首页
社区
课程
招聘
[原创]riijj CrackMe11 算法简析
发表于: 2007-1-17 23:24 6390

[原创]riijj CrackMe11 算法简析

2007-1-17 23:24
6390

【文章标题】: riijj CrackMe11 算法简析
【文章作者】: hawking
【作者邮箱】: rich_hawking@hotmail.com
【软件名称】: riijj crackme service pack 2 (第二修正版)
【软件大小】: 52K
【下载地址】: http://bbs.pediy.com/attachment.php?s=&attachmentid=4074
【加壳方式】: 无
【编写语言】: Microsoft Visual C++ 6.0
【使用工具】: OD
【操作平台】: Win2000 SP4
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
  这个CrackMe有一些Anti,直接用OD打开调试的话是跑不起来的。Anti部分绫濑遥(http://bbs.pediy.com/showthread.php?s=&threadid=38125)和Ryosuke分析的已经很清楚了,我就不再赘言。
  
  输入试炼码:
  hawking
  12345678901234567890
  

00401710   .  8B4424 08     [color=#0000D0]mov[/color]     [color=#FF0000]eax[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+8]
  00401714   .  3D 10010000   [color=#0000D0]cmp[/color]     [color=#FF0000]eax[/color], 110
  00401719   .  75 1C         [color=#0000D0]jnz[/color]     short 00401737
  0040171B   .  8B4424 04     [color=#0000D0]mov[/color]     [color=#FF0000]eax[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+4]
  0040171F   .  68 E8030000   [color=#0000D0]push[/color]    3E8                              [color=#008000]; /ControlID = 3E8 (1000.)[/color]
  00401724   .  50            [color=#0000D0]push[/color]    [color=#FF0000]eax[/color]                              [color=#008000]; |hWnd[/color]
  00401725   .  FF15 14A14000 [color=#0000D0]call[/color]    [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [<&USER32.GetDlgItem>] [color=#008000]; \GetDlgItem[/color]
  0040172B   .  50            [color=#0000D0]push[/color]    [color=#FF0000]eax[/color]                              [color=#008000]; /hWnd[/color]
  0040172C   .  FF15 18A14000 [color=#0000D0]call[/color]    [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [<&USER32.SetFocus>]   [color=#008000]; \SetFocus[/color]
  00401732   >  33C0          [color=#0000D0]xor[/color]     [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
  00401734   .  C2 1000       [color=#0000D0]retn[/color]    10
  00401737   >  3D 11010000   [color=#0000D0]cmp[/color]     [color=#FF0000]eax[/color], 111
  0040173C   .^ 75 F4         [color=#0000D0]jnz[/color]     short 00401732
  0040173E   .  66:817C24 0C >[color=#0000D0]cmp[/color]     [color=#b000b0]word[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+C], 3EA            [color=#008000];  Register Button Handle[/color]
  00401745   .^ 75 EB         [color=#0000D0]jnz[/color]     short 00401732
  00401747   .  56            [color=#0000D0]push[/color]    [color=#FF0000]esi[/color]
  00401748   .  8B7424 14     [color=#0000D0]mov[/color]     [color=#FF0000]esi[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+14]
  0040174C   .  57            [color=#0000D0]push[/color]    [color=#FF0000]edi[/color]
  0040174D   .  8B3D 1CA14000 [color=#0000D0]mov[/color]     [color=#FF0000]edi[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [<&USER32.EnableW>[color=#008000];  USER32.EnableWindow[/color]
  00401753   .  6A 00         [color=#0000D0]push[/color]    0                                [color=#008000]; /Enable = FALSE[/color]
  00401755   .  56            [color=#0000D0]push[/color]    [color=#FF0000]esi[/color]                              [color=#008000]; |hWnd[/color]
  00401756   .  FFD7          [color=#0000D0]call[/color]    [color=#FF0000]edi[/color]                              [color=#008000]; \EnableWindow[/color]
