如何生成CrackMe注冊機之Pie

本文練習CrackMe下載鏈接如下:https://reverse.put.as/wp-content/uploads/2010/08/Pie.zip。來自MacSerialJunkies 2010 Contest。
所以分析破解起來還是有點難度。
運行截圖如下。

Snip20171015_0.png

0x1代碼靜態分析

Hopper中打開Pie,可以看到如下代碼。



        ; ================ B E G I N N I N G   O F   P R O C E D U R E ================

        ; Variables:
        ;    var_8: -8
        ;    var_10: -16
        ;    var_18: -24
        ;    var_20: -32
        ;    var_28: -40

        ; -[PieAppDelegate serialFieldDidChange]
        ; Change handler for the serial text field.  It (1) writes the current
        ; contents of nameField and serialField into standardUserDefaults under
        ; the keys @"name" and @"serial" -- ordinary preference values, nothing
        ; is hashed or encrypted before storage -- and then (2) tail-calls
        ; -verifySerial:andName: with serial = [serialField stringValue] and
        ; name = [nameField stringValue].
        ; Because the call is a tail jump, whatever verifySerial:andName: leaves
        ; in rax is this method's "return value"; see that method -- it does not
        ; set rax on its reject path, so callers should not depend on it.
        ; Register roles: r13 = self, r15 = standardUserDefaults,
        ; rbx = @selector(stringValue) (reused for every field read),
        ; r14 / r12 = selector / fixup stub for setObject:forKey:.

