1)PEID检查:Borland Delphi 2.0,无壳
2)试运行程序,任意输入注册信息后。有错误提示。
3)OD载入程序,用超级字符串查找,找到错误的信息。
超级字串参考+ , 条目 73
地址=0042509A
反汇编=MOV EDX,CrackMe.00425138
文本字串=that isn't it, keep on trying... 来到0042509A后,向上找到计算过程开始的地方。下断。
4)OD重新载入程序,任意输入注册信息后,程序被中断。
00425050 |. 55 PUSH EBP
00425051 |. 68 11514200 PUSH CrackMe.00425111
00425056 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00425059 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0042505C |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-4]
0042505F |. 8B83 B8010000 MOV EAX,DWORD PTR DS:[EBX+1B8]
00425065 |. E8 96C9FEFF CALL CrackMe.00411A00 ; 取注册名位数
0042506A |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-C]
0042506D |. 8B83 BC010000 MOV EAX,DWORD PTR DS:[EBX+1BC]
00425073 |. E8 88C9FEFF CALL CrackMe.00411A00 ; 取假码位数
00425078 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] ; EBP-C=假码
0042507B |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-8]
0042507E |. E8 71D7FDFF CALL CrackMe.004027F4 ; 计算假码的CALL,跟进
00425083 |. 8BF0 MOV ESI,EAX
00425085 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00425088 |. E8 13010000 CALL CrackMe.004251A0 ; 计算注册名的CALL,跟进
0042508D |. 8BF8 MOV EDI,EAX
0042508F |. 3BFE CMP EDI,ESI 注册码的计算结果与注册名的计算结果相比
00425091 |. 74 18 JE SHORT CrackMe.004250AB 两者相等就跳向成功
00425093 |. 6A 00 PUSH 0
00425095 |. B9 20514200 MOV ECX,CrackMe.00425120 ; cyt0m!c's crackme #1
0042509A |. BA 38514200 MOV EDX,CrackMe.00425138 ; that isn't it, keep on trying...
0042509F |. A1 28764200 MOV EAX,DWORD PTR DS:[427628]
004250A4 |. E8 23CAFFFF CALL CrackMe.00421ACC
004250A9 |. EB 16 JMP SHORT CrackMe.004250C1
004250AB |> 6A 00 PUSH 0
004250AD |. B9 20514200 MOV ECX,CrackMe.00425120 ; cyt0m!c's crackme #1
004250B2 |. BA 5C514200 MOV EDX,CrackMe.0042515C ; hey, you have done it
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
来到对输入的注册码进行计算的CALL。。。
004027F4 /$ 53 PUSH EBX
004027F5 |. 56 PUSH ESI
004027F6 |. 57 PUSH EDI
004027F7 |. 89C6 MOV ESI,EAX
004027F9 |. 50 PUSH EAX
004027FA |. 85C0 TEST EAX,EAX
004027FC |. 74 51 JE SHORT CrackMe.0040284F
004027FE >|. 31C0 XOR EAX,EAX ; EAX清零
00402800 |. 31DB XOR EBX,EBX ; EBX清零
00402802 |. BF CCCCCC0C MOV EDI,0CCCCCCC ; 给EDI赋值
00402807 |> 8A1E /MOV BL,BYTE PTR DS:[ESI] ; 取假码第一位的HEX值
00402809 |. 46 |INC ESI
0040280A |. 80FB 20 |CMP BL,20
0040280D |.^ 74 F8 \JE SHORT CrackMe.00402807
0040280F |. B5 00 MOV CH,0
00402811 |. 80FB 2D CMP BL,2D
00402814 |. 74 45 JE SHORT CrackMe.0040285B
00402816 |. 80FB 2B CMP BL,2B
00402819 |. 74 42 JE SHORT CrackMe.0040285D
0040281B |. 80FB 24 CMP BL,24
0040281E |. 74 42 JE SHORT CrackMe.00402862
00402820 |> 84DB TEST BL,BL
00402822 |. 74 32 JE SHORT CrackMe.00402856 ; 以上代码检验假码的第一位是否是符号
00402824 |> 80EB 30 /SUB BL,30 ; 假码的HEX值减30
00402827 |. 80FB 09 |CMP BL,9
0040282A |. 77 2A |JA SHORT CrackMe.00402856
0040282C |. 39F8 |CMP EAX,EDI
0040282E |. 77 26 |JA SHORT CrackMe.00402856
00402830 |. 8D0480 |LEA EAX,DWORD PTR DS:[EAX+EAX*4] ; EAX=EAX+EAX*4
00402833 |. 01C0 |ADD EAX,EAX ; EAX=EAX+EAX
00402835 |. 01D8 |ADD EAX,EBX ; EAX=EAX+EBX
00402837 |. 8A1E |MOV BL,BYTE PTR DS:[ESI] ; 取假码下一位的HEX值
00402839 |. 46 |INC ESI ; ESI+1
0040283A |. 84DB |TEST BL,BL
0040283C |.^ 75 E6 \JNZ SHORT CrackMe.00402824
0040283E |. FECD DEC CH
00402840 |. 74 10 JE SHORT CrackMe.00402852
00402842 |. 85C0 TEST EAX,EAX
00402844 |. 7C 10 JL SHORT CrackMe.00402856
00402846 |> 59 POP ECX
00402847 |. 31F6 XOR ESI,ESI
00402849 |> 8932 MOV DWORD PTR DS:[EDX],ESI
0040284B |. 5F POP EDI
0040284C |. 5E POP ESI
0040284D |. 5B POP EBX
0040284E |. C3 RETN 计算完毕就返回
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
来到对输入的注册名进行计算的CALL。。。
004251A0 /$ 53 PUSH EBX
004251A1 |. 89C3 MOV EBX,EAX ; EAX=EBX=输入的注册名
004251A3 |. 83FB 00 CMP EBX,0 ; 输入注册名了吗,没有输入就跳走
004251A6 |. 74 13 JE SHORT CrackMe.004251BB
004251A8 |. B8 01000000 MOV EAX,1 ; 使EAX=1
004251AD |. 31C9 XOR ECX,ECX ; ECX清零
004251AF |> 8A0B /MOV CL,BYTE PTR DS:[EBX] ; 取注册名每一位的HEX值,放进ECX
004251B1 |. 80F9 00 |CMP CL,0
004251B4 |. 74 05 |JE SHORT CrackMe.004251BB ; 计算完了吗,计算完毕就跳走
004251B6 |. F7E1 |MUL ECX ; EAX=EAX*EAC
004251B8 |. 43 |INC EBX ; 每计算一次EBX+1
004251B9 |.^ EB F4 \JMP SHORT CrackMe.004251AF
004251BB |> 25 FFFFFF0F AND EAX,0FFFFFFF
004251C0 |. 5B POP EBX
004251C1 \. C3 RETN ; 输出结果,并返回
------------------------------------------------------------------------BY 逍遥风
算法总结:
程序采用的是F`(注册名)=F'(注册码)的方式,对注册码进行验证的
1)对注册码的算法是:
注册码第一位的HEX值减去30,设为A1。最终的计算结果设为B(n+1)
则 B(n+1)=An +2*(Bn+4*Bn) 其中B1=0,n=输入的注册码的位数
输出结果B(n+1)。即就是把输入的注册码转换成相应的十六进制数。
2)对注册名的算法是:
取注册名每一位的HEX值相乘。
输出结果Cn
3)比较B(n+1)与Cn
找出一对符合以上算法的数字:
注册名:tcxb
注册码:135051840
[注意]APP应用上架合规检测服务,协助应用顺利上架!