chenx221/Reverse
1
0
Fork 0
Code Pull Requests Activity
82372320dc
Reverse/bytel0rds_crackme_n1.other_mp2k/solve.md
Chenx221 6d8615ace5
solved new crackme 
*更新周期改成2天
2024-10-21 16:31:14 +08:00

338 lines
21 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

先来通过的凭证:
```
Name: chenx221
RegKey: 123-456-789-X
Serial: 11141
```
细节:
检查长度然后带着name, regkey,serial进`crackme_1.403790`
```assembly
00403B2 | 6A 14 | push 14 |
00403B2 | 8D85 F3FBFFFF | lea eax,dword ptr ss:[ebp-40D] | name
00403B3 | 50 | push eax |
00403B3 | 6A 05 | push 5 |
00403B3 | 8B45 08 | mov eax,dword ptr ss:[ebp+8] |
00403B3 | 50 | push eax |
00403B3 | E8 0DFBFFFF | call <JMP.&_GetDlgItemTextA@16> |
00403B3 | 8D45 F8 | lea eax,dword ptr ss:[ebp-8] | [ebp-08]:"123-456-789-X"
00403B4 | 8D95 F3FBFFFF | lea edx,dword ptr ss:[ebp-40D] |
00403B4 | E8 FFF4FFFF | call crackme_1.40304C |
00403B4 | 8B45 F8 | mov eax,dword ptr ss:[ebp-8] | [ebp-08]:Name
00403B5 | E8 3FF5FFFF | call <crackme_1.GetLength> |
00403B5 | 83F8 05 | cmp eax,5 |
00403B5 | 0F8C 91000000 | jl <crackme_1.Fail> | length >= 5
00403B5 | 6A 14 | push 14 |
00403B6 | 8D85 F3FBFFFF | lea eax,dword ptr ss:[ebp-40D] |
00403B6 | 50 | push eax |
00403B6 | 6A 06 | push 6 |
00403B6 | 8B45 08 | mov eax,dword ptr ss:[ebp+8] |
00403B6 | 50 | push eax |
00403B6 | E8 DAFAFFFF | call <JMP.&_GetDlgItemTextA@16> |
00403B7 | 8D45 F4 | lea eax,dword ptr ss:[ebp-C] | [ebp-0C]:"11141"
00403B7 | 8D95 F3FBFFFF | lea edx,dword ptr ss:[ebp-40D] |
00403B7 | E8 CCF4FFFF | call crackme_1.40304C |
00403B8 | 8B45 F4 | mov eax,dword ptr ss:[ebp-C] | RegKey
00403B8 | E8 0CF5FFFF | call <crackme_1.GetLength> |
00403B8 | 83F8 0D | cmp eax,D | length == 13
00403B8 | 75 62 | jne <crackme_1.Fail> |
00403B8 | 6A 14 | push 14 |
00403B8 | 8D85 F3FBFFFF | lea eax,dword ptr ss:[ebp-40D] |
00403B9 | 50 | push eax |
00403B9 | 6A 07 | push 7 |
00403B9 | 8B45 08 | mov eax,dword ptr ss:[ebp+8] |
00403B9 | 50 | push eax |
00403B9 | E8 ABFAFFFF | call <JMP.&_GetDlgItemTextA@16> |
00403BA | 8D45 FC | lea eax,dword ptr ss:[ebp-4] | [ebp-04]:"chenx221"
00403BA | 8D95 F3FBFFFF | lea edx,dword ptr ss:[ebp-40D] |
00403BA | E8 9DF4FFFF | call crackme_1.40304C |
00403BA | 8B45 FC | mov eax,dword ptr ss:[ebp-4] | Serial
00403BB | E8 DDF4FFFF | call <crackme_1.GetLength> |
00403BB | 83F8 05 | cmp eax,5 | length == 5
00403BB | 75 33 | jne <crackme_1.Fail> |
00403BB | 8B4D FC | mov ecx,dword ptr ss:[ebp-4] | S
00403BB | 8B55 F4 | mov edx,dword ptr ss:[ebp-C] | R
00403BC | 8B45 F8 | mov eax,dword ptr ss:[ebp-8] | N
00403BC | E8 C6FBFFFF | call crackme_1.403790 |
```
name字符ascii求和然后统计1的个数
```assembly
0040379 | 55 | push ebp |
0040379 | 8BEC | mov ebp,esp |
0040379 | 83C4 E8 | add esp,FFFFFFE8 |
0040379 | 53 | push ebx |
