返回列表 发帖
yongmin 该用户已被删除
楼主 跳转到 » 倒序看帖
打印
tT
yongmin发表于 2006-12-4 10:38 | 只看该作者

[转载]Savage';s Slayer';s Crackme # 1算法分析

破文标题】Savage';s Slayer';s Crackme # 1算法分析 【破文作者】XXNB 【作者邮箱】 【作者主页】http://free.ys168.com/?binbinbin7456 【破解工具】OD 【破解平台】xpsp2 【软件名称】Savage';s Slayer';s Crackme # 1 【软件大小】 【原版下载】 【保护方式】 【软件简介】Easy for first Difficulty: 1 - Very easy, for newbies Platform: Windows Language: Assembler Published: 25. Nov, 2006 Downloads: 7 【破解声明】向大侠们学习!!!只为学习!请尊重作者的劳动成功! ------------------------------------------------------------------------ 【破解过程】 可以去 http://www.crackmes.de 这个网站下载 1、这个crackme非常有趣。我早上下的然后看啊看啊,就是不知道在哪里下断好。不过我在跟踪的过程发现,要用到计算机名,还要用到一个“reg.key”文件,于是我就建立了个“reg.key”文件。写入:123456789。运行,还是没能找到关键点,因为它根本就没有读取文件,怎么回事??。然后我就复制我的用户名BINBIN到“reg.key”文件里。跟踪的时候,发现居然能读取BINBIN这个字符串,我当时奇怪得很。 最终,在我的试验下原来发现下面的00401292这句开始是对计算机名运算的,先是得到计算机名Ascii码累加值,然后一个循环减。最终结果要等于0,于是我知道当然是减用户名的Ascii码累加值才能等于0。原来,程序是读取你的剪切板的数据的。 所以,如果要使得register按钮有效,就必须复制自己的计算机名,然后按下check,就会出现“Step 1 ok -> now Register it!”了、。 注册按钮有效后就是读取文件了。首先,读取“reg.key”文件的字节数,一定要大于等于8位字节才有效。具体看下面代码注释。 0040108B |. 51 push ecx ; /pBufferSize => KeyMe1.0040333A 0040108C |. 68 3B324000 push 0040323B ; |BINBIN 00401091 |. E8 86020000 call ; \GetComputerNameA 00401096 |. 68 3B324000 push 0040323B ; /BINBIN 0040109B |. E8 A0020000 call ; \lstrlenA 004010A0 |. A3 46334000 mov dword ptr [403346], eax ; 计算机名长度 004010A5 |. 59 pop ecx 004010A6 |. 58 pop eax 004010A7 |. 60 pushad 004010A8 |. 9C pushfd 004010A9 |. BE 3B324000 mov esi, 0040323B ; 计算机名 004010AE |. C705 3E334000>mov dword ptr [40333E], 0 004010B8 |> AC /lods byte ptr [esi] ; 这里这个循环就是得到计算机名的累加值了 004010B9 |. 0FB6C0 |movzx eax, al 004010BC |. 0105 3E334000 |add dword ptr [40333E], eax 004010C2 |. 3C 00 |cmp al, 0 004010C4 |.^ 75 F2 \jnz short 004010B8 004010C6 |. 9D popfd 004010C7 |. 61 popad 004010C8 |. 33C0 xor eax, eax 004010CA |. C9 leave 004010CB |. C2 1000 retn 10 004010CE |> 837D 0C 10 cmp dword ptr [ebp+C], 10 004010D2 |. 75 0A jnz short 004010DE 004010D4 |. 6A 00 push 0 ; /Result = 0 004010D6 |. FF75 08 push dword ptr [ebp+8] ; |hWnd 004010D9 |. E8 7A020000 call ; \EndDialog 004010DE |> 817D 0C 11010>cmp dword ptr [ebp+C], 111 004010E5 |. 0F85 19020000 jnz 00401304 004010EB |. 8B45 10 mov eax, dword ptr [ebp+10] 004010EE |. 66:83F8 68 cmp ax, 68 ; (Initial CPU selection) 004010F2 |. 75 0A jnz short 004010FE 004010F4 |. 6A 00 push 0 ; /Result = 0 004010F6 |. FF75 08 push dword ptr [ebp+8] ; |hWnd 004010F9 |. E8 5A020000 call ; \EndDialog 004010FE |> 66:83F8 69 cmp ax, 69 00401102 |. 