系统 : Windows xp
程序 : Crackme-xp
程序下载地址 :http://pan.baidu.com/s/1slUwmVr
要求 : 编写注册机
使用工具 : OD & IDA
可在看雪论坛中查找关于此程序的破文:传送门
这是一个拥有强大反调试机制的cm,无法查询到关键子串、下获取窗口文本的断点没用,设置对按钮下消息断点都没用。
然后用IDA打开后却发现了函数表里有:
。。。。。。。。。。。。。。。。。。
这个懂点英文的人都能看出来是 注册按钮的处理函数吧?所以前面那么多防护机制是为了什么?
直接定位关键代码:
00401444 /. 55 push ebp ; btn_click
00401445 |. 8BEC mov ebp, esp
00401447 |. 81C4 70FFFFFF add esp, -90
0040144D |. 8995 78FFFFFF mov dword ptr [ebp-88], edx
00401453 |. 8985 7CFFFFFF mov dword ptr [ebp-84], eax
00401459 |. B8 04654300 mov eax, 00436504
0040145E |. E8 71CC0200 call 0042E0D4
00401463 |. 66:C745 90 08>mov word ptr [ebp-70], 8
00401469 |. 8D45 FC lea eax, dword ptr [ebp-4]
0040146C |. E8 87050000 call 004019F8
00401471 |. FF45 9C inc dword ptr [ebp-64]
00401474 |. 66:C745 90 14>mov word ptr [ebp-70], 14
0040147A |. 66:C745 90 20>mov word ptr [ebp-70], 20
00401480 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00401483 |. E8 70050000 call 004019F8
00401488 |. FF45 9C inc dword ptr [ebp-64]
0040148B |. 66:C745 90 14>mov word ptr [ebp-70], 14
00401491 |. 66:C745 90 2C>mov word ptr [ebp-70], 2C
00401497 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0040149A |. E8 59050000 call 004019F8
0040149F |. FF45 9C inc dword ptr [ebp-64]
004014A2 |. 66:C745 90 14>mov word ptr [ebp-70], 14
004014A8 |. 66:C745 90 38>mov word ptr [ebp-70], 38
004014AE |. 8D45 F0 lea eax, dword ptr [ebp-10]
004014B1 |. E8 42050000 call 004019F8
004014B6 |. FF45 9C inc dword ptr [ebp-64]
004014B9 |. 66:C745 90 14>mov word ptr [ebp-70], 14
004014BF |. 66:C745 90 44>mov word ptr [ebp-70], 44
004014C5 |. 8D45 EC lea eax, dword ptr [ebp-14]
004014C8 |. E8 2B050000 call 004019F8
004014CD |. FF45 9C inc dword ptr [ebp-64]
004014D0 |. 66:C745 90 14>mov word ptr [ebp-70], 14
004014D6 |. 66:C745 90 50>mov word ptr [ebp-70], 50
004014DC |. 8D45 E8 lea eax, dword ptr [ebp-18]
004014DF |. E8 14050000 call 004019F8
004014E4 |. FF45 9C inc dword ptr [ebp-64]
004014E7 |. 66:C745 90 14>mov word ptr [ebp-70], 14
004014ED |. 66:C745 90 5C>mov word ptr [ebp-70], 5C
004014F3 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
004014F6 |. E8 FD040000 call 004019F8
004014FB |. 8BD0 mov edx, eax
004014FD |. FF45 9C inc dword ptr [ebp-64]
00401500 |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0]
00401506 |. 8B81 F0010000 mov eax, dword ptr [ecx+1F0]
0040150C |. E8 8B940000 call 0040A99C
00401511 |. 8D55 E4 lea edx, dword ptr [ebp-1C]
00401514 |. 8D45 EC lea eax, dword ptr [ebp-14]
00401517 |. E8 0BE20000 call 0040F727
0040151C |. FF4D 9C dec dword ptr [ebp-64]
0040151F |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00401522 |. BA 02000000 mov edx, 2
00401527 |. E8 CCE10000 call 0040F6F8
0040152C |. 66:C745 90 68>mov word ptr [ebp-70], 68
00401532 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00401535 |. E8 BE040000 call 004019F8
0040153A |. 8BD0 mov edx, eax
0040153C |. FF45 9C inc dword ptr [ebp-64]
