软件: lord_Phoenix's CrackMe
下载: http://www.crackmes.de/users/lesco/a_keygenme/download
工具: peid,od
声明: 只是感兴趣,没有其他目的。第一次写,失误之处敬请诸位大侠赐教!
此程序用用户名运算出一个值放在EBX,再与由序列号运算出的EAX进行比较,以此判断是否注册成功
根据错误序列号的提示来到这里
; Fragment of the dialog procedure (reached from the "wrong serial" string reference): reads both
; edit fields, calls the check routine at 004012E0 and shows the verdict. The register setup
; (esi = buffer size, ebx = name buffer, edi = hWnd, ebp = allocator) happens before this excerpt.
004015D7 . 56 push esi ; /Count — esi was set before this excerpt
004015D8 . 53 push ebx ; |Buffer — ebx receives the name typed in control 1000
004015D9 . 68 E8030000 push 3E8 ; |ControlID = 3E8 (1000.)
004015DE . 57 push edi ; |hWnd
004015DF . FF15 A8504000 call [<&USER32.GetDlgItemTextA>] ; \GetDlgItemTextA — read the name field
004015E5 . 6A 00 push 0 ; /lParam = 0
004015E7 . 6A 00 push 0 ; |wParam = 0
004015E9 . 6A 0E push 0E ; |Message = WM_GETTEXTLENGTH
004015EB . 68 E9030000 push 3E9 ; |ControlID = 3E9 (1001.)
004015F0 . 57 push edi ; |hWnd
004015F1 . FF15 B4504000 call [<&USER32.SendDlgItemMessageA>] ; \SendDlgItemMessageA — length of the serial field (control 1001)
004015F7 . 8BF0 mov esi, eax ; esi = serial length
004015F9 . 85F6 test esi, esi
004015FB . 75 1A jnz short 00401617 ; non-empty serial: allocate and read it
004015FD . 50 push eax ; /Style — eax is 0 here, reused for Style and Title
004015FE . 50 push eax ; |Title
004015FF . 68 58614000 push 00406158 ; |no serial entered
00401604 . 57 push edi ; |hOwner
00401605 . FF15 B0504000 call [<&USER32.MessageBoxA>] ; \MessageBoxA
0040160B . 5F pop edi
0040160C . 5E pop esi
0040160D . 5D pop ebp
0040160E . B8 01000000 mov eax, 1 ; result 1; retn 10 pops four dword arguments (looks like a DLGPROC — confirm)
00401613 . 5B pop ebx
00401614 . C2 1000 retn 10
00401617 > 8B0D C0664000 mov ecx, [4066C0] ; heap handle — the same global is passed as hHeap to HeapAlloc at 00401398
0040161D . 46 inc esi ; length + 1 for the terminator
0040161E . 56 push esi ; size
0040161F . 6A 08 push 8 ; flags 8 = HEAP_ZERO_MEMORY
00401621 . 51 push ecx ; hHeap
00401622 . FFD5 call ebp ; NOTE(review): argument shape matches HeapAlloc(hHeap, flags, size); ebp is loaded before this excerpt — confirm
00401624 . 8BE8 mov ebp, eax ; ebp = serial buffer
00401626 . 56 push esi ; /Count
00401627 . 55 push ebp ; |Buffer
00401628 . 68 E9030000 push 3E9 ; |ControlID = 3E9 (1001.)
0040162D . 57 push edi ; |hWnd
0040162E . FF15 A8504000 call [<&USER32.GetDlgItemTextA>] ; \GetDlgItemTextA — read the serial into the new buffer
00401634 . 55 push ebp ; serial (second argument)
00401635 . 53 push ebx ; user name (first argument)
00401636 . E8 A5FCFFFF call 004012E0 ; key call: returns al != 0 when the serial matches
0040163B . 83C4 08 add esp, 8 ; cdecl cleanup of the two arguments
0040163E . 84C0 test al, al
00401640 . 74 0E je short 00401650 ; al == 0: the check failed
00401642 . 6A 40 push 40 ; MB_ICONINFORMATION
00401644 . 68 50614000 push 00406150 ; great!
00401649 . 68 F4604000 push 004060F4 ; congratulations! you made it! i hope you didn't patch me!\nnow write a keygen and a tutorial
0040164E . EB 0C jmp short 0040165C
00401650 > 6A 10 push 10 ; MB_ICONHAND
00401652 . 68 EC604000 push 004060EC ; wrong
00401657 . 68 CC604000 push 004060CC ; no, that's not it. try again
0040165C > 57 push edi ; |hOwner
0040165D . FF15 B0504000 call [<&USER32.MessageBoxA>] ; \MessageBoxA — both paths differ only in the message shown
; 004012E0(name, serial) — cdecl; returns al = 1 when the serial transform (00401000) equals the
; name-side hash built in ebx. Locals after the four register pushes: [esp+10] = GetUserNameA
; count (incl. terminator), [esp+14] = nibble buffer, [esp+18] = encoded name (later reused as
; the loop-2 bound), [esp+20] = nibble-buffer length, [esp+24] = 256-byte account-name buffer;
; arguments: [esp+128] = name, [esp+12C] = serial.
004012E0 /$ 81EC 14010000 sub esp, 114 ; caller had ebx = user name, ebp = serial (original note); 0x114-byte frame
004012E6 |. 53 push ebx
004012E7 |. 55 push ebp
004012E8 |. 56 push esi
004012E9 |. 8D4424 0C lea eax, [esp+C] ; &count local (it is [esp+10] once edi is pushed)
004012ED |. 57 push edi
004012EE |. 8D4C24 24 lea ecx, [esp+24] ; 256-byte local buffer for the account name
004012F2 |. 50 push eax ; /pBufCount
004012F3 |. 51 push ecx ; |Buffer
004012F4 |. C74424 18 000>mov dword ptr [esp+18], 100 ; | count = 0x100 (the local eax points at)
004012FC |. FF15 00504000 call [<&ADVAPI32.GetUserNameA>] ; \GetUserNameA — the current Windows account name, not a constant; it was "Administrator" in the author's session
00401302 |. 85C0 test eax, eax
00401304 |. 75 37 jnz short 0040133D ; success: [esp+10] = characters written incl. terminator
00401306 |. BF A8604000 mov edi, 004060A8 ; your username is definitly too long — failure path: this literal is used as the "account name" instead
0040130B |. 83C9 FF or ecx, FFFFFFFF ; ecx = -1 for repne scasb (strlen idiom, used throughout this routine)
0040130E |. F2:AE repne scas byte ptr es:[edi]
00401310 |. F7D1 not ecx ; ecx = strlen + 1
00401312 |. 2BF9 sub edi, ecx ; edi back to the start of the literal
00401314 |. 8D5424 24 lea edx, [esp+24] ; destination: the account-name buffer
00401318 |. 8BC1 mov eax, ecx
0040131A |. 8BF7 mov esi, edi
0040131C |. 8BFA mov edi, edx
0040131E |. C1E9 02 shr ecx, 2
00401321 |. F3:A5 rep movs dword ptr es:[edi], dword ptr [esi] ; copy whole dwords ...
