如何生成CrackMe注册机之Pie

本文练习CrackeMe下载链接如下:https://reverse.put.as/wp-content/uploads/2010/08/Pie.zip。来自MacSerialJunkies 2010 Contest。
所以分析破解起来还是有点难度。
运行截图如下。

Snip20171015_0.png

0x1代码静态分析

Hopper中打开Pie,可以看到如下代码。



        ; ================ B E G I N N I N G   O F   P R O C E D U R E ================

        ; Variables:
        ;    var_8: -8
        ;    var_10: -16
        ;    var_18: -24
        ;    var_20: -32
        ;    var_28: -40


                     -[PieAppDelegate serialFieldDidChange]:
0000000100001061         push       rbp                                         ; Objective C Implementation defined at 0x1000025d8 (instance method), DATA XREF=0x1000025d8
0000000100001062         mov        rbp, rsp
0000000100001065         mov        qword [rbp+var_28], rbx
0000000100001069         mov        qword [rbp+var_20], r12
000000010000106d         mov        qword [rbp+var_18], r13
0000000100001071         mov        qword [rbp+var_10], r14
0000000100001075         mov        qword [rbp+var_8], r15
0000000100001079         sub        rsp, 0x30
000000010000107d         mov        r13, rdi
0000000100001080         mov        rdi, qword [objc_cls_ref_NSUserDefaults]    ; argument "instance" for method _objc_msgSend_fixup
0000000100001087         lea        rsi, qword [0x100002208]                    ; @selector(standardUserDefaults), argument "selector" for method _objc_msgSend_fixup
000000010000108e         call       qword [0x100002208]                         ; @selector(standardUserDefaults),_objc_msgSend_fixup
0000000100001094         mov        r15, rax
0000000100001097         lea        r14, qword [0x1000022a8]                    ; @selector(setObject:forKey:)
000000010000109e         mov        r12, qword [0x1000022a8]                    ; @selector(setObject:forKey:)
00000001000010a5         mov        rax, qword [objc_ivar_offset_PieAppDelegate_nameField]
00000001000010ac         mov        rdi, qword [r13+rax]                        ; argument "instance" for method _objc_msgSend_fixup
00000001000010b1         lea        rbx, qword [0x100002258]                    ; @selector(stringValue)
00000001000010b8         mov        rsi, rbx                                    ; argument "selector" for method _objc_msgSend_fixup
00000001000010bb         call       qword [0x100002258]                         ; @selector(stringValue),_objc_msgSend_fixup
00000001000010c1         lea        rcx, qword [cfstring_name]                  ; @"name"
00000001000010c8         mov        rdx, rax
00000001000010cb         mov        rsi, r14                                    ; argument "selector" for method _objc_msgSend_fixup
00000001000010ce         mov        rdi, r15                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000010d1         call       r12                                         ; _objc_msgSend_fixup
00000001000010d4         mov        r12, qword [0x1000022a8]                    ; @selector(setObject:forKey:)
00000001000010db         mov        rax, qword [objc_ivar_offset_PieAppDelegate_serialField]
00000001000010e2         mov        rdi, qword [r13+rax]                        ; argument "instance" for method _objc_msgSend_fixup
00000001000010e7         mov        rsi, rbx                                    ; argument "selector" for method _objc_msgSend_fixup
00000001000010ea         call       qword [0x100002258]                         ; @selector(stringValue),_objc_msgSend_fixup
00000001000010f0         lea        rcx, qword [cfstring_serial]                ; @"serial"
00000001000010f7         mov        rdx, rax
00000001000010fa         mov        rsi, r14                                    ; argument "selector" for method _objc_msgSend_fixup
00000001000010fd         mov        rdi, r15                                    ; argument "instance" for method _objc_msgSend_fixup
0000000100001100         call       r12                                         ; _objc_msgSend_fixup
0000000100001103         mov        r14, qword [0x100002268]                    ; @selector(verifySerial:andName:)
000000010000110a         mov        rax, qword [objc_ivar_offset_PieAppDelegate_nameField]
0000000100001111         mov        rdi, qword [r13+rax]                        ; argument "instance" for method _objc_msgSend_fixup
0000000100001116         mov        rsi, rbx                                    ; argument "selector" for method _objc_msgSend_fixup
0000000100001119         call       qword [0x100002258]                         ; @selector(stringValue),_objc_msgSend_fixup
000000010000111f         mov        r12, rax
0000000100001122         mov        rax, qword [objc_ivar_offset_PieAppDelegate_serialField]
0000000100001129         mov        rdi, qword [r13+rax]                        ; argument "instance" for method _objc_msgSend_fixup
000000010000112e         mov        rsi, rbx                                    ; argument "selector" for method _objc_msgSend_fixup
0000000100001131         call       qword [0x100002258]                         ; @selector(stringValue),_objc_msgSend_fixup
0000000100001137         mov        rcx, r12
000000010000113a         mov        rdx, rax
000000010000113d         lea        rsi, qword [0x100002268]                    ; @selector(verifySerial:andName:), argument "selector" for method _objc_msgSend_fixup
0000000100001144         mov        rdi, r13                                    ; argument "instance" for method _objc_msgSend_fixup
0000000100001147         mov        r11, r14
000000010000114a         mov        rbx, qword [rbp+var_28]
000000010000114e         mov        r12, qword [rbp+var_20]
0000000100001152         mov        r13, qword [rbp+var_18]
0000000100001156         mov        r14, qword [rbp+var_10]
000000010000115a         mov        r15, qword [rbp+var_8]
000000010000115e         leave
000000010000115f         jmp        r11                                         ; _objc_msgSend_fixup
                        ; endp

