【分析 0x04】初会加密（真）

时间：2016-04-27 22:47:40 阅读：283 评论：0 收藏：0 [点我收藏+]

标签：

 1 004016D5          .  83C4 1C           add esp,0x1C
 2 004016D8          .  52                push edx                                       ; |FileName => "KwazyWeb.bit"
 3 004016D9          .  E8 1C010000       call <jmp.&KERNEL32.CreateFileA>               ; \CreateFileA
 4 004016DE          .  83F8 FF           cmp eax,-0x1
 5 004016E1          .  74 64             je short PacMe.00401747
 6 004016E3          .  A3 44344000       mov dword ptr ds:[0x403444],eax
 7 004016E8          .  6A 00             push 0x0                                       ; /pOverlapped = NULL
 8 004016EA          .  68 48344000       push PacMe.00403448                            ; |pBytesRead = PacMe.00403448
 9 004016EF          .  6A 01             push 0x1                                       ; |BytesToRead = 0x1
10 004016F1          .  68 FA344000       push PacMe.004034FA                            ; |Buffer = PacMe.004034FA
11 004016F6          .  FF35 44344000     push dword ptr ds:[0x403444]                   ; |hFile = 00000264 (window)
12 004016FC          .  E8 11010000       call <jmp.&KERNEL32.ReadFile>                  ; \ReadFile 设读取出的为number
13 00401701          .  0FB605 FA344000   movzx eax,byte ptr ds:[0x4034FA]                  ; 文件中第一个字符指明个数eax=number
14 00401708          .  85C0              test eax,eax
15 0040170A          .  74 3B             je short PacMe.00401747                        ;  如果文件内容空 退出
16 0040170C          .  6A 00             push 0x0                                       ; /pOverlapped = NULL
17 0040170E          .  68 48344000       push PacMe.00403448                            ; |pBytesRead = PacMe.00403448
18 00401713          .  50                push eax                                       ; |BytesToRead
19 00401714          .  68 88324000       push PacMe.00403288                            ; |Buffer = PacMe.00403288
20 00401719          .  FF35 44344000     push dword ptr ds:[0x403444]                   ; |hFile = 00000264 (window)
21 0040171F          .  E8 EE000000       call <jmp.&KERNEL32.ReadFile>                  ; \ReadFile
22 00401724          .  E8 D7F8FFFF       call PacMe.00401000                            ;  根据上面的eax=number读取number个字符
23 {
24     00401000         /$  33C0              xor eax,eax
25     00401002         |.  33D2              xor edx,edx
26     00401004         |.  33C9              xor ecx,ecx
27     00401006         |.  8A0D FA344000     mov cl,byte ptr ds:[0x4034FA]
28     0040100C         |.  BE 88324000       mov esi,PacMe.00403288                         ;  ASCII 
29     00401011         |>  AC                /lods byte ptr ds:[esi]                        ;  从esi指向的空间取出一个字符
30     00401012         |.  03D0              |add edx,eax                                   ;  相加
31     00401014         |.^ E2 FB             \loopd short PacMe.00401011
32     00401016         |.  8815 FB344000     mov byte ptr ds:[0x4034FB],dl                   ;将number个字符相加最后得到的低8位(设为k1)放到4034FB中
33     0040101C         \.  C3                retn
34 }
35 00401729          .  6A 00             push 0x0                                       ; /pOverlapped = NULL
36 0040172B          .  68 48344000       push PacMe.00403448                            ; |pBytesRead = PacMe.00403448
37 00401730          .  6A 12             push 0x12                                      ; |BytesToRead = 12 (18.)
