本帖最后由 yypE 于 2015-6-17 13:01 编辑
好一阵子没上论坛了,发个KM保护ID~
KM在某首发,这里直接转过来:
要求:
提供2组可用Name与AccessCode即可,同样欢迎爆破练习
KM特征:
UPX
关键代码处虚拟,不影响追码爆破~
奖励酌情...
KM下载地址:
KeygenMe.rar
==============================
//请没有玩过的朋友跳过以下分析内容,玩过之后再来==
==============================
分析过程:
源码如下:
- #include "iostream.h"
- #include "stdio.h"
- #include "math.h"
- #include "VirtualizerSDK.h"
-
/*
 * Instruction/data table of the toy VM.
 *
 * main() reads the table ten entries at a time and divides every entry by
 * 1234 before handing the row to vmRun(); slot 0 of a row is the opcode.
 * The table is also written at run time: opcodes 32 and 61..64 store into
 * code[] at indices taken from the last slot of their row.
 *
 * The leading comment of each row is the index of its first entry. Rows whose
 * first entry divides to an opcode vmRun() handles are tagged with it.
 */
int code[] =
{
    /*   0 */ 149314, 149314, 138208, 85146, 39488, 134506, 119698, 123400, 124634, 39488,
    /*  10 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634,
    /*  20 */ 135740, 95018, 124634, 54296, 129570, 125868, 39488, 149314, 136974, 144378,
    /*  30 */ 46892, 141910, 124634, 124634, 39488, 143144, 128336, 129570, 141910, 39488,
    /*  40 */ 38254, 39488, 75274, 75274, 75274, 75274, 75274, 75274, 75274, 75274,           // op 31
    /*  50 */ 143144, 124634, 148080, 143144, 39488, 129570, 135740, 39488, 149314, 136974,
    /*  60 */ 38254, 75274, 75274, 75274, 75274, 75274, 75274, 75274, 75274, 75274,           // op 31
    /*  70 */ 144378, 140676, 39488, 97486, 83912, 39488, 136974, 140676, 39488, 119698,
    /*  80 */ 38254, 75274, 0, 39488, 39488, 92550, 124634, 149314, 127102, 124634,           // op 31
    /*  90 */ 144378, 140676, 39488, 97486, 83912, 39488, 136974, 140676, 39488, 119698,
    /* 100 */ 38254, 135740, 95018, 124634, 39488, 120932, 149314, 39488, 149314, 149314,     // op 31
    /* 110 */ 135740, 149314, 39488, 138208, 140676, 136974, 127102, 140676, 119698, 134506,
    /* 120 */ 38254, 138208, 85146, 0, 39488, 39488, 39488, 39488, 39488, 61700,              // op 31
    /* 130 */ 135740, 149314, 39488, 138208, 140676, 136974, 127102, 140676, 119698, 134506,
    /* 140 */ 38254, 59232, 60466, 65402, 55530, 66636, 55530, 60466, 60466, 0,               // op 31
    /* 150 */ 141910, 54296, 129570, 143144, 39488, 138208, 140676, 136974, 145612, 124634,
    /* 160 */ 38254, 39488, 75274, 75274, 75274, 75274, 75274, 75274, 75274, 75274,           // op 31
    /* 170 */ 141910, 39488, 143144, 128336, 119698, 143144, 39488, 149314, 136974, 144378,
    /* 180 */ 38254, 75274, 75274, 75274, 75274, 75274, 75274, 75274, 75274, 75274,           // op 31
    /* 190 */ 48126, 119698, 140676, 124634, 39488, 140676, 124634, 119698, 133272, 133272,
    /* 200 */ 38254, 75274, 1522756, 1522756, 1522756, 1522756, 1522756, 1522756, 1522756, 0, // op 31
    /* 210 */ 149314, 39488, 127102, 140676, 124634, 119698, 143144, 40722, 81444, 59232,
    /* 220 */ 38254, 39488, 98720, 133272, 124634, 119698, 141910, 124634, 39488, 85146,      // op 31
    /* 230 */ 141910, 54296, 129570, 143144, 39488, 138208, 140676, 136974, 145612, 124634,
    /* 240 */ 38254, 135740, 143144, 124634, 140676, 39488, 109826, 136974, 144378, 140676,   // op 31
    /* 250 */ 144378, 140676, 39488, 97486, 83912, 39488, 136974, 140676, 39488, 119698,
    /* 260 */ 38254, 39488, 96252, 119698, 134506, 124634, 49360, 69104, 50594, 71572,        // op 31
    /* 270 */ 144378, 140676, 39488, 97486, 83912, 39488, 136974, 140676, 39488, 119698,
    /* 280 */ 39488, 13574, 13574, 13574, 13574, 13574, 13574, 13574, 13574, 309734,          // op 32, target 251
    /* 290 */ 144378, 140676, 39488, 97486, 83912, 39488, 136974, 140676, 39488, 119698,
    /* 300 */ 75274, 136974, 273948, 410922, 547896, 684870, 821844, 958818, 1095792, 309734, // op 61, target 251
    /* 310 */ 144378, 140676, 39488, 97486, 83912, 39488, 136974, 140676, 39488, 119698,
    /* 320 */ 76508, 81444, 83912, 78976, 115996, 78976, 2468, 3702, 7404, 309734,            // op 62, target 251
    /* 330 */ 141910, 54296, 129570, 143144, 39488, 138208, 140676, 136974, 145612, 124634,
    /* 340 */ 77742, 141910, 54296, 129570, 143144, 39488, 138208, 140676, 136974, 309734,    // op 63, target 251
    /* 350 */ 144378, 140676, 39488, 97486, 83912, 39488, 136974, 140676, 39488, 119698,
    /* 360 */ 38254, 39488, 98720, 133272, 124634, 119698, 141910, 124634, 39488, 85146,      // op 31
    /* 370 */ 144378, 140676, 39488, 97486, 83912, 39488, 136974, 140676, 39488, 119698,
    /* 380 */ 38254, 135740, 143144, 124634, 140676, 39488, 80210, 122166, 122166, 124634,    // op 31
    /* 390 */ 144378, 140676, 39488, 97486, 83912, 39488, 136974, 140676, 39488, 119698,
    /* 400 */ 38254, 141910, 141910, 39488, 82678, 136974, 123400, 124634, 49360, 1522756,    // op 31
    /* 410 */ 144378, 140676, 39488, 97486, 83912, 39488, 136974, 140676, 39488, 119698,
    /* 420 */ 38254, 69104, 50594, 71572, 1522756, 1522756, 1522756, 1522756, 1522756, 1522756, // op 31
    /* 430 */ 144378, 140676, 39488, 97486, 83912, 39488, 136974, 140676, 39488, 119698,
    /* 440 */ 39488, 14808, 25914, 14808, 25914, 13574, 38254, 64168, 54296, 544194,          // op 32, target 441
    /* 450 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634,
    /* 460 */ 78976, 233226, 161654, 166590, 170292, 186334, 135740, 12340, 24680, 568874,    // op 64, target 461
    /* 470 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634,
    /* 480 */ 80210, 0, 0, 0, 0, 0, 0, 0, 12340, 24680,                                       // op 65
    /* 490 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634,
    /* 500 */ 81444, 0, 0, 0, 0, 0, 0, 0, 12340, 24680,                                       // op 66
    /* 510 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634,
    /* 520 */ 82678, 0, 0, 0, 0, 0, 0, 0, 12340, 24680,                                       // op 67
    /* 530 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634,
    /* 540 */ 83912, 0, 0, 0, 0, 0, 0, 0, 12340, 24680,                                       // op 68
    /* 550 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634,
    /* 560 */ 85146, 0, 0, 0, 0, 0, 0, 0, 12340, 24680,                                       // op 69
    /* 570 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634,
    /* 580 */ 86380, 0, 0, 0, 0, 0, 0, 0, 12340, 24680,                                       // op 70
    /* 590 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634,
    /* 600 */ 87614, 0, 0, 0, 0, 0, 0, 0, 12340, 24680,                                       // op 71
    /* 610 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634,
    /* 620 */ 88848, 0, 0, 0, 0, 0, 0, 0, 12340, 24680,                                       // op 72
    /* 630 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634,
    /* 640 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634,
    /* 650 */ 38254, 0, 39488, 107358, 140676, 136974, 135740, 127102, 56764, 1522756,        // op 31
    /* 660 */ 38254, 0, 39488, 80210, 122166, 122166, 124634, 141910, 141910, 1522756,        // op 31
    /* 670 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634,
    /* 680 */ 38254, 39488, 102422, 144378, 122166, 122166, 124634, 141910, 141910, 125868,   // op 31
    /* 690 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634,
    /* 700 */ 38254, 144378, 133272, 133272, 149314, 56764, 1522756, 1522756, 1522756, 1522756, // op 31
    /* 710 */ 143144, 128336, 129570, 141910, 39488, 92550, 124634, 149314, 127102, 124634
};

char a;       // scratch character that opcode 31 assigns and prints
char b[256];  // buffer that opcode 32 reads console input into
int e;        // last slot (target index) of the most recent opcode 32; opcode 64 reads from code[e..]
/* ck - collapse an integer to a flag: 1 for any non-zero value, 0 for zero. */
int ck(int num)
{
    return (num == 0) ? 0 : 1;
}
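/*
 * vmRun - interpret one 10-slot instruction of the toy VM.
 *
 * array[0] is the opcode; the use of array[1..9] depends on it:
 *   31      print array[1..9] as characters (0 prints a newline, 1234 is skipped)
 *   32      read a word from the console, copy its first 8 bytes to code[array[9]..]
 *   61      code[array[9]+k] &= array[k+1]                      for k = 0..7
 *   62      code[array[9]+k] += (int)sin(following entry)       (the last one uses the first)
 *   63      code[array[9]+k]  = (int)(53 + 4*sin(code[array[9]+k]))
 *   64      code[array[9]+k]  = code[e+k] - code[251+k]
 *   65..72  returns array[8] when code[461 + (opcode-65)] is non-zero,
 *           array[9] when it is zero
 *
 * Returns the value main() adds to its position in code[]: the slot chosen by
 * a 65..72 instruction, otherwise 20.
 *
 * Review notes:
 *  - array[9] and e are used as indices into code[] with no range check, so
 *    the stores are only as safe as the table contents.
 *  - Every return leaves the function before VIRTUALIZER_END is reached.
 *    NOTE(review): confirm the SDK accepts a return inside a marked region.
 */
int vmRun(int array[10])
{
    VIRTUALIZER_START; // Code Virtualizer protection marker
    for (int i = 0; i < 10; i++)
    {
        if (i != 0)
        {
            switch (array[0])
            {
            case 31:
            {
                // The breaks below leave the switch only; the for loop goes on.
                if (array[i] == 00) { cout << endl; break; }
                if (array[i] == 1234) break;
                a = array[i];
                cout << a;
                break;
            }
            }
        }
        else
        {
            if (array[0] == 32)
            {
                e = array[9];
                // Limit the extraction to the buffer: a bare `cin >> b` stores
                // the whole word and overruns b on input longer than 255 chars.
                cin.width(sizeof b);
                cin >> b;
                // Always copies 8 bytes. b is reused between reads, so for a
                // word shorter than 8 characters the bytes after its terminator
                // are whatever an earlier read left there (zero on first use).
                for (int nn = 0; nn < 8; nn++)
                {
                    code[array[9] + nn] = b[0 + nn];
                }
            }
            if (array[0] == 61)
            {
                for (int nn = 0; nn < 8; nn++)
                {
                    code[array[9] + nn] &= array[nn + 1];
                }
            }
            if (array[0] == 62)
            {
                // (int) truncates toward zero, so each added term is 0 unless
                // sin() returns exactly +1 or -1.
                for (int nn = 0; nn < 8; nn++)
                {
                    if (nn < 7)
                        code[array[9] + nn] += (int)sin(code[array[9] + nn + 1]);
                    else
                        code[array[9] + nn] += (int)sin(code[array[9]]);
                }
            }
            if (array[0] == 63)
            {
                for (int nn = 0; nn < 8; nn++)
                {
                    code[array[9] + nn] = (int)(53 + 4 * sin(code[array[9] + nn]));
                }
            }
            if (array[0] == 64)
            {
                // Entry-by-entry difference between the block at e and the
                // block at 251; opcodes 65..72 test these results for zero.
                for (int nn = 0; nn < 8; nn++)
                {
                    code[array[9] + nn] = code[e + nn] - code[251 + nn];
                }
            }
            for (int f = 65; f < 73; f++)
            {
                if (array[0] == f)
                {
                    // ck() is 1 for a non-zero difference -> array[8], else array[9].
                    return array[9 - ck(code[461 + f - 65])];
                }
            }
        }
    }

    return 20;
    VIRTUALIZER_END;
}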
-
/*
 * Fetch loop of the toy VM: decode ten entries of code[] starting at the
 * current position (each entry divided by 1234), hand them to vmRun(), and
 * advance the position by whatever vmRun() returns. Stops once the position
 * is no longer below the number of entries in code[], then prints four blank
 * lines and waits for a key.
 */
void main()
{
    int array[10] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
    int pos = 0; // index in code[] of the row being decoded

    while (pos < sizeof(code) / sizeof(code[1]))
    {
        for (int slot = 0; slot < 10; ++slot)
        {
            array[slot] = code[pos + slot] / 1234;
        }
        // The step comes from vmRun(), so the table itself decides which row runs next.
        pos += vmRun(array);
    }
    cout << endl << endl << endl << endl;
    getchar();
}
这不仔细看是看不出什么来的,用了个幼儿园级别的虚拟函数vmRun来解释code
真实算法翻译成伪代码:
Put Name in Array[2 to 9];  // Array 下标 {2 3 4 5 6 7 8 9}
[2]=[2] and 111   [3]=[3] and 222   …   [9]=[9] and 888   …算法(SF)1
[2]=[2]+sin([3])   [3]=[3]+sin([4])   …   [9]=[9]+sin([2])   …SF2  // sin 取整
[2]=53+4*sin([2])   [3]=53+4*sin([3])   …   [9]=53+4*sin([9])   …SF3  // sin 结果保留小数,相加之后的结果取整
// 至此 [2 to 9] 中保留 8 位 1-9 字符的 ASCII 码(49-57),即 AccessCode
// 明码...
简单说说这个解释器吧,main中循环抽取code中的指令(均乘以1234了,还原),一次抽取10个放在array里,丢给vmRun解释: Array[10] info: 其中:
Type   Func    data   Func
31     cout    0      endl
32     cin     1234   useless
61     SF1
62     SF2
63     SF3
65-72  chk
vmRun函数里头的cin/cout由第1位的31/32带过,接着便是61/62/63的三个算法,代码里头都能看得清楚
最后便是check结果了,当第1位是65-72时,通过检查输入的值与算出的值的异同,来设定vmRun的返回值:如果相同(即正确),则返回第10位(20),否则返回第9位(10)。vmRun的返回值作为main()中for()的跳转步长。
根据算法可以找到爆破处(将code中的65-72中的第九位换成20就OK啦),
65*1234=80210=十六进制 01 39 52
从此处开始搜索12340(10*1234),将8处替换为24680(20*1234,十六进制 68 60)即可完成爆破。保存文件如下(把upx脱了或者直接内存补丁)
爆破结果:
同样也可以追码(明码硬伤),
code hex转int:
锁定32(cin *1234后为39488)输入name "xuepojie."之后发现:
ascii码翻译过来为21851887,输入AccessCode即可
当然这是我知道源码的情况下OD中逆向,不知道源码也可以稍稍分析下,IDA可以逆出main中的算法,不过由于vmRun虚拟处理了下,爆破的话就只能从CODE里头下手咯。。。追码什么的,简单了,已经在上文说明了。 END
ps. @Shark恒 恒大,discuz论坛转帖子感觉都挺麻烦的,尤其是图片,嘿嘿,52的水印留着,不碍事儿哈 对了,上次来论坛还没开放CM区呢