[PieAppDelegate serialFieldDidChange]方法监听输入serial的变化,然后 调用[PieAppDelegate verifySerial:andName:]进行检验。所以真正校验的方法在 -[PieAppDelegate verifySerial:andName:]。代码如下。



        ; ================ B E G I N N I N G   O F   P R O C E D U R E ================

        ; Variables:
        ;    var_8: -8
        ;    var_10: -16
        ;    var_18: -24
        ;    var_20: -32
        ;    var_28: -40
        ;    var_38: -56
        ;    var_40: -64
        ;    var_48: -72
        ;    var_50: -80
        ;    var_58: -88
        ;    var_60: -96
        ;    var_70: -112
        ;    var_78: -120
        ;    var_80: -128
        ;    var_88: -136
        ;    var_90: -144
        ;    var_98: -152
        ;    var_A0: -160
        ;    var_A8: -168
        ;    var_B0: -176
        ;    var_B8: -184
        ;    var_C0: -192
        ;    var_C8: -200
        ;    var_D0: -208


                     -[PieAppDelegate verifySerial:andName:]:
0000000100001342         push       rbp                                         ; Objective C Implementation defined at 0x1000025c0 (instance method), DATA XREF=0x1000025c0
0000000100001343         mov        rbp, rsp
0000000100001346         mov        qword [rbp+var_28], rbx
000000010000134a         mov        qword [rbp+var_20], r12
000000010000134e         mov        qword [rbp+var_18], r13
0000000100001352         mov        qword [rbp+var_10], r14
0000000100001356         mov        qword [rbp+var_8], r15
000000010000135a         sub        rsp, 0xd0
0000000100001361         mov        qword [rbp+var_60], rdi
0000000100001365         mov        r13, rdx
0000000100001368         mov        r14, rcx
000000010000136b         mov        rdi, qword [0x100002768]                    ; argument "instance" for method _objc_msgSend_fixup
0000000100001372         mov        edx, 0x4
0000000100001377         lea        rsi, qword [0x1000022b8]                    ; @selector(dataUsingEncoding:), argument "selector" for method _objc_msgSend_fixup
000000010000137e         call       qword [0x1000022b8]                         ; @selector(dataUsingEncoding:),_objc_msgSend_fixup
0000000100001384         mov        r15, rax
0000000100001387         lea        rsi, qword [0x1000022c8]                    ; @selector(length), argument "selector" for method _objc_msgSend_fixup
000000010000138e         mov        rdi, r13                                    ; argument "instance" for method _objc_msgSend_fixup
0000000100001391         call       qword [0x1000022c8]                         ; @selector(length),_objc_msgSend_fixup
0000000100001397         cmp        rax, 0x10
000000010000139b         jne        loc_100001666

