这是一个控制台的验证程序,需要有足够的耐心才能得到真正的注册码啊!!!
注册过程已经给出在注释里了,有兴趣的可以验证了。
用PEID查看为,Dev-C++ 4.9.9.2 -> Bloodshed Software [覆盖]
; Serial computation routine of keyme2 (called from the entry function at 004015EC).
; Inputs: a = strlen(user name), b = strlen(computer name); every ADD/SUB/IMUL below wraps modulo 2^32.
; 00401376-004014E6 only produces a value in [404124] that 004015E5 overwrites; its temporaries are
; rewritten before the second part reads them, so that part has no effect on the serial.
; Review note: the results of GetUserNameA / GetComputerNameA are not tested before strlen runs on the
; buffers, and the serial depends only on the two string lengths and constants.
00401320 /$ 55 PUSH EBP ; serial computation routine
00401321 |. 89E5 MOV EBP,ESP
00401323 |. 83EC 08 SUB ESP,8
00401326 |. C74424 04 002>MOV DWORD PTR SS:[ESP+4],keyme2.0>; |
0040132E |. C70424 104040>MOV DWORD PTR SS:[ESP],keyme2.004>; |ASCII "jujumao"
00401335 |. E8 76090000 CALL <JMP.&ADVAPI32.GetUserNameA> ; \GetUserNameA
0040133A |. 83EC 08 SUB ESP,8 ; reserve 8 argument bytes again (presumably released by the stdcall callee - confirm)
0040133D |. C74424 04 042>MOV DWORD PTR SS:[ESP+4],keyme2.0>; |
00401345 |. C70424 114140>MOV DWORD PTR SS:[ESP],keyme2.004>; |ASCII "WWW-E4B0D8B933B"
0040134C |. E8 1F090000 CALL <JMP.&KERNEL32.GetComputerNa>; \GetComputerNameA
00401351 |. 83EC 08 SUB ESP,8
00401354 |. C70424 104040>MOV DWORD PTR SS:[ESP],keyme2.004>; ||ASCII "jujumao"
0040135B |. E8 80080000 CALL <JMP.&msvcrt.strlen> ; |\strlen
00401360 |. A3 44414000 MOV DWORD PTR DS:[404144],EAX ; | [404144] = a, length of the user name
00401365 |. C70424 114140>MOV DWORD PTR SS:[ESP],keyme2.004>; |ASCII "WWW-E4B0D8B933B"
0040136C |. E8 6F080000 CALL <JMP.&msvcrt.strlen> ; \strlen
00401371 |. A3 48414000 MOV DWORD PTR DS:[404148],EAX ; [404148] = b, length of the computer name
00401376 |. A1 44414000 MOV EAX,DWORD PTR DS:[404144] ; a, length of the user name
0040137B |. 0FAF05 484140>IMUL EAX,DWORD PTR DS:[404148] ; a*b
00401382 |. A3 28414000 MOV DWORD PTR DS:[404128],EAX ; [404128] = c = a*b
00401387 |. A1 28414000 MOV EAX,DWORD PTR DS:[404128]
0040138C |. 0305 28414000 ADD EAX,DWORD PTR DS:[404128] ; c+c = 2*c = d
00401392 |. A3 2C414000 MOV DWORD PTR DS:[40412C],EAX ; [40412C] = d
00401397 |. A1 28414000 MOV EAX,DWORD PTR DS:[404128] ; c
0040139C |. 0305 2C414000 ADD EAX,DWORD PTR DS:[40412C] ; d+c
004013A2 |. A3 30414000 MOV DWORD PTR DS:[404130],EAX ; [404130] = 3*c
004013A7 |. A1 28414000 MOV EAX,DWORD PTR DS:[404128]
004013AC |. 0305 30414000 ADD EAX,DWORD PTR DS:[404130]
