-
-
[原创]crackme区0~9级中的level2算法分析破解
-
发表于: 2010-12-26 16:47 2654
-
首先是通过CWnd::UpdateData调用找到关键代码,然后如下:
00401550 /. 55 push ebp ; --- serial check handler (OllyDbg dump, x86 thiscall: ecx = this) ---
00401551 |. 8BEC mov ebp, esp ; frame pointer kept so the epilogue can restore esp after the alignment below
00401553 |. 83E4 F8 and esp, FFFFFFF8 ; 8-byte align the local frame
00401556 |. 81EC 8C000000 sub esp, 8C ; 0x8C bytes of locals: 128-byte name buffer + cookie slot
0040155C |. A1 20504000 mov eax, dword ptr [405020] ; global at 405020; looks like the MSVC /GS security cookie (paired with the check at 00401601) -- confirm
00401561 |. 53 push ebx ; save callee-saved registers
00401562 |. 56 push esi
00401563 |. 57 push edi
00401564 |. 898424 940000>mov dword ptr [esp+94], eax ; park the cookie above the name buffer; re-read before returning
0040156B |. 8BD9 mov ebx, ecx ; ebx = this (dialog object)
0040156D |. 33C0 xor eax, eax ; eax = 0, fill value for the stos run below
0040156F |. C64424 10 FF mov byte ptr [esp+10], 0FF ; buf = [esp+10], 128 bytes; buf[0] = 0xFF
00401574 |. B9 1F000000 mov ecx, 1F ; 31 dwords
00401579 |. 8D7C24 11 lea edi, dword ptr [esp+11] ; edi = &buf[1]
0040157D |. F3:AB rep stos dword ptr es:[edi] ; zero 124 bytes (buf[1..124])
0040157F |. 66:AB stos word ptr es:[edi] ; + 2 bytes
00401581 |. 6A 01 push 1 ; arg: bSaveAndValidate = TRUE
00401583 |. 8BCB mov ecx, ebx ; ecx = this
00401585 |. AA stos byte ptr es:[edi] ; + 1 byte -> buf[1..127] zeroed (edi is unaffected by the push)
00401586 |. E8 CB030000 call <jmp.&MFC71.#6236_CWnd::UpdateData> ; this->UpdateData(TRUE): copy control text into the member variables
0040158B |. 8D4B 74 lea ecx, dword ptr [ebx+74] ; ecx = &this->name (CString member at this+0x74)
0040158E |. FF15 9C314000 call dword ptr [<&MFC71.#876_ATL::CSimpleSt>; MFC71.#876_ATL::CSimpleStringT<char,1>::operator char const * -> eax = (const char*)name
00401594 |. 8D5424 10 lea edx, dword ptr [esp+10] ; edx = buf (copy destination)
00401598 |> 8A08 /mov cl, byte ptr [eax] ; strcpy(buf, name) by hand: copy bytes up to and including the NUL
0040159A |. 40 |inc eax
0040159B |. 880A |mov byte ptr [edx], cl
0040159D |. 42 |inc edx
0040159E |. 84C9 |test cl, cl
004015A0 |.^ 75 F6 \jnz short CRECKME_.00401598 ; no length check: a name longer than 127 bytes overruns the 128-byte stack buffer; the cookie at [esp+94] (checked at 00401601) is the only guard
004015A2 |. 8A4424 16 mov al, byte ptr [esp+16] ; al = buf[6]
004015A6 |. 84C0 test al, al ; buf[6] must be '\0' ...
004015A8 |. 75 50 jnz short CRECKME_.004015FA ; ... i.e. name longer than 6 chars -> fail
004015AA |. 8A5424 15 mov dl, byte ptr [esp+15] ; dl = buf[5] (stays live until 004015D9)
004015AE |. 84D2 test dl, dl ; buf[5] must be non-NUL ...
