【文章标题】: CrackMe(four)分析
【文章作者】: 坚持到底
【软件名称】: four
【软件大小】: 7.00K
【下载地址】: http://www.crackmes.de
【加壳方式】: 无
【使用工具】: flyodbg,PEID
【操作平台】: WinXPSP2
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
在crackmes.de逛的时候下了个这个crackme 就分析了下,群里的朋友叫我写个教程,就顺便写了下....
//////////////////////////////////////////////////////////////////////////////////////////////////////
//第1步:unlock code算法分析
//////////////////////////////////////////////////////////////////////////////////////////////////////
输入unlock code = 123456
004010A3 6A 11 push 11
004010A5 68 68344000 push four.00403468
004010AA 68 F1030000 push 3F1
004010AF FF75 08 push dword ptr ss:[ebp+8]
004010B2 E8 DD030000 call <jmp.&user32.GetDlgItemTextA> //取的unlock
004010B7 83F8 00 cmp eax,0
004010BA 76 70 jbe short four.0040112C
004010BC 68 68344000 push four.00403468
004010C1 FF75 08 push dword ptr ss:[ebp+8]
004010C4 E8 C2020000 call four.0040138B //关键CALL
004010C9 BB A5114000 mov ebx,four.004011A5
004010CE 813B 558BECE8 cmp dword ptr ds:[ebx],E8EC8B55
004010D4 75 1F jnz short four.004010F5
004010D6 817B 04 CA010000 cmp dword ptr ds:[ebx+4],1CA
004010DD 75 16 jnz short four.004010F5
004010DF 817B 08 6A116848 cmp dword ptr ds:[ebx+8],4868116A
004010E6 75 0D jnz short four.004010F5
004010E8 FF75 08 push dword ptr ss:[ebp+8]
004010EB E8 14030000 call four.00401404
004010F0 E9 A2000000 jmp four.00401197
004010F5 6A 30 push 30
004010F7 68 D1334000 push four.004033D1 ; ASCII "-=[ Unlock Code Error"
004010FC 68 E7334000 push four.004033E7 ; ASCII "You have entered an invalid Unlock Code.
Please try again."
0040138B 55 push ebp
0040138C 8BEC mov ebp,esp
0040138E 83EC 04 sub esp,4
00401391 FF75 0C push dword ptr ss:[ebp+C]
00401394 E8 DD000000 call <jmp.&kernel32.lstrlenA>
00401399 8945 FC mov dword ptr ss:[ebp-4],eax
0040139C 837D FC 01 cmp dword ptr ss:[ebp-4],1 //Ulock code 位数大于1
004013A0 77 16 ja short four.004013B8
004013A2 6A 30 push 30
004013A4 68 D1334000 push four.004033D1 ; ASCII "-=[ Unlock Code Error"
004013A9 68 E7334000 push four.004033E7 ; ASCII "You have entered an invalid Unlock Code.
Please try again."
//////////////////////////////////////////////////////////////////////////////////////////////////////
//关键CALL
//////////////////////////////////////////////////////////////////////////////////////////////////////
004013AE FF75 08 push dword ptr ss:[ebp+8]
004013B1 E8 EA000000 call <jmp.&user32.MessageBoxA>
004013B6 EB 48 jmp short four.00401400
004013B8 8B75 0C mov esi,dword ptr ss:[ebp+C]
