第一次发主题贴,请多批评。
[ncrackme.exe注册算法分析]
1. 用用户名(不得少于3字节,输入的前15字节有效,以00结束串)前3字节计算结果,初始化内存004050AC的数据(全局变量maz,将用于计算真码):
maz=0xFFFFFFFF/((a%b)*c+1)
2. 先循环15次sub():反复用004050AC的数据做相同计算再存回(表面上生成15字符码,虽存放在真码地址,但此时是假码;真正用意应是改变了maz)
3. 再循环取用户名字串每一字节(汉字两字节),做如下计算:
w=a>>5; w=(w+(w+w*4)*8)+(w+(w+w*4)*8)*2; while(w>0){sub();w--;}
然后计算出对应这一字节的注册码字符
res=(sub()%26)+0x41;虽然子函数每次都有返回值,但只有这里使用它的返回值(前面的调用都只是用来改变maz)
注册码是大写英文字母,长度等于用户名字节数
子函数sub(){ r=(maz*0x343FD+0x269EC3); maz=r; r=0x7FFF&(r>>16); return r;}(乘数0x343FD、增量0x269EC3以及取高位的方式与MSVC运行库rand()的线性同余算法相同,maz相当于由用户名导出的种子;整个校验只依赖用户名,不含任何密钥)
[注册机程序]
#include "windows.h"
/* Resource identifiers; the same values are defined in cracker.rc. */
#define IDD_CRACKER 101 /* dialog template */
#define IDC_EDIT1 1000 /* edit control read on IDOK (user name) */
#define IDC_EDIT2 1001 /* edit control that receives the computed code */
#define IDC_STATIC -1 /* id used by the static text labels in cracker.rc */
/* Shared 16-byte buffer: filled with the user name by the dialog procedure,
   then cleared and overwritten with the computed code by crack_fun(). */
char zcm[16];
/* Generator state: seeded in crack_fun() and advanced by every call_fun(). */
long maz;
/* Dialog procedure for IDD_CRACKER. */
LRESULT CALLBACK Cracker(HWND, UINT, WPARAM, LPARAM);
/* Computes the code for the name in zcm and returns zcm. */
char* crack_fun();
/* Advances maz one step and returns a 15-bit value derived from it. */
long call_fun();
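/*
 * Program entry point: clears the shared name/code buffer and runs the
 * IDD_CRACKER dialog modally with Cracker as its dialog procedure.
 *
 * Returns 0 after the dialog closes, or 1 if the dialog could not be created
 * (DialogBox reports that as -1; the original ignored the result).
 */
int APIENTRY WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
    /* Unused WinMain parameters. */
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nCmdShow;

    memset(zcm,0,sizeof(zcm));

    /* MAKEINTRESOURCE is the documented way to pass an integer resource id. */
    if(DialogBox(hInstance, MAKEINTRESOURCE(IDD_CRACKER), NULL, (DLGPROC)Cracker)==-1)
        return 1;

    PostQuitMessage(0);
    return 0;
}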
/*
 * Dialog procedure for the IDD_CRACKER dialog.
 *
 * WM_INITDIALOG: centres the dialog within the desktop window's client area.
 * WM_COMMAND/IDOK: reads up to 15 characters from IDC_EDIT1 into zcm and
 *                  writes the result of crack_fun() into IDC_EDIT2.
 * WM_COMMAND/IDCANCEL: closes the dialog.
 *
 * Returns TRUE for the messages handled above and FALSE for everything else.
 */
LRESULT CALLBACK Cracker(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
{
    if (message == WM_INITDIALOG)
    {
        RECT deskRect, dlgRect;
        LONG deskW, deskH, dlgW, dlgH;

        GetClientRect(GetDesktopWindow(), &deskRect);
        deskW = deskRect.right - deskRect.left;
        deskH = deskRect.bottom - deskRect.top;

        GetWindowRect(hDlg, &dlgRect);
        dlgW = dlgRect.right - dlgRect.left;
        dlgH = dlgRect.bottom - dlgRect.top;

        /* Keep the dialog's size; only its top-left corner moves. */
        MoveWindow(hDlg, (deskW - dlgW) / 2, (deskH - dlgH) / 2, dlgW, dlgH, TRUE);
        return TRUE;
    }

    if (message == WM_COMMAND)
    {
        WORD id = LOWORD(wParam);

        if (id == IDOK)
        {
            /* zcm is 16 bytes, so at most 15 characters plus the terminator. */
            GetDlgItemText(hDlg, IDC_EDIT1, zcm, 16);
            SetDlgItemText(hDlg, IDC_EDIT2, crack_fun());
            return TRUE;
        }
        if (id == IDCANCEL)
        {
            EndDialog(hDlg, id);
            return TRUE;
        }
    }

    return FALSE;
}
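/*
 * Compute the registration code for the user name currently stored in zcm.
 *
 * zcm is both input and output: the name is copied out, zcm is cleared, and
 * one upper-case letter is written per name byte. Returns zcm; the string is
 * empty when the name is rejected.
 *
 * Steps (following the write-up's numbering):
 *   1. seed maz from the first three name bytes;
 *   2. advance the generator 15 times;
 *   3. for each name byte, advance the generator 123*(byte>>5) times, then
 *      map the next output to 'A'..'Z'.
 *
 * Changes from the original listing:
 *   - the name is copied with an explicit bound instead of strcpy, so the
 *     function no longer depends on the caller having NUL-terminated zcm;
 *   - a zero divisor in the seed computation returns an empty code instead
 *     of faulting.
 */
char* crack_fun(){
    char name[16];
    long a,b,c,w,xx,divisor;
    int i,len;

    maz=0;

    /* Bounded copy: at most 15 bytes, always terminated. */
    memcpy(name,zcm,sizeof(name)-1);
    name[sizeof(name)-1]='\0';
    memset(zcm,0,sizeof(zcm));

    len=(int)strlen(name);
    /* NOTE(review): the write-up says names must be at least 3 bytes, but this
       test also rejects a name of exactly 3 bytes - confirm against the target. */
    if(len<=3)return zcm;

    /* name is plain char; with a signed char (the MSVC default) bytes >= 0x80,
       e.g. double-byte characters, become negative here.
       NOTE(review): whether the target treats such bytes the same way cannot
       be confirmed from this listing. */
    a=(long)name[0];
    b=(long)name[1];   /* non-zero because len > 3 */
    c=(long)name[2];

    /* (a%b)*c can equal -1 when bytes are negative; avoid dividing by zero. */
    divisor=(a%b)*c+1;
    if(divisor==0)return zcm;
    maz=0xFFFFFFFF/divisor;              /* step 1: seed */

    for(i=0;i<15;i++)call_fun();         /* step 2: outputs discarded, only maz changes */

    for(i=0;i<len;i++){                  /* step 3: one code letter per name byte */
        a=(long)name[i];
        /* Same value as (w+(w+w*4)*8)+(w+(w+w*4)*8)*2 with w=a>>5, i.e. 123*w. */
        for(w=(a>>5)*123;w>0;w--)call_fun();
        xx=call_fun();
        zcm[i]=(char)((xx%26)+0x41);     /* 0x41 == 'A' */
    }
    return zcm;
}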
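/*
 * Advance the generator state maz by one step and return a 15-bit output.
 *
 *   maz = maz * 0x343FD + 0x269EC3   (kept to 32 bits)
 *   return (maz >> 16) & 0x7FFF
 *
 * The multiplier, increment and output extraction are those of the MSVC
 * runtime's rand() linear congruential generator.
 *
 * The original computed this in signed long, where overflow is undefined
 * behaviour and the state width depends on sizeof(long). The arithmetic is
 * now unsigned and masked to 32 bits, which yields the same bit pattern as
 * the 32-bit wrap-around the original relied on.
 */
long call_fun(){
    unsigned long state;

    state=((unsigned long)maz*0x343FDUL+0x269EC3UL)&0xFFFFFFFFUL;
    maz=(long)state;
    return (long)((state>>16)&0x7FFF);
}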
[资源文件cracker.rc]
// Resource identifiers; the same values are defined in cracker.cpp.
#define IDD_CRACKER 101
#define IDC_EDIT1 1000
#define IDC_EDIT2 1001
#define IDC_STATIC -1
// The APSTUDIO_* symbols are defined only while windows.h is included.
#define APSTUDIO_READONLY_SYMBOLS
#define APSTUDIO_HIDDEN_SYMBOLS
#include "windows.h"
#undef APSTUDIO_HIDDEN_SYMBOLS
#undef APSTUDIO_READONLY_SYMBOLS
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)
#ifdef _WIN32
// Simplified Chinese resources, code page 936.
LANGUAGE LANG_CHINESE, SUBLANG_CHINESE_SIMPLIFIED
#pragma code_page(936)
#endif //_WIN32
// Dialog layout: a label plus edit control for the user name (IDC_EDIT1),
// a label plus read-only edit control for the code (IDC_EDIT2), and a
// default push button with id IDOK.
IDD_CRACKER DIALOG DISCARDABLE 0, 0, 155, 59
STYLE DS_MODALFRAME | WS_CAPTION | WS_SYSMENU
CAPTION "Cracker for ncrackme.exe"
FONT 9, "宋体"
BEGIN
DEFPUSHBUTTON "计算注册码",IDOK,48,39,60,13,WS_GROUP
LTEXT "用户名:",IDC_STATIC,3,6,29,8
EDITTEXT IDC_EDIT1,37,4,113,12,ES_AUTOHSCROLL
LTEXT "注册码:",IDC_STATIC,3,21,29,8
EDITTEXT IDC_EDIT2,37,19,113,12,ES_AUTOHSCROLL | ES_READONLY
END
#endif // Chinese (P.R.C.) resources
[VC++编译命令]
rem Compile the resource script into cracker.res (%yourpath% stands for the source directory).
rc %yourpath%\cracker.rc
rem Compile cracker.cpp optimised for size (/O1) as a Windows application (/GA), linking user32.lib and the compiled resources.
cl /O1 /GA %yourpath%\cracker.cpp /link user32.lib %yourpath%\cracker.res