強大反調試cm的奇葩破解
系統 : Windows xpphp
程序 : Crackme-xp
html
程序下載地址 :http://pan.baidu.com/s/1slUwmVr框架
要求 : 編寫註冊機
函數
使用工具 : OD & IDA
工具
可在看雪論壇中查找關於此程序的破文:傳送門測試
這是一個擁有強大反調試機制的cm,沒法查詢到關鍵子串、下獲取窗口文本的斷點沒用,設置對按鈕下消息斷點都沒用。加密
而後用IDA打開後卻發現了函數表裏有:spa
。。。。。。。。。。。。。。。。。。調試
這個懂點英文的人都能看出來是 註冊按鈕的處理函數吧?因此前面那麼多防禦機制是爲了什麼?code
直接定位關鍵代碼:
00401444 /. 55 push ebp ; btn_click
00401445 |. 8BEC mov ebp, esp 00401447 |. 81C4 70FFFFFF add esp, -90
0040144D |. 8995 78FFFFFF mov dword ptr [ebp-88], edx 00401453 |. 8985 7CFFFFFF mov dword ptr [ebp-84], eax 00401459 |. B8 04654300 mov eax, 00436504
0040145E |. E8 71CC0200 call 0042E0D4
00401463 |. 66:C745 90 08>mov word ptr [ebp-70], 8
00401469 |. 8D45 FC lea eax, dword ptr [ebp-4] 0040146C |. E8 87050000 call 004019F8
00401471 |. FF45 9C inc dword ptr [ebp-64] 00401474 |. 66:C745 90 14>mov word ptr [ebp-70], 14
0040147A |. 66:C745 90 20>mov word ptr [ebp-70], 20
00401480 |. 8D45 F8 lea eax, dword ptr [ebp-8] 00401483 |. E8 70050000 call 004019F8
00401488 |. FF45 9C inc dword ptr [ebp-64] 0040148B |. 66:C745 90 14>mov word ptr [ebp-70], 14
00401491 |. 66:C745 90 2C>mov word ptr [ebp-70], 2C 00401497 |. 8D45 F4 lea eax, dword ptr [ebp-C] 0040149A |. E8 59050000 call 004019F8
0040149F |. FF45 9C inc dword ptr [ebp-64] 004014A2 |. 66:C745 90 14>mov word ptr [ebp-70], 14
004014A8 |. 66:C745 90 38>mov word ptr [ebp-70], 38
004014AE |. 8D45 F0 lea eax, dword ptr [ebp-10] 004014B1 |. E8 42050000 call 004019F8
004014B6 |. FF45 9C inc dword ptr [ebp-64] 004014B9 |. 66:C745 90 14>mov word ptr [ebp-70], 14
004014BF |. 66:C745 90 44>mov word ptr [ebp-70], 44
004014C5 |. 8D45 EC lea eax, dword ptr [ebp-14] 004014C8 |. E8 2B050000 call 004019F8
004014CD |. FF45 9C inc dword ptr [ebp-64] 004014D0 |. 66:C745 90 14>mov word ptr [ebp-70], 14
004014D6 |. 66:C745 90 50>mov word ptr [ebp-70], 50
004014DC |. 8D45 E8 lea eax, dword ptr [ebp-18] 004014DF |. E8 14050000 call 004019F8
004014E4 |. FF45 9C inc dword ptr [ebp-64] 004014E7 |. 66:C745 90 14>mov word ptr [ebp-70], 14
004014ED |. 66:C745 90 5C>mov word ptr [ebp-70], 5C 004014F3 |. 8D45 E4 lea eax, dword ptr [ebp-1C] 004014F6 |. E8 FD040000 call 004019F8
004014FB |. 8BD0 mov edx, eax 004014FD |. FF45 9C inc dword ptr [ebp-64] 00401500 |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0] 00401506 |. 8B81 F0010000 mov eax, dword ptr [ecx+1F0] 0040150C |. E8 8B940000 call 0040A99C
