【CrackMe】Acid burn追码写注册机

前言

暴力破解虽然很爽,但追码写注册机才是技术活,在吾爱找到一个CrackMe集合,有160个,打算慢慢研究慢慢写,如果我都能解出来的话。

程序下载地址:http://download.csdn.net/detail/dad9988/9891206
难度:★
使用工具:ollydbg吾爱破解专版
运行环境:windows 7 x64

程序截图

这个集合第一个作者是Acid burn

正确提示

错误提示

验证方式

需要输入username与key,程序会根据username计算key,符合规则则弹出正确提示。

分析过程

从截图很容易看出来这个CrackMe是利用消息框反馈结果,直接下消息框断点,返回程序领空。

1
2
3
4
5
0042F998 /. 55 push ebp
0042F999 |. 8BEC mov ebp,esp
0042F99B |. 33C9 xor ecx,ecx
0042F99D |. 51 push ecx
0042F99E |. 51 push ecx

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
0042F9C8 |. E8 8BB0FEFF call Acid_bur.0041AA58 ; 得到输入的username
0042F9CD |. 8B45 F0 mov eax,[local.4]
0042F9D0 |. E8 DB40FDFF call Acid_bur.00403AB0
0042F9D5 |. A3 6C174300 mov dword ptr ds:[0x43176C],eax ; username存入0x43176c
0042F9DA |. 8D55 F0 lea edx,[local.4]
0042F9DD |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9E3 |. E8 70B0FEFF call Acid_bur.0041AA58
0042F9E8 |. 8B45 F0 mov eax,[local.4]
0042F9EB |. 0FB600 movzx eax,byte ptr ds:[eax] ; 取第一位
0042F9EE |. 8BF0 mov esi,eax
0042F9F0 |. C1E6 03 shl esi,0x3 ; esi左移三位 esi=188
0042F9F3 |. 2BF0 sub esi,eax ; eax=esi-eax
0042F9F5 |. 8D55 EC lea edx,[local.5]
0042F9F8 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042F9FE |. E8 55B0FEFF call Acid_bur.0041AA58
0042FA03 |. 8B45 EC mov eax,[local.5]
0042FA06 |. 0FB640 01 movzx eax,byte ptr ds:[eax+0x1] ; 取第二位
0042FA0A |. C1E0 04 shl eax,0x4 ; eax左移四位
0042FA0D |. 03F0 add esi,eax ; 加上上次运算的结果
0042FA0F 8935 54174300 mov dword ptr ds:[0x431754],esi ; 存放到 0x431754
0042FA15 |. 8D55 F0 lea edx,[local.4]
0042FA18 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA1E |. E8 35B0FEFF call Acid_bur.0041AA58
0042FA23 |. 8B45 F0 mov eax,[local.4]
0042FA26 |. 0FB640 03 movzx eax,byte ptr ds:[eax+0x3] ; 取第四位
0042FA2A |. 6BF0 0B imul esi,eax,0xB ; esi=eax*0xB
0042FA2D |. 8D55 EC lea edx,[local.5]
0042FA30 |. 8B83 DC010000 mov eax,dword ptr ds:[ebx+0x1DC]
0042FA36 |. E8 1DB0FEFF call Acid_bur.0041AA58
0042FA3B |. 8B45 EC mov eax,[local.5]
0042FA3E |. 0FB640 02 movzx eax,byte ptr ds:[eax+0x2] ; 取第三位
0042FA42 |. 6BC0 0E imul eax,eax,0xE ; eax=eax*0xE
0042FA45 |. 03F0 add esi,eax ; 加上第四位运算结果
0042FA47 |. 8935 58174300 mov dword ptr ds:[0x431758],esi ; 存放到0x431758
0042FA4D |. A1 6C174300 mov eax,dword ptr ds:[0x43176C]
0042FA52 |. E8 D96EFDFF call Acid_bur.00406930
0042FA57 |. 83F8 04 cmp eax,0x4 ; //判断输入的用户名小于4位则提示错误---------
0042FA5A |. 7D 1D jge short Acid_bur.0042FA79
0042FA5C |. 6A 00 push 0x0
0042FA5E |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; Try Again!
0042FA63 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; Sorry , The serial is incorect !
0042FA68 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FA6D |. 8B00 mov eax,dword ptr ds:[eax]
0042FA6F |. E8 FCA6FFFF call Acid_bur.0042A170