0040379 | 56 | push esi |
0040379 | 57 | push edi | edi:&"1010101011"
0040379 | 33DB | xor ebx,ebx |
0040379 | 895D E8 | mov dword ptr ss:[ebp-18],ebx | [ebp-18]:"1010101011"
0040379 | 895D EC | mov dword ptr ss:[ebp-14],ebx |
004037A | 895D F0 | mov dword ptr ss:[ebp-10],ebx | [ebp-10]:"122xnehc"
004037A | 894D F4 | mov dword ptr ss:[ebp-C],ecx | S
004037A | 8955 F8 | mov dword ptr ss:[ebp-8],edx | R
004037A | 8945 FC | mov dword ptr ss:[ebp-4],eax | N
004037A | 8B45 FC | mov eax,dword ptr ss:[ebp-4] | Name
004037B | E8 9FF9FFFF | call <crackme_1.LStrAddRef> |
004037B | 8B45 F8 | mov eax,dword ptr ss:[ebp-8] | RegKey
004037B | E8 97F9FFFF | call <crackme_1.LStrAddRef> |
004037B | 8B45 F4 | mov eax,dword ptr ss:[ebp-C] | Serial
004037C | E8 8FF9FFFF | call <crackme_1.LStrAddRef> |
004037C | BF 68564000 | mov edi,crackme_1.405668 | edi:&"1010101011", 405668:&"1010101011"
004037C | 33C0 | xor eax,eax |
004037C | 55 | push ebp |
004037C | 68 8D3A4000 | push crackme_1.403A8D |
004037D | 64:FF30 | push dword ptr fs:[eax] |
004037D | 64:8920 | mov dword ptr fs:[eax],esp |
004037D | C705 88564000 040000 | mov dword ptr ds:[405688],4 |
004037E | 33C0 | xor eax,eax |
004037E | A3 6C564000 | mov dword ptr ds:[40566C],eax |
004037E | 8BC7 | mov eax,edi | edi:&"1010101011"
004037E | E8 58F7FFFF | call <crackme_1.LStrClr> |
004037F | 8D45 F0 | lea eax,dword ptr ss:[ebp-10] | [ebp-10]:"122xnehc"
004037F | E8 50F7FFFF | call <crackme_1.LStrClr> |
004037F | 8B45 FC | mov eax,dword ptr ss:[ebp-4] | [ebp-04]:"chenx221"
004037F | E8 94F8FFFF | call <crackme_1.GetLength> |
0040380 | 8BF0 | mov esi,eax |
0040380 | 85F6 | test esi,esi |
0040380 | 7E 26 | jle crackme_1.40382C |
0040380 | BB 01000000 | mov ebx,1 |
0040380 | 8D45 EC | lea eax,dword ptr ss:[ebp-14] |
0040380 | 8B55 FC | mov edx,dword ptr ss:[ebp-4] | [ebp-04]:"chenx221"
0040381 | 8A541A FF | mov dl,byte ptr ds:[edx+ebx-1] |
0040381 | E8 22F8FFFF | call crackme_1.40303C |
0040381 | 8B55 EC | mov edx,dword ptr ss:[ebp-14] |
0040381 | 8D45 F0 | lea eax,dword ptr ss:[ebp-10] | [ebp-10]:"122xnehc"
0040382 | 8B4D F0 | mov ecx,dword ptr ss:[ebp-10] | [ebp-10]:"122xnehc"
0040382 | E8 B8F8FFFF | call <crackme_1.LStrCat3> |
0040382 | 43 | inc ebx |
0040382 | 4E | dec esi |
0040382 | 75 DF | jne crackme_1.40380B |
0040382 | 8B45 F0 | mov eax,dword ptr ss:[ebp-10] | [ebp-10]:翻转Name
0040382 | E8 60F8FFFF | call <crackme_1.GetLength> |
0040383 | 8BF0 | mov esi,eax |
0040383 | 85F6 | test esi,esi |
0040383 | 7E 17 | jle crackme_1.403851 |
0040383 | BB 01000000 | mov ebx,1 |
0040383 | 8B45 F0 | mov eax,dword ptr ss:[ebp-10] | [ebp-10]:"122xnehc"
0040384 | 0FB64418 FF | movzx eax,byte ptr ds:[eax+ebx-1] |
0040384 | 0105 6C564000 | add dword ptr ds:[40566C],eax |
0040384 | 43 | inc ebx |
