新160个CrackMe 007--Reg.exe注册算法分析
(编辑:jimmy 日期: 2024/11/17 浏览:3 次 )
CrackMe程序运行后输入用户名和序列号,提示重启验证。
1.jpg
如何找到验证Call和真码比较简单,在这里我就不在赘述,大家可以参考以下教程:
文字教程:https://www.bilibili.com/read/cv18424843
视频教程:https://www.bilibili.com/video/BV1oa411z7rs
因为代码看起来比较复杂,上面两个教程都没有对注册算法进行分析。以往我总是满足于能够爆破而不思进取,搞得自己一直没有进步,这次终于国庆节长假有点时间,而某些原因又限制了出行不敢乱跑,终于潜下心来,打算痛改前非,勇攀高峰,刀口向内,自我革命,花了一天时间做了分析,并写下了人生第一个没啥X用的注册机。
具体的代码分析之前,先讲讲分析过程中个人的一些心得:动态调试是算法分析的一大利器,分析之前先以步过的方式大致的看一下每一个Call的参数及输出结果,有些调用很明显就能看出功能,可以跳过省下不少时间;动态分析目前Windows平台下x64dbg无疑是最好用的工具之一,而且现在很多都是64位的程序,OD已经力不从心了,而x64dbg一直在频繁的改进,我自从用了x64dbg以后就再也没有碰过OD了,早用早受益;x64dbg也有局限,这时可以结合IDA,将IDA分析的结果导出Map供x64dbg使用,可以看到x64dbg分析不出的一些信息,比如一些高级语言的函数,这也是事半功倍的;分析过程中及时做好代码注释,以前过分相信自己的记忆,分析过程中只看不记,总觉得回头看到就能想起,现实是随着年老色衰,往往是几秒前问候过的代码都觉得陌生,尤其是Call进去后的第一行代码注释,往往很多地方调用,来来回回翻看很不方便,如果有注释点击Call进去看就知道这段代码的功能了。
以下是注册算法的主要部分:
[Asm] 纯文本查看 复制代码
0045C61D lea edx,dword ptr ss:[ebp-0x48] 0045C620 mov eax,dword ptr ss:[ebp-0x4] 用户名"lies2022"0045C623 call <reg.sub_45BE3C> 计算用户名MD5(32)0045C628 lea eax,dword ptr ss:[ebp-0x48] 前一个Call返回的MD50045C62B lea edx,dword ptr ss:[ebp-0x1C] 0045C62E call reg.45BEB0 MD5转字符串0045C633 lea edx,dword ptr ss:[ebp-0x48] "f3b715cab9553c8aaff743c61562a308"0045C636 mov eax,dword ptr ss:[ebp-0x8] 到期时间"110512"0045C639 call <reg.sub_45BE3C> 到期时间MD50045C63E lea eax,dword ptr ss:[ebp-0x48] 前一个Call返回的MD50045C641 lea edx,dword ptr ss:[ebp-0x20] 0045C644 call reg.45BEB0 MD5转字符串0045C649 lea eax,dword ptr ss:[ebp-0x4C] "316a6f4ced05edfc00f35e2699f0b762"0045C64C mov ecx,dword ptr ss:[ebp-0x20] 0045C64F mov edx,dword ptr ss:[ebp-0x1C] 0045C652 call <reg.@System@@LStrCat3$qqrv> 前两个MD5字符串合并0045C657 mov eax,dword ptr ss:[ebp-0x4C] "f3b715cab9553c8aaff743c61562a308316a6f4ced05edfc00f35e2699f0b762"0045C65A lea edx,dword ptr ss:[ebp-0x48] 0045C65D call <reg.sub_45BE3C> 合并串MD50045C662 lea eax,dword ptr ss:[ebp-0x48] 0045C665 lea edx,dword ptr ss:[ebp-0x18] 0045C668 call reg.45BEB0 合并串MD5转字符串0045C66D lea eax,dword ptr ss:[ebp-0x10] "45a5199feb18a39980fe17a5da4dad98"0045C670 mov edx,dword ptr ss:[ebp-0x8] 0045C673 call <reg.@System@@LStrLAsg$qqrpvpxv> 0045C678 lea eax,dword ptr ss:[ebp-0x50] 0045C67B push eax 0045C67C mov ecx,0x2 取2位0045C681 mov edx,0x1 从第1位开始0045C686 mov eax,dword ptr ss:[ebp-0x10] "110512"0045C689 call <reg.Delphi_Copy_404880> 从第1位开始取2位0045C68E mov eax,dword ptr ss:[ebp-0x50] 0045C691 call <reg.Delphi_StrToInt_408528> 字符串转整数0045C696 mov ebx,eax ebx=110045C698 lea eax,dword ptr ss:[ebp-0x54] 0045C69B push eax 0045C69C mov ecx,0x2 0045C6A1 