chap6-1-41.htm.primary

From: Encryption and Decryption (加密与解密), software encryption protection techniques and solutions, a 看雪 (PEDIY) document.
          So search in W32DASM for the error message that appears; the relevant listing is: <br>
          <br>
          * Possible StringData Ref from Code Obj ->"No way" <br>
                                  | <br>
          :0042818A 683C824200              push 0042823C <br>
          <br>
          * Possible StringData Ref from Code Obj ->"Wrong entry! Try again." <br>
          <br>
          Scrolling up you will see: <br>
          * Referenced by a (U)nconditional or (C)onditional Jump at Address: <br>
          |:0042810C(C) <br>
          | <br>
          :0042811A 8D55F4                  lea edx, dword ptr [ebp-0C] <br>
          :0042811D 0FB7C6                  movzx eax, si <br>
          :00428120 E8E3E1FDFF              call 00406308 <br>
          :00428125 8D55F4                  lea edx, dword ptr [ebp-0C] <br>
          :00428128 B903000000              mov ecx, 00000003 <br>
          :0042812D B804824200              mov eax, 00428204 <br>
          :00428132 E8CDB6FDFF              call 00403804 <br>
          :00428137 8D55F4                  lea edx, dword ptr [ebp-0C] <br>
          :0042813A B905000000              mov ecx, 00000005 <br>
          :0042813F B804824200              mov eax, 00428204 <br>
          :00428144 E8BBB6FDFF              call 00403804 <br>
          :00428149 8D95D0FBFFFF            lea edx, dword ptr [ebp+FFFFFBD0] <br>
          :0042814F 8B87EC010000            mov eax, dword ptr [edi+000001EC] <br>
          :00428155 E8E6D5FEFF              call 00415740 <br>
          :0042815A 8B85D0FBFFFF            mov eax, dword ptr [ebp+FFFFFBD0] <br>
          :00428160 8B55F4                  mov edx, dword ptr [ebp-0C] <br>
          :00428163 E820B5FDFF              call 00403688        // computes the serial number <br>
          :00428168 751E                    jne 00428188         // if the two are equal, registration succeeds <br>
          :0042816A 6A00                    push 00000000 <br>
          <br>
          * Possible StringData Ref from Code Obj ->"Gratulations" <br>
                                  | <br>
          :0042816C 6808824200              push 00428208 <br>
          <br>
          * Possible StringData Ref from Code Obj ->"Well Done! Try the next CrackMe." <br>
          <br>
          The rest is easy: in SoftICE or TRW2000, go to the line at 00428163, step into the call, and you will find "cmp eax,edx"; type "d edx" to see the correct serial number. 
  </table>
</div>
<div id="KB2Parent" class="parent"> <span class="p9"><a href="#" onClick="expandIt('KB2'); return false"> 
  2. Exercise 2: Answer</a> </span></div>
<div id="KB2Child" class="child"> <span class="p9">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span> 
  <table width="100%" align="center" cellspacing="0">
    <tr bgcolor="#EFEFEF"> 
      <td height="28"> 
        <p class="p9">Protection type: Keyfile Prot <br>
          This crackme is quite easy and well suited for beginners learning how keyfile protection is cracked. The first step is to create a fake KEY FILE: <br>
          make one in Notepad with the content FFFFFFFFFF. Note that the program processes this file as raw byte values (hexadecimal), so open it in a hex editor (I use Hex Workshop <br>
          v3.02, which is very convenient) and you will see the following content: <br>
            00000000:       46 46 46 46 46 46 46 46 46 46 <br>
          <br>
          Set a breakpoint on the ReadFile function, which reads data from a file. Run the crackme and open this file, TC.KEY; the breakpoint fires. Press F12 or F10 until you reach: <br>
          <br>
          :00429DA3  E840A7FDFF          CALL    004044E8        ; read the file <br>
          :00429DA8  E86B88FDFF          CALL    00402618 <br>
          :00429DAD  33C0                XOR     EAX,EAX         ; clear eax <br>
          :00429DAF  8A45FF              MOV     AL,[EBP-01]     ; al = the byte read from TC.KEY <br>
          :00429DB2  03D8                ADD     EBX,EAX         ; ebx = ebx + al <br>
          :00429DB4  8D85B0FEFFFF        LEA     EAX,[EBP-0150] <br>
          :00429DBA  E8D5A6FDFF          CALL    00404494 <br>
          :00429DBF  E85488FDFF          CALL    00402618 <br>
          :00429DC4  84C0                TEST    AL,AL <br>
          :00429DC6  74D2                JZ      00429E9A        ; check whether the end of file (EOF) has been reached <br>
          :00429DC8  8D85B0FEFFFF        LEA     EAX,[EBP-0150] <br>
          :00429DCE  E885A6FDFF          CALL    00404458 <br>
          :00429DD3  E84088FDFF          CALL    00402618 <br>
          :00429DD8  81FBA9200000        CMP     EBX,000020A9    ; sum of all bytes in the keyfile = 20A9h <br>
          :00429DDE  750E                JNZ     00429DEE        ; if not equal => invalid KEY FILE <br>
          :00429DE0  BA4C9E4200          MOV     EDX,00429E4C    ; edx = display "Registered" - success <br>
          :00429DE5  8BC6                MOV     EAX,ESI <br>
          :00429DE7  E85CEEFEFF          CALL    00418C48 <br>
          :00429DEC  EB0C                JMP     00429DFA <br>
          :00429DEE  BA2C9E4200          MOV     EDX,00429E2C    ; edx = display "Unregistered" <br>
          <br>
          So the answer is already clear: the bytes of our KEY-FILE must sum to 20A9h. Many contents satisfy this, for example: <br>
          68 * 'z' plus 1 * 'A', i.e. 44*7A+41=20A9 (note: all of this arithmetic is in hexadecimal) <br>
          So create a file in Notepad with the following content: <br>
          <br>
          zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzA 
          <br>
          <br>
          Open this text file in a hex editor and you will see: <br>
          00000000:  7A 7A 7A 7A-7A 7A 7A 7A-7A 7A 7A 7A-7A 7A 7A 7A <br>
          00000010:  7A 7A 7A 7A-7A 7A 7A 7A-7A 7A 7A 7A-7A 7A 7A 7A <br>
          00000020:  7A 7A 7A 7A-7A 7A 7A 7A-7A 7A 7A 7A-7A 7A 7A 7A <br>
          00000030:  7A 7A 7A 7A-7A 7A 7A 7A-7A 7A 7A 7A-7A 7A 7A 7A <br>
          00000040:  7A 7A 7A 7A-41 <br>
          <br>
          Now run the crackme and open this KEY-FILE; the title bar shows: Registered <br>
          <br>
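As an added illustration (not part of the original walkthrough), here is a Python model of the check in the listing above: it mirrors the ADD EBX,EAX loop and the CMP EBX,000020A9, and runs it over the two files the walkthrough constructs. Because only the byte sum is compared, the check binds nothing about the file's actual content, which is exactly the weakness the walkthrough relies on.

```python
# Added example, not code from the original page: a model of the keyfile
# check disassembled above (sum of all bytes compared against 20A9h).


def keyfile_checksum(data: bytes) -> int:
    """Mirror of the ADD EBX,EAX loop: EBX accumulates every byte (32-bit)."""
    ebx = 0
    for b in data:
        ebx = (ebx + b) & 0xFFFFFFFF
    return ebx


EXPECTED_SUM = 0x20A9  # the constant in CMP EBX,000020A9


def is_registered(data: bytes) -> bool:
    """The JNZ to the Unregistered path is skipped only when the sum is 20A9h."""
    return keyfile_checksum(data) == EXPECTED_SUM


# Constructed inputs mirroring the two files the walkthrough creates.
DUMMY_KEY = b"F" * 10          # the first attempt: "FFFFFFFFFF"
PAGE_KEY = b"z" * 0x44 + b"A"  # 44h * 7Ah + 41h = 20A9h


def hexdump(data: bytes) -> str:
    """Simplified hex-editor view, 16 bytes per row, like the dump above."""
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        rows.append(f"{off:08X}:  " + " ".join(f"{b:02X}" for b in chunk))
    return "\n".join(rows)


if __name__ == "__main__":
    for name, data in (("dummy", DUMMY_KEY), ("page", PAGE_KEY)):
        print(f"{name}: sum={keyfile_checksum(data):04X} "
              f"registered={is_registered(data)}")
    print(hexdump(PAGE_KEY))
```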
          Now let's use another method: patching. Open the file in W32DASM, search for Unregistered, and double-click to get to: <br>
          <br>
          * Possible StringData Ref from Code Obj ->"Status: Unregistered" <br>
                                  | <br>
          :00429D44 BA2C9E4200              mov edx, 00429E2C  &lt;-- note this address <br>
          :00429D49 8BC6                    mov eax, esi <br>
          <br>
          Then search for 'Status: Registered' - you arrive at: <br>
          <br>
          * Possible StringData Ref from Code Obj ->"Status: Registered - Well done" <br>
                                  | <br>
          :00429DE0 BA4C9E4200              mov edx, 00429E4C  &lt;-- note this address <br>
          :00429DE5 8BC6                    mov eax, esi <br>
          :00429DE7 E85CEEFEFF              call 00418C48 <br>
          :00429DEC EB0C                    jmp 00429DFA <br>
          <br>
          Change the line at 00429D44 to: mov edx,00429E4C <br>
          Now search for: BA2C9E4200 <br>
            and change it to: BA4C9E4200 <br>
          Now it is completely cracked. 
  </table>
</div>
<div id="KB3Parent" class="parent"> <span class="p9"><a href="#" onClick="expandIt('KB3'); return false"> 
  3. Exercise 3: Answer</a> </span></div>
<div id="KB3Child" class="child"> <span class="p9">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span> 
  <table width="100%" align="center" cellspacing="0">
    <tr bgcolor="#EFEFEF"> 
      <td height="28"> 
        <p class="p9">This is a keyfile-protected program; unlike the previous two, you cannot choose the keyfile name yourself. The first step is to find that file name. <br>
          1) BPX CreateFileA brings you to: <br>
          0137:004010AA  PUSH    004020E5 <br>
          0137:004010AF  CALL    00401192                          ; d 4020e5 shows the file name: N0P3X.KEY <br>
          0137:004010B4  MOV     [00402000],EAX <br>
          Of course you can also find the keyfile name easily in W32DASM. <br>
          <br>
          2) Create this file with arbitrary content, run the crackme, and you come to: <br>
                                                                    ; 004020F3 holds the data read from N0P3X.KEY <br>
           :00401113    XOR    BYTE PTR [EAX+004020F3],43    ; XOR the byte read from N0P3X.KEY with 43h <br>
           :0040111A    INC    EAX                           ; EAX+1 <br>
           :0040111B    CMP    BYTE PTR [EAX+004020F3],00    ; check whether N0P3X.KEY has more content <br>
           :00401122    JNZ    00401113                      ; <br>
           :00401124    PUSH   004020F3                      ; push the data just XORed 
