无提示CrackMe算法分析

来源：互联网发布：万国数据杜秋编辑：程序博客网时间：2024/05/29 11:27

【文章标题】: 无提示CrackMe分析【文章作者】: odison【作者邮箱】: odison@126.com【软件大小】: 7k【下载地址】: http://d.namipan.com/d/de02d8fba8e68441419bea6cc26c84c30834d5083c270000

【加壳方式】: ASPack 2.x (without poly) -> Alexey Solodovnikov [Overlay]【使用工具】: peid,od,IDA,AspackDie【作者声明】: 不是感兴趣，有其他目的。啊哈~

【详细过程】  首先打开程序，输入用户名序列号点击注册，没有提示。    peid查壳，显示ASPack 2.x (without poly) -> Alexey Solodovnikov [Overlay]，用AspackDie脱壳，脱壳后输入表有问题，  但是程序能够打开，说明脱壳算是成功，我们先不管它。    od载入，bp GetDlgItemTextA    输入      name:odison      serial:123456789    点击check，程序断在系统空间，alt+F9切换回程序领空    00401528    68 00010000     PUSH 100                                 ; /Count = 100 (256)  0040152D    8D85 00FFFFFF   LEA EAX,DWORD PTR SS:[EBP-100]           ; |  00401533    50              PUSH EAX                                 ; |buffer  00401534    6A 65           PUSH 65                                  ; |ControlID = 65 (100)  00401536    FF75 08         PUSH DWORD PTR SS:[EBP+8]                ; |hWnd  00401539    E8 FA010000     CALL        ; /GetDlgItemTextA  0040153E    89C3            MOV EBX,EAX  00401540    09DB            OR EBX,EBX  00401542    75 04           JNZ SHORT unpacked.00401548  00401544    31C0            XOR EAX,EAX  00401546    EB 50           JMP SHORT unpacked.00401598  00401548    BF BC020000     MOV EDI,2BC  0040154D    BE 30000000     MOV ESI,30  00401552    B8 48000000     MOV EAX,48  00401557    99              CDQ  00401558    F7FB            IDIV EBX  0040155A    29C6            SUB ESI,EAX  0040155C    8D34B6          LEA ESI,DWORD PTR DS:[ESI+ESI*4]  0040155F    29F7            SUB EDI,ESI  00401561    6BFF 6B         IMUL EDI,EDI,6B  00401564    81EF 6CCF0000   SUB EDI,0CF6C  0040156A    81FF 00230000   CMP EDI,2300                             ; EDI=(2bc-(30-48/namelen)*5)*6b-cf6c >=190  <=2300  00401570    7F 08           JG SHORT unpacked.0040157A  00401572    81FF 90010000   CMP EDI,190  00401578    7D 04           JGE SHORT unpacked.0040157E  0040157A    31C0            XOR EAX,EAX  0040157C    EB 1A           JMP SHORT unpacked.00401598  0040157E    8D85 00FFFFFF   LEA EAX,DWORD PTR SS:[EBP-100]      00401584    50              PUSH EAX                                 ; /name  00401585    53              PUSH EBX                                 ; |name_len  00401586    FF75 08         PUSH DWORD PTR SS:[EBP+8]                ; |hDlg  00401589    E8 77FDFFFF     CALL unpacked.00401305                   ; /keygen  {    00401305    55              PUSH EBP  00401306    89E5            MOV EBP,ESP  00401308    81EC 2C040000   SUB ESP,42C  0040130E    53              PUSH EBX  0040130F    56              PUSH ESI  00401310    57              PUSH EDI  00401311    8DBD FCFEFFFF   LEA EDI,DWORD PTR SS:[EBP-104]  00401317    8D35 38204000   LEA ESI,DWORD PTR DS:[402038]  0040131D    B9 40000000     MOV ECX,40  00401322    F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>  