160 CrackMes: 001

1. Program analysis

To crack a program you must first understand it. So during the cracking process, the initial analysis of the program matters: it helps us understand the author's purpose and intent, in particular the details of how the serial is handled, which makes reverse tracing and deriving the serial much easier.

2. The message box

Drag Acid burn.exe into OD (OllyDbg) and press F9 to run it; the window shown below appears.

We can get rid of this message box directly. Searching for the string locates it:

0042F786   .  B9 A0F74200   mov ecx,Acid_bur.0042F7A0                ;  hello you have to kill me!
0042F78B   .  BA BCF74200   mov edx,Acid_bur.0042F7BC                ;  Welcome to this Newbies Crackme made by ACiD BuRN [CracKerWoRlD]
0042F790   .  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042F795   .  8B00          mov eax,dword ptr ds:[eax]
0042F797   .  E8 D4A9FFFF   call Acid_bur.0042A170
0042F79C   .  C3            retn

Set a breakpoint at 0042F79C and press F8 to return into the calling function:

0042560F   .^\E9 00DBFDFF   jmp Acid_bur.00403114
00425614   .^ EB EE         jmp short Acid_bur.00425604
00425616   >  33C0          xor eax,eax
00425618   .  55            push ebp
00425619   .  68 4D564200   push Acid_bur.0042564D
0042561E   .  64:FF30       push dword ptr fs:[eax]
00425621   .  64:8920       mov dword ptr fs:[eax],esp
00425624   .  8B45 FC       mov eax,dword ptr ss:[ebp-0x4]
00425627   .  66:83B8 CE010>cmp word ptr ds:[eax+0x1CE],0x0
0042562F   .  74 12         je short Acid_bur.00425643               ;  this jump looks suspicious
00425631   .  8B5D FC       mov ebx,dword ptr ss:[ebp-0x4]
00425634   .  8B55 FC       mov edx,dword ptr ss:[ebp-0x4]
00425637   .  8B83 D0010000 mov eax,dword ptr ds:[ebx+0x1D0]
0042563D   .  FF93 CC010000 call dword ptr ds:[ebx+0x1CC]            ;  the call that produced the message box
00425643   >  33C0          xor eax,eax                              ;  execution arrives here
00425645   .  5A            pop edx                                  ;  0012FE5C
00425646   .  59            pop ecx                                  ;  0012FE5C
00425647   .  59            pop ecx                                  ;  0012FE5C
00425648   .  64:8910       mov dword ptr fs:[eax],edx               ;  ntdll.KiFastSystemCallRet

Modify that suspicious jump so the message-box call is skipped:

0042562F     /EB 12         jmp short Acid_bur.00425643              ;  the suspicious jump => changed to jmp
00425631   . |8B5D FC       mov ebx,dword ptr ss:[ebp-0x4]
00425634   . |8B55 FC       mov edx,dword ptr ss:[ebp-0x4]
00425637   . |8B83 D0010000 mov eax,dword ptr ds:[ebx+0x1D0]
0042563D   . |FF93 CC010000 call dword ptr ds:[ebx+0x1CC]            ;  the message box from before
00425643   > \33C0          xor eax,eax
00425645   .  5A            pop edx                                  ;  0012FE5C
00425646   .  59            pop ecx                                  ;  0012FE5C
00425647   .  59            pop ecx                                  ;  0012FE5C

Save the patched program; opening the saved copy shows that the message box is gone.

3. Serial generation

Starting over, the program turns out to have two parts: Serial/Name, which requires both a user name and a serial to pass, and Serial, which only needs a single serial-like value.

Choose Serial/Name and enter a user name and a serial:

Name:112233
Serial:44556677

Click Check it Baby! and a dialog pops up: Sorry, The Serial is incorrect !

Try a few other random inputs; this is the only outcome. So after the serial is checked, a failure goes straight to the dialog. If we find where the dialog is shown and trace upward from there, we find the place where correctness is decided; turning that into a jmp or NOPing it is the crack.

Do not click OK yet. Go back to OD, pause (F12), and click the stack "K" icon (Ctrl+K), as shown in the figure below:

Click "Show call" to see where it was called from; the call is several levels deep. Use Ctrl+F9 and then F8 to reach the outer caller:

0042F998  /.  55            push ebp
0042F999  |.  8BEC          mov ebp,esp
0042F99B  |.  33C9          xor ecx,ecx                              ;  user32.77D1882A
0042F99D  |.  51            push ecx                                 ;  user32.77D1882A
0042F99E  |.  51            push ecx                                 ;  user32.77D1882A
0042F99F  |.  51            push ecx                                 ;  user32.77D1882A
0042F9A0  |.  51            push ecx                                 ;  user32.77D1882A
0042F9A1  |.  51            push ecx                                 ;  user32.77D1882A
0042F9A2  |.  51            push ecx                                 ;  user32.77D1882A
0042F9A3  |.  53            push ebx
0042F9A4  |.  56            push esi
0042F9A5  |.  8BD8          mov ebx,eax
0042F9A7  |.  33C0          xor eax,eax
0042F9A9  |.  55            push ebp
0042F9AA  |.  68 67FB4200   push Acid_bur.0042FB67
0042F9AF  |.  64:FF30       push dword ptr fs:[eax]
0042F9B2  |.  64:8920       mov dword ptr fs:[eax],esp
0042F9B5  |.  C705 50174300>mov dword ptr ds:[0x431750],0x29
0042F9BF  |.  8D55 F0       lea edx,[local.4]
0042F9C2  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9C8  |.  E8 8BB0FEFF   call Acid_bur.0041AA58
0042F9CD  |.  8B45 F0       mov eax,[local.4]
0042F9D0  |.  E8 DB40FDFF   call Acid_bur.00403AB0
0042F9D5  |.  A3 6C174300   mov dword ptr ds:[0x43176C],eax
0042F9DA  |.  8D55 F0       lea edx,[local.4]
0042F9DD  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9E3  |.  E8 70B0FEFF   call Acid_bur.0041AA58
0042F9E8  |.  8B45 F0       mov eax,[local.4]
0042F9EB  |.  0FB600        movzx eax,byte ptr ds:[eax]
0042F9EE  |.  8BF0          mov esi,eax
0042F9F0  |.  C1E6 03       shl esi,0x3
0042F9F3  |.  2BF0          sub esi,eax
0042F9F5  |.  8D55 EC       lea edx,[local.5]
0042F9F8  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9FE  |.  E8 55B0FEFF   call Acid_bur.0041AA58
0042FA03  |.  8B45 EC       mov eax,[local.5]                        ;  Acid_bur.0042467E
0042FA06  |.  0FB640 01     movzx eax,byte ptr ds:[eax+0x1]
0042FA0A  |.  C1E0 04       shl eax,0x4
0042FA0D  |.  03F0          add esi,eax
0042FA0F  |.  8935 54174300 mov dword ptr ds:[0x431754],esi
0042FA15  |.  8D55 F0       lea edx,[local.4]
0042FA18  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA1E  |.  E8 35B0FEFF   call Acid_bur.0041AA58
0042FA23  |.  8B45 F0       mov eax,[local.4]
0042FA26  |.  0FB640 03     movzx eax,byte ptr ds:[eax+0x3]
0042FA2A  |.  6BF0 0B       imul esi,eax,0xB
0042FA2D  |.  8D55 EC       lea edx,[local.5]
0042FA30  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA36  |.  E8 1DB0FEFF   call Acid_bur.0041AA58
0042FA3B  |.  8B45 EC       mov eax,[local.5]                        ;  112233
0042FA3E  |.  0FB640 02     movzx eax,byte ptr ds:[eax+0x2]          ;  third character of the name
0042FA42  |.  6BC0 0E       imul eax,eax,0xE                         ;  eax = 0x32 * 0xE == 0x2BC
0042FA45  |.  03F0          add esi,eax
0042FA47  |.  8935 58174300 mov dword ptr ds:[0x431758],esi
0042FA4D  |.  A1 6C174300   mov eax,dword ptr ds:[0x43176C]
0042FA52  |.  E8 D96EFDFF   call Acid_bur.00406930                   ;  checks whether the tag/serial is acceptable
0042FA57  |.  83F8 04       cmp eax,0x4
0042FA5A      7D 1D         jge short Acid_bur.0042FA79
0042FA5C  |.  6A 00         push 0x0
0042FA5E  |.  B9 74FB4200   mov ecx,Acid_bur.0042FB74                ;  ASCII 54,"ry Again!"
0042FA63  |.  BA 80FB4200   mov edx,Acid_bur.0042FB80                ;  ASCII 53,"orry , The serial is incorect !"
0042FA68  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042FA6D  |.  8B00          mov eax,dword ptr ds:[eax]
0042FA6F  |.  E8 FCA6FFFF   call Acid_bur.0042A170                   ;  show the error message box
0042FA74  |.  E9 BE000000   jmp Acid_bur.0042FB37
0042FA79  |>  8D55 F0       lea edx,[local.4]
0042FA7C  |.  8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA82  |.  E8 D1AFFEFF   call Acid_bur.0041AA58
0042FA87  |.  8B45 F0       mov eax,[local.4]                        ;  112233
0042FA8A  |.  0FB600        movzx eax,byte ptr ds:[eax]              ;  first character: 0x31
0042FA8D  |.  F72D 50174300 imul dword ptr ds:[0x431750]             ;  eax = 0x31 * 0x29 == 0x7D9
0042FA93  |.  A3 50174300   mov dword ptr ds:[0x431750],eax
0042FA98  |.  A1 50174300   mov eax,dword ptr ds:[0x431750]
0042FA9D  |.  0105 50174300 add dword ptr ds:[0x431750],eax
0042FAA3  |.  8D45 FC       lea eax,[local.1]
0042FAA6  |.  BA ACFB4200   mov edx,Acid_bur.0042FBAC                ;  CW
0042FAAB  |.  E8 583CFDFF   call Acid_bur.00403708
0042FAB0  |.  8D45 F8       lea eax,[local.2]
0042FAB3  |.  BA B8FB4200   mov edx,Acid_bur.0042FBB8
0042FAB8  |.  E8 4B3CFDFF   call Acid_bur.00403708
0042FABD  |.  FF75 FC       push [local.1]                           ;  CW
0042FAC0  |.  68 C8FB4200   push Acid_bur.0042FBC8                   ;  UNICODE "-"
0042FAC5  |.  8D55 E8       lea edx,[local.6]
0042FAC8  |.  A1 50174300   mov eax,dword ptr ds:[0x431750]
0042FACD  |.  E8 466CFDFF   call Acid_bur.00406718                   ;  convert the number to a decimal string: 0xFB2 => 4018
0042FAD2  |.  FF75 E8       push [local.6]                           ;  4018
0042FAD5  |.  68 C8FB4200   push Acid_bur.0042FBC8                   ;  UNICODE "-"
0042FADA  |.  FF75 F8       push [local.2]                           ;  CRACKED
0042FADD  |.  8D45 F4       lea eax,[local.3]                        ;  result
0042FAE0  |.  BA 05000000   mov edx,0x5
0042FAE5  |.  E8 C23EFDFF   call Acid_bur.004039AC
0042FAEA  |.  8D55 F0       lea edx,[local.4]
0042FAED  |.  8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042FAF3  |.  E8 60AFFEFF   call Acid_bur.0041AA58
0042FAF8  |.  8B55 F0       mov edx,[local.4]                        ;  44556677
0042FAFB  |.  8B45 F4       mov eax,[local.3]                        ;  CW-4018-CRACKED
0042FAFE  |.  E8 F93EFDFF   call Acid_bur.004039FC                   ;  compare the two strings for equality
0042FB03      75 1A         jnz short Acid_bur.0042FB1F              ;  the key jump
0042FB05  |.  6A 00         push 0x0
0042FB07  |.  B9 CCFB4200   mov ecx,Acid_bur.0042FBCC
0042FB0C  |.  BA D8FB4200   mov edx,Acid_bur.0042FBD8
0042FB11  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042FB16  |.  8B00          mov eax,dword ptr ds:[eax]
0042FB18  |.  E8 53A6FFFF   call Acid_bur.0042A170
0042FB1D  |.  EB 18         jmp short Acid_bur.0042FB37
0042FB1F  |>  6A 00         push 0x0
0042FB21  |.  B9 74FB4200   mov ecx,Acid_bur.0042FB74                ;  ASCII 54,"ry Again!"
0042FB26  |.  BA 80FB4200   mov edx,Acid_bur.0042FB80                ;  ASCII 53,"orry , The serial is incorect !"
0042FB2B  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042FB30  |.  8B00          mov eax,dword ptr ds:[eax]
0042FB32  |.  E8 39A6FFFF   call Acid_bur.0042A170                   ;  show the error message box
0042FB37  |>  33C0          xor eax,eax
0042FB39  |.  5A            pop edx                                  ;  0012F990
0042FB3A  |.  59            pop ecx                                  ;  0012F990
0042FB3B  |.  59            pop ecx                                  ;  0012F990
0042FB3C  |.  64:8910       mov dword ptr fs:[eax],edx
0042FB3F  |.  68 6EFB4200   push Acid_bur.0042FB6E
0042FB44  |>  8D45 E8       lea eax,[local.6]
0042FB47  |.  E8 243BFDFF   call Acid_bur.00403670
0042FB4C  |.  8D45 EC       lea eax,[local.5]
0042FB4F  |.  BA 02000000   mov edx,0x2
0042FB54  |.  E8 3B3BFDFF   call Acid_bur.00403694
0042FB59  |.  8D45 F4       lea eax,[local.3]
0042FB5C  |.  BA 03000000   mov edx,0x3
0042FB61  |.  E8 2E3BFDFF   call Acid_bur.00403694
0042FB66  \.  C3            retn
0042FB67   .^ E9 A835FDFF   jmp Acid_bur.00403114
0042FB6C   .^ EB D6         jmp short Acid_bur.0042FB44
0042FB6E   .  5E            pop esi                                  ;  0012F990
0042FB6F   .  5B            pop ebx                                  ;  0012F990
0042FB70   .  8BE5          mov esp,ebp
0042FB72   .  5D            pop ebp                                  ;  0012F990
0042FB73   .  C3            retn

Setting a breakpoint at the function entry 0042F998 and stepping through gives the algorithm: take the ASCII value of the first character of the user name (for 112233 the first character "1" is 0x31), multiply it by 0x29, then double the result (i.e. x2), convert that number to a decimal string, prepend "CW-" and append "-CRACKED". That string is the serial for the user name.

#include <cstdio>

int main() {
	const char* str_ = "112233";
	// movzx loads the first byte unsigned; multiply by 0x29, then double it
	unsigned int cnt = (unsigned char)str_[0] * 0x29;
	cnt += cnt;

	// decimal, no padding: "CW-4018-CRACKED" for the name above
	printf("Serial: CW-%u-CRACKED\r\n", cnt);

	return 0;
}
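As an added example (not code from the original post), the C program below mirrors the whole check at 0042F998 rather than only the serial construction: the cmp eax,0x4 / jge gate, the first-character multiply-and-double, the decimal conversion and the final string compare. The gate is assumed here to be a minimum name length of 4 (the listing computes a value from the name into 0x43176C and tests it against 4 but does not name it); the values written to 0x431754 and 0x431758 are left out because nothing in the compared string uses them.

```c
#include <stdio.h>
#include <string.h>

/* Assumed meaning of "cmp eax,0x4 / jge short 0042FA79": the name
 * must be at least 4 characters long, otherwise the error box shows. */
#define MIN_NAME_LEN 4

/* Build the serial the routine expects for a name (0042FA8A..0042FAE5):
 * first byte * 0x29, doubled, as decimal text between "CW-" and "-CRACKED".
 * Returns 1 on success, 0 if the name fails the gate or the buffer is small. */
int expected_serial(const char *name, char *out, size_t out_len)
{
    if (strlen(name) < MIN_NAME_LEN)
        return 0;
    /* movzx reads the byte unsigned; imul by 0x29, then add to itself */
    unsigned int v = (unsigned char)name[0] * 0x29u;
    v += v;
    int n = snprintf(out, out_len, "CW-%u-CRACKED", v);
    return n > 0 && (size_t)n < out_len;
}

/* Mirror of 0042FA52..0042FB03: 1 when the success branch would run,
 * 0 when either error box would be shown. */
int check_serial(const char *name, const char *serial)
{
    char buf[32];
    if (!expected_serial(name, buf, sizeof buf))
        return 0;                     /* jge not taken: "Try Again!" */
    return strcmp(buf, serial) == 0;  /* jnz at 0042FB03 */
}

int main(void)
{
    /* constructed sample inputs: the post's name, plus a short name */
    char buf[32];
    if (expected_serial("112233", buf, sizeof buf))
        printf("serial for 112233: %s\n", buf);
    printf("112233 / 44556677 -> %d\n", check_serial("112233", "44556677"));
    printf("112233 / %s -> %d\n", buf, check_serial("112233", buf));
    printf("abc / CW-7954-CRACKED -> %d\n", check_serial("abc", "CW-7954-CRACKED"));
    return 0;
}
```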

4. The second, standalone serial

For the second, standalone Serial, find the place where the dialog is first called, the same way as before:

0042F454   .  53            push ebx
0042F455   .  8BD8          mov ebx,eax                              ;  Acid_bur.0042F4BC
0042F457   .  A1 7C094300   mov eax,dword ptr ds:[0x43097C]
0042F45C   .  8B00          mov eax,dword ptr ds:[eax]
0042F45E   .  B2 01         mov dl,0x1
0042F460   .  E8 7B6BFFFF   call Acid_bur.00425FE0
0042F465   .  8BC3          mov eax,ebx
0042F467   .  E8 048FFFFF   call Acid_bur.00428370
0042F46C   .  5B            pop ebx                                  ;  00AD0F60
0042F46D   .  C3            retn
0042F46E      8BC0          mov eax,eax                              ;  Acid_bur.0042F4BC
0042F470  /.  55            push ebp
0042F471  |.  8BEC          mov ebp,esp
0042F473  |.  33C9          xor ecx,ecx
0042F475  |.  51            push ecx
0042F476  |.  51            push ecx
0042F477  |.  51            push ecx
0042F478  |.  51            push ecx
0042F479  |.  53            push ebx
0042F47A  |.  8BD8          mov ebx,eax                              ;  Acid_bur.0042F4BC
0042F47C  |.  33C0          xor eax,eax                              ;  Acid_bur.0042F4BC
0042F47E  |.  55            push ebp
0042F47F  |.  68 2CF54200   push Acid_bur.0042F52C
0042F484  |.  64:FF30       push dword ptr fs:[eax]
0042F487  |.  64:8920       mov dword ptr fs:[eax],esp
0042F48A  |.  8D45 FC       lea eax,[local.1]
0042F48D  |.  BA 40F54200   mov edx,Acid_bur.0042F540                ;  Hello
0042F492  |.  E8 7142FDFF   call Acid_bur.00403708
0042F497  |.  8D45 F8       lea eax,[local.2]
0042F49A  |.  BA 50F54200   mov edx,Acid_bur.0042F550                ;  Dude!
0042F49F  |.  E8 6442FDFF   call Acid_bur.00403708
0042F4A4  |.  FF75 FC       push [local.1]
0042F4A7  |.  68 60F54200   push Acid_bur.0042F560
0042F4AC  |.  FF75 F8       push [local.2]
0042F4AF  |.  8D45 F4       lea eax,[local.3]
0042F4B2  |.  BA 03000000   mov edx,0x3
0042F4B7  |.  E8 F044FDFF   call Acid_bur.004039AC
0042F4BC  |.  8D55 F0       lea edx,[local.4]
0042F4BF  |.  8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042F4C5  |.  E8 8EB5FEFF   call Acid_bur.0041AA58
0042F4CA  |.  8B45 F0       mov eax,[local.4]                        ;  the name entered: 112233
0042F4CD  |.  8B55 F4       mov edx,[local.3]                        ;  Hello Dude!
0042F4D0  |.  E8 2745FDFF   call Acid_bur.004039FC                   ;  string comparison
0042F4D5  |.  75 1A         jnz short Acid_bur.0042F4F1              ;  the key jump
0042F4D7  |.  6A 00         push 0x0
0042F4D9  |.  B9 64F54200   mov ecx,Acid_bur.0042F564                ;  Congratz!
0042F4DE  |.  BA 70F54200   mov edx,Acid_bur.0042F570                ;  God Job dude !! =)
0042F4E3  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042F4E8  |.  8B00          mov eax,dword ptr ds:[eax]
0042F4EA  |.  E8 81ACFFFF   call Acid_bur.0042A170                   ;  the success call
0042F4EF  |.  EB 18         jmp short Acid_bur.0042F509
0042F4F1  |>  6A 00         push 0x0
0042F4F3  |.  B9 84F54200   mov ecx,Acid_bur.0042F584                ;  Failed!
0042F4F8  |.  BA 8CF54200   mov edx,Acid_bur.0042F58C                ;  Try Again!!
0042F4FD  |.  A1 480A4300   mov eax,dword ptr ds:[0x430A48]
0042F502  |.  8B00          mov eax,dword ptr ds:[eax]
0042F504  |.  E8 67ACFFFF   call Acid_bur.0042A170                   ;  the error-message call
0042F509  |>  33C0          xor eax,eax                              ;  Acid_bur.0042F4BC
0042F50B  |.  5A            pop edx                                  ;  00AD0F60
0042F50C  |.  59            pop ecx                                  ;  00AD0F60
0042F50D  |.  59            pop ecx                                  ;  00AD0F60
0042F50E  |.  64:8910       mov dword ptr fs:[eax],edx
0042F511  |.  68 33F54200   push Acid_bur.0042F533
0042F516  |>  8D45 F0       lea eax,[local.4]
0042F519  |.  E8 5241FDFF   call Acid_bur.00403670
0042F51E  |.  8D45 F4       lea eax,[local.3]
0042F521  |.  BA 03000000   mov edx,0x3
0042F526  |.  E8 6941FDFF   call Acid_bur.00403694
0042F52B  \.  C3            retn
0042F52C   .^ E9 E33BFDFF   jmp Acid_bur.00403114
0042F531   .^ EB E3         jmp short Acid_bur.0042F516
0042F533   .  5B            pop ebx                                  ;  00AD0F60
0042F534   .  8BE5          mov esp,ebp
0042F536   .  5D            pop ebp                                  ;  00AD0F60
0042F537   .  C3            retn

Analysis shows that this serial is fixed: Hello Dude!
