- UID
- 8853
注册时间2006-3-3
阅读权限10
最后登录1970-1-1
周游历练
该用户从未签到
|
【文章标题】: bbbbbbbbbbbbbbbbbbbbbb
【文章作者】: rcracker
【软件名称】: 黑夜彩虹之再放个CrackMe~~~
【下载地址】: PYG-----------自己搜索下载
【使用工具】: OD
【操作平台】: XP
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
首先大概分析一下:我靠!好像是MD5的,用cryptosearcher分析了一下还真是MD5的,立马把看雪老大书中的密码学这一章看了又看,翻了又翻。
又到网上看了关于MD5的文章,当自认为还可以时开始分析了小黑的CRACKME,但是连屁都没摸到-----------此时我估计小黑应该是一脸得意的/:D /:D /:D "奸笑" 啊!!!
经过XXXX次分析,终于...嘿嘿....。
断点:随便
00457C08 . 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
00457C0B . 8B83 00030000 MOV EAX,DWORD PTR DS:[EBX+300]
00457C11 . E8 0ACDFDFF CALL CrackMe_.00434920
00457C16 . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; 你输入的假码
00457C19 . 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00457C1C . E8 F3F6FFFF CALL CrackMe_.00457314 ;这里应该是烟雾弹-----------不重要
00457C21 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00457C24 . 8D4D FC LEA ECX,DWORD PTR SS:[EBP-4]
00457C27 . 8B15 1CBC4500 MOV EDX,DWORD PTR DS:[45BC1C] ; 固定串“0a739b5eba9d0ee27f868fec655abcc4"---这里有点MD5的味道。
00457C2D . E8 1AF6FFFF CALL CrackMe_.0045724C ;这里也应该是烟雾弹---------不重要
00457C32 . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00457C35 . 50 PUSH EAX
00457C36 . 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00457C39 . 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
00457C3F . E8 DCCCFDFF CALL CrackMe_.00434920
00457C44 . 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10] ;你的机器码
00457C47 . 58 POP EAX ;机器码的位数
00457C48 . E8 57C7FAFF CALL CrackMe_.004043A4 ;关键CALL
00457C4D 75 0D JNZ SHORT CrackMe_.00457C5C ;关键跳转--------爆破点。
00457C4F . B2 01 MOV DL,1
00457C51 . 8B83 08030000 MOV EAX,DWORD PTR DS:[EBX+308]
00457C57 . E8 E4CBFDFF CALL CrackMe_.00434840
00457C5C > 33C0 XOR EAX,EAX
00457C5E . 5A POP EDX
00457C5F . 59 POP ECX
00457C60 . 59 POP ECX
00457C61 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
-------------------------------关键CALL------------------------------------------------
004043A4 /$ 53 PUSH EBX
004043A5 |. 56 PUSH ESI
004043A6 |. 57 PUSH EDI
004043A7 |. 89C6 MOV ESI,EAX
004043A9 |. 89D7 MOV EDI,EDX
004043AB |. 39D0 CMP EAX,EDX ;机器码是否为空。一般空是跳向失败的而这里却空就正确。(这里还不明显!)
