这是前些天从这里下载的一个Crackme,今天没事,就看了看。不知道作者是谁,也不知道有没有人给出过结果,就这样贴出来了,请作者谅解!
用OD载入,查找字符串,然后在下面的位置下断点:
; Top of the check body. The JNZ at 004018A7 branches back to this address.
; The routine's prologue is not part of this listing.
004014E5 |> /8D4D A0 /LEA ECX,DWORD PTR SS:[EBP-60] ; loop-back target of the JNZ at 004018A7
004014E8 |. |E8 43ED0100 |CALL CrackMe3.00420230
004014ED |. |8A45 EF |MOV AL,BYTE PTR SS:[EBP-11]
004014F0 |. |6A 00 |PUSH 0 ; set the breakpoint here
004014F2 |. |8D4D CC |LEA ECX,DWORD PTR SS:[EBP-34]
004014F5 |. |8845 CC |MOV BYTE PTR SS:[EBP-34],AL
004014F8 |. |E8 A3050000 |CALL CrackMe3.00401AA0 ; 00401AA0(0) on the object at [EBP-34]; presumably initialises the first message string - TODO confirm
004014FD |. |8A4D EF |MOV CL,BYTE PTR SS:[EBP-11]
00401500 |. |6A 00 |PUSH 0
00401502 |. |884D DC |MOV BYTE PTR SS:[EBP-24],CL
00401505 |. |8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]
00401508 |. |C645 FC 18 |MOV BYTE PTR SS:[EBP-4],18 ; NOTE(review): [EBP-4] looks like a compiler-maintained state byte - confirm
0040150C |. |E8 8F050000 |CALL CrackMe3.00401AA0 ; same call for the second message string at [EBP-24]
00401511 |. |8D4D A0 |LEA ECX,DWORD PTR SS:[EBP-60]
00401514 |. |C645 FC 19 |MOV BYTE PTR SS:[EBP-4],19
00401518 |. |E8 237B0100 |CALL CrackMe3.00419040
0040151D |. |85C0 |TEST EAX,EAX
0040151F |. |0F85 5B030000 |JNZ CrackMe3.00401880 ; non-zero result: skip all checks and go straight to the cleanup at 00401880
; Length gate. Execution continues at 004015DF when the serial is longer than 2
; characters OR the name is longer than the serial; only when both tests fail
; does it fall through to the failure messages.
00401525 |. |8B5D C4 |MOV EBX,DWORD PTR SS:[EBP-3C] ; EBX = serial string object (per the author's annotations; it is the one converted to a number at 004016F2)
00401528 |. |8BCB |MOV ECX,EBX
0040152A |. |E8 51710200 |CALL CrackMe3.00428680 ; returns a pointer; its +4 field is used as the character buffer and +8 as the length
0040152F |. |8378 08 02 |CMP DWORD PTR DS:[EAX+8],2 ; serial length compared with 2
00401533 |. |0F87 A6000000 |JA CrackMe3.004015DF ; longer than 2: go on to the name check
00401539 |. |8B4D C8 |MOV ECX,DWORD PTR SS:[EBP-38] ; name string object
0040153C |. |E8 3F710200 |CALL CrackMe3.00428680
00401541 |. |8B70 08 |MOV ESI,DWORD PTR DS:[EAX+8] ; ESI = name length
00401544 |. |8BCB |MOV ECX,EBX
00401546 |. |E8 35710200 |CALL CrackMe3.00428680
0040154B |. |3B70 08 |CMP ESI,DWORD PTR DS:[EAX+8] ; name length vs. serial length (unsigned compare)
0040154E |. |0F87 8B000000 |JA CrackMe3.004015DF ; a serial of 2 characters or fewer still continues when the name is longer than it
; Failure path 1 (length gate failed): store "Sorry" in the string at [EBP-34]
; and "Register Failed!" in the string at [EBP-24], then jump to 0040186A.
00401554 |. |BF B0464D00 |MOV EDI,CrackMe3.004D46B0 ; ASCII "Sorry"
00401559 |. |83C9 FF |OR ECX,FFFFFFFF
0040155C |. |33C0 |XOR EAX,EAX
0040155E |. |6A 01 |PUSH 1
00401560 |. |F2:AE |REPNE SCAS BYTE PTR ES:[EDI] ; scan for the terminating NUL (AL = 0)
00401562 |. |F7D1 |NOT ECX
00401564 |. |49 |DEC ECX ; ECX = length of "Sorry" (inline strlen)
00401565 |. |8BD9 |MOV EBX,ECX ; EBX = length; this overwrites the serial object pointer held in EBX
00401567 |. |8D4D CC |LEA ECX,DWORD PTR SS:[EBP-34]
0040156A |. |53 |PUSH EBX
0040156B |. |E8 F0050000 |CALL CrackMe3.00401B60 ; 00401B60(len, 1) on the string at [EBP-34]; presumably prepares the buffer - TODO confirm
00401570 |. |84C0 |TEST AL,AL
00401572 |. |74 21 |JE SHORT CrackMe3.00401595 ; AL = 0: skip the copy
00401574 |. |8B7D D0 |MOV EDI,DWORD PTR SS:[EBP-30] ; destination pointer stored at [EBP-30]
00401577 |. |8BCB |MOV ECX,EBX
00401579 |. |8BD1 |MOV EDX,ECX
0040157B |. |BE B0464D00 |MOV ESI,CrackMe3.004D46B0 ; ASCII "Sorry"
00401580 |. |C1E9 02 |SHR ECX,2
00401583 |. |F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWO> ; copy len/4 dwords
00401585 |. |8BCA |MOV ECX,EDX
00401587 |. |53 |PUSH EBX
00401588 |. |83E1 03 |AND ECX,3
0040158B |. |F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE> ; copy the remaining len%4 bytes
0040158D |. |8D4D CC |LEA ECX,DWORD PTR SS:[EBP-34]
00401590 |. |E8 AB050000 |CALL CrackMe3.00401B40 ; 00401B40(len); presumably stores the length and terminator, as done inline at 0040181E-00401824 - TODO confirm
00401595 |> |BF 9C464D00 |MOV EDI,CrackMe3.004D469C ; ASCII "Register Failed!"
0040159A |. |83C9 FF |OR ECX,FFFFFFFF
0040159D |. |33C0 |XOR EAX,EAX
0040159F |. |6A 01 |PUSH 1
004015A1 |. |F2:AE |REPNE SCAS BYTE PTR ES:[EDI] ; scan for the terminating NUL
004015A3 |. |F7D1 |NOT ECX
004015A5 |. |49 |DEC ECX ; ECX = length of "Register Failed!"
004015A6 |. |8BD9 |MOV EBX,ECX
004015A8 |. |8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]
004015AB |. |53 |PUSH EBX
004015AC |. |E8 AF050000 |CALL CrackMe3.00401B60 ; same preparation call for the string at [EBP-24]
004015B1 |. |84C0 |TEST AL,AL
004015B3 |. |0F84 B1020000 |JE CrackMe3.0040186A ; AL = 0: skip the copy
004015B9 |. |8B7D E0 |MOV EDI,DWORD PTR SS:[EBP-20] ; destination pointer stored at [EBP-20]
004015BC |. |8BCB |MOV ECX,EBX
004015BE |. |8BC1 |MOV EAX,ECX
004015C0 |. |BE 9C464D00 |MOV ESI,CrackMe3.004D469C ; ASCII "Register Failed!"
004015C5 |. |C1E9 02 |SHR ECX,2
004015C8 |. |F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWO> ; copy len/4 dwords
004015CA |. |8BC8 |MOV ECX,EAX
004015CC |. |53 |PUSH EBX
004015CD |. |83E1 03 |AND ECX,3
004015D0 |. |F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE> ; copy the remaining len%4 bytes
004015D2 |. |8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]
004015D5 |. |E8 66050000 |CALL CrackMe3.00401B40
004015DA |. |E9 8B020000 |JMP CrackMe3.0040186A ; both strings set: continue at 0040186A
; Name check: walks the name with ESI as index and stops at the first character
; whose converted value falls outside 'a'..'z'. EBX is not touched here.
; NOTE(review): with an empty name both length comparisons below are 0 >= 0,
; so this listing does not reject a zero-length name - confirm against the
; code before 004014E5.
004015DF |> |8B7D C8 |MOV EDI,DWORD PTR SS:[EBP-38] ; EDI = name string object
004015E2 |. |33F6 |XOR ESI,ESI ; ESI = character index, starts at 0
004015E4 |> |8BCF |/MOV ECX,EDI ; loop: check that every name character is a letter
004015E6 |. |E8 95700200 ||CALL CrackMe3.00428680
004015EB |. |3B70 08 ||CMP ESI,DWORD PTR DS:[EAX+8] ; [EAX+8] holds the name length
004015EE |. |73 53 ||JNB SHORT CrackMe3.00401643 ; index reached the length: leave the loop
004015F0 |. |8BCF ||MOV ECX,EDI
004015F2 |. |E8 89700200 ||CALL CrackMe3.00428680
004015F7 |. |8B40 04 ||MOV EAX,DWORD PTR DS:[EAX+4] ; EAX = address of the name characters
004015FA |. |85C0 ||TEST EAX,EAX
004015FC |. |75 07 ||JNZ SHORT CrackMe3.00401605
004015FE |. |B8 C8A74B00 ||MOV EAX,CrackMe3.004BA7C8 ; null buffer: use the constant at 004BA7C8 instead (presumably an empty string)
00401603 |. |EB 02 ||JMP SHORT CrackMe3.00401607
00401605 |> |03C6 ||ADD EAX,ESI ; advance the pointer to character ESI
00401607 |> |0FBE08 ||MOVSX ECX,BYTE PTR DS:[EAX] ; load the current name character, sign-extended
0040160A |. |51 ||PUSH ECX
0040160B |. |E8 99130900 ||CALL CrackMe3.004929A9 ; one-argument cdecl call; its result is range-checked against 'a'..'z', so presumably tolower() - TODO confirm
00401610 |. |83C4 04 ||ADD ESP,4
00401613 |. |83F8 61 ||CMP EAX,61 ; compare with the ASCII code of "a"
00401616 |. |7C 2B ||JL SHORT CrackMe3.00401643 ; below 'a': stop early
00401618 |. |8BCF ||MOV ECX,EDI
0040161A |. |E8 61700200 ||CALL CrackMe3.00428680
0040161F |. |8B40 04 ||MOV EAX,DWORD PTR DS:[EAX+4]
00401622 |. |85C0 ||TEST EAX,EAX
00401624 |. |75 07 ||JNZ SHORT CrackMe3.0040162D
00401626 |. |B8 C8A74B00 ||MOV EAX,CrackMe3.004BA7C8
0040162B |. |EB 02 ||JMP SHORT CrackMe3.0040162F
0040162D |> |03C6 ||ADD EAX,ESI
0040162F |> |0FBE10 ||MOVSX EDX,BYTE PTR DS:[EAX] ; the same character is loaded a second time
00401632 |. |52 ||PUSH EDX
00401633 |. |E8 71130900 ||CALL CrackMe3.004929A9
00401638 |. |83C4 04 ||ADD ESP,4
0040163B |. |83F8 7A ||CMP EAX,7A ; compare with the ASCII code of "z"
0040163E |. |7F 03 ||JG SHORT CrackMe3.00401643 ; above 'z': stop early
00401640 |. |46 ||INC ESI ; next character
00401641 |.^|EB A1 |\JMP SHORT CrackMe3.004015E4
00401643 |> |8BCF |MOV ECX,EDI
00401645 |. |E8 36700200 |CALL CrackMe3.00428680
0040164A |. |3B70 08 |CMP ESI,DWORD PTR DS:[EAX+8] ; did the index reach the end of the name?
0040164D |. |0F83 8B000000 |JNB CrackMe3.004016DE ; yes: every character passed, go on to the serial checks; otherwise fall into the failure path
; Failure path 2: reached by falling through from 0040164D (name check failed)
; and from the JE at 00401702 (key routine returned 0). Stores "Sorry" and
; "Register Failed!" in the two message strings, then jumps to 0040186A.
00401653 |> |33C0 |XOR EAX,EAX
00401655 |. |BF B0464D00 |MOV EDI,CrackMe3.004D46B0 ; ASCII "Sorry"
0040165A |. |83C9 FF |OR ECX,FFFFFFFF
0040165D |. |6A 01 |PUSH 1
0040165F |. |F2:AE |REPNE SCAS BYTE PTR ES:[EDI] ; scan for the terminating NUL (AL = 0)
00401661 |. |F7D1 |NOT ECX
00401663 |. |49 |DEC ECX ; ECX = length of "Sorry" (inline strlen)
00401664 |. |8BD9 |MOV EBX,ECX
00401666 |. |8D4D CC |LEA ECX,DWORD PTR SS:[EBP-34]
00401669 |. |53 |PUSH EBX
0040166A |. |E8 F1040000 |CALL CrackMe3.00401B60 ; 00401B60(len, 1) on the string at [EBP-34]; presumably prepares the buffer - TODO confirm
0040166F |. |84C0 |TEST AL,AL
00401671 |. |74 21 |JE SHORT CrackMe3.00401694 ; AL = 0: skip the copy
00401673 |. |8B7D D0 |MOV EDI,DWORD PTR SS:[EBP-30] ; destination pointer stored at [EBP-30]
00401676 |. |8BCB |MOV ECX,EBX
00401678 |. |8BC1 |MOV EAX,ECX
0040167A |. |BE B0464D00 |MOV ESI,CrackMe3.004D46B0 ; ASCII "Sorry"
0040167F |. |C1E9 02 |SHR ECX,2
00401682 |. |F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWO> ; copy len/4 dwords
00401684 |. |8BC8 |MOV ECX,EAX
00401686 |. |53 |PUSH EBX
00401687 |. |83E1 03 |AND ECX,3
0040168A |. |F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE> ; copy the remaining len%4 bytes
0040168C |. |8D4D CC |LEA ECX,DWORD PTR SS:[EBP-34]
0040168F |. |E8 AC040000 |CALL CrackMe3.00401B40 ; 00401B40(len); presumably stores the length and terminator - TODO confirm
00401694 |> |BF 9C464D00 |MOV EDI,CrackMe3.004D469C ; ASCII "Register Failed!"
00401699 |. |83C9 FF |OR ECX,FFFFFFFF
0040169C |. |33C0 |XOR EAX,EAX
0040169E |. |6A 01 |PUSH 1
004016A0 |. |F2:AE |REPNE SCAS BYTE PTR ES:[EDI] ; scan for the terminating NUL
004016A2 |. |F7D1 |NOT ECX
004016A4 |. |49 |DEC ECX ; ECX = length of "Register Failed!"
004016A5 |. |8BD9 |MOV EBX,ECX
004016A7 |. |8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]
004016AA |. |53 |PUSH EBX
004016AB |. |E8 B0040000 |CALL CrackMe3.00401B60 ; same preparation call for the string at [EBP-24]
004016B0 |. |84C0 |TEST AL,AL
004016B2 |. |0F84 B2010000 |JE CrackMe3.0040186A ; AL = 0: skip the copy
004016B8 |. |8B7D E0 |MOV EDI,DWORD PTR SS:[EBP-20] ; destination pointer stored at [EBP-20]
004016BB |. |8BCB |MOV ECX,EBX
004016BD |. |8BD1 |MOV EDX,ECX
004016BF |. |BE 9C464D00 |MOV ESI,CrackMe3.004D469C ; ASCII "Register Failed!"
004016C4 |. |C1E9 02 |SHR ECX,2
004016C7 |. |F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWO> ; copy len/4 dwords
004016C9 |. |8BCA |MOV ECX,EDX
004016CB |. |53 |PUSH EBX
004016CC |. |83E1 03 |AND ECX,3
004016CF |. |F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE> ; copy the remaining len%4 bytes
004016D1 |. |8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]
004016D4 |. |E8 67040000 |CALL CrackMe3.00401B40
004016D9 |. |E9 8C010000 |JMP CrackMe3.0040186A ; both strings set: continue at 0040186A
; Serial check, step 1: convert the serial text to a number and pass it to the
; key routine at 00401000. A zero result in AL sends execution to the failure
; path at 00401653.
004016DE |> |8BCB |MOV ECX,EBX ; EBX still holds the serial string object loaded at 00401525
004016E0 |. |E8 9B6F0200 |CALL CrackMe3.00428680 ; fetch the serial's descriptor to get the character buffer
004016E5 |. |8B40 04 |MOV EAX,DWORD PTR DS:[EAX+4]
004016E8 |. |85C0 |TEST EAX,EAX
004016EA |. |75 05 |JNZ SHORT CrackMe3.004016F1
004016EC |. |B8 C8A74B00 |MOV EAX,CrackMe3.004BA7C8 ; null buffer: use the constant at 004BA7C8 instead
004016F1 |> |50 |PUSH EAX
004016F2 |. |E8 A7120900 |CALL CrackMe3.0049299E ; per the author: converts the serial's ASCII digit string to a numeric value (presumably atoi - TODO confirm)
004016F7 |. |50 |PUSH EAX ; EAX = numeric value of the entered serial
004016F8 |. |E8 03F9FFFF |CALL CrackMe3.00401000 ; key routine; its listing starts at 00401000
004016FD |. |83C4 08 |ADD ESP,8 ; removes the arguments of both calls
00401700 |. |84C0 |TEST AL,AL
00401702 |.^|0F84 4BFFFFFF |JE CrackMe3.00401653 ; AL = 0: jump back to the failure path
; Serial check, step 2: the serial text must read the same from both ends.
; EBX counts up from 0, EDI counts down from length-1; the loop ends in success
; once EBX > EDI (signed compare) and in failure at the first differing pair.
00401708 |. |8BCB |MOV ECX,EBX
0040170A |. |E8 716F0200 |CALL CrackMe3.00428680
0040170F |. |8B40 08 |MOV EAX,DWORD PTR DS:[EAX+8] ; number of characters in the serial
00401712 |. |33DB |XOR EBX,EBX ; EBX = front index; the serial object is re-read from [EBP-3C] below
00401714 |. |8D78 FF |LEA EDI,DWORD PTR DS:[EAX-1] ; EDI = back index = length - 1
00401717 |> |3BDF |/CMP EBX,EDI ; loop: symmetric (palindrome) comparison of the serial characters
00401719 |. |0F8F C7000000 ||JG CrackMe3.004017E6 ; indices crossed: every pair matched, go to the success path
0040171F |. |8B4D C4 ||MOV ECX,DWORD PTR SS:[EBP-3C]
00401722 |. |E8 596F0200 ||CALL CrackMe3.00428680
00401727 |. |8B40 04 ||MOV EAX,DWORD PTR DS:[EAX+4]
0040172A |. |BE C8A74B00 ||MOV ESI,CrackMe3.004BA7C8 ; default pointer if the buffer is null
0040172F |. |85C0 ||TEST EAX,EAX
00401731 |. |74 03 ||JE SHORT CrackMe3.00401736
00401733 |. |8D3418 ||LEA ESI,DWORD PTR DS:[EAX+EBX] ; ESI = address of character EBX (from the front)
00401736 |> |8B4D C4 ||MOV ECX,DWORD PTR SS:[EBP-3C]
00401739 |. |E8 426F0200 ||CALL CrackMe3.00428680
0040173E |. |8B40 04 ||MOV EAX,DWORD PTR DS:[EAX+4]
00401741 |. |85C0 ||TEST EAX,EAX
00401743 |. |75 07 ||JNZ SHORT CrackMe3.0040174C
00401745 |. |B8 C8A74B00 ||MOV EAX,CrackMe3.004BA7C8
0040174A |. |EB 02 ||JMP SHORT CrackMe3.0040174E
0040174C |> |03C7 ||ADD EAX,EDI ; EAX = address of character EDI (from the back)
0040174E |> |8A0E ||MOV CL,BYTE PTR DS:[ESI]
00401750 |. |8A10 ||MOV DL,BYTE PTR DS:[EAX]
00401752 |. |3ACA ||CMP CL,DL ; front character vs. back character
00401754 |. |75 04 ||JNZ SHORT CrackMe3.0040175A ; mismatch: failure path
00401756 |. |4F ||DEC EDI
00401757 |. |43 ||INC EBX
00401758 |.^|EB BD |\JMP SHORT CrackMe3.00401717
; Failure path 3 (serial is not symmetric): stores "Sorry" in the string at
; [EBP-34] and "Register Failed!" in the string at [EBP-24], then jumps to
; 0040186A. The second string's length and terminator are written inline here.
0040175A |> |BF B0464D00 |MOV EDI,CrackMe3.004D46B0 ; ASCII "Sorry"
0040175F |. |83C9 FF |OR ECX,FFFFFFFF
00401762 |. |33C0 |XOR EAX,EAX
00401764 |. |6A 01 |PUSH 1
00401766 |. |F2:AE |REPNE SCAS BYTE PTR ES:[EDI] ; scan for the terminating NUL (AL = 0)
00401768 |. |F7D1 |NOT ECX
0040176A |. |49 |DEC ECX ; ECX = length of "Sorry" (inline strlen)
0040176B |. |8BD9 |MOV EBX,ECX
0040176D |. |8D4D CC |LEA ECX,DWORD PTR SS:[EBP-34]
00401770 |. |53 |PUSH EBX
00401771 |. |E8 EA030000 |CALL CrackMe3.00401B60 ; 00401B60(len, 1) on the string at [EBP-34]; presumably prepares the buffer - TODO confirm
00401776 |. |84C0 |TEST AL,AL
00401778 |. |74 21 |JE SHORT CrackMe3.0040179B ; AL = 0: skip the copy
0040177A |. |8B7D D0 |MOV EDI,DWORD PTR SS:[EBP-30] ; destination pointer stored at [EBP-30]
0040177D |. |8BCB |MOV ECX,EBX
0040177F |. |8BD1 |MOV EDX,ECX
00401781 |. |BE B0464D00 |MOV ESI,CrackMe3.004D46B0 ; ASCII "Sorry"
00401786 |. |C1E9 02 |SHR ECX,2
00401789 |. |F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWO> ; copy len/4 dwords
0040178B |. |8BCA |MOV ECX,EDX
0040178D |. |53 |PUSH EBX
0040178E |. |83E1 03 |AND ECX,3
00401791 |. |F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE> ; copy the remaining len%4 bytes
00401793 |. |8D4D CC |LEA ECX,DWORD PTR SS:[EBP-34]
00401796 |. |E8 A5030000 |CALL CrackMe3.00401B40 ; 00401B40(len); presumably stores the length and terminator - TODO confirm
0040179B |> |BF 9C464D00 |MOV EDI,CrackMe3.004D469C ; ASCII "Register Failed!"
004017A0 |. |83C9 FF |OR ECX,FFFFFFFF
004017A3 |. |33C0 |XOR EAX,EAX
004017A5 |. |6A 01 |PUSH 1
004017A7 |. |F2:AE |REPNE SCAS BYTE PTR ES:[EDI] ; scan for the terminating NUL
004017A9 |. |F7D1 |NOT ECX
004017AB |. |49 |DEC ECX ; ECX = length of "Register Failed!"
004017AC |. |8BD9 |MOV EBX,ECX
004017AE |. |8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]
004017B1 |. |53 |PUSH EBX
004017B2 |. |E8 A9030000 |CALL CrackMe3.00401B60 ; same preparation call for the string at [EBP-24]
004017B7 |. |84C0 |TEST AL,AL
004017B9 |. |0F84 AB000000 |JE CrackMe3.0040186A ; AL = 0: skip the copy
004017BF |. |8B7D E0 |MOV EDI,DWORD PTR SS:[EBP-20] ; destination pointer stored at [EBP-20]
004017C2 |. |8BCB |MOV ECX,EBX
004017C4 |. |8BC1 |MOV EAX,ECX
004017C6 |. |BE 9C464D00 |MOV ESI,CrackMe3.004D469C ; ASCII "Register Failed!"
004017CB |. |C1E9 02 |SHR ECX,2
004017CE |. |F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWO> ; copy len/4 dwords
004017D0 |. |8BC8 |MOV ECX,EAX
004017D2 |. |83E1 03 |AND ECX,3
004017D5 |. |F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE> ; copy the remaining len%4 bytes
004017D7 |. |8B4D E0 |MOV ECX,DWORD PTR SS:[EBP-20]
004017DA |. |895D E4 |MOV DWORD PTR SS:[EBP-1C],EBX ; store the new length at [EBP-1C]
004017DD |. |C60419 00 |MOV BYTE PTR DS:[ECX+EBX],0 ; write the terminating NUL after the copied text
004017E1 |. |E9 84000000 |JMP CrackMe3.0040186A
; Success path (reached from the JG at 00401719): stores "Congratulate" in the
; string at [EBP-34] and "Register Succeed!" in the string at [EBP-24], then
; falls through to 0040186A.
004017E6 |> |BF 8C464D00 |MOV EDI,CrackMe3.004D468C ; ASCII "Congratulate"
004017EB |. |83C9 FF |OR ECX,FFFFFFFF
004017EE |. |33C0 |XOR EAX,EAX
004017F0 |. |6A 01 |PUSH 1
004017F2 |. |F2:AE |REPNE SCAS BYTE PTR ES:[EDI] ; scan for the terminating NUL (AL = 0) to measure "Congratulate"
004017F4 |. |F7D1 |NOT ECX
004017F6 |. |49 |DEC ECX ; ECX = length of "Congratulate"
004017F7 |. |8BD9 |MOV EBX,ECX
004017F9 |. |8D4D CC |LEA ECX,DWORD PTR SS:[EBP-34]
004017FC |. |53 |PUSH EBX
004017FD |. |E8 5E030000 |CALL CrackMe3.00401B60 ; 00401B60(len, 1) on the string at [EBP-34]; presumably prepares the buffer - TODO confirm
00401802 |. |84C0 |TEST AL,AL
00401804 |. |74 22 |JE SHORT CrackMe3.00401828 ; AL = 0: only the copy is skipped; this branch does not decide success
00401806 |. |8B7D D0 |MOV EDI,DWORD PTR SS:[EBP-30] ; destination pointer stored at [EBP-30]
00401809 |. |8BCB |MOV ECX,EBX
0040180B |. |8BD1 |MOV EDX,ECX
0040180D |. |BE 8C464D00 |MOV ESI,CrackMe3.004D468C ; ASCII "Congratulate"
00401812 |. |C1E9 02 |SHR ECX,2
00401815 |. |F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWO> ; copy len/4 dwords
00401817 |. |8BCA |MOV ECX,EDX
00401819 |. |83E1 03 |AND ECX,3
0040181C |. |F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE> ; copy the remaining len%4 bytes
0040181E |. |8B45 D0 |MOV EAX,DWORD PTR SS:[EBP-30]
00401821 |. |895D D4 |MOV DWORD PTR SS:[EBP-2C],EBX ; store the new length at [EBP-2C]
00401824 |. |C60418 00 |MOV BYTE PTR DS:[EAX+EBX],0 ; write the terminating NUL after the copied text
00401828 |> |BF 78464D00 |MOV EDI,CrackMe3.004D4678 ; ASCII "Register Succeed!"
0040182D |. |83C9 FF |OR ECX,FFFFFFFF
00401830 |. |33C0 |XOR EAX,EAX
00401832 |. |6A 01 |PUSH 1
00401834 |. |F2:AE |REPNE SCAS BYTE PTR ES:[EDI] ; scan for the terminating NUL
00401836 |. |F7D1 |NOT ECX
00401838 |. |49 |DEC ECX ; ECX = length of "Register Succeed!"
00401839 |. |8BD9 |MOV EBX,ECX
0040183B |. |8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]
0040183E |. |53 |PUSH EBX
0040183F |. |E8 1C030000 |CALL CrackMe3.00401B60 ; same preparation call for the string at [EBP-24]
00401844 |. |84C0 |TEST AL,AL
00401846 |. |74 22 |JE SHORT CrackMe3.0040186A ; AL = 0: skip the copy
00401848 |. |8B7D E0 |MOV EDI,DWORD PTR SS:[EBP-20] ; destination pointer stored at [EBP-20]
0040184B |. |8BCB |MOV ECX,EBX
0040184D |. |8BD1 |MOV EDX,ECX
0040184F |. |BE 78464D00 |MOV ESI,CrackMe3.004D4678 ; ASCII "Register Succeed!"
00401854 |. |C1E9 02 |SHR ECX,2
00401857 |. |F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWO> ; copy len/4 dwords
00401859 |. |8BCA |MOV ECX,EDX
0040185B |. |83E1 03 |AND ECX,3
0040185E |. |F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE> ; copy the remaining len%4 bytes
00401860 |. |8B45 E0 |MOV EAX,DWORD PTR SS:[EBP-20]
00401863 |. |895D E4 |MOV DWORD PTR SS:[EBP-1C],EBX ; store the new length at [EBP-1C]
00401866 |. |C60418 00 |MOV BYTE PTR DS:[EAX+EBX],0 ; write the terminating NUL after the copied text
; Common tail of every path: hands both message strings to 0041E740, releases
; them, and branches back to 004014E5 unless 00419040 returns 1.
; The routine continues past the end of this listing.
0040186A |> |8D4D 94 |LEA ECX,DWORD PTR SS:[EBP-6C]
0040186D |. |6A 00 |PUSH 0
0040186F |. |8D55 DC |LEA EDX,DWORD PTR SS:[EBP-24]
00401872 |. |51 |PUSH ECX
00401873 |. |8D45 CC |LEA EAX,DWORD PTR SS:[EBP-34]
00401876 |. |52 |PUSH EDX
00401877 |. |50 |PUSH EAX
00401878 |. |E8 C3CE0100 |CALL CrackMe3.0041E740 ; four stack arguments: &[EBP-34], &[EBP-24], &[EBP-6C], 0; presumably shows the two message strings to the user - TODO confirm
0040187D |. |83C4 10 |ADD ESP,10 ; caller removes the four arguments
00401880 |> |6A 01 |PUSH 1
00401882 |. |8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]
00401885 |. |C645 FC 18 |MOV BYTE PTR SS:[EBP-4],18
00401889 |. |E8 12020000 |CALL CrackMe3.00401AA0 ; 00401AA0(1) on the string at [EBP-24]; presumably releases it - TODO confirm
0040188E |. |6A 01 |PUSH 1
00401890 |. |8D4D CC |LEA ECX,DWORD PTR SS:[EBP-34]
00401893 |. |C645 FC 10 |MOV BYTE PTR SS:[EBP-4],10
00401897 |. |E8 04020000 |CALL CrackMe3.00401AA0 ; same call for the string at [EBP-34]
0040189C |. |8D4D A0 |LEA ECX,DWORD PTR SS:[EBP-60]
0040189F |. |E8 9C770100 |CALL CrackMe3.00419040
004018A4 |. |83F8 01 |CMP EAX,1
004018A7 |.^\0F85 38FCFFFF \JNZ CrackMe3.004014E5 ; result other than 1: run the check body again from 004014E5
004018AD |. E8 FE4C0800 CALL CrackMe3.004865B0
这是关键函数的代码:
; Key check routine, called at 004016F8 with the numeric serial value s as its
; stack argument (read as [ESP+8] after the PUSH ESI below).
; Out: AL = 1 accept, AL = 0 reject. ESI is saved and restored.
; Accepts s == 2; rejects 0, 1 and even values; otherwise trial-divides s by
; d = int(sqrt(s)), d-2, d-4, ... while d >= 3 and accepts only if no d divides s.
; NOTE(review): this is weaker than a primality test. Only divisors with the
; same parity as int(sqrt(s)) are tried; if the conversion at 004927E8
; truncates, s = 21 gives d = 4, then d = 2, and is accepted - confirm.
00401000 /$ 56 PUSH ESI
00401001 |. 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8] ; ESI = s
00401005 |. 83FE 02 CMP ESI,2 ; s == 2 is accepted immediately (AL = 1)
00401008 |. 75 04 JNZ SHORT CrackMe3.0040100E
0040100A |. B0 01 MOV AL,1
0040100C |. 5E POP ESI
0040100D |. C3 RETN
0040100E |> 85F6 TEST ESI,ESI
00401010 |. 74 42 JE SHORT CrackMe3.00401054 ; s == 0: reject
00401012 |. 83FE 01 CMP ESI,1
00401015 |. 74 3D JE SHORT CrackMe3.00401054 ; s == 1: reject
00401017 |. 8BC6 MOV EAX,ESI
00401019 |. 25 01000080 AND EAX,80000001 ; keep only the sign bit and the lowest bit: start of the signed s % 2 sequence
0040101E |. 79 05 JNS SHORT CrackMe3.00401025 ; non-negative: EAX is already s % 2
00401020 |. 48 DEC EAX ; negative s: these three instructions adjust the remainder for the sign
00401021 |. 83C8 FE OR EAX,FFFFFFFE
00401024 |. 40 INC EAX
00401025 |> 74 2D JE SHORT CrackMe3.00401054 ; remainder 0, i.e. s is even: reject
00401027 |. DB4424 08 FILD DWORD PTR SS:[ESP+8] ; load s onto the FPU stack
0040102B |. D9FA FSQRT ; square root of the serial value
0040102D |. E8 B6170900 CALL CrackMe3.004927E8 ; converts the square root to an integer in EAX (presumably truncating - TODO confirm)
00401032 |. 8BC8 MOV ECX,EAX ; ECX = d, the first trial divisor
00401034 |. 83F9 03 CMP ECX,3
00401037 |. 7C 11 JL SHORT CrackMe3.0040104A ; d < 3: nothing to try, the SETL below yields AL = 1
00401039 |> 8BC6 /MOV EAX,ESI ; loop: remainder of s / d, with d starting at int(sqrt(s)) and dropping by 2 each pass
0040103B |. 99 |CDQ
0040103C |. F7F9 |IDIV ECX ; EDX = s % d
0040103E |. 85D2 |TEST EDX,EDX
00401040 |. 74 08 |JE SHORT CrackMe3.0040104A ; d divides s: leave with d >= 3, so AL becomes 0
00401042 |. 83E9 02 |SUB ECX,2
00401045 |. 83F9 03 |CMP ECX,3
00401048 |.^ 7D EF \JGE SHORT CrackMe3.00401039 ; keep going while d >= 3
0040104A |> 33C0 XOR EAX,EAX
0040104C |. 83F9 03 CMP ECX,3
0040104F |. 0F9CC0 SETL AL ; AL = SF xor OF, i.e. 1 exactly when d < 3 (no tried divisor divided s)
00401052 |. 5E POP ESI
00401053 |. C3 RETN
00401054 |> 32C0 XOR AL,AL ; reject: AL = 0
00401056 |. 5E POP ESI
00401057 \. C3 RETN
分析总结:
(1)要求注册的用户名必须全部是字母,并且不能是零长度。
(2)注册码有以下限制:
①必须是整数;
②必须是回文(即第一位和最后一位相同,第二位与倒数第二位相同,依次类推);
③从注册码的开方值取整后开始,以步长为2递减,寻找第一个能整除注册码的数,并且这个数要小于等于3,也就是说注册码应该为质数。
(注:按 0040104A 处的 CMP ECX,3 / SETL AL,通过的条件实际是除数递减到小于3时仍未整除;而且试除只按步长2进行,所以这里只是近似的质数判断。)
综合以上分析,这里的注册码应该是质数中的回文。
注册码的生成代码如下(VC++下编译通过):
#include "stdafx.h"
#include "iostream.h"
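// Returns true when the decimal digits of n read the same in both directions.
// This mirrors the character-by-character symmetry loop at 00401717 for any
// number of digits, instead of hard-coding the two- and three-digit cases.
static bool is_palindrome(int n)
{
    int rest = n;
    int reversed = 0;
    while (rest > 0)
    {
        reversed = reversed * 10 + rest % 10;
        rest /= 10;
    }
    return reversed == n;
}

// Model of the key routine listed at 00401000: accepts 2, rejects 0, 1 and
// even values, then trial-divides s by d = int(sqrt(s)), d-2, d-4, ... while
// d >= 3 and accepts only when no tried d divides s.
// Assumes the routine truncates the square root; positive s only.
static bool passes_divisor_check(int s)
{
    int d;
    if (s == 2)
        return true;
    if (s == 0 || s == 1)
        return false;
    if (s % 2 == 0)
        return false;
    // Integer floor(sqrt(s)) without floating point.
    d = 0;
    while ((d + 1) * (d + 1) <= s)
        d++;
    while (d >= 3 && s % d != 0)
        d -= 2;
    return d < 3;
}

// Prints every value in [10, 500) that satisfies both conditions from the
// analysis: palindromic digits and the divisor check of 00401000.
// The previous version only tested "odd palindrome", so it also printed values
// such as 33 or 121 that the divisor check rejects.
// Two-digit values are kept in the range as before; per the length test at
// 0040152F they only get past the first gate when the name is longer than
// the serial.
int main()
{
    int i;
    for (i = 10; i < 500; i++)
    {
        if (is_palindrome(i) && passes_divisor_check(i))
            cout<<"The Number "<<i<<" is one of the Code!"<<endl;
    }
    return 0;
}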