  00401758   .  E8 F3040000   [color=#0000D0]call[/color]    00401C50                         [color=#008000];  get name and key string[/color]
  0040175D   .  6A 01         [color=#0000D0]push[/color]    1
  0040175F   .  56            [color=#0000D0]push[/color]    [color=#FF0000]esi[/color]
  00401760   .  FFD7          [color=#0000D0]call[/color]    [color=#FF0000]edi[/color]
  00401762   .  5F            [color=#0000D0]pop[/color]     [color=#FF0000]edi[/color]
  00401763   .  33C0          [color=#0000D0]xor[/color]     [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
  00401765   .  5E            [color=#0000D0]pop[/color]     [color=#FF0000]esi[/color]
  00401766   .  C2 1000       [color=#0000D0]retn[/color]    10
  
00401B46  |.  A1 CCDD4000   [color=#0000D0]mov[/color]     [color=#FF0000]eax[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [40DDCC]
  00401B4B  |.  68 101B4000   [color=#0000D0]push[/color]    00401B10                         [color=#008000]; /Timerproc = riijjcm1.00401B10  [/color]
  00401B50  |.  68 F4010000   [color=#0000D0]push[/color]    1F4                              [color=#008000]; |Timeout = 500. ms[/color]
  00401B55  |.  6A 01         [color=#0000D0]push[/color]    1                                [color=#008000]; |TimerID = 1[/color]
  00401B57  |.  50            [color=#0000D0]push[/color]    [color=#FF0000]eax[/color]                              [color=#008000]; |hWnd => 00130752 ('Riijj crackme 11 - 20070115',class='myWindowClass')[/color]
  00401B58  |.  FF15 E0A04000 [color=#0000D0]call[/color]    [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [<&USER32.SetTimer>]   [color=#008000]; \SetTimer[/color]
  00401B5E  |.  C705 D4DD4000>[color=#0000D0]mov[/color]     [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [40DDD4], 0
  00401B68  |.  C3            [color=#0000D0]retn[/color]
  
00401880  /$  81EC 9C000000 [color=#0000D0]sub[/color]     [color=#FF0000]esp[/color], 9C
  00401886  |.  B0 E9         [color=#0000D0]mov[/color]     [color=#FF0000]al[/color], 0E9
  00401888  |.  C64424 02 B6  [color=#0000D0]mov[/color]     [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+2], 0B6
  0040188D  |.  884424 03     [color=#0000D0]mov[/color]     [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+3], [color=#FF0000]al[/color]
  00401891  |.  884424 01     [color=#0000D0]mov[/color]     [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+1], [color=#FF0000]al[/color]
  00401895  |.  A1 D4DD4000   [color=#0000D0]mov[/color]     [color=#FF0000]eax[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [40DDD4]
  0040189A  |.  C64424 00 BF  [color=#0000D0]mov[/color]     [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]], 0BF
  0040189F  |.  85C0          [color=#0000D0]test[/color]    [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
  004018A1  |.  0F85 F0000000 [color=#0000D0]jnz[/color]     00401997
  004018A7  |.  8D4424 02     [color=#0000D0]lea[/color]     [color=#FF0000]eax[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+2]
  004018AB  |.  56            [color=#0000D0]push[/color]    [color=#FF0000]esi[/color]
  004018AC  |.  50            [color=#0000D0]push[/color]    [color=#FF0000]eax[/color]
  004018AD  |.  C705 D4DD4000>[color=#0000D0]mov[/color]     [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [40DDD4], 1
