原CrackMe链接:
http://bbs.pediy.com/showthread.php?s=&threadid=31578
; Loop body of the user-name transform (the enclosing function and the loop
; set-up lie before this listing).  Per character: tan(c)*10 truncated to an
; integer, abs, ranged into [0x21,0x7F] by a 3n+1 / n/2 iteration, then stored.
text:004011F9 movsx eax, [esp+esi+370h+String] ; eax = sign-extended user-name byte [esi]
.text:00401201 mov [esp+370h+var_364], eax ; spill as a 32-bit int so fild can load it
.text:00401205 lea edx, [esp+370h+var_360] ; edx = &integer-part slot that _modf fills
.text:00401209 fild [esp+370h+var_364] ; st0 = (double)c
.text:0040120D push edx ; double * (second _modf argument)
.text:0040120E sub esp, 8 ; double (space for the first _modf argument)
.text:00401211 fptan ; st0 = 1.0, st1 = tan(c)
.text:00401213 fstp st ; drop the 1.0 that fptan pushes
.text:00401215 fmul ds:dbl_4070D0 ; st0 = tan(c) * 10.0 (the author reads DS:[004070D0] = 10.0)
.text:0040121B fstp [esp+37Ch+var_37C] ; store it as the double argument of _modf
.text:0040121E call _modf ; integer part -> var_360, fraction -> st0
.text:00401223 fstp st ; discard the fraction
.text:00401225 fld [esp+37Ch+var_360] ; st0 = integer part (still a double)
.text:00401229 add esp, 0Ch ; pop both _modf arguments
.text:0040122C call __ftol ; truncate to an integer in eax
.text:00401231 cdq ; edx = sign mask of eax
.text:00401232 xor eax, edx
.text:00401234 sub eax, edx ; eax = abs(eax)
.text:00401236 cmp eax, 21h ; below 0x21 ...
.text:00401239 jge short loc_401240
.text:0040123B add eax, 1Fh ; ... shift up by 0x1F
.text:0040123E jmp short loc_40124F
.text:00401240 ; ---------------------------------------------------------------------------
.text:00401240
.text:00401240 loc_401240:
.text:00401240 cmp eax, 7Eh ; above 0x7E ...
.text:00401243 jle short loc_40124F
.text:00401245 cdq
.text:00401246 mov ecx, 7Fh
.text:0040124B idiv ecx
.text:0040124D mov eax, edx ; ... reduce mod 0x7F (signed remainder)
.text:0040124F
.text:0040124F loc_40124F: ; 3n+1 / n/2 step, applied once and repeated until 0x21 <= eax <= 0x7F
.text:0040124F
.text:0040124F mov edx, eax ; copy for the parity test
.text:00401251 and edx, 80000001h ; signed (eax % 2) idiom: keep the sign bit and the low bit
.text:00401257 jns short loc_40125E ; non-negative: ZF already says whether eax is even
.text:00401259 dec edx
.text:0040125A or edx, 0FFFFFFFEh
.text:0040125D inc edx ; negative: fold to -1 (odd) or 0 (even), which sets ZF
.text:0040125E
.text:0040125E loc_40125E:
.text:0040125E jz short loc_401266 ; even -> halve, odd -> 3n+1
.text:00401260 lea eax, [eax+eax*2+1] ; eax = 3*eax + 1
.text:00401264 jmp short loc_40126B
.text:00401266 ; ---------------------------------------------------------------------------
.text:00401266
.text:00401266 loc_401266:
.text:00401266 cdq
.text:00401267 sub eax, edx
.text:00401269 sar eax, 1 ; eax = eax / 2, truncating toward zero
.text:0040126B
.text:0040126B loc_40126B:
.text:0040126B cmp eax, 21h
.text:0040126E jl short loc_40124F ; still below 0x21: iterate again
.text:00401270 cmp eax, 7Fh
.text:00401273 jg short loc_40124F ; still above 0x7F: iterate again
; NOTE: once the sequence reaches 1 it cycles 1 -> 4 -> 2 -> 1, all below 0x21,
; and this loop never exits; presumably the 'i' / 'o' hang the author reports.
.text:00401275 cmp eax, 21h
.text:00401278 jle short loc_401286 ; exactly 0x21: skip the store
.text:0040127A cmp eax, 7Fh
.text:0040127D jge short loc_401286 ; exactly 0x7F: skip the store (output byte left unchanged)
.text:0040127F mov byte ptr [esp+esi+370h+var_290], al ; result[esi] = al (the author locates this buffer at ESP+ESI+E0)
.text:00401286
.text:00401286 loc_401286:
.text:00401286
.text:00401286 inc esi
.text:00401287 cmp esi, ebx
.text:00401289 jl loc_4011F9 ; next character while esi < ebx (presumably the name length)
; Serial-side processing and the final comparison (OllyDbg listing, hex operands).
0040128F >|> \33C0 XOR EAX,EAX ; loc_40128F: i = 0
00401291 >|> 888404 700200>/MOV BYTE PTR SS:[ESP+EAX+270],AL ; table[i] = i (byte) for i = 0 .. 0xFF (the CMP operand 100 is hex)
00401298 |. 40 |INC EAX
00401299 |. 3D 00010000 |CMP EAX,100 ; 0x100 (immediate bytes 00 01 00 00)
0040129E |.^ 7C F1 \JL SHORT <CrackMe_.loc_401291>
004012A0 |. 33C0 XOR EAX,EAX ; i = 0
004012A2 |. 85FF TEST EDI,EDI ; edi bounds the serial loop below (presumably the serial length)
004012A4 |. 7E 16 JLE SHORT <CrackMe_.loc_4012BC> ; nothing to do when <= 0
004012A6 >|> 8A8C04 700200>/MOV CL,BYTE PTR SS:[ESP+EAX+270] ; cl = table[i] = i
004012AD |. 8A5C04 18 |MOV BL,BYTE PTR SS:[ESP+EAX+18] ; bl = serial[i]
004012B1 |. 32D9 |XOR BL,CL ; serial[i] xor i
004012B3 |. 885C04 18 |MOV BYTE PTR SS:[ESP+EAX+18],BL ; written back in place at SS:[ESP+EAX+18]
004012B7 |. 40 |INC EAX ; next serial byte
004012B8 |. 3BC7 |CMP EAX,EDI ; all bytes done?
004012BA |.^ 7C EA \JL SHORT <CrackMe_.loc_4012A6>
004012BC >|> 8DB424 E00000>LEA ESI,DWORD PTR SS:[ESP+E0] ; esi = transformed user name (the ESP+ESI+E0 buffer of the first listing)
004012C3 |. 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18] ; eax = XOR-ed serial
; Inlined strcmp, unrolled by two: both buffers must agree up to the NUL.
004012C7 >|> 8A10 /MOV DL,BYTE PTR DS:[EAX] ; dl = serial byte (EAX points at ESP+18, set above)
004012C9 |. 8A1E |MOV BL,BYTE PTR DS:[ESI] ; bl = user-name-result byte
004012CB |. 8ACA |MOV CL,DL
004012CD |. 3AD3 |CMP DL,BL
004012CF 75 2C JNZ SHORT <CrackMe_.loc_4012FD> ; mismatch: leave the compare (loc_4012FD lies outside this listing); the author marks this as patch point 1
004012D1 |. 84C9 |TEST CL,CL ; end of string?
004012D3 |. 74 16 |JE SHORT <CrackMe_.loc_4012EB> ; both ended, all bytes equal
004012D5 |. 8A50 01 |MOV DL,BYTE PTR DS:[EAX+1] ; next serial byte
004012D8 |. 8A5E 01 |MOV BL,BYTE PTR DS:[ESI+1] ; next user-name-result byte
004012DB |. 8ACA |MOV CL,DL
004012DD |. 3AD3 |CMP DL,BL
004012DF 75 1C JNZ SHORT <CrackMe_.loc_4012FD> ; mismatch; the author marks this as patch point 2
004012E1 |. 83C0 02 |ADD EAX,2
004012E4 |. 83C6 02 |ADD ESI,2 ; advance both over the two bytes just compared
004012E7 |. 84C9 |TEST CL,CL
004012E9 |.^ 75 DC \JNZ SHORT <CrackMe_.loc_4012C7> ; keep going until the NUL
004012EB >|> 33C0 XOR EAX,EAX ; loc_4012EB: strings equal -> eax = 0
直接用原来的代码做成注册机:
// Port of the target's per-character FPU step (fptan; fmul 10; _modf; __ftol):
// tan(eax) scaled by 10 and truncated toward zero.  tan is built as sin/cos
// so only the System unit is required.
