
Thigo'Next Generation KeyGen的分析

這是TMG的Thigo的一個keyfile類型的crackme,號稱NEXT GENERATION KEYGEN,個人感覺不枉此稱號.

00401126 |. /75 0A jnz short 00401132 //目錄下必須有名為key.dat的文件
00401128 |. |68 08524000 push 00405208 ; you should put a file named key.dat in this dir...
0040112D |. |E9 26010000 jmp 00401258
00401132 |> \8D45 FC lea eax, [ebp-4]
00401135 |. 53 push ebx ; /pOverlapped
00401136 |. 50 push eax ; |pBytesRead
00401137 |. 8D85 A8FEFFFF lea eax, [ebp-158] ; |
0040113D |. 68 00010000 push 100 ; |BytesToRead = 100 (256.)
00401142 |. 50 push eax ; |Buffer
00401143 |. 56 push esi ; |hFile
00401144 |. FF15 18404000 call [<&KERNEL32.ReadFile>] ; \ReadFile
0040114A |. 56 push esi ; /hObject
0040114B |. FF15 1C404000 call [<&KERNEL32.CloseHandle>] ; \CloseHandle

0040115A |> 308C05 A8FEFF>/xor [ebp+eax-158], cl //文件長度與文件的每位XOR
00401161 |. 40 |inc eax
00401162 |. 3BC1 |cmp eax, ecx
00401164 |.^ 72 F4 \jb short 0040115A
00401166 |> 80B5 A8FEFFFF>xor byte ptr [ebp-158], 54 //文件的前三位分別再做變換
0040116D |. 80B5 A9FEFFFF>xor byte ptr [ebp-157], 4D
00401174 |. 80B5 AAFEFFFF>xor byte ptr [ebp-156], 47
0040117B |. 3BCF cmp ecx, edi
0040117D |. 8BF7 mov esi, edi
0040117F |. 76 27 jbe short 004011A8
00401181 |> 8A95 A8FEFFFF /mov dl, [ebp-158] //文件的前三位與後邊的做XOR
00401187 |. 8D8435 A9FEFF>|lea eax, [ebp+esi-157]
0040118E |. 03F7 |add esi, edi
00401190 |. 3050 FF |xor [eax-1], dl
00401193 |. 8A95 A9FEFFFF |mov dl, [ebp-157]
00401199 |. 3010 |xor [eax], dl
0040119B |. 8A95 AAFEFFFF |mov dl, [ebp-156]
004011A1 |. 3050 01 |xor [eax+1], dl
004011A4 |. 3BF1 |cmp esi, ecx
004011A6 |.^ 72 D9 \jb short 00401181


004011A8 |> BE 30504000 mov esi, 00405030
004011AD |. 889C0D A8FEFF>mov [ebp+ecx-158], bl
004011B4 |. 33FF xor edi, edi
004011B6 |. 8BC6 mov eax, esi
004011B8 |> 8A8C3D A8FEFF>/mov cl, [ebp+edi-158] //文件前三位與405030起的一端資料做XOR
004011BF |. 3008 |xor [eax], cl
004011C1 |. 40 |inc eax
004011C2 47 inc edi
004011C3 |. 83FF 03 |cmp edi, 3
004011C6 |. 75 02 |jnz short 004011CA
004011C8 |. 33FF |xor edi, edi
004011CA |> 8038 FF |cmp byte ptr [eax], 0FF
004011CD |.^ 75 E9 \jnz short 004011B8
******上邊這段是關鍵,因為後邊的指令與上邊的變換結果有關!!!*********

004011CF |. 0FB605 325040>movzx eax, byte ptr [405032]
004011D6 |. 0FB60D 315040>movzx ecx, byte ptr [405031]
004011DD |. 0FAFC1 imul eax, ecx
004011E0 0FB60D 305040>movzx ecx, byte ptr [405030]
004011E7 0FAFC1 imul eax, ecx
004011EA 3D F48B2A00 cmp eax, 2A8BF4 //文件前三位的變換結果的積要等於2A8BF4
004011EF 74 07 je short 004011F8
004011F1 |. 68 E4514000 push 004051E4 ; are u sure it's a good keyfile ??
004011F6 |. EB 60 jmp short 00401258
004011F8 |> 8A8D A8FEFFFF mov cl, [ebp-158]
004011FE |. 33C0 xor eax, eax
00401200 |> 884C05 D0 /mov [ebp+eax-30], cl //文件要有一處在變換後得20,不然會出錯
00401204 |. 8A8C05 A9FEFF>|mov cl, [ebp+eax-157]
0040120B |. 40 |inc eax
0040120C |. 80F9 20 |cmp cl, 20
0040120F |.^ 75 EF \jnz short 00401200
......
......