mov edx,0x3 0045C6A6 mov eax,dword ptr ss:[ebp-0x10] 0045C6A9 call <reg.Delphi_Copy_404880> 0045C6AE mov eax,dword ptr ss:[ebp-0x54] 0045C6B1 call <reg.Delphi_StrToInt_408528> 0045C6B6 mov esi,eax esi=50045C6B8 lea eax,dword ptr ss:[ebp-0x58] 0045C6BB push eax 0045C6BC mov ecx,0x2 0045C6C1 mov edx,0x5 0045C6C6 mov eax,dword ptr ss:[ebp-0x10] 0045C6C9 call <reg.Delphi_Copy_404880> 0045C6CE mov eax,dword ptr ss:[ebp-0x58] 0045C6D1 call <reg.Delphi_StrToInt_408528> 0045C6D6 mov edi,eax edi=120045C6D8 lea eax,dword ptr ss:[ebp-0x5C] 0045C6DB push eax 0045C6DC lea edx,dword ptr ss:[ebp-0x60] 0045C6DF mov eax,ebx 110045C6E1 call reg.45C044 转二进制0045C6E6 mov eax,dword ptr ss:[ebp-0x60] "00001011"0045C6E9 mov ecx,0x7 0045C6EE mov edx,0x2 0045C6F3 call <reg.Delphi_Copy_404880> 第2位开始取7位0045C6F8 push dword ptr ss:[ebp-0x5C] "0001011"0045C6FB lea eax,dword ptr ss:[ebp-0x64] 0045C6FE push eax 0045C6FF lea edx,dword ptr ss:[ebp-0x68] 0045C702 mov eax,esi 50045C704 call reg.45C044 转二进制0045C709 mov eax,dword ptr ss:[ebp-0x68] "00000101"0045C70C mov ecx,0x4 0045C711 mov edx,0x5 0045C716 call <reg.Delphi_Copy_404880> 第5位开始取4位0045C71B push dword ptr ss:[ebp-0x64] "0101"0045C71E lea eax,dword ptr ss:[ebp-0x6C] 0045C721 push eax 0045C722 lea edx,dword ptr ss:[ebp-0x70] 0045C725 mov eax,edi 120045C727 call reg.45C044 转二进制0045C72C mov eax,dword ptr ss:[ebp-0x70] "00001100"0045C72F mov ecx,0x5 0045C734 mov edx,0x4 0045C739 call <reg.Delphi_Copy_404880> 第4位开始取5位0045C73E push dword ptr ss:[ebp-0x6C] "01100"0045C741 lea eax,dword ptr ss:[ebp-0x14] 0045C744 mov edx,0x3 0045C749 call <reg.@System@@LStrCatN$qqrv> 上面三个串合并"0001011010101100"0045C74E lea eax,dword ptr ss:[ebp-0x7C] 0045C751 mov edx,dword ptr ss:[ebp-0x14] 0045C754 mov dl,byte ptr ds:[edx+0x2] 0045C757 mov byte ptr ds:[eax+0x1],dl 0045C75A mov byte ptr ds:[eax],0x1 二进制串取第3位ASCII,前面插入1(0130)0045C75D lea edx,dword ptr ss:[ebp-0x7C] ^低位1表示长度0045C760 lea eax,dword ptr ss:[ebp-0x80] 0045C763 call <reg.@System@@PStrCpy$qqrp28System@%SmallString$iuc$255%t1> 0045C768 lea eax,dword ptr ss:[ebp-0x84] 0045C76E mov edx,dword ptr ss:[ebp-0x14] 0045C771 mov dl,byte ptr ds:[edx+0x3] 0045C774 mov byte ptr ds:[eax+0x1],dl 0045C777 mov byte ptr ds:[eax],0x1 二进制串取第4位ASCII,前面插入1(0131)0045C77A lea edx,dword ptr ss:[ebp-0x84] 0045C780 lea eax,dword ptr ss:[ebp-0x80] 0045C783 mov cl,0x2 0045C785 call <reg.@System@@PStrNCat$qqrv> 合并上面两串(023031)0045C78A lea edx,dword ptr ss:[ebp-0x80] ^第1位2表示长度0045C78D lea eax,dword ptr ss:[ebp-0x88] 0045C793 call <reg.