004013B2 |. A3 34414000 MOV DWORD PTR DS:[404134],EAX ; [404134] = 4*c
004013B7 |. 8B15 34414000 MOV EDX,DWORD PTR DS:[404134]
004013BD |. 89D0 MOV EAX,EDX
004013BF |. 01C0 ADD EAX,EAX ; 4*c doubled = 8*c
004013C1 |. 01D0 ADD EAX,EDX ; 8*c + 4*c
004013C3 |. A3 38414000 MOV DWORD PTR DS:[404138],EAX ; [404138] = 12*c
004013C8 |. A1 38414000 MOV EAX,DWORD PTR DS:[404138]
004013CD |. 0FAF05 384140>IMUL EAX,DWORD PTR DS:[404138]
004013D4 |. A3 3C414000 MOV DWORD PTR DS:[40413C],EAX ; [40413C] = 144*c*c
004013D9 |. A1 28414000 MOV EAX,DWORD PTR DS:[404128]
004013DE |. 0305 3C414000 ADD EAX,DWORD PTR DS:[40413C] ; 144*c*c+c
004013E4 |. A3 40414000 MOV DWORD PTR DS:[404140],EAX
004013E9 |. 8B15 28414000 MOV EDX,DWORD PTR DS:[404128] ; c
004013EF |. A1 40414000 MOV EAX,DWORD PTR DS:[404140]
004013F4 |. 29D0 SUB EAX,EDX
004013F6 |. A3 4C414000 MOV DWORD PTR DS:[40414C],EAX ; [40414C] = 144*c*c again
004013FB |. A1 4C414000 MOV EAX,DWORD PTR DS:[40414C]
00401400 |. 0FAF05 444140>IMUL EAX,DWORD PTR DS:[404144] ; 144*c*c*a
00401407 |. A3 54414000 MOV DWORD PTR DS:[404154],EAX
0040140C |. C705 58414000>MOV DWORD PTR DS:[404158],0 ; [404158] = 0, so every product that includes it below is 0
00401416 |. A1 58414000 MOV EAX,DWORD PTR DS:[404158]
0040141B |. 0305 54414000 ADD EAX,DWORD PTR DS:[404154]
00401421 |. A3 5C414000 MOV DWORD PTR DS:[40415C],EAX
00401426 |. A1 5C414000 MOV EAX,DWORD PTR DS:[40415C]
0040142B |. 0FAF05 584140>IMUL EAX,DWORD PTR DS:[404158] ; result is 0
00401432 |. A3 60414000 MOV DWORD PTR DS:[404160],EAX
00401437 |. A1 54414000 MOV EAX,DWORD PTR DS:[404154]
0040143C |. 0FAF05 584140>IMUL EAX,DWORD PTR DS:[404158]
00401443 |. A3 64414000 MOV DWORD PTR DS:[404164],EAX ; still 0
00401448 |. A1 5C414000 MOV EAX,DWORD PTR DS:[40415C]
0040144D |. 0FAF05 604140>IMUL EAX,DWORD PTR DS:[404160]
00401454 |. A3 68414000 MOV DWORD PTR DS:[404168],EAX ; still 0
00401459 |. 8B15 68414000 MOV EDX,DWORD PTR DS:[404168]
0040145F |. A1 64414000 MOV EAX,DWORD PTR DS:[404164]
00401464 |. 29D0 SUB EAX,EDX
00401466 |. A3 6C414000 MOV DWORD PTR DS:[40416C],EAX ; still 0
0040146B |. A1 6C414000 MOV EAX,DWORD PTR DS:[40416C]
00401470 |. 0FAF05 644140>IMUL EAX,DWORD PTR DS:[404164]
00401477 |. A3 70414000 MOV DWORD PTR DS:[404170],EAX ; still 0
0040147C |. A1 68414000 MOV EAX,DWORD PTR DS:[404168]
00401481 |. 0FAF05 6C4140>IMUL EAX,DWORD PTR DS:[40416C]
00401488 |. A3 74414000 MOV DWORD PTR DS:[404174],EAX
0040148D |. A1 74414000 MOV EAX,DWORD PTR DS:[404174]
00401492 |. 0FAF05 604140>IMUL EAX,DWORD PTR DS:[404160] ; still 0