0040384 | 4E | dec esi |
0040384 | 75 EE | jne crackme_1.40383F |
0040385 | 8D55 E8 | lea edx,dword ptr ss:[ebp-18] | [ebp-18]:"1010101011"
0040385 | A1 6C564000 | mov eax,dword ptr ds:[40566C] | 累加ascii
0040385 | E8 7AFEFFFF | call <crackme_1.Hex2Bin> |
0040385 | 8B55 E8 | mov edx,dword ptr ss:[ebp-18] | 累加结果的二进制(不用不足位数
0040386 | 8BC7 | mov eax,edi | edi:&"1010101011"
0040386 | E8 34F7FFFF | call <crackme_1.LStrAsg> |
0040386 | 33C0 | xor eax,eax |
0040386 | A3 6C564000 | mov dword ptr ds:[40566C],eax |
0040386 | 8B07 | mov eax,dword ptr ds:[edi] | [edi]:"1010101011"
0040387 | E8 1EF8FFFF | call <crackme_1.GetLength> | 获取二进制长度
0040387 | 8BF0 | mov esi,eax |
0040387 | 85F6 | test esi,esi |
0040387 | 7E 18 | jle crackme_1.403894 | 统计二进制1的个数
0040387 | BB 01000000 | mov ebx,1 |
0040388 | 8B07 | mov eax,dword ptr ds:[edi] | [edi]:"1010101011"
0040388 | 807C18 FF 31 | cmp byte ptr ds:[eax+ebx-1],31 | 31:'1'
0040388 | 75 06 | jne crackme_1.403890 |
0040388 | FF05 6C564000 | inc dword ptr ds:[40566C] |
0040389 | 43 | inc ebx |
0040389 | 4E | dec esi |
0040389 | 75 ED | jne crackme_1.403881 |
0040389 | 33C0 | xor eax,eax |
```
regkey检查格式并求一个值
```c#
for (int i = 0; i < RegKey.Length; i++)
{
if (i == 3 || i == 7 || i == 11)
continue; //这几个位置检查'-'
else if (i == 12)
{
regSum += RegKey[i] % 2;
continue;
}
int n = int.Parse(RegKey[i].ToString());
if (i < 3)
regSum += n * (0xB - (i + 1));
else if (i < 7)
regSum += n * (0xC - (i + 1));
else if (i < 11)
regSum += n * (0xD - (i + 1));
}
```
```assembly
0040389 | A3 70564000 | mov dword ptr ds:[405670],eax |
0040389 | BB 01000000 | mov ebx,1 |
004038A | 8B45 F8 | mov eax,dword ptr ss:[ebp-8] | RegKey
004038A | 8A5418 FF | mov dl,byte ptr ds:[eax+ebx-1] |
004038A | 8BC2 | mov eax,edx |
004038A | 3C 31 | cmp al,31 | <"1"
004038A | 0F82 C1010000 | jb <crackme_1.Fail2> |
004038B | 3C 39 | cmp al,39 | >"9"
004038B | 0F87 B9010000 | ja <crackme_1.Fail2> |
004038B | 33C0 | xor eax,eax |
004038B | 8AC2 | mov al,dl |
004038B | 83E8 30 | sub eax,30 | "数"2数
004038C | BA 0B000000 | mov edx,B | 0B:'\v'
004038C | 2BD3 | sub edx,ebx |
004038C | F7EA | imul edx |
004038C | 0105 70564000 | add dword ptr ds:[405670],eax |
004038C | 43 | inc ebx |
004038D | 83FB 04 | cmp ebx,4 |
004038D | 75 CB | jne crackme_1.4038A0 |
004038D | 8B45 F8 | mov eax,dword ptr ss:[ebp-8] | [ebp-08]:"123-456-789-X"
004038D | 8078 03 2D | cmp byte ptr ds:[eax+3],2D | 第四位需要-
004038D | 0F85 90010000 | jne <crackme_1.Fail2> |
004038E | BB 05000000 | mov ebx,5 |
004038E | 8B45 F8 | mov eax,dword ptr ss:[ebp-8] | [ebp-08]:"123-456-789-X"
004038E | 8A4418 FF | mov al,byte ptr ds:[eax+ebx-1] |
004038E | 8BD0 | mov edx,eax |
004038F | 80FA 31 | cmp dl,31 | 31:'1'
004038F | 0F82 79010000 | jb <crackme_1.Fail2> |