00401324    8DBD E1FBFFFF   LEA EDI,DWORD PTR SS:[EBP-41F]  0040132A    8D35 38214000   LEA ESI,DWORD PTR DS:[402138]  00401330    B9 40000000     MOV ECX,40  00401335    F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>  00401337    8DBD E1FDFFFF   LEA EDI,DWORD PTR SS:[EBP-21F]  0040133D    8D35 38224000   LEA ESI,DWORD PTR DS:[402238]  00401343    B9 40000000     MOV ECX,40  00401348    F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>  0040134A    8DBD E1FCFFFF   LEA EDI,DWORD PTR SS:[EBP-31F]  00401350    8D35 38234000   LEA ESI,DWORD PTR DS:[402338]  00401356    B9 40000000     MOV ECX,40  0040135B    F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>  0040135D    8DBD DCFBFFFF   LEA EDI,DWORD PTR SS:[EBP-424]  00401363    8D35 38244000   LEA ESI,DWORD PTR DS:[402438]  00401369    B9 05000000     MOV ECX,5  0040136E    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>  00401370    8DBD D6FBFFFF   LEA EDI,DWORD PTR SS:[EBP-42A]  00401376    8D35 3D244000   LEA ESI,DWORD PTR DS:[40243D]  0040137C    B9 03000000     MOV ECX,3  00401381    F3:66:A5        REP MOVS WORD PTR ES:[EDI],WORD PTR DS:[>  00401384    8DBD E1FEFFFF   LEA EDI,DWORD PTR SS:[EBP-11F]  0040138A    8D35 43244000   LEA ESI,DWORD PTR DS:[402443]  00401390    B9 1B000000     MOV ECX,1B  00401395    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>  00401397    C745 FC 0000000>MOV DWORD PTR SS:[EBP-4],0  0040139E    68 00010000     PUSH 100  004013A3    8D85 E1FCFFFF   LEA EAX,DWORD PTR SS:[EBP-31F]  004013A9    50              PUSH EAX  004013AA    6A 66           PUSH 66  004013AC    FF75 08         PUSH DWORD PTR SS:[EBP+8]  004013AF    E8 84030000     CALL   004013B4    09C0            OR EAX,EAX  004013B6    0F84 48010000   JE unpacked.00401504  004013BC    B8 CF110000     MOV EAX,11CF  004013C1    0FB68D E1FCFFFF MOVZX ECX,BYTE PTR SS:[EBP-31F]  004013C8    99              CDQ  004013C9    F7F9            IDIV ECX  004013CB    83FA 17         CMP EDX,17                               ; 11b8 = 11cf - 17  004013CE    74 07           JE SHORT unpacked.004013D7  004013D0    31C0            XOR EAX,EAX  004013D2    E9 2D010000     JMP unpacked.00401504  004013D7    31DB            XOR EBX,EBX  004013D9    EB 0B           JMP SHORT unpacked.004013E6  004013DB    8B45 10         MOV EAX,DWORD PTR SS:[EBP+10]  004013DE    0FBE0418        MOVSX EAX,BYTE PTR DS:[EAX+EBX]  004013E2    0145 FC         ADD DWORD PTR SS:[EBP-4],EAX  004013E5    43              INC EBX  004013E6    3B5D 0C         CMP EBX,DWORD PTR SS:[EBP+C]  004013E9  ^ 7C F0           JL SHORT unpacked.004013DB  004013EB    31DB            XOR EBX,EBX  004013ED    E9 83000000     JMP unpacked.00401475  004013F2    8B55 10         MOV EDX,DWORD PTR SS:[EBP+10]  004013F5    0FBE3C1A        MOVSX EDI,BYTE PTR DS:[EDX+EBX]  004013F9    8B75 FC         MOV ESI,DWORD PTR SS:[EBP-4]  004013FC    