  004018B7  |.  E8 D4FEFFFF   [color=#0000D0]call[/color]    00401790
  004018BC  |.  8D4C24 08     [color=#0000D0]lea[/color]     [color=#FF0000]ecx[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+8]
  004018C0  |.  51            [color=#0000D0]push[/color]    [color=#FF0000]ecx[/color]
  004018C1  |.  E8 CAFEFFFF   [color=#0000D0]call[/color]    00401790
  004018C6  |.  A1 D8DD4000   [color=#0000D0]mov[/color]     [color=#FF0000]eax[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [40DDD8]
  004018CB  |.  8D5424 0E     [color=#0000D0]lea[/color]     [color=#FF0000]edx[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+E]
  004018CF  |.  52            [color=#0000D0]push[/color]    [color=#FF0000]edx[/color]
  004018D0  |.  50            [color=#0000D0]push[/color]    [color=#FF0000]eax[/color]
  004018D1  |.  E8 6AFFFFFF   [color=#0000D0]call[/color]    00401840
  004018D6  |.  8B15 DCDD4000 [color=#0000D0]mov[/color]     [color=#FF0000]edx[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [40DDDC]
  004018DC  |.  8D4C24 14     [color=#0000D0]lea[/color]     [color=#FF0000]ecx[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+14]
  004018E0  |.  51            [color=#0000D0]push[/color]    [color=#FF0000]ecx[/color]
  004018E1  |.  52            [color=#0000D0]push[/color]    [color=#FF0000]edx[/color]
  004018E2  |.  8BF0          [color=#0000D0]mov[/color]     [color=#FF0000]esi[/color], [color=#FF0000]eax[/color]
  004018E4  |.  E8 57FFFFFF   [color=#0000D0]call[/color]    00401840
  004018E9  |.  83C4 18       [color=#0000D0]add[/color]     [color=#FF0000]esp[/color], 18
  004018EC  |.  8BD0          [color=#0000D0]mov[/color]     [color=#FF0000]edx[/color], [color=#FF0000]eax[/color]
  004018EE  |.  85F6          [color=#0000D0]test[/color]    [color=#FF0000]esi[/color], [color=#FF0000]esi[/color]
  004018F0  |.  74 67         [color=#0000D0]je[/color]      short 00401959
  004018F2  |.  85D2          [color=#0000D0]test[/color]    [color=#FF0000]edx[/color], [color=#FF0000]edx[/color]
  004018F4  |.  74 63         [color=#0000D0]je[/color]      short 00401959
  004018F6  |.  53            [color=#0000D0]push[/color]    [color=#FF0000]ebx[/color]
  004018F7  |.  57            [color=#0000D0]push[/color]    [color=#FF0000]edi[/color]
  004018F8  |.  8D7E 02       [color=#0000D0]lea[/color]     [color=#FF0000]edi[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+2]
  004018FB  |.  83C9 FF       [color=#0000D0]or[/color]      [color=#FF0000]ecx[/color], FFFFFFFF
  004018FE  |.  33C0          [color=#0000D0]xor[/color]     [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
  00401900  |.  8D5C24 10     [color=#0000D0]lea[/color]     [color=#FF0000]ebx[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+10]
  00401904  |.  F2:AE         [color=#0000D0]repne[/color]   [color=#0000D0]scas[/color] [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [color=#FF0000]es[/color]:[[color=#FF0000]edi[/color]]
  00401906  |.  F7D1          [color=#0000D0]not[/color]     [color=#FF0000]ecx[/color]
  00401908  |.  2BF9          [color=#0000D0]sub[/color]     [color=#FF0000]edi[/color], [color=#FF0000]ecx[/color]
  0040190A  |.  8BC1          [color=#0000D0]mov[/color]     [color=#FF0000]eax[/color], [color=#FF0000]ecx[/color]
  0040190C  |.  8BF7          [color=#0000D0]mov[/color]     [color=#FF0000]esi[/color], [color=#FF0000]edi[/color]
  0040190E  |.  8BFB          [color=#0000D0]mov[/color]     [color=#FF0000]edi[/color], [color=#FF0000]ebx[/color]
  00401910  |.  C1E9 02       [color=#0000D0]shr[/color]     [color=#FF0000]ecx[/color], 2
  00401913  |.  F3:A5         [color=#0000D0]rep[/color]     [color=#0000D0]movs[/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [color=#FF0000]es[/color]:[[color=#FF0000]edi[/color]], [color=#b000b0]dword[/color] p>
  00401915  |.  8BC8          [color=#0000D0]mov[/color]     [color=#FF0000]ecx[/color], [color=#FF0000]eax[/color]
  00401917  |.  33C0          [color=#0000D0]xor[/color]     [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
  00401919  |.  83E1 03       [color=#0000D0]and[/color]     [color=#FF0000]ecx[/color], 3
  0040191C  |.  F3:A4         [color=#0000D0]rep[/color]     [color=#0000D0]movs[/color] [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [color=#FF0000]es[/color]:[[color=#FF0000]edi[/color]], [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color]>
  0040191E  |.  8D7A 02       [color=#0000D0]lea[/color]     [color=#FF0000]edi[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]edx[/color]+2]
  00401921  |.  83C9 FF       [color=#0000D0]or[/color]      [color=#FF0000]ecx[/color], FFFFFFFF
  00401924  |.  F2:AE         [color=#0000D0]repne[/color]   [color=#0000D0]scas[/color] [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [color=#FF0000]es[/color]:[[color=#FF0000]edi[/color]]
  00401926  |.  F7D1          [color=#0000D0]not[/color]     [color=#FF0000]ecx[/color]
  00401928  |.  2BF9          [color=#0000D0]sub[/color]     [color=#FF0000]edi[/color], [color=#FF0000]ecx[/color]
  0040192A  |.  8D5424 44     [color=#0000D0]lea[/color]     [color=#FF0000]edx[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+44]
  0040192E  |.  8BC1          [color=#0000D0]mov[/color]     [color=#FF0000]eax[/color], [color=#FF0000]ecx[/color]
  00401930  |.  8BF7          [color=#0000D0]mov[/color]     [color=#FF0000]esi[/color], [color=#FF0000]edi[/color]
  00401932  |.  8BFA          [color=#0000D0]mov[/color]     [color=#FF0000]edi[/color], [color=#FF0000]edx[/color]
  00401934  |.  C1E9 02       [color=#0000D0]shr[/color]     [color=#FF0000]ecx[/color], 2
  00401937  |.  F3:A5         [color=#0000D0]rep[/color]     [color=#0000D0]movs[/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [color=#FF0000]es[/color]:[[color=#FF0000]edi[/color]], [color=#b000b0]dword[/color] p>
  00401939  |.  8BC8          [color=#0000D0]mov[/color]     [color=#FF0000]ecx[/color], [color=#FF0000]eax[/color]
  0040193B  |.  83E1 03       [color=#0000D0]and[/color]     [color=#FF0000]ecx[/color], 3
  0040193E  |.  F3:A4         [color=#0000D0]rep[/color]     [color=#0000D0]movs[/color] [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [color=#FF0000]es[/color]:[[color=#FF0000]edi[/color]], [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color]>
  00401940  |.  E8 DB010000   [color=#0000D0]call[/color]    00401B20
  00401945  |.  8D4C24 44     [color=#0000D0]lea[/color]     [color=#FF0000]ecx[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+44]
  00401949  |.  8D5424 10     [color=#0000D0]lea[/color]     [color=#FF0000]edx[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+10]
  0040194D  |.  51            [color=#0000D0]push[/color]    [color=#FF0000]ecx[/color]
