md5+rsa crackme cracking example (娃娃).txt
Subject: An introductory cracking example on cryptography - BiSHoP's CrackMe4 (30K characters)
From: 娃娃[CCG]
Date: 2002-11-9 12:11:56
Details:
An introductory cracking example on cryptography
Cracking BiSHoP's LockLess CrackMe4
A CrackMe I came across by chance yesterday while tidying up my computer. Author: BiSHoP
Difficulty: easy
Algorithm: MD5+RSA130
Tools used: my modified TRW2000 1.23 (this CrackMe contains anti-debugger code for SoftICE, TRW and others; with my modified version it is not detected)
W32Dasm 10.0 (the version modified by Killer; thanks to Killer)
RSATool 2.17 (tE!/[TMG]'s RSA tool, cool)
BigInt Calculator Pro 1.2 (thanks to Stkman/[CCG] for providing me with the KeyFile)
Run the CrackMe and enter the following information. Name: 娃娃  Organization: [CCG]  Registration Code: 38383838
* Reference To: USER32.GetDlgItemTextA, Ord:0000h
|
:00401544 8B3DCCB04000 mov edi, dword ptr [0040B0CC]
:0040154A 8D9424B0000000 lea edx, dword ptr [esp+000000B0]
:00401551 6A32 push 00000032
:00401553 52 push edx
:00401554 68EB030000 push 000003EB
:00401559 56 push esi
:0040155A FFD7 call edi
:0040155C 85C0 test eax, eax
:0040155E 7521 jne 00401581 /checks whether the name length is 0; must jump
:00401560 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"Name"
|
:00401562 6838C44000 push 0040C438
* Possible StringData Ref from Data Obj ->"Please enter a name."
|
:00401567 6820C44000 push 0040C420
:0040156C 56 push esi
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:0040156D FF15D0B04000 Call dword ptr [0040B0D0]
:00401573 5F pop edi
:00401574 5E pop esi
:00401575 33C0 xor eax, eax
:00401577 5B pop ebx
:00401578 81C488010000 add esp, 00000188
:0040157E C21000 ret 0010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040155E(C)
|
:00401581 8D8424E8000000 lea eax, dword ptr [esp+000000E8]
:00401588 6A32 push 00000032
:0040158A 50 push eax
:0040158B 68EC030000 push 000003EC
:00401590 56 push esi
:00401591 FFD7 call edi
:00401593 85C0 test eax, eax
:00401595 7521 jne 004015B8 /the organization name length must not be 0; must jump
:00401597 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"Company"
|
:00401599 6818C44000 push 0040C418
* Possible StringData Ref from Data Obj ->"Please enter company or organization."
|
:0040159E 68F0C34000 push 0040C3F0
:004015A3 56 push esi
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004015A4 FF15D0B04000 Call dword ptr [0040B0D0]
:004015AA 5F pop edi
:004015AB 5E pop esi
:004015AC 33C0 xor eax, eax
:004015AE 5B pop ebx
:004015AF 81C488010000 add esp, 00000188
:004015B5 C21000 ret 0010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401595(C)
|
* Reference To: KERNEL32.lstrcpyA, Ord:0000h
|
:004015B8 8B1D10B04000 mov ebx, dword ptr [0040B010]
:004015BE 8D8C24B0000000 lea ecx, dword ptr [esp+000000B0]
:004015C5 8D942420010000 lea edx, dword ptr [esp+00000120]
:004015CC 51 push ecx
:004015CD 52 push edx
:004015CE FFD3 call ebx
:004015D0 8D8424E8000000 lea eax, dword ptr [esp+000000E8]
:004015D7 8D8C24B0000000 lea ecx, dword ptr [esp+000000B0]
:004015DE 50 push eax /EAX holds the name
:004015DF 51 push ecx /ECX holds the organization name
* Reference To: KERNEL32.lstrlenA, Ord:0000h
|
:004015E0 FF1578B04000 Call dword ptr [0040B078]
:004015E6 8D940424010000 lea edx, dword ptr [esp+eax+00000124]
:004015ED 52 push edx
:004015EE FFD3 call ebx /calls lstrcpyA to concatenate the name and the organization name
:004015F0 8D44242C lea eax, dword ptr [esp+2C]
:004015F4 8D8C2420010000 lea ecx, dword ptr [esp+00000120]
:004015FB 50 push eax
:004015FC 51 push ecx
:004015FD E86EFBFFFF call 00401170 *//key Call (1)
:00401602 8D542434 lea edx, dword ptr [esp+34]
:00401606 52 push edx /EDX holds the hash result; call it Temp for the analysis below
:00401607 E8F4F9FFFF call 00401000
:0040160C 83C40C add esp, 0000000C
:0040160F 8D442478 lea eax, dword ptr [esp+78]
:00401613 6A32 push 00000032
:00401615 50 push eax
:00401616 68ED030000 push 000003ED
:0040161B 56 push esi
:0040161C FFD7 call edi
:0040161E 85C0 test eax, eax
:00401620 7521 jne 00401643 /checks whether the registration code length is 0; must jump
:00401622 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"Registeration"
|
:00401624 68E0C34000 push 0040C3E0
* Possible StringData Ref from Data Obj ->"Please enter your registeration "
->"code."
|
:00401629 68B8C34000 push 0040C3B8
:0040162E 56 push esi
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:0040162F FF15D0B04000 Call dword ptr [0040B0D0]
:00401635 5F pop edi
:00401636 5E pop esi
:00401637 33C0 xor eax, eax
:00401639 5B pop ebx
:0040163A 81C488010000 add esp, 00000188
:00401640 C21000 ret 0010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401620(C)
|
:00401643 8D4C2478 lea ecx, dword ptr [esp+78]
:00401647 51 push ecx /ECX holds the Registeration Code
:00401648 E843FAFFFF call 00401090 /this Call checks whether the Registeration Code contains illegal characters (legal set: 0123456789ABCDEF)
:0040164D 83C404 add esp, 00000004
:00401650 83F801 cmp eax, 00000001 /EAX is a flag; if illegal characters are found in the Registeration Code, EAX is 0
:00401653 7526 jne 0040167B /must not jump
:00401655 8D542450 lea edx, dword ptr [esp+50]
:00401659 8D442478 lea eax, dword ptr [esp+78]
:0040165D 52 push edx
:0040165E 50 push eax /EAX=Registeration Code
:0040165F E86CFAFFFF call 004010D0 *//key Call (2)
:00401664 83C408 add esp, 00000008
:00401667 8D4C242C lea ecx, dword ptr [esp+2C]
:0040166B 8D542450 lea edx, dword ptr [esp+50]
:0040166F 51 push ecx /ECX=Temp
:00401670 52 push edx /EDX holds the result of running the Registeration Code through key Call 2; call it Temp2
* Reference To: KERNEL32.lstrcmpA, Ord:0000h //lstrcmpA is called for the comparison, so if Temp=Temp2 the registration succeeds
|
:00401671 FF150CB04000 Call dword ptr [0040B00C]
:00401677 85C0 test eax, eax /EAX is the flag for whether registration succeeded
:00401679 7421 je 0040169C /jumping means registration succeeded
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401653(C)
|
:0040167B 6A10 push 00000010
* Possible StringData Ref from Data Obj ->"Invalid code"
|
:0040167D 68A8C34000 push 0040C3A8
* Possible StringData Ref from Data Obj ->"Sorry, the registeration code "
->"you entered is invalid."
|
:00401682 6870C34000 push 0040C370
:00401687 56 push esi
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:00401688 FF15D0B04000 Call dword ptr [0040B0D0]
:0040168E 5F pop edi
:0040168F 5E pop esi
:00401690 33C0 xor eax, eax
:00401692 5B pop ebx
:00401693 81C488010000 add esp, 00000188
:00401699 C21000 ret 0010
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401679(C)
|
:0040169C 6A40 push 00000040
* Possible StringData Ref from Data Obj ->"Thank you!"
|
:0040169E 6864C34000 push 0040C364
* Possible StringData Ref from Data Obj ->"Thank you for your support, the "
->"program has been registered!"
|
:004016A3 6824C34000 push 0040C324
:004016A8 56 push esi
* Reference To: USER32.MessageBoxA, Ord:0000h
|
:004016A9 FF15D0B04000 Call dword ptr [0040B0D0]
:004016AF 5F pop edi
:004016B0 5E pop esi
:004016B1 33C0 xor eax, eax
:004016B3 5B pop ebx
:004016B4 81C488010000 add esp, 00000188
:004016BA C21000 ret 0010
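As an added illustration (not from the original post or from BiSHoP's CrackMe), here is a Python model of the check flow traced above: the empty-field checks, the 0-9A-F charset check of call 00401090, MD5 over name+org as Temp, a textbook RSA public operation standing in for key Call (2) as Temp2, and the final string compare. The RSA key is a constructed toy key and the UTF-8 encoding of the fields is an assumption, since the page does not show the CrackMe's parameters.

```python
import hashlib

HEX_CHARSET = set("0123456789ABCDEF")

# Constructed toy RSA key (assumption): the page never shows the CrackMe's
# 130-bit modulus, so two Mersenne primes give a ~150-bit stand-in that is
# larger than any 128-bit MD5 value, which keeps the digest below n.
TOY_P = (1 << 61) - 1
TOY_Q = (1 << 89) - 1
TOY_N = TOY_P * TOY_Q
TOY_E = 65537
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))  # issuer's private exponent

def has_only_hex_chars(code: str) -> bool:
    """Models call 00401090: EAX=1 only if every character is in 0-9A-F."""
    return len(code) > 0 and all(ch in HEX_CHARSET for ch in code)

def name_org_digest(name: str, org: str) -> str:
    """Models call 00401170 (+ 00401000): MD5 over name+org as uppercase hex (Temp).
    UTF-8 encoding is an assumption; the CrackMe hashes the raw dialog bytes."""
    return hashlib.md5((name + org).encode("utf-8")).hexdigest().upper()

def rsa_public_transform(code: str) -> str:
    """Models key Call (2) as the assumed textbook RSA public op code^e mod n (Temp2)."""
    return format(pow(int(code, 16), TOY_E, TOY_N), "032X")

def validate(name: str, org: str, code: str) -> str:
    """Mirror the dialog flow: empty-field checks, charset check, then lstrcmpA(Temp, Temp2)."""
    if not name:
        return "Please enter a name."
    if not org:
        return "Please enter company or organization."
    if not code:
        return "Please enter your registeration code."
    if not has_only_hex_chars(code):
        return "Sorry, the registeration code you entered is invalid."
    if name_org_digest(name, org) != rsa_public_transform(code):
        return "Sorry, the registeration code you entered is invalid."
    return "Thank you for your support, the program has been registered!"

def issue_code(name: str, org: str) -> str:
    """Issuer side (needs TOY_D): sign the digest so rsa_public_transform recovers it."""
    digest = int(name_org_digest(name, org), 16)
    return format(pow(digest, TOY_D, TOY_N), "X")
```

The private exponent only exists on the issuer side; the binary ships only the public half, which is why the author reaches for a factoring tool (RSATool) rather than patching the compare.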
*************************************Key Call (1)***********************************************
* Referenced by a CALL at Address:
|:004015FD
|
:00401170 B8001A0000 mov eax, 00001A00
:00401175 E8565D0000 call 00406ED0
:0040117A 33C0 xor eax, eax
:0040117C 53 push ebx
:0040117D 89442405 mov dword ptr [esp+05], eax
:00401181 56 push esi
:00401182 8944240D mov dword ptr [esp+0D], eax
:00401186 57 push edi
:00401187 89442415 mov dword ptr [esp+15], eax
:0040118B 33DB xor ebx, ebx
:0040118D 89442419 mov dword ptr [esp+19], eax
:00401191 B908000000 mov ecx, 00000008
:00401196 668944241D mov word ptr [esp+1D], ax
:0040119B 8D7C2421 lea edi, dword ptr [esp+21]
:0040119F 8844241F mov byte ptr [esp+1F], al
:004011A3 885C2420 mov byte ptr [esp+20], bl
:004011A7 F3 repz
:004011A8 AB stosd
:004011A9 8D4C2444 lea ecx, dword ptr [esp+44]
:004011AD 885C240C mov byte ptr [esp+0C], bl
:004011B1 51 push ecx
:004011B2 66AB stosw
:004011B4 E847060000 call 00401800
:004011B9 8BB424141A0000 mov esi, dword ptr [esp+00001A14]
:004011C0 83C404 add esp, 00000004
:004011C3 56 push esi
* Reference To: KERNEL32.lstrlenA, Ord:0000h
|
:004011C4 FF1578B04000 Call dword ptr [0040B078]