00401323 |. 8BC8 mov ecx, eax
00401325 |. 33C0 xor eax, eax
00401327 |. 83E1 03 and ecx, 3
0040132A |. F3:A4 rep movs byte ptr es:[edi], byte ptr [esi] ; ... then the remaining 0-3 bytes (inlined strcpy)
0040132C |. 8D7C24 24 lea edi, [esp+24]
00401330 |. 83C9 FF or ecx, FFFFFFFF
00401333 |. F2:AE repne scas byte ptr es:[edi]
00401335 |. F7D1 not ecx
00401337 |. 894C24 10 mov [esp+10], ecx ; count = strlen(literal) + 1, same meaning as GetUserNameA's output
0040133B |. EB 04 jmp short 00401341
0040133D |> 8B4C24 10 mov ecx, [esp+10] ; count incl. terminator
00401341 |> 49 dec ecx ; length without terminator
00401342 |. 51 push ecx
00401343 |. 8D4C24 28 lea ecx, [esp+28]
00401347 |. 51 push ecx ; account-name buffer ("Administrator" in the author's run)
00401348 |. E8 13040000 call 00401760 ; 00401760(buf, len): every byte becomes two alphabet characters (nibble lookup), 13 chars -> 26
0040134D |. 8BAC24 300100>mov ebp, [esp+130] ; e.g. 'A' = 0x41 -> the alphabet entries for 4 and 1 (original note); ebp = first argument = the name typed in the dialog
00401354 |. 8BF0 mov esi, eax ; esi = encoded account name
00401356 |. 8BFD mov edi, ebp
00401358 |. 83C9 FF or ecx, FFFFFFFF
0040135B |. 33C0 xor eax, eax
0040135D |. F2:AE repne scas byte ptr es:[edi] ; strlen(name)
0040135F |. F7D1 not ecx ;
00401361 |. 49 dec ecx ; length of the name (original note said "serial"; by the push order at 00401634/00401635 the first argument is the name — verify)
00401362 |. 51 push ecx
00401363 |. 55 push ebp ;
00401364 |. E8 F7030000 call 00401760 ; same nibble encoding applied to the typed name
00401369 |. 894424 28 mov [esp+28], eax ; saved; this slot is [esp+18] after the add esp,10 below = encoded name
0040136D |. 8BF8 mov edi, eax
0040136F |. 83C9 FF or ecx, FFFFFFFF
00401372 |. 33C0 xor eax, eax
00401374 |. 83C4 10 add esp, 10 ; pop the four pushed arguments of both 00401760 calls
00401377 |. F2:AE repne scas byte ptr es:[edi]
00401379 |. F7D1 not ecx
0040137B |. 49 dec ecx ; length of the encoded name (2 * name length)
0040137C |. 8BFE mov edi, esi
0040137E |. 8BD1 mov edx, ecx
00401380 |. 83C9 FF or ecx, FFFFFFFF
00401383 |. F2:AE repne scas byte ptr es:[edi] ; length of the encoded account name (26 for "Administrator")
00401385 |. F7D1 not ecx
00401387 |. 49 dec ecx
00401388 |. 03D1 add edx, ecx ; total = 2*len(name) + 2*len(account name) (the latter 26 in the author's run)
0040138A |. 895424 20 mov [esp+20], edx ; saved; later passed as the count to 00401000
0040138E |. 52 push edx ; /HeapSize
0040138F |. 8B15 C0664000 mov edx, [4066C0] ; |
00401395 |. 6A 40 push 40 ; |Flags = HEAP_FREE_CHECKING_ENABLED
00401397 |. 52 push edx ; |hHeap => 00140000
00401398 |. FF15 5C504000 call [<&KERNEL32.HeapAlloc>] ; \HeapAlloc — buffer for the decoded nibbles (the result is not checked for NULL)
0040139E |. 8BD0 mov edx, eax ; edx = write pointer
004013A0 |. 8BFE mov edi, esi
004013A2 |. 83C9 FF or ecx, FFFFFFFF
004013A5 |. 33C0 xor eax, eax
004013A7 |. 33DB xor ebx, ebx ; ebx = index into the encoded account name
004013A9 |. 895424 14 mov [esp+14], edx ; buffer base
004013AD |. F2:AE repne scas byte ptr es:[edi]
004013AF |. F7D1 not ecx
004013B1 |. 49 dec ecx ; 2 * len(account name)
004013B2 |. 74 39 je short 004013ED ; empty -> skip the first decode loop
004013B4 |. 8BFE mov edi, esi
004013B6 |. 8BC2 mov eax, edx
004013B8 |. 2BF8 sub edi, eax ; edi = source - destination, so [edi+edx] walks the source while edx walks the destination
004013BA |. 897C24 1C mov [esp+1C], edi
004013BE |. EB 04 jmp short 004013C4
004013C0 |> 8B7C24 1C /mov edi, [esp+1C]
004013C4 |> 8A0C17 mov cl, [edi+edx] ; cl = next encoded character
004013C7 |. 33C0 |xor eax, eax
004013C9 |> 3888 C0504000 |/cmp [eax+4050C0], cl ; linear search for cl in the 16-byte table at 004050C0
004013CF |. 74 06 ||je short 004013D7
004013D1 |. 40 ||inc eax
004013D2 |. 83F8 10 ||cmp eax, 10
004013D5 |.^ 72 F2 |\jb short 004013C9 ; eax = position in the table (0..15); a character not in the table leaves eax = 0x10, which 00401000 later treats as its crash case
004013D7 |> 34 23 |xor al, 23 ; obfuscation: stored value = index ^ 0x23 (undone by the same xor in 00401000)
004013D9 |. 43 |inc ebx
004013DA |. 8802 |mov [edx], al ; write it to the heap buffer