89D9            MOV ECX,EBX  004013FE    C1E1 02         SHL ECX,2  00401401    89DA            MOV EDX,EBX  00401403    42              INC EDX  00401404    29D1            SUB ECX,EDX  00401406    0FB68C0D E1FEFF>MOVZX ECX,BYTE PTR SS:[EBP+ECX-11F]  0040140E    89FA            MOV EDX,EDI  00401410    31CA            XOR EDX,ECX  00401412    89F1            MOV ECX,ESI  00401414    0FAFCB          IMUL ECX,EBX  00401417    29F1            SUB ECX,ESI  00401419    89CE            MOV ESI,ECX  0040141B    83F6 FF         XOR ESI,FFFFFFFF  0040141E    8DB432 4D010000 LEA ESI,DWORD PTR DS:[EDX+ESI+14D]  00401425    8B4D 0C         MOV ECX,DWORD PTR SS:[EBP+C]  00401428    89DA            MOV EDX,EBX  0040142A    83C2 03         ADD EDX,3  0040142D    0FAFCA          IMUL ECX,EDX  00401430    0FAFCF          IMUL ECX,EDI  00401433    89F0            MOV EAX,ESI  00401435    01C8            ADD EAX,ECX  00401437    B9 0A000000     MOV ECX,0A  0040143C    31D2            XOR EDX,EDX  0040143E    F7F1            DIV ECX  00401440    83C2 30         ADD EDX,30  00401443    88941D FCFEFFFF MOV BYTE PTR SS:[EBP+EBX-104],DL  0040144A    0FB6BC1D FCFEFF>MOVZX EDI,BYTE PTR SS:[EBP+EBX-104]  00401452    81F7 ACAD0000   XOR EDI,0ADAC  00401458    89DE            MOV ESI,EBX  0040145A    83C6 02         ADD ESI,2  0040145D    89F8            MOV EAX,EDI  0040145F    0FAFC6          IMUL EAX,ESI  00401462    B9 0A000000     MOV ECX,0A  00401467    99              CDQ  00401468    F7F9            IDIV ECX  0040146A    83C2 30         ADD EDX,30  0040146D    88941D FCFEFFFF MOV BYTE PTR SS:[EBP+EBX-104],DL  00401474    43              INC EBX  00401475    3B5D 0C         CMP EBX,DWORD PTR SS:[EBP+C]  00401478  ^ 0F8C 74FFFFFF   JL unpacked.004013F2  0040147E    8D85 FCFEFFFF   LEA EAX,DWORD PTR SS:[EBP-104]  00401484    50              PUSH EAX  00401485    6A 54           PUSH 54  00401487    8D85 DCFBFFFF   LEA EAX,DWORD PTR SS:[EBP-424]  0040148D    50              PUSH EAX  0040148E    8D85 E1FBFFFF   LEA EAX,DWORD PTR SS:[EBP-41F]  00401494    50              PUSH EAX  00401495    E8 CE020000     CALL   0040149A    8B7D 0C         MOV EDI,DWORD PTR SS:[EBP+C]  0040149D    89F8            MOV EAX,EDI  0040149F    0FAF45 FC       IMUL EAX,DWORD PTR SS:[EBP-4]  004014A3    B9 64000000     MOV ECX,64  004014A8    99              CDQ  004014A9    F7F9            IDIV ECX  004014AB    89D7            MOV EDI,EDX  004014AD    83C7 30         ADD EDI,30  004014B0    57              PUSH EDI  004014B1    8DBD E1FBFFFF   LEA EDI,DWORD PTR SS:[EBP-41F]  004014B7    57              PUSH EDI  004014B8    8DBD D6FBFFFF   LEA EDI,DWORD PTR SS:[EBP-42A]  004014BE    57              PUSH EDI  004014BF    8DBD E1FDFFFF   LEA EDI,DWORD PTR SS:[EBP-21F]  004014C5    57              PUSH EDI  004014C6    E8 9D020000     CALL   004014CB    83C4 20         ADD ESP,20  004014CE    8D8D E1FDFFFF   LEA ECX,DWORD PTR SS:[EBP-21F]  004014D4    83C8 FF         OR EAX,FFFFFFFF  004014D7    40              INC EAX  004014D8    803C01 00       CMP BYTE PTR DS:[ECX+EAX],0  004014DC  ^ 75 F9           JNZ SHORT unpacked.004014D7              ; /  004014DE    50              PUSH EAX                                 ; |arg3 midkey_len  004014DF    8D85 E1FCFFFF   LEA EAX,DWORD PTR SS:[EBP-31F]           ; |  004014E5    50              PUSH EAX                                 ; |arg2 key(input)  004014E6    8D85 E1FDFFFF   LEA EAX,DWORD PTR SS:[EBP-21F]           ; |  004014EC    50              PUSH EAX                                 ; |arg1 midkey  004014ED    E8 D0FDFFFF     CALL unpacked.004012C2                   ; /keycheck          {                 004012C2    55              PUSH EBP  004012C3    89E5            MOV EBP,ESP  004012C5    53              PUSH EBX  004012C6    56              PUSH ESI  004012C7    57              PUSH EDI  004012C8    8B5D 10         MOV EBX,DWORD PTR SS:[EBP+10]  004012CB    31F6            XOR ESI,ESI  004012CD    46              INC ESI  004012CE    EB 29           JMP SHORT unpacked.004012F9  004012D0    8B55 08         MOV EDX,DWORD PTR SS:[EBP+8]  004012D3    0FBE3C32        MOVSX EDI,BYTE PTR DS:[EDX+ESI]  004012D7    89F8            MOV EAX,EDI  004012D9    83F0 20         XOR EAX,20  004012DC    B9 0A000000     MOV ECX,0A  004012E1    99              CDQ  004012E2    F7F9            IDIV ECX  004012E4    89D7            MOV EDI,EDX  004012E6    83C7 30         ADD EDI,30  004012E9    8B55 0C         MOV EDX,DWORD PTR SS:[EBP+C]  004012EC    0FBE1432        MOVSX EDX,BYTE PTR DS:[EDX+ESI]  004012F0    39D7            CMP EDI,EDX  004012F2    74 04           JE SHORT unpacked.004012F8  004012F4    31C0            XOR EAX,EAX  004012F6    EB 08           JMP SHORT unpacked.00401300  004012F8    46              INC ESI  004012F9    39DE            CMP ESI,EBX  004012FB  ^ 7C D3           JL SHORT unpacked.004012D0  004012FD    31C0            XOR EAX,EAX  004012FF    40              INC EAX  00401300    5F              POP EDI  00401301    5E              POP ESI  00401302    5B              POP EBX  00401303    5D              POP EBP  00401304    C3              RETN          }            ...  }  ...    部分代码省略    此时，我们对于该crackme结构有了大致的了解，也知道了主要的两个函数地址，好的，打开IDA，载入unpacked.exe,  定位到 第一个函数  keygen 按F5 使用hex-ray生成代码（当然还得经过人为的整理，修改变量名等）：      UINT __cdecl keygen(HWND hDlg, int namelength, char *name)  {    signed int i; // ecx@1    const CHAR *v4; // edi@1    int v5; // esi@1    UINT result; // eax@4    int j; // ebx@7    int k; // ebx@10    signed int midkey_len; // eax@13    const CHAR v10; // [sp+Eh] [bp-42Ah]@1    const CHAR v11; // [sp+14h] [bp-424h]@1    CHAR v12; // [sp+19h] [bp-41Fh]@1    CHAR Key; // [sp+119h] [bp-31Fh]@1    char midkey[256]; // [sp+219h] [bp-21Fh]@1    char table[27]; // [sp+319h] [bp-11Fh]@4    char tempkey[256]; // [sp+334h] [bp-104h]@1    int asctotal; // [sp+434h] [bp-4h]@4      memcpy(tempkey, &unk_402038, sizeof(tempkey));    memcpy(&v12, &unk_402138, 0x100u);            // v12 = ??T?