[Cracked] keygenme#2.saytos.MASM
【Author】 hbqjxhw【Title】 [Cracked] keygenme#2.saytos.MASM
【Download】 http://www.crackmes.de/users/saytos/keygenme2/
----------------------------------------------------------------------------------------------
【Tools】 OllyDBG (Chinese-localized 3rd edition)
【Platform】 WinXP SP2
----------------------------------------------------------------------------------------------
【Summary】
.:.:. Keygenme#2.:.:.
---------------------------------
Compiled in : MASM
Date : 5.01.2007 3.57 am
YES : keygen with src
NO : self-keygenning,patch,serial-fishing
Tested on : WinXp SP2
Happy cracking :)
saytos
/2007
----------------------------------------------------------------------------------------------
【Cracking Process】
004010E2|.6A 1E PUSH 1E ; /Length = 1E (30.)
004010E4|.68 65804000 PUSH keygenme.00408065 ; |hbqjxhw (Name buffer)
004010E9|.E8 4E360000 CALL <JMP.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
004010EE|.6A 64 PUSH 64 ; /Length = 64 (100.)
004010F0|.68 B5804000 PUSH keygenme.004080B5 ; |abef02ce08a87dd1596456a8c30c6f6e (MD5 hex buffer)
004010F5|.E8 42360000 CALL <JMP.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
004010FA|.6A 32 PUSH 32 ; /Length = 32 (50.)
004010FC|.68 83804000 PUSH keygenme.00408083 ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95 (entered Serial)
00401101|.E8 36360000 CALL <JMP.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
00401106|.6A 32 PUSH 32 ; /Length = 32 (50.)
00401108|.68 37824000 PUSH keygenme.00408237 ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95 (computed Serial)
0040110D|.E8 2A360000 CALL <JMP.&KERNEL32.RtlZeroMemory> ; \RtlZeroMemory
00401112|.6A 14 PUSH 14 ; /Count = 14 (20.)
00401114|.68 65804000 PUSH keygenme.00408065 ; |hbqjxhw
00401119|.68 EB030000 PUSH 3EB ; |ControlID = 3EB (1003.)
0040111E|.FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401121|.E8 52360000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00401126|.0AC0 OR AL,AL
00401128|.75 0A JNZ SHORT keygenme.00401134 ; check whether Name is empty
0040112A|.E8 E0010000 CALL keygenme.0040130F
0040112F|.E9 D2010000 JMP keygenme.00401306
00401134|>6A 32 PUSH 32 ; /Count = 32 (50.)
00401136|.68 83804000 PUSH keygenme.00408083 ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
0040113B|.68 ED030000 PUSH 3ED ; |ControlID = 3ED (1005.)
00401140|.FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401143|.E8 30360000 CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00401148|.0AC0 OR AL,AL
0040114A|.75 0A JNZ SHORT keygenme.00401156 ; check whether Serial is empty
0040114C|.E8 D4010000 CALL keygenme.00401325
00401151|.E9 B0010000 JMP keygenme.00401306
00401156|>66:A3 B1824000 MOV WORD PTR DS:[4082B1],AX ; save the Serial length
0040115C|.83F8 31 CMP EAX,31 ; check whether the Serial length is at least 49 (0x31)
0040115F|.73 0A JNB SHORT keygenme.0040116B
00401161|.E8 D5010000 CALL keygenme.0040133B
00401166|.E9 9B010000 JMP keygenme.00401306
0040116B|>803D 89804000 43 CMP BYTE PTR DS:[408089],43 ; is the 7th character of the Serial 'C'?
00401172|.74 0A JE SHORT keygenme.0040117E
00401174|.E8 C2010000 CALL keygenme.0040133B
00401179|.E9 88010000 JMP keygenme.00401306
0040117E|>803D 97804000 58 CMP BYTE PTR DS:[408097],58 ; is the 21st character of the Serial 'X'?
00401185|.74 0A JE SHORT keygenme.00401191
00401187|.E8 AF010000 CALL keygenme.0040133B
0040118C|.E9 75010000 JMP keygenme.00401306
00401191|>803D A2804000 24 CMP BYTE PTR DS:[4080A2],24 ; is the 32nd character of the Serial '$'?
00401198|.74 0A JE SHORT keygenme.004011A4
0040119A|.E8 9C010000 CALL keygenme.0040133B
0040119F|.E9 62010000 JMP keygenme.00401306
004011A4|>68 65804000 PUSH keygenme.00408065 ; /hbqjxhw
004011A9|.68 B5804000 PUSH keygenme.004080B5 ; |abef02ce08a87dd1596456a8c30c6f6e
004011AE|.E8 95350000 CALL <JMP.&KERNEL32.lstrcatA> ; \lstrcatA
004011B3|.FECA DEC DL
004011B5|.68 A1824000 PUSH keygenme.004082A1 ; /Arg3 = 004082A1
004011BA|.52 PUSH EDX ; |Arg2
004011BB|.68 B5804000 PUSH keygenme.004080B5 ; |abef02ce08a87dd1596456a8c30c6f6e
004011C0|.E8 4F2C0000 CALL keygenme.00403E14 ; \standard MD5 computation
004011C5|.68 AF814000 PUSH keygenme.004081AF ; "crackmes"
004011CA|.E8 71560000 CALL keygenme.00406840
004011CF|.68 65804000 PUSH keygenme.00408065 ; hbqjxhw
004011D4|.68 65804000 PUSH keygenme.00408065 ; hbqjxhw
004011D9|.E8 9A560000 CALL keygenme.00406878 ; TEA computation
004011DE|.A1 65804000 MOV EAX,DWORD PTR DS:[408065]
004011E3|.8B15 69804000 MOV EDX,DWORD PTR DS:[408069]
004011E9|.50 PUSH EAX ; /<%.8x> => 0
004011EA|.52 PUSH EDX ; |<%.8x> => 0
004011EB|.68 5C804000 PUSH keygenme.0040805C ; |%.8x%.8x
004011F0|.68 6A824000 PUSH keygenme.0040826A ; |92afce9324e2fc95
004011F5|.E8 5A350000 CALL <JMP.&user32.wsprintfA> ; \wsprintfA
004011FA|.83C4 10 ADD ESP,10
004011FD|.C605 69824000 2D MOV BYTE PTR DS:[408269],2D ; '-'
00401204|.68 B5804000 PUSH keygenme.004080B5 ; /abef02ce08a87dd1596456a8c30c6f6e
00401209|.68 37824000 PUSH keygenme.00408237 ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
0040120E|.E8 3B350000 CALL <JMP.&KERNEL32.lstrcpyA> ; \lstrcpyA
00401213|.68 69824000 PUSH keygenme.00408269 ; /-92afce9324e2fc95
00401218|.68 37824000 PUSH keygenme.00408237 ; |ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
0040121D|.E8 26350000 CALL <JMP.&KERNEL32.lstrcatA> ; \join the MD5 value and the TEA value with "-"
00401222|.C605 3D824000 43 MOV BYTE PTR DS:[40823D],43 ; put 'C' at the 7th character of the Serial
00401229|.C605 4B824000 78 MOV BYTE PTR DS:[40824B],78 ; put 'x' at the 21st character of the Serial
00401230|.68 37824000 PUSH keygenme.00408237 ; /ABEF02CE08A87DD15964X6A8C30C6F6$-92AFCE9324E2FC95
00401235|.E8 26350000 CALL <JMP.&user32.CharUpperA> ; \convert everything to upper case
0040123A|.C605 56824000 24 MOV BYTE PTR DS:[408256],24 ; put '$' at the 32nd character of the Serial
00401241|.33C0 XOR EAX,EAX
00401243|.33DB XOR EBX,EBX
00401245|.33D2 XOR EDX,EDX
00401247|.33C9 XOR ECX,ECX
00401249|.66:8B0D B1824000 MOV CX,WORD PTR DS:[4082B1] ; loop count = Serial length
00401250|.8D35 83804000 LEA ESI,DWORD PTR DS:[408083] ; entered Serial
00401256|.8D2D 37824000 LEA EBP,DWORD PTR DS:[408237] ; computed Serial
0040125C|>03F0 /ADD ESI,EAX
0040125E|.03E8 |ADD EBP,EAX
00401260|.33C0 |XOR EAX,EAX
00401262|.8A1E |MOV BL,BYTE PTR DS:[ESI]
00401264|.8A55 00 |MOV DL,BYTE PTR SS:[EBP]
00401267|.38D3 |CMP BL,DL ; compare the Serials byte by byte
00401269|.75 60 |JNZ SHORT keygenme.004012CB
0040126B|.40 |INC EAX
0040126C|.^ E2 EE \LOOPD SHORT keygenme.0040125C
0040126E|.803D B3824000 01 CMP BYTE PTR DS:[4082B3],1 ; success text already decoded?
00401275|.74 26 JE SHORT keygenme.0040129D
00401277|.33C9 XOR ECX,ECX
00401279|.33C0 XOR EAX,EAX
0040127B|.33DB XOR EBX,EBX
0040127D|.B9 2C000000 MOV ECX,2C
00401282|.8D35 F6814000 LEA ESI,DWORD PTR DS:[4081F6]
00401288|>03F0 /ADD ESI,EAX
0040128A|.33C0 |XOR EAX,EAX
0040128C|.8A1E |MOV BL,BYTE PTR DS:[ESI]
0040128E|.80F3 40 |XOR BL,40 ; Text = "%%0a`/7`72)4%`454`!.$`3%.$`4/`#2!#+-%3n$%a"; XORing each byte of this text with 0x40 yields the success message
00401291|.881E |MOV BYTE PTR DS:[ESI],BL
00401293|.40 |INC EAX
00401294|.^ E2 F2 \LOOPD SHORT keygenme.00401288
00401296|.C605 B3824000 01 MOV BYTE PTR DS:[4082B3],1
0040129D|>68 F6814000 PUSH keygenme.004081F6 ; /Text = "%%0a`/7`72)4%`454`!.$`3%.$`4/`#2!#+-%3n$%a"
004012A2|.68 ED030000 PUSH 3ED ; |ControlID = 3ED (1005.)
004012A7|.FF35 90824000 PUSH DWORD PTR DS:[408290] ; |hWnd = NULL
004012AD|.E8 DE340000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
004012B2|.6A 00 PUSH 0 ; /lParam = 0
004012B4|.6A 00 PUSH 0 ; |wParam = 0
004012B6|.6A 0A PUSH 0A ; |Message = WM_ENABLE
004012B8|.68 ED030000 PUSH 3ED ; |ControlID = 3ED (1005.)
004012BD|.FF35 90824000 PUSH DWORD PTR DS:[408290] ; |hWnd = NULL
004012C3|.E8 BC340000 CALL <JMP.&user32.SendDlgItemMessageA>; \SendDlgItemMessageA
004012C8|.61 POPAD
004012C9|.EB 3B JMP SHORT keygenme.00401306
004012CB|>61 POPAD
004012CC|.E8 6A000000 CALL keygenme.0040133B
004012D1|.EB 33 JMP SHORT keygenme.00401306
004012D3|>B8 01000000 MOV EAX,1
004012D8|.EB 2C JMP SHORT keygenme.00401306
004012DA|>83F8 10 CMP EAX,10
004012DD|.75 1E JNZ SHORT keygenme.004012FD
004012DF|.68 02000900 PUSH 90002
004012E4|.68 20030000 PUSH 320
004012E9|.FF75 08 PUSH DWORD PTR SS:[EBP+8]
004012EC|.E8 69340000 CALL <JMP.&user32.AnimateWindow>
004012F1|.6A 00 PUSH 0 ; /Result = 0
004012F3|.FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004012F6|.E8 71340000 CALL <JMP.&user32.EndDialog> ; \EndDialog
004012FB|.EB 09 JMP SHORT keygenme.00401306
004012FD|>B8 00000000 MOV EAX,0
00401302|.C9 LEAVE
00401303|.C2 1000 RETN 10
00401306|>B8 01000000 MOV EAX,1
0040130B|.C9 LEAVE
0040130C\.C2 1000 RETN 10
0040130F/$68 B8814000 PUSH keygenme.004081B8 ; /Hmm,but who name?
00401314|.68 EB030000 PUSH 3EB ; |ControlID = 3EB (1003.)
00401319|.FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040131C|.E8 6F340000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
00401321|.C9 LEAVE
00401322\.C2 1000 RETN 10
00401325/$68 CA814000 PUSH keygenme.004081CA ; /Heh,what must check?
0040132A|.68 ED030000 PUSH 3ED ; |ControlID = 3ED (1005.)
0040132F|.FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401332|.E8 59340000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
00401337|.C9 LEAVE
00401338\.C2 1000 RETN 10
0040133B/$68 DF814000 PUSH keygenme.004081DF ; /Serial is not valid...
00401340|.68 ED030000 PUSH 3ED ; |ControlID = 3ED (1005.)
00401345|.FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401348|.E8 43340000 CALL <JMP.&user32.SetDlgItemTextA> ; \SetDlgItemTextA
0040134D|.C9 LEAVE
0040134E\.C2 1000 RETN 10
----------------------------------------------------------------------------------------------
After stepping into CALL 00403E14:
the four constants below are the initial state (A, B, C, D) of a standard MD5 computation
00403E68|.C706 01234567 MOV DWORD PTR DS:[ESI],67452301
00403E6E|.C746 04 89ABCDEF MOV DWORD PTR DS:[ESI+4],EFCDAB89
00403E75|.C746 08 FEDCBA98 MOV DWORD PTR DS:[ESI+8],98BADCFE
00403E7C|.C746 0C 76543210 MOV DWORD PTR DS:[ESI+C],10325476
----------------------------------------------------------------------------------------------
After stepping into CALL 00406878:
TEA computation
00406878 55 PUSH EBP
00406879 8BEC MOV EBP,ESP
0040687B 57 PUSH EDI
0040687C 56 PUSH ESI
0040687D 53 PUSH EBX
0040687E 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] ; Arg1 = input block
00406881 8B06 MOV EAX,DWORD PTR DS:[ESI]
00406883 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4]
00406886 33DB XOR EBX,EBX ; sum = 0
00406888 0FC8 BSWAP EAX ; plaintext to be encrypted
0040688A 0FCA BSWAP EDX ; plaintext to be encrypted
0040688C 81C3 B979379E /ADD EBX,9E3779B9 ; sum += delta
00406892 8BCA |MOV ECX,EDX
00406894 C1E1 04 |SHL ECX,4
00406897 8BFA |MOV EDI,EDX
00406899 8D3413 |LEA ESI,DWORD PTR DS:[EBX+EDX]
0040689C 030D 401C5100 |ADD ECX,DWORD PTR DS:[511C40] ; the key used by TEA (k[0])
004068A2 C1EF 05 |SHR EDI,5
004068A5 33CE |XOR ECX,ESI
004068A7 033D 441C5100 |ADD EDI,DWORD PTR DS:[511C44] ; the key used by TEA (k[1])
004068AD 33CF |XOR ECX,EDI
004068AF 03C1 |ADD EAX,ECX
004068B1 8BC8 |MOV ECX,EAX
004068B3 C1E1 04 |SHL ECX,4
004068B6 8BF8 |MOV EDI,EAX
004068B8 8D3403 |LEA ESI,DWORD PTR DS:[EBX+EAX]
004068BB 030D 481C5100 |ADD ECX,DWORD PTR DS:[511C48] ; the key used by TEA (k[2])
004068C1 C1EF 05 |SHR EDI,5
004068C4 33CE |XOR ECX,ESI
004068C6 033D 4C1C5100 |ADD EDI,DWORD PTR DS:[511C4C] ; the key used by TEA (k[3])
004068CC 33CF |XOR ECX,EDI
004068CE 03D1 |ADD EDX,ECX
004068D0 81C3 B979379E |ADD EBX,9E3779B9 ; second unrolled cycle, same as above
004068D6 8BCA |MOV ECX,EDX
004068D8 C1E1 04 |SHL ECX,4
004068DB 8BFA |MOV EDI,EDX
004068DD 8D3413 |LEA ESI,DWORD PTR DS:[EBX+EDX]
004068E0 030D 401C5100 |ADD ECX,DWORD PTR DS:[511C40]
004068E6 C1EF 05 |SHR EDI,5
004068E9 33CE |XOR ECX,ESI
004068EB 033D 441C5100 |ADD EDI,DWORD PTR DS:[511C44]
004068F1 33CF |XOR ECX,EDI
004068F3 03C1 |ADD EAX,ECX
004068F5 8BC8 |MOV ECX,EAX
004068F7 C1E1 04 |SHL ECX,4
004068FA 8BF8 |MOV EDI,EAX
004068FC 8D3403 |LEA ESI,DWORD PTR DS:[EBX+EAX]
004068FF 030D 481C5100 |ADD ECX,DWORD PTR DS:[511C48]
00406905 C1EF 05 |SHR EDI,5
00406908 33CE |XOR ECX,ESI
0040690A 033D 4C1C5100 |ADD EDI,DWORD PTR DS:[511C4C]
00406910 33CF |XOR ECX,EDI
00406912 03D1 |ADD EDX,ECX
00406914 81FB 2037EFC6 |CMP EBX,C6EF3720 ; stop after 32 cycles (32 * delta)
0040691A^ 0F85 6CFFFFFF \JNZ keygenme.0040688C
00406920 0FC8 BSWAP EAX
00406922 0FCA BSWAP EDX
00406924 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C] ; Arg2 = output block
00406927 8906 MOV DWORD PTR DS:[ESI],EAX
00406929 8956 04 MOV DWORD PTR DS:[ESI+4],EDX
0040692C 5B POP EBX
0040692D 5E POP ESI
0040692E 5F POP EDI
0040692F C9 LEAVE
00406930 C2 0800 RETN 8
This is the key used by TEA (6361726373656D6B6D6D48007475622C):
00511C40  63 61 72 63 73 65 6D 6B 6D 6D 48 00 74 75 62 2C  carcsemkmmH.tub,
The core of the algorithm above should be these three lines (a, b, c, d are the four key dwords at 00511C40, 00511C44, 00511C48 and 00511C4C; delta = 0x9E3779B9; repeated 32 times, until sum reaches 0xC6EF3720):
sum+=delta;
y+=((a+(z<<4))^(sum+z))^(b+(z>>5));
z+=((c+(y<<4))^(sum+y))^(d+(y>>5));
----------------------------------------------------------------------------------------------
Cracking summary:
1. Compute the MD5 of the Name.
2. Compute the TEA value of the Name.
3. Join the MD5 value and the TEA value with "-".
4. Replace the 7th character of the Serial with C and the 21st character with x.
5. Convert everything to upper case.
6. Replace the 32nd character of the Serial with $.
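As an added example (not part of this write-up or of the keygenme's own source), here is a C reimplementation of the recovered construction: the TEA routine from 00406878 with the key dumped at 00511C40, and steps 3 to 6 of the summary. Step 1 (a standard MD5 of the Name) is left to a library call and its hex digest is passed in as a string; the key dwords, the zero-padding of the Name to 8 bytes (the buffer was cleared by RtlZeroMemory) and the BSWAP/wsprintf word order are taken from the disassembly above and are this example's assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TEA key: the four little-endian dwords at 00511C40 (dump above); delta from ADD EBX,9E3779B9. */
static const uint32_t TEA_KEY[4] = { 0x63726163u, 0x6B6D6573u, 0x00486D6Du, 0x2C627574u };
#define TEA_DELTA 0x9E3779B9u
static uint32_t bswap32(uint32_t x) {
    return (x >> 24) | ((x >> 8) & 0xFF00u) | ((x << 8) & 0xFF0000u) | (x << 24);
}
/* 32 TEA cycles; the loop at 0040688C does two per iteration and stops when sum == 0xC6EF3720. */
static void tea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t y = v[0], z = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        sum += TEA_DELTA;
        y += ((z << 4) + k[0]) ^ (z + sum) ^ ((z >> 5) + k[1]);
        z += ((y << 4) + k[2]) ^ (y + sum) ^ ((y >> 5) + k[3]);
    }
    v[0] = y; v[1] = z;
}
/* Standard TEA inverse (not in the keygenme), kept here only to check the round trip. */
static void tea_decrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t y = v[0], z = v[1], sum = 0xC6EF3720u;
    for (int i = 0; i < 32; i++) {
        z -= ((y << 4) + k[2]) ^ (y + sum) ^ ((y >> 5) + k[3]);
        y -= ((z << 4) + k[0]) ^ (z + sum) ^ ((z >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = y; v[1] = z;
}
/* Step 2: first 8 bytes of the zero-padded Name, loaded with BSWAP (big-endian words), encrypted,
   BSWAPped back and printed by wsprintf("%.8x%.8x", second dword, first dword) -> 16 hex chars. */
static void name_tea_hex(const char *name, char out[17]) {
    unsigned char b[8] = {0};
    size_t n = strlen(name);
    memcpy(b, name, n < 8 ? n : 8);
    uint32_t v[2] = { (uint32_t)b[0] << 24 | b[1] << 16 | b[2] << 8 | b[3],
                      (uint32_t)b[4] << 24 | b[5] << 16 | b[6] << 8 | b[7] };
    tea_encrypt(v, TEA_KEY);
    snprintf(out, 17, "%08x%08x", bswap32(v[1]), bswap32(v[0]));
}
/* Steps 3-6: "md5-tea", 7th char -> 'C', 21st -> 'x', uppercase everything, 32nd -> '$'. */
static void build_serial(const char *md5hex, const char *teahex, char serial[50]) {
    snprintf(serial, 50, "%s-%s", md5hex, teahex);
    serial[6] = 'C'; serial[20] = 'x';
    for (char *p = serial; *p; p++) *p = (char)toupper((unsigned char)*p);
    serial[31] = '$';
}
```

For the Name "hbqjxhw" the write-up recorded the MD5 abef02ce08a87dd1596456a8c30c6f6e and the TEA value 92afce9324e2fc95; feeding those two strings to build_serial gives exactly the 49-character Serial shown at 00408237. Because the Serial is a pure function of the Name and a key embedded in the binary, anyone who can read the disassembly can regenerate it, which is the design weakness this keygenme is built to illustrate.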
----------------------------------------------------------------------------------------------
【Cracking Statement】 I am just a newbie; I picked up a few insights and want to share them with everyone :)
【Copyright】 This article is purely for technical exchange; if you repost it, please credit the author and keep the article intact, thanks!
----------------------------------------------------------------------------------------------
Written 2007-1-22 23:09:56, still learning algorithms~~~~