75 13 jnz short 00401117 00401104 |. 6A 40 push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL 00401106 |. 68 00304000 push 00403000 ; |[ info ] 0040110B |. 68 09304000 push 00403009 ; |[ KeyMe # 1 coded by Slayer ]\r\n\r\nRules : No patching at all. >> Keygen it <<\r\n\r\nSolutions : slayeronthefly@yahoo.com\r\n\r\nAll accepted solutions will be awarded by source code 00401110 |. 6A 00 push 0 ; |hOwner = NULL 00401112 |. E8 59020000 call ; \MessageBoxA 00401117 |> 66:83F8 6A cmp ax, 6A 0040111B |. 0F85 41010000 jnz 00401262 00401121 |. 6A 00 push 0 ; /hTemplateFile = NULL 00401123 |. 68 80000000 push 80 ; |Attributes = NORMAL 00401128 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING 0040112A |. 6A 00 push 0 ; |pSecurity = NULL 0040112C |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ 0040112E |. 68 00000080 push 80000000 ; |Access = GENERIC_READ 00401133 |. 68 26314000 push 00403126 ; |reg.key 00401138 |. E8 D3010000 call ; \CreateFileA 0040113D |. 83F8 FF cmp eax, -1 00401140 |. 75 05 jnz short 00401147 00401142 |. E9 E7000000 jmp 0040122E 00401147 |> A3 4A334000 mov dword ptr [40334A], eax 0040114C |. 6A 00 push 0 ; /pFileSizeHigh = NULL 0040114E |. FF35 4A334000 push dword ptr [40334A] ; |hFile = 00000088 (window) 00401154 |. E8 C9010000 call ; \GetFileSize 00401159 |. 83F8 08 cmp eax, 8 ; 文件的字节一定不能小于8 0040115C |. 73 10 jnb short 0040116E 0040115E |. FF35 4A334000 push dword ptr [40334A] ; /hObject = 00000088 (window) 00401164 |. E8 A1010000 call ; \CloseHandle 00401169 |. E9 C0000000 jmp 0040122E 0040116E |> A3 52334000 mov dword ptr [403352], eax ; 存储计算机名的位数 00401173 |. FF35 52334000 push dword ptr [403352] ; /MemSize = 8 00401179 |. 6A 40 push 40 ; |Flags = GPTR 0040117B |. E8 AE010000 call ; \GlobalAlloc 00401180 |. 0BC0 or eax, eax 00401182 |. 75 1F jnz short 004011A3 00401184 |. 68 0D314000 push 0040310D ; /Memory allocation error! 00401189 |. 6A 66 push 66 ; |ControlID = 66 (102.) 0040118B |. FF75 08 push dword ptr [ebp+8] ; |hWnd 0040118E |. E8 EF010000 call ; \SetDlgItemTextA 00401193 |. FF35 4A334000 push dword ptr [40334A] ; /hObject = 00000088 (window) 00401199 |. E8 6C010000 call ; \CloseHandle 0040119E |. E9 B4000000 jmp 00401257 004011A3 |> A3 4E334000 mov dword ptr [40334E], eax 004011A8 |. 6A 00 push 0 ; /pOverlapped = NULL 004011AA |. 68 2E314000 push 0040312E ; |A 004011AF |. FF35 52334000 push dword ptr [403352] ; |BytesToRead = 8 004011B5 |. FF35 4E334000 push dword ptr [40334E] ; |Buffer = 00149A20 004011BB |. FF35 4A334000 push dword ptr [40334A] ; |hFile = 00000088 (window) 004011C1 |. E8 74010000 call ; \ReadFile 004011C6 |. 