38 00401732          .  68 E8344000       push PacMe.004034E8                            ; |Buffer = PacMe.004034E8
39 00401737          .  FF35 44344000     push dword ptr ds:[0x403444]                   ; |hFile = 00000264 (window)
40 0040173D          .  E8 D0000000       call <jmp.&KERNEL32.ReadFile>                  ; \ReadFile 此处读取的是在number之后的字符串

  1 ;这里可以猜测key的组成为 : n(指代后面有n位username) n位字符 18个要跟n位进行异或的字符
  2 00401742          .  E8 82F9FFFF       call PacMe.004010C9                            ;  验证核心
  3 {
  4     004010C9         /$  55                push ebp
  5     004010CA         |.  8BEC              mov ebp,esp
  6     004010CC         |.  83C4 FC           add esp,-0x4
  7     004010CF         |.  68 65334000       push PacMe.00403365                            
  8     ; /String2 =   
  9     ;  ****************
 10     ;  C*......*...****
 11     ;  .*.****...*....*
 12     ;  .*..**********.*
 13     ;  ..*....*...*...*
 14     ;  *.****.*.*...***
 15     ;  *.*....*.*******
 16     ;  ..*.***..*.....*
 17     ;  .*..***.**.***.*
 18     ;  ...****....*X..*
 19     ;  **************** 
 20     004010D4         |.  68 BC314000       push PacMe.004031BC                            ; |String1 = PacMe.004031BC
 21     004010D9         |.  E8 3A070000       call <jmp.&KERNEL32.lstrcpyA>                  ; \lstrcpyA
 22     004010DE         |.  C705 84314000 CC3>mov dword ptr ds:[0x403184],PacMe.004031CC     ;  ASCII
 23     ;  C*......*...****
 24     ;  .*.****...*....*
 25     ;  .*..**********.*
 26     ;  ..*....*...*...*
 27     ;  *.****.*.*...***
 28     ;  *.*....*.*******
 29     ;  ..*.***..*.....*
 30     ;  .*..***.**.***.*
 31     ;  ...****....*X..*
 32     004010E8         |.  E8 30FFFFFF       call PacMe.0040101D                            ;  对上面的字符串和文件内容字符的和作异或
 33     {
 34         0040101D         /$  8A15 FB344000     mov dl,byte ptr ds:[0x4034FB]                  ;  第二次求和的值放到dl中
 35         00401023         |.  B9 12000000       mov ecx,0x12
 36         00401028         |.  B8 E8344000       mov eax,PacMe.004034E8                         ;  eax指向第三次读取的数据
 37         0040102D         |>  3010              /xor byte ptr ds:[eax],dl                      ; ds:[eax] xor k1
 38         0040102F         |.  40                |inc eax
 39         00401030         |.^ E2 FB             \loopd short PacMe.0040102D
 40         00401032         \.  C3                retn
 41     }
 42     004010ED         |.  C645 FE 00        mov byte ptr ss:[ebp-0x2],0x0                  ;  y=0
 43     004010F1         |.  33C0              xor eax,eax
 44     004010F3         |.  33C9              xor ecx,ecx                                    ;  清零
 45     004010F5         |>  C645 FF 08        /mov byte ptr ss:[ebp-0x1],0x8                 ;  x=8
 46     004010F9         |>  806D FF 02        |/sub byte ptr ss:[ebp-0x1],0x2                ;  x=x-2=6
 47     004010FD         |.  0FB64D FE         ||movzx ecx,byte ptr ss:[ebp-0x2]              ;  ecx=y=0
 48     ; 每次这里拿异或后的字符其中两位(从高到低)作为移动方向
 49     00401101         |.  81C1 E8344000     ||add ecx,PacMe.004034E8                       ;  ecx+第三次处理后字符串首地址 s
 50     00401107         |.  8A01              ||mov al,byte ptr ds:[ecx]                     ;  al = s[ecx]
 51     00401109         |.  8A4D FF           ||mov cl,byte ptr ss:[ebp-0x1]
 52     0040110C         |.  D2E8              ||shr al,cl                                    ;  al >> x
 53     0040110E         |.  24 03             ||and al,0x3                                   ;  al & 3 这个时候al取值有四种 代表四种方向
 54     00401110         |.  E8 1EFFFFFF       ||call PacMe.00401033                          ;  根据al的值进行移动
 55     {
 56         ; 0: 向上移
 57         ; 1: 向右移
 58         ; 2: 向下移
 59         ; 3: 向左移
 60         00401033          $  55                push ebp
 61         00401034          .  8BEC              mov ebp,esp
 62         00401036          .  83C4 F8           add esp,-0x8
 63         00401039          .  8B15 84314000     mov edx,dword ptr ds:[0x403184]                ;  PacMe.004031CC
 64         0040103F          .  8955 FC           mov dword ptr ss:[ebp-0x4],edx
 65         00401042          .  0AC0              or al,al                                       ;  Switch (cases 0..2)
 66         00401044          .  75 09             jnz short PacMe.0040104F
 67         00401046          .  832D 84314000 10  sub dword ptr ds:[0x403184],0x10               ;  c - 10h; Case 0 of switch 00401042
 68         0040104D          .  EB 1F             jmp short PacMe.0040106E
 69         0040104F          >  3C 01             cmp al,0x1
 70         00401051          .  75 08             jnz short PacMe.0040105B
 71         00401053          .  FF05 84314000     inc dword ptr ds:[0x403184]                    ;  c + 1; Case 1 of switch 00401042
 72         00401059          .  EB 13             jmp short PacMe.0040106E
 73         0040105B          >  3C 02             cmp al,0x2
 74         0040105D          .  75 09             jnz short PacMe.00401068
 75         0040105F          .  8305 84314000 10  add dword ptr ds:[0x403184],0x10               ;  c + 10h; Case 2 of switch 00401042
 76         00401066          .  EB 06             jmp short PacMe.0040106E
 77         00401068          >  FF0D 84314000     dec dword ptr ds:[0x403184]                    ;  c - 1; Default case of switch 00401042
 78         0040106E          >  8B15 84314000     mov edx,dword ptr ds:[0x403184]                ;  edx指向移动后的位置
 79         00401074          .  8A02              mov al,byte ptr ds:[edx]
 80         00401076          .  3C 2A             cmp al,0x2A                                    ;  检查al是否为*
 81         00401078          .  75 06             jnz short PacMe.00401080                       ;  是* 则不移动 返回0
 82         0040107A          .  33C0              xor eax,eax
 83         0040107C          .  C9                leave
 84         0040107D          .  C3                retn
 85         0040107E          .  EB 33             jmp short PacMe.004010B3
 86         00401080          >  3C 58             cmp al,0x58                                    ;  看al是不是X
 87         00401082             75 2F             jnz short PacMe.004010B3                       ;  是X就注册成功 否则跳转
 88         00401084          .  6A 00             push 0x0                                       ; /Style = MB_OK|MB_APPLMODAL
 89         00401086          .  8D15 59334000     lea edx,dword ptr ds:[0x403359]                ; |
 90         0040108C          .  52                push edx                                       ; |Title => "Success.."
 91         0040108D          .  8D15 EC324000     lea edx,dword ptr ds:[0x4032EC]                ; |
 92         00401093          .  52                push edx                                       ; |Text => "Congratulations!
 93         00401094          .  6A 00             push 0x0                                       ; |hOwner = NULL
 94         00401096          .  8D15 AC174000     lea edx,dword ptr ds:[0x4017AC]                ; |
 95         0040109C          .  FFD2              call edx                                       ; \MessageBoxA
 96         0040109E          .  8D15 7B324000     lea edx,dword ptr ds:[0x40327B]
 97         004010A4          .  52                push edx                                       ; /Text => "Cracked by : uuuuuuu"
 98         004010A5          .  FF35 20344000     push dword ptr ds:[0x403420]                   ; |hWnd = 001E01D0 (‘UNREGISTERED!‘,class=‘Edit‘,parent=001B0394)
 99         004010AB          .  8D15 DC174000     lea edx,dword ptr ds:[0x4017DC]                ; |
100         004010B1          .  FFD2              call edx                                       ; \SetWindowTextA
101         004010B3          >  8B15 84314000     mov edx,dword ptr ds:[0x403184]                ;  当前位置记录为C
102         004010B9          .  C602 43           mov byte ptr ds:[edx],0x43
103         004010BC          .  8B55 FC           mov edx,dword ptr ss:[ebp-0x4]
104         004010BF          .  C602 20           mov byte ptr ds:[edx],0x20                     ;  刚刚走的位置记录为空格
105         004010C2          .  B8 01000000       mov eax,0x1                                    ;  返回1代表没有结束
106         004010C7          .  C9                leave
