[原创]AfKayAs Crackme1.0破解分析
【破文作者】qxtianlong【所属组织】无
【作者主页】http://qxtianlong.77169.com
【 E-mail 】kk5910@sina.com
【 作者QQ 】249935058
【文章题目】Crackme的详解
【软件名称】AfKayAs Crackme1.0
【下载地址】
【加密方式】注册码
【加壳方式】无
【破解工具】OD, W32,peid
【软件限制】无
【破解平台】wxp
=======================================================================================================
【软件简介】
Crackme生存的唯一目的就是让我们练手之用!
=======================================================================================================
【文章简介】
我的破解很菜,写这篇东西是给对这个 crackme 有兴趣的兄弟们,分享一下破解心得
=======================================================================================================
【解密过程】
pediy查壳无壳,VB程序
首先试运行,输入试练码qxtianlong,78787878,确认后出现友好提示
W32载入分析字符串,you get wrong,双击来到
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040258B(C)
|
* Possible StringData Ref from Code Obj ->"YYou Get Wrong"
:004025E5 68C81B4000 push 00401BC8 ****来到这,向上看
:004025EA 689C1B4000 push 00401B9C
:004025EF FFD7 call edi
:004025F1 8BD0 mov edx, eax
:004025F3 8D4DE8 lea ecx, dword ptr
:004025F6 FFD3 call ebx
:004025F8 50 push eax
* Possible StringData Ref from Code Obj ->"TTry Again"
|
:004025F9 68E81B4000 push 00401BE8
:004025FE FFD7 call edi
:00402600 8945CC mov dword ptr , eax
:00402603 8D4594 lea eax, dword ptr
:00402606 8D4DA4 lea ecx, dword ptr
:00402609 50 push eax
:0040260A 8D55B4 lea edx, dword ptr
:0040260D 51 push ecx
:0040260E 52 push edx
:0040260F 8D45C4 lea eax, dword ptr
:00402612 6A00 push 00000000
:00402614 50 push eax
:00402615 C745C408000000 mov , 00000008
*************************************************************************************
从0040258B跳来,向上找到他
:00402563 FF15F4404000 Call dword ptr
:00402569 83C40C add esp, 0000000C
:0040256C B904000280 mov ecx, 80020004
:00402571 B80A000000 mov eax, 0000000A
:00402576 894D9C mov dword ptr , ecx
:00402579 6685F6 test si, si
:0040257C 894594 mov dword ptr , eax
:0040257F 894DAC mov dword ptr , ecx
:00402582 8945A4 mov dword ptr , eax
:00402585 894DBC mov dword ptr , ecx
:00402588 8945B4 mov dword ptr , eax
:0040258B 7458 je 004025E5 *****这里跳过去的,跳就死,这里可以爆破
* Possible StringData Ref from Code Obj ->"YYou Get It"
|
:0040258D 68801B4000 push 00401B80
:00402592 689C1B4000 push 00401B9C
:00402597 FFD7 call edi
:00402599 8BD0 mov edx, eax
:0040259B 8D4DE8 lea ecx, dword ptr
:0040259E FFD3 call ebx
:004025A0 50 push eax
* Possible StringData Ref from Code Obj ->"KKeyGen It Now"
|
:004025A1 68A81B4000 push 00401BA8
:004025A6 FFD7 call edi
:004025A8 8D4D94 lea ecx, dword ptr
:004025AB 8945CC mov dword ptr , eax
:004025AE 8D55A4 lea edx, dword ptr
:004025B1 51 push ecx
:004025B2 8D45B4 lea eax, dword ptr
:004025B5 52 push edx
:004025B6 50 push eax
:004025B7 8D4DC4 lea ecx, dword ptr
:004025BA 6A00 push 00000000
:004025BC 51 push ecx
:004025BD C745C408000000 mov , 00000008
我们在0040258B下断,用OD分析,F9运行输入试练码,确定后断在
:0040258B 7458 je 004025E5
我们向上找00402310 55 push ebp在此下断,然后F9出现错误提示,确认后,点OK
断在刚才的push ebp处,F8过一直到
0040240F 8B45 E4 mov eax,dword ptr ss: 看到qxtianlong
00402412 50 push eax
00402413 8B1A mov ebx,dword ptr ds:
00402415 FF15 E4404000 call dword ptr ds:[<&MSVBVM50.__vbaL>; MSVBVM50.__vbaLenBstr 取字符串长度
0040241B 8BF8 mov edi,eax edi=A
0040241D 8B4D E8 mov ecx,dword ptr ss:
00402420 69FF FB7C0100 imul edi,edi,17CFB edi=A*17CFB=EE1CE
00402426 51 push ecx
00402427 0F80 91020000 jo CrackMe1.004026BE 无溢出
0040242D FF15 F8404000 call dword ptr ds:[<&MSVBVM50.#516>] ; MSVBVM50.rtcAnsiValueBstr//Asc(string)
00402433 0FBFD0 movsx edx,ax 取用户名第一个字母Asc码 ax=71
00402436 03FA add edi,edx adi=adi+edx=EE1CE+71=EE23F
00402438 /0F80 80020000 jo CrackMe1.004026BE 无溢出
0040243E |57 push edi
0040243F FF15 E0404000 call dword ptr ds:[<&MSVBVM50.__vbaS>; MSVBVM50.__vbaStrI4
00402445 8BD0 mov edx,eax //***975423
00402447 8D4D E0 lea ecx,dword ptr ss:
0040244A FF15 70414000 call dword ptr ds:[<&MSVBVM50.__vbaS>; MSVBVM50.__vbaStrMove
00402450 8BBD 50FFFFFF mov edi,dword ptr ss:
00402456 50 push eax
00402457 57 push edi
00402458 FF93 A4000000 call dword ptr ds: ; MSVBVM50.74070D32
0040245E 85C0 test eax,eax EAX=0
00402460 7D 12 jge short CrackMe1.00402474 大于或等于跳转
00402462 68 A4000000 push 0A4
00402467 68 5C1B4000 push CrackMe1.00401B5C
0040246C 57 push edi
0040246D 50 push eax
0040246E FF15 04414000 call dword ptr ds:[<&MSVBVM50.__vbaH>; MSVBVM50.__vbaHresultCheckObj
00402474 8D45 E0 lea eax,dword ptr ss:
中间省略N行来到
00402510 8B45 E8 mov eax,dword ptr ss: //假码
00402513 8B4D E4 mov ecx,dword ptr ss: //中间码
00402516 8B3D 00414000 mov edi,dword ptr ds:[<&MSVBVM50.__v>; MSVBVM50.__vbaStrCat
0040251C 50 push eax //假码入栈
0040251D 68 701B4000 push CrackMe1.00401B70 ; UNICODE "AKA-"//入栈
00402522 51 push ecx //中间码入栈
00402523 FFD7 call edi //连接AKA-和中间码EAX可以看到真码
00402525 8B1D 70414000 mov ebx,dword ptr ds:[<&MSVBVM50.__v>; MSVBVM50.__vbaStrMove
0040252B 8BD0 mov edx,eax
0040252D 8D4D E0 lea ecx,dword ptr ss:
00402530 FFD3 call ebx
00402532 50 push eax
00402533 FF15 28414000 call dword ptr ds:[<&MSVBVM50.__vbaS>; MSVBVM50.__vbaStrCmp//真码假码比较
中间省略N行来到
0040258B /74 58 je short CrackMe1.004025E5 跳就死
上面已经分析过了
OK!收工,今天网络有问题,一直到现在才好了,那么就发到论坛里吧!对于我没有网的日子真是难度啊~~^_^
【解密心得】
明码比较,主要找关键点,算法并不是很难
大概是取用户名位数*0x17CFB+用户名第一个字母的asc码,然后转化为十进制
然后AKA-连接上转化的数字就是最后的注册码
name:qxtianlong
serial:AKA-975423
爆破:0040258B /74 58 je short CrackMe1.004025E5 je-->jne 或74-->75
算法注册机
写的很粗略,没有做任何优化和检查,大家将就着看吧!*_*要睡了~~~~~
#include <stdio.h>
#include <string.h>
#include<conio.h>
int main()
{
char name;
char temp[]="AKA-";
unsigned long tem;
int i;
printf("*************************\n");
printf(" Keyken by qxtianlong\n");
printf("2005 - 10 - 13 夜\n");
printf("*************************\n");
printf("请输入用户名:");
scanf("%s",name);
i=strlen(name);
tem=i*0x17CFB+name;
printf("您的注册码是:");
printf("%s%lu\n",temp,tem);
getch();
return 0;
}
=======================================================================================================
【破解声明】我是一个小小菜虫子,文章如有错误,请高手指正!
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
=======================================================================================================
2005-10-13(夜)
页:
[1]