0BC0 or eax, eax 004011C8 |. 75 18 jnz short 004011E2 004011CA |. FF35 4A334000 push dword ptr [40334A] ; /hObject = 00000088 (window) 004011D0 |. E8 35010000 call ; \CloseHandle 004011D5 |. FF35 4E334000 push dword ptr [40334E] ; /hMem = 00149A20 004011DB |. E8 54010000 call ; \GlobalFree 004011E0 |. EB 4C jmp short 0040122E 004011E2 |> FF35 4A334000 push dword ptr [40334A] ; /hObject = 00000088 (window) 004011E8 |. E8 1D010000 call ; \CloseHandle 004011ED |. 56 push esi 004011EE |. 52 push edx 004011EF |. 8B35 4E334000 mov esi, dword ptr [40334E] 004011F5 |. 8B06 mov eax, dword ptr [esi] ; 第一个值到eax。这个值是key文件中前4位倒过来的ascii码值 004011F7 |. 83C6 04 add esi, 4 004011FA |. 8B16 mov edx, dword ptr [esi] ; 第二个值到edx。这个当然就是5~8位倒过来的ascii码值了 004011FC |. 33C2 xor eax, edx ; 前面两个值异或。结果在eax 004011FE |. 8B15 42334000 mov edx, dword ptr [403342] ; 这里好像总是0的 00401204 |. 03C2 add eax, edx ; 加0相当于没有加 00401206 |. 5A pop edx 00401207 |. 5E pop esi 00401208 |. 3B05 3E334000 cmp eax, dword ptr [40333E] ; 计算机名的ascii累加值和上面运算的结果比较。相等就成功 0040120E 75 1E jnz short 0040122E ; 这里就是关键跳了。 00401210 |. 68 D9304000 push 004030D9 ; /Good work. You have done it! 00401215 |. 6A 66 push 66 ; |ControlID = 66 (102.) 00401217 |. FF75 08 push dword ptr [ebp+8] ; |hWnd 0040121A |. E8 63010000 call ; \SetDlgItemTextA 0040121F |. 6A 00 push 0 ; /Enable = FALSE 00401221 |. FF35 5A334000 push dword ptr [40335A] ; |hWnd = 002A03C2 (';-> Register <-';,class=';Button';,parent=00280320) 00401227 |. E8 26010000 call ; \EnableWindow 0040122C |. EB 29 jmp short 00401257 0040122E |> 68 F6304000 push 004030F6 ; /Registration failed!!! 00401233 |. 6A 66 push 66 ; |ControlID = 66 (102.) 00401235 |. FF75 08 push dword ptr [ebp+8] ; |hWnd 00401238 |. E8 45010000 call ; \SetDlgItemTextA 0040123D |. 6A 00 push 0 ; /Enable = FALSE 0040123F |. FF35 5A334000 push dword ptr [40335A] ; |hWnd = 002A03C2 (';-> Register <-';,class=';Button';,parent=00280320) 00401245 |. E8 08010000 call ; \EnableWindow 0040124A |. 6A 01 push 1 ; /Enable = TRUE 0040124C |. FF35 56334000 push dword ptr [403356] ; |hWnd = 001B0330 (';Check';,class=';Button';,parent=00280320) 00401252 |. E8 FB000000 call ; \EnableWindow 00401257 |> FF35 4E334000 push dword ptr [40334E] ; /hMem = 00149A20 0040125D |. E8 D2000000 call ; \GlobalFree 00401262 |> 66:83F8 67 cmp ax, 67 00401266 |. 0F85 98000000 jnz 00401304 0040126C |. 6A 00 push 0 ; /hWnd = NULL 0040126E |. E8 03010000 call ; \OpenClipboard 00401273 |. 