-
-
[原创]一枚KeygenMe分析
-
发表于: 2014-9-30 13:41
-
在crackme.de上发现了很好玩的KeygenMe,花了挺长时间分析了下。由于还是小菜一枚,有什么错误请大家指出来,多多交流。还有祝大家国庆快乐!
一、概述
先看作者对本程序的要求:
Information:
============
- platform: Windows
- language: C
- protection: find it out
Goals:
======
GOLD: * create a working keygen
* remove the nag screen
SILVER: * get a working username/serial combination
* remove the nag screen
BRONZE: * make it accept every username/serial combination
* remove the nag screen
WOOD: * remove the nag screen || make it accept every username/serial combination
Good luck and happy reversing!
MaxX0r // RTN
28aK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4u0@1L8W2)9J5k6s2c8W2j5h3#2Q4x3X3g2U0j5H3`.`.
程序没有加壳,直接OD走起。
二、去掉nag窗口
由于要去掉nag窗口,我们先找到与窗口生成有关的API,在MessageBox和CreateWindows上下断点。单步步入CreateWindows时,发现此API开头已被修改,跳转回了KeygenMe代码。
77D2D0A3 >- E9 A9546D88 jmp KeygenMe.00402551 77D2D0A8 68 00000040 push 0x40000000 77D2D0AD FF75 34 push dword ptr ss:[ebp+0x34] 77D2D0B0 FF75 30 push dword ptr ss:[ebp+0x30] 77D2D0B3 FF75 2C push dword ptr ss:[ebp+0x2C] 77D2D0B6 FF75 28 push dword ptr ss:[ebp+0x28] 77D2D0B9 FF75 24 push dword ptr ss:[ebp+0x24] 77D2D0BC FF75 20 push dword ptr ss:[ebp+0x20] 77D2D0BF FF75 1C push dword ptr ss:[ebp+0x1C] 77D2D0C2 FF75 18 push dword ptr ss:[ebp+0x18] 77D2D0C5 FF75 14 push dword ptr ss:[ebp+0x14] 77D2D0C8 FF75 10 push dword ptr ss:[ebp+0x10] 77D2D0CB FF75 0C push dword ptr ss:[ebp+0xC] 77D2D0CE FF75 08 push dword ptr ss:[ebp+0x8] 77D2D0D1 E8 BB120000 call USER32.77D2E391 77D2D0D6 5D pop ebp 77D2D0D7 C2 3000 retn 0x30
00402551 . 55 push ebp 00402552 . 8BEC mov ebp,esp 00402554 . 81EC 50010000 sub esp,0x150 0040255A . 837D 20 78 cmp dword ptr ss:[ebp+0x20],0x78 判断cratewindows控件宽度是否为0x78 0040255E . 0F85 4D030000 jnz KeygenMe.004028B1 修改此处为jmp
0040199F > \50 push eax 004019A0 . 33C0 xor eax,eax 004019A2 . 0F9BC0 setpo al 004019A5 . 52 push edx 004019A6 . 33D0 xor edx,eax 004019A8 . C1E2 02 shl edx,0x2 004019AB . 92 xchg eax,edx 004019AC . 5A pop edx 004019AD . 0BC1 or eax,ecx 004019AF . 58 pop eax
PatList_test=_Test [CODE_Test] S = 5033C00F9BC05233D0C1E202925A0BC158 R = 9090909090909090909090909090909090
00401BB7 >-/EB FE jmp XKeygenMe.00401BB7 00401BB9 . |50 push eax 00401BBA .^\EB FB jmp XKeygenMe.00401BB7
00401F2D . 0F31 rdtsc 00401F2F . 2B45 88 sub eax,dword ptr ss:[ebp-0x78] 00401F32 . 3D 00000700 cmp eax,0x70000 00401F37 . 76 03 jbe XKeygenMe.00401F3C 00401F39 . FF4D F4 dec dword ptr ss:[ebp-0xC]
00401936 > /8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] 00401939 . |40 inc eax 0040193A . |8945 E4 mov dword ptr ss:[ebp-0x1C],eax 0040193D > |837D E4 11 cmp dword ptr ss:[ebp-0x1C],0x11 00401941 . |73 49 jnb XKeygenMe.0040198C ; 循环次数小等于17 00401943 . |8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] 00401946 . |0FB78445 40FF>movzx eax,word ptr ss:[ebp+eax*2-0xC0] 0040194E . |85C0 test eax,eax 00401950 . |74 3A je XKeygenMe.0040198C ; username[i]==0时跳出循环 00401952 . |8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] 00401955 . |0FB78C45 40FF>movzx ecx,word ptr ss:[ebp+eax*2-0xC0] 0040195D . |0FAF4D E4 imul ecx,dword ptr ss:[ebp-0x1C] ; a1=username[i]*i 00401961 . |8B75 E4 mov esi,dword ptr ss:[ebp-0x1C] 00401964 . |83C6 08 add esi,0x8 ; i+8 00401967 . |8B45 E8 mov eax,dword ptr ss:[ebp-0x18] ; a3=[ebp-0x18],a3初始化为0 0040196A . |99 cdq 0040196B . |F7FE idiv esi ; a2=a3/(i+8) 0040196D . |03C8 add ecx,eax 0040196F . |0FAF4D E4 imul ecx,dword ptr ss:[ebp-0x1C] ; (a1+a2)*i 00401973 . |034D E8 add ecx,dword ptr ss:[ebp-0x18] ; a3+(a1+a2)*i 00401976 . |894D E8 mov dword ptr ss:[ebp-0x18],ecx 00401979 . |8B45 E4 mov eax,dword ptr ss:[ebp-0x1C] 0040197C . |0FB78445 40FF>movzx eax,word ptr ss:[ebp+eax*2-0xC0] 00401984 . |0345 EC add eax,dword ptr ss:[ebp-0x14] ; sum=username各项累加 00401987 . |8945 EC mov dword ptr ss:[ebp-0x14],eax 0040198A .^\EB AA jmp XKeygenMe.00401936
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
 向前辈多多学习
|
|
|
能分析出个所以然来的,都不可小视
|
|
|
|