00401499 |. A3 78414000 MOV DWORD PTR DS:[404178],EAX
0040149E |. A1 44414000 MOV EAX,DWORD PTR DS:[404144] ; a
004014A3 |. 0305 78414000 ADD EAX,DWORD PTR DS:[404178] ; + 0
004014A9 |. A3 7C414000 MOV DWORD PTR DS:[40417C],EAX ; a
004014AE |. A1 7C414000 MOV EAX,DWORD PTR DS:[40417C]
004014B3 |. 0FAF05 484140>IMUL EAX,DWORD PTR DS:[404148] ; a*b
004014BA |. A3 80414000 MOV DWORD PTR DS:[404180],EAX ; [404180] = a*b = c
004014BF |. A1 4C414000 MOV EAX,DWORD PTR DS:[40414C] ; 144*c*c
004014C4 |. 0305 80414000 ADD EAX,DWORD PTR DS:[404180]
004014CA |. A3 84414000 MOV DWORD PTR DS:[404184],EAX ; 144*c*c+c
004014CF |. A1 84414000 MOV EAX,DWORD PTR DS:[404184]
004014D4 |. 0FAF05 844140>IMUL EAX,DWORD PTR DS:[404184] ; eax = (144*c*c+c)^2
004014DB |. A3 88414000 MOV DWORD PTR DS:[404188],EAX
004014E0 |. A1 88414000 MOV EAX,DWORD PTR DS:[404188]
004014E5 |. 40 INC EAX
004014E6 |. A3 24414000 MOV DWORD PTR DS:[404124],EAX ; [404124] = (144*c*c+c)^2+1; overwritten at 004015E5, so everything above has no effect on the serial
004014EB |. A1 44414000 MOV EAX,DWORD PTR DS:[404144] ; a; the computation that actually produces the serial starts here
004014F0 |. 83C0 64 ADD EAX,64 ; m = a+64h
004014F3 |. A3 28414000 MOV DWORD PTR DS:[404128],EAX
004014F8 |. A1 48414000 MOV EAX,DWORD PTR DS:[404148] ; b
004014FD |. 05 C8000000 ADD EAX,0C8 ; n = b+0C8h
00401502 |. A3 2C414000 MOV DWORD PTR DS:[40412C],EAX
00401507 |. A1 2C414000 MOV EAX,DWORD PTR DS:[40412C]
0040150C |. 0FAF05 284140>IMUL EAX,DWORD PTR DS:[404128] ; m*n
00401513 |. A3 30414000 MOV DWORD PTR DS:[404130],EAX ; [404130] = m*n
00401518 |. A1 28414000 MOV EAX,DWORD PTR DS:[404128] ; m
0040151D |. 0FAF05 2C4140>IMUL EAX,DWORD PTR DS:[40412C] ; m*n
00401524 |. 0305 30414000 ADD EAX,DWORD PTR DS:[404130] ; m*n + m*n = 2*m*n
0040152A |. A3 34414000 MOV DWORD PTR DS:[404134],EAX ; [404134] = 2*m*n
0040152F |. 8B15 28414000 MOV EDX,DWORD PTR DS:[404128] ; m
00401535 |. A1 34414000 MOV EAX,DWORD PTR DS:[404134] ; 2*m*n
0040153A |. 29D0 SUB EAX,EDX ; 2*m*n - m
0040153C |. A3 38414000 MOV DWORD PTR DS:[404138],EAX ; [404138] = q = 2*m*n - m
00401541 |. A1 34414000 MOV EAX,DWORD PTR DS:[404134] ; 2*m*n
00401546 |. 0305 38414000 ADD EAX,DWORD PTR DS:[404138] ; 2*m*n + q = 4*m*n - m
0040154C |. 2B05 30414000 SUB EAX,DWORD PTR DS:[404130] ; minus [404130] = m*n (not 2*m*n), giving 3*m*n - m
00401552 |. 0305 28414000 ADD EAX,DWORD PTR DS:[404128] ; plus m, giving 3*m*n
00401558 |. 2B05 2C414000 SUB EAX,DWORD PTR DS:[40412C] ; minus n, giving 3*m*n - n