00401511 |. 8D55 E4 lea edx, dword ptr [ebp-1C] 00401514 |. 8D45 EC lea eax, dword ptr [ebp-14] 00401517 |. E8 0BE20000 call 0040F727
0040151C |. FF4D 9C dec dword ptr [ebp-64] 0040151F |. 8D45 E4 lea eax, dword ptr [ebp-1C] 00401522 |. BA 02000000 mov edx, 2
00401527 |. E8 CCE10000 call 0040F6F8
0040152C |. 66:C745 90 68>mov word ptr [ebp-70], 68
00401532 |. 8D45 E0 lea eax, dword ptr [ebp-20] 00401535 |. E8 BE040000 call 004019F8
0040153A |. 8BD0 mov edx, eax 0040153C |. FF45 9C inc dword ptr [ebp-64] 0040153F |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0] 00401545 |. 8B81 F4010000 mov eax, dword ptr [ecx+1F4] 0040154B |. E8 4C940000 call 0040A99C
00401550 |. 8D55 E0 lea edx, dword ptr [ebp-20] 00401553 |. 8D45 E8 lea eax, dword ptr [ebp-18] 00401556 |. E8 CCE10000 call 0040F727
0040155B |. FF4D 9C dec dword ptr [ebp-64] 0040155E |. 8D45 E0 lea eax, dword ptr [ebp-20] 00401561 |. BA 02000000 mov edx, 2
00401566 |. E8 8DE10000 call 0040F6F8
0040156B |. 66:C745 90 74>mov word ptr [ebp-70], 74
00401571 |. 8D45 DC lea eax, dword ptr [ebp-24] 00401574 |. E8 7F040000 call 004019F8
00401579 |. 8BD0 mov edx, eax 0040157B |. FF45 9C inc dword ptr [ebp-64] 0040157E |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0] 00401584 |. 8B81 D0010000 mov eax, dword ptr [ecx+1D0] 0040158A |. E8 0D940000 call 0040A99C
0040158F |. 8D55 DC lea edx, dword ptr [ebp-24] 00401592 |. 8D45 FC lea eax, dword ptr [ebp-4] 00401595 |. E8 8DE10000 call 0040F727
0040159A |. FF4D 9C dec dword ptr [ebp-64] 0040159D |. 8D45 DC lea eax, dword ptr [ebp-24] 004015A0 |. BA 02000000 mov edx, 2
004015A5 |. E8 4EE10000 call 0040F6F8
004015AA |. 66:C745 90 80>mov word ptr [ebp-70], 80
004015B0 |. 8D45 D8 lea eax, dword ptr [ebp-28] 004015B3 |. E8 40040000 call 004019F8
004015B8 |. 8BD0 mov edx, eax 004015BA |. FF45 9C inc dword ptr [ebp-64] 004015BD |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0] 004015C3 |. 8B81 D4010000 mov eax, dword ptr [ecx+1D4] 004015C9 |. E8 CE930000 call 0040A99C
004015CE |. 8D55 D8 lea edx, dword ptr [ebp-28] 004015D1 |. 8D45 F8 lea eax, dword ptr [ebp-8] 004015D4 |. E8 4EE10000 call 0040F727
004015D9 |. FF4D 9C dec dword ptr [ebp-64] 004015DC |. 8D45 D8 lea eax, dword ptr [ebp-28] 004015DF |. BA 02000000 mov edx, 2
004015E4 |. E8 0FE10000 call 0040F6F8
004015E9 |. 66:C745 90 8C>mov word ptr [ebp-70], 8C 004015EF |. 8D45 D4 lea eax, dword ptr [ebp-2C] 004015F2 |. E8 01040000 call 004019F8
