【文章标题】: IDA提取程序关键代码做Keygen
【文章作者】: KuNgBiM
【作者邮箱】: kungbim@163.com
【作者主页】: http://www.crkcn.com
【软件名称】: HCC's Crackme
【软件大小】: 4KB
【下载地址】: 附件下载
【加壳方式】: N/A
【保护方式】: 序列号
【编写语言】: MASM32 / TASM32
【使用工具】: IDA 4.8
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
  由于目标为MASM32/TASM32的程序,所以直接用IDA分析:
  
  找到这里:
  
  .text:00401180 ; =============== S U B R O U T I N E =======================================
  .text:00401180
  .text:00401180 ; Attributes: bp-based frame
  .text:00401180
  .text:00401180 ; int __stdcall sub_401180(HWND hWnd,UINT Msg,WPARAM wParam,LPARAM lParam)
  .text:00401180 sub_401180      proc near               ; DATA XREF: sub_40101D+14o
  .text:00401180
  .text:00401180 hWnd            = dword ptr  8
  .text:00401180 Msg             = dword ptr  0Ch
  .text:00401180 wParam          = dword ptr  10h
  .text:00401180 lParam          = dword ptr  14h
  .text:00401180
  .text:00401180                 push    ebp
  .text:00401181                 mov     ebp, esp
  .text:00401183                 cmp     [ebp+Msg], 2    ; WM_DESTROY
  .text:00401187                 jnz     short loc_401195
  .text:00401189                 push    0               ; nExitCode
  .text:0040118B                 call    PostQuitMessage
  .text:00401190                 jmp     loc_401268
  .text:00401195 ; ---------------------------------------------------------------------------
  .text:00401195
  .text:00401195 loc_401195:                             ; CODE XREF: sub_401180+7j
  .text:00401195                 cmp     [ebp+Msg], 10h  ; WM_CLOSE
  .text:00401199                 jnz     short loc_4011A8
  .text:0040119B                 push    [ebp+hWnd]      ; hWnd
  .text:0040119E                 call    DestroyWindow
  .text:004011A3                 jmp     loc_401268
  .text:004011A8 ; ---------------------------------------------------------------------------
  .text:004011A8
  .text:004011A8 loc_4011A8:                             ; CODE XREF: sub_401180+19j
  .text:004011A8                 cmp     [ebp+Msg], 111h ; WM_COMMAND
  .text:004011AF                 jnz     loc_401253      ; every other message -> DefWindowProcA
  .text:004011B5                 mov     eax, [ebp+wParam]
  .text:004011B8                 cmp     [ebp+lParam], 0 ; lParam = control handle; 0 means menu/accelerator
  .text:004011BC                 jz      loc_401268
  .text:004011C2                 mov     edx, [ebp+wParam]
  .text:004011C5                 shr     edx, 10h        ; dx = HIWORD(wParam) = notification code
  .text:004011C8                 or      dx, dx
  .text:004011CB                 jnz     loc_401251      ; only code 0 (BN_CLICKED) continues
  .text:004011D1                 cmp     ax, 67h         ; LOWORD(wParam) = control id; 67h is presumably the button
  .text:004011D5                 jnz     short loc_401251
  .text:004011D7                 push    19h             ; nMaxCount
  .text:004011D9                 push    offset String   ; lpString
  .text:004011DE                 push    66h             ; nIDDlgItem
  .text:004011E0                 push    [ebp+hWnd]      ; hDlg
  .text:004011E3                 call    GetDlgItemTextA ; read the typed serial (control 66h, up to 24 chars) into String
  .text:004011E8                 push    1Eh             ; nMaxCount
  .text:004011EA                 push    offset byte_40307C ; lpString
  .text:004011EF                 push    65h             ; nIDDlgItem
  .text:004011F1                 push    [ebp+hWnd]      ; hDlg
  .text:004011F4                 call    GetDlgItemTextA ; read the name (control 65h, up to 29 chars); eax = its length
  .text:004011F9                 cmp     eax, 6          ; the name must be at least 6 characters long
  .text:004011FC                 jb      short loc_401251; shorter -> fail (unsigned compare)
  .text:004011FE                 mov     ecx, eax        ; ecx = name length
  .text:00401200                 mov     ebx, 0Fh        ; ebx = initial product 0Fh, multiplied up in sub_40126E
  .text:00401205                 sub     ecx, 4          ; loop count = length - 4 (bytes 4..length-1 are used)
  .text:00401208                 mov     dword_4030C4, ecx ; the loop count reaches sub_40126E through this global
  .text:0040120E                 push    edi
  .text:0040120F                 push    offset unk_403051
  .text:00401214                 push    offset unk_403061 ; both pushes are popped by retn 8 and never read by sub_40126E
