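[Original] DaXXoR Crackme-FLTE: algorithm analysis and a Delphi keygen implementation
2006-7-24 22:24 5712
【Title】: DaXXoR Crackme-FLTE: algorithm analysis and a Delphi keygen implementation
【Author】: testkey
【Email】: pediytest@sina.com
【Homepage】: http://bbs.pediy.com
【Software】: DaXXoR Crackme-FLTE
【Download】: local download
【Packer】: none
【Protection】: serial number
【Tools】: OD
【Author's statement】: For analysis and research only; no commercial use.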
--------------------------------------------------------------------------------
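【Detailed walkthrough】
Starting from the error-message string, we can locate the core of the serial comparison.
Stepping into the core of the serial calculation: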
004012AA . 55 push ebp
004012AB . 89E5 mov ebp, esp
004012AD . 57 push edi
004012AE . 56 push esi
004012AF . 53 push ebx
004012B0 . 81EC 0C020000 sub esp, 20C
004012B6 . C785 24FEFFFF 10AC4>mov dword ptr [ebp-1DC], 0041AC10
004012C0 . C785 28FEFFFF 6CDF4>mov dword ptr [ebp-1D8], 0044DF6C
004012CA . 8D85 2CFEFFFF lea eax, [ebp-1D4]
004012D0 . 8D55 E8 lea edx, [ebp-18]
004012D3 . 8910 mov [eax], edx
004012D5 . BA FF144000 mov edx, 004014FF
004012DA . 8950 04 mov [eax+4], edx
004012DD . 8960 08 mov [eax+8], esp
004012E0 . 8D85 0CFEFFFF lea eax, [ebp-1F4]
004012E6 . 890424 mov [esp], eax
004012E9 . E8 42500200 call 00426330
004012EE . C785 64FEFFFF 00000>mov dword ptr [ebp-19C], 0
004012F8 . C785 60FEFFFF 00000>mov dword ptr [ebp-1A0], 0
00401302 . A1 00404500 mov eax, [454000]
00401307 . 890424 mov [esp], eax
0040130A . E8 E1B80200 call 0042CBF0
0040130F . 894424 04 mov [esp+4], eax ; |username
00401313 . 8D85 28FFFFFF lea eax, [ebp-D8] ; |
00401319 . 890424 mov [esp], eax ; |
0040131C . E8 5F970200 call <jmp.&msvcrt.strcpy> ; \strcpy
00401321 . A1 04404500 mov eax, [454004]
00401326 . 890424 mov [esp], eax
00401329 . E8 C2B80200 call 0042CBF0
0040132E . 894424 04 mov [esp+4], eax ; ||entered (fake) serial
00401332 . 8D85 68FEFFFF lea eax, [ebp-198] ; ||
00401338 . 890424 mov [esp], eax ; ||
0040133B . E8 40970200 call <jmp.&msvcrt.strcpy> ; |\strcpy
00401340 . 8D85 28FFFFFF lea eax, [ebp-D8] ; |
00401346 . 890424 mov [esp], eax ; |
00401349 . E8 22970200 call <jmp.&msvcrt.strlen> ; \strlen
0040134E . 8985 60FEFFFF mov [ebp-1A0], eax ; username length is 7
00401354 . 83BD 60FEFFFF 06 cmp dword ptr [ebp-1A0], 6
0040135B . 7F 05 jg short 00401362
0040135D . E9 30020000 jmp 00401592
00401362 > 90 nop
00401363 > 8B85 64FEFFFF mov eax, [ebp-19C]
00401369 . 3B85 60FEFFFF cmp eax, [ebp-1A0]
0040136F . 7C 05 jl short 00401376
00401371 . E9 89000000 jmp 004013FF
00401376 > \8D45 E8 lea eax, [ebp-18]
00401379 . 0385 64FEFFFF add eax, [ebp-19C]
0040137F . 8D88 40FFFFFF lea ecx, [eax-C0] ; username "testkey"
00401385 . 8D45 E8 lea eax, [ebp-18]
00401388 . 0385 64FEFFFF add eax, [ebp-19C]
0040138E . 8D90 40FFFFFF lea edx, [eax-C0] ; username
00401394 . 0FB685 60FEFFFF movzx eax, byte ptr [ebp-1A0] ; username length 7
0040139B . 0202 add al, [edx] ; 7+HEX
0040139D . 2C 04 sub al, 4 ; result-4
0040139F . 8801 mov [ecx], al ; w
004013A1 . 8D45 E8 lea eax, [ebp-18]
004013A4 . 0385 64FEFFFF add eax, [ebp-19C]
004013AA . 8D88 40FFFFFF lea ecx, [eax-C0]
004013B0 . 8D45 E8 lea eax, [ebp-18]
004013B3 . 0385 64FEFFFF add eax, [ebp-19C]
004013B9 . 2D C0000000 sub eax, 0C0
004013BE . 0FB695 60FEFFFF movzx edx, byte ptr [ebp-1A0] ; 7
004013C5 . 0FB600 movzx eax, byte ptr [eax] ; fetch HEX
004013C8 . 28D0 sub al, dl ; hex-7
004013CA . 2C 02 sub al, 2 ; hex-2
004013CC . 8801 mov [ecx], al
004013CE . 8D45 E8 lea eax, [ebp-18]
004013D1 . 0385 64FEFFFF add eax, [ebp-19C]
004013D7 . 8D90 40FFFFFF lea edx, [eax-C0]
004013DD . 8D45 E8 lea eax, [ebp-18]
004013E0 . 0385 64FEFFFF add eax, [ebp-19C]
004013E6 . 2D C0000000 sub eax, 0C0
004013EB . 0FB600 movzx eax, byte ptr [eax] ; new hex
004013EE . 04 02 add al, 2 ; HEX+2
004013F0 . 8802 mov [edx], al ; builds the new string one character at a time
004013F2 . 8D85 64FEFFFF lea eax, [ebp-19C]
004013F8 . FF00 inc dword ptr [eax]
004013FA .^ E9 64FFFFFF jmp 00401363
004013FF > C785 64FEFFFF 00000>mov dword ptr [ebp-19C], 0
00401409 . 8D85 48FEFFFF lea eax, [ebp-1B8]
0040140F . 890424 mov [esp], eax
00401412 . E8 85030400 call 0044179C
00401417 . 8D85 38FEFFFF lea eax, [ebp-1C8]
0040141D . 890424 mov [esp], eax
00401420 . E8 77030400 call 0044179C
00401425 . 8D85 28FFFFFF lea eax, [ebp-D8] ; new string paopgau
0040142B . 894424 04 mov [esp+4], eax
0040142F . 8D85 48FEFFFF lea eax, [ebp-1B8]
00401435 . 890424 mov [esp], eax
00401438 . C785 10FEFFFF 01000>mov dword ptr [ebp-1F0], 1
00401442 . E8 F5090400 call 00441E3C
00401447 . C74424 08 90124000 mov dword ptr [esp+8], 00401290
0040144F . C74424 04 03000000 mov dword ptr [esp+4], 3
00401457 . 8D85 48FEFFFF lea eax, [ebp-1B8]
0040145D . 890424 mov [esp], eax
00401460 . E8 57F30300 call 004407BC
00401465 . C74424 08 90124000 mov dword ptr [esp+8], 00401290
0040146D . C74424 04 05000000 mov dword ptr [esp+4], 5
00401475 . 8D85 48FEFFFF lea eax, [ebp-1B8]
0040147B . 890424 mov [esp], eax
0040147E . E8 39F30300 call 004407BC
00401483 . C74424 08 92124000 mov dword ptr [esp+8], 00401292 ; string to insert, ASCII "axd"
0040148B . C74424 04 06000000 mov dword ptr [esp+4], 6
00401493 . 8D85 48FEFFFF lea eax, [ebp-1B8]
00401499 . 890424 mov [esp], eax
0040149C . E8 1BF30300 call 004407BC
004014A1 . 8D85 68FEFFFF lea eax, [ebp-198]
004014A7 . 894424 04 mov [esp+4], eax
004014AB . 8D85 38FEFFFF lea eax, [ebp-1C8]
004014B1 . 890424 mov [esp], eax
004014B4 . E8 83090400 call 00441E3C
004014B9 . 8D85 48FEFFFF lea eax, [ebp-1B8]
004014BF . 894424 04 mov [esp+4], eax
004014C3 . 8D85 38FEFFFF lea eax, [ebp-1C8]
004014C9 . 890424 mov [esp], eax
004014CC . E8 5BB90400 call 0044CE2C ; string after processing: "pao-p-axdgau"
004014D1 . 84C0 test al, al ; |
004014D3 . 74 61 je short 00401536 ; |
004014D5 . C74424 0C 40000000 mov dword ptr [esp+C], 40 ; |
004014DD . C74424 08 96124000 mov dword ptr [esp+8], 00401296 ; |ASCII "woot"
004014E5 . C74424 04 9B124000 mov dword ptr [esp+4], 0040129B ; |ASCII "You Solved It"
004014ED . A1 08404500 mov eax, [454008] ; |
004014F2 . 890424 mov [esp], eax ; |
004014F5 . E8 F69A0200 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
004014FA . 83EC 10 sub esp, 10
004014FD . EB 37 jmp short 00401536
==============================================================================================================
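The algorithm above can in fact be simplified to:
1. Subtract 4 from the hex value of every character of the username to get a new string.
2. Split the new string and combine it with the string 'axd' to form the serial, in the format: first 3 characters of the new string + '-' + 4th character + '-' + 'axd' + the remaining characters.
==============================================================================================================
The Delphi keygen code: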
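// Handler name is assumed; Edit1 holds the username, Edit2 receives the serial.
procedure TForm1.Button1Click(Sender: TObject);
var
  a, i, l: Integer;
  name1, sn: String;
begin
  l := Length(Edit1.Text);
  // The crackme rejects names of 6 characters or fewer (cmp ..., 6 / jg at 00401354).
  if l < 7 then Exit;
  name1 := Edit1.Text;
  sn := '';
  for i := 1 to l do
  begin
    a := Ord(name1[i]) - 4;  // net effect of the three byte updates in the loop
    sn := sn + Chr(a);
  end;
  // first 3 characters + '-' + 4th character + '-axd' + the rest
  sn := Copy(sn, 1, 3) + '-' + Copy(sn, 4, 1) + '-axd' + Copy(sn, 5, l - 4);
  Edit2.Text := sn;
end;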
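To check the simplification against the listing, the following added example (Python, not part of the original post) replays the three byte updates of the loop with 8-bit arithmetic, applies the three inserts, and compares the result with the simplified form. The function names are hypothetical, and the "-" stored at 00401290 is inferred from the observed result "pao-p-axdgau".

```python
# Added example: replays the per-byte loop (00401363-004013FA) and the three
# insert calls (00401460, 0040147E, 0040149C) from the listing above.

MIN_LEN = 7  # cmp [ebp-1A0], 6 / jg: names of 6 bytes or fewer are rejected


def transform_byte(ch: int, length: int) -> int:
    """Apply the three in-place updates to one name byte as 8-bit AL arithmetic."""
    n = length & 0xFF              # movzx eax/edx, byte ptr [ebp-1A0]
    b = (n + ch - 4) & 0xFF        # add al, [edx] ; sub al, 4 ; mov [ecx], al
    b = (b - n - 2) & 0xFF         # sub al, dl    ; sub al, 2 ; mov [ecx], al
    b = (b + 2) & 0xFF             # add al, 2     ; mov [edx], al
    return b


def build_serial(name: str) -> str:
    """Expected serial computed by following the listing step by step."""
    raw = name.encode("latin-1")   # assumption: one byte per character
    if len(raw) < MIN_LEN:
        raise ValueError("name must be at least 7 bytes long")
    s = bytes(transform_byte(b, len(raw)) for b in raw).decode("latin-1")
    # Insert positions 3, 5, 6 come from the listing; "-" at 00401290 is
    # inferred from the observed result "pao-p-axdgau".
    for pos, piece in ((3, "-"), (5, "-"), (6, "axd")):
        s = s[:pos] + piece + s[pos:]
    return s


def simplified(name: str) -> str:
    """The two-step simplification stated in the write-up."""
    s = "".join(chr((ord(c) - 4) & 0xFF) for c in name)
    return s[:3] + "-" + s[3:4] + "-axd" + s[4:]


if __name__ == "__main__":
    print(build_serial("testkey"))
```

The length added in the first update is subtracted again in the second, which is why the username length drops out of the simplified form.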
--------------------------------------------------------------------------------
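【Summary】
The algorithm is simple and well suited to beginners for practice.
My own skills aren't up to much, so I only pick on the easy targets; a bit embarrassing.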
--------------------------------------------------------------------------------
【Copyright notice】: When reposting, please credit http://www.pediy.com as the source of this article.