刚开始我认识这段程序反复取值进行运算,并存放起来,在后面肯定会用到,结果发现他最后只是进行一个长度是否为4位的判断,之后的运算也并没有用到这里的计算结果,很坑。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
0042FA87 |. 8B45 F0 mov eax,[local.4] ; 输入的内容存入EAX
0042FA8A |. 0FB600 movzx eax,byte ptr ds:[eax] ; 取第一位存入EAX
0042FA8D |. F72D 50174300 imul dword ptr ds:[0x431750]
0042FA93 |. A3 50174300 mov dword ptr ds:[0x431750],eax
0042FA98 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FA9D |. 0105 50174300 add dword ptr ds:[0x431750],eax ; [0x431750]=EAX*[0x431750]*2
0042FAA3 |. 8D45 FC lea eax,[local.1]
0042FAA6 |. BA ACFB4200 mov edx,Acid_bur.0042FBAC ; CW
0042FAAB |. E8 583CFDFF call Acid_bur.00403708
0042FAB0 |. 8D45 F8 lea eax,[local.2]
0042FAB3 |. BA B8FB4200 mov edx,Acid_bur.0042FBB8 ; CRACK
0042FAB8 |. E8 4B3CFDFF call Acid_bur.00403708
0042FABD |. FF75 FC push [local.1]
0042FAC0 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; -
0042FAC5 |. 8D55 E8 lea edx,[local.6]
0042FAC8 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FACD |. E8 466CFDFF call Acid_bur.00406718 ; ////////////////////某种计算规则
0042FAD2 |. FF75 E8 push [local.6]
0042FAD5 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; -
0042FADA |. FF75 F8 push [local.2] ; msctf.752379E5

[0x431750]=EAX[0x431750]2
0x431750在程序开头会直接赋值0x29

mov dword ptr ds:[0x431750],0x29

最后一段,关键点在于某种算法规则这里。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
0042FACD |. E8 466CFDFF call Acid_bur.00406718 ; ////////////////////某种计算规则
0042FAD2 |. FF75 E8 push [local.6]
0042FAD5 |. 68 C8FB4200 push Acid_bur.0042FBC8 ; -
0042FADA |. FF75 F8 push [local.2]
0042FADD |. 8D45 F4 lea eax,[local.3]
0042FAE0 |. BA 05000000 mov edx,0x5
0042FAE5 |. E8 C23EFDFF call Acid_bur.004039AC
0042FAEA |. 8D55 F0 lea edx,[local.4]
0042FAED |. 8B83 E0010000 mov eax,dword ptr ds:[ebx+0x1E0]
0042FAF3 |. E8 60AFFEFF call Acid_bur.0041AA58
0042FAF8 |. 8B55 F0 mov edx,[local.4]
0042FAFB |. 8B45 F4 mov eax,[local.3]
0042FAFE |. E8 F93EFDFF call Acid_bur.004039FC
0042FB03 |. 75 1A jnz short Acid_bur.0042FB1F
0042FB05 |. 6A 00 push 0x0
0042FB07 |. B9 CCFB4200 mov ecx,Acid_bur.0042FBCC ; Congratz !!
0042FB0C |. BA D8FB4200 mov edx,Acid_bur.0042FBD8 ; Good job dude =)
0042FB11 |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB16 |. 8B00 mov eax,dword ptr ds:[eax]
0042FB18 |. E8 53A6FFFF call Acid_bur.0042A170
0042FB1D |. EB 18 jmp short Acid_bur.0042FB37
0042FB1F |> 6A 00 push 0x0
0042FB21 |. B9 74FB4200 mov ecx,Acid_bur.0042FB74 ; Try Again!
0042FB26 |. BA 80FB4200 mov edx,Acid_bur.0042FB80 ; Sorry , The serial is incorect !
0042FB2B |. A1 480A4300 mov eax,dword ptr ds:[0x430A48]
0042FB30 |. 8B00 mov eax,dword ptr ds:[eax]
0042FB32 |. E8 39A6FFFF call Acid_bur.0042A170

