这是个朋友做过的 CrackMe，他说注册机挺难写。跟踪了一下，好像没有什么特别的，注册机也不难写。唯一的关键点是要让数据符合某个表达式，用随机+穷举就行了。总体上来说应该是比较简单的。
(要自己练的看附件吧)
发一下代码和注释:
00401000 > 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
00401002 68 00304000 push KeygenMe.00403000 ; |Title = "ItSecurity.ma KeygenMe (RESTRICTED PATCHING)"
00401007 68 2D304000 push KeygenMe.0040302D ; |Text = "Itsecurity.ma KeygenME Coded by Souhail Hammou ..."
0040100C 6A 00 push 0x0 ; |hOwner = NULL
0040100E E8 19020000 call ; \MessageBoxA
00401013 |. 68 60304000 push KeygenMe.00403060 ; /Arg1 = 00403060 ASCII "Please type your e-mail: "
00401018 |. E8 17020000 call KeygenMe.00401234 ; \KeygenMe.00401234
0040101D |. 68 C8000000 push 0xC8 ; /Arg2 = 000000C8
00401022 |. 68 60314000 push KeygenMe.00403160 ; |Arg1 = 00403160
00401027 |. E8 40020000 call KeygenMe.0040126C ; \KeygenMe.0040126C
0040102C |. 8D05 60314000 lea eax,dword ptr ds:[0x403160] ; szUserName
00401032 |. 33D2 xor edx,edx
00401034 |. 33C9 xor ecx,ecx
00401036 |> 8A18 /mov bl,byte ptr ds:[eax]
00401038 |. 80FB 40 |cmp bl,0x40
0040103B |. 74 0C |je short KeygenMe.00401049
0040103D |. 38D3 |cmp bl,dl
0040103F |. 0F84 A6010000 |je KeygenMe.004011EB ; 字符串结束之前一定要包含一个@号。。
00401045 |. 41 |inc ecx
00401046 |. 40 |inc eax
00401047 |.^ EB ED \jmp short KeygenMe.00401036 ; 计算字符串长度的
00401049 |> 80F9 03 cmp cl,0x3
0040104C |. 0F8E B9010000 jle KeygenMe.0040120B ; 一定要比3长
00401052 |. 68 7A304000 push KeygenMe.0040307A ; /Arg1 = 0040307A ASCII "Please Enter a valid serial: "
00401057 |. E8 D8010000 call KeygenMe.00401234 ; \KeygenMe.00401234
0040105C |. 68 C8000000 push 0xC8 ; /Arg2 = 000000C8
00401061 |. 68 84414000 push offset ; |Arg1 = 00404184
00401066 |. E8 01020000 call KeygenMe.0040126C ; \KeygenMe.0040126C
0040106B |. 68 84414000 push offset ; /String = ""
00401070 |. E8 C3020000 call ; \lstrlenA
00401075 |. 83F8 17 cmp eax,0x17
00401078 |. 0F85 4D010000 jnz KeygenMe.004011CB ; 密码长度=0x17
0040107E |. 8D05 84414000 lea eax,dword ptr ds:[]
00401084 |. 33DB xor ebx,ebx
00401086 |. 8B18 mov ebx,dword ptr ds:[eax] ; 放四个字节到ebx
00401088 |. 81FB 4954532D cmp ebx,0x2D535449 ; 看跟这四个字节一样不
0040108E |. 0F85 37010000 jnz KeygenMe.004011CB ; 不一样就死掉了
00401094 |. 83C0 08 add eax,0x8
00401097 |. 8038 2D cmp byte ptr ds:[eax],0x2D ; 密码的第9个字符要是0x2D
0040109A |. 0F85 2B010000 jnz KeygenMe.004011CB
004010A0 |. 33C9 xor ecx,ecx
004010A2 |. 33D2 xor edx,edx
004010A4 |. B1 03 mov cl,0x3
004010A6 |. B2 05 mov dl,0x5
004010A8 |> 03C2 /add eax,edx
004010AA |. FEC9 |dec cl
004010AC |. 8038 2D |cmp byte ptr ds:[eax],0x2D
004010AF |.^ 74 F7 \je short KeygenMe.004010A8 ; 这个位置不是2D就不循环
004010B1 |. 80F9 00 cmp cl,0x0 ; 这里必须得循环,否则cl不等于0就不能继续玩了
004010B4 |. 0F85 11010000 jnz KeygenMe.004011CB
004010BA |. 8D05 84414000 lea eax,dword ptr ds:[]
004010C0 |. 83C0 04 add eax,0x4
004010C3 |. 8B18 mov ebx,dword ptr ds:[eax] ; 第二个四字放到ebx
004010C5 |. 8D0D A8514000 lea ecx,dword ptr ds:[0x4051A8]
004010CB |. 8919 mov dword ptr ds:[ecx],ebx ; empty<---ebx
004010CD |. 83C0 05 add eax,0x5
004010D0 |. 8B18 mov ebx,dword ptr ds:[eax]
