破解 CRKME4
这是我的第一篇破文,写得不好,请不要见笑。这个CrackMe是<加密与解密实战攻略>范例及练习里的,它只是作为动画教学找注册码,没有分析算法,正好拿来练习。 用PEiD查壳,无壳,是用Delphi 3.0编写
bpx hmemcpy 中断后,来到0042B96A,按F12和F10,来到下面,经过检查姓名、序列号有否输入后,来到0042DC0F,它取姓名的第二到第六个字符的ASCII码十进制,把前二个字符的前三位十进制ASCII码化成十六进制,在0042DC1E开始进行一系列的运算,结果保存在地址[0042F758]里,地址[0042F750]的初始值为"FF9765D4"或"364918ED",也经一系列的运算后,与地址[0042F758]的dword值相加即为注册码,注意要化成十进制数。
为什么地址[0042F750]有二个不同的初始值?小弟也搞不懂,请高手们解答一下?(从下面的列表看,0042DB21 处紧跟着一个对 kernel32.GetVolumeInformationA 的引用,随后 0042DB26~0042DB2D 把取回的 dword 存入 [0042F750];该初始值因此可能与所在卷的信息有关,有待验证。)
*******************************************************************************************************
* Reference To: kernel32.GetVolumeInformationA, Ord:0000h
|
:0042DB21 E85E75FDFF Call 00405084
:0042DB26 A144F74200 mov eax, dword ptr [0042F744]
:0042DB2B 8B00 mov eax, dword ptr [eax]
:0042DB2D A350F74200 mov dword ptr [0042F750], eax
:0042DB32 8D55FC lea edx, dword ptr [ebp-04]
:0042DB35 8B83E0010000 mov eax, dword ptr [ebx+000001E0]
:0042DB3B E8E8C6FEFF call 0041A228
:0042DB40 837DFC00 cmp dword ptr [ebp-04], 00000000 //检查有否输入名字
:0042DB44 751A jne 0042DB60
:0042DB46 6A00 push 00000000
:0042DB48 668B0D1CDD4200 mov cx, word ptr [0042DD1C]
:0042DB4F B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Please typ in your name !!"
|
:0042DB51 B828DD4200 mov eax, 0042DD28
:0042DB56 E8E5F2FFFF call 0042CE40
:0042DB5B E990010000 jmp 0042DCF0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DB44(C)
|
:0042DB60 8D55FC lea edx, dword ptr [ebp-04]
:0042DB63 8B83E0010000 mov eax, dword ptr [ebx+000001E0]
:0042DB69 E8BAC6FEFF call 0041A228
:0042DB6E 8B45FC mov eax, dword ptr [ebp-04]
:0042DB71 E84A5CFDFF call 004037C0
:0042DB76 83F806 cmp eax, 00000006 //检查姓名是否大于等于6个字符
:0042DB79 7D1A jge 0042DB95
:0042DB7B 6A00 push 00000000
:0042DB7D 668B0D1CDD4200 mov cx, word ptr [0042DD1C]
:0042DB84 B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Type at least 6 chars for your "
->"name! !"
|
:0042DB86 B84CDD4200 mov eax, 0042DD4C
:0042DB8B E8B0F2FFFF call 0042CE40
:0042DB90 E95B010000 jmp 0042DCF0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DB79(C)
|
:0042DB95 8D55FC lea edx, dword ptr [ebp-04]
:0042DB98 8B83E4010000 mov eax, dword ptr [ebx+000001E4]
:0042DB9E E885C6FEFF call 0041A228
:0042DBA3 837DFC00 cmp dword ptr [ebp-04], 00000000 //检查是否输入了序列号
:0042DBA7 751A jne 0042DBC3
:0042DBA9 6A00 push 00000000
:0042DBAB 668B0D1CDD4200 mov cx, word ptr [0042DD1C]
:0042DBB2 B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Please enter your serial !"
|
:0042DBB4 B87CDD4200 mov eax, 0042DD7C
:0042DBB9 E882F2FFFF call 0042CE40
:0042DBBE E92D010000 jmp 0042DCF0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DBA7(C)
|
:0042DBC3 8BC7 mov eax, edi
:0042DBC5 E87A59FDFF call 00403544
:0042DBCA C70602000000 mov dword ptr [esi], 00000002
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DBFF(C)
|
:0042DBD0 8D55FC lea edx, dword ptr [ebp-04]
:0042DBD3 8B83E0010000 mov eax, dword ptr [ebx+000001E0]
:0042DBD9 E84AC6FEFF call 0041A228
:0042DBDE 8B45FC mov eax, dword ptr [ebp-04]
:0042DBE1 8B16 mov edx, dword ptr [esi]
:0042DBE3 0FB64410FF movzx eax, byte ptr [eax+edx-01]
:0042DBE8 8D55F8 lea edx, dword ptr [ebp-08]
:0042DBEB E88889FDFF call 00406578
:0042DBF0 8B55F8 mov edx, dword ptr [ebp-08]
:0042DBF3 8BC7 mov eax, edi
:0042DBF5 E8CE5BFDFF call 004037C8
:0042DBFA FF06 inc dword ptr [esi]
:0042DBFC 833E07 cmp dword ptr [esi], 00000007
:0042DBFF 75CF jne 0042DBD0
:0042DC01 8D45F8 lea eax, dword ptr [ebp-08]
:0042DC04 50 push eax
:0042DC05 B903000000 mov ecx, 00000003
:0042DC0A BA01000000 mov edx, 00000001
:0042DC0F 8B07 mov eax, dword ptr [edi] //取姓名的第二到第六个字符的十进制ASCII码
:0042DC11 E8AE5DFDFF call 004039C4 //取前二个字符的三位十进制ASCII码(例:gdszmai为100,因d为100)
:0042DC16 8B45F8 mov eax, dword ptr [ebp-08] //前二个字符的三位十进制ASCII码赋给eax
:0042DC19 E88A89FDFF call 004065A8 //把前二个字符的三位十进制ASCII码化成十六进制
:0042DC1E A358F74200 mov dword ptr [0042F758], eax //把eax的值赋给存注册码的地址[0042F758],开始运算
:0042DC23 8BC7 mov eax, edi
:0042DC25 E81A59FDFF call 00403544
:0042DC2A 8BC3 mov eax, ebx
:0042DC2C E8B3FCFFFF call 0042D8E4 //注册码运算,进入
:0042DC31 A150F74200 mov eax, dword ptr [0042F750]
:0042DC36 A350F74200 mov dword ptr [0042F750], eax
:0042DC3B 8BC3 mov eax, ebx
:0042DC3D E8F2FCFFFF call 0042D934
:0042DC42 A158F74200 mov eax, dword ptr [0042F758]
:0042DC47 A358F74200 mov dword ptr [0042F758], eax
:0042DC4C 8BC3 mov eax, ebx
:0042DC4E E835FDFFFF call 0042D988 //注册码运算,进入
:0042DC53 8BC3 mov eax, ebx
:0042DC55 E87EFDFFFF call 0042D9D8 //注册码运算,进入
:0042DC5A A158F74200 mov eax, dword ptr [0042F758]
:0042DC5F A358F74200 mov dword ptr [0042F758], eax
:0042DC64 8BC3 mov eax, ebx
:0042DC66 E8B1FDFFFF call 0042DA1C
:0042DC6B 8BC3 mov eax, ebx
:0042DC6D E8B6FDFFFF call 0042DA28
:0042DC72 A158F74200 mov eax, dword ptr [0042F758]
:0042DC77 A358F74200 mov dword ptr [0042F758], eax
:0042DC7C 8BC3 mov eax, ebx
:0042DC7E E8B1FDFFFF call 0042DA34 //注册码运算,进入
:0042DC83 8BC3 mov eax, ebx
:0042DC85 E8F2FDFFFF call 0042DA7C //注册码的另一个参数运算,进入
:0042DC8A 8BC3 mov eax, ebx
:0042DC8C E80BFEFFFF call 0042DA9C //注册码运算,进入
:0042DC91 A150F74200 mov eax, dword ptr [0042F750] //[0042F750]为注册码另一个参数的存放地址
:0042DC96 010558F74200 add dword ptr [0042F758], eax //注册码=[0042F758]+[0042F750]
:0042DC9C 8D55FC lea edx, dword ptr [ebp-04]
:0042DC9F 8B83E4010000 mov eax, dword ptr [ebx+000001E4]
:0042DCA5 E87EC5FEFF call 0041A228
:0042DCAA 8B45FC mov eax, dword ptr [ebp-04]
:0042DCAD E8F688FDFF call 004065A8 //取序列号的十六进制
:0042DCB2 A360F74200 mov dword ptr [0042F760], eax
:0042DCB7 A158F74200 mov eax, dword ptr [0042F758]
:0042DCBC 3B0560F74200 cmp eax, dword ptr [0042F760] //关键比较
:0042DCC2 7517 jne 0042DCDB //关键跳转,一跳就错
:0042DCC4 6A00 push 00000000
:0042DCC6 668B0D1CDD4200 mov cx, word ptr [0042DD1C]
:0042DCCD B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Good Serial, Thanks For trying "
->"this Crackme bY nIabI !"
|
:0042DCCF B8A0DD4200 mov eax, 0042DDA0
:0042DCD4 E867F1FFFF call 0042CE40
:0042DCD9 EB15 jmp 0042DCF0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DCC2(C)
|
:0042DCDB 6A00 push 00000000
:0042DCDD 668B0D1CDD4200 mov cx, word ptr [0042DD1C]
:0042DCE4 B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Bad Name Or Serial Number !!!!!"
|
:0042DCE6 B8E0DD4200 mov eax, 0042DDE0
:0042DCEB E850F1FFFF call 0042CE40
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042DB5B(U), :0042DB90(U), :0042DBBE(U), :0042DCD9(U)
|
:0042DCF0 33C0 xor eax, eax
:0042DCF2 5A pop edx
:0042DCF3 59 pop ecx
:0042DCF4 59 pop ecx
:0042DCF5 648910 mov dword ptr fs:[eax], edx
:0042DCF8 6815DD4200 push 0042DD15
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DD13(U)
|
:0042DCFD 8D45F8 lea eax, dword ptr [ebp-08]
:0042DD00 E83F58FDFF call 00403544
*******************************************************************************************************
* Referenced by a CALL at Address:
|:0042DC2C
|
:0042D8E4 53 push ebx
:0042D8E5 56 push esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D870(C)
|
:0042D8E6 B958F74200 mov ecx, 0042F758
:0042D8EB BB50F74200 mov ebx, 0042F750
:0042D8F0 8B01 mov eax, dword ptr [ecx]
:0042D8F2 03C0 add eax, eax
:0042D8F4 8D0440 lea eax, dword ptr [eax+2*eax]
:0042D8F7 8901 mov dword ptr [ecx], eax
:0042D8F9 8B01 mov eax, dword ptr [ecx]
:0042D8FB BE03000000 mov esi, 00000003
:0042D900 99 cdq
:0042D901 F7FE idiv esi
:0042D903 8901 mov dword ptr [ecx], eax
:0042D905 830110 add dword ptr [ecx], 00000010
:0042D908 8B01 mov eax, dword ptr [ecx]
:0042D90A 03C0 add eax, eax
:0042D90C 8901 mov dword ptr [ecx], eax
:0042D90E 8B01 mov eax, dword ptr [ecx]
:0042D910 8D04C0 lea eax, dword ptr [eax+8*eax]
:0042D913 8901 mov dword ptr [ecx], eax
:0042D915 833105 xor dword ptr [ecx], 00000005
:0042D918 8B03 mov eax, dword ptr [ebx]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D8AB(C)
|
:0042D91A C1E002 shl eax, 02
:0042D91D 8903 mov dword ptr [ebx], eax
:0042D91F 8B03 mov eax, dword ptr [ebx]
:0042D921 B903000000 mov ecx, 00000003
:0042D926 99 cdq
:0042D927 F7F9 idiv ecx
:0042D929 8903 mov dword ptr [ebx], eax
:0042D92B 833303 xor dword ptr [ebx], 00000003
:0042D92E 830340 add dword ptr [ebx], 00000040
:0042D931 5E pop esi
:0042D932 5B pop ebx
:0042D933 C3 ret
*******************************************************************************************************
* Referenced by a CALL at Address:
|:0042DC3D
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D8C5(C)
|
:0042D934 53 push ebx
:0042D935 B858F74200 mov eax, 0042F758
:0042D93A B950F74200 mov ecx, 0042F750
:0042D93F 8B10 mov edx, dword ptr [eax]
:0042D941 03D2 add edx, edx
:0042D943 8D1452 lea edx, dword ptr [edx+2*edx]
:0042D946 8910 mov dword ptr [eax], edx
:0042D948 8B10 mov edx, dword ptr [eax]
:0042D94A D1FA sar edx, 1
:0042D94C 7903 jns 0042D951
:0042D94E 83D200 adc edx, 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D94C(C)
|
:0042D951 8910 mov dword ptr [eax], edx
:0042D953 83000D add dword ptr [eax], 0000000D
:0042D956 6B1036 imul edx, dword ptr [eax], 00000036
:0042D959 8910 mov dword ptr [eax], edx
:0042D95B 8B10 mov edx, dword ptr [eax]
:0042D95D 8BDA mov ebx, edx
:0042D95F C1E205 shl edx, 05
:0042D962 03D3 add edx, ebx
:0042D964 8910 mov dword ptr [eax], edx
:0042D966 833010 xor dword ptr [eax], 00000010
:0042D969 8B01 mov eax, dword ptr [ecx]
:0042D96B 03C0 add eax, eax
:0042D96D 8D0440 lea eax, dword ptr [eax+2*eax]
:0042D970 8901 mov dword ptr [ecx], eax
:0042D972 8B01 mov eax, dword ptr [ecx]
:0042D974 BB05000000 mov ebx, 00000005
:0042D979 99 cdq
:0042D97A F7FB idiv ebx
:0042D97C 8901 mov dword ptr [ecx], eax
:0042D97E 833125 xor dword ptr [ecx], 00000025
:0042D981 830127 add dword ptr [ecx], 00000027
:0042D984 5B pop ebx
:0042D985 C3 ret
*******************************************************************************************************
* Referenced by a CALL at Address:
|:0042DC4E
|
:0042D988 53 push ebx
:0042D989 56 push esi
:0042D98A B958F74200 mov ecx, 0042F758
:0042D98F BB50F74200 mov ebx, 0042F750
:0042D994 8B01 mov eax, dword ptr [ecx]
:0042D996 03C0 add eax, eax
:0042D998 8D0440 lea eax, dword ptr [eax+2*eax]
:0042D99B 8901 mov dword ptr [ecx], eax
:0042D99D 8B01 mov eax, dword ptr [ecx]
:0042D99F BE03000000 mov esi, 00000003
:0042D9A4 99 cdq
:0042D9A5 F7FE idiv esi
:0042D9A7 8901 mov dword ptr [ecx], eax
:0042D9A9 83010D add dword ptr [ecx], 0000000D
:0042D9AC 8B01 mov eax, dword ptr [ecx]
:0042D9AE 03C0 add eax, eax
:0042D9B0 8D0440 lea eax, dword ptr [eax+2*eax]
:0042D9B3 8901 mov dword ptr [ecx], eax
:0042D9B5 6B0159 imul eax, dword ptr [ecx], 00000059
:0042D9B8 8901 mov dword ptr [ecx], eax
:0042D9BA 833109 xor dword ptr [ecx], 00000009
:0042D9BD 8B03 mov eax, dword ptr [ebx]
:0042D9BF 8D0480 lea eax, dword ptr [eax+4*eax]
:0042D9C2 8903 mov dword ptr [ebx], eax
:0042D9C4 8B03 mov eax, dword ptr [ebx]
:0042D9C6 85C0 test eax, eax
:0042D9C8 C1F800 sar eax, 00
:0042D9CB 8903 mov dword ptr [ebx], eax
:0042D9CD 833322 xor dword ptr [ebx], 00000022
:0042D9D0 830303 add dword ptr [ebx], 00000003
:0042D9D3 5E pop esi
:0042D9D4 5B pop ebx
:0042D9D5 C3 ret
*******************************************************************************************************
* Referenced by a CALL at Address:
|:0042DC55
|
:0042D9D8 53 push ebx
:0042D9D9 B858F74200 mov eax, 0042F758
:0042D9DE B950F74200 mov ecx, 0042F750
:0042D9E3 8B10 mov edx, dword ptr [eax]
:0042D9E5 8910 mov dword ptr [eax], edx
:0042D9E7 8B10 mov edx, dword ptr [eax]
:0042D9E9 D1FA sar edx, 1
:0042D9EB 7903 jns 0042D9F0
:0042D9ED 83D200 adc edx, 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D9EB(C)
|
:0042D9F0 8910 mov dword ptr [eax], edx
:0042D9F2 830010 add dword ptr [eax], 00000010
:0042D9F5 8B10 mov edx, dword ptr [eax]
:0042D9F7 8910 mov dword ptr [eax], edx
:0042D9F9 8B10 mov edx, dword ptr [eax]
:0042D9FB 8D1452 lea edx, dword ptr [edx+2*edx]
:0042D9FE 8910 mov dword ptr [eax], edx
:0042DA00 833006 xor dword ptr [eax], 00000006
:0042DA03 6B012B imul eax, dword ptr [ecx], 0000002B
:0042DA06 8901 mov dword ptr [ecx], eax
:0042DA08 8B01 mov eax, dword ptr [ecx]
:0042DA0A BB03000000 mov ebx, 00000003
:0042DA0F 99 cdq
:0042DA10 F7FB idiv ebx
:0042DA12 8901 mov dword ptr [ecx], eax
:0042DA14 833103 xor dword ptr [ecx], 00000003
:0042DA17 830122 add dword ptr [ecx], 00000022
:0042DA1A 5B pop ebx
:0042DA1B C3 ret
*******************************************************************************************************
* Referenced by a CALL at Address:
|:0042DC7E
|
:0042DA34 B858F74200 mov eax, 0042F758
:0042DA39 BA50F74200 mov edx, 0042F750
:0042DA3E 8B08 mov ecx, dword ptr [eax]
:0042DA40 D1F9 sar ecx, 1
:0042DA42 7903 jns 0042DA47
:0042DA44 83D100 adc ecx, 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DA42(C)
|
:0042DA47 8908 mov dword ptr [eax], ecx
:0042DA49 FF00 inc dword ptr [eax]
:0042DA4B 8B0A mov ecx, dword ptr [edx]
:0042DA4D 8D0C49 lea ecx, dword ptr [ecx+2*ecx]
:0042DA50 890A mov dword ptr [edx], ecx
:0042DA52 8B0A mov ecx, dword ptr [edx]
:0042DA54 85C9 test ecx, ecx
:0042DA56 7903 jns 0042DA5B
:0042DA58 83C103 add ecx, 00000003
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DA56(C)
|
:0042DA5B C1F902 sar ecx, 02
:0042DA5E 890A mov dword ptr [edx], ecx
:0042DA60 8B08 mov ecx, dword ptr [eax]
:0042DA62 03C9 add ecx, ecx
:0042DA64 8D0C49 lea ecx, dword ptr [ecx+2*ecx]
:0042DA67 8908 mov dword ptr [eax], ecx
:0042DA69 8B08 mov ecx, dword ptr [eax]
:0042DA6B C1E103 shl ecx, 03
:0042DA6E 8908 mov dword ptr [eax], ecx
:0042DA70 833006 xor dword ptr [eax], 00000006
:0042DA73 833222 xor dword ptr [edx], 00000022
:0042DA76 830204 add dword ptr [edx], 00000004
:0042DA79 C3 ret
*******************************************************************************************************
* Referenced by a CALL at Address:
|:0042DC85
|
:0042DA7C A150F74200 mov eax, dword ptr [0042F750]
:0042DA81 8D0440 lea eax, dword ptr [eax+2*eax]
:0042DA84 A350F74200 mov dword ptr [0042F750], eax
:0042DA89 A150F74200 mov eax, dword ptr [0042F750]
:0042DA8E 85C0 test eax, eax
:0042DA90 C1F800 sar eax, 00
:0042DA93 A350F74200 mov dword ptr [0042F750], eax
:0042DA98 C3 ret
:0042DA99 8D4000 lea eax, dword ptr [eax+00]
* Referenced by a CALL at Address:
|:0042DC8C
|
:0042DA9C B858F74200 mov eax, 0042F758
:0042DAA1 BA50F74200 mov edx, 0042F750
:0042DAA6 833002 xor dword ptr [eax], 00000002
:0042DAA9 8B0A mov ecx, dword ptr [edx]
:0042DAAB 890A mov dword ptr [edx], ecx
:0042DAAD 8B0A mov ecx, dword ptr [edx]
:0042DAAF C1E102 shl ecx, 02
:0042DAB2 890A mov dword ptr [edx], ecx
:0042DAB4 8B08 mov ecx, dword ptr [eax]
:0042DAB6 8908 mov dword ptr [eax], ecx
:0042DAB8 8B08 mov ecx, dword ptr [eax]
:0042DABA 8908 mov dword ptr [eax], ecx
:0042DABC 8B08 mov ecx, dword ptr [eax]
:0042DABE 8908 mov dword ptr [eax], ecx
:0042DAC0 8B0A mov ecx, dword ptr [edx]
:0042DAC2 890A mov dword ptr [edx], ecx
:0042DAC4 830204 add dword ptr [edx], 00000004
:0042DAC7 8B10 mov edx, dword ptr [eax]
:0042DAC9 03D2 add edx, edx
:0042DACB 8D1452 lea edx, dword ptr [edx+2*edx]
:0042DACE 8910 mov dword ptr [eax], edx
:0042DAD0 C3 ret
*******************************************************************************************************
* Referenced by a CALL at Address:
|:0042DC8C
|
:0042DA9C B858F74200 mov eax, 0042F758
:0042DAA1 BA50F74200 mov edx, 0042F750
:0042DAA6 833002 xor dword ptr [eax], 00000002
:0042DAA9 8B0A mov ecx, dword ptr [edx]
:0042DAAB 890A mov dword ptr [edx], ecx
:0042DAAD 8B0A mov ecx, dword ptr [edx]
:0042DAAF C1E102 shl ecx, 02
:0042DAB2 890A mov dword ptr [edx], ecx
:0042DAB4 8B08 mov ecx, dword ptr [eax]
:0042DAB6 8908 mov dword ptr [eax], ecx
:0042DAB8 8B08 mov ecx, dword ptr [eax]
:0042DABA 8908 mov dword ptr [eax], ecx
:0042DABC 8B08 mov ecx, dword ptr [eax]
:0042DABE 8908 mov dword ptr [eax], ecx
:0042DAC0 8B0A mov ecx, dword ptr [edx]
:0042DAC2 890A mov dword ptr [edx], ecx
:0042DAC4 830204 add dword ptr [edx], 00000004
:0042DAC7 8B10 mov edx, dword ptr [eax]
:0042DAC9 03D2 add edx, edx
:0042DACB 8D1452 lea edx, dword ptr [edx+2*edx]
:0042DACE 8910 mov dword ptr [eax], edx
:0042DAD0 C3 ret
*******************************************************************************************************
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D870(C)
|
:0042D8E6 B958F74200 mov ecx, 0042F758
:0042D8EB BB50F74200 mov ebx, 0042F750
:0042D8F0 8B01 mov eax, dword ptr [ecx]
:0042D8F2 03C0 add eax, eax
:0042D8F4 8D0440 lea eax, dword ptr [eax+2*eax]
:0042D8F7 8901 mov dword ptr [ecx], eax
:0042D8F9 8B01 mov eax, dword ptr [ecx]
:0042D8FB BE03000000 mov esi, 00000003
:0042D900 99 cdq
:0042D901 F7FE idiv esi
:0042D903 8901 mov dword ptr [ecx], eax
:0042D905 830110 add dword ptr [ecx], 00000010
:0042D908 8B01 mov eax, dword ptr [ecx]
:0042D90A 03C0 add eax, eax
:0042D90C 8901 mov dword ptr [ecx], eax
:0042D90E 8B01 mov eax, dword ptr [ecx]
:0042D910 8D04C0 lea eax, dword ptr [eax+8*eax]
:0042D913 8901 mov dword ptr [ecx], eax
:0042D915 833105 xor dword ptr [ecx], 00000005
:0042D918 8B03 mov eax, dword ptr [ebx]
//开始注册码另一参数的运算,地址为[0042F750]
//[0042F750]初始值为"FF9765D4"或"364918ED"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D8AB(C)
|
:0042D91A C1E002 shl eax, 02
:0042D91D 8903 mov dword ptr [ebx], eax
:0042D91F 8B03 mov eax, dword ptr [ebx]
:0042D921 B903000000 mov ecx, 00000003
:0042D926 99 cdq
:0042D927 F7F9 idiv ecx
:0042D929 8903 mov dword ptr [ebx], eax
:0042D92B 833303 xor dword ptr [ebx], 00000003
:0042D92E 830340 add dword ptr [ebx], 00000040
:0042D931 5E pop esi
:0042D932 5B pop ebx
:0042D933 C3 ret
* Referenced by a CALL at Address:
|:0042DC3D
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D8C5(C)
|
:0042D934 53 push ebx
:0042D935 B858F74200 mov eax, 0042F758
*******************************************************************************************************
结论:
姓名不少于6个字符,注册码只与姓名的第二第三位有关,取姓名第二第三位的前三位十进制数,化成十六进制后,经一系列运算,并与"FF9765D4"或"364918ED"经一系列运算后,相加即得,最后化成十进制数。(C语言源程序有详细的运算步骤)
例如: name: gdszmai
serial: 1869909096 或 -338789660
*******************************************************************************************************
/*破解 CRKME4 C语言源程序 */
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
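/* The two initial values of [0042F750] the author observed.  The listing
 * stores into that slot (0042DB26-0042DB2D) right after a reference to
 * kernel32.GetVolumeInformationA at 0042DB21, so the value is plausibly
 * volume-dependent rather than a fixed constant -- not verified here; both
 * observed values are kept and a serial is printed for each. */
static const uint32_t SEED_A = 0xFF9765D4u;
static const uint32_t SEED_B = 0x364918EDu;

/* Signed 32-bit division truncating toward zero, i.e. x86 idiv.
 * All arithmetic is done on uint32_t so that the multiplications, additions
 * and shl wrap modulo 2^32 without undefined behaviour (signed int overflow
 * in the original source was UB); only idiv and sar in the binary are
 * signed, hence the cast here.  Converting a uint32_t >= 2^31 to int32_t is
 * implementation-defined, and wraps on every two's-complement compiler.
 * The binary also writes /2 and /4 as "sar, then fix up when negative"
 * (0042D94A-0042D94E, 0042DA54-0042DA5B); both are this division.
 * d is always a small positive constant, so INT32_MIN / -1 cannot occur. */
static uint32_t sdiv(uint32_t x, int32_t d)
{
    return (uint32_t)((int32_t)x / d);
}

/* Transform applied to the name-derived value kept at [0042F758].
 * One comment per routine of the listing; every line mirrors one
 * instruction of that routine.  Returns the transformed value. */
static uint32_t transform_name(uint32_t v)
{
    /* 0042D8E4 */
    v = v + v;
    v = v * 3;
    v = sdiv(v, 3);
    v = v + 0x10;
    v = v + v;
    v = v * 9;
    v ^= 5;
    /* 0042D934: the binary rounds toward zero here (sar/jns/adc); the
     * original keygen used a plain shift, identical for non-negative v */
    v = v + v;
    v = v * 3;
    v = sdiv(v, 2);
    v = v + 0xd;
    v = v * 0x36;
    v = (v << 5) + v;          /* shl 5 then add the original: times 33 */
    v ^= 0x10;
    /* 0042D988 */
    v = v + v;
    v = v * 3;
    v = sdiv(v, 3);
    v = v + 0xd;
    v = v + v;
    v = v * 3;
    v = v * 0x59;
    v ^= 9;
    /* 0042D9D8 */
    v = sdiv(v, 2);
    v = v + 0x10;
    v = v * 3;
    v ^= 6;
    /* 0042DA34 */
    v = sdiv(v, 2);
    v = v + 1;
    v = v + v;
    v = v * 3;
    v = v << 3;
    v ^= 6;
    /* 0042DA9C (0042DA1C/0042DA28 are not in the listing; the original
     * keygen omits them as well) */
    v ^= 2;
    v = v * 2;
    v = v * 3;
    return v;
}

/* Transform applied to the seed kept at [0042F750].  The original keygen
 * spelled this sequence out twice, once per seed; it is shared here.
 * Returns the transformed value. */
static uint32_t transform_seed(uint32_t v)
{
    /* 0042D8E4 */
    v = v << 2;
    v = sdiv(v, 3);
    v ^= 3;
    v = v + 0x40;
    /* 0042D934 */
    v = v + v;
    v = v * 3;
    v = sdiv(v, 5);
    v ^= 0x25;
    v = v + 0x27;
    /* 0042D988 (the "sar eax, 00" there is a no-op) */
    v = v * 5;
    v ^= 0x22;
    v = v + 3;
    /* 0042D9D8 */
    v = v * 0x2b;
    v = sdiv(v, 3);
    v ^= 3;
    v = v + 0x22;
    /* 0042DA34 */
    v = v * 3;
    v = sdiv(v, 4);            /* test/jns/add 3, then sar 2 */
    v ^= 0x22;
    v = v + 4;
    /* 0042DA7C */
    v = v * 3;
    /* 0042DA9C */
    v = v << 2;
    v = v + 4;
    return v;
}

/* Value the binary derives from the name: the loop at 0042DBD0 appends the
 * decimal ASCII code of characters 2..6 to a string, and 0042DC0F-0042DC19
 * take its first three characters and convert them back to a number.
 * Bytes are read as unsigned, like the movzx at 0042DBE3.
 * The caller guarantees strlen(name) >= 6. */
static uint32_t name_value(const char *name)
{
    char digits[5 * 3 + 1];    /* at most 3 digits per byte, 5 bytes */
    size_t pos = 0;
    size_t i;
    uint32_t value = 0;

    for (i = 1; i <= 5; i++) {
        pos += (size_t)snprintf(digits + pos, sizeof digits - pos, "%u",
                                (unsigned)(unsigned char)name[i]);
    }
    /* each code yields at least one digit, so three digits always exist */
    for (i = 0; i < 3; i++) {
        value = value * 10 + (uint32_t)(digits[i] - '0');
    }
    return value;
}

/* Interactive key generator: reads names until "q" or end of input and
 * prints the two candidate serials, one per observed seed.  Returns 0. */
int main(void)
{
    char name[16];

    printf("*******************************\n");
    printf("CRKME4 Key Generator\n");
    printf("Press 'q' to exit.\n");
    printf("*******************************\n\n\n");

    for (;;) {
        char *newline;
        uint32_t name_part;
        int serial1;
        int serial2;

        printf("Please input the name: ");
        /* fgets instead of gets: the write into name[] is bounded */
        if (fgets(name, sizeof name, stdin) == NULL) {
            break;                      /* EOF or read error */
        }
        newline = strchr(name, '\n');
        if (newline != NULL) {
            *newline = '\0';
        } else {
            /* the line was longer than the buffer: drop the rest so it is
             * not read as the next name (the serial only uses chars 2..6) */
            int ch;
            while ((ch = getchar()) != '\n' && ch != EOF) {
            }
        }
        if (strcmp(name, "q") == 0) {
            break;
        }
        if (strlen(name) < 6) {
            printf("The name least 6 letter,input again.\n\n");
            continue;
        }
        name_part = transform_name(name_value(name));
        /* serial = [0042F758] + [0042F750] (0042DC96), shown as signed */
        serial1 = (int)(int32_t)(name_part + transform_seed(SEED_A));
        serial2 = (int)(int32_t)(name_part + transform_seed(SEED_B));
        printf("The serial is: %d\tor\t%d\n\n", serial1, serial2);
    }
    return 0;
}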