系统 : Windows xp
程序 : AD_CM#3
程序下载地址 :http://pan.baidu.com/s/1skwXPVn
要求 : 编写注册机
使用工具 :IDA & OD
可在看雪论坛中查找关于此程序的破文:http://bbs.pediy.com/showthread.php?t=28995
IDA载入程序,找出提示破解成功的字串“Well done Cracker, You did it!”并定位关键代码:
0045817F |. 8D55 FC lea edx, dword ptr [ebp-]
|. 8B87 D8020000 mov eax, dword ptr [edi+2D8]
|. E8 FFBEFCFF call 0042408C
0045818D |. 8D55 F0 lea edx, dword ptr [ebp-]
|. 8B87 D8020000 mov eax, dword ptr [edi+2D8]
|. E8 F1BEFCFF call 0042408C
0045819B |. 837D F0 cmp dword ptr [ebp-], ; 用户名为空?
0045819F |. 0A jnz short 004581AB
004581A1 |. B8 mov eax, ; ASCII "Enter you name, pls."
004581A6 |. E8 39C1FEFF call 004442E4
004581AB |> 8D55 EC lea edx, dword ptr [ebp-]
004581AE |. 8B87 DC020000 mov eax, dword ptr [edi+2DC]
004581B4 |. E8 D3BEFCFF call 0042408C
004581B9 |. 837D EC cmp dword ptr [ebp-], ; 序列号为空?
004581BD |. 0A jnz short 004581C9
004581BF |. B8 A8824500 mov eax, 004582A8 ; ASCII "Enter the serial, pls."
004581C4 |. E8 1BC1FEFF call 004442E4
004581C9 |> 8B45 FC mov eax, dword ptr [ebp-] ; 取用户名
004581CC |. E8 ABB9FAFF call 00403B7C ; 取长度
004581D1 |. 8BD8 mov ebx, eax
004581D3 |. 85DB test ebx, ebx
004581D5 |. 7E 2D jle short
004581D7 |. BE mov esi, ; 初始化循环变量
004581DC |> 8B45 FC /mov eax, dword ptr [ebp-] ; 取用户名
004581DF |. 0FB64430 FF |movzx eax, byte ptr [eax+esi-] ; 迭代用户名字串
004581E4 |. B9 |mov ecx,
004581E9 |. 33D2 |xor edx, edx
004581EB |. F7F1 |div ecx ; 字符 除以 3
004581ED |. 8D55 E8 |lea edx, dword ptr [ebp-] ; 取一段内存
004581F0 |. E8 0FF9FAFF |call 00407B04 ; 将商将从十六进制的数据转化为十进制的字串
004581F5 |. 8B55 E8 |mov edx, dword ptr [ebp-]
004581F8 |. 8D45 F8 |lea eax, dword ptr [ebp-] ; 取一段内存
004581FB |. E8 84B9FAFF |call 00403B84 ; 连接算出的子密钥
|. |inc esi ; 循环变量自增
|. 4B |dec ebx
|.^ D8 \jnz short 004581DC
|> 8D45 F4 lea eax, dword ptr [ebp-C] ; 取一段内存
|. 8B4D F8 mov ecx, dword ptr [ebp-] ; 取连接好的密钥
0045820A |. BA C8824500 mov edx, 004582C8 ; ASCII "ADCM3-"
0045820F |. E8 B4B9FAFF call 00403BC8 ; 连接字串
|. 8D55 E4 lea edx, dword ptr [ebp-1C] ; 取一段内存
|. 8B87 DC020000 mov eax, dword ptr [edi+2DC]
0045821D |. E8 6ABEFCFF call 0042408C
|. 8B55 E4 mov edx, dword ptr [ebp-1C] ; 取序列号
|. 8B45 F4 mov eax, dword ptr [ebp-C] ; 取连接好的密钥
|. E8 5FBAFAFF call 00403C8C ; 对比字串,返回0 表示字串相同
0045822D |. 0A jnz short
0045822F |. B8 D8824500 mov eax, 004582D8 ; ASCII "Well done Cracker, You did it!"
以上,算法分析完毕,这真的是一个非常简单的crackme,我们直接打开http://www.cnblogs.com/ZRBYYXDM/p/5115596.html中搭建的框架,并修改OnBtnDecrypt函数如下:
void CKengen_TemplateDlg::OnBtnDecrypt()
{
// TODO: Add your control notification handler code here
CString str;
GetDlgItemText( IDC_EDIT_NAME,str ); //获取用户名字串基本信息。
int len = str.GetLength();
CString Temp,PassWord; if ( len != ){ //格式控制。
for ( int i = ; i != len ; i++ ){
Temp.Format( "%d",( str[i] / ) );
PassWord += Temp;
} PassWord = "ADCM3-" + PassWord;
SetDlgItemText( IDC_EDIT_PASSWORD,PassWord );
}
else
MessageBox( "用户名格式错误!" );
}
再在OnInitDialog中添加此代码修改标题:SetWindowText(_T("AD_CM#3_Keygen"));
运行效果:
