【破文标题】:快刀斩乱麻 3.3的分析过程
【破文作者】:cracker_lee[BCG]
【作者邮箱】:cracker_lee@126.com
【软件名称】:快刀斩乱麻 3.3
【加壳方式】:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
【下载地址】:http://www.shareware.cn/pub/11243.html
【保护方式】:注册码+NAG
【编译语言】:Microsoft Visual C++ 6.0
【调试环境】:WinXP、PEiD、Ollydbg
【破解日期】:2005-06-14
【作者声明】:初学Crack,只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
—————————————————————————————————
【破解过程】:
首先用PEID看了一下,发现是UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo,这中壳没什么好说的,OD载入后,直接向下找到POPAD,F4到后,
接下来的JMP就到了入口点。方式一脱壳,能运行。
重新加载脱壳后的文件:
bp GetWindowTextA,中断后ALT+F9返回
00405752 E8 E17E0000 call <jmp.&MFC42.#2364>
00405757 83C6 70 add esi,70 //返回到这里
0040575A 56 push esi
0040575B 68 30040000 push 430
00405760 57 push edi
00405761 E8 C07E0000 call <jmp.&MFC42.#2370>//这里也会中断,ALT+F9返回
00405766 5F pop edi
00405767 5E pop esi
00405768 C2 0400 retn 4//这里回返回到下面的系统代码段
73D38DC6 C745 08 01000000 mov dword ptr ss:[ebp+8],1//同样ALT+F9
73D38DCD 8B45 E8 mov eax,dword ptr ss:[ebp-18]
73D38DD0 8B4D F4 mov ecx,dword ptr ss:[ebp-C]
73D38DD3 8987 B8000000 mov dword ptr ds:[edi+B8],eax
73D38DD9 8B45 08 mov eax,dword ptr ss:[ebp+8]
73D38DDC 5F pop edi
73D38DDD 5E pop esi
73D38DDE 64:890D 00000000 mov dword ptr fs:[0],ecx
73D38DE5 5B pop ebx
73D38DE6 C9 leave
73D38DE7 C2 0400 retn 4
0040141E E8 BFC00000 call <jmp.&MFC42.#6334>
00401423 8B0D 585C4100 mov ecx,dword ptr ds:[415C58] //返回后到这里
00401429 BE 1E000000 mov esi,1E
0040142E 68 585C4100 push x-cut.00415C58 ; ASCII "xN:"
00401433 BF 01000000 mov edi,1
00401438 8B41 F8 mov eax,dword ptr ds:[ecx-8] ; 用户名长度
0040143B 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
0040143F 2BF0 sub esi,eax ; 1E减去长度,用于需要填充多少个0
00401441 E8 96C00000 call <jmp.&MFC42.#858>
00401446 8B15 585C4100 mov edx,dword ptr ds:[415C58]
0040144C 8B42 F8 mov eax,dword ptr ds:[edx-8]
0040144F 83F8 1E cmp eax,1E ; 比较是否需要填充0
00401452 7D 3A jge short x-cut.0040148E
00401454 3BF3 cmp esi,ebx
00401456 7E 66 jle short x-cut.004014BE ; 比较是否需要填充0
00401458 68 68504100 push x-cut.00415068
0040145D 8D4424 18 lea eax,dword ptr ss:[esp+18]
00401461 68 585C4100 push x-cut.00415C58 ; ASCII "xN:"
00401466 50 push eax
00401467 E8 6AC00000 call <jmp.&MFC42.#924>
0040146C 50 push eax ; 取到用户名
0040146D B9 585C4100 mov ecx,x-cut.00415C58 ; ASCII "xN:"
00401472 C64424 28 01 mov byte ptr ss:[esp+28],1
00401477 E8 60C00000 call <jmp.&MFC42.#858>
0040147C 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00401480 885C24 24 mov byte ptr ss:[esp+24],bl
00401484 E8 DBBF0000 call <jmp.&MFC42.#800>
00401489 4E dec esi
0040148A ^ 75 CC jnz short x-cut.00401458
0040148C EB 30 jmp short x-cut.004014BE
0040148E 7E 2E jle short x-cut.004014BE
00401490 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
00401494 6A 1E push 1E
00401496 51 push ecx
00401497 B9 585C4100 mov ecx,x-cut.00415C58 ; ASCII "xN:"
0040149C E8 2FC00000 call <jmp.&MFC42.#4129>
004014A1 50 push eax
004014A2 B9 585C4100 mov ecx,x-cut.00415C58 ; ASCII "xN:"
004014A7 C64424 28 02 mov byte ptr ss:[esp+28],2
004014AC E8 2BC00000 call <jmp.&MFC42.#858>
004014B1 8D4C24 14 lea ecx,dword ptr ss:[esp+14]
004014B5 885C24 24 mov byte ptr ss:[esp+24],bl
004014B9 E8 A6BF0000 call <jmp.&MFC42.#800>
004014BE 55 push ebp //直接跳到这里
004014BF 8B2D 585C4100 mov ebp,dword ptr ds:[415C58]
004014C5 33C9 xor ecx,ecx
004014C7 8A0429 mov al,byte ptr ds:[ecx+ebp] ; 取每次取用户名第一位
004014CA 83E0 7F and eax,7F //与7F与
004014CD 69C0 3B2E0800 imul eax,eax,82E3B //与82E3B乘(假设J结果为X)
004014D3 8BF0 mov esi,eax
004014D5 B8 E10217B8 mov eax,B81702E1
004014DA F7EE imul esi //用常数B81702E1*x(假设结果为Y)
004014DC 03D6 add edx,esi //Y的EDX加上X
004014DE C1FA 06 sar edx,6 //Y的EDX算术右移6位(假设结果为Z)
004014E1 8BC2 mov eax,edx
004014E3 C1E8 1F shr eax,1F //将Z逻辑右移1F位
004014E6 03D0 add edx,eax //Z+上面的结果
004014E8 41 inc ecx ; ECX记数
004014E9 83F9 1E cmp ecx,1E //判断是否完毕
004014EC 8DBC17 7A078500 lea edi,dword ptr ds:[edi+edx+85077>//每一次结果都放入EDI,并加上本次结算的结果,在加85077
004014F3 ^ 7C D2 jl short x-cut.004014C7
004014F5 A1 545C4100 mov eax,dword ptr ds:[415C54]
004014FA 5D pop ebp
004014FB 3BC7 cmp eax,edi //关键比较,EDI为真注册码
004014FD 74 14 je short x-cut.00401513
004014FF 53 push ebx
00401500 53 push ebx
00401501 68 58504100 push x-cut.00415058
00401506 E8 BFBF0000 call <jmp.&MFC42.#1200>
0040150B 393D 545C4100 cmp dword ptr ds:[415C54],edi//提示注册码不正确
00401511 75 5C jnz short x-cut.0040156F
00401513 8D4C24 18 lea ecx,dword ptr ss:[esp+18]
00401517 8D5424 0C lea edx,dword ptr ss:[esp+C]
0040151B 51 push ecx //后面是将信息写入注册表
0040151C 52 push edx
0040151D 53 push ebx
0040151E 68 3F000F00 push 0F003F
00401523 53 push ebx
00401524 53 push ebx
00401525 53 push ebx
00401526 68 38504100 push x-cut.00415038 ; ASCII "MIME\Database\Charset\sciJSD"
0040152B 68 00000080 push 80000000
00401530 C74424 38 08000000 mov dword ptr ss:[esp+38],8
00401538 FF15 00004100 call dword ptr ds:[<&ADVAPI32.RegCr>; ADVAPI32.RegCreateKeyExA
0040153E 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
00401542 8D4424 14 lea eax,dword ptr ss:[esp+14]
00401546 6A 04 push 4
00401548 50 push eax
00401549 6A 04 push 4
0040154B 53 push ebx
0040154C 68 30504100 push x-cut.00415030 ; ASCII "option"
00401551 51 push ecx
00401552 FF15 04004100 call dword ptr ds:[<&ADVAPI32.RegSe>; ADVAPI32.RegSetValueExA
00401558 8B5424 0C mov edx,dword ptr ss:[esp+C]
0040155C 52 push edx
0040155D FF15 08004100 call dword ptr ds:[<&ADVAPI32.RegCl>; ADVAPI32.RegCloseKey
----------------------------------------------------------------
总结一下:
首先会将用户名用0填充为30位
然后依次取用户名的每一位
首先与7F,接着乘82E3B(结果记为X)
将X*B81702E1(结果记为Y,Y的高位EDX记为Y1)
在将Y1+X的结果算术右移6位(结果记为Z)
然后在将Z+上Z逻辑右移1F位的结果
每一次结果都放入EDI,并加上本次结算的结果,在加85077
注册成功后会将结果信息写入注册表
因此我的注册码是:
用户名:cracker_lee[BCG]
注册码:277388784
----------------------------------------------------------------------
【版权声明】 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!