0042FAFE |. E8 F93EFDFF call Acid_bur.004039FC

这里为最终判断call,会比对生成的key与我输入的key,进行判断,暴力破解的话直接修改这里。

0042FB03 |. /75 1A jnz short Acid_bur.0042FB1F

最终生成key算法。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
00406DC2 |$ B9 0A000000 mov ecx,0xA ; Case 55 ('U') of switch 00406D9A
00406DC7 |> 8D75 C4 lea esi,[local.15]
00406DCA |> 31D2 /xor edx,edx
00406DCC |. F7F1 |div ecx ; 计算循环----------
00406DCE |. 80C2 30 |add dl,0x30
00406DD1 |. 80FA 3A |cmp dl,0x3A
00406DD4 |. 72 03 |jb short Acid_bur.00406DD9
00406DD6 |. 80C2 07 |add dl,0x7
00406DD9 |> 4E |dec esi
00406DDA |. 8816 |mov byte ptr ds:[esi],dl
00406DDC |. 09C0 |or eax,eax
00406DDE |.^ 75 EA \jnz short Acid_bur.00406DCA
00406DE0 |. 8D4D C4 lea ecx,[local.15]
00406DE3 |. 29F1 sub ecx,esi
00406DE5 |. 8B55 E0 mov edx,[local.8]
00406DE8 |. 83FA 10 cmp edx,0x10
00406DEB |. 72 01 jb short Acid_bur.00406DEE
00406DED |. C3 retn

xor edx,edx
div ecx //这里与eax进行运算

eax取自

1
2
3
4
5
6
7
0042FA87 |. 8B45 F0 mov eax,[local.4] ; 输入的内容存入EAX
0042FA8A |. 0FB600 movzx eax,byte ptr ds:[eax] ; 取第一位存入EAX
0042FA8D |. F72D 50174300 imul dword ptr ds:[0x431750]
0042FA93 |. A3 50174300 mov dword ptr ds:[0x431750],eax
0042FA98 |. A1 50174300 mov eax,dword ptr ds:[0x431750]
0042FA9D |. 0105 50174300 add dword ptr ds:[0x431750],eax ; [0x431750]=EAX*[0x431750]*2
0042FAA3 |. 8D45 FC lea eax,[local.1]

根据算法写python脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#coding=utf-8
#coding=utf-8
import binascii
strUserName = raw_input("userNaem: ")
a = int(binascii.b2a_hex(strUserName[0]),16) * int('0x29',16) * 2
print str(hex(a))
strA = ''
for i in range(0,4):
b = a % 10
a = a / 10
strA = str(b) + strA
print 'CW-' + str(strA) + '-CRACKED'

总结

细心的人其实已经看出来了,

1
2
3
b = a % 10
a = a / 10
strA = str(b) + strA

这不就是他本身么,OD跟踪的时候是十六进制,最后进入一个call,这个call的作用就是进制转换。

1
2
3
4
5
6
7
8
9
10
00406DCA |> /31D2 /xor edx,edx
00406DCC |. |F7F1 |div ecx ; 计算循环----------
00406DCE |. |80C2 30 |add dl,0x30
00406DD1 |. |80FA 3A |cmp dl,0x3A
00406DD4 |. |72 03 |jb short Acid_bur.00406DD9
00406DD6 |. |80C2 07 |add dl,0x7
00406DD9 |> |4E |dec esi
00406DDA |. |8816 |mov byte ptr ds:[esi],dl
00406DDC |. |09C0 |or eax,eax
00406DDE |.^\75 EA \jnz short Acid_bur.00406DCA

key计算可以优化一下

1
2
3
4
5
6
#coding=utf-8
import binascii
strUserName = raw_input("userNaem:")
a = int(binascii.b2a_hex(strUserName[0]),16) * int('0x29',16) * 2
print 'CW-' + str(a) + '-CRACKED'