004015F7 |. 50 push eax 004015F8 |. FF45 9C inc dword ptr [ebp-64] 004015FB |. 8D45 F8 lea eax, dword ptr [ebp-8] 004015FE |. B9 03000000 mov ecx, 3
00401603 |. 33D2 xor edx, edx 00401605 |. E8 69EB0000 call 00410173
0040160A |. 8D45 D4 lea eax, dword ptr [ebp-2C] ; (initial cpu selection)
0040160D |. 8D55 EC lea edx, dword ptr [ebp-14] 00401610 |. E8 C3E10000 call 0040F7D8 ; 判斷call
00401615 |. 50 push eax ; 壓入函數結果
00401616 |. FF4D 9C dec dword ptr [ebp-64] 00401619 |. 8D45 D4 lea eax, dword ptr [ebp-2C] 0040161C |. BA 02000000 mov edx, 2
00401621 |. E8 D2E00000 call 0040F6F8
00401626 |. 59 pop ecx 00401627 |. 84C9 test cl, cl ; 測試的是棧頂元素,因此壓入元素的函數就是判斷函數
00401629 |. 0F84 26030000 je 00401955
0040162F |. 66:C745 90 98>mov word ptr [ebp-70], 98
00401635 |. 8D45 D0 lea eax, dword ptr [ebp-30] 00401638 |. E8 BB030000 call 004019F8
0040163D |. 50 push eax 0040163E |. FF45 9C inc dword ptr [ebp-64] 00401641 |. 8D45 F8 lea eax, dword ptr [ebp-8] 00401644 |. E8 09E30000 call 0040F952
00401649 |. 8BD0 mov edx, eax 0040164B |. 83C2 FC add edx, -4
0040164E |. 8D45 F8 lea eax, dword ptr [ebp-8] 00401651 |. B9 05000000 mov ecx, 5
00401656 |. E8 18EB0000 call 00410173
0040165B |. 8D45 D0 lea eax, dword ptr [ebp-30] 0040165E |. 8D55 E8 lea edx, dword ptr [ebp-18] 00401661 |. E8 72E10000 call 0040F7D8 ; 判斷call
00401666 |. 50 push eax ; 壓入函數結果
00401667 |. FF4D 9C dec dword ptr [ebp-64] 0040166A |. 8D45 D0 lea eax, dword ptr [ebp-30] 0040166D |. BA 02000000 mov edx, 2
00401672 |. E8 81E00000 call 0040F6F8
00401677 |. 59 pop ecx 00401678 |. 84C9 test cl, cl 0040167A |. 0F84 D5020000 je 00401955
00401680 |. 33C0 xor eax, eax 00401682 |. 8985 74FFFFFF mov dword ptr [ebp-8C], eax 00401688 |. 66:C745 90 14>mov word ptr [ebp-70], 14
0040168E |. 33D2 xor edx, edx 00401690 |. 8995 70FFFFFF mov dword ptr [ebp-90], edx 00401696 |. EB 1E jmp short 004016B6
00401698 |> 8D45 FC /lea eax, dword ptr [ebp-4] 0040169B |. E8 88030000 |call 00401A28
004016A0 |. 8B95 70FFFFFF |mov edx, dword ptr [ebp-90] 004016A6 |. 0FBE0C10 |movsx ecx, byte ptr [eax+edx] ; 迭代用戶名字符串
004016AA |. 018D 74FFFFFF |add dword ptr [ebp-8C], ecx ; 累加
004016B0 |. FF85 70FFFFFF |inc dword ptr [ebp-90] ; 循環變量自增
004016B6 |> 8D45 FC lea eax, dword ptr [ebp-4] 004016B9 |. E8 94E20000 |call 0040F952 ; 獲取長度
004016BE |. 3B85 70FFFFFF |cmp eax, dword ptr [ebp-90] ; 遍歷完畢?
