系统 : Windows xp
程序 : cytom!c‘s
程序下载地址 :http://pan.baidu.com/s/1nulAYBv
要求 : 伪造KeyFile
使用工具 :IDA & OD & Hex Workshop
可在看雪论坛中查找关于此程序的破文:http://bbs.pediy.com/showthread.php?t=30229
IDA载入程序,找出提示破解成功的字串“Valid Key file found!”并定位关键代码:
00426572 . BA 4C674200 mov edx, 0042674C ; ASCII "ctm_cm02.key" 00426577 . 8D85 A8FEFEFF lea eax, dword ptr [ebp+FFFEFEA8] 0042657D . E8 3FD8FDFF call 00403DC1 00426582 . BA 01000000 mov edx, 1 00426587 . 8D85 A8FEFEFF lea eax, dword ptr [ebp+FFFEFEA8] 0042658D . E8 1EDCFDFF call 004041B0 00426592 . E8 4DC1FDFF call 004026E4 00426597 . 85C0 test eax, eax 00426599 . 0F85 66010000 jnz 00426705 0042659F . 8D85 A8FEFEFF lea eax, dword ptr [ebp+FFFEFEA8] 004265A5 . E8 5AD9FDFF call 00403F04 ; CreateFile,并获取长度 004265AA . E8 F9C0FDFF call 004026A8 004265AF . 8945 FC mov dword ptr [ebp-4], eax 004265B2 . 837D FC 00 cmp dword ptr [ebp-4], 0 ; 长度为0? 004265B6 . 75 15 jnz short 004265CD 004265B8 . BA 64674200 mov edx, 00426764 ; ASCII "Key file is empty!" 004265BD . 8B83 B0010000 mov eax, dword ptr [ebx+1B0] 004265C3 . E8 CCB6FEFF call 00411C94 004265C8 . E9 28010000 jmp 004266F5 004265CD > 817D FC 00000>cmp dword ptr [ebp-4], 10000 ; UNICODE "#envTSLOGsss1964=1032992" 004265D4 . 7E 07 jle short 004265DD 004265D6 . C745 FC 00000>mov dword ptr [ebp-4], 10000 ; UNICODE "#envTSLOGsss1964=1032992" 004265DD > 6A 00 push 0 004265DF . 8D95 FCFFFEFF lea edx, dword ptr [ebp+FFFEFFFC] 004265E5 . 8B4D FC mov ecx, dword ptr [ebp-4] 004265E8 . 8D85 A8FEFEFF lea eax, dword ptr [ebp+FFFEFEA8] 004265EE . E8 71D8FDFF call 00403E64 ; 读取文件内容 004265F3 . E8 B0C0FDFF call 004026A8 004265F8 . 53 push ebx 004265F9 . 57 push edi 004265FA . 56 push esi 004265FB . 8D75 FC lea esi, dword ptr [ebp-4] 004265FE . 8B0E mov ecx, dword ptr [esi] 00426600 . 8DB5 FCFFFEFF lea esi, dword ptr [ebp+FFFEFFFC] 00426606 . 8DBD FBFFFEFF lea edi, dword ptr [ebp+FFFEFFFB] 0042660C . 31C0 xor eax, eax 0042660E . 83CA FF or edx, FFFFFFFF 00426611 . 31DB xor ebx, ebx 00426613 . 40 inc eax ; eax = 1 00426614 . F7D2 not edx 00426616 > 8A1C16 mov bl, byte ptr [esi+edx] ; 迭代字串 00426619 . 84DB test bl, bl ; 字符值为0x0? 0042661B . 74 29 je short 00426646 ; 结尾字节设置为0x0才能跳转正确流程 0042661D . E8 16000000 call 00426638 ; 将文件内容写入一段内存 00426622 . 52 push edx 00426623 . F7E3 mul ebx ; eax * 字符值 00426625 . 5A pop edx 00426626 . 35 326D5463 xor eax, 63546D32 ; eax 再进行异或 0042662B . FEC2 inc dl ; 循环变量自增 0042662D . 39CA cmp edx, ecx ; 迭代完毕? 0042662F . 74 42 je short 00426673 00426631 . 80FA FF cmp dl, 0FF ; 迭代了255次? 00426634 . 74 3D je short 00426673 00426636 .^ EB DE jmp short 00426616 00426638 /$ 57 push edi 00426639 |. 8DBD F4FFFEFF lea edi, dword ptr [ebp+FFFEFFF4] 0042663F |. 8B3F mov edi, dword ptr [edi] 00426641 |. 881C17 mov byte ptr [edi+edx], bl 00426644 |. 5F pop edi 00426645 \. C3 retn 00426646 > E8 EDFFFFFF call 00426638 0042664B . 42 inc edx ; 0x0结尾后还要加上4个字节才能跳转正确流程 0042664C . 83C2 04 add edx, 4 0042664F . 39D1 cmp ecx, edx 00426651 . 75 20 jnz short 00426673 00426653 . 83EA 04 sub edx, 4 ; 还原循环变量 00426656 . 85C0 test eax, eax 00426658 . 76 02 jbe short 0042665C 0042665A . D1E8 shr eax, 1 0042665C > 3B0416 cmp eax, dword ptr [esi+edx] ; 与最后的4个字节进行对比 0042665F . 75 09 jnz short 0042666A 00426661 . B8 00000000 mov eax, 0 00426666 . 8907 mov dword ptr [edi], eax 00426668 . EB 10 jmp short 0042667A 0042666A > B8 01000000 mov eax, 1 0042666F . 8907 mov dword ptr [edi], eax 00426671 . EB 07 jmp short 0042667A 00426673 > B8 02000000 mov eax, 2 00426678 . 8907 mov dword ptr [edi], eax 0042667A > 5E pop esi 0042667B . 5F pop edi 0042667C . 5B pop ebx 0042667D . 8A85 FBFFFEFF mov al, byte ptr [ebp+FFFEFFFB] 00426683 . 2C 01 sub al, 1 ; Switch (cases 0..2) 00426685 . 72 08 jb short 0042668F 00426687 . 74 4A je short 004266D3 00426689 . FEC8 dec al 0042668B . 74 58 je short 004266E5 0042668D . EB 66 jmp short 004266F5 0042668F > BA 80674200 mov edx, 00426780 ; ASCII "Valid Key file found!"; Case 0 of switch 00426683 00426694 . 8B83 B0010000 mov eax, dword ptr [ebx+1B0] 0042669A . E8 F5B5FEFF call 00411C94 0042669F . BA A0674200 mov edx, 004267A0 ; ASCII "Registered to: " 004266A4 . 8D85 A4FEFEFF lea eax, dword ptr [ebp+FFFEFEA4] 004266AA . E8 05CCFDFF call 004032B4 004266AF . 8D85 A4FEFEFF lea eax, dword ptr [ebp+FFFEFEA4] 004266B5 . 8B95 F4FFFEFF mov edx, dword ptr [ebp+FFFEFFF4] 004266BB . E8 DCCCFDFF call 0040339C 004266C0 . 8B95 A4FEFEFF mov edx, dword ptr [ebp+FFFEFEA4] 004266C6 . 8B83 C0010000 mov eax, dword ptr [ebx+1C0] 004266CC . E8 C3B5FEFF call 00411C94 004266D1 . EB 22 jmp short 004266F5 004266D3 > BA B8674200 mov edx, 004267B8 ; ASCII "Key file contains wrong serial!"; Case 1 of switch 00426683 004266D8 . 8B83 B0010000 mov eax, dword ptr [ebx+1B0] 004266DE . E8 B1B5FEFF call 00411C94 004266E3 . EB 10 jmp short 004266F5 004266E5 > BA E0674200 mov edx, 004267E0 ; ASCII "Key file is not valid!"; Case 2 of switch 00426683 004266EA . 8B83 B0010000 mov eax, dword ptr [ebx+1B0] 004266F0 . E8 9FB5FEFF call 00411C94 004266F5 > 8D85 A8FEFEFF lea eax, dword ptr [ebp+FFFEFEA8] ; Default case of switch 00426683
总结算法:
1.KeyFile文件名应为“ctm_cm02.key”.
2.KeyFile以用户名开头,用0x0作为用户名的结束符号。若是文件内容为空或者用户名没有用0x0作为结尾,则失败。
3.迭代用户名字串并根据字串的内容生成一个值,将该值与0x0之后的四个字节的数据进行比对,如果相同,则KeyFIle是有效的。
如果用户名为“pediy”,那么相对应的KeyFile内容应该是:
运行效果:
拆解cytom!c's 的keyFile保护
时间: 2024-11-05 15:47:16