- UID
- 346
注册时间2005-3-21
阅读权限30
最后登录1970-1-1
龙战于野
TA的每日心情 | 奋斗
2016-10-21 20:30 |
|---|
签到天数: 1 天 [LV.1]初来乍到
|
- 【破文标题】aLoNg3x.1-CrackMe简单算法分析+VB注册机源码
- 【破解作者】hrbx
- 【作者主页】hrbx.ys168.com
- 【作者邮箱】hrbx@163.com
- 【破解平台】WinXP
- 【使用工具】flyOD1.10、Peid
- 【破解日期】2006-5-16
- 【软件名称】aLoNg3x.1-CrackMe
- 【软件大小】344KB
- 【下载地址】https://www.chinapyg.com/viewthread.php?tid=4815&extra=page%3D1
- 【加壳方式】无
- 【软件简介】aLoNg3x.1-CrackMe
- -----------------------------------------------------------------------------------------------
- 【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
- -----------------------------------------------------------------------------------------------
- 【破解过程】
- 0.前言。这个CrackMe本身并没有多大的难度,只是比较具有欺骗性。开始以为那个"Cancella"按钮是用于清除
- 注册码的"Cancel"按钮,把注意力都放在使CrackMe的灰色按钮可用,而事实上并非如此。
- 1.查壳。用PEID扫描,显示为:Borland Delphi 6.0 - 7.0。
- 2.试运行。输入注册信息,"OK"按钮为灰色不可用,点击"Cancella"按钮注册码被清空,无任何错误提示。
- 通过DeDe分析得知,"OK"按钮按钮事件开始地址为00442D64,"Cancella"按钮按钮事件开始地址为00442EA8。
- 3.一切从"Cancella"按钮开始。OD载入CrackMe,Ctrl+G,输入:00442EA8,回车,来到00442EA8处F2下断,
- F9运行,输入注册信息:
- ========================
- Nome:honrbx
- Codice:987654321
- ========================
- 点击"Cancella"按钮,立即中断:
- 00442EA8 55 push ebp ; F2中此下断,中断后F8往下走
- 00442EA9 8BEC mov ebp,esp
- 00442EAB 6A 00 push 0
- 00442EAD 53 push ebx
- 00442EAE 8BD8 mov ebx,eax
- 00442EB0 33C0 xor eax,eax
- 00442EB2 55 push ebp
- 00442EB3 68 322F4400 push aLoNg3x_.00442F32
- 00442EB8 64:FF30 push dword ptr fs:[eax]
- 00442EBB 64:8920 mov dword ptr fs:[eax],esp
- 00442EBE 8D55 FC lea edx,dword ptr ss:[ebp-4]
- 00442EC1 8B83 E0020000 mov eax,dword ptr ds:[ebx+2E0]
- 00442EC7 E8 F403FEFF call aLoNg3x_.004232C0
- 00442ECC 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 假码"987654321"
- 00442ECF E8 9C47FCFF call aLoNg3x_.00407670 ; 假码转为16进制整数
- 00442ED4 50 push eax ; EAX=0x3ADE68B1(987654321)
- 00442ED5 8D55 FC lea edx,dword ptr ss:[ebp-4]
- 00442ED8 8B83 DC020000 mov eax,dword ptr ds:[ebx+2DC]
- 00442EDE E8 DD03FEFF call aLoNg3x_.004232C0
- 00442EE3 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 用户名"honrbx"
- 00442EE6 5A pop edx
- 00442EE7 E8 08FCFFFF call aLoNg3x_.00442AF4 ; 关键CALL-1,F7进入
- 00442EEC 84C0 test al,al
- 00442EEE 74 1C je short aLoNg3x_.00442F0C ; 暴破点1,Nop掉
- 00442EF0 33D2 xor edx,edx
- 00442EF2 8B83 D0020000 mov eax,dword ptr ds:[ebx+2D0]
- 00442EF8 E8 B302FEFF call aLoNg3x_.004231B0
- 00442EFD B2 01 mov dl,1
- 00442EFF 8B83 CC020000 mov eax,dword ptr ds:[ebx+2CC]
- 00442F05 8B08 mov ecx,dword ptr ds:[eax]
- 00442F07 FF51 60 call dword ptr ds:[ecx+60]
