chap6-1-41.htm.primary

Encryption and Decryption: Software Protection Techniques and Solutions (看雪 documentation)
          <br>
          &nbsp; :00401129&nbsp; &nbsp; PUSH&nbsp; &nbsp; 004020FD&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ; push the data used for the comparison; it is actually all zeros <br>
          &nbsp; :0040112E&nbsp; &nbsp; CALL&nbsp; &nbsp; KERNEL32!lstrcmp&nbsp; ; compare them <br>
          &nbsp; :00401133&nbsp; &nbsp; CMP&nbsp; &nbsp; EAX,00&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ; EAX=0 means they compared equal: registration succeeds <br>
          &nbsp; :00401136&nbsp; &nbsp; JZ&nbsp; &nbsp; &nbsp; 0040113E&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ; <br>
          &nbsp; :00401138&nbsp; &nbsp; JMP&nbsp; &nbsp; 00401158&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ; otherwise Unregistered <br>
          <br>
          <br>
          3) After analysing the code above, we know that each character in N0P3X.KEY must give 0 when XORed with 43H for registration to succeed. 43H is the ASCII code of C, so the content of N0P3X.KEY is any number of C's: CCCCCCCCCC 
  </table>
</div>
<div id="KB4Parent" class="parent"> <span class="p9"><a href="#" onClick="expandIt('KB4'); return false"> 
  4. Exercise 4 Answer</a></span></div>
<div id="KB4Child" class="child"> <span class="p9">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span> 
  <table width="100%" cellspacing="0" align="center">
    <tr bgcolor="#EFEFEF"> 
      <td> 
        <p><span class="p9">Mikl0's cracking tutorial <br>
          Target: Kwazy_W's PacMe <br>
          Tool: SoftICE <br>
          <br>
          </span> </p>
        <blockquote> 
          <p> Hello everyone! It took me a good three hours or more, but I finally got this program done. This program can truly be called a classic among crackmes, and it is a lot of fun; I also admire the care and ingenuity the author put into designing it. I believe many people could crack this thing easily, but I am a newcomer: although I have my heart set on becoming a cracker, my skills are still weak, so it took me a long time to solve it, which is really embarrassing. Here I just want to write down a few of my thoughts and impressions and discuss them with everyone; I hope the experts will give me plenty of advice! 
            <br>
            <br>
            &nbsp; Back to the subject: let's start looking at this program. The program's check button checks a key file in its directory and shows whether registration succeeded. Following my usual habit, I first took a look with W32Dasm (unfortunately the W32Dasm versions I use all have poor Chinese support, :(, I don't know whether there is a good version anywhere), and found the following string: Congratulations!&nbsp; 
            Mail me (KwazyWebbit@hotmail", heh, this more or less has something to do with our goal; double-clicking it shows the following: <br>
            <br>
            * Reference To: GDI32.MoveToEx, Ord:0147h <br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
            :0040113D E812070000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Call 00401854 <br>
            :00401142 FF7518&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push [ebp+18] <br>
            :00401145 FF7514&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push [ebp+14] <br>
            :00401148 FF7508&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push [ebp+08] <br>
            <br>
            * Reference To: GDI32.LineTo, Ord:0144h <br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
            :0040114B E8FE060000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Call 0040184E <br>
            :00401150 C9&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; leave <br>
            :00401151 C21400&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ret 0014 <br>
            <br>
            <br>
            :00401154 33D2&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; xor edx, edx <br>
            :00401156 B82E522E55&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov eax, 552E522E <br>
            :0040115B B9454D414C&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov ecx, 4C414D45 <br>
            :00401160 33C1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; xor eax, ecx <br>
            :00401162 0553494854&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; add eax, 54484953 <br>
            :00401167 B941205349&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; mov ecx, 49532041 <br>
            :0040116C 0BC1&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; or eax, ecx <br>
            :0040116E 2D454B4146&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; sub eax, 46414B45 <br>
            :00401173 23D0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; and edx, eax <br>
            :00401175 81FADEC0AD0B&nbsp; &nbsp; &nbsp; &nbsp; cmp edx, 0BADC0DE <br>
            :0040117B 7513&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; jne 00401190 <br>
            :0040117D 6A00&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 00000000 <br>
            <br>
            * Possible StringData Ref from Data Obj ->"Success.." <br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
            :0040117F 6859334000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 00403359 <br>
            <br>
            * Possible StringData Ref from Data Obj ->"Congratulations!&nbsp; Mail me (KwazyWebbit@hotmail" <br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ->".com) how you did it.&nbsp; Dont forget " <br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ->"to include your keyfile! =]" <br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
            :00401184 68EC324000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 004032EC <br>
            :00401189 6A00&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 00000000 <br>
            <br>
            * Reference To: USER32.MessageBoxA, Ord:01BBh&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ; display a dialog box telling you that you have succeeded!!!!!!!! <br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
            :0040118B E81C060000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Call 004017AC <br>
            <br>
            * Referenced by a (U)nconditional or (C)onditional Jump at Address: <br>
            |:0040117B(C) <br>
            | <br>
            :00401190 C3&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ret <br>
            <br>
            <br>
            &nbsp; &nbsp; Let's analyse it: this string is used as a parameter, and the system call MessageBoxA reports to you that you have cracked it successfully! Then it simply returns. Looking further back, it seemed to go nowhere at all (my skill is limited), so I gave up static analysis with W32Dasm and had to call on the veteran tool SoftICE. Before that, let's first trace and analyse with File Monitor: <br>
            2&nbsp; &nbsp;&nbsp;20:11:42&nbsp; &nbsp;&nbsp;Pacme&nbsp; &nbsp;&nbsp;Open&nbsp; &nbsp;&nbsp;C:\WINDOWS\DESKTOP\KWAZYWEB.BIT&nbsp; &nbsp;&nbsp;NOTFOUND&nbsp; &nbsp;&nbsp;OPENEXISTING READONLY DENYNONE <br>
            &nbsp; &nbsp;&nbsp; <br>
            &nbsp; &nbsp; I found that on startup, or when the check button is pressed, it wants to open a file named kwazyweb.bit, so I created an empty file named kwazyweb.bit and continued the analysis: 
            <br>
            380&nbsp; &nbsp;&nbsp;20:12:32&nbsp; &nbsp;&nbsp;Pacme&nbsp; &nbsp;&nbsp;Open&nbsp; &nbsp;&nbsp;C:\WINDOWS\DESKTOP\KWAZYWEB.BIT&nbsp; &nbsp;&nbsp;SUCCESS&nbsp; &nbsp;&nbsp;OPENEXISTING READONLY DENYNONE <br>
            381&nbsp; &nbsp;&nbsp;20:12:32&nbsp; &nbsp;&nbsp;Pacme&nbsp; &nbsp;&nbsp;Read&nbsp; &nbsp;&nbsp;C:\WINDOWS\DESKTOP\KWAZYWEB.BIT&nbsp; &nbsp;&nbsp;SUCCESS&nbsp; &nbsp;&nbsp;Offset: 0 Length: 1 <br>
            382&nbsp; &nbsp;&nbsp;20:12:32&nbsp; &nbsp;&nbsp;Pacme&nbsp; &nbsp;&nbsp;Close&nbsp; &nbsp;&nbsp;C:\WINDOWS\DESKTOP\KWAZYWEB.BIT&nbsp; &nbsp;&nbsp;SUCCESS&nbsp; &nbsp;&nbsp;CLOSE_FINAL <br>
            &nbsp; &nbsp;&nbsp; <br>
            &nbsp; &nbsp; The program reads one byte from the start of the file. Write a single byte '1' into the file and continue... <br>
            1183&nbsp; &nbsp;&nbsp;20:13:00&nbsp; &nbsp;&nbsp;Pacme&nbsp; &nbsp;&nbsp;Open&nbsp; &nbsp;&nbsp;C:\WINDOWS\DESKTOP\KWAZYWEB.BIT&nbsp; &nbsp;&nbsp;SUCCESS&nbsp; &nbsp;&nbsp;OPENEXISTING READONLY DENYNONE <br>
            1184&nbsp; &nbsp;&nbsp;20:13:00&nbsp; &nbsp;&nbsp;Pacme&nbsp; &nbsp;&nbsp;Read&nbsp; &nbsp;&nbsp;C:\WINDOWS\DESKTOP\KWAZYWEB.BIT&nbsp; &nbsp;&nbsp;SUCCESS&nbsp; &nbsp;&nbsp;Offset: 0 Length: 1 <br>
            1185&nbsp; &nbsp;&nbsp;20:13:00&nbsp; &nbsp;&nbsp;Pacme&nbsp; &nbsp;&nbsp;Read&nbsp; &nbsp;&nbsp;C:\WINDOWS\DESKTOP\KWAZYWEB.BIT&nbsp; &nbsp;&nbsp;SUCCESS&nbsp; &nbsp;&nbsp;Offset: 1 Length: 49 <br>
            1186&nbsp; &nbsp;&nbsp;20:13:00&nbsp; &nbsp;&nbsp;Pacme&nbsp; &nbsp;&nbsp;Read&nbsp; &nbsp;&nbsp;C:\WINDOWS\DESKTOP\KWAZYWEB.BIT&nbsp; &nbsp;&nbsp;SUCCESS&nbsp; &nbsp;&nbsp;Offset: 1 Length: 18 <br>
            1187&nbsp; &nbsp;&nbsp;20:13:00&nbsp; &nbsp;&nbsp;Pacme&nbsp; &nbsp;&nbsp;Close&nbsp; &nbsp;&nbsp;C:\WINDOWS\DESKTOP\KWAZYWEB.BIT&nbsp; &nbsp;&nbsp;SUCCESS&nbsp; &nbsp;&nbsp;CLOSE_FINAL <br>
            <br>
            &nbsp; &nbsp; I noticed that the number of times the program reads the file went from one to three. Looking into it, the length of the second read, 49, is exactly the ASCII value of '1'; OK, that is only a guess. Confirming it in W32Dasm, I found that ReadFile is called exactly 3 times, and moreover the length of the second read is eax, which is the value obtained by the first read; this is no coincidence!!! The length of the third read is 0x12, which is exactly 18 in decimal, matching the File Monitor result perfectly. <br>
            <br>
            :004016EA 6848344000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 00403448 <br>
            :004016EF 6A01&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 00000001 <br>
            :004016F1 68FA344000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 004034FA <br>
            :004016F6 FF3544344000&nbsp; &nbsp; &nbsp; &nbsp; push dword ptr [00403444] <br>
            <br>
            * Reference To: KERNEL32.ReadFile, Ord:01FDh <br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
            :004016FC E811010000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Call 00401812&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ; read the first byte of the file and store it in [004034FA] <br>
            :00401701 0FB605FA344000&nbsp; &nbsp; &nbsp; movzx eax, byte ptr [004034FA] <br>
            :00401708 85C0&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; test eax, eax <br>
            :0040170A 743B&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; je 00401747 <br>
            :0040170C 6A00&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 00000000 <br>
            :0040170E 6848344000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 00403448 <br>
            :00401713 50&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push eax <br>
            :00401714 6888324000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; push 00403288&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ;i am here,hehe <br>
            :00401719 FF3544344000&nbsp; &nbsp; &nbsp; &nbsp; push dword ptr [00403444] <br>
            <br>
            * Reference To: KERNEL32.ReadFile, Ord:01FDh <br>
            &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; | <br>
            :0040171F E8EE000000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Call 00401812&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ; read data starting from the second byte; the length is eax, i.e. it is determined by the value of the first byte <br>
            :00401724 E8D7F8FFFF&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; call 00401000&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ; computes a key piece of data, we definitely have to step into it, :) <br>
            :00401729 6A00&nbsp; 
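The read sequence that the File Monitor trace and the two ReadFile calls above describe, modelled in Python as an added illustration (this is not Mikl0's code and not code from PacMe): a one-byte length prefix read into [004034FA], a read of that many bytes, and a fixed 18-byte read, with a zero length byte taking the je at 0040170A. The in-memory ReadFile stand-in, the function names and the sample files are my own assumptions.

```python
# Added model of PacMe's keyfile read sequence as reconstructed in the text:
# not code from the tutorial or from the program itself.  The 18-byte third
# read (0x12) and the "second length comes from the first byte" rule are taken
# from the trace above; everything else here is an assumption for illustration.

from typing import List, Optional, Tuple

THIRD_READ_LEN = 0x12  # the fixed 18-byte read seen as trace entry 1186


def read_file(data: bytes, offset: int, length: int) -> bytes:
    """Stand-in for ReadFile on an in-memory file: returns at most `length` bytes."""
    return data[offset:offset + length]


def keyfile_reads(data: bytes) -> List[Tuple[int, int, int]]:
    """Return (offset, requested, returned) for each ReadFile the program issues.

    Read 1: one byte at offset 0 (the byte that lands in [004034FA]).
    If that byte is zero, or the file is empty, the code at 0040170A takes the
    je to 00401747 and no further reads happen (the empty-file trace).
    Read 2: `first byte` bytes at offset 1 (eax is pushed as the length).
    Read 3: 18 bytes at offset 1, exactly as in trace entry 1186.
    """
    reads = []
    first = read_file(data, 0, 1)
    reads.append((0, 1, len(first)))
    length_byte = first[0] if first else 0
    if length_byte == 0:
        return reads
    second = read_file(data, 1, length_byte)
    reads.append((1, length_byte, len(second)))
    third = read_file(data, 1, THIRD_READ_LEN)
    reads.append((1, THIRD_READ_LEN, len(third)))
    return reads


def parse_keyfile(data: bytes) -> Optional[Tuple[int, bytes, bytes]]:
    """Return (length_byte, variable_block, fixed_18_bytes), or None if rejected.

    Mirrors the control flow: a zero (or missing) length byte short-circuits to
    the unregistered path before any further reading.
    """
    first = read_file(data, 0, 1)
    if not first or first[0] == 0:
        return None
    n = first[0]
    return n, read_file(data, 1, n), read_file(data, 1, THIRD_READ_LEN)


if __name__ == "__main__":
    # Constructed sample: the author's one-byte file containing '1' (0x31 = 49)
    for offset, want, got in keyfile_reads(b"1"):
        print(f"Read at offset {offset}, length {want} -> {got} byte(s) returned")
```

Running it on a one-byte file containing '1' reproduces the trace: a 1-byte read, then a 49-byte read and an 18-byte read, both at offset 1.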