  0040194E  |.  52            [color=#0000D0]push[/color]    [color=#FF0000]edx[/color]
  0040194F  |.  E8 9CF7FFFF   [color=#0000D0]call[/color]    004010F0                                            [color=#008000];关键Call F7跟进[/color]
  00401954  |.  83C4 08       [color=#0000D0]add[/color]     [color=#FF0000]esp[/color], 8
  00401957  |.  5F            [color=#0000D0]pop[/color]     [color=#FF0000]edi[/color]
  00401958  |.  5B            [color=#0000D0]pop[/color]     [color=#FF0000]ebx[/color]
  00401959  |>  E8 72050000   [color=#0000D0]call[/color]    00401ED0
  0040195E  |.  99            [color=#0000D0]cdq[/color]
  0040195F  |.  B9 84030000   [color=#0000D0]mov[/color]     [color=#FF0000]ecx[/color], 384
  00401964  |.  F7F9          [color=#0000D0]idiv[/color]    [color=#FF0000]ecx[/color]
  00401966  |.  0315 C8DD4000 [color=#0000D0]add[/color]     [color=#FF0000]edx[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [40DDC8]
  0040196C  |.  8915 D8DD4000 [color=#0000D0]mov[/color]     [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [40DDD8], [color=#FF0000]edx[/color]
  00401972  |.  E8 59050000   [color=#0000D0]call[/color]    00401ED0
  00401977  |.  99            [color=#0000D0]cdq[/color]
  00401978  |.  B9 84030000   [color=#0000D0]mov[/color]     [color=#FF0000]ecx[/color], 384
  0040197D  |.  C705 D4DD4000>[color=#0000D0]mov[/color]     [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [40DDD4], 0
  00401987  |.  F7F9          [color=#0000D0]idiv[/color]    [color=#FF0000]ecx[/color]
  00401989  |.  A1 E4DD4000   [color=#0000D0]mov[/color]     [color=#FF0000]eax[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [40DDE4]
  0040198E  |.  5E            [color=#0000D0]pop[/color]     [color=#FF0000]esi[/color]
  0040198F  |.  03D0          [color=#0000D0]add[/color]     [color=#FF0000]edx[/color], [color=#FF0000]eax[/color]
  00401991  |.  8915 DCDD4000 [color=#0000D0]mov[/color]     [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [40DDDC], [color=#FF0000]edx[/color]
  00401997  |>  81C4 9C000000 [color=#0000D0]add[/color]     [color=#FF0000]esp[/color], 9C
  0040199D  \.  C3            [color=#0000D0]retn[/color]
  
  004010F0  /$  83EC 0C       [color=#0000D0]sub[/color]     [color=#FF0000]esp[/color], 0C
  004010F3  |.  8B5424 10     [color=#0000D0]mov[/color]     [color=#FF0000]edx[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+10]
  004010F7  |.  56            [color=#0000D0]push[/color]    [color=#FF0000]esi[/color]
  004010F8  |.  57            [color=#0000D0]push[/color]    [color=#FF0000]edi[/color]
  004010F9  |.  8BFA          [color=#0000D0]mov[/color]     [color=#FF0000]edi[/color], [color=#FF0000]edx[/color]
  004010FB  |.  83C9 FF       [color=#0000D0]or[/color]      [color=#FF0000]ecx[/color], FFFFFFFF
  004010FE  |.  33C0          [color=#0000D0]xor[/color]     [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
  00401100  |.  F2:AE         [color=#0000D0]repne[/color]   [color=#0000D0]scas[/color] [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [color=#FF0000]es[/color]:[[color=#FF0000]edi[/color]]
  00401102  |.  F7D1          [color=#0000D0]not[/color]     [color=#FF0000]ecx[/color]
  00401104  |.  49            [color=#0000D0]dec[/color]     [color=#FF0000]ecx[/color]
  00401105  |.  8BF1          [color=#0000D0]mov[/color]     [color=#FF0000]esi[/color], [color=#FF0000]ecx[/color]
  00401107  |.  33C9          [color=#0000D0]xor[/color]     [color=#FF0000]ecx[/color], [color=#FF0000]ecx[/color]
  00401109  |.  85F6          [color=#0000D0]test[/color]    [color=#FF0000]esi[/color], [color=#FF0000]esi[/color]
  0040110B  |.  897424 10     [color=#0000D0]mov[/color]     [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+10], [color=#FF0000]esi[/color]
  0040110F  |.  7E 18         [color=#0000D0]jle[/color]     short 00401129
  00401111  |>  8A0411        /[color=#0000D0]mov[/color]     [color=#FF0000]al[/color], [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]ecx[/color]+[color=#FF0000]edx[/color]]
  00401114  |.  3C 20         |[color=#0000D0]cmp[/color]     [color=#FF0000]al[/color], 20
  00401116  |.  0F8C AA000000 |[color=#0000D0]jl[/color]      004011C6
  0040111C  |.  3C 7E         |[color=#0000D0]cmp[/color]     [color=#FF0000]al[/color], 7E
  0040111E  |.  0F8F A2000000 |[color=#0000D0]jg[/color]      004011C6
  00401124  |.  41            |[color=#0000D0]inc[/color]     [color=#FF0000]ecx[/color]
  00401125  |.  3BCE          |[color=#0000D0]cmp[/color]     [color=#FF0000]ecx[/color], [color=#FF0000]esi[/color]
  00401127  |.^ 7C E8         \jl      short 00401111                                   [color=#008000];name必须为可见字符[/color]
  00401129  |>  53            [color=#0000D0]push[/color]    [color=#FF0000]ebx[/color]
  0040112A  |.  55            [color=#0000D0]push[/color]    [color=#FF0000]ebp[/color]
  0040112B  |.  8B6C24 24     [color=#0000D0]mov[/color]     [color=#FF0000]ebp[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+24]
  0040112F  |.  83C9 FF       [color=#0000D0]or[/color]      [color=#FF0000]ecx[/color], FFFFFFFF
  00401132  |.  8BFD          [color=#0000D0]mov[/color]     [color=#FF0000]edi[/color], [color=#FF0000]ebp[/color]
  00401134  |.  33C0          [color=#0000D0]xor[/color]     [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
  00401136  |.  F2:AE         [color=#0000D0]repne[/color]   [color=#0000D0]scas[/color] [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [color=#FF0000]es[/color]:[[color=#FF0000]edi[/color]]
  00401138  |.  F7D1          [color=#0000D0]not[/color]     [color=#FF0000]ecx[/color]
  0040113A  |.  49            [color=#0000D0]dec[/color]     [color=#FF0000]ecx[/color]
  0040113B  |.  6A 20         [color=#0000D0]push[/color]    20
  0040113D  |.  8BD9          [color=#0000D0]mov[/color]     [color=#FF0000]ebx[/color], [color=#FF0000]ecx[/color]
  0040113F  |.  E8 D00C0000   [color=#0000D0]call[/color]    00401E14
  00401144  |.  83C4 04       [color=#0000D0]add[/color]     [color=#FF0000]esp[/color], 4
  00401147  |.  8BF8          [color=#0000D0]mov[/color]     [color=#FF0000]edi[/color], [color=#FF0000]eax[/color]
  00401149  |.  33F6          [color=#0000D0]xor[/color]     [color=#FF0000]esi[/color], [color=#FF0000]esi[/color]
  0040114B  |.  897C24 10     [color=#0000D0]mov[/color]     [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+10], [color=#FF0000]edi[/color]
  0040114F  |.  85DB          [color=#0000D0]test[/color]    [color=#FF0000]ebx[/color], [color=#FF0000]ebx[/color]
  00401151  |.  7E 28         [color=#0000D0]jle[/color]     short 0040117B
  00401153  |>  8D4424 24     /[color=#0000D0]lea[/color]     [color=#FF0000]eax[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+24]
  00401157  |.  8D0C2E        |[color=#0000D0]lea[/color]     [color=#FF0000]ecx[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esi[/color]+[color=#FF0000]ebp[/color]]
  0040115A  |.  50            |[color=#0000D0]push[/color]    [color=#FF0000]eax[/color]
  0040115B  |.  68 94B04000   |[color=#0000D0]push[/color]    0040B094                        [color=#008000];  ASCII "%2X"[/color]
  00401160  |.  51            |[color=#0000D0]push[/color]    [color=#FF0000]ecx[/color]
  00401161  |.  E8 7A0C0000   |[color=#0000D0]call[/color]    00401DE0
  00401166  |.  8A5424 30     |[color=#0000D0]mov[/color]     [color=#FF0000]dl[/color], [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+30]
  0040116A  |.  83C4 0C       |[color=#0000D0]add[/color]     [color=#FF0000]esp[/color], 0C
  0040116D  |.  8817          |[color=#0000D0]mov[/color]     [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]edi[/color]], [color=#FF0000]dl[/color]
  0040116F  |.  83C6 02       |[color=#0000D0]add[/color]     [color=#FF0000]esi[/color], 2
  00401172  |.  47            |[color=#0000D0]inc[/color]     [color=#FF0000]edi[/color]
  00401173  |.  3BF3          |[color=#0000D0]cmp[/color]     [color=#FF0000]esi[/color], [color=#FF0000]ebx[/color]
  00401175  |.^ 7C DC         \jl      short 00401153                               [color=#008000];把我们输入的key当成Hex字符串进行转换 暂且称之为X[/color]
  00401177  |.  8B7C24 10     [color=#0000D0]mov[/color]     [color=#FF0000]edi[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+10]
  0040117B  |>  DD05 48A14000 [color=#0000D0]fld[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A148]                            [color=#008000];st(1) = 1.00000000[/color]
  00401181  |.  8B4C24 18     [color=#0000D0]mov[/color]     [color=#FF0000]ecx[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+18]
  00401185  |.  33C0          [color=#0000D0]xor[/color]     [color=#FF0000]eax[/color], [color=#FF0000]eax[/color]
  00401187  |.  DD5424 10     [color=#0000D0]fst[/color]     [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+10]
  0040118B  |.  5D            [color=#0000D0]pop[/color]     [color=#FF0000]ebp[/color]
  0040118C  |.  5B            [color=#0000D0]pop[/color]     [color=#FF0000]ebx[/color]
  0040118D  |.  85C9          [color=#0000D0]test[/color]    [color=#FF0000]ecx[/color], [color=#FF0000]ecx[/color]                                       [color=#008000];length of name[/color]
  0040118F  |.  7E 3B         [color=#0000D0]jle[/color]     short 004011CC
  00401191  |>  8B5424 18     /[color=#0000D0]mov[/color]     [color=#FF0000]edx[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+18]                       [color=#008000];name[/color]
  00401195  |.  40            |[color=#0000D0]inc[/color]     [color=#FF0000]eax[/color]                                           [color=#008000];i++[/color]
  00401196  |.  3BC1          |[color=#0000D0]cmp[/color]     [color=#FF0000]eax[/color], [color=#FF0000]ecx[/color]                                      [color=#008000];i<length of name?[/color]
  00401198  |.  0FBE5410 FF   |[color=#0000D0]movsx[/color]   [color=#FF0000]edx[/color], [color=#b000b0]byte[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]eax[/color]+[color=#FF0000]edx[/color]-1]                     [color=#008000];name[i][/color]
  0040119D  |.  895424 10     |[color=#0000D0]mov[/color]     [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+10], [color=#FF0000]edx[/color]                       [color=#008000];st(0) = name[i][/color]
  004011A1  |.  DB4424 10     |[color=#0000D0]fild[/color]    [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+10]
  004011A5  |.  DEC1          |[color=#0000D0]faddp[/color]   [color=#FF0000]st[/color](1), [color=#FF0000]st[/color]                                     [color=#008000];st(1) = st(1) + st(0)[/color]
  004011A7  |.  DC0D 40A14000 |[color=#0000D0]fmul[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [40A140]                            [color=#008000];st(1) = st(1) * 1.20000000[/color]
  004011AD  |.^ 7C E2         \jl      short 00401191                                [color=#008000];最后的结果作为我们最终验算的一个参数,暂且称之为Y[/color]
  004011AF  |.  DD5C24 08     [color=#0000D0]fstp[/color]    [color=#b000b0]qword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+8]
  004011B3  |>  8B4424 0C     [color=#0000D0]mov[/color]     [color=#FF0000]eax[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+C]
  004011B7  |.  8B4C24 08     [color=#0000D0]mov[/color]     [color=#FF0000]ecx[/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000]esp[/color]+8]
  004011BB  |.  57            [color=#0000D0]push[/color]    [color=#FF0000]edi[/color]                                             [color=#008000];X地址[/color]
  004011BC  |.  50            [color=#0000D0]push[/color]    [color=#FF0000]eax[/color]                                             [color=#008000];Y值高位[/color]
  004011BD  |.  51            [color=#0000D0]push[/color]    [color=#FF0000]ecx[/color]                                             [color=#008000];Y值低位[/color]
  004011BE  |.  E8 1D010000   [color=#0000D0]call[/color]    004012E0                                        [color=#008000];关键Call F7跟进[/color]
  004011C3  |.  83C4 0C       [color=#0000D0]add[/color]     [color=#FF0000]esp[/color], 0C
  004011C6  |>  5F            [color=#0000D0]pop[/color]     [color=#FF0000]edi[/color]
  004011C7  |.  5E            [color=#0000D0]pop[/color]     [color=#FF0000]esi[/color]
  004011C8  |.  83C4 0C       [color=#0000D0]add[/color]     [color=#FF0000]esp[/color], 0C
  004011CB  |.  C3            [color=#0000D0]retn[/color]
  004011CC  |>  DDD8          [color=#0000D0]fstp[/color]    [color=#FF0000]st[/color]
  004011CE  \.^ EB E3         [color=#0000D0]jmp[/color]     short 004011B3
  

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

收藏
免费 7
支持
分享
最新回复 (7)
雪    币: 2319
活跃值: (565)
能力值: (RANK:300 )
在线值:
发帖
回帖
粉丝
2
很清楚  
2007-1-18 00:17
0
雪    币: 191
活跃值: (205)
能力值: ( LV9,RANK:250 )
在线值:
发帖
回帖
粉丝
3
直接解不等式是麻烦了一些,可以换一个思路:从第二个Result<5入手,先根据诸Result=5解出一组根fk1,fk2,fk3,fk4,然后在其中某个或某几个根上加上一个适当小的浮点数即可使不等号满足。

btw:关于解方程组的算法,有很多;我用的是列主元的Gauss消去法。

附件中,为KG代码的关键部分。
上传的附件:
2007-1-18 08:41
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
晕倒,都写得那么详细,我还是看不懂,真是痛苦
2007-1-18 09:10
0
雪    币: 1969
活跃值: (46)
能力值: (RANK:550 )
在线值:
发帖
回帖
粉丝
5
写这篇文章主要是因为自己以前没接触过浮点指令,正好借这个机会学习一下。
我对数据结构及算法了解不多,完全是个门外汉, warshon兄台能不能将您写的注册机代码公布出来,让我们学习一下。
2007-1-18 10:44
0
雪    币: 191
活跃值: (205)
能力值: ( LV9,RANK:250 )
在线值:
发帖
回帖
粉丝
6
最初由 hawking 发布
写这篇文章主要是因为自己以前没接触过浮点指令,正好借这个机会学习一下。
我对数据结构及算法了解不多,完全是个门外汉, warshon兄台能不能将您写的注册机代码公布出来,让我们学习一下。


代码见3楼。+U
2007-1-18 12:06
0
雪    币: 1969
活跃值: (46)
能力值: (RANK:550 )
在线值:
发帖
回帖
粉丝
7
谢谢,学习中。
2007-1-18 12:34
0
雪    币: 297
活跃值: (21)
能力值: ( LV9,RANK:330 )
在线值:
发帖
回帖
粉丝
8
很清楚,支持楼主!
2007-2-6 19:21
0
游客
登录 | 注册 方可回帖
返回
//