004015B0 |. 74 48 je short CRECKME_.004015FA ; ... i.e. name shorter than 6 chars -> fail; together: strlen(name) == 6
004015B2 |. 8B43 78 mov eax, dword ptr [ebx+78] ; eax = this->num (int member at this+0x78, the serial)
004015B5 |. 3D A0860100 cmp eax, 186A0 ; 0x186A0 = 100000
004015BA |. 7C 3E jl short CRECKME_.004015FA ; signed compare: num < 100000 (negative included) -> fail; num >= 100000 passes
004015BC |. 0FBE7424 12 movsx esi, byte ptr [esp+12] ; esi = buf[2]; movsx: bytes >= 0x80 contribute negative values
004015C1 |. 0FBE4C24 11 movsx ecx, byte ptr [esp+11] ; ecx = buf[1]
004015C6 |. 0FBE7C24 14 movsx edi, byte ptr [esp+14] ; edi = buf[4]
004015CB |. 03CE add ecx, esi ; ecx = buf[1] + buf[2]
004015CD |. 0FBE7424 10 movsx esi, byte ptr [esp+10] ; esi = buf[0]
004015D2 |. 03CE add ecx, esi ; ecx = buf[0] + buf[1] + buf[2]  (s1)
004015D4 |. 0FBE7424 13 movsx esi, byte ptr [esp+13] ; esi = buf[3]
004015D9 |. 0FBED2 movsx edx, dl ; edx = buf[5] (dl loaded at 004015AA)
004015DC |. 03F7 add esi, edi ; esi = buf[3] + buf[4]
004015DE |. 03F2 add esi, edx ; esi = buf[3] + buf[4] + buf[5]  (s2)
004015E0 |. 99 cdq ; edx:eax = sign-extended num, required before idiv (clobbers edx; buf[5] is already folded into esi)
004015E1 |. BF E8030000 mov edi, 3E8 ; edi = 1000
004015E6 |. F7FF idiv edi ; eax = num / 1000, edx = num % 1000 (signed, truncating)
004015E8 |. 3BC8 cmp ecx, eax ; s1 == num / 1000 ?
004015EA |. 75 0E jnz short CRECKME_.004015FA ; mismatch -> fail
004015EC |. 3BF2 cmp esi, edx ; s2 == num % 1000 ?
004015EE |. 75 0A jnz short CRECKME_.004015FA ; mismatch -> fail
004015F0 |. 8B03 mov eax, dword ptr [ebx] ; eax = this->vtable
004015F2 |. 8BCB mov ecx, ebx ; ecx = this
004015F4 |. FF90 54010000 call dword ptr [eax+154] ; success path: virtual call through vtable slot 0x154 (identified by the author as CDialog::OnOK)
004015FA |> 8B8C24 940000>mov ecx, dword ptr [esp+94] ; common exit (also the fail target): reload the stack cookie
00401601 |. E8 43040000 call CRECKME_.00401A49 ; cookie check, presumably __security_check_cookie -- confirm at 00401A49
00401606 |. 5F pop edi ; restore callee-saved registers
00401607 |. 5E pop esi
00401608 |. 5B pop ebx
00401609 |. 8BE5 mov esp, ebp ; undo the and/sub frame setup
0040160B |. 5D pop ebp
0040160C \. C3 retn
于是注册算法为（name 的 6 个字节均经 movsx 按有符号 char 取值，ASCII 0x80 以上的字节按负数计）：
name 长度必须恰好为 6 个字符（name[6]=='\0' 且 name[5]!='\0'）
num 必须 >= 100000（cmp/jl 是有符号比较，负数同样失败；注意是"大于等于"而非"大于"）
if(
(name[0]+name[1]+name[2] == num/1000)
&& (name[3]+name[4]+name[5] == num%1000)   // idiv 取整数商与余数
)
success!