- 00442F0A EB 10 jmp short aLoNg3x_.00442F1C
- 00442F0C BA 482F4400 mov edx,aLoNg3x_.00442F48 ; 0
- 00442F11 8B83 E0020000 mov eax,dword ptr ds:[ebx+2E0]
- 00442F17 E8 D403FEFF call aLoNg3x_.004232F0
- 00442F1C 33C0 xor eax,eax
- 00442F1E 5A pop edx
- 00442F1F 59 pop ecx
- 00442F20 59 pop ecx
- 00442F21 64:8910 mov dword ptr fs:[eax],edx
- 00442F24 68 392F4400 push aLoNg3x_.00442F39
- 00442F29 8D45 FC lea eax,dword ptr ss:[ebp-4]
- 00442F2C E8 8708FCFF call aLoNg3x_.004037B8
- 00442F31 C3 retn
- F7进入00442EE7处的关键CALL-1,来到:
- 00442AF4 55 push ebp
- 00442AF5 8BEC mov ebp,esp
- 00442AF7 83C4 F8 add esp,-8
- 00442AFA 53 push ebx
- 00442AFB 56 push esi
- 00442AFC 8955 F8 mov dword ptr ss:[ebp-8],edx
- 00442AFF 8945 FC mov dword ptr ss:[ebp-4],eax
- 00442B02 8B45 FC mov eax,dword ptr ss:[ebp-4]
- 00442B05 E8 DE10FCFF call aLoNg3x_.00403BE8
- 00442B0A 33C0 xor eax,eax
- 00442B0C 55 push ebp
- 00442B0D 68 902B4400 push aLoNg3x_.00442B90
- 00442B12 64:FF30 push dword ptr fs:[eax]
- 00442B15 64:8920 mov dword ptr fs:[eax],esp
- 00442B18 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 用户名"honrbx"
- 00442B1B E8 140FFCFF call aLoNg3x_.00403A34 ; 获取用户名长度,EAX=6
- 00442B20 83F8 05 cmp eax,5 ; 用户名长度与5比较
- 00442B23 7E 53 jle short aLoNg3x_.00442B78 ; 小于等于则Over
- 00442B25 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 用户名"honrbx"
- 00442B28 0FB640 04 movzx eax,byte ptr ds:[eax+4] ; 取用户名第5位字符的ASCII值,EAX=0x62('b')
- 00442B2C B9 07000000 mov ecx,7 ; ECX=7
- 00442B31 33D2 xor edx,edx
- 00442B33 F7F1 div ecx ; EAX/ECX,商给EAX,余数给EDX
- 00442B35 8BC2 mov eax,edx ; EAX=EDX,余数给EAX
- 00442B37 83C0 02 add eax,2 ; EAX=EAX+2
- 00442B3A E8 E1FEFFFF call aLoNg3x_.00442A20
- 00442B3F 8BF0 mov esi,eax ; ESI=EAX
- 00442B41 33DB xor ebx,ebx
- 00442B43 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 用户名"honrbx"
- 00442B46 E8 E90EFCFF call aLoNg3x_.00403A34 ; 获取用户名长度,EAX=6
- 00442B4B 85C0 test eax,eax
- 00442B4D 7E 16 jle short aLoNg3x_.00442B65
- 00442B4F BA 01000000 mov edx,1
- 00442B54 8B4D FC mov ecx,dword ptr ss:[ebp-4] ; 用户名"honrbx"
- 00442B57 0FB64C11 FF movzx ecx,byte ptr ds:[ecx+edx-1] ; 依次取用户名每一位字符的ASCII值给ECX
- 00442B5C 0FAFCE imul ecx,esi ; ECX=ECX*ESI,ESI初值为上面用户名第5位字符运算所得结果
- 00442B5F 03D9 add ebx,ecx ; EBX=EBX+ECX
- 00442B61 42 inc edx ; EBX=0x522(1314)
- 00442B62 48 dec eax
- 00442B63 ^ 75 EF jnz short aLoNg3x_.00442B54 ; 没取完用户名则跳回去继续
- 00442B65 2B5D F8 sub ebx,dword ptr ss:[ebp-8] ; EBX=EBX-ss:[ebp-8],ss:[ebp-8]=3ADE68B1假码的16进制数
- 00442B68 81FB 697A0000 cmp ebx,7A69 ; EBX与0x7A69(31337)比较
