转载一枚自写km+分析过程

yypE · 发表于 2015-6-17 12:43

本帖最后由 yypE 于 2015-6-17 13:01 编辑

好一阵子没上论坛了，发个KM保护ID~
KM在某首发，这里直接转过来：

要求：
提供2组可用Name与AccessCode即可,同样欢迎爆破练习
KM特征：
UPX
关键代码处虚拟,不影响追码爆破~
奖励酌情...
KM下载地址：
KeygenMe.rar (76.87 KB, 下载次数: 669)

2015-6-17 12:33 上传
点击文件名下载附件
KM

==============================
//请没有玩过的朋友跳过以下分析内容，玩过之后再来==
==============================

分析过程:
源码如下：

#include "iostream.h"
#include "stdio.h"
#include "math.h"
#include "VirtualizerSDK.h"
int code[]=
{
149314,149314,138208,85146,39488,134506,119698,123400,124634,39488,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
135740,95018,124634,54296,129570,125868,39488,149314,136974,144378,
46892,141910,124634,124634,39488,143144,128336,129570,141910,39488,
38254,39488,75274,75274,75274,75274,75274,75274,75274,75274,
143144,124634,148080,143144,39488,129570,135740,39488,149314,136974,
38254,75274,75274,75274,75274,75274,75274,75274,75274,75274,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
38254,75274,0,39488,39488,92550,124634,149314,127102,124634,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
38254,135740,95018,124634,39488,120932,149314,39488,149314,149314,
135740,149314,39488,138208,140676,136974,127102,140676,119698,134506,
38254,138208,85146,0,39488,39488,39488,39488,39488,61700,
135740,149314,39488,138208,140676,136974,127102,140676,119698,134506,
38254,59232,60466,65402,55530,66636,55530,60466,60466,0,
141910,54296,129570,143144,39488,138208,140676,136974,145612,124634,
38254,39488,75274,75274,75274,75274,75274,75274,75274,75274,
141910,39488,143144,128336,119698,143144,39488,149314,136974,144378,
38254,75274,75274,75274,75274,75274,75274,75274,75274,75274,
48126,119698,140676,124634,39488,140676,124634,119698,133272,133272,
38254,75274,1522756,1522756,1522756,1522756,1522756,1522756,1522756,0,
149314,39488,127102,140676,124634,119698,143144,40722,81444,59232,
38254,39488,98720,133272,124634,119698,141910,124634,39488,85146,
141910,54296,129570,143144,39488,138208,140676,136974,145612,124634,
38254,135740,143144,124634,140676,39488,109826,136974,144378,140676,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
38254,39488,96252,119698,134506,124634,49360,69104,50594,71572,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
39488,13574,13574,13574,13574,13574,13574,13574,13574,309734,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
75274,136974,273948,410922,547896,684870,821844,958818,1095792,309734,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
76508,81444,83912,78976,115996,78976,2468,3702,7404,309734,
141910,54296,129570,143144,39488,138208,140676,136974,145612,124634,
77742,141910,54296,129570,143144,39488,138208,140676,136974,309734,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
38254,39488,98720,133272,124634,119698,141910,124634,39488,85146,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
38254,135740,143144,124634,140676,39488,80210,122166,122166,124634,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
38254,141910,141910,39488,82678,136974,123400,124634,49360,1522756,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
38254,69104,50594,71572,1522756,1522756,1522756,1522756,1522756,1522756,
144378,140676,39488,97486,83912,39488,136974,140676,39488,119698,
39488,14808,25914,14808,25914,13574,38254,64168,54296,544194,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
78976,233226,161654,166590,170292,186334,135740,12340,24680,568874,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
80210,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
81444,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
82678,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
83912,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
85146,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
86380,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
87614,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
88848,0,0,0,0,0,0,0,12340,24680,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
38254,0,39488,107358,140676,136974,135740,127102,56764,1522756,
38254,0,39488,80210,122166,122166,124634,141910,141910,1522756,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
38254,39488,102422,144378,122166,122166,124634,141910,141910,125868,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634,
38254,144378,133272,133272,149314,56764,1522756,1522756,1522756,1522756,
143144,128336,129570,141910,39488,92550,124634,149314,127102,124634
};
char a;
char b[256];
int e;
int ck(int num)
{
if(num!=0)return 1;else return 0;
}
int vmRun(int array[10])
{
VIRTUALIZER_START;//CodeVirtualizer加壳标志
for (int i = 0;i <10;i++)
{
if (i!=0)
{
switch (array[0])
{
case 31:
{
if (array[i]==00) {cout<<endl;break;}
if (array[i]==1234) break;
a=array[i];
cout<<a;
break;
}
}
}
else
{
if (array[0]==32)
{
e=array[9];
cin>>b;
for (int nn =0;nn < 8;nn++)
{
code[array[9]+nn]=b[0+nn];
}
}
if (array[0]==61)
{
for (int nn =0;nn < 8;nn++)
{
code[array[9]+nn]&=array[nn+1];
}
}
if (array[0]==62)
{
for (int nn =0;nn < 8;nn++)
{
if (nn<7)
code[array[9]+nn]+=(int)sin(code[array[9]+nn+1]);
else
code[array[9]+nn]+=(int)sin(code[array[9]]);
}
}
if (array[0]==63)
{
for (int nn =0;nn < 8;nn++)
{
code[array[9]+nn]=(int)(53+4*sin(code[array[9]+nn]));
}
}
if (array[0]==64)
{
for (int nn =0;nn < 8;nn++)
{
code[array[9]+nn]=code[e+nn]-code[251+nn];
}
}
for (int f=65;f<73;f++)
{
if (array[0]==f)
{
return array[9-ck(code[461+f-65])];
}
}
}
}
return 20;
VIRTUALIZER_END;
}
void main()
{
int n=0,c=0;
int array[10]={0,0,0,0,0,0,0,0,0,0};
for (int i = 0;i < sizeof(code)/sizeof(code[1]);i+=0)
{
n=0;
while(n<10)
{
array[n]=code[i+n]/1234;
n++;
}
c=vmRun(array);
i+=c;
}
cout<<endl<<endl<<endl<<endl;
getchar();
}