反过来就是 keygen：令 s1 = name[0]+name[1]+name[2]，s2 = name[3]+name[4]+name[5]，则 num = s1*1000 + s2；只要 s1 在 100~999、s2 在 0~999 范围内即可（可打印 ASCII 三字节之和最大为 378，所以 s2 的条件自动满足，s1 需 >= 100）。
可以使用
name:123456      （'1'+'2'+'3' = 49+50+51 = 150，'4'+'5'+'6' = 52+53+54 = 159）
num:150159       （= 150*1000 + 159，且 >= 100000）
完成注册
00401550 /. 55 push ebp ; --- serial check handler (OllyDbg dump, x86 thiscall: ecx = this) ---
00401551 |. 8BEC mov ebp, esp ; frame pointer kept so the epilogue can restore esp after the alignment below
00401553 |. 83E4 F8 and esp, FFFFFFF8 ; 8-byte align the local frame
00401556 |. 81EC 8C000000 sub esp, 8C ; 0x8C bytes of locals: 128-byte name buffer + cookie slot
0040155C |. A1 20504000 mov eax, dword ptr [405020] ; global at 405020; looks like the MSVC /GS security cookie (paired with the check at 00401601) -- confirm
00401561 |. 53 push ebx ; save callee-saved registers
00401562 |. 56 push esi
00401563 |. 57 push edi
00401564 |. 898424 940000>mov dword ptr [esp+94], eax ; park the cookie above the name buffer; re-read before returning
0040156B |. 8BD9 mov ebx, ecx ; ebx = this (dialog object)
0040156D |. 33C0 xor eax, eax ; eax = 0, fill value for the stos run below
0040156F |. C64424 10 FF mov byte ptr [esp+10], 0FF ; buf = [esp+10], 128 bytes; buf[0] = 0xFF
00401574 |. B9 1F000000 mov ecx, 1F ; 31 dwords
00401579 |. 8D7C24 11 lea edi, dword ptr [esp+11] ; edi = &buf[1]
0040157D |. F3:AB rep stos dword ptr es:[edi] ; zero 124 bytes (buf[1..124])
0040157F |. 66:AB stos word ptr es:[edi] ; + 2 bytes
00401581 |. 6A 01 push 1 ; arg: bSaveAndValidate = TRUE
00401583 |. 8BCB mov ecx, ebx ; ecx = this
00401585 |. AA stos byte ptr es:[edi] ; + 1 byte -> buf[1..127] zeroed (edi is unaffected by the push)
00401586 |. E8 CB030000 call <jmp.&MFC71.#6236_CWnd::UpdateData> ; this->UpdateData(TRUE): copy control text into the member variables
0040158B |. 8D4B 74 lea ecx, dword ptr [ebx+74] ; ecx = &this->name (CString member at this+0x74)
0040158E |. FF15 9C314000 call dword ptr [<&MFC71.#876_ATL::CSimpleSt>; MFC71.#876_ATL::CSimpleStringT<char,1>::operator char const * -> eax = (const char*)name
00401594 |. 8D5424 10 lea edx, dword ptr [esp+10] ; edx = buf (copy destination)
00401598 |> 8A08 /mov cl, byte ptr [eax] ; strcpy(buf, name) by hand: copy bytes up to and including the NUL
0040159A |. 40 |inc eax
0040159B |. 880A |mov byte ptr [edx], cl
0040159D |. 42 |inc edx
0040159E |. 84C9 |test cl, cl
004015A0 |.^ 75 F6 \jnz short CRECKME_.00401598 ; no length check: a name longer than 127 bytes overruns the 128-byte stack buffer; the cookie at [esp+94] (checked at 00401601) is the only guard
004015A2 |. 8A4424 16 mov al, byte ptr [esp+16] ; al = buf[6]
004015A6 |. 84C0 test al, al ; buf[6] must be '\0' ...
004015A8 |. 75 50 jnz short CRECKME_.004015FA ; ... i.e. name longer than 6 chars -> fail
004015AA |. 8A5424 15 mov dl, byte ptr [esp+15] ; dl = buf[5] (stays live until 004015D9)
004015AE |. 84D2 test dl, dl ; buf[5] must be non-NUL ...
