軟體 - 一個keyfile型的crackme的拆解

[psac]

一個keyfile型的crackme的拆解

【文章標題】: 一個keyfile型的crackme的拆解
【下載位址】: 自己搜索下載
【作者聲明】: 只是感興趣，沒有其他目的。失誤之處敬請諸位大俠賜教!
--------------------------------------------------------------------------------
【詳細過程】
004265B2 837D FC 00 cmp dword ptr [ebp-4], 0
004265B6 75 15 jnz short 004265CD //判斷KEY文件是否為空
004265B8 BA 64674200 mov edx, 00426764 ; key file is empty!
004265BD 8B83 B0010000 mov eax, [ebx+1B0]


00426616 8A1C16 mov bl, [esi+edx] //讀取KEY文件
00426619 84DB test bl, bl
0042661B 74 29 je short 00426646 //當前字元為0時，認為用戶名完
0042661D E8 16000000 call 00426638
00426622 52 push edx


00426623 F7E3 mul ebx //每位字元累乘
00426625 5A pop edx
00426626 35 326D5463 xor eax, 63546D32 //結果與定植異或
0042662B FEC2 inc dl
0042662D 39CA cmp edx, ecx
0042662F 74 42 je short 00426673 //判斷文件是否讀完
00426631 80FA FF cmp dl, 0FF
00426634 74 3D je short 00426673
00426636 ^ EB DE jmp short 00426616


0042664B 42 inc edx //認為用戶名讀完就跳到此處
0042664C 83C2 04 add edx, 4
0042664F 39D1 cmp ecx, edx
00426651 75 20 jnz short 00426673 //對KEY文件大小做驗證，
00426653 83EA 04 sub edx, 4
00426656 85C0 test eax, eax
00426658 76 02 jbe short 0042665C
0042665A D1E8 shr eax, 1 //運算結果右移一位
0042665C 3B0416 cmp eax, [esi+edx] //右移後與KEY文件後四個字節比較
0042665F 75 09 jnz short 0042666A //後四個字節既所謂的註冊碼
00426661 B8 00000000 mov eax, 0
00426666 8907 mov [edi], eax
00426668 EB 10 jmp short 0042667A //相等則註冊成功！！！
0042666A B8 01000000 mov eax, 1
0042666F 8907 mov [edi], eax
00426671 EB 07 jmp short 0042667A
00426673 B8 02000000 mov eax, 2
00426678 8907 mov [edi], eax
0042667A 5E pop esi
0042667B 5F pop edi
0042667C 5B pop ebx
0042667D 8A85 FBFFFEFF mov al, [ebp+FFFEFFFB]
00426683 2C 01 sub al, 1
00426685 72 08 jb short 0042668F
00426687 74 4A je short 004266D3
00426689 FEC8 dec al
0042668B 74 58 je short 004266E5
0042668D EB 66 jmp short 004266F5
0042668F BA 80674200 mov edx, 00426780 ; valid key file found!
00426694 8B83 B0010000 mov eax, [ebx+1B0]
0042669A E8 F5B5FEFF call 00411C94
0042669F BA A0674200 mov edx, 004267A0 ; registered to:




算法總結：
KEY文件包括三部分：1、用戶名；2、字節00；3、註冊碼（一個雙字）。用戶名每位累加並與定植運算後得到的雙字應與註冊碼相同。


KeyenMaker src（c語言實現）:

/*************KeyenMaker src****************/
/************code by elance*****************/
/*******************************************/
#include "stdio.h"
#include "conio.h"
#include "math.h"
#include "string.h"
void main()
{
unsigned long cs1=0x63546D32;
unsigned long temp=0x1;
static char name[30];
char sn[6];
int name_len;
int sn_len;
int i;
FILE *kf;
printf("Please input your register name:\n");
gets(name);
name_len=strlen(name);
for(i=0;i<name_len;i++)
{
temp=temp*name^cs1;
}
temp=temp>>1;
sn[0]=0;
sn[1]=temp;
sn[2]=temp>>8;
sn[3]=temp>>16;
sn[4]=temp>>24;

strcat(name,"");
name_len=strlen(name);
sn_len=strlen(sn);
if((kf=fopen("fcrackme.key","wt"))==NULL)
{
printf("error on creating KeyFile!!!");
getch();
exit(1);
}
else
{

fwrite(name,name_len,1,kf);
i=0;
while(i<5)
{
fputc(sn,kf);
i++;
}

printf("\n\n\nKeyFile has created!\n");
puts("Made By eLance");
}
getch();
}

--------------------------------------------------------------------------------