CrackMe 2007->序列号->逍遥风->AD_CM#4 分析
查找字符串,来到以下地方,
00458159 |. 55 PUSH EBP
0045815A |. 68 90824500 PUSH AD_CM#4_.00458290
0045815F |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00458162 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00458165 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
00458168 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045816B |. 8B80 D8020000 MOV EAX,DWORD PTR DS:[EAX+2D8]
00458171 |. E8 16BFFCFF CALL AD_CM#4_.0042408C ; 取输入用户名放于【EBP-8】
00458176 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00458179 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045817C |. 8B80 D8020000 MOV EAX,DWORD PTR DS:[EAX+2D8]
00458182 |. E8 05BFFCFF CALL AD_CM#4_.0042408C ; 又取用户名,放于【EBP-14】
00458187 |. 837D EC 00 CMP DWORD PTR SS:[EBP-14],0 ; 判断用户名是否为空
0045818B |. 75 0A JNZ SHORT AD_CM#4_.00458197
0045818D |. B8 A8824500 MOV EAX,AD_CM#4_.004582A8 ; Enter you name, pls.
00458192 |. E8 4DC1FEFF CALL AD_CM#4_.004442E4 ; 用户名空则提示错误
00458197 |> 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0045819A |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045819D |. 8B80 DC020000 MOV EAX,DWORD PTR DS:[EAX+2DC]
004581A3 |. E8 E4BEFCFF CALL AD_CM#4_.0042408C ; 取输入的注册码放于【EBP-18】
004581A8 |. 837D E8 00 CMP DWORD PTR SS:[EBP-18],0 ; 注册码是否为空,空则提示错误
004581AC |. 75 0A JNZ SHORT AD_CM#4_.004581B8
004581AE |. B8 C8824500 MOV EAX,AD_CM#4_.004582C8 ; Enter the serial, pls.
004581B3 |. E8 2CC1FEFF CALL AD_CM#4_.004442E4
004581B8 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004581BB |. E8 BCB9FAFF CALL AD_CM#4_.00403B7C ; 返回用户名的长度
004581C0 |. 8BF8 MOV EDI,EAX ; 长度存放EDI
004581C2 |. 85FF TEST EDI,EDI
004581C4 |. 7E 50 JLE SHORT AD_CM#4_.00458216
004581C6 |. BB 01000000 MOV EBX,1 ; EBX置初值1
004581CB |> 8B45 F8 /MOV EAX,DWORD PTR SS:[EBP-8] ; 输入的用户名送入EAX
004581CE |. 0FB67418 FF |MOVZX ESI,BYTE PTR DS:[EAX+EBX-1] ; 取出用户名的每一位
004581D3 |. 8BC6 |MOV EAX,ESI
004581D5 |. B9 06000000 |MOV ECX,6
004581DA |. 33D2 |XOR EDX,EDX
004581DC |. F7F1 |DIV ECX
004581DE |. 8B55 F8 |MOV EDX,DWORD PTR SS:[EBP-8]
004581E1 |. 8BD6 |MOV EDX,ESI
004581E3 |. C1EA 02 |SHR EDX,2
004581E6 |. F7EA |IMUL EDX
004581E8 |. 50 |PUSH EAX
004581E9 |. 8B45 F8 |MOV EAX,DWORD PTR SS:[EBP-8]
004581EC |. 8BC6 |MOV EAX,ESI
004581EE |. B9 0A000000 |MOV ECX,0A
004581F3 |. 33D2 |XOR EDX,EDX
004581F5 |. F7F1 |DIV ECX
004581F7 |. 5A |POP EDX
004581F8 |. 92 |XCHG EAX,EDX
004581F9 |. 8BCA |MOV ECX,EDX
004581FB |. 33D2 |XOR EDX,EDX
004581FD |. F7F1 |DIV ECX
004581FF |. 8D55 E4 |LEA EDX,DWORD PTR SS:[EBP-1C]
00458202 |. E8 FDF8FAFF |CALL AD_CM#4_.00407B04 ; 这个call将计算出来的值(EAX中)转换成10进制
00458207 |. 8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-1C]
0045820A |. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
0045820D |. E8 72B9FAFF |CALL AD_CM#4_.00403B84 ; 将转换后的十进制逐个合并。
00458212 |. 43 |INC EBX
00458213 |. 4F |DEC EDI
00458214 |.^ 75 B5 \JNZ SHORT AD_CM#4_.004581CB ; 这个循环根据注册名每一位计算出一个值并转换成10进制,
00458216 |> 68 E8824500 PUSH AD_CM#4_.004582E8 ; ADCM4-
0045821B |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
0045821E |. 68 F8824500 PUSH AD_CM#4_.004582F8 ; -YEAH!
00458223 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00458226 |. BA 03000000 MOV EDX,3
0045822B |. E8 0CBAFAFF CALL AD_CM#4_.00403C3C ; 将2个字符串和计算出来的字符串合并
00458230 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
00458233 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00458236 |. 8B80 DC020000 MOV EAX,DWORD PTR DS:[EAX+2DC]
0045823C |. E8 4BBEFCFF CALL AD_CM#4_.0042408C ; 取输入的注册码
00458241 |. 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
00458244 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00458247 |. E8 40BAFAFF CALL AD_CM#4_.00403C8C ; 两个注册码比较
0045824C |. 75 0A JNZ SHORT AD_CM#4_.00458258 ; 修改此处可以爆破
0045824E |. B8 08834500 MOV EAX,AD_CM#4_.00458308 ; Well done Cracker, You did it!
00458253 |. E8 8CC0FEFF CALL AD_CM#4_.004442E4
算法分析:注册名不能低于5位,根据注册名算出一个值并转换成10进制,之后合并成一个字符串,最后在该字串的前后添加固定的字符串组成真正的注册码。 一组正确的注册码:“123456” “ADCM4-241919202023-YEAH!”。
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
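/*
 * Per-character term of the AD_CM#4 serial, mirroring the instruction sequence
 * at 004581D3-004581FD of the listing above:
 *   EAX = (c / 6) * (c >> 2);  then  EAX = EAX / (c / 10)
 * All divisions are unsigned (DIV), the multiply is IMUL EDX whose low 32 bits
 * are kept; with c <= 255 the product is at most 42 * 63, so it never wraps.
 *
 * c: one byte of the name, already zero-extended (the original uses MOVZX).
 * Returns the term to be printed in decimal, or 0 when c / 10 == 0 (bytes below
 * 0x0A) -- the original binary would raise a divide-by-zero fault there, which a
 * keygen written in C must not reproduce as undefined behaviour.
 */
static unsigned int ad_cm4_term(unsigned char c)
{
    unsigned int quot6 = c / 6u;        /* DIV ECX, ECX = 6   -> EAX */
    unsigned int quot4 = c >> 2;        /* SHR EDX,2           -> EDX */
    unsigned int prod = quot6 * quot4;  /* IMUL EDX            -> EAX */
    unsigned int quot10 = c / 10u;      /* DIV ECX, ECX = 0Ah  -> EAX */

    if (quot10 == 0) {
        return 0;                       /* final DIV would be #DE in the original */
    }
    return prod / quot10;               /* DIV ECX, ECX = c / 10 -> EAX */
}

/*
 * Keygen for AD_CM#4: prints the name and the serial "ADCM4-<terms>-YEAH!",
 * where <terms> is the concatenation of ad_cm4_term() for each byte of the
 * name in decimal (the string build at 00458216-0045822B).
 * The post states the name must be at least 5 characters; that is not checked
 * here because the listing above does not show where the binary checks it.
 */
int main(void)
{
    const char name[] = "123456";
    size_t namelen = strlen(name);

    printf("注册名:%s\n", name);
    printf("注册码:ADCM4-");
    /* Cast to unsigned char: the binary zero-extends each byte (MOVZX), whereas
       plain char may be signed and would sign-extend bytes >= 0x80. */
    for (size_t i = 0; i < namelen; i++) {
        printf("%u", ad_cm4_term((unsigned char)name[i]));
    }
    printf("-YEAH!\n");
    getchar();
    return 0;
}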
CrackMe 2007->序列号->逍遥风->BenGaly.CrackMe#1 分析
004012B1 |. 6A 40 PUSH 40 ; /Count = 40 (64.)
004012B3 |. 68 38304000 PUSH Crackme2.00403038 ; |Buffer = Crackme2.00403038
004012B8 |. 6A 6A PUSH 6A ; |ControlID = 6A (106.)
004012BA |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004012BD |. E8 08010000 CALL <JMP.&USER32.GetDlgItemTextA> ; \取用户名
004012C2 |. 83F8 00 CMP EAX,0 ; 用户名是否是空
004012C5 |. 74 18 JE SHORT Crackme2.004012DF
004012C7 |. 6A 40 PUSH 40 ; /Count = 40 (64.)
004012C9 |. 68 38314000 PUSH Crackme2.00403138 ; |Buffer = Crackme2.00403138
004012CE |. 6A 6B PUSH 6B ; |ControlID = 6B (107.)
004012D0 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004012D3 |. E8 F2000000 CALL <JMP.&USER32.GetDlgItemTextA> ; \取输入的注册码
004012D8 |. 83F8 00 CMP EAX,0 ; 注册码是否为空
004012DB |. 74 02 JE SHORT Crackme2.004012DF
004012DD |. EB 17 JMP SHORT Crackme2.004012F6
004012DF |> 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
004012E1 |. 68 62344000 PUSH Crackme2.00403462 ; |Key/CrackMe #2
004012E6 |. 68 00304000 PUSH Crackme2.00403000 ; | Please Fill in 1 more Char!!
004012EB |. 6A 00 PUSH 0 ; |hOwner = NULL
004012ED |. E8 FC000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
004012F2 |. C9 LEAVE
004012F3 |. C2 1000 RETN 10
004012F6 |> 68 38304000 PUSH Crackme2.00403038 ; /String = "pediy"
004012FB |. E8 30010000 CALL <JMP.&KERNEL32.lstrlenA> ; \取用户名的长度
00401300 |. 33F6 XOR ESI,ESI
00401302 |. 8BC8 MOV ECX,EAX
00401304 |. B8 01000000 MOV EAX,1
00401309 |> 8B15 38304000 /MOV EDX,DWORD PTR DS:[403038]
0040130F |. 8A90 37304000 |MOV DL,BYTE PTR DS:[EAX+403037]
00401315 |. 81E2 FF000000 |AND EDX,0FF ; 取出每位字符送到EDX。
0040131B |. 8BDA |MOV EBX,EDX
0040131D |. 0FAFDA |IMUL EBX,EDX
00401320 |. 03F3 |ADD ESI,EBX
00401322 |. 8BDA |MOV EBX,EDX
00401324 |. D1FB |SAR EBX,1
00401326 |. 03F3 |ADD ESI,EBX
00401328 |. 2BF2 |SUB ESI,EDX
0040132A |. 40 |INC EAX
0040132B |. 49 |DEC ECX
0040132C |.^ 75 DB \JNZ SHORT Crackme2.00401309
0040132E |. 56 PUSH ESI
0040132F |. 68 38314000 PUSH Crackme2.00403138 ; ASCII "123456"
00401334 |. E8 4A000000 CALL Crackme2.00401383 ; 这个call是将输入的注册码转换成10进制。
00401339 |. 5E POP ESI ; 如果输入的全是数字的话跟进call则很容易看明白
0040133A |. 3BC6 CMP EAX,ESI ; 真假注册码比较
0040133C 75 15 JNZ SHORT Crackme2.00401353 ; 修改此处可以爆破
下面是将注册码转换成10进制数字的call
00401383 /$ 55 PUSH EBP
00401384 |. 8BEC MOV EBP,ESP
00401386 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /String
00401389 |. E8 A2000000 CALL <JMP.&KERNEL32.lstrlenA> ; \lstrlenA
0040138E |. 53 PUSH EBX
0040138F |. 33DB XOR EBX,EBX
00401391 |. 8BC8 MOV ECX,EAX
00401393 |. 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
00401396 |> 51 /PUSH ECX
00401397 |. 33C0 |XOR EAX,EAX
00401399 |. AC |LODS BYTE PTR DS:[ESI]
0040139A |. 83E8 30 |SUB EAX,30
0040139D |. 49 |DEC ECX
0040139E |. 74 05 |JE SHORT Crackme2.004013A5
004013A0 |> 6BC0 0A |/IMUL EAX,EAX,0A
004013A3 |.^ E2 FB |\LOOPD SHORT Crackme2.004013A0
004013A5 |> 03D8 |ADD EBX,EAX
004013A7 |. 59 |POP ECX
004013A8 |.^ E2 EC \LOOPD SHORT Crackme2.00401396
004013AA |. 8BC3 MOV EAX,EBX
004013AC |. 5B POP EBX
004013AD |. C9 LEAVE
004013AE \. C2 0400 RETN 4
算法:注册码是根据用户名计算出来的,一组正确注册码:pediy 58140
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
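/*
 * Name hash used by BenGaly.CrackMe#1 (loop at 00401309-0040132C):
 *   for each byte d of the name:  sum += d*d + (d >> 1) - d
 * The AND EDX,0FF in the listing makes each byte unsigned, and SAR EBX,1 on a
 * value in 0..255 is the same as an unsigned shift, so unsigned arithmetic
 * reproduces the binary exactly (ESI is compared with the serial parsed as a
 * decimal number at 0040133A).
 *
 * name: NUL-terminated name; an empty name yields 0 (the binary rejects empty
 *       input before reaching the loop).
 * Returns the 32-bit running sum (ESI), wrapping modulo 2^32 like the binary.
 */
static unsigned int bengaly1_hash(const char *name)
{
    unsigned int sum = 0;                    /* ESI */

    for (const char *p = name; *p != '\0'; p++) {
        unsigned int d = (unsigned char)*p;  /* MOV DL,[..]; AND EDX,0FF */
        sum += d * d;                        /* IMUL EBX,EDX ; ADD ESI,EBX */
        sum += d >> 1;                       /* SAR EBX,1    ; ADD ESI,EBX */
        sum -= d;                            /* SUB ESI,EDX */
    }
    return sum;
}

/*
 * Keygen for BenGaly.CrackMe#1: prints the serial for the hard-coded name.
 * Neither name nor serial may be empty in the CrackMe. The post's example pair
 * is name "pediy" -> serial 58140.
 */
int main(void)
{
    const char name[] = "123456";

    /* %u: the hash is unsigned; %d with an unsigned argument is undefined. */
    printf("注册码:%u\n", bengaly1_hash(name));
    getchar();
    return 0;
}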
学习一下,谢谢