004013DC |. 8BFE |mov edi, esi ; (original note: watch where this is written, it shows up again later)
004013DE |. 83C9 FF |or ecx, FFFFFFFF
004013E1 |. 33C0 |xor eax, eax
004013E3 |. 42 |inc edx
004013E4 |. F2:AE |repne scas byte ptr es:[edi] ; strlen recomputed every iteration as the loop bound
004013E6 |. F7D1 |not ecx
004013E8 |. 49 |dec ecx
004013E9 |. 3BD9 |cmp ebx, ecx
004013EB |.^ 72 D3 \jb short 004013C0
004013ED |> 8B7424 18 mov esi, [esp+18] ; esi = encoded typed name
004013F1 |. 83C9 FF or ecx, FFFFFFFF
004013F4 |. 8BFE mov edi, esi
004013F6 |. 33C0 xor eax, eax
004013F8 |. 33D2 xor edx, edx ; edx = index into the encoded name
004013FA |. F2:AE repne scas byte ptr es:[edi]
004013FC |. F7D1 not ecx
004013FE |. 49 dec ecx
004013FF |. 74 2F je short 00401430 ; empty name -> skip
00401401 |. 8B4424 14 mov eax, [esp+14]
00401405 |. 03D8 add ebx, eax ; ebx = buffer + bytes written so far: the name's nibbles follow the account's
00401407 |> 8A0C32 /mov cl, [edx+esi]
0040140A |. 33C0 |xor eax, eax
0040140C |> 3888 C0504000 |/cmp [eax+4050C0], cl ; same table lookup as the loop above
00401412 |. 74 06 ||je short 0040141A
00401414 |. 40 ||inc eax
00401415 |. 83F8 10 ||cmp eax, 10
00401418 |.^ 72 F2 |\jb short 0040140C
0040141A |> 34 23 |xor al, 23
0040141C |. 8BFE |mov edi, esi
0040141E |. 8803 |mov [ebx], al
00401420 |. 43 |inc ebx ; same as the previous loop, for the name's encoded characters
00401421 |. 83C9 FF |or ecx, FFFFFFFF
00401424 |. 33C0 |xor eax, eax
00401426 |. 42 |inc edx
00401427 |. F2:AE |repne scas byte ptr es:[edi]
00401429 |. F7D1 |not ecx
0040142B |. 49 |dec ecx
0040142C |. 3BD1 |cmp edx, ecx
0040142E |.^ 72 D7 \jb short 00401407
00401430 |> 8BFD mov edi, ebp ; ebp = typed name
00401432 |. 83C9 FF or ecx, FFFFFFFF
00401435 |. 33C0 xor eax, eax
00401437 |. 33F6 xor esi, esi ; i = 0
00401439 |. F2:AE repne scas byte ptr es:[edi]
0040143B |. F7D1 not ecx
0040143D |. 49 dec ecx
0040143E |. BB EA7D3862 mov ebx, 62387DEA ; hash seed
00401443 |. 74 46 je short 0040148B ; empty name: skip hash loop 1
00401445 |> 0FBE042E /movsx eax, byte ptr [esi+ebp] ; c = name[i], sign-extended (bytes >= 0x80 become negative)
00401449 |. 0FAFC0 |imul eax, eax ; c*c
0040144C |. 33D2 |xor edx, edx
0040144E |. BF 07000000 |mov edi, 7
00401453 |. 8D0C40 |lea ecx, [eax+eax*2] ; 3*c^2
00401456 |. C1E1 03 |shl ecx, 3 ; 24*c^2
00401459 |. 2BC8 |sub ecx, eax ; t = 23*c^2
0040145B |. 8BC6 |mov eax, esi
0040145D |. F7F7 |div edi ; edx = i % 7
0040145F |. 8BC1 |mov eax, ecx
00401461 |. 8BFD |mov edi, ebp
00401463 |. F7D0 |not eax
00401465 |. 0FAFC1 |imul eax, ecx ; (~t) * t
00401468 |. C1E0 02 |shl eax, 2 ; u = ((~t) * t) << 2
0040146B |. 8B1495 D45040>|mov edx, [edx*4+4050D4] ; 7-entry dword table at 004050D4, indexed by i % 7
00401472 |. 03D1 |add edx, ecx ; table[i%7] + t
00401474 |. 83C9 FF |or ecx, FFFFFFFF
00401477 |. 33D0 |xor edx, eax ; ^ u
00401479 |. 33C0 |xor eax, eax
0040147B |. 33D3 |xor edx, ebx ; ^ previous hash
0040147D |. 33D6 |xor edx, esi ; ^ i
0040147F |. 46 |inc esi
00401480 |. F2:AE |repne scas byte ptr es:[edi] ; strlen(name) again, as the loop bound
00401482 |. F7D1 |not ecx
00401484 |. 49 |dec ecx
00401485 |. 8BDA |mov ebx, edx ; hash = result
00401487 |. 3BF1 |cmp esi, ecx
00401489 |.^ 72 BA \jb short 00401445
0040148B |> 8B4C24 10 mov ecx, [esp+10] ; account-name count (incl. terminator)
0040148F |. 33F6 xor esi, esi ; i = 0
00401491 |. 8D41 FF lea eax, [ecx-1] ; loop-2 bound = len(account name), 13 for "Administrator"
00401494 |. 85C0 test eax, eax
00401496 |. 894424 18 mov [esp+18], eax ; reuses the encoded-name slot
0040149A |. 76 46 jbe short 004014E2 ; (original note: this is the important part) zero length -> skip
0040149C |. EB 07 jmp short 004014A5
0040149E |> 8BAC24 280100>/mov ebp, [esp+128] ; ebp = typed name. The bound is the account-name length, so for a shorter name this loop reads past the terminator into the name buffer (the author saw 00 then AB bytes); those bytes are not part of the input and may differ outside the debugger
004014A5 |> 0FBE0C2E movsx ecx, byte ptr [esi+ebp] ; c = name[i], sign-extended
004014A9 |. 8D7E 42 |lea edi, [esi+42] ; i + 0x42
004014AC |. 8BC6 |mov eax, esi
004014AE |. 33D2 |xor edx, edx
004014B0 |. BD 07000000 |mov ebp, 7