- 00442B6E 75 04 jnz short aLoNg3x_.00442B74 ; 不等则Over
- 00442B70 B3 01 mov bl,1 ; 相等则赋值BL=1
- 00442B72 EB 06 jmp short aLoNg3x_.00442B7A
- 00442B74 33DB xor ebx,ebx
- 00442B76 EB 02 jmp short aLoNg3x_.00442B7A
- 00442B78 33DB xor ebx,ebx
- 00442B7A 33C0 xor eax,eax
- 00442B7C 5A pop edx
- 00442B7D 59 pop ecx
- 00442B7E 59 pop ecx
- 00442B7F 64:8910 mov dword ptr fs:[eax],edx
- 00442B82 68 972B4400 push aLoNg3x_.00442B97
- 00442B87 8D45 FC lea eax,dword ptr ss:[ebp-4]
- 00442B8A E8 290CFCFF call aLoNg3x_.004037B8
- 00442B8F C3 retn
- 程序取用户名经过运算后与输入的注册码相减再与0x7A69比较,故注册码应为:0x522(1314)-0x7A69(31337)=-30023.
- 4.解决"OK"按钮。不退出OD,更改注册信息为:
- ========================
- Nome:honrbx
- Codice:-30023
- ========================
- 点击"Cancella"按钮,"Cancella"按钮变为不可见,同时"OK"按钮也变为可点击。
- Ctrl+G,输入通过DeDe找到的"OK"按钮按钮事件开始地址:00442D64,回车,来到00442D64处F2下断,点击"OK"按钮,
- 立即中断:
- 00442D64 55 push ebp ; F2在此下断,中断后F8往下
- 00442D65 8BEC mov ebp,esp
- 00442D67 6A 00 push 0
- 00442D69 53 push ebx
- 00442D6A 8BD8 mov ebx,eax
- 00442D6C 33C0 xor eax,eax
- 00442D6E 55 push ebp
- 00442D6F 68 ED2D4400 push aLoNg3x_.00442DED
- 00442D74 64:FF30 push dword ptr fs:[eax]
- 00442D77 64:8920 mov dword ptr fs:[eax],esp
- 00442D7A 8B83 D0020000 mov eax,dword ptr ds:[ebx+2D0]
- 00442D80 8078 47 01 cmp byte ptr ds:[eax+47],1
- 00442D84 75 12 jnz short aLoNg3x_.00442D98
- 00442D86 BA 002E4400 mov edx,aLoNg3x_.00442E00 ; 0
- 00442D8B 8B83 E0020000 mov eax,dword ptr ds:[ebx+2E0]
- 00442D91 E8 5A05FEFF call aLoNg3x_.004232F0
- 00442D96 EB 3F jmp short aLoNg3x_.00442DD7
- 00442D98 8D55 FC lea edx,dword ptr ss:[ebp-4]
- 00442D9B 8B83 E0020000 mov eax,dword ptr ds:[ebx+2E0]
- 00442DA1 E8 1A05FEFF call aLoNg3x_.004232C0
- 00442DA6 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 注册码"-30023"
- 00442DA9 E8 C248FCFF call aLoNg3x_.00407670
- 00442DAE 50 push eax
- 00442DAF 8D55 FC lea edx,dword ptr ss:[ebp-4]
- 00442DB2 8B83 DC020000 mov eax,dword ptr ds:[ebx+2DC]
- 00442DB8 E8 0305FEFF call aLoNg3x_.004232C0
- 00442DBD 8B45 FC mov eax,dword ptr ss:[ebp-4] ; 用户名"honrbx"
- 00442DC0 5A pop edx
- 00442DC1 E8 DAFDFFFF call aLoNg3x_.00442BA0 ; 关键CALL-2,F7进入
- 00442DC6 84C0 test al,al
- 00442DC8 74 0D je short aLoNg3x_.00442DD7 ; 暴破点2,Nop掉
- 00442DCA 33D2 xor edx,edx
- 00442DCC 8B83 CC020000 mov eax,dword ptr ds:[ebx+2CC]
- 00442DD2 E8 D903FEFF call aLoNg3x_.004231B0
- 00442DD7 33C0 xor eax,eax
- 00442DD9 5A pop edx
- 00442DDA 59 pop ecx
- 00442DDB 59 pop ecx
- 00442DDC 64:8910 mov dword ptr fs:[eax],edx
- 00442DDF 68 F42D4400 push aLoNg3x_.00442DF4
