新CrackMe160之052 - tc.2
与旧版140相同
Delphi的程序, 使用IDR查看源码, keyfile按钮事件:
Unit1_real::TForm1.Button1Click
; Keyfile button handler (ebx = Self). Opens a file via OpenDialog1, reads its FIRST line into the
; global AnsiString gvar_0042A6EC, compares it with the fixed literal 'Runtime Error: 12FF:024' and
; records the result in the global state word gvar_0042A6E8 (2 = accepted, 1 = rejected).
; Edit1/Edit2/Button2 are enabled only if Length(first line)+7 = 1Eh (i.e. 23 chars, the length of
; that literal) AND the state word is 2. Button2Click re-checks both globals, so the gate lives there too.
; Nothing here is tied to the machine or a user name: any file whose first line is that literal passes.
00427D40 push ebp
00427D41 mov ebp,esp
00427D43 add esp,0FFFFFE30 ; locals: [ebp-1D0] filename string, [ebp-1CC] TextFile record
00427D49 push ebx
00427D4A push esi
00427D4B push edi
00427D4C xor ecx,ecx
00427D4E mov dword ptr [ebp-1D0],ecx ; filename := ''
00427D54 mov ebx,eax ; ebx := Self (TForm1)
00427D56 xor eax,eax
00427D58 push ebp
00427D59 push 427EB8 ; try..finally frame; handler at 00427EB8
00427D5E push dword ptr fs:[eax]
00427D61 mov dword ptr fs:[eax],esp
00427D64 mov eax,dword ptr [ebx+1E4]; TForm1.OpenDialog1:TOpenDialog
00427D6A mov edx,dword ptr [eax]
00427D6C call dword ptr [edx+34]; TOpenDialog.Execute
00427D6F test al,al
>00427D71 je 00427E9F ; dialog cancelled -> leave, globals untouched
00427D77 lea edx,[ebp-1D0]
00427D7D mov eax,dword ptr [ebx+1E4]; TForm1.OpenDialog1:TOpenDialog
00427D83 call TOpenDialog.GetFileName ; filename := OpenDialog1.FileName
00427D88 mov edx,dword ptr [ebp-1D0]
00427D8E lea eax,[ebp-1CC]
00427D94 call @Assign ; AssignFile(f, filename)
00427D99 lea eax,[ebp-1CC]
00427D9F call @ResetText ; Reset(f): open for reading
00427DA4 call @_IOTest ; raises EInOutError on failure (e.g. unreadable file)
00427DA9 mov edx,42A6EC; gvar_0042A6EC:AnsiString
00427DAE lea eax,[ebp-1CC]
00427DB4 call @ReadLString ; ReadLn(f, gvar_0042A6EC): only the first line is read
00427DB9 lea eax,[ebp-1CC]
00427DBF call @ReadLn
00427DC4 call @_IOTest
00427DC9 lea eax,[ebp-1CC]
00427DCF call @Close ; CloseFile(f)
00427DD4 call @_IOTest
00427DD9 mov eax,[0042A6EC]; gvar_0042A6EC:AnsiString
00427DDE mov edx,427ED0; 'Runtime Error: 12FF:024' ; fixed literal: the expected keyfile line (23 chars)
00427DE3 call @LStrCmp ; key comparison: first line = literal?
>00427DE8 jne 00427DF6
00427DEA mov dword ptr ds:[42A6E8],2; gvar_0042A6E8 ; state := 2 (keyfile accepted)
>00427DF4 jmp 00427E5D
00427DF6 mov dword ptr ds:[42A6E8],1; gvar_0042A6E8 ; state := 1 (rejected)
00427E00 push 0
00427E02 push 427EE8; 'Error'
00427E07 push 427EF0; 'Invalid Keyfile'
00427E0C mov eax,[00429938]; ^Application:TApplication
00427E11 mov eax,dword ptr [eax]
00427E13 mov eax,dword ptr [eax+24]; TApplication.?f24:Integer ; presumably Application.Handle - confirm
00427E16 push eax
00427E17 call user32.MessageBoxA ; MessageBox(hWnd, 'Invalid Keyfile', 'Error', 0)
00427E1C xor edx,edx
00427E1E mov eax,dword ptr [ebx+1E8]; TForm1.Edit1:TEdit
00427E24 call TForm.SetEnabled ; Edit1.Enabled := False
00427E29 xor edx,edx
00427E2B mov eax,dword ptr [ebx+1EC]; TForm1.Edit2:TEdit
00427E31 call TForm.SetEnabled ; Edit2.Enabled := False
00427E36 xor edx,edx
00427E38 mov eax,dword ptr [ebx+1E0]; TForm1.Button2:TButton
00427E3E call TForm.SetEnabled ; Button2.Enabled := False
00427E43 xor edx,edx
00427E45 mov eax,dword ptr [ebx+1E8]; TForm1.Edit1:TEdit
00427E4B call TControl.SetText ; Edit1.Text := ''
00427E50 xor edx,edx
00427E52 mov eax,dword ptr [ebx+1EC]; TForm1.Edit2:TEdit
00427E58 call TControl.SetText ; Edit2.Text := ''
00427E5D mov eax,[0042A6EC]; gvar_0042A6EC:AnsiString ; both paths continue here
00427E62 call @LStrLen
00427E67 add eax,7
00427E6A cmp eax,1E ; Length(line)+7 = 30 <=> Length(line) = 23
>00427E6D jne 00427E9F
00427E6F cmp dword ptr ds:[42A6E8],2; gvar_0042A6E8 ; and state = 2 (never true on the rejected path)
>00427E76 jne 00427E9F
00427E78 mov dl,1
00427E7A mov eax,dword ptr [ebx+1E8]; TForm1.Edit1:TEdit
00427E80 call TForm.SetEnabled ; Edit1.Enabled := True
00427E85 mov dl,1
00427E87 mov eax,dword ptr [ebx+1EC]; TForm1.Edit2:TEdit
00427E8D call TForm.SetEnabled ; Edit2.Enabled := True
00427E92 mov dl,1
00427E94 mov eax,dword ptr [ebx+1E0]; TForm1.Button2:TButton
00427E9A call TForm.SetEnabled ; Button2.Enabled := True
00427E9F xor eax,eax ; finally: unlink the frame, free the filename string
00427EA1 pop edx
00427EA2 pop ecx
00427EA3 pop ecx
00427EA4 mov dword ptr fs:[eax],edx
00427EA7 push 427EBF
00427EAC lea eax,[ebp-1D0]
00427EB2 call @LStrClr
00427EB7 ret
<00427EB8 jmp @HandleFinally ; exception path runs the same cleanup
<00427EBD jmp 00427EAC
00427EBF pop edi
00427EC0 pop esi
00427EC1 pop ebx
00427EC2 mov esp,ebp
00427EC4 pop ebp
00427EC5 ret
所以 keyfile 文件 (文件名任意, 通过 OpenDialog 选择) 的第一行必须正好是: Runtime Error: 12FF:024 — 这一串恰好 23 个字符, 而 00427E62~00427E6D 处要求 Length+7 = 0x1E 即长度为 23, 00427E6F 处还要求 gvar_0042A6E8 = 2; 这两个条件在 Button2Click 开头会再检查一次, 所以只 patch 这里的一处跳转是不够的.
验证完keyfile后, 输入框可用了, Register按钮也亮起来了, 我们继续看注册事件:
Unit1_real::TForm1.Button2Click
; Register button handler (edi = Self). Re-checks the two keyfile globals, then derives the expected
; serial from Edit1 (the name) and compares it with Edit2. Algorithm as implemented below:
;   - copy the name into a local array of 32 string slots, one character per slot;
;   - write the slots one per line to the text file '666' (relative path, i.e. the process's current
;     directory; Rewrite truncates any existing file of that name), close, reopen and read it back;
;   - per line: bl := bl - c + i (8-bit; i = 1-based line counter, low byte only); si := si + bl (16-bit);
;   - while si < 438Dh do si := si + 45E6h; s := IntToStr(si); Insert('-', s, 3); Insert('-', s, 5);
;   - Erase the temp file; compare Edit2.Text with s.
; Nothing visible caps the name length against the 32 slots (see the note at 00427FC4).
00427F00 push ebp
00427F01 mov ebp,esp
00427F03 add esp,0FFFFFBD0 ; locals: [ebp-430] Edit text, [ebp-42C] input TextFile, [ebp-260] output TextFile,
; [ebp-94] array of 32 strings, [ebp-14] line counter, [ebp-0D] current char, [ebp-0C] serial string,
; [ebp-8] temp string, [ebp-4] copy index
00427F09 push ebx
00427F0A push esi
00427F0B push edi
00427F0C xor ecx,ecx
00427F0E mov dword ptr [ebp-430],ecx
00427F14 mov dword ptr [ebp-8],ecx
00427F17 mov dword ptr [ebp-0C],ecx
00427F1A mov edi,eax ; edi := Self (TForm1)
00427F1C mov ecx,20 ; 32 slots
00427F21 lea eax,[ebp-94]
00427F27 mov edx,dword ptr ds:[40107C]; String
00427F2D call @InitializeArray ; slots[1..32] := ''
00427F32 xor eax,eax
00427F34 push ebp
00427F35 push 4281E0 ; try..finally frame; handler at 004281E0
00427F3A push dword ptr fs:[eax]
00427F3D mov dword ptr fs:[eax],esp
00427F40 mov eax,[0042A6EC]; gvar_0042A6EC:AnsiString
00427F45 call @LStrLen
00427F4A add eax,7
00427F4D cmp eax,1E ; same gate as Button1Click: keyfile line length = 23 ...
>00427F50 jne 004281A4
00427F56 cmp dword ptr ds:[42A6E8],2; gvar_0042A6E8 ; ... and state = 2, otherwise leave silently
>00427F5D jne 004281A4
00427F63 mov eax,dword ptr [edi+1E8]; TForm1.Edit1:TEdit
00427F69 mov dl,1
00427F6B call TForm.SetEnabled ; Edit1.Enabled := True
00427F70 mov eax,dword ptr [edi+1EC]; TForm1.Edit2:TEdit
00427F76 mov dl,1
00427F78 call TForm.SetEnabled ; Edit2.Enabled := True
00427F7D lea edx,[ebp-430]
00427F83 mov eax,dword ptr [edi+1E8]; TForm1.Edit1:TEdit
00427F89 call TControl.GetText ; name := Edit1.Text
00427F8E cmp dword ptr [ebp-430],0
>00427F95 je 004281A4 ; empty name -> leave without any message
00427F9B lea edx,[ebp-430]
00427FA1 mov eax,dword ptr [edi+1E8]; TForm1.Edit1:TEdit
00427FA7 call TControl.GetText
00427FAC mov eax,dword ptr [ebp-430]
00427FB2 call @LStrLen
00427FB7 mov esi,eax ; esi := Length(name) (loop count)
00427FB9 test esi,esi
>00427FBB jle 00428005
00427FBD mov dword ptr [ebp-4],1 ; i := 1
00427FC4 lea ebx,[ebp-94] ; ebx -> slots[1]; advances 4 bytes per character with no check against the
; 32 slots, so a name longer than 32 characters appears to write past the array (slot 33 would land on
; [ebp-14]) - a defect in the target, not something a keygen should rely on
00427FCA lea eax,[ebp-8]
00427FCD push eax
00427FCE lea edx,[ebp-430]
00427FD4 mov eax,dword ptr [edi+1E8]; TForm1.Edit1:TEdit
00427FDA call TControl.GetText ; re-reads Edit1.Text on every iteration
00427FDF mov eax,dword ptr [ebp-430]
00427FE5 mov ecx,1
00427FEA mov edx,dword ptr [ebp-4]
00427FED call @LStrCopy ; tmp := Copy(name, i, 1)
00427FF2 mov eax,ebx
00427FF4 mov edx,dword ptr [ebp-8]
00427FF7 call @LStrAsg ; slots[i] := tmp
00427FFC inc dword ptr [ebp-4]
00427FFF add ebx,4
00428002 dec esi
<00428003 jne 00427FCA
00428005 mov edx,4281F8; '666' ; temp file name, relative to the current directory
0042800A lea eax,[ebp-260]
00428010 call @Assign ; AssignFile(fout, '666')
00428015 lea eax,[ebp-260]
0042801B call @RewritText ; Rewrite(fout): creates or truncates '666'
00428020 call @_IOTest ; raises on failure (e.g. directory not writable)
00428025 lea edx,[ebp-430]
0042802B mov eax,dword ptr [edi+1E8]; TForm1.Edit1:TEdit
00428031 call TControl.GetText
00428036 mov eax,dword ptr [ebp-430]
0042803C call @LStrLen
00428041 mov esi,eax ; esi := Length(name) again
00428043 test esi,esi
>00428045 jle 0042806A
00428047 lea ebx,[ebp-94]
0042804D mov edx,dword ptr [ebx] ; slots[k] (a 1-char string)
0042804F lea eax,[ebp-260]
00428055 call @Write0Bool ; IDR label; the argument is the string slot, so this is most likely a string Write - confirm
0042805A call @WriteLn ; one character per line
0042805F call @_IOTest
00428064 add ebx,4
00428067 dec esi
<00428068 jne 0042804D
0042806A lea eax,[ebp-260]
00428070 call @Close ; CloseFile(fout)
00428075 call @_IOTest
0042807A xor ebx,ebx ; bl := 0 (8-bit accumulator)
0042807C xor esi,esi ; si := 0 (16-bit accumulator)
0042807E mov edx,4281F8; '666'
00428083 lea eax,[ebp-42C]
00428089 call @Assign ; AssignFile(fin, '666')
0042808E lea eax,[ebp-42C]
00428094 call @ResetText ; Reset(fin)
00428099 call @_IOTest
0042809E xor eax,eax
004280A0 mov dword ptr [ebp-14],eax ; i := 0
004280A3 inc dword ptr [ebp-14] ; loop start (repeat ... until Eof): i := i + 1 - the core algorithm
004280A6 lea eax,[ebp-42C]
004280AC call @ReadChar ; c := first char of the current line
004280B1 mov byte ptr [ebp-0D],al
004280B4 lea eax,[ebp-42C]
004280BA call @ReadLn ; skip the rest of the line
004280BF call @_IOTest
004280C4 mov al,byte ptr [ebp-0D] ; al := c
004280C7 sub bl,al ; bl := bl - c (8-bit wrap)
004280C9 add bl,byte ptr [ebp-14] ; bl := bl + i (only the low byte of the counter)
004280CC xor eax,eax
004280CE mov al,bl ; ax := bl zero-extended
004280D0 add si,ax ; si := si + bl (16-bit wrap)
004280D3 lea eax,[ebp-42C]
004280D9 call @EofText
004280DE call @_IOTest
004280E3 test al,al
<004280E5 je 004280A3 ; loop end: until Eof(fin)
004280E7 lea eax,[ebp-42C]
004280ED call @Close ; CloseFile(fin)
004280F2 call @_IOTest
004280F7 lea eax,[ebp-42C]
004280FD call @Erase ; Erase(fin): delete the temp file
00428102 call @_IOTest
00428107 cmp si,438D ; while si < 438Dh do si := si + 45E6h (16-bit compare/add)
>0042810C jae 0042811A
0042810E add si,45E6
00428113 cmp si,438D
<00428118 jb 0042810E
0042811A lea edx,[ebp-0C]
0042811D movzx eax,si
00428120 call IntToStr ; s := IntToStr(Word(si))
00428125 lea edx,[ebp-0C]
00428128 mov ecx,3
0042812D mov eax,428204; '-' ; Insert('-', s, 3): dash before the 3rd character
00428132 call @LStrInsert
00428137 lea edx,[ebp-0C]
0042813A mov ecx,5
0042813F mov eax,428204; '-' ; Insert('-', s, 5): dash before the 5th character of the already-modified string
00428144 call @LStrInsert
00428149 lea edx,[ebp-430]
0042814F mov eax,dword ptr [edi+1EC]; TForm1.Edit2:TEdit
00428155 call TControl.GetText ; entered := Edit2.Text
0042815A mov eax,dword ptr [ebp-430]
00428160 mov edx,dword ptr [ebp-0C]
00428163 call @LStrCmp ; exact comparison of the entered serial with s
>00428168 jne 00428188
0042816A push 0
0042816C push 428208; 'Gratulations'
00428171 push 428218; 'Well Done! Try the next CrackMe.'
00428176 mov eax,[00429938]; ^Application:TApplication
0042817B mov eax,dword ptr [eax]
0042817D mov eax,dword ptr [eax+24]; TApplication.?f24:Integer
00428180 push eax
00428181 call user32.MessageBoxA ; success message
>00428186 jmp 004281A4
00428188 push 0
0042818A push 42823C; 'No way'
0042818F push 428244; 'Wrong entry! Try again.'
00428194 mov eax,[00429938]; ^Application:TApplication
00428199 mov eax,dword ptr [eax]
0042819B mov eax,dword ptr [eax+24]; TApplication.?f24:Integer
0042819E push eax
0042819F call user32.MessageBoxA ; failure message
004281A4 xor eax,eax ; finally: unlink the frame, free the strings and the slot array
004281A6 pop edx
004281A7 pop ecx
004281A8 pop ecx
004281A9 mov dword ptr fs:[eax],edx
004281AC push 4281E7
004281B1 lea eax,[ebp-430]
004281B7 call @LStrClr
004281BC lea eax,[ebp-94]
004281C2 mov ecx,20
004281C7 mov edx,dword ptr ds:[40107C]; String
004281CD call @FinalizeArray ; release the 32 slots
004281D2 lea eax,[ebp-0C]
004281D5 mov edx,2
004281DA call @LStrArrayClr ; release [ebp-0C] and [ebp-8]
004281DF ret
<004281E0 jmp @HandleFinally ; exception path runs the same cleanup
<004281E5 jmp 004281B1
004281E7 pop edi
004281E8 pop esi
004281E9 pop ebx
004281EA mov esp,ebp
004281EC pop ebp
004281ED ret
算法分析完了, 这个没办法口算只能写注册机了. 注意两点: 程序会把用户名逐字符写入当前目录下名为 '666' 的临时文件再逐行读回 (最后 @Erase 删掉), 注册机只需复现其中的 8 位 (bl) / 16 位 (si) 寄存器运算即可; 另外 00427F1C 处只初始化了 32 个 string 槽位而复制循环没有上限检查, 用户名长度不要超过 32 个字符:
#include <stdio.h>
#include <string.h>
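#define MAX_NAME 32 /* the target initializes 32 string slots for the name (InitializeArray, ecx=20h);
                       longer names appear to overrun that array, so the keygen refuses them */

/*
 * compute_serial - derive the serial the crackme expects for `user`.
 *
 * Mirrors TForm1.Button2Click:
 *   for each character c at 1-based position i:
 *       bl = bl - c + i        (8-bit register arithmetic; only the low byte of i is added)
 *       si = si + bl           (16-bit; bl zero-extended)
 *   while (si < 0x438D) si += 0x45E6   (16-bit)
 *   serial = IntToStr(si) with '-' inserted at (1-based) positions 3 and 5
 *
 * `out` receives the NUL-terminated serial (8 bytes are enough); `out_size` is its capacity.
 * Returns 0 on success, -1 if the name is empty (the target ignores an empty Edit1),
 * longer than MAX_NAME, or `out` is too small.
 */
static int compute_serial(const char *user, char *out, size_t out_size)
{
    size_t len = strlen(user);
    if (len == 0 || len > MAX_NAME || out_size < 8) return -1;

    unsigned bl = 0; /* kept to 8 bits by masking */
    unsigned si = 0; /* kept to 16 bits by masking */
    for (size_t i = 0; i < len; i++) {
        unsigned c = (unsigned char)user[i];        /* raw byte, not a (possibly signed) char */
        bl = (bl - c + ((i + 1) & 0xFFu)) & 0xFFu;  /* sub bl,al ; add bl,byte ptr [counter] */
        si = (si + bl) & 0xFFFFu;                   /* add si,ax with ax = movzx bl */
    }
    /* cmp si,438Dh / add si,45E6h loop. For names up to MAX_NAME chars si <= 32*255, so exactly
       one addition happens and no 16-bit wrap occurs; the loop form keeps it faithful anyway. */
    while (si < 0x438Du) si = (si + 0x45E6u) & 0xFFFFu;

    /* si is now in [0x438D, 0xFFFF] = [17293, 65535], i.e. always five decimal digits, so
       "ddddd" -> "dd-d-dd" reproduces Insert('-', s, 3) followed by Insert('-', s, 5). */
    char digits[8];
    snprintf(digits, sizeof digits, "%u", si);
    snprintf(out, out_size, "%.2s-%.1s-%.2s", digits, digits + 2, digits + 3);
    return 0;
}

/* Console front end: prompt for the name, print the serial, wait for Enter. */
int main(void)
{
    char user[MAX_NAME + 2] = {0}; /* name + '\n' + NUL */
    char code[16] = {0};

    printf("用户名: ");
    fflush(stdout);
    /* fgets instead of scanf("%s"): bounded (the unbounded read could overflow the buffer)
       and keeps spaces, which a TEdit accepts. */
    if (!fgets(user, sizeof user, stdin)) return 1;
    user[strcspn(user, "\r\n")] = '\0';

    if (compute_serial(user, code, sizeof code) != 0) {
        printf("用户名不能为空, 且不能超过 %d 个字符\n", MAX_NAME);
        return 1;
    }
    printf("系列号: %s\n", code);
    getchar(); /* keep the console window open until Enter */
    return 0;
}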
示例结果:
用户名: abc
系列号: 18-3-42