Title: [Original] s3rh47's cm8: algorithm analysis + writing a keygen
Author: kkmylove
Date: July 5, 2010
Link: http://bbs.pediy.com/showthread.php?t=116256
【Article title】: s3rh47's cm8: algorithm analysis + writing a keygen
【Author】: kkmylove
【Software name】: KeygenMe.exe
【Software size】: 183 KB
【Download】: see the attachment below
【Written in】: MASM32 / TASM32
【Tools used】: PEiD, OD
【Platform】: D-Windows XP2
【Link】: http://bbs.pediy.com/showthread.php?t=116256
【Program description】: a simple crackme
While browsing http://www.crackmes.de/ I came across this CM, and that is how this article came about. It is the first crack write-up I have written, so I hope everyone will point out its shortcomings.
I first tried running the program: a wrong serial produces no reaction at all. Next I tried the universal breakpoint, but it did not trigger; I am not sure whether the universal breakpoint only works for programs not written in assembly, heh.
Ctrl+N to find the function the program uses to read the control text:
名称位于 KeygenMe, 条目 5
地址=00402040
区段=.rdata
类型=输入 (已知)
名称=user32.GetDlgItemTextA
Right-click -> "Set breakpoint on every reference", run the program, and enter the username kkmylove and the serial 0123456789.
Click "Check Serial"; the program breaks, and stepping with F8 leads to 0040112C:
0040112C > \68 00344000 push KeygenMe.00403400 ; 0123456789
00401131 . 68 70324000 push KeygenMe.00403270 ; kkmylove
00401136 . E8 88000000 call KeygenMe.004011C3
0040113B . 83F8 01 cmp eax,0x1
0040113E . 75 14 jnz short KeygenMe.00401154
00401140 . 6A 30 push 0x30 ; /Style = MB_OK|MB_ICONEXCLAMATION|MB_APPLMODAL
00401142 . 68 8C304000 push KeygenMe.0040308C ; |Super
00401147 . 68 4F304000 push KeygenMe.0040304F ; |Your Registration was successful. Please Make a Keygen now.
0040114C . FF75 08 push dword ptr ss:[ebp+0x8] ; |hOwner
0040114F . E8 88010000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00401154 > C9 leave
00401155 . C2 1000 retn 0x10
00401158 > 3D EF030000 cmp eax,0x3EF
0040115D . 75 20 jnz short KeygenMe.0040117F
0040115F . 68 00000900 push 0x90000 ; Case 3EF of switch 004010E7
00401164 . 68 BC020000 push 0x2BC
00401169 . FF75 08 push dword ptr ss:[ebp+0x8]
004011C3 /$ 55 push ebp
004011C4 |. 8BEC mov ebp,esp
004011C6 |. 8D35 48324000 lea esi,dword ptr ds:[0x403248]
004011CC |. 8B7D 08 mov edi,[arg.1]
004011CF |. B9 88130000 mov ecx,0x1388
004011D4 |. DBE3 finit
004011D6 |. D9EE fldz
004011D8 |> 33C0 /xor eax,eax
004011DA |. AC |lods byte ptr ds:[esi]
004011DB |. 85C0 |test eax,eax
004011DD |. 75 08 |jnz short KeygenMe.004011E7
004011DF |. 8D35 48324000 |lea esi,dword ptr ds:[0x403248]
004011E5 |.^ EB F1 |jmp short KeygenMe.004011D8
004011E7 |> 83F8 2D |cmp eax,0x2D
004011EA |. 75 02 |jnz short KeygenMe.004011EE
004011EC |.^ EB EA |jmp short KeygenMe.004011D8
004011EE |> 8BD8 |mov ebx,eax
004011F0 |> 0FB607 |/movzx eax,byte ptr ds:[edi]
004011F3 |. 47 ||inc edi
004011F4 |. 85C0 ||test eax,eax
004011F6 |. 75 05 ||jnz short KeygenMe.004011FD
004011F8 |. 8B7D 08 ||mov edi,[arg.1]
004011FB |.^ EB F3 |\jmp short KeygenMe.004011F0
004011FD |> 33C3 |xor eax,ebx ; eax = reg^key
004011FF |. F7E9 |imul ecx ; eax = ecx * eax
00401201 |. 50 |push eax
00401202 |. DA0424 |fiadd dword ptr ss:[esp] ; st0 = st0 + eax
00401205 |. 81F9 DC050000 |cmp ecx,0x5DC
0040120B |. 74 15 |je short KeygenMe.00401222
0040120D |. 81F9 EE020000 |cmp ecx,0x2EE
00401213 |. 74 0D |je short KeygenMe.00401222
00401215 |. 81F9 45010000 |cmp ecx,0x145
0040121B |. 74 05 |je short KeygenMe.00401222
0040121D |. 83F9 64 |cmp ecx,0x64
00401220 |. 75 0B |jnz short KeygenMe.0040122D
00401222 |> BB 88190000 |mov ebx,0x1988
00401227 |. F7EB |imul ebx
00401229 |. 50 |push eax
0040122A |. DA0424 |fiadd dword ptr ss:[esp]
0040122D |> 51 |push ecx
0040122E |. DA0424 |fiadd dword ptr ss:[esp] ; st0= st0 + ecx
00401231 |.^ E2 A5 \loopd short KeygenMe.004011D8
00401233 |. 33DB xor ebx,ebx
00401235 |. 33C0 xor eax,eax
00401237 |. 8B75 0C mov esi,[arg.2]
0040123A |. 8A1E mov bl,byte ptr ds:[esi]
0040123C |. 46 inc esi
0040123D |> 80EB 30 /sub bl,0x30
00401240 |. 8D0480 |lea eax,dword ptr ds:[eax+eax*4]
00401243 |. 03C0 |add eax,eax
00401245 |. 03C3 |add eax,ebx
00401247 |. 8A1E |mov bl,byte ptr ds:[esi]
00401249 |. 46 |inc esi
0040124A |. 84DB |test bl,bl
0040124C |.^ 75 EF \jnz short KeygenMe.0040123D
0040124E |. 05 E4C5BE00 add eax,0xBEC5E4
00401253 |. 50 push eax
00401254 |. DA2424 fisub dword ptr ss:[esp]
00401257 |. 83EC 08 sub esp,0x8
0040125A |. DF3C24 fistp qword ptr ss:[esp]
0040125D |. 58 pop eax
0040125E |. 5A pop edx
0040125F |. 0BC0 or eax,eax
00401261 |. 75 02 jnz short KeygenMe.00401265
00401263 |. B0 01 mov al,0x1
00401265 |> C9 leave
00401266 \. C2 0800 retn 0x8
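As an added example (not the original post's keygen), the Python below replays the routine at 004011C3 listed above: 5000 rounds that XOR the key string at 0x403248 (skipping '-') against the username, weight each round by the loop counter, add an extra 0x1988 multiple on four rounds, and finally compare the low dword of the FPU sum against the decimal serial plus 0xBEC5E4, a constant that equals 1+2+...+5000 and therefore exactly cancels the `push ecx / fiadd` terms. The contents of the key string are not shown in the listing, so KEY_BYTES is a constructed placeholder; swap in the real bytes to reproduce the program's serials.

```python
# Python model of the serial check at 004011C3 (added example, not the
# original post's keygen). KEY_BYTES stands in for the string at 0x403248,
# whose contents the disassembly does not reveal.
KEY_BYTES = b"S3RH47-CM8-PLACEHOLDER"   # constructed placeholder, not the real key
ROUNDS = 0x1388                          # mov ecx,0x1388 (5000 iterations)
SPECIAL = {0x5DC, 0x2EE, 0x145, 0x64}    # rounds that get the extra imul 0x1988
BIAS = 0xBEC5E4                          # == sum(1..5000): cancels the "fiadd ecx" terms


def _signed32(v: int) -> int:
    """Interpret the low 32 bits of v as the signed dword that fiadd/fisub read."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v


def fpu_sum(name: bytes, key: bytes = KEY_BYTES) -> int:
    """st0 after the loop 004011D8..00401231; every term is an exact integer.
    name must be non-empty, as it would be when read from the dialog."""
    key = [b for b in key if b != 0x2D]  # '-' is skipped without consuming a name byte
    total, i = 0, 0
    for ecx in range(ROUNDS, 0, -1):
        x = key[i % len(key)] ^ name[i % len(name)]   # both strings wrap at their NUL
        i += 1
        eax = (ecx * x) & 0xFFFFFFFF                   # imul ecx: low dword only
        total += _signed32(eax)                        # push eax / fiadd dword [esp]
        if ecx in SPECIAL:
            eax = (eax * 0x1988) & 0xFFFFFFFF          # imul ebx (ebx = 0x1988), may wrap
            total += _signed32(eax)
        total += ecx                                   # push ecx / fiadd dword [esp]
    return total


def make_serial(name: bytes, key: bytes = KEY_BYTES) -> str:
    """Decimal serial accepted by check(): FPU sum minus BIAS, modulo 2**32."""
    return str((fpu_sum(name, key) - BIAS) & 0xFFFFFFFF)


def check(name: bytes, serial: str, key: bytes = KEY_BYTES) -> bool:
    """Replay 00401233..00401265: parse the serial, bias it, subtract, test eax."""
    eax = 0
    for c in serial.encode():              # sub bl,0x30 ; eax = eax*10 + bl
        eax = (eax * 10 + ((c - 0x30) & 0xFF)) & 0xFFFFFFFF
    eax = (eax + BIAS) & 0xFFFFFFFF        # add eax,0xBEC5E4
    st0 = fpu_sum(name, key) - _signed32(eax)   # push eax / fisub dword [esp]
    return (st0 & 0xFFFFFFFF) == 0         # fistp qword: only the low dword (eax) is tested
```

Because only the low dword of the fistp result is compared, every serial congruent to the FPU sum minus 0xBEC5E4 modulo 2^32 is accepted, and the 32-bit wrap of the 0x1988 product on round 0x5DC does not disturb the check.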