OD载入,字符串参考,找到
;Success path located through the string reference: the text "Now make a keygen!" is passed to SetWindowTextA.
0040158A |. 68 1CA04200 push crackme1.0042A01C ; /Now make a keygen!
0040158F |. 8B4D 9C mov ecx,[local.25] ; |
00401592 |. 51 push ecx ; |hWnd
00401593 |. FF15 D8024300 call dword ptr ds:[<&USER32.SetWindowTex>; \SetWindowTextA
往上翻,
;Serial check: a value is computed from the name, converted to a string, and compared with the buffer at local.24.
0040155C |> \6A 0A push 0A ;presumably the radix (10) for the conversion call at 0040156F
0040155E |. 8D4D E0 lea ecx,[local.8]
00401561 |. 51 push ecx ;presumably the output buffer for the conversion call
00401562 |. 8D55 C0 lea edx,[local.16]
00401565 |. 52 push edx ;single argument of 0040101E (used there as the name)
00401566 |. E8 B3FAFFFF call crackme1.0040101E ;key routine
0040156B |. 83C4 04 add esp,4 ;removes only the name argument; the two earlier pushes stay on the stack
0040156E |. 50 push eax ;value returned by the key routine
0040156F |. E8 FC9F0000 call crackme1.0040B570 ;converts the number to a decimal string
00401574 |. 83C4 0C add esp,0C ;removes all three arguments of the conversion call
00401577 |. 50 push eax
00401578 |. 8D45 A0 lea eax,[local.24]
0040157B |. 50 push eax
0040157C |. E8 1F1F0000 call crackme1.004034A0 ;string comparison function
00401581 |. 83C4 08 add esp,8
00401584 |. 85C0 test eax,eax
00401586 |. 75 18 jnz short crackme1.004015A0 ;nonzero compare result leaves the fall-through path
下面进入40101E的CALL,
;Key routine (thunk at 0040101E, body at 004011C0): accumulates s over the characters of arg.1,
;then returns 10*s plus the value returned by 00401005(s).
0040101E $ /E9 9D010000 jmp crackme1.004011C0 ;jump thunk to the real body
004011C0 /> \55 push ebp
004011C1 |. 8BEC mov ebp,esp
004011C3 |. 83EC 50 sub esp,50
004011C6 |. 53 push ebx
004011C7 |. 56 push esi
004011C8 |. 57 push edi
004011C9 |. 8D7D B0 lea edi,[local.20]
004011CC |. B9 14000000 mov ecx,14
004011D1 |. B8 CCCCCCCC mov eax,CCCCCCCC
004011D6 |. F3:AB rep stos dword ptr es:[edi] ;fills 0x14 dwords of locals with 0xCCCCCCCC
004011D8 |. C745 FC 00000>mov [local.1],0
004011DF |. C745 F8 00000>mov [local.2],0 ;call local.2 "s" (running sum)
004011E6 |. C745 F4 00000>mov [local.3],0
004011ED |. 8B45 08 mov eax,[arg.1]
004011F0 |. 50 push eax
004011F1 |. E8 2A220000 call crackme1.00403420
004011F6 |. 83C4 04 add esp,4
004011F9 |. 8945 F0 mov [local.4],eax ;call local.4 "n" = strlen(name)
004011FC |. 8B4D 08 mov ecx,[arg.1]
004011FF |. 51 push ecx
00401200 |. E8 1B210000 call crackme1.00403320 ;converts name to upper case
00401205 |. 83C4 04 add esp,4
00401208 |. C745 FC 00000>mov [local.1],0 ;analysis starts here; call local.1 "i"
0040120F |. EB 09 jmp short crackme1.0040121A
00401211 |> 8B55 FC /mov edx,[local.1]
00401214 |. 83C2 01 |add edx,1
00401217 |. 8955 FC |mov [local.1],edx ;i++
0040121A |> 8B45 FC mov eax,[local.1]
0040121D |. 3B45 F0 |cmp eax,[local.4]
00401220 |. 7D 3C |jge short crackme1.0040125E ;loop while i<n
00401222 |. 8B4D 08 |mov ecx,[arg.1]
00401225 |. 034D FC |add ecx,[local.1] ;ecx points to name+i
00401228 |. 33D2 |xor edx,edx
0040122A |. 8A11 |mov dl,byte ptr ds:[ecx] ;dl=name[i], zero-extended because edx was cleared
0040122C |. 83FA 20 |cmp edx,20
0040122F |. 74 2B |je short crackme1.0040125C ;name[i]==0x20 (space): go to the next iteration
00401231 |. 8B45 08 |mov eax,[arg.1]
00401234 |. 0345 FC |add eax,[local.1]
00401237 |. 33C9 |xor ecx,ecx
00401239 |. 8A08 |mov cl,byte ptr ds:[eax] ;cl=name[i] again, zero-extended
0040123B |. 894D F4 |mov [local.3],ecx
0040123E |. 8B55 F4 |mov edx,[local.3]
00401241 |. 69D2 7A150000 |imul edx,edx,157A
00401247 |. 8955 F4 |mov [local.3],edx
0040124A |. 8B45 F4 |mov eax,[local.3]
0040124D |. 83E8 01 |sub eax,1
00401250 |. 8945 F4 |mov [local.3],eax ;local.3=name[i]*0x157a-1
00401253 |. 8B4D F8 |mov ecx,[local.2]
00401256 |. 034D F4 |add ecx,[local.3]
00401259 |. 894D F8 |mov [local.2],ecx ;s+=name[i]*0x157a-1
0040125C |>^ EB B3 \jmp short crackme1.00401211
0040125E |> 8B75 F8 mov esi,[local.2]
00401261 |. 6BF6 0A imul esi,esi,0A ;esi=10*s, used later
00401264 |. 8B55 F8 mov edx,[local.2]
00401267 |. 52 push edx
00401268 |. E8 98FDFFFF call crackme1.00401005 ;step into this call (argument is s)
0040126D |. 83C4 04 add esp,4
00401270 |. 03C6 add eax,esi ;eax+=10*s, this is the return value
00401272 |. 5F pop edi
00401273 |. 5E pop esi
00401274 |. 5B pop ebx
00401275 |. 83C4 50 add esp,50
00401278 |. 3BEC cmp ebp,esp
0040127A |. E8 41200000 call crackme1.004032C0 ;presumably a stack-balance check on the ebp/esp compare above
0040127F |. 8BE5 mov esp,ebp
00401281 |. 5D pop ebp
00401282 \. C3 retn
由以上写出,
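char a[50]={0};
/* Bounded read: at most 49 characters up to the end of the line. The unbounded
   "%s" could write past a[50], and it also stopped at the first space, although
   the disassembled loop explicitly skips 0x20 characters inside the name. */
scanf("%49[^\n]",a);
int n=strlen(a);
unsigned int s=0;
for (int i=0;i<n;i++)
{
    /* The routine loads each byte zero-extended (xor + mov cl), so work on
       unsigned char; this also keeps toupper() defined for bytes >= 0x80. */
    unsigned char ch=(unsigned char)toupper((unsigned char)a[i]);
    a[i]=(char)ch;
    if(ch!=0x20)
        s+=ch*0x157a-1;
}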
401005:
;Second routine (thunk at 00401005, body at 004010E0): for i = 10 down to 0 it adds (int)(s/10^i)*d to _s,
;updating d through 00401037 whenever the quotient is positive, and returns _s % 10.
;The listing of 00401037 is shown inline between the braces below.
00401005 $ /E9 D6000000 jmp crackme1.004010E0 ;jump thunk to the real body
004010E0 /> \55 push ebp
004010E1 |. 8BEC mov ebp,esp
004010E3 |. 83EC 58 sub esp,58
004010E6 |. 53 push ebx
004010E7 |. 56 push esi
004010E8 |. 57 push edi
004010E9 |. 8D7D A8 lea edi,[local.22]
004010EC |. B9 16000000 mov ecx,16
004010F1 |. B8 CCCCCCCC mov eax,CCCCCCCC
004010F6 |. F3:AB rep stos dword ptr es:[edi] ;fills 0x16 dwords of locals with 0xCCCCCCCC
004010F8 |. C745 FC 00000>mov [local.1],0
004010FF |. C745 F8 01000>mov [local.2],1 ;call local.2 "d" (starts at 1)
00401106 |. C745 F4 00000>mov [local.3],0 ;call local.3 "_s"
0040110D |. C745 FC 0A000>mov [local.1],0A ;call local.1 "i" (starts at 10)
00401114 |. EB 09 jmp short crackme1.0040111F
00401116 |> 8B45 FC /mov eax,[local.1]
00401119 |. 83E8 01 |sub eax,1
0040111C |. 8945 FC |mov [local.1],eax ;i--
0040111F |> 837D FC 00 cmp [local.1],0
00401123 |. 7C 4F |jl short crackme1.00401174 ;loop while i>=0
00401125 |. DB45 08 |fild [arg.1] ;loads s as a signed integer
00401128 |. DD5D E8 |fstp qword ptr ss:[ebp-18] ;[ebp-18]=c=s, stored as a 64-bit double
0040112B |. DB45 FC |fild [local.1] ;ST=i
0040112E |. 83EC 08 |sub esp,8
00401131 |. DD1C24 |fstp qword ptr ss:[esp] ;[esp]=i as a double (esp was just lowered by 8)
00401134 |. 68 00002440 |push 40240000 ;high dword of the double 10.0
00401139 |. 6A 00 |push 0 ;low dword of the double 10.0
0040113B |. E8 C91E0000 |call crackme1.00403009 ;ST=10^i
00401140 |. 83C4 10 |add esp,10
00401143 |. DC7D E8 |fdivr qword ptr ss:[ebp-18] ;ST=c/10^i
00401146 |. E8 AD210000 |call crackme1.004032F8 ;eax=(int)(c/10^i)
0040114B |. 8945 F0 |mov [local.4],eax
0040114E |. 837D F0 00 |cmp [local.4],0
00401152 |. 7E 0F |jle short crackme1.00401163 ;(int)(c/10^i)<=0: skip the update of d
00401154 |. 8B4D F8 |mov ecx,[local.2]
00401157 |. 51 |push ecx
00401158 |. E8 DAFEFFFF |call crackme1.00401037 ;next value of d, computed from the current d
{
00401037 $ /E9 44000000 jmp crackme1.00401080
00401080 /> \55 push ebp
00401081 |. 8BEC mov ebp,esp
00401083 |. 83EC 44 sub esp,44
00401086 |. 53 push ebx
00401087 |. 56 push esi
00401088 |. 57 push edi
00401089 |. 8D7D BC lea edi,[local.17]
0040108C |. B9 11000000 mov ecx,11
00401091 |. B8 CCCCCCCC mov eax,CCCCCCCC
00401096 |. F3:AB rep stos dword ptr es:[edi]
00401098 |. C745 FC 07000>mov [local.1],7 ;default: return 7
0040109F |. 837D 08 07 cmp [arg.1],7 ;arg.1==7: return 3
004010A3 |. 75 07 jnz short crackme1.004010AC
004010A5 |. C745 FC 03000>mov [local.1],3
004010AC |> 837D 08 03 cmp [arg.1],3 ;arg.1==3: return 1
004010B0 |. 75 07 jnz short crackme1.004010B9
004010B2 |. C745 FC 01000>mov [local.1],1
004010B9 |> 8B45 FC mov eax,[local.1]
004010BC |. 5F pop edi
004010BD |. 5E pop esi
004010BE |. 5B pop ebx
004010BF |. 8BE5 mov esp,ebp
004010C1 |. 5D pop ebp
004010C2 \. C3 retn
}
0040115D |. 83C4 04 |add esp,4
00401160 |. 8945 F8 |mov [local.2],eax ;d=value returned by 00401037
00401163 |> 8B55 F0 |mov edx,[local.4] ;edx=(int)(c/10^i)
00401166 |. 0FAF55 F8 |imul edx,[local.2]
0040116A |. 8B45 F4 |mov eax,[local.3]
0040116D |. 03C2 |add eax,edx
0040116F |. 8945 F4 |mov [local.3],eax ;_s+=(int)(c/10^i)*d
00401172 |.^ EB A2 \jmp short crackme1.00401116
00401174 |> 8B45 F4 mov eax,[local.3]
00401177 |. 99 cdq
00401178 |. B9 0A000000 mov ecx,0A
0040117D |. F7F9 idiv ecx ;signed division of _s by 10
0040117F |. 8BC2 mov eax,edx ;eax=_s%10
00401181 |. 5F pop edi
00401182 |. 5E pop esi
00401183 |. 5B pop ebx
00401184 |. 83C4 58 add esp,58
00401187 |. 3BEC cmp ebp,esp
00401189 |. E8 32210000 call crackme1.004032C0 ;presumably a stack-balance check on the ebp/esp compare above
0040118E |. 8BE5 mov esp,ebp
00401190 |. 5D pop ebp
00401191 \. C3 retn
由以上写出
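/* The routine keeps c as a 64-bit double (fild / fstp qword), so use double:
   a float has a 24-bit mantissa and would round s once it exceeds 2^24, which
   changes the truncated quotients below. fild reads s as signed; the result is
   the same as here while s stays below 2^31. */
double c=s;
unsigned int d=1;
double e;
unsigned int _s=0;
char buf[50]={0};
/* i is the counter of the first loop; declare it separately on compilers that
   limit a for-declared variable to its loop. */
for (i=10;i>=0;i--)
{
    e=c/pow(10,i);
    if((int)e>0)
    {
        /* d cycles 1 -> 7 -> 3 -> 1, as returned by 00401037 */
        if(d==7)d=3;
        else if(d==3)d=1;
        else d=7;
    }
    _s+=(int)e*d;
}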
注册机:
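/*
 * Keygen for the crackme analysed above: reads a name from standard input and
 * prints the decimal value that the two disassembled routines (004011C0 and
 * 004010E0) derive from it.
 *
 * Input:  one line, at most 49 characters are used (spaces are allowed and
 *         are skipped by the sum, as in the disassembly).
 * Output: the serial as a decimal number, without a trailing newline.
 */
int main(void)
{
    char a[50] = {0};
    unsigned int s = 0;      /* sum built by 004011C0 */
    unsigned int d = 1;      /* multiplier cycling 1 -> 7 -> 3 -> 1 */
    unsigned int _s = 0;     /* sum built by 004010E0 */
    double c;
    int n;
    int i;                   /* declared once so both loops compile on old and new compilers */

    /* Bounded read: an unbounded "%s" could write past a[50], and it stopped
       at the first space although the routine handles spaces in the name. */
    if (scanf("%49[^\n]", a) != 1)
        a[0] = '\0';
    n = (int)strlen(a);

    for (i = 0; i < n; i++)
    {
        /* The routine loads each byte zero-extended, so work on unsigned char;
           this also keeps toupper() defined for bytes >= 0x80. */
        unsigned char ch = (unsigned char)toupper((unsigned char)a[i]);
        a[i] = (char)ch;
        if (ch != 0x20)
            s += ch * 0x157a - 1;
    }

    /* The routine loads s with fild (signed) and keeps it as a 64-bit double;
       a float would round s once it exceeds 2^24. */
    c = (double)(int)s;

    for (i = 10; i >= 0; i--)
    {
        int q = (int)(c / pow(10, i));   /* truncated quotient, as in the routine */
        if (q > 0)
        {
            if (d == 7) d = 3;
            else if (d == 3) d = 1;
            else d = 7;
        }
        _s += q * d;
    }

    /* Same value the original passed to itoa(..., 10); printf avoids the
       non-standard itoa and the intermediate buffer. */
    printf("%d", (int)(_s % 10 + s * 10));
    return 0;
}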