复制代码

这不仔细看是看不出什么来的，用了个幼儿园级别的虚拟函数vmRun来解释code
真实算法翻译成伪代码：

Put Name inArray[2 to 9];
//Array {2 3 4 56 7 8 9}
[2]= [2]and111
[3]=[3]and222
…
[9]=[9]and888 …算法（SF）1

[2]=[2]+sin([3] )//sin取整
[3]=[3]+sin([4] )
…
[9]=[9]+sin([2] )…SF2

[2]=53+4*sin( [2])//+后结果取整sin结果保留小数
[3]=53+4*sin( [3])
…
[9]=53+4*sin( [9])…SF3
//至此[2to9]中保留8位1-9字符的ASCII码（49-57）即accesscode
//明码...

简单说说这个解释器吧，main中循环抽取code中的指令（均乘以1234了，还原），一次抽取10个放在array里，丢给vmRun解释：

Array[10] info:

1	2	3	4	5	6	7	8	9	10
Type	data	data	data	data	data	data	data	data	data

其中：

Type Func       data  Func
  31    cout          0    endl
  32    cin          1234 useless
  61    SF1
  62    SF2
  63    SF3
65-72  chk

vmRun函数里头的cin /out由1位的31/32带过，接着便是61/62/63的三个算法，代码里头都能看的看清楚

最后便是check结果了,当1位是65-72时，通过检查输入的值与算出的值的异同，来设定vmRun的返回值，如果相同（即正确），则返回第10位（20），否则返回第9位（10），vmRun的返回值作为main()中for()的跳转。

根据算法可以找到爆破处（将code中的65-72中的第九位换成20就OK啦）,

65*1234=80210=01 39 52

从此处开始搜索12340（10*1234），8处替换为24680（20*1234 十六68 60）即可完成爆破

保存文件如下（把upx脱了或者直接内存补丁）

爆破结果：

同样也可以追码（明码硬伤），

code hex转int:

锁定32（cin *1234后为39488）输入name "xuepojie."之后发现：

ascii码翻译过来为21851887,输入AccessCode即可

当然这是我知道源码的情况下OD中逆向，不知道源码也可以稍稍分析下，IDA可以逆出main中的算法，不过由于vmRun虚拟处理了下，爆破的话就只能从CODE里头下手咯。。。追码什么的，简单了，已经在上文说明了。

END

ps.

@Shark恒

恒大，discuz论坛转帖子感觉都挺麻烦的，尤其是图片，嘿嘿，52的水印留着，不碍事儿哈

对了，上次来论坛还没开放CM区呢

Shark恒 · 发表于 2015-6-17 13:27

是啊，你好久没来了。

Desire · 发表于 2015-6-17 13:33

Shark恒发表于 2015-6-17 13:27
是啊，你好久没来了。

哎哟,难得有个帖子admin还跟我抢绩效

		自动登录	找回密码
密码			立即注册

[转载KeyGenMe] 转载一枚自写km+分析过程

点评

评分