本破解练习来自MSJ2009 Challenge#1，下载地址如下：https://reverse.put.as/wp-content/uploads/2010/05/MSJ20091.zip。
破解起来稍显麻烦，主要是Keygen的算法比较晦涩难懂。
打开运行，如下。输入正确的Name及Serial才能注册。

Snip20171021_2.png

Snip20171021_1.png

0x1 代码分析

在Hopper中打开Challenge #1，可以看到关键校验代码如下。

        ; ================ B E G I N N I N G   O F   P R O C E D U R E ================

        ; Variables:
        ;    arg_C: 20
        ;    arg_8: 16
        ;    _cmd: void *12
        ;    self: void *8
        ;    var_1C: -28
        ;    var_20: -32
        ;    var_24: -36
        ;    var_28: -40
        ;    var_2C: -44
        ;    var_30: -48
        ;    var_3C: -60
        ;    var_40: -64
        ;    var_44: -68
        ;    var_48: -72


             -[Level1 validateSerial:forName:]:
00002a9e         push       ebp                                                 ; Objective C Implementation defined at 0x40f4 (instance method)
00002a9f         mov        ebp, esp
00002aa1         push       edi
00002aa2         push       esi
00002aa3         push       ebx
00002aa4         sub        esp, 0x3c
00002aa7         mov        eax, dword [objc_msg_length]                        ; @selector(length)
00002aac         mov        dword [esp+0x48+var_44], eax                        ; argument #2 for method imp___jump_table__objc_msgSend
00002ab0         mov        eax, dword [ebp+arg_8]
00002ab3         mov        dword [esp+0x48+var_48], eax                        ; argument #1 for method imp___jump_table__objc_msgSend
00002ab6         call       imp___jump_table__objc_msgSend
00002abb         cmp        eax, 0x8
00002abe         jne        loc_2c4e

00002ac4         mov        eax, dword [objc_msg_lossyCString]                  ; @selector(lossyCString)
00002ac9         mov        esi, 0x4
00002ace         xor        ebx, ebx
00002ad0         mov        dword [esp+0x48+var_44], eax                        ; argument #2 for method imp___jump_table__objc_msgSend
00002ad4         mov        eax, dword [ebp+arg_C]
00002ad7         mov        dword [esp+0x48+var_48], eax                        ; argument #1 for method imp___jump_table__objc_msgSend
00002ada         call       imp___jump_table__objc_msgSend
00002adf         mov        dword [esp+0x48+var_48], eax                        ; argument #1 for method imp___jump_table__strlen
00002ae2         mov        edi, eax
00002ae4         call       imp___jump_table__strlen
00002ae9         xor        ecx, ecx
00002aeb         mov        dword [ebp+var_30], eax
00002aee         jmp        loc_2b27

             loc_2af0:
00002af0         movsx      eax, byte [edi+ebx]                                 ; CODE XREF=-[Level1 validateSerial:forName:]+140
00002af4         inc        ebx
00002af5         imul       eax, esi
00002af8         add        esi, 0x4
00002afb         mov        edx, eax
00002afd         shl        edx, 0x4
00002b00         sub        edx, eax
00002b02         mov        eax, 0x68db8bad
00002b07         lea        ecx, dword [edx+ecx+0x29a]
00002b0e         imul       ecx
00002b10         mov        eax, ecx
00002b12         sar        eax, 0x1f
00002b15         sar        edx, 0xc
00002b18         sub        edx, eax
00002b1a         mov        eax, ecx
00002b1c         imul       edx, edx, 0x2710
00002b22         sub        eax, edx
00002b24         mov        dword [ebp+var_20], eax

             loc_2b27:
00002b27         cmp        dword [ebp+var_30], ebx                             ; CODE XREF=-[Level1 validateSerial:forName:]+80
00002b2a         ja         loc_2af0

00002b2c         mov        eax, dword [ebp+var_20]
00002b2f         mov        esi, 0x4
00002b34         xor        ebx, ebx
00002b36         mov        dword [esp+0x48+var_40], 0x3078                     ; @"%i"
00002b3e         mov        dword [esp+0x48+var_3C], eax
00002b42         mov        eax, dword [objc_msg_stringWithFormat_]             ; @selector(stringWithFormat:)
00002b47         mov        dword [esp+0x48+var_44], eax                        ; argument #2 for method imp___jump_table__objc_msgSend
00002b4b         mov        eax, dword [cls_NSString]                           ; cls_NSString
00002b50         mov        dword [esp+0x48+var_48], eax                        ; argument #1 for method imp___jump_table__objc_msgSend
00002b53         call       imp___jump_table__objc_msgSend
00002b58         mov        dword [esp+0x48+var_48], edi                        ; argument #1 for method imp___jump_table__strlen
00002b5b         mov        dword [ebp+var_28], eax
00002b5e         call       imp___jump_table__strlen
00002b63         xor        ecx, ecx
00002b65         mov        dword [ebp+var_2C], eax
00002b68         jmp        loc_2b9c

             loc_2b6a:
00002b6a         movsx      eax, byte [edi+ebx]                                 ; CODE XREF=-[Level1 validateSerial:forName:]+257
00002b6e         inc        ebx
00002b6f         imul       eax, esi
00002b72         add        esi, 0x8
00002b75         lea        edx, dword [eax+eax*4]
00002b78         lea        edx, dword [eax+edx*2+0x2d]
00002b7c         mov        eax, 0x68db8bad
00002b81         add        ecx, edx
00002b83         imul       ecx
00002b85         mov        eax, ecx
00002b87         sar        eax, 0x1f
00002b8a         sar        edx, 0xc
00002b8d         sub        edx, eax
00002b8f         mov        eax, ecx
00002b91         imul       edx, edx, 0x2710
00002b97         sub        eax, edx
00002b99         mov        dword [ebp+var_1C], eax

             loc_2b9c:
00002b9c         cmp        ebx, dword [ebp+var_2C]                             ; CODE XREF=-[Level1 validateSerial:forName:]+202
00002b9f         jb         loc_2b6a

00002ba1         mov        eax, dword [ebp+var_1C]
00002ba4         mov        esi, 0x4
00002ba9         xor        ebx, ebx
00002bab         mov        dword [esp+0x48+var_40], 0x3078                     ; @"%i"
00002bb3         mov        edi, 0x4
00002bb8         mov        dword [esp+0x48+var_3C], eax
00002bbc         mov        eax, dword [objc_msg_stringWithFormat_]             ; @selector(stringWithFormat:)
00002bc1         mov        dword [esp+0x48+var_44], eax                        ; argument #2 for method imp___jump_table__objc_msgSend
00002bc5         mov        eax, dword [cls_NSString]                           ; cls_NSString
00002bca         mov        dword [esp+0x48+var_48], eax                        ; argument #1 for method imp___jump_table__objc_msgSend
00002bcd         call       imp___jump_table__objc_msgSend
00002bd2         mov        dword [esp+0x48+var_40], ebx
00002bd6         mov        dword [esp+0x48+var_3C], esi
00002bda         mov        dword [ebp+var_24], eax
00002bdd         mov        eax, dword [objc_msg_substringWithRange_]           ; @selector(substringWithRange:)
00002be2         mov        dword [esp+0x48+var_44], eax                        ; argument #2 for method imp___jump_table__objc_msgSend
00002be6         mov        eax, dword [ebp+arg_8]
00002be9         mov        dword [esp+0x48+var_48], eax                        ; argument #1 for method imp___jump_table__objc_msgSend
00002bec         call       imp___jump_table__objc_msgSend
00002bf1         mov        dword [esp+0x48+var_40], esi
00002bf5         mov        dword [esp+0x48+var_3C], edi
00002bf9         mov        ebx, eax
00002bfb         mov        eax, dword [objc_msg_substringWithRange_]           ; @selector(substringWithRange:)
00002c00         mov        dword [esp+0x48+var_44], eax                        ; argument #2 for method imp___jump_table__objc_msgSend
00002c04         mov        eax, dword [ebp+arg_8]
00002c07         mov        dword [esp+0x48+var_48], eax                        ; argument #1 for method imp___jump_table__objc_msgSend
00002c0a         call       imp___jump_table__objc_msgSend
00002c0f         mov        dword [esp+0x48+var_48], ebx                        ; argument #1 for method imp___jump_table__objc_msgSend
00002c12         mov        esi, eax
00002c14         mov        eax, dword [ebp+var_28]
00002c17         mov        dword [esp+0x48+var_40], eax
00002c1b         mov        eax, dword [objc_msg_isEqual_]                      ; @selector(isEqual:)
00002c20         mov        dword [esp+0x48+var_44], eax                        ; argument #2 for method imp___jump_table__objc_msgSend
00002c24         call       imp___jump_table__objc_msgSend
00002c29         test       al, al
00002c2b         je         loc_2c4e

00002c2d         mov        eax, dword [ebp+var_24]
00002c30         mov        dword [esp+0x48+var_48], esi                        ; argument #1 for method imp___jump_table__objc_msgSend
00002c33         mov        dword [esp+0x48+var_40], eax
00002c37         mov        eax, dword [objc_msg_isEqual_]                      ; @selector(isEqual:)
00002c3c         mov        dword [esp+0x48+var_44], eax                        ; argument #2 for method imp___jump_table__objc_msgSend
00002c40         call       imp___jump_table__objc_msgSend
00002c45         mov        edx, 0x1
00002c4a         test       al, al
00002c4c         jne        loc_2c50

             loc_2c4e:
00002c4e         xor        edx, edx                                            ; CODE XREF=-[Level1 validateSerial:forName:]+32, -[Level1 validateSerial:forName:]+397

             loc_2c50:
00002c50         add        esp, 0x3c                                           ; CODE XREF=-[Level1 validateSerial:forName:]+430
00002c53         mov        eax, edx
00002c55         pop        ebx
00002c56         pop        esi
00002c57         pop        edi
00002c58         leave
00002c59         ret
                        ; endp

首先，判断Serial的长度是否为8位，见下面代码。如不是8位，则失败，如果等于8位则继续下一步。

00002ab6         call       imp___jump_table__objc_msgSend
00002abb         cmp        eax, 0x8
00002abe         jne        loc_2c4e

接着， loc_2af0 代码段为一段循环，遍历输入的Name，取其中每一位字符ASCII码计算，算法见loc_2af0。计算的结果为Serial的第一部分Part1。loc_2b6a代码段为第二个循环，同样遍历输入的Name，取其中每一位字符ASCII码计算，算法见loc_2b6a。计算的结果为Serial的第二部分Part2。

最后一段【00002ba1-00002c4c】代码，分别取输入的Serial的前4位和后4位字符串与上面计算等到的Part1 、Part2比较，相等则验证通过。

0x2 Keygen算法

根据分析，可以得出Keygen算法。具体的实现，使用一个小技巧，就是用高级语言完全复制上述计算Part1、Part2的汇编代码。这里用Objective C示例如下。

- (NSString*)part1ByName:(NSString *)name {
    signed long esi = 0x4;
    signed long ecx = 0;
    signed long edx = 0;
    signed long eax = 0;
    for (int i = 0; i<name.length;i++) {
        eax = [name characterAtIndex:i];
        eax *= esi;
        esi += 0x4;
        edx = eax;
        edx = edx<<0x4;
        edx -= eax;
        eax = 0x68db8bad;
        ecx = edx + ecx + 0x29a;
        eax = ((ecx * 0x68db8bad) & 0x00000000ffffffff)>>32>>0x1f;
        eax = ecx;
        eax = eax>>0x1f;
        edx =((ecx * 0x68db8bad) & 0xffffffff00000000)>>32>>(0xc);
        edx = edx - eax;
        eax = ecx;
        edx *= 0x2710;
        eax = eax - edx;
    }
    return [NSString stringWithFormat:@"%d",eax];
}
- (NSString*)part2ByName:(NSString *)name {
    signed long esi = 0x4;
    signed long ecx = 0;
    signed long edx = 0;
    signed long eax = 0;
    for (int i = 0; i<name.length;i++) {
        eax = [name characterAtIndex:i];
        eax  *= esi;
        esi += 0x8;
        edx = eax + eax*4;
        edx = eax + edx*2 + 0x2d;
        eax = 0x68db8bad;
        ecx += edx;
        eax = ((ecx * 0x68db8bad) & 0x00000000ffffffff)>>32>>0x1f;
        eax = ecx;
        eax = eax>>0x1f;
        edx =((ecx * 0x68db8bad) & 0xffffffff00000000)>>32>>(0xc);
        edx = edx - eax;
        eax = ecx;
        edx *= 0x2710;
        eax = eax - edx;
    }
    return [NSString stringWithFormat:@"%d",eax];
}
- (NSString *)keyGen:(id)sender {
    NSString *name = @"qwer";
    NSString *serial = [NSString stringWithFormat:@"%@%@",
                     [self part1ByName:name],
                     [self part2ByName:name]];
  return serial;
}

0x3 程序验证

设输入的Name为qwer，根据上述Keygen算法得Serial为92648192，代入程序，验证Success，：）！

Snip20171022_3.png

Snip20171022_4.png