00401235 |. 885C15 A8 mov [ebp+edx-58], bl //改變一段記憶體的內容
00401239 |. 50 push eax ; /pOldProtect
0040123A |. 6A 40 push 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
0040123C |. 68 7F010000 push 17F ; |Size = 17F (383.)
00401241 |. 56 push esi ; |Address
00401242 |. FF15 68404000 call [<&KERNEL32.VirtualProtect>] ; \VirtualProtect
00401248 |. 8D45 D0 lea eax, [ebp-30]
0040124B |. 50 push eax
0040124C |. 8D45 A8 lea eax, [ebp-58]
0040124F |. 50 push eax
00401250 |. FFD6 call esi //關鍵!!!裡邊就是剛才說的由文件內容變換來的指令!!!
00401252 |. 59 pop ecx
00401253 |. 8D45 D0 lea eax, [ebp-30]
00401256 |. 59 pop ecx
00401257 |. 50 push eax
00401258 |> 68 EC030000 push 3EC ; |ControlID = 3EC (1004.)
0040125D |. FF75 08 push dword ptr [ebp+8] ; |hWnd
00401260 |. FF15 C0404000 call [<&USER32.SetDlgItemTextA>] ; \SetDlgItemTextA

此CRACKME採用資料與代碼結合的思想,關鍵的指令由註冊文件得到。怪不得Thigo稱它為next generation keygens.... 不過這個畢竟只是CRACKME,Thigo並沒採用一些很強的加密保護算法,如果真要採用一些不可逆的算法的話,看雪老大也說"目前的技術是無法破解的".


c語言註冊機關鍵代碼:
/*
 * Keygen body for Thigo's "Next Generation KeyGen" crackme. The post gives
 * only the body: the enclosing function header is missing and the final
 * closing brace belongs to it.
 *
 * It builds key.dat as the inverse of the transform traced in the
 * disassembly above: the crackme XORs every byte of the file with the file
 * length (0040115A), XORs bytes 0..2 with 0x54/0x4D/0x47 (00401166..00401174),
 * then uses those three bytes as a repeating mask over the rest of the file
 * (00401181..004011A6).
 *
 * NOTE(review): the subscripts on sn and name inside the loops look stripped
 * by the forum's markup ("[i]" rendered as italics); as pasted, those
 * assignments do not compile.
 */
char t=0x54;   /* the three constants the crackme XORs into bytes 0..2 */
char m=0x4d;
char g=0x47;
char x,y,z;    /* header bytes 0..2 of the keyfile being written */
char name[20];
char sn[20];   /* keyfile body: the name bytes after masking */
char name_len;
char fenge;    /* byte 3, the separator: must decode to 0x20 in the crackme */
char i;
char kf_len;   /* keyfile length: 3 header bytes + separator + name */
FILE *kf;
printf("please in put your name:\n");

/* NOTE(review): gets() has no bound while name holds 20 bytes; a longer line
 * overruns the buffer. fgets(name, sizeof name, stdin) plus stripping the
 * trailing newline is the bounded equivalent. */
gets(name);
name_len=strlen(name);
kf_len=name_len+4;


/* After the crackme's XOR with kf_len and with 0x54/0x4D/0x47, the three
 * header bytes are XORed into the data at 405030 (004011B8), whose product
 * must equal 0x2A8BF4 (004011EA). 0x55 * 0x8B * 0xEC == 0x2A8BF4, so the
 * transformed header must come out as 0x55, 0x8B, 0xEC.
 * Presumably 0x1e/0xbf/0xa2 are the original bytes at 405030..405032 —
 * TODO confirm, that data is not shown in the post. */
x=0x55^t^kf_len^0x1e;
y=0x8b^m^kf_len^0xbf;
z=0xec^g^kf_len^0xa2;


/* Byte 3+k of the file is masked with transformed header byte k%3, so the
 * name bytes (positions 4..) cycle through y, z, x. kf_len appears twice in
 * each expression and cancels out. */
for(i=0;i<name_len;i++)
{
if((i+1)%3==1)
sn=y^kf_len^m^name^kf_len;
if((i+1)%3==2)
sn=z^kf_len^g^name^kf_len;
if((i+1)%3==0)
sn=x^kf_len^t^name^kf_len;
}
/* separator at position 3 pairs with header byte 0; the crackme's loop at
 * 00401200 stops at the first byte that decodes to 0x20 */
fenge=x^kf_len^t^0x20^kf_len;

/* "wt" is text mode; on platforms that translate line endings a 0x0A byte in
 * the output would be rewritten — "wb" avoids that. */
if((kf=fopen("key.dat","wt"))==NULL)
{
printf("error on creating KeyFile!!!");
getch();   /* conio.h, non-standard (Turbo C / MSVC era) */
exit(1);
}
else
{
fputc(x,kf);       /* header bytes 0..2 */
fputc(y,kf);
fputc(z,kf);
fputc(fenge,kf);   /* separator, byte 3 */
i=0;
while(i<name_len)  /* body: masked name bytes */
{
fputc(sn,kf);
i++;
}
}
printf("\nThigo'crackme is cracked!\n\nKeygenMaker Is cODEd By eLnce.");

}   /* closes the enclosing function whose header is not in the post */

呵呵,ikki在看雪的文章發的比我早,也可能更詳細:
http://bbs.pediy.com/showthread.php?threadid=30337