function cacl(eax: integer):integer;
var
  tangent, scaled: double;
begin
  tangent := Sin(eax) / Cos(eax);
  scaled := tangent * 10;
  Result := Trunc(scaled);
end;
// Keygen handler: re-runs the target's per-character transform on the text of
// edit1 (same instruction sequence as the disassembly above), XORs each result
// byte with its index to undo the target's serial[i] xor i, and shows the
// serial in edit2.  The error path shows a message box.
procedure TForm1.Button1Click(Sender: TObject);
var
name,temp,SN,CODE:string; // SN and CODE are never used
i,LEN:INTEGER; // i is never used; LEN = length of the name
szCaption,szTitle:string;
begin
szTitle:='提示!';
szCaption:='注册码格式有误.';
name:=edit1.text;
LEN:=LENGTH(NAME);
asm
MOV ESI, [name] // esi -> first character of the name (nil for an empty string)
// NOTE(review): MOV sets no flags, so this JE tests stale flags; a TEST ESI,ESI
// before it (nil check for an empty name) is presumably what was intended.
JE @ERROR
XOR EDI,EDI // edi = character index
@003:
MOVSX EAX,BYTE PTR SS:[ESI+EDI] // eax = name[edi], sign-extended
TEST AL,AL
JE @EXIT // stop at the terminating NUL
CALL cacl // eax = Trunc(tan(eax) * 10); argument and result in eax (register convention)
CDQ
XOR EAX,EDX
SUB EAX,EDX // eax = abs(eax)
CMP EAX,$21
JGE @025
ADD EAX,$1F // below $21: shift up by $1F
JMP @031
@025:
CMP EAX,$7E
JLE @031
CDQ
MOV ECX,$7F
IDIV ECX
MOV EAX,EDX // above $7E: reduce mod $7F
@031:
// 3n+1 / n div 2 step, applied once and repeated until $21 <= eax <= $7F.
// As in the target, it never terminates once the sequence reaches 1 (1 -> 4 -> 2 -> 1).
MOV EDX,EAX
AND EDX,$80000001 // signed (eax mod 2) idiom: keep the sign bit and the low bit
JNS @037
DEC EDX
OR EDX,$FFFFFFFE
INC EDX // negative: fold to -1 (odd) or 0 (even), setting ZF
@037:
JE @040 // even -> halve, odd -> 3n+1
LEA EAX,DWORD PTR DS:[EAX+EAX*2+1]
JMP @043
@040:
CDQ
SUB EAX,EDX
SAR EAX,$01 // eax = eax div 2, truncating toward zero
@043:
CMP EAX,$21
JL @031
CMP EAX,$7F
JG @031
// The target merely skips the store when eax is exactly $21 or $7F; this
// keygen reports an error instead, so such names diverge from the target.
CMP EAX,$21
JLE @ERROR
CMP EAX,$7F
JGE @ERROR
XOR EAX,EDI // serial[edi] = result xor edi (the target XORs each serial byte with its index)
// NOTE(review): 4-byte store at the stack pointer; successive stores overlap, so the
// low bytes form a string and the zero high bytes of the last store (zero while the
// index fits in one byte) act as its terminator.  This overwrites whatever lives at
// [ESP..ESP+LEN+3]; a local array would be the safe output buffer.
MOV DWORD PTR SS:[ESP+EDI],EAX // address of the output byte
@052:
INC EDI
CMP EDI,LEN
JL @003 // next character while edi < LEN
// NOTE(review): stores the raw stack address into a managed string variable,
// bypassing reference counting; temp is only valid until this frame is reused.
MOV TEMP,ESP
JMP @EXIT
@ERROR:
PUSH MB_OK+MB_ICONINFORMATION
PUSH szTitle
PUSH szCaption
PUSH 0
CALL MessageBox // MessageBox(0, szCaption, szTitle, MB_OK+MB_ICONINFORMATION)
@EXIT:
end;
edit2.text:=temp; // presumably copies the stack-resident text into the control
end;
end.
程序有个BUG,对i和o敏感。附注册机。