0040155E |. A3 3C414000 MOV DWORD PTR DS:[40413C],EAX ; [40413C] = p = 3*m*n - n
00401563 |. 8B15 3C414000 MOV EDX,DWORD PTR DS:[40413C]
00401569 |. 89D0 MOV EAX,EDX
0040156B |. C1F8 1F SAR EAX,1F ; arithmetic shift right by 31: 0 or -1 according to the sign of p
0040156E |. C1E8 1F SHR EAX,1F ; logical shift right by 31: leaves just the sign bit, 0 or 1
00401571 |. 8D0402 LEA EAX,DWORD PTR DS:[EDX+EAX] ; p + sign bit, so the shift below rounds toward zero when p is negative
00401574 |. D1F8 SAR EAX,1 ; signed divide by 2
00401576 |. A3 40414000 MOV DWORD PTR DS:[404140],EAX ; [404140] = h = p/2 (signed, truncated)
0040157B |. A1 3C414000 MOV EAX,DWORD PTR DS:[40413C] ; p
00401580 |. 0FAF05 404140>IMUL EAX,DWORD PTR DS:[404140] ; p*h
00401587 |. 0FAF05 3C4140>IMUL EAX,DWORD PTR DS:[40413C] ; p^2*h
0040158E |. 0FAF05 384140>IMUL EAX,DWORD PTR DS:[404138] ; p^2*h*q
00401595 |. 0FAF05 344140>IMUL EAX,DWORD PTR DS:[404134] ; p^2*h*q*(2*m*n)
0040159C |. 0FAF05 304140>IMUL EAX,DWORD PTR DS:[404130] ; p^2*h*q*(2*m*n)*(m*n)
004015A3 |. 0FAF05 2C4140>IMUL EAX,DWORD PTR DS:[40412C] ; p^2*h*q*(2*m*n)*(m*n)*n
004015AA |. 89C2 MOV EDX,EAX
004015AC |. 0FAF15 284140>IMUL EDX,DWORD PTR DS:[404128] ; EDX = T = p^2*h*q*(2*m*n)*(m*n)*n*m = 2*p^2*h*q*(m*n)^3 (mod 2^32)
004015B3 |. 89D0 MOV EAX,EDX
004015B5 |. C1F8 1F SAR EAX,1F ; same signed-halving sequence as at 0040156B, now applied to T
004015B8 |. C1E8 1F SHR EAX,1F
004015BB |. 8D0402 LEA EAX,DWORD PTR DS:[EDX+EAX]
004015BE |. D1F8 SAR EAX,1 ; signed divide by 2
004015C0 |. A3 54414000 MOV DWORD PTR DS:[404154],EAX ; [404154] = r = T/2, taken on the wrapped 32-bit T as a signed value, so it cannot be reduced to a closed formula
004015C5 |. A1 54414000 MOV EAX,DWORD PTR DS:[404154] ; r; recap: m = a+64h, n = b+0C8h, q = 2*m*n-m, p = 3*m*n-n, h = p/2
004015CA |. 0FAF05 404140>IMUL EAX,DWORD PTR DS:[404140] ; r*h
004015D1 |. 0FAF05 344140>IMUL EAX,DWORD PTR DS:[404134] ; r*h*(2*m*n)
004015D8 |. 0FAF05 3C4140>IMUL EAX,DWORD PTR DS:[40413C] ; r*h*(2*m*n)*p
004015DF |. 69C0 BB010000 IMUL EAX,EAX,1BB ; EAX = EAX*1BBh; the three-operand IMUL multiplies by the constant, nothing is squared
004015E5 |. A3 24414000 MOV DWORD PTR DS:[404124],EAX ; [404124] = serial; the author's sample a=7, b=0Fh gives 3758096384 unsigned (0E0000000h, i.e. -536870912 as a signed 32-bit value)
004015EA |. C9 LEAVE
004015EB \. C3 RETN
; Entry function: runs the serial computation, prompts for a number with scanf("%d") and compares it
; with the value stored in [404124]; prints the "Correct" or "Try again!" message, then runs system("PAUSE").