004016C4 |.^ 7F D2 \jg short 00401698
004016C6 |. 8B95 74FFFFFF mov edx, dword ptr [ebp-8C] ; 獲取累加結果
004016CC |. 0FAF95 74FFFF>imul edx, dword ptr [ebp-8C] 004016D3 |. 81C2 AC000000 add edx, 0AC
004016D9 |. 8995 74FFFFFF mov dword ptr [ebp-8C], edx ; 保存結果
004016DF |. 66:C745 90 A4>mov word ptr [ebp-70], 0A4
004016E5 |. 8D45 CC lea eax, dword ptr [ebp-34] 004016E8 |. 8B95 74FFFFFF mov edx, dword ptr [ebp-8C] 004016EE |. E8 32DF0000 call 0040F625
004016F3 |. FF45 9C inc dword ptr [ebp-64] 004016F6 |. 8D55 CC lea edx, dword ptr [ebp-34] 004016F9 |. 8D45 F4 lea eax, dword ptr [ebp-C] 004016FC |. E8 26E00000 call 0040F727
00401701 |. FF4D 9C dec dword ptr [ebp-64] 00401704 |. 8D45 CC lea eax, dword ptr [ebp-34] 00401707 |. BA 02000000 mov edx, 2
0040170C |. E8 E7DF0000 call 0040F6F8
00401711 |. 66:C745 90 B0>mov word ptr [ebp-70], 0B0
00401717 |. 8D45 C8 lea eax, dword ptr [ebp-38] 0040171A |. E8 D9020000 call 004019F8
0040171F |. 8BC8 mov ecx, eax 00401721 |. FF45 9C inc dword ptr [ebp-64] 00401724 |. 8D55 F4 lea edx, dword ptr [ebp-C] 00401727 |. 8D45 EC lea eax, dword ptr [ebp-14] 0040172A |. E8 20E00000 call 0040F74F
0040172F |. 8D55 C8 lea edx, dword ptr [ebp-38] 00401732 |. 52 push edx 00401733 |. 8D45 C4 lea eax, dword ptr [ebp-3C] 00401736 |. E8 BD020000 call 004019F8
0040173B |. 8BC8 mov ecx, eax 0040173D |. FF45 9C inc dword ptr [ebp-64] 00401740 |. 8D55 E8 lea edx, dword ptr [ebp-18] 00401743 |. 58 pop eax 00401744 |. E8 06E00000 call 0040F74F
00401749 |. 8D55 C4 lea edx, dword ptr [ebp-3C] 0040174C |. 8D45 F0 lea eax, dword ptr [ebp-10] 0040174F |. E8 D3DF0000 call 0040F727
00401754 |. FF4D 9C dec dword ptr [ebp-64] 00401757 |. 8D45 C4 lea eax, dword ptr [ebp-3C] 0040175A |. BA 02000000 mov edx, 2
0040175F |. E8 94DF0000 call 0040F6F8
00401764 |. FF4D 9C dec dword ptr [ebp-64] 00401767 |. 8D45 C8 lea eax, dword ptr [ebp-38] 0040176A |. BA 02000000 mov edx, 2
0040176F |. E8 84DF0000 call 0040F6F8
00401774 |. 8D55 F0 lea edx, dword ptr [ebp-10] 00401777 |. 8D45 F8 lea eax, dword ptr [ebp-8] 0040177A |. E8 59E00000 call 0040F7D8 ; 判斷call
0040177F |. 84C0 test al, al 00401781 |. 0F84 CE010000 je 00401955
00401787 |. 66:C745 90 BC>mov word ptr [ebp-70], 0BC
0040178D |. 8D45 C0 lea eax, dword ptr [ebp-40] 00401790 |. E8 63020000 call 004019F8
00401795 |. FF45 9C inc dword ptr [ebp-64] 00401798 |. 66:C745 90 C8>mov word ptr [ebp-70], 0C8
0040179E |. 66:C745 90 D4>mov word ptr [ebp-70], 0D4
004017A4 |. 8D45 BC lea eax, dword ptr [ebp-44] 004017A7 |. E8 4C020000 call 004019F8
004017AC |. FF45 9C inc dword ptr [ebp-64] 004017AF |. 66:C745 90 C8>mov word ptr [ebp-70], 0C8
004017B5 |. 66:C745 90 E0>mov word ptr [ebp-70], 0E0
