[旧帖] [原创]破解ex1402.rar_582 0.00雪花
发表于: 2016-2-22 20:49 1386
CrackMe提供者:小虾
原帖:http://bbs.pediy.com/showthread.php?t=9905
工具:od,vc
平台:winxpsp3
一、破
定位验证函数:
004512E8 |. 8B45 E8 mov eax, dword ptr [ebp-18]
004512EB |. E8 D431FBFF call 004044C4
004512F0 |. 8BF0 mov esi, eax
004512F2 |. 8B45 E4 mov eax, dword ptr [ebp-1C]
004512F5 |. E8 CA31FBFF call 004044C4
004512FA |. 3BF0 cmp esi, eax ;比较用户输入注册码和正确注册码的长度
004512FC |. 0F85 96000000 jnz 00451398 ;爆破点
00451302 |. 8B45 E8 mov eax, dword ptr [ebp-18] ;下面是根据算法注册码长度进行注册码逐字符比较
00451305 |. E8 BA31FBFF call 004044C4
0045130A |. 8BF8 mov edi, eax
0045130C |. 85FF test edi, edi
0045130E |. 7E 26 jle short 00451336
00451310 |. BE 01000000 mov esi, 1
00451315 |> 8B45 E8 /mov eax, dword ptr [ebp-18]
00451318 |. 8A4430 FF |mov al, byte ptr [eax+esi-1]
0045131C |. 25 FF000000 |and eax, 0FF
00451321 |. 8B55 E4 |mov edx, dword ptr [ebp-1C]
00451324 |. 8A5432 FF |mov dl, byte ptr [edx+esi-1]
00451328 |. 81E2 FF000000 |and edx, 0FF
0045132E |. 3BD0 |cmp edx, eax
00451330 |. 75 66 |jnz short 00451398
00451332 |. 46 |inc esi
00451333 |. 4F |dec edi
00451334 |.^ 75 DF \jnz short 00451315
00451336 |> 8D45 E0 lea eax, dword ptr [ebp-20] ;此处通过了比较
二、解
00451246 |. 8D55 D0 lea edx, dword ptr [ebp-30]
00451249 |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
0045124F |. E8 F0EEFDFF call 00430144 ; 取用户名
00451254 |. 8B45 D0 mov eax, dword ptr [ebp-30]
00451257 |. 8D55 D4 lea edx, dword ptr [ebp-2C]
0045125A |. E8 D5FCFFFF call 00450F34 ;算法函数
该算法较为繁琐,我个人觉得类似md5(我唯一学习实现过的标准算法)。采用5轮运算,获得5个dword,合成为注册码。
具体算法我没有分析透彻,无法用c描述。所以,keygen主要基于汇编语言。
#include "stdafx.h"
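/*
 * int _tmain(int argc, _TCHAR *argv[])
 *
 * Keygen for the ex1402 crackme: reproduces the target's serial routine
 * (the call to 00450F34 in the listing above) with MSVC x86 inline asm.
 * __asm exists only in 32-bit MSVC builds, so build this as Win32.
 *
 * State inside the asm block:
 *   esi, edi, ebx   running state words, stored to key1..key3 at the end
 *   [key4], [key5]  running state words kept in memory
 *   eax             1-based index of the current name character
 *   ecx, edx        scratch
 * Every loop iteration reads the same name byte in each of its five rounds
 * and advances eax once; the loop leaves on the terminating NUL, so an empty
 * name prints the initial constants unchanged.
 *
 * The whole algorithm sits in ONE __asm block on purpose: the state lives in
 * esi/edi/ebx across the loop, and the compiler does not promise to keep
 * register contents between separate __asm blocks.
 *
 * Returns 0 on success, 1 if no user name could be read.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    char name[256];
    char *pname;
    /* unsigned: the words wrap on add/shl and are printed with %lX */
    unsigned long key1, key2, key3, key4, key5;

    (void)argc;
    (void)argv;

    printf("请输入注册用户名;");
    pname = gets_s(name, sizeof name);
    if (pname == NULL) {
        /* EOF or an over-long line: gets_s returns NULL and the asm below
         * would dereference it. */
        fputs("no user name read\n", stderr);
        return 1;
    }

    _asm
    {
        /* initial state; presumably transcribed from 00450F34 — TODO confirm */
        mov esi, 0x01234567
        mov edi, 0x89abcdef
        mov ebx, 0xfedcba98
        mov [key4], 0x76543210
        mov [key5], 0x12121212
        mov eax, 1                        ; eax = 1-based char index

    loopsum:
        /* ---- round 1: OR the masked char into esi, then update
         * esi, ebx, edi, [key4], [key5] in turn ---- */
        mov edx, dword ptr [pname]
        movzx edx, byte ptr [edx+eax-1]   ; edx = name[eax-1]
        test edx, edx
        jz endsum                         ; NUL terminator: done
        xor edx, edi
        mov ecx, dword ptr [key5]
        and ecx, ebx
        or edx, ecx
        or esi, edx
        mov edx, dword ptr [key4]
        shl edx, 0x2
        mov ecx, dword ptr [key5]
        shr ecx, 0x20                     ; NOTE: a 32-bit shift count is masked to 5 bits, so 0x20 shifts by 0 and ecx is unchanged (same for every shr ecx, 0x20 below); kept as written because it mirrors the serial the target expects
        xor edx, ecx
        add edx, ebx
        add esi, edx
        mov edx, esi
        shl edx, 0x5
        mov ecx, ebx
        shr ecx, 0x16
        xor edx, ecx
        add edx, dword ptr [key4]
        add ebx, edx
        mov edx, ebx
        shl edx, 0x3
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, esi
        add edi, edx
        mov edx, dword ptr [key5]
        shl edx, 0x6
        mov ecx, edi
        shr ecx, 0x18
        xor edx, ecx
        add edx, ebx
        add dword ptr [key4], edx
        mov edx, dword ptr [key4]
        shl edx, 0x4
        mov ecx, esi
        shr ecx, 0x6
        xor edx, ecx
        add edx, edi
        add dword ptr [key5], edx

        /* ---- round 2: same char, OR into edi; shift counts differ ---- */
        mov edx, dword ptr [pname]
        movzx edx, byte ptr [edx+eax-1]
        xor edx, edi
        mov ecx, dword ptr [key4]
        and ecx, esi
        or edx, ecx
        or edi, edx
        mov edx, dword ptr [key4]
        shl edx, 0x2
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, ebx
        add esi, edx
        mov edx, esi
        shl edx, 0x5
        mov ecx, ebx
        shr ecx, 0x16
        xor edx, ecx
        add edx, dword ptr [key4]
        add ebx, edx
        mov edx, ebx
        shl edx, 0x2
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, esi
        add edi, edx
        mov edx, dword ptr [key5]
        shl edx, 0x6
        mov ecx, edi
        shr ecx, 0x18
        xor edx, ecx
        add edx, ebx
        add dword ptr [key4], edx
        mov edx, dword ptr [key4]
        shl edx, 0x4
        mov ecx, esi
        shr ecx, 0x6
        xor edx, ecx
        add edx, edi
        add dword ptr [key5], edx

        /* ---- round 3: OR into ebx ---- */
        mov edx, dword ptr [pname]
        movzx edx, byte ptr [edx+eax-1]
        xor edx, edi
        mov ecx, dword ptr [key5]
        and ecx, edi
        or edx, ecx
        or ebx, edx
        mov edx, dword ptr [key4]
        shl edx, 0x2
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, ebx
        add esi, edx
        mov edx, esi
        shl edx, 0x5
        mov ecx, ebx
        shr ecx, 0x16
        xor edx, ecx
        add edx, dword ptr [key4]
        add ebx, edx
        mov edx, ebx
        shl edx, 0x5
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, esi
        add edi, edx
        mov edx, dword ptr [key5]
        shl edx, 0x6
        mov ecx, edi
        shr ecx, 0x18
        xor edx, ecx
        add edx, ebx
        add dword ptr [key4], edx
        mov edx, dword ptr [key4]
        shl edx, 0x3
        mov ecx, esi
        shr ecx, 0x6
        xor edx, ecx
        add edx, edi
        add dword ptr [key5], edx

        /* ---- round 4: OR into [key4] ---- */
        mov edx, dword ptr [pname]
        movzx edx, byte ptr [edx+eax-1]
        xor edx, edi
        mov ecx, ebx
        and ecx, esi
        or edx, ecx
        or dword ptr [key4], edx
        mov edx, dword ptr [key4]
        shl edx, 0x2
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, ebx
        add esi, edx
        mov edx, esi
        shl edx, 0x5
        mov ecx, ebx
        shr ecx, 0x16
        xor edx, ecx
        add edx, dword ptr [key4]
        add ebx, edx
        mov edx, ebx
        shl edx, 0x6
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, esi
        add edi, edx
        mov edx, dword ptr [key5]
        shl edx, 0x6
        mov ecx, edi
        shr ecx, 0x18
        xor edx, ecx
        add edx, ebx
        add dword ptr [key4], edx
        mov edx, dword ptr [key4]
        shl edx, 0x4
        mov ecx, esi
        shr ecx, 0x20                     ; also a no-op shift (see round 1)
        xor edx, ecx
        add edx, edi
        add dword ptr [key5], edx

        /* ---- round 5: OR into [key5] ---- */
        mov edx, dword ptr [pname]
        movzx edx, byte ptr [edx+eax-1]
        xor edx, edi
        mov ecx, dword ptr [key4]
        and ecx, edi
        or edx, ecx
        or dword ptr [key5], edx
        mov edx, dword ptr [key4]
        shl edx, 0x2
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, ebx
        add esi, edx
        mov edx, esi
        shl edx, 0x5
        mov ecx, ebx
        shr ecx, 0x16
        xor edx, ecx
        add edx, dword ptr [key4]
        add ebx, edx
        mov edx, ebx
        shl edx, 0x3
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, esi
        add edi, edx
        mov edx, dword ptr [key5]
        shl edx, 0x6
        mov ecx, edi
        shr ecx, 0x18
        xor edx, ecx
        add edx, ebx
        add dword ptr [key4], edx
        mov edx, dword ptr [key4]
        shl edx, 0x5
        mov ecx, esi
        shr ecx, 0x6
        xor edx, ecx
        add edx, edi
        add dword ptr [key5], edx

        inc eax                           ; next character
        jmp loopsum

    endsum:
        mov [key1], esi
        mov [key2], edi
        mov [key3], ebx
    }

    /* NOTE(review): %lX has no width/zero-pad, so a state word below
     * 0x10000000 prints fewer than 8 digits. The target compares serial
     * lengths first (004512FA); if 00450F34 zero-pads its own string this
     * keygen's serial would be rejected for such names — confirm the
     * target's formatting before relying on it. */
    printf("注册码:%lX%lX%lX%lX%lX\n", key1, key2, key3, key4, key5);
    getchar(); /* pause so the console window stays open */
    return 0;
}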
原帖:http://bbs.pediy.com/showthread.php?t=9905
工具:od,vc
平台:winxpsp3
一、破
定位验证函数:
004512E8 |. 8B45 E8 mov eax, dword ptr [ebp-18]
004512EB |. E8 D431FBFF call 004044C4
004512F0 |. 8BF0 mov esi, eax
004512F2 |. 8B45 E4 mov eax, dword ptr [ebp-1C]
004512F5 |. E8 CA31FBFF call 004044C4
004512FA |. 3BF0 cmp esi, eax ;比较用户输入注册码和正确注册码的长度
004512FC |. 0F85 96000000 jnz 00451398 ;爆破点
00451302 |. 8B45 E8 mov eax, dword ptr [ebp-18] ;下面是根据算法注册码长度进行注册码逐字符比较
00451305 |. E8 BA31FBFF call 004044C4
0045130A |. 8BF8 mov edi, eax
0045130C |. 85FF test edi, edi
0045130E |. 7E 26 jle short 00451336
00451310 |. BE 01000000 mov esi, 1
00451315 |> 8B45 E8 /mov eax, dword ptr [ebp-18]
00451318 |. 8A4430 FF |mov al, byte ptr [eax+esi-1]
0045131C |. 25 FF000000 |and eax, 0FF
00451321 |. 8B55 E4 |mov edx, dword ptr [ebp-1C]
00451324 |. 8A5432 FF |mov dl, byte ptr [edx+esi-1]
00451328 |. 81E2 FF000000 |and edx, 0FF
0045132E |. 3BD0 |cmp edx, eax
00451330 |. 75 66 |jnz short 00451398
00451332 |. 46 |inc esi
00451333 |. 4F |dec edi
00451334 |.^ 75 DF \jnz short 00451315
00451336 |> 8D45 E0 lea eax, dword ptr [ebp-20] ;此处通过了比较
二、解
00451246 |. 8D55 D0 lea edx, dword ptr [ebp-30]
00451249 |. 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
0045124F |. E8 F0EEFDFF call 00430144 ; 取用户名
00451254 |. 8B45 D0 mov eax, dword ptr [ebp-30]
00451257 |. 8D55 D4 lea edx, dword ptr [ebp-2C]
0045125A |. E8 D5FCFFFF call 00450F34 ;算法函数
该算法较为繁琐,我个人觉得类似md5(我唯一学习实现过的标准算法)。采用5轮运算,获得5个dword,合成为注册码。
具体算法我没有分析透彻,无法用c描述。所以,keygen主要基于汇编语言。
#include "stdafx.h"
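/*
 * int _tmain(int argc, _TCHAR *argv[])
 *
 * Keygen for the ex1402 crackme: reproduces the target's serial routine
 * (the call to 00450F34 in the listing above) with MSVC x86 inline asm.
 * __asm exists only in 32-bit MSVC builds, so build this as Win32.
 *
 * State inside the asm block:
 *   esi, edi, ebx   running state words, stored to key1..key3 at the end
 *   [key4], [key5]  running state words kept in memory
 *   eax             1-based index of the current name character
 *   ecx, edx        scratch
 * Every loop iteration reads the same name byte in each of its five rounds
 * and advances eax once; the loop leaves on the terminating NUL, so an empty
 * name prints the initial constants unchanged.
 *
 * The whole algorithm sits in ONE __asm block on purpose: the state lives in
 * esi/edi/ebx across the loop, and the compiler does not promise to keep
 * register contents between separate __asm blocks.
 *
 * Returns 0 on success, 1 if no user name could be read.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    char name[256];
    char *pname;
    /* unsigned: the words wrap on add/shl and are printed with %lX */
    unsigned long key1, key2, key3, key4, key5;

    (void)argc;
    (void)argv;

    printf("请输入注册用户名;");
    pname = gets_s(name, sizeof name);
    if (pname == NULL) {
        /* EOF or an over-long line: gets_s returns NULL and the asm below
         * would dereference it. */
        fputs("no user name read\n", stderr);
        return 1;
    }

    _asm
    {
        /* initial state; presumably transcribed from 00450F34 — TODO confirm */
        mov esi, 0x01234567
        mov edi, 0x89abcdef
        mov ebx, 0xfedcba98
        mov [key4], 0x76543210
        mov [key5], 0x12121212
        mov eax, 1                        ; eax = 1-based char index

    loopsum:
        /* ---- round 1: OR the masked char into esi, then update
         * esi, ebx, edi, [key4], [key5] in turn ---- */
        mov edx, dword ptr [pname]
        movzx edx, byte ptr [edx+eax-1]   ; edx = name[eax-1]
        test edx, edx
        jz endsum                         ; NUL terminator: done
        xor edx, edi
        mov ecx, dword ptr [key5]
        and ecx, ebx
        or edx, ecx
        or esi, edx
        mov edx, dword ptr [key4]
        shl edx, 0x2
        mov ecx, dword ptr [key5]
        shr ecx, 0x20                     ; NOTE: a 32-bit shift count is masked to 5 bits, so 0x20 shifts by 0 and ecx is unchanged (same for every shr ecx, 0x20 below); kept as written because it mirrors the serial the target expects
        xor edx, ecx
        add edx, ebx
        add esi, edx
        mov edx, esi
        shl edx, 0x5
        mov ecx, ebx
        shr ecx, 0x16
        xor edx, ecx
        add edx, dword ptr [key4]
        add ebx, edx
        mov edx, ebx
        shl edx, 0x3
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, esi
        add edi, edx
        mov edx, dword ptr [key5]
        shl edx, 0x6
        mov ecx, edi
        shr ecx, 0x18
        xor edx, ecx
        add edx, ebx
        add dword ptr [key4], edx
        mov edx, dword ptr [key4]
        shl edx, 0x4
        mov ecx, esi
        shr ecx, 0x6
        xor edx, ecx
        add edx, edi
        add dword ptr [key5], edx

        /* ---- round 2: same char, OR into edi; shift counts differ ---- */
        mov edx, dword ptr [pname]
        movzx edx, byte ptr [edx+eax-1]
        xor edx, edi
        mov ecx, dword ptr [key4]
        and ecx, esi
        or edx, ecx
        or edi, edx
        mov edx, dword ptr [key4]
        shl edx, 0x2
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, ebx
        add esi, edx
        mov edx, esi
        shl edx, 0x5
        mov ecx, ebx
        shr ecx, 0x16
        xor edx, ecx
        add edx, dword ptr [key4]
        add ebx, edx
        mov edx, ebx
        shl edx, 0x2
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, esi
        add edi, edx
        mov edx, dword ptr [key5]
        shl edx, 0x6
        mov ecx, edi
        shr ecx, 0x18
        xor edx, ecx
        add edx, ebx
        add dword ptr [key4], edx
        mov edx, dword ptr [key4]
        shl edx, 0x4
        mov ecx, esi
        shr ecx, 0x6
        xor edx, ecx
        add edx, edi
        add dword ptr [key5], edx

        /* ---- round 3: OR into ebx ---- */
        mov edx, dword ptr [pname]
        movzx edx, byte ptr [edx+eax-1]
        xor edx, edi
        mov ecx, dword ptr [key5]
        and ecx, edi
        or edx, ecx
        or ebx, edx
        mov edx, dword ptr [key4]
        shl edx, 0x2
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, ebx
        add esi, edx
        mov edx, esi
        shl edx, 0x5
        mov ecx, ebx
        shr ecx, 0x16
        xor edx, ecx
        add edx, dword ptr [key4]
        add ebx, edx
        mov edx, ebx
        shl edx, 0x5
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, esi
        add edi, edx
        mov edx, dword ptr [key5]
        shl edx, 0x6
        mov ecx, edi
        shr ecx, 0x18
        xor edx, ecx
        add edx, ebx
        add dword ptr [key4], edx
        mov edx, dword ptr [key4]
        shl edx, 0x3
        mov ecx, esi
        shr ecx, 0x6
        xor edx, ecx
        add edx, edi
        add dword ptr [key5], edx

        /* ---- round 4: OR into [key4] ---- */
        mov edx, dword ptr [pname]
        movzx edx, byte ptr [edx+eax-1]
        xor edx, edi
        mov ecx, ebx
        and ecx, esi
        or edx, ecx
        or dword ptr [key4], edx
        mov edx, dword ptr [key4]
        shl edx, 0x2
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, ebx
        add esi, edx
        mov edx, esi
        shl edx, 0x5
        mov ecx, ebx
        shr ecx, 0x16
        xor edx, ecx
        add edx, dword ptr [key4]
        add ebx, edx
        mov edx, ebx
        shl edx, 0x6
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, esi
        add edi, edx
        mov edx, dword ptr [key5]
        shl edx, 0x6
        mov ecx, edi
        shr ecx, 0x18
        xor edx, ecx
        add edx, ebx
        add dword ptr [key4], edx
        mov edx, dword ptr [key4]
        shl edx, 0x4
        mov ecx, esi
        shr ecx, 0x20                     ; also a no-op shift (see round 1)
        xor edx, ecx
        add edx, edi
        add dword ptr [key5], edx

        /* ---- round 5: OR into [key5] ---- */
        mov edx, dword ptr [pname]
        movzx edx, byte ptr [edx+eax-1]
        xor edx, edi
        mov ecx, dword ptr [key4]
        and ecx, edi
        or edx, ecx
        or dword ptr [key5], edx
        mov edx, dword ptr [key4]
        shl edx, 0x2
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, ebx
        add esi, edx
        mov edx, esi
        shl edx, 0x5
        mov ecx, ebx
        shr ecx, 0x16
        xor edx, ecx
        add edx, dword ptr [key4]
        add ebx, edx
        mov edx, ebx
        shl edx, 0x3
        mov ecx, dword ptr [key5]
        shr ecx, 0x20
        xor edx, ecx
        add edx, esi
        add edi, edx
        mov edx, dword ptr [key5]
        shl edx, 0x6
        mov ecx, edi
        shr ecx, 0x18
        xor edx, ecx
        add edx, ebx
        add dword ptr [key4], edx
        mov edx, dword ptr [key4]
        shl edx, 0x5
        mov ecx, esi
        shr ecx, 0x6
        xor edx, ecx
        add edx, edi
        add dword ptr [key5], edx

        inc eax                           ; next character
        jmp loopsum

    endsum:
        mov [key1], esi
        mov [key2], edi
        mov [key3], ebx
    }

    /* NOTE(review): %lX has no width/zero-pad, so a state word below
     * 0x10000000 prints fewer than 8 digits. The target compares serial
     * lengths first (004512FA); if 00450F34 zero-pads its own string this
     * keygen's serial would be rejected for such names — confirm the
     * target's formatting before relying on it. */
    printf("注册码:%lX%lX%lX%lX%lX\n", key1, key2, key3, key4, key5);
    getchar(); /* pause so the console window stays open */
    return 0;
}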