- 00442DE4 8D45 FC lea eax,dword ptr ss:[ebp-4]
- 00442DE7 E8 CC09FCFF call aLoNg3x_.004037B8
- 00442DEC C3 retn
- F7进入00442DC1处的关键CALL-2,来到:
- 00442BA0 55 push ebp
- 00442BA1 8BEC mov ebp,esp
- 00442BA3 6A 00 push 0
- 00442BA5 6A 00 push 0
- 00442BA7 6A 00 push 0
- 00442BA9 53 push ebx
- 00442BAA 56 push esi
- 00442BAB 8BF2 mov esi,edx
- 00442BAD 8945 FC mov dword ptr ss:[ebp-4],eax
- 00442BB0 8B45 FC mov eax,dword ptr ss:[ebp-4]
- 00442BB3 E8 3010FCFF call aLoNg3x_.00403BE8
- 00442BB8 33C0 xor eax,eax
- 00442BBA 55 push ebp
- 00442BBB 68 672C4400 push aLoNg3x_.00442C67
- 00442BC0 64:FF30 push dword ptr fs:[eax]
- 00442BC3 64:8920 mov dword ptr fs:[eax],esp
- 00442BC6 33DB xor ebx,ebx
- 00442BC8 8D55 F8 lea edx,dword ptr ss:[ebp-8]
- 00442BCB 8BC6 mov eax,esi
- 00442BCD E8 6E4AFCFF call aLoNg3x_.00407640
- 00442BD2 8D45 F4 lea eax,dword ptr ss:[ebp-C]
- 00442BD5 8B55 F8 mov edx,dword ptr ss:[ebp-8]
- 00442BD8 E8 730CFCFF call aLoNg3x_.00403850
- 00442BDD 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 注册码"-30023"
- 00442BE0 E8 4F0EFCFF call aLoNg3x_.00403A34 ; 获取注册码长度,EAX=6
- 00442BE5 83F8 05 cmp eax,5 ; 注册码长度与5比较
- 00442BE8 7E 60 jle short aLoNg3x_.00442C4A ; 小于等于则Over
- 00442BEA 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 注册码"-30023"
- 00442BED E8 420EFCFF call aLoNg3x_.00403A34 ; 获取注册码长度,EAX=6
- 00442BF2 8BF0 mov esi,eax
- 00442BF4 83FE 01 cmp esi,1 ; 注册码长度与1比较
- 00442BF7 7C 2F jl short aLoNg3x_.00442C28 ; 小于则Over
- 00442BF9 8D45 F4 lea eax,dword ptr ss:[ebp-C]
- 00442BFC E8 0310FCFF call aLoNg3x_.00403C04
- 00442C01 8D4430 FF lea eax,dword ptr ds:[eax+esi-1]
- 00442C05 50 push eax
- 00442C06 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; 注册码"-30023"
- 00442C09 0FB64430 FF movzx eax,byte ptr ds:[eax+esi-1] ; 依次取注册码每一位字符的ASCII值给EAX
- 00442C0E F7E8 imul eax ; EAX=EAX*EAX
- 00442C10 0FBFC0 movsx eax,ax ; EAX=AX
- 00442C13 F7EE imul esi ; EAX=EAX*ESI,ESI为取出的字符的位置
- 00442C15 B9 19000000 mov ecx,19 ; ECX=0x19
- 00442C1A 99 cdq
- 00442C1B F7F9 idiv ecx ; EAX/ECX,商给EAX,余数给EDX
- 00442C1D 83C2 41 add edx,41 ; EDX=EDX+0x41
- 00442C20 58 pop eax
- 00442C21 8810 mov byte ptr ds:[eax],dl ; DL保存
- 00442C23 4E dec esi
- 00442C24 85F6 test esi,esi
- 00442C26 ^ 75 D1 jnz short aLoNg3x_.00442BF9 ; 没取完注册码则跳回去继续循环
- 00442C28 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; 计算所得的用户名"ACMQAG"
- 00442C2B 8B55 FC mov edx,dword ptr ss:[ebp-4] ; 输入的用户名"honrbx"
- 00442C2E E8 110FFCFF call aLoNg3x_.00403B44 ; 比较两者是否相等
- 00442C33 75 17 jnz short aLoNg3x_.00442C4C ; 不等则Over