; Review note: the return value of scanf is not tested, so after a failed parse the unmodified local at
; [EBP-4] is what gets compared. "%d" reads a signed decimal; whether the unsigned form of a serial above
; 7FFFFFFFh is accepted depends on msvcrt's overflow handling, which is not visible here.
004015EC /$ 55 PUSH EBP ; entry point
004015ED |. 89E5 MOV EBP,ESP
004015EF |. 83EC 18 SUB ESP,18
004015F2 |. 83E4 F0 AND ESP,FFFFFFF0 ; align the stack pointer down to a multiple of 16
004015F5 |. B8 00000000 MOV EAX,0
004015FA |. 83C0 0F ADD EAX,0F
004015FD |. 83C0 0F ADD EAX,0F
00401600 |. C1E8 04 SHR EAX,4
00401603 |. C1E0 04 SHL EAX,4 ; ((0+0Fh+0Fh) >> 4) << 4 = 10h
00401606 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX ; [EBP-8] = 10h
00401609 |. 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
0040160C |. E8 AF040000 CALL keyme2.00401AC0 ; presumably the runtime's stack-allocation helper taking the size in EAX - confirm
00401611 |. E8 4A010000 CALL keyme2.00401760 ; presumably runtime initialisation - confirm
00401616 |. E8 05FDFFFF CALL keyme2.00401320 ; serial computation routine; leaves the expected value in [404124]
0040161B |. C70424 003040>MOV DWORD PTR SS:[ESP],keyme2.004>; |||ASCII "moofy's keyme #2
Very simple :)
Enter: "
00401622 |. E8 A9050000 CALL <JMP.&msvcrt.printf> ; ||\printf
00401627 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4] ; || address of the local that receives the entered number
0040162A |. 894424 04 MOV DWORD PTR SS:[ESP+4],EAX ; ||
0040162E |. C70424 293040>MOV DWORD PTR SS:[ESP],keyme2.004>; ||ASCII "%d"
00401635 |. E8 86050000 CALL <JMP.&msvcrt.scanf> ; |\scanf
0040163A |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] ; | entered number
0040163D |. 3B05 24414000 CMP EAX,DWORD PTR DS:[404124] ; | 32-bit equality test against the computed serial
00401643 |. 75 0E JNZ SHORT keyme2.00401653 ; | not equal: go to the "Try again!" message
00401645 |. C70424 2C3040>MOV DWORD PTR SS:[ESP],keyme2.004>; |ASCII "
Correct :) Write a keygen and tutorial and submit it to crackmes.de
"
0040164C |. E8 7F050000 CALL <JMP.&msvcrt.printf> ; \printf
00401651 |. EB 0C JMP SHORT keyme2.0040165F
00401653 |> C70424 723040>MOV DWORD PTR SS:[ESP],keyme2.004>; |ASCII 0A,"Try again!"
0040165A |. E8 71050000 CALL <JMP.&msvcrt.printf> ; \printf
0040165F |> C70424 7F3040>MOV DWORD PTR SS:[ESP],keyme2.004>; |ASCII "PAUSE"
00401666 |. E8 45050000 CALL <JMP.&msvcrt.system> ; \system
0040166B |. B8 00000000 MOV EAX,0 ; return value 0
00401670 |. C9 LEAVE
00401671 \. C3 RETN