00000001000013a1         mov        edx, 0x6
00000001000013a6         lea        rsi, qword [0x1000022d8]                    ; @selector(substringToIndex:), argument "selector" for method _objc_msgSend_fixup
00000001000013ad         mov        rdi, r13                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000013b0         call       qword [0x1000022d8]                         ; @selector(substringToIndex:),_objc_msgSend_fixup
00000001000013b6         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000013b9         mov        edx, 0x4
00000001000013be         lea        rsi, qword [0x1000022b8]                    ; @selector(dataUsingEncoding:), argument "selector" for method _objc_msgSend_fixup
00000001000013c5         call       qword [0x1000022b8]                         ; @selector(dataUsingEncoding:),_objc_msgSend_fixup
00000001000013cb         mov        rbx, rax
00000001000013ce         lea        rsi, qword [0x1000022c8]                    ; @selector(length), argument "selector" for method _objc_msgSend_fixup
00000001000013d5         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000013d8         call       qword [0x1000022c8]                         ; @selector(length),_objc_msgSend_fixup
00000001000013de         mov        r12, rax
00000001000013e1         lea        rsi, qword [0x1000022e8]                    ; @selector(bytes), argument "selector" for method _objc_msgSend_fixup
00000001000013e8         mov        rdi, rbx                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000013eb         call       qword [0x1000022e8]                         ; @selector(bytes),_objc_msgSend_fixup
00000001000013f1         mov        rdi, rax                                    ; argument "d" for method imp___symbol_stub1__MD5
00000001000013f4         xor        edx, edx                                    ; argument "md" for method imp___symbol_stub1__MD5
00000001000013f6         mov        rsi, r12                                    ; argument "n" for method imp___symbol_stub1__MD5
00000001000013f9         call       imp___symbol_stub1__MD5
00000001000013fe         mov        rdx, qword [objc_cls_ref_NSString]
0000000100001405         mov        qword [rbp+var_58], rdx
0000000100001409         movzx      r9d, byte [rax+2]
000000010000140e         movzx      r8d, byte [rax+1]
0000000100001413         movzx      ecx, byte [rax]
0000000100001416         movzx      edx, byte [rax+0xf]
000000010000141a         mov        dword [rsp+0xd0+var_70], edx
000000010000141e         movzx      edx, byte [rax+0xe]
0000000100001422         mov        dword [rsp+0xd0+var_78], edx
0000000100001426         movzx      edx, byte [rax+0xd]
000000010000142a         mov        dword [rsp+0xd0+var_80], edx
000000010000142e         movzx      edx, byte [rax+0xc]
0000000100001432         mov        dword [rsp+0xd0+var_88], edx
0000000100001436         movzx      edx, byte [rax+0xb]
000000010000143a         mov        dword [rsp+0xd0+var_90], edx
000000010000143e         movzx      edx, byte [rax+0xa]
0000000100001442         mov        dword [rsp+0xd0+var_98], edx
0000000100001446         movzx      edx, byte [rax+9]
000000010000144a         mov        dword [rsp+0xd0+var_A0], edx
000000010000144e         movzx      edx, byte [rax+8]
0000000100001452         mov        dword [rsp+0xd0+var_A8], edx
0000000100001456         movzx      edx, byte [rax+7]
000000010000145a         mov        dword [rsp+0xd0+var_B0], edx
000000010000145e         movzx      edx, byte [rax+6]
0000000100001462         mov        dword [rsp+0xd0+var_B8], edx
0000000100001466         movzx      edx, byte [rax+5]
000000010000146a         mov        dword [rsp+0xd0+var_C0], edx
000000010000146e         movzx      edx, byte [rax+4]
0000000100001472         mov        dword [rsp+0xd0+var_C8], edx
0000000100001476         movzx      eax, byte [rax+3]
000000010000147a         mov        dword [rsp+0xd0+var_D0], eax
000000010000147d         lea        rdx, qword [cfstring__02X_02X_02X_02X_02X_02X_02X_02X_02X_02X_02X_02X_02X_02X_02X_02X] ; @"%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X"
0000000100001484         lea        rsi, qword [0x1000022f8]                    ; @selector(stringWithFormat:), argument "selector" for method _objc_msgSend_fixup
000000010000148b         mov        rdi, qword [rbp+var_58]                     ; argument "instance" for method _objc_msgSend_fixup
000000010000148f         xor        eax, eax
0000000100001491         call       qword [0x1000022f8]                         ; @selector(stringWithFormat:),_objc_msgSend_fixup
0000000100001497         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
000000010000149a         mov        rdx, qword [0x100002770]
00000001000014a1         lea        rsi, qword [0x100002308]                    ; @selector(isEqualToString:), argument "selector" for method _objc_msgSend_fixup
00000001000014a8         call       qword [0x100002308]                         ; @selector(isEqualToString:),_objc_msgSend_fixup
00000001000014ae         test       al, al
00000001000014b0         je         loc_100001666