004015B0 |. 74 48 je short CRECKME_.004015FA ; ... i.e. name shorter than 6 chars -> fail; together: strlen(name) == 6
004015B2 |. 8B43 78 mov eax, dword ptr [ebx+78] ; eax = this->num (int member at this+0x78, the serial)
004015B5 |. 3D A0860100 cmp eax, 186A0 ; 0x186A0 = 100000
004015BA |. 7C 3E jl short CRECKME_.004015FA ; signed compare: num < 100000 (negative included) -> fail; num >= 100000 passes
004015BC |. 0FBE7424 12 movsx esi, byte ptr [esp+12] ; esi = buf[2]; movsx: bytes >= 0x80 contribute negative values
004015C1 |. 0FBE4C24 11 movsx ecx, byte ptr [esp+11] ; ecx = buf[1]
004015C6 |. 0FBE7C24 14 movsx edi, byte ptr [esp+14] ; edi = buf[4]
004015CB |. 03CE add ecx, esi ; ecx = buf[1] + buf[2]
004015CD |. 0FBE7424 10 movsx esi, byte ptr [esp+10] ; esi = buf[0]
004015D2 |. 03CE add ecx, esi ; ecx = buf[0] + buf[1] + buf[2]  (s1)
004015D4 |. 0FBE7424 13 movsx esi, byte ptr [esp+13] ; esi = buf[3]
004015D9 |. 0FBED2 movsx edx, dl ; edx = buf[5] (dl loaded at 004015AA)
004015DC |. 03F7 add esi, edi ; esi = buf[3] + buf[4]
004015DE |. 03F2 add esi, edx ; esi = buf[3] + buf[4] + buf[5]  (s2)
004015E0 |. 99 cdq ; edx:eax = sign-extended num, required before idiv (clobbers edx; buf[5] is already folded into esi)
004015E1 |. BF E8030000 mov edi, 3E8 ; edi = 1000
004015E6 |. F7FF idiv edi ; eax = num / 1000, edx = num % 1000 (signed, truncating)
004015E8 |. 3BC8 cmp ecx, eax ; s1 == num / 1000 ?
004015EA |. 75 0E jnz short CRECKME_.004015FA ; mismatch -> fail
004015EC |. 3BF2 cmp esi, edx ; s2 == num % 1000 ?
004015EE |. 75 0A jnz short CRECKME_.004015FA ; mismatch -> fail
004015F0 |. 8B03 mov eax, dword ptr [ebx] ; eax = this->vtable
004015F2 |. 8BCB mov ecx, ebx ; ecx = this
004015F4 |. FF90 54010000 call dword ptr [eax+154] ; success path: virtual call through vtable slot 0x154 (identified by the author as CDialog::OnOK)
004015FA |> 8B8C24 940000>mov ecx, dword ptr [esp+94] ; common exit (also the fail target): reload the stack cookie
00401601 |. E8 43040000 call CRECKME_.00401A49 ; cookie check, presumably __security_check_cookie -- confirm at 00401A49
00401606 |. 5F pop edi ; restore callee-saved registers
00401607 |. 5E pop esi
00401608 |. 5B pop ebx
00401609 |. 8BE5 mov esp, ebp ; undo the and/sub frame setup
0040160B |. 5D pop ebp
0040160C \. C3 retn
于是注册算法为（name 的 6 个字节均经 movsx 按有符号 char 取值，ASCII 0x80 以上的字节按负数计）：
name 长度必须恰好为 6 个字符（name[6]=='\0' 且 name[5]!='\0'）
num 必须 >= 100000（cmp/jl 是有符号比较，负数同样失败；注意是"大于等于"而非"大于"）
if(
(name[0]+name[1]+name[2] == num/1000)
&& (name[3]+name[4]+name[5] == num%1000)   // idiv 取整数商与余数
)
success!
反过来就是 keygen：令 s1 = name[0]+name[1]+name[2]，s2 = name[3]+name[4]+name[5]，则 num = s1*1000 + s2；只要 s1 在 100~999、s2 在 0~999 范围内即可（可打印 ASCII 三字节之和最大为 378，所以 s2 的条件自动满足，s1 需 >= 100）。
可以使用
name:123456      （'1'+'2'+'3' = 49+50+51 = 150，'4'+'5'+'6' = 52+53+54 = 159）
num:150159       （= 150*1000 + 159，且 >= 100000）
完成注册