004017BB |. 8D45 B8 lea eax, dword ptr [ebp-48] 004017BE |. E8 35020000 call 004019F8
004017C3 |. FF45 9C inc dword ptr [ebp-64] 004017C6 |. 66:C745 90 C8>mov word ptr [ebp-70], 0C8
004017CC |. 66:C745 90 EC>mov word ptr [ebp-70], 0EC
004017D2 |. 8D45 B4 lea eax, dword ptr [ebp-4C] 004017D5 |. E8 1E020000 call 004019F8
004017DA |. FF45 9C inc dword ptr [ebp-64] 004017DD |. 66:C745 90 C8>mov word ptr [ebp-70], 0C8
004017E3 |. 66:C745 90 F8>mov word ptr [ebp-70], 0F8
004017E9 |. 8D45 B0 lea eax, dword ptr [ebp-50] 004017EC |. E8 07020000 call 004019F8
004017F1 |. 8BD0 mov edx, eax 004017F3 |. FF45 9C inc dword ptr [ebp-64] 004017F6 |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0] 004017FC |. 8B81 E0010000 mov eax, dword ptr [ecx+1E0] 00401802 |. E8 95910000 call 0040A99C
00401807 |. 8D55 B0 lea edx, dword ptr [ebp-50] 0040180A |. 8D45 C0 lea eax, dword ptr [ebp-40] 0040180D |. E8 15DF0000 call 0040F727
00401812 |. FF4D 9C dec dword ptr [ebp-64] 00401815 |. 8D45 B0 lea eax, dword ptr [ebp-50] 00401818 |. BA 02000000 mov edx, 2
0040181D |. E8 D6DE0000 call 0040F6F8
00401822 |. 66:C745 90 04>mov word ptr [ebp-70], 104
00401828 |. 8D45 AC lea eax, dword ptr [ebp-54] 0040182B |. E8 C8010000 call 004019F8
00401830 |. 8BD0 mov edx, eax 00401832 |. FF45 9C inc dword ptr [ebp-64] 00401835 |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0] 0040183B |. 8B81 E4010000 mov eax, dword ptr [ecx+1E4] 00401841 |. E8 56910000 call 0040A99C
00401846 |. 8D55 AC lea edx, dword ptr [ebp-54] 00401849 |. 8D45 BC lea eax, dword ptr [ebp-44] 0040184C |. E8 D6DE0000 call 0040F727
00401851 |. FF4D 9C dec dword ptr [ebp-64] 00401854 |. 8D45 AC lea eax, dword ptr [ebp-54] 00401857 |. BA 02000000 mov edx, 2
0040185C |. E8 97DE0000 call 0040F6F8
00401861 |. 66:C745 90 10>mov word ptr [ebp-70], 110
00401867 |. 8D45 A8 lea eax, dword ptr [ebp-58] 0040186A |. E8 89010000 call 004019F8
0040186F |. 8BD0 mov edx, eax 00401871 |. FF45 9C inc dword ptr [ebp-64] 00401874 |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0] 0040187A |. 8B81 E8010000 mov eax, dword ptr [ecx+1E8] 00401880 |. E8 17910000 call 0040A99C
00401885 |. 8D55 A8 lea edx, dword ptr [ebp-58] 00401888 |. 8D45 B8 lea eax, dword ptr [ebp-48] 0040188B |. E8 97DE0000 call 0040F727
00401890 |. FF4D 9C dec dword ptr [ebp-64] 00401893 |. 8D45 A8 lea eax, dword ptr [ebp-58] 00401896 |. BA 02000000 mov edx, 2
0040189B |. E8 58DE0000 call 0040F6F8
004018A0 |. 66:C745 90 1C>mov word ptr [ebp-70], 11C 004018A6 |. 8D45 A4 lea eax, dword ptr [ebp-5C] 004018A9 |. E8 4A010000 call 004019F8
