;-----------------------------------------------------------------------
; OllyDbg disassembly of the serial-check routine of "Crackme1" (x86-32,
; Win32, stdcall USER32 calls plus one cdecl wsprintfA). This is a
; debugger dump, not assemblable source: each line is
;   address  opcode-bytes  mnemonic  ; annotation
; Stack frame used: [EBP+8] = hWnd (OllyDbg's label), [EBP-4] = username
; length (set at 00401165). The body of the enclosing function starts
; before this excerpt.
;
; Flow: read username -> reject if empty or shorter than 4 -> derive two
; numbers (ESI from the characters, EBX from the length only) -> format
; "BS-%lX-%lu" into the global buffer 004021BB -> read the entered serial
; into 00402157 -> compare the two strings byte by byte -> "Solved" / "Nope".
;
; Weakness noted by the original author: the expected serial is written in
; plaintext to a global buffer before the comparison, so it is visible in
; process memory without analysing the algorithm.
;-----------------------------------------------------------------------
00401139 $ 6A 32 PUSH 32 ; /Count = 32 (50.)  nMaxCount: at most 0x31 chars + NUL copied
0040113B . 68 F3204000 PUSH Crackme1.004020F3 ; |Buffer = Crackme1.004020F3 (username buffer)
00401140 . 68 C8000000 PUSH 0C8 ; |ControlID = C8 (200.)  username edit control
00401145 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401148 . E8 DE000000 CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
0040114D . 83F8 00 CMP EAX,0 ; EAX = number of username characters read
00401150 . 0F84 99000000 JE Crackme1.004011EF ; nothing read -> fail (4)
00401156 . 83F8 04 CMP EAX,4
00401159 . 0F82 90000000 JB Crackme1.004011EF ; unsigned compare: fewer than 4 chars -> fail (4)
0040115F . 33C9 XOR ECX,ECX ; ECX = 0, character index
00401161 . 33DB XOR EBX,EBX ; EBX = 0, running sum
00401163 . 33F6 XOR ESI,ESI ; ESI = 0, copy of the sum that survives the loop
00401165 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; [EBP-4] = username length
00401168 > 0FBE81 F32040>MOVSX EAX,BYTE PTR DS:[ECX+4020F3] ; (1) EAX = sign-extended username[ECX]
0040116F . 83F8 20 CMP EAX,20 ; 0x20 = ' '
00401172 . 74 07 JE SHORT Crackme1.0040117B ; space: contributes nothing, go to (2)
00401174 . 6BC0 04 IMUL EAX,EAX,4 ; EAX = char * 4
00401177 . 03D8 ADD EBX,EAX ; EBX += char * 4
00401179 . 8BF3 MOV ESI,EBX ; ESI = EBX
0040117B > 41 INC ECX ; (2) next character
0040117C . 3B4D FC CMP ECX,DWORD PTR SS:[EBP-4] ; all characters consumed?
0040117F .^ 75 E7 JNZ SHORT Crackme1.00401168 ; no: back to (1)
00401181 . 83FE 00 CMP ESI,0 ; ESI = 4 * sum of non-space chars (first serial field, %lu)
00401184 . 74 69 JE SHORT Crackme1.004011EF ; zero sum (e.g. username of spaces only) -> fail (4)
00401186 . BB 89476500 MOV EBX,654789 ; EBX = 0x654789, seed of the second field
0040118B > 0FBE81 F22040>MOVSX EAX,BYTE PTR DS:[ECX+4020F2] ; (5) loads username[ECX-1] (ECX == length on entry), but EAX is overwritten by the IMUL below, so the byte is never used
00401192 . 4B DEC EBX ; EBX = EBX - 1
00401193 . 6BC3 02 IMUL EAX,EBX,2 ; EAX = EBX * 2 (discards the character loaded above)
00401196 . 03D8 ADD EBX,EAX ; EBX = EBX * 3
00401198 . 4B DEC EBX ; EBX = EBX - 1
00401199 . 49 DEC ECX ; one iteration per character
0040119A .^ 75 EF JNZ SHORT Crackme1.0040118B ; ECX not yet 0 -> (5); second field therefore depends only on the length
0040119C . 56 PUSH ESI ; /<%lu>
0040119D . 53 PUSH EBX ; |<%lX>
0040119E . 68 C7204000 PUSH Crackme1.004020C7 ; |Format = "BS-%lX-%lu"
004011A3 . 68 BB214000 PUSH Crackme1.004021BB ; |s = Crackme1.004021BB  expected serial is written here, in plaintext
004011A8 . E8 6C000000 CALL <JMP.&USER32.wsprintfA> ; \wsprintfA (cdecl: caller removes the arguments)
004011AD . 58 POP EAX ; discard the 4 wsprintfA arguments
004011AE . 58 POP EAX
004011AF . 58 POP EAX
004011B0 . 58 POP EAX
004011B1 . E8 01000000 CALL Crackme1.004011B7 ; (6) read and compare the entered serial
004011B6 . C3 RETN
;------------------------------------------------------------------------ (6)
004011B7 $ 33C9 XOR ECX,ECX ; redundant: ECX is cleared again at 004011D2
004011B9 . 6A 32 PUSH 32 ; /Count = 32 (50.)
004011BB . 68 57214000 PUSH Crackme1.00402157 ; |Buffer = Crackme1.00402157 (entered serial)
004011C0 . 68 C9000000 PUSH 0C9 ; |ControlID = C9 (201.)  serial edit control
004011C5 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004011C8 . E8 5E000000 CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA
004011CD . 83F8 00 CMP EAX,0 ; EAX = serial length; empty?
004011D0 . 74 1D JE SHORT Crackme1.004011EF ; empty -> fail (4)
004011D2 . 33C9 XOR ECX,ECX ; ECX = 0, compare index
;------------------------------------------------------------------------ (8)
004011D4 > 0FBE81 572140>MOVSX EAX,BYTE PTR DS:[ECX+402157] ; (8) EAX = entered serial[ECX]
004011DB . 0FBE99 BB2140>MOVSX EBX,BYTE PTR DS:[ECX+4021BB] ; EBX = expected serial[ECX] (derived from the username)
004011E2 . 3BC3 CMP EAX,EBX
004011E4 . 75 09 JNZ SHORT Crackme1.004011EF ; byte mismatch -> fail (4)
004011E6 . 83F8 00 CMP EAX,0 ; both strings at their NUL terminator?
004011E9 . 74 19 JE SHORT Crackme1.00401204 ; yes: every byte matched -> success (7)
004011EB . 41 INC ECX ; next byte
004011EC .^ EB E6 JMP SHORT Crackme1.004011D4 ; -> (8)
004011EE . C3 RETN ; unreachable: the loop above only leaves via the jumps
;------------------------------------------------------------------------ (4) failure
004011EF > 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
004011F1 . 68 E4204000 PUSH Crackme1.004020E4 ; |Title = "Nope"
004011F6 . 68 E9204000 PUSH Crackme1.004020E9 ; |Text = "Try again"
004011FB . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
004011FE . E8 34000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401203 . C3 RETN
;------------------------------------------------------------------------ (7) success
00401204 > 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00401206 . 68 D2204000 PUSH Crackme1.004020D2 ; |Title = "Solved"
0040120B . 68 D9204000 PUSH Crackme1.004020D9 ; |Text = "Well done."
00401210 . FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hOwner
00401213 . E8 1F000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401218 . C3 RETN
; Trace result:
; Username: firecow
; Serial:   BS-613A0E4F-3004
; This CrackMe is actually not well made: there is no need to analyse the code at all, the serial can easily be found by grabbing it from memory data.