系统 : Windows xp
程序 : k4n2
程序下载地址 :http://pan.baidu.com/s/1sklslvJ
要求 : 注册机编写
使用工具 : IDA Pro & OD
“PEDIY CrackMe 2007”中关于此程序的破文标题为“Borland C++写的Crackme的算法分析(适合新手)”,可在“搜索”标签下查找。
使用IDA载入程序,根据成功/失败的字符串提示找到关键代码,本程序中关键代码在401052处:
00401052 |. B9 19000000 mov ecx, 19
00401057 |. F3:A5 rep movs dword ptr es:[edi], dword ptr [esi] ; edi的值在这里确定下来,0012F538
00401059 |. 33C0 xor eax, eax
0040105B |. 8945 C4 mov dword ptr [ebp-3C], eax
0040105E |. 33D2 xor edx, edx
00401060 |. 8955 C0 mov dword ptr [ebp-40], edx
00401063 |. 33C9 xor ecx, ecx
00401065 |. 894D BC mov dword ptr [ebp-44], ecx
00401068 |. 33C0 xor eax, eax
0040106A |. 8945 B8 mov dword ptr [ebp-48], eax
0040106D |. 33D2 xor edx, edx
0040106F |. 8955 B4 mov dword ptr [ebp-4C], edx
00401072 |. 33C9 xor ecx, ecx
00401074 |. 894D B0 mov dword ptr [ebp-50], ecx
00401077 |. 33C0 xor eax, eax
00401079 |. 8945 AC mov dword ptr [ebp-54], eax
0040107C |. 33D2 xor edx, edx
0040107E |. 8955 A8 mov dword ptr [ebp-58], edx
00401081 |. 6A 66 push 66 ; /ControlID = 66 (102.)
00401083 |. 53 push ebx ; |hWnd
00401084 |. E8 D99C0000 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
00401089 |. 6A 64 push 64 ; /Count = 64 (100.)
0040108B |. 8D8D 44FFFFFF lea ecx, dword ptr [ebp-BC] ; |
00401091 |. 51 push ecx ; |Buffer
00401092 |. 50 push eax ; |hWnd
00401093 |. E8 D69C0000 call <jmp.&USER32.GetWindowTextA> ; \GetWindowTextA
00401098 |. 6A 68 push 68 ; /ControlID = 68 (104.)
0040109A |. 53 push ebx ; |hWnd
0040109B |. E8 C29C0000 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
004010A0 |. 6A 64 push 64 ; /Count = 64 (100.)
004010A2 |. 8D95 E0FEFFFF lea edx, dword ptr [ebp-120] ; |
004010A8 |. 52 push edx ; |Buffer
004010A9 |. 50 push eax ; |hWnd
004010AA |. E8 BF9C0000 call <jmp.&USER32.GetWindowTextA> ; \GetWindowTextA
004010AF |. 6A 67 push 67 ; /ControlID = 67 (103.)