@System@@PStrCpy$qqrp28System@%SmallString$iuc$255%t1> 0045C798 lea eax,dword ptr ss:[ebp-0x84] 0045C79E mov edx,dword ptr ss:[ebp-0x14] 0045C7A1 mov dl,byte ptr ds:[edx+0x4] 0045C7A4 mov byte ptr ds:[eax+0x1],dl 二进制串取第5位ASCII,前面插入1(0130)0045C7A7 mov byte ptr ds:[eax],0x1 0045C7AA lea edx,dword ptr ss:[ebp-0x84] 0045C7B0 lea eax,dword ptr ss:[ebp-0x88] 0045C7B6 mov cl,0x3 0045C7B8 call <reg.@System@@PStrNCat$qqrv> 0045C7BD lea edx,dword ptr ss:[ebp-0x88] 0045C7C3 lea eax,dword ptr ss:[ebp-0x90] 0045C7C9 call <reg.@System@@PStrCpy$qqrp28System@%SmallString$iuc$255%t1> 0045C7CE lea eax,dword ptr ss:[ebp-0x84] 0045C7D4 mov edx,dword ptr ss:[ebp-0x14] 0045C7D7 mov dl,byte ptr ds:[edx+0x8] 二进制串第9位0045C7DA mov byte ptr ds:[eax+0x1],dl 0045C7DD mov byte ptr ds:[eax],0x1 0045C7E0 lea edx,dword ptr ss:[ebp-0x84] 0045C7E6 lea eax,dword ptr ss:[ebp-0x90] 0045C7EC mov cl,0x4 0045C7EE call <reg.@System@@PStrNCat$qqrv> 0045C7F3 lea edx,dword ptr ss:[ebp-0x90] 0045C7F9 lea eax,dword ptr ss:[ebp-0x98] 0045C7FF call <reg.@System@@PStrCpy$qqrp28System@%SmallString$iuc$255%t1> 0045C804 lea eax,dword ptr ss:[ebp-0x84] 0045C80A mov edx,dword ptr ss:[ebp-0x14] 0045C80D mov dl,byte ptr ds:[edx+0x9] 二进制串第10位0045C810 mov byte ptr ds:[eax+0x1],dl 0045C813 mov byte ptr ds:[eax],0x1 0045C816 lea edx,dword ptr ss:[ebp-0x84] 0045C81C lea eax,dword ptr ss:[ebp-0x98] 0045C822 mov cl,0x5 0045C824 call <reg.@System@@PStrNCat$qqrv> 0045C829 lea edx,dword ptr ss:[ebp-0x98] 0045C82F lea eax,dword ptr ss:[ebp-0xA0] 0045C835 call <reg.@System@@PStrCpy$qqrp28System@%SmallString$iuc$255%t1> 0045C83A lea eax,dword ptr ss:[ebp-0x84] 0045C840 mov edx,dword ptr ss:[ebp-0x14] 0045C843 mov dl,byte ptr ds:[edx+0xC] 二进制串第13位0045C846 mov byte ptr ds:[eax+0x1],dl 0045C849 mov byte ptr ds:[eax],0x1 0045C84C lea edx,dword ptr ss:[ebp-0x84] 0045C852 lea eax,dword ptr ss:[ebp-0xA0] 0045C858 mov cl,0x6 0045C85A call <reg.@System@@PStrNCat$qqrv> 0045C85F lea edx,dword ptr ss:[ebp-0xA0] 0045C865 lea eax,dword ptr ss:[ebp-0xA8] 0045C86B call <reg.@System@@PStrCpy$qqrp28System@%SmallString$iuc$255%t1> 0045C870 lea eax,dword ptr ss:[ebp-0x84] 0045C876 mov edx,dword ptr ss:[ebp-0x14] 0045C879 mov dl,byte ptr ds:[edx+0xD] 二进制串第14位0045C87C mov byte ptr ds:[eax+0x1],dl 0045C87F mov byte ptr ds:[eax],0x1 0045C882 lea edx,dword ptr ss:[ebp-0x84] 0045C888 lea eax,dword ptr ss:[ebp-0xA8] 0045C88E mov cl,0x7 0045C890 call <reg.@System@@PStrNCat$qqrv> 0045C895 lea edx,dword ptr ss:[ebp-0xA8] 0045C89B lea eax,dword ptr ss:[ebp-0xB4] 0045C8A1 call <reg.