004010D2 |. 8D0D CC614000 lea ecx,dword ptr ds:[0x4061CC]
004010D8 |. 8919 mov dword ptr ds:[ecx],ebx
004010DA |. 83C0 05 add eax,0x5
004010DD |. 8B18 mov ebx,dword ptr ds:[eax]
004010DF |. 8D0D F0714000 lea ecx,dword ptr ds:[0x4071F0]
004010E5 |. 8919 mov dword ptr ds:[ecx],ebx
004010E7 |. 83C0 05 add eax,0x5
004010EA |. 8B18 mov ebx,dword ptr ds:[eax]
004010EC |. 8D0D 14824000 lea ecx,dword ptr ds:[0x408214]
004010F2 |. 8919 mov dword ptr ds:[ecx],ebx ; 雷同
004010F4 |. 33C0 xor eax,eax
004010F6 |. 33DB xor ebx,ebx
004010F8 |. 33D2 xor edx,edx
004010FA |. 33C9 xor ecx,ecx
004010FC |. 8D05 A8514000 lea eax,dword ptr ds:[0x4051A8]
00401102 |. 8B00 mov eax,dword ptr ds:[eax]
00401104 |. 2D 30303030 sub eax,0x30303030
00401109 |. 8D15 A8514000 lea edx,dword ptr ds:[0x4051A8]
0040110F |. 8902 mov dword ptr ds:[edx],eax ; 第一个empty buffer-30303030再放回去
00401111 |. 8A1A mov bl,byte ptr ds:[edx]
00401113 |. 8A4A 01 mov cl,byte ptr ds:[edx+0x1]
00401116 |. 02D9 add bl,cl
00401118 |. 8A4A 02 mov cl,byte ptr ds:[edx+0x2]
0040111B |. 02D9 add bl,cl
0040111D |. 8A4A 03 mov cl,byte ptr ds:[edx+0x3]
00401120 |. 02D9 add bl,cl
00401122 |. 80FB 10 cmp bl,0x10
00401125 |. 0F85 A0000000 jnz KeygenMe.004011CB ; 四个字节加起来必须等于0x10
0040112B |. 8D15 CC614000 lea edx,dword ptr ds:[0x4061CC]
00401131 |. 8A1A mov bl,byte ptr ds:[edx]
00401133 |. 80FB 4F cmp bl,0x4F
00401136 |. 0F85 8F000000 jnz KeygenMe.004011CB ; 这里要等于4F
0040113C |. 8A4A 01 mov cl,byte ptr ds:[edx+0x1]
0040113F |. 02D9 add bl,cl
00401141 |. 8A4A 02 mov cl,byte ptr ds:[edx+0x2]
00401144 |. 02D9 add bl,cl
00401146 |. 8A4A 03 mov cl,byte ptr ds:[edx+0x3]
00401149 |. 2AD9 sub bl,cl
0040114B |. 80FB 8F cmp bl,0x8F
0040114E |. 75 7B jnz short KeygenMe.004011CB ; 加起来要等于8F
00401150 |. 8D05 F0714000 lea eax,dword ptr ds:[0x4071F0]
00401156 |. 8B00 mov eax,dword ptr ds:[eax]
00401158 |. 2D 30303030 sub eax,0x30303030
0040115D |. 8D15 F0714000 lea edx,dword ptr ds:[0x4071F0]
00401163 |. 8902 mov dword ptr ds:[edx],eax
00401165 |. 8A1A mov bl,byte ptr ds:[edx]
00401167 |. 8A4A 01 mov cl,byte ptr ds:[edx+0x1]
0040116A |. 02D9 add bl,cl
0040116C |. 8A4A 02 mov cl,byte ptr ds:[edx+0x2]
0040116F |. 02D9 add bl,cl
00401171 |. 8A4A 03 mov cl,byte ptr ds:[edx+0x3]
00401174 |. 80E9 02 sub cl,0x2 ; 别忘记这里减去2了
00401177 |. 02D9 add bl,cl
00401179 |. 80FB 10 cmp bl,0x10
0040117C |. 75 4D jnz short KeygenMe.004011CB ; 其他的都跟第一个buffer雷同了
0040117E |. 8D05 14824000 lea eax,dword ptr ds:[0x408214]
00401184 |. 8B00 mov eax,dword ptr ds:[eax]
00401186 |. 2D 30303030 sub eax,0x30303030
0040118B |. 8D15 14824000 lea edx,dword ptr ds:[0x408214]
00401191 |. 8902 mov dword ptr ds:[edx],eax
00401193 |. 8A1A mov bl,byte ptr ds:[edx]
00401195 |. 8A4A 01 mov cl,byte ptr ds:[edx+0x1]
00401198 |. 02D9 add bl,cl
0040119A |. 8A4A 02 mov cl,byte ptr ds:[edx+0x2]
0040119D |. 02D9 add bl,cl
0040119F |. 8A4A 03 mov cl,byte ptr ds:[edx+0x3]
004011A2 |. 02D9 add bl,cl
004011A4 |. 80FB 12 cmp bl,0x12
004011A7 |. 75 22 jnz short KeygenMe.004011CB ; 这次是要等于0x12
004011A9 |. EB 00 jmp short KeygenMe.004011AB