aLoNg3x.1-CrackMe简单算法分析+VB注册机源码
【破文标题】aLoNg3x.1-CrackMe简单算法分析+VB注册机源码
【破解作者】hrbx
【作者主页】hrbx.ys168.com
【作者邮箱】hrbx@163.com
【破解平台】WinXP
【使用工具】flyOD1.10、Peid
【破解日期】2006-5-16
【软件名称】aLoNg3x.1-CrackMe
【软件大小】344KB
【下载地址】https://www.chinapyg.com/viewthread.php?tid=4815&extra=page%3D1
【加壳方式】无
【软件简介】aLoNg3x.1-CrackMe
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
-----------------------------------------------------------------------------------------------
【破解过程】
0.前言。这个CrackMe本身并没有多大的难度,只是比较具有欺骗性。开始以为那个"Cancella"按钮是用于清除
注册码的"Cancel"按钮,把注意力都放在使CrackMe的灰色按钮可用,而事实上并非如此。
1.查壳。用PEID扫描,显示为:Borland Delphi 6.0 - 7.0。
2.试运行。输入注册信息,"OK"按钮为灰色不可用,点击"Cancella"按钮注册码被清空,无任何错误提示。
通过DeDe分析得知,"OK"按钮按钮事件开始地址为00442D64,"Cancella"按钮按钮事件开始地址为00442EA8。
3.一切从"Cancella"按钮开始。OD载入CrackMe,Ctrl+G,输入:00442EA8,回车,来到00442EA8处F2下断,
F9运行,输入注册信息:
========================
Nome:honrbx
Codice:987654321
========================
点击"Cancella"按钮,立即中断:
00442EA8 55 push ebp ; F2中此下断,中断后F8往下走
00442EA9 8BEC mov ebp,esp
00442EAB 6A 00 push 0
00442EAD 53 push ebx
00442EAE 8BD8 mov ebx,eax
00442EB0 33C0 xor eax,eax
00442EB2 55 push ebp
00442EB3 68 322F4400 push aLoNg3x_.00442F32
00442EB8 64:FF30 push dword ptr fs:
00442EBB 64:8920 mov dword ptr fs:,esp
00442EBE 8D55 FC lea edx,dword ptr ss:
00442EC1 8B83 E0020000 mov eax,dword ptr ds:
00442EC7 E8 F403FEFF call aLoNg3x_.004232C0
00442ECC 8B45 FC mov eax,dword ptr ss: ; 假码"987654321"
00442ECF E8 9C47FCFF call aLoNg3x_.00407670 ; 假码转为16进制整数
00442ED4 50 push eax ; EAX=0x3ADE68B1(987654321)
00442ED5 8D55 FC lea edx,dword ptr ss:
00442ED8 8B83 DC020000 mov eax,dword ptr ds:
00442EDE E8 DD03FEFF call aLoNg3x_.004232C0
00442EE3 8B45 FC mov eax,dword ptr ss: ; 用户名"honrbx"
00442EE6 5A pop edx
00442EE7 E8 08FCFFFF call aLoNg3x_.00442AF4 ; 关键CALL-1,F7进入
00442EEC 84C0 test al,al
00442EEE 74 1C je short aLoNg3x_.00442F0C ; 暴破点1,Nop掉
00442EF0 33D2 xor edx,edx
00442EF2 8B83 D0020000 mov eax,dword ptr ds:
00442EF8 E8 B302FEFF call aLoNg3x_.004231B0
00442EFD B2 01 mov dl,1
00442EFF 8B83 CC020000 mov eax,dword ptr ds:
00442F05 8B08 mov ecx,dword ptr ds:
00442F07 FF51 60 call dword ptr ds:
00442F0A EB 10 jmp short aLoNg3x_.00442F1C
00442F0C BA 482F4400 mov edx,aLoNg3x_.00442F48 ; 0
00442F11 8B83 E0020000 mov eax,dword ptr ds:
00442F17 E8 D403FEFF call aLoNg3x_.004232F0
00442F1C 33C0 xor eax,eax
00442F1E 5A pop edx
00442F1F 59 pop ecx
00442F20 59 pop ecx
00442F21 64:8910 mov dword ptr fs:,edx
00442F24 68 392F4400 push aLoNg3x_.00442F39
00442F29 8D45 FC lea eax,dword ptr ss:
00442F2C E8 8708FCFF call aLoNg3x_.004037B8
00442F31 C3 retn
F7进入00442EE7处的关键CALL-1,来到:
00442AF4 55 push ebp
00442AF5 8BEC mov ebp,esp
00442AF7 83C4 F8 add esp,-8
00442AFA 53 push ebx
00442AFB 56 push esi
00442AFC 8955 F8 mov dword ptr ss:,edx
00442AFF 8945 FC mov dword ptr ss:,eax
00442B02 8B45 FC mov eax,dword ptr ss:
00442B05 E8 DE10FCFF call aLoNg3x_.00403BE8
00442B0A 33C0 xor eax,eax
00442B0C 55 push ebp
00442B0D 68 902B4400 push aLoNg3x_.00442B90
00442B12 64:FF30 push dword ptr fs:
00442B15 64:8920 mov dword ptr fs:,esp
00442B18 8B45 FC mov eax,dword ptr ss: ; 用户名"honrbx"
00442B1B E8 140FFCFF call aLoNg3x_.00403A34 ; 获取用户名长度,EAX=6
00442B20 83F8 05 cmp eax,5 ; 用户名长度与5比较
00442B23 7E 53 jle short aLoNg3x_.00442B78 ; 小于等于则Over
00442B25 8B45 FC mov eax,dword ptr ss: ; 用户名"honrbx"
00442B28 0FB640 04 movzx eax,byte ptr ds: ; 取用户名第5位字符的ASCII值,EAX=0x62('b')
00442B2C B9 07000000 mov ecx,7 ; ECX=7
00442B31 33D2 xor edx,edx
00442B33 F7F1 div ecx ; EAX/ECX,商给EAX,余数给EDX
00442B35 8BC2 mov eax,edx ; EAX=EDX,余数给EAX
00442B37 83C0 02 add eax,2 ; EAX=EAX+2
00442B3A E8 E1FEFFFF call aLoNg3x_.00442A20
00442B3F 8BF0 mov esi,eax ; ESI=EAX
00442B41 33DB xor ebx,ebx
00442B43 8B45 FC mov eax,dword ptr ss: ; 用户名"honrbx"
00442B46 E8 E90EFCFF call aLoNg3x_.00403A34 ; 获取用户名长度,EAX=6
00442B4B 85C0 test eax,eax
00442B4D 7E 16 jle short aLoNg3x_.00442B65
00442B4F BA 01000000 mov edx,1
00442B54 8B4D FC mov ecx,dword ptr ss: ; 用户名"honrbx"
00442B57 0FB64C11 FF movzx ecx,byte ptr ds:; 依次取用户名每一位字符的ASCII值给ECX
00442B5C 0FAFCE imul ecx,esi ; ECX=ECX*ESI,ESI初值为上面用户名第5位字符运算所得结果
00442B5F 03D9 add ebx,ecx ; EBX=EBX+ECX
00442B61 42 inc edx ; EBX=0x522(1314)
00442B62 48 dec eax
00442B63 ^ 75 EF jnz short aLoNg3x_.00442B54 ; 没取完用户名则跳回去继续
00442B65 2B5D F8 sub ebx,dword ptr ss: ; EBX=EBX-ss:,ss:=3ADE68B1假码的16进制数
00442B68 81FB 697A0000 cmp ebx,7A69 ; EBX与0x7A69(31337)比较
00442B6E 75 04 jnz short aLoNg3x_.00442B74 ; 不等则Over
00442B70 B3 01 mov bl,1 ; 相等则赋值BL=1
00442B72 EB 06 jmp short aLoNg3x_.00442B7A
00442B74 33DB xor ebx,ebx
00442B76 EB 02 jmp short aLoNg3x_.00442B7A
00442B78 33DB xor ebx,ebx
00442B7A 33C0 xor eax,eax
00442B7C 5A pop edx
00442B7D 59 pop ecx
00442B7E 59 pop ecx
00442B7F 64:8910 mov dword ptr fs:,edx
00442B82 68 972B4400 push aLoNg3x_.00442B97
00442B87 8D45 FC lea eax,dword ptr ss:
00442B8A E8 290CFCFF call aLoNg3x_.004037B8
00442B8F C3 retn
程序取用户名经过运算后与输入的注册码相减再与0x7A69比较,故注册码应为:0x522(1314)-0x7A69(31337)=-30023.
4.解决"OK"按钮。不退出OD,更改注册信息为:
========================
Nome:honrbx
Codice:-30023
========================
点击"Cancella"按钮,"Cancella"按钮变为不可见,同时"OK"按钮也变为可点击。
Ctrl+G,输入通过DeDe找到的"OK"按钮按钮事件开始地址:00442D64,回车,来到00442D64处F2下断,点击"OK"按钮,
立即中断:
00442D64 55 push ebp ; F2在此下断,中断后F8往下
00442D65 8BEC mov ebp,esp
00442D67 6A 00 push 0
00442D69 53 push ebx
00442D6A 8BD8 mov ebx,eax
00442D6C 33C0 xor eax,eax
00442D6E 55 push ebp
00442D6F 68 ED2D4400 push aLoNg3x_.00442DED
00442D74 64:FF30 push dword ptr fs:
00442D77 64:8920 mov dword ptr fs:,esp
00442D7A 8B83 D0020000 mov eax,dword ptr ds:
00442D80 8078 47 01 cmp byte ptr ds:,1
00442D84 75 12 jnz short aLoNg3x_.00442D98
00442D86 BA 002E4400 mov edx,aLoNg3x_.00442E00 ; 0
00442D8B 8B83 E0020000 mov eax,dword ptr ds:
00442D91 E8 5A05FEFF call aLoNg3x_.004232F0
00442D96 EB 3F jmp short aLoNg3x_.00442DD7
00442D98 8D55 FC lea edx,dword ptr ss:
00442D9B 8B83 E0020000 mov eax,dword ptr ds:
00442DA1 E8 1A05FEFF call aLoNg3x_.004232C0
00442DA6 8B45 FC mov eax,dword ptr ss: ; 注册码"-30023"
00442DA9 E8 C248FCFF call aLoNg3x_.00407670
00442DAE 50 push eax
00442DAF 8D55 FC lea edx,dword ptr ss:
00442DB2 8B83 DC020000 mov eax,dword ptr ds:
00442DB8 E8 0305FEFF call aLoNg3x_.004232C0
00442DBD 8B45 FC mov eax,dword ptr ss: ; 用户名"honrbx"
00442DC0 5A pop edx
00442DC1 E8 DAFDFFFF call aLoNg3x_.00442BA0 ; 关键CALL-2,F7进入
00442DC6 84C0 test al,al
00442DC8 74 0D je short aLoNg3x_.00442DD7 ; 暴破点2,Nop掉
00442DCA 33D2 xor edx,edx
00442DCC 8B83 CC020000 mov eax,dword ptr ds:
00442DD2 E8 D903FEFF call aLoNg3x_.004231B0
00442DD7 33C0 xor eax,eax
00442DD9 5A pop edx
00442DDA 59 pop ecx
00442DDB 59 pop ecx
00442DDC 64:8910 mov dword ptr fs:,edx
00442DDF 68 F42D4400 push aLoNg3x_.00442DF4
00442DE4 8D45 FC lea eax,dword ptr ss:
00442DE7 E8 CC09FCFF call aLoNg3x_.004037B8
00442DEC C3 retn
F7进入00442DC1处的关键CALL-2,来到:
00442BA0 55 push ebp
00442BA1 8BEC mov ebp,esp
00442BA3 6A 00 push 0
00442BA5 6A 00 push 0
00442BA7 6A 00 push 0
00442BA9 53 push ebx
00442BAA 56 push esi
00442BAB 8BF2 mov esi,edx
00442BAD 8945 FC mov dword ptr ss:,eax
00442BB0 8B45 FC mov eax,dword ptr ss:
00442BB3 E8 3010FCFF call aLoNg3x_.00403BE8
00442BB8 33C0 xor eax,eax
00442BBA 55 push ebp
00442BBB 68 672C4400 push aLoNg3x_.00442C67
00442BC0 64:FF30 push dword ptr fs:
00442BC3 64:8920 mov dword ptr fs:,esp
00442BC6 33DB xor ebx,ebx
00442BC8 8D55 F8 lea edx,dword ptr ss:
00442BCB 8BC6 mov eax,esi
00442BCD E8 6E4AFCFF call aLoNg3x_.00407640
00442BD2 8D45 F4 lea eax,dword ptr ss:
00442BD5 8B55 F8 mov edx,dword ptr ss:
00442BD8 E8 730CFCFF call aLoNg3x_.00403850
00442BDD 8B45 F8 mov eax,dword ptr ss: ; 注册码"-30023"
00442BE0 E8 4F0EFCFF call aLoNg3x_.00403A34 ; 获取注册码长度,EAX=6
00442BE5 83F8 05 cmp eax,5 ; 注册码长度与5比较
00442BE8 7E 60 jle short aLoNg3x_.00442C4A ; 小于等于则Over
00442BEA 8B45 F8 mov eax,dword ptr ss: ; 注册码"-30023"
00442BED E8 420EFCFF call aLoNg3x_.00403A34 ; 获取注册码长度,EAX=6
00442BF2 8BF0 mov esi,eax
00442BF4 83FE 01 cmp esi,1 ; 注册码长度与1比较
00442BF7 7C 2F jl short aLoNg3x_.00442C28 ; 小于则Over
00442BF9 8D45 F4 lea eax,dword ptr ss:
00442BFC E8 0310FCFF call aLoNg3x_.00403C04
00442C01 8D4430 FF lea eax,dword ptr ds:
00442C05 50 push eax
00442C06 8B45 F8 mov eax,dword ptr ss: ; 注册码"-30023"
00442C09 0FB64430 FF movzx eax,byte ptr ds:; 依次取注册码每一位字符的ASCII值给EAX
00442C0E F7E8 imul eax ; EAX=EAX*EAX
00442C10 0FBFC0 movsx eax,ax ; EAX=AX
00442C13 F7EE imul esi ; EAX=EAX*ESI,ESI为取出的字符的位置
00442C15 B9 19000000 mov ecx,19 ; ECX=0x19
00442C1A 99 cdq
00442C1B F7F9 idiv ecx ; EAX/ECX,商给EAX,余数给EDX
00442C1D 83C2 41 add edx,41 ; EDX=EDX+0x41
00442C20 58 pop eax
00442C21 8810 mov byte ptr ds:,dl ; DL保存
00442C23 4E dec esi
00442C24 85F6 test esi,esi
00442C26 ^ 75 D1 jnz short aLoNg3x_.00442BF9 ; 没取完注册码则跳回去继续循环
00442C28 8B45 F4 mov eax,dword ptr ss: ; 计算所得的用户名"ACMQAG"
00442C2B 8B55 FC mov edx,dword ptr ss: ; 输入的用户名"honrbx"
00442C2E E8 110FFCFF call aLoNg3x_.00403B44 ; 比较两者是否相等
00442C33 75 17 jnz short aLoNg3x_.00442C4C ; 不等则Over
00442C35 8B45 FC mov eax,dword ptr ss:
00442C38 8B55 F4 mov edx,dword ptr ss:
00442C3B E8 040FFCFF call aLoNg3x_.00403B44
00442C40 75 04 jnz short aLoNg3x_.00442C46
00442C42 B3 01 mov bl,1
00442C44 EB 06 jmp short aLoNg3x_.00442C4C
00442C46 33DB xor ebx,ebx
00442C48 EB 02 jmp short aLoNg3x_.00442C4C
00442C4A 33DB xor ebx,ebx
00442C4C 33C0 xor eax,eax
00442C4E 5A pop edx
00442C4F 59 pop ecx
00442C50 59 pop ecx
00442C51 64:8910 mov dword ptr fs:,edx
00442C54 68 6E2C4400 push aLoNg3x_.00442C6E
00442C59 8D45 F4 lea eax,dword ptr ss:
00442C5C BA 03000000 mov edx,3
00442C61 E8 760BFCFF call aLoNg3x_.004037DC
00442C66 C3 retn
-----------------------------------------------------------------------------------------------
【破解总结】
1.程序先取用户名运算得到一数值与输入的注册码相减,结果与0x7A69比较,相等则隐藏"Cancella"按钮,同时使"OK"按钮变为可用。
2.点击"OK"按钮时,取输入的注册码经过运算得到一字符串与输入的用户名比较,相等则隐藏"OK"按钮。
一组可用注册码:
========================
(1)隐藏"Cancella"按钮
Nome:honrbx
Codice:-30023
(2)隐藏"OK"按钮
Nome:ACMQAG
Codice:-30023
========================
暴破更改以下位置:
00442EEE je short aLoNg3x_.00442F0C ; je====>Nop
00442DC8 je short aLoNg3x_.00442DD7 ; je====>Nop
【VB注册机源码】
Private Sub Generate_Click()
On Error Resume Next
Dim Name As String
Dim Code As String
Dim Codice As Long
Dim length As Integer
Dim num As Integer
Dim i As Integer
If GetCodice.Value = True Then
Name = Text1.Text
length = Len(Name)
Codice = 0
If (length <= 5 Or length > 10) Then
Text2.Text = "Name is too long or too short!"
Else
num = Asc(Mid(Name, 5, 1)) Mod 7 + 2
For i = 1 To length
Codice = Codice + Asc(Mid(Name, i, 1)) * num
Next i
Codice = Codice - &H7A69
Text2.Text = Codice
End If
End If
If GetName.Value = True Then
Code = Text2.Text
length = Len(Code)
Name = ""
If (length <= 5 Or length > 9) Then
Text1.Text = "Codice is too long or too short!"
Else
For i = 1 To length
num = Asc(Mid(Code, i, 1)) * Asc(Mid(Code, i, 1)) * i Mod &H19 + &H41
Name = Name & Chr(num)
Next i
Text1.Text = Name
End If
End If
End Sub
-----------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
学习啦,谢谢 有点明白
关键一是要用DEDE找到程序两个命令按钮的入口地址下断
关键二是找到关键跳
不明白的是如果不懂算法能否追到真码 注册机做的好漂亮~ 好文,学习了``` 收藏,学习中 原帖由 风球 于 2006-5-17 19:07 发表
好文,学习了```
The same! UpUpUP! 厉害,这都能破解,佩服学习一下 强,这个偶明天认真学习下
页:
[1]