@System@@PStrCpy$qqrp28System@%SmallString$iuc$255%t1> 0045C8A6 lea eax,dword ptr ss:[ebp-0x84] 0045C8AC mov edx,dword ptr ss:[ebp-0x14] 0045C8AF mov dl,byte ptr ds:[edx+0xE] 二进制串第15位0045C8B2 mov byte ptr ds:[eax+0x1],dl 0045C8B5 mov byte ptr ds:[eax],0x1 0045C8B8 lea edx,dword ptr ss:[ebp-0x84] 0045C8BE lea eax,dword ptr ss:[ebp-0xB4] 0045C8C4 mov cl,0x8 0045C8C6 call <reg.@System@@PStrNCat$qqrv> 上面8位合并"01010110"0045C8CB lea edx,dword ptr ss:[ebp-0xB4] 带长度的"01010110"0045C8D1 lea eax,dword ptr ss:[ebp-0x78] 0045C8D4 call <reg.unknown_libname_76> LStrFromPCharLen0045C8D9 mov eax,dword ptr ss:[ebp-0x78] "01010110"0045C8DC call <reg.sub_45BF94> 循环读取二进制串,遇1则将剩余循环次数n做1<<n,结果累加0045C8E1 lea ecx,dword ptr ss:[ebp-0x74] 0x560045C8E4 mov edx,0x2 0045C8E9 call <reg.@Sysutils@IntToHex$qqrii> 0045C8EE mov eax,dword ptr ss:[ebp-0x74] "56"0045C8F1 push eax 0045C8F2 lea eax,dword ptr ss:[ebp-0x7C] 0045C8F5 mov edx,dword ptr ss:[ebp-0x14] "0001011010101100"0045C8F8 mov dl,byte ptr ds:[edx] 0045C8FA mov byte ptr ds:[eax+0x1],dl 二进制串第1位(30)0045C8FD mov byte ptr ds:[eax],0x1 长度10045C900 lea edx,dword ptr ss:[ebp-0x7C] 0045C903 lea eax,dword ptr ss:[ebp-0x80] 0045C906 call <reg.@System@@PStrCpy$qqrp28System@%SmallString$iuc$255%t1> 0045C90B lea eax,dword ptr ss:[ebp-0x84] 0045C911 mov edx,dword ptr ss:[ebp-0x14] 0045C914 mov dl,byte ptr ds:[edx+0x1] 0045C917 mov byte ptr ds:[eax+0x1],dl 二进制串第2位(30)0045C91A mov byte ptr ds:[eax],0x1 0045C91D lea edx,dword ptr ss:[ebp-0x84] 0045C923 lea eax,dword ptr ss:[ebp-0x80] 0045C926 mov cl,0x2 0045C928 call <reg.@System@@PStrNCat$qqrv> 合并上面两串(023031)0045C92D lea edx,dword ptr ss:[ebp-0x80] ^第1位2表示长度0045C930 lea eax,dword ptr ss:[ebp-0x88] 0045C936 call <reg.@System@@PStrCpy$qqrp28System@%SmallString$iuc$255%t1> 0045C93B lea eax,dword ptr ss:[ebp-0x84] 0045C941 mov edx,dword ptr ss:[ebp-0x14] 0045C944 mov dl,byte ptr ds:[edx+0x5] 0045C947 mov byte ptr ds:[eax+0x1],dl 二进制串第6位(31)0045C94A mov byte ptr ds:[eax],0x1 0045C94D lea edx,dword ptr ss:[ebp-0x84] 0045C953 lea eax,dword ptr ss:[ebp-0x88] 0045C959 mov cl,0x3 0045C95B call <reg.@System@@PStrNCat$qqrv> 0045C960 lea edx,dword ptr ss:[ebp-0x88] 0045C966 lea eax,dword ptr ss:[ebp-0x90] 0045C96C call <reg.@System@@PStrCpy$qqrp28System@%SmallString$iuc$255%t1> 0045C971 lea eax,dword ptr ss:[ebp-0x84] 0045C977 mov edx,dword ptr ss:[ebp-0x14] 0045C97A mov dl,byte ptr ds:[edx+0x6] 0045C97D mov byte ptr ds:[eax+0x1],dl 二进制串第7位(31)0045C980 mov byte ptr ds:[eax],0x1 0045C983 lea edx,dword ptr ss:[ebp-0x84] 0045C989 lea eax,dword ptr ss:[ebp-0x90] 0045C98F mov cl,0x4 0045C991 call <reg.