|
|
目标:随便找了一个简单的CrackMe
破解工具:OD、计算器
首先用peid查壳,无壳。运行,收集足够的信息,用OD载入,通过字符串参考下断,断在下面:
00457C4E |. 83F8 06 cmp eax, 6 ; name长度必须大于等于6
00457C51 |. 73 1D jnb short 00457C70
00457C53 |. 6A 00 push 0
00457C55 |. B9 F87E4500 mov ecx, 00457EF8 ; name too short !
00457C5A |. BA 0C7F4500 mov edx, 00457F0C ; your name must be at least 6 chars long !
00457C5F |. A1 98A54500 mov eax, [45A598]
00457C64 |. 8B00 mov eax, [eax]
00457C66 |. E8 C584FEFF call 00440130
00457C6B |. E9 59010000 jmp 00457DC9
00457C70 |> 8D55 FC lea edx, [ebp-4]
00457C73 |. 8B83 D8020000 mov eax, [ebx+2D8]
00457C79 |. E8 62C2FCFF call 00423EE0
00457C7E |. 8B45 FC mov eax, [ebp-4]
00457C81 |. BA 01000000 mov edx, 1
00457C86 |. 4A dec edx
00457C87 |. 3B50 FC cmp edx, [eax-4] ; name字符串长度7
00457C8A |. 72 05 jb short 00457C91
00457C8C |. E8 F3AEFAFF call 00402B84
00457C91 |> 42 inc edx
00457C92 |. 0FB64410 FF movzx eax, byte ptr [eax+e>
00457C97 |. 6BF0 02 imul esi, eax, 2 ; name第1位*2送eax
00457C9A |. 71 05 jno short 00457CA1
00457C9C |. E8 EBAEFAFF call 00402B8C
00457CA1 |> 8D55 F8 lea edx, [ebp-8]
00457CA4 |. 8B83 D8020000 mov eax, [ebx+2D8]
00457CAA |. E8 31C2FCFF call 00423EE0
00457CAF |. 8B45 F8 mov eax, [ebp-8]
00457CB2 |. BA 02000000 mov edx, 2
00457CB7 |. 4A dec edx
00457CB8 |. 3B50 FC cmp edx, [eax-4]
00457CBB |. 72 05 jb short 00457CC2
00457CBD |. E8 C2AEFAFF call 00402B84
00457CC2 |> 42 inc edx
00457CC3 |. 0FB64410 FF movzx eax, byte ptr [eax+e>
00457CC8 |. 6BC0 02 imul eax, eax, 2 ; name第2位*2送eax
00457CCB |. 71 05 jno short 00457CD2
00457CCD |. E8 BAAEFAFF call 00402B8C
00457CD2 |> 03F0 add esi, eax ; 累加于esi
00457CD4 |. 71 05 jno short 00457CDB
00457CD6 |. E8 B1AEFAFF call 00402B8C
00457CDB |> 8D55 F4 lea edx, [ebp-C]
00457CDE |. 8B83 D8020000 mov eax, [ebx+2D8]
00457CE4 |. E8 F7C1FCFF call 00423EE0
00457CE9 |. 8B45 F4 mov eax, [ebp-C]
00457CEC |. BA 03000000 mov edx, 3
00457CF1 |. 4A dec edx
00457CF2 |. 3B50 FC cmp edx, [eax-4]
00457CF5 |. 72 05 jb short 00457CFC
00457CF7 |. E8 88AEFAFF call 00402B84
00457CFC |> 42 inc edx
00457CFD |. 0FB64410 FF movzx eax, byte ptr [eax+e>
00457D02 |. 6BC0 02 imul eax, eax, 2 ; name第3位*2送eax
00457D05 |. 71 05 jno short 00457D0C
00457D07 |. E8 80AEFAFF call 00402B8C
00457D0C |> 03F0 add esi, eax ; 累加于esi
00457D0E |. 71 05 jno short 00457D15
00457D10 |. E8 77AEFAFF call 00402B8C
00457D15 |> 8D55 F0 lea edx, [ebp-10]
00457D18 |. 8B83 D8020000 mov eax, [ebx+2D8]
00457D1E |. E8 BDC1FCFF call 00423EE0
00457D23 |. 8B45 F0 mov eax, [ebp-10]
00457D26 |. BA 04000000 mov edx, 4
00457D2B |. 4A dec edx
00457D2C |. 3B50 FC cmp edx, [eax-4]
00457D2F |. 72 05 jb short 00457D36
00457D31 |. E8 4EAEFAFF call 00402B84
00457D36 |> 42 inc edx
00457D37 |. 0FB64410 FF movzx eax, byte ptr [eax+e>
00457D3C |. 6BC0 02 imul eax, eax, 2 ; name第4位*2送eax
00457D3F |. 71 05 jno short 00457D46
00457D41 |. E8 46AEFAFF call 00402B8C
00457D46 |> 03F0 add esi, eax ; 累加于esi
00457D48 |. 71 05 jno short 00457D4F
00457D4A |. E8 3DAEFAFF call 00402B8C
00457D4F |> 8D55 EC lea edx, [ebp-14]
