Posted: 23:18 25-10-2008
Guide to writing a KEYGEN for: crackme#1.exe


Tools()
---------
1. Hview ©SEN --> HVI
2. W32DASM V8.93 --> W32
3. crackme#1.exe --> C#1

HeLp()
--------
1)deprotect:

First, try loading C#1 in W32 to see what it looks like. As usual, open the Refs/.. menu: all three items (Menu.., Dialog.., String..) are empty. (No problem.) Leave the menu and keep pressing F10:

We arrive at the following code:

:00401000 PUSH 0 ;
* Reference To:KERNEL32.GetModuleHandleA, Ord:0000h
|
:00401002 CALL 4068A3
:00401007 MOV DWORD PTR [4070FB],EAX
:0040100C XOR EAX,EAX
:0040100E MOV AX,67
:00401012 PUSH 0
:00401014 PUSH 0040102C ;
:00401019 PUSH 0
:0040101B PUSH EAX
:0040101C PUSH DWORD PTR [4070FB]

* Reference To: USER32.DialogBoxParamA, Ord:0000h
|
:00401022 CALL 40686d

* Reference To: KERNEL32.ExitProcess, Ord:0000h
|
:00401027 CALL 4068a9


The code above is the skeleton of the program; the trimmings come after it. Keep scrolling down and stop when you reach the following code:

:004011D6 enter 0000,00
.
.
:004011DF cmp byte ptr [4070FA],0 ---|
:004011E6 jmp 004011E9 <---- suspicious

Reading this code, something looks wrong: a jmp straight after a cmp is very odd. A cmp is normally followed by jnz, jz, jne, je, jnb, ... or some other jxx. So we look for a jxx with xx<>mp (jxx <> jmp) further down in the code; the best place to do that is HVI.

In HVI, jump to .004011E6. Scroll down a little and you will see at:
.00401232: jne .00401C80 <--
a jne<>jmp at last. So what on earth does the code between the cmp and the jne do?
Keep scrolling down and you will see many stretches of code similar
to the one above (the code between cmp and jne).
and...
By my count, C#1 has only 3 code patterns, repeated in a fairly simple way:

mau1[19]=(235,1,131,156,235,1,213,235,8,53,157,235,1,137,235,3,11,235,247);
mau2[24]=(96,232,3,0,0,0,131,235,14,235,1,12,88,235,1,53,64,235,1,54,255,224,11,97);
mau3[24]=(235,1,227,96,232,3,0,0,0,210,235,11,88,235,1,72,64,235,1,53,255,224,231,97);

The C#1 program is laid out like this:

instruction 1: read the name
mau1[19]
instruction 2: check the name
mau2[24]
instruction 3: read the serial
mau1[19]
mau3[24]
.
.

In other words, whether mau1[19], mau2[24] and mau3[24] are present or not makes no difference. The technique is called "muta code" and was used in some viruses (from the years <=95). So, to make the code readable, we clear out the three patterns: find them and fill them with nop (nop=90h=do nothing). I wrote a program to do this (deprotect.pas).

{deprotect.pas}
type
  m24 = array[1..24] of Byte;
const
  { the three junk patterns: mau1, mau2, mau3 }
  p19: array[1..19] of Byte = (235,1,131,156,235,1,213,235,8,53,157,235,1,137,235,3,11,235,247);
  p24: m24 = (96,232,3,0,0,0,131,235,14,235,1,12,88,235,1,53,64,235,1,54,255,224,11,97);
  c24: m24 = (235,1,227,96,232,3,0,0,0,210,235,11,88,235,1,72,64,235,1,53,255,224,231,97);
var
  f: file;
  buf: m24;
  k, j, len: integer;
  se: longint;
  is19, is24p, is24c: boolean;
  nop: byte;
begin
  write('Please wait.');
  assign(f, 'CrackMe1.EXE');
  reset(f, 1);
  se := $7e6;                        { file offset where the scan starts }
  nop := $90;
  repeat
    seek(f, se);
    fillchar(buf[1], 24, 0);
    blockread(f, buf[1], 24, j);     { j = number of bytes actually read }

    { compare the 24-byte window with each pattern }
    is19 := true;
    for k := 1 to 19 do if buf[k] <> p19[k] then is19 := false;
    is24p := true;
    for k := 1 to 24 do if buf[k] <> p24[k] then is24p := false;
    is24c := true;
    for k := 1 to 24 do if buf[k] <> c24[k] then is24c := false;

    { length of the pattern found at this offset, 0 if none }
    len := 0;
    if is19 then len := 19
    else if is24p then len := 24
    else if is24c then begin write('.'); len := 24; end;

    if len > 0 then
    begin
      seek(f, se);
      for k := 1 to len do blockwrite(f, nop, 1);   {fill nop}
      inc(se, len);
    end
    else
      inc(se);
  until j < 24;                      {that's all: short read = end of file}
  close(f);
  writeln('OK.');
end.
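
Why the three patterns can be overwritten with NOPs without changing behaviour, shown as an added example that is not part of the original post: a small Python tracer that follows the executed path through mau1, mau2 and mau3. It models only the x86 opcodes these patterns use (jmp short, call rel32, pop eax, inc eax, jmp eax, pushad/popad, pushfd/popfd); the function and variable names are assumptions of this example.

```python
MAU1 = bytes([235,1,131,156,235,1,213,235,8,53,157,235,1,137,235,3,11,235,247])
MAU2 = bytes([96,232,3,0,0,0,131,235,14,235,1,12,88,235,1,53,64,235,1,54,255,224,11,97])
MAU3 = bytes([235,1,227,96,232,3,0,0,0,210,235,11,88,235,1,72,64,235,1,53,255,224,231,97])

# One-byte save/restore opcodes: mnemonic and the item they push or pop.
SAVE_RESTORE = {0x60: ("pushad", "regs"), 0x61: ("popad", "regs"),
                0x9C: ("pushfd", "flags"), 0x9D: ("popfd", "flags")}

def trace(code, max_steps=64):
    """Run a pattern from offset 0; return (ops, exit_offset, stack).

    ops lists the non-jump instructions executed, exit_offset is where control
    leaves the pattern, stack is whatever the pattern left pushed.
    """
    ip, eax, stack, ops = 0, None, [], []
    for _ in range(max_steps):             # step limit guards against loops
        if not 0 <= ip < len(code):
            break
        op = code[ip]
        if op == 0xEB:                     # jmp short rel8 (skips junk bytes)
            ip += 2 + int.from_bytes(code[ip + 1:ip + 2], "little", signed=True)
        elif op == 0xE8:                   # call rel32 pushes the return offset
            rel = int.from_bytes(code[ip + 1:ip + 5], "little", signed=True)
            stack.append(ip + 5)
            ops.append("call")
            ip += 5 + rel
        elif op == 0x58:                   # pop eax picks that offset up again
            eax = stack.pop()
            ops.append("pop eax")
            ip += 1
        elif op == 0x40:                   # inc eax
            eax += 1
            ops.append("inc eax")
            ip += 1
        elif op == 0xFF and code[ip + 1:ip + 2] == b"\xe0":   # jmp eax
            ops.append("jmp eax")
            ip = eax
        elif op in SAVE_RESTORE:
            name, item = SAVE_RESTORE[op]
            if name.startswith("push"):
                stack.append(item)
            elif stack.pop() != item:
                raise ValueError("unbalanced %s at offset %d" % (name, ip))
            ops.append(name)
            ip += 1
        else:
            raise ValueError("unmodelled opcode %#04x at offset %d" % (op, ip))
    return ops, ip, stack

if __name__ == "__main__":
    for name, pat in (("mau1", MAU1), ("mau2", MAU2), ("mau3", MAU3)):
        print(name, *trace(pat))
```

Each pattern exits exactly at its own end with an empty stack: mau1 only saves and restores the flags, and mau2/mau3 wrap a call/pop/jmp eax detour in pushad/popad, so registers and flags come out unchanged.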

2)keygen:
First run deprotect.exe (from part I). Once the program is deprotected, writing the keygen is fairly simple (for C#1). Load C#1 in W32 and begin: open the Refs/.. menu again; it is still empty. So where are the message strings (not corect serial)? Do you think they are protected? That's right. Look at the following code:
:004011DF:
.
. (**)
.
:00401C80
It is quite long, but what it does is very simple:

mov esi,40702E
@loop:
mov al,[esi]
je @end
xor al,43
mov [esi],al
inc esi
jmp @loop
@end

(In the code above I have left out C#1's unnecessary instructions.) C#1 protects its strings by XORing them with 0x43.
Now we un-XOR them and remove the code at (**) to see what happens. In HVI there are 2 tasks:
1. fill (**) with nop=0x90
2. un-XOR (40702E)

Task 1: fill everything from .004011DF -> .00401C80 with 0x90
(or place a jmp 1280 instruction at .004011DF)
Task 2:
do it by hand, or write a program to do it yourself.
[40702e+i] = [40702e+i]^0x43 (i=0..203=0xCC-1)
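
Task 2 as a program, added here as an example that is not part of the original post. It goes one step beyond the page: besides decoding with the known key 0x43, it shows how the key of a single-byte XOR string table can be recovered when the decoding loop has not been read yet. The sample table is constructed for the example and is not the crackme's real data; all function names are assumptions.

```python
KEY = 0x43  # key from the page's "xor al,43"

def xor_bytes(data, key):
    """XOR every byte with a one-byte key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)

def text_score(buf):
    """Count bytes that are lowercase ASCII letters or spaces."""
    return sum(1 for b in buf if b == 0x20 or 0x61 <= b <= 0x7A)

def guess_key(blob):
    """Return the one-byte key whose decoding looks most like message text."""
    return max(range(256), key=lambda k: text_score(xor_bytes(blob, k)))

def c_strings(buf, min_len=4):
    """Split a decoded table on NUL bytes and keep printable ASCII runs."""
    out = []
    for part in buf.split(b"\x00"):
        if len(part) >= min_len and all(0x20 <= b < 0x7F for b in part):
            out.append(part.decode("ascii"))
    return out

# Constructed stand-in for the 0xCC-byte table at 40702E.
SAMPLE_PLAIN = b"Not correct serial\x00Thank you for registering\x00"
SAMPLE_TABLE = xor_bytes(SAMPLE_PLAIN, KEY)

if __name__ == "__main__":
    key = guess_key(SAMPLE_TABLE)
    print("recovered key = %#04x" % key)
    for s in c_strings(xor_bytes(SAMPLE_TABLE, key)):
        print(repr(s))
```

Before decoding, a strings-style scan of the table finds nothing, which matches the empty Refs menu in W32.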

With both tasks done, load C#1 in W32 again and open Refs/.. again: well, look at that, one item is now enabled. Click (String Data References) and the rest is up to you. I read through it and wrote the following keygen.

{keygen.pas}
var
  ten: string;                       { the name typed by the user }
  i, w: byte;
  crc, se: longint;
begin
  asm mov ax,3; int $10; end;        { BIOS: set 80x25 text mode }
  writeln('----'#13#10'Crackme#1 for softcracker_vn - Keygen by dactrung'#13#10'----');
  write('Name: '); readln(ten);
  write('Code: ');
  crc := 0;
  for i := 1 to length(ten) do
  begin
    w := ord(ten[i]);
    { characters outside 'A'..'z' are remapped first }
    if not (ten[i] in ['A'..'z']) then
      w := (w mod 10) + ord('A') + (w div 10);
    if w < $61 then w := w + $20;    { below 'a': add $20 }
    w := w - $61;                    { offset from 'a' }
    crc := (crc shl 1) + w;
  end;
  crc := crc xor $17021995;
  se := crc xor $43545CD1;           {magic number}
  se := se xor $26051976;
  write(se);
  readln;
end.


------ End of Part III ----
