新CrackMe160之018 - CrackMe_0006
汇编写的,可以直接看OD源码:
00401000 /$ 55 push ebp ; sub_401000 - mod: eax = arg.1 % arg.2 (stdcall, 2 args)
00401001 |. 8BEC mov ebp,esp
00401003 |. 83C4 FC add esp,-0x4 ; one dword of local space, not referenced in this routine
00401006 |. 53 push ebx ; save callee-saved registers
00401007 |. 56 push esi ; (callee-saved)
00401008 |. 57 push edi ; (callee-saved)
00401009 |. 33D2 xor edx,edx ; high half of the dividend = 0, so edx:eax is never negative
0040100B |. 8B45 08 mov eax,[arg.1] ; dividend
0040100E |. 8B4D 0C mov ecx,[arg.2] ; divisor (the caller at 00401279 passes 0x10)
00401011 |. F7F9 idiv ecx ; signed divide edx:eax by ecx: quotient -> eax, remainder -> edx
00401013 |. 8BC2 mov eax,edx ; return the remainder
00401015 |. 5F pop edi ; restore callee-saved registers
00401016 |. 5E pop esi ; (callee-saved)
00401017 |. 5B pop ebx ; (callee-saved)
00401018 |. C9 leave
00401019 \. C2 0800 retn 0x8 ; callee cleans both arguments
0040101C /$ 55 push ebp ; sub_40101C - div: eax = arg.1 / arg.2 (stdcall, 2 args); same as sub_401000 but returns the quotient
0040101D |. 8BEC mov ebp,esp
0040101F |. 83C4 FC add esp,-0x4 ; one dword of local space, not referenced in this routine
00401022 |. 53 push ebx ; save callee-saved registers
00401023 |. 56 push esi ; (callee-saved)
00401024 |. 57 push edi ; (callee-saved)
00401025 |. 33D2 xor edx,edx ; high half of the dividend = 0, so edx:eax is never negative
00401027 |. 8B45 08 mov eax,[arg.1] ; dividend
0040102A |. 8B4D 0C mov ecx,[arg.2] ; divisor (the caller at 00401291 passes 4)
0040102D |. F7F9 idiv ecx ; quotient -> eax (returned), remainder -> edx (dropped)
0040102F |. 5F pop edi ; restore callee-saved registers
00401030 |. 5E pop esi ; (callee-saved)
00401031 |. 5B pop ebx ; (callee-saved)
00401032 |. C9 leave
00401033 \. C2 0800 retn 0x8 ; callee cleans both arguments
00401036 /$ 55 push ebp ; sub_401036 - hash of the NUL-terminated string at arg.1 (stdcall, 1 arg)
00401037 |. 8BEC mov ebp,esp
00401039 |. 8B75 08 mov esi,[arg.1] ; esi = string pointer (esi is not saved by this routine, so the caller's esi is clobbered)
0040103C |. FC cld ; clear the direction flag; no string instruction follows in this routine
0040103D |. 33D2 xor edx,edx ; edx = 0
0040103F |. B8 01000000 mov eax,0x1 ; running hash starts at 1
00401044 |> 0FB60E /movzx ecx,byte ptr ds:[esi] ; ecx = next byte, zero-extended (bytes >= 0x80 are not sign-extended)
00401047 |. 46 |inc esi ; advance to the next byte
00401048 |. 0BC9 |or ecx,ecx ; NUL terminator?
0040104A |. 74 06 |je short CrackMe_.00401052 ; end of string: result is in eax
0040104C |. F7E1 |mul ecx ; edx:eax = eax * ecx (unsigned 32x32 -> 64)
0040104E |. 03C2 |add eax,edx ; fold the high dword into the low one; a 32-bit carry here is discarded
00401050 |.^ EB F2 \jmp short CrackMe_.00401044 ; next character
00401052 |> C9 leave
00401053 \. C2 0400 retn 0x4 ; hash in eax; callee cleans the argument
00401056 /$ 55 push ebp ; sub_401056 - hypot: eax = round(sqrt(arg.1^2 + arg.2^2)) computed on the x87 (stdcall, 2 args)
00401057 |. 8BEC mov ebp,esp
00401059 |. 83C4 FC add esp,-0x4 ; [local.1] receives the integer result
0040105C |. 53 push ebx ; save callee-saved registers
0040105D |. 56 push esi ; (callee-saved)
0040105E |. 57 push edi ; (callee-saved)
0040105F |. 9B wait ; 9B DB E3 together is FINIT (the waiting form of FNINIT)
00401060 |. DBE3 finit ; reset the FPU: default control word (round-to-nearest), empty register stack
00401062 |. DB45 08 fild [arg.1] ; st0 = arg.1 read as a signed int32; the sign is irrelevant once squared
00401065 |. D9C0 fld st ; duplicate it
00401067 |. DEC9 fmulp st(1),st ; st0 = arg.1^2
00401069 |. DB45 0C fild [arg.2] ; st0 = arg.2 as signed int32, st1 = arg.1^2
0040106C |. D9C0 fld st ; duplicate it
0040106E |. DEC9 fmulp st(1),st ; st0 = arg.2^2
00401070 |. DEC1 faddp st(1),st ; st0 = arg.1^2 + arg.2^2
00401072 |. D9FA fsqrt ; st0 = sqrt(arg.1^2 + arg.2^2)
00401074 |. DB5D FC fistp [local.1] ; store as int32 using the FPU rounding mode (nearest, not truncation); a result outside int32 range stores the integer indefinite 0x80000000
00401077 |. 8B45 FC mov eax,[local.1] ; return the rounded integer
0040107A |. 5F pop edi ; restore callee-saved registers
0040107B |. 5E pop esi ; (callee-saved)
0040107C |. 5B pop ebx ; (callee-saved)
0040107D |. C9 leave
0040107E \. C2 0800 retn 0x8 ; callee cleans both arguments
00401081 /$ 55 push ebp ; sub_401081 - rol: eax = arg.1 rotated left by the low byte of arg.2 (stdcall, 2 args)
00401082 |. 8BEC mov ebp,esp
00401084 |. 53 push ebx ; save callee-saved registers
00401085 |. 56 push esi ; (callee-saved)
00401086 |. 57 push edi ; (callee-saved)
00401087 |. 8B45 08 mov eax,[arg.1] ; value to rotate
0040108A |. 8D55 0C lea edx,[arg.2] ; address of the count argument
0040108D |. 8A0A mov cl,byte ptr ds:[edx] ; count = low byte of arg.2 (callers pass 0xD and 1)
0040108F |. D3C0 rol eax,cl ; rotate, not shift: bit 31 wraps into bit 0 (the CPU takes the count mod 32)
00401091 |. 5F pop edi ; restore callee-saved registers
00401092 |. 5E pop esi ; (callee-saved)
00401093 |. 5B pop ebx ; (callee-saved)
00401094 |. C9 leave
00401095 \. C2 0800 retn 0x8 ; callee cleans both arguments
00401098 /$ 55 push ebp ; sub_401098 - shl: eax = arg.1 shifted left by the low byte of arg.2 (stdcall, 2 args)
00401099 |. 8BEC mov ebp,esp
0040109B |. 53 push ebx ; save callee-saved registers
0040109C |. 56 push esi ; (callee-saved)
0040109D |. 57 push edi ; (callee-saved)
0040109E |. 8B45 08 mov eax,[arg.1] ; value to shift
004010A1 |. 8D55 0C lea edx,[arg.2] ; address of the count argument
004010A4 |. 8A0A mov cl,byte ptr ds:[edx] ; count = low byte of arg.2 (both callers pass 5)
004010A6 |. D3E0 shl eax,cl ; logical shift: the high bits are lost (compare rol in sub_401081)
004010A8 |. 5F pop edi ; restore callee-saved registers
004010A9 |. 5E pop esi ; (callee-saved)
004010AA |. 5B pop ebx ; (callee-saved)
004010AB |. C9 leave
004010AC \. C2 0800 retn 0x8 ; callee cleans both arguments
004010AF /$ 55 push ebp ; sub_4010AF - add: eax = arg.1 + arg.2 (stdcall, 2 args)
004010B0 |. 8BEC mov ebp,esp
004010B2 |. 53 push ebx ; save callee-saved registers (pushed ebx, edi, esi; popped in reverse below)
004010B3 |. 57 push edi ; (callee-saved)
004010B4 |. 56 push esi ; (callee-saved)
004010B5 |. 8B45 08 mov eax,[arg.1] ; first operand
004010B8 |. 0345 0C add eax,[arg.2] ; 32-bit sum; a carry is discarded
004010BB |. 5E pop esi ; restore callee-saved registers
004010BC |. 5F pop edi ; (callee-saved)
004010BD |. 5B pop ebx ; (callee-saved)
004010BE |. C9 leave
004010BF \. C2 0800 retn 0x8 ; callee cleans both arguments
004010C2 /$ 55 push ebp ; sub_4010C2 - volume serial: eax = serial number of the volume whose root path is arg.1 (stdcall, 1 arg)
004010C3 |. 8BEC mov ebp,esp
004010C5 |. 81C4 F8FEFFFF add esp,-0x108 ; locals: 0x80-byte fs-name buffer, two dwords (flags, serial), 0x80-byte volume-name buffer
004010CB |. 53 push ebx ; save callee-saved registers
004010CC |. 57 push edi ; (callee-saved)
004010CD |. 56 push esi ; (callee-saved)
004010CE |. 68 80000000 push 0x80 ; /pFileSystemNameSize = 00000080
004010D3 |. 8D85 F8FEFFFF lea eax,[local.66] ; |
004010D9 |. 50 push eax ; |pFileSystemNameBuffer = 0019FFCC
004010DA |. 8D85 78FFFFFF lea eax,[local.34] ; |
004010E0 |. 50 push eax ; |pFileSystemFlags = 0019FFCC
004010E1 |. 68 FF000000 push 0xFF ; |pMaxFilenameLength = 000000FF - the constant 0xFF is passed where a pointer to a DWORD is expected; a bug in the CrackMe (whether the API tolerates it is not shown here)
004010E6 |. 8D85 7CFFFFFF lea eax,[local.33] ; |
004010EC |. 50 push eax ; |pVolumeSerialNumber = 0019FFCC - [local.33] receives the serial number
004010ED |. 68 80000000 push 0x80 ; |MaxVolumeNameSize = 80 (128.)
004010F2 |. 8D45 80 lea eax,[local.32] ; |
004010F5 |. 50 push eax ; |VolumeNameBuffer = 0019FFCC
004010F6 |. FF75 08 push [arg.1] ; |RootPathName = "" (callers pass "c:\" and "d:\")
004010F9 |. E8 22020000 call <jmp.&kernel32.GetVolumeInformation>; \GetVolumeInformationA
004010FE |. 8B85 7CFFFFFF mov eax,[local.33] ; return the serial; the API's BOOL result is never tested, so if the call failed (no such drive) this is whatever the stack held
00401104 |. 5E pop esi ; restore callee-saved registers
00401105 |. 5F pop edi ; (callee-saved)
00401106 |. 5B pop ebx ; (callee-saved)
00401107 |. C9 leave
00401108 \. C2 0400 retn 0x4 ; callee cleans the argument
0040110B >/$ 6A 00 push 0x0 ; /pModule = NULL ; program entry point
0040110D |. E8 08020000 call <jmp.&kernel32.GetModuleHandleA> ; \GetModuleHandleA - hInstance of this module
00401112 |. A3 00314000 mov dword ptr ds:[0x403100],eax ; hInstance kept in a global for the dialog code
00401117 |. E8 3A020000 call <jmp.&comctl32.InitCommonControls> ; [InitCommonControls
0040111C |. 6A 00 push 0x0 ; /lParam = NULL
0040111E |. 68 39114000 push CrackMe_.00401139 ; |DlgProc = CrackMe_.00401139 (the dialog procedure below)
00401123 |. 6A 00 push 0x0 ; |hOwner = NULL
00401125 |. 6A 65 push 0x65 ; |pTemplate = 0x65 (dialog resource id 101)
00401127 |. FF35 00314000 push dword ptr ds:[0x403100] ; |hInst = NULL (the hInstance saved above)
0040112D |. E8 FA010000 call <jmp.&user32.DialogBoxParamA> ; \DialogBoxParamA - modal main dialog; returns when DlgProc calls EndDialog
00401132 |. 6A 00 push 0x0 ; /ExitCode = 0x0
00401134 \. E8 DB010000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
00401139 /. 55 push ebp ; DlgProc(hWnd=arg.1, uMsg=arg.2, wParam=arg.3, lParam=arg.4) - the dialog procedure passed to DialogBoxParamA
0040113A |. 8BEC mov ebp,esp
0040113C |. 81C4 ECFEFFFF add esp,-0x114 ; locals: [local.1..5] scalars plus the 0x100-byte serial buffer at [local.69]
00401142 |. 8B45 0C mov eax,[arg.2] ; eax = uMsg
00401145 |. 3D 10010000 cmp eax,0x110 ; Switch (cases 10..111)
0040114A |. 75 38 jnz short CrackMe_.00401184
0040114C |. 6A 0A push 0xA ; /RsrcName = 10.; Case 110 (WM_INITDIALOG) of switch 00401145
0040114E |. FF35 00314000 push dword ptr ds:[0x403100] ; |hInst = NULL
00401154 |. E8 E5010000 call <jmp.&user32.LoadIconA> ; \LoadIconA
00401159 |. 50 push eax ; /lParam = 0x19FFCC (the icon handle)
0040115A |. 6A 0A push 0xA ; |wParam = 0xA
0040115C |. 68 80000000 push 0x80 ; |Message = WM_SETICON
00401161 |. FF75 08 push [arg.1] ; |hWnd = 0x225000
00401164 |. E8 E7010000 call <jmp.&user32.SendMessageA> ; \SendMessageA
00401169 |. 6A 00 push 0x0 ; /lParam = 0x0
0040116B |. 6A 64 push 0x64 ; |wParam = 0x64 - name field limited to 100 characters
0040116D |. 68 C5000000 push 0xC5 ; |Message = EM_LIMITTEXT
00401172 |. 68 EC030000 push 0x3EC ; |ControlID = 3EC (1004.) - the name edit control (read at 00401237)
00401177 |. FF75 08 push [arg.1] ; |hWnd = 00225000
0040117A |. E8 CB010000 call <jmp.&user32.SendDlgItemMessageA> ; \SendDlgItemMessageA
0040117F |. E9 87010000 jmp CrackMe_.0040130B ; return TRUE
00401184 |> 3D 11010000 cmp eax,0x111
00401189 |. 0F85 62010000 jnz CrackMe_.004012F1
0040118F |. 8B45 10 mov eax,[arg.3] ; Case 111 (WM_COMMAND) of switch 00401145: eax = wParam
00401192 |. 66:3D EF03 cmp ax,0x3EF ; low word = control id; 0x3EF closes the dialog
00401196 |. 75 0F jnz short CrackMe_.004011A7
00401198 |. 6A 00 push 0x0 ; /Result = 0x0
0040119A |. FF75 08 push [arg.1] ; |hWnd = 00225000
0040119D |. E8 90010000 call <jmp.&user32.EndDialog> ; \EndDialog
004011A2 |. E9 64010000 jmp CrackMe_.0040130B ; return TRUE
004011A7 |> 66:3D F003 cmp ax,0x3F0 ; 0x3F0: about box
004011AB |. 75 19 jnz short CrackMe_.004011C6
004011AD |. 6A 40 push 0x40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004011AF |. 68 D1204000 push CrackMe_.004020D1 ; |Title = "About this CrackMe Key Gen"
004011B4 |. 68 84204000 push CrackMe_.00402084 ; |Text = "This is my 6th CrackMe,and Programmed with Win32ASM.[HappyTown]"
004011B9 |. FF75 08 push [arg.1] ; |hOwner = 00225000
004011BC |. E8 83010000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004011C1 |. E9 45010000 jmp CrackMe_.0040130B ; return TRUE
004011C6 |> 66:3D EE03 cmp ax,0x3EE ; 0x3EE: the check button - serial verification starts here
004011CA |. 0F85 3B010000 jnz CrackMe_.0040130B ; any other control id: return TRUE
004011D0 |. 68 43204000 push CrackMe_.00402043 ; ASCII "c:\"
004011D5 |. E8 E8FEFFFF call CrackMe_.004010C2 ; sub_4010C2: volume serial of C:
004011DA |. 8945 FC mov [local.1],eax ; [local.1] = serial(C:)
004011DD |. 6A 05 push 0x5
004011DF |. FF75 FC push [local.1]
004011E2 |. E8 B1FEFFFF call CrackMe_.00401098 ; sub_401098: serial(C:) shl 5
004011E7 |. 6A 0D push 0xD
004011E9 |. 50 push eax
004011EA |. E8 92FEFFFF call CrackMe_.00401081 ; sub_401081: rol 13 - the result stays in eax only and is overwritten by the call at 004011F4, so this shl/rol pair has no effect
004011EF |. 68 47204000 push CrackMe_.00402047 ; ASCII "d:\"
004011F4 |. E8 C9FEFFFF call CrackMe_.004010C2 ; sub_4010C2: volume serial of D:
004011F9 |. 8945 F8 mov [local.2],eax ; [local.2] = serial(D:)
004011FC |. FF75 F8 push [local.2]
004011FF |. FF75 FC push [local.1]
00401202 |. E8 A8FEFFFF call CrackMe_.004010AF ; sub_4010AF: serial(C:) + serial(D:)
00401207 |. 6A 05 push 0x5
00401209 |. 50 push eax
0040120A |. E8 89FEFFFF call CrackMe_.00401098 ; shl 5
0040120F |. 6A 0D push 0xD
00401211 |. 50 push eax
00401212 |. E8 6AFEFFFF call CrackMe_.00401081 ; rol 13 - again left in eax and discarded by the call at 0040121D
00401217 |. FF75 F8 push [local.2]
0040121A |. FF75 FC push [local.1]
0040121D |. E8 34FEFFFF call CrackMe_.00401056 ; sub_401056: round(sqrt(serial(C:)^2 + serial(D:)^2))
00401222 |. 8945 F0 mov [local.4],eax ; [local.4] = the machine-dependent part of the key
00401225 |. 68 80000000 push 0x80 ; /Count = 80 (128.)
0040122A |. 68 04314000 push CrackMe_.00403104 ; |Buffer = CrackMe_.00403104 (global buffer for the name)
0040122F |. 68 EC030000 push 0x3EC ; |ControlID = 3EC (1004.) - name field
00401234 |. FF75 08 push [arg.1] ; |hWnd = 00225000
00401237 |. E8 FC000000 call <jmp.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
0040123C |. 8945 F4 mov [local.3],eax ; [local.3] = name length
0040123F |. 837D F4 04 cmp [local.3],0x4 ; names shorter than 4 characters are ignored
00401243 |. 73 04 jnb short CrackMe_.00401249
00401245 |. C9 leave ; too short: return without any message
00401246 |. C2 1000 retn 0x10
00401249 |> 68 04314000 push CrackMe_.00403104
0040124E |. E8 E3FDFFFF call CrackMe_.00401036 ; sub_401036: hash(name)
00401253 |. 6A 01 push 0x1
00401255 |. 50 push eax
00401256 |. E8 26FEFFFF call CrackMe_.00401081 ; rol(hash, 1) - a rotate: bit 31 of the hash lands in bit 0
0040125B |. 0B45 F0 or eax,[local.4] ; OR in the hypot value
0040125E |. 25 FFFFFF0F and eax,0xFFFFFFF ; keep the low 28 bits
00401263 |. 8945 EC mov [local.5],eax ; [local.5] = value to encode
00401266 |. 33C9 xor ecx,ecx ; ecx = 0
00401268 |. 33D2 xor edx,edx ; edx = 0
0040126A |. 8D35 00304000 lea esi,dword ptr ds:[0x403000] ; esi = output buffer for the computed serial
00401270 |. 8B45 EC mov eax,[local.5]
00401273 |> 8945 EC /mov [local.5],eax ; loop: eax = remaining value
00401276 |. 6A 10 |push 0x10
00401278 |. 50 |push eax
00401279 |. E8 82FDFFFF |call CrackMe_.00401000 ; sub_401000: value % 16
0040127E |. 8BC8 |mov ecx,eax ; ecx = digit index
00401280 |. 8D3D 73204000 |lea edi,dword ptr ds:[0x402073] ; edi = alphabet "071362de9f8ab45c" (reloaded on every iteration)
00401286 |. 8A0439 |mov al,byte ptr ds:[ecx+edi] ; al = alphabet[index]
00401289 |. 8806 |mov byte ptr ds:[esi],al ; append to the output buffer
0040128B |. 8B45 EC |mov eax,[local.5]
0040128E |. 6A 04 |push 0x4
00401290 |. 50 |push eax
00401291 |. E8 86FDFFFF |call CrackMe_.0040101C ; sub_40101C: value / 4
00401296 |. 8945 EC |mov [local.5],eax
00401299 |. 0BC0 |or eax,eax ; stop once the value reaches 0; the test comes after the store, so this is a do/while
0040129B |. 74 04 |je short CrackMe_.004012A1
0040129D |. 46 |inc esi ; next output position
0040129E |. 47 |inc edi ; no effect: edi is reloaded at 00401280 on the next iteration
0040129F |.^ EB D2 \jmp short CrackMe_.00401273
004012A1 |> 68 00010000 push 0x100 ; /Count = 100 (256.)
004012A6 |. 8D85 ECFEFFFF lea eax,[local.69] ; |
004012AC |. 50 push eax ; |Buffer = 0019FFCC (the serial the user typed)
004012AD |. 68 ED030000 push 0x3ED ; |ControlID = 3ED (1005.) - serial field
004012B2 |. FF75 08 push [arg.1] ; |hWnd = 00225000
004012B5 |. E8 7E000000 call <jmp.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
004012BA |. 0BC0 or eax,eax ; empty serial field?
004012BC |. 75 04 jnz short CrackMe_.004012C2
004012BE |. C9 leave ; empty: return without any message
004012BF |. C2 1000 retn 0x10
004012C2 |> 68 00304000 push CrackMe_.00403000 ; /String2 = "" ;;; the computed serial
004012C7 |. 8D85 ECFEFFFF lea eax,[local.69] ; |
004012CD |. 50 push eax ; |String1 = "?" ;;; the serial the user entered
004012CE |. E8 53000000 call <jmp.&kernel32.lstrcmpA> ; \lstrcmpA - case-sensitive compare, 0 means equal
004012D3 |. 0BC0 or eax,eax
004012D5 |. 75 18 jnz short CrackMe_.004012EF ; mismatch: no message, return TRUE
004012D7 |. 6A 40 push 0x40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004012D9 |. 68 08214000 push CrackMe_.00402108 ; |Title = "Congratulations"
004012DE |. 68 F9204000 push CrackMe_.004020F9 ; |Text = "GOOD JOB, MAN!"
004012E3 |. FF75 08 push [arg.1] ; |hOwner = 00225000
004012E6 |. E8 59000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
004012EB |. C9 leave ; returns MessageBoxA's result in eax
004012EC |. C2 1000 retn 0x10
004012EF |> EB 1A jmp short CrackMe_.0040130B
004012F1 |> 83F8 10 cmp eax,0x10
004012F4 |. 75 0C jnz short CrackMe_.00401302
004012F6 |. 6A 00 push 0x0 ; /Result = 0x0; Case 10 (WM_CLOSE) of switch 00401145
004012F8 |. FF75 08 push [arg.1] ; |hWnd = 00225000
004012FB |. E8 32000000 call <jmp.&user32.EndDialog> ; \EndDialog
00401300 |. EB 09 jmp short CrackMe_.0040130B
00401302 |> B8 00000000 mov eax,0x0 ; Default case of switch 00401145: return FALSE (message not handled)
00401307 |. C9 leave
00401308 |. C2 1000 retn 0x10
0040130B |> B8 01000000 mov eax,0x1 ; common exit: return TRUE
00401310 |. C9 leave
00401311 \. C2 1000 retn 0x10 ; callee cleans the four DlgProc arguments
00401314 .- FF25 14204000 jmp dword ptr ds:[<&kernel32.ExitProcess>; kernel32.ExitProcess - import thunks: each entry jumps through its IAT slot
0040131A $- FF25 10204000 jmp dword ptr ds:[<&kernel32.GetModuleHa>; kernel32.GetModuleHandleA
00401320 $- FF25 0C204000 jmp dword ptr ds:[<&kernel32.GetVolumeIn>; kernel32.GetVolumeInformationA
00401326 $- FF25 08204000 jmp dword ptr ds:[<&kernel32.lstrcmpA>] ; kernel32.lstrcmpA
0040132C $- FF25 20204000 jmp dword ptr ds:[<&user32.DialogBoxPara>; user32.DialogBoxParamA
00401332 $- FF25 1C204000 jmp dword ptr ds:[<&user32.EndDialog>] ; user32.EndDialog
00401338 $- FF25 34204000 jmp dword ptr ds:[<&user32.GetDlgItemTex>; user32.GetDlgItemTextA
0040133E $- FF25 24204000 jmp dword ptr ds:[<&user32.LoadIconA>] ; user32.LoadIconA
00401344 $- FF25 28204000 jmp dword ptr ds:[<&user32.MessageBoxA>] ; user32.MessageBoxA
0040134A $- FF25 2C204000 jmp dword ptr ds:[<&user32.SendDlgItemMe>; user32.SendDlgItemMessageA
00401350 $- FF25 30204000 jmp dword ptr ds:[<&user32.SendMessageA>>; user32.SendMessageA
00401356 $- FF25 00204000 jmp dword ptr ds:[<&comctl32.InitCommonC>; comctl32.InitCommonControls
0040135C 00 db 00 ; padding after the thunk table
300多行,也不是很多,按钮事件一下就能找到,就在程序最后面,004012CE处可以追码,下个断点,随便输入用户名系列号,此处可得到正确的系列号
我们是要分析算法,不是为了追码,所以,在方法入口下好断点,F8单步跟踪算法:
1). 将每一位相乘,溢出部分加到个位
2). 结果rlt循环左移一位(00401081处是rol eax,cl,不是shl,最高位会回到最低位)
3). rlt = rlt or [local4]
4). rlt = rlt and 0xFFFFFFF
5). 循环: 取rlt mod 0x10的余数作为下标,在固定串"071362de9f8ab45c"中取一个字符,然后rlt除以4,直到rlt为0
其中[local4]又是上一个方法赋值的[00401222]处,我们需要继续分析这个值怎么来的
1). 取C盘系列号num1 //这里有个疑问,没有C,D盘的程序会怎样呢? (从004010FE看,GetVolumeInformation的返回值没有检查,调用失败时取到的是[local.33]里栈上的残留值)
2). 取D盘系列号num2
3). num1²+num2²再开根,就是求直角三角形的斜边,得到[local4]
到此算法分析完成,中间作者加了一些无用的算法(结果没有被使用),下面是注册机代码:
#include <math.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>
DWORD myGetVolumeInformation(char *vol);
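/* Alphabet the CrackMe indexes with (value mod 16); copied from 00402073. */
static const char SERIAL_ALPHABET[] = "071362de9f8ab45c";

/*
 * Mirror of sub_401036: eax = 1; for each byte c of the NUL-terminated name,
 * edx:eax = eax * c (unsigned 32x32 -> 64 bit mul) and eax += edx with the
 * 32-bit carry discarded.  The CrackMe loads bytes with movzx, so they are
 * read here as unsigned char (bytes >= 0x80 must not be sign-extended).
 *
 * name: NUL-terminated user name.
 * Returns the 32-bit hash.
 */
static unsigned int hash_name(const char *name)
{
    unsigned int h = 1;
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++) {
        unsigned long long prod = (unsigned long long)h * *p;
        /* add eax,edx is a 32-bit add: fold the high dword in and drop the carry. */
        h = (unsigned int)(((prod & 0xFFFFFFFFull) + (prod >> 32)) & 0xFFFFFFFFull);
    }
    return h;
}

/*
 * Mirror of sub_401056: fild/fmul/faddp/fsqrt/fistp, i.e. sqrt(a*a + b*b)
 * stored as an int32 with the FPU's rounding mode.  After finit that mode is
 * round-to-nearest, so the result is rounded, not truncated.  fild reads the
 * DWORD as a signed int32, but squaring removes the sign, so the unsigned
 * value can be used directly.  The x87 keeps 80-bit intermediates; with
 * double here the rounded result can only differ when sqrt lands within a few
 * ulp of a .5 boundary (the page notes the integer part is unaffected in
 * practice).
 *
 * a, b: the two volume serial numbers.
 * Returns the rounded hypotenuse; 0x80000000 when it does not fit an int32,
 * which is what fistp stores for an out-of-range value.
 */
static unsigned int hypot_serial(unsigned int a, unsigned int b)
{
    double r = nearbyint(hypot((double)a, (double)b));
    if (r > 2147483647.0) {
        return 0x80000000u;
    }
    return (unsigned int)r;
}

/*
 * Mirror of the loop at 00401273..0040129F: emit alphabet[v mod 16], then
 * v /= 4, until v is 0.  The CrackMe's loop tests after the store (do/while),
 * so v == 0 still produces the single character '0'.
 *
 * v:   the 28-bit value to encode.
 * out: receives the NUL-terminated serial; v < 2^28 yields at most 14
 *      characters, so 15 bytes suffice.
 */
static void emit_serial(unsigned int v, char *out)
{
    size_t j = 0;
    do {
        out[j++] = SERIAL_ALPHABET[v % 16];
        v /= 4;
    } while (v != 0);
    out[j] = '\0';
}

/*
 * Keygen entry point: read a user name from stdin, fetch the C: and D: volume
 * serials, and print the serial the CrackMe's check at 004012CE expects.
 * Returns 0 on success, 1 on missing input or a name the CrackMe would ignore.
 */
int main(void) {
    /* The CrackMe caps the name field at 100 characters (EM_LIMITTEXT 0x64 at
     * 0040116B) and reads at most 0x80 bytes; 130 covers that plus the newline. */
    char user[130] = {0};
    char code[32] = {0};

    printf("用户名: ");
    if (fgets(user, sizeof(user), stdin) == NULL) {
        return 1;
    }
    /* Strip the newline fgets keeps, without assuming one is present: the old
     * len-1 dropped a real character when input ended without a newline. */
    user[strcspn(user, "\r\n")] = '\0';

    /* The dialog procedure returns without checking names shorter than 4
     * characters (cmp [local.3],0x4 at 0040123F), so no serial is valid for them. */
    if (strlen(user) < 4) {
        printf("用户名至少需要4个字符\n");
        return 1;
    }

    DWORD sc = myGetVolumeInformation("C:\\");
    DWORD sd = myGetVolumeInformation("D:\\");
    unsigned int s4 = hypot_serial(sc, sd);

    unsigned int rlt = hash_name(user);
    /* sub_401081 is called with count 1: a rotate (rol eax,1), not a shift, so
     * bit 31 of the hash wraps into bit 0. */
    rlt = (rlt << 1) | (rlt >> 31);
    rlt |= s4;
    rlt &= 0xFFFFFFF;
    emit_serial(rlt, code);

    printf("系列号: %s\r\n", code);
    getchar();
    return 0;
}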
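/*
 * Read the volume serial number of the volume mounted at vol (e.g. "C:\\"),
 * the value sub_4010C2 in the CrackMe returns from [local.33].
 *
 * vol: root path of the volume, with a trailing backslash.
 * Returns the serial number, or 0 (with a message on stderr) when
 * GetVolumeInformationA fails, e.g. because the drive letter does not exist.
 * The CrackMe itself never tests the API result in that case, so the serial
 * it computes on such a machine cannot be reproduced reliably.
 */
DWORD myGetVolumeInformation(char *vol){
    DWORD serialNumber = 0;
    DWORD maximumComponentLength = 0;
    DWORD fileSystemFlags = 0;
    char volumeNameBuffer[MAX_PATH + 1] = {0};
    char fileSystemNameBuffer[MAX_PATH + 1] = {0};

    BOOL ok = GetVolumeInformationA(
        vol,                          /* root path of the volume */
        volumeNameBuffer,             /* volume label (not used by the keygen) */
        sizeof(volumeNameBuffer),     /* size of the label buffer */
        &serialNumber,                /* the value we need */
        &maximumComponentLength,      /* not used by the keygen */
        &fileSystemFlags,             /* not used by the keygen */
        fileSystemNameBuffer,         /* not used by the keygen */
        sizeof(fileSystemNameBuffer)  /* size of the file-system name buffer */
    );
    if (!ok) {
        /* Report instead of silently returning 0: a missing drive makes the
         * generated serial meaningless for the CrackMe's own check. */
        fprintf(stderr, "GetVolumeInformationA(%s) failed, error %lu\n",
                vol, (unsigned long)GetLastError());
        return 0;
    }
    return serialNumber;
}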
运行示例:
用户名: abcde
系列号: e4ef5ca5cc3bc3
使用的工具链接(工具有点多有点大,可以先下OD,其它的后面慢慢下) 点击前往下载
下面是我的OD的界面布局,我觉得这4个是最常用的界面,其它的我基本上没用到~