0040153F |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0]
00401545 |. 8B81 F4010000 mov eax, dword ptr [ecx+1F4]
0040154B |. E8 4C940000 call 0040A99C
00401550 |. 8D55 E0 lea edx, dword ptr [ebp-20]
00401553 |. 8D45 E8 lea eax, dword ptr [ebp-18]
00401556 |. E8 CCE10000 call 0040F727
0040155B |. FF4D 9C dec dword ptr [ebp-64]
0040155E |. 8D45 E0 lea eax, dword ptr [ebp-20]
00401561 |. BA 02000000 mov edx, 2
00401566 |. E8 8DE10000 call 0040F6F8
0040156B |. 66:C745 90 74>mov word ptr [ebp-70], 74
00401571 |. 8D45 DC lea eax, dword ptr [ebp-24]
00401574 |. E8 7F040000 call 004019F8
00401579 |. 8BD0 mov edx, eax
0040157B |. FF45 9C inc dword ptr [ebp-64]
0040157E |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0]
00401584 |. 8B81 D0010000 mov eax, dword ptr [ecx+1D0]
0040158A |. E8 0D940000 call 0040A99C
0040158F |. 8D55 DC lea edx, dword ptr [ebp-24]
00401592 |. 8D45 FC lea eax, dword ptr [ebp-4]
00401595 |. E8 8DE10000 call 0040F727
0040159A |. FF4D 9C dec dword ptr [ebp-64]
0040159D |. 8D45 DC lea eax, dword ptr [ebp-24]
004015A0 |. BA 02000000 mov edx, 2
004015A5 |. E8 4EE10000 call 0040F6F8
004015AA |. 66:C745 90 80>mov word ptr [ebp-70], 80
004015B0 |. 8D45 D8 lea eax, dword ptr [ebp-28]
004015B3 |. E8 40040000 call 004019F8
004015B8 |. 8BD0 mov edx, eax
004015BA |. FF45 9C inc dword ptr [ebp-64]
004015BD |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0]
004015C3 |. 8B81 D4010000 mov eax, dword ptr [ecx+1D4]
004015C9 |. E8 CE930000 call 0040A99C
004015CE |. 8D55 D8 lea edx, dword ptr [ebp-28]
004015D1 |. 8D45 F8 lea eax, dword ptr [ebp-8]
004015D4 |. E8 4EE10000 call 0040F727
004015D9 |. FF4D 9C dec dword ptr [ebp-64]
004015DC |. 8D45 D8 lea eax, dword ptr [ebp-28]
004015DF |. BA 02000000 mov edx, 2
004015E4 |. E8 0FE10000 call 0040F6F8
004015E9 |. 66:C745 90 8C>mov word ptr [ebp-70], 8C
004015EF |. 8D45 D4 lea eax, dword ptr [ebp-2C]
004015F2 |. E8 01040000 call 004019F8
004015F7 |. 50 push eax
004015F8 |. FF45 9C inc dword ptr [ebp-64]
004015FB |. 8D45 F8 lea eax, dword ptr [ebp-8]
004015FE |. B9 03000000 mov ecx, 3
00401603 |. 33D2 xor edx, edx
00401605 |. E8 69EB0000 call 00410173
0040160A |. 8D45 D4 lea eax, dword ptr [ebp-2C] ; (initial cpu selection)
0040160D |. 8D55 EC lea edx, dword ptr [ebp-14]
00401610 |. E8 C3E10000 call 0040F7D8 ; 判断call
00401615 |. 50 push eax ; 压入函数结果
00401616 |. FF4D 9C dec dword ptr [ebp-64]
00401619 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
0040161C |. BA 02000000 mov edx, 2
00401621 |. E8 D2E00000 call 0040F6F8
00401626 |. 59 pop ecx
00401627 |. 84C9 test cl, cl ; 测试的是栈顶元素,所以压入元素的函数就是判断函数
00401629 |. 0F84 26030000 je 00401955
0040162F |. 66:C745 90 98>mov word ptr [ebp-70], 98
00401635 |. 8D45 D0 lea eax, dword ptr [ebp-30]
00401638 |. E8 BB030000 call 004019F8
0040163D |. 50 push eax
0040163E |. FF45 9C inc dword ptr [ebp-64]
00401641 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00401644 |. E8 09E30000 call 0040F952
