Splish破解
今天又练习了一个CrackMe,把我的学习过程记录一下。(大佬勿看,当然,给小弟点建议的话,本人愿闻其详)
这个程序名字是Splish,可能大家以前已经逆向过了,今天轮到我来PJ了{:5_187:}。
具体的思路如下:
前两个步骤我以附件的形式上传,一个.doc一个.pdf
在这,我们主要看它的算法部分:
004015E4/$55 push ebp
004015E5|.8BEC mov ebp, esp
004015E7|.6A 20 push 20 ; /Count = 20 (32.)
004015E9|.68 42324000 push 00403242 ; |Buffer = SplishDe.00403242
004015EE|.FF75 0C push dword ptr ; |hWnd
004015F1|.E8 34010000 call <jmp.&USER32.GetWindowTextA> ; \GetWindowTextA
004015F6|.85C0 test eax, eax ;注册码是否为0
004015F8|.0F84 95000000 je 00401693
004015FE|.A3 67344000 mov dword ptr , eax ;len = strlen(注册码)
00401603|.6A 0B push 0B ; /Count = B (11.)
00401605|.68 36324000 push 00403236 ; |Buffer = SplishDe.00403236
0040160A|.FF75 08 push dword ptr ; |hWnd
0040160D|.E8 18010000 call <jmp.&USER32.GetWindowTextA> ; \GetWindowTextA
00401612|.85C0 test eax, eax ;用户名是否为0
00401614|.74 68 je short 0040167E
00401616|.A3 63344000 mov dword ptr , eax ;len_name
0040161B|.33C9 xor ecx, ecx
0040161D|.33DB xor ebx, ebx ;i = 0
0040161F|.33D2 xor edx, edx ;存放 余数 remain
00401621|.8D35 36324000 lea esi, dword ptr ;esi 指向 用户名
00401627|.8D3D 58324000 lea edi, dword ptr
0040162D|.B9 0A000000 mov ecx, 0A
00401632|>0FBE041E /movsx eax, byte ptr
00401636|.99 |cdq
00401637|.F7F9 |idiv ecx
00401639|.33D3 |xor edx, ebx ;remain ^ i
0040163B|.83C2 02 |add edx, 2 ;remain = remain + 0x2
0040163E|.80FA 0A |cmp dl, 0A
00401641|.7C 03 |jl short 00401646 ;小于 跳转
00401643|.80EA 0A |sub dl, 0A
00401646|>88141F |mov byte ptr , dl ;值放入此处
00401649|.43 |inc ebx
0040164A|.3B1D 63344000 |cmp ebx, dword ptr
00401650|.^ 75 E0 \jnz short 00401632
00401652|.33C9 xor ecx, ecx
00401654|.33DB xor ebx, ebx
00401656|.33D2 xor edx, edx
00401658|.8D35 42324000 lea esi, dword ptr ;esi 指向注册码
0040165E|.8D3D 4D324000 lea edi, dword ptr
00401664|.B9 0A000000 mov ecx, 0A
00401669|>0FBE041E /movsx eax, byte ptr
0040166D|.99 |cdq
0040166E|.F7F9 |idiv ecx
00401670|.88141F |mov byte ptr , dl ;余数放入 此处
00401673|.43 |inc ebx ;i++
00401674|.3B1D 67344000 |cmp ebx, dword ptr ;是否处理完毕
0040167A|.^ 75 ED \jnz short 00401669
0040167C|.EB 2A jmp short 004016A8
0040167E|>6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401680|.68 0A304000 push 0040300A ; |Splish, Splash
00401685|.68 A0304000 push 004030A0 ; |Please enter your name.
0040168A|.6A 00 push 0 ; |hOwner = NULL
0040168C|.E8 B7000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00401691|.EB 62 jmp short 004016F5
00401693|>6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401695|.68 0A304000 push 0040300A ; |Splish, Splash
0040169A|.68 B8304000 push 004030B8 ; |Please enter your serial number.
0040169F|.6A 00 push 0 ; |hOwner = NULL
004016A1|.E8 A2000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
004016A6|.EB 4D jmp short 004016F5
004016A8|>8D35 4D324000 lea esi, dword ptr
004016AE|.8D3D 58324000 lea edi, dword ptr
004016B4|.33DB xor ebx, ebx ;j = 0
004016B6|>3B1D 63344000 /cmp ebx, dword ptr ;是否循环完毕
004016BC|.74 0F |je short 004016CD ;成功!!
004016BE|.0FBE041F |movsx eax, byte ptr
004016C2|.0FBE0C1E |movsx ecx, byte ptr
004016C6|.3BC1 |cmp eax, ecx
004016C8|.75 18 |jnz short 004016E2 ;失败!
004016CA|.43 |inc ebx ;j++
004016CB|.^ EB E9 \jmp short 004016B6
004016CD|>6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004016CF|.68 0A304000 push 0040300A ; |Splish, Splash
004016D4|.68 42304000 push 00403042 ; |Good job, now keygen it.
004016D9|.6A 00 push 0 ; |hOwner = NULL
004016DB|.E8 68000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
004016E0|.EB 13 jmp short 004016F5
004016E2|>6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
004016E4|.68 0A304000 push 0040300A ; |Splish, Splash
004016E9|.68 67304000 push 00403067 ; |Sorry, please try again.
004016EE|.6A 00 push 0 ; |hOwner = NULL
004016F0|.E8 53000000 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
004016F5|>C9 leave
004016F6\.C2 0800 retn 8
注册机代码如下:
#include<stdio.h>
#include<string.h>
int main()
{
int i;
char name;
int k1 = 0;
int len_name;
printf("请输入用户名:\n");
scanf("%s",name);
len_name = strlen(name);
for(i = 0;i < len_name;i++)
{
k1 = name % 0xA;
k1 = k1 ^ i;
k1 += 0x2;
if(k1 >= 0xA)
k1 -= 0xA;
//F2()的逆函数有很多,这里+100,输出之后,是小写的字母
printf("%c",k1+100);
}
完整的算法c代码同样在附件中
页:
[1]
2