00000001000014b6         mov        edx, 0xd
00000001000014bb         lea        rsi, qword [0x100002318]                    ; @selector(characterAtIndex:), argument "selector" for method _objc_msgSend_fixup
00000001000014c2         mov        rdi, r13                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000014c5         call       qword [0x100002318]                         ; @selector(characterAtIndex:),_objc_msgSend_fixup
00000001000014cb         cmp        ax, 0x46
00000001000014cf         jne        loc_100001666

00000001000014d5         mov        edx, 0x4
00000001000014da         lea        rsi, qword [0x1000022b8]                    ; @selector(dataUsingEncoding:), argument "selector" for method _objc_msgSend_fixup
00000001000014e1         mov        rdi, r14                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000014e4         call       qword [0x1000022b8]                         ; @selector(dataUsingEncoding:),_objc_msgSend_fixup
00000001000014ea         mov        rbx, rax
00000001000014ed         lea        rsi, qword [0x1000022c8]                    ; @selector(length), argument "selector" for method _objc_msgSend_fixup
00000001000014f4         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000014f7         call       qword [0x1000022c8]                         ; @selector(length),_objc_msgSend_fixup
00000001000014fd         mov        r12, rax
0000000100001500         lea        rsi, qword [0x1000022e8]                    ; @selector(bytes), argument "selector" for method _objc_msgSend_fixup
0000000100001507         mov        rdi, rbx                                    ; argument "instance" for method _objc_msgSend_fixup
000000010000150a         call       qword [0x1000022e8]                         ; @selector(bytes),_objc_msgSend_fixup
0000000100001510         mov        rdi, rax                                    ; argument "d" for method imp___symbol_stub1__MD5
0000000100001513         xor        edx, edx                                    ; argument "md" for method imp___symbol_stub1__MD5
0000000100001515         mov        rsi, r12                                    ; argument "n" for method imp___symbol_stub1__MD5
0000000100001518         call       imp___symbol_stub1__MD5
000000010000151d         movzx      r9d, byte [rax+2]
0000000100001522         movzx      r8d, byte [rax+1]
0000000100001527         movzx      ecx, byte [rax]
000000010000152a         movzx      edx, byte [rax+7]
000000010000152e         mov        dword [rsp+0xd0+var_B0], edx
0000000100001532         movzx      edx, byte [rax+6]
0000000100001536         mov        dword [rsp+0xd0+var_B8], edx
000000010000153a         movzx      edx, byte [rax+5]
000000010000153e         mov        dword [rsp+0xd0+var_C0], edx
0000000100001542         movzx      edx, byte [rax+4]
0000000100001546         mov        dword [rsp+0xd0+var_C8], edx
000000010000154a         movzx      eax, byte [rax+3]
000000010000154e         mov        dword [rsp+0xd0+var_D0], eax
0000000100001551         lea        rdx, qword [cfstring__02X_02X_02X_02X_02X_02X_02X] ; @"%02X%02X%02X%02X%02X%02X%02X"
0000000100001558         lea        rsi, qword [0x1000022f8]                    ; @selector(stringWithFormat:), argument "selector" for method _objc_msgSend_fixup
000000010000155f         mov        rdi, qword [rbp+var_58]                     ; argument "instance" for method _objc_msgSend_fixup
0000000100001563         xor        eax, eax
0000000100001565         call       qword [0x1000022f8]                         ; @selector(stringWithFormat:),_objc_msgSend_fixup
000000010000156b         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
000000010000156e         mov        edx, 0x7
0000000100001573         lea        rsi, qword [0x1000022d8]                    ; @selector(substringToIndex:), argument "selector" for method _objc_msgSend_fixup
000000010000157a         call       qword [0x1000022d8]                         ; @selector(substringToIndex:),_objc_msgSend_fixup
0000000100001580         mov        rbx, rax
0000000100001583         mov        qword [rbp+var_38], 0x7
000000010000158b         mov        qword [rbp+var_40], 0x6
0000000100001593         mov        edx, 0x6
0000000100001598         mov        ecx, 0x7
000000010000159d         lea        rsi, qword [0x100002328]                    ; @selector(substringWithRange:), argument "selector" for method _objc_msgSend_fixup
00000001000015a4         mov        rdi, r13                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000015a7         call       qword [0x100002328]                         ; @selector(substringWithRange:),_objc_msgSend_fixup
00000001000015ad         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000015b0         mov        rdx, rbx
00000001000015b3         lea        rsi, qword [0x100002308]                    ; @selector(isEqualToString:), argument "selector" for method _objc_msgSend_fixup
00000001000015ba         call       qword [0x100002308]                         ; @selector(isEqualToString:),_objc_msgSend_fixup
00000001000015c0         test       al, al
00000001000015c2         je         loc_100001666