ˉ    memcpy(midkey, &unk_402238, sizeof(midkey));    memcpy(&Key, &unk_402338, 0x100u);    memcpy((void *)&v11, "%c%s", 5u);    v4 = &v10;    v5 = (int)"%s-%d";    for ( i = 3; i; --i )    {      *(_WORD *)v4 = *(_WORD *)v5;      v5 += 2;      v4 += 2;    }    memcpy(table, "ABCDEFGHIJKLMNOPQRSTUVWXYZ", sizeof(table));    asctotal = 0;    result = GetDlgItemTextA(hDlg, 102, &Key, 256);    if ( result )    {      if ( 4559 % (unsigned __int8)Key == 23 )      {        for ( j = 0; j < namelength; ++j )          asctotal += name[j];        for ( k = 0; k < namelength; ++k )        {          tempkey[k] = (unsigned __int8)(name[k] * (k + 3) * (_BYTE)namelength                                       + (table[4 * k - (k + 1)] ^ name[k])                                       + ~(k * (_BYTE)asctotal - (_BYTE)asctotal)                                       + 0x4D)                     % 0xAu                     + 0x30;          tempkey[k] = (k + 2) * ((unsigned __int8)tempkey[k] ^ 0xADAC) % 10 + 0x30;        }        wsprintfA(&v12, &v11, 84, tempkey);       // 84 = 'T'  v12 = Ttmpkey        wsprintfA(midkey, &v10, &v12, asctotal * namelength % 100 + 0x30);// midkey = Tkey +'-' + lastnum        midkey_len = -1;        // midkey_len = strlen(midkey);        do          ++midkey_len;        while ( midkey[midkey_len] );        if ( keycheck(midkey, &Key, midkey_len) ) // //check rtn =0 ?ò?yè·          result = 1;        else          result = 0;      }      else      {        result = 0;      }    }    return result;  }     重复上述操作可以得到 keycheck的代码如下：      signed int __cdecl keycheck(char *midkey, char *key, signed int midkey_len)  {    signed int i; // esi@1      for ( i = 1; i < midkey_len; ++i )    {      if ( (midkey[i] ^ 0x20) % 10 + 0x30 != key[i] )        return 0;    }    return 1;  }     上述的代码结构相比较与汇编来说清晰了很多，这样也有助于我们写出注册机。  char table[]="ABCDEFGHIJKLMNOPQRSTUVWXYZ";char* keygen(char* name,char* table){  int name_len=strlen(name),total=0,temp;  char * midkey;    for(i=0;i<name_len;i++)  {    total+=name[i];    }  midkey[0]='T';  for(i=0;i<name_len;i++)  {    temp=(((((name[i]^table[i*3-1])+((total*i-total)^0xffffffff)+0x14d+(i+3)*name_len*name[i])%10+0x30)^0xadac)*(i+2))%10+0x30;    midkey[i+1]=temp;  }  midkey[name_len+1]='/0';  temp=(name_len*total)%0x64+0x30;  ultoa(temp,lastnum,10);  strcat(midkey,"-");  strcat(midkey,lastnum);  int midkey_len=strlen(midkey);  for(i=1;i<midkey_len;i++)  {    midkey[i]=((midkey[i]^0x20)%10+0x30);  }  return *midkey;}  
【经验总结】  这个crackme是很早以前的东西，看雪里的破文应该也有一大堆，我写此文主要是介绍IDA结合OD对于写注册机的帮助。  hex-ray的强大由此文可见一斑。    当然，单纯的用OD也是可以分析算法过程的，就好比单纯的用IDA也是能分析。    此文只是提供一种思路。  

【版权声明】: Copyright  2010 odison. All Rights Reserved.
                                                       2010年10月05日 8:47:45