetLength() ){ //格式控制。
int IDnum = atoi( ID );
DWORD Res = ,Sum = ;
for ( int i = ; i != str.GetLength() ; i++ ){
Sum = IDnum * IDnum;
Sum += Sum;
Sum += ( str.GetAt(i) + 0x32A6C65 );
Sum += 0x2D67A23;
Res += Sum;
} CString PassWord;
PassWord.Format( "%d",Res );
SetDlgItemText( IDC_EDIT_PASSWORD,PassWord );
}
else
MessageBox( "用户名格式错误!" );
}
继续完善一下拷贝按钮:
void CKengen_TemplateDlg::OnBtnCopy()
{
// TODO: Add your control notification handler code here
CString cmd;
GetDlgItemText( IDC_BTN_COPY,cmd ); if ( OpenClipboard() ){ //打开剪贴板
CString str;
HANDLE hClip;
char *pBuf; EmptyClipboard(); if ( cmd == "拷贝用户名" ) //如果命令是拷贝用户名
GetDlgItemText( IDC_EDIT_NAME,str );
else{
if ( cmd == "拷贝ID" )
GetDlgItemText( IDC_EDIT_ID,str );
else
GetDlgItemText( IDC_EDIT_PASSWORD,str );
} hClip = GlobalAlloc( GMEM_MOVEABLE,str.GetLength() + );
pBuf = (char*)GlobalLock( hClip );
strcpy( pBuf,str );
GlobalUnlock( hClip );
SetClipboardData( CF_TEXT,hClip );
CloseClipboard(); if ( cmd == "拷贝用户名" ){ //变换命令
SetDlgItemText( IDC_BTN_COPY,"拷贝ID" );
SetDlgItemText( IDC_STC_MSG,"拷贝用户名成功!" ); //提示成功
}
else{
if ( cmd == "拷贝ID" ){
SetDlgItemText( IDC_BTN_COPY,"拷贝序列号" );
SetDlgItemText( IDC_STC_MSG,"拷贝ID成功!" );
}
else{
SetDlgItemText( IDC_BTN_COPY,"拷贝用户名" );
SetDlgItemText( IDC_STC_MSG,"拷贝序列号成功!" );
}
}
}
else
SetDlgItemText( IDC_STC_MSG,"拷贝失败!" );
}
再在OnInitDialog中添加此代码修改标题:SetWindowText(_T("CRACKME_Keygen"));
运行效果:
