很久没有练过破解,都忘得差不多了,所以找一个很简单的crackme温习一下。

moofy's keyme #2是crackmes.de上发布的一个crackme。拿到moofy's keyme #2 (mfykm2.exe)后,先用PEiD

看一下,是用C++编写的,而且没有加过壳。

运行mfykm2,随便输入key,显示“Try again!”,用OllyICE打开,查找所有参考文本字符串,可以发现

00401653 就是显示“Try again!”的语句,与之相近的一段语句(1)如下:

; --- Tail of the key-check routine (OllyDbg listing, Intel syntax). The routine's
;     start, including the scanf destination pointer stored at [esp+4], lies before
;     this excerpt; only the comparison and the two result paths are shown.
0040162E |. C70424 293040>mov dword ptr [esp], 00403029 ; ||ASCII "%d" -- format string: the key is read as one signed decimal integer
00401635 |. E8 86050000 call <jmp.&msvcrt.scanf> ;     |\scanf -- destination is the local read from [ebp-4] below; return value (fields matched) is not checked
0040163A |. 8B45 FC mov eax, dword ptr [ebp-4] ;      | eax = key typed by the user
0040163D |. 3B05 24414000 cmp eax, dword ptr [404124] ;  | compare with the key computed by the routine at 00401320
00401643 |. 75 0E jnz short 00401653 ;           | mismatch -> "Try again!" path
00401645 |. C70424 2C3040>mov dword ptr [esp], 0040302C ; |ASCII LF,"Correct :) Write a keygen and tutorial and submit it to crackmes.de",LF
0040164C |. E8 7F050000 call <jmp.&msvcrt.printf> ;    \printf
00401651 |. EB 0C jmp short 0040165F ; skip the failure message
00401653 |> C70424 723040>mov dword ptr [esp], 00403072 ; |ASCII 0A,"Try again!"
0040165A |. E8 71050000 call <jmp.&msvcrt.printf> ;    \printf
0040165F |> C70424 7F3040>mov dword ptr [esp], 0040307F ; |ASCII "PAUSE" -- both paths join here
00401666 |. E8 45050000 call <jmp.&msvcrt.system> ;    \system
0040166B |. B8 00000000 mov eax, 0 ; return 0
00401670 |. C9 leave
00401671 \. C3 retn

很明显,

00401643 |. 75 0E jnz short 00401653 ;

就是比较后跳转的语句。如果暴破,直接修改这里就可以了。另外,

0040162E |. C70424 293040>mov dword ptr [esp], 00403029 ; ||ASCII "%d"
00401635 |. E8 86050000 call <jmp.&msvcrt.scanf> ;     |\scanf

这两句,就是用来输入key的语句,显然是C/C++,而且根据"%d"判断,key应该为一个(有符号的)十进制整数。

如果再仔细跟踪到这一句:

0040163D |. 3B05 24414000 cmp eax, dword ptr [404124] ;

就会发现,eax就是我们输入的key,而正确的key就在[404124]。下面我们看看正确的key是怎么产生的。在

[404124]上下写入断点,会在004014E6, 004015E5各中断一次,而与之相关的一段语句(2)如下:

; --- Key routine at 00401320 (OllyDbg listing, Intel syntax). Notation used in the comments:
;       u = strlen(UserName)     -> [404144]
;       c = strlen(ComputerName) -> [404148]
;       A = u*c                  -> [404128]   (first phase only; [404128] is reused as P later)
;       P = u + 100, Q = c + 200, X = 3*P*Q - Q (second phase)
;     All arithmetic is 32-bit and wraps silently (imul/add/sub keep the low 32 bits).
;     OllyDbg prints immediates in hex: 64 = 100, 0C8 = 200, 1BB = 443.
00401320 /$ 55 push ebp ; standard frame
00401321 |. 89E5 mov ebp, esp
00401323 |. 83EC 08 sub esp, 8 ; two dword argument slots for the call below
00401326 |. C74424 04 002>mov dword ptr [esp+4], 00402000 ;   | lpnSize -> [402000] (buffer size, in/out)
0040132E |. C70424 104040>mov dword ptr [esp], 00404010 ;    |ASCII // buffer that receives UserName
00401335 |. E8 76090000 call <jmp.&ADVAPI32.GetUserNameA> ;   \GetUserNameA -- BOOL result in eax is never checked
0040133A |. 83EC 08 sub esp, 8 ; stdcall callee popped its args; reserve the slots again
0040133D |. C74424 04 042>mov dword ptr [esp+4], 00402004 ;   | lpnSize -> [402004]
00401345 |. C70424 114140>mov dword ptr [esp], 00404111 ;    |ASCII // buffer that receives ComputerName (0x101 bytes after the UserName buffer)
0040134C |. E8 1F090000 call <jmp.&KERNEL32.GetComputerNameA> ; \GetComputerNameA -- result also unchecked; on failure the strlen below measures whatever the buffer already holds
00401351 |. 83EC 08 sub esp, 8
00401354 |. C70424 104040>mov dword ptr [esp], 00404010 ;    ||ASCII // UserName buffer
0040135B |. E8 80080000 call <jmp.&msvcrt.strlen> ;       |\strlen
00401360 |. A3 44414000 mov dword ptr [404144], eax ;      | u = strlen(UserName)
00401365 |. C70424 114140>mov dword ptr [esp], 00404111 ;    |ASCII // ComputerName buffer
0040136C |. E8 6F080000 call <jmp.&msvcrt.strlen> ;       \strlen
00401371 |. A3 48414000 mov dword ptr [404148], eax ; c = strlen(ComputerName)
00401376 |. A1 44414000 mov eax, dword ptr [404144] ; eax = u
0040137B |. 0FAF05 484140>imul eax, dword ptr [404148] ; eax = u*c
00401382 |. A3 28414000 mov dword ptr [404128], eax ; A = u*c
00401387 |. A1 28414000 mov eax, dword ptr [404128]
0040138C |. 0305 28414000 add eax, dword ptr [404128]
00401392 |. A3 2C414000 mov dword ptr [40412C], eax ; [40412C] = A + A = 2A
00401397 |. A1 28414000 mov eax, dword ptr [404128]
0040139C |. 0305 2C414000 add eax, dword ptr [40412C]
004013A2 |. A3 30414000 mov dword ptr [404130], eax ; [404130] = A + 2A = 3A
004013A7 |. A1 28414000 mov eax, dword ptr [404128]
004013AC |. 0305 30414000 add eax, dword ptr [404130]
004013B2 |. A3 34414000 mov dword ptr [404134], eax ; [404134] = A + 3A = 4A
004013B7 |. 8B15 34414000 mov edx, dword ptr [404134] ; edx = 4A
004013BD |. 89D0 mov eax, edx
004013BF |. 01C0 add eax, eax ; eax = 8A
004013C1 |. 01D0 add eax, edx ; eax = 12A
004013C3 |. A3 38414000 mov dword ptr [404138], eax ; [404138] = 12A
004013C8 |. A1 38414000 mov eax, dword ptr [404138]
004013CD |. 0FAF05 384140>imul eax, dword ptr [404138]
004013D4 |. A3 3C414000 mov dword ptr [40413C], eax ; [40413C] = 12A * 12A = 144A^2
004013D9 |. A1 28414000 mov eax, dword ptr [404128]
004013DE |. 0305 3C414000 add eax, dword ptr [40413C]
004013E4 |. A3 40414000 mov dword ptr [404140], eax ; [404140] = A + 144A^2
004013E9 |. 8B15 28414000 mov edx, dword ptr [404128]
004013EF |. A1 40414000 mov eax, dword ptr [404140]
004013F4 |. 29D0 sub eax, edx
004013F6 |. A3 4C414000 mov dword ptr [40414C], eax ; [40414C] = (A + 144A^2) - A = 144A^2
004013FB |. A1 4C414000 mov eax, dword ptr [40414C]
00401400 |. 0FAF05 444140>imul eax, dword ptr [404144]
00401407 |. A3 54414000 mov dword ptr [404154], eax ; [404154] = 144A^2 * u
0040140C |. C705 58414000>mov dword ptr [404158], 0 ; [404158] = 0 -- this zero feeds every product below, so [404160]..[404178] all end up 0
00401416 |. A1 58414000 mov eax, dword ptr [404158]
0040141B |. 0305 54414000 add eax, dword ptr [404154]
00401421 |. A3 5C414000 mov dword ptr [40415C], eax ; [40415C] = 0 + 144A^2*u
00401426 |. A1 5C414000 mov eax, dword ptr [40415C]
0040142B |. 0FAF05 584140>imul eax, dword ptr [404158]
00401432 |. A3 60414000 mov dword ptr [404160], eax ; [404160] = [40415C] * 0 = 0
00401437 |. A1 54414000 mov eax, dword ptr [404154]
0040143C |. 0FAF05 584140>imul eax, dword ptr [404158]
00401443 |. A3 64414000 mov dword ptr [404164], eax ; [404164] = [404154] * 0 = 0
00401448 |. A1 5C414000 mov eax, dword ptr [40415C]
0040144D |. 0FAF05 604140>imul eax, dword ptr [404160]
00401454 |. A3 68414000 mov dword ptr [404168], eax ; [404168] = [40415C] * 0 = 0
00401459 |. 8B15 68414000 mov edx, dword ptr [404168]
0040145F |. A1 64414000 mov eax, dword ptr [404164]
00401464 |. 29D0 sub eax, edx
00401466 |. A3 6C414000 mov dword ptr [40416C], eax ; [40416C] = 0 - 0 = 0
0040146B |. A1 6C414000 mov eax, dword ptr [40416C]
00401470 |. 0FAF05 644140>imul eax, dword ptr [404164]
00401477 |. A3 70414000 mov dword ptr [404170], eax ; [404170] = 0 (not read again in this routine)
0040147C |. A1 68414000 mov eax, dword ptr [404168]
00401481 |. 0FAF05 6C4140>imul eax, dword ptr [40416C]
00401488 |. A3 74414000 mov dword ptr [404174], eax ; [404174] = 0 * 0 = 0
0040148D |. A1 74414000 mov eax, dword ptr [404174]
00401492 |. 0FAF05 604140>imul eax, dword ptr [404160]
00401499 |. A3 78414000 mov dword ptr [404178], eax ; [404178] = 0 * 0 = 0
0040149E |. A1 44414000 mov eax, dword ptr [404144]
004014A3 |. 0305 78414000 add eax, dword ptr [404178]
004014A9 |. A3 7C414000 mov dword ptr [40417C], eax ; [40417C] = u + 0 = u
004014AE |. A1 7C414000 mov eax, dword ptr [40417C]
004014B3 |. 0FAF05 484140>imul eax, dword ptr [404148]
004014BA |. A3 80414000 mov dword ptr [404180], eax ; [404180] = u * c = A
004014BF |. A1 4C414000 mov eax, dword ptr [40414C]
004014C4 |. 0305 80414000 add eax, dword ptr [404180]
004014CA |. A3 84414000 mov dword ptr [404184], eax ; [404184] = 144A^2 + A
004014CF |. A1 84414000 mov eax, dword ptr [404184]
004014D4 |. 0FAF05 844140>imul eax, dword ptr [404184]
004014DB |. A3 88414000 mov dword ptr [404188], eax ; [404188] = (144A^2 + A)^2
004014E0 |. A1 88414000 mov eax, dword ptr [404188]
004014E5 |. 40 inc eax
004014E6 |. A3 24414000 mov dword ptr [404124], eax ; [404124] = (144A^2 + A)^2 + 1 -- first store to the key slot (breakpoint at 004014E6); overwritten at 004015E5 below, so this value is dead
004014EB |. A1 44414000 mov eax, dword ptr [404144]
004014F0 |. 83C0 64 add eax, 64 ; eax = u + 0x64 = u + 100
004014F3 |. A3 28414000 mov dword ptr [404128], eax ; [404128] = u + 100 =: P (overwrites A)
004014F8 |. A1 48414000 mov eax, dword ptr [404148]
004014FD |. 05 C8000000 add eax, 0C8 ; eax = c + 0xC8 = c + 200
00401502 |. A3 2C414000 mov dword ptr [40412C], eax ; [40412C] = c + 200 =: Q
00401507 |. A1 2C414000 mov eax, dword ptr [40412C]
0040150C |. 0FAF05 284140>imul eax, dword ptr [404128]
00401513 |. A3 30414000 mov dword ptr [404130], eax ; [404130] = Q * P
00401518 |. A1 28414000 mov eax, dword ptr [404128]
0040151D |. 0FAF05 2C4140>imul eax, dword ptr [40412C]
00401524 |. 0305 30414000 add eax, dword ptr [404130]
0040152A |. A3 34414000 mov dword ptr [404134], eax ; [404134] = P*Q + P*Q = 2PQ
0040152F |. 8B15 28414000 mov edx, dword ptr [404128]
00401535 |. A1 34414000 mov eax, dword ptr [404134]
0040153A |. 29D0 sub eax, edx
0040153C |. A3 38414000 mov dword ptr [404138], eax ; [404138] = 2PQ - P
00401541 |. A1 34414000 mov eax, dword ptr [404134] ; eax = 2PQ
00401546 |. 0305 38414000 add eax, dword ptr [404138] ; + (2PQ - P) = 4PQ - P
0040154C |. 2B05 30414000 sub eax, dword ptr [404130] ; - PQ = 3PQ - P
00401552 |. 0305 28414000 add eax, dword ptr [404128] ; + P = 3PQ
00401558 |. 2B05 2C414000 sub eax, dword ptr [40412C] ; - Q = 3PQ - Q
0040155E |. A3 3C414000 mov dword ptr [40413C], eax ; [40413C] = 3PQ - Q =: X
00401563 |. 8B15 3C414000 mov edx, dword ptr [40413C] ; edx = X
00401569 |. 89D0 mov eax, edx
0040156B |. C1F8 1F sar eax, 1F ; eax = -1 if X < 0, else 0 (arithmetic shift copies the sign bit)
0040156E |. C1E8 1F shr eax, 1F ; eax = 1 if X < 0, else 0 (logical shift keeps only the former sign bit)
00401571 |. 8D0402 lea eax, dword ptr [edx+eax] ; eax = X + (X < 0 ? 1 : 0) -- bias so the next shift rounds toward zero
00401574 |. D1F8 sar eax, 1 ; eax = X / 2 with C signed-division semantics (toward zero, not floor)
00401576 |. A3 40414000 mov dword ptr [404140], eax ; [404140] = X / 2
0040157B |. A1 3C414000 mov eax, dword ptr [40413C] ; eax = X
00401580 |. 0FAF05 404140>imul eax, dword ptr [404140] ; * (X/2)
00401587 |. 0FAF05 3C4140>imul eax, dword ptr [40413C] ; * X
0040158E |. 0FAF05 384140>imul eax, dword ptr [404138] ; * (2PQ - P)
00401595 |. 0FAF05 344140>imul eax, dword ptr [404134] ; * 2PQ
0040159C |. 0FAF05 304140>imul eax, dword ptr [404130] ; * PQ
004015A3 |. 0FAF05 2C4140>imul eax, dword ptr [40412C] ; * Q
004015AA |. 89C2 mov edx, eax ; edx = running product
004015AC |. 0FAF15 284140>imul edx, dword ptr [404128] ; * P
004015B3 |. 89D0 mov eax, edx
004015B5 |. C1F8 1F sar eax, 1F ; same signed divide-by-2 idiom as at 0040156B, applied to edx
004015B8 |. C1E8 1F shr eax, 1F
004015BB |. 8D0402 lea eax, dword ptr [edx+eax]
004015BE |. D1F8 sar eax, 1
004015C0 |. A3 54414000 mov dword ptr [404154], eax ; [404154] = product / 2 (signed, toward zero)
004015C5 |. A1 54414000 mov eax, dword ptr [404154]
004015CA |. 0FAF05 404140>imul eax, dword ptr [404140] ; * (X/2)
004015D1 |. 0FAF05 344140>imul eax, dword ptr [404134] ; * 2PQ
004015D8 |. 0FAF05 3C4140>imul eax, dword ptr [40413C] ; * X
004015DF |. 69C0 BB010000 imul eax, eax, 1BB ; * 0x1BB = 443
004015E5 |. A3 24414000 mov dword ptr [404124], eax ; [404124] = final key (second breakpoint at 004015E5); this is what the cmp at 0040163D checks the scanf("%d") input against
004015EA |. C9 leave ; no return value is used by the caller; the key is left in [404124]
004015EB \. C3 retn

这段语句很长,其实没有什么难度,就是看起来比较烦,其核心就是取得UserName和ComputerName之后,将两者长

度分别存储于[404144]和[404148],并针对两者长度进行的一系列运算。只要按部就班地随之进行运算,就可以得

到正确的key了。不过,在这段语句中,似乎有一些和key的运算无关,不知是不是作者提到过的那些故意加入的无

用语句,我没有仔细考察。另外,在计算时,有几处 sar 和 shr 要特别留意,因为它们的含义是不同的(sar 是算术右移,保留符号位;shr 是逻辑右移,高位补零)。例如 0040156B 处的 sar eax,1F / shr eax,1F / lea eax,[edx+eax] / sar eax,1 这四句,就是编译器对有符号数除以 2(向零舍入)的标准写法。尤其是

写注册机时,运算中要考虑到两者的差异性,用不同的运算来实现。

最后,是这个crackme和我自己写的注册机,供大家参考。

谢谢!

 

曹华 2007年8月15日