004014B5 |. F7F5 |div ebp ; edx = i % 7 selects the table entry
004014B7 |. 0FAFC9 |imul ecx, ecx ; c^2
004014BA |. 0FAFC9 |imul ecx, ecx ; c^4
004014BD |. C1E1 03 |shl ecx, 3 ; t = c^4 << 3
004014C0 |. 8BC1 |mov eax, ecx ;
004014C2 |. F7D0 |not eax
004014C4 |. 0FAFC1 |imul eax, ecx ; (~t) * t
004014C7 |. 8B1495 D45040>|mov edx, [edx*4+4050D4] ; same 7-entry table as loop 1
004014CE |. 03D1 |add edx, ecx ; table[i%7] + t
004014D0 |. C1E0 02 |shl eax, 2 ; u = ((~t) * t) << 2
004014D3 |. 33D0 |xor edx, eax ; ^ u
004014D5 |. 8B4424 18 |mov eax, [esp+18]
004014D9 |. 33D7 |xor edx, edi ; ^ (i + 0x42)
004014DB |. 33DA |xor ebx, edx ; hash ^= term
004014DD |. 46 |inc esi ;
004014DE |. 3BF0 |cmp esi, eax
004014E0 |.^ 72 BC \jb short 0040149E ; loop 2 finishes the name-side value in ebx
004014E2 |> 8B8C24 2C0100>mov ecx, [esp+12C] ; serial argument
004014E9 |. 6A 10 push 10 ; 16
004014EB |. 6A 00 push 0
004014ED |. 51 push ecx
004014EE |. E8 D5040000 call 004019C8 ; (serial, 0, 16): argument shape of a strtol/strtoul-style parse with base 16 — the routine is not shown here, confirm
004014F3 |. 8B5424 2C mov edx, [esp+2C] ; | total count saved at [esp+20]
004014F7 |. 50 push eax ; |Arg3 = parsed serial
004014F8 |. 8B4424 24 mov eax, [esp+24] ; | nibble buffer saved at [esp+14]
004014FC |. 52 push edx ; |Arg2 = count
004014FD |. 50 push eax ; |Arg1 = buffer
004014FE |. E8 FDFAFFFF call 00401000 ; \kgme.00401000 — builds and runs code from the nibble buffer; returns the transformed serial in eax
00401503 |. 83C4 18 add esp, 18 ; six dword arguments of the two cdecl calls
00401506 |. 3BC3 cmp eax, ebx ; the comparison: transformed serial vs name-side hash
00401508 |. 0F94C0 sete al 破点 ; al = 1 on match (ebx comes from the name, eax from the serial); the original note marks this as the breakpoint
0040150B |. 5F pop edi
0040150C |. 5E pop esi
0040150D |. 5D pop ebp
0040150E |. 5B pop ebx
0040150F |. 81C4 14010000 add esp, 114
00401515 \. C3 retn
; 00401760(str, len) — cdecl; returns a newly allocated 2*len+1 byte string in which every input
; byte becomes two characters of the 16-byte alphabet at 004050F0 (high nibble first, then low).
; The caller owns the returned buffer; nothing in this listing frees it.
00401760 /$ 55 push ebp
00401761 |. 8B6C24 0C mov ebp, [esp+C] ; ebp = len (second argument)
00401765 |. 56 push esi
00401766 |. 8D442D 01 lea eax, [ebp+ebp+1] ; 2*len + 1
0040176A |. 50 push eax
0040176B |. E8 1D030000 call 00401A8D ; allocate 2*len+1 bytes (cdecl; presumably the CRT allocator — confirm; result not checked)
00401770 |. 83C4 04 add esp, 4
00401773 |. 33C9 xor ecx, ecx ; i = 0 (input index)
00401775 |. 33D2 xor edx, edx ; output index
00401777 |. 8BF0 mov esi, eax ; esi = output buffer
00401779 |. 85ED test ebp, ebp
0040177B |. 76 3A jbe short 004017B7 ; len == 0: return an empty string
0040177D |. 57 push edi
0040177E |. 8B7C24 10 mov edi, [esp+10] ; edi = str (first argument)
00401782 |> 8A0439 /mov al, [ecx+edi] ; only al is loaded; the stale upper bits of eax are masked by the and below
00401785 |. 83C2 02 |add edx, 2
00401788 |. C1F8 04 |sar eax, 4
0040178B |. 83E0 0F |and eax, 0F ; high nibble
0040178E |. 8A80 F0504000 |mov al, [eax+4050F0] ; alphabet[high]
00401794 |. 884416 FE |mov [esi+edx-2], al
00401798 |. 8A0439 |mov al, [ecx+edi]
0040179B |. 83E0 0F |and eax, 0F ; low nibble
0040179E |. 41 |inc ecx
0040179F |. 3BCD |cmp ecx, ebp
004017A1 |. 8A80 F0504000 |mov al, [eax+4050F0] ; alphabet[low]
004017A7 |. 884416 FF |mov [esi+edx-1], al
004017AB |.^ 72 D5 \jb short 00401782
004017AD |. C60432 00 mov byte ptr [edx+esi], 0 ; terminator
004017B1 |. 8BC6 mov eax, esi ; return the buffer
004017B3 |. 5F pop edi
004017B4 |. 5E pop esi
004017B5 |. 5D pop ebp
004017B6 |. C3 retn
004017B7 |> C60432 00 mov byte ptr [edx+esi], 0 ; empty result: just the terminator
004017BB |. 8BC6 mov eax, esi
004017BD |. 5E pop esi
004017BE |. 5D pop ebp
004017BF \. C3 retn
; 00401000(nibbles, count, value) — cdecl. Builds a routine at run time: for each of the count
; bytes (after undoing the xor 0x23) it appends a fixed instruction template copied from the
; tables at 00406034..004060A4, appends one trailing byte, then executes the heap buffer with
; eax = value and returns the resulting eax.