00401649 |. 8BD0 mov edx, eax
0040164B |. 83C2 FC add edx, -4
0040164E |. 8D45 F8 lea eax, dword ptr [ebp-8]
00401651 |. B9 05000000 mov ecx, 5
00401656 |. E8 18EB0000 call 00410173
0040165B |. 8D45 D0 lea eax, dword ptr [ebp-30]
0040165E |. 8D55 E8 lea edx, dword ptr [ebp-18]
00401661 |. E8 72E10000 call 0040F7D8 ; 判断call
00401666 |. 50 push eax ; 压入函数结果
00401667 |. FF4D 9C dec dword ptr [ebp-64]
0040166A |. 8D45 D0 lea eax, dword ptr [ebp-30]
0040166D |. BA 02000000 mov edx, 2
00401672 |. E8 81E00000 call 0040F6F8
00401677 |. 59 pop ecx
00401678 |. 84C9 test cl, cl
0040167A |. 0F84 D5020000 je 00401955
00401680 |. 33C0 xor eax, eax
00401682 |. 8985 74FFFFFF mov dword ptr [ebp-8C], eax
00401688 |. 66:C745 90 14>mov word ptr [ebp-70], 14
0040168E |. 33D2 xor edx, edx
00401690 |. 8995 70FFFFFF mov dword ptr [ebp-90], edx
00401696 |. EB 1E jmp short 004016B6
00401698 |> 8D45 FC /lea eax, dword ptr [ebp-4]
0040169B |. E8 88030000 |call 00401A28
004016A0 |. 8B95 70FFFFFF |mov edx, dword ptr [ebp-90]
004016A6 |. 0FBE0C10 |movsx ecx, byte ptr [eax+edx] ; 迭代用户名字符串
004016AA |. 018D 74FFFFFF |add dword ptr [ebp-8C], ecx ; 累加
004016B0 |. FF85 70FFFFFF |inc dword ptr [ebp-90] ; 循环变量自增
004016B6 |> 8D45 FC lea eax, dword ptr [ebp-4]
004016B9 |. E8 94E20000 |call 0040F952 ; 获取长度
004016BE |. 3B85 70FFFFFF |cmp eax, dword ptr [ebp-90] ; 遍历完毕?
004016C4 |.^ 7F D2 jg short 00401698
004016C6 |. 8B95 74FFFFFF mov edx, dword ptr [ebp-8C] ; 获取累加结果
004016CC |. 0FAF95 74FFFF>imul edx, dword ptr [ebp-8C]
004016D3 |. 81C2 AC000000 add edx, 0AC
004016D9 |. 8995 74FFFFFF mov dword ptr [ebp-8C], edx ; 保存结果
004016DF |. 66:C745 90 A4>mov word ptr [ebp-70], 0A4
004016E5 |. 8D45 CC lea eax, dword ptr [ebp-34]
004016E8 |. 8B95 74FFFFFF mov edx, dword ptr [ebp-8C]
004016EE |. E8 32DF0000 call 0040F625
004016F3 |. FF45 9C inc dword ptr [ebp-64]
004016F6 |. 8D55 CC lea edx, dword ptr [ebp-34]
004016F9 |. 8D45 F4 lea eax, dword ptr [ebp-C]
004016FC |. E8 26E00000 call 0040F727
00401701 |. FF4D 9C dec dword ptr [ebp-64]
00401704 |. 8D45 CC lea eax, dword ptr [ebp-34]
00401707 |. BA 02000000 mov edx, 2
0040170C |. E8 E7DF0000 call 0040F6F8
00401711 |. 66:C745 90 B0>mov word ptr [ebp-70], 0B0
00401717 |. 8D45 C8 lea eax, dword ptr [ebp-38]
0040171A |. E8 D9020000 call 004019F8
0040171F |. 8BC8 mov ecx, eax
00401721 |. FF45 9C inc dword ptr [ebp-64]
00401724 |. 8D55 F4 lea edx, dword ptr [ebp-C]
00401727 |. 8D45 EC lea eax, dword ptr [ebp-14]
0040172A |. E8 20E00000 call 0040F74F
0040172F |. 8D55 C8 lea edx, dword ptr [ebp-38]
00401732 |. 52 push edx
00401733 |. 8D45 C4 lea eax, dword ptr [ebp-3C]
00401736 |. E8 BD020000 call 004019F8
0040173B |. 8BC8 mov ecx, eax
0040173D |. FF45 9C inc dword ptr [ebp-64]
00401740 |. 8D55 E8 lea edx, dword ptr [ebp-18]
00401743 |. 58 pop eax
00401744 |. E8 06E00000 call 0040F74F
00401749 |. 8D55 C4 lea edx, dword ptr [ebp-3C]
0040174C |. 8D45 F0 lea eax, dword ptr [ebp-10]