004043AD 0F84 8F000000 JE CrackMe_.00404442
004043B3 |. 85F6 TEST ESI,ESI
004043B5 |. 74 68 JE SHORT CrackMe_.0040441F
004043B7 |. 85FF TEST EDI,EDI
004043B9 |. 74 6B JE SHORT CrackMe_.00404426
004043BB |. 8B46 FC MOV EAX,DWORD PTR DS:[ESI-4]
004043BE |. 8B57 FC MOV EDX,DWORD PTR DS:[EDI-4]
004043C1 |. 29D0 SUB EAX,EDX
004043C3 |. 77 02 JA SHORT CrackMe_.004043C7
004043C5 |. 01C2 ADD EDX,EAX
004043C7 |> 52 PUSH EDX
004043C8 |. C1EA 02 SHR EDX,2
004043CB |. 74 26 JE SHORT CrackMe_.004043F3
004043CD |> 8B0E /MOV ECX,DWORD PTR DS:[ESI]
004043CF |. 8B1F |MOV EBX,DWORD PTR DS:[EDI]
004043D1 |. 39D9 |CMP ECX,EBX
004043D3 |. 75 58 |JNZ SHORT CrackMe_.0040442D
004043D5 |. 4A |DEC EDX
004043D6 |. 74 15 |JE SHORT CrackMe_.004043ED
004043D8 |. 8B4E 04 |MOV ECX,DWORD PTR DS:[ESI+4]
004043DB |. 8B5F 04 |MOV EBX,DWORD PTR DS:[EDI+4]
004043DE |. 39D9 |CMP ECX,EBX
004043E0 |. 75 4B |JNZ SHORT CrackMe_.0040442D
004043E2 |. 83C6 08 |ADD ESI,8
004043E5 |. 83C7 08 |ADD EDI,8
004043E8 |. 4A |DEC EDX
004043E9 |.^ 75 E2 \JNZ SHORT CrackMe_.004043CD
004043EB |. EB 06 JMP SHORT CrackMe_.004043F3
004043ED |> 83C6 04 ADD ESI,4
004043F0 |. 83C7 04 ADD EDI,4
004043F3 |> 5A POP EDX
004043F4 |. 83E2 03 AND EDX,3
004043F7 |. 74 22 JE SHORT CrackMe_.0040441B
004043F9 |. 8B0E MOV ECX,DWORD PTR DS:[ESI]
004043FB |. 8B1F MOV EBX,DWORD PTR DS:[EDI]
004043FD |. 38D9 CMP CL,BL
004043FF |. 75 41 JNZ SHORT CrackMe_.00404442
00404401 |. 4A DEC EDX
00404402 |. 74 17 JE SHORT CrackMe_.0040441B
00404404 |. 38FD CMP CH,BH
00404406 |. 75 3A JNZ SHORT CrackMe_.00404442
00404408 |. 4A DEC EDX
00404409 |. 74 10 JE SHORT CrackMe_.0040441B
0040440B |. 81E3 0000FF00 AND EBX,0FF0000
00404411 |. 81E1 0000FF00 AND ECX,0FF0000
00404417 |. 39D9 CMP ECX,EBX
00404419 |. 75 27 JNZ SHORT CrackMe_.00404442
0040441B |> 01C0 ADD EAX,EAX
0040441D |. EB 23 JMP SHORT CrackMe_.00404442
0040441F |> 8B57 FC MOV EDX,DWORD PTR DS:[EDI-4]
00404422 |. 29D0 SUB EAX,EDX ;用0减去机器码的位数,如果机器码的位数为0,那么关键跳转处不跳,即注册成功!(这里很明显啊!)
00404424 |. EB 1C JMP SHORT CrackMe_.00404442
00404426 |> 8B46 FC MOV EAX,DWORD PTR DS:[ESI-4]
00404429 |. 29D0 SUB EAX,EDX
0040442B |. EB 15 JMP SHORT CrackMe_.00404442
0040442D |> 5A POP EDX
0040442E |. 38D9 CMP CL,BL
00404430 |. 75 10 JNZ SHORT CrackMe_.00404442
00404432 |. 38FD CMP CH,BH
00404434 |. 75 0C JNZ SHORT CrackMe_.00404442
00404436 |. C1E9 10 SHR ECX,10
00404439 |. C1EB 10 SHR EBX,10
0040443C |. 38D9 CMP CL,BL
0040443E |. 75 02 JNZ SHORT CrackMe_.00404442
00404440 |. 38FD CMP CH,BH
00404442 |> 5F POP EDI
00404443 |. 5E POP ESI
00404444 |. 5B POP EBX
00404445 \. C3 RETN
00404446 8BC0 MOV EAX,EAX
--------------------------------------------------------------------------------
【经验总结】
小黑果然是小黑,不仅太黑还太阴险了。机器码为空,注册码不能为空随便输入就能注册成功!!
--------------------------------------------------------------------------------
【版权声明】: 本文原创于PYG技术论坛, 转载请注明作者并保持文章的完整, 谢谢! |
|
IP卡
发表于 2006-8-3 14:44:33
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2006-8-3 15:14:20
发表于 2006-8-3 16:00:55
发表于 2006-8-3 16:22:20
楼主