; NOTE(review): the code runs out of a HeapAlloc'd buffer (call [ebp-4] at 00401284), which
; only works while that heap is executable (it would fault under DEP), and a byte outside
; 0..15 does not fail cleanly — see the default case at 00401266.
00401000 /$ 55 push ebp
00401001 |. 8BEC mov ebp, esp
00401003 |. 83EC 08 sub esp, 8 ; locals: [ebp-4] = code buffer, [ebp-8] = scratch (written, never read)
00401006 |. 8B0D C0664000 mov ecx, [4066C0] ; heap handle
0040100C |. 53 push ebx
0040100D |. 8B5D 0C mov ebx, [ebp+C] ; ebx = count
00401010 |. 56 push esi
00401011 |. 57 push edi
00401012 |. 8D449B 01 lea eax, [ebx+ebx*4+1] ; 5*count + 1: the largest template is 5 bytes, plus one trailing byte
00401016 |. 50 push eax ; /HeapSize
00401017 |. 6A 40 push 40 ; |Flags = HEAP_FREE_CHECKING_ENABLED (0x40 is not HEAP_ZERO_MEMORY, so the buffer starts uninitialized)
00401019 |. 51 push ecx ; |hHeap => 00140000
0040101A |. FF15 5C504000 call [<&KERNEL32.HeapAlloc>] ; \HeapAlloc (result not checked for NULL)
00401020 |. 8B55 10 mov edx, [ebp+10] ; value
00401023 |. 33FF xor edi, edi ; i = 0
00401025 |. 8955 0C mov [ebp+C], edx ; [ebp+C] now holds a copy of value (count is already in ebx)
00401028 |. 33D2 xor edx, edx ; edx = bytes emitted so far
0040102A |. 85DB test ebx, ebx
0040102C |. 8945 FC mov [ebp-4], eax ; code buffer
0040102F |. 0F86 43020000 jbe 00401278 ; count == 0: emit only the trailing byte
00401035 |. 8BC8 mov ecx, eax ; ecx = write pointer
00401037 |> 8B45 08 /mov eax, [ebp+8]
0040103A |. 0FBE3407 |movsx esi, byte ptr [edi+eax] ; reads the byte written at 004013DA / 0040141E
0040103E |. 83F6 23 |xor esi, 23 ; the second xor 0x23 restores the table index
00401041 |. 83FE 0F |cmp esi, 0F ; Switch (cases 0..F)
00401044 |. 0F87 1C020000 |ja 00401266 ; out of range (e.g. 0x10 from a failed lookup): default case
0040104A |. FF24B5 941240>|jmp [esi*4+401294] ; 16-entry jump table
00401051 |> 8B35 A0604000 |mov esi, [4060A0] ; Case 0 of switch 00401041 — 5-byte template: 4 bytes from 004060A0 + 1 byte from 004060A4
00401057 |. 8BC1 |mov eax, ecx
00401059 |. 83C2 05 |add edx, 5 ; emitted += 5
0040105C |. 8930 |mov [eax], esi
0040105E |. 8BF1 |mov esi, ecx
00401060 |. 8945 F8 |mov [ebp-8], eax ; scratch, never read
00401063 |. A0 A4604000 |mov al, [4060A4]
00401068 |. 8846 04 |mov [esi+4], al
0040106B |. 83C1 05 |add ecx, 5 ; write pointer += 5
0040106E |. E9 F9010000 |jmp 0040126C
00401073 |> 8B35 98604000 |mov esi, [406098] ; Case 1 of switch 00401041 — 5-byte template from 00406098/0040609C
00401079 |. 8BC1 |mov eax, ecx ;
0040107B |. 83C2 05 |add edx, 5
0040107E |. 8930 |mov [eax], esi
00401080 |. 8BF1 |mov esi, ecx
00401082 |. 8945 F8 |mov [ebp-8], eax
00401085 |. A0 9C604000 |mov al, [40609C]
0040108A |. 8846 04 |mov [esi+4], al
0040108D |. 83C1 05 |add ecx, 5
00401090 |. E9 D7010000 |jmp 0040126C ; wrote 05 3D 74 0D 00 (add eax, 0D743D) at 00151DFA in the author's session
00401095 |> 8B35 90604000 |mov esi, [406090] ; Case 2 of switch 00401041 — 5-byte template from 00406090/00406094
0040109B |. 8BC1 |mov eax, ecx
0040109D |. 83C2 05 |add edx, 5
004010A0 |. 8930 |mov [eax], esi
004010A2 |. 8BF1 |mov esi, ecx
004010A4 |. 8945 F8 |mov [ebp-8], eax
004010A7 |. A0 94604000 |mov al, [406094]
004010AC |. 8846 04 |mov [esi+4], al
004010AF |. 83C1 05 |add ecx, 5
004010B2 |. E9 B5010000 |jmp 0040126C
004010B7 |> 66:8B35 8C604>|mov si, [40608C] ; Case 3 of switch 00401041 — 3-byte template from 0040608C/0040608E (the dump's only 3-byte instructions are the rol/ror)
004010BE |. 8BC1 |mov eax, ecx
004010C0 |. 83C2 03 |add edx, 3
004010C3 |. 66:8930 |mov [eax], si
004010C6 |. 8BF1 |mov esi, ecx
004010C8 |. 8945 F8 |mov [ebp-8], eax
004010CB |. A0 8E604000 |mov al, [40608E]
004010D0 |. 8846 02 |mov [esi+2], al
004010D3 |. 83C1 03 |add ecx, 3
004010D6 |. E9 91010000 |jmp 0040126C
004010DB |> 66:A1 8860400>|mov ax, [406088] ; Case 4 of switch 00401041 — 2-byte template from 00406088
004010E1 |. 83C2 02 |add edx, 2
004010E4 |. 66:8901 |mov [ecx], ax
004010E7 |. 83C1 02 |add ecx, 2
004010EA |. E9 7D010000 |jmp 0040126C ; wrote F7 D0 (not eax) at 00151DF8 in the author's session
004010EF |> 8B35 80604000 |mov esi, [406080] ; Case 5 of switch 00401041 — 5-byte template from 00406080/00406084
004010F5 |. 8BC1 |mov eax, ecx
004010F7 |. 83C2 05 |add edx, 5
004010FA |. 8930 |mov [eax], esi
004010FC |. 8BF1 |mov esi, ecx
004010FE |. 8945 F8 |mov [ebp-8], eax
00401101 |. A0 84604000 |mov al, [406084]
00401106 |. 8846 04 |mov [esi+4], al
00401109 |. 83C1 05 |add ecx, 5
0040110C |. E9 5B010000 |jmp 0040126C