00000001000015c8         mov        qword [rbp+var_48], 0x2
00000001000015d0         mov        qword [rbp+var_50], 0xe
00000001000015d8         mov        edx, 0xe
00000001000015dd         mov        ecx, 0x2
00000001000015e2         lea        rsi, qword [0x100002328]                    ; @selector(substringWithRange:), argument "selector" for method _objc_msgSend_fixup
00000001000015e9         mov        rdi, r13                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000015ec         call       qword [0x100002328]                         ; @selector(substringWithRange:),_objc_msgSend_fixup
00000001000015f2         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000015f5         mov        edx, 0x4
00000001000015fa         lea        rsi, qword [0x1000022b8]                    ; @selector(dataUsingEncoding:), argument "selector" for method _objc_msgSend_fixup
0000000100001601         call       qword [0x1000022b8]                         ; @selector(dataUsingEncoding:),_objc_msgSend_fixup
0000000100001607         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
000000010000160a         mov        rdx, r15
000000010000160d         lea        rsi, qword [0x100002338]                    ; @selector(isEqualToData:), argument "selector" for method _objc_msgSend_fixup
0000000100001614         call       qword [0x100002338]                         ; @selector(isEqualToData:),_objc_msgSend_fixup
000000010000161a         test       al, al
000000010000161c         je         loc_100001666

000000010000161e         mov        rdi, qword [objc_cls_ref_NSNotificationCenter] ; argument "instance" for method _objc_msgSend_fixup
0000000100001625         lea        rsi, qword [0x100002238]                    ; @selector(defaultCenter), argument "selector" for method _objc_msgSend_fixup
000000010000162c         call       qword [0x100002238]                         ; @selector(defaultCenter),_objc_msgSend_fixup
0000000100001632         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
0000000100001635         mov        rcx, qword [rbp+var_60]
0000000100001639         lea        rdx, qword [cfstring_Registered]            ; @"Registered"
0000000100001640         lea        rsi, qword [0x100002348]                    ; @selector(postNotificationName:object:), argument "selector" for method _objc_msgSend_fixup
0000000100001647         mov        r11, qword [0x100002348]                    ; @selector(postNotificationName:object:)
000000010000164e         mov        rbx, qword [rbp+var_28]
0000000100001652         mov        r12, qword [rbp+var_20]
0000000100001656         mov        r13, qword [rbp+var_18]
000000010000165a         mov        r14, qword [rbp+var_10]
000000010000165e         mov        r15, qword [rbp+var_8]
0000000100001662         leave
0000000100001663         jmp        r11                                         ; _objc_msgSend_fixup
                        ; endp

                     loc_100001666:
0000000100001666         mov        rbx, qword [rbp+var_28]                     ; CODE XREF=-[PieAppDelegate verifySerial:andName:]+89, -[PieAppDelegate verifySerial:andName:]+366, -[PieAppDelegate verifySerial:andName:]+397, -[PieAppDelegate verifySerial:andName:]+640, -[PieAppDelegate verifySerial:andName:]+730
000000010000166a         mov        r12, qword [rbp+var_20]
000000010000166e         mov        r13, qword [rbp+var_18]
0000000100001672         mov        r14, qword [rbp+var_10]
0000000100001676         mov        r15, qword [rbp+var_8]
000000010000167a         leave
000000010000167b         ret
                        ; endp

