indomit's indoKGM1 Crackme
Title: indomit's indoKGM1 Crackme
Author: laowanghai
Date: 2006-04-24 17:17
Attachment: indokgm1.rar
Link: bbs.pediy/showthread.php?threadid=24614
Details:
【Software name】indomit's indoKGM1
【Download】Crackmes.de
【Platform】Win2000
【Size】42 KB
【Protection】Name/Serial
【Cracking statement】Me Crack CrackMe
【Tools】OllyDbg
【Description】The author introduces the crackme as follows: "Hello All!
This my first crackme and it very easy. Just find the correct serial,
create keygen, and write a small tut. =)
But it have TWO ways to key it:
1: For newbie: Find serial for your name
which make a goodboy message :)
2: For profi : Try to find name & serial
which make a VERY goodboy message %)
It was perfect if you try to create keygen without brute force.
And of coz, patches disallowed.
It hasn't any
Good luck! ;)
PS: Tested only on Windows XP SP2.
Difficulty: 1 - Very easy, for newbies
Platform: Windows
Language: Borland Delphi
"
========================================================================================
【Analysis】
1. Checking with PEiD: no packer, a program written in Delphi. DeDe shows nothing of value.
2. Open the program in OllyDbg, search the referenced strings, and you land on the following code:
0040861C > $ 55 PUSH EBP
0040861D . 8BEC MOV EBP,ESP
0040861F . 83C4 F0 ADD ESP,-10
00408622 . 53 PUSH EBX
00408623 . 56 PUSH ESI
00408624 . A1 B0934000 MOV EAX,DWORD PTR DS:[4093B0]
00408629 . C600 01 MOV BYTE PTR DS:[EAX],1
0040862C . B8 DC854000 MOV EAX,indoKGM1.004085DC
00408631 . E8 06C5FFFF CALL indoKGM1.00404B3C
00408636 . 33C0 XOR EAX,EAX
00408638 . 55 PUSH EBP
00408639 . 68 A1884000 PUSH indoKGM1.004088A1
0040863E . 64:FF30 PUSH DWORD PTR FS:[EAX]
00408641 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00408644 . C605 B4A74000>MOV BYTE PTR DS:[40A7B4],0
0040864B . 33C0 XOR EAX,EAX
0040864D . A3 A0A74000 MOV DWORD PTR DS:[40A7A0],EAX
00408652 . 33C0 XOR EAX,EAX
00408654 . A3 BCA74000 MOV DWORD PTR DS:[40A7BC],EAX
00408659 . A1 04934000 MOV EAX,DWORD PTR DS:[409304]
0040865E . BA B8884000 MOV EDX,indoKGM1.004088B8 ; ASCII 0A,"<<---[ Key"
00408663 . E8 78BAFFFF CALL indoKGM1.004040E0
00408668 . E8 87A7FFFF CALL indoKGM1.00402DF4
0040866D . E8 BA9FFFFF CALL indoKGM1.0040262C
00408672 > A1 04934000 MOV EAX,DWORD PTR DS:[409304]
00408677 . BA EC884000 MOV EDX,indoKGM1.004088EC ; ASCII 0A,"--> Name: "
0040867C . E8 5FBAFFFF CALL indoKGM1.004040E0
00408681 . E8 52A3FFFF CALL indoKGM1.004029D8
00408686 . E8 A19FFFFF CALL indoKGM1.0040262C
0040868B . BA 98A74000 MOV EDX,indoKGM1.0040A798
00408690 . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
00408695 . E8 D6A4FFFF CALL indoKGM1.00402B70
0040869A . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
0040869F . E8 38A5FFFF CALL indoKGM1.00402BDC
004086A4 . E8 839FFFFF CALL indoKGM1.0040262C
004086A9 . A1 98A74000 MOV EAX,DWORD PTR DS:[40A798]
004086AE . E8 01B8FFFF CALL indoKGM1.00403EB4
004086B3 . 8BD8 MOV EBX,EAX
004086B5 . 83FB 04 CMP EBX,4
004086B8 . 7C 05 JL SHORT indoKGM1.004086BF
004086BA . 83FB 10 CMP EBX,10
004086BD . 7E 19 JLE SHORT indoKGM1.004086D8
004086BF > A1 04934000 MOV EAX,DWORD PTR DS:[409304]
004086C4 . BA 00894000 MOV EDX,indoKGM1.00408900 ; ASCII 0A,"<--! Plz, "
004086C9 . E8 12BAFFFF CALL indoKGM1.004040E0
004086CE . E8 21A7FFFF CALL indoKGM1.00402DF4
004086D3 . E8 549FFFFF CALL indoKGM1.0040262C
004086D8 > 83FB 04 CMP EBX,4
004086DB .^ 7C 95 JL SHORT indoKGM1.00408672
004086DD . 83FB 10 CMP EBX,10
004086E0 .^ 7F 90 JG SHORT indoKGM1.00408672
004086E2 . A1 04934000 MOV EAX,DWORD PTR DS:[409304]
004086E7 . BA 2C894000 MOV EDX,indoKGM1.0040892C ; ASCII 0A,"--> Serial"
004086EC . E8 EFB9FFFF CALL indoKGM1.004040E0
004086F1 . E8 E2A2FFFF CALL indoKGM1.004029D8
004086F6 . E8 319FFFFF CALL indoKGM1.0040262C
004086FB . BA 9CA74000 MOV EDX,indoKGM1.0040A79C
00408700 . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
00408705 . E8 66A4FFFF CALL indoKGM1.00402B70
0040870A . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
0040870F . E8 C8A4FFFF CALL indoKGM1.00402BDC
00408714 . E8 139FFFFF CALL indoKGM1.0040262C
00408719 . A1 9CA74000 MOV EAX,DWORD PTR DS:[40A79C]
0040871E . E8 91B7FFFF CALL indoKGM1.00403EB4
00408723 . 83F8 10 CMP EAX,10
00408726 . 74 0A JE SHORT indoKGM1.00408732
00408728 . E8 77FDFFFF CALL indoKGM1.004084A4
0040872D . E9 39010000 JMP indoKGM1.0040886B
00408732 > B8 01000000 MOV EAX,1
00408737 . BE A4A74000 MOV ESI,indoKGM1.0040A7A4 ; serial entered by the user
0040873C > 8B15 9CA74000 MOV EDX,DWORD PTR DS:[40A79C]
00408742 . 8A5402 FF MOV DL,BYTE PTR DS:[EDX+EAX-1]
00408746 . 8BCA MOV ECX,EDX
00408748 . 80C1 BF ADD CL,0BF
0040874B . 80E9 06 SUB CL,6
0040874E . 73 04 JNB SHORT indoKGM1.00408754 ; check whether the entered serial character is legal
00408750 . 8816 MOV BYTE PTR DS:[ESI],DL
00408752 . EB 18 JMP SHORT indoKGM1.0040876C
00408754 > 8BCA MOV ECX,EDX
00408756 . 80C1 D0 ADD CL,0D0
00408759 . 80E9 0A SUB CL,0A
0040875C . 73 04 JNB SHORT indoKGM1.00408762 ; check whether the entered serial character is legal
0040875E . 8816 MOV BYTE PTR DS:[ESI],DL
00408760 . EB 0A JMP SHORT indoKGM1.0040876C
00408762 > E8 3DFDFFFF CALL indoKGM1.004084A4 ; if illegal, call the bad-serial routine
00408767 . E9 FF000000 JMP indoKGM1.0040886B
0040876C > 40 INC EAX
0040876D . 46 INC ESI
0040876E . 83F8 11 CMP EAX,11
00408771 .^ 75 C9 JNZ SHORT indoKGM1.0040873C
00408773 . 50 PUSH EAX
00408774 . 53 PUSH EBX
00408775 . 51 PUSH ECX
00408776 . 52 PUSH EDX
00408777 . 31C0 XOR EAX,EAX
00408779 . 31DB XOR EBX,EBX
0040877B . 31C9 XOR ECX,ECX
0040877D . 31D2 XOR EDX,EDX
0040877F . 8B0D 98A74000 MOV ECX,DWORD PTR DS:[40A798] ; user name
00408785 > 0FB619 MOVZX EBX,BYTE PTR DS:[ECX]
00408788 . 31D3 XOR EBX,EDX
0040878A . 01D8 ADD EAX,EBX
0040878C . C1C0 07 ROL EAX,7
0040878F . 89DA MOV EDX,EBX
00408791 . 41 INC ECX
00408792 . 8039 00 CMP BYTE PTR DS:[ECX],0
00408795 .^ 75 EE JNZ SHORT indoKGM1.00408785
00408797 . 31C9 XOR ECX,ECX
00408799 > 31D8 XOR EAX,EBX
0040879B . C1C3 10 ROL EBX,10
0040879E . 01D3 ADD EBX,EDX
004087A0 . 31D8 XOR EAX,EBX
004087A2 . C1C0 03 ROL EAX,3
004087A5 . 31D0 XOR EAX,EDX
004087A7 . C1C2 08 ROL EDX,8
004087AA . 01DA ADD EDX,EBX
004087AC . 31D0 XOR EAX,EDX
004087AE . C1C0 05 ROL EAX,5
004087B1 . 41 INC ECX
004087B2 . 83F9 0A CMP ECX,0A
004087B5 .^ 75 E2 JNZ SHORT indoKGM1.00408799
004087B7 . A3 A0A74000 MOV DWORD PTR DS:[40A7A0],EAX ; store key value Data1
004087BC . 5A POP EDX
004087BD . 59 POP ECX
004087BE . 5B POP EBX
004087BF . 58 POP EAX
004087C0 . B8 01000000 MOV EAX,1
004087C5 . BA A4A74000 MOV EDX,indoKGM1.0040A7A4 ; serial entered by the user
004087CA > 33C9 XOR ECX,ECX
004087CC . 8A0A MOV CL,BYTE PTR DS:[EDX]
004087CE . 310D BCA74000 XOR DWORD PTR DS:[40A7BC],ECX ; computing key value Data2
004087D4 . 83F8 10 CMP EAX,10
004087D7 . 74 07 JE SHORT indoKGM1.004087E0
004087D9 . C125 BCA74000>SHL DWORD PTR DS:[40A7BC],2 ; computing key value Data2
004087E0 > 40 INC EAX
004087E1 . 42 INC EDX
004087E2 . 83F8 11 CMP EAX,11
004087E5 .^ 75 E3 JNZ SHORT indoKGM1.004087CA
004087E7 . A1 BCA74000 MOV EAX,DWORD PTR DS:[40A7BC]
004087EC . C1E8 0C SHR EAX,0C
004087EF . C1E0 0C SHL EAX,0C
004087F2 . 8B15 A0A74000 MOV EDX,DWORD PTR DS:[40A7A0]
004087F8 . C1EA 14 SHR EDX,14
004087FB . 03C2 ADD EAX,EDX
004087FD . 8B15 A0A74000 MOV EDX,DWORD PTR DS:[40A7A0]
00408803 . C1E2 14 SHL EDX,14
00408806 . C1EA 14 SHR EDX,14
00408809 . 33C2 XOR EAX,EDX
0040880B . 8B15 A0A74000 MOV EDX,DWORD PTR DS:[40A7A0]
00408811 . C1E2 0C SHL EDX,0C
00408814 . C1EA 18 SHR EDX,18
00408817 . 33C2 XOR EAX,EDX
00408819 . A3 BCA74000 MOV DWORD PTR DS:[40A7BC],EAX
0040881E . A1 BCA74000 MOV EAX,DWORD PTR DS:[40A7BC]
00408823 . 3B05 A0A74000 CMP EAX,DWORD PTR DS:[40A7A0]
00408829 . 75 07 JNZ SHORT indoKGM1.00408832
0040882B . E8 B0FCFFFF CALL indoKGM1.004084E0
00408830 . EB 39 JMP SHORT indoKGM1.0040886B
00408832 > \E8 CDFBFFFF CALL indoKGM1.00408404 ; routine that compares the serial
00408837 . 84C0 TEST AL,AL
00408839 . 74 07 JE SHORT indoKGM1.00408842
0040883B . C605 B4A74000>MOV BYTE PTR DS:[40A7B4],1
00408842 > 803D B4A74000>CMP BYTE PTR DS:[40A7B4],0
00408849 . 74 1B JE SHORT indoKGM1.00408866
0040884B . A1 04934000 MOV EAX,DWORD PTR DS:[409304]
00408850 . BA 44894000 MOV EDX,indoKGM1.00408944 ; ASCII "
<-- You did it! Now write a small tutorial! -->
<-- And not forget about keygen ;) -->
"
00408855 . E8 86B8FFFF CALL indoKGM1.004040E0
0040885A . E8 95A5FFFF CALL indoKGM1.00402DF4
0040885F . E8 C89DFFFF CALL indoKGM1.0040262C
00408864 . EB 05 JMP SHORT indoKGM1.0040886B
00408866 > E8 39FCFFFF CALL indoKGM1.004084A4
0040886B > A1 04934000 MOV EAX,DWORD PTR DS:[409304]
00408870 . BA A8894000 MOV EDX,indoKGM1.004089A8 ; ASCII "Hit <Enter> to exit"
00408875 . E8 66B8FFFF CALL indoKGM1.004040E0
0040887A . E8 75A5FFFF CALL indoKGM1.00402DF4
0040887F . E8 A89DFFFF CALL indoKGM1.0040262C
00408884 . A1 70934000 MOV EAX,DWORD PTR DS:[409370]
00408889 . E8 4EA3FFFF CALL indoKGM1.00402BDC
0040888E . E8 999DFFFF CALL indoKGM1.0040262C
00408893 . 33C0 XOR EAX,EAX
00408895 . 5A POP EDX
00408896 . 59 POP ECX
00408897 . 59 POP ECX
00408898 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
0040889B . 68 A8884000 PUSH indoKGM1.004088A8
004088A0 > C3 RETN ; RET used as a jump to 004088A8
The serial comparison routine called at 00408832 (CALL indoKGM1.00408404) is analysed below:
00408404 /$ 55 PUSH EBP
00408405 |. 8BEC MOV EBP,ESP
00408407 |. 83C4 EC ADD ESP,-14
0040840A |. 53 PUSH EBX
0040840B |. 33C0 XOR EAX,EAX
0040840D |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00408410 |. 33C0 XOR EAX,EAX
00408412 |. 55 PUSH EBP
00408413 |. 68 7F844000 PUSH indoKGM1.0040847F
00408418 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0040841B |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0040841E |. B3 01 MOV BL,1
00408420 |. E8 53FFFFFF CALL indoKGM1.00408378
00408425 |. 84C0 TEST AL,AL
00408427 |. 74 40 JE SHORT indoKGM1.00408469
00408429 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
0040842C |. 50 PUSH EAX ; /Arg1
0040842D |. A1 A0A74000 MOV EAX,DWORD PTR DS:[40A7A0] ; |
00408432 |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX ; |
00408435 |. C645 F0 00 MOV BYTE PTR SS:[EBP-10],0 ; |
00408439 |. A1 BCA74000 MOV EAX,DWORD PTR DS:[40A7BC] ; |
0040843E |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX ; |
00408441 |. C645 F8 00 MOV BYTE PTR SS:[EBP-8],0 ; |
00408445 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14] ; |
00408448 |. B9 01000000 MOV ECX,1 ; |
0040844D |. B8 98844000 MOV EAX,indoKGM1.00408498 ; |ASCII "%.8x%.8x"
00408452 |. E8 71DCFFFF CALL indoKGM1.004060C8 ; \indoKGM1.004060C8
00408457 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; the correct serial
0040845A |. 8B15 B8A74000 MOV EDX,DWORD PTR DS:[40A7B8] ; the serial you entered
00408460 |. E8 27BBFFFF CALL indoKGM1.00403F8C
00408465 |. 74 02 JE SHORT indoKGM1.00408469
00408467 |. 33DB XOR EBX,EBX
00408469 |> 33C0 XOR EAX,EAX
0040846B |. 5A POP EDX
0040846C |. 59 POP ECX
0040846D |. 59 POP ECX
0040846E |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00408471 |. 68 86844000 PUSH indoKGM1.00408486
00408476 |> 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00408479 |. E8 B6B7FFFF CALL indoKGM1.00403C34
0040847E \. C3 RETN
The serial must consist only of digits or the uppercase letters ABCDEF.
From the code above, the program derives key value Data1 from the user name, then derives key value Data2 from the serial you entered. The correct serial must be the hexadecimal string of Data1 followed by that of Data2. For example, if Data1=0x12345678 and Data2=0x87654321, the correct serial is "1234567887654321". Because the correct serial depends on the serial you typed in, a memory keygen cannot recover the serial for a given name; a program has to compute it.
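As an added example (not the author's keygen and not code from the crackme), here is the check from the listing above reimplemented in C: the name hash that yields Data1, the serial accumulation and bit mixing that yield Data2, and the final comparison. Function names are mine; it assumes the call at 00408452 is Delphi's Format (whose %x prints uppercase hex) and reports the Data2 == Data1 branch at 0040882B separately.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct { uint32_t eax, ebx, edx; } HashState;   /* registers the name hash carries between its loops */
static uint32_t rol32(uint32_t v, unsigned n) { return (v << n) | (v >> (32 - n)); }
/* 00408785 loop: MOVZX/XOR/ADD/ROL 7 over the name bytes; EDX ends up holding the last byte. */
static void hash_name_stage1(const char *name, HashState *st) {
    st->eax = st->ebx = st->edx = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        st->ebx = *p ^ st->edx; st->eax = rol32(st->eax + st->ebx, 7); st->edx = st->ebx;
    }
}
/* 00408799 loop body: one of the ten mixing rounds (CMP ECX,0A). */
static void hash_name_round(HashState *st) {
    st->eax ^= st->ebx;
    st->ebx = rol32(st->ebx, 16) + st->edx;
    st->eax = rol32(st->eax ^ st->ebx, 3) ^ st->edx;
    st->edx = rol32(st->edx, 8) + st->ebx;
    st->eax = rol32(st->eax ^ st->edx, 5);
}
static uint32_t hash_name_rounds(const char *name, int rounds) {   /* rounds < 10 only for inspection */
    HashState st; hash_name_stage1(name, &st);
    while (rounds-- > 0) hash_name_round(&st);
    return st.eax;
}
static uint32_t data1_from_name(const char *name) { return hash_name_rounds(name, 10); }   /* Data1 -> 40A7A0 */
/* 004087CA loop: XOR each serial byte in, SHL 2 after every byte except the 16th. */
static uint32_t serial_accumulate(const char *serial) {
    uint32_t acc = 0;
    for (int i = 0; i < 16; i++) { acc ^= (unsigned char)serial[i]; if (i != 15) acc <<= 2; }
    return acc;
}
/* 004087E7..00408819: clear the low 12 bits, then fold in three slices of Data1 (Data2 -> 40A7BC). */
static uint32_t data2_from(uint32_t acc, uint32_t data1) {
    uint32_t eax = ((acc >> 12) << 12) + (data1 >> 20);   /* SHR/SHL 0C, then ADD the top 12 bits of Data1 */
    eax ^= (data1 << 20) >> 20;                           /* SHL 14 / SHR 14: low 12 bits of Data1 */
    return eax ^ ((data1 << 12) >> 24);                   /* SHL 0C / SHR 18: bits 12..19 of Data1 */
}
/* 2: the Data2 == Data1 branch at 0040882B; 1: serial equals Format("%.8x%.8x", Data1, Data2) as
 * compared in 00408404 (Delphi's %x prints uppercase, assumed here); 0: rejected. */
static int check_serial(const char *name, const char *serial) {
    if (strlen(name) < 4 || strlen(name) > 16 || strlen(serial) != 16) return 0;   /* CMP EBX,4 / CMP EBX,10 / CMP EAX,10 */
    for (int i = 0; i < 16; i++)   /* 0040873C loop: every character must be '0'..'9' or 'A'..'F' */
        if (!((serial[i] >= 'A' && serial[i] <= 'F') || (serial[i] >= '0' && serial[i] <= '9'))) return 0;
    uint32_t d1 = data1_from_name(name), d2 = data2_from(serial_accumulate(serial), d1);
    if (d2 == d1) return 2;
    char expect[17]; snprintf(expect, sizeof expect, "%08X%08X", d1, d2);
    return strcmp(expect, serial) == 0;
}
```

Feeding a name and a candidate serial to check_serial lets you confirm a keygen's output against the listing's logic without running the crackme.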
Further experiments showed that the large block of code computing Data2 is closely tied to the last 8 characters of the serial you enter, and that when those last 8 characters change, only the two positions of Data2 marked below change:
Data2 [][][][+][+][][][]
So when brute forcing, one can compute an initial value and then loop only 0xFF000 times instead of 0xFFFFFFFF times.
Based on the above, the keygen is written as follows:
Note: because there are many ROL, SHL and SHR operations, I was lazy and did not write C functions for them but used inline assembly instead, so the code is rather messy. Experts, please advise.
#include <stdio.h>
#include <string.h>
char name[20];
int main(void)
{
int flag;
char sn[16];
char temp[16];
unsigned long dataAny;
unsigned long eax1,ebx1,ecx1,edx1; // note: these must be unsigned, otherwise the ROL computation goes wrong
unsigned lon