004010B1 |. 53 push ebx ; |hWnd
004010B2 |. E8 AB9C0000 call <jmp.&USER32.GetDlgItem> ; \GetDlgItem
004010B7 |. 8945 FC mov dword ptr [ebp-4], eax
004010BA |. 8D85 44FFFFFF lea eax, dword ptr [ebp-BC]
004010C0 |. 50 push eax
004010C1 |. E8 2A060000 call 004016F0
004010C6 |. 59 pop ecx
004010C7 |. 8945 D4 mov dword ptr [ebp-2C], eax
004010CA |. 8D8D E0FEFFFF lea ecx, dword ptr [ebp-120]
004010D0 |. 51 push ecx
004010D1 |. E8 1A060000 call 004016F0
004010D6 |. 59 pop ecx
004010D7 |. 68 EAB04000 push 0040B0EA
004010DC |. E8 0F060000 call 004016F0
004010E1 |. 59 pop ecx
004010E2 |. 68 0EB14000 push 0040B10E
004010E7 |. E8 04060000 call 004016F0
004010EC |. 59 pop ecx
004010ED |. 837D D4 03 cmp dword ptr [ebp-2C], 3 ; 用户名字串长度<=3 ,则跳转
004010F1 |. 0F8E 38010000 jle 0040122F ; 是则跳转到出错函数
004010F7 |. 33D2 xor edx, edx
004010F9 |. 33DB xor ebx, ebx
004010FB |. 8B55 D4 mov edx, dword ptr [ebp-2C] ; edx = 长度
004010FE |. 0155 C4 add dword ptr [ebp-3C], edx ; 长度赋给变量3C(假设有这么个变量)
00401101 |. 0155 C4 add dword ptr [ebp-3C], edx ; 变量 = 长度 * 2
00401104 |. 8BC2 mov eax, edx
00401106 |. 83C0 05 add eax, 5 ; eax = 长度+5
00401109 |. 8945 B8 mov dword ptr [ebp-48], eax ; 结果保存至变量48(假设)
0040110C |. 33C0 xor eax, eax
0040110E |. 8BCF mov ecx, edi
00401110 |. 83C1 04 add ecx, 4
00401113 |. 894D B4 mov dword ptr [ebp-4C], ecx ; 变量4C(假设)的值=0012F538+4
00401116 |. 33C9 xor ecx, ecx
00401118 |. 0155 BC add dword ptr [ebp-44], edx
0040111B |. 017D BC add dword ptr [ebp-44], edi ; 变量44(假设)=用户名字串长度+edi(0012F538)
0040111E |. 6BFF 03 imul edi, edi, 3
00401121 |. 897D C0 mov dword ptr [ebp-40], edi ; 变量40(假设)=0012F538*3
00401124 |. 33FF xor edi, edi
00401126 |. 0FBE8C05 44FF>movsx ecx, byte ptr [ebp+eax-BC] ; 取字符串首个字符
0040112E |. 83F9 61 cmp ecx, 61 ; 如果该字符不是小写字母或是‘{}|~’
00401131 |. 7C 07 jl short 0040113A ; 则跳转进入子程序进行一些操作
00401133 |. 90 nop
00401134 |. 90 nop
00401135 |. 90 nop
00401136 |. 90 nop
00401137 |. 83E9 20 sub ecx, 20 ; 是小写字母则转换为大写
0040113A |> 8BF1 mov esi, ecx
0040113C |. 03DE add ebx, esi
0040113E |. 0FAFD9 imul ebx, ecx
00401141 |. 4A dec edx
00401142 |> 0FBE8C2F 44FF>/movsx ecx, byte ptr [edi+ebp-BC] ; 遍历用户名字符串,该指令取前一个字符
0040114A |. 0FBEB42F 45FF>|movsx esi, byte ptr [edi+ebp-BB] ; 该指令取出后一个字符
00401152 |. 83F9 61 |cmp ecx, 61 ; 如果前一个字符是小写字母,则跳转
00401155 |. 7D 12 |jge short 00401169 ; 将字符转换为大写
00401157 |. 90 |nop
00401158 |. 90 |nop
00401159 |. 90 |nop
0040115A |. 90 |nop
0040115B |> 83FE 61 |cmp esi, 61 ; 如果后一个字符是小写字母,则跳转
0040115E |. 7D 0E |jge short 0040116E
00401160 |. 90 |nop
00401161 |. 90 |nop
00401162 |. 90 |nop
00401163 |. 90 |nop
00401164 |. EB 0B |jmp short 00401171
00401166 | 90 |nop
00401167 | 90 |nop
00401168 | 90 |nop
