
强大反调试cm的奇葩破解

系统 : Windows xp

程序 : Crackme-xp

程序下载地址 :http://pan.baidu.com/s/1slUwmVr

要求 : 编写注册机

使用工具 : OD & IDA

可在看雪论坛中查找关于此程序的破文:传送门

 

这是一个拥有强大反调试机制的 cm：搜索不到关键字符串，在获取窗口文本的 API 上下断点没用，对按钮的消息下断点也没用。

然而用 IDA 打开后，却在函数列表里发现了:

技术分享

 

技术分享

。。。。。。。。。。。。。。。。。。

这个名字，懂点英文的人都能看出来是注册按钮的处理函数吧？那前面那么多防护机制是为了什么？

技术分享

 

直接定位关键代码:

00401444  /.  55            push    ebp                              ;  btn_click00401445  |.  8BEC          mov     ebp, esp00401447  |.  81C4 70FFFFFF add     esp, -900040144D  |.  8995 78FFFFFF mov     dword ptr [ebp-88], edx00401453  |.  8985 7CFFFFFF mov     dword ptr [ebp-84], eax00401459  |.  B8 04654300   mov     eax, 004365040040145E  |.  E8 71CC0200   call    0042E0D400401463  |.  66:C745 90 08>mov     word ptr [ebp-70], 800401469  |.  8D45 FC       lea     eax, dword ptr [ebp-4]0040146C  |.  E8 87050000   call    004019F800401471  |.  FF45 9C       inc     dword ptr [ebp-64]00401474  |.  66:C745 90 14>mov     word ptr [ebp-70], 140040147A  |.  66:C745 90 20>mov     word ptr [ebp-70], 2000401480  |.  8D45 F8       lea     eax, dword ptr [ebp-8]00401483  |.  E8 70050000   call    004019F800401488  |.  FF45 9C       inc     dword ptr [ebp-64]0040148B  |.  66:C745 90 14>mov     word ptr [ebp-70], 1400401491  |.  66:C745 90 2C>mov     word ptr [ebp-70], 2C00401497  |.  8D45 F4       lea     eax, dword ptr [ebp-C]0040149A  |.  E8 59050000   call    004019F80040149F  |.  FF45 9C       inc     dword ptr [ebp-64]004014A2  |.  66:C745 90 14>mov     word ptr [ebp-70], 14004014A8  |.  66:C745 90 38>mov     word ptr [ebp-70], 38004014AE  |.  8D45 F0       lea     eax, dword ptr [ebp-10]004014B1  |.  E8 42050000   call    004019F8004014B6  |.  FF45 9C       inc     dword ptr [ebp-64]004014B9  |.  66:C745 90 14>mov     word ptr [ebp-70], 14004014BF  |.  66:C745 90 44>mov     word ptr [ebp-70], 44004014C5  |.  8D45 EC       lea     eax, dword ptr [ebp-14]004014C8  |.  E8 2B050000   call    004019F8004014CD  |.  FF45 9C       inc     dword ptr [ebp-64]004014D0  |.  66:C745 90 14>mov     word ptr [ebp-70], 14004014D6  |.  66:C745 90 50>mov     word ptr [ebp-70], 50004014DC  |.  8D45 E8       lea     eax, dword ptr [ebp-18]004014DF  |.  E8 14050000   call    004019F8004014E4  |.  FF45 9C       inc     dword ptr [ebp-64]004014E7  |.  
66:C745 90 14>mov     word ptr [ebp-70], 14004014ED  |.  66:C745 90 5C>mov     word ptr [ebp-70], 5C004014F3  |.  8D45 E4       lea     eax, dword ptr [ebp-1C]004014F6  |.  E8 FD040000   call    004019F8004014FB  |.  8BD0          mov     edx, eax004014FD  |.  FF45 9C       inc     dword ptr [ebp-64]00401500  |.  8B0D E0AE4300 mov     ecx, dword ptr [43AEE0]00401506  |.  8B81 F0010000 mov     eax, dword ptr [ecx+1F0]0040150C  |.  E8 8B940000   call    0040A99C00401511  |.  8D55 E4       lea     edx, dword ptr [ebp-1C]00401514  |.  8D45 EC       lea     eax, dword ptr [ebp-14]00401517  |.  E8 0BE20000   call    0040F7270040151C  |.  FF4D 9C       dec     dword ptr [ebp-64]0040151F  |.  8D45 E4       lea     eax, dword ptr [ebp-1C]00401522  |.  BA 02000000   mov     edx, 200401527  |.  E8 CCE10000   call    0040F6F80040152C  |.  66:C745 90 68>mov     word ptr [ebp-70], 6800401532  |.  8D45 E0       lea     eax, dword ptr [ebp-20]00401535  |.  E8 BE040000   call    004019F80040153A  |.  8BD0          mov     edx, eax0040153C  |.  FF45 9C       inc     dword ptr [ebp-64]0040153F  |.  8B0D E0AE4300 mov     ecx, dword ptr [43AEE0]00401545  |.  8B81 F4010000 mov     eax, dword ptr [ecx+1F4]0040154B  |.  E8 4C940000   call    0040A99C00401550  |.  8D55 E0       lea     edx, dword ptr [ebp-20]00401553  |.  8D45 E8       lea     eax, dword ptr [ebp-18]00401556  |.  E8 CCE10000   call    0040F7270040155B  |.  FF4D 9C       dec     dword ptr [ebp-64]0040155E  |.  8D45 E0       lea     eax, dword ptr [ebp-20]00401561  |.  BA 02000000   mov     edx, 200401566  |.  E8 8DE10000   call    0040F6F80040156B  |.  66:C745 90 74>mov     word ptr [ebp-70], 7400401571  |.  8D45 DC       lea     eax, dword ptr [ebp-24]00401574  |.  E8 7F040000   call    004019F800401579  |.  8BD0          mov     edx, eax0040157B  |.  FF45 9C       inc     dword ptr [ebp-64]0040157E  |.  8B0D E0AE4300 mov     ecx, dword ptr [43AEE0]00401584  |.  8B81 D0010000 mov     eax, dword ptr [ecx+1D0]0040158A  |.  
E8 0D940000   call    0040A99C0040158F  |.  8D55 DC       lea     edx, dword ptr [ebp-24]00401592  |.  8D45 FC       lea     eax, dword ptr [ebp-4]00401595  |.  E8 8DE10000   call    0040F7270040159A  |.  FF4D 9C       dec     dword ptr [ebp-64]0040159D  |.  8D45 DC       lea     eax, dword ptr [ebp-24]004015A0  |.  BA 02000000   mov     edx, 2004015A5  |.  E8 4EE10000   call    0040F6F8004015AA  |.  66:C745 90 80>mov     word ptr [ebp-70], 80004015B0  |.  8D45 D8       lea     eax, dword ptr [ebp-28]004015B3  |.  E8 40040000   call    004019F8004015B8  |.  8BD0          mov     edx, eax004015BA  |.  FF45 9C       inc     dword ptr [ebp-64]004015BD  |.  8B0D E0AE4300 mov     ecx, dword ptr [43AEE0]004015C3  |.  8B81 D4010000 mov     eax, dword ptr [ecx+1D4]004015C9  |.  E8 CE930000   call    0040A99C004015CE  |.  8D55 D8       lea     edx, dword ptr [ebp-28]004015D1  |.  8D45 F8       lea     eax, dword ptr [ebp-8]004015D4  |.  E8 4EE10000   call    0040F727004015D9  |.  FF4D 9C       dec     dword ptr [ebp-64]004015DC  |.  8D45 D8       lea     eax, dword ptr [ebp-28]004015DF  |.  BA 02000000   mov     edx, 2004015E4  |.  E8 0FE10000   call    0040F6F8004015E9  |.  66:C745 90 8C>mov     word ptr [ebp-70], 8C004015EF  |.  8D45 D4       lea     eax, dword ptr [ebp-2C]004015F2  |.  E8 01040000   call    004019F8004015F7  |.  50            push    eax004015F8  |.  FF45 9C       inc     dword ptr [ebp-64]004015FB  |.  8D45 F8       lea     eax, dword ptr [ebp-8]004015FE  |.  B9 03000000   mov     ecx, 300401603  |.  33D2          xor     edx, edx00401605  |.  E8 69EB0000   call    004101730040160A  |.  8D45 D4       lea     eax, dword ptr [ebp-2C]          ;  (initial cpu selection)0040160D  |.  8D55 EC       lea     edx, dword ptr [ebp-14]00401610  |.  E8 C3E10000   call    0040F7D8                         ;  判断call00401615  |.  50            push    eax                              ;  压入函数结果00401616  |.  FF4D 9C       dec     dword ptr [ebp-64]00401619  |.  
8D45 D4       lea     eax, dword ptr [ebp-2C]0040161C  |.  BA 02000000   mov     edx, 200401621  |.  E8 D2E00000   call    0040F6F800401626  |.  59            pop     ecx00401627  |.  84C9          test    cl, cl                           ;  测试的是栈顶元素,所以压入元素的函数就是判断函数00401629  |.  0F84 26030000 je      004019550040162F  |.  66:C745 90 98>mov     word ptr [ebp-70], 9800401635  |.  8D45 D0       lea     eax, dword ptr [ebp-30]00401638  |.  E8 BB030000   call    004019F80040163D  |.  50            push    eax0040163E  |.  FF45 9C       inc     dword ptr [ebp-64]00401641  |.  8D45 F8       lea     eax, dword ptr [ebp-8]00401644  |.  E8 09E30000   call    0040F95200401649  |.  8BD0          mov     edx, eax0040164B  |.  83C2 FC       add     edx, -40040164E  |.  8D45 F8       lea     eax, dword ptr [ebp-8]00401651  |.  B9 05000000   mov     ecx, 500401656  |.  E8 18EB0000   call    004101730040165B  |.  8D45 D0       lea     eax, dword ptr [ebp-30]0040165E  |.  8D55 E8       lea     edx, dword ptr [ebp-18]00401661  |.  E8 72E10000   call    0040F7D8                         ;  判断call00401666  |.  50            push    eax                              ;  压入函数结果00401667  |.  FF4D 9C       dec     dword ptr [ebp-64]0040166A  |.  8D45 D0       lea     eax, dword ptr [ebp-30]0040166D  |.  BA 02000000   mov     edx, 200401672  |.  E8 81E00000   call    0040F6F800401677  |.  59            pop     ecx00401678  |.  84C9          test    cl, cl0040167A  |.  0F84 D5020000 je      0040195500401680  |.  33C0          xor     eax, eax00401682  |.  8985 74FFFFFF mov     dword ptr [ebp-8C], eax00401688  |.  66:C745 90 14>mov     word ptr [ebp-70], 140040168E  |.  33D2          xor     edx, edx00401690  |.  8995 70FFFFFF mov     dword ptr [ebp-90], edx00401696  |.  EB 1E         jmp     short 004016B600401698  |>  8D45 FC       /lea     eax, dword ptr [ebp-4]0040169B  |.  E8 88030000   |call    00401A28004016A0  |.  8B95 70FFFFFF |mov     edx, dword ptr [ebp-90]004016A6  |.  
0FBE0C10      |movsx   ecx, byte ptr [eax+edx]         ;  迭代用户名字符串004016AA  |.  018D 74FFFFFF |add     dword ptr [ebp-8C], ecx         ;  累加004016B0  |.  FF85 70FFFFFF |inc     dword ptr [ebp-90]              ;  循环变量自增004016B6  |>  8D45 FC        lea     eax, dword ptr [ebp-4]004016B9  |.  E8 94E20000   |call    0040F952                        ;  获取长度004016BE  |.  3B85 70FFFFFF |cmp     eax, dword ptr [ebp-90]         ;  遍历完毕?004016C4  |.^ 7F D2         \jg      short 00401698004016C6  |.  8B95 74FFFFFF mov     edx, dword ptr [ebp-8C]          ;  获取累加结果004016CC  |.  0FAF95 74FFFF>imul    edx, dword ptr [ebp-8C]004016D3  |.  81C2 AC000000 add     edx, 0AC004016D9  |.  8995 74FFFFFF mov     dword ptr [ebp-8C], edx          ;  保存结果004016DF  |.  66:C745 90 A4>mov     word ptr [ebp-70], 0A4004016E5  |.  8D45 CC       lea     eax, dword ptr [ebp-34]004016E8  |.  8B95 74FFFFFF mov     edx, dword ptr [ebp-8C]004016EE  |.  E8 32DF0000   call    0040F625004016F3  |.  FF45 9C       inc     dword ptr [ebp-64]004016F6  |.  8D55 CC       lea     edx, dword ptr [ebp-34]004016F9  |.  8D45 F4       lea     eax, dword ptr [ebp-C]004016FC  |.  E8 26E00000   call    0040F72700401701  |.  FF4D 9C       dec     dword ptr [ebp-64]00401704  |.  8D45 CC       lea     eax, dword ptr [ebp-34]00401707  |.  BA 02000000   mov     edx, 20040170C  |.  E8 E7DF0000   call    0040F6F800401711  |.  66:C745 90 B0>mov     word ptr [ebp-70], 0B000401717  |.  8D45 C8       lea     eax, dword ptr [ebp-38]0040171A  |.  E8 D9020000   call    004019F80040171F  |.  8BC8          mov     ecx, eax00401721  |.  FF45 9C       inc     dword ptr [ebp-64]00401724  |.  8D55 F4       lea     edx, dword ptr [ebp-C]00401727  |.  8D45 EC       lea     eax, dword ptr [ebp-14]0040172A  |.  E8 20E00000   call    0040F74F0040172F  |.  8D55 C8       lea     edx, dword ptr [ebp-38]00401732  |.  52            push    edx00401733  |.  8D45 C4       lea     eax, dword ptr [ebp-3C]00401736  |.  
E8 BD020000   call    004019F80040173B  |.  8BC8          mov     ecx, eax0040173D  |.  FF45 9C       inc     dword ptr [ebp-64]00401740  |.  8D55 E8       lea     edx, dword ptr [ebp-18]00401743  |.  58            pop     eax00401744  |.  E8 06E00000   call    0040F74F00401749  |.  8D55 C4       lea     edx, dword ptr [ebp-3C]0040174C  |.  8D45 F0       lea     eax, dword ptr [ebp-10]0040174F  |.  E8 D3DF0000   call    0040F72700401754  |.  FF4D 9C       dec     dword ptr [ebp-64]00401757  |.  8D45 C4       lea     eax, dword ptr [ebp-3C]0040175A  |.  BA 02000000   mov     edx, 20040175F  |.  E8 94DF0000   call    0040F6F800401764  |.  FF4D 9C       dec     dword ptr [ebp-64]00401767  |.  8D45 C8       lea     eax, dword ptr [ebp-38]0040176A  |.  BA 02000000   mov     edx, 20040176F  |.  E8 84DF0000   call    0040F6F800401774  |.  8D55 F0       lea     edx, dword ptr [ebp-10]00401777  |.  8D45 F8       lea     eax, dword ptr [ebp-8]0040177A  |.  E8 59E00000   call    0040F7D8                         ;  判断call0040177F  |.  84C0          test    al, al00401781  |.  0F84 CE010000 je      0040195500401787  |.  66:C745 90 BC>mov     word ptr [ebp-70], 0BC0040178D  |.  8D45 C0       lea     eax, dword ptr [ebp-40]00401790  |.  E8 63020000   call    004019F800401795  |.  FF45 9C       inc     dword ptr [ebp-64]00401798  |.  66:C745 90 C8>mov     word ptr [ebp-70], 0C80040179E  |.  66:C745 90 D4>mov     word ptr [ebp-70], 0D4004017A4  |.  8D45 BC       lea     eax, dword ptr [ebp-44]004017A7  |.  E8 4C020000   call    004019F8004017AC  |.  FF45 9C       inc     dword ptr [ebp-64]004017AF  |.  66:C745 90 C8>mov     word ptr [ebp-70], 0C8004017B5  |.  66:C745 90 E0>mov     word ptr [ebp-70], 0E0004017BB  |.  8D45 B8       lea     eax, dword ptr [ebp-48]004017BE  |.  E8 35020000   call    004019F8004017C3  |.  FF45 9C       inc     dword ptr [ebp-64]004017C6  |.  66:C745 90 C8>mov     word ptr [ebp-70], 0C8004017CC  |.  
66:C745 90 EC>mov     word ptr [ebp-70], 0EC004017D2  |.  8D45 B4       lea     eax, dword ptr [ebp-4C]004017D5  |.  E8 1E020000   call    004019F8004017DA  |.  FF45 9C       inc     dword ptr [ebp-64]004017DD  |.  66:C745 90 C8>mov     word ptr [ebp-70], 0C8004017E3  |.  66:C745 90 F8>mov     word ptr [ebp-70], 0F8004017E9  |.  8D45 B0       lea     eax, dword ptr [ebp-50]004017EC  |.  E8 07020000   call    004019F8004017F1  |.  8BD0          mov     edx, eax004017F3  |.  FF45 9C       inc     dword ptr [ebp-64]004017F6  |.  8B0D E0AE4300 mov     ecx, dword ptr [43AEE0]004017FC  |.  8B81 E0010000 mov     eax, dword ptr [ecx+1E0]00401802  |.  E8 95910000   call    0040A99C00401807  |.  8D55 B0       lea     edx, dword ptr [ebp-50]0040180A  |.  8D45 C0       lea     eax, dword ptr [ebp-40]0040180D  |.  E8 15DF0000   call    0040F72700401812  |.  FF4D 9C       dec     dword ptr [ebp-64]00401815  |.  8D45 B0       lea     eax, dword ptr [ebp-50]00401818  |.  BA 02000000   mov     edx, 20040181D  |.  E8 D6DE0000   call    0040F6F800401822  |.  66:C745 90 04>mov     word ptr [ebp-70], 10400401828  |.  8D45 AC       lea     eax, dword ptr [ebp-54]0040182B  |.  E8 C8010000   call    004019F800401830  |.  8BD0          mov     edx, eax00401832  |.  FF45 9C       inc     dword ptr [ebp-64]00401835  |.  8B0D E0AE4300 mov     ecx, dword ptr [43AEE0]0040183B  |.  8B81 E4010000 mov     eax, dword ptr [ecx+1E4]00401841  |.  E8 56910000   call    0040A99C00401846  |.  8D55 AC       lea     edx, dword ptr [ebp-54]00401849  |.  8D45 BC       lea     eax, dword ptr [ebp-44]0040184C  |.  E8 D6DE0000   call    0040F72700401851  |.  FF4D 9C       dec     dword ptr [ebp-64]00401854  |.  8D45 AC       lea     eax, dword ptr [ebp-54]00401857  |.  BA 02000000   mov     edx, 20040185C  |.  E8 97DE0000   call    0040F6F800401861  |.  66:C745 90 10>mov     word ptr [ebp-70], 11000401867  |.  8D45 A8       lea     eax, dword ptr [ebp-58]0040186A  |.  E8 89010000   call    004019F80040186F  |.  
8BD0          mov     edx, eax00401871  |.  FF45 9C       inc     dword ptr [ebp-64]00401874  |.  8B0D E0AE4300 mov     ecx, dword ptr [43AEE0]0040187A  |.  8B81 E8010000 mov     eax, dword ptr [ecx+1E8]00401880  |.  E8 17910000   call    0040A99C00401885  |.  8D55 A8       lea     edx, dword ptr [ebp-58]00401888  |.  8D45 B8       lea     eax, dword ptr [ebp-48]0040188B  |.  E8 97DE0000   call    0040F72700401890  |.  FF4D 9C       dec     dword ptr [ebp-64]00401893  |.  8D45 A8       lea     eax, dword ptr [ebp-58]00401896  |.  BA 02000000   mov     edx, 20040189B  |.  E8 58DE0000   call    0040F6F8004018A0  |.  66:C745 90 1C>mov     word ptr [ebp-70], 11C004018A6  |.  8D45 A4       lea     eax, dword ptr [ebp-5C]004018A9  |.  E8 4A010000   call    004019F8004018AE  |.  8BD0          mov     edx, eax004018B0  |.  FF45 9C       inc     dword ptr [ebp-64]004018B3  |.  8B0D E0AE4300 mov     ecx, dword ptr [43AEE0]004018B9  |.  8B81 EC010000 mov     eax, dword ptr [ecx+1EC]004018BF  |.  E8 D8900000   call    0040A99C004018C4  |.  8D55 A4       lea     edx, dword ptr [ebp-5C]004018C7  |.  8D45 B4       lea     eax, dword ptr [ebp-4C]004018CA  |.  E8 58DE0000   call    0040F727004018CF  |.  FF4D 9C       dec     dword ptr [ebp-64]004018D2  |.  8D45 A4       lea     eax, dword ptr [ebp-5C]004018D5  |.  BA 02000000   mov     edx, 2004018DA  |.  E8 19DE0000   call    0040F6F8004018DF  |.  6A 00         push    0004018E1  |.  8D45 BC       lea     eax, dword ptr [ebp-44]004018E4  |.  E8 3F010000   call    00401A28004018E9  |.  50            push    eax004018EA  |.  8D45 C0       lea     eax, dword ptr [ebp-40]004018ED  |.  E8 36010000   call    00401A28004018F2  |.  50            push    eax                              ; |Text004018F3  |.  6A 00         push    0                                ; |hOwner = NULL004018F5  |.  E8 A63A0300   call    <jmp.&USER32.MessageBoxA>        ; \MessageBoxA004018FA  |.  6A 40         push    40004018FC  |.  
8D45 B4       lea     eax, dword ptr [ebp-4C]004018FF  |.  E8 24010000   call    00401A2800401904  |.  50            push    eax00401905  |.  8D45 B8       lea     eax, dword ptr [ebp-48]00401908  |.  E8 1B010000   call    00401A280040190D  |.  50            push    eax                              ; |Text0040190E  |.  6A 00         push    0                                ; |hOwner = NULL00401910  |.  E8 8B3A0300   call    <jmp.&USER32.MessageBoxA>        ; \MessageBoxA

其中“判断 call”(0040F7D8) 的代码:

0040F7D8  /$  55            push    ebp                              ;  string-equality helper used by btn_click; at its call sites eax and edx each hold the address of a string variable
0040F7D9  |.  8BEC          mov     ebp, esp
0040F7DB  |.  53            push    ebx
0040F7DC  |.  8B00          mov     eax, dword ptr [eax]             ;  load the two pointers stored at [eax] and [edx]
0040F7DE  |.  8B12          mov     edx, dword ptr [edx]
0040F7E0  |.  E8 B7640100   call    00425C9C                         ;  original annotation: are the two strings the same? -- presumably a compare that leaves ZF set on equality; TODO confirm by stepping into it
0040F7E5  |.  0F94C0        sete    al                               ;  al = 1 if ZF was set by the compare, else 0
0040F7E8  |.  83E0 01       and     eax, 1                           ;  clear the upper bits so eax is exactly 0 or 1 (callers test cl/al after a push/pop of eax)
0040F7EB  |.  5B            pop     ebx
0040F7EC  |.  5D            pop     ebp
0040F7ED  \.  C3            retn

由上面的反汇编可以看出，这就是一个很简单的加密算法：把用户名的每个字节(movsx 符号扩展后)累加，结果平方再加 0xAC，转成十进制字符串后与前后两个常量串拼接，最后用 0040F7D8 与另一个输入框里的注册码比较。直接打开 http://www.cnblogs.com/ZRBYYXDM/p/5115596.html 中搭建的注册机框架，把 OnBtnDecrypt 函数修改如下:

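void CKengen_TemplateDlg::OnBtnDecrypt() {
    // Keygen for the target's register-button handler. The serial it
    // accepts is   "CA-" + decimal( (sum of name bytes)^2 + 0xAC ) + "-3914"
    // where the sum runs over the sign-extended bytes of the user name
    // (the target's loop uses movsx) and every step is 32-bit (imul, add 0xAC),
    // so our wrap-around behaviour has to match the target's.
    //
    // NOTE(review): assumes an MBCS build (TCHAR == char). In a Unicode
    // build str[i] would be a UTF-16 unit and non-ASCII names would diverge
    // from the target's byte loop.
    CString str;
    GetDlgItemText( IDC_EDIT_NAME,str );                    // user name from the dialog
    int len = str.GetLength();
    if ( len != 0 ){                                        // empty name: nothing to derive a serial from
        // unsigned accumulator: str[i] is promoted to int first (sign-extended,
        // like the target's movsx) and then wraps mod 2^32 on the add, matching
        // the target's 32-bit add; unsigned also keeps the square well-defined.
        unsigned sum = 0;
        for ( int i = 0 ; i < len ; i++ )
            sum += str[i];
        // %d expects an int, so convert explicitly instead of passing the
        // unsigned value (argument/format mismatch in the original). Printing
        // the 32-bit result as a signed decimal follows the reference keygen;
        // the target's own int-to-string routine (0040F625) is assumed to
        // agree — TODO confirm with a name whose sum^2 overflows 31 bits.
        int code = static_cast<int>( sum * sum + 0xAC );
        CString PassWord;
        PassWord.Format( "CA-%d-3914",code );
        SetDlgItemText( IDC_EDIT_PASSWORD,PassWord );
    }
    else
        MessageBox( "用户名格式错误!" );
}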

再在 OnInitDialog 中加入下面这句以修改窗口标题: SetWindowText(_T("Keygen"));

运行效果:

技术分享

 
