[Title]: Analysis of riijj Crackme 14
[Author]: patapon
[Download]: search for it yourself
[Protection]: SEH, serial number
[Tools]: PEiD, OllyDbg
[Author's note]: Just out of interest, no other purpose. If I have made mistakes, please point them out!
--------------------------------------------------------------------------------
[Detailed process]
First, check the target with PEiD: it reports Microsoft Visual C++ 6.0. Load it in OllyDbg and press F9 to run; an exception occurs:
00401ADD . 33C0 XOR EAX,EAX
00401ADF . C600 00 MOV BYTE PTR DS:[EAX],0 <= exception raised here
00401AE2 . C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
00401AE9 . EB 4C JMP SHORT riijjcra.00401B37
00401AEB . B8 01000000 MOV EAX,1
00401AF0 . C3 RETN
Look at the stack:
0012FF24 0012FFB0 Pointer to next SEH record
0012FF28 00401D5C SE handler
0012FF2C 00407148 riijjcra.00407148
Type D 407148 in the command line window:
00407148 FF FF FF FF EB 1A 40 00 F1 1A 40 00 FF FF FF FF ?@.?@.
00407158 06 1B 40 00 0C 1B 40 00 FF FF FF FF 1D 1B 40 00 @..@.@.
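As an added example (my own code, not part of the original post), here is a small Python parser for the dump above. It reads the bytes at 407148 as the MSVC VC6 SEH scope table that belongs to the 401D5C handler pushed by prologues such as the one at 4011F0 (push -1 / push scope table / push 401D5C / mov eax,fs:[0]): each 12-byte entry is EnclosingLevel, FilterFunc, HandlerFunc, indexed by the try level the frame keeps in [EBP-4]. The byte string is constructed from the two dump lines; the third entry is cut off in the dump, so the parser reports its handler as unknown rather than guessing.

```python
import struct

# Constructed from the two dump lines the post shows for "D 407148".
DUMP_407148 = bytes.fromhex(
    "FFFFFFFF EB1A4000 F11A4000 FFFFFFFF"
    "061B4000 0C1B4000 FFFFFFFF 1D1B4000"
)


def parse_scope_table(blob, base=0x407148):
    """Decode an MSVC (VC6, __except_handler3) SEH scope table.

    Each entry is three little-endian DWORDs:
      EnclosingLevel : -1 marks an outermost __try block
      FilterFunc     : the __except(...) filter; in this crackme they are just
                       MOV EAX,1 / RETN, i.e. EXCEPTION_EXECUTE_HANDLER
      HandlerFunc    : where execution resumes once the filter accepts
    Entries are indexed by try level (the value kept in [EBP-4]).
    A truncated final entry (the dump stops after 32 bytes) is kept with
    handler=None instead of being guessed.
    """
    entries = []
    for off in range(0, len(blob), 12):
        chunk = blob[off:off + 12]
        if len(chunk) < 8:
            break
        level, filt = struct.unpack_from("<iI", chunk, 0)
        handler = struct.unpack_from("<I", chunk, 8)[0] if len(chunk) == 12 else None
        entries.append({
            "try_level": off // 12,
            "address": base + off,
            "level": level,
            "filter": filt,
            "handler": handler,
        })
    return entries


def resume_address(entries, try_level):
    """Given the try level active when the exception fired ([EBP-4]), return
    the address the handler continues at (where Shift+F9 hands control)."""
    entry = entries[try_level]
    if entry["handler"] is None:
        raise ValueError("handler address is not present in the dump")
    return entry["handler"]


if __name__ == "__main__":
    for e in parse_scope_table(DUMP_407148):
        h = "?" if e["handler"] is None else f"{e['handler']:08X}"
        print(f"try level {e['try_level']}: filter {e['filter']:08X} -> handler {h}")
```

Running it prints filter 00401AEB with handler 00401AF1 for try level 0, which is exactly the filter stub (MOV EAX,1 / RETN at 401AEB) and the continuation address the post identifies; the second entry pairs the stub at 401B06 with 401B0C in the same way.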
After this exception is handled, execution continues at 00401AF1, so we set a breakpoint there and press Shift+F9 to pass the exception to the program. After Shift+F9 we land here:
00401AFB . 33C0 XOR EAX,EAX
00401AFD . 33D2 XOR EDX,EDX
00401AFF . F7F0 DIV EAX <= exception raised here
00401B01 . 83C8 FF OR EAX,FFFFFFFF
00401B04 . EB 2B JMP SHORT riijjcra.00401B31
00401B06 . B8 01000000 MOV EAX,1
00401B0B . C3 RETN
We pass this exception the same way, until we reach the point below and find that the crackme terminates by itself:
00401B23 . 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
00401B26 . E8 F5FDFFFF CALL riijjcra.00401920 <= once this call is stepped over, the crackme dies
00401B2B > 83C8 FF OR EAX,FFFFFFFF
00401B2E . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00401B31 > 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00401B34 . 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00401B37 > 33C0 XOR EAX,EAX
Let's press F7 and step into it:
00401920 /$ 83EC 4C SUB ESP,4C
00401923 |. 53 PUSH EBX
00401924 |. 55 PUSH EBP
00401925 |. 56 PUSH ESI
00401926 |. 33ED XOR EBP,EBP
00401928 |. 57 PUSH EDI
00401929 |. 55 PUSH EBP ; /pModule => NULL
0040192A |. FF15 04704000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA
00401930 |. 8B3D BC704000 MOV EDI,DWORD PTR DS:[<&USER32.LoadIconA>] ; USER32.LoadIconA
00401936 |. 8BF0 MOV ESI,EAX
00401938 |. 6A 65 PUSH 65 ; /RsrcName = 101.
0040193A |. 56 PUSH ESI ; |hInst
0040193B |. C74424 34 300>MOV DWORD PTR SS:[ESP+34],30 ; |
00401943 |. 896C24 38 MOV DWORD PTR SS:[ESP+38],EBP ; |
00401947 |. C74424 3C 101>MOV DWORD PTR SS:[ESP+3C],riijjcra.00401810 ; |<= important: window procedure address
0040194F |. 896C24 40 MOV DWORD PTR SS:[ESP+40],EBP ; |
00401953 |. 896C24 44 MOV DWORD PTR SS:[ESP+44],EBP ; |
00401957 |. 897424 48 MOV DWORD PTR SS:[ESP+48],ESI ; |
0040195B |. FFD7 CALL EDI ; \LoadIconA
0040195D |. 68 007F0000 PUSH 7F00 ; /RsrcName = IDC_ARROW
00401962 |. 55 PUSH EBP ; |hInst => NULL
00401963 |. 894424 4C MOV DWORD PTR SS:[ESP+4C],EAX ; |
00401967 |. FF15 C0704000 CALL DWORD PTR DS:[<&USER32.LoadCursorA>] ; \LoadCursorA
0040196D |. 6A 65 PUSH 65 ; /RsrcName = 101.
0040196F |. 56 PUSH ESI ; |hInst
00401970 |. 894424 50 MOV DWORD PTR SS:[ESP+50],EAX ; |
00401974 |. C74424 54 100>MOV DWORD PTR SS:[ESP+54],10 ; |
0040197C |. 896C24 58 MOV DWORD PTR SS:[ESP+58],EBP ; |
00401980 |. C74424 5C 187>MOV DWORD PTR SS:[ESP+5C],riijjcra.00407118 ; |ASCII "myWindowClass"
00401988 |. FFD7 CALL EDI ; \LoadIconA
0040198A |. 894424 58 MOV DWORD PTR SS:[ESP+58],EAX
0040198E |. 8D4424 2C LEA EAX,DWORD PTR SS:[ESP+2C]
00401992 |. 50 PUSH EAX ; /pWndClassEx
00401993 |. C705 30A64000>MOV DWORD PTR DS:[40A630],riijjcra.00401490 ; |
0040199D |. FF15 C4704000 CALL DWORD PTR DS:[<&USER32.RegisterClassExA>] ; \RegisterClassExA
004019A3 |. 8B3D C8704000 MOV EDI,DWORD PTR DS:[<&USER32.GetSystemMetrics>] ; USER32.GetSystemMetrics
004019A9 |. 55 PUSH EBP ; /Index => SM_CXSCREEN
004019AA |. FFD7 CALL EDI ; \GetSystemMetrics
004019AC |. 6A 01 PUSH 1 ; /Index = SM_CYSCREEN
004019AE |. 8BD8 MOV EBX,EAX ; |
004019B0 |. FFD7 CALL EDI ; \GetSystemMetrics
004019B2 |. 99 CDQ
004019B3 |. 55 PUSH EBP ; /lParam => NULL
004019B4 |. 2BC2 SUB EAX,EDX ; |
004019B6 |. 56 PUSH ESI ; |hInst
004019B7 |. 55 PUSH EBP ; |hMenu => NULL
004019B8 |. D1F8 SAR EAX,1 ; |
004019BA |. 55 PUSH EBP ; |hParent => NULL
004019BB |. 68 C8000000 PUSH 0C8 ; |Height = C8 (200.)
004019C0 |. 83E8 64 SUB EAX,64 ; |
004019C3 |. 68 2C010000 PUSH 12C ; |Width = 12C (300.)
004019C8 |. 50 PUSH EAX ; |Y
004019C9 |. 8BC3 MOV EAX,EBX ; |
004019CB |. 99 CDQ ; |
004019CC |. 2BC2 SUB EAX,EDX ; |
004019CE |. D1F8 SAR EAX,1 ; |
004019D0 |. 2D 96000000 SUB EAX,96 ; |
004019D5 |. 50 PUSH EAX ; |X
004019D6 |. 68 00008A00 PUSH 8A0000 ; |Style = WS_OVERLAPPED|WS_MINIMIZEBOX|WS_SYSMENU|WS_BORDER
004019DB |. 68 60804000 PUSH riijjcra.00408060 ; |WindowName = "Riijj crackme 14 - 20071101"
004019E0 |. 68 18714000 PUSH riijjcra.00407118 ; |Class = "myWindowClass"
004019E5 |. 55 PUSH EBP ; |ExtStyle => 0
004019E6 |. FF15 CC704000 CALL DWORD PTR DS:[<&USER32.CreateWindowExA>] ; \CreateWindowExA
We find that the crackme dies right after the CreateWindowExA call. We suspect something fishy in the window procedure, so let's go and have a look:
00401810 . 56 PUSH ESI
00401811 . 8B7424 0C MOV ESI,DWORD PTR SS:[ESP+C]
00401815 . 8BC6 MOV EAX,ESI
00401817 . 83E8 02 SUB EAX,2 ; Switch (cases 2..10)
0040181A . 74 35 JE SHORT riijjcra.00401851
0040181C . 83E8 0E SUB EAX,0E
0040181F . 74 1F JE SHORT riijjcra.00401840
00401821 E8 CAFAFFFF CALL riijjcra.004012F0 ; Default case of switch 00401817
00401826 . 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
0040182A . 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
0040182E . 8B5424 08 MOV EDX,DWORD PTR SS:[ESP+8]
00401832 . 50 PUSH EAX ; /lParam
00401833 . 51 PUSH ECX ; |wParam
00401834 . 56 PUSH ESI ; |Message
00401835 . 52 PUSH EDX ; |hWnd
00401836 . FF15 FC704000 CALL DWORD PTR DS:[<&USER32.DefWindowProcA>] ; \DefWindowProcA
0040183C . 5E POP ESI
0040183D . C2 1000 RETN 10
00401840 > 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8] ; Case 10 of switch 00401817
00401844 . 50 PUSH EAX ; /hWnd
00401845 . FF15 00714000 CALL DWORD PTR DS:[<&USER32.DestroyWindow>] ; \DestroyWindow
0040184B . 33C0 XOR EAX,EAX
0040184D . 5E POP ESI
0040184E . C2 1000 RETN 10
00401851 > 6A 00 PUSH 0 ; /ExitCode = 0; Case 2 of switch 00401817
00401853 . FF15 04714000 CALL DWORD PTR DS:[<&USER32.PostQuitMessage>] ; \PostQuitMessage
00401859 . 33C0 XOR EAX,EAX
0040185B . 5E POP ESI
0040185C . C2 1000 RETN 10
After NOPing out the CALL at 401821, the crackme runs normally. As for how it works, go and take a look yourselves; I haven't figured it out either, O(∩_∩)O haha~
004012F0 $ 8B0D 40A64000 MOV ECX,DWORD PTR DS:[40A640]
004012F6 . 56 PUSH ESI
004012F7 . 8BC1 MOV EAX,ECX
004012F9 . 33D2 XOR EDX,EDX
004012FB . BE E8030000 MOV ESI,3E8
00401300 . F7F6 DIV ESI
00401302 . 41 INC ECX
00401303 . 5E POP ESI
00401304 . 890D 40A64000 MOV DWORD PTR DS:[40A640],ECX
0040130A . 85D2 TEST EDX,EDX
0040130C . 75 05 JNZ SHORT riijjcra.00401313
0040130E .^ E9 DDFEFFFF JMP riijjcra.004011F0
00401313 > C3 RETN
The jmp takes us here:
004011F0 > /55 PUSH EBP
004011F1 . |8BEC MOV EBP,ESP
004011F3 . |6A FF PUSH -1
004011F5 . |68 28714000 PUSH riijjcra.00407128
004011FA . |68 5C1D4000 PUSH riijjcra.00401D5C ; SE handler installation
004011FF . |64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00401205 . |50 PUSH EAX
00401206 . |64:8925 00000>MOV DWORD PTR FS:[0],ESP
0040120D . |83EC 08 SUB ESP,8
00401210 . |53 PUSH EBX
00401211 . |56 PUSH ESI
00401212 . |57 PUSH EDI
00401213 . |8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00401216 . |C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
0040121D . |6A 01 PUSH 1 ; /hObject = 00000001
0040121F . |FF15 08704000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; \CloseHandle
00401225 . |EB 0E JMP SHORT riijjcra.00401235
00401227 . |B8 01000000 MOV EAX,1
0040122C . |C3 RETN
0040122D . |8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
00401230 . |E8 ABFFFFFF CALL riijjcra.004011E0
00401235 > |C745 FC FFFFF>MOV DWORD PTR SS:[EBP-4],-1
0040123C . |8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
0040123F . |64:890D 00000>MOV DWORD PTR FS:[0],ECX
00401246 . |5F POP EDI
00401247 . |5E POP ESI
00401248 . |5B POP EBX
00401249 . |8BE5 MOV ESP,EBP
0040124B . |5D POP EBP
0040124C . |C3 RETN
After we NOP out that call, the crackme runs normally. We enter name: pediy, code: 123456 and click register, and the crackme seems to freeze and stops responding. Looks like there is another trap; let's keep looking O(∩_∩)O~
Below the CreateWindowExA call there are two SetTimer calls:
004019EC |. 8B3D D0704000 MOV EDI,DWORD PTR DS:[<&USER32.SetTimer>] ; USER32.SetTimer
004019F2 |. 68 A0184000 PUSH riijjcra.004018A0 ; /Timerproc = riijjcra.004018A0
004019F7 |. 6A 64 PUSH 64 ; |Timeout = 100. ms
004019F9 |. 6A 01 PUSH 1 ; |TimerID = 1
004019FB |. 50 PUSH EAX ; |hWnd
004019FC |. A3 38A64000 MOV DWORD PTR DS:[40A638],EAX ; |
00401A01 |. FFD7 CALL EDI ; \SetTimer
00401A03 |. 8B0D 38A64000 MOV ECX,DWORD PTR DS:[40A638]
00401A09 |. 68 F0174000 PUSH riijjcra.004017F0 ; /Timerproc = riijjcra.004017F0
00401A0E |. 68 E8030000 PUSH 3E8 ; |Timeout = 1000. ms
00401A13 |. 6A 02 PUSH 2 ; |TimerID = 2
00401A15 |. 51 PUSH ECX ; |hWnd => 001403C8 ('Riijj crackme 14 - 20071101',class='myWindowClass')
00401A16 |. FFD7 CALL EDI ; \SetTimer
Let's go and look at the second timer's function:
004017F0 E8 6BFAFFFF CALL riijjcra.00401260 <= step into this
004017F5 . 84C0 TEST AL,AL
004017F7 . C705 30A64000>MOV DWORD PTR DS:[40A630],riijjcra.00401>
00401801 . 74 0A JE SHORT riijjcra.0040180D
00401803 . C705 30A64000>MOV DWORD PTR DS:[40A630],riijjcra.00401>
0040180D > C2 1000 RETN 10
00401260 $ 55 PUSH EBP
00401261 . 8BEC MOV EBP,ESP
00401263 . 6A FF PUSH -1
00401265 . 68 38714000 PUSH riijjcra.00407138
0040126A . 68 5C1D4000 PUSH riijjcra.00401D5C ; SE handler installation
0040126F . 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
00401275 . 50 PUSH EAX
00401276 . 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0040127D . 83EC 10 SUB ESP,10
00401280 . 53 PUSH EBX
00401281 . 56 PUSH ESI
00401282 . 57 PUSH EDI
00401283 . 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00401286 . 64:A1 3000000>MOV EAX,DWORD PTR FS:[30]
0040128C . 8B40 18 MOV EAX,DWORD PTR DS:[EAX+18]
0040128F . 8B40 10 MOV EAX,DWORD PTR DS:[EAX+10]
00401292 . 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00401295 . BE 01000000 MOV ESI,1
0040129A . C745 FC 00000>MOV DWORD PTR SS:[EBP-4],0
004012A1 . CD 2D INT 2D
004012A3 . 90 NOP
004012A4 . 90 NOP
004012A5 . EB 10 JMP SHORT riijjcra.004012B7
004012A7 . B8 01000000 MOV EAX,1
004012AC . C3 RETN
This one doesn't look like it is up to anything good either, so NOP this CALL too. How it works, I still don't know O(∩_∩)O. After saving and entering the input again, the crackme now runs normally O(∩_∩)O~. Now that it runs, we can start analysing the algorithm. We still haven't looked at one of those two timer funcs, so let's go and see it~~
004018A0 . A1 34A64000 MOV EAX,DWORD PTR DS:[40A634]
004018A5 . 85C0 TEST EAX,EAX
004018A7 . 74 11 JE SHORT riijjcra.004018BA
004018A9 . C705 34A64000>MOV DWORD PTR DS:[40A634],0 <= set a breakpoint here
004018B3 . A1 30A64000 MOV EAX,DWORD PTR DS:[40A630]
004018B8 . FFD0 CALL EAX <= step into this and you arrive at the algorithm
004018BA > C2 1000 RETN 10
A simple analysis of the algorithm O(∩_∩)O~
00401060 /. 55 PUSH EBP
00401061 |. 8BEC MOV EBP,ESP
00401063 |. 81EC 0C010000 SUB ESP,10C
00401069 |. 56 PUSH ESI
0040106A |. 57 PUSH EDI
0040106B |. B9 06000000 MOV ECX,6
00401070 |. BE 44804000 MOV ESI,riijjcra.00408044 ; ASCII "Uhjlvwudwlrq#vxffhvvixo1"
00401075 |. 8D7D BC LEA EDI,DWORD PTR SS:[EBP-44]
00401078 |. A1 30804000 MOV EAX,DWORD PTR DS:[408030]
0040107D |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
0040107F |. 8B0D 34804000 MOV ECX,DWORD PTR DS:[408034]
00401085 |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX
00401088 |. A1 3C804000 MOV EAX,DWORD PTR DS:[40803C]
0040108D |. 894D F0 MOV DWORD PTR SS:[EBP-10],ECX
00401090 |. 8A0D 40804000 MOV CL,BYTE PTR DS:[408040]
00401096 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00401099 |. A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0040109A |. 884D FC MOV BYTE PTR SS:[EBP-4],CL
0040109D |. 8D7D BC LEA EDI,DWORD PTR SS:[EBP-44]
004010A0 |. 83C9 FF OR ECX,FFFFFFFF
004010A3 |. 33C0 XOR EAX,EAX
004010A5 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004010A7 |. 8B15 38804000 MOV EDX,DWORD PTR DS:[408038]
004010AD |. F7D1 NOT ECX
004010AF |. 49 DEC ECX
004010B0 |. 8955 F4 MOV DWORD PTR SS:[EBP-C],EDX
004010B3 |. 85C9 TEST ECX,ECX
004010B5 |. 7E 10 JLE SHORT riijjcra.004010C7
004010B7 |> 8A5405 BC /MOV DL,BYTE PTR SS:[EBP+EAX-44]
004010BB |. 80C2 FD |ADD DL,0FD
004010BE |. 885405 BC |MOV BYTE PTR SS:[EBP+EAX-44],DL
004010C2 |. 40 |INC EAX
004010C3 |. 3BC1 |CMP EAX,ECX
004010C5 |.^ 7C F0 \JL SHORT riijjcra.004010B7 ; decodes the string "Registration successful"
004010C7 |> 8D7D EC LEA EDI,DWORD PTR SS:[EBP-14]
004010CA |. 83C9 FF OR ECX,FFFFFFFF
004010CD |. 33C0 XOR EAX,EAX
004010CF |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
004010D1 |. F7D1 NOT ECX
004010D3 |. 49 DEC ECX
004010D4 |. 85C9 TEST ECX,ECX
004010D6 |. 7E 10 JLE SHORT riijjcra.004010E8
004010D8 |> 8A5405 EC /MOV DL,BYTE PTR SS:[EBP+EAX-14]
004010DC |. 80C2 FD |ADD DL,0FD
004010DF |. 885405 EC |MOV BYTE PTR SS:[EBP+EAX-14],DL
004010E3 |. 40 |INC EAX
004010E4 |. 3BC1 |CMP EAX,ECX
004010E6 |.^ 7C F0 \JL SHORT riijjcra.004010D8 ; decodes the string "Riijj Crackme 14"
004010E8 |> 8D95 F4FEFFFF LEA EDX,DWORD PTR SS:[EBP-10C]
004010EE |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004010F1 |. 52 PUSH EDX
004010F2 |. 50 PUSH EAX
004010F3 |. E8 68070000 CALL riijjcra.00401860
004010F8 |. 8D7D D8 LEA EDI,DWORD PTR SS:[EBP-28]
004010FB |. 83C9 FF OR ECX,FFFFFFFF
004010FE |. 33C0 XOR EAX,EAX
00401100 |. 83C4 08 ADD ESP,8
00401103 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00401105 |. F7D1 NOT ECX
00401107 |. 49 DEC ECX
00401108 |. 33F6 XOR ESI,ESI
0040110A |. 85C9 TEST ECX,ECX ; checks whether a name was entered
0040110C |. 7E 14 JLE SHORT riijjcra.00401122
0040110E |> 0FBE5405 D8 /MOVSX EDX,BYTE PTR SS:[EBP+EAX-28]
00401113 |. 8BFA |MOV EDI,EDX
00401115 |. C1E7 05 |SHL EDI,5 ; name[i]*32
00401118 |. 03FE |ADD EDI,ESI ; sum = sum + name[i]*32
0040111A |. 40 |INC EAX
0040111B |. 3BC1 |CMP EAX,ECX
0040111D |. 8D3417 |LEA ESI,DWORD PTR DS:[EDI+EDX] ; sum = sum + name[i]
00401120 |.^ 7C EC \JL SHORT riijjcra.0040110E
00401122 |> 33C9 XOR ECX,ECX
00401124 |> 8D14F5 000000>/LEA EDX,DWORD PTR DS:[ESI*8] ; tmp = sum * 8
0040112B |. BF 1A000000 |MOV EDI,1A
00401130 |. 2BD6 |SUB EDX,ESI ; tmp - sum
00401132 |. 83C2 0D |ADD EDX,0D
00401135 |. 8BF2 |MOV ESI,EDX ; sum = (tmp - sum) + 13
00401137 |. 33D2 |XOR EDX,EDX
00401139 |. 8BC6 |MOV EAX,ESI
0040113B |. F7F7 |DIV EDI ; (((tmp - sum)+13) % 26) + 0x41
0040113D |. 80C2 41 |ADD DL,41
00401140 |. 88940D 58FFFF>|MOV BYTE PTR SS:[EBP+ECX-A8],DL
00401147 |. 41 |INC ECX
00401148 |. 83F9 14 |CMP ECX,14 ; loops 20 times
0040114B |.^ 7C D7 \JL SHORT riijjcra.00401124
0040114D |. 8D85 58FFFFFF LEA EAX,DWORD PTR SS:[EBP-A8] ; the real code appears
00401153 |. 8D8D F4FEFFFF LEA ECX,DWORD PTR SS:[EBP-10C]
00401159 |. 50 PUSH EAX
0040115A |. 51 PUSH ECX
0040115B |. C685 6CFFFFFF>MOV BYTE PTR SS:[EBP-94],0
00401162 |. E8 F9540000 CALL riijjcra.00406660
00401167 |. 83C4 08 ADD ESP,8
0040116A |. 85C0 TEST EAX,EAX
0040116C |. 75 22 JNZ SHORT riijjcra.00401190
0040116E |. 6A 00 PUSH 0
00401170 |. 8D85 ECFFFFFF LEA EAX,DWORD PTR SS:[EBP-14]
00401176 |. 50 PUSH EAX
00401177 |. 8D85 BCFFFFFF LEA EAX,DWORD PTR SS:[EBP-44]
0040117D |. 50 PUSH EAX
0040117E |. A1 38A64000 MOV EAX,DWORD PTR DS:[40A638]
00401183 |. 50 PUSH EAX
00401184 |. B8 01714000 MOV EAX,riijjcra.00407101
00401189 |. 83C0 0B ADD EAX,0B
0040118C |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0040118E |. FFD0 CALL EAX
00401190 |> 5F POP EDI
00401191 |. 5E POP ESI
00401192 |. 8BE5 MOV ESP,EBP
00401194 |. 5D POP EBP
00401195 \. C3 RETN
At this point the algorithm is clear and not especially hard, so I'll be lazy and not write a summary; you can trace through it yourselves O(∩_∩)O~. Finally, here is the Python keygen source:
name = input("Enter name: ")
Sum = 0
sn = ''
# Seed: the loop at 40110E adds name[i]*32 + name[i] for every character
for ch in name:
    Sum = Sum + ord(ch) + ord(ch) * 32
# The loop at 401124 runs 20 rounds of Sum = Sum*8 - Sum + 13 on a 32-bit register
for j in range(20):
    tmp = Sum * 8
    Sum = (tmp - Sum) + 13
    if Sum > 0xFFFFFFFF:
        Sum = Sum & 0xFFFFFFFF   # emulate 32-bit wrap-around
    sn = sn + chr((Sum % 26) + 65)   # DIV by 26, remainder + 'A'
print('Your code is:', sn)
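As an added example (my own code, not the post's), the following Python mirrors the three pieces of the routine at 401060 with explicit 32-bit register semantics: the ADD DL,0FD string decode at 4010B7, the MOVSX seed loop at 40110E, and the 20-round loop at 401124. check() assumes the call at 401162 is a plain string comparison, which the post does not state. first_overflow_round() shows why the mask in the keygen matters: for the name "pediy" the unmasked value leaves 32 bits in round 6, and every character from there on would differ from what the program computes.

```python
MASK32 = 0xFFFFFFFF

# Obfuscated string copied from the listing at 408044.
ENC_SUCCESS = "Uhjlvwudwlrq#vxffhvvixo1"


def decode_string(s):
    """Loop at 4010B7: ADD DL,0FD on every byte, i.e. subtract 3 modulo 256."""
    return "".join(chr((ord(c) + 0xFD) & 0xFF) for c in s)


def seed_from_name(name):
    """Loop at 40110E: sum += c*32 + c, where c is the MOVSX (sign-extended) byte."""
    total = 0
    for b in name:
        c = b - 256 if b >= 0x80 else b      # MOVSX sign-extends the byte
        total = (total + (c << 5) + c) & MASK32
    return total


def serial_rounds(name):
    """Yield (round, state, char) for the 20 rounds at 401124.
    state is ESI after ESI = ESI*8 - ESI + 13, truncated to 32 bits;
    char is 'A' + (state % 26), the DIV EDI / ADD DL,41 pair."""
    state = seed_from_name(name)
    for i in range(20):
        state = (state * 8 - state + 13) & MASK32   # LEA/SUB/ADD on 32-bit registers
        yield i, state, chr(0x41 + state % 26)


def keygen(name):
    """The 20-character code written at [EBP-A8]."""
    return "".join(ch for _, _, ch in serial_rounds(name.encode("latin-1")))


def check(name, code):
    """Assumed behaviour of the call at 401162: a plain string compare."""
    return code == keygen(name)


def first_overflow_round(name):
    """Index of the first round whose unmasked value exceeds 32 bits, or None.
    From that round on, a keygen without the & 0xFFFFFFFF mask diverges."""
    state = seed_from_name(name.encode("latin-1"))
    for i in range(20):
        nxt = state * 7 + 13
        if nxt > MASK32:
            return i
        state = nxt
    return None


if __name__ == "__main__":
    print(decode_string(ENC_SUCCESS))
    for i, state, ch in serial_rounds(b"pediy"):
        print(f"round {i:2d}: ESI={state:08X} -> '{ch}'")   # what you see at 401140
    print("code for pediy:", keygen("pediy"))
    print("first overflow round:", first_overflow_round("pediy"))
```

The per-round trace is what you would watch in the debugger at the MOV BYTE PTR SS:[EBP+ECX-A8],DL instruction: the 32-bit ESI value and the letter derived from it.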
--------------------------------------------------------------------------------
[Lessons learned]
The algorithm of this crackme is really very simple, but a newbie like me still picked up a little knowledge about SEH~~
--------------------------------------------------------------------------------
[Copyright notice]: This article was originally written for the PEDIY forum (看雪技术论坛); when reposting, please credit the author and keep the article intact. Thank you!
June 8, 2010, 14:53:16