                     -[PieAppDelegate serialFieldDidChange]:
        ; Prologue: spill callee-saved rbx, r12-r15 into var_28..var_8 and reserve 0x30 bytes.
0000000100001061         push       rbp                                         ; Objective C Implementation defined at 0x1000025d8 (instance method), DATA XREF=0x1000025d8
0000000100001062         mov        rbp, rsp
0000000100001065         mov        qword [rbp+var_28], rbx
0000000100001069         mov        qword [rbp+var_20], r12
000000010000106d         mov        qword [rbp+var_18], r13
0000000100001071         mov        qword [rbp+var_10], r14
0000000100001075         mov        qword [rbp+var_8], r15
0000000100001079         sub        rsp, 0x30
        ; r13 = self (arrives in rdi).
000000010000107d         mov        r13, rdi
        ; r15 = [NSUserDefaults standardUserDefaults]
0000000100001080         mov        rdi, qword [objc_cls_ref_NSUserDefaults]    ; argument "instance" for method _objc_msgSend_fixup
0000000100001087         lea        rsi, qword [0x100002208]                    ; @selector(standardUserDefaults), argument "selector" for method _objc_msgSend_fixup
000000010000108e         call       qword [0x100002208]                         ; @selector(standardUserDefaults),_objc_msgSend_fixup
0000000100001094         mov        r15, rax
        ; Cache the setObject:forKey: selector (r14) and its msgSend stub (r12) for the two stores below.
0000000100001097         lea        r14, qword [0x1000022a8]                    ; @selector(setObject:forKey:)
000000010000109e         mov        r12, qword [0x1000022a8]                    ; @selector(setObject:forKey:)
        ; [defaults setObject:[self->nameField stringValue] forKey:@"name"]
00000001000010a5         mov        rax, qword [objc_ivar_offset_PieAppDelegate_nameField]
00000001000010ac         mov        rdi, qword [r13+rax]                        ; argument "instance" for method _objc_msgSend_fixup
00000001000010b1         lea        rbx, qword [0x100002258]                    ; @selector(stringValue)
00000001000010b8         mov        rsi, rbx                                    ; argument "selector" for method _objc_msgSend_fixup
00000001000010bb         call       qword [0x100002258]                         ; @selector(stringValue),_objc_msgSend_fixup
00000001000010c1         lea        rcx, qword [cfstring_name]                  ; @"name"
00000001000010c8         mov        rdx, rax
00000001000010cb         mov        rsi, r14                                    ; argument "selector" for method _objc_msgSend_fixup
00000001000010ce         mov        rdi, r15                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000010d1         call       r12                                         ; _objc_msgSend_fixup
        ; [defaults setObject:[self->serialField stringValue] forKey:@"serial"]
00000001000010d4         mov        r12, qword [0x1000022a8]                    ; @selector(setObject:forKey:)
00000001000010db         mov        rax, qword [objc_ivar_offset_PieAppDelegate_serialField]
00000001000010e2         mov        rdi, qword [r13+rax]                        ; argument "instance" for method _objc_msgSend_fixup