004038F | 80FA 39 | cmp dl,39 | 39:'9'
004038F | 0F87 70010000 | ja <crackme_1.Fail2> |
0040390 | 25 FF000000 | and eax,FF |
0040390 | 83E8 30 | sub eax,30 |
0040390 | BA 0C000000 | mov edx,C | 0C:'\f'
0040390 | 2BD3 | sub edx,ebx |
0040391 | F7EA | imul edx |
0040391 | 0105 70564000 | add dword ptr ds:[405670],eax |
0040391 | 43 | inc ebx |
0040391 | 83FB 08 | cmp ebx,8 |
0040391 | 75 C8 | jne crackme_1.4038E7 |
0040391 | 8B45 F8 | mov eax,dword ptr ss:[ebp-8] | [ebp-08]:"123-456-789-X"
0040392 | 8078 07 2D | cmp byte ptr ds:[eax+7],2D | 第八位-
0040392 | 0F85 46010000 | jne <crackme_1.Fail2> |
0040392 | BB 09000000 | mov ebx,9 | 09:'\t'
0040393 | 8B45 F8 | mov eax,dword ptr ss:[ebp-8] | [ebp-08]:"123-456-789-X"
0040393 | 8A4418 FF | mov al,byte ptr ds:[eax+ebx-1] |
0040393 | 8BD0 | mov edx,eax |
0040393 | 80FA 31 | cmp dl,31 | 31:'1'
0040393 | 0F82 2F010000 | jb <crackme_1.Fail2> |
0040394 | 80FA 39 | cmp dl,39 | 39:'9'
0040394 | 0F87 26010000 | ja <crackme_1.Fail2> |
0040394 | 25 FF000000 | and eax,FF |
0040395 | 83E8 30 | sub eax,30 |
0040395 | BA 0D000000 | mov edx,D | 0D:'\r'
0040395 | 2BD3 | sub edx,ebx |
0040395 | F7EA | imul edx |
0040395 | 0105 70564000 | add dword ptr ds:[405670],eax |
0040396 | 43 | inc ebx |
0040396 | 83FB 0C | cmp ebx,C | 0C:'\f'
0040396 | 75 C8 | jne crackme_1.403931 |
0040396 | 8B45 F8 | mov eax,dword ptr ss:[ebp-8] | [ebp-08]:"123-456-789-X"
0040396 | 8078 0B 2D | cmp byte ptr ds:[eax+B],2D | 第十二位-
0040397 | 0F85 FC000000 | jne <crackme_1.Fail2> |
0040397 | 8B45 F8 | mov eax,dword ptr ss:[ebp-8] | [ebp-08]:"123-456-789-X"
0040397 | 8A50 0C | mov dl,byte ptr ds:[eax+C] |
0040397 | 8BC2 | mov eax,edx |
0040397 | 3C 41 | cmp al,41 | 41:'A'
0040398 | 0F82 EC000000 | jb <crackme_1.Fail2> |
0040398 | 3C 5A | cmp al,5A | 5A:'Z'
0040398 | 0F87 E4000000 | ja <crackme_1.Fail2> |
0040398 | 33C0 | xor eax,eax |
0040399 | 8AC2 | mov al,dl |
0040399 | 83E0 01 | and eax,1 |
0040399 | 0105 70564000 | add dword ptr ds:[405670],eax |
```
计算前面的值^二进制1的个数 (v1)
```assembly
0040399 | 33C0 | xor eax,eax |
0040399 | 8905 7C564000 | mov dword ptr ds:[40567C],eax |
004039A | C705 80564000 000000 | mov dword ptr ds:[405680],80000000 |
004039A | 66:C705 84564000 FF3 | mov word ptr ds:[405684],3FFF | 00405684:"-@"
004039B | 8B35 6C564000 | mov esi,dword ptr ds:[40566C] | 二进制中1的个数
004039B | 85F6 | test esi,esi |
004039B | 7E 18 | jle crackme_1.4039D8 |
004039C | DB05 70564000 | fild dword ptr ds:[405670] | 前面的结果^1的个数
004039C | DB2D 7C564000 | fld tword ptr ds:[40567C] |
004039C | DEC9 | fmulp st(1),st(0) |
004039C | DB3D 7C564000 | fstp tword ptr ds:[40567C] |
004039D | 9B | fwait |
004039D | 4E | dec esi |
004039D | 75 E8 | jne crackme_1.4039C0 |
```
Serial字符串转数值
```assembly
004039D | 8B45 F4 | mov eax,dword ptr ss:[ebp-C] | Serial
004039D | E8 B4F6FFFF | call <crackme_1.GetLength> |
004039E | 8BF0 | mov esi,eax |
004039E | 85F6 | test esi,esi |
004039E | 7E 18 | jle crackme_1.4039FE |
004039E | BB 01000000 | mov ebx,1 |
004039E | 8B45 F4 | mov eax,dword ptr ss:[ebp-C] | 检查Serial是否都是数
004039E | 8A4418 FF | mov al,byte ptr ds:[eax+ebx-1] |
004039F | 3C 31 | cmp al,31 | 31:'1'
004039F | 72 7C | jb <crackme_1.Fail2> |
004039F | 3C 39 | cmp al,39 | 39:'9'
004039F | 77 78 | ja <crackme_1.Fail2> |
004039F | 43 | inc ebx |
004039F | 4E | dec esi |
004039F | 75 ED | jne crackme_1.4039EB |
004039F | 33C0 | xor eax,eax |
00403A0 | A3 74564000 | mov dword ptr ds:[405674],eax |
00403A0 | C705 78564000 010000 | mov dword ptr ds:[405678],1 |
00403A0 | 8B45 F4 | mov eax,dword ptr ss:[ebp-C] | [ebp-0C]:"11141"
00403A1 | E8 7DF6FFFF | call <crackme_1.GetLength> |
00403A1 | 8BF0 | mov esi,eax |
00403A1 | 4E | dec esi |
00403A1 | 85F6 | test esi,esi |
00403A1 | 7C 37 | jl crackme_1.403A55 | 字符串转数
00403A1 | 46 | inc esi |
00403A1 | 33DB | xor ebx,ebx |
00403A2 | 8B45 F4 | mov eax,dword ptr ss:[ebp-C] | [ebp-0C]:"11141"
00403A2 | E8 6BF6FFFF | call <crackme_1.GetLength> |
00403A2 | 2BC3 | sub eax,ebx |
00403A2 | 8B55 F4 | mov edx,dword ptr ss:[ebp-C] | [ebp-0C]:"11141"
00403A2 | 0FB64402 FF | movzx eax,byte ptr ds:[edx+eax-1] | 从最后一位开始
00403A3 | 83E8 30 | sub eax,30 | -0 字符转数
00403A3 | F72D 78564000 | imul dword ptr ds:[405678] |
00403A3 | 0105 74564000 | add dword ptr ds:[405674],eax |
00403A4 | A1 78564000 | mov eax,dword ptr ds:[405678] |
00403A4 | 03C0 | add eax,eax | *2
00403A4 | 8D0480 | lea eax,dword ptr ds:[eax+eax*4] | *5
00403A4 | A3 78564000 | mov dword ptr ds:[405678],eax |
00403A5 | 43 | inc ebx |
00403A5 | 4E | dec esi |
00403A5 | 75 CC | jne crackme_1.403A21 |
```
前面的前面 算的v1 % 上面序列号数值
```assembly
00403A5 | 99 | cdq |
00403A5 | 52 | push edx |
00403A5 | 50 | push eax |
00403A5 | DB2D 7C564000 | fld tword ptr ds:[40567C] |
00403A6 | E8 14EBFFFF | call crackme_1.40257C |
00403A6 | E8 63F7FFFF | call crackme_1.4031D0 | 之前算的^结果 % 上面的结果
00403A6 | A3 88564000 | mov dword ptr ds:[405688],eax |
```
检查模数是否是素数是的就成功了
```
00403BC | A1 88564000 | mov eax,dword ptr ds:[405688] |
00403BC | E8 80FBFFFF | call crackme_1.403754 | 判断素数
00403BD | 3C 01 | cmp al,1 |
00403BD | 75 17 | jne <crackme_1.Fail> |
00403BD | 6A 40 | push 40 | Success
00403BD | 68 4C3C4000 | push crackme_1.403C4C | 403C4C:"Succeed!"
00403BD | 68 583C4000 | push crackme_1.403C58 | 403C58:"Great you got a working Serial and key,now write a keygen and send it to me!"
00403BE | 8B45 08 | mov eax,dword ptr ss:[ebp+8] |
00403BE | 50 | push eax |
00403BE | E8 67FAFFFF | call <JMP.&_MessageBoxA@16> |
```
View Git Blame Copy Permalink