004013BB 33C0 xor eax,eax
004013BD 33DB xor ebx,ebx
004013BF 8B4D FC mov ecx,dword ptr ss:[ebp-4]
004013C2 8A06 mov al,byte ptr ds:[esi] ; // 取Unlock code 到AL
004013C4 BB 9D2F0000 mov ebx,2F9D //常数2F9D
004013C9 32C3 xor al,bl //al^=0x9d
004013CB 32C7 xor al,bh //al^=0x2f
004013CD 8806 mov byte ptr ds:[esi],al ; //al保存在[esi] 最后在内存中看到 83 80 81 86 87 记为数组code[]
004013CF 46 inc esi
004013D0 49 dec ecx
004013D1 ^ 75 EF jnz short four.004013C2
004013D3 B8 A5114000 mov eax,four.004011A5
004013D8 B9 EC124000 mov ecx,four.004012EC
004013DD 2BC8 sub ecx,eax
004013DF 33DB xor ebx,ebx
004013E1 8A1418 mov dl,byte ptr ds:[eax+ebx] //常量数组第一个元素到dl,设为data[0]
004013E4 50 push eax
004013E5 33C0 xor eax,eax
004013E7 51 push ecx
004013E8 8B4D FC mov ecx,dword ptr ss:[ebp-4] //unlock code 的位数到ecx
004013EB 8B75 0C mov esi,dword ptr ss:[ebp+C] //上面unlock code经过处理后的各位到esi
004013EE 3216 xor dl,byte ptr ds:[esi] //dl^=code[i];
004013F0 46 inc esi
004013F1 49 dec ecx
004013F2 ^ 75 FA jnz short four.004013EE //循环
004013F4 59 pop ecx
004013F5 58 pop eax
004013F6 881418 mov byte ptr ds:[eax+ebx],dl
004013F9 43 inc ebx
004013FA 49 dec ecx
004013FB 83F9 00 cmp ecx,0
004013FE ^ 75 E1 jnz short four.004013E1 //循环
00401400 C9 leave
00401401 C2 0800 retn 8
//////////////////////////////////////////////////////////////////////////////////////////////////////
//用数据格式转换得到data1[] 感谢zhanshen[DFCG][RCT]
//////////////////////////////////////////////////////////////////////////////////////////////////////
data1[]={
0xC3, 0x1D, 0x7A, 0x7E, 0x5C, 0x97, 0x96, 0x96, 0xFC, 0x87,
0xFE, 0xDE, 0xA2, 0xD6, 0x96, 0xFE, 0x7C, 0x95, 0x96, 0x96,
0x69, 0xE3, 0x9E, 0x7E, 0x45, 0x94, 0x96, 0x96, 0x15, 0x6E,
0x97, 0xEB, 0x83, 0xFC, 0x96, 0xFE, 0x95, 0xA6, 0xD6, 0x96,
0xFE, 0x9F, 0xA6, 0xD6, 0x96, 0xFC, 0x96, 0x7E, 0x51, 0x94,
0x96, 0x96, 0x7D, 0xF4, 0x15, 0x6E, 0x86, 0xE8, 0x83, 0xFC,
0x96, 0xFE, 0x95, 0xA6, 0xD6, 0x96, 0xFE, 0x9F, 0xA6, 0xD6,
0x96, 0xFC, 0x96, 0x7E, 0x3B, 0x94, 0x96, 0x96, 0x7D, 0xDE,
0x7E, 0xD1, 0x96, 0x96, 0x96, 0xFE, 0xDE, 0xA2, 0xD6, 0x96,
0x7E, 0xE4, 0x94, 0x96, 0x96, 0xC6, 0x7E, 0x1C, 0x96, 0x96,
0x96, 0xFC, 0x87, 0xFE, 0xAE, 0xA2, 0xD6, 0x96, 0xFE, 0x7D,
0x95, 0x96, 0x96, 0x69, 0xE3, 0x9E, 0x7E, 0xE0, 0x94, 0x96,
0x96, 0x15, 0x6E, 0x97, 0xEB, 0x83, 0xFC, 0x96, 0xFE, 0x95,
0xA6, 0xD6, 0x96, 0xFE, 0xA5, 0xA6, 0xD6, 0x96, 0xFC, 0x96,
0x7E, 0xFC, 0x94, 0x96, 0x96, 0x7D, 0x93, 0x7E, 0x7B, 0x96,
0x96, 0x96, 0x5F, 0x54, 0x92, 0x96, 0x28, 0xDE, 0xA2, 0xD6,