0040174F |. E8 D3DF0000 call 0040F727
00401754 |. FF4D 9C dec dword ptr [ebp-64]
00401757 |. 8D45 C4 lea eax, dword ptr [ebp-3C]
0040175A |. BA 02000000 mov edx, 2
0040175F |. E8 94DF0000 call 0040F6F8
00401764 |. FF4D 9C dec dword ptr [ebp-64]
00401767 |. 8D45 C8 lea eax, dword ptr [ebp-38]
0040176A |. BA 02000000 mov edx, 2
0040176F |. E8 84DF0000 call 0040F6F8
00401774 |. 8D55 F0 lea edx, dword ptr [ebp-10]
00401777 |. 8D45 F8 lea eax, dword ptr [ebp-8]
0040177A |. E8 59E00000 call 0040F7D8 ; 判断call
0040177F |. 84C0 test al, al
00401781 |. 0F84 CE010000 je 00401955
00401787 |. 66:C745 90 BC>mov word ptr [ebp-70], 0BC
0040178D |. 8D45 C0 lea eax, dword ptr [ebp-40]
00401790 |. E8 63020000 call 004019F8
00401795 |. FF45 9C inc dword ptr [ebp-64]
00401798 |. 66:C745 90 C8>mov word ptr [ebp-70], 0C8
0040179E |. 66:C745 90 D4>mov word ptr [ebp-70], 0D4
004017A4 |. 8D45 BC lea eax, dword ptr [ebp-44]
004017A7 |. E8 4C020000 call 004019F8
004017AC |. FF45 9C inc dword ptr [ebp-64]
004017AF |. 66:C745 90 C8>mov word ptr [ebp-70], 0C8
004017B5 |. 66:C745 90 E0>mov word ptr [ebp-70], 0E0
004017BB |. 8D45 B8 lea eax, dword ptr [ebp-48]
004017BE |. E8 35020000 call 004019F8
004017C3 |. FF45 9C inc dword ptr [ebp-64]
004017C6 |. 66:C745 90 C8>mov word ptr [ebp-70], 0C8
004017CC |. 66:C745 90 EC>mov word ptr [ebp-70], 0EC
004017D2 |. 8D45 B4 lea eax, dword ptr [ebp-4C]
004017D5 |. E8 1E020000 call 004019F8
004017DA |. FF45 9C inc dword ptr [ebp-64]
004017DD |. 66:C745 90 C8>mov word ptr [ebp-70], 0C8
004017E3 |. 66:C745 90 F8>mov word ptr [ebp-70], 0F8
004017E9 |. 8D45 B0 lea eax, dword ptr [ebp-50]
004017EC |. E8 07020000 call 004019F8
004017F1 |. 8BD0 mov edx, eax
004017F3 |. FF45 9C inc dword ptr [ebp-64]
004017F6 |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0]
004017FC |. 8B81 E0010000 mov eax, dword ptr [ecx+1E0]
00401802 |. E8 95910000 call 0040A99C
00401807 |. 8D55 B0 lea edx, dword ptr [ebp-50]
0040180A |. 8D45 C0 lea eax, dword ptr [ebp-40]
0040180D |. E8 15DF0000 call 0040F727
00401812 |. FF4D 9C dec dword ptr [ebp-64]
00401815 |. 8D45 B0 lea eax, dword ptr [ebp-50]
00401818 |. BA 02000000 mov edx, 2
0040181D |. E8 D6DE0000 call 0040F6F8
00401822 |. 66:C745 90 04>mov word ptr [ebp-70], 104
00401828 |. 8D45 AC lea eax, dword ptr [ebp-54]
0040182B |. E8 C8010000 call 004019F8
00401830 |. 8BD0 mov edx, eax
00401832 |. FF45 9C inc dword ptr [ebp-64]
00401835 |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0]
0040183B |. 8B81 E4010000 mov eax, dword ptr [ecx+1E4]
00401841 |. E8 56910000 call 0040A99C
00401846 |. 8D55 AC lea edx, dword ptr [ebp-54]
00401849 |. 8D45 BC lea eax, dword ptr [ebp-44]
0040184C |. E8 D6DE0000 call 0040F727
00401851 |. FF4D 9C dec dword ptr [ebp-64]
00401854 |. 8D45 AC lea eax, dword ptr [ebp-54]
00401857 |. BA 02000000 mov edx, 2
0040185C |. E8 97DE0000 call 0040F6F8
00401861 |. 66:C745 90 10>mov word ptr [ebp-70], 110
00401867 |. 8D45 A8 lea eax, dword ptr [ebp-58]
0040186A |. E8 89010000 call 004019F8
0040186F |. 8BD0 mov edx, eax
00401871 |. FF45 9C inc dword ptr [ebp-64]
00401874 |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0]
0040187A |. 8B81 E8010000 mov eax, dword ptr [ecx+1E8]
00401880 |. E8 17910000 call 0040A99C
00401885 |. 8D55 A8 lea edx, dword ptr [ebp-58]
00401888 |. 8D45 B8 lea eax, dword ptr [ebp-48]
0040188B |. E8 97DE0000 call 0040F727
00401890 |. FF4D 9C dec dword ptr [ebp-64]
00401893 |. 8D45 A8 lea eax, dword ptr [ebp-58]
00401896 |. BA 02000000 mov edx, 2
0040189B |. E8 58DE0000 call 0040F6F8
004018A0 |. 66:C745 90 1C>mov word ptr [ebp-70], 11C
004018A6 |. 8D45 A4 lea eax, dword ptr [ebp-5C]
004018A9 |. E8 4A010000 call 004019F8
004018AE |. 8BD0 mov edx, eax
004018B0 |. FF45 9C inc dword ptr [ebp-64]
004018B3 |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0]
004018B9 |. 8B81 EC010000 mov eax, dword ptr [ecx+1EC]
004018BF |. E8 D8900000 call 0040A99C
004018C4 |. 8D55 A4 lea edx, dword ptr [ebp-5C]
004018C7 |. 8D45 B4 lea eax, dword ptr [ebp-4C]
004018CA |. E8 58DE0000 call 0040F727
004018CF |. FF4D 9C dec dword ptr [ebp-64]
004018D2 |. 8D45 A4 lea eax, dword ptr [ebp-5C]
004018D5 |. BA 02000000 mov edx, 2
004018DA |. E8 19DE0000 call 0040F6F8
004018DF |. 6A 00 push 0
004018E1 |. 8D45 BC lea eax, dword ptr [ebp-44]
004018E4 |. E8 3F010000 call 00401A28
004018E9 |. 50 push eax
004018EA |. 8D45 C0 lea eax, dword ptr [ebp-40]
004018ED |. E8 36010000 call 00401A28
004018F2 |. 50 push eax ; |Text
004018F3 |. 6A 00 push 0 ; |hOwner = NULL
004018F5 |. E8 A63A0300 call <jmp.&USER32.MessageBoxA> ; MessageBoxA
004018FA |. 6A 40 push 40
004018FC |. 8D45 B4 lea eax, dword ptr [ebp-4C]
004018FF |. E8 24010000 call 00401A28
00401904 |. 50 push eax
00401905 |. 8D45 B8 lea eax, dword ptr [ebp-48]
00401908 |. E8 1B010000 call 00401A28
0040190D |. 50 push eax ; |Text
0040190E |. 6A 00 push 0 ; |hOwner = NULL
00401910 |. E8 8B3A0300 call <jmp.&USER32.MessageBoxA> ; MessageBoxA
其中判断call的代码:
0040F7D8 /$ 55 push ebp
0040F7D9 |. 8BEC mov ebp, esp
0040F7DB |. 53 push ebx
0040F7DC |. 8B00 mov eax, dword ptr [eax]
0040F7DE |. 8B12 mov edx, dword ptr [edx]
0040F7E0 |. E8 B7640100 call 00425C9C ; 两个字符串是否相同?
0040F7E5 |. 0F94C0 sete al
0040F7E8 |. 83E0 01 and eax, 1
0040F7EB |. 5B pop ebx
0040F7EC |. 5D pop ebp
0040F7ED . C3 retn
就是一个很简单的加密,直接打开http://www.cnblogs.com/ZRBYYXDM/p/5115596.html中搭建的框架,修改OnBtnDecrypt函数如下:
void CKengen_TemplateDlg::OnBtnDecrypt()
{
// TODO: Add your control notification handler code here
CString str;
GetDlgItemText( IDC_EDIT_NAME,str ); //获取用户名字串基本信息。
int len = str.GetLength();
DWORD Res = 0;
if ( len != 0 ){ //格式控制。
unsigned sum = 0;
for ( int i = 0 ; i != len ; i++ )
sum += str[i];
CString PassWord;
PassWord.Format( "CA-%d-3914",sum * sum + 0xAC );
SetDlgItemText( IDC_EDIT_PASSWORD,PassWord );
}
else
MessageBox( "用户名格式错误!" );
}
再在OnInitDialog中添加此代码修改标题:SetWindowText(_T("Keygen"));
运行效果:
