HappyTowns 31th CrackMe 算法分析及注册机
很早以前就放出来的一个CrackMe,抽空研究了下。
使用了Miracl大数运算库,但是没有大数运算,只是用到其中的两个转换函数。
用得比较多的是tiger哈希函数。
只要能识别出tiger函数调用,基本上就没有多少难度了。所以这个CrackMe难度一般。
用PEiD查壳,显示
Microsoft Visual C++ 6.0
经验证,确实没有加壳。
用PEiD的Krypto ANAlyzer插件检查,结果如下:
TIGER :: 0000C0D4 :: 0040C0D4
用IDA载入,并加载常用的sig。找到注册验证的关键函数,初步分析的结果如下:
.text:00401130 ; int __cdecl OnCheck(HWND hDlg)
.text:00401130 OnCheck proc near ; CODE XREF: DialogFunc+61p
.text:00401130
.text:00401130 var_388 = dword ptr -388h
.text:00401130 var_381 = byte ptr -381h
.text:00401130 hash1 = byte ptr -380h
.text:00401130 var_37E = byte ptr -37Eh
.text:00401130 var_37D = byte ptr -37Dh
.text:00401130 var_37C = byte ptr -37Ch
.text:00401130 var_37B = byte ptr -37Bh
.text:00401130 var_37A = byte ptr -37Ah
.text:00401130 var_379 = byte ptr -379h
.text:00401130 var_378 = byte ptr -378h
.text:00401130 var_377 = byte ptr -377h
.text:00401130 var_376 = byte ptr -376h
.text:00401130 var_375 = byte ptr -375h
.text:00401130 var_374 = byte ptr -374h
.text:00401130 var_373 = byte ptr -373h
.text:00401130 var_372 = byte ptr -372h
.text:00401130 var_371 = byte ptr -371h
.text:00401130 var_370 = byte ptr -370h
.text:00401130 var_36F = byte ptr -36Fh
.text:00401130 var_36E = byte ptr -36Eh
.text:00401130 var_36D = byte ptr -36Dh
.text:00401130 var_36C = byte ptr -36Ch
.text:00401130 var_36B = byte ptr -36Bh
.text:00401130 var_36A = byte ptr -36Ah
.text:00401130 var_369 = byte ptr -369h
.text:00401130 hash2 = byte ptr -368h
.text:00401130 var_366 = byte ptr -366h
.text:00401130 var_365 = byte ptr -365h
.text:00401130 var_364 = byte ptr -364h
.text:00401130 var_363 = byte ptr -363h
.text:00401130 var_362 = byte ptr -362h
.text:00401130 var_361 = byte ptr -361h
.text:00401130 var_360 = byte ptr -360h
.text:00401130 var_35F = byte ptr -35Fh
.text:00401130 var_35E = byte ptr -35Eh
.text:00401130 var_35D = byte ptr -35Dh
.text:00401130 var_35C = byte ptr -35Ch
.text:00401130 var_35B = byte ptr -35Bh
.text:00401130 var_35A = byte ptr -35Ah
.text:00401130 var_359 = byte ptr -359h
.text:00401130 var_358 = byte ptr -358h
.text:00401130 var_357 = byte ptr -357h
.text:00401130 var_356 = byte ptr -356h
.text:00401130 var_355 = byte ptr -355h
.text:00401130 var_354 = byte ptr -354h
.text:00401130 var_353 = byte ptr -353h
.text:00401130 var_352 = byte ptr -352h
.text:00401130 var_351 = byte ptr -351h
.text:00401130 var_350 = dword ptr -350h
.text:00401130 var_34C = dword ptr -34Ch
.text:00401130 var_347 = dword ptr -347h
.text:00401130 var_343 = dword ptr -343h
.text:00401130 var_33F = dword ptr -33Fh
.text:00401130 var_33B = dword ptr -33Bh
.text:00401130 var_337 = word ptr -337h
.text:00401130 var_335 = byte ptr -335h
.text:00401130 var_334 = dword ptr -334h
.text:00401130 var_32F = dword ptr -32Fh
.text:00401130 var_32B = dword ptr -32Bh
.text:00401130 var_327 = dword ptr -327h
.text:00401130 var_323 = dword ptr -323h
.text:00401130 var_31F = word ptr -31Fh
.text:00401130 var_31D = byte ptr -31Dh
.text:00401130 var_31C = dword ptr -31Ch
.text:00401130 var_317 = dword ptr -317h
.text:00401130 var_313 = dword ptr -313h
.text:00401130 var_30F = dword ptr -30Fh
.text:00401130 var_30B = dword ptr -30Bh
.text:00401130 var_307 = word ptr -307h
.text:00401130 var_305 = byte ptr -305h
.text:00401130 var_304 = dword ptr -304h
.text:00401130 var_2FF = dword ptr -2FFh
.text:00401130 var_2FB = dword ptr -2FBh
.text:00401130 var_2F7 = dword ptr -2F7h
.text:00401130 var_2F3 = dword ptr -2F3h
.text:00401130 var_2EF = word ptr -2EFh
.text:00401130 var_2ED = byte ptr -2EDh
.text:00401130 var_2EC = dword ptr -2ECh
.text:00401130 var_2E7 = dword ptr -2E7h
.text:00401130 var_2E3 = dword ptr -2E3h
.text:00401130 var_2DF = dword ptr -2DFh
.text:00401130 var_2DB = dword ptr -2DBh
.text:00401130 var_2D7 = word ptr -2D7h
.text:00401130 var_2D5 = byte ptr -2D5h
.text:00401130 var_2D4 = dword ptr -2D4h
.text:00401130 var_2CF = dword ptr -2CFh
.text:00401130 var_2CB = dword ptr -2CBh
.text:00401130 var_2C7 = dword ptr -2C7h
.text:00401130 var_2C3 = dword ptr -2C3h
.text:00401130 var_2BF = word ptr -2BFh
.text:00401130 var_2BD = byte ptr -2BDh
.text:00401130 var_2BC = dword ptr -2BCh
.text:00401130 szSerial = dword ptr -258h
.text:00401130 var_254 = dword ptr -254h
.text:00401130 var_250 = dword ptr -250h
.text:00401130 var_24B = dword ptr -24Bh
.text:00401130 var_246 = dword ptr -246h
.text:00401130 var_242 = dword ptr -242h
.text:00401130 var_23D = dword ptr -23Dh
.text:00401130 var_239 = dword ptr -239h
.text:00401130 szName = byte ptr -1F4h
.text:00401130 var_190 = dword ptr -190h
.text:00401130 var_18C = dword ptr -18Ch
.text:00401130 var_12C = dword ptr -12Ch
.text:00401130 var_C8 = dword ptr -0C8h
.text:00401130 var_C4 = dword ptr -0C4h
.text:00401130 var_64 = dword ptr -64h
.text:00401130 var_60 = dword ptr -60h
.text:00401130 hDlg = dword ptr 4
.text:00401130
.text:00401130 sub esp, 388h
.text:00401136 push ebx
.text:00401137 push ebp
.text:00401138 push esi
.text:00401139 push edi
.text:0040113A xor ebx, ebx
.text:0040113C mov ecx, 24
.text:00401141 xor eax, eax
.text:00401143 lea edi, [esp+1A5h]
.text:0040114A mov [esp+398h+szName], bl ; 这些是初始化数组变量
.text:00401151 mov byte ptr [esp+398h+szSerial], bl
.text:00401158 rep stosd
.text:0040115A stosw
.text:0040115C stosb
.text:0040115D mov ecx, 24
.text:00401162 xor eax, eax
.text:00401164 lea edi, [esp+398h+szSerial+1] ; 这些是初始化数组变量
.text:0040116B mov byte ptr [esp+398h+var_190], bl
.text:00401172 rep stosd
.text:00401174 stosw
.text:00401176 stosb
.text:00401177 mov ecx, 24
.text:0040117C xor eax, eax
.text:0040117E lea edi, [esp+398h+var_190+1] ; 这些是初始化数组变量
.text:00401185 mov byte ptr [esp+398h+var_C8], bl
.text:0040118C rep stosd
.text:0040118E stosw
.text:00401190 stosb
.text:00401191 mov ecx, 24
.text:00401196 xor eax, eax
.text:00401198 lea edi, [esp+398h+var_C8+1] ; 这些是初始化数组变量
.text:0040119F mov byte ptr [esp+398h+var_12C], bl
.text:004011A6 rep stosd
.text:004011A8 stosw
.text:004011AA stosb
.text:004011AB mov ecx, 24
.text:004011B0 xor eax, eax
.text:004011B2 lea edi, [esp+398h+var_12C+1] ; 这些是初始化数组变量
.text:004011B9 mov byte ptr [esp+398h+var_64], bl
.text:004011C0 rep stosd
.text:004011C2 stosw
.text:004011C4 stosb
.text:004011C5 mov ecx, 24
.text:004011CA xor eax, eax
.text:004011CC lea edi, [esp+398h+var_64+1] ; 这些是初始化数组变量
.text:004011D3 mov byte ptr [esp+398h+var_2BC], bl
.text:004011DA rep stosd
.text:004011DC stosw
.text:004011DE stosb
.text:004011DF mov ecx, 24
.text:004011E4 xor eax, eax
.text:004011E6 lea edi, [esp+398h+var_2BC+1] ; 这些是初始化数组变量
.text:004011ED mov byte ptr [esp+398h+var_2D4], bl
.text:004011F4 rep stosd
.text:004011F6 stosw
.text:004011F8 stosb
.text:004011F9 xor eax, eax
.text:004011FB xor ecx, ecx
.text:004011FD xor edx, edx
.text:004011FF mov [esp+398h+var_2D4+1], eax ; 这些是初始化数组变量
.text:00401206 mov [esp+398h+var_2EC+1], ecx
.text:0040120D mov [esp+398h+var_334+1], edx
.text:00401211 mov [esp+398h+var_2CF], eax
.text:00401218 mov [esp+398h+var_2E7], ecx
.text:0040121F mov [esp+398h+var_32F], edx
.text:00401223 mov [esp+398h+var_2CB], eax
.text:0040122A mov [esp+398h+var_2E3], ecx
.text:00401231 mov [esp+398h+var_32B], edx
.text:00401235 mov [esp+398h+var_2C7], eax
.text:0040123C mov [esp+398h+var_2DF], ecx
.text:00401243 mov [esp+398h+var_327], edx
.text:00401247 mov [esp+398h+var_2C3], eax
.text:0040124E mov [esp+398h+var_2DB], ecx
.text:00401255 mov [esp+398h+var_323], edx
.text:00401259 mov [esp+398h+var_2BF], ax
.text:00401261 mov [esp+398h+var_2D7], cx
.text:00401269 mov [esp+398h+var_31F], dx
.text:0040126E mov [esp+398h+var_2BD], al
.text:00401275 mov byte ptr [esp+398h+var_2EC], bl
.text:0040127C mov [esp+398h+var_2D5], cl
.text:00401283 mov byte ptr [esp+398h+var_334], bl
.text:00401287 mov [esp+398h+var_31D], dl
.text:0040128B mov [esp+398h+var_31C+1], eax
.text:0040128F mov [esp+398h+var_304+1], ecx
.text:00401296 mov [esp+398h+var_317], eax
.text:0040129D mov [esp+398h+var_2FF], ecx
.text:004012A4 mov [esp+398h+var_313], eax
.text:004012AB mov [esp+398h+var_2FB], ecx
.text:004012B2 mov [esp+398h+var_30F], eax
.text:004012B9 mov [esp+398h+var_2F7], ecx
.text:004012C0 mov [esp+398h+var_34C+1], edx
.text:004012C4 mov [esp+398h+var_30B], eax
.text:004012CB mov [esp+398h+var_2F3], ecx
.text:004012D2 mov [esp+398h+var_347], edx
.text:004012D6 mov [esp+398h+var_307], ax
.text:004012DE mov [esp+398h+var_2EF], cx
.text:004012E6 mov [esp+398h+var_343], edx
.text:004012EA mov [esp+398h+var_305], al
.text:004012F1 mov [esp+398h+var_2ED], cl
.text:004012F8 mov [esp+398h+var_33F], edx
.text:004012FC mov cl, 0F2h
.text:004012FE mov al, 1Ch
.text:00401300 mov [esp+398h+var_33B], edx
.text:00401304 mov [esp+398h+var_37C], cl
.text:00401308 mov [esp+398h+var_375], al
.text:0040130C mov [esp+398h+var_361], al
.text:00401310 mov [esp+398h+var_35C], cl
.text:00401314 mov [esp+398h+var_337], dx
.text:00401319 mov cl, 4Fh
.text:0040131B mov al, 0DCh
.text:0040131D push 10h
.text:0040131F push 320h
.text:00401324 mov byte ptr [esp+3A0h+var_31C], bl
.text:0040132B mov byte ptr [esp+3A0h+var_304], bl
.text:00401332 mov byte ptr [esp+3A0h+var_34C], bl
.text:00401336 mov [esp+3A0h+var_335], dl
.text:0040133A mov [esp+3A0h+hash1], 0B8h ; 这些是初始化数组变量
.text:0040133F mov byte ptr [esp+21h], 89h
.text:00401344 mov [esp+3A0h+var_37E], 7Fh
.text:00401349 mov [esp+3A0h+var_37D], 0B2h
.text:0040134E mov [esp+3A0h+var_37B], 0Ah
.text:00401353 mov [esp+3A0h+var_37A], 0B9h
.text:00401358 mov [esp+3A0h+var_379], 0D7h
.text:0040135D mov [esp+3A0h+var_378], 2Ch
.text:00401362 mov [esp+3A0h+var_377], 0D1h
.text:00401367 mov [esp+3A0h+var_376], 43h
.text:0040136C mov [esp+3A0h+var_374], 9Eh
.text:00401371 mov [esp+3A0h+var_373], 0B6h
.text:00401376 mov [esp+3A0h+var_372], 56h
.text:0040137B mov [esp+3A0h+var_371], 0BAh
.text:00401380 mov [esp+3A0h+var_370], 73h
.text:00401385 mov [esp+3A0h+var_36F], 0B1h
.text:0040138A mov [esp+3A0h+var_36E], 71h
.text:0040138F mov [esp+3A0h+var_36D], 9Ah
.text:00401394 mov [esp+3A0h+var_36C], 3Ah
.text:00401399 mov [esp+3A0h+var_36B], 0F7h
.text:0040139E mov [esp+3A0h+var_36A], 20h
.text:004013A3 mov [esp+3A0h+var_369], 0Ch
.text:004013A8 mov [esp+3A0h+hash2], 0AEh
.text:004013AD mov byte ptr [esp+39h], 4
.text:004013B2 mov [esp+3A0h+var_366], 0D0h
.text:004013B7 mov [esp+3A0h+var_365], 62h
.text:004013BC mov [esp+3A0h+var_364], 0C2h
.text:004013C1 mov [esp+3A0h+var_363], 48h
.text:004013C6 mov [esp+3A0h+var_362], 3Fh
.text:004013CB mov [esp+3A0h+var_360], 0Eh
.text:004013D0 mov [esp+3A0h+var_35F], 0E2h
.text:004013D5 mov [esp+3A0h+var_35E], 0CAh
.text:004013DA mov [esp+3A0h+var_35D], 1Eh
.text:004013DF mov [esp+3A0h+var_35B], 0AAh
.text:004013E4 mov [esp+3A0h+var_35A], cl
.text:004013E8 mov [esp+3A0h+var_359], al
.text:004013EC mov [esp+3A0h+var_358], al
.text:004013F0 mov [esp+3A0h+var_357], 0FFh
.text:004013F5 mov [esp+3A0h+var_356], 0F5h
.text:004013FA mov [esp+3A0h+var_355], 5Eh
.text:004013FF mov [esp+3A0h+var_354], cl
.text:00401403 mov [esp+3A0h+var_353], 22h
.text:00401408 mov [esp+3A0h+var_352], 4Bh
.text:0040140D mov [esp+3A0h+var_351], 0CBh
.text:00401412 call _mirsys ; mirsys( 0x320, 0x10 )
.text:00401417 mov dword ptr [eax+234h], 16
.text:00401421 push ebx
.text:00401422 call _mirvar ;声明一个大数,只用了这一个
.text:00401427 mov esi, [esp+3A4h+hDlg]
.text:0040142E add esp, 0Ch
.text:00401431 mov ebp, eax
.text:00401433 lea eax, [esp+398h+szName]
.text:0040143A push 101 ; nMaxCount
.text:0040143C push eax ; lpString
.text:0040143D push 1000 ; nIDDlgItem
.text:00401442 push esi ; hDlg
.text:00401443 call ds:GetDlgItemTextA ;读入用户名,最大长度100字符
.text:00401449 cmp eax, 3 ;用户名不能少于3各字符
.text:0040144C jnb short loc_40145B
.text:0040144E pop edi
.text:0040144F pop esi
.text:00401450 pop ebp
.text:00401451 xor eax, eax
.text:00401453 pop ebx
.text:00401454 add esp, 388h
.text:0040145A retn
.text:0040145B ; ---------------------------------------------------------------------------
.text:0040145B
.text:0040145B loc_40145B: ; CODE XREF: OnCheck+31Cj
.text:0040145B lea ecx, [esp+398h+var_334]
.text:0040145F lea edx, [esp+398h+szName]
.text:00401466 push ecx
.text:00401467 push 1
.text:00401469 push edx
.text:0040146A call tiger ;对用户名的第1个字符进行tiger运算
.text:0040146F lea eax, [esp+3A4h+var_31C]
.text:00401476 lea ecx, [esp+1B1h]
.text:0040147D push eax
.text:0040147E push 1
.text:00401480 push ecx
.text:00401481 call tiger ;对用户名的第2个字符进行tiger运算
.text:00401486 lea edx, [esp+3B0h+var_304]
.text:0040148D lea eax, [esp+1BEh]
.text:00401494 push edx
.text:00401495 push 1
.text:00401497 push eax
.text:00401498 call tiger ;对用户名的第3个字符进行tiger运算
.text:0040149D lea ecx, [esp+3BCh+var_34C]
.text:004014A1 lea edi, [esp+3BCh+szName]
.text:004014A8 push ecx
.text:004014A9 or ecx, 0FFFFFFFFh
.text:004014AC xor eax, eax
.text:004014AE lea edx, [esp+3C0h+szName]
.text:004014B5 repne scasb
.text:004014B7 not ecx
.text:004014B9 dec ecx
.text:004014BA push ecx
.text:004014BB push edx
.text:004014BC call tiger ;对整个用户名进行tiger运算
.text:004014C1 add esp, 30h
.text:004014C4 lea eax, [esp+398h+szSerial]
.text:004014CB push 101 ; nMaxCount
.text:004014CD push eax ; lpString
.text:004014CE push 1001 ; nIDDlgItem
.text:004014D3 push esi ; hDlg
.text:004014D4 call ds:GetDlgItemTextA ;取注册码,最大长度100个字符
.text:004014DA lea ecx, [esp+398h+var_2EC]
.text:004014E1 lea edx, [esp+17h]
.text:004014E5 push ecx
.text:004014E6 push 1
.text:004014E8 push edx
.text:004014E9 mov [esp+3A4h+var_381], al ;注册码长度
.text:004014ED call tiger ;对注册码长度的值进行tiger运算
.text:004014F2 add esp, 0Ch
.text:004014F5 mov ecx, 6
.text:004014FA lea edi, [esp+398h+hash1]
.text:004014FE lea esi, [esp+398h+var_2EC]
.text:00401505 xor eax, eax
.text:00401507 repe cmpsd
.text:00401509 jz short loc_401518
.text:0040150B
.text:0040150B loc_40150B: ; CODE XREF: OnCheck+422j
.text:0040150B ; OnCheck+591j ...
.text:0040150B pop edi
.text:0040150C pop esi
.text:0040150D pop ebp
.text:0040150E xor eax, eax
.text:00401510 pop ebx
.text:00401511 add esp, 388h
.text:00401517 retn
.text:00401518 ; ---------------------------------------------------------------------------
.text:00401518
.text:00401518 loc_401518: ; CODE XREF: OnCheck+3D9j
.text:00401518 lea ecx, [esp+398h+var_250]
.text:0040151F mov [esp+398h+var_388], ebx
.text:00401523 mov [esp+398h+var_350], ecx
.text:00401527
.text:00401527 loc_401527: ; CODE XREF: OnCheck+43Bj
.text:00401527 mov eax, [esp+398h+var_350]
.text:0040152B lea edx, [esp+398h+var_2D4]
.text:00401532 push edx
.text:00401533 push 1
.text:00401535 push eax
.text:00401536 call tiger ;对注册码的第9、18、27个字符进行tiger运算
.text:0040153B add esp, 0Ch
.text:0040153E mov ecx, 6
.text:00401543 lea edi, [esp+398h+hash2]
.text:00401547 lea esi, [esp+398h+var_2D4]
.text:0040154E xor edx, edx
.text:00401550 repe cmpsd
.text:00401552 jnz short loc_40150B
.text:00401554 mov eax, [esp+398h+var_388]
.text:00401558 mov edx, [esp+398h+var_350]
.text:0040155C inc eax
.text:0040155D add edx, 9
.text:00401560 cmp eax, 3
.text:00401563 mov [esp+398h+var_388], eax
.text:00401567 mov [esp+398h+var_350], edx
.text:0040156B jb short loc_401527
.text:0040156D mov edx, [esp+398h+var_250+1]
.text:00401574 mov eax, [esp+398h+szSerial]
.text:0040157B mov ecx, [esp+398h+var_254]
.text:00401582 mov [esp+398h+var_C8], edx
.text:00401589 mov edx, [esp+398h+var_242]
.text:00401590 mov [esp+398h+var_190], eax
.text:00401597 mov eax, [esp+398h+var_24B]
.text:0040159E mov [esp+398h+var_18C], ecx
.text:004015A5 mov ecx, [esp+398h+var_246]
.text:004015AC mov [esp+270h], edx
.text:004015B3 lea edx, [esp+398h+var_334]
.text:004015B7 mov [esp+398h+var_C4], eax
.text:004015BE mov eax, [esp+398h+var_23D]
.text:004015C5 mov [esp+398h+var_12C], ecx
.text:004015CC mov ecx, [esp+398h+var_239]
.text:004015D3 push ebp
.text:004015D4 push edx
.text:004015D5 push 4
.text:004015D7 mov [esp+3A4h+var_64], eax
.text:004015DE mov [esp+3A4h+var_60], ecx
.text:004015E5 call _bytes_to_big
.text:004015EA mov ecx, 6
.text:004015EF xor eax, eax
.text:004015F1 lea edi, [esp+3A4h+var_334]
.text:004015F5 rep stosd
.text:004015F7 lea eax, [esp+3A4h+var_334]
.text:004015FB push eax
.text:004015FC push ebp
.text:004015FD call _cotstr
.text:00401602 lea edi, [esp+3ACh+var_334]
.text:00401606 or ecx, 0FFFFFFFFh
.text:00401609 xor eax, eax
.text:0040160B add esp, 14h
.text:0040160E repne scasb
.text:00401610 not ecx
.text:00401612 dec ecx
.text:00401613 mov edx, 8
.text:00401618 sub edx, ecx
.text:0040161A jz loc_4016B2
.text:00401620 lea edi, [esp+398h+var_334]
.text:00401624 or ecx, 0FFFFFFFFh
.text:00401627 repne scasb
.text:00401629 not ecx
.text:0040162B lea esi, [esp+398h+var_2BC]
.text:00401632 sub edi, ecx
.text:00401634 mov eax, ecx
.text:00401636 mov [esp+398h+var_388], esi
.text:0040163A mov esi, edi
.text:0040163C mov edi, [esp+398h+var_388]
.text:00401640 shr ecx, 2
.text:00401643 rep movsd
.text:00401645 mov ecx, eax
.text:00401647 xor eax, eax
.text:00401649 and ecx, 3
.text:0040164C cmp edx, ebx
.text:0040164E rep movsb
.text:00401650 mov ecx, 6
.text:00401655 lea edi, [esp+398h+var_334]
.text:00401659 rep stosd
.text:0040165B jbe short loc_401674
.text:0040165D mov ecx, edx
.text:0040165F mov eax, '0000'
.text:00401664 lea edi, [esp+398h+var_334]
.text:00401668 shr ecx, 2
.text:0040166B rep stosd
.text:0040166D mov ecx, edx
.text:0040166F and ecx, 3
.text:00401672 rep stosb
.text:00401674
.text:00401674 loc_401674: ; CODE XREF: OnCheck+52Bj
.text:00401674 lea edi, [esp+398h+var_2BC]
.text:0040167B or ecx, 0FFFFFFFFh
.text:0040167E xor eax, eax
.text:00401680 lea edx, [esp+398h+var_334]
.text:00401684 repne scasb
.text:00401686 not ecx
.text:00401688 sub edi, ecx
.text:0040168A mov esi, edi
.text:0040168C mov edi, edx
.text:0040168E mov edx, ecx
.text:00401690 or ecx, 0FFFFFFFFh
.text:00401693 repne scasb
.text:00401695 mov ecx, edx
.text:00401697 dec edi
.text:00401698 shr ecx, 2
.text:0040169B rep movsd
.text:0040169D mov ecx, edx
.text:0040169F and ecx, 3
.text:004016A2 rep movsb
.text:004016A4 mov ecx, 19h
.text:004016A9 lea edi, [esp+398h+var_2BC]
.text:004016B0 rep stosd
.text:004016B2
.text:004016B2 loc_4016B2: ; CODE XREF: OnCheck+4EAj
.text:004016B2 xor eax, eax
.text:004016B4
.text:004016B4 loc_4016B4: ; CODE XREF: OnCheck+59Bj
.text:004016B4 mov cl, byte ptr [esp+eax+398h+var_334]
.text:004016B8 mov dl, byte ptr [esp+eax+398h+var_190]
.text:004016BF xor cl, dl
.text:004016C1 jnz loc_40150B
.text:004016C7 inc eax
.text:004016C8 cmp eax, 8
.text:004016CB jb short loc_4016B4
.text:004016CD lea edx, [esp+398h+var_31C]
.text:004016D1 push ebp
.text:004016D2 push edx
.text:004016D3 push 4
.text:004016D5 call _bytes_to_big
.text:004016DA mov ecx, 6
.text:004016DF xor eax, eax
.text:004016E1 lea edi, [esp+3A4h+var_31C]
.text:004016E8 rep stosd
.text:004016EA lea eax, [esp+3A4h+var_31C]
.text:004016F1 push eax
.text:004016F2 push ebp
.text:004016F3 call _cotstr
.text:004016F8 lea edi, [esp+3ACh+var_31C]
.text:004016FF or ecx, 0FFFFFFFFh
.text:00401702 xor eax, eax
.text:00401704 add esp, 14h
.text:00401707 repne scasb
.text:00401709 not ecx
.text:0040170B dec ecx
.text:0040170C mov edx, 8
.text:00401711 sub edx, ecx
.text:00401713 jz loc_4017AB
.text:00401719 lea edi, [esp+398h+var_31C]
.text:0040171D or ecx, 0FFFFFFFFh
.text:00401720 repne scasb
.text:00401722 not ecx
.text:00401724 lea esi, [esp+398h+var_2BC]
.text:0040172B sub edi, ecx
.text:0040172D mov eax, ecx
.text:0040172F mov [esp+398h+var_388], esi
.text:00401733 mov esi, edi
.text:00401735 mov edi, [esp+398h+var_388]
.text:00401739 shr ecx, 2
.text:0040173C rep movsd
.text:0040173E mov ecx, eax
.text:00401740 xor eax, eax
.text:00401742 and ecx, 3
.text:00401745 cmp edx, ebx
.text:00401747 rep movsb
.text:00401749 mov ecx, 6
.text:0040174E lea edi, [esp+398h+var_31C]
.text:00401752 rep stosd
.text:00401754 jbe short loc_40176D
.text:00401756 mov ecx, edx
.text:00401758 mov eax, '0000'
.text:0040175D lea edi, [esp+398h+var_31C]
.text:00401761 shr ecx, 2
.text:00401764 rep stosd
.text:00401766 mov ecx, edx
.text:00401768 and ecx, 3
.text:0040176B rep stosb
.text:0040176D
.text:0040176D loc_40176D: ; CODE XREF: OnCheck+624j
.text:0040176D lea edi, [esp+398h+var_2BC]
.text:00401774 or ecx, 0FFFFFFFFh
.text:00401777 xor eax, eax
.text:00401779 lea edx, [esp+398h+var_31C]
.text:0040177D repne scasb
.text:0040177F not ecx
.text:00401781 sub edi, ecx
.text:00401783 mov esi, edi
.text:00401785 mov edi, edx
.text:00401787 mov edx, ecx
.text:00401789 or ecx, 0FFFFFFFFh
.text:0040178C repne scasb
.text:0040178E mov ecx, edx
.text:00401790 dec edi
.text:00401791 shr ecx, 2
.text:00401794 rep movsd
.text:00401796 mov ecx, edx
.text:00401798 and ecx, 3
.text:0040179B rep movsb
.text:0040179D mov ecx, 19h
.text:004017A2 lea edi, [esp+398h+var_2BC]
.text:004017A9 rep stosd
.text:004017AB
.text:004017AB loc_4017AB: ; CODE XREF: OnCheck+5E3j
.text:004017AB xor eax, eax
.text:004017AD
.text:004017AD loc_4017AD: ; CODE XREF: OnCheck+694j
.text:004017AD mov cl, byte ptr [esp+eax+398h+var_31C]
.text:004017B1 mov dl, byte ptr [esp+eax+398h+var_C8]
.text:004017B8 xor cl, dl
.text:004017BA jnz loc_40150B
.text:004017C0 inc eax
.text:004017C1 cmp eax, 8
.text:004017C4 jb short loc_4017AD
.text:004017C6 lea edx, [esp+398h+var_304]
.text:004017CD push ebp
.text:004017CE push edx
.text:004017CF push 4
.text:004017D1 call _bytes_to_big
.text:004017D6 mov ecx, 6
.text:004017DB xor eax, eax
.text:004017DD lea edi, [esp+3A4h+var_304]
.text:004017E4 rep stosd
.text:004017E6 lea eax, [esp+3A4h+var_304]
.text:004017ED push eax
.text:004017EE push ebp
.text:004017EF call _cotstr
.text:004017F4 lea edi, [esp+3ACh+var_304]
.text:004017FB or ecx, 0FFFFFFFFh
.text:004017FE xor eax, eax
.text:00401800 add esp, 14h
.text:00401803 repne scasb
.text:00401805 not ecx
.text:00401807 dec ecx
.text:00401808 mov edx, 8
.text:0040180D sub edx, ecx
.text:0040180F jz loc_4018B3
.text:00401815 lea edi, [esp+398h+var_304]
.text:0040181C or ecx, 0FFFFFFFFh
.text:0040181F repne scasb
.text:00401821 not ecx
.text:00401823 lea esi, [esp+398h+var_2BC]
.text:0040182A sub edi, ecx
.text:0040182C mov eax, ecx
.text:0040182E mov [esp+398h+var_388], esi
.text:00401832 mov esi, edi
.text:00401834 mov edi, [esp+398h+var_388]
.text:00401838 shr ecx, 2
.text:0040183B rep movsd
.text:0040183D mov ecx, eax
.text:0040183F xor eax, eax
.text:00401841 and ecx, 3
.text:00401844 cmp edx, ebx
.text:00401846 rep movsb
.text:00401848 mov ecx, 6
.text:0040184D lea edi, [esp+398h+var_304]
.text:00401854 rep stosd
.text:00401856 jbe short loc_401872
.text:00401858 mov ecx, edx
.text:0040185A mov eax, '0000'
.text:0040185F lea edi, [esp+398h+var_304]
.text:00401866 shr ecx, 2
.text:00401869 rep stosd
.text:0040186B mov ecx, edx
.text:0040186D and ecx, 3
.text:00401870 rep stosb
.text:00401872
.text:00401872 loc_401872: ; CODE XREF: OnCheck+726j
.text:00401872 lea edi, [esp+398h+var_2BC]
.text:00401879 or ecx, 0FFFFFFFFh
.text:0040187C xor eax, eax
.text:0040187E lea edx, [esp+398h+var_304]
.text:00401885 repne scasb
.text:00401887 not ecx
.text:00401889 sub edi, ecx
.text:0040188B mov esi, edi
.text:0040188D mov edi, edx
.text:0040188F mov edx, ecx
.text:00401891 or ecx, 0FFFFFFFFh
.text:00401894 repne scasb
.text:00401896 mov ecx, edx
.text:00401898 dec edi
.text:00401899 shr ecx, 2
.text:0040189C rep movsd
.text:0040189E mov ecx, edx
.text:004018A0 and ecx, 3
.text:004018A3 rep movsb
.text:004018A5 mov ecx, 19h
.text:004018AA lea edi, [esp+398h+var_2BC]
.text:004018B1 rep stosd
.text:004018B3
.text:004018B3 loc_4018B3: ; CODE XREF: OnCheck+6DFj
.text:004018B3 xor eax, eax
.text:004018B5
.text:004018B5 loc_4018B5: ; CODE XREF: OnCheck+79Fj
.text:004018B5 mov cl, byte ptr [esp+eax+398h+var_304]
.text:004018BC mov dl, byte ptr [esp+eax+398h+var_12C]
.text:004018C3 xor cl, dl
.text:004018C5 jnz loc_40150B
.text:004018CB inc eax
.text:004018CC cmp eax, 8
.text:004018CF jb short loc_4018B5
.text:004018D1 lea edx, [esp+398h+var_34C]
.text:004018D5 push ebp
.text:004018D6 push edx
.text:004018D7 push 4
.text:004018D9 call _bytes_to_big
.text:004018DE mov ecx, 6
.text:004018E3 xor eax, eax
.text:004018E5 lea edi, [esp+3A4h+var_34C]
.text:004018E9 rep stosd
.text:004018EB lea eax, [esp+3A4h+var_34C]
.text:004018EF push eax
.text:004018F0 push ebp
.text:004018F1 call _cotstr
.text:004018F6 lea edi, [esp+3ACh+var_34C]
.text:004018FA or ecx, 0FFFFFFFFh
.text:004018FD xor eax, eax
.text:004018FF add esp, 14h
.text:00401902 repne scasb
.text:00401904 not ecx
.text:00401906 dec ecx
.text:00401907 mov edx, 8
.text:0040190C sub edx, ecx
.text:0040190E jz short loc_40198E
.text:00401910 lea edi, [esp+398h+var_34C]
.text:00401914 or ecx, 0FFFFFFFFh
.text:00401917 repne scasb
.text:00401919 not ecx
.text:0040191B sub edi, ecx
.text:0040191D lea ebp, [esp+398h+var_2BC]
.text:00401924 mov eax, ecx
.text:00401926 mov esi, edi
.text:00401928 mov edi, ebp
.text:0040192A shr ecx, 2
.text:0040192D rep movsd
.text:0040192F mov ecx, eax
.text:00401931 xor eax, eax
.text:00401933 and ecx, 3
.text:00401936 cmp edx, ebx
.text:00401938 rep movsb
.text:0040193A mov ecx, 6
.text:0040193F lea edi, [esp+398h+var_34C]
.text:00401943 rep stosd
.text:00401945 jbe short loc_40195E
.text:00401947 mov ecx, edx
.text:00401949 mov eax, '0000'
.text:0040194E lea edi, [esp+398h+var_34C]
.text:00401952 shr ecx, 2
.text:00401955 rep stosd
.text:00401957 mov ecx, edx
.text:00401959 and ecx, 3
.text:0040195C rep stosb
.text:0040195E
.text:0040195E loc_40195E: ; CODE XREF: OnCheck+815j
.text:0040195E lea edi, [esp+398h+var_2BC]
.text:00401965 or ecx, 0FFFFFFFFh
.text:00401968 xor eax, eax
.text:0040196A lea edx, [esp+398h+var_34C]
.text:0040196E repne scasb
.text:00401970 not ecx
.text:00401972 sub edi, ecx
.text:00401974 mov esi, edi
.text:00401976 mov ebp, ecx
.text:00401978 mov edi, edx
.text:0040197A or ecx, 0FFFFFFFFh
.text:0040197D repne scasb
.text:0040197F mov ecx, ebp
.text:00401981 dec edi
.text:00401982 shr ecx, 2
.text:00401985 rep movsd
.text:00401987 mov ecx, ebp
.text:00401989 and ecx, 3
.text:0040198C rep movsb
.text:0040198E
.text:0040198E loc_40198E: ; CODE XREF: OnCheck+7DEj
.text:0040198E ; OnCheck+875j
.text:0040198E mov al, byte ptr [esp+ebx+398h+var_34C]
.text:00401992 mov cl, byte ptr [esp+ebx+398h+var_64]
.text:00401999 xor al, cl
.text:0040199B jnz loc_40150B
.text:004019A1 inc ebx
.text:004019A2 cmp ebx, 8
.text:004019A5 jb short loc_40198E
.text:004019A7 pop edi
.text:004019A8 pop esi
.text:004019A9 pop ebp
.text:004019AA mov eax, 1
.text:004019AF pop ebx
.text:004019B0 add esp, 388h
.text:004019B6 retn
.text:004019B6 OnCheck endp
注册验证过程:
1、取用户名,不能少于3个字符。分别对用户名的第1、2、3个字符以及整个用户名进行tiger哈希运算,
得到四个哈希串h1、h2、h3、h4,即
h1 = tiger(用户名的第1个字符);
h2 = tiger(用户名的第2个字符);
h3 = tiger(用户名的第3个字符);
h4 = tiger(用户名);
2、取注册码。对注册码长度进行tiger哈希运算,得到的哈希串应该与给定的24字节数组相同,否则失败。
对注册码中第9、18、27个字符进行tiger哈希运算,得到的哈希串应该与给定的另一个24字节数组相同,否则失败。
3、分别取h1、h2、h3、h4的前4个字节,然后转化为大数,再输出为大数的16进制字符串s1、s2、s3、s4。
如果得到的字符串长度不足8个字符,则左边补0,直到为8个字符长度为止。
4、将字符串s1、s2、s3、s4分别与注册码中以第9、18、27个字符隔开的四段进行比较,都相同则注册成功,
否则失败。
由于对注册码长度以及其中的3个字符进行tiger哈希运算的结果在初始化变量的时候已经给出,那么通过
穷举试探法可以求出它们。
我求出来注册码的长度应该是35个字符,注册码中第9、18、27个字符应该是'-'。
即注册码的格式应该是:xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx
那么生成注册码的过程:
1、输入用户名,长度不能少于3个字符。分别对用户名的第1、2、3个字符以及整个用户名进行tiger哈希运算,
得到四个哈希串h1、h2、h3、h4,即
h1 = tiger(用户名的第1个字符);
h2 = tiger(用户名的第2个字符);
h3 = tiger(用户名的第3个字符);
h4 = tiger(用户名);
2、分别取h1、h2、h3、h4的前4个字节,转化为大数,再输出大数的16进制字符串表示s1、s2、s3、s4。
如果得到的字符串长度不足8个字符,则左边补0,直到为8个字符长度为止。
3、将字符串s1、s2、s3、s4用字符'-'连接起来,即为所求的注册码。
keygen及源码见附件。
just for fun!
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