- 00442C35 8B45 FC mov eax,dword ptr ss:[ebp-4]
- 00442C38 8B55 F4 mov edx,dword ptr ss:[ebp-C]
- 00442C3B E8 040FFCFF call aLoNg3x_.00403B44
- 00442C40 75 04 jnz short aLoNg3x_.00442C46
- 00442C42 B3 01 mov bl,1
- 00442C44 EB 06 jmp short aLoNg3x_.00442C4C
- 00442C46 33DB xor ebx,ebx
- 00442C48 EB 02 jmp short aLoNg3x_.00442C4C
- 00442C4A 33DB xor ebx,ebx
- 00442C4C 33C0 xor eax,eax
- 00442C4E 5A pop edx
- 00442C4F 59 pop ecx
- 00442C50 59 pop ecx
- 00442C51 64:8910 mov dword ptr fs:[eax],edx
- 00442C54 68 6E2C4400 push aLoNg3x_.00442C6E
- 00442C59 8D45 F4 lea eax,dword ptr ss:[ebp-C]
- 00442C5C BA 03000000 mov edx,3
- 00442C61 E8 760BFCFF call aLoNg3x_.004037DC
- 00442C66 C3 retn
- -----------------------------------------------------------------------------------------------
- 【破解总结】
- 1.程序先取用户名运算得到一数值与输入的注册码相减,结果与0x7A69比较,相等则隐藏"Cancella"按钮,同时使"OK"按钮变为可用。
- 2.点击"OK"按钮时,取输入的注册码经过运算得到一字符串与输入的用户名比较,相等则隐藏"OK"按钮。
- 一组可用注册码:
- ========================
- (1)隐藏"Cancella"按钮
- Nome:honrbx
- Codice:-30023
- (2)隐藏"OK"按钮
- Nome:ACMQAG
- Codice:-30023
- ========================
- 暴破更改以下位置:
- 00442EEE je short aLoNg3x_.00442F0C ; je====>Nop
- 00442DC8 je short aLoNg3x_.00442DD7 ; je====>Nop
- 【VB注册机源码】
- Private Sub Generate_Click()
- On Error Resume Next
- Dim Name As String
- Dim Code As String
- Dim Codice As Long
- Dim length As Integer
- Dim num As Integer
- Dim i As Integer
- If GetCodice.Value = True Then
-
- Name = Text1.Text
- length = Len(Name)
- Codice = 0
-
- If (length <= 5 Or length > 10) Then
- Text2.Text = "Name is too long or too short!"
- Else
- num = Asc(Mid(Name, 5, 1)) Mod 7 + 2
- For i = 1 To length
- Codice = Codice + Asc(Mid(Name, i, 1)) * num
- Next i
- Codice = Codice - &H7A69
- Text2.Text = Codice
- End If
- End If
- If GetName.Value = True Then
- Code = Text2.Text
- length = Len(Code)
- Name = ""
-
- If (length <= 5 Or length > 9) Then
- Text1.Text = "Codice is too long or too short!"
- Else
-
- For i = 1 To length
- num = Asc(Mid(Code, i, 1)) * Asc(Mid(Code, i, 1)) * i Mod &H19 + &H41
- Name = Name & Chr(num)
- Next i
- Text1.Text = Name
- End If
- End If
- End Sub
- -----------------------------------------------------------------------------------------------
- 【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
|
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有账号?加入我们
x
|
IP卡
发表于 2006-5-16 16:56:36
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2006-5-16 18:20:51
发表于 2006-5-16 19:09:39
发表于 2006-5-16 21:10:14
发表于 2006-5-17 19:07:57
发表于 2006-7-23 00:10:14