abexcm5的分析

【破文标题】abexcm5的分析
【破文作者】delcpp
【作者邮箱】delcpp@gmail.com
【破解工具】OD
【破解平台】windows xp sp3
【软件名称】abexcm5.exe
【软件大小】8K
【保护方式】无
【软件简介】软件来自FpX的CrackMe
------------------------------------------------------------------------------------------------
【破解过程】

; Excerpt of the serial-check routine as dumped from OllyDbg. The routine's
; prologue lies above this excerpt, so only the check itself is visible.
;
; Step 1: copy the text the user typed (at most 0x25 bytes) from dialog
; control 0x68 into the buffer at 00402324.
0040106C |> \6A 25 push 25 ; /Count = 25 (37.)
0040106E |. 68 24234000 push 00402324 ; |Buffer = abexcm5.00402324
00401073 |. 6A 68 push 68 ; |ControlID = 68 (104.)
00401075 |. FF75 08 push dword ptr [ebp+8] ; |hWnd
00401078 |. E8 F4000000 call <jmp.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
; Step 2: query volume information with RootPathName = NULL (per the Win32
; documentation this means the root of the current directory). The volume
; name (label) is written to 0040225C, at most 0x32 bytes. This is the
; label, not the drive letter. The return value in eax is not tested before
; the buffer is used.
0040107D |. 6A 00 push 0 ; /pFileSystemNameSize = NULL
0040107F |. 6A 00 push 0 ; |pFileSystemNameBuffer = NULL
00401081 |. 68 C8204000 push 004020C8 ; |pFileSystemFlags = abexcm5.004020C8
00401086 |. 68 90214000 push 00402190 ; |pMaxFilenameLength = abexcm5.00402190
0040108B |. 68 94214000 push 00402194 ; |pVolumeSerialNumber = abexcm5.00402194
00401090 |. 6A 32 push 32 ; |MaxVolumeNameSize = 32 (50.)
00401092 |. 68 5C224000 push 0040225C ; |VolumeNameBuffer = abexcm5.0040225C
00401097 |. 6A 00 push 0 ; |RootPathName = NULL
00401099 |. E8 B5000000 call <jmp.&KERNEL32.GetVolumeInformat>; \GetVolumeInformationA
; Step 3: append the constant "4562-ABEX" to the volume name at 0040225C.
0040109E |. 68 F3234000 push 004023F3 ; /StringToAdd = "4562-ABEX"
004010A3 |. 68 5C224000 push 0040225C ; |ConcatString = ""
004010A8 |. E8 94000000 call <jmp.&KERNEL32.lstrcatA> ; \lstrcatA
; Step 4: dl counts two passes; each pass adds 1 at 0040225C..0040225F, so
; the first four characters of the concatenated string end up raised by 2.
; The adds are 32-bit and overlap, so a byte that wraps past 0xFF carries
; into the following byte. With a label shorter than four characters the
; leading characters of "4562-ABEX" are the ones being modified.
004010AD |. B2 02 mov dl, 2
004010AF |> 8305 5C224000>/add dword ptr [40225C], 1
004010B6 |. 8305 5D224000>|add dword ptr [40225D], 1
004010BD |. 8305 5E224000>|add dword ptr [40225E], 1
004010C4 |. 8305 5F224000>|add dword ptr [40225F], 1
004010CB |. FECA |dec dl
004010CD |.^ 75 E0 \jnz short 004010AF
; Step 5: build the expected serial at 00402000: "L2C-5781" first, then the
; transformed string from 0040225C.
004010CF |. 68 FD234000 push 004023FD ; /StringToAdd = "L2C-5781"
004010D4 |. 68 00204000 push 00402000 ; |ConcatString = ""
004010D9 |. E8 63000000 call <jmp.&KERNEL32.lstrcatA> ; \lstrcatA
004010DE |. 68 5C224000 push 0040225C ; /StringToAdd = ""
004010E3 |. 68 00204000 push 00402000 ; |ConcatString = ""
004010E8 |. E8 54000000 call <jmp.&KERNEL32.lstrcatA> ; \lstrcatA
; Step 6: case-insensitive compare (lstrcmpiA) of the expected serial with
; the user's input; eax == 0 means the strings match. The expected value is
; computed locally from two constants and the volume label and is held in
; plain text at 00402000 for this call, so the check keeps no secret.
004010ED |. 68 24234000 push 00402324 ; /String2 = ""
004010F2 |. 68 00204000 push 00402000 ; |String1 = ""
004010F7 |. E8 51000000 call <jmp.&KERNEL32.lstrcmpiA> ; \lstrcmpiA
004010FC |. 83F8 00 cmp eax, 0
004010FF |. 74 16 je short 00401117
; Mismatch branch: show the error box, then jump to the common exit.
00401101 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401103 |. 68 34244000 push 00402434 ; |Title = "Error!"
00401108 |. 68 3B244000 push 0040243B ; |Text = "The serial you entered is not correct!"
0040110D |. FF75 08 push dword ptr [ebp+8] ; |hOwner
00401110 |. E8 56000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00401115 |. EB 16 jmp short 0040112D
; Match branch: show the success box.
00401117 |> 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401119 |. 68 06244000 push 00402406 ; |Title = "Well Done!"
0040111E |. 68 11244000 push 00402411 ; |Text = "Yep, you entered a correct serial!"
00401123 |. FF75 08 push dword ptr [ebp+8] ; |hOwner
00401126 |. E8 40000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
0040112B |. EB 00 jmp short 0040112D
; Common exit: close the dialog with result 0 and return, releasing 0x10
; bytes of stack arguments.
0040112D |$ 6A 00 push 0 ; /Result = 0
0040112F |. FF75 08 push dword ptr [ebp+8] ; |hWnd
00401132 |. E8 22000000 call <jmp.&USER32.EndDialog> ; \EndDialog
00401137 |. C9 leave
00401138 \. C2 1000 retn 10
 


------------------------------------------------------------------------------------------------
【破解总结】
这个CrackMe很简单,大致算法是:
1、用GetVolumeInformationA取出CrackMe所在盘的卷标(即卷名,不是盘符字母),然后在其后拼接"4562-ABEX"。
2、将合并后字符串的前4个字符各加2(循环2次,每次各加1),得到新的字符串。
3、将"L2C-5781"和步骤2得到的字符串合并,得出注册码;程序用lstrcmpiA比较,因此不区分大小写。

使用Delphi XE大致还原了一下算法:

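{ Rebuilds the serial that abexcm5 expects, following the disassembly above:
  'L2C-5781' + (volume label + '4562-ABEX', with the first four bytes of that
  concatenation each raised by 2). The result is written to edt1.Text.
  Sender is not used. }
procedure TForm1.btn1Click(Sender: TObject);
var
  str1: array[0..255] of AnsiChar;  // volume label, then label + '4562-ABEX'
  str2: array[0..255] of AnsiChar;  // final serial
  lpVolumeSerialNumber: DWORD;
  lpMaximumComponentLength: DWORD;
  lpFileSystemFlags: DWORD;
  i: Integer;
begin
  // Start from an empty, NUL-terminated buffer so that lstrcatA never walks
  // uninitialised stack memory if the volume query fails.
  FillChar(str1, SizeOf(str1), 0);

  // Same arguments as the disassembly: nil root path (root of the current
  // directory), a 0x32-byte label limit, and no file-system-name buffer.
  // The 0x32 limit also guarantees room for the 9-byte suffix below.
  if not GetVolumeInformationA(
    nil, str1, $32,
    @lpVolumeSerialNumber, lpMaximumComponentLength,
    lpFileSystemFlags, nil, 0) then
    str1[0] := #0;  // the listing ignores the result; fall back to an empty label

  lstrcatA(str1, '4562-ABEX');  // append the constant "4562-ABEX"

  // Raise the first four bytes by 2 each. With a label shorter than four
  // characters this touches the leading characters of '4562-ABEX', exactly
  // as the fixed-address adds in the listing do.
  // NOTE(review): the listing uses overlapping 32-bit adds, so a byte that
  // wraps past $FF would carry into its neighbour there; this loop wraps
  // per byte instead. The two agree for ordinary ASCII labels.
  for i := 0 to 3 do
    str1[i] := AnsiChar((Ord(str1[i]) + 2) and $FF);

  str2 := 'L2C-5781';   // prefix constant "L2C-5781"
  lstrcatA(str2, str1); // prefix + transformed string = expected serial
  edt1.Text := str2;
end;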

原文地址:https://www.cnblogs.com/dabiao/p/1953859.html