  .text:00401219                 call    sub_40126E      ; key algorithm: ebx = f(name bytes 4..length-1)
  .text:0040121E                 push    ebx             ; computed value, kept across the next call
  .text:0040121F                 push    offset String
  .text:00401224                 call    sub_401330      ; eax = value parsed from the typed serial (body not shown on this page)
  .text:00401229                 pop     ebx
  .text:0040122A                 pop     edi
  .text:0040122B                 cmp     eax, ebx        ; typed serial == computed value?
  .text:0040122D                 jnz     short loc_401251
  .text:0040122F                 push    40h             ; uType
  .text:00401231                 push    offset Caption  ; "wee"
  .text:00401236                 push    offset Text     ; "You did it! Now make a keygen =)"
  .text:0040123B                 push    0               ; hWnd
  .text:0040123D                 call    MessageBoxA
  .text:00401242                 push    offset aCrackmeCracked ; "Crackme - cracked!"
  .text:00401247                 push    [ebp+hWnd]      ; hWnd
  .text:0040124A                 call    SetWindowTextA
  .text:0040124F                 jmp     short $+2       ; jumps to the next instruction (no-op)
  .text:00401251
  .text:00401251 loc_401251:                             ; CODE XREF: sub_401180+4Bj
  .text:00401251                                         ; sub_401180+55j ...
  .text:00401251                 jmp     short loc_401268
  .text:00401253 ; ---------------------------------------------------------------------------
  .text:00401253
  .text:00401253 loc_401253:                             ; CODE XREF: sub_401180+2Fj
  .text:00401253                 push    [ebp+lParam]    ; lParam
  .text:00401256                 push    [ebp+wParam]    ; wParam
  .text:00401259                 push    [ebp+Msg]       ; Msg
  .text:0040125C                 push    [ebp+hWnd]      ; hWnd
  .text:0040125F                 call    DefWindowProcA
  .text:00401264                 leave
  .text:00401265                 retn    10h
  .text:00401268 ; ---------------------------------------------------------------------------
  .text:00401268
  .text:00401268 loc_401268:                             ; CODE XREF: sub_401180+10j
  .text:00401268                                         ; sub_401180+23j ...
  .text:00401268                 xor     eax, eax        ; return 0 (message handled)
  .text:0040126A                 leave
  .text:0040126B                 retn    10h
  .text:0040126B sub_401180      endp
  .text:0040126B
  .text:0040126E
  .text:0040126E ; =============== S U B R O U T I N E =======================================
  .text:0040126E
  .text:0040126E ; Attributes: bp-based frame
  .text:0040126E
  .text:0040126E sub_40126E      proc near               ; CODE XREF: sub_401180+99p
  .text:0040126E                 push    ebp
  .text:0040126F                 mov     ebp, esp
  .text:00401271                 add     esp, 0FFFFFFFCh ; reserve 4 bytes of locals (never used below)
  .text:00401274                 xor     edx, edx
  .text:00401276                 xor     eax, eax
  .text:00401278                 xor     ecx, ecx              ; ecx = byte index, runs 0 .. dword_4030C4-1
  .text:0040127A                 xor     esi, esi
  .text:0040127C                 xor     edi, edi
  .text:0040127E
  .text:0040127E loc_40127E:                             ; CODE XREF: sub_40126E+21j
  .text:0040127E                 movsx   eax, byte_403080[ecx] ; eax = (signed char)name[4+ecx]; byte_403080 = byte_40307C+4
  .text:00401285                 imul    ebx, eax              ; ebx *= byte (ebx arrives as 0Fh from the caller)
  .text:00401288                 inc     ecx
  .text:00401289                 cmp     dword_4030C4, ecx
  .text:0040128F                 jnz     short loc_40127E      ; loop until ecx == length-4
  .text:00401291                 lea     ecx, ds:1337h[ebx*2]  ; ecx = ebx*2 + 1337h
  .text:00401298                 xor     cx, cx                ; clear the low word of ecx
  .text:0040129B                 lea     ecx, [ecx+ebx*4]      ; ecx += ebx*4
  .text:0040129E                 xor     ebx, ecx              ; ebx ^= ecx -- final key value
  .text:004012A0                 leave
  .text:004012A1                 retn    8                     ; result left in ebx; pops the two unused arguments
  .text:004012A1 sub_40126E      endp
  
--------------------------------------------------------------------------------
【注册机源码】

