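[Original] Algorithm analysis of a CrackMe, with keygen code
Posted on: 2011-3-9 21:51 3832
Hi everyone, this is a fairly simple CrackMe. I saw it on a forum and downloaded it to play with. I worked out the algorithm and finally wrote a keygen.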
0045993D 51 PUSH ECX
0045993E 51 PUSH ECX
0045993F 51 PUSH ECX
00459940 51 PUSH ECX
00459941 51 PUSH ECX
00459942 51 PUSH ECX
00459943 51 PUSH ECX
00459944 53 PUSH EBX
00459945 56 PUSH ESI
00459946 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00459949 33C0 XOR EAX,EAX
0045994B 55 PUSH EBP
0045994C 68 8E9A4500 PUSH CrackMe.00459A8E
00459951 64:FF30 PUSH DWORD PTR FS:[EAX]
00459954 64:8920 MOV DWORD PTR FS:[EAX],ESP
00459957 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
0045995A 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
0045995D 8B80 00030000 MOV EAX,DWORD PTR DS:[EAX+300]
00459963 E8 FCEFFDFF CALL CrackMe.00438964 ; read the user name into [EBP-14]
00459968 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
0045996B E8 FCABFAFF CALL CrackMe.0040456C ; returns the length of the user name
00459970 8BF0 MOV ESI,EAX
00459972 33DB XOR EBX,EBX ; clear EBX
00459974 8BC6 MOV EAX,ESI
00459976 85C0 TEST EAX,EAX
00459978 7E 21 JLE SHORT CrackMe.0045999B
0045997A BA 01000000 MOV EDX,1 ; --------------------->
0045997F 69CE 8E91C621 /IMUL ECX,ESI,21C6918E ; ESI holds the length of the user name; ECX = ESI*0X21C6918E
00459985 03D9 |ADD EBX,ECX ; EBX = EBX+ECX
00459987 8B4D EC |MOV ECX,DWORD PTR SS:[EBP-14] ; Stack SS:[0012F618]=00A121D0, (ASCII "wangwei")
0045998A 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1] ; fetch the ASCII value of each character in turn into ECX
0045998F 69C9 CE020000 |IMUL ECX,ECX,2CE ; ECX = ASCII*0X2CE
00459995 03D9 |ADD EBX,ECX
00459997 42 |INC EDX
00459998 48 |DEC EAX ; EAX holds the length of the user name and serves as the loop counter
00459999 ^ 75 E4 \JNZ SHORT CrackMe.0045997F ; <--------------------
0045999B 8BC3 MOV EAX,EBX
0045999D 99 CDQ ; CDQ/XOR/SUB: EAX = absolute value of EBX
0045999E 33C2 XOR EAX,EDX
004599A0 2BC2 SUB EAX,EDX
004599A2 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
004599A5 E8 9AEBFAFF CALL CrackMe.00408544 ; convert the value to a decimal string at [EBP-8]
004599AA 8BC6 MOV EAX,ESI
004599AC 85C0 TEST EAX,EAX
004599AE 7E 21 JLE SHORT CrackMe.004599D1
004599B0 BA 01000000 MOV EDX,1
004599B5 8B4D EC /MOV ECX,DWORD PTR SS:[EBP-14] ; --------------->Stack SS:[0012F618]=00A121D0, (ASCII "wangwei")
004599B8 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1] ; fetch the ASCII value of each character in turn into ECX
004599BD 69C9 8E91C621 |IMUL ECX,ECX,21C6918E ; ECX = ASCII*0X21C6918E
004599C3 69C9 BC070000 |IMUL ECX,ECX,7BC ; then ECX = ECX*0X7BC
004599C9 03D9 |ADD EBX,ECX ; EBX=EBX+ECX
004599CB 2BDE |SUB EBX,ESI ; EBX=EBX-ESI (ESI holds the length of the user name)
004599CD 42 |INC EDX
004599CE 48 |DEC EAX ; EAX holds the length of the user name and serves as the loop counter
004599CF ^ 75 E4 \JNZ SHORT CrackMe.004599B5 ; <-------------------
004599D1 8BC3 MOV EAX,EBX
004599D3 99 CDQ ; CDQ/XOR/SUB: EAX = absolute value of EBX
004599D4 33C2 XOR EAX,EDX
004599D6 2BC2 SUB EAX,EDX
004599D8 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
004599DB E8 64EBFAFF CALL CrackMe.00408544 ; convert the value to a decimal string at [EBP-C]
004599E0 8BC6 MOV EAX,ESI
004599E2 85C0 TEST EAX,EAX
004599E4 7E 1E JLE SHORT CrackMe.00459A04
004599E6 BA 01000000 MOV EDX,1
004599EB 8B4D EC /MOV ECX,DWORD PTR SS:[EBP-14] ; --------------->Stack SS:[0012F618]=00A121D0, (ASCII "wangwei")
004599EE 0FB64C11 FF |MOVZX ECX,BYTE PTR DS:[ECX+EDX-1] ; fetch the ASCII value of each character in turn into ECX
004599F3 0FAFCE |IMUL ECX,ESI ; ECX = ASCII*ESI (ESI holds the length of the user name)
004599F6 69C9 C6040000 |IMUL ECX,ECX,4C6 ; then ECX = ECX*0X4C6
004599FC 03D9 |ADD EBX,ECX ; EBX=EBX+ECX
004599FE 03DE |ADD EBX,ESI ; EBX=EBX+ESI (ESI holds the length of the user name)
00459A00 42 |INC EDX
00459A01 48 |DEC EAX ; EAX holds the length of the user name and serves as the loop counter
00459A02 ^ 75 E7 \JNZ SHORT CrackMe.004599EB
00459A04 81C3 8E91C621 ADD EBX,21C6918E ; EBX=EBX+21C6918E<------------------------
00459A0A 8BC3 MOV EAX,EBX
00459A0C 99 CDQ ; CDQ/XOR/SUB: EAX = absolute value of EBX
00459A0D 33C2 XOR EAX,EDX
00459A0F 2BC2 SUB EAX,EDX
00459A11 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
00459A14 E8 2BEBFAFF CALL CrackMe.00408544 ; convert the value to a decimal string at [EBP-10]
00459A19 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
00459A1C 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00459A1F 8B80 04030000 MOV EAX,DWORD PTR DS:[EAX+304]
00459A25 E8 3AEFFDFF CALL CrackMe.00438964 ; same call as at 00459963, here on the control at +304: read the entered serial into [EBP-18]
00459A2A 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
00459A2D 50 PUSH EAX
00459A2E FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00459A31 68 A49A4500 PUSH CrackMe.00459AA4
00459A36 FF75 F4 PUSH DWORD PTR SS:[EBP-C]
00459A39 68 A49A4500 PUSH CrackMe.00459AA4
00459A3E FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00459A41 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00459A44 BA 05000000 MOV EDX,5
00459A49 E8 DEABFAFF CALL CrackMe.0040462C ; join the 3 number strings (EDX=5 pieces: the string at 00459AA4 goes between them)
00459A4E 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
00459A51 58 POP EAX
00459A52 E8 59ACFAFF CALL CrackMe.004046B0 ; comparison call
00459A57 75 0A JNZ SHORT CrackMe.00459A63 ; key jump
00459A59 B8 B09A4500 MOV EAX,CrackMe.00459AB0
00459A5E E8 E18CFDFF CALL CrackMe.00432744
00459A63 33C0 XOR EAX,EAX
00459A65 5A POP EDX
00459A66 59 POP ECX
00459A67 59 POP ECX
00459A68 64:8910 MOV DWORD PTR FS:[EAX],EDX
00459A6B 68 959A4500 PUSH CrackMe.00459A95
00459A70 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
00459A73 E8 3CA8FAFF CALL CrackMe.004042B4
00459A78 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
00459A7B E8 34A8FAFF CALL CrackMe.004042B4
00459A80 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00459A83 BA 04000000 MOV EDX,4
00459A88 E8 4BA8FAFF CALL CrackMe.004042D8
00459A8D C3 RETN
00459A8E ^ E9 49A2FAFF JMP CrackMe.00403CDC
00459A93 ^ EB DB JMP SHORT CrackMe.00459A70
00459A95 5E POP ESI
00459A96 5B POP EBX
00459A97 8BE5 MOV ESP,EBP
00459A99 5D POP EBP
00459A9A C3 RETN
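1. This CrackMe mainly computes on the length of the user name and the characters of the user name together with the constants 0X21C6918E, 0X4C6, 0X7BC and 0X2CE; the resulting hexadecimal numbers are then converted to decimal.
*************************************************************
This is the keygen code. I wrote it in C++!
Please point out anything I did badly; I only started learning C++ recently, so it may not be well written.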
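#include <cstdint>
#include <iostream>
#include <string>
using namespace std;
int main()
{
    string a;                 // user name (std::string, so no fixed-size buffer to overflow)
    uint32_t b,y,z=0,w,h;     // unsigned 32-bit, so the arithmetic wraps exactly like EBX
    uint32_t c;
    size_t i;
    cout <<"请输入用户名"<<endl;
    cin>>a;
    c=(uint32_t)a.size();     // length of the user name
    for(i=0;i<c;i++)          // the length of the user name is the loop count
    {
        b=c*0X21C6918Eu;                  // length of the user name * 0X21C6918E
        z=z+b;
        y=(unsigned char)a[i]*0X2CEu;     // ASCII value of the character * 0X2CE (MOVZX: unsigned)
        z=z+y;                            // add y to z
    }
    w=z;                      // z is carried into the next stage
    for(i=0;i<c;i++)
    {
        b=(unsigned char)a[i]*0X21C6918Eu*0X7BCu; // ASCII value * 0X21C6918E * 0X7BC
        w=w+b;
        w=w-c;                            // subtract the length of the user name
    }
    h=w;                      // keep the second value; w continues into the last stage
    for(i=0;i<c;i++)
    {
        b=(unsigned char)a[i]*c*0X4C6u;   // ASCII value * length * 0X4C6
        w=w+b;
        w=w+c;                            // add the length of the user name
    }
    w=w+0X21C6918Eu;          // add 0X21C6918E
    // Testing showed that z must be > 0 and that w and h must be < 0, hence the checks below.
    // Reinterpret as signed 32-bit and widen so that negating cannot overflow.
    int64_t zz=(int32_t)z, hh=(int32_t)h, ww=(int32_t)w;
    if(zz<0){zz=-zz;}
    if(hh>0){hh=-hh;}
    if(ww>0){ww=-ww;}
    cout<<zz<<hh<<ww<<endl;
}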
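The three loops in the listing collapse to a closed form that depends only on the length of the user name and the sum of its bytes, so any two names with the same length and byte sum yield the same three values. The block below is an added example, not the author's code: it models the registers with wrapping 32-bit arithmetic, including the CDQ/XOR/SUB absolute value, and compares that model with the closed form. The names `abs32`, `from_listing`, `closed_form`, `byte_sum` and the anagram "iewgnaw" are made up for this illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

const uint32_t K = 0x21C6918E;            // constant from the listing

struct Parts { uint32_t p1, p2, p3; };    // the three values passed to CALL 00408544
bool operator==(const Parts& a, const Parts& b) {
    return a.p1 == b.p1 && a.p2 == b.p2 && a.p3 == b.p3;
}

// CDQ / XOR EAX,EDX / SUB EAX,EDX: branch-free abs() of a signed 32-bit value.
// 0x80000000 maps to itself, as it does on the CPU.
uint32_t abs32(uint32_t v) {
    uint32_t sign = (v & 0x80000000u) ? 0xFFFFFFFFu : 0u;   // EDX after CDQ
    return (v ^ sign) - sign;
}

// Register-level model of the three loops; uint32_t wraps mod 2^32 like EBX.
Parts from_listing(const std::string& name) {
    uint32_t n = (uint32_t)name.size(), ebx = 0;
    Parts r;
    for (unsigned char ch : name) ebx += n * K + ch * 0x2CEu;       // loop at 0045997F
    r.p1 = abs32(ebx);
    for (unsigned char ch : name) ebx += ch * K * 0x7BCu - n;       // loop at 004599B5
    r.p2 = abs32(ebx);
    for (unsigned char ch : name) ebx += ch * n * 0x4C6u + n;       // loop at 004599EB
    r.p3 = abs32(ebx + K);                                          // ADD at 00459A04
    return r;
}

// The same values computed from only the length n and the byte sum s of the name.
Parts closed_form(uint32_t n, uint32_t s) {
    uint32_t e1 = n * n * K + s * 0x2CEu;
    uint32_t e2 = e1 + s * K * 0x7BCu - n * n;
    uint32_t e3 = e2 + s * n * 0x4C6u + n * n + K;
    return { abs32(e1), abs32(e2), abs32(e3) };
}

uint32_t byte_sum(const std::string& name) {
    uint32_t s = 0;
    for (unsigned char ch : name) s += ch;
    return s;
}

int main() {
    const std::string a = "wangwei", b = "iewgnaw";   // b: constructed anagram of a
    Parts p = from_listing(a);
    std::cout << p.p1 << ' ' << p.p2 << ' ' << p.p3 << '\n';
    std::cout << (p == from_listing(b) ? "same serial parts\n" : "different\n");
}
```

A check of this shape ties the serial to very little of the name, which is why it falls to a few lines of arithmetic once the constants are read out of the binary.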