00000001000010e7         mov        rsi, rbx                                    ; argument "selector" for method _objc_msgSend_fixup
00000001000010ea         call       qword [0x100002258]                         ; @selector(stringValue),_objc_msgSend_fixup
00000001000010f0         lea        rcx, qword [cfstring_serial]                ; @"serial"
00000001000010f7         mov        rdx, rax
00000001000010fa         mov        rsi, r14                                    ; argument "selector" for method _objc_msgSend_fixup
00000001000010fd         mov        rdi, r15                                    ; argument "instance" for method _objc_msgSend_fixup
0000000100001100         call       r12                                         ; _objc_msgSend_fixup
        ; Re-read both fields for the verify call: r12 = name string, rax = serial string.
0000000100001103         mov        r14, qword [0x100002268]                    ; @selector(verifySerial:andName:)
000000010000110a         mov        rax, qword [objc_ivar_offset_PieAppDelegate_nameField]
0000000100001111         mov        rdi, qword [r13+rax]                        ; argument "instance" for method _objc_msgSend_fixup
0000000100001116         mov        rsi, rbx                                    ; argument "selector" for method _objc_msgSend_fixup
0000000100001119         call       qword [0x100002258]                         ; @selector(stringValue),_objc_msgSend_fixup
000000010000111f         mov        r12, rax
0000000100001122         mov        rax, qword [objc_ivar_offset_PieAppDelegate_serialField]
0000000100001129         mov        rdi, qword [r13+rax]                        ; argument "instance" for method _objc_msgSend_fixup
000000010000112e         mov        rsi, rbx                                    ; argument "selector" for method _objc_msgSend_fixup
0000000100001131         call       qword [0x100002258]                         ; @selector(stringValue),_objc_msgSend_fixup
        ; Argument layout for the tail call: rdi = self, rsi = _cmd, rdx = serial (1st arg), rcx = name (2nd arg).
0000000100001137         mov        rcx, r12
000000010000113a         mov        rdx, rax
000000010000113d         lea        rsi, qword [0x100002268]                    ; @selector(verifySerial:andName:), argument "selector" for method _objc_msgSend_fixup
0000000100001144         mov        rdi, r13                                    ; argument "instance" for method _objc_msgSend_fixup
0000000100001147         mov        r11, r14
        ; Restore callee-saved registers, drop the frame, and jump into objc_msgSend so the verify call replaces this frame.
000000010000114a         mov        rbx, qword [rbp+var_28]
000000010000114e         mov        r12, qword [rbp+var_20]
0000000100001152         mov        r13, qword [rbp+var_18]
0000000100001156         mov        r14, qword [rbp+var_10]
000000010000115a         mov        r15, qword [rbp+var_8]
000000010000115e         leave
000000010000115f         jmp        r11                                         ; _objc_msgSend_fixup
                        ; endp

[PieAppDelegate serialFieldDidChange]方法監聽輸入serial的變化,然后調用[PieAppDelegate verifySerial:andName:]進行檢驗。所以真正校驗的方法在 -[PieAppDelegate verifySerial:andName:]。代碼如下。



        ; ================ B E G I N N I N G   O F   P R O C E D U R E ================

        ; Variables:
        ;    var_8: -8
        ;    var_10: -16
        ;    var_18: -24
        ;    var_20: -32
        ;    var_28: -40
        ;    var_38: -56
        ;    var_40: -64
        ;    var_48: -72
        ;    var_50: -80
        ;    var_58: -88
        ;    var_60: -96
        ;    var_70: -112
        ;    var_78: -120
        ;    var_80: -128
        ;    var_88: -136
        ;    var_90: -144
        ;    var_98: -152
        ;    var_A0: -160
        ;    var_A8: -168
        ;    var_B0: -176
        ;    var_B8: -184
        ;    var_C0: -192
        ;    var_C8: -200
        ;    var_D0: -208

        ; -[PieAppDelegate verifySerial:andName:]
        ; Arguments: rdx = serial (kept in r13), rcx = name (kept in r14);
        ; self is parked in var_60 for the final notification.
        ; Every check is a local comparison against values that live in the
        ; binary itself: the CFString referenced through 0x100002768, the
        ; digest string referenced through 0x100002770, the literal 0x46, and
        ; the fixed ranges below.  Nothing is fetched from outside the process.
        ; MD5() is the imported stub called with md = NULL (xor edx, edx); the
        ; code then reads the digest through rax, which matches the OpenSSL
        ; MD5() convention of returning a static buffer -- confirm against the
        ; import if this matters.
        ; Checks, in order (any failure jumps to loc_100001666):
        ;   1. [serial length] == 0x10
        ;   2. MD5(UTF-8 of [serial substringToIndex:6]), all 16 digest bytes
        ;      formatted with "%02X" x16 (32 uppercase hex chars), must be
        ;      isEqualToString: the string at [0x100002770]
        ;   3. [serial characterAtIndex:0xd] == 0x46
        ;   4. [serial substringWithRange:{6,7}] must equal the first 7 hex
        ;      chars of MD5(UTF-8 of name), formatted uppercase
        ;   5. UTF-8 data of [serial substringWithRange:{14,2}] must be
        ;      isEqualToData: the UTF-8 data of the string at [0x100002768]
        ; Accept path: [[NSNotificationCenter defaultCenter]
        ;     postNotificationName:@"Registered" object:self] as a tail call.
        ; Reject path: restores registers and returns WITHOUT writing rax, so
        ; the method has no reliable return value; success is signalled only by
        ; the notification.
        ; Educational note: hashing a 6-character prefix and embedding the
        ; digest does not hide the prefix -- a short input is recoverable by
        ; lookup -- which is why a static read of this routine is enough to
        ; describe the whole scheme.  Encoding 4 is NSUTF8StringEncoding.

                     -[PieAppDelegate verifySerial:andName:]:
        ; Prologue: spill rbx, r12-r15 into var_28..var_8, reserve 0xd0 bytes.
0000000100001342         push       rbp                                         ; Objective C Implementation defined at 0x1000025c0 (instance method), DATA XREF=0x1000025c0
0000000100001343         mov        rbp, rsp
0000000100001346         mov        qword [rbp+var_28], rbx
000000010000134a         mov        qword [rbp+var_20], r12
000000010000134e         mov        qword [rbp+var_18], r13
0000000100001352         mov        qword [rbp+var_10], r14
0000000100001356         mov        qword [rbp+var_8], r15
000000010000135a         sub        rsp, 0xd0
        ; var_60 = self, r13 = serial, r14 = name.
0000000100001361         mov        qword [rbp+var_60], rdi
0000000100001365         mov        r13, rdx
0000000100001368         mov        r14, rcx
        ; r15 = [<string at 0x100002768> dataUsingEncoding:4]; used by check 5 at the end.
000000010000136b         mov        rdi, qword [0x100002768]                    ; argument "instance" for method _objc_msgSend_fixup
0000000100001372         mov        edx, 0x4
0000000100001377         lea        rsi, qword [0x1000022b8]                    ; @selector(dataUsingEncoding:), argument "selector" for method _objc_msgSend_fixup
000000010000137e         call       qword [0x1000022b8]                         ; @selector(dataUsingEncoding:),_objc_msgSend_fixup
0000000100001384         mov        r15, rax
        ; Check 1: [serial length] must be exactly 0x10.
0000000100001387         lea        rsi, qword [0x1000022c8]                    ; @selector(length), argument "selector" for method _objc_msgSend_fixup
000000010000138e         mov        rdi, r13                                    ; argument "instance" for method _objc_msgSend_fixup
0000000100001391         call       qword [0x1000022c8]                         ; @selector(length),_objc_msgSend_fixup
0000000100001397         cmp        rax, 0x10
000000010000139b         jne        loc_100001666

        ; Check 2, part a: rbx = [[serial substringToIndex:6] dataUsingEncoding:4]; r12 = its length.
00000001000013a1         mov        edx, 0x6
00000001000013a6         lea        rsi, qword [0x1000022d8]                    ; @selector(substringToIndex:), argument "selector" for method _objc_msgSend_fixup
00000001000013ad         mov        rdi, r13                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000013b0         call       qword [0x1000022d8]                         ; @selector(substringToIndex:),_objc_msgSend_fixup
00000001000013b6         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000013b9         mov        edx, 0x4
00000001000013be         lea        rsi, qword [0x1000022b8]                    ; @selector(dataUsingEncoding:), argument "selector" for method _objc_msgSend_fixup
00000001000013c5         call       qword [0x1000022b8]                         ; @selector(dataUsingEncoding:),_objc_msgSend_fixup
00000001000013cb         mov        rbx, rax
00000001000013ce         lea        rsi, qword [0x1000022c8]                    ; @selector(length), argument "selector" for method _objc_msgSend_fixup
00000001000013d5         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000013d8         call       qword [0x1000022c8]                         ; @selector(length),_objc_msgSend_fixup
00000001000013de         mov        r12, rax
        ; rax = MD5([rbx bytes], r12, NULL)
00000001000013e1         lea        rsi, qword [0x1000022e8]                    ; @selector(bytes), argument "selector" for method _objc_msgSend_fixup
00000001000013e8         mov        rdi, rbx                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000013eb         call       qword [0x1000022e8]                         ; @selector(bytes),_objc_msgSend_fixup
00000001000013f1         mov        rdi, rax                                    ; argument "d" for method imp___symbol_stub1__MD5
00000001000013f4         xor        edx, edx                                    ; argument "md" for method imp___symbol_stub1__MD5
00000001000013f6         mov        rsi, r12                                    ; argument "n" for method imp___symbol_stub1__MD5
00000001000013f9         call       imp___symbol_stub1__MD5
        ; Check 2, part b: spread all 16 digest bytes as varargs for stringWithFormat:
        ; (bytes 0..2 in rcx/r8/r9, bytes 3..15 on the stack, var_D0 .. var_70).
00000001000013fe         mov        rdx, qword [objc_cls_ref_NSString]
0000000100001405         mov        qword [rbp+var_58], rdx
0000000100001409         movzx      r9d, byte [rax+2]
000000010000140e         movzx      r8d, byte [rax+1]
0000000100001413         movzx      ecx, byte [rax]
0000000100001416         movzx      edx, byte [rax+0xf]
000000010000141a         mov        dword [rsp+0xd0+var_70], edx
000000010000141e         movzx      edx, byte [rax+0xe]
0000000100001422         mov        dword [rsp+0xd0+var_78], edx
0000000100001426         movzx      edx, byte [rax+0xd]
000000010000142a         mov        dword [rsp+0xd0+var_80], edx
000000010000142e         movzx      edx, byte [rax+0xc]
0000000100001432         mov        dword [rsp+0xd0+var_88], edx
0000000100001436         movzx      edx, byte [rax+0xb]
000000010000143a         mov        dword [rsp+0xd0+var_90], edx
000000010000143e         movzx      edx, byte [rax+0xa]
0000000100001442         mov        dword [rsp+0xd0+var_98], edx
0000000100001446         movzx      edx, byte [rax+9]
000000010000144a         mov        dword [rsp+0xd0+var_A0], edx
000000010000144e         movzx      edx, byte [rax+8]
0000000100001452         mov        dword [rsp+0xd0+var_A8], edx
0000000100001456         movzx      edx, byte [rax+7]
000000010000145a         mov        dword [rsp+0xd0+var_B0], edx
000000010000145e         movzx      edx, byte [rax+6]
0000000100001462         mov        dword [rsp+0xd0+var_B8], edx
0000000100001466         movzx      edx, byte [rax+5]
000000010000146a         mov        dword [rsp+0xd0+var_C0], edx
000000010000146e         movzx      edx, byte [rax+4]
0000000100001472         mov        dword [rsp+0xd0+var_C8], edx
0000000100001476         movzx      eax, byte [rax+3]
000000010000147a         mov        dword [rsp+0xd0+var_D0], eax
        ; [NSString stringWithFormat:@"%02X"x16, ...] -> 32 uppercase hex chars (full digest, not a prefix).
000000010000147d         lea        rdx, qword [cfstring__02X_02X_02X_02X_02X_02X_02X_02X_02X_02X_02X_02X_02X_02X_02X_02X] ; @"%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X"
0000000100001484         lea        rsi, qword [0x1000022f8]                    ; @selector(stringWithFormat:), argument "selector" for method _objc_msgSend_fixup
000000010000148b         mov        rdi, qword [rbp+var_58]                     ; argument "instance" for method _objc_msgSend_fixup
000000010000148f         xor        eax, eax
0000000100001491         call       qword [0x1000022f8]                         ; @selector(stringWithFormat:),_objc_msgSend_fixup
        ; Check 2, part c: hex digest isEqualToString: the string referenced through 0x100002770.
0000000100001497         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
000000010000149a         mov        rdx, qword [0x100002770]
00000001000014a1         lea        rsi, qword [0x100002308]                    ; @selector(isEqualToString:), argument "selector" for method _objc_msgSend_fixup
00000001000014a8         call       qword [0x100002308]                         ; @selector(isEqualToString:),_objc_msgSend_fixup
00000001000014ae         test       al, al
00000001000014b0         je         loc_100001666

        ; Check 3: [serial characterAtIndex:0xd] must be 0x46 (ASCII 'F'); only the low 16 bits (unichar) are compared.
00000001000014b6         mov        edx, 0xd
00000001000014bb         lea        rsi, qword [0x100002318]                    ; @selector(characterAtIndex:), argument "selector" for method _objc_msgSend_fixup
00000001000014c2         mov        rdi, r13                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000014c5         call       qword [0x100002318]                         ; @selector(characterAtIndex:),_objc_msgSend_fixup
00000001000014cb         cmp        ax, 0x46
00000001000014cf         jne        loc_100001666

        ; Check 4, part a: rbx = [name dataUsingEncoding:4]; r12 = its length; rax = MD5(bytes, len, NULL).
00000001000014d5         mov        edx, 0x4
00000001000014da         lea        rsi, qword [0x1000022b8]                    ; @selector(dataUsingEncoding:), argument "selector" for method _objc_msgSend_fixup
00000001000014e1         mov        rdi, r14                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000014e4         call       qword [0x1000022b8]                         ; @selector(dataUsingEncoding:),_objc_msgSend_fixup
00000001000014ea         mov        rbx, rax
00000001000014ed         lea        rsi, qword [0x1000022c8]                    ; @selector(length), argument "selector" for method _objc_msgSend_fixup
00000001000014f4         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000014f7         call       qword [0x1000022c8]                         ; @selector(length),_objc_msgSend_fixup
00000001000014fd         mov        r12, rax
0000000100001500         lea        rsi, qword [0x1000022e8]                    ; @selector(bytes), argument "selector" for method _objc_msgSend_fixup
0000000100001507         mov        rdi, rbx                                    ; argument "instance" for method _objc_msgSend_fixup
000000010000150a         call       qword [0x1000022e8]                         ; @selector(bytes),_objc_msgSend_fixup
0000000100001510         mov        rdi, rax                                    ; argument "d" for method imp___symbol_stub1__MD5
0000000100001513         xor        edx, edx                                    ; argument "md" for method imp___symbol_stub1__MD5
0000000100001515         mov        rsi, r12                                    ; argument "n" for method imp___symbol_stub1__MD5
0000000100001518         call       imp___symbol_stub1__MD5
        ; Check 4, part b: digest bytes 0..7 are passed as varargs, but the format only consumes 7 ("%02X" x7 = 14 hex chars).
000000010000151d         movzx      r9d, byte [rax+2]
0000000100001522         movzx      r8d, byte [rax+1]
0000000100001527         movzx      ecx, byte [rax]
000000010000152a         movzx      edx, byte [rax+7]
000000010000152e         mov        dword [rsp+0xd0+var_B0], edx
0000000100001532         movzx      edx, byte [rax+6]
0000000100001536         mov        dword [rsp+0xd0+var_B8], edx
000000010000153a         movzx      edx, byte [rax+5]
000000010000153e         mov        dword [rsp+0xd0+var_C0], edx
0000000100001542         movzx      edx, byte [rax+4]
0000000100001546         mov        dword [rsp+0xd0+var_C8], edx
000000010000154a         movzx      eax, byte [rax+3]
000000010000154e         mov        dword [rsp+0xd0+var_D0], eax
0000000100001551         lea        rdx, qword [cfstring__02X_02X_02X_02X_02X_02X_02X] ; @"%02X%02X%02X%02X%02X%02X%02X"
0000000100001558         lea        rsi, qword [0x1000022f8]                    ; @selector(stringWithFormat:), argument "selector" for method _objc_msgSend_fixup
000000010000155f         mov        rdi, qword [rbp+var_58]                     ; argument "instance" for method _objc_msgSend_fixup
0000000100001563         xor        eax, eax
0000000100001565         call       qword [0x1000022f8]                         ; @selector(stringWithFormat:),_objc_msgSend_fixup
        ; rbx = first 7 chars of that hex string.
000000010000156b         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
000000010000156e         mov        edx, 0x7
0000000100001573         lea        rsi, qword [0x1000022d8]                    ; @selector(substringToIndex:), argument "selector" for method _objc_msgSend_fixup
000000010000157a         call       qword [0x1000022d8]                         ; @selector(substringToIndex:),_objc_msgSend_fixup
0000000100001580         mov        rbx, rax
        ; Check 4, part c: [serial substringWithRange:{location 6, length 7}] isEqualToString: rbx.
        ; The NSRange travels in rdx/rcx; the var_38/var_40 stores look like an unused spill of the same range.
0000000100001583         mov        qword [rbp+var_38], 0x7
000000010000158b         mov        qword [rbp+var_40], 0x6
0000000100001593         mov        edx, 0x6
0000000100001598         mov        ecx, 0x7
000000010000159d         lea        rsi, qword [0x100002328]                    ; @selector(substringWithRange:), argument "selector" for method _objc_msgSend_fixup
00000001000015a4         mov        rdi, r13                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000015a7         call       qword [0x100002328]                         ; @selector(substringWithRange:),_objc_msgSend_fixup
00000001000015ad         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000015b0         mov        rdx, rbx
00000001000015b3         lea        rsi, qword [0x100002308]                    ; @selector(isEqualToString:), argument "selector" for method _objc_msgSend_fixup
00000001000015ba         call       qword [0x100002308]                         ; @selector(isEqualToString:),_objc_msgSend_fixup
00000001000015c0         test       al, al
00000001000015c2         je         loc_100001666

        ; Check 5: [[serial substringWithRange:{14,2}] dataUsingEncoding:4] isEqualToData: r15 (the data built at the top).
00000001000015c8         mov        qword [rbp+var_48], 0x2
00000001000015d0         mov        qword [rbp+var_50], 0xe
00000001000015d8         mov        edx, 0xe
00000001000015dd         mov        ecx, 0x2
00000001000015e2         lea        rsi, qword [0x100002328]                    ; @selector(substringWithRange:), argument "selector" for method _objc_msgSend_fixup
00000001000015e9         mov        rdi, r13                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000015ec         call       qword [0x100002328]                         ; @selector(substringWithRange:),_objc_msgSend_fixup
00000001000015f2         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000015f5         mov        edx, 0x4
00000001000015fa         lea        rsi, qword [0x1000022b8]                    ; @selector(dataUsingEncoding:), argument "selector" for method _objc_msgSend_fixup
0000000100001601         call       qword [0x1000022b8]                         ; @selector(dataUsingEncoding:),_objc_msgSend_fixup
0000000100001607         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
000000010000160a         mov        rdx, r15
000000010000160d         lea        rsi, qword [0x100002338]                    ; @selector(isEqualToData:), argument "selector" for method _objc_msgSend_fixup
0000000100001614         call       qword [0x100002338]                         ; @selector(isEqualToData:),_objc_msgSend_fixup
000000010000161a         test       al, al
000000010000161c         je         loc_100001666

        ; Accept path: [[NSNotificationCenter defaultCenter] postNotificationName:@"Registered" object:self]
        ; (rcx = self from var_60), issued as a tail jump after restoring the callee-saved registers.
000000010000161e         mov        rdi, qword [objc_cls_ref_NSNotificationCenter] ; argument "instance" for method _objc_msgSend_fixup
0000000100001625         lea        rsi, qword [0x100002238]                    ; @selector(defaultCenter), argument "selector" for method _objc_msgSend_fixup
000000010000162c         call       qword [0x100002238]                         ; @selector(defaultCenter),_objc_msgSend_fixup
0000000100001632         mov        rdi, rax                                    ; argument "instance" for method _objc_msgSend_fixup
0000000100001635         mov        rcx, qword [rbp+var_60]
0000000100001639         lea        rdx, qword [cfstring_Registered]            ; @"Registered"
0000000100001640         lea        rsi, qword [0x100002348]                    ; @selector(postNotificationName:object:), argument "selector" for method _objc_msgSend_fixup
0000000100001647         mov        r11, qword [0x100002348]                    ; @selector(postNotificationName:object:)
000000010000164e         mov        rbx, qword [rbp+var_28]
0000000100001652         mov        r12, qword [rbp+var_20]
0000000100001656         mov        r13, qword [rbp+var_18]
000000010000165a         mov        r14, qword [rbp+var_10]
000000010000165e         mov        r15, qword [rbp+var_8]
0000000100001662         leave
0000000100001663         jmp        r11                                         ; _objc_msgSend_fixup
                        ; endp

        ; Reject path shared by all five checks.  rax is not assigned here, so the
        ; value returned to the caller is whatever the last call left behind.
                     loc_100001666:
0000000100001666         mov        rbx, qword [rbp+var_28]                     ; CODE XREF=-[PieAppDelegate verifySerial:andName:]+89, -[PieAppDelegate verifySerial:andName:]+366, -[PieAppDelegate verifySerial:andName:]+397, -[PieAppDelegate verifySerial:andName:]+640, -[PieAppDelegate verifySerial:andName:]+730
000000010000166a         mov        r12, qword [rbp+var_20]
000000010000166e         mov        r13, qword [rbp+var_18]
0000000100001672         mov        r14, qword [rbp+var_10]
0000000100001676         mov        r15, qword [rbp+var_8]
000000010000167a         leave
000000010000167b         ret
                        ; endp