@System@@PStrNCat$qqrv> 0045C996 lea edx,dword ptr ss:[ebp-0x90] 0045C99C lea eax,dword ptr ss:[ebp-0x98] 0045C9A2 call <reg.@System@@PStrCpy$qqrp28System@%SmallString$iuc$255%t1> 0045C9A7 lea eax,dword ptr ss:[ebp-0x84] 0045C9AD mov edx,dword ptr ss:[ebp-0x14] 0045C9B0 mov dl,byte ptr ds:[edx+0x7] 0045C9B3 mov byte ptr ds:[eax+0x1],dl 二进制串第8位(30)0045C9B6 mov byte ptr ds:[eax],0x1 0045C9B9 lea edx,dword ptr ss:[ebp-0x84] 0045C9BF lea eax,dword ptr ss:[ebp-0x98] 0045C9C5 mov cl,0x5 0045C9C7 call <reg.@System@@PStrNCat$qqrv> 0045C9CC lea edx,dword ptr ss:[ebp-0x98] 0045C9D2 lea eax,dword ptr ss:[ebp-0xA0] 0045C9D8 call <reg.@System@@PStrCpy$qqrp28System@%SmallString$iuc$255%t1> 0045C9DD lea eax,dword ptr ss:[ebp-0x84] 0045C9E3 mov edx,dword ptr ss:[ebp-0x14] 0045C9E6 mov dl,byte ptr ds:[edx+0xA] 0045C9E9 mov byte ptr ds:[eax+0x1],dl 二进制串第11位(31)0045C9EC mov byte ptr ds:[eax],0x1 0045C9EF lea edx,dword ptr ss:[ebp-0x84] 0045C9F5 lea eax,dword ptr ss:[ebp-0xA0] 0045C9FB mov cl,0x6 0045C9FD call <reg.@System@@PStrNCat$qqrv> 0045CA02 lea edx,dword ptr ss:[ebp-0xA0] 0045CA08 lea eax,dword ptr ss:[ebp-0xA8] 0045CA0E call <reg.@System@@PStrCpy$qqrp28System@%SmallString$iuc$255%t1> 0045CA13 lea eax,dword ptr ss:[ebp-0x84] 0045CA19 mov edx,dword ptr ss:[ebp-0x14] 0045CA1C mov dl,byte ptr ds:[edx+0xB] 0045CA1F mov byte ptr ds:[eax+0x1],dl 二进制串第12位(30)0045CA22 mov byte ptr ds:[eax],0x1 0045CA25 lea edx,dword ptr ss:[ebp-0x84] 0045CA2B lea eax,dword ptr ss:[ebp-0xA8] 0045CA31 mov cl,0x7 0045CA33 call <reg.@System@@PStrNCat$qqrv> 0045CA38 lea edx,dword ptr ss:[ebp-0xA8] 0045CA3E lea eax,dword ptr ss:[ebp-0xB4] 0045CA44 call <reg.@System@@PStrCpy$qqrp28System@%SmallString$iuc$255%t1> 0045CA49 lea eax,dword ptr ss:[ebp-0x84] 0045CA4F mov edx,dword ptr ss:[ebp-0x14] 0045CA52 mov dl,byte ptr ds:[edx+0xF] 0045CA55 mov byte ptr ds:[eax+0x1],dl 二进制串第16位(30)0045CA58 mov byte ptr ds:[eax],0x1 0045CA5B lea edx,dword ptr ss:[ebp-0x84] 0045CA61 lea eax,dword ptr ss:[ebp-0xB4] 0045CA67 mov cl,0x8 0045CA69 call <reg.@System@@PStrNCat$qqrv> 上面8位合并"00110100"0045CA6E lea edx,dword ptr ss:[ebp-0xB4] 带长度的"00110100"0045CA74 lea eax,dword ptr ss:[ebp-0xBC] 0045CA7A call <reg.unknown_libname_76> 0045CA7F mov eax,dword ptr ss:[ebp-0xBC] "00110100"0045CA85 call <reg.sub_45BF94> 循环读取二进制串,遇1则将剩余循环次数n做1<<n,结果累加0045CA8A lea ecx,dword ptr ss:[ebp-0xB8] 0x340045CA90 mov edx,0x2 0045CA95 call <reg.