00457D52 |. 8B83 D8020000 mov eax, [ebx+2D8]
00457D58 |. E8 83C1FCFF call 00423EE0
00457D5D |. 8B45 EC mov eax, [ebp-14]
00457D60 |. BA 05000000 mov edx, 5
00457D65 |. 4A dec edx
00457D66 |. 3B50 FC cmp edx, [eax-4]
00457D69 |. 72 05 jb short 00457D70
00457D6B |. E8 14AEFAFF call 00402B84
00457D70 |> 42 inc edx
00457D71 |. 0FB64410 FF movzx eax, byte ptr [eax+e>
00457D76 |. 6BC0 02 imul eax, eax, 2 ; name第5位*2送eax
00457D79 |. 71 05 jno short 00457D80
00457D7B |. E8 0CAEFAFF call 00402B8C
00457D80 |> 03F0 add esi, eax
00457D82 |. 71 05 jno short 00457D89
00457D84 |. E8 03AEFAFF call 00402B8C
00457D89 |> 8D55 E8 lea edx, [ebp-18]
00457D8C |. 8B83 D8020000 mov eax, [ebx+2D8]
00457D92 |. E8 49C1FCFF call 00423EE0
00457D97 |. 8B45 E8 mov eax, [ebp-18]
00457D9A |. BA 06000000 mov edx, 6
00457D9F |. 4A dec edx
00457DA0 |. 3B50 FC cmp edx, [eax-4]
00457DA3 |. 72 05 jb short 00457DAA
00457DA5 |. E8 DAADFAFF call 00402B84
00457DAA |> 42 inc edx
00457DAB |. 0FB64410 FF movzx eax, byte ptr [eax+e>
00457DB0 |. 6BC0 02 imul eax, eax, 2 ; name第6位*2送eax
00457DB3 |. 71 05 jno short 00457DBA
00457DB5 |. E8 D2ADFAFF call 00402B8C
00457DBA |> 03F0 add esi, eax ; 累加于esi
00457DBC |. 71 05 jno short 00457DC3
00457DBE |. E8 C9ADFAFF call 00402B8C
00457DC3 |> 8935 40B84500 mov [45B840], esi ; 累加和存于[45B840]
00457DC9 |> A1 44B84500 mov eax, [45B844] ; name送eax
00457DCE |. E8 FDFBFAFF call 004079D0 ; 得到字符串长度
00457DD3 |. 6BC0 02 imul eax, eax, 2 ; name长度*2送eax
00457DD6 |. 73 05 jnb short 00457DDD
00457DD8 |. E8 AFADFAFF call 00402B8C
00457DDD |> 33D2 xor edx, edx
00457DDF |. 52 push edx
00457DE0 |. 50 push eax
00457DE1 |. A1 40B84500 mov eax, [45B840]
00457DE6 |. 99 cdq
00457DE7 |. 030424 add eax, [esp]
00457DEA |. 135424 04 adc edx, [esp+4]
00457DEE |. 71 05 jno short 00457DF5
00457DF0 |. E8 97ADFAFF call 00402B8C
00457DF5 |> 83C4 08 add esp, 8
00457DF8 |. 50 push eax
00457DF9 |. C1F8 1F sar eax, 1F
00457DFC |. 3BC2 cmp eax, edx
00457DFE |. 58 pop eax
00457DFF |. 74 05 je short 00457E06
00457E01 |. E8 7EADFAFF call 00402B84
00457E06 |> A3 40B84500 mov [45B840], eax ; 新累加和存于[45B840]
00457E0B |. 8D55 E4 lea edx, [ebp-1C]
00457E0E |. A1 40B84500 mov eax, [45B840]
00457E13 |. E8 2CF9FAFF call 00407744 ; 把累加和转换成十进制,即成注册码
00457E18 |. 8B45 E4 mov eax, [ebp-1C]
00457E1B |. 50 push eax
00457E1C |. 8D55 FC lea edx, [ebp-4]
00457E1F |. 8B83 DC020000 mov eax, [ebx+2DC]
00457E25 |. E8 B6C0FCFF call 00423EE0
00457E2A |. 8B55 FC mov edx, [ebp-4]
00457E2D |. 58 pop eax
00457E2E |. E8 51BDFAFF call 00403B84
00457E33 |. 75 1A jnz short 00457E4F
00457E35 |. 6A 00 push 0
00457E37 |. B9 387F4500 mov ecx, 00457F38 ; congratz !
00457E3C |. BA 447F4500 mov edx, 00457F44 ; you cracked the cff crackme #4 ! please send your solution to acidbytes@gmx.net !
00457E41 |. A1 98A54500 mov eax, [45A598]
00457E46 |. 8B00 mov eax, [eax]
00457E48 |. E8 E382FEFF call 00440130
算法分析:
把NAME的前6位的每一位ASCII码值*2累加记为A,再把NAME的长度*2与A相加得B,把B转换成十进制即得注册码。
注册机比较简单,略。
初次写破文,有什么不妥之处,请各位指出。
|
|