004018AE |. 8BD0 mov edx, eax 004018B0 |. FF45 9C inc dword ptr [ebp-64] 004018B3 |. 8B0D E0AE4300 mov ecx, dword ptr [43AEE0] 004018B9 |. 8B81 EC010000 mov eax, dword ptr [ecx+1EC] 004018BF |. E8 D8900000 call 0040A99C
004018C4 |. 8D55 A4 lea edx, dword ptr [ebp-5C] 004018C7 |. 8D45 B4 lea eax, dword ptr [ebp-4C] 004018CA |. E8 58DE0000 call 0040F727
004018CF |. FF4D 9C dec dword ptr [ebp-64] 004018D2 |. 8D45 A4 lea eax, dword ptr [ebp-5C] 004018D5 |. BA 02000000 mov edx, 2
004018DA |. E8 19DE0000 call 0040F6F8
004018DF |. 6A 00 push 0
004018E1 |. 8D45 BC lea eax, dword ptr [ebp-44] 004018E4 |. E8 3F010000 call 00401A28
004018E9 |. 50 push eax 004018EA |. 8D45 C0 lea eax, dword ptr [ebp-40] 004018ED |. E8 36010000 call 00401A28
004018F2 |. 50 push eax ; |Text
004018F3 |. 6A 00 push 0 ; |hOwner = NULL
004018F5 |. E8 A63A0300 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
004018FA |. 6A 40 push 40
004018FC |. 8D45 B4 lea eax, dword ptr [ebp-4C] 004018FF |. E8 24010000 call 00401A28
00401904 |. 50 push eax 00401905 |. 8D45 B8 lea eax, dword ptr [ebp-48] 00401908 |. E8 1B010000 call 00401A28
0040190D |. 50 push eax ; |Text
0040190E |. 6A 00 push 0 ; |hOwner = NULL
00401910 |. E8 8B3A0300 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
其中判斷call的代碼:
0040F7D8 /$ 55 push ebp 0040F7D9 |. 8BEC mov ebp, esp 0040F7DB |. 53 push ebx 0040F7DC |. 8B00 mov eax, dword ptr [eax] 0040F7DE |. 8B12 mov edx, dword ptr [edx] 0040F7E0 |. E8 B7640100 call 00425C9C ; 兩個字符串是否相同?
0040F7E5 |. 0F94C0 sete al 0040F7E8 |. 83E0 01 and eax, 1
0040F7EB |. 5B pop ebx 0040F7EC |. 5D pop ebp 0040F7ED \. C3 retn
就是一個很簡單的加密,直接打開http://www.cnblogs.com/ZRBYYXDM/p/5115596.html中搭建的框架,修改OnBtnDecrypt函數以下:
void CKengen_TemplateDlg::OnBtnDecrypt() { // TODO: Add your control notification handler code here CString str; GetDlgItemText( IDC_EDIT_NAME,str ); //獲取用戶名字串基本信息。
int len = str.GetLength(); DWORD Res = 0; if ( len != 0 ){ //格式控制。 unsigned sum = 0; for ( int i = 0 ; i != len ; i++ )
sum += str[i]; CString PassWord; PassWord.Format( "CA-%d-3914",sum * sum + 0xAC ); SetDlgItemText( IDC_EDIT_PASSWORD,PassWord ); } else MessageBox( "用戶名格式錯誤!" ); }
再在OnInitDialog中添加此代碼修改標題:SetWindowText(_T("Keygen"));
運行效果:
相關文章
- 1. 18. OD-反調試研究,破解反調試,編寫反調試
- 2. 程序員奇葩面試的奇葩問題
- 3. masonry的奇葩
- 4. 面試遇到的奇葩面試官
- 5. 奇葩面試題記錄
- 6. 面試奇葩問題
- 7. IPv6的奇葩事
- 8. ABAP-面試中的奇葩問題
- 9. 奇葩問題
- 10. Golang奇葩點
- 更多相關文章...
- • Lua 調試(Debug) - Lua 教程
- • Eclipse Debug 調試 - Eclipse 教程
- • JDK13 GA發佈:5大特性解讀
- • Flink 數據傳輸及反壓詳解
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. 18. OD-反調試研究,破解反調試,編寫反調試
- 2. 程序員奇葩面試的奇葩問題
- 3. masonry的奇葩
- 4. 面試遇到的奇葩面試官
- 5. 奇葩面試題記錄
- 6. 面試奇葩問題
- 7. IPv6的奇葩事
- 8. ABAP-面試中的奇葩問題
- 9. 奇葩問題
- 10. Golang奇葩點