
[CrackMe]CFF CrackMe4的分析

2011-2-8 11:10
7461
【破文标题】CFF CrackMe4的分析
【破文作者】Fcrane
【作者邮箱】delcpp@gmail.com
【破解工具】OD
【破解平台】windows xp sp3
【软件名称】CrackMe#4.exe
【软件大小】180 KB (184,832 字节)
【保护方式】UPX
【下载地址】见附件,一个脱壳了,一个没有
------------------------------------------------------------------------------------------------
【破解声明】非常简单的一个Crackme,高手请无视....
------------------------------------------------------------------------------------------------
【破解过程】
一、查壳
UPX 0.89.6 - 1.02 / 1.05 - 2.90 (Delphi) stub -> Markus & Laszlo
二、脱壳
使用peid自带的通用脱壳器脱壳。检测到入口点为00458250。脱壳后正常工作。
三、算法研究:
使用字符串查找功能,找到"Congratz !"字符串。
双击来到00457E37处。
向上看,到这一段程序的起始位置00457BAC。
四、代码分析:

 
; Check-button handler of the unpacked CrackMe#4, 00457BAC-00457E89 (Delphi-style code).
; eax on entry is presumably the form object (kept in ebx); the two edit controls live at
; [ebx+2D8] (name) and [ebx+2DC] (serial). The expected serial is
;   2 * sum(first six name bytes, zero-extended) + 2 * len(name)
; converted to a string (00407744, presumably an integer-to-string routine - confirm) and
; compared with the entered serial at 00457E2E. NOTE: the empty-name, empty-serial and
; "too short" checks only raise a dialog; none of them aborts the routine, so the
; comparison at the end is always reached.
00457BAC  /.  55            push    ebp
00457BAD  |.  8BEC          mov     ebp, esp
00457BAF  |.  33C9          xor     ecx, ecx
00457BB1  |.  51            push    ecx                              ;  seven zeroed locals: [ebp-4] .. [ebp-1C], string temporaries
00457BB2  |.  51            push    ecx
00457BB3  |.  51            push    ecx
00457BB4  |.  51            push    ecx
00457BB5  |.  51            push    ecx
00457BB6  |.  51            push    ecx
00457BB7  |.  51            push    ecx
00457BB8  |.  53            push    ebx
00457BB9  |.  56            push    esi
00457BBA  |.  8BD8          mov     ebx, eax                         ;  ebx = object passed in eax (presumably the form - confirm)
00457BBC  |.  33C0          xor     eax, eax
00457BBE  |.  55            push    ebp                              ;  install an exception frame via fs:[0] (handler 00457E8A)
00457BBF  |.  68 8A7E4500   push    00457E8A
00457BC4  |.  64:FF30       push    dword ptr fs:[eax]
00457BC7  |.  64:8920       mov     dword ptr fs:[eax], esp
00457BCA  |.  8D55 FC       lea     edx, dword ptr [ebp-4]
00457BCD  |.  8B83 D8020000 mov     eax, dword ptr [ebx+2D8]         ;  name control; 00423EE0 presumably copies its text into [ebp-4] - confirm
00457BD3  |.  E8 08C3FCFF   call    00423EE0
00457BD8  |.  837D FC 00    cmp     dword ptr [ebp-4], 0             ;  is the entered name empty (nil string)?
00457BDC  |.  75 18         jnz     short 00457BF6                   ;  if empty, show the prompt dialog; execution then falls through to the serial check (no abort)
00457BDE  |.  6A 00         push    0
00457BE0  |.  B9 987E4500   mov     ecx, 00457E98                    ;  ASCII "Enter your Name !"
00457BE5  |.  BA AC7E4500   mov     edx, 00457EAC                    ;  ASCII "You must enter your Name !"
00457BEA  |.  A1 98A54500   mov     eax, dword ptr [45A598]
00457BEF  |.  8B00          mov     eax, dword ptr [eax]
00457BF1  |.  E8 3A85FEFF   call    00440130                         ;  message dialog (title in ecx, text in edx) - presumably; confirm
00457BF6  |>  8D55 FC       lea     edx, dword ptr [ebp-4]
00457BF9  |.  8B83 DC020000 mov     eax, dword ptr [ebx+2DC]         ;  serial control
00457BFF  |.  E8 DCC2FCFF   call    00423EE0
00457C04  |.  837D FC 00    cmp     dword ptr [ebp-4], 0             ;  is the entered serial empty?
00457C08  |.  75 18         jnz     short 00457C22                   ;  if empty, show the prompt dialog; again no abort
00457C0A  |.  6A 00         push    0
00457C0C  |.  B9 C87E4500   mov     ecx, 00457EC8                    ;  ASCII "Enter a Serial !"
00457C11  |.  BA DC7E4500   mov     edx, 00457EDC                    ;  ASCII "You must enter a Serial !"
00457C16  |.  A1 98A54500   mov     eax, dword ptr [45A598]
00457C1B  |.  8B00          mov     eax, dword ptr [eax]
00457C1D  |.  E8 0E85FEFF   call    00440130
00457C22  |>  33C0          xor     eax, eax                         ;  eax=0
00457C24  |.  A3 40B84500   mov     dword ptr [45B840], eax          ;  [45B840] = 0 (accumulator; stays 0 on the "too short" path)
00457C29  |.  8D55 FC       lea     edx, dword ptr [ebp-4]
00457C2C  |.  8B83 D8020000 mov     eax, dword ptr [ebx+2D8]
00457C32  |.  E8 A9C2FCFF   call    00423EE0
00457C37  |.  8B45 FC       mov     eax, dword ptr [ebp-4]
00457C3A  |.  E8 F9BFFAFF   call    00403C38
00457C3F  |.  A3 44B84500   mov     dword ptr [45B844], eax          ;  eax = the entered name, kept in [45B844]
00457C44  |.  A1 44B84500   mov     eax, dword ptr [45B844]
00457C49  |.  E8 82FDFAFF   call    004079D0                         ;  compute the name length
00457C4E  |.  83F8 06       cmp     eax, 6                           ;  name must be at least 6 chars, otherwise show a dialog
00457C51  |.  73 1D         jnb     short 00457C70
00457C53  |.  6A 00         push    0
00457C55  |.  B9 F87E4500   mov     ecx, 00457EF8                    ;  ASCII "Name too short !"
00457C5A  |.  BA 0C7F4500   mov     edx, 00457F0C                    ;  ASCII "Your Name must be at least 6 Chars long !"
00457C5F  |.  A1 98A54500   mov     eax, dword ptr [45A598]
00457C64  |.  8B00          mov     eax, dword ptr [eax]
00457C66  |.  E8 C584FEFF   call    00440130
00457C6B  |.  E9 59010000   jmp     00457DC9                         ;  skips the per-character sum only; the length term and the comparison at 00457E2E still run
00457C70  |>  8D55 FC       lea     edx, dword ptr [ebp-4]
00457C73  |.  8B83 D8020000 mov     eax, dword ptr [ebx+2D8]
00457C79  |.  E8 62C2FCFF   call    00423EE0
00457C7E  |.  8B45 FC       mov     eax, dword ptr [ebp-4]           ;  eax = name
00457C81  |.  BA 01000000   mov     edx, 1                           ;  1-based index of the character to read
00457C86  |.  4A            dec     edx
00457C87  |.  3B50 FC       cmp     edx, dword ptr [eax-4]           ;  bounds check against [eax-4] (presumably the string length field - confirm)
00457C8A  |.  72 05         jb      short 00457C91
00457C8C  |.  E8 F3AEFAFF   call    00402B84                         ;  reached only when the index is out of range (runtime error stub, inferred from the jb guard)
00457C91  |>  42            inc     edx
00457C92  |.  0FB64410 FF   movzx   eax, byte ptr [eax+edx-1]        ;  ASCII value of the 1st name character (zero-extended, so bytes >= 80h count as unsigned)
00457C97  |.  6BF0 02       imul    esi, eax, 2                      ;  esi = first character value * 2
00457C9A  |.  71 05         jno     short 00457CA1
00457C9C  |.  E8 EBAEFAFF   call    00402B8C                         ;  reached only on signed overflow (inferred from the jno guard); same for every 00402B8C below
00457CA1  |>  8D55 F8       lea     edx, dword ptr [ebp-8]
00457CA4  |.  8B83 D8020000 mov     eax, dword ptr [ebx+2D8]
00457CAA  |.  E8 31C2FCFF   call    00423EE0
00457CAF  |.  8B45 F8       mov     eax, dword ptr [ebp-8]
00457CB2  |.  BA 02000000   mov     edx, 2
00457CB7  |.  4A            dec     edx
00457CB8  |.  3B50 FC       cmp     edx, dword ptr [eax-4]
00457CBB  |.  72 05         jb      short 00457CC2
00457CBD  |.  E8 C2AEFAFF   call    00402B84
00457CC2  |>  42            inc     edx
00457CC3  |.  0FB64410 FF   movzx   eax, byte ptr [eax+edx-1]        ;  ASCII value of the 2nd name character
00457CC8  |.  6BC0 02       imul    eax, eax, 2                      ;  second character value * 2
00457CCB  |.  71 05         jno     short 00457CD2
00457CCD  |.  E8 BAAEFAFF   call    00402B8C
00457CD2  |>  03F0          add     esi, eax
00457CD4  |.  71 05         jno     short 00457CDB
00457CD6  |.  E8 B1AEFAFF   call    00402B8C
00457CDB  |>  8D55 F4       lea     edx, dword ptr [ebp-C]
00457CDE  |.  8B83 D8020000 mov     eax, dword ptr [ebx+2D8]
00457CE4  |.  E8 F7C1FCFF   call    00423EE0
00457CE9  |.  8B45 F4       mov     eax, dword ptr [ebp-C]
00457CEC  |.  BA 03000000   mov     edx, 3
00457CF1  |.  4A            dec     edx
00457CF2  |.  3B50 FC       cmp     edx, dword ptr [eax-4]
00457CF5  |.  72 05         jb      short 00457CFC
00457CF7  |.  E8 88AEFAFF   call    00402B84
00457CFC  |>  42            inc     edx
00457CFD  |.  0FB64410 FF   movzx   eax, byte ptr [eax+edx-1]        ;  ASCII value of the 3rd name character
00457D02  |.  6BC0 02       imul    eax, eax, 2                      ;  third character value * 2
00457D05  |.  71 05         jno     short 00457D0C
00457D07  |.  E8 80AEFAFF   call    00402B8C
00457D0C  |>  03F0          add     esi, eax
00457D0E  |.  71 05         jno     short 00457D15
00457D10  |.  E8 77AEFAFF   call    00402B8C
00457D15  |>  8D55 F0       lea     edx, dword ptr [ebp-10]
00457D18  |.  8B83 D8020000 mov     eax, dword ptr [ebx+2D8]
00457D1E  |.  E8 BDC1FCFF   call    00423EE0
00457D23  |.  8B45 F0       mov     eax, dword ptr [ebp-10]
00457D26  |.  BA 04000000   mov     edx, 4
00457D2B  |.  4A            dec     edx
00457D2C  |.  3B50 FC       cmp     edx, dword ptr [eax-4]
00457D2F  |.  72 05         jb      short 00457D36
00457D31  |.  E8 4EAEFAFF   call    00402B84
00457D36  |>  42            inc     edx
00457D37  |.  0FB64410 FF   movzx   eax, byte ptr [eax+edx-1]        ;  4th character
00457D3C  |.  6BC0 02       imul    eax, eax, 2
00457D3F  |.  71 05         jno     short 00457D46
00457D41  |.  E8 46AEFAFF   call    00402B8C
00457D46  |>  03F0          add     esi, eax
00457D48  |.  71 05         jno     short 00457D4F
00457D4A  |.  E8 3DAEFAFF   call    00402B8C
00457D4F  |>  8D55 EC       lea     edx, dword ptr [ebp-14]
00457D52  |.  8B83 D8020000 mov     eax, dword ptr [ebx+2D8]
00457D58  |.  E8 83C1FCFF   call    00423EE0
00457D5D  |.  8B45 EC       mov     eax, dword ptr [ebp-14]
00457D60  |.  BA 05000000   mov     edx, 5
00457D65  |.  4A            dec     edx
00457D66  |.  3B50 FC       cmp     edx, dword ptr [eax-4]
00457D69  |.  72 05         jb      short 00457D70
00457D6B  |.  E8 14AEFAFF   call    00402B84
00457D70  |>  42            inc     edx
00457D71  |.  0FB64410 FF   movzx   eax, byte ptr [eax+edx-1]        ;  5th character
00457D76  |.  6BC0 02       imul    eax, eax, 2
00457D79  |.  71 05         jno     short 00457D80
00457D7B  |.  E8 0CAEFAFF   call    00402B8C
00457D80  |>  03F0          add     esi, eax
00457D82  |.  71 05         jno     short 00457D89
00457D84  |.  E8 03AEFAFF   call    00402B8C
00457D89  |>  8D55 E8       lea     edx, dword ptr [ebp-18]
00457D8C  |.  8B83 D8020000 mov     eax, dword ptr [ebx+2D8]
00457D92  |.  E8 49C1FCFF   call    00423EE0
00457D97  |.  8B45 E8       mov     eax, dword ptr [ebp-18]
00457D9A  |.  BA 06000000   mov     edx, 6
00457D9F  |.  4A            dec     edx
00457DA0  |.  3B50 FC       cmp     edx, dword ptr [eax-4]
00457DA3  |.  72 05         jb      short 00457DAA
00457DA5  |.  E8 DAADFAFF   call    00402B84
00457DAA  |>  42            inc     edx
00457DAB  |.  0FB64410 FF   movzx   eax, byte ptr [eax+edx-1]        ;  6th character
00457DB0  |.  6BC0 02       imul    eax, eax, 2
00457DB3  |.  71 05         jno     short 00457DBA
00457DB5  |.  E8 D2ADFAFF   call    00402B8C
00457DBA  |>  03F0          add     esi, eax                         ;  esi = sum of (character value * 2) over the first six characters
00457DBC  |.  71 05         jno     short 00457DC3
00457DBE  |.  E8 C9ADFAFF   call    00402B8C
00457DC3  |>  8935 40B84500 mov     dword ptr [45B840], esi          ;  store esi at ds:[0045B840]
00457DC9  |>  A1 44B84500   mov     eax, dword ptr [45B844]          ;  join point for the "too short" path; eax = name
00457DCE  |.  E8 FDFBFAFF   call    004079D0                         ;  eax = string length
00457DD3  |.  6BC0 02       imul    eax, eax, 2                      ;  length * 2
00457DD6  |.  73 05         jnb     short 00457DDD
00457DD8  |.  E8 AFADFAFF   call    00402B8C
00457DDD  |>  33D2          xor     edx, edx                         ;  push the length term as a 64-bit value (edx:eax)
00457DDF  |.  52            push    edx
00457DE0  |.  50            push    eax
00457DE1  |.  A1 40B84500   mov     eax, dword ptr [45B840]          ;  load ds:[0045B840] into eax, i.e. eax = esi (0 on the "too short" path)
00457DE6  |.  99            cdq                                      ;  sign-extend to edx:eax
00457DE7  |.  030424        add     eax, dword ptr [esp]             ;  eax = accumulator + length term (64-bit add)
00457DEA  |.  135424 04     adc     edx, dword ptr [esp+4]
00457DEE  |.  71 05         jno     short 00457DF5
00457DF0  |.  E8 97ADFAFF   call    00402B8C
00457DF5  |>  83C4 08       add     esp, 8
00457DF8  |.  50            push    eax                              ;  verify the 64-bit result fits in 32 bits: high dword must equal sign of low dword
00457DF9  |.  C1F8 1F       sar     eax, 1F
00457DFC  |.  3BC2          cmp     eax, edx
00457DFE  |.  58            pop     eax
00457DFF  |.  74 05         je      short 00457E06
00457E01  |.  E8 7EADFAFF   call    00402B84
00457E06  |>  A3 40B84500   mov     dword ptr [45B840], eax          ;  [45B840] = final numeric serial
00457E0B  |.  8D55 E4       lea     edx, dword ptr [ebp-1C]
00457E0E  |.  A1 40B84500   mov     eax, dword ptr [45B840]
00457E13  |.  E8 2CF9FAFF   call    00407744                         ;  build the serial: number in eax -> string at [ebp-1C] (presumably IntToStr - confirm)
00457E18  |.  8B45 E4       mov     eax, dword ptr [ebp-1C]
00457E1B  |.  50            push    eax                              ;  the correct serial
00457E1C  |.  8D55 FC       lea     edx, dword ptr [ebp-4]
00457E1F  |.  8B83 DC020000 mov     eax, dword ptr [ebx+2DC]
00457E25  |.  E8 B6C0FCFF   call    00423EE0
00457E2A  |.  8B55 FC       mov     edx, dword ptr [ebp-4]           ;  the entered (candidate) serial
00457E2D  |.  58            pop     eax
00457E2E  |.  E8 51BDFAFF   call    00403B84                         ;  subroutine comparing the entered serial with the correct one
00457E33  |.  75 1A         jnz     short 00457E4F                   ;  pass/fail branch; the author notes a single patched byte here defeats the check
00457E35  |.  6A 00         push    0
00457E37  |.  B9 387F4500   mov     ecx, 00457F38                    ;  ASCII "Congratz !"
00457E3C  |.  BA 447F4500   mov     edx, 00457F44                    ;  ASCII "You cracked the CFF CrackMe #4 ! Please send your solution to acidbytes@gmx.net !"
00457E41  |.  A1 98A54500   mov     eax, dword ptr [45A598]
00457E46  |.  8B00          mov     eax, dword ptr [eax]
00457E48  |.  E8 E382FEFF   call    00440130
00457E4D  |.  EB 18         jmp     short 00457E67
00457E4F  |>  6A 00         push    0
00457E51  |.  B9 987F4500   mov     ecx, 00457F98                    ;  ASCII "Serial not valid"
00457E56  |.  BA AC7F4500   mov     edx, 00457FAC                    ;  ASCII "The Serial you entered is in any case not valid !"
00457E5B  |.  A1 98A54500   mov     eax, dword ptr [45A598]
00457E60  |.  8B00          mov     eax, dword ptr [eax]
00457E62  |.  E8 C982FEFF   call    00440130
00457E67  |>  33C0          xor     eax, eax                         ;  tear down the fs:[0] exception frame installed at 00457BBE
00457E69  |.  5A            pop     edx
00457E6A  |.  59            pop     ecx
00457E6B  |.  59            pop     ecx
00457E6C  |.  64:8910       mov     dword ptr fs:[eax], edx
00457E6F  |.  68 917E4500   push    00457E91                         ;  return address for the cleanup block below
00457E74  |>  8D45 E4       lea     eax, dword ptr [ebp-1C]          ;  release the string temporaries [ebp-1C] and [ebp-18]..[ebp-4] (presumably Delphi finalization helpers - confirm)
00457E77  |.  E8 7CB9FAFF   call    004037F8
00457E7C  |.  8D45 E8       lea     eax, dword ptr [ebp-18]
00457E7F  |.  BA 06000000   mov     edx, 6
00457E84  |.  E8 93B9FAFF   call    0040381C
00457E89  \.  C3            retn


五、算法研究

5.1 用户名必须大于等于6位。
5.2 取用户名前六个字符,每个字符的ASCII值乘以2,并累加,得到值A
5.3 取用户名长度,乘以2,得到值B
5.4 将A+B,转换成字符串,得到注册码。
六、注册机编写
(VisualC++6.0 下测试通过)

#include <iostream>
#include <string>
using namespace std;
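// Reproduces the target's serial computation:
//   serial = 2 * sum(byte value of name[0..5]) + 2 * length(name)
//
// The target reads each character with movzx (zero-extended), so the bytes
// must be treated as unsigned here: with a plain (signed) char any byte
// >= 0x80 - e.g. a name typed in a multi-byte ANSI code page such as
// Chinese - would be sign-extended and the sum would be wrong.
//
// Precondition: username.length() >= 6 (checked by the caller).
// Returns the serial as an integer; the caller prints it in decimal.
static int compute_serial(const string& username)
{
    int sum = 0;
    for (int i = 0; i < 6; i++)
    {
        sum += (int)((unsigned char)(username[i])) * 2;
        cout << sum << endl;  // running total, kept from the original keygen output
    }
    // The length term uses the full name length, not just the six summed bytes.
    sum += (int)username.length() * 2;
    return sum;
}

// Entry point: reads one name from stdin and prints the matching serial.
// The name is read with getline so that a name containing spaces is taken
// whole, as the target's edit box does; `cin >> username` stops at the first
// space and would compute a serial for the truncated name.
int main(void)
{
    cout << "Name(>=6 chars):\n";
    string username;
    getline(cin, username);
    int namelen = (int)username.length();

    if (namelen < 6)
    {
        cout << "Name must at least 6 chars";
    }
    else
    {
        cout << "serial is:" << compute_serial(username) << endl;
    }
    return 0;
}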
 


------------------------------------------------------------------------------------------------
【破解总结】
算法不是很麻烦,但是在写注册机的时候,遇到了一些小麻烦。
如果用户输入的用户名是中文,就会计算错误。
因为char类型默认是有符号的,而计算时需要使用无符号的。
这点需要注意一下。


最新回复 (4)
amulin 活跃值 2011-2-22 18:07
感谢分享经验
这个算法不难
elianmeng 活跃值 1 2011-2-23 09:36
能不能逆向一下程序的算法
感觉这样的分析没有什么意思
lykonglong 活跃值 2011-2-23 09:36
特别支持一下!
elianmeng 活跃值 1 2011-2-23 09:37
我说的逆向程序算法是指:根据汇编指令转变成相应的C指令
有点像ida的F5的功能