@Sysutils@IntToHex$qqrii> 0045CA9A mov edx,dword ptr ss:[ebp-0xB8] "34"0045CAA0 lea eax,dword ptr ss:[ebp-0x24] 0045CAA3 pop ecx "56"上一次结果0045CAA4 call <reg.@System@@LStrCat3$qqrv> 两串合并"3456"0045CAA9 lea eax,dword ptr ss:[ebp-0xC0] 0045CAAF mov ecx,dword ptr ss:[ebp-0x1C] "f3b715cab9553c8aaff743c61562a308"用户名MD50045CAB2 mov edx,dword ptr ss:[ebp-0x24] "3456"0045CAB5 call <reg.@System@@LStrCat3$qqrv> 0045CABA mov eax,dword ptr ss:[ebp-0xC0] "3456f3b715cab9553c8aaff743c61562a308"0045CAC0 lea edx,dword ptr ss:[ebp-0x28] 0045CAC3 call <reg.sub_45C244> 将eax按位读取,与dl最后1位亦或为1则(dl^0x18)1||0x80,为0则dl1(dl初始0),结果转为16进制字符串"EA"0045CAC8 lea eax,dword ptr ss:[ebp-0x2C] 0045CACB push eax 0045CACC lea eax,dword ptr ss:[ebp-0xC8] 0045CAD2 mov ecx,dword ptr ss:[ebp-0x28] 上个Call结果"EA"0045CAD5 mov edx,dword ptr ss:[ebp-0x24] "3456"0045CAD8 call <reg.@System@@LStrCat3$qqrv> "3456"+"EA"0045CADD mov eax,dword ptr ss:[ebp-0xC8] "3456EA"0045CAE3 lea edx,dword ptr ss:[ebp-0x48] 0045CAE6 call <reg.sub_45BE3C> MD5(32)0045CAEB lea eax,dword ptr ss:[ebp-0x48] 0045CAEE lea edx,dword ptr ss:[ebp-0xC4] 0045CAF4 call reg.45BEB0 MD5转字符串0045CAF9 mov eax,dword ptr ss:[ebp-0xC4] "6189a4059d33687fea8dfe485d4e07c8"0045CAFF mov ecx,0x2 0045CB04 mov edx,0x8 0045CB09 call <reg.Delphi_Copy_404880> 第8位开始取2位"59"0045CB0E lea eax,dword ptr ss:[ebp-0xCC] 0045CB14 mov ecx,dword ptr ss:[ebp-0x18] "45a5199feb18a39980fe17a5da4dad98"合并串MD50045CB17 mov edx,dword ptr ss:[ebp-0x1C] "f3b715cab9553c8aaff743c61562a308"用户名MD50045CB1A call <reg.@System@@LStrCat3$qqrv> 合并前面2字符串0045CB1F mov eax,dword ptr ss:[ebp-0xCC] "f3b715cab9553c8aaff743c61562a30845a5199feb18a39980fe17a5da4dad98"0045CB25 lea edx,dword ptr ss:[ebp-0x30] 0045CB28 call <reg.sub_45C244> 将eax按位读取,与dl最后1位亦或为1则(dl^0x18)1||0x80,为0则dl1(dl初始0),结果转为16进制字符串"6E"0045CB2D lea eax,dword ptr ss:[ebp-0xD0] 0045CB33 mov ecx,dword ptr ss:[ebp-0x18] "45a5199feb18a39980fe17a5da4dad98"合并串MD50045CB36 mov edx,dword ptr ss:[ebp-0x20] "316a6f4ced05edfc00f35e2699f0b762"到期时间MD50045CB39 call <reg.@System@@LStrCat3$qqrv> 0045CB3E mov eax,dword ptr ss:[ebp-0xD0] "316a6f4ced05edfc00f35e2699f0b76245a5199feb18a39980fe17a5da4dad98"0045CB44 lea edx,dword ptr ss:[ebp-0x34] 0045CB47 call <reg.sub_45C244> 将eax按位读取,与dl最后1位亦或为1则(dl^0x18)1||0x80,为0则dl1(dl初始0),结果转为16进制字符串"30"0045CB4C push dword ptr ss:[ebp-0x28] 0045CB4F push dword ptr ss:[ebp-0x24] 0045CB52 push dword ptr ss:[ebp-0x2C] 0045CB55 lea eax,dword ptr ss:[ebp-0xD8] 0045CB5B