00401111 |> 8B35 78604000 |mov esi, [406078] ; Case 6 of switch 00401041 — 5-byte template from 00406078/0040607C
00401117 |. 8BC1 |mov eax, ecx
00401119 |. 83C2 05 |add edx, 5
0040111C |. 8930 |mov [eax], esi
0040111E |. 8BF1 |mov esi, ecx
00401120 |. 8945 F8 |mov [ebp-8], eax
00401123 |. A0 7C604000 |mov al, [40607C]
00401128 |. 8846 04 |mov [esi+4], al
0040112B |. 83C1 05 |add ecx, 5
0040112E |. E9 39010000 |jmp 0040126C ; wrote 35 54 54 85 00 (xor eax, 855454) at 00151DFF in the author's session
00401133 |> 8B45 0C |mov eax, [ebp+C] ; Case 7 of switch 00401041 — 5-byte template from 00406070/00406074; also xors the value copy at [ebp+C] with 0xDEDDF
00401136 |. 8B35 70604000 |mov esi, [406070]
0040113C |. 35 DFED0D00 |xor eax, 0DEDDF
00401141 |. 83C2 05 |add edx, 5
00401144 |. 8945 0C |mov [ebp+C], eax ; dead store: [ebp+C] is overwritten at 00401287 before anything reads it, so this xor has no effect (looks like a decoy)
00401147 |. 8BC1 |mov eax, ecx
00401149 |. 8930 |mov [eax], esi
0040114B |. 8BF1 |mov esi, ecx
0040114D |. 8945 F8 |mov [ebp-8], eax
00401150 |. A0 74604000 |mov al, [406074]
00401155 |. 8846 04 |mov [esi+4], al
00401158 |. 83C1 05 |add ecx, 5
0040115B |. E9 0C010000 |jmp 0040126C
00401160 |> 8B35 68604000 |mov esi, [406068] ; Case 8 of switch 00401041 — 5-byte template from 00406068/0040606C
00401166 |. 8BC1 |mov eax, ecx
00401168 |. 83C2 05 |add edx, 5
0040116B |. 8930 |mov [eax], esi
0040116D |. 8BF1 |mov esi, ecx
0040116F |. 8945 F8 |mov [ebp-8], eax
00401172 |. A0 6C604000 |mov al, [40606C]
00401177 |. 8846 04 |mov [esi+4], al
0040117A |. 83C1 05 |add ecx, 5
0040117D |. E9 EA000000 |jmp 0040126C
00401182 |> 66:8B35 64604>|mov si, [406064] ; Case 9 of switch 00401041 — 3-byte template from 00406064/00406066
00401189 |. 8BC1 |mov eax, ecx
0040118B |. 83C2 03 |add edx, 3
0040118E |. 66:8930 |mov [eax], si
00401191 |. 8BF1 |mov esi, ecx
00401193 |. 8945 F8 |mov [ebp-8], eax
00401196 |. A0 66604000 |mov al, [406066]
0040119B |. 8846 02 |mov [esi+2], al
0040119E |. 83C1 03 |add ecx, 3
004011A1 |. E9 C6000000 |jmp 0040126C
004011A6 |> 8B35 5C604000 |mov esi, [40605C] ; Case A of switch 00401041 — 5-byte template from 0040605C/00406060
004011AC |. 8BC1 |mov eax, ecx
004011AE |. 83C2 05 |add edx, 5
004011B1 |. 8930 |mov [eax], esi
004011B3 |. 8BF1 |mov esi, ecx
004011B5 |. 8945 F8 |mov [ebp-8], eax
004011B8 |. A0 60604000 |mov al, [406060]
004011BD |. 8846 04 |mov [esi+4], al
004011C0 |. 83C1 05 |add ecx, 5
004011C3 |. E9 A4000000 |jmp 0040126C
004011C8 |> 8B35 54604000 |mov esi, [406054] ; Case B of switch 00401041 — 5-byte template from 00406054/00406058
004011CE |. 8BC1 |mov eax, ecx
004011D0 |. 83C2 05 |add edx, 5
004011D3 |. 8930 |mov [eax], esi
004011D5 |. 8BF1 |mov esi, ecx
004011D7 |. 8945 F8 |mov [ebp-8], eax
004011DA |. A0 58604000 |mov al, [406058]
004011DF |. 8846 04 |mov [esi+4], al
004011E2 |. 83C1 05 |add ecx, 5
004011E5 |. E9 82000000 |jmp 0040126C
004011EA |> 8B35 4C604000 |mov esi, [40604C] ; Case C of switch 00401041 — 5-byte template from 0040604C/00406050
004011F0 |. 8BC1 |mov eax, ecx
004011F2 |. 83C2 05 |add edx, 5
004011F5 |. 8930 |mov [eax], esi
004011F7 |. 8BF1 |mov esi, ecx
004011F9 |. 8945 F8 |mov [ebp-8], eax
004011FC |. A0 50604000 |mov al, [406050]
00401201 |. 8846 04 |mov [esi+4], al
00401204 |. 83C1 05 |add ecx, 5
00401207 |. EB 63 |jmp short 0040126C
00401209 |> 8B35 44604000 |mov esi, [406044] ; Case D of switch 00401041 — 5-byte template from 00406044/00406048
0040120F |. 8BC1 |mov eax, ecx
00401211 |. 83C2 05 |add edx, 5
00401214 |. 8930 |mov [eax], esi
00401216 |. 8BF1 |mov esi, ecx
00401218 |. 8945 F8 |mov [ebp-8], eax
0040121B |. A0 48604000 |mov al, [406048]
00401220 |. 8846 04 |mov [esi+4], al
00401223 |. 83C1 05 |add ecx, 5
00401226 |. EB 44 |jmp short 0040126C
00401228 |> 8B35 3C604000 |mov esi, [40603C] ; Case E of switch 00401041 — 5-byte template from 0040603C/00406040
0040122E |. 8BC1 |mov eax, ecx
00401230 |. 83C2 05 |add edx, 5
00401233 |. 8930 |mov [eax], esi
00401235 |. 8BF1 |mov esi, ecx
00401237 |. 8945 F8 |mov [ebp-8], eax
0040123A |. A0 40604000 |mov al, [406040]
0040123F |. 8846 04 |mov [esi+4], al
00401242 |. 83C1 05 |add ecx, 5
00401245 |. EB 25 |jmp short 0040126C
00401247 |> 8B35 34604000 |mov esi, [406034] ; Case F of switch 00401041 — 5-byte template from 00406034/00406038
0040124D |. 8BC1 |mov eax, ecx
0040124F |. 83C2 05 |add edx, 5
00401252 |. 8930 |mov [eax], esi
00401254 |. 8BF1 |mov esi, ecx
00401256 |. 8945 F8 |mov [ebp-8], eax
00401259 |. A0 38604000 |mov al, [406038]
0040125E |. 8846 04 |mov [esi+4], al
00401261 |. 83C1 05 |add ecx, 5