6A 01 push 1 ; /Format = CF_TEXT 00401275 |. E8 E4000000 call ; \GetClipboardData 0040127A |. 0BC0 or eax, eax 0040127C |. 74 72 je short 004012F0 0040127E |. A3 33324000 mov dword ptr [403233], eax 00401283 |. 60 pushad 00401284 |. 9C pushfd 00401285 |. BE 33324000 mov esi, 00403233 0040128A |. 8B36 mov esi, dword ptr [esi] 0040128C |. FF35 3E334000 push dword ptr [40333E] 00401292 |. 8F05 42334000 pop dword ptr [403342] ; 计算机名累加值出栈 00401298 |. 8B0D 46334000 mov ecx, dword ptr [403346] ; 用户名位数 0040129E |> 8A5431 FF /mov dl, byte ptr [ecx+esi-1] ; 从固定字符串的第六位开始倒着取 004012A2 |. 0FB6D2 |movzx edx, dl 004012A5 |. 2915 42334000 |sub dword ptr [403342], edx ; 计算机名累加值-取得的ascii码值 004012AB |. 49 |dec ecx 004012AC |.^ 75 F0 \jnz short 0040129E 004012AE |. 9D popfd 004012AF |. 61 popad 004012B0 |. A1 42334000 mov eax, dword ptr [403342] ; 这里就是上面循环减后的值了 004012B5 |. 6BC0 FF imul eax, eax, -1 ; eax×(-1)放到eax 004012B8 |. 83C0 01 add eax, 1 ; eax+1 004012BB |. 6BC0 FF imul eax, eax, -1 ; eax×(-1)放到eax。又乘以-1干嘛 004012BE |. 83C0 01 add eax, 1 ; 又+1。相当于没事在这里乱弄 004012C1 |. 0BC0 or eax, eax ; 跟到这里,发现计算机名的累加值减甚么东西能得到0能。当然就是减自己了 004012C3 |. 75 2B jnz short 004012F0 ; 所以,一定要复制计算机名到剪切板才能成功。 004012C5 |. 68 BB304000 push 004030BB ; /Step 1 ok -> now Register it! 004012CA |. 6A 66 push 66 ; |ControlID = 66 (102.) 004012CC |. FF75 08 push dword ptr [ebp+8] ; |hWnd 004012CF |. E8 AE000000 call ; \SetDlgItemTextA 004012D4 |. 6A 00 push 0 ; /Enable = FALSE 004012D6 |. FF35 56334000 push dword ptr [403356] ; |hWnd = 001B0330 (';Check';,class=';Button';,parent=00280320) 004012DC |. E8 71000000 call ; \EnableWindow 004012E1 |. 6A 01 push 1 ; /Enable = TRUE 004012E3 |. FF35 5A334000 push dword ptr [40335A] ; |hWnd = 002A03C2 (';-> Register <-';,class=';Button';,parent=00280320) 004012E9 |. E8 64000000 call ; \EnableWindow 004012EE |. EB 0F jmp short 004012FF 004012F0 |> 68 F6304000 push 004030F6 ; /Registration failed!!! 004012F5 |. 6A 66 push 66 ; |ControlID = 66 (102.) 004012F7 |. FF75 08 push dword ptr [ebp+8] ; |hWnd 004012FA |. E8 83000000 call ; \SetDlgItemTextA 004012FF |> E8 42000000 call ; [CloseClipboard 00401304 |> 33C0 xor eax, eax 00401306 |. C9 leave 00401307 \. C2 1000 retn 10 1、先假设我的计算机名是:BINBIN。 我在“reg.key”文件里输入的是:12345678 读取“reg.key”文件的算法是:读取前4位,倒过来取ascii码值的16进制字符串,得到:34333231; 再读取后5~8位,倒过来取ascii码值的16进制字符串,得到:38373635 两个数异或,得到0C040404。这个数和计算机名的ascii码累加值比较,如果相等就注册成功。“Good work. You have done it!” 2、所以,相对于我的计算机名:BINBIN。 Ascii码累加值是01B2。甚么东西和甚么东西异或能得到01B2呢??? 由于我的计算机名比较特殊经过我的测试,在“reg.key”文件里输入“2210
收藏 分享

返回列表 回复 发帖