mov edx,dword ptr ss:[ebp-0x18] "45a5199feb18a39980fe17a5da4dad98"0045CB5E mov dl,byte ptr ds:[edx+0x7] 从第8位开始取1位(取第8位)0045CB61 call <reg.unknown_libname_73> LStrFromPCharLen取1位0045CB66 push dword ptr ss:[ebp-0xD8] "f"0045CB6C lea eax,dword ptr ss:[ebp-0xDC] 0045CB72 mov edx,dword ptr ss:[ebp-0x18] 0045CB75 mov dl,byte ptr ds:[edx+0xE] 取第16位0045CB78 call <reg.unknown_libname_73> 0045CB7D push dword ptr ss:[ebp-0xDC] "9"0045CB83 push dword ptr ss:[ebp-0x30] 0045CB86 lea eax,dword ptr ss:[ebp-0xE0] 0045CB8C mov edx,dword ptr ss:[ebp-0x18] 0045CB8F mov dl,byte ptr ds:[edx+0x17] 取第24位0045CB92 call <reg.unknown_libname_73> 0045CB97 push dword ptr ss:[ebp-0xE0] "5"0045CB9D lea eax,dword ptr ss:[ebp-0xE4] 0045CBA3 mov edx,dword ptr ss:[ebp-0x18] 0045CBA6 mov dl,byte ptr ds:[edx+0xB] 取第12位0045CBA9 call <reg.unknown_libname_73> 0045CBAE push dword ptr ss:[ebp-0xE4] "8"0045CBB4 push dword ptr ss:[ebp-0x34] "30"来自0045CB470045CBB7 lea eax,dword ptr ss:[ebp-0xD4] 0045CBBD mov edx,0x9 9:'\t'0045CBC2 call <reg.@System@@LStrCatN$qqrv> 将上面数个字符连接,Call后出现真码0045CBC7 mov eax,dword ptr ss:[ebp-0xD4] "EA345659f96E5830"0045CBCD lea edx,dword ptr ss:[ebp-0x38] 0045CBD0 call <reg.@Sysutils@UpperCase$qqrx17System@AnsiString> 转换成大写0045CBD5 mov eax,dword ptr ss:[ebp-0xC] 0045CBD8 mov edx,dword ptr ss:[ebp-0x38] "EA345659F96E5830"真码
0045C62 call <reg.sub_45BE3C>这个调用是计算MD5的,实际上我并未跟进去,只是动态调试的时候看着像是MD5,用工具验证了一下确实结果一样,所以之前就说过动态调试的重要性,这些算法给源代码我都未必能看懂,何况是反汇编,如果硬磕估计会影响某些功能。
注册算法中0045C67C-0045CAA4之间的代码尽管很长,其实就是用有效期算出一个4位字符串,而有效期是一个固定的“110512”,因此这个结果字符串也是固定的“3456”,我们在最后写注册机的时候直接使用即可,不必复现计算过程。这部分Call里面我就不详细的说明了,Call的作用我已经在代码后面注明,感兴趣的可以自己跟进去看一下。
CrackMe是用Delphi编写的,IDA已经分析出了一些函数名,函数具体功能可以在网络上很方便的查到。
0045CAC call <reg.sub_45C244>是对输入串做计算,输出一个2位字符串,算法如下:
[Asm] 纯文本查看 复制代码
0045C274 mov eax,dword ptr ss:[ebp-0x4] "3456f3b715cab9553c8aaff743c61562a308"0045C277 call <reg.unknown_libname_78> 取长度0x240045C27C and eax,0x80000001 结果00045C281 jns reg.45C288 0045C283 dec eax 0045C284 or eax,0xFFFFFFFE 0045C287 inc eax 0045C288 dec eax 结果-10045C289 jne reg.45C298 0045C28B lea eax,dword ptr ss:[ebp-0x4] 0045C28E mov edx,reg.45C360 45C360:L"0"0045C293 call <reg.