00401264 |. EB 06 |jmp short 0040126C
00401266 |> 68 3284FF0F |push 0FFF8432 ; Default case of switch 00401041 — "returns" to 0FFF8432 without restoring the frame: a byte outside 0..15 crashes the process instead of reporting an error
0040126B |. C3 |retn
0040126C |> 47 |inc edi ; next input byte
0040126D |. 3BFB |cmp edi, ebx
0040126F |.^ 0F82 C2FDFFFF \jb 00401037 这里下个断点,你执行3次后,把他写在那里的 ; loop over all count bytes. (Original note: break here, run it three times, then disassemble the data it wrote and it becomes clear; it runs exactly 26 times, the length of the encoded "Administrator"; what follows in the buffer came from the user name but was not used.) NOTE(review): count is the full buffer length pushed at 004014FC (account + name nibbles), and the dump at 00151DF8 holds 38 instructions, so the name's nibbles also select opcodes — the "26 times" part of the note does not seem to hold; verify
00401275 |. 8B45 FC mov eax, [ebp-4] 数据反汇编看看,就名白了,在看看他执行的次数 ; eax = code buffer
00401278 |> 8A0D 30604000 mov cl, [406030] 正好是26次,正好是Administrator换算后的长度 ; trailing byte appended after the last template (presumably a ret; the dump below stops before it — confirm)
0040127E |. 880C02 mov [edx+eax], cl 当时他后面放的正好是用户名算出来的,但他没用 ; written at offset = bytes emitted
00401281 |. 8B45 10 mov eax, [ebp+10] ; eax = value (the original argument, not the xor-modified copy at [ebp+C])
00401284 |. FF55 FC call [ebp-4] ,]ebp-4]-->00151DF8 ; executes the heap buffer (00151DF8 in the author's session, dumped below); NOTE(review): faults if the heap is non-executable
00401287 |. 8945 0C mov [ebp+C], eax ; result
0040128A |. 8B45 0C mov eax, [ebp+C]
0040128D |. 5F pop edi
0040128E |. 5E pop esi
0040128F |. 5B pop ebx
00401290 |. 8BE5 mov esp, ebp
00401292 |. 5D pop ebp
00401293 \. C3 retn
下面我们来看看刚刚写入的代码(也就是序列号参与运算后得到EAX的算法)
; Code generated by 00401000 in the author's session, one instruction per nibble of the decoded
; input (see the case table in 00401000): the first 26 instructions come from "Administrator"
; (41 64 6D 69 6E 69 73 74 72 61 74 6F 72), the remaining 12 from the 6-character name typed in
; the dialog. Input: eax = parsed serial; output: eax, compared with ebx at 00401506.
; NOTE(review): every step here (not/add/sub/xor/ror/rol) is a bijection on 32-bit values, so as a
; protection the transform hides nothing — it is equivalent to comparing against a computable value.
00151DF8 F7D0 not eax ; case 4 ('A' = 0x41, high nibble)
00151DFA 05 3D740D0>add eax, 0D743D ; case 1 ('A', low nibble)
00151DFF 35 5454850>xor eax, 855454 ; case 6 ('d' = 0x64)
00151E04 F7D0 not eax ; case 4
00151E06 35 5454850>xor eax, 855454 ; case 6 ('m' = 0x6D)
00151E0B 05 34FEDE0>add eax, 0DEFE34 ; case D
00151E10 35 5454850>xor eax, 855454 ; case 6 ('i' = 0x69)
00151E15 C1C8 23 ror eax, 23 ; case 9 — the CPU masks the count to 5 bits, so this rotates by 3
00151E18 35 5454850>xor eax, 855454 ; case 6 ('n' = 0x6E)
00151E1D 35 FD85040>xor eax, 485FD ; case E
00151E22 35 5454850>xor eax, 855454 ; case 6 ('i')
00151E27 C1C8 23 ror eax, 23 ; case 9
00151E2A 35 DFED0D0>xor eax, 0DEDDF ; case 7 ('s' = 0x73) — same constant as the dead xor in 00401000's case 7
00151E2F C1C0 13 rol eax, 13 ; case 3 — rotate left by 0x13 = 19
00151E32 35 DFED0D0>xor eax, 0DEDDF ; case 7 ('t' = 0x74)
00151E37 F7D0 not eax ; case 4
00151E39 35 DFED0D0>xor eax, 0DEDDF ; case 7 ('r' = 0x72)
00151E3E 35 FFFFDEC>xor eax, C0DEFFFF ; case 2
00151E43 35 5454850>xor eax, 855454 ; case 6 ('a' = 0x61)
00151E48 05 3D740D0>add eax, 0D743D ; case 1
00151E4D 35 DFED0D0>xor eax, 0DEDDF ; case 7 ('t')
00151E52 F7D0 not eax ; case 4
00151E54 35 5454850>xor eax, 855454 ; case 6 ('o' = 0x6F)
00151E59 2D FA6F230>sub eax, 236FFA ; case F
00151E5E 35 DFED0D0>xor eax, 0DEDDF ; case 7 ('r')
00151E63 35 FFFFDEC>xor eax, C0DEFFFF ; case 2 — end of the account-name part (26 instructions)
00151E68 35 5454850>xor eax, 855454 ; from here on: the 12 nibbles of the typed name, same case mapping
00151E6D 05 3D740D0>add eax, 0D743D
00151E72 35 5454850>xor eax, 855454
00151E77 35 FD85040>xor eax, 485FD
00151E7C 35 5454850>xor eax, 855454
00151E81 35 DFED0D0>xor eax, 0DEDDF
00151E86 35 5454850>xor eax, 855454
00151E8B 2D FA6F230>sub eax, 236FFA
00151E90 35 DFED0D0>xor eax, 0DEDDF
00151E95 35 FFFFDEC>xor eax, C0DEFFFF
00151E9A 35 5454850>xor eax, 855454
00151E9F 05 3D740D0>add eax, 0D743D ; the trailing byte appended at 0040127E follows this instruction (not shown)
这段代码写得比较乱,本来不准备放的,但想到看程序时更方便,还是放上来了
// Fragment of an MFC dialog handler (the author's keygen draft): declarations shared by the loops below.