在此方法中还引用了两个常量字符@"BC",@"66EAD6FE7CBE7987B7C4B1A1EED0E5A5"。如下。

0000000100002767         db  0x00 ; '.'
0000000100002768         dq         0x0000000100002168                          ; @"BC", DATA XREF=-[PieAppDelegate verifySerial:andName:]+41
0000000100002770         dq         0x0000000100002188                          ; @"66EAD6FE7CBE7987B7C4B1A1EED0E5A5", DATA XREF=-[PieAppDelegate verifySerial:andName:]+344
0000000100002778         db  0x00 ; '.'

其中,此方法开头有如下引用。得知@“BC”存入了r15。

000000010000136b         mov        rdi, qword [0x100002768]                    ; argument "instance" for method _objc_msgSend_fixup
0000000100001372         mov        edx, 0x4
0000000100001377         lea        rsi, qword [0x1000022b8]
0000000100001384         mov        r15, rax

首先,判断Serial的length长度是否是16(0x10)位,如果不是,则失败。如果长度符合,则取Serial前6位进行MD5加密,加密后的字符串截取前7位,和@"66EAD6FE7CBE7987B7C4B1A1EED0E5A5"比较,如果不相等,失败。如果相等,则继续。关键跳转如下。

000000010000149a         mov        rdx, qword [0x100002770]
00000001000014a1         lea        rsi, qword [0x100002308]                    ; @selector(isEqualToString:), argument "selector" for method _objc_msgSend_fixup
00000001000014a8         call       qword [0x100002308]                         ; @selector(isEqualToString:),_objc_msgSend_fixup
00000001000014ae         test       al, al
00000001000014b0         je         loc_100001666

所以,@"66EAD6FE7CBE7987B7C4B1A1EED0E5A5"反向MD5就得出Serial的前六位。即:KRACK- 。
接下来如下代码,比较Serial的第14位是否与F相等,不相等,则失败。

00000001000014b6         mov        edx, 0xd
00000001000014bb         lea        rsi, qword [0x100002318]                    ; @selector(characterAtIndex:), argument "selector" for method _objc_msgSend_fixup
00000001000014c2         mov        rdi, r13                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000014c5         call       qword [0x100002318]                         ; @selector(characterAtIndex:),_objc_msgSend_fixup
00000001000014cb         cmp        ax, 0x46
00000001000014cf         jne        loc_100001666

后面一大段,将Name进行MD5加密,截取前7位(大写),和Serial的7-13位比较,不相等,则失败。如果相等,最后校验Serial最后的15-16位。
代码如下。

000000010000160a         mov        rdx, r15
000000010000160d         lea        rsi, qword [0x100002338]                    ; @selector(isEqualToData:), argument "selector" for method _objc_msgSend_fixup
0000000100001614         call       qword [0x100002338]                         ; @selector(isEqualToData:),_objc_msgSend_fixup
000000010000161a         test       al, al
000000010000161c         je         loc_100001666

此段代码将Serial的后两位与r15相比较。如果相等,则通过。根据上面的分析,r15为BC。所以得出Serial的最后两位为BC。

0x2 Keygen算法

根据上述分析(动态分析过程略),得出Keygen算法如下。

 Serial ="KRACK-"+ MD5(Name).upCase().subStringWithRange(0,7)+"FBC"

设Name 为MyTest。则MD5(Name).upCase().subStringWithRange(0,7)为:1A1220A,所以得出Serial为:KRACK-1A1220AFBC。

程序验证,Success。:)!

Snip20171015_5.png
Snip20171015_4.png

你可能感兴趣的:(如何生成CrackMe注册机之Pie)