@System@@LStrCat$qqrv> 0045C298 mov eax,dword ptr ss:[ebp-0x4] "3456f3b715cab9553c8aaff743c61562a308"0045C29B call <reg.unknown_libname_78> 取长度0x240045C2A0 mov esi,eax 0045C2A2 sar esi,0x1 结果0x120045C2A4 jns reg.45C2A9 0045C2A6 adc esi,0x0 0045C2A9 test esi,esi 0045C2AB jle reg.45C2F2 0045C2AD mov edi,0x1 0045C2B2 lea ebx,dword ptr ss:[ebp-0x108] 0045C2B8 push 0x1F4 0045C2BD lea eax,dword ptr ss:[ebp-0x10C] 0045C2C3 push eax 0045C2C4 mov eax,edi 0045C2C6 dec eax 0045C2C7 mov edx,eax 0045C2C9 add edx,edx 0045C2CB inc edx 0045C2CC mov ecx,0x2 0045C2D1 mov eax,dword ptr ss:[ebp-0x4] "3456f3b715cab9553c8aaff743c61562a308"0045C2D4 call <reg.Delphi_Copy_404880> 从edx位取2位0045C2D9 mov eax,dword ptr ss:[ebp-0x10C] 取出的2位0045C2DF xor ecx,ecx 0045C2E1 mov edx,0x10 0045C2E6 call <reg.sub_45C118> StrToInt0045C2EB mov byte ptr ds:[ebx],al 0045C2ED inc edi 0045C2EE inc ebx 0045C2EF dec esi 0045C2F0 jne reg.45C2B8 以上循环将字符串转为数字0045C2F2 mov eax,dword ptr ss:[ebp-0x4] "3456f3b715cab9553c8aaff743c61562a308"0045C2F5 call <reg.unknown_libname_78> 取长度0x240045C2FA sar eax,0x1 0045C2FC jns reg.45C301 0045C2FE adc eax,0x0 0045C301 lea edx,dword ptr ss:[ebp-0x108] 0x3456f3b715cab9553c8aaff743c61562a3080045C307 mov ecx,eax 0045C309 mov eax,0xFF 0045C30E xchg edx,eax 0045C30F call reg.45C09C 将eax按位读取,与dl最后1位亦或为1则(dl^0x18)1||0x80(dl初始0)0045C314 mov ebx,eax 0045C316 mov ecx,dword ptr ss:[ebp-0x8] 0045C319 xor eax,eax 0045C31B mov al,bl 0045C31D mov edx,0x2 0045C322 call <reg.@Sysutils@IntToHex$qqrii> 将上面Call结果转为16进制字符串
到这里涉及计算的部分就结束了,剩下的部分就是把前面的计算结果拼起来,生成16位字符串,最后转换成大写的序列号。
最后写注册机,想起原来看到过一个aardio的国人开发的小巧的编程语言,早就想试试,就用他吧。于是花了半天时间学习了一下语法,敲下了总共三十行代码,边学边做平均五分钟一行的速度,是不是太笨了?不过出来的东西感觉还不错,是我喜欢的简洁明了。
注册机代码:
[C] 纯文本查看 复制代码
function ToHex(src){ var data = 0; len = string.len(src); for(i = 1; len; 2){ one = tonumber('0x' + string.slice(src, i, i + 1,)); for(j = 1; 8){ if((((one (j - 1)) & 1) ^ (data & 1)) == 1){ data = ((data ^ 0x18) 1) | 0x80; } else{ data = data 1; } } } return string.format("%02X",data);}mainForm.button.oncommand = function(id,event){ if(mainForm.edit.text == ''){mainForm.edit2.text = '请输入用户名';} else{ usermd5 = crypt.md5(mainForm.edit.text, 0); datemd5 = crypt.md5('110512', 0); catmd5 = crypt.md5(usermd5 + datemd5); Key = ToHex('3456' + usermd5); Key = Key + '3456' + string.slice(crypt.md5('3456' + Key), 8, 9) + string.slice(catmd5,8,8) + string.slice(catmd5,15,15) + ToHex(usermd5 + catmd5) + string.slice(catmd5,24,24) + string.slice(catmd5,12,12) + ToHex(datemd5 + catmd5); mainForm.edit2.text = Key; file = io.open('reg.dll', 'w'); file.write('UserName=', mainForm.edit.text, '\n'); file.write('SN=', Key, '\n'); file.close(); }}
编译好后,验证一下,注册机输入用户名,生成注册码后自动生成注册需要的reg.dll文件(其实就是个文本文件)。
4.jpg
reg.dll复制到CrackMe同目录,运行CrackMe,大功告成!
5.jpg
附件包含CrackMe及注册机。
007.rar2022-10-5 03:52 上传点击文件名下载附件
下载积分: 吾爱币 -1 CB
下一篇:微信清理大师(垃圾清理工具)