// It mirrors 004012E0, where the binary takes the account name from GetUserNameA and the typed name from the dialog.
UpdateData(true);
unsigned long int i,n,temp1,temp2,temp3;  // i: loop index, n: length, temp*: scratch (names follow the disassembly walk-through)
unsigned long int O,m;  // O: running hash (ebx in the binary), m: current byte / scratch
char baseKey[17] = "6Ghd3iHRaSkL,;-Z";  // 16-character alphabet, presumably the table at 004050F0 — verify against the binary
char szUserName[255]={0};
long int aaa[7]={0x43275,0xaed2384,0xd377ae7,0xd54837d,0xfe53743,0x3472389,0x23488};  // the author's reading of the 7-dword table at 004050D4 — verify
const char baseUser[14] = "Administrator";  // NOTE(review): hard-coded; the binary uses the current Windows account name (GetUserNameA at 004012FC), so this draft only matches on an account literally named Administrator
unsigned char bResult[255],bResult1[255];  // nibble encodings of baseUser / szUserName (two output bytes per input byte)
n=sizeof(baseUser)-1;  // 13
这就是00401760那段代码完成的功能
// Equivalent of 00401760: every byte becomes two alphabet characters (high nibble first, then low).
for (i=0;i<n;i++)
{
m=(baseUser[i] & 0xF0) >> 4 ;  // high nibble
bResult[2*i]=baseKey[m];
bResult[2*i+1]=baseKey[baseUser[i] & 0xF];  // low nibble
}
n = m_EditUserName.GetLength ();
strcpy(szUserName,m_EditUserName);  // NOTE(review): unbounded copy into a 255-byte buffer, and bResult1 below is indexed up to 2*n-1, so names longer than 127 characters overflow — bound n before this point
for (i=0 ; i<n;i++)
{
m=(szUserName[i] & 0xF0) >> 4 ;
bResult1[2*i]=baseKey[m];
bResult1[2*i+1]=baseKey[szUserName[i] & 0xF];
}
// bResult/bResult1 are not used further in this fragment (in the binary they feed 00401000); neither is terminated here.
下面就是用户名参与计算EBX值的算法
// Hash loop 1 (00401445..00401489): over every byte of the typed name, seed 0x62387DEA.
temp1=0;
temp2=0;
temp3=0;
O=0X62387DEA;  // seed (mov ebx, 62387DEA)
n = m_EditUserName.GetLength ();
for (i=0;i<n;i++)
{
m=szUserName[i];  // matches movsx: char is signed on the author's compiler, so bytes >= 0x80 sign-extend; a platform with unsigned char would differ
m=m*m;
temp1=m*3;
temp1<<=3;
temp1=temp1-m;  // temp1 = 23 * c^2
m=i;
temp3=m%7;//remainder: selects the table entry
m=temp1;
m=~m;
m=m*temp1;
m<<=2;  // m = ((~temp1) * temp1) << 2
temp3=aaa[temp3];
temp3=temp3+temp1;
temp1=temp1 || 0XFFFFFFFF;  // NOTE(review): logical OR, always yields 1; transcribed from "or ecx,FFFFFFFF", which only sets up repne scasb — temp1 is not read again in this iteration, so the line is dead
temp3=temp3 ^ m;
m = m || m;  // NOTE(review): likewise dead (m is reassigned before its next use)
temp3=temp3 ^ O;
temp3=temp3 ^ i;
O=temp3;
}
// Hash loop 2 (0040149E..004014E0): 13 iterations here because the binary's bound is the account-name length (GetUserNameA count - 1), not a constant.
n = m_EditUserName.GetLength ();
for (i=0;i<13;i++)
{
temp1=i;
if (i==n)
m=0;  // the terminator
else
if (i>n)
m=4294967211;  // 0xFFFFFFAB: sign-extended 0xAB, the bytes the author observed past the terminator; NOTE(review): in the binary these are reads beyond the name, and they may differ outside the debugger
else
m=szUserName[i];  // sign-extended, as above
temp3=i+0x42;
temp1=temp1%7;
m=m*m*m*m;  // c^4 (two imul)
m<<=3;
temp2=m;
temp2=~temp2;
temp2=temp2*m;
temp1=aaa[temp1];
temp1=temp1+m;
temp2<<=2;
temp1=temp1 ^ temp2;
temp2=13;  // never read — dead
temp1=temp1 ^ temp3;
O=O ^ temp1;  // O is the binary's ebx at 00401506
}
EAX的值的算法反推,那几个循环左右移,反不回去,希望达人指点