107         004010C8          .  C3                retn
108     }
109     00401115         |.  85C0              ||test eax,eax                                 ;  eax如果返回0 则注册成功
110     00401117         |.  74 11             ||je short PacMe.0040112A
111     00401119         |.  0FB655 FF         ||movzx edx,byte ptr ss:[ebp-0x1]              ;  不为0 则 edx=x
112     0040111D         |.  85D2              ||test edx,edx                                 ;  如果四个方向遍历了，就结束内层循环
113     0040111F         |.^ 75 D8             |\jnz short PacMe.004010F9                     ;  否则再小循环，往其他方向走
114     00401121         |.  FE45 FE           |inc byte ptr ss:[ebp-0x2]                     ;  y+1
115     00401124         |.  807D FE 12        |cmp byte ptr ss:[ebp-0x2],0x12                ;  if y>18 结束外层循环
116     00401128         |.^ 75 CB             \jnz short PacMe.004010F5                      ;  外层循环18次
117     ;总共循环 18*4 次 在这个范围内必须走到X
118     0040112A         |>  C9                leave
119     0040112B         \.  C3                retn
120 }
121 
122 00401754          >  FF75 14           push dword ptr ss:[ebp+0x14]                   ; /lParam; Default case of switch 004012D8
123 00401757          .  FF75 10           push dword ptr ss:[ebp+0x10]                   ; |wParam
124 0040175A          .  FF75 0C           push dword ptr ss:[ebp+0xC]                    ; |Message
125 0040175D          .  FF75 08           push dword ptr ss:[ebp+0x8]                    ; |hWnd
126 00401760          .  E8 17000000       call <jmp.&USER32.DefWindowProcA>              ; \DefWindowProcA
127 00401765          .  C9                leave
128 00401766          .  C2 1000           retn 0x10
129 00401769          >  33C0              xor eax,eax
130 0040176B          .  C9                leave
131 0040176C          .  C2 1000           retn 0x10

这个程序主要就是进行一个深搜 - - 保证在 18*4内搜索到X就好

 1 #include <iostream>
 2 #include <fstream>
 3 #include <iomanip>
 4 using namespace std;
 5 #define ROW 9
 6 #define COL 16
 7 #define TIMES 18*4
 8 
 9 unsigned char key[TIMES] = { 0 };
10 int des[4][2]=
11 {
12     {-1,0},//上
13     {0,1},//右
14     {1,0},//下
15     {0,-1}//左
16 };
17 bool keygen(char g[ROW][COL],int x,int y,int keyn)
18 {
19     if (g[x][y] == ‘X‘)
20         return true;
21     if (keyn > TIMES)
22         return false;
23     g[x][y] = ‘ ‘;
24     for (int i = 0;i < 4;i++)
25     {
26         int nx = des[i][0] + x;
27         int ny = des[i][1] + y;
28         if (nx >= 0 && ny >= 0 && (nx < ROW) && (ny < COL)&&g[nx][ny]!=‘*‘&&g[nx][ny] != ‘ ‘)
29         {
30             key[keyn] = i;
31             if (keyn == 70)
32                 cout << ‘ ‘;
33             if (keygen(g, nx, ny, keyn + 1))
34                 return true;
35             g[nx][ny] = ‘.‘;
36             key[keyn] = -1;
37         }
38     }
39 }
40 
41 int main()
42 {
43     unsigned char name[8] = { 0 };
44     char g[ROW][COL] = { 0 };
45     unsigned char kk[TIMES / 4] = { 0 };
46     for (int i = 0;i < TIMES;i++)
47         key[i] = -1;
48     for (int i = 0;i < ROW;i++)
49         for (int j = 0; j < COL; j++)
50             cin >> g[i][j];
51     ofstream outfile;
52     outfile.open("KwazyWeb.bit");
53     if (keygen(g, 0, 0, 0))
54     {
55         for (int i = 0;i < TIMES;i += 4)
56         {
57             char kx = key[i];
58             kx = (kx << 2) | key[i + 1];
59             kx = (kx << 2) | key[i + 2];
60             kx = (kx << 2) | key[i + 3];
61             cout << hex<< kx << ‘ ‘;
62             kk[i / 4] = kx;
63         }
64         cout << endl;
65     }
66     unsigned int number;
67     cout << "请输入用户名字符个数";
68     cin >> number;
69     outfile << hex << unsigned char(number);
70     cout << "请输入用户名";
71     cin >> name;
72     unsigned int c = 0;
73     for (int i = 0;i < number;i++)
74     {
75         c += name[i];
76         outfile << hex << name[i];
77     }
78     cout << unsigned char(c);
79     for (int i = 0;i < TIMES / 4;i++)
80     {
81         kk[i] ^= unsigned char(c);
82         cout << hex << kk[i]<<‘ ‘;
83         outfile << hex << kk[i];
84     }
85     outfile.close();
86     system("pause");
87     return 0;
88 }