在此方法中還引用了兩個常量字符串@"BC",@"66EAD6FE7CBE7987B7C4B1A1EED0E5A5"。如下。

0000000100002767         db  0x00 ; '.'
0000000100002768         dq         0x0000000100002168                          ; @"BC", DATA XREF=-[PieAppDelegate verifySerial:andName:]+41
0000000100002770         dq         0x0000000100002188                          ; @"66EAD6FE7CBE7987B7C4B1A1EED0E5A5", DATA XREF=-[PieAppDelegate verifySerial:andName:]+344
0000000100002778         db  0x00 ; '.'

其中,此方法開頭有如下引用。得知@“BC”存入了r15。

000000010000136b         mov        rdi, qword [0x100002768]                    ; argument "instance" for method _objc_msgSend_fixup
0000000100001372         mov        edx, 0x4
0000000100001377         lea        rsi, qword [0x1000022b8]
0000000100001384         mov        r15, rax

首先,判斷Serial的length長度是否是16(0x10)位,如果不是,則失敗。如果長度符合,則取Serial前6位進行MD5加密,加密后的字符串截取前7位,和@"66EAD6FE7CBE7987B7C4B1A1EED0E5A5"比較,如果不相等,失敗。如果相等,則繼續。關鍵跳轉如下。

000000010000149a         mov        rdx, qword [0x100002770]
00000001000014a1         lea        rsi, qword [0x100002308]                    ; @selector(isEqualToString:), argument "selector" for method _objc_msgSend_fixup
00000001000014a8         call       qword [0x100002308]                         ; @selector(isEqualToString:),_objc_msgSend_fixup
00000001000014ae         test       al, al
00000001000014b0         je         loc_100001666

所以,@"66EAD6FE7CBE7987B7C4B1A1EED0E5A5"反向MD5就得出Serial的前六位。即:KRACK- 。
接下來如下代碼,比較Serial的第14位是否與F相等,不相等,則失敗。

00000001000014b6         mov        edx, 0xd
00000001000014bb         lea        rsi, qword [0x100002318]                    ; @selector(characterAtIndex:), argument "selector" for method _objc_msgSend_fixup
00000001000014c2         mov        rdi, r13                                    ; argument "instance" for method _objc_msgSend_fixup
00000001000014c5         call       qword [0x100002318]                         ; @selector(characterAtIndex:),_objc_msgSend_fixup
00000001000014cb         cmp        ax, 0x46
00000001000014cf         jne        loc_100001666

后面一大段,將Name進行MD5加密,截取前7位(大寫),和Serial的7-13位比較,不相等,則失敗。如果相等,最后校驗Serial最后的15-16位。
代碼如下。

000000010000160a         mov        rdx, r15
000000010000160d         lea        rsi, qword [0x100002338]                    ; @selector(isEqualToData:), argument "selector" for method _objc_msgSend_fixup
0000000100001614         call       qword [0x100002338]                         ; @selector(isEqualToData:),_objc_msgSend_fixup
000000010000161a         test       al, al
000000010000161c         je         loc_100001666

此段代碼將Serial的后兩位與r15相比較。如果相等,則通過。根據(jù)上面的分析,r15為BC。所以得出Serial的最后兩位為BC。

0x2 Keygen算法

根據上述分析(動態分析過程略),得出Keygen算法如下。

 Serial ="KRACK-"+ MD5(Name).upCase().subStringWithRange(0,7)+"FBC"

設Name為MyTest。則MD5(Name).upCase().subStringWithRange(0,7)為:1A1220A,所以得出Serial為:KRACK-1A1220AFBC。

程序驗證,Success。:)!

Snip20171015_5.png
Snip20171015_4.png