  .386
  .model flat,stdcall
  option casemap:none
  
  ;     include files
  ;     ~~~~~~~~~~~~~
        include D:\MASM32\INCLUDE\windows.inc
        include D:\MASM32\INCLUDE\masm32.inc
        include D:\MASM32\INCLUDE\gdi32.inc
        include D:\MASM32\INCLUDE\user32.inc
        include D:\MASM32\INCLUDE\kernel32.inc
        include D:\MASM32\INCLUDE\Comctl32.inc
        include D:\MASM32\INCLUDE\comdlg32.inc
        include D:\MASM32\INCLUDE\shell32.inc
  
  ;     libraries
  ;     ~~~~~~~~~
        includelib D:\MASM32\LIB\masm32.lib
  
        includelib D:\MASM32\LIB\gdi32.lib
        includelib D:\MASM32\LIB\user32.lib
        includelib D:\MASM32\LIB\kernel32.lib
        includelib D:\MASM32\LIB\Comctl32.lib
        includelib D:\MASM32\LIB\comdlg32.lib
        includelib D:\MASM32\LIB\shell32.lib
  
  
  .const
  
  IDC_BUTTON    equ     1000          ; button id from the dialog template; not referenced in this source
  IDC_BOX1      equ     3000          ; edit box: user name input
  IDC_BOX2      equ     3001          ; edit box: generated key / status text output
  
  DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD   ; hWnd, uMsg, wParam, lParam
  
  .data
   szHiba db "请输入大于等于6位的用户名",0
  .data?
  
   hInstance dd ?
   szInput1 db 25 dup (?)
   LInput1 db ?
   szOutput db 25 dup (?)
   LOutput db ?
   aktive_h dd ?
  
  .code
  
  start:
    invoke GetModuleHandle, NULL
    mov    hInstance,eax
  
  
    push NULL
    push offset DlgProc
          push NULL
    Call j1
  
    db 'MYDIALOG',0
  
    j1:
          push eax
    Call DialogBoxParam
  
    invoke ExitProcess,eax
  
  DlgProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    .IF uMsg==WM_INITDIALOG
      invoke GetDlgItem, hWnd,IDC_BOX1
      invoke SetFocus,eax
            invoke  SetDlgItemText,hWnd,IDC_BOX2,offset szHiba
    .ELSEIF uMsg==WM_CLOSE
      invoke  PostQuitMessage,0
    .ELSEIF uMsg==WM_COMMAND
      mov     eax,wParam
      and     eax,0ffffh
      cmp     eax,IDC_BOX1
      jne Default
      biztos:
      mov     esi,hWnd
      call    GenerateKey
      xor eax,eax
      ret
  
    .ELSE
      mov eax,FALSE
      ret
    .ENDIF
  
  Default:
    mov eax,TRUE
    ret
  DlgProc endp
  
  
  
  
  GenerateKey:
     mov aktive_h,esi
     invoke  GetDlgItemText,aktive_h,IDC_BOX1,offset szInput1,30  ; 获取文本框1
     cmp    eax,6          ; 是否大于等于6位
     jb      NoName        ; 如果不是则跳!不计算
  
     mov [LInput1],al
  
     call    Keygen
     invoke  SetDlgItemText,esi,IDC_BOX2,eax
     ret
  NoName:
     
     invoke  SetDlgItemText,esi,IDC_BOX2,offset szHiba
      ret
  
  
  .CODE
  
  Keygen:
   push esi                         ; 计算加密算法循环次数
   xor esi,esi
   mov eax,0fh                      ; 初始化长度
   mov edx,offset szInput1          ; 获取文本框1中字符串长度
   movsx ecx,byte ptr[LInput1]      ; 送ECX保留
   sub ecx,4                        ; 循环次数等于字符串长度减4
  
  
   l1:
     movsx ebx,byte ptr[4+edx+esi]  ; 这里开始计算咯
     imul eax,ebx
     inc esi
     cmp esi,ecx
     jne l1                         ; 循环计算
  
  lea         ecx,[eax*2+1337h]
  xor         cx,cx
  lea         ecx,[ecx+eax*4]
  xor         eax,ecx               ; 计算完毕
  
  
  mov ebx,offset szOutput
  add ebx,10
  xor ecx,ecx
  kezdet_1:
  push ebx
  mov ebx,10h
  cdq
  idiv ebx
  
  cmp dl,0fh
  jb nemf
  sub dl,0f0h
  nemf:
  cmp dl,0ah
  jb nemABCDEF
  
  add dl,7
  
  nemABCDEF:
  add edx,30h
  
  pop ebx
  mov [ebx],dl
  dec ebx
  
  cmp eax,0FFFFFFFh
  je kezdet_nek
  cmp eax,0
  je kezdet_nek
  jmp kezdet_1
  kezdet_nek:
  
  mov eax,ebx
  inc eax
  pop esi
   ret
  end start
  
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!

                                                       2007年03月06日 AM 04:14:01