0x96, 0x29, 0xCE, 0xA2, 0xD6, 0x96, 0x2F, 0x86, 0x96, 0x96,
0x96, 0x1D, 0x8B, 0xA2, 0xA2, 0xD6, 0x96, 0x1C, 0x90, 0xAA,
0x96, 0xE3, 0x9F, 0x16, 0x6F, 0x96, 0xE3, 0x94, 0x26, 0xAF,
0x1C, 0x57, 0xA4, 0x55, 0x10, 0x49, 0xA4, 0x55, 0xC6, 0x7E,
0x91, 0x96, 0x96, 0x96, 0x1E, 0x91, 0xD0, 0xD1, 0x74, 0x49,
0x55, 0xC3, 0x1D, 0x7A, 0x1C, 0xD3, 0x9E, 0xA4, 0x93, 0x58,
0xA5, 0xD6, 0x96, 0xA4, 0x93, 0x59, 0xA5, 0xD6, 0x96, 0xA4,
0x93, 0x46, 0xA5, 0xD6, 0x96, 0x5F, 0x54, 0x92, 0x96, 0xC3,
0x1D, 0x7A, 0x15, 0x52, 0x6A, 0x28, 0xDE, 0xA2, 0xD6, 0x96,
0x29, 0xCE, 0xA2, 0xD6, 0x96, 0x2F, 0x86, 0x96, 0x96, 0x96,
0x50, 0xD3, 0x69, 0x96, 0x1C, 0x90, 0xAA, 0x96, 0xE3, 0x94,
0x26, 0xA9, 0x60, 0x77, 0xC7, 0xA5, 0x5F, 0x1D, 0xDB, 0x9E,
0x1C, 0xCA, 0xA7, 0x69, 0xA4, 0x55, 0xDF, 0xE3, 0x61, 0xCF,
0x1C, 0xCB, 0x69, 0x16, 0x6D, 0x97, 0xEA, 0x91, 0xB2, 0x66,
0x56, 0x7E, 0x92, 0x7D, 0x94, 0xB2, 0x99, 0x60, 0x4D, 0x1E,
0xCB, 0x69, 0xAA, 0x9F, 0xE8, 0x94, 0x92, 0x91, 0x92, 0xA6,
0x1E, 0x91, 0xD1, 0xD0, 0x74, 0x54, 0x5F}
//////////////////////////////////////////////////////////////////////////////////////////////////////
//关键call可以用c语言表示如下:
//////////////////////////////////////////////////////////////////////////////////////////////////////
#include<stdio.h>
#include<string.h>
void main()
{
char ulockcode[32]={0};
int code[32]={0};
int data[]={
0xC3, 0x1D, 0x7A, 0x7E, 0x5C, 0x97, 0x96, 0x96, 0xFC, 0x87,
0xFE, 0xDE, 0xA2, 0xD6, 0x96, 0xFE, 0x7C, 0x95, 0x96, 0x96,
0x69, 0xE3, 0x9E, 0x7E, 0x45, 0x94, 0x96, 0x96, 0x15, 0x6E,
0x97, 0xEB, 0x83, 0xFC, 0x96, 0xFE, 0x95, 0xA6, 0xD6, 0x96,
0xFE, 0x9F, 0xA6, 0xD6, 0x96, 0xFC, 0x96, 0x7E, 0x51, 0x94,
0x96, 0x96, 0x7D, 0xF4, 0x15, 0x6E, 0x86, 0xE8, 0x83, 0xFC,
0x96, 0xFE, 0x95, 0xA6, 0xD6, 0x96, 0xFE, 0x9F, 0xA6, 0xD6,
0x96, 0xFC, 0x96, 0x7E, 0x3B, 0x94, 0x96, 0x96, 0x7D, 0xDE,
0x7E, 0xD1, 0x96, 0x96, 0x96, 0xFE, 0xDE, 0xA2, 0xD6, 0x96,
0x7E, 0xE4, 0x94, 0x96, 0x96, 0xC6, 0x7E, 0x1C, 0x96, 0x96,
0x96, 0xFC, 0x87, 0xFE, 0xAE, 0xA2, 0xD6, 0x96, 0xFE, 0x7D,
0x95, 0x96, 0x96, 0x69, 0xE3, 0x9E, 0x7E, 0xE0, 0x94, 0x96,
0x96, 0x15, 0x6E, 0x97, 0xEB, 0x83, 0xFC, 0x96, 0xFE, 0x95,
0xA6, 0xD6, 0x96, 0xFE, 0xA5, 0xA6, 0xD6, 0x96, 0xFC, 0x96,
0x7E, 0xFC, 0x94, 0x96, 0x96, 0x7D, 0x93, 0x7E, 0x7B, 0x96,
0x96, 0x96, 0x5F, 0x54, 0x92, 0x96, 0x28, 0xDE, 0xA2, 0xD6,
0x96, 0x29, 0xCE, 0xA2, 0xD6, 0x96, 0x2F, 0x86, 0x96, 0x96,
0x96, 0x1D, 0x8B, 0xA2, 0xA2, 0xD6, 0x96, 0x1C, 0x90, 0xAA,
0x96, 0xE3, 0x9F, 0x16, 0x6F, 0x96, 0xE3, 0x94, 0x26, 0xAF,
0x1C, 0x57, 0xA4, 0x55, 0x10, 0