• Buzz'm_Frog's CrackMe #2 分析


    这个Crackme是用Borland C++ Builder 写的,和delphi很类似...

    使用好几种方法下断点都不行,很郁闷...

    最后只有上《加密与解密三》上找办法,终于,功夫不负有心人,找到了,O(∩_∩)O~

    找到之后,下断点,看算法,就简单了....

    ; Excerpt of the registration-check routine: it reads the name and the serial, derives a 32-bit value from the name, and compares it with the entered serial.
    00401400 /. 55 push ebp ; function prologue
    00401401 |. 8BEC mov ebp, esp
    00401403 |. 83C4 90 add esp, -70 ; reserve 0x70 bytes for locals
    00401406 |. 53 push ebx
    00401407 |. 8955 A8 mov dword ptr [ebp-58], edx ; save incoming edx
    0040140A |. 8945 AC mov dword ptr [ebp-54], eax ; save incoming eax (reloaded below as the base for [ecx+1C8] / [ecx+1CC])
    0040140D |. B8 BC234300 mov eax, 004323BC
    00401412 |. E8 4D8A0200 call 00429E64
    00401417 |. 66:C745 C0 08>mov word ptr [ebp-40], 8
    0040141D |. 8D45 FC lea eax, dword ptr [ebp-4]
    00401420 |. E8 C3040000 call 004018E8 ; same helper is called on [ebp-4], [ebp-8], [ebp-C], [ebp-10], [ebp-14] - presumably string-object setup (TODO confirm)
    00401425 |. FF45 CC inc dword ptr [ebp-34]
    00401428 |. 66:C745 C0 14>mov word ptr [ebp-40], 14
    0040142E |. 66:C745 C0 20>mov word ptr [ebp-40], 20
    00401434 |. 8D45 F8 lea eax, dword ptr [ebp-8]
    00401437 |. E8 AC040000 call 004018E8
    0040143C |. FF45 CC inc dword ptr [ebp-34]
    0040143F |. 66:C745 C0 14>mov word ptr [ebp-40], 14
    00401445 |. 66:C745 C0 2C>mov word ptr [ebp-40], 2C
    0040144B |. 8D45 F4 lea eax, dword ptr [ebp-C]
    0040144E |. E8 95040000 call 004018E8
    00401453 |. FF45 CC inc dword ptr [ebp-34]
    00401456 |. 66:C745 C0 14>mov word ptr [ebp-40], 14
    0040145C |. C645 A7 00 mov byte ptr [ebp-59], 0
    00401460 |. 66:C745 C0 38>mov word ptr [ebp-40], 38
    00401466 |. 8D45 F0 lea eax, dword ptr [ebp-10]
    00401469 |. E8 7A040000 call 004018E8
    0040146E |. 8BD0 mov edx, eax
    00401470 |. FF45 CC inc dword ptr [ebp-34]
    00401473 |. 8B4D AC mov ecx, dword ptr [ebp-54]
    00401476 |. 8B81 C8010000 mov eax, dword ptr [ecx+1C8] ; member at offset 0x1C8 of the saved eax - presumably the name input control (TODO confirm)
    0040147C |. E8 BF920000 call 0040A740 ; presumably reads that control's text into the temporary at [ebp-10]
    00401481 |. 8D55 F0 lea edx, dword ptr [ebp-10]
    00401484 |. 8D45 FC lea eax, dword ptr [ebp-4]
    00401487 |. E8 3FE00000 call 0040F4CB ; called with eax = &[ebp-4], edx = &[ebp-10] - presumably copies the temporary into [ebp-4]
    0040148C |. FF4D CC dec dword ptr [ebp-34]
    0040148F |. 8D45 F0 lea eax, dword ptr [ebp-10]
    00401492 |. BA 02000000 mov edx, 2
    00401497 |. E8 00E00000 call 0040F49C ; author's note: edx = user name
    0040149C |. 66:C745 C0 44>mov word ptr [ebp-40], 44
    004014A2 |. 8D45 EC lea eax, dword ptr [ebp-14]
    004014A5 |. E8 3E040000 call 004018E8
    004014AA |. 8BD0 mov edx, eax
    004014AC |. FF45 CC inc dword ptr [ebp-34]
    004014AF |. 8B4D AC mov ecx, dword ptr [ebp-54]
    004014B2 |. 8B81 CC010000 mov eax, dword ptr [ecx+1CC] ; member at offset 0x1CC - presumably the serial input control (TODO confirm)
    004014B8 |. E8 83920000 call 0040A740
    004014BD |. 8D55 EC lea edx, dword ptr [ebp-14]
    004014C0 |. 8D45 F8 lea eax, dword ptr [ebp-8]
    004014C3 |. E8 03E00000 call 0040F4CB
    004014C8 |. FF4D CC dec dword ptr [ebp-34]
    004014CB |. 8D45 EC lea eax, dword ptr [ebp-14]
    004014CE |. BA 02000000 mov edx, 2
    004014D3 |. E8 C4DF0000 call 0040F49C ; author's note: edx = entered serial
    004014D8 |. 33C9 xor ecx, ecx
    004014DA |. 894D A0 mov dword ptr [ebp-60], ecx ; [ebp-60] = 0: running sum of the name bytes
    004014DD |. 66:C745 C0 14>mov word ptr [ebp-40], 14
    004014E3 |. C745 9C 01000>mov dword ptr [ebp-64], 1
    004014EA |. 8D45 F8 lea eax, dword ptr [ebp-8]
    004014ED |. E8 B2EA0000 call 0040FFA4 ; called on the serial string at [ebp-8]; presumably a string-to-integer conversion (TODO confirm)
    004014F2 |. 8945 98 mov dword ptr [ebp-68], eax ; [ebp-68] = value returned for the entered serial
    004014F5 |. 33D2 xor edx, edx
    004014F7 |. 8955 94 mov dword ptr [ebp-6C], edx ; [ebp-6C] = 0: loop index
    004014FA |. EB 15 jmp short 00401511 ; enter the loop at its condition check
    004014FC |> 8D45 FC /lea eax, dword ptr [ebp-4]
    004014FF |. E8 14040000 |call 00401918 ; eax = base pointer used to index the name bytes
    00401504 |. 8B55 94 |mov edx, dword ptr [ebp-6C]
    00401507 |. 0FBE0C10 |movsx ecx, byte ptr [eax+edx] ; sign-extended name byte at the current index
    0040150B |. 014D A0 |add dword ptr [ebp-60], ecx ; sum += byte
    0040150E |. FF45 94 |inc dword ptr [ebp-6C] ; ++index
    00401511 |> 8D45 FC lea eax, dword ptr [ebp-4]
    00401514 |. E8 DDE10000 |call 0040F6F6 ; eax is compared with the index below - presumably the name length
    00401519 |. 3B45 94 |cmp eax, dword ptr [ebp-6C]
    0040151C |.^ 7F DE \jg short 004014FC ; loop while eax > index (signed): the name bytes are summed into [ebp-60]; [ebp-6C] is only the loop index
    0040151E |. 6955 A0 32130>imul edx, dword ptr [ebp-60], 1332 ; multiply by 0x1332, result in edx
    00401525 |. 8955 A0 mov dword ptr [ebp-60], edx
    00401528 |. 694D A0 32130>imul ecx, dword ptr [ebp-60], 1332 ; multiply by 0x1332 again, result in ecx
    0040152F |. 894D A0 mov dword ptr [ebp-60], ecx
    00401532 |. 6945 A0 32130>imul eax, dword ptr [ebp-60], 1332 ; multiply by 0x1332 a third time, result in eax
    00401539 |. 8945 A0 mov dword ptr [ebp-60], eax
    0040153C |. 8145 A0 4A0F0>add dword ptr [ebp-60], 0F4A ; finally add 0x0F4A; [ebp-60] now holds the expected serial
    00401543 |. 8B55 98 mov edx, dword ptr [ebp-68] ; value of the entered serial
    00401546 |. 3B55 A0 cmp edx, dword ptr [ebp-60] ; compare entered serial with the expected one
    00401549 |. 0F85 71010000 jnz 004016C0 ; mismatch: branch to 004016C0 (target not shown in this excerpt)
    0040154F |. 66:C745 C0 50>mov word ptr [ebp-40], 50
    00401555 |. 8D45 E8 lea eax, dword ptr [ebp-18]
    00401558 |. 8B55 A0 mov edx, dword ptr [ebp-60] ; expected value passed in edx to the next call
    0040155B |. E8 69DE0000 call 0040F3C9
    00401560 |. FF45 CC inc dword ptr [ebp-34]

    注册机也非常简单:

    #include <iostream>
    using namespace std;

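    // Reproduces the check from the listing above:
    //   serial = (sum of the name's bytes) * 0x1332 * 0x1332 * 0x1332 + 0xF4A
    // computed in 32-bit arithmetic. The value depends only on the name and on
    // constants embedded in the binary, which is why the check can be rebuilt
    // from the disassembly alone.
    int main(void)
    {
        // Zero-initialised so the buffer is a valid empty string even if the
        // read below fails (e.g. on end of input).
        char name[40] = {0};

        std::cout << "Name:";

        // Limit the extraction to the buffer size (39 characters plus the
        // terminator). Without this, a longer token written through `>>` into
        // a fixed char array overruns the stack buffer.
        std::cin.width(sizeof(name));
        std::cin >> name;

        // Relies on unsigned int being 32 bits wide so that wrap-around matches
        // the 32-bit add/imul instructions in the listing.
        unsigned int sum = 0;
        for (const char *p = name; *p != '\0'; ++p)
        {
            // The listing loads each byte with movsx (sign extension), so force
            // signed char rather than depending on the platform's plain-char
            // signedness.
            sum += static_cast<unsigned int>(static_cast<signed char>(*p));
        }

        // NOTE(review): the value is printed as an unsigned decimal. Whether the
        // program's own string-to-integer call accepts values above INT_MAX is
        // not visible in the listing - confirm before relying on large results.
        std::cout << sum * 0x1332 * 0x1332 * 0x1332 + 0xF4A;

        // Two reads keep the console window open: the first consumes the
        // newline left behind by the name input, the second waits for a key.
        std::cin.get();
        std::cin.get();

        return 0;
    }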
    没事,别怕,这是签名→→┃ 青山幽谷笛声扬,白鹤振羽任翱翔。往事前尘随风逝,携手云峰隐仙乡。 ┃
  • 原文地址:https://www.cnblogs.com/dabiao/p/1958723.html