标 题:破解CRACKME(CTM) (7千字)
发信人:VitaminC
时 间:2002-3-18 22:53:02
详细信息:
破解CRACKME(CTM):
终于,尝试着去破一个不是关于NUM.(序列号)的程序,费了好大的力也终于把它OK了.
这个程序是关于KEYFILE的,呵呵...对于我来说入手只能用看雪老师的教程上教的方法,先用FILEMON去找出它读的是什么FILE...
运行程式说没有找到KEYFILE...
好在FILEMON好用,一下子就被我找到了KEYFILE的文件名:CTM_CM02.KEY,好了,那就做一个!
内容是1234abcd的文本文件,再把文件名改为CTM_CM02.KEY再运行,这回说无效的KEYFILE!(心里一阵高兴,因为自己乱做的文件它也认作是KEYFILE了,只是内容不对!其实那个KEYFILE用HEX
WORKSHOP做会好一点...)
好!那就在SICE里用BPX READFILE设断,再用F11来到这:
...
:00403E85 50
push eax
:00403E86 56
push esi
:00403E87 FF33
push dword ptr [ebx]
:00403E89 E8B6D3FFFF call 00401244/*这个CALL用READFILE取得数据*/
:00403E8E 48
dec eax
:00403E8F 58
pop eax
:00403E90 59
pop ecx
:00403E91 751F
jne 00403EB2
...
对了,程序是用了UPX加壳的...然后我就跟到这:
...
:00426616 8A1C16
mov bl, byte ptr [esi+edx]/*移入在KEYFILE里的每个字符*/
:00426619 84DB
test bl, bl
:0042661B 7429
je 00426646/*只有这个是个宝!(KEYFILE里一碰到00H字节就从这里出去)*/
:0042661D E816000000 call 00426638
:00426622 52
push edx
:00426623 F7E3
mul ebx
:00426625 5A
pop edx
:00426626 35326D5463 xor eax,
63546D32/*得到经过计算的NUM.*/
:0042662B FEC2
inc dl
:0042662D 39CA
cmp edx, ecx
:0042662F 7442
je 00426673/*EDX追上ECX(整个KEYFILE都算完了)从这里出去——拿到的是结果2*/
:00426631 80FAFF
cmp dl, FF
:00426634 743D
je 00426673/*下标用的是8位的DL(上面是INC DL),走到FFH就按结果2退出,大概是防止DL回绕*/
:00426636 EBDE
jmp 00426616/*这里用于循环*/
* Referenced by a CALL at Addresses:
|:0042661D , :00426646
|
:00426638 57
push edi
:00426639 8DBDF4FFFEFF lea edi, dword
ptr [ebp+FFFEFFF4]
:0042663F 8B3F
mov edi, dword ptr [edi]
:00426641 881C17
mov byte ptr [edi+edx], bl
:00426644 5F
pop edi
:00426645 C3
ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042661B(C)
|
:00426646 E8EDFFFFFF call 00426638
:0042664B 42
inc edx
:0042664C 83C204
add edx, 00000004
:0042664F 39D1
cmp ecx, edx
:00426651 7520
jne 00426673
:00426653 83EA04
sub edx, 00000004
:00426656 85C0
test eax, eax
:00426658 7602
jbe 0042665C
:0042665A D1E8
shr eax, 1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00426658(C)
|
:0042665C 3B0416
cmp eax, dword ptr [esi+edx]
:0042665F 7509
jne 0042666A
:00426661 B800000000 mov eax,
00000000
:00426666 8907
mov dword ptr [edi], eax
:00426668 EB10
jmp 0042667A
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042665F(C)
|
:0042666A B801000000 mov eax,
00000001
:0042666F 8907
mov dword ptr [edi], eax
:00426671 EB07
jmp 0042667A
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042662F(C), :00426634(C), :00426651(C)
|
:00426673 B802000000 mov eax,
00000002 /*这行来的2!*/
:00426678 8907
mov dword ptr [edi], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00426668(U), :00426671(U)
|
:0042667A 5E
pop esi
:0042667B 5F
pop edi
:0042667C 5B
pop ebx
:0042667D 8A85FBFFFEFF mov al, byte
ptr [ebp+FFFEFFFB]
:00426683 2C01
sub al, 01 /*AL应该就是上面MOV [EDI],EAX存下的结果码;只有AL原来是0(减1产生借位,CF=1),下面的JB才会跳*/
:00426685 7208
jb 0042668F/*那么只有这个JUMP才能OK!了*/
:00426687 744A
je 004266D3/*这里跳则是:"Key file contains wrong serial!"*/
:00426689 FEC8
dec al
:0042668B 7458
je 004266E5 /*这里跳则是:"Key file is not valid!"*/
:0042668D EB66
jmp 004266F5
...
一看,高兴啊,它算NUM.了...一会就找到了那个算出来的NUM.了,快比较吧!让我找到正确的NUM.哟~~~~于是我就跟啊跟啊...
终于,它没有用那个所谓的NUM.来比较...是我找不到比较的地方,我就不信邪!我还重跟...
错了,我错了...再这样跟它一百年也没用....(哈哈!好个姓菜的!^O^)它老是给我来'Key file is not valid!'(结果码2,见下面的分析)
于是,在山穷水尽时,我又想到了一村,哈哈哈...
我用W32DASM的串式参考,我找"Key file is not valid!":
...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042668B(C) /*只有一个JUMP,好!*/
|
* Possible StringData Ref from Data Obj ->"Key file is not valid!"
|
:004266E5 BAE0674200 mov edx,
004267E0
:004266EA 8B83B0010000 mov eax, dword
ptr [ebx+000001B0]
:004266F0 E89FB5FEFF call 00411C94
...
我再找"Key file contains wrong serial!"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00426687(C) /*也只有一个JUMP!*/
|
* Possible StringData Ref from Data Obj ->"Key file contains wrong serial!"
|
:004266D3 BAB8674200 mov edx,
004267B8
:004266D8 8B83B0010000 mov eax, dword
ptr [ebx+000001B0]
:004266DE E8B1B5FEFF call 00411C94
:004266E3 EB10
jmp 004266F5
...
再看上面的代码,分析一下...
但怪的是,每次让它把那个NUM.完整地算完之后,到:0042667D那条MOV之后AL总是2!那我就看这个2是哪来的:向上一看,是:00426673
B802000000 mov eax, 00000002写进[EDI]的!再一分析:只要让它在循环里'正常地'把整个KEYFILE算完,一定是在:0042662F处因EDX追上ECX(应该是文件长度)而跳到00426673,这个2就一定来!所以要成功就必须'不正常'地跳出循环.循环里共有三个JE:第二个(:0042662F)就是上面说的正常出口;第三个(:00426634)只有DL走到FFH、也就是KEYFILE长到255个字节时才会跳,可能吗?那就只剩:0042661B这个JE了...也就是说,只要NUM.里出现一个00H字节,就可以绕开那个该死的2!
那就使BL=00H,果然到了又一村,呵呵...
...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042661B(C)
|
:00426646 E8EDFFFFFF call 00426638/*不用理它*/
:0042664B 42
inc edx /*EDX是00H字节所在的偏移(下标),这里先加1跳过00H*/
:0042664C 83C204
add edx, 00000004/*再加4个字节,即00H后面那个DWORD*/
:0042664F 39D1
cmp ecx, edx/*ECX(总长度)必须正好等于00H的偏移+5,否则去00426673拿结果2*/
:00426651 7520
jne 00426673
:00426653 83EA04
sub edx, 00000004/*回到原状*/
:00426656 85C0
test eax, eax
:00426658 7602
jbe 0042665C
:0042665A D1E8
shr eax, 1/*使EAX变化(逻辑右移)*/
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00426658(C)
|
:0042665C 3B0416
cmp eax, dword ptr [esi+edx]/*把算出来的EAX和00H后面那4个字节(按DWORD读)比较!*/
:0042665F 7509
jne 0042666A
...
细心跟踪,你会发现,00H后面只能再跟4个字节(:0042664B到:00426651要求ECX正好等于00H的偏移+5),并且这4个字节按DWORD读出来要和EAX(:0042665C处的值,EAX不为0时还先SHR 1)相等!换句话说,程序检查的是'00H之前那些字节算出来的NUM.'与'00H之后的4个字节'是否一致,而00H放在哪儿由写KEYFILE的人说了算.那么如果NUM.的第一个字节就是00H,循环一次也没算,EAX还是进循环前的值(应为0,在SICE里可以确认),也就是说最简单的KEYFILE就是5个字节的00H:一个00H结束符加上4个字节的00000000H!好!用HEX
WORKSHOP把KEYFILE改好!一试,OK!
...可是,可是REGISTERED TO:给谁?
唉!那就只好把KEYFILE做成'Vitamin C'+00H+xxxxxxxx的样子,在SICE里跟到:0042665C看此时EAX的值:2FC868F2;因为DWORD在文件里是低字节在前(little-endian),写进文件时要倒过来成F2 68 C8 2F这四个字节,填上去就行了![前面加上NAME、注册后显示NAME这一点是参考了别人的教程,因为我没有精力找出它是如何显示你的大名的了...;(].
OK!
Vitamin C[抗坏血酸].2002.2.9.HY.GD.CHI.