【Author】 hbqjxhw[pyg]
【Title】 [Crack] Christmas-KeygenMe#4.Guetta
【Target】 Christmas-KeygenMe#4
【Download】 http://www.crackmes.de/users/guetta/christmas_keygenme/
----------------------------------------------------------------------------------------------
【Tools】 OllyDbg (OD), RSATool2v110, BigCalc, MD5, BASE64, MD5Crack V3.0
【Platform】 WinXP SP2
----------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------
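【Cracking process】
1. PEiD shows that the file is not packed, and it also detects the BASE64, RSA and MD5 algorithms;
2. Load the target in OllyDbg;
3. Set BPX GetDlgItemTextA.
Keep the four breakpoints at 00401EEA, 00401F0C, 00401F29 and 00401F4B, and remove the one at 004029A0 with F2. Why? Try it yourself and you will see.
Then trace through the code step by step: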
00401ED5 /$ 55 PUSH EBP ; (Initial CPU selection)
00401ED6 |. 8BEC MOV EBP,ESP
00401ED8 |. 53 PUSH EBX
00401ED9 |. 56 PUSH ESI
00401EDA |. 57 PUSH EDI
00401EDB |. 6A 40 PUSH 40 ; /Count = 40 (64.)
00401EDD |. 68 26814000 PUSH Christma.00408126 ; |Buffer = Christma.00408126
00401EE2 |. 68 94010000 PUSH 194 ; |ControlID = 194 (404.)
00401EE7 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401EEA |. E8 450F0000 CALL <Christma.GetDlgItemTextA> ; \GetDlgItemTextA
00401EEF |. 83F8 02 CMP EAX,2 ; Check that the Name length is at least 2
00401EF2 |. 0F82 15020000 JB Christma.0040210D
00401EF8 |. A2 89834000 MOV BYTE PTR DS:[408389],AL
00401EFD |. 6A 40 PUSH 40 ; /Count = 40 (64.)
00401EFF |. 68 E6814000 PUSH Christma.004081E6 ; |Invalid registration informations.
00401F04 |. 68 95010000 PUSH 195 ; |ControlID = 195 (405.)
00401F09 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401F0C |. E8 230F0000 CALL <Christma.GetDlgItemTextA> ; \GetDlgItemTextA
00401F11 |. 83F8 02 CMP EAX,2 ; Check that the Serial length is at least 2
00401F14 |. 0F82 F3010000 JB Christma.0040210D
00401F1A |. 6A 40 PUSH 40 ; /Count = 40 (64.)
00401F1C |. 68 66814000 PUSH Christma.00408166 ; |Buffer = Christma.00408166
00401F21 |. 68 99010000 PUSH 199 ; |ControlID = 199 (409.)
00401F26 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401F29 |. E8 060F0000 CALL <Christma.GetDlgItemTextA> ; \GetDlgItemTextA
00401F2E |. 83F8 02 CMP EAX,2 ; Check that the Group length is at least 2
00401F31 |. 0F82 D6010000 JB Christma.0040210D
00401F37 |. A2 8B834000 MOV BYTE PTR DS:[40838B],AL
00401F3C |. 6A 40 PUSH 40 ; /Count = 40 (64.)
00401F3E |. 68 A6814000 PUSH Christma.004081A6 ; |Buffer = Christma.004081A6
00401F43 |. 68 9A010000 PUSH 19A ; |ControlID = 19A (410.)
00401F48 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401F4B |. E8 E40E0000 CALL <Christma.GetDlgItemTextA> ; \GetDlgItemTextA
00401F50 |. 83F8 06 CMP EAX,6 ; Check that the E-Mail length is at least 6
00401F53 |. 0F82 B4010000 JB Christma.0040210D
00401F59 |. A2 8D834000 MOV BYTE PTR DS:[40838D],AL
00401F5E |. 33DB XOR EBX,EBX
00401F60 |. BA A6814000 MOV EDX,Christma.004081A6
00401F65 |> 8A02 /MOV AL,BYTE PTR DS:[EDX]
00401F67 |. 83FB 03 |CMP EBX,3
00401F6A |. 74 19 |JE SHORT Christma.00401F85
00401F6C |. 3C 00 |CMP AL,0
00401F6E |. 0F84 99010000 |JE Christma.0040210D
00401F74 |. 3C 40 |CMP AL,40
00401F76 |. 75 03 |JNZ SHORT Christma.00401F7B
00401F78 |. 83C3 01 |ADD EBX,1
00401F7B |> 3C 2E |CMP AL,2E
00401F7D |. 75 03 |JNZ SHORT Christma.00401F82
00401F7F |. 83C3 02 |ADD EBX,2
00401F82 |> 42 |INC EDX
00401F83 |.^ EB E0 \JMP SHORT Christma.00401F65
00401F85 |> E8 48FBFFFF CALL Christma.00401AD2 ; \Key CALL: how the KeyFile must be created and what it must contain
00401F8A |. 3C 01 CMP AL,1
00401F8C |. 74 06 JE SHORT Christma.00401F94
00401F8E |. 0F85 79010000 JNZ Christma.0040210D
00401F94 |> 33C0 XOR EAX,EAX
Standard MD5 of Name, converted to upper case, keeping the first 15 characters
00401F96 |. A0 89834000 MOV AL,BYTE PTR DS:[408389]
00401F9B |. 68 A4894000 PUSH Christma.004089A4 ; /Arg3 = 004089A4
00401FA0 |. 50 PUSH EAX ; |Arg2
00401FA1 |. 68 26814000 PUSH Christma.00408126 ; |Arg1 = 00408126
00401FA6 |. E8 55F0FFFF CALL Christma.00401000 ; \
00401FAB |. FF35 B0894000 PUSH DWORD PTR DS:[4089B0] ; /<%.8x> = 71EB1925
00401FB1 |. FF35 AC894000 PUSH DWORD PTR DS:[4089AC] ; |<%.8x> = 352217E7
00401FB7 |. FF35 A8894000 PUSH DWORD PTR DS:[4089A8] ; |<%.8x> = 737A9385
00401FBD |. FF35 A4894000 PUSH DWORD PTR DS:[4089A4] ; |<%.8x> = 84CC9A91
00401FC3 |. 68 53804000 PUSH Christma.00408053 ; |%.8x%.8x%.8x%.8x
00401FC8 |. 68 26834000 PUSH Christma.00408326 ; |s = Christma.00408326
00401FCD |. E8 1A0E0000 CALL <Christma.wsprintfA> ; \wsprintfA
00401FD2 |. 83C4 18 ADD ESP,18
00401FD5 |. 68 26834000 PUSH Christma.00408326 ; /StringOrChar = "582C72D779E7F9B"
00401FDA |. E8 190E0000 CALL <Christma.CharUpperA> ; \CharUpperA
00401FDF |. C605 35834000>MOV BYTE PTR DS:[408335],0
00401FE6 |. 33C0 XOR EAX,EAX
Standard MD5 of Group, converted to upper case, keeping the first 15 characters
00401FE8 |. A0 8B834000 MOV AL,BYTE PTR DS:[40838B]
00401FED |. 68 A4894000 PUSH Christma.004089A4 ; /Arg3 = 004089A4
00401FF2 |. 50 PUSH EAX ; |Arg2
00401FF3 |. 68 66814000 PUSH Christma.00408166 ; |Arg1 = 00408166
00401FF8 |. E8 03F0FFFF CALL Christma.00401000 ; \
00401FFD |. FF35 B0894000 PUSH DWORD PTR DS:[4089B0] ; /<%.8x> = 71EB1925
00402003 |. FF35 AC894000 PUSH DWORD PTR DS:[4089AC] ; |<%.8x> = 352217E7
00402009 |. FF35 A8894000 PUSH DWORD PTR DS:[4089A8] ; |<%.8x> = 737A9385
0040200F |. FF35 A4894000 PUSH DWORD PTR DS:[4089A4] ; |<%.8x> = 84CC9A91
00402015 |. 68 53804000 PUSH Christma.00408053 ; |%.8x%.8x%.8x%.8x
0040201A |. 68 47834000 PUSH Christma.00408347 ; |s = Christma.00408347
0040201F |. E8 C80D0000 CALL <Christma.wsprintfA> ; \wsprintfA
00402024 |. 83C4 18 ADD ESP,18
00402027 |. 68 47834000 PUSH Christma.00408347 ; /StringOrChar = "81393C93EE1717E"
0040202C |. E8 C70D0000 CALL <Christma.CharUpperA> ; \CharUpperA
00402031 |. C605 56834000>MOV BYTE PTR DS:[408356],0
00402038 |. 33C0 XOR EAX,EAX
Standard MD5 of E-Mail, converted to upper case, keeping the first 15 characters
0040203A |. A0 8D834000 MOV AL,BYTE PTR DS:[40838D]
0040203F |. 68 A4894000 PUSH Christma.004089A4 ; /Arg3 = 004089A4
00402044 |. 50 PUSH EAX ; |Arg2
00402045 |. 68 A6814000 PUSH Christma.004081A6 ; |Arg1 = 004081A6
0040204A |. E8 B1EFFFFF CALL Christma.00401000 ; \
0040204F |. FF35 B0894000 PUSH DWORD PTR DS:[4089B0] ; /<%.8x> = 71EB1925
00402055 |. FF35 AC894000 PUSH DWORD PTR DS:[4089AC] ; |<%.8x> = 352217E7
0040205B |. FF35 A8894000 PUSH DWORD PTR DS:[4089A8] ; |<%.8x> = 737A9385
00402061 |. FF35 A4894000 PUSH DWORD PTR DS:[4089A4] ; |<%.8x> = 84CC9A91
00402067 |. 68 53804000 PUSH Christma.00408053 ; |%.8x%.8x%.8x%.8x
0040206C |. 68 68834000 PUSH Christma.00408368 ; |s = Christma.00408368
00402071 |. E8 760D0000 CALL <Christma.wsprintfA> ; \wsprintfA
00402076 |. 83C4 18 ADD ESP,18
00402079 |. 68 68834000 PUSH Christma.00408368 ; /StringOrChar = "84CC9A91737A938"
0040207E |. E8 750D0000 CALL <Christma.CharUpperA> ; \CharUpperA
00402083 |. C605 77834000>MOV BYTE PTR DS:[408377],0
0040208A |. 33DB XOR EBX,EBX
0040208C |. BA E6814000 MOV EDX,Christma.004081E6 ; EDX = Serial
00402091 |> 8A02 /MOV AL,BYTE PTR DS:[EDX] ; Serial format check
00402093 |. 83FB 04 |CMP EBX,4 ; Serial format is SN1-SN2-SN3
00402096 |. 74 2E |JE SHORT Christma.004020C6
00402098 |. 3C 00 |CMP AL,0
0040209A |. 74 71 |JE SHORT Christma.0040210D
0040209C |. 3C 2D |CMP AL,2D
0040209E |. 75 23 |JNZ SHORT Christma.004020C3
004020A0 |. 83C3 02 |ADD EBX,2 ; Switch (cases 2..2)
004020A3 |. 83FB 02 |CMP EBX,2
004020A6 |. 74 05 |JE SHORT Christma.004020AD
004020A8 |. 83FB 04 |CMP EBX,4
004020AB |. 74 0B |JE SHORT Christma.004020B8
004020AD |> 8915 8F834000 |MOV DWORD PTR DS:[40838F],EDX ; Default case of switch 004020A0
004020B3 |. C602 00 |MOV BYTE PTR DS:[EDX],0
004020B6 |. EB 0B |JMP SHORT Christma.004020C3
004020B8 |> 8915 94834000 |MOV DWORD PTR DS:[408394],EDX ; Case 2 of switch 004020A0
004020BE |. C602 00 |MOV BYTE PTR DS:[EDX],0
004020C1 |. EB 00 |JMP SHORT Christma.004020C3
004020C3 |> 42 |INC EDX
004020C4 |.^ EB CB \JMP SHORT Christma.00402091
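004020C6 |> E8 7C010000 CALL Christma.00402247 ; Important CALL: RSA computation for the first part, SN1
004020CB |. E8 B5020000 CALL Christma.00402385 ; Important CALL: RSA computation for the second part, SN2
004020D0 |. E8 F2030000 CALL Christma.004024C7 ; Important CALL: RSA computation for the third part, SN3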
004020D5 |. 68 26834000 PUSH Christma.00408326 ; /String2 = "582C72D779E7F9B"
004020DA |. 68 66824000 PUSH Christma.00408266 ; |String1 = "582C72D779E7F9B"
004020DF |. E8 EC0D0000 CALL <Christma.lstrcmpA> ; \lstrcmpA
004020E4 |. 75 27 JNZ SHORT Christma.0040210D ; Do the first 15 characters of MD5(Name) equal the RSA result for SN1?
004020E6 |. 68 47834000 PUSH Christma.00408347 ; /String2 = "81393C93EE1717E"
004020EB |. 68 A6824000 PUSH Christma.004082A6 ; |String1 = "81393C93EE1717E"
004020F0 |. E8 DB0D0000 CALL <Christma.lstrcmpA> ; \lstrcmpA
004020F5 |. 75 16 JNZ SHORT Christma.0040210D ; Do the first 15 characters of MD5(Group) equal the RSA result for SN2?
004020F7 |. 68 68834000 PUSH Christma.00408368 ; /String2 = "84CC9A91737A938"
004020FC |. 68 E6824000 PUSH Christma.004082E6 ; |String1 = "CDC180E6C4ECD06"
00402101 |. E8 CA0D0000 CALL <Christma.lstrcmpA> ; \lstrcmpA
00402106 |. 75 05 JNZ SHORT Christma.0040210D ; Do the first 15 characters of MD5(E-Mail) equal the RSA result for SN3?
00402108 |. E9 9B000000 JMP Christma.004021A8
0040210D |> 68 3C854000 PUSH Christma.0040853C ; /Invalid registration informations.
00402112 |. 68 95010000 PUSH 195 ; |ControlID = 195 (405.)
00402117 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
0040211A |. E8 510D0000 CALL <Christma.SetDlgItemTextA> ; \SetDlgItemTextA
0040211F |. 6A 40 PUSH 40 ; /Length = 40 (64.)
00402121 |. 68 26814000 PUSH Christma.00408126 ; |Destination = Christma.00408126
00402126 |. E8 990D0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
0040212B |. 6A 40 PUSH 40 ; /Length = 40 (64.)
0040212D |. 68 66814000 PUSH Christma.00408166 ; |Destination = Christma.00408166
00402132 |. E8 8D0D0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
00402137 |. 6A 40 PUSH 40 ; /Length = 40 (64.)
00402139 |. 68 A6814000 PUSH Christma.004081A6 ; |Destination = Christma.004081A6
0040213E |. E8 810D0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
00402143 |. 6A 40 PUSH 40 ; /Length = 40 (64.)
00402145 |. 68 66824000 PUSH Christma.00408266 ; |Destination = Christma.00408266
0040214A |. E8 750D0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
0040214F |. 6A 40 PUSH 40 ; /Length = 40 (64.)
00402151 |. 68 A6824000 PUSH Christma.004082A6 ; |Destination = Christma.004082A6
00402156 |. E8 690D0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
0040215B |. 6A 40 PUSH 40 ; /Length = 40 (64.)
0040215D |. 68 E6824000 PUSH Christma.004082E6 ; |Destination = Christma.004082E6
00402162 |. E8 5D0D0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
00402167 |. 6A 40 PUSH 40 ; /Length = 40 (64.)
00402169 |. 68 26834000 PUSH Christma.00408326 ; |Destination = Christma.00408326
0040216E |. E8 510D0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
00402173 |. 6A 40 PUSH 40 ; /Length = 40 (64.)
00402175 |. 68 47834000 PUSH Christma.00408347 ; |Destination = Christma.00408347
0040217A |. E8 450D0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
0040217F |. 6A 40 PUSH 40 ; /Length = 40 (64.)
00402181 |. 68 68834000 PUSH Christma.00408368 ; |Destination = Christma.00408368
00402186 |. E8 390D0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
0040218B |. 6A 40 PUSH 40 ; /Length = 40 (64.)
0040218D |. 68 26824000 PUSH Christma.00408226 ; |Destination = Christma.00408226
00402192 |. E8 2D0D0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
00402197 |. 6A 27 PUSH 27 ; /Length = 27 (39.)
00402199 |. 68 A4894000 PUSH Christma.004089A4 ; |Destination = Christma.004089A4
0040219E |. E8 210D0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
004021A3 |. E9 98000000 JMP Christma.00402240
004021A8 |> 68 36804000 PUSH Christma.00408036 ; /Merry christmas my friend =)
004021AD |. 68 95010000 PUSH 195 ; |ControlID = 195 (405.)
004021B2 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004021B5 |. E8 B60C0000 CALL <Christma.SetDlgItemTextA> ; \SetDlgItemTextA
004021BA |. 6A 40 PUSH 40 ; /Length = 40 (64.)
004021BC |. 68 26814000 PUSH Christma.00408126 ; |Destination = Christma.00408126
004021C1 |. E8 FE0C0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
004021C6 |. 6A 40 PUSH 40 ; /Length = 40 (64.)
004021C8 |. 68 66814000 PUSH Christma.00408166 ; |Destination = Christma.00408166
004021CD |. E8 F20C0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
004021D2 |. 6A 40 PUSH 40 ; /Length = 40 (64.)
004021D4 |. 68 A6814000 PUSH Christma.004081A6 ; |Destination = Christma.004081A6
004021D9 |. E8 E60C0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
004021DE |. 6A 40 PUSH 40 ; /Length = 40 (64.)
004021E0 |. 68 66824000 PUSH Christma.00408266 ; |Destination = Christma.00408266
004021E5 |. E8 DA0C0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
004021EA |. 6A 40 PUSH 40 ; /Length = 40 (64.)
004021EC |. 68 A6824000 PUSH Christma.004082A6 ; |Destination = Christma.004082A6
004021F1 |. E8 CE0C0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
004021F6 |. 6A 40 PUSH 40 ; /Length = 40 (64.)
004021F8 |. 68 E6824000 PUSH Christma.004082E6 ; |Destination = Christma.004082E6
004021FD |. E8 C20C0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
00402202 |. 6A 40 PUSH 40 ; /Length = 40 (64.)
00402204 |. 68 26834000 PUSH Christma.00408326 ; |Destination = Christma.00408326
00402209 |. E8 B60C0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
0040220E |. 6A 40 PUSH 40 ; /Length = 40 (64.)
00402210 |. 68 47834000 PUSH Christma.00408347 ; |Destination = Christma.00408347
00402215 |. E8 AA0C0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
0040221A |. 6A 40 PUSH 40 ; /Length = 40 (64.)
0040221C |. 68 68834000 PUSH Christma.00408368 ; |Destination = Christma.00408368
00402221 |. E8 9E0C0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
00402226 |. 6A 40 PUSH 40 ; /Length = 40 (64.)
00402228 |. 68 26824000 PUSH Christma.00408226 ; |Destination = Christma.00408226
0040222D |. E8 920C0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
00402232 |. 6A 27 PUSH 27 ; /Length = 27 (39.)
00402234 |. 68 A4894000 PUSH Christma.004089A4 ; |Destination = Christma.004089A4
00402239 |. E8 860C0000 CALL <Christma.RtlZeroMemory> ; \RtlZeroMemory
0040223E |. EB 00 JMP SHORT Christma.00402240
00402240 |> 5F POP EDI
00402241 |. 5E POP ESI
00402242 |. 5B POP EBX
00402243 |. C9 LEAVE
00402244 \. C2 0400 RETN 4
------------------------CALL Christma.00401AD2-------------------------
00401AD2 /$ 55 PUSH EBP ; How the KeyFile must be created and what it must contain
00401AD3 |. 8BEC MOV EBP,ESP
00401AD5 |. 83C4 FC ADD ESP,-4
00401AD8 |. 53 PUSH EBX
00401AD9 |. 56 PUSH ESI
00401ADA |. 57 PUSH EDI
00401ADB |. 6A 00 PUSH 0 ; /hTemplateFile = NULL
00401ADD |. 6A 00 PUSH 0 ; |Attributes = 0
00401ADF |. 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
00401AE1 |. 6A 00 PUSH 0 ; |pSecurity = NULL
00401AE3 |. 6A 01 PUSH 1 ; |ShareMode = FILE_SHARE_READ
00401AE5 |. 68 00000080 PUSH 80000000 ; |Access = GENERIC_READ
00401AEA |. 68 73844000 PUSH Christma.00408473 ; |merryREchristmas
00401AEF |. E8 9A130000 CALL <Christma.CreateFileA> ; \CreateFileA
00401AF4 |. 83F8 FF CMP EAX,-1 ; A file named merryREchristmas must exist (create it)
00401AF7 |. 75 05 JNZ SHORT Christma.00401AFE
00401AF9 |. E9 A4020000 JMP Christma.00401DA2
00401AFE |> 6A 00 PUSH 0 ; /pOverlapped = NULL
00401B00 |. 68 CB844000 PUSH Christma.004084CB ; |pBytesRead = Christma.004084CB
00401B05 |. 6A 46 PUSH 46 ; |BytesToRead = 46 (70.)
00401B07 |. 68 84844000 PUSH Christma.00408484 ; |Buffer = Christma.00408484
00401B0C |. 50 PUSH EAX ; |hFile
00401B0D |. E8 AC130000 CALL <Christma.ReadFile> ; \ReadFile
00401B12 |. 85C0 TEST EAX,EAX ; Read the file contents
00401B14 |. 75 05 JNZ SHORT Christma.00401B1B
00401B16 |. E9 87020000 JMP Christma.00401DA2
00401B1B |> A1 84844000 MOV EAX,DWORD PTR DS:[408484]
00401B20 |. A3 F0844000 MOV DWORD PTR DS:[4084F0],EAX
00401B25 |. C605 F3844000>MOV BYTE PTR DS:[4084F3],0
00401B2C |. B8 03000000 MOV EAX,3 ; These lines apparently take the first 3 characters
00401B31 |. 68 A4894000 PUSH Christma.004089A4 ; /Arg3 = 004089A4
00401B36 |. 50 PUSH EAX ; |Arg2 => 00000003
00401B37 |. 68 F0844000 PUSH Christma.004084F0 ; |Arg1 = 004084F0
00401B3C |. E8 BFF4FFFF CALL Christma.00401000 ; \Standard MD5 of the first 3 characters
00401B41 |. FF35 B0894000 PUSH DWORD PTR DS:[4089B0] ; /<%.8x> = 71EB1925
00401B47 |. FF35 AC894000 PUSH DWORD PTR DS:[4089AC] ; |<%.8x> = 352217E7
00401B4D |. FF35 A8894000 PUSH DWORD PTR DS:[4089A8] ; |<%.8x> = 737A9385
00401B53 |. FF35 A4894000 PUSH DWORD PTR DS:[4089A4] ; |<%.8x> = 84CC9A91
00401B59 |. 68 53804000 PUSH Christma.00408053 ; |%.8x%.8x%.8x%.8x
00401B5E |. 68 26834000 PUSH Christma.00408326 ; |s = Christma.00408326
00401B63 |. E8 84120000 CALL <Christma.wsprintfA> ; \wsprintfA
00401B68 |. 83C4 18 ADD ESP,18
00401B6B |. 68 CF844000 PUSH Christma.004084CF ; /3c6e0b8a9c15224a8228b9a98ca1531d
00401B70 |. 68 26834000 PUSH Christma.00408326 ; |String1 = "582C72D779E7F9B"
00401B75 |. E8 56130000 CALL <Christma.lstrcmpA> ; \lstrcmpA
00401B7A |. 74 05 JE SHORT Christma.00401B81 ; Does the standard MD5 of the first 3 characters equal 3c6e0b8a9c15224a8228b9a98ca1531d?
00401B7C |. E9 21020000 JMP Christma.00401DA2 ; MD5Crack V3.0 quickly recovers "key" from 3c6e0b8a9c15224a8228b9a98ca1531d
00401B81 |> 803D 87844000>CMP BYTE PTR DS:[408487],0 ; Is the 4th byte of the merryREchristmas file 0?
00401B88 |. 0F85 14020000 JNZ Christma.00401DA2
00401B8E |. 803D 88844000>CMP BYTE PTR DS:[408488],0 ; Is the 5th byte of the merryREchristmas file 0?
00401B95 |. 0F85 07020000 JNZ Christma.00401DA2
00401B9B |. 803D 99844000>CMP BYTE PTR DS:[408499],0 ; Is the 22nd byte of the merryREchristmas file 0?
00401BA2 |. 0F85 FA010000 JNZ Christma.00401DA2
00401BA8 |. 803D 9A844000>CMP BYTE PTR DS:[40849A],0 ; Is the 23rd byte of the merryREchristmas file 0?
00401BAF |. 0F85 ED010000 JNZ Christma.00401DA2
00401BB5 |. 803D AB844000>CMP BYTE PTR DS:[4084AB],0 ; Is the 40th byte of the merryREchristmas file 0?
00401BBC |. 0F85 E0010000 JNZ Christma.00401DA2
00401BC2 |. 803D AC844000>CMP BYTE PTR DS:[4084AC],0 ; Is the 41st byte of the merryREchristmas file 0?
00401BC9 |. 0F85 D3010000 JNZ Christma.00401DA2
00401BCF |. 803D BD844000>CMP BYTE PTR DS:[4084BD],0 ; Is the 58th byte of the merryREchristmas file 0?
00401BD6 |. 0F85 C6010000 JNZ Christma.00401DA2
00401BDC |. 803D BE844000>CMP BYTE PTR DS:[4084BE],0 ; Is the 59th byte of the merryREchristmas file 0?
00401BE3 |. 0F85 B9010000 JNZ Christma.00401DA2
00401BE9 |. 68 89844000 PUSH Christma.00408489 ; /String = "C2D6D2FFA7BA10D9"
00401BEE |. E8 E3120000 CALL <Christma.lstrlenA> ; \lstrlenA
00401BF3 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00401BF6 |. BE 89844000 MOV ESI,Christma.00408489 ; ASCII "C2D6D2FFA7BA10D9"
00401BFB |. BF E6804000 MOV EDI,Christma.004080E6 ; ASCII "OTU2QTRBNkU5NzcyNTFEMQ=="
00401C00 |> 33C0 /XOR EAX,EAX
00401C02 |. 837D FC 01 |CMP DWORD PTR SS:[EBP-4],1
00401C06 |. 75 10 |JNZ SHORT Christma.00401C18
00401C08 |. AC |LODS BYTE PTR DS:[ESI]
00401C09 |. B9 02000000 |MOV ECX,2
00401C0E |. BA 3D3D0000 |MOV EDX,3D3D
00401C13 |. FF4D FC |DEC DWORD PTR SS:[EBP-4]
00401C16 |. EB 25 |JMP SHORT Christma.00401C3D
00401C18 |> 837D FC 02 |CMP DWORD PTR SS:[EBP-4],2
00401C1C |. 75 12 |JNZ SHORT Christma.00401C30
00401C1E |. 66:AD |LODS WORD PTR DS:[ESI]
00401C20 |. B9 03000000 |MOV ECX,3
00401C25 |. BA 3D000000 |MOV EDX,3D
00401C2A |. 836D FC 02 |SUB DWORD PTR SS:[EBP-4],2
00401C2E |. EB 0D |JMP SHORT Christma.00401C3D
00401C30 |> AD |LODS DWORD PTR DS:[ESI]
00401C31 |. B9 04000000 |MOV ECX,4
00401C36 |. 33D2 |XOR EDX,EDX
00401C38 |. 4E |DEC ESI
00401C39 |. 836D FC 03 |SUB DWORD PTR SS:[EBP-4],3
00401C3D |> 86C4 |XCHG AH,AL
00401C3F |. C1C0 10 |ROL EAX,10
00401C42 |. 86C4 |XCHG AH,AL
00401C44 |> 50 |/PUSH EAX
00401C45 |. 25 000000FC ||AND EAX,FC000000
00401C4A |. C1C0 06 ||ROL EAX,6
00401C4D |. 8A80 64804000 ||MOV AL,BYTE PTR DS:[EAX+40806>
00401C53 |. AA ||STOS BYTE PTR ES:[EDI]
00401C54 |. 58 ||POP EAX
00401C55 |. C1E0 06 ||SHL EAX,6
00401C58 |. 49 ||DEC ECX
00401C59 |.^ 75 E9 |\JNZ SHORT Christma.00401C44
00401C5B |. 837D FC 00 |CMP DWORD PTR SS:[EBP-4],0
00401C5F |.^ 75 9F \JNZ SHORT Christma.00401C00
00401C61 |. 8BC2 MOV EAX,EDX ; Take characters 6 through 21 of the merryREchristmas file and compute their BASE64
00401C63 |. AB STOS DWORD PTR ES:[EDI]
00401C64 |. 68 28844000 PUSH Christma.00408428 ; /QzJENkQyRkZBN0JBMTBEOQ==
00401C69 |. 68 E6804000 PUSH Christma.004080E6 ; |String1 = "OTU2QTRBNkU5NzcyNTFEMQ=="
00401C6E |. E8 5D120000 CALL <Christma.lstrcmpA> ; \lstrcmpA
00401C73 |. 74 05 JE SHORT Christma.00401C7A ; Does the value computed above equal QzJENkQyRkZBN0JBMTBEOQ==?
00401C75 |. E9 28010000 JMP Christma.00401DA2
00401C7A |> 68 9B844000 PUSH Christma.0040849B ; /String = "DC8058C0540D1B89"
00401C7F |. E8 52120000 CALL <Christma.lstrlenA> ; \lstrlenA
00401C84 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00401C87 |. BE 9B844000 MOV ESI,Christma.0040849B ; ASCII "DC8058C0540D1B89"
00401C8C |. BF E6804000 MOV EDI,Christma.004080E6 ; ASCII "OTU2QTRBNkU5NzcyNTFEMQ=="
00401C91 |> 33C0 /XOR EAX,EAX
00401C93 |. 837D FC 01 |CMP DWORD PTR SS:[EBP-4],1
00401C97 |. 75 10 |JNZ SHORT Christma.00401CA9
00401C99 |. AC |LODS BYTE PTR DS:[ESI]
00401C9A |. B9 02000000 |MOV ECX,2
00401C9F |. BA 3D3D0000 |MOV EDX,3D3D
00401CA4 |. FF4D FC |DEC DWORD PTR SS:[EBP-4]
00401CA7 |. EB 25 |JMP SHORT Christma.00401CCE
00401CA9 |> 837D FC 02 |CMP DWORD PTR SS:[EBP-4],2
00401CAD |. 75 12 |JNZ SHORT Christma.00401CC1
00401CAF |. 66:AD |LODS WORD PTR DS:[ESI]
00401CB1 |. B9 03000000 |MOV ECX,3
00401CB6 |. BA 3D000000 |MOV EDX,3D
00401CBB |. 836D FC 02 |SUB DWORD PTR SS:[EBP-4],2
00401CBF |. EB 0D |JMP SHORT Christma.00401CCE
00401CC1 |> AD |LODS DWORD PTR DS:[ESI]
00401CC2 |. B9 04000000 |MOV ECX,4
00401CC7 |. 33D2 |XOR EDX,EDX
00401CC9 |. 4E |DEC ESI
00401CCA |. 836D FC 03 |SUB DWORD PTR SS:[EBP-4],3
00401CCE |> 86C4 |XCHG AH,AL
00401CD0 |. C1C0 10 |ROL EAX,10
00401CD3 |. 86C4 |XCHG AH,AL
00401CD5 |> 50 |/PUSH EAX
00401CD6 |. 25 000000FC ||AND EAX,FC000000
00401CDB |. C1C0 06 ||ROL EAX,6
00401CDE |. 8A80 64804000 ||MOV AL,BYTE PTR DS:[EAX+40806>
00401CE4 |. AA ||STOS BYTE PTR ES:[EDI]
00401CE5 |. 58 ||POP EAX
00401CE6 |. C1E0 06 ||SHL EAX,6
00401CE9 |. 49 ||DEC ECX
00401CEA |.^ 75 E9 |\JNZ SHORT Christma.00401CD5
00401CEC |. 837D FC 00 |CMP DWORD PTR SS:[EBP-4],0
00401CF0 |.^ 75 9F \JNZ SHORT Christma.00401C91
00401CF2 |. 8BC2 MOV EAX,EDX ; Take characters 24 through 39 of the merryREchristmas file and compute their BASE64
00401CF4 |. AB STOS DWORD PTR ES:[EDI]
00401CF5 |. 68 41844000 PUSH Christma.00408441 ; /REM4MDU4QzA1NDBEMUI4OQ==
00401CFA |. 68 E6804000 PUSH Christma.004080E6 ; |String1 = "OTU2QTRBNkU5NzcyNTFEMQ=="
00401CFF |. E8 CC110000 CALL <Christma.lstrcmpA> ; \lstrcmpA
00401D04 |. 74 05 JE SHORT Christma.00401D0B ; Does the value computed above equal REM4MDU4QzA1NDBEMUI4OQ==?
00401D06 |. E9 97000000 JMP Christma.00401DA2
00401D0B |> 68 AD844000 PUSH Christma.004084AD ; /String = "956A4A6E977251D1"
00401D10 |. E8 C1110000 CALL <Christma.lstrlenA> ; \lstrlenA
00401D15 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00401D18 |. BE AD844000 MOV ESI,Christma.004084AD ; ASCII "956A4A6E977251D1"
00401D1D |. BF E6804000 MOV EDI,Christma.004080E6 ; ASCII "OTU2QTRBNkU5NzcyNTFEMQ=="
00401D22 |> 33C0 /XOR EAX,EAX
00401D24 |. 837D FC 01 |CMP DWORD PTR SS:[EBP-4],1
00401D28 |. 75 10 |JNZ SHORT Christma.00401D3A
00401D2A |. AC |LODS BYTE PTR DS:[ESI]
00401D2B |. B9 02000000 |MOV ECX,2
00401D30 |. BA 3D3D0000 |MOV EDX,3D3D
00401D35 |. FF4D FC |DEC DWORD PTR SS:[EBP-4]
00401D38 |. EB 25 |JMP SHORT Christma.00401D5F
00401D3A |> 837D FC 02 |CMP DWORD PTR SS:[EBP-4],2
00401D3E |. 75 12 |JNZ SHORT Christma.00401D52
00401D40 |. 66:AD |LODS WORD PTR DS:[ESI]
00401D42 |. B9 03000000 |MOV ECX,3
00401D47 |. BA 3D000000 |MOV EDX,3D
00401D4C |. 836D FC 02 |SUB DWORD PTR SS:[EBP-4],2
00401D50 |. EB 0D |JMP SHORT Christma.00401D5F
00401D52 |> AD |LODS DWORD PTR DS:[ESI]
00401D53 |. B9 04000000 |MOV ECX,4
00401D58 |. 33D2 |XOR EDX,EDX
00401D5A |. 4E |DEC ESI
00401D5B |. 836D FC 03 |SUB DWORD PTR SS:[EBP-4],3
00401D5F |> 86C4 |XCHG AH,AL
00401D61 |. C1C0 10 |ROL EAX,10
00401D64 |. 86C4 |XCHG AH,AL
00401D66 |> 50 |/PUSH EAX
00401D67 |. 25 000000FC ||AND EAX,FC000000
00401D6C |. C1C0 06 ||ROL EAX,6
00401D6F |. 8A80 64804000 ||MOV AL,BYTE PTR DS:[EAX+40806>
00401D75 |. AA ||STOS BYTE PTR ES:[EDI]
00401D76 |. 58 ||POP EAX
00401D77 |. C1E0 06 ||SHL EAX,6
00401D7A |. 49 ||DEC ECX
00401D7B |.^ 75 E9 |\JNZ SHORT Christma.00401D66
00401D7D |. 837D FC 00 |CMP DWORD PTR SS:[EBP-4],0
00401D81 |.^ 75 9F \JNZ SHORT Christma.00401D22
00401D83 |. 8BC2 MOV EAX,EDX ; Take characters 42 through 57 of the merryREchristmas file and compute their BASE64
00401D85 |. AB STOS DWORD PTR ES:[EDI]
00401D86 |. 68 5A844000 PUSH Christma.0040845A ; /OTU2QTRBNkU5NzcyNTFEMQ==
00401D8B |. 68 E6804000 PUSH Christma.004080E6 ; |String1 = "OTU2QTRBNkU5NzcyNTFEMQ=="
00401D90 |. E8 3B110000 CALL <Christma.lstrcmpA> ; \lstrcmpA
00401D95 |. 74 02 JE SHORT Christma.00401D99 ; Does the value computed above equal OTU2QTRBNkU5NzcyNTFEMQ==?
00401D97 |. EB 09 JMP SHORT Christma.00401DA2
00401D99 |> B0 01 MOV AL,1
00401D9B |. 5F POP EDI
00401D9C |. 5E POP ESI
00401D9D |. 5B POP EBX
00401D9E |. C9 LEAVE
00401D9F |. C2 0400 RETN 4
00401DA2 |> B0 00 MOV AL,0
00401DA4 |. 5F POP EDI
00401DA5 |. 5E POP ESI
00401DA6 |. 5B POP EBX
00401DA7 |. C9 LEAVE
00401DA8 \. C2 0400 RETN 4
Stepping into CALL Christma.00401000, you quickly find the four standard MD5 constants:
00401054 |. C706 01234567 MOV DWORD PTR DS:[ESI],67452301
0040105A |. C746 04 89ABC>MOV DWORD PTR DS:[ESI+4],EFCDAB89
00401061 |. C746 08 FEDCB>MOV DWORD PTR DS:[ESI+8],98BADCFE
00401068 |. C746 0C 76543>MOV DWORD PTR DS:[ESI+C],10325476
----------------------------------------------------------------------------------------------
RSA computation for the first part, SN1
------------------CALL Christma.00402247------------------
00402247 /$ 55 PUSH EBP
00402248 |. 8BEC MOV EBP,ESP
0040224A |. 83C4 F0 ADD ESP,-10
0040224D |. 60 PUSHAD
0040224E |. 6A 00 PUSH 0
00402250 |. E8 DB0C0000 CALL <Christma.__BigCreate@4>
00402255 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00402258 |. 6A 00 PUSH 0
0040225A |. E8 D10C0000 CALL <Christma.__BigCreate@4>
0040225F |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00402262 |. 6A 00 PUSH 0
00402264 |. E8 C70C0000 CALL <Christma.__BigCreate@4>
00402269 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0040226C |. 6A 00 PUSH 0
0040226E |. E8 BD0C0000 CALL <Christma.__BigCreate@4>
00402273 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00402276 |. FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; /Arg3
00402279 |. 6A 10 PUSH 10 ; |Arg2 = 00000010
0040227B |. 68 E6814000 PUSH Christma.004081E6 ; |Invalid registration informations.
00402280 |. E8 4E0E0000 CALL <Christma.__BigIn@12> ; \Christma.004030D3
00402285 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /Arg3
00402288 |. 6A 10 PUSH 10 ; |Arg2 = 00000010
0040228A |. 68 89844000 PUSH Christma.00408489 ; |Arg1 = 00408489 N="C2D6D2FFA7BA10D9"
0040228F |. E8 3F0E0000 CALL <Christma.__BigIn@12> ; \Christma.004030D3
00402294 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; /Arg3
00402297 |. 6A 10 PUSH 10 ; |Arg2 = 00000010
00402299 |. 68 DE834000 PUSH Christma.004083DE ; |E="10001"
0040229E |. E8 300E0000 CALL <Christma.__BigIn@12> ; \Christma.004030D3
004022A3 |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
004022A6 |. FF75 FC PUSH DWORD PTR SS:[EBP-4]
004022A9 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
004022AC |. FF75 F0 PUSH DWORD PTR SS:[EBP-10]
004022AF |. E8 301C0000 CALL <Christma.__BigPowMod@16>
004022B4 |. 68 66824000 PUSH Christma.00408266 ; /Arg3 = 00408266 ASCII "582C72D779E7F9B"
004022B9 |. 6A 10 PUSH 10 ; |Arg2 = 00000010
004022BB |. FF75 F4 PUSH DWORD PTR SS:[EBP-C] ; |Arg1
004022BE |. E8 F2100000 CALL <Christma.__BigOut@12> ; \Christma.004033B5
004022C3 |. FF75 FC PUSH DWORD PTR SS:[EBP-4]
004022C6 |. E8 920C0000 CALL <Christma.__BigDestroy@4>
004022CB |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
004022CE |. E8 8A0C0000 CALL <Christma.__BigDestroy@4>
004022D3 |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
004022D6 |. E8 820C0000 CALL <Christma.__BigDestroy@4>
004022DB |. FF75 F0 PUSH DWORD PTR SS:[EBP-10]
004022DE |. E8 7A0C0000 CALL <Christma.__BigDestroy@4>
004022E3 |. 61 POPAD
004022E4 |. C9 LEAVE
004022E5 \. C3 RETN
P=E3A6B0C3
Q=DB1A1E33
N=C2D6D2FFA7BA10D9
D=E1FE2B5D380D65D
E=10001
Second RSA computation
------------------CALL Christma.00402385------------------
00402385 /$ 55 PUSH EBP
00402386 |. 8BEC MOV EBP,ESP
00402388 |. 83C4 F0 ADD ESP,-10
0040238B |. 60 PUSHAD
0040238C |. 6A 00 PUSH 0
0040238E |. E8 9D0B0000 CALL <Christma.__BigCreate@4>
00402393 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
00402396 |. 6A 00 PUSH 0
00402398 |. E8 930B0000 CALL <Christma.__BigCreate@4>
0040239D |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004023A0 |. 6A 00 PUSH 0
004023A2 |. E8 890B0000 CALL <Christma.__BigCreate@4>
004023A7 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
004023AA |. 6A 00 PUSH 0
004023AC |. E8 7F0B0000 CALL <Christma.__BigCreate@4>
004023B1 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004023B4 |. A1 8F834000 MOV EAX,DWORD PTR DS:[40838F]
004023B9 |. 83C0 01 ADD EAX,1
004023BC |. FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; /Arg3
004023BF |. 6A 10 PUSH 10 ; |Arg2 = 00000010
004023C1 |. 50 PUSH EAX ; |Arg1
004023C2 |. E8 0C0D0000 CALL <Christma.__BigIn@12> ; \Christma.004030D3
004023C7 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /Arg3
004023CA |. 6A 10 PUSH 10 ; |Arg2 = 00000010
004023CC |. 68 9B844000 PUSH Christma.0040849B ; |Arg1 = 0040849B N="DC8058C0540D1B89"
004023D1 |. E8 FD0C0000 CALL <Christma.__BigIn@12> ; \Christma.004030D3
004023D6 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; /Arg3
004023D9 |. 6A 10 PUSH 10 ; |Arg2 = 00000010
004023DB |. 68 DE834000 PUSH Christma.004083DE ; |E="10001"
004023E0 |. E8 EE0C0000 CALL <Christma.__BigIn@12> ; \Christma.004030D3
004023E5 |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
004023E8 |. FF75 FC PUSH DWORD PTR SS:[EBP-4]
004023EB |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
004023EE |. FF75 F0 PUSH DWORD PTR SS:[EBP-10]
004023F1 |. E8 EE1A0000 CALL <Christma.__BigPowMod@16>
004023F6 |. 68 A6824000 PUSH Christma.004082A6 ; /Arg3 = 004082A6 ASCII "81393C93EE1717E"
004023FB |. 6A 10 PUSH 10 ; |Arg2 = 00000010
004023FD |. FF75 F4 PUSH DWORD PTR SS:[EBP-C] ; |Arg1
00402400 |. E8 B00F0000 CALL <Christma.__BigOut@12> ; \Christma.004033B5
00402405 |. FF75 FC PUSH DWORD PTR SS:[EBP-4]
00402408 |. E8 500B0000 CALL <Christma.__BigDestroy@4>
0040240D |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00402410 |. E8 480B0000 CALL <Christma.__BigDestroy@4>
00402415 |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
00402418 |. E8 400B0000 CALL <Christma.__BigDestroy@4>
0040241D |. FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00402420 |. E8 380B0000 CALL <Christma.__BigDestroy@4>
00402425 |. 61 POPAD
00402426 |. C9 LEAVE
00402427 \. C3 RETN
P=E96E7F93
Q=F1D1D1F3
N=DC8058C0540D1B89
D=9678D396AFB2F8CD
E=10001
Third RSA computation
------------------CALL Christma.004024C7------------------
004024C7 /$ 55 PUSH EBP
004024C8 |. 8BEC MOV EBP,ESP
004024CA |. 83C4 F0 ADD ESP,-10
004024CD |. 60 PUSHAD
004024CE |. 6A 00 PUSH 0
004024D0 |. E8 5B0A0000 CALL <Christma.__BigCreate@4>
004024D5 |. 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
004024D8 |. 6A 00 PUSH 0
004024DA |. E8 510A0000 CALL <Christma.__BigCreate@4>
004024DF |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004024E2 |. 6A 00 PUSH 0
004024E4 |. E8 470A0000 CALL <Christma.__BigCreate@4>
004024E9 |. 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
004024EC |. 6A 00 PUSH 0
004024EE |. E8 3D0A0000 CALL <Christma.__BigCreate@4>
004024F3 |. 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
004024F6 |. A1 94834000 MOV EAX,DWORD PTR DS:[408394]
004024FB |. 83C0 01 ADD EAX,1
004024FE |. FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; /Arg3
00402501 |. 6A 10 PUSH 10 ; |Arg2 = 00000010
00402503 |. 50 PUSH EAX ; |Arg1
00402504 |. E8 CA0B0000 CALL <Christma.__BigIn@12> ; \Christma.004030D3
00402509 |. FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /Arg3
0040250C |. 6A 10 PUSH 10 ; |Arg2 = 00000010
0040250E |. 68 AD844000 PUSH Christma.004084AD ; |Arg1 = 004084AD N="956A4A6E977251D1"
00402513 |. E8 BB0B0000 CALL <Christma.__BigIn@12> ; \Christma.004030D3
00402518 |. FF75 F8 PUSH DWORD PTR SS:[EBP-8] ; /Arg3
0040251B |. 6A 10 PUSH 10 ; |Arg2 = 00000010
0040251D |. 68 DE834000 PUSH Christma.004083DE ; |E="10001"
00402522 |. E8 AC0B0000 CALL <Christma.__BigIn@12> ; \Christma.004030D3
00402527 |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
0040252A |. FF75 FC PUSH DWORD PTR SS:[EBP-4]
0040252D |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00402530 |. FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00402533 |. E8 AC190000 CALL <Christma.__BigPowMod@16>
00402538 |. 68 E6824000 PUSH Christma.004082E6 ; /Arg3 = 004082E6 ASCII "CDC180E6C4ECD06"
0040253D |. 6A 10 PUSH 10 ; |Arg2 = 00000010
0040253F |. FF75 F4 PUSH DWORD PTR SS:[EBP-C] ; |Arg1
00402542 |. E8 6E0E0000 CALL <Christma.__BigOut@12> ; \Christma.004033B5
00402547 |. FF75 FC PUSH DWORD PTR SS:[EBP-4]
0040254A |. E8 0E0A0000 CALL <Christma.__BigDestroy@4>
0040254F |. FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00402552 |. E8 060A0000 CALL <Christma.__BigDestroy@4>
00402557 |. FF75 F4 PUSH DWORD PTR SS:[EBP-C]
0040255A |. E8 FE090000 CALL <Christma.__BigDestroy@4>
0040255F |. FF75 F0 PUSH DWORD PTR SS:[EBP-10]
00402562 |. E8 F6090000 CALL <Christma.__BigDestroy@4>
00402567 |. 61 POPAD
00402568 |. C9 LEAVE
00402569 \. C3 RETN
P=A3074563
Q=EA9F9C3B
N=956A4A6E977251D1
D=6C668806A1B389FD
E=10001
The three N values used by RSA are the three numbers stored in merryREchristmas, namely:
QzJENkQyRkZBN0JBMTBEOQ== which decodes to C2D6D2FFA7BA10D9
REM4MDU4QzA1NDBEMUI4OQ== which decodes to DC8058C0540D1B89
OTU2QTRBNkU5NzcyNTFEMQ== which decodes to 956A4A6E977251D1
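The keyfile layout implied by the byte offsets checked in CALL Christma.00401AD2, as an added Python example (not part of the original write-up or of the crackme): it validates a merryREchristmas image and reports every check that would fail, whereas the binary stops at the first one. The function names, and the assumption that the 70-byte read buffer starts zero-filled, are mine.

```python
import base64
import hashlib

TAG_MD5 = "3c6e0b8a9c15224a8228b9a98ca1531d"    # compared at 00401B75
EXPECTED_B64 = (                                 # compared at 00401C6E, 00401CFF, 00401D90
    b"QzJENkQyRkZBN0JBMTBEOQ==",
    b"REM4MDU4QzA1NDBEMUI4OQ==",
    b"OTU2QTRBNkU5NzcyNTFEMQ==",
)
# Offsets relative to the read buffer at 00408484.
FIELD_OFFSETS = (5, 23, 41)                      # 00408489, 0040849B, 004084AD
ZERO_OFFSETS = (3, 4, 21, 22, 39, 40, 57, 58)    # the eight CMP BYTE PTR ...,0 checks
READ_SIZE = 0x46                                 # BytesToRead = 70


def c_string(buf: bytes, start: int) -> bytes:
    """Bytes from start up to the first NUL, the span lstrlenA would measure."""
    end = buf.find(b"\x00", start)
    return buf[start:] if end < 0 else buf[start:end]


def keyfile_problems(data: bytes) -> list:
    """Return a list of failed checks; an empty list means the image is accepted."""
    # Assumption: bytes the file does not supply are zero in the program's buffer.
    buf = data[:READ_SIZE].ljust(READ_SIZE, b"\x00")
    problems = []
    if hashlib.md5(buf[:3]).hexdigest() != TAG_MD5:
        problems.append("bytes 0-2: MD5 does not match the embedded digest")
    for off in ZERO_OFFSETS:
        if buf[off] != 0:
            problems.append(f"byte {off}: must be 0x00")
    for idx, (off, want) in enumerate(zip(FIELD_OFFSETS, EXPECTED_B64), 1):
        if base64.b64encode(c_string(buf, off)) != want:
            problems.append(f"field {idx} at offset {off}: BASE64 mismatch")
    return problems


def build_keyfile() -> bytes:
    """Smallest image that passes: 'key', then each modulus string, all NUL-separated."""
    moduli = [base64.b64decode(b) for b in EXPECTED_B64]
    return b"key\x00\x00" + b"".join(m + b"\x00\x00" for m in moduli)


if __name__ == "__main__":
    image = build_keyfile()
    print(len(image), "bytes, problems:", keyfile_problems(image))
```

Because BASE64 is reversible, comparing the encoded fields against embedded constants is the same as comparing the three modulus strings in the clear.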
----------------------------------------------------------------------------------------------
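【Summary】
1. Create the merryREchristmas file with the required contents.
2. First RSA(MD5(Name), converted to upper case, first 15 characters) = SN1
3. Second RSA(MD5(Group), converted to upper case, first 15 characters) = SN2
4. Third RSA(MD5(E-Mail), converted to upper case, first 15 characters) = SN3
5. Combine them as: SN1-SN2-SN3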
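A model of the registration check summarised above, as an added Python example (not code from the original write-up or from the crackme). It shows why the scheme offers no protection: the 64-bit moduli factor instantly (the write-up lists P and Q), so the private exponent follows from the values the verifier ships. Function names and the sample inputs are mine, and the comparison is done on integers, so how the binary's bignum output formats a leading zero digit is not modelled.

```python
import hashlib

E = 0x10001
# (P, Q, N) for the Name, Group and E-Mail parts, as listed in the write-up.
KEYS = (
    (0xE3A6B0C3, 0xDB1A1E33, 0xC2D6D2FFA7BA10D9),
    (0xE96E7F93, 0xF1D1D1F3, 0xDC8058C0540D1B89),
    (0xA3074563, 0xEA9F9C3B, 0x956A4A6E977251D1),
)


def md5_prefix(text: str) -> int:
    """First 15 upper-case hex digits of MD5(text) as an integer.

    15 hex digits are below 2**60, so the value is always smaller than each N.
    """
    digest = hashlib.md5(text.encode("latin-1")).hexdigest().upper()
    return int(digest[:15], 16)


def email_shape_ok(email: str) -> bool:
    """Loop at 00401F65: '@' adds 1, '.' adds 2, accept once the total is exactly 3."""
    score = 0
    for ch in email:
        if score == 3:
            return True
        score += (ch == "@") + 2 * (ch == ".")
    return score == 3


def fields_ok(name: str, group: str, email: str) -> bool:
    """Length checks after each GetDlgItemTextA call plus the E-Mail shape check."""
    return (len(name) >= 2 and len(group) >= 2
            and len(email) >= 6 and email_shape_ok(email))


def verify_serial(name: str, group: str, email: str, serial: str) -> bool:
    """Public-key side: SNi ** E mod Ni must equal the MD5 prefix of field i."""
    parts = serial.split("-", 2)
    if len(parts) != 3 or not fields_ok(name, group, email):
        return False
    try:
        values = [int(p, 16) for p in parts]
    except ValueError:
        return False
    return all(pow(sn, E, n) == md5_prefix(text)
               for sn, text, (_, _, n) in zip(values, (name, group, email), KEYS))


def private_exponent(p: int, q: int) -> int:
    """D = E^-1 mod (P-1)(Q-1), derived here instead of hard-coding the listed D."""
    return pow(E, -1, (p - 1) * (q - 1))


def make_serial(name: str, group: str, email: str) -> str:
    """Private-key side: SNi = MD5prefix_i ** Di mod Ni, joined as SN1-SN2-SN3."""
    parts = []
    for text, (p, q, n) in zip((name, group, email), KEYS):
        parts.append(format(pow(md5_prefix(text), private_exponent(p, q), n), "X"))
    return "-".join(parts)


if __name__ == "__main__":
    # Constructed sample inputs.
    sample = ("Alice", "Blue Team", "alice@example.org")
    sn = make_serial(*sample)
    print(sn, verify_serial(*sample, sn))
```

A verifier that embeds only N and E is sound in principle; what fails here is the key size, since each 64-bit N can be split into P and Q with off-the-shelf tools.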
----------------------------------------------------------------------------------------------
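【Note】 I am just a beginner who picked up a few insights and would like to share them with everyone :)
【Copyright】 This article is purely for technical exchange. If you repost it, please credit the author and keep the article intact. Thanks!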
----------------------------------------------------------------------------------------------
Written on 2007-1-27 23:20:12