Analysis of Thigo's Next Generation KeyGen
This is a keyfile-type crackme by Thigo of TMG, billed as a NEXT GENERATION KEYGEN, and in my opinion it earns that title.

```
00401126  |. /75 0A              jnz short 00401132                       ; the directory must contain a file named key.dat
00401128  |. |68 08524000        push 00405208                            ; you should put a file named key.dat in this dir...
0040112D  |. |E9 26010000        jmp 00401258
00401132  |> \8D45 FC            lea eax, [ebp-4]
00401135  |. 53                  push ebx                                 ; /pOverlapped
00401136  |. 50                  push eax                                 ; |pBytesRead
00401137  |. 8D85 A8FEFFFF       lea eax, [ebp-158]                       ; |
0040113D  |. 68 00010000         push 100                                 ; |BytesToRead = 100 (256.)
00401142  |. 50                  push eax                                 ; |Buffer
00401143  |. 56                  push esi                                 ; |hFile
00401144  |. FF15 18404000       call [<&KERNEL32.ReadFile>]              ; \ReadFile
0040114A  |. 56                  push esi                                 ; /hObject
0040114B  |. FF15 1C404000       call [<&KERNEL32.CloseHandle>]           ; \CloseHandle
0040115A  |> 308C05 A8FEFF>      /xor [ebp+eax-158], cl                   ; XOR every byte of the file with the file length
00401161  |. 40                  |inc eax
00401162  |. 3BC1                |cmp eax, ecx
00401164  |.^ 72 F4              \jb short 0040115A
00401166  |> 80B5 A8FEFFFF>      xor byte ptr [ebp-158], 54               ; the first three bytes of the file are each transformed once more
0040116D  |. 80B5 A9FEFFFF>      xor byte ptr [ebp-157], 4D
00401174  |. 80B5 AAFEFFFF>      xor byte ptr [ebp-156], 47
0040117B  |. 3BCF                cmp ecx, edi
0040117D  |. 8BF7                mov esi, edi
0040117F  |. 76 27               jbe short 004011A8
00401181  |> 8A95 A8FEFFFF       /mov dl, [ebp-158]                       ; XOR the rest of the file with its first three bytes
00401187  |. 8D8435 A9FEFF>      |lea eax, [ebp+esi-157]
0040118E  |. 03F7                |add esi, edi
00401190  |. 3050 FF             |xor [eax-1], dl
00401193  |. 8A95 A9FEFFFF       |mov dl, [ebp-157]
00401199  |. 3010                |xor [eax], dl
0040119B  |. 8A95 AAFEFFFF       |mov dl, [ebp-156]
004011A1  |. 3050 01             |xor [eax+1], dl
004011A4  |. 3BF1                |cmp esi, ecx
004011A6  |.^ 72 D9              \jb short 00401181
004011A8  |> BE 30504000         mov esi, 00405030
004011AD  |. 889C0D A8FEFF>      mov [ebp+ecx-158], bl
004011B4  |. 33FF                xor edi, edi
004011B6  |. 8BC6                mov eax, esi
004011B8  |> 8A8C3D A8FEFF>      /mov cl, [ebp+edi-158]                   ; XOR the first three bytes of the file over the block of data starting at 405030
004011BF  |. 3008                |xor [eax], cl
004011C1  |. 40                  |inc eax
004011C2     47                  |inc edi
004011C3  |. 83FF 03             |cmp edi, 3
004011C6  |. 75 02               |jnz short 004011CA
004011C8  |. 33FF                |xor edi, edi
004011CA  |> 8038 FF             |cmp byte ptr [eax], 0FF
004011CD  |.^ 75 E9              \jnz short 004011B8
```

***** The section above is the key, because the instructions that follow depend on the result of the transformation above!!! *****

```
004011CF  |. 0FB605 325040>      movzx eax, byte ptr [405032]
004011D6  |. 0FB60D 315040>      movzx ecx, byte ptr [405031]
004011DD  |. 0FAFC1              imul eax, ecx
004011E0     0FB60D 305040>      movzx ecx, byte ptr [405030]
004011E7     0FAFC1              imul eax, ecx
004011EA     3D F48B2A00         cmp eax, 2A8BF4                          ; the product of the transformed first three bytes must equal 2A8BF4
004011EF     74 07               je short 004011F8
004011F1  |. 68 E4514000         push 004051E4                            ; are u sure it's a good keyfile ??
004011F6  |. EB 60               jmp short 00401258
004011F8  |> 8A8D A8FEFFFF       mov cl, [ebp-158]
004011FE  |. 33C0                xor eax, eax
00401200  |> 884C05 D0           /mov [ebp+eax-30], cl                    ; the file must contain a byte that becomes 20 after the transformation, otherwise this goes wrong
00401204  |. 8A8C05 A9FEFF>      |mov cl, [ebp+eax-157]
0040120B  |. 40                  |inc eax
0040120C  |. 80F9 20             |cmp cl, 20
0040120F  |.^ 75 EF              \jnz short 00401200
......
......
00401235  |. 885C15 A8           mov [ebp+edx-58], bl                     ; modify the contents of a block of memory
00401239  |. 50                  push eax                                 ; /pOldProtect
0040123A  |. 6A 40               push 40                                  ; |NewProtect = PAGE_EXECUTE_READWRITE
0040123C  |. 68 7F010000         push 17F                                 ; |Size = 17F (383.)
00401241  |. 56                  push esi                                 ; |Address
00401242  |. FF15 68404000       call [<&KERNEL32.VirtualProtect>]        ; \VirtualProtect
00401248  |. 8D45 D0             lea eax, [ebp-30]
0040124B  |. 50                  push eax
0040124C  |. 8D45 A8             lea eax, [ebp-58]
0040124F  |. 50                  push eax
00401250  |. FFD6                call esi                                 ; KEY!!! inside are the instructions derived from the file contents, as described above!!!
00401252  |. 59                  pop ecx
00401253  |. 8D45 D0             lea eax, [ebp-30]
00401256  |. 59                  pop ecx
00401257  |. 50                  push eax
00401258  |> 68 EC030000         push 3EC                                 ; |ControlID = 3EC (1004.)
0040125D  |. FF75 08             push dword ptr [ebp+8]                   ; |hWnd
00401260  |. FF15 C0404000       call [<&USER32.SetDlgItemTextA>]         ; \SetDlgItemTextA
```

This crackme combines data with code: the key instructions are obtained from the registration file. No wonder Thigo calls it a next generation keygen.... Still, this is only a crackme; Thigo did not use any strong cryptographic protection. If a genuinely irreversible algorithm were used, then, as the head of Kanxue also says, "current techniques cannot break it".
Key code of the C keygen (the `[i]` subscripts the forum swallowed as BBCode are restored, `gets()` is replaced by a bounded read, and key.dat is opened in binary mode so no byte gets newline-translated):

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <conio.h>      /* getch() */

int main(void)
{
    char t = 0x54;      /* 'T' */
    char m = 0x4d;      /* 'M' */
    char g = 0x47;      /* 'G' */
    char x, y, z;       /* first three bytes of key.dat */
    char name[20];
    char sn[20];
    char name_len;
    char fenge;         /* separator byte: must decode to 0x20 */
    char i;
    char kf_len;        /* file length, XORed over every byte by the crackme */
    FILE *kf;

    printf("please in put your name:\n");
    if (fgets(name, sizeof name, stdin) == NULL)
        return 1;
    name[strcspn(name, "\r\n")] = '\0';
    name_len = strlen(name);
    kf_len = name_len + 4;                         /* 3 key bytes + separator + name */
    /* undo the length XOR and the "TMG" XOR so that the code bytes 1e bf a2
       at 405030 become 55 8b ec, whose product is 2A8BF4 */
    x = 0x55 ^ t ^ kf_len ^ 0x1e;
    y = 0x8b ^ m ^ kf_len ^ 0xbf;
    z = 0xec ^ g ^ kf_len ^ 0xa2;
    /* each name byte is XORed with the key byte that will cover its position */
    for (i = 0; i < name_len; i++) {
        if ((i + 1) % 3 == 1) sn[i] = y ^ kf_len ^ m ^ name[i] ^ kf_len;
        if ((i + 1) % 3 == 2) sn[i] = z ^ kf_len ^ g ^ name[i] ^ kf_len;
        if ((i + 1) % 3 == 0) sn[i] = x ^ kf_len ^ t ^ name[i] ^ kf_len;
    }
    fenge = x ^ kf_len ^ t ^ 0x20 ^ kf_len;
    if ((kf = fopen("key.dat", "wb")) == NULL) {
        printf("error on creating KeyFile!!!");
        getch();
        exit(1);
    } else {
        fputc(x, kf);
        fputc(y, kf);
        fputc(z, kf);
        fputc(fenge, kf);
        i = 0;
        while (i < name_len) {
            fputc(sn[i], kf);
            i++;
        }
        fclose(kf);
    }
    printf("\nThigo'crackme is cracked!\n\nKeygenMaker Is cODEd By eLnce.");
    return 0;
}
```

Heh, ikki posted his article on Kanxue earlier than mine, and it may be more detailed: http://bbs.pediy.com/showthread.php?threadid=30337
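The validation path traced in the disassembly, modelled in C as an added example that is not code from the post or from the crackme: `transform_keyfile` and `verify_keyfile` replay the three XOR stages, the product check and the search for a 0x20 byte, and `make_keyfile` is the inverse so the two can be checked against each other offline. The only bytes of the stub at 0x405030 this assumes are the first three (0x1e, 0xbf, 0xa2, implied by the keygen's constants); the rest of the stub is not on the page.

```c
#include <string.h>

/* Stub head at 0x405030 (0x1e,0xbf,0xa2, as implied by the keygen's constants)
   and the bytes it must decrypt to: 0x55*0x8b*0xec == 0x2A8BF4. */
static const unsigned char CODE_HEAD[3] = {0x1e, 0xbf, 0xa2};
static const unsigned char WANT[3] = {0x55, 0x8b, 0xec};

/* The three XOR stages at 0040115A..004011A6, applied in place:
   every byte ^= file length; bytes 0..2 ^= "TMG"; bytes 3.. ^= buf[i % 3]. */
void transform_keyfile(unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) buf[i] ^= (unsigned char)len;
    buf[0] ^= 0x54; buf[1] ^= 0x4d; buf[2] ^= 0x47;
    for (i = 3; i < len; i++) buf[i] ^= buf[i % 3];
}

/* The checks that follow: transformed bytes 0..2 decrypt the stub head, whose
   product must be 0x2A8BF4, and a 0x20 byte must follow (loop at 00401200).
   Returns 1 on pass, 0 on fail; buf is transformed in place. */
int verify_keyfile(unsigned char *buf, size_t len)
{
    unsigned long prod = 1;
    size_t i;
    if (len < 4) return 0;
    transform_keyfile(buf, len);
    for (i = 0; i < 3; i++) prod *= (unsigned long)(CODE_HEAD[i] ^ buf[i]);
    if (prod != 0x2A8BF4UL) return 0;
    for (i = 1; i < len; i++) if (buf[i] == 0x20) return 1;
    return 0;
}

/* Inverse of the above (the post's keygen restated): writes name_len + 4
   bytes to out and returns that length, or 0 if out is too small. */
size_t make_keyfile(const char *name, unsigned char *out, size_t cap)
{
    size_t n = strlen(name), len = n + 4, i;
    unsigned char key[3];
    if (len > cap || len > 0x100) return 0;
    for (i = 0; i < 3; i++) {
        key[i] = WANT[i] ^ CODE_HEAD[i];                    /* key-stream byte */
        out[i] = key[i] ^ (unsigned char)"TMG"[i] ^ (unsigned char)len;
    }
    out[3] = 0x20 ^ key[0] ^ (unsigned char)len;            /* separator -> 0x20 */
    for (i = 0; i < n; i++)
        out[4 + i] = (unsigned char)name[i] ^ key[(4 + i) % 3] ^ (unsigned char)len;
    return len;
}
```

After `verify_keyfile` succeeds, `buf[0..2]` holds the key stream the crackme XORs over the stub and `buf[4..]` holds the name in the clear, which is what the loop at 00401200 copies out.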