【Title】: A brief analysis of the riijj CrackMe11 algorithm
【Author】: hawking
【Author's e-mail】: rich_hawking@hotmail.com
【Software】: riijj crackme service pack 2 (second revision)
【Size】: 52K
【Download】: http://bbs.pediy.com/attachment.php?s=&attachmentid=4074
【Packer】: none
【Language】: Microsoft Visual C++ 6.0
【Tools】: OD (OllyDbg)
【Platform】: Win2000 SP4
【Author's note】: Done purely out of interest, for no other purpose. If I have made mistakes, please point them out!
--------------------------------------------------------------------------------
【Walkthrough】
This CrackMe contains some anti-debugging tricks; if you simply open it in OD and run it, it will not get going. The anti-debug part has already been analysed clearly by 绫濑遥 (http://bbs.pediy.com/showthread.php?s=&threadid=38125) and Ryosuke, so I will not repeat it here.
Test input (name, then key):
hawking
12345678901234567890
00401710 . 8B4424 08      mov eax, dword ptr [esp+8]                     ; message
00401714 . 3D 10010000    cmp eax, 110                                   ; WM_INITDIALOG?
00401719 . 75 1C          jnz short 00401737
0040171B . 8B4424 04      mov eax, dword ptr [esp+4]
0040171F . 68 E8030000    push 3E8                                       ; /ControlID = 3E8 (1000.)
00401724 . 50             push eax                                       ; |hWnd
00401725 . FF15 14A14000  call dword ptr [<&USER32.GetDlgItem>]          ; \GetDlgItem
0040172B . 50             push eax                                       ; /hWnd
0040172C . FF15 18A14000  call dword ptr [<&USER32.SetFocus>]            ; \SetFocus
00401732 > 33C0           xor eax, eax
00401734 . C2 1000        retn 10
00401737 > 3D 11010000    cmp eax, 111                                   ; WM_COMMAND?
0040173C .^ 75 F4         jnz short 00401732
0040173E . 66:817C24 0C > cmp word ptr [esp+C], 3EA                      ; Register button control ID (LOWORD(wParam))
00401745 .^ 75 EB         jnz short 00401732
00401747 . 56             push esi
00401748 . 8B7424 14      mov esi, dword ptr [esp+14]
0040174C . 57             push edi
0040174D . 8B3D 1CA14000  mov edi, dword ptr [<&USER32.EnableWindow>]    ; USER32.EnableWindow
00401753 . 6A 00          push 0                                         ; /Enable = FALSE
00401755 . 56             push esi                                       ; |hWnd
00401756 . FFD7           call edi                                       ; \EnableWindow
00401758 . E8 F3040000    call 00401C50                                  ; get name and key string
0040175D . 6A 01          push 1
0040175F . 56             push esi
00401760 . FFD7           call edi                                       ; EnableWindow(hWnd, TRUE)
00401762 . 5F             pop edi
00401763 . 33C0           xor eax, eax
00401765 . 5E             pop esi
00401766 . C2 1000        retn 10
For how to locate a button's click handler in the first place, see http://bbs.pediy.com/showthread.php?s=&threadid=20078 and CCDebuger's OD beginner series.
Here the program merely fetches the contents of the name and key edit boxes via call 00401C50, copies them into the region the author allocated earlier with VirtualAlloc, and returns; it performs no computation or comparison on the name and key at all. So how does the program validate our input?
If you have seen riijj's earlier CrackMe3 (http://bbs.pediy.com/showthread.php?threadid=8155), the situation is very similar: the click handler only captures the user's input and sets the related flag, and a timer then keeps running the computation and the checks on that captured data in the background.
00401B46 |. A1 CCDD4000    mov eax, dword ptr [40DDCC]
00401B4B |. 68 101B4000    push 00401B10                                ; /Timerproc = riijjcm1.00401B10
00401B50 |. 68 F4010000    push 1F4                                     ; |Timeout = 500. ms
00401B55 |. 6A 01          push 1                                       ; |TimerID = 1
00401B57 |. 50             push eax                                     ; |hWnd => 00130752 ('Riijj crackme 11 - 20070115',class='myWindowClass')
00401B58 |. FF15 E0A04000  call dword ptr [<&USER32.SetTimer>]          ; \SetTimer
00401B5E |. C705 D4DD4000> mov dword ptr [40DDD4], 0
00401B68 |. C3             retn
00401880 /$ 81EC 9C000000  sub esp, 9C
00401886 |. B0 E9          mov al, 0E9
00401888 |. C64424 02 B6   mov byte ptr [esp+2], 0B6
0040188D |. 884424 03      mov byte ptr [esp+3], al
00401891 |. 884424 01      mov byte ptr [esp+1], al
00401895 |. A1 D4DD4000    mov eax, dword ptr [40DDD4]
0040189A |. C64424 00 BF   mov byte ptr [esp], 0BF
0040189F |. 85C0           test eax, eax                                ; previous tick still running?
004018A1 |. 0F85 F0000000  jnz 00401997                                 ; then do nothing this time
004018A7 |. 8D4424 02      lea eax, dword ptr [esp+2]
004018AB |. 56             push esi
004018AC |. 50             push eax
004018AD |. C705 D4DD4000> mov dword ptr [40DDD4], 1                    ; busy flag, cleared again at 0040197D
004018B7 |. E8 D4FEFFFF    call 00401790
004018BC |. 8D4C24 08      lea ecx, dword ptr [esp+8]
004018C0 |. 51             push ecx
004018C1 |. E8 CAFEFFFF    call 00401790
004018C6 |. A1 D8DD4000    mov eax, dword ptr [40DDD8]
004018CB |. 8D5424 0E      lea edx, dword ptr [esp+E]
004018CF |. 52             push edx
004018D0 |. 50             push eax
004018D1 |. E8 6AFFFFFF    call 00401840
004018D6 |. 8B15 DCDD4000  mov edx, dword ptr [40DDDC]
004018DC |. 8D4C24 14      lea ecx, dword ptr [esp+14]
004018E0 |. 51             push ecx
004018E1 |. 52             push edx
004018E2 |. 8BF0           mov esi, eax
004018E4 |. E8 57FFFFFF    call 00401840
004018E9 |. 83C4 18        add esp, 18
004018EC |. 8BD0           mov edx, eax
004018EE |. 85F6           test esi, esi
004018F0 |. 74 67          je short 00401959
004018F2 |. 85D2           test edx, edx
004018F4 |. 74 63          je short 00401959
004018F6 |. 53             push ebx
004018F7 |. 57             push edi
004018F8 |. 8D7E 02        lea edi, dword ptr [esi+2]                   ; name string
004018FB |. 83C9 FF        or ecx, FFFFFFFF
004018FE |. 33C0           xor eax, eax
00401900 |. 8D5C24 10      lea ebx, dword ptr [esp+10]                  ; local copy of the name
00401904 |. F2:AE          repne scas byte ptr es:[edi]                 ; strlen
00401906 |. F7D1           not ecx
00401908 |. 2BF9           sub edi, ecx
0040190A |. 8BC1           mov eax, ecx
0040190C |. 8BF7           mov esi, edi
0040190E |. 8BFB           mov edi, ebx
00401910 |. C1E9 02        shr ecx, 2
00401913 |. F3:A5          rep movs dword ptr es:[edi], dword ptr [esi] ; memcpy, including the NUL
00401915 |. 8BC8           mov ecx, eax
00401917 |. 33C0           xor eax, eax
00401919 |. 83E1 03        and ecx, 3
0040191C |. F3:A4          rep movs byte ptr es:[edi], byte ptr [esi]
0040191E |. 8D7A 02        lea edi, dword ptr [edx+2]                   ; key string
00401921 |. 83C9 FF        or ecx, FFFFFFFF
00401924 |. F2:AE          repne scas byte ptr es:[edi]
00401926 |. F7D1           not ecx
00401928 |. 2BF9           sub edi, ecx
0040192A |. 8D5424 44      lea edx, dword ptr [esp+44]                  ; local copy of the key
0040192E |. 8BC1           mov eax, ecx
00401930 |. 8BF7           mov esi, edi
00401932 |. 8BFA           mov edi, edx
00401934 |. C1E9 02        shr ecx, 2
00401937 |. F3:A5          rep movs dword ptr es:[edi], dword ptr [esi]
00401939 |. 8BC8           mov ecx, eax
0040193B |. 83E1 03        and ecx, 3
0040193E |. F3:A4          rep movs byte ptr es:[edi], byte ptr [esi]
00401940 |. E8 DB010000    call 00401B20
00401945 |. 8D4C24 44      lea ecx, dword ptr [esp+44]                  ; key
00401949 |. 8D5424 10      lea edx, dword ptr [esp+10]                  ; name
0040194D |. 51             push ecx
0040194E |. 52             push edx
0040194F |. E8 9CF7FFFF    call 004010F0                                ; key call, step into it with F7
00401954 |. 83C4 08        add esp, 8
00401957 |. 5F             pop edi
00401958 |. 5B             pop ebx
00401959 |> E8 72050000    call 00401ED0
0040195E |. 99             cdq
0040195F |. B9 84030000    mov ecx, 384
00401964 |. F7F9           idiv ecx                                     ; edx = result % 900
00401966 |. 0315 C8DD4000  add edx, dword ptr [40DDC8]
0040196C |. 8915 D8DD4000  mov dword ptr [40DDD8], edx                  ; [40DDD8] = 00401ED0() % 900 + [40DDC8]
00401972 |. E8 59050000    call 00401ED0
00401977 |. 99             cdq
00401978 |. B9 84030000    mov ecx, 384
0040197D |. C705 D4DD4000> mov dword ptr [40DDD4], 0                    ; clear the busy flag
00401987 |. F7F9           idiv ecx
00401989 |. A1 E4DD4000    mov eax, dword ptr [40DDE4]
0040198E |. 5E             pop esi
0040198F |. 03D0           add edx, eax
00401991 |. 8915 DCDD4000  mov dword ptr [40DDDC], edx                  ; [40DDDC] = 00401ED0() % 900 + [40DDE4]
00401997 |> 81C4 9C000000  add esp, 9C
0040199D \. C3             retn
004010F0 /$ 83EC 0C        sub esp, 0C
004010F3 |. 8B5424 10      mov edx, dword ptr [esp+10]                  ; name
004010F7 |. 56             push esi
004010F8 |. 57             push edi
004010F9 |. 8BFA           mov edi, edx
004010FB |. 83C9 FF        or ecx, FFFFFFFF
004010FE |. 33C0           xor eax, eax
00401100 |. F2:AE          repne scas byte ptr es:[edi]
00401102 |. F7D1           not ecx
00401104 |. 49             dec ecx                                      ; ecx = strlen(name)
00401105 |. 8BF1           mov esi, ecx
00401107 |. 33C9           xor ecx, ecx
00401109 |. 85F6           test esi, esi
0040110B |. 897424 10      mov dword ptr [esp+10], esi
0040110F |. 7E 18          jle short 00401129
00401111 |> 8A0411        /mov al, byte ptr [ecx+edx]
00401114 |. 3C 20         |cmp al, 20
00401116 |. 0F8C AA000000 |jl 004011C6                                  ; below 0x20: return without checking anything
0040111C |. 3C 7E         |cmp al, 7E
0040111E |. 0F8F A2000000 |jg 004011C6                                  ; above 0x7E: likewise
00401124 |. 41            |inc ecx
00401125 |. 3BCE          |cmp ecx, esi
00401127 |.^ 7C E8        \jl short 00401111                            ; every byte of the name must be a printable character (0x20..0x7E)
00401129 |> 53             push ebx
0040112A |. 55             push ebp
0040112B |. 8B6C24 24      mov ebp, dword ptr [esp+24]                  ; key
0040112F |. 83C9 FF        or ecx, FFFFFFFF
00401132 |. 8BFD           mov edi, ebp
00401134 |. 33C0           xor eax, eax
00401136 |. F2:AE          repne scas byte ptr es:[edi]
00401138 |. F7D1           not ecx
0040113A |. 49             dec ecx                                      ; ecx = strlen(key)
0040113B |. 6A 20          push 20
0040113D |. 8BD9           mov ebx, ecx
0040113F |. E8 D00C0000    call 00401E14                                ; 32-byte buffer for the converted key
00401144 |. 83C4 04        add esp, 4
00401147 |. 8BF8           mov edi, eax
00401149 |. 33F6           xor esi, esi
0040114B |. 897C24 10      mov dword ptr [esp+10], edi
0040114F |. 85DB           test ebx, ebx
00401151 |. 7E 28          jle short 0040117B
00401153 |> 8D4424 24     /lea eax, dword ptr [esp+24]                  ; &tmp (reuses the key argument slot; the pointer is already in ebp)
00401157 |. 8D0C2E        |lea ecx, dword ptr [esi+ebp]                 ; key + i
0040115A |. 50            |push eax
0040115B |. 68 94B04000   |push 0040B094                                ; ASCII "%2X"
00401160 |. 51            |push ecx
00401161 |. E8 7A0C0000   |call 00401DE0                                ; sscanf(key + i, "%2X", &tmp)
00401166 |. 8A5424 30     |mov dl, byte ptr [esp+30]                    ; low byte of tmp
0040116A |. 83C4 0C       |add esp, 0C
0040116D |. 8817          |mov byte ptr [edi], dl
0040116F |. 83C6 02       |add esi, 2                                   ; i += 2
00401172 |. 47            |inc edi
00401173 |. 3BF3          |cmp esi, ebx
00401175 |.^ 7C DC        \jl short 00401153                            ; the key we typed is parsed as a hex string, two characters per byte; call the resulting buffer X
00401177 |. 8B7C24 10      mov edi, dword ptr [esp+10]                  ; edi = X
0040117B |> DD05 48A14000  fld qword ptr [40A148]                       ; st(0) = 1.0, the initial accumulator
00401181 |. 8B4C24 18      mov ecx, dword ptr [esp+18]
00401185 |. 33C0           xor eax, eax
00401187 |. DD5424 10      fst qword ptr [esp+10]                       ; default Y = 1.0, used when the name is empty
0040118B |. 5D             pop ebp
0040118C |. 5B             pop ebx
0040118D |. 85C9           test ecx, ecx                                ; length of name
0040118F |. 7E 3B          jle short 004011CC
00401191 |> 8B5424 18     /mov edx, dword ptr [esp+18]                  ; name
00401195 |. 40            |inc eax                                      ; i++
00401196 |. 3BC1          |cmp eax, ecx                                 ; i < length of name? (the FPU instructions below leave the flags alone)
00401198 |. 0FBE5410 FF   |movsx edx, byte ptr [eax+edx-1]              ; c = name[i-1], sign-extended
0040119D |. 895424 10     |mov dword ptr [esp+10], edx                  ; spill c for fild
004011A1 |. DB4424 10     |fild dword ptr [esp+10]                      ; st(0) = c, st(1) = acc
004011A5 |. DEC1          |faddp st(1), st                              ; acc = acc + c
004011A7 |. DC0D 40A14000 |fmul qword ptr [40A140]                      ; acc = acc * 1.2
004011AD |.^ 7C E2        \jl short 00401191                            ; runs over the whole name; the final acc is one parameter of the final check, call it Y
004011AF |. DD5C24 08      fstp qword ptr [esp+8]                       ; store Y
004011B3 |> 8B4424 0C      mov eax, dword ptr [esp+C]
004011B7 |. 8B4C24 08      mov ecx, dword ptr [esp+8]
004011BB |. 57             push edi                                     ; address of X
004011BC |. 50             push eax                                     ; high dword of Y
004011BD |. 51             push ecx                                     ; low dword of Y
004011BE |. E8 1D010000    call 004012E0                                ; key call, step into it with F7
004011C3 |. 83C4 0C        add esp, 0C
004011C6 |> 5F             pop edi
004011C7 |. 5E             pop esi
004011C8 |. 83C4 0C        add esp, 0C
004011CB |. C3             retn
004011CC |> DDD8           fstp st                                      ; empty name: discard the accumulator, Y stays 1.0
004011CE \.^ EB E3         jmp short 004011B3
004012E0 /$ 51             push ecx
004012E1 |. 53             push ebx
004012E2 |. 55             push ebp
004012E3 |. 56             push esi
004012E4 |. 8B7424 1C      mov esi, dword ptr [esp+1C]                  ; esi = X
004012E8 |. 57             push edi
004012E9 |. 33ED           xor ebp, ebp
004012EB |. DD46 08        fld qword ptr [esi+8]                        ; X is consumed 8 bytes at a time as doubles; this one is X2
004012EE |. DC0D 00A24000  fmul qword ptr [40A200]                      ; X2 * 37
004012F4 |. DD06           fld qword ptr [esi]
004012F6 |. DC0D F8A14000  fmul qword ptr [40A1F8]                      ; X1 * 112
004012FC |. 83EC 08        sub esp, 8
004012FF |. 33FF           xor edi, edi
00401301 |. 33DB           xor ebx, ebx
00401303 |. 896C24 18      mov dword ptr [esp+18], ebp
00401307 |. DEC1           faddp st(1), st
00401309 |. DD4424 20      fld qword ptr [esp+20]                       ; Y
0040130D |. DC0D F0A14000  fmul qword ptr [40A1F0]                      ; Y * 7
00401313 |. DEC1           faddp st(1), st
00401315 |. DD46 18        fld qword ptr [esi+18]
00401318 |. DC0D 38A14000  fmul qword ptr [40A138]                      ; X4 * 5
0040131E |. DEC1           faddp st(1), st
00401320 |. DD46 10        fld qword ptr [esi+10]
00401323 |. DC0D E8A14000  fmul qword ptr [40A1E8]                      ; X3 * 60
00401329 |. DEC1           faddp st(1), st
0040132B |. DC25 E0A14000  fsub qword ptr [40A1E0]                      ; 100
00401331 |. DD1C24         fstp qword ptr [esp]                         ; Result = X2*37 + X1*112 + Y*7 + X4*5 + X3*60 - 100
00401334 |. E8 C7FCFFFF    call 00401000                                ; returns 1 if the check succeeds
00401339 |. 83C4 08        add esp, 8
0040133C |. 85C0           test eax, eax
0040133E |. 74 05          je short 00401345
00401340 |. BF 01000000    mov edi, 1                                   ; set the flag on success
00401345 |> DD46 08        fld qword ptr [esi+8]
00401348 |. DC0D D8A14000  fmul qword ptr [40A1D8]                      ; X2 * 39
0040134E |. DD06           fld qword ptr [esi]
00401350 |. DC0D D0A14000  fmul qword ptr [40A1D0]                      ; X1 * 67
00401356 |. 83EC 08        sub esp, 8
00401359 |. DEC1           faddp st(1), st
0040135B |. DD4424 20      fld qword ptr [esp+20]
0040135F |. DC0D C8A14000  fmul qword ptr [40A1C8]                      ; Y * 12
00401365 |. DEC1           faddp st(1), st
00401367 |. DD46 18        fld qword ptr [esi+18]
0040136A |. DC0D C0A14000  fmul qword ptr [40A1C0]                      ; X4 * 50
00401370 |. DEC1           faddp st(1), st
00401372 |. DD46 10        fld qword ptr [esi+10]
00401375 |. DC0D B8A14000  fmul qword ptr [40A1B8]                      ; X3 * 30
0040137B |. DEC1           faddp st(1), st
0040137D |. DC25 B0A14000  fsub qword ptr [40A1B0]                      ; 80
00401383 |. DD1C24         fstp qword ptr [esp]                         ; Result = X2*39 + X1*67 + Y*12 + X4*50 + X3*30 - 80
00401386 |. E8 75FCFFFF    call 00401000
0040138B |. 83C4 08        add esp, 8
0040138E |. 85C0           test eax, eax
00401390 |. 74 05          je short 00401397
00401392 |. BB 01000000    mov ebx, 1                                   ; set the flag on success
00401397 |> DD46 08        fld qword ptr [esi+8]
0040139A |. DC0D A8A14000  fmul qword ptr [40A1A8]                      ; X2 * 54
004013A0 |. DD06           fld qword ptr [esi]
004013A2 |. DC0D A0A14000  fmul qword ptr [40A1A0]                      ; X1 * 72
004013A8 |. 83EC 08        sub esp, 8
004013AB |. DEC1           faddp st(1), st
004013AD |. DD4424 20      fld qword ptr [esp+20]
004013B1 |. DC0D 98A14000  fmul qword ptr [40A198]                      ; Y * 15
004013B7 |. DEC1           faddp st(1), st
004013B9 |. DD46 18        fld qword ptr [esi+18]
004013BC |. DC0D 90A14000  fmul qword ptr [40A190]                      ; X4 * 28
004013C2 |. DEC1           faddp st(1), st
004013C4 |. DD46 10        fld qword ptr [esi+10]
004013C7 |. DC0D 88A14000  fmul qword ptr [40A188]                      ; X3 * 33
004013CD |. DEC1           faddp st(1), st
004013CF |. DC25 80A14000  fsub qword ptr [40A180]                      ; 92
004013D5 |. DD1C24         fstp qword ptr [esp]                         ; Result = X2*54 + X1*72 + Y*15 + X4*28 + X3*33 - 92
004013D8 |. E8 23FCFFFF    call 00401000
004013DD |. 83C4 08        add esp, 8
004013E0 |. 85C0           test eax, eax
004013E2 |. 74 05          je short 004013E9
004013E4 |. BD 01000000    mov ebp, 1                                   ; set the flag on success
004013E9 |> DD46 08        fld qword ptr [esi+8]
004013EC |. DC0D E8A14000  fmul qword ptr [40A1E8]                      ; X2 * 60 (same constant as at 00401323)
004013F2 |. DD06           fld qword ptr [esi]
004013F4 |. DC0D B0A14000  fmul qword ptr [40A1B0]                      ; X1 * 80 (same constant as at 0040137D)
004013FA |. 83EC 08        sub esp, 8
004013FD |. DEC1           faddp st(1), st
004013FF |. DD4424 20      fld qword ptr [esp+20]
00401403 |. DC0D 78A14000  fmul qword ptr [40A178]
00401409 |. DEC1           faddp st(1), st
0040140B |. DD46 18        fld qword ptr [esi+18]
0040140E |. DC0D 70A14000  fmul qword ptr [40A170]
00401414 |. DEC1           faddp st(1), st
00401416 |. DD46 10        fld qword ptr [esi+10]
00401419 |. DC0D 68A14000  fmul qword ptr [40A168]
0040141F |. DEC1 [color=#0000D0]faddp[/color] [color=#FF0000]st[/color](1), [color=#FF0000]st[/color]
00401421 |. DC25 60A14000 [color=#0000D0]fsub[/color] [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A160]
00401427 |. DD1C24 [color=#0000D0]fstp[/color] [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]] [color=#008000];Result = X2*60+X1*80+Y*21+X4*20+X3*42-105[/color]
0040142A |. E8 D1FBFFFF [color=#0000D0]call[/color] 00401000
0040142F |. 83C4 08 [color=#0000D0]add[/color] [color=#FF0000]esp[/color], 8
00401432 |. 85C0 [color=#0000D0]test[/color] [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
00401434 |. B8 01000000 [color=#0000D0]mov[/color] [color=#FF0000]eax[/color], 1 [color=#008000];成功则置标志[/color]
00401439 |. 75 04 [color=#0000D0]jnz[/color] short 0040143F
0040143B |. 8B4424 10 [color=#0000D0]mov[/color] [color=#FF0000]eax[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+10]
0040143F |> 85FF [color=#0000D0]test[/color] [color=#FF0000]edi[/color], [color=#FF0000]edi[/color]
00401441 |. 74 11 [color=#0000D0]je[/color] short 00401454
00401443 |. 85DB [color=#0000D0]test[/color] [color=#FF0000]ebx[/color], [color=#FF0000]ebx[/color]
00401445 |. 74 0D [color=#0000D0]je[/color] short 00401454
00401447 |. 85ED [color=#0000D0]test[/color] [color=#FF0000]ebp[/color], [color=#FF0000]ebp[/color]
00401449 |. 74 09 [color=#0000D0]je[/color] short 00401454
0040144B |. 85C0 [color=#0000D0]test[/color] [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
0040144D |. 74 05 [color=#0000D0]je[/color] short 00401454
0040144F |. E8 DCFBFFFF [color=#0000D0]call[/color] 00401030 [color=#008000];这个Call显示注册成功信息[/color]
00401454 |> 5F [color=#0000D0]pop[/color] [color=#FF0000]edi[/color]
00401455 |. 5E [color=#0000D0]pop[/color] [color=#FF0000]esi[/color]
00401456 |. 5D [color=#0000D0]pop[/color] [color=#FF0000]ebp[/color]
00401457 |. 5B [color=#0000D0]pop[/color] [color=#FF0000]ebx[/color]
00401458 |. 59 [color=#0000D0]pop[/color] [color=#FF0000]ecx[/color]
00401459 \. C3 [color=#0000D0]retn[/color]
The check routine at 00401000, called after each of the four Result computations (it returns 1 only for -5 < Result < 5, both bounds exclusive):
00401000 /$ DD4424 04 fld qword ptr [esp+4] ;Result
00401004 |. DC1D 38A14000 fcomp qword ptr [40A138] ;5.00000000
0040100A |. DFE0 fstsw ax
0040100C |. F6C4 01 test ah, 1 ;C0 is set only when Result < 5.0
0040100F |. 74 17 je short 00401028 ;Result >= 5.0: return 0
00401011 |. DD4424 04 fld qword ptr [esp+4] ;Result
00401015 |. DC1D 30A14000 fcomp qword ptr [40A130] ;-5.00000000
0040101B |. DFE0 fstsw ax
0040101D |. F6C4 41 test ah, 41 ;C0|C3 is set when Result <= -5.0
00401020 |. 75 06 jnz short 00401028 ;Result <= -5.0: return 0
00401022 |. B8 01000000 mov eax, 1 ;-5.0 < Result < 5.0: return 1
00401027 |. C3 retn
00401028 |> 33C0 xor eax, eax
0040102A \. C3 retn
This completes the trace of the whole algorithm. The program derives Y from the user name entered and X1, X2, X3, X4 from the key, and registration succeeds only if all four of the following hold (each Result is tested by the routine at 00401000, so both bounds are strict):
-5 < X2*37+X1*112+Y*7+X4*5+X3*60-100 < 5
-5 < X2*39+X1*67+Y*12+X4*50+X3*30-80 < 5
-5 < X2*54+X1*72+Y*15+X4*28+X3*33-92 < 5
-5 < X2*60+X1*80+Y*21+X4*20+X3*42-105 < 5
Since we choose the user name ourselves, Y is known: substitute our own Y into the four equations, solve them simultaneously, and the X values fall out. For a fixed Y the four equalities have exactly one solution (the 4x4 coefficient matrix is nonsingular), but because each Result only has to land inside the open interval (-5, 5), every point close enough to that solution is also accepted, so in practice one user name maps to infinitely many valid keys. Only the first 64 characters of the key are used: 64 hex characters encode the 32 bytes of the four 8-byte doubles X1..X4 that the code reads from [esi], [esi+8], [esi+10] and [esi+18].
Here are two working name/key pairs:
haw
008BD375CC1C7440217B1EA657D468C02F4268FF726580C084FA2BA733C851C0
hawking
B850BEFC46DA9140B68FCB818B1F86C084E702195B269DC0A21C10126DAA6FC0
As for a keygen, I could not manage one, since I do not know how to solve the equations in code; I would be grateful if any of you brothers could enlighten me.
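The solver and key checker below are an added example written for this edit; they are not code from the original post or from the CrackMe. The coefficients are the ones in the four "Result = ..." comments of the disassembly. Two things are assumed: that the 64-character key is the hex dump of the four little-endian IEEE-754 doubles X1..X4 the code reads from [esi], [esi+8], [esi+10] and [esi+18] (the two keys quoted above decode to values for which a common Y exists, which is how that assumption was checked), and that Y is supplied by the caller, because the name-to-Y computation is not reproduced here; the Y = 1647.4 used in the demo is a hypothetical value, not one the post states.

```python
"""
Solver and key checker for the riijj CrackMe11 equation system.

Added example, not code from the original post. Assumptions:
  * the 64 hex characters of the key are the raw little-endian bytes of the
    four IEEE-754 doubles X1..X4 that the code loads from [esi], [esi+8],
    [esi+10] and [esi+18];
  * Y, the value the program derives from the user name, is supplied by the
    caller; the name-to-Y routine is not reproduced here.
"""
import struct
from fractions import Fraction

# Coefficients of X1..X4, of Y, and the constant term of each Result, taken
# from the four "Result = ..." comments in the disassembly.
#              X1   X2   X3   X4    Y  const
EQUATIONS = [
    (112,  37,  60,   5,   7, 100),
    ( 67,  39,  30,  50,  12,  80),
    ( 72,  54,  33,  28,  15,  92),
    ( 80,  60,  42,  20,  21, 105),
]
TOLERANCE = 5.0   # sub 00401000 returns 1 only for -5 < Result < 5

# The two keys quoted in the post, used here as test data for the decoder.
KEY_HAW = "008BD375CC1C7440217B1EA657D468C02F4268FF726580C084FA2BA733C851C0"
KEY_HAWKING = "B850BEFC46DA9140B68FCB818B1F86C084E702195B269DC0A21C10126DAA6FC0"


def residuals(y, xs):
    """The four Result values the program computes for a given Y and X1..X4."""
    x1, x2, x3, x4 = xs
    return [a * x1 + b * x2 + c * x3 + d * x4 + ky * y - k
            for a, b, c, d, ky, k in EQUATIONS]


def key_is_valid(y, xs):
    """True when every Result passes the open-interval test of sub 00401000."""
    return all(-TOLERANCE < r < TOLERANCE for r in residuals(y, xs))


def solve_exact(y):
    """Solve the 4x4 system Result == 0 for X1..X4 by Gauss-Jordan elimination.

    Done over Fractions so the only rounding is the final conversion to double.
    The coefficient matrix is nonsingular (det = 494076), so the solution is unique.
    """
    rows = [[Fraction(a), Fraction(b), Fraction(c), Fraction(d),
             Fraction(k) - Fraction(ky) * Fraction(y)]
            for a, b, c, d, ky, k in EQUATIONS]
    n = len(rows)
    for col in range(n):
        pivot = next(r for r in range(col, n) if rows[r][col] != 0)
        rows[col], rows[pivot] = rows[pivot], rows[col]
        for r in range(n):
            if r != col and rows[r][col] != 0:
                factor = rows[r][col] / rows[col][col]
                rows[r] = [v - factor * p for v, p in zip(rows[r], rows[col])]
    return [float(rows[i][n] / rows[i][i]) for i in range(n)]


def encode_key(xs):
    """Pack X1..X4 as four little-endian doubles and render them as 64 hex chars."""
    return struct.pack("<4d", *xs).hex().upper()


def decode_key(key_hex):
    """Inverse of encode_key; like the program, ignores anything past 64 chars."""
    return list(struct.unpack("<4d", bytes.fromhex(key_hex[:64])))


def y_window(xs):
    """Open interval of Y values for which a decoded key passes all four checks.

    Each Result is linear in Y with a positive coefficient, so check i passes
    for Y in ((-5 - base_i) / ky_i, (5 - base_i) / ky_i); intersect the four.
    Returns None when the intersection is empty, i.e. the key can never work.
    """
    x1, x2, x3, x4 = xs
    lo, hi = float("-inf"), float("inf")
    for a, b, c, d, ky, k in EQUATIONS:
        base = a * x1 + b * x2 + c * x3 + d * x4 - k
        lo = max(lo, (-TOLERANCE - base) / ky)
        hi = min(hi, (TOLERANCE - base) / ky)
    return (lo, hi) if lo < hi else None


if __name__ == "__main__":
    for name, key in (("haw", KEY_HAW), ("hawking", KEY_HAWKING)):
        xs = decode_key(key)
        print(name, "X1..X4 =", [round(x, 3) for x in xs], "Y window =", y_window(xs))
    # Keygen step: take the Y the program derives from the chosen name
    # (hypothetical value here) and emit the exact solution as a key.
    y = 1647.4
    xs = solve_exact(y)
    print("exact X for Y=%.1f:" % y, xs, "valid:", key_is_valid(y, xs))
    print("key:", encode_key(xs))
```

Running the block prints, for each quoted key, the window of Y values it tolerates; a common Y exists for both, which is the evidence for the hex-doubles assumption. To turn this into a real keygen, replace the hypothetical Y with the value produced by the program's name routine and feed it to solve_exact.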
--------------------------------------------------------------------------------
【Copyright notice】: This article was originally written for the Pediy (看雪) technical forum; when reposting, please credit the author and keep the article intact. Thank you!
2007-01-17 23:27:58