破解 CRKME4
这是我的第一篇破文,写得不好,请不要见笑。这个CrackMe是<加密与解密实战攻略>范例及练习里的,它只是作为动画教学找注册码,没有分析算法,正好拿来练习。
用PEiD查壳,无壳,是用Delphi 3.0编写
bpx hmemcpy 中断后,来到0042B96A,按F12和F10,来到下面,经过检查姓名、序列号有否输入后,来到0042DC0F,它取姓名的第二到第六个字符的ASCII码十进制,把前二个字符的前三位十进制ASCII码化成十六进制,在0042DC1E开始进行一系列的运算,结果保存在地址[0042F758]里,地址[0042F750]的初始值为"FF9765D4"或"364918ED",也经一系列的运算后,与地址[0042F758]的dword值相加即为注册码,注意要化成十进制数。
为什么地址[0042F750]有二个不同的初始值?小弟也搞不懂,请高手们解答一下?
*******************************************************************************************************
* Reference To: kernel32.GetVolumeInformationA, Ord:0000h
|
:0042DB21 E85E75FDFF Call 00405084
:0042DB26 A144F74200 mov eax, dword ptr [0042F744]
:0042DB2B 8B00 mov eax, dword ptr [eax]
:0042DB2D A350F74200 mov dword ptr [0042F750], eax
:0042DB32 8D55FC lea edx, dword ptr [ebp-04]
:0042DB35 8B83E0010000 mov eax, dword ptr [ebx+000001E0]
:0042DB3B E8E8C6FEFF call 0041A228
:0042DB40 837DFC00 cmp dword ptr [ebp-04], 00000000 //检查有否输入名字
:0042DB44 751A jne 0042DB60
:0042DB46 6A00 push 00000000
:0042DB48 668B0D1CDD4200 mov cx, word ptr [0042DD1C]
:0042DB4F B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Please typ in your name !!"
|
:0042DB51 B828DD4200 mov eax, 0042DD28
:0042DB56 E8E5F2FFFF call 0042CE40
:0042DB5B E990010000 jmp 0042DCF0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DB44(C)
|
:0042DB60 8D55FC lea edx, dword ptr [ebp-04]
:0042DB63 8B83E0010000 mov eax, dword ptr [ebx+000001E0]
:0042DB69 E8BAC6FEFF call 0041A228
:0042DB6E 8B45FC mov eax, dword ptr [ebp-04]
:0042DB71 E84A5CFDFF call 004037C0
:0042DB76 83F806 cmp eax, 00000006 //检查姓名是否大于等于6个字符
:0042DB79 7D1A jge 0042DB95
:0042DB7B 6A00 push 00000000
:0042DB7D 668B0D1CDD4200 mov cx, word ptr [0042DD1C]
:0042DB84 B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Type at least 6 chars for your "
->"name! !"
|
:0042DB86 B84CDD4200 mov eax, 0042DD4C
:0042DB8B E8B0F2FFFF call 0042CE40
:0042DB90 E95B010000 jmp 0042DCF0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DB79(C)
|
:0042DB95 8D55FC lea edx, dword ptr [ebp-04]
:0042DB98 8B83E4010000 mov eax, dword ptr [ebx+000001E4]
:0042DB9E E885C6FEFF call 0041A228
:0042DBA3 837DFC00 cmp dword ptr [ebp-04], 00000000 //检查是否输入了序列号
:0042DBA7 751A jne 0042DBC3
:0042DBA9 6A00 push 00000000
:0042DBAB 668B0D1CDD4200 mov cx, word ptr [0042DD1C]
:0042DBB2 B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Please enter your serial !"
|
:0042DBB4 B87CDD4200 mov eax, 0042DD7C
:0042DBB9 E882F2FFFF call 0042CE40
:0042DBBE E92D010000 jmp 0042DCF0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DBA7(C)
|
:0042DBC3 8BC7 mov eax, edi
:0042DBC5 E87A59FDFF call 00403544
:0042DBCA C70602000000 mov dword ptr [esi], 00000002
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DBFF(C)
|
:0042DBD0 8D55FC lea edx, dword ptr [ebp-04]
:0042DBD3 8B83E0010000 mov eax, dword ptr [ebx+000001E0]
:0042DBD9 E84AC6FEFF call 0041A228
:0042DBDE 8B45FC mov eax, dword ptr [ebp-04]
:0042DBE1 8B16 mov edx, dword ptr [esi]
:0042DBE3 0FB64410FF movzx eax, byte ptr [eax+edx-01]
:0042DBE8 8D55F8 lea edx, dword ptr [ebp-08]
:0042DBEB E88889FDFF call 00406578
:0042DBF0 8B55F8 mov edx, dword ptr [ebp-08]
:0042DBF3 8BC7 mov eax, edi
:0042DBF5 E8CE5BFDFF call 004037C8
:0042DBFA FF06 inc dword ptr [esi]
:0042DBFC 833E07 cmp dword ptr [esi], 00000007
:0042DBFF 75CF jne 0042DBD0
:0042DC01 8D45F8 lea eax, dword ptr [ebp-08]
:0042DC04 50 push eax
:0042DC05 B903000000 mov ecx, 00000003
:0042DC0A BA01000000 mov edx, 00000001
:0042DC0F 8B07 mov eax, dword ptr [edi] //取姓名的第二到第六个字符的十进制ASCII码
:0042DC11 E8AE5DFDFF call 004039C4 //取前二个字符的三位十进制ASCII码(例:gdszmai为100,因d为100)
:0042DC16 8B45F8 mov eax, dword ptr [ebp-08] //前二个字符的三位十进制ASCII码赋给eax
:0042DC19 E88A89FDFF call 004065A8 //把前二个字符的三位十进制ASCII码化成十六进制
:0042DC1E A358F74200 mov dword ptr [0042F758], eax //把eax的值赋给存注册码的地址[0042F758],开始运算
:0042DC23 8BC7 mov eax, edi
:0042DC25 E81A59FDFF call 00403544
:0042DC2A 8BC3 mov eax, ebx
:0042DC2C E8B3FCFFFF call 0042D8E4 //注册码运算,进入
:0042DC31 A150F74200 mov eax, dword ptr [0042F750]
:0042DC36 A350F74200 mov dword ptr [0042F750], eax
:0042DC3B 8BC3 mov eax, ebx
:0042DC3D E8F2FCFFFF call 0042D934
:0042DC42 A158F74200 mov eax, dword ptr [0042F758]
:0042DC47 A358F74200 mov dword ptr [0042F758], eax
:0042DC4C 8BC3 mov eax, ebx
:0042DC4E E835FDFFFF call 0042D988 //注册码运算,进入
:0042DC53 8BC3 mov eax, ebx
:0042DC55 E87EFDFFFF call 0042D9D8 //注册码运算,进入
:0042DC5A A158F74200 mov eax, dword ptr [0042F758]
:0042DC5F A358F74200 mov dword ptr [0042F758], eax
:0042DC64 8BC3 mov eax, ebx
:0042DC66 E8B1FDFFFF call 0042DA1C
:0042DC6B 8BC3 mov eax, ebx
:0042DC6D E8B6FDFFFF call 0042DA28
:0042DC72 A158F74200 mov eax, dword ptr [0042F758]
:0042DC77 A358F74200 mov dword ptr [0042F758], eax
:0042DC7C 8BC3 mov eax, ebx
:0042DC7E E8B1FDFFFF call 0042DA34 //注册码运算,进入
:0042DC83 8BC3 mov eax, ebx
:0042DC85 E8F2FDFFFF call 0042DA7C //注册码的另一个参数运算,进入
:0042DC8A 8BC3 mov eax, ebx
:0042DC8C E80BFEFFFF call 0042DA9C //注册码运算,进入
:0042DC91 A150F74200 mov eax, dword ptr [0042F750] //[0042F750]为注册码另一个参数的存放地址
:0042DC96 010558F74200 add dword ptr [0042F758], eax //注册码=[0042F758]+[0042F750]
:0042DC9C 8D55FC lea edx, dword ptr [ebp-04]
:0042DC9F 8B83E4010000 mov eax, dword ptr [ebx+000001E4]
:0042DCA5 E87EC5FEFF call 0041A228
:0042DCAA 8B45FC mov eax, dword ptr [ebp-04]
:0042DCAD E8F688FDFF call 004065A8 //取序列号的十六进制
:0042DCB2 A360F74200 mov dword ptr [0042F760], eax
:0042DCB7 A158F74200 mov eax, dword ptr [0042F758]
:0042DCBC 3B0560F74200 cmp eax, dword ptr [0042F760] //关键比较
:0042DCC2 7517 jne 0042DCDB //关键跳转,一跳就错
:0042DCC4 6A00 push 00000000
:0042DCC6 668B0D1CDD4200 mov cx, word ptr [0042DD1C]
:0042DCCD B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Good Serial, Thanks For trying "
->"this Crackme bY nIabI !"
|
:0042DCCF B8A0DD4200 mov eax, 0042DDA0
:0042DCD4 E867F1FFFF call 0042CE40
:0042DCD9 EB15 jmp 0042DCF0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DCC2(C)
|
:0042DCDB 6A00 push 00000000
:0042DCDD 668B0D1CDD4200 mov cx, word ptr [0042DD1C]
:0042DCE4 B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Bad Name Or Serial Number !!!!!"
|
:0042DCE6 B8E0DD4200 mov eax, 0042DDE0
:0042DCEB E850F1FFFF call 0042CE40
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042DB5B(U), :0042DB90(U), :0042DBBE(U), :0042DCD9(U)
|
:0042DCF0 33C0 xor eax, eax
:0042DCF2 5A pop edx
:0042DCF3 59 pop ecx
:0042DCF4 59 pop ecx
:0042DCF5 648910 mov dword ptr fs:[eax], edx
:0042DCF8 6815DD4200 push 0042DD15
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DD13(U)
|
:0042DCFD 8D45F8 lea eax, dword ptr [ebp-08]
:0042DD00 E83F58FDFF call 00403544
*******************************************************************************************************
* Referenced by a CALL at Address:
|:0042DC2C
|
:0042D8E4 53 push ebx
:0042D8E5 56 push esi
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D870(C)
|
:0042D8E6 B958F74200 mov ecx, 0042F758
:0042D8EB BB50F74200 mov ebx, 0042F750
:0042D8F0 8B01 mov eax, dword ptr [ecx]
:0042D8F2 03C0 add eax, eax
:0042D8F4 8D0440 lea eax, dword ptr [eax+2*eax]
:0042D8F7 8901 mov dword ptr [ecx], eax
:0042D8F9 8B01 mov eax, dword ptr [ecx]
:0042D8FB BE03000000 mov esi, 00000003
:0042D900 99 cdq
:0042D901 F7FE idiv esi
:0042D903 8901 mov dword ptr [ecx], eax
:0042D905 830110 add dword ptr [ecx], 00000010
:0042D908 8B01 mov eax, dword ptr [ecx]
:0042D90A 03C0 add eax, eax
:0042D90C 8901 mov dword ptr [ecx], eax
:0042D90E 8B01 mov eax, dword ptr [ecx]
:0042D910 8D04C0 lea eax, dword ptr [eax+8*eax]
:0042D913 8901 mov dword ptr [ecx], eax
:0042D915 833105 xor dword ptr [ecx], 00000005
:0042D918 8B03 mov eax, dword ptr [ebx]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D8AB(C)
|
:0042D91A C1E002 shl eax, 02
:0042D91D 8903 mov dword ptr [ebx], eax
:0042D91F 8B03 mov eax, dword ptr [ebx]
:0042D921 B903000000 mov ecx, 00000003
:0042D926 99 cdq
:0042D927 F7F9 idiv ecx
:0042D929 8903 mov dword ptr [ebx], eax
:0042D92B 833303 xor dword ptr [ebx], 00000003
:0042D92E 830340 add dword ptr [ebx], 00000040
:0042D931 5E pop esi
:0042D932 5B pop ebx
:0042D933 C3 ret
*******************************************************************************************************
* Referenced by a CALL at Address:
|:0042DC3D
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D8C5(C)
|
:0042D934 53 push ebx
:0042D935 B858F74200 mov eax, 0042F758
:0042D93A B950F74200 mov ecx, 0042F750
:0042D93F 8B10 mov edx, dword ptr [eax]
:0042D941 03D2 add edx, edx
:0042D943 8D1452 lea edx, dword ptr [edx+2*edx]
:0042D946 8910 mov dword ptr [eax], edx
:0042D948 8B10 mov edx, dword ptr [eax]
:0042D94A D1FA sar edx, 1
:0042D94C 7903 jns 0042D951
:0042D94E 83D200 adc edx, 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D94C(C)
|
:0042D951 8910 mov dword ptr [eax], edx
:0042D953 83000D add dword ptr [eax], 0000000D
:0042D956 6B1036 imul edx, dword ptr [eax], 00000036
:0042D959 8910 mov dword ptr [eax], edx
:0042D95B 8B10 mov edx, dword ptr [eax]
:0042D95D 8BDA mov ebx, edx
:0042D95F C1E205 shl edx, 05
:0042D962 03D3 add edx, ebx
:0042D964 8910 mov dword ptr [eax], edx
:0042D966 833010 xor dword ptr [eax], 00000010
:0042D969 8B01 mov eax, dword ptr [ecx]
:0042D96B 03C0 add eax, eax
:0042D96D 8D0440 lea eax, dword ptr [eax+2*eax]
:0042D970 8901 mov dword ptr [ecx], eax
:0042D972 8B01 mov eax, dword ptr [ecx]
:0042D974 BB05000000 mov ebx, 00000005
:0042D979 99 cdq
:0042D97A F7FB idiv ebx
:0042D97C 8901 mov dword ptr [ecx], eax
:0042D97E 833125 xor dword ptr [ecx], 00000025
:0042D981 830127 add dword ptr [ecx], 00000027
:0042D984 5B pop ebx
:0042D985 C3 ret
*******************************************************************************************************
* Referenced by a CALL at Address:
|:0042DC4E
|
:0042D988 53 push ebx
:0042D989 56 push esi
:0042D98A B958F74200 mov ecx, 0042F758
:0042D98F BB50F74200 mov ebx, 0042F750
:0042D994 8B01 mov eax, dword ptr [ecx]
:0042D996 03C0 add eax, eax
:0042D998 8D0440 lea eax, dword ptr [eax+2*eax]
:0042D99B 8901 mov dword ptr [ecx], eax
:0042D99D 8B01 mov eax, dword ptr [ecx]
:0042D99F BE03000000 mov esi, 00000003
:0042D9A4 99 cdq
:0042D9A5 F7FE idiv esi
:0042D9A7 8901 mov dword ptr [ecx], eax
:0042D9A9 83010D add dword ptr [ecx], 0000000D
:0042D9AC 8B01 mov eax, dword ptr [ecx]
:0042D9AE 03C0 add eax, eax
:0042D9B0 8D0440 lea eax, dword ptr [eax+2*eax]
:0042D9B3 8901 mov dword ptr [ecx], eax
:0042D9B5 6B0159 imul eax, dword ptr [ecx], 00000059
:0042D9B8 8901 mov dword ptr [ecx], eax
:0042D9BA 833109 xor dword ptr [ecx], 00000009
:0042D9BD 8B03 mov eax, dword ptr [ebx]
:0042D9BF 8D0480 lea eax, dword ptr [eax+4*eax]
:0042D9C2 8903 mov dword ptr [ebx], eax
:0042D9C4 8B03 mov eax, dword ptr [ebx]
:0042D9C6 85C0 test eax, eax
:0042D9C8 C1F800 sar eax, 00
:0042D9CB 8903 mov dword ptr [ebx], eax
:0042D9CD 833322 xor dword ptr [ebx], 00000022
:0042D9D0 830303 add dword ptr [ebx], 00000003
:0042D9D3 5E pop esi
:0042D9D4 5B pop ebx
:0042D9D5 C3 ret
*******************************************************************************************************
* Referenced by a CALL at Address:
|:0042DC55
|
:0042D9D8 53 push ebx
:0042D9D9 B858F74200 mov eax, 0042F758
:0042D9DE B950F74200 mov ecx, 0042F750
:0042D9E3 8B10 mov edx, dword ptr [eax]
:0042D9E5 8910 mov dword ptr [eax], edx
:0042D9E7 8B10 mov edx, dword ptr [eax]
:0042D9E9 D1FA sar edx, 1
:0042D9EB 7903 jns 0042D9F0
:0042D9ED 83D200 adc edx, 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D9EB(C)
|
:0042D9F0 8910 mov dword ptr [eax], edx
:0042D9F2 830010 add dword ptr [eax], 00000010
:0042D9F5 8B10 mov edx, dword ptr [eax]
:0042D9F7 8910 mov dword ptr [eax], edx
:0042D9F9 8B10 mov edx, dword ptr [eax]
:0042D9FB 8D1452 lea edx, dword ptr [edx+2*edx]
:0042D9FE 8910 mov dword ptr [eax], edx
:0042DA00 833006 xor dword ptr [eax], 00000006
:0042DA03 6B012B imul eax, dword ptr [ecx], 0000002B
:0042DA06 8901 mov dword ptr [ecx], eax
:0042DA08 8B01 mov eax, dword ptr [ecx]
:0042DA0A BB03000000 mov ebx, 00000003
:0042DA0F 99 cdq
:0042DA10 F7FB idiv ebx
:0042DA12 8901 mov dword ptr [ecx], eax
:0042DA14 833103 xor dword ptr [ecx], 00000003
:0042DA17 830122 add dword ptr [ecx], 00000022
:0042DA1A 5B pop ebx
:0042DA1B C3 ret
*******************************************************************************************************
* Referenced by a CALL at Address:
|:0042DC7E
|
:0042DA34 B858F74200 mov eax, 0042F758
:0042DA39 BA50F74200 mov edx, 0042F750
:0042DA3E 8B08 mov ecx, dword ptr [eax]
:0042DA40 D1F9 sar ecx, 1
:0042DA42 7903 jns 0042DA47
:0042DA44 83D100 adc ecx, 00000000
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DA42(C)
|
:0042DA47 8908 mov dword ptr [eax], ecx
:0042DA49 FF00 inc dword ptr [eax]
:0042DA4B 8B0A mov ecx, dword ptr [edx]
:0042DA4D 8D0C49 lea ecx, dword ptr [ecx+2*ecx]
:0042DA50 890A mov dword ptr [edx], ecx
:0042DA52 8B0A mov ecx, dword ptr [edx]
:0042DA54 85C9 test ecx, ecx
:0042DA56 7903 jns 0042DA5B
:0042DA58 83C103 add ecx, 00000003
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042DA56(C)
|
:0042DA5B C1F902 sar ecx, 02
:0042DA5E 890A mov dword ptr [edx], ecx
:0042DA60 8B08 mov ecx, dword ptr [eax]
:0042DA62 03C9 add ecx, ecx
:0042DA64 8D0C49 lea ecx, dword ptr [ecx+2*ecx]
:0042DA67 8908 mov dword ptr [eax], ecx
:0042DA69 8B08 mov ecx, dword ptr [eax]
:0042DA6B C1E103 shl ecx, 03
:0042DA6E 8908 mov dword ptr [eax], ecx
:0042DA70 833006 xor dword ptr [eax], 00000006
:0042DA73 833222 xor dword ptr [edx], 00000022
:0042DA76 830204 add dword ptr [edx], 00000004
:0042DA79 C3 ret
*******************************************************************************************************
* Referenced by a CALL at Address:
|:0042DC85
|
:0042DA7C A150F74200 mov eax, dword ptr [0042F750]
:0042DA81 8D0440 lea eax, dword ptr [eax+2*eax]
:0042DA84 A350F74200 mov dword ptr [0042F750], eax
:0042DA89 A150F74200 mov eax, dword ptr [0042F750]
:0042DA8E 85C0 test eax, eax
:0042DA90 C1F800 sar eax, 00
:0042DA93 A350F74200 mov dword ptr [0042F750], eax
:0042DA98 C3 ret
:0042DA99 8D4000 lea eax, dword ptr [eax+00]
* Referenced by a CALL at Address:
|:0042DC8C
|
:0042DA9C B858F74200 mov eax, 0042F758
:0042DAA1 BA50F74200 mov edx, 0042F750
:0042DAA6 833002 xor dword ptr [eax], 00000002
:0042DAA9 8B0A mov ecx, dword ptr [edx]
:0042DAAB 890A mov dword ptr [edx], ecx
:0042DAAD 8B0A mov ecx, dword ptr [edx]
:0042DAAF C1E102 shl ecx, 02
:0042DAB2 890A mov dword ptr [edx], ecx
:0042DAB4 8B08 mov ecx, dword ptr [eax]
:0042DAB6 8908 mov dword ptr [eax], ecx
:0042DAB8 8B08 mov ecx, dword ptr [eax]
:0042DABA 8908 mov dword ptr [eax], ecx
:0042DABC 8B08 mov ecx, dword ptr [eax]
:0042DABE 8908 mov dword ptr [eax], ecx
:0042DAC0 8B0A mov ecx, dword ptr [edx]
:0042DAC2 890A mov dword ptr [edx], ecx
:0042DAC4 830204 add dword ptr [edx], 00000004
:0042DAC7 8B10 mov edx, dword ptr [eax]
:0042DAC9 03D2 add edx, edx
:0042DACB 8D1452 lea edx, dword ptr [edx+2*edx]
:0042DACE 8910 mov dword ptr [eax], edx
:0042DAD0 C3 ret
*******************************************************************************************************
* Referenced by a CALL at Address:
|:0042DC8C
|
:0042DA9C B858F74200 mov eax, 0042F758
:0042DAA1 BA50F74200 mov edx, 0042F750
:0042DAA6 833002 xor dword ptr [eax], 00000002
:0042DAA9 8B0A mov ecx, dword ptr [edx]
:0042DAAB 890A mov dword ptr [edx], ecx
:0042DAAD 8B0A mov ecx, dword ptr [edx]
:0042DAAF C1E102 shl ecx, 02
:0042DAB2 890A mov dword ptr [edx], ecx
:0042DAB4 8B08 mov ecx, dword ptr [eax]
:0042DAB6 8908 mov dword ptr [eax], ecx
:0042DAB8 8B08 mov ecx, dword ptr [eax]
:0042DABA 8908 mov dword ptr [eax], ecx
:0042DABC 8B08 mov ecx, dword ptr [eax]
:0042DABE 8908 mov dword ptr [eax], ecx
:0042DAC0 8B0A mov ecx, dword ptr [edx]
:0042DAC2 890A mov dword ptr [edx], ecx
:0042DAC4 830204 add dword ptr [edx], 00000004
:0042DAC7 8B10 mov edx, dword ptr [eax]
:0042DAC9 03D2 add edx, edx
:0042DACB 8D1452 lea edx, dword ptr [edx+2*edx]
:0042DACE 8910 mov dword ptr [eax], edx
:0042DAD0 C3 ret
*******************************************************************************************************
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D870(C)
|
:0042D8E6 B958F74200 mov ecx, 0042F758
:0042D8EB BB50F74200 mov ebx, 0042F750
:0042D8F0 8B01 mov eax, dword ptr [ecx]
:0042D8F2 03C0 add eax, eax
:0042D8F4 8D0440 lea eax, dword ptr [eax+2*eax]
:0042D8F7 8901 mov dword ptr [ecx], eax
:0042D8F9 8B01 mov eax, dword ptr [ecx]
:0042D8FB BE03000000 mov esi, 00000003
:0042D900 99 cdq
:0042D901 F7FE idiv esi
:0042D903 8901 mov dword ptr [ecx], eax
:0042D905 830110 add dword ptr [ecx], 00000010
:0042D908 8B01 mov eax, dword ptr [ecx]
:0042D90A 03C0 add eax, eax
:0042D90C 8901 mov dword ptr [ecx], eax
:0042D90E 8B01 mov eax, dword ptr [ecx]
:0042D910 8D04C0 lea eax, dword ptr [eax+8*eax]
:0042D913 8901 mov dword ptr [ecx], eax
:0042D915 833105 xor dword ptr [ecx], 00000005
:0042D918 8B03 mov eax, dword ptr [ebx]
//开始注册码另一参数的运算,地址为[0042F750]
