|
|
Crackme:HappyTown的crackme_0025
工具:Ollydbg,PEiD
在Crackme的发布贴(http://bbs.pediy.com/showthread.php...;threadid=33406)里,这个Crackme已经被讨论的差不多了,我就捡个便宜些个注册机好了。
用HorstStein在Crackme24的分析中使用的方法(http://bbs.pediy.com/showthread.php...lldbg动态调试:
0040130A |. 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
0040130E |. 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C]
00401312 |. 50 PUSH EAX
00401313 |. 8D5424 24 LEA EDX,DWORD PTR SS:[ESP+24]
00401317 |. 51 PUSH ECX
00401318 |. 52 PUSH EDX
00401319 |. E8 F2000000 CALL <CrackMe_.sub_401410> ; KANAL
0040131E |. 6A 00 PUSH 0
00401320 |. C785 34020000 >MOV DWORD PTR SS:[EBP+234],10
0040132A |. E8 B1060000 CALL <CrackMe_._mirvar>
0040132F |. 6A 00 PUSH 0
00401331 |. 8BF0 MOV ESI,EAX
00401333 |. E8 A8060000 CALL <CrackMe_._mirvar>
00401338 |. 6A 00 PUSH 0
0040133A |. 8BF8 MOV EDI,EAX
0040133C |. E8 9F060000 CALL <CrackMe_._mirvar>
00401341 |. 6A 00 PUSH 0
00401343 |. 8BD8 MOV EBX,EAX
00401345 |. E8 96060000 CALL <CrackMe_._mirvar>
0040134A |. 68 18D14000 PUSH CrackMe_.0040D118 ; ASCII "16EDE8A1E238448FCFB017368DC4DC026F44BD6C5A531286267C16B9B6DC6EE0"
0040134F |. 57 PUSH EDI
00401350 |. 8BE8 MOV EBP,EAX
00401352 |. E8 A9280000 CALL <CrackMe_._cinstr>
00401357 |. 68 D4D04000 PUSH CrackMe_.0040D0D4 ; ASCII "E7D47A8E307241130434E06254CE6561B4AF1790119DCB4B4544081A60B0A1BB"
0040135C |. 55 PUSH EBP
0040135D |. E8 9E280000 CALL <CrackMe_._cinstr>
00401362 |. 8B4424 54 MOV EAX,DWORD PTR SS:[ESP+54]
00401366 |. 8D8C24 2001000>LEA ECX,DWORD PTR SS:[ESP+120]
0040136D |. 51 PUSH ECX
0040136E |. 53 PUSH EBX
0040136F |. C780 34020000 >MOV DWORD PTR DS:[EAX+234],100
00401379 |. E8 82280000 CALL <CrackMe_._cinstr>
0040137E |. 8B5424 5C MOV EDX,DWORD PTR SS:[ESP+5C]
00401382 |. 56 PUSH ESI ; ret
00401383 |. 55 PUSH EBP ; p=E7D4...
00401384 |. 53 PUSH EBX ; x=name
00401385 |. 57 PUSH EDI ; a=16ED...
00401386 |. C782 34020000 >MOV DWORD PTR DS:[EDX+234],10
00401390 |. E8 3B220000 CALL <CrackMe_._powmod>
00401395 |. 83C4 44 ADD ESP,44
00401398 |. 56 PUSH ESI ; ret
00401399 |. 55 PUSH EBP ; p=E7D4...
0040139A |. 56 PUSH ESI ; x=ret
0040139B |. 57 PUSH EDI ; a=16ED...
0040139C |. E8 2F220000 CALL <CrackMe_._powmod>
004013A1 |. 8D8424 CC01000>LEA EAX,DWORD PTR SS:[ESP+1CC]
004013A8 |. 6A 00 PUSH 0
004013AA |. 50 PUSH EAX
004013AB |. 56 PUSH ESI
004013AC |. 6A 00 PUSH 0
004013AE |. E8 CD1F0000 CALL <CrackMe_._big_to_bytes>
004013B3 |. 56 PUSH ESI
004013B4 |. E8 F70F0000 CALL <CrackMe_._mirkill>
004013B9 |. 55 PUSH EBP
004013BA |. E8 F10F0000 CALL <CrackMe_._mirkill>
004013BF |. 57 PUSH EDI
004013C0 |. E8 EB0F0000 CALL <CrackMe_._mirkill>
004013C5 |. 53 PUSH EBX
004013C6 |. E8 E50F0000 CALL <CrackMe_._mirkill>
004013CB |. 83C4 30 ADD ESP,30
004013CE |. E8 FD0F0000 CALL <CrackMe_.sub_4023D0>
004013D3 |. B9 02000000 MOV ECX,2
004013D8 |. 8DBC24 BC01000>LEA EDI,DWORD PTR SS:[ESP+1BC]
004013DF |. 8D7424 20 LEA ESI,DWORD PTR SS:[ESP+20]
004013E3 |. 33D2 XOR EDX,EDX
004013E5 |. F3:A7 REPE CMPS DWORD PTR ES:[EDI],DWORD PTR D>
004013E7 |. 5F POP EDI
004013E8 |. 8BC2 MOV EAX,EDX
004013EA |. 5E POP ESI
004013EB |. 5D POP EBP
004013EC |. 0F94C0 SETE AL
004013EF |. 5B POP EBX
004013F0 |. 81C4 74020000 ADD ESP,274
004013F6 |. C3 RETN
很明了:
x1=tea(serial,key)
powmod(a,x,p,ret);
x2=powmod(a,ret,p,ret);
x1=x2就成功!
|
|