00401169 |> 83E9 20 |sub ecx, 20
0040116C |.^ EB ED |jmp short 0040115B
0040116E |> 83EE 20 |sub esi, 20 ; 将字符转换为大写
00401171 |> 47 |inc edi ; 索引变量自增
00401172 |. 03DE |add ebx, esi ; 对ebx进行一些操作。。
00401174 |. 0FAFD9 |imul ebx, ecx
00401177 |. 4A |dec edx ; 循环变量自减
00401178 |.^ 75 C8 \jnz short 00401142
0040117A |. 895D C8 mov dword ptr [ebp-38], ebx ; 循环的目的看似是转换大小写,其实是对ebx的值做调整,最后保存至变量38(假设)
0040117D |. 33C9 xor ecx, ecx
0040117F |. 33D2 xor edx, edx
00401181 |. 33DB xor ebx, ebx
00401183 |. 33C0 xor eax, eax
00401185 |. 837D D4 32 cmp dword ptr [ebp-2C], 32 ; 如果用户名字串长度大于等于32h,则跳转
00401189 |. 0F8D A0000000 jge 0040122F ; 是则跳转到出错函数
0040118F |> 0FBE840D 44FF>/movsx eax, byte ptr [ebp+ecx-BC] ; 遍历用户名字符串
00401197 |. 03C1 |add eax, ecx ; 加上循环变量
00401199 |. 03D8 |add ebx, eax ; 累加的值存入ebx
0040119B |. 41 |inc ecx
0040119C |. 3B4D D4 |cmp ecx, dword ptr [ebp-2C]
0040119F |.^ 75 EE \jnz short 0040118F
004011A1 |. D1C0 rol eax, 1 ; 把eax循环左移1次,每次从最高位(最左)移出的数据位都补充到最低位
004011A3 |. 35 40E20100 xor eax, 1E240 ; 将eax与1E240h异或
004011A8 |. 8945 B0 mov dword ptr [ebp-50], eax ; 保存至变量50(假设)
004011AB |. 33C9 xor ecx, ecx
004011AD |. 33D2 xor edx, edx
004011AF |. 33DB xor ebx, ebx
004011B1 |. 33C0 xor eax, eax
004011B3 |> 0FBE840D 44FF>/movsx eax, byte ptr [ebp+ecx-BC] ; 遍历用户名字符串
004011BB |. 6BD0 06 |imul edx, eax, 6 ; edx = eax * 6
004011BE |. 33C2 |xor eax, edx
004011C0 |. 03D8 |add ebx, eax
004011C2 |. 41 |inc ecx
004011C3 |. 3B4D D4 |cmp ecx, dword ptr [ebp-2C]
004011C6 |.^ 75 EB \jnz short 004011B3
004011C8 |. 035D B0 add ebx, dword ptr [ebp-50] ; 结果加上变量50(假设)
004011CB |. 895D AC mov dword ptr [ebp-54], ebx ; 保存至变量54(假设)
004011CE |. FF75 C0 push dword ptr [ebp-40]
004011D1 |. FF75 C4 push dword ptr [ebp-3C]
004011D4 |. FF75 BC push dword ptr [ebp-44]
004011D7 |. FF75 C8 push dword ptr [ebp-38]
004011DA |. FF75 B4 push dword ptr [ebp-4C]
004011DD |. FF75 B8 push dword ptr [ebp-48]
004011E0 |. FF75 AC push dword ptr [ebp-54]
004011E3 |. FF75 B0 push dword ptr [ebp-50]
004011E6 |. 68 38B44000 push 0040B438 ; ASCII "%lX%lu-%lu%lX-%lu%lu-%lX%lX"
004011EB |. 8D85 7CFEFFFF lea eax, dword ptr [ebp-184]
004011F1 |. 50 push eax
004011F2 |. E8 8D3D0000 call 00404F84 ; 将数据按照格式保存至ebp-184
004011F7 |. 83C4 28 add esp, 28 ; 平衡堆栈
004011FA |. 8D95 7CFEFFFF lea edx, dword ptr [ebp-184]
00401200 |. 52 push edx ; /String2
00401201 |. 8D8D E0FEFFFF lea ecx, dword ptr [ebp-120] ; |
00401207 |. 51 push ecx ; |String1
00401208 |. E8 399C0000 call <jmp.&KERNEL32.lstrcmpA> ; \lstrcmpA
0040120D |. 85C0 test eax, eax
0040120F |. 75 0F jnz short 00401220
00401211 |. 68 54B44000 push 0040B454 ; /Text = "Congratulations! IF this number comes *FROM YOUR* keygen, Write a tutorial dude ;)."