//[0042F750]初始值为"FF9765D4"或"364918ED"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D8AB(C)
|
:0042D91A C1E002 shl eax, 02
:0042D91D 8903 mov dword ptr [ebx], eax
:0042D91F 8B03 mov eax, dword ptr [ebx]
:0042D921 B903000000 mov ecx, 00000003
:0042D926 99 cdq
:0042D927 F7F9 idiv ecx
:0042D929 8903 mov dword ptr [ebx], eax
:0042D92B 833303 xor dword ptr [ebx], 00000003
:0042D92E 830340 add dword ptr [ebx], 00000040
:0042D931 5E pop esi
:0042D932 5B pop ebx
:0042D933 C3 ret
* Referenced by a CALL at Address:
|:0042DC3D
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042D8C5(C)
|
:0042D934 53 push ebx
:0042D935 B858F74200 mov eax, 0042F758
*******************************************************************************************************
结论:
姓名不少于6个字符,注册码只与姓名的第二第三位有关,取姓名第二第三位的前三位十进制数,化成十六进制后,经一系列运算,并与"FF9765D4"或"364918ED"经一系列运算后,相加即得,最后化成十进制数。(C语言源程序有详细的运算步骤)
例如: name: gdszmai
serial: 1869909096 或 -338789660
*******************************************************************************************************
/*破解 CRKME4 C语言源程序 */
#include <stdio.h>
#include <string.h>
#include <math.h>
main()
{
int a,b,c,len,serial1,serial2;
char name[16];
printf("*******************************\n");
printf("CRKME4 Key Generator\n");
printf("Press 'q' to exit.\n");
printf("*******************************\n\n\n");
aa: printf("Please input the name: ");
gets(name);/*输入姓名*/
len=strlen(name);/*取姓名长度*/
if (strcmp(name,"q")==0) goto bb;/*按"q"退出*/
if (len<6) {
printf("The name least 6 letter,input again.\n\n");
goto aa;
}
a=name[1];
if (a<100) {
b=name[2];/*如果a只有二位,则再取姓名的第三位*/
if (b<100) b=b/10;
else b=b/100;
a=a*10+b;/*与姓名的第三位合成一个三位数*/
}
a=a+a;/*开始一系列运算*/
a=a*3;
a=a/3;
a=a+0x10;
a=a+a;
a=a*9;
a=a^5;
a=a+a;
a=a*3;
a=a>>1;
a=a+0xd;
a=a*0x36;
b=a;
a=a<<5;
a=a+b;
a=a^0x10;
a=a+a;
a=a*3;
a=a/3;
a=a+0xd;
a=a+a;
a=a*3;
a=a*0x59;
a=a^9;
b=a;
b=b&1;
a=a>>1;
if (a<0&&b==1) a=a+1;
a=a+0x10;
a=a*3;
a=a^6;
b=a;
b=b&1;
a=a>>1;
if (a<0&&b==1) a=a+1;
a=a+1;
a=a+a;
a=a*3;
a=a<<3;
a=a^6;
a=a^2;
a=a*2;
a=a*3;
c=a;
b=0xff9765d4;/*初始值为“FF9765D4”的数开始一系列运算*/
b=b<<2;
b=b/3;
b=b^3;
b=b+0x40;
b=b+b;
b=b*3;
b=b/5;
b=b^0x25;
b=b+0x27;
b=b*5;
b=b^0x22;
b=b+3;
b=b*0x2b;
b=b/3;
b=b^3;
b=b+0x22;
b=b*3;
if (b<0) b=b+3;
b=b>>2;
b=b^0x22;
b=b+4;
b=b*3;
b=b<<2;
b=b+4;
c=c+b;/*相加后的十进制数即为序列号*/
serial1=c;/*序列号1*/
b=0x364918ed;/*初始值为“364918ed”的数开始一系列运算*/
b=b<<2;
b=b/3;
b=b^3;
b=b+0x40;
b=b+b;
b=b*3;
b=b/5;
b=b^0x25;
b=b+0x27;
b=b*5;
b=b^0x22;
b=b+3;
b=b*0x2b;
b=b/3;
b=b^3;
b=b+0x22;
b=b*3;
if (b<0) b=b+3;
b=b>>2;
b=b^0x22;
b=b+4;
b=b*3;
b=b<<2;
b=b+4;
a=a+b;/*相加后的十进制数即为序列号*/
serial2=a;/*序列号2*/
printf("The serial is: %d\tor\t%d\n\n",serial1,serial2);
goto aa;
bb:
;
}
*******************************************************************************************************
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
