- UID
- 346
注册时间2005-3-21
阅读权限30
最后登录1970-1-1
龙战于野
TA的每日心情 | 奋斗
2016-10-21 20:30 |
|---|
签到天数: 1 天 [LV.1]初来乍到
|
【破文标题】PYG 54 Crackme By ZHOU2X简单算法分析
【破解作者】hrbx
【作者主页】hrbx.ys168.com
【作者邮箱】hrbx@163.com
【破解平台】WinXP
【使用工具】flyOD1.10、Peid
【破解日期】2007-06-13
【软件名称】PYG 54 Crackme By ZHOU2X
【软件大小】68KB
【下载地址】https://www.chinapyg.com/viewthr ... &extra=page%3D1
【加壳方式】UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
【软件简介】PYG 54 Crackme By ZHOU2X
-----------------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
-----------------------------------------------------------------------------------------------
【破解过程】
1.查壳。用PEID扫描,显示为:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay],
由于程序有自校验,就带壳分析吧。
2.试运行。输入注册信息后点"注册"按钮,没有任何提示。
3.追出算法。OD载入CrackMe,F9运行,输入注册信息:
==============================
用户名:hrbx
注册码:9876543210
==============================
"万能断点"下断,立即中断:
77D33545 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi] ; 在此中断
77D33547 8BC8 mov ecx,eax
77D33549 83E1 03 and ecx,3
77D3354C F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[esi]
77D3354E E8 E3FBFFFF call USER32.77D33136
77D33553 5F pop edi
Alt+F9返回,来到易语言的krnln库:
100AE3EE FF15 74250C10 call dword ptr ds:[<&USER32.CallWindowProcA>]
100AE3F4 5E pop esi ; 返回到这里
100AE3F5 5D pop ebp
100AE3F6 C2 0C00 retn 0C
观察堆栈友好提示:
0012F224 100AE9B5 返回到 krnln.100AE9B5
0012F228 0000000D
0012F22C 0000000B
0012F230 00AF4050 ASCII "9876543210" <======注意假码存放地址:00AF4050
0012F234 0000000D
命令栏输入:d 00AF4050,在数据窗口中对假码"9876543210"下"内存访问"断点,
7C80C6FE 8A08 mov cl,byte ptr ds:[eax] ; 来到
7C80C700 40 inc eax
7C80C701 84C9 test cl,cl
7C80C703 ^ 75 F9 jnz short kernel32.7C80C6FE
7C80C705 2BC2 sub eax,edx
7C80C707 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF
7C80C70B E8 FB5DFFFF call kernel32.7C80250B
7C80C710 C2 0400 retn 4
F8往下走,直到返回程序领空,来到:
0040FDE9 E8 C7010000 call PYG_54_C.0040FFB5
0040FDEE 83C4 10 add esp,10 ; 来到这里
0040FDF1 8945 FC mov dword ptr ss:[ebp-4],eax
向上查找,来到0040FD2A处F2在此下断,清除"内存访问"断点,F9运行程序,点"注册"按钮后立即中断:
0040FD2A 55 push ebp
0040FD2B 8BEC mov ebp,esp
0040FD2D 81EC 14000000 sub esp,14
0040FD33 68 00000000 push 0
0040FD38 BB 08010000 mov ebx,108
0040FD3D E8 6D020000 call PYG_54_C.0040FFAF
0040FD42 83C4 04 add esp,4
0040FD45 8945 FC mov dword ptr ss:[ebp-4],eax
0040FD48 68 08C14000 push PYG_54_C.0040C108 ; "PYG 54 Crackme By ZHOU2X.exe"
0040FD4D FF75 FC push dword ptr ss:[ebp-4]
0040FD50 E8 DCF8FFFF call PYG_54_C.0040F631 ; 检验程序名称
0040FD55 83C4 08 add esp,8
0040FD58 83F8 00 cmp eax,0
0040FD5B B8 00000000 mov eax,0
0040FD60 0F94C0 sete al
0040FD63 8945 F8 mov dword ptr ss:[ebp-8],eax
0040FD66 8B5D FC mov ebx,dword ptr ss:[ebp-4]
0040FD69 85DB test ebx,ebx
0040FD6B 74 09 je short PYG_54_C.0040FD76
0040FD6D 53 push ebx
0040FD6E E8 30020000 call PYG_54_C.0040FFA3
0040FD73 83C4 04 add esp,4
0040FD76 837D F8 00 cmp dword ptr ss:[ebp-8],0
0040FD7A 0F84 B2010000 je PYG_54_C.0040FF32 ; 不等则Over
0040FD80 68 00000000 push 0
0040FD85 BB 08010000 mov ebx,108
0040FD8A E8 20020000 call PYG_54_C.0040FFAF
0040FD8F 83C4 04 add esp,4
0040FD92 8945 FC mov dword ptr ss:[ebp-4],eax
0040FD95 68 04000080 push 80000004
0040FD9A 6A 00 push 0
0040FD9C 8B45 FC mov eax,dword ptr ss:[ebp-4]
0040FD9F 85C0 test eax,eax
0040FDA1 75 05 jnz short PYG_54_C.0040FDA8
0040FDA3 B8 25C14000 mov eax,PYG_54_C.0040C125
0040FDA8 50 push eax
0040FDA9 68 01000000 push 1
0040FDAE BB 58020000 mov ebx,258
0040FDB3 E8 F7010000 call PYG_54_C.0040FFAF
0040FDB8 83C4 10 add esp,10
0040FDBB 8945 F8 mov dword ptr ss:[ebp-8],eax
0040FDBE 8B5D FC mov ebx,dword ptr ss:[ebp-4]
0040FDC1 85DB test ebx,ebx
0040FDC3 74 09 je short PYG_54_C.0040FDCE
0040FDC5 53 push ebx
0040FDC6 E8 D8010000 call PYG_54_C.0040FFA3 ; 获取程序大小
0040FDCB 83C4 04 add esp,4
0040FDCE 817D F8 2A5D0900 cmp dword ptr ss:[ebp-8],95D2A ; 程序大小与0x95D2A(613674字节)比较
0040FDD5 0F8F 48010000 jg PYG_54_C.0040FF23 ; 大于则Over
0040FDDB 6A FF push -1
0040FDDD 6A 08 push 8
0040FDDF 68 08000116 push 16010008
0040FDE4 68 01000152 push 52010001
0040FDE9 E8 C7010000 call PYG_54_C.0040FFB5 ; 获取注册码
0040FDEE 83C4 10 add esp,10
0040FDF1 8945 FC mov dword ptr ss:[ebp-4],eax ; EAX="9876543210"
0040FDF4 68 04000080 push 80000004
0040FDF9 6A 00 push 0
0040FDFB 8B45 FC mov eax,dword ptr ss:[ebp-4]
0040FDFE 85C0 test eax,eax
0040FE00 75 05 jnz short PYG_54_C.0040FE07
0040FE02 B8 25C14000 mov eax,PYG_54_C.0040C125
0040FE07 50 push eax
0040FE08 68 01000000 push 1
0040FE0D BB 50010000 mov ebx,150
0040FE12 E8 98010000 call PYG_54_C.0040FFAF
0040FE17 83C4 10 add esp,10
0040FE1A 8945 F8 mov dword ptr ss:[ebp-8],eax
0040FE1D 8B5D FC mov ebx,dword ptr ss:[ebp-4]
0040FE20 85DB test ebx,ebx
0040FE22 74 09 je short PYG_54_C.0040FE2D
0040FE24 53 push ebx
0040FE25 E8 79010000 call PYG_54_C.0040FFA3
0040FE2A 83C4 04 add esp,4
0040FE2D 6A 01 push 1
0040FE2F 68 01000000 push 1
0040FE34 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0040FE37 50 push eax
0040FE38 E8 10FDFFFF call PYG_54_C.0040FB4D ; 取注册码"9876543210"的MD5值
0040FE3D 8945 F4 mov dword ptr ss:[ebp-C],eax ; EAX="e388c1c5df4933fa01f6da9f92595589"
0040FE40 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
0040FE43 85DB test ebx,ebx
0040FE45 74 09 je short PYG_54_C.0040FE50
0040FE47 53 push ebx
0040FE48 E8 56010000 call PYG_54_C.0040FFA3
0040FE4D 83C4 04 add esp,4
0040FE50 68 04000080 push 80000004
0040FE55 6A 00 push 0
0040FE57 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0040FE5A 85C0 test eax,eax
0040FE5C 75 05 jnz short PYG_54_C.0040FE63
0040FE5E B8 25C14000 mov eax,PYG_54_C.0040C125
0040FE63 50 push eax ; EAX="e388c1c5df4933fa01f6da9f92595589"
0040FE64 68 01000000 push 1
0040FE69 BB 50010000 mov ebx,150
0040FE6E E8 3C010000 call PYG_54_C.0040FFAF ; 注册码的MD5值转为大写
0040FE73 83C4 10 add esp,10
0040FE76 8945 F0 mov dword ptr ss:[ebp-10],eax ; EAX="E388C1C5DF4933FA01F6DA9F92595589"
0040FE79 8B5D F4 mov ebx,dword ptr ss:[ebp-C]
0040FE7C 85DB test ebx,ebx
0040FE7E 74 09 je short PYG_54_C.0040FE89
0040FE80 53 push ebx
0040FE81 E8 1D010000 call PYG_54_C.0040FFA3
0040FE86 83C4 04 add esp,4
0040FE89 A1 3821AF00 mov eax,dword ptr ds:[AF2138] ; EAX=ds:[AF2138]
0040FE8E 50 push eax ; EAX="17891C20A6D57F9B72F5FD3CC0142D4F"
0040FE8F FF75 F0 push dword ptr ss:[ebp-10] ; 注册码MD5值"E388C1C5DF4933FA01F6DA9F92595589"
0040FE92 E8 9AF7FFFF call PYG_54_C.0040F631 ; 比较两者是否相等
0040FE97 83C4 08 add esp,8
0040FE9A 83F8 00 cmp eax,0
0040FE9D B8 00000000 mov eax,0
0040FEA2 0F94C0 sete al
0040FEA5 8945 EC mov dword ptr ss:[ebp-14],eax
0040FEA8 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
0040FEAB 85DB test ebx,ebx
0040FEAD 74 09 je short PYG_54_C.0040FEB8
0040FEAF 53 push ebx
0040FEB0 E8 EE000000 call PYG_54_C.0040FFA3
0040FEB5 83C4 04 add esp,4
0040FEB8 837D EC 00 cmp dword ptr ss:[ebp-14],0
0040FEBC 0F84 5C000000 je PYG_54_C.0040FF1E ; 跳则Over
看一下ds:[AF2138]处的数据是如何获得的。
命令栏输入:d 00AF2138,对00AF2138处下断:右键--断点--设置内存访问断点,
F9运行程序,随便更改一下用户名,立即中断:
0040FB30 8B1D 3821AF00 mov ebx,dword ptr ds:[AF2138] ; 在此中断
0040FB36 85DB test ebx,ebx
0040FB38 74 09 je short PYG_54_C.0040FB43
中断后清除内存访问断点,向上查找,来到0040FA2A处F2下断,F9运行程序,更改用户名,立即中断:
0040FA2A 55 push ebp ; F2下断
0040FA2B 8BEC mov ebp,esp
0040FA2D 81EC 18000000 sub esp,18
0040FA33 6A FF push -1
0040FA35 6A 08 push 8
0040FA37 68 03000116 push 16010003
0040FA3C 68 01000152 push 52010001
0040FA41 E8 6F050000 call PYG_54_C.0040FFB5 ; 获取用户名
0040FA46 83C4 10 add esp,10
0040FA49 8945 FC mov dword ptr ss:[ebp-4],eax ; 用户名"hrbx"
0040FA4C 68 34C14000 push PYG_54_C.0040C134 ; 字符串"https://www.chinapyg.com/"
0040FA51 FF75 FC push dword ptr ss:[ebp-4]
0040FA54 B9 02000000 mov ecx,2
0040FA59 E8 70FFFFFF call PYG_54_C.0040F9CE ; 连接用户名与网址字符串,组成新字符串
0040FA5E 83C4 08 add esp,8
0040FA61 8945 F8 mov dword ptr ss:[ebp-8],eax ; ASCII "hrbxhttps://www.chinapyg.com/"
0040FA64 8B5D FC mov ebx,dword ptr ss:[ebp-4]
0040FA67 85DB test ebx,ebx
0040FA69 74 09 je short PYG_54_C.0040FA74
0040FA6B 53 push ebx
0040FA6C E8 32050000 call PYG_54_C.0040FFA3
0040FA71 83C4 04 add esp,4
0040FA74 6A 01 push 1
0040FA76 68 01000000 push 1
0040FA7B 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0040FA7E 50 push eax
0040FA7F E8 C9000000 call PYG_54_C.0040FB4D ; 取连接后得到的新字符串的MD5值
0040FA84 8945 F4 mov dword ptr ss:[ebp-C],eax ; "7a94207450f22deaaa0e4408d2f0a5b0"
0040FA87 8B5D F8 mov ebx,dword ptr ss:[ebp-8]
0040FA8A 85DB test ebx,ebx
0040FA8C 74 09 je short PYG_54_C.0040FA97
0040FA8E 53 push ebx
0040FA8F E8 0F050000 call PYG_54_C.0040FFA3
0040FA94 83C4 04 add esp,4
0040FA97 68 04000080 push 80000004
0040FA9C 6A 00 push 0
0040FA9E 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0040FAA1 85C0 test eax,eax
0040FAA3 75 05 jnz short PYG_54_C.0040FAAA
0040FAA5 B8 25C14000 mov eax,PYG_54_C.0040C125
0040FAAA 50 push eax ; MD5值"7a94207450f22deaaa0e4408d2f0a5b0"
0040FAAB 68 01000000 push 1
0040FAB0 BB 50010000 mov ebx,150
0040FAB5 E8 F5040000 call PYG_54_C.0040FFAF ; MD5值转为大写
0040FABA 83C4 10 add esp,10
0040FABD 8945 F0 mov dword ptr ss:[ebp-10],eax ; EAX="7A94207450F22DEAAA0E4408D2F0A5B0"
0040FAC0 8B5D F4 mov ebx,dword ptr ss:[ebp-C]
0040FAC3 85DB test ebx,ebx
0040FAC5 74 09 je short PYG_54_C.0040FAD0
0040FAC7 53 push ebx
0040FAC8 E8 D6040000 call PYG_54_C.0040FFA3
0040FACD 83C4 04 add esp,4
0040FAD0 6A 01 push 1
0040FAD2 68 01000000 push 1
0040FAD7 8D45 F0 lea eax,dword ptr ss:[ebp-10]
0040FADA 50 push eax
0040FADB E8 6D000000 call PYG_54_C.0040FB4D ; MD5值转为大写字符串后再取MD5值
0040FAE0 8945 EC mov dword ptr ss:[ebp-14],eax ; ASCII "17891c20a6d57f9b72f5fd3cc0142d4f"
0040FAE3 8B5D F0 mov ebx,dword ptr ss:[ebp-10]
0040FAE6 85DB test ebx,ebx
0040FAE8 74 09 je short PYG_54_C.0040FAF3
0040FAEA 53 push ebx
0040FAEB E8 B3040000 call PYG_54_C.0040FFA3
0040FAF0 83C4 04 add esp,4
0040FAF3 68 04000080 push 80000004
0040FAF8 6A 00 push 0
0040FAFA 8B45 EC mov eax,dword ptr ss:[ebp-14]
0040FAFD 85C0 test eax,eax
0040FAFF 75 05 jnz short PYG_54_C.0040FB06
0040FB01 B8 25C14000 mov eax,PYG_54_C.0040C125
0040FB06 50 push eax ; ASCII "17891c20a6d57f9b72f5fd3cc0142d4f"
0040FB07 68 01000000 push 1
0040FB0C BB 50010000 mov ebx,150
0040FB11 E8 99040000 call PYG_54_C.0040FFAF ; 第2次的MD5值转为大写
0040FB16 83C4 10 add esp,10
0040FB19 8945 E8 mov dword ptr ss:[ebp-18],eax ; "17891C20A6D57F9B72F5FD3CC0142D4F"
0040FB1C 8B5D EC mov ebx,dword ptr ss:[ebp-14]
0040FB1F 85DB test ebx,ebx
0040FB21 74 09 je short PYG_54_C.0040FB2C
0040FB23 53 push ebx
0040FB24 E8 7A040000 call PYG_54_C.0040FFA3
0040FB29 83C4 04 add esp,4
0040FB2C 8B45 E8 mov eax,dword ptr ss:[ebp-18]
0040FB2F 50 push eax
0040FB30 8B1D 3821AF00 mov ebx,dword ptr ds:[AF2138] ; 在此中断
0040FB36 85DB test ebx,ebx
0040FB38 74 09 je short PYG_54_C.0040FB43
0040FB3A 53 push ebx
0040FB3B E8 63040000 call PYG_54_C.0040FFA3
0040FB40 83C4 04 add esp,4
0040FB43 58 pop eax ; 第2次的MD5值字符串"17891C20A6D57F9B72F5FD3CC0142D4F"
0040FB44 A3 3821AF00 mov dword ptr ds:[AF2138],eax ; 字符串存入ds:[AF2138]
0040FB49 8BE5 mov esp,ebp
0040FB4B 5D pop ebp
0040FB4C C3 retn
-----------------------------------------------------------------------------------------------
【破解总结】
1.用户名与字符串"https://www.chinapyg.com/"连接后取MD5值即为注册码。
2.程序在注册时检验程序名称及大小,在启动前也似乎也有检验,请高手指点。
========================================
用户名:hrbx
注册码:7A94207450F22DEAAA0E4408D2F0A5B0
========================================
-----------------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[ 本帖最后由 hrbx 于 2007-6-13 19:46 编辑 ] |
|
IP卡
发表于 2007-6-13 19:40:05
提升卡
置顶卡
变色卡
千斤顶
显身卡
楼主
发表于 2007-6-17 20:47:29