00401216 |. FF75 FC push dword ptr [ebp-4] ; |hWnd
00401219 |. E8 2C9B0000 call <jmp.&USER32.SetWindowTextA> ; \SetWindowTextA
0040121E |. EB 1C jmp short 0040123C
00401220 |> 68 A8B44000 push 0040B4A8 ; /Text = "This serial is *NOT* Valid!! Try again... : UNREGISTERED"
00401225 |. FF75 FC push dword ptr [ebp-4] ; |hWnd
00401228 |. E8 1D9B0000 call <jmp.&USER32.SetWindowTextA> ; \SetWindowTextA
0040122D |. EB 0D jmp short 0040123C
0040122F |> 68 E1B44000 push 0040B4E1 ; /Text = "Name must contain more than 3 chars!"
00401234 |. FF75 FC push dword ptr [ebp-4] ; |hWnd
00401237 |. E8 0E9B0000 call <jmp.&USER32.SetWindowTextA> ; \SetWindowTextA
好了,算法到这里分析完毕,我们根据加密算法开始编写注册机吧!
复制一份http://www.cnblogs.com/ZRBYYXDM/p/5002789.html中搭建的MFC窗口程序,打开并修改OnOk函数如下:
void CSerialNumber_KeygenDlg::OnOK()
{
// TODO: Add extra validation here
CString str;
GetDlgItem( IDC_EDIT_NAME )->GetWindowText( str ); //获取用户名
int len = str.GetLength(); //获取长度
if ( len <= 3 || len >= 50 )
MessageBox( "用户名必须长度大于3、小于50!" );
else
{
unsigned int Serial[8] = { 0,0,0,0,0,0,0,0 }; //存放组成密钥的字串。
Serial[0] += (str[len - 1] + len - 1); //变量50
__asm {
push eax
mov eax,Serial[0]
rol eax,1
mov Serial[0],eax
pop eax
}
Serial[0] ^= 0x1E240;
int i = 0;
for ( i = 0 ; i != len ; i++ ) //变量54
Serial[1] += (str[i] * 6) ^ str[i];
Serial[1] += Serial[0];
Serial[2] = len + 5; //变量48
Serial[3] = 0x12F538+4; //变量4C
//变量38
if ( str[0] >= 0x61 ) //如果第一个字符是小写字符
Serial[4] = str[0] - 0x20;
else
Serial[4] = str[0];
Serial[4] *= Serial[4];
str.MakeUpper(); //将小写转换为大写。
for ( i = 0 ; i != (len - 1) ; i++ ){
Serial[4] += str[i + 1];
Serial[4] *= str[i];
}
Serial[5] = len + 0x12F538; //变量44
Serial[6] = len * 2; //变量3C
Serial[7] = 0x12F538 * 3; //变量40
CString res;
res.Format( _T("%lX%lu-%lu%lX-%lu%lu-%lX%lX"),Serial[0],Serial[1],
Serial[2],Serial[3],Serial[4],Serial[5],Serial[6],Serial[7] );
GetDlgItem( IDC_EDIT_Number )->SetWindowText( res );
}
//CDialog::OnOK(); //屏蔽基类OnOk函数
}
再在OnInitDialog中添加此代码修改标题:SetWindowText(_T("k4n2_Keygen"));
运行程序,并将解密得到的序列号黏贴至k4n2程序中,单击check。。。
效果拔群:
时间: 2024-08-24 20:08:06