• 破解 CrackMe#1 [UBC] by bRaINbuSY


    系统 : Windows xp

    程序 : CrackMe#1

    程序下载地址 :http://pan.baidu.com/s/1nuagj6h

    要求 : 编写注册机

    使用工具 :IDA & OD 

    可在看雪论坛中查找关于此程序的破文:http://bbs.pediy.com/showthread.php?t=29063

    IDA载入程序,找出提示破解成功的字串“You cracked the UBC CrackMe#1 ! Please send your solution to ubcrackers@hotmail.com !”并定位关键代码:

    00458800  /.  55            push    ebp
    00458801  |.  8BEC          mov     ebp, esp
    00458803  |.  6A 00         push    0
    00458805  |.  53            push    ebx
    00458806  |.  8BD8          mov     ebx, eax
    00458808  |.  33C0          xor     eax, eax
    0045880A  |.  55            push    ebp
    0045880B  |.  68 74884500   push    00458874
    00458810  |.  64:FF30       push    dword ptr fs:[eax]
    00458813  |.  64:8920       mov     dword ptr fs:[eax], esp
    00458816  |.  E8 45FFFFFF   call    00458760                         ;  获取用户名
    0045881B  |.  8D55 FC       lea     edx, dword ptr [ebp-4]           ;  取一段内存
    0045881E  |.  8B83 D0020000 mov     eax, dword ptr [ebx+2D0]
    00458824  |.  E8 97CDFCFF   call    004255C0                         ;  获取序列号
    00458829  |.  8B45 FC       mov     eax, dword ptr [ebp-4]           ;  取序列号
    0045882C  |.  E8 43EFFAFF   call    00407774                         ;  F(序列号)
    00458831  |.  3B05 44B84500 cmp     eax, dword ptr [45B844]
    00458837  |.  75 1B         jnz     short 00458854
    00458839  |.  B8 88884500   mov     eax, 00458888                    ;  ASCII "You cracked the UBC CrackMe#1 ! Please send your solution to ubcrackers@hotmail.com !"
    0045883E  |.  E8 29C1FEFF   call    0044496C
    00458843  |.  BA E8884500   mov     edx, 004588E8                    ;  ASCII "CRACKED"
    00458848  |.  A1 3CB84500   mov     eax, dword ptr [45B83C]
    0045884D  |.  E8 9ECDFCFF   call    004255F0
    00458852  |.  EB 0A         jmp     short 0045885E
    00458854  |>  B8 F8884500   mov     eax, 004588F8                    ;  ASCII "Try Again !"
    00458859  |.  E8 0EC1FEFF   call    0044496C

    进入F(序列号):

    00407774  /$  55            push    ebp
    00407775  |.  8BEC          mov     ebp, esp
    00407777  |.  83C4 F0       add     esp, -10
    0040777A  |.  53            push    ebx
    0040777B  |.  56            push    esi
    0040777C  |.  33D2          xor     edx, edx
    0040777E  |.  8955 F8       mov     dword ptr [ebp-8], edx
    00407781  |.  8BD8          mov     ebx, eax
    00407783  |.  33C0          xor     eax, eax
    00407785  |.  55            push    ebp
    00407786  |.  68 DC774000   push    004077DC
    0040778B  |.  64:FF30       push    dword ptr fs:[eax]
    0040778E  |.  64:8920       mov     dword ptr fs:[eax], esp
    00407791  |.  8D55 FC       lea     edx, dword ptr [ebp-4]
    00407794  |.  8BC3          mov     eax, ebx
    00407796  |.  E8 D9B1FFFF   call    00402974                         ;  关键call
    0040779B  |.  8BF0          mov     esi, eax
    0040779D  |.  837D FC 00    cmp     dword ptr [ebp-4], 0
    004077A1  |.  74 23         je      short 004077C6
    004077A3  |.  8D55 F8       lea     edx, dword ptr [ebp-8]
    004077A6  |.  A1 90A44500   mov     eax, dword ptr [45A490]
    004077AB  |.  E8 A4D6FFFF   call    00404E54
    004077B0  |.  8B45 F8       mov     eax, dword ptr [ebp-8]
    004077B3  |.  50            push    eax
    004077B4  |.  895D F0       mov     dword ptr [ebp-10], ebx
    004077B7  |.  C645 F4 0B    mov     byte ptr [ebp-C], 0B
    004077BB  |.  8D55 F0       lea     edx, dword ptr [ebp-10]
    004077BE  |.  33C9          xor     ecx, ecx
    004077C0  |.  58            pop     eax
    004077C1  |.  E8 A6FCFFFF   call    0040746C
    004077C6  |>  33C0          xor     eax, eax
    004077C8  |.  5A            pop     edx
    004077C9  |.  59            pop     ecx
    004077CA  |.  59            pop     ecx
    004077CB  |.  64:8910       mov     dword ptr fs:[eax], edx
    004077CE  |.  68 E3774000   push    004077E3
    004077D3  |>  8D45 F8       lea     eax, dword ptr [ebp-8]
    004077D6  |.  E8 0DC0FFFF   call    004037E8
    004077DB  .  C3            retn

    关键call:

    00402974  /$  53            push    ebx
    00402975  |.  56            push    esi
    00402976  |.  57            push    edi
    00402977  |.  89C6          mov     esi, eax
    00402979  |.  50            push    eax
    0040297A  |.  85C0          test    eax, eax                         ;  序列号为空?
    0040297C  |.  74 73         je      short 004029F1
    0040297E  |.  31C0          xor     eax, eax
    00402980  |.  31DB          xor     ebx, ebx
    00402982  |.  BF CCCCCC0C   mov     edi, 0CCCCCCC
    00402987  |>  8A1E          /mov     bl, byte ptr [esi]              ;  迭代序列号
    00402989  |.  46            |inc     esi
    0040298A  |.  80FB 20       |cmp     bl, 20                          ;  字符 = 0x20?
    0040298D  |.^ 74 F8         je      short 00402987                  ;  不是则退出循环
    0040298F  |.  B5 00         mov     ch, 0
    00402991  |.  80FB 2D       cmp     bl, 2D                           ;  Switch (cases 24..78)
    00402994  |.  74 69         je      short 004029FF
    00402996  |.  80FB 2B       cmp     bl, 2B                           ;  ‘+’
    00402999  |.  74 66         je      short 00402A01
    0040299B  |.  80FB 24       cmp     bl, 24
    0040299E  |.  74 66         je      short 00402A06
    004029A0  |.  80FB 78       cmp     bl, 78
    004029A3  |.  74 61         je      short 00402A06
    004029A5  |.  80FB 58       cmp     bl, 58
    004029A8  |.  74 5C         je      short 00402A06
    004029AA  |.  80FB 30       cmp     bl, 30
    004029AD  |.  75 13         jnz     short 004029C2
    004029AF  |.  8A1E          mov     bl, byte ptr [esi]               ;  Case 30 ('0') of switch 00402991
    004029B1  |.  46            inc     esi
    004029B2  |.  80FB 78       cmp     bl, 78
    004029B5  |.  74 4F         je      short 00402A06
    004029B7  |.  80FB 58       cmp     bl, 58
    004029BA  |.  74 4A         je      short 00402A06
    004029BC  |.  84DB          test    bl, bl
    004029BE  |.  74 20         je      short 004029E0
    004029C0  |.  EB 04         jmp     short 004029C6
    004029C2  |>  84DB          test    bl, bl                           ;  Default case of switch 00402991
    004029C4  |.  74 34         je      short 004029FA                   ;  为空则跳转
    004029C6  |>  80EB 30       /sub     bl, 30
    004029C9  |.  80FB 09       |cmp     bl, 9                           ;  高于9?
    004029CC  |.  77 2C         |ja      short 004029FA
    004029CE  |.  39F8          |cmp     eax, edi                        ;  高于0CCCCCCC?
    004029D0  |.  77 28         |ja      short 004029FA
    004029D2  |.  8D0480        |lea     eax, dword ptr [eax+eax*4]      ;  eax = eax + eax*4
    004029D5  |.  01C0          |add     eax, eax                        ;  eax += eax
    004029D7  |.  01D8          |add     eax, ebx                        ;  累加
    004029D9  |.  8A1E          |mov     bl, byte ptr [esi]              ;  取下一个字符
    004029DB  |.  46            |inc     esi
    004029DC  |.  84DB          |test    bl, bl                          ;  不为空?
    004029DE  |.^ 75 E6         jnz     short 004029C6
    004029E0  |>  FECD          dec     ch
    004029E2  |.  74 10         je      short 004029F4
    004029E4  |.  85C0          test    eax, eax
    004029E6  |.  7C 12         jl      short 004029FA
    004029E8  |>  59            pop     ecx
    004029E9  |.  31F6          xor     esi, esi
    004029EB  |>  8932          mov     dword ptr [edx], esi
    004029ED  |.  5F            pop     edi
    004029EE  |.  5E            pop     esi
    004029EF  |.  5B            pop     ebx
    004029F0  |.  C3            retn

    再回去看看程序流程中的关键比对,将eax与45B844处的数据进行对比。这里,对45B844下写入断点,重新运行程序发现关键算法:

    004587A2  |.  33C0          xor     eax, eax                         ;  清空eax
    004587A4  |.  8903          mov     dword ptr [ebx], eax             ;  对内存置零
    004587A6  |.  8B07          mov     eax, dword ptr [edi]             ;  取用户名
    004587A8  |.  E8 B7B2FAFF   call    00403A64                         ;  计算长度
    004587AD  |.  85C0          test    eax, eax                         ;  为空?
    004587AF  |.  7E 19         jle     short 004587CA
    004587B1  |.  C706 01000000 mov     dword ptr [esi], 1
    004587B7  |>  8B17          /mov     edx, dword ptr [edi]            ;  取用户名
    004587B9  |.  8B0E          |mov     ecx, dword ptr [esi]
    004587BB  |.  0FB6540A FF   |movzx   edx, byte ptr [edx+ecx-1]       ;  迭代字串
    004587C0  |.  C1E2 03       |shl     edx, 3                          ;  逻辑左移3位
    004587C3  |.  0113          |add     dword ptr [ebx], edx            ;  与内存值累加
    004587C5  |.  FF06          |inc     dword ptr [esi]                 ;  循环变量自增
    004587C7  |.  48            |dec     eax                             ;  长度-1
    004587C8  |.^ 75 ED         jnz     short 004587B7
    004587CA  |>  8B07          mov     eax, dword ptr [edi]
    004587CC  |.  E8 93B2FAFF   call    00403A64                         ;  计算长度
    004587D1  |.  C1E0 03       shl     eax, 3                           ;  长度逻辑左移3位
    004587D4  |.  0103          add     dword ptr [ebx], eax             ;  与内存值累加
    004587D6  |.  8B03          mov     eax, dword ptr [ebx]
    004587D8  |.  C1E0 02       shl     eax, 2                           ;  长度逻辑左移2位
    004587DB  |.  8903          mov     dword ptr [ebx], eax             ;  存入内存
    004587DD  |.  33C0          xor     eax, eax
    004587DF  |.  5A            pop     edx
    004587E0  |.  59            pop     ecx
    004587E1  |.  59            pop     ecx
    004587E2  |.  64:8910       mov     dword ptr fs:[eax], edx
    004587E5  |.  68 FA874500   push    004587FA
    004587EA  |>  8D45 FC       lea     eax, dword ptr [ebp-4]
    004587ED  |.  E8 F6AFFAFF   call    004037E8
    004587F2  .  C3            retn

    至此,程序算法流程已经分析得差不多了。马上动手编写注册机。

    我们直接打开http://www.cnblogs.com/ZRBYYXDM/p/5115596.html中搭建的框架,并修改OnBtnDecrypt函数如下:

    void CKengen_TemplateDlg::OnBtnDecrypt() 
    {
        // TODO: Add your control notification handler code here
        CString str;
        GetDlgItemText( IDC_EDIT_NAME,str );                    //获取用户名字串基本信息。
        int len = str.GetLength();
    
        int FNameres = 0;
        if ( len != 0 ){                                        //格式控制。
            for ( int i = 0 ; i != len ; i++ )
                FNameres += str[i] << 3;
    
            FNameres += len << 3;
            FNameres = FNameres << 2;
    
            //模拟F(序列号):十进制转化十六进制
            /*
                CString serial = "1234";
                
                int FSelres = 0;
                for ( int j = 0 ; j != serial.GetLength() ; j++ ){
                    FSelres *= 10;
                    FSelres += ( serial[j] - 0x30 );
                }
            */
    
            if ( FNameres > 0x0CCCCCCC )
                return ;
    
            CString PassWord;
            PassWord.Format( "%d",FNameres );
            SetDlgItemText( IDC_EDIT_PASSWORD,PassWord );
        }
        else
            MessageBox( "用户名格式错误!" );
    }

    再在OnInitDialog中添加此代码修改标题:SetWindowText(_T("crackme1_Keygen"));

    运行效果:

    我们一路奋战,不是为了改变世界,而是不让世界改变我们 ——《熔炉》
  • 相关阅读:
    LINQ to Entities 查询中的标准查询运算符
    LINQ to Entities 基于方法的查询语法
    ajax 与 form 提交的区别
    i++ & ++i 区别
    sizeof 数据类型大小 32位&64位
    标准数据类型宏定义
    long & int 区别
    类函数修饰 const
    指针
    数组
  • 原文地址:https://www.cnblogs.com/ZRBYYXDM/p/5144456.html
Copyright © 2020-2023  润新知