CrackMe Nr.7 simple algorithm analysis
【Title】CrackMe Nr.7 simple algorithm analysis
【Author】hrbx
【Homepage】hrbx.ys168.com
【E-mail】[email protected]
【Platform】WinXP
【Tools】flyOD 1.10, PEiD
【Date】2006-05-29
【Software】CrackMe Nr.7
【Size】383KB
【Download】see attachment
【Packer】none
【Description】CrackMe Nr.7
-----------------------------------------------------------------------------------------------
【Statement】I'm just a newbie; I picked up a few insights and would like to share them :)
-----------------------------------------------------------------------------------------------
【Cracking process】
1. Check for a packer. Scanning with PEiD shows: Borland Delphi 4.0 - 5.0, no packer.
2. Run the CrackMe. It has 5 levels: Nag, Password, Serial, CheckBox, TrackBar.
3. Now take them one at a time.
3-1. Remove the Nag shown at startup.
Load the CrackMe in OD, type bp MessageBoxA in the command bar, press Enter, F9 to run, and it breaks:
77D36476 u>833D D0C3D677 00 cmp dword ptr ds:,0
77D3647D 0F85 885B0100 jnz user32.77D4C00B
77D36483 6A 00 push 0
77D36485 FF7424 14 push dword ptr ss:
Friendly hint from the stack window:
0012FF20 00441CF7 /CALL to MessageBoxA from CrackMe_.00441CF2
0012FF24 000805FE |hOwner = 000805FE ('Crackme_7',class='TApplication')
0012FF28 00A93544 |Text = "Hello, I'm a NAG.Please kill me...."
0012FF2C 00A93578 |Title = "Sorry..."
0012FF30 00000000 \Style = MB_OK|MB_APPLMODAL
0012FF34 0012FFA8 Pointer to next SEH record
0012FF38 00441D59 SE handler
Alt+F9 to return to user code; the Nag window pops up; click "OK" and we arrive at:
00441CF1 |.50 push eax
00441CF2 |.E8 5946FCFF call <jmp.&user32.MessageBoxA>
00441CF7 |.8945 F8 mov dword ptr ss:,eax ;Alt+F9 returns here
00441CFA |.33C0 xor eax,eax
00441CFC |.5A pop edx
Step a few times with F8; after the retn we arrive at:
0044D09C .59 pop ecx
0044D09D E8 724BFFFF call CrackMe_.00441C14 ;calls the Nag form; NOP it out
0044D0A2 .A1 A0ED4400 mov eax,dword ptr ds: ;F8 until here
0044D0A7 .8B00 mov eax,dword ptr ds:
0044D0A9 .E8 7649FFFF call CrackMe_.00441A24
0044D0AE .A1 A0ED4400 mov eax,dword ptr ds:
NOP out the call at 0044D09D and the startup Nag is gone.
3-2. Finding the Password.
Load the CrackMe in OD, right-click -- Ultra String Reference -- Find ASCII, search for "right password",
double-click the hit and we arrive at:
0044C512 |.BA 78C54400 mov edx,CrackMe_.0044C578 ;right password; the double-click lands here
0044C517 |.8B83 E8020000 mov eax,dword ptr ds:
0044C51D |.E8 3293FDFF call CrackMe_.00425854
0044C522 |.EB 22 jmp short CrackMe_.0044C546
0044C524 |>BA 90C54400 mov edx,CrackMe_.0044C590 ;wrong password
Scroll up to 0044C3A4 and press F2 to set a breakpoint there, Ctrl+F2 to reload the CrackMe, F9 to run, and enter the Password:
==========================
Password:9876543210
==========================
Click the "Check" label and it breaks immediately:
0044C3A4 /.55 push ebp ;F2 breakpoint here; after it breaks, walk down with F8
0044C3A5 |.8BEC mov ebp,esp
0044C3A7 |.B9 06000000 mov ecx,6
0044C3AC |>6A 00 /push 0
0044C3AE |.6A 00 |push 0
0044C3B0 |.49 |dec ecx
0044C3B1 |.^ 75 F9 \jnz short CrackMe_.0044C3AC
0044C3B3 |.53 push ebx
0044C3B4 |.8BD8 mov ebx,eax
0044C3B6 |.33C0 xor eax,eax
0044C3B8 |.55 push ebp
0044C3B9 |.68 61C54400 push CrackMe_.0044C561
0044C3BE |.64:FF30 push dword ptr fs:
0044C3C1 |.64:8920 mov dword ptr fs:,esp
0044C3C4 |.8D55 FC lea edx,dword ptr ss:
0044C3C7 |.8B83 E8020000 mov eax,dword ptr ds:
0044C3CD |.E8 5294FDFF call CrackMe_.00425824
0044C3D2 |.8B45 FC mov eax,dword ptr ss: ;trial password "9876543210"
0044C3D5 |.E8 9A76FBFF call CrackMe_.00403A74 ;get the trial password length, EAX=0xA
0044C3DA |.83F8 0C cmp eax,0C ;compare the password length with 0xC
0044C3DD |.0F85 53010000 jnz CrackMe_.0044C536 ;not equal -> game over; patch point 1, NOP it
0044C3E3 |.8D55 FC lea edx,dword ptr ss:
0044C3E6 |.8B83 E8020000 mov eax,dword ptr ds:
0044C3EC |.E8 3394FDFF call CrackMe_.00425824
0044C3F1 |.8B45 FC mov eax,dword ptr ss: ;trial password "9876543210"
0044C3F4 |.8038 43 cmp byte ptr ds:,43 ;compare char 1 of the password with 0x43 ('C')
0044C3F7 |.0F85 27010000 jnz CrackMe_.0044C524 ;not equal -> game over; patch point 2, NOP it
0044C3FD |.8D55 F8 lea edx,dword ptr ss:
0044C400 |.8B83 E8020000 mov eax,dword ptr ds:
0044C406 |.E8 1994FDFF call CrackMe_.00425824
0044C40B |.8B45 F8 mov eax,dword ptr ss:
0044C40E |.8078 03 6F cmp byte ptr ds:,6F ;compare char 4 with 0x6F ('o')
0044C412 |.0F85 0C010000 jnz CrackMe_.0044C524 ;not equal -> game over; patch point 3, NOP it
0044C418 |.8D55 F4 lea edx,dword ptr ss:
0044C41B |.8B83 E8020000 mov eax,dword ptr ds:
0044C421 |.E8 FE93FDFF call CrackMe_.00425824
0044C426 |.8B45 F4 mov eax,dword ptr ss:
0044C429 |.8078 08 6F cmp byte ptr ds:,6F ;compare char 9 with 0x6F ('o')
0044C42D |.0F85 F1000000 jnz CrackMe_.0044C524 ;not equal -> game over; patch point 4, NOP it
0044C433 |.8D55 F0 lea edx,dword ptr ss:
0044C436 |.8B83 E8020000 mov eax,dword ptr ds:
0044C43C |.E8 E393FDFF call CrackMe_.00425824
0044C441 |.8B45 F0 mov eax,dword ptr ss:
0044C444 |.8078 01 6C cmp byte ptr ds:,6C ;compare char 2 with 0x6C ('l')
0044C448 |.0F85 D6000000 jnz CrackMe_.0044C524 ;not equal -> game over; patch point 5, NOP it
0044C44E |.8D55 EC lea edx,dword ptr ss:
0044C451 |.8B83 E8020000 mov eax,dword ptr ds:
0044C457 |.E8 C893FDFF call CrackMe_.00425824
0044C45C |.8B45 EC mov eax,dword ptr ss:
0044C45F |.8078 04 20 cmp byte ptr ds:,20 ;compare char 5 with 0x20 (' ')
0044C463 |.0F85 BB000000 jnz CrackMe_.0044C524 ;not equal -> game over; patch point 6, NOP it
0044C469 |.8D55 E8 lea edx,dword ptr ss:
0044C46C |.8B83 E8020000 mov eax,dword ptr ds:
0044C472 |.E8 AD93FDFF call CrackMe_.00425824
0044C477 |.8B45 E8 mov eax,dword ptr ss:
0044C47A |.8078 0A 52 cmp byte ptr ds:,52 ;compare char 11 with 0x52 ('R')
0044C47E |.0F85 A0000000 jnz CrackMe_.0044C524 ;not equal -> game over; patch point 7, NOP it
0044C484 |.8D55 E4 lea edx,dword ptr ss:
0044C487 |.8B83 E8020000 mov eax,dword ptr ds:
0044C48D |.E8 9293FDFF call CrackMe_.00425824
0044C492 |.8B45 E4 mov eax,dword ptr ss:
0044C495 |.8078 07 75 cmp byte ptr ds:,75 ;compare char 8 with 0x75 ('u')
0044C499 |.0F85 85000000 jnz CrackMe_.0044C524 ;not equal -> game over; patch point 8, NOP it
0044C49F |.8D55 E0 lea edx,dword ptr ss:
0044C4A2 |.8B83 E8020000 mov eax,dword ptr ds:
0044C4A8 |.E8 7793FDFF call CrackMe_.00425824
0044C4AD |.8B45 E0 mov eax,dword ptr ss:
0044C4B0 |.8078 09 6E cmp byte ptr ds:,6E ;compare char 10 with 0x6E ('n')
0044C4B4 |.75 6E jnz short CrackMe_.0044C524 ;not equal -> game over; patch point 9, NOP it
0044C4B6 |.8D55 DC lea edx,dword ptr ss:
0044C4B9 |.8B83 E8020000 mov eax,dword ptr ds:
0044C4BF |.E8 6093FDFF call CrackMe_.00425824
0044C4C4 |.8B45 DC mov eax,dword ptr ss:
0044C4C7 |.8078 02 6E cmp byte ptr ds:,6E ;compare char 3 with 0x6E ('n')
0044C4CB |.75 57 jnz short CrackMe_.0044C524 ;not equal -> game over; patch point 10, NOP it
0044C4CD |.8D55 D8 lea edx,dword ptr ss:
0044C4D0 |.8B83 E8020000 mov eax,dword ptr ds:
0044C4D6 |.E8 4993FDFF call CrackMe_.00425824
0044C4DB |.8B45 D8 mov eax,dword ptr ss:
0044C4DE |.8078 05 69 cmp byte ptr ds:,69 ;compare char 6 with 0x69 ('i')
0044C4E2 |.75 40 jnz short CrackMe_.0044C524 ;not equal -> game over; patch point 11, NOP it
0044C4E4 |.8D55 D4 lea edx,dword ptr ss:
0044C4E7 |.8B83 E8020000 mov eax,dword ptr ds:
0044C4ED |.E8 3293FDFF call CrackMe_.00425824
0044C4F2 |.8B45 D4 mov eax,dword ptr ss:
0044C4F5 |.8078 0B 6E cmp byte ptr ds:,6E ;compare char 12 with 0x6E ('n')
0044C4F9 |.75 29 jnz short CrackMe_.0044C524 ;not equal -> game over; patch point 12, NOP it
0044C4FB |.8D55 D0 lea edx,dword ptr ss:
0044C4FE |.8B83 E8020000 mov eax,dword ptr ds:
0044C504 |.E8 1B93FDFF call CrackMe_.00425824
0044C509 |.8B45 D0 mov eax,dword ptr ss:
0044C50C |.8078 06 67 cmp byte ptr ds:,67 ;compare char 7 with 0x67 ('g')
0044C510 |.75 12 jnz short CrackMe_.0044C524 ;not equal -> game over; patch point 13, NOP it
0044C512 |.BA 78C54400 mov edx,CrackMe_.0044C578 ;right password
0044C517 |.8B83 E8020000 mov eax,dword ptr ds:
0044C51D |.E8 3293FDFF call CrackMe_.00425854
0044C522 |.EB 22 jmp short CrackMe_.0044C546
0044C524 |>BA 90C54400 mov edx,CrackMe_.0044C590 ;wrong password
0044C529 |.8B83 E8020000 mov eax,dword ptr ds:
0044C52F |.E8 2093FDFF call CrackMe_.00425854
0044C534 |.EB 10 jmp short CrackMe_.0044C546
0044C536 |>BA 90C54400 mov edx,CrackMe_.0044C590 ;wrong password
0044C53B |.8B83 E8020000 mov eax,dword ptr ds:
0044C541 |.E8 0E93FDFF call CrackMe_.00425854
0044C546 |>33C0 xor eax,eax
0044C548 |.5A pop edx
0044C549 |.59 pop ecx
The program takes the entered Password one character at a time and compares each with a fixed character; if every one matches, it passes. The Password is therefore the fixed value: Clno iguonRn.
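Since the check above is nothing but one `cmp byte ptr` per position, the expected string can be recovered from the listing mechanically instead of by reading thirteen compares by hand. The script below is an added example (not part of hrbx's write-up, and not code from the CrackMe): it parses the opcode bytes of the compare instructions quoted on this page, `80 38 imm8` for `cmp byte ptr [eax],imm8` and `80 78 disp8 imm8` for `cmp byte ptr [eax+disp8],imm8`, plus the `83 F8 imm8` length check, and rebuilds the password from them. The embedded listing is a constructed sample copied from the lines above; any position the routine never compares is reported as `?`.

```python
import re
from typing import Optional

# Constructed sample: the compare lines of the 0044C3A4 routine as quoted on this
# page. The bracketed operands were lost in extraction, so the parser relies on
# the opcode bytes, which are still present.
LISTING = """
0044C3DA |.83F8 0C cmp eax,0C
0044C3F4 |.8038 43 cmp byte ptr ds:,43
0044C40E |.8078 03 6F cmp byte ptr ds:,6F
0044C429 |.8078 08 6F cmp byte ptr ds:,6F
0044C444 |.8078 01 6C cmp byte ptr ds:,6C
0044C45F |.8078 04 20 cmp byte ptr ds:,20
0044C47A |.8078 0A 52 cmp byte ptr ds:,52
0044C495 |.8078 07 75 cmp byte ptr ds:,75
0044C4B0 |.8078 09 6E cmp byte ptr ds:,6E
0044C4C7 |.8078 02 6E cmp byte ptr ds:,6E
0044C4DE |.8078 05 69 cmp byte ptr ds:,69
0044C4F5 |.8078 0B 6E cmp byte ptr ds:,6E
0044C50C |.8078 06 67 cmp byte ptr ds:,67
"""

# 80 38 ib        -> cmp byte ptr [eax], ib        (position 0)
# 80 78 disp8 ib  -> cmp byte ptr [eax+disp8], ib (position disp8)
BYTE_CMP = re.compile(r"\b80(38|78)\s+(?:([0-9A-F]{2})\s+)?([0-9A-F]{2})\s+cmp byte ptr")
# 83 F8 ib -> cmp eax, ib : the length check that runs before the byte compares
LEN_CMP = re.compile(r"\b83F8\s+([0-9A-F]{2})\s+cmp eax")


def expected_length(listing: str) -> Optional[int]:
    """Length the routine insists on, or None if no 'cmp eax,imm8' is present."""
    m = LEN_CMP.search(listing)
    return int(m.group(1), 16) if m else None


def recover_password(listing: str) -> str:
    """Rebuild the fixed string from the per-position byte compares."""
    chars = {}
    for modrm, disp, imm in BYTE_CMP.findall(listing):
        offset = int(disp, 16) if modrm == "78" else 0   # ModRM 38 = [eax], 78 = [eax+disp8]
        chars[offset] = chr(int(imm, 16))
    length = expected_length(listing)
    if length is None:
        length = max(chars) + 1
    # A position that is never compared is unconstrained; flag it instead of guessing.
    return "".join(chars.get(i, "?") for i in range(length))


if __name__ == "__main__":
    print(expected_length(LISTING), recover_password(LISTING))
```

The same approach works for any routine that checks a secret one byte at a time against immediates: collect (offset, value) pairs from the instruction bytes and lay them out in order.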
3-3. Simple analysis of the Serial algorithm.
Load the CrackMe in OD, right-click -- Ultra String Reference -- Find ASCII, search for "You have found the correct Serial :)",
double-click the hit and we arrive at:
0044C763 |.BA CCC74400 mov edx,CrackMe_.0044C7CC ;you have found the correct serial :)
0044C768 |.E8 E790FDFF call CrackMe_.00425854
0044C76D |>33C0 xor eax,eax
Scroll up to 0044C648 and press F2 to set a breakpoint there, Ctrl+F2 to reload the CrackMe, F9 to run, and enter the registration info:
==========================
Name:hrbxhui
Company:h2h Studios
Serial:9876543210
==========================
Click the "Check" label and it breaks immediately:
0044C648 /.55 push ebp ;F2 breakpoint here; after it breaks, walk down with F8
0044C649 |.8BEC mov ebp,esp
0044C64B |.83C4 F8 add esp,-8
0044C64E |.53 push ebx
0044C64F |.56 push esi
0044C650 |.33C9 xor ecx,ecx
0044C652 |.894D F8 mov dword ptr ss:,ecx
0044C655 |.8BF0 mov esi,eax
0044C657 |.33C0 xor eax,eax
0044C659 |.55 push ebp
0044C65A |.68 83C74400 push CrackMe_.0044C783
0044C65F |.64:FF30 push dword ptr fs:
0044C662 |.64:8920 mov dword ptr fs:,esp
0044C665 |.33C0 xor eax,eax
0044C667 |.8945 FC mov dword ptr ss:,eax
0044C66A |.A1 80F84400 mov eax,dword ptr ds:
0044C66F |.E8 0074FBFF call CrackMe_.00403A74 ;get the user name length, EAX=7
0044C674 |.83F8 06 cmp eax,6 ;compare the user name length with 6
0044C677 |.0F8E F0000000 jle CrackMe_.0044C76D ;less or equal -> game over; patch point 1, NOP it
0044C67D |.A1 80F84400 mov eax,dword ptr ds:
0044C682 |.E8 ED73FBFF call CrackMe_.00403A74 ;get the user name length, EAX=7
0044C687 |.83F8 14 cmp eax,14 ;compare the user name length with 0x14 (20)
0044C68A |.0F8D DD000000 jge CrackMe_.0044C76D ;greater or equal -> game over; patch point 2, NOP it
0044C690 |.A1 80F84400 mov eax,dword ptr ds:
0044C695 |.E8 DA73FBFF call CrackMe_.00403A74
0044C69A |.85C0 test eax,eax
0044C69C |.7E 17 jle short CrackMe_.0044C6B5
0044C69E |.BA 01000000 mov edx,1
0044C6A3 |>8B0D 80F84400 /mov ecx,dword ptr ds: ;user name "hrbxhui"
0044C6A9 |.0FB64C11 FF |movzx ecx,byte ptr ds: ;take the ASCII value of each user name character in turn
0044C6AE |.014D FC |add dword ptr ss:,ecx ;accumulate the ASCII values of all user name characters
0044C6B1 |.42 |inc edx ;the sum of the ASCII values is 0x2FA (762)
0044C6B2 |.48 |dec eax
0044C6B3 |.^ 75 EE \jnz short CrackMe_.0044C6A3
0044C6B5 |>A1 84F84400 mov eax,dword ptr ds:
0044C6BA |.E8 B573FBFF call CrackMe_.00403A74 ;get the company name length, EAX=0xB
0044C6BF |.83F8 02 cmp eax,2 ;compare the company name length with 2
0044C6C2 |.7E 18 jle short CrackMe_.0044C6DC ;less or equal -> jumps to 0044C6DC, skipping the doubling below; patch point 3, NOP it
0044C6C4 |.A1 84F84400 mov eax,dword ptr ds:
0044C6C9 |.E8 A673FBFF call CrackMe_.00403A74 ;get the company name length, EAX=0xB
0044C6CE |.83F8 08 cmp eax,8 ;compare the company name length with 8
0044C6D1 |.7D 09 jge short CrackMe_.0044C6DC ;greater or equal -> jump (skip the doubling)
0044C6D3 |.8B45 FC mov eax,dword ptr ss: ;if the company name length is less than 8 (and more than 2)
0044C6D6 |.6BC0 02 imul eax,eax,2 ;the accumulated sum is doubled, EAX=EAX*2
0044C6D9 |.8945 FC mov dword ptr ss:,eax
0044C6DC |>68 98C74400 push CrackMe_.0044C798 ;"i love cracking and "
0044C6E1 |.8D55 F8 lea edx,dword ptr ss:
0044C6E4 |.8B45 FC mov eax,dword ptr ss:
0044C6E7 |.E8 68B0FBFF call CrackMe_.00407754 ;convert the ASCII sum to a decimal string
0044C6EC |.FF75 F8 push dword ptr ss: ;0x2FA (762) --> "762"
0044C6EF |.68 B8C74400 push CrackMe_.0044C7B8 ;" girls ;)"
0044C6F4 |.B8 8CF84400 mov eax,CrackMe_.0044F88C ;concatenated into the string str1 "I Love Cracking and 762 Girls ;)"
0044C6F9 |.BA 03000000 mov edx,3
0044C6FE |.E8 3174FBFF call CrackMe_.00403B34
0044C703 |.33C0 xor eax,eax
0044C705 |.8945 FC mov dword ptr ss:,eax
0044C708 |.A1 88F84400 mov eax,dword ptr ds:
0044C70D |.E8 6273FBFF call CrackMe_.00403A74 ;get the length of the trial serial "9876543210", EAX=0xA (10)
0044C712 |.8BD8 mov ebx,eax ;EBX=EAX=0xA
0044C714 |.A1 8CF84400 mov eax,dword ptr ds:
0044C719 |.E8 5673FBFF call CrackMe_.00403A74 ;get the length of str1, EAX=0x20 (32)
0044C71E |.3BD8 cmp ebx,eax ;are the trial serial and str1 the same length?
0044C720 |.75 4B jnz short CrackMe_.0044C76D ;not equal -> game over; patch point 4, NOP it
0044C722 |.A1 88F84400 mov eax,dword ptr ds:
0044C727 |.E8 4873FBFF call CrackMe_.00403A74
0044C72C |.85C0 test eax,eax
0044C72E |.7E 27 jle short CrackMe_.0044C757
0044C730 |.BA 01000000 mov edx,1
0044C735 |>8B0D 88F84400 /mov ecx,dword ptr ds: ;trial serial "9876543210"
0044C73B |.0FB64C11 FF |movzx ecx,byte ptr ds: ;take the ASCII value of each serial character in turn
0044C740 |.034D FC |add ecx,dword ptr ss: ;add the running total kept on the stack to the character's ASCII value
0044C743 |.8B1D 8CF84400 |mov ebx,dword ptr ds: ;string str1 "I Love Cracking and 762 Girls ;)"
0044C749 |.0FB65C13 FF |movzx ebx,byte ptr ds: ;take the ASCII value of each str1 character in turn
0044C74E |.2BCB |sub ecx,ebx ;subtract the ASCII value of the str1 character
0044C750 |.894D FC |mov dword ptr ss:,ecx ;store the difference back as the running total
0044C753 |.42 |inc edx
0044C754 |.48 |dec eax
0044C755 |.^ 75 DE \jnz short CrackMe_.0044C735
0044C757 |>837D FC 00 cmp dword ptr ss:,0 ;is the running total 0?
0044C75B |.75 10 jnz short CrackMe_.0044C76D ;not zero -> game over; patch point 5, NOP it
0044C75D |.8B86 14030000 mov eax,dword ptr ds:
0044C763 |.BA CCC74400 mov edx,CrackMe_.0044C7CC ;you have found the correct serial :)
0044C768 |.E8 E790FDFF call CrackMe_.00425854
The user name and company name lengths are restricted; the ASCII values of the user name characters are summed, the result is concatenated with a fixed string, and that string is compared with the serial that was entered.
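To show what the routine actually enforces, here is an added example (my reconstruction, not hrbx's code or the CrackMe's own) that builds str1 from a user name and company name and then performs the same comparison the CrackMe does. The company-name branches are read from the listing: the jumps at 0044C6C2 (length <= 2) and 0044C6D1 (length >= 8) both go straight to 0044C6DC, so only a company name of 3 to 7 characters doubles the sum. Because the final check compares only the lengths and the running difference of the character sums, any rearrangement of str1 is accepted as well; the block's own test demonstrates that. The prefix and suffix text are the strings shown at 0044C6DC and 0044C6EF as the author spelled them.

```python
PREFIX = "I Love Cracking and "   # pushed at 0044C6DC
SUFFIX = " Girls ;)"              # pushed at 0044C6EF


def make_serial(name: str, company: str):
    """Rebuild str1 the way the routine at 0044C648 does.

    Returns None when the user-name length checks at 0044C674 / 0044C687 bail out.
    """
    if not 6 < len(name) < 0x14:                 # cmp eax,6 / jle   and   cmp eax,14 / jge
        return None
    total = sum(ord(c) for c in name)            # loop at 0044C6A3: add every byte
    # 0044C6C2 skips the doubling when len <= 2, 0044C6D1 skips it when len >= 8,
    # so only a company name of 3..7 characters reaches the imul at 0044C6D6.
    if 2 < len(company) < 8:
        total *= 2
    return f"{PREFIX}{total}{SUFFIX}"            # IntToStr + 3-way concat (00407754 / 00403B34)


def check_serial(name: str, company: str, serial: str) -> bool:
    """The comparison the CrackMe performs at 0044C71E..0044C75B."""
    str1 = make_serial(name, company)
    if str1 is None or len(serial) != len(str1):  # cmp ebx,eax / jnz
        return False
    acc = 0
    for s, t in zip(serial, str1):                # loop at 0044C735
        acc = acc + ord(s) - ord(t)               # add ecx,total ; sub ecx,ebx ; store
    return acc == 0                               # cmp total,0 / jnz


if __name__ == "__main__":
    s = make_serial("hrbxhui", "h2h Studios")
    print(s, check_serial("hrbxhui", "h2h Studios", s))
```

The weakness is visible in `check_serial`: it never compares characters position by position, only the total difference, so the serial is effectively a multiset of characters rather than a string.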
3-4. A tour of the heart-shaped CheckBoxes. Since the CrackMe is written in Delphi, let's analyze it with DeDe.
Load the CrackMe in DeDe; the SpeedButton3Click handler for the CheckBoxes is easy to find. Double-click it and we arrive here:
0044C7F4 55 push ebp
0044C7F5 8BEC mov ebp, esp
0044C7F7 6A00 push $00
0044C7F9 53 push ebx
0044C7FA 8BD8 mov ebx, eax
0044C7FC 33C0 xor eax, eax
0044C7FE 55 push ebp
* Possible String Reference to: '閾i?腽?
|
0044C7FF 6820C94400 push $0044C920
***** TRY
|
0044C804 64FF30 push dword ptr fs:
0044C807 648920 mov fs:, esp
* Reference to control TForm1.cb3 : TCheckBox <====CheckBox3
|
0044C80A 8B8324030000 mov eax,
0044C810 8B10 mov edx,
* Reference to method TCheckBox.GetChecked()
|
0044C812 FF92B8000000 call dword ptr
0044C818 84C0 test al, al
0044C81A 0F84CD000000 jz 0044C8ED
* Reference to control TForm1.cb5 : TCheckBox <====CheckBox5
|
0044C820 8B8328030000 mov eax,
0044C826 8B10 mov edx,
* Reference to method TCheckBox.GetChecked()
|
0044C828 FF92B8000000 call dword ptr
0044C82E 84C0 test al, al
0044C830 0F84B7000000 jz 0044C8ED
* Reference to control TForm1.cb6 : TCheckBox <====CheckBox6
|
0044C836 8B832C030000 mov eax,
0044C83C 8B10 mov edx,
* Reference to method TCheckBox.GetChecked()
|
0044C83E FF92B8000000 call dword ptr
0044C844 84C0 test al, al
0044C846 0F84A1000000 jz 0044C8ED
* Reference to control TForm1.cb12 : TCheckBox <====CheckBox12
|
0044C84C 8B8358030000 mov eax,
0044C852 8B10 mov edx,
* Reference to method TCheckBox.GetChecked()
|
0044C854 FF92B8000000 call dword ptr
0044C85A 84C0 test al, al
0044C85C 0F848B000000 jz 0044C8ED
* Reference to control TForm1.cb15 : TCheckBox <====CheckBox15
|
0044C862 8B8364030000 mov eax,
0044C868 8B10 mov edx,
* Reference to method TCheckBox.GetChecked()
|
0044C86A FF92B8000000 call dword ptr
0044C870 84C0 test al, al
0044C872 7479 jz 0044C8ED
* Reference to control TForm1.cb20 : TCheckBox <====CheckBox20
|
0044C874 8B8330030000 mov eax,
0044C87A 8B10 mov edx,
* Reference to method TCheckBox.GetChecked()
|
0044C87C FF92B8000000 call dword ptr
0044C882 84C0 test al, al
0044C884 7467 jz 0044C8ED
* Reference to control TForm1.cb9 : TCheckBox <====CheckBox9
|
0044C886 8B834C030000 mov eax,
0044C88C 8B10 mov edx,
* Reference to method TCheckBox.GetChecked()
|
0044C88E FF92B8000000 call dword ptr
0044C894 84C0 test al, al
0044C896 7455 jz 0044C8ED
* Reference to control TForm1.cb11 : TCheckBox <====CheckBox11
|
0044C898 8B8354030000 mov eax,
0044C89E 8B10 mov edx,
* Reference to method TCheckBox.GetChecked()
|
0044C8A0 FF92B8000000 call dword ptr
0044C8A6 84C0 test al, al
0044C8A8 7443 jz 0044C8ED
* Reference to control TForm1.cb13 : TCheckBox <====CheckBox13
|
0044C8AA 8B835C030000 mov eax,
0044C8B0 8B10 mov edx,
* Reference to method TCheckBox.GetChecked()
|
0044C8B2 FF92B8000000 call dword ptr
0044C8B8 84C0 test al, al
0044C8BA 7431 jz 0044C8ED
* Reference to control TForm1.cb19 : TCheckBox <====CheckBox19
|
0044C8BC 8B833C030000 mov eax,
0044C8C2 8B10 mov edx,
* Reference to method TCheckBox.GetChecked()
|
0044C8C4 FF92B8000000 call dword ptr
0044C8CA 84C0 test al, al
0044C8CC 741F jz 0044C8ED
0044C8CE 8D45FC lea eax,
* Possible String Reference to: '条舾鲼辚螭哨榔材驸忸噤抖' <==== the encrypted success message "You are a GOOD Cracker!!"
|
0044C8D1 BA34C94400 mov edx, $0044C934
* Reference to: System.Proc_00403890
|
0044C8D6 E8B56FFBFF call 00403890
0044C8DB 8D45FC lea eax,
* Reference to: crack.Proc_0044BF00
|
0044C8DE E81DF6FFFF call 0044BF00
0044C8E3 8B45FC mov eax,
* Reference to: dialogs.ShowMessage(AnsiString);
|
0044C8E6 E80989FFFF call 004451F4
0044C8EB EB1D jmp 0044C90A
0044C8ED 8D45FC lea eax,
* Possible String Reference to: '?骝琛?帙?赙甬?ろ?铊?' <==== the encrypted failure message "Sorry,but this is wrong!"
|
0044C8F0 BA58C94400 mov edx, $0044C958
* Reference to: System.Proc_00403890
|
0044C8F5 E8966FFBFF call 00403890
0044C8FA 8D45FC lea eax,
* Reference to: crack.Proc_0044BF00
|
0044C8FD E8FEF5FFFF call 0044BF00
0044C902 8B45FC mov eax,
* Reference to: dialogs.ShowMessage(AnsiString);
|
0044C905 E8EA88FFFF call 004451F4
0044C90A 33C0 xor eax, eax
0044C90C 5A pop edx
0044C90D 59 pop ecx
0044C90E 59 pop ecx
0044C90F 648910 mov fs:, edx
****** FINALLY
DeDe has already made it clear: 10 CheckBoxes have to be ticked.
Load the CrackMe in OD, Ctrl+G, enter 0044C7F4, Enter, press F2 at 0044C7F4 to set a breakpoint, F9 to run, and tick the CheckBoxes one at a time until the jump at 0044C81A is no longer taken;
the CheckBox just ticked is then CheckBox3. Next, likewise make the jump at 0044C830 not taken, and all the remaining CheckBoxes can be worked out the same way.
0044C7F4 /.55 push ebp
0044C7F5 |.8BEC mov ebp,esp
0044C7F7 |.6A 00 push 0
0044C7F9 |.53 push ebx
0044C7FA |.8BD8 mov ebx,eax
0044C7FC |.33C0 xor eax,eax
0044C7FE |.55 push ebp
0044C7FF |.68 20C94400 push CrackMe_.0044C920
0044C804 |.64:FF30 push dword ptr fs:
0044C807 |.64:8920 mov dword ptr fs:,esp
0044C80A |.8B83 24030000 mov eax,dword ptr ds:
0044C810 |.8B10 mov edx,dword ptr ds:
0044C812 |.FF92 B8000000 call dword ptr ds: ;check whether CheckBox3 is ticked
0044C818 |.84C0 test al,al
0044C81A |.0F84 CD000000 je CrackMe_.0044C8ED ;patch point 1, NOP it
0044C820 |.8B83 28030000 mov eax,dword ptr ds:
0044C826 |.8B10 mov edx,dword ptr ds:
0044C828 |.FF92 B8000000 call dword ptr ds: ;check whether CheckBox5 is ticked
0044C82E |.84C0 test al,al
0044C830 |.0F84 B7000000 je CrackMe_.0044C8ED ;patch point 2, NOP it
0044C836 |.8B83 2C030000 mov eax,dword ptr ds:
0044C83C |.8B10 mov edx,dword ptr ds:
Taking the top CheckBox of the first column of the heart as number 1 and numbering clockwise from 1 to 20,
tick the CheckBoxes numbered 3, 5, 6, 9, 11, 12, 13, 15, 19 and 20 to pass this level.
3-5. TrackBar floating-point arithmetic. Likewise, DeDe shows that the TrackBar corresponds to SpeedButton4Click.
The TForm1.SpeedButton4Click event handler is:
0044CB40 E807F6FFFF call 0044C14C
Load the CrackMe in OD, Ctrl+G, enter 0044C14C, Enter, press F2 at 0044C14C to set a breakpoint, F9 to run,
drag the TrackBars one by one so that the Serial reads 12345, click the "Check" label, and it breaks immediately:
0044C14C /$55 push ebp
0044C14D |.8BEC mov ebp,esp
0044C14F |.83C4 98 add esp,-68
0044C152 |.53 push ebx
0044C153 |.33D2 xor edx,edx
0044C155 |.8955 C4 mov dword ptr ss:,edx
0044C158 |.8955 FC mov dword ptr ss:,edx
0044C15B |.8955 F8 mov dword ptr ss:,edx
0044C15E |.8BD8 mov ebx,eax
0044C160 |.33C0 xor eax,eax
0044C162 |.55 push ebp
0044C163 |.68 44C34400 push CrackMe_.0044C344
0044C168 |.64:FF30 push dword ptr fs:
0044C16B |.64:8920 mov dword ptr fs:,esp
0044C16E |.8D55 C4 lea edx,dword ptr ss:
0044C171 |.8B83 80030000 mov eax,dword ptr ds:
0044C177 |.E8 A896FDFF call CrackMe_.00425824
0044C17C |.8B45 C4 mov eax,dword ptr ss:
0044C17F |.E8 B0C0FBFF call CrackMe_.00408234
0044C184 |.DD5D E8 fstp qword ptr ss: ;1st number, 1.0
0044C187 |.9B wait
0044C188 |.8D55 C4 lea edx,dword ptr ss:
0044C18B |.8B83 98030000 mov eax,dword ptr ds:
0044C191 |.E8 8E96FDFF call CrackMe_.00425824
0044C196 |.8B45 C4 mov eax,dword ptr ss:
0044C199 |.E8 96C0FBFF call CrackMe_.00408234
0044C19E |.DD5D E0 fstp qword ptr ss: ;2nd number, 2.0
0044C1A1 |.9B wait
0044C1A2 |.8D55 C4 lea edx,dword ptr ss:
0044C1A5 |.8B83 9C030000 mov eax,dword ptr ds:
0044C1AB |.E8 7496FDFF call CrackMe_.00425824
0044C1B0 |.8B45 C4 mov eax,dword ptr ss:
0044C1B3 |.E8 7CC0FBFF call CrackMe_.00408234
0044C1B8 |.DD5D D8 fstp qword ptr ss: ;3rd number, 3.0
0044C1BB |.9B wait
0044C1BC |.8D55 C4 lea edx,dword ptr ss:
0044C1BF |.8B83 A0030000 mov eax,dword ptr ds:
0044C1C5 |.E8 5A96FDFF call CrackMe_.00425824
0044C1CA |.8B45 C4 mov eax,dword ptr ss:
0044C1CD |.E8 62C0FBFF call CrackMe_.00408234
0044C1D2 |.DD5D D0 fstp qword ptr ss: ;4th number, 4.0
0044C1D5 |.9B wait
0044C1D6 |.8D55 C4 lea edx,dword ptr ss:
0044C1D9 |.8B83 A4030000 mov eax,dword ptr ds:
0044C1DF |.E8 4096FDFF call CrackMe_.00425824
0044C1E4 |.8B45 C4 mov eax,dword ptr ss:
0044C1E7 |.E8 48C0FBFF call CrackMe_.00408234
0044C1EC |.DD5D C8 fstp qword ptr ss: ;5th number, 5.0
0044C1EF |.9B wait
0044C1F0 |.DD45 E0 fld qword ptr ss: ;2nd number, 2.0
0044C1F3 |.83C4 F4 add esp,-0C
0044C1F6 |.DB3C24 fstp tbyte ptr ss:
0044C1F9 |.9B wait
0044C1FA |.B8 03000000 mov eax,3 ;EAX=3
0044C1FF |.E8 ECF6FCFF call CrackMe_.0041B8F0 ;2nd number raised to the 3rd power, 2^3=8
0044C204 |.D805 50C34400 fadd dword ptr ds: ;add the 1st constant 5.0 (ds: = 5.0), 8.0+5.0=13.0
0044C20A |.D9FA fsqrt ;square root of 13 = 3.60555127546398929
0044C20C |.E8 F365FBFF call CrackMe_.00402804 ;fcos = cos(3.60555127546398929)
0044C211 |.DB7D B8 fstp tbyte ptr ss: ;st=-0.8942880585582759936
0044C214 |.9B wait
0044C215 |.D905 54C34400 fld dword ptr ds: ;2nd constant 1.0 (ds: = 1.0)
0044C21B |.DC45 E8 fadd qword ptr ss: ;add the 1st number to the 2nd constant, 1.0+1.0=2.0
0044C21E |.D9FA fsqrt ;st=2.0; square root of the sum, st=1.4142135623730951680
0044C220 |.D9E0 fchs ;negate, st=-1.4142135623730951680
0044C222 |.DB6D B8 fld tbyte ptr ss: ;load the result computed from the 2nd number, ss: = -0.8942880585582759936
0044C225 |.DEC1 faddp st(1),st ;add the two
0044C227 |.DB7D AC fstp tbyte ptr ss: ;st=-2.3085016209313710080
0044C22A |.9B wait
0044C22B |.D905 58C34400 fld dword ptr ds: ;3rd constant 3.0 (ds: = 3.0)
0044C231 |.DC4D D8 fmul qword ptr ss: ;multiply the 3rd constant by the 3rd number, 3.0*3.0=9.0
0044C234 |.D805 54C34400 fadd dword ptr ds: ;add the 2nd constant 1.0 to the product, 9.0+1.0=10.0
0044C23A |.D9ED fldln2 ;st0=ln2=0.6931471805599453184, st1=10
0044C23C |.D9C9 fxch st(1) ;fxch swaps st(0) and st(1); afterwards st0=10.0, st1=0.6931471805599453184
0044C23E |.D9F1 fyl2x ;fyl2x: st(1)*log2(st(0)), then pop, i.e. ln2*log2(10)=ln(10)=2.3025850929940456960
0044C240 |.DB6D AC fld tbyte ptr ss: ;ss: = -2.3085016209313710080, st(0)=-2.3085016209313710080
0044C243 |.DEC1 faddp st(1),st ;st(1)+st, add the two floats
0044C245 |.DB7D A0 fstp tbyte ptr ss: ;st=-0.0059165279373252168
0044C248 |.9B wait
0044C249 |.D905 5CC34400 fld dword ptr ds: ;4th constant 2.0 (ds: = 2.0)
0044C24F |.DC45 D0 fadd qword ptr ss: ;add the 4th number 4.0 to the 4th constant, 4.0+2.0=6.0
0044C252 |.D9FA fsqrt ;square root of the sum, st=2.4494897427831777280
0044C254 |.DB6D A0 fld tbyte ptr ss: ;ss: = -0.0059165279373252168
0044C257 |.DEE1 fsubrp st(1),st ;subtract the square root: -0.0059165279373252168-2.4494897427831777280=-2.4554062707205027840
0044C259 |.D905 58C34400 fld dword ptr ds: ;3rd constant 3.0 (ds: = 3.0)
0044C25F |.DC4D C8 fmul qword ptr ss: ;multiply the 3rd constant by the 5th number 5.0, 3.0*5.0=15.0
0044C262 |.D835 5CC34400 fdiv dword ptr ds: ;divide the product by the 4th constant 2.0, 15.0/2.0=7.5
0044C268 |.DEC1 faddp st(1),st ;7.5+(-2.4554062707205027840)=5.0445937292794972160
0044C26A |.DB2D 60C34400 fld tbyte ptr ds: ;5th constant 0.37 (ds: = 0.37)
0044C270 |.DEC1 faddp st(1),st ;0.37+5.044593729279497216=5.4145937292794972160
0044C272 |.D80D 6CC34400 fmul dword ptr ds: ;multiply by the 6th constant 1000.0 (ds: = 1000.000)
0044C278 |.DD5D F0 fstp qword ptr ss: ;giving st=5414.5937292794972160
0044C27B |.9B wait
0044C27C |.DD45 F0 fld qword ptr ss:
0044C27F |.E8 9065FBFF call CrackMe_.00402814 ;round the product to an integer, shown in hex: 5415 --> 0x1527
0044C284 |.8945 98 mov dword ptr ss:,eax ;EAX=00001527
0044C287 |.8955 9C mov dword ptr ss:,edx
0044C28A |.DF6D 98 fild qword ptr ss:
0044C28D |.83C4 F4 add esp,-0C
0044C290 |.DB3C24 fstp tbyte ptr ss: ;st=5415.0000000000000000
0044C293 |.9B wait
0044C294 |.8D45 FC lea eax,dword ptr ss:
0044C297 |.E8 68BFFBFF call CrackMe_.00408204 ;convert the result to a string and take its length, EAX=4
0044C29C |.8D45 FC lea eax,dword ptr ss:
0044C29F |.E8 5CFCFFFF call CrackMe_.0044BF00 ;key Call-1, F7 to step into it
0044C2A4 |.8B45 FC mov eax,dword ptr ss: ;the result is put in EAX; "D EAX" dumps it as 00A95630 B5 B5 BC BB 档蓟
0044C2A7 |.BA 78C34400 mov edx,CrackMe_.0044C378 ;the fixed string "岛埠"; "D EDX" dumps it as 0044C378 B5 BA B2 BA 岛埠
0044C2AC |.E8 D378FBFF call CrackMe_.00403B84 ;compare whether the two are equal
0044C2B1 |.75 38 jnz short CrackMe_.0044C2EB ;not equal -> game over; patch point, NOP it
0044C2B3 |.8D45 F8 lea eax,dword ptr ss:
F7 into key Call-1 at 0044C29F and we arrive at:
0044BF00 /$53 push ebx
0044BF01 |.56 push esi
0044BF02 |.57 push edi
0044BF03 |.51 push ecx
0044BF04 |.8BF0 mov esi,eax
0044BF06 |.8B06 mov eax,dword ptr ds: ;"5415"
0044BF08 |.E8 677BFBFF call CrackMe_.00403A74
0044BF0D |.8B15 98EE4400 mov edx,dword ptr ds:
0044BF13 |.8902 mov dword ptr ds:,eax
0044BF15 |.8B06 mov eax,dword ptr ds:
0044BF17 |.E8 587BFBFF call CrackMe_.00403A74
0044BF1C |.84C0 test al,al
0044BF1E |.76 38 jbe short CrackMe_.0044BF58
0044BF20 |.880424 mov byte ptr ss:,al
0044BF23 |.B3 01 mov bl,1
0044BF25 |>B8 1C000000 /mov eax,1C ;EAX=0x1C
0044BF2A |.E8 516AFBFF |call CrackMe_.00402980 ;key Call-2, F7 to step into it
0044BF2F |.0D 80000000 |or eax,80 ;EAX=EAX or 0x80
0044BF34 |.8BFB |mov edi,ebx
0044BF36 |.81E7 FF000000 |and edi,0FF
0044BF3C |.8B16 |mov edx,dword ptr ds: ;the result string "5415"
0044BF3E |.0FB6543A FF |movzx edx,byte ptr ds: ;take the ASCII value of each character of "5415" in turn
0044BF43 |.33C2 |xor eax,edx ;EAX=EAX xor EDX
0044BF45 |.50 |push eax ;save the xor result
0044BF46 |.8BC6 |mov eax,esi
0044BF48 |.E8 F77CFBFF |call CrackMe_.00403C44
0044BF4D |.5A |pop edx
0044BF4E |.885438 FF |mov byte ptr ds:,dl
0044BF52 |.43 |inc ebx
0044BF53 |.FE0C24 |dec byte ptr ss:
0044BF56 |.^ 75 CD \jnz short CrackMe_.0044BF25
0044BF58 |>5A pop edx
0044BF59 |.5F pop edi
0044BF5A |.5E pop esi
0044BF5B |.5B pop ebx
0044BF5C \.C3 retn
F7 into key Call-2 at 0044BF2A and we arrive at:
00402980 /$6915 40F04400 >imul edx,dword ptr ds:,8088405 ;ds: = 4; its initial value is the length of the result string
0040298A |.42 inc edx ;EDX=EDX+1
0040298B |.8915 40F04400 mov dword ptr ds:,edx ;store EDX back
00402991 |.F7E2 mul edx ;EDX:EAX=EAX*EDX, EAX starts as 0x1C
00402993 |.89D0 mov eax,edx ;EAX=EDX (the high dword of the product)
00402995 \.C3 retn
The floating-point result is converted to a string, each character's ASCII value is put through the routine above in turn, and the final result is compared with the fixed value B5 BA B2 BA; equal means success.
Working backwards from the floating-point result (assume it has 4 digits): after the CALL at 0044BF2A, EAX at 0044BF2F is in turn 83, 89, 86, 8D, so
83 xor B5 = 36 ('6')
89 xor BA = 33 ('3')
86 xor B2 = 34 ('4')
8D xor BA = 37 ('7')
So the final floating-point result only needs to be 6347.0 for registration to succeed.
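The whole TrackBar level can be put together in one place: the FPU formula, the length-seeded generator at 00402980 (the `imul ..., 8088405` / `inc` / `mul` sequence is the standard Delphi `Random(n)`, as I read it from the listing), and the XOR with `0x80 | Random(0x1C)`. The following is an added example, not hrbx's keygen and not the CrackMe's code; it reproduces the author's back-calculation (decoding B5 BA B2 BA to "6347") and then goes a little beyond the text by searching every 5-digit TrackBar setting, not just one, for values whose encoding equals the fixed bytes. It assumes the rounding at 00402814 is round-to-nearest like Delphi's `Round`, and that the five digits map to the five TrackBars in the order the values are loaded (12345 -> 5415 and 14435 -> 6347, as in the text).

```python
import math

LIMIT = 0x1C                          # argument to the Random call at 0044BF25
TARGET = bytes.fromhex("B5BAB2BA")    # fixed value compared at 0044C2AC


def delphi_random(seed: int, limit: int):
    """One call of the routine at 00402980 (Delphi's Random(limit)):
    seed = seed*0x8088405 + 1 mod 2^32; result = high dword of seed*limit."""
    seed = (seed * 0x08088405 + 1) & 0xFFFFFFFF
    return seed, (seed * limit) >> 32


def keystream(length: int):
    """Bytes XORed onto the digit string at 0044BF43. The seed is the string
    length (stored at 0044BF0D); each value is OR-ed with 0x80 (0044BF2F)."""
    seed, ks = length, []
    for _ in range(length):
        seed, r = delphi_random(seed, LIMIT)
        ks.append(r | 0x80)
    return ks


def encode(digits: str) -> bytes:
    """What key Call-1 (0044BF00) produces from the rounded result string."""
    return bytes(k ^ ord(c) for k, c in zip(keystream(len(digits)), digits))


def decode(cipher: bytes) -> str:
    """Same XOR run the other way: the author's back-calculation in the text."""
    return "".join(chr(k ^ b) for k, b in zip(keystream(len(cipher)), cipher))


def trackbar_value(d1: int, d2: int, d3: int, d4: int, d5: int) -> int:
    """The FPU sequence 0044C1F0..0044C27F, in the order it is evaluated."""
    x = math.cos(math.sqrt(d2 ** 3 + 5.0))   # cos(sqrt(n2^3 + 5))
    x += -math.sqrt(1.0 + d1)                # - sqrt(1 + n1)
    x += math.log(3.0 * d3 + 1.0)            # + ln(3*n3 + 1)   (fldln2 / fyl2x)
    x -= math.sqrt(2.0 + d4)                 # - sqrt(2 + n4)
    x += 3.0 * d5 / 2.0                      # + 3*n5/2
    x += 0.37
    x *= 1000.0
    # Assumption: the call at 00402814 rounds to nearest (half-to-even, like
    # Delphi's Round); Python's round() behaves the same way.
    return round(x)


def find_trackbar_serials():
    """Every 5-digit TrackBar setting whose encoded result equals TARGET."""
    hits = []
    for n in range(100000):
        digits = [int(ch) for ch in f"{n:05d}"]
        if encode(str(trackbar_value(*digits))) == TARGET:
            hits.append(n)
    return hits


if __name__ == "__main__":
    print([hex(k) for k in keystream(4)], decode(TARGET))
    print(trackbar_value(1, 2, 3, 4, 5), trackbar_value(1, 4, 4, 3, 5))
    print(find_trackbar_serials())
```

Because the keystream depends only on the string length, `decode` recovers the target digits without any brute force; the search is only needed to find TrackBar positions that evaluate to that number, and there may be more than the single one the text gives.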
-----------------------------------------------------------------------------------------------
【Summary】
1. The Nag is easily removed by breaking on MessageBoxA.
2. The Password is the fixed value: Clno iguonRn.
3. For the Serial, the user name and company name lengths are restricted; the ASCII values of the user name characters are summed and the result is concatenated with a fixed string, call it str1.
The serial must be the same length as str1;
the sum of the ASCII values of the serial's characters must equal the sum of the ASCII values of str1's characters.
4. Determine CheckBox3 and CheckBox5 first; the other CheckBoxes then follow. Taking the top CheckBox of the first column of the heart as number 1
and numbering clockwise from 1 to 20, tick the CheckBoxes numbered 3, 5, 6, 9, 11, 12, 13, 15, 19 and 20 to pass.
5. The TrackBar uses simple floating-point arithmetic; the result is XORed and compared with the fixed value B5BAB2BA; equal means success.
Registration info:
========================================
Password:Clno iguonRn
========================================
Name:hrbxhui
Company:h2h Studios
Serial:I Love Cracking and 762 Girls ;)
========================================
TrackBar Serial:14435
========================================
【VB keygen source】(For TrackBar Serial)
Private Sub KeyGen_Click()
    ' Brute-force the five TrackBar digits n1..n5 until the floating-point
    ' formula from 0044C1F0..0044C278 rounds to 6347.
    Dim n1 As Double
    Dim n2 As Double
    Dim n3 As Double
    Dim n4 As Double
    Dim n5 As Double
    Dim sum As Long
    Dim temp As Long
    Dim i As Long
    sum = 0
    ' start the search at a random 5-digit number
    temp = (99999 - 10000) * Rnd() + 10000
    For i = temp To 99999
        ' split i into its five digits
        n1 = Int(i / 10000)
        n2 = Int((i Mod 10000) / 1000)
        n3 = Int((i Mod 1000) / 100)
        n4 = Int((i Mod 100) / 10)
        n5 = i Mod 10
        n1 = Sqr(n1 + 1) * (-1)           ' -sqrt(1 + n1)
        n2 = Cos(Sqr(n2 * n2 * n2 + 5))   ' cos(sqrt(n2^3 + 5))
        n3 = Log(n3 * 3 + 1)              ' ln(3*n3 + 1)
        n4 = Sqr(n4 + 2)                  ' sqrt(n4 + 2)
        n5 = n5 * 3# / 2#                 ' 3*n5/2
        sum = Int((n1 + n2 + n3 - n4 + n5 + 0.37) * 100000) / 100
        If sum = 6347 Then GoTo Success
    Next i
Success:
    Text1 = i
End Sub
-----------------------------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange; when reposting, please credit the author and keep the article complete. Thank you!
[Last edited by hrbx on 2006-5-30 01:37]
Replies:
Wow!!! So it was this simple...
Great tutorial, learned a lot!
Really careful analysis, studying it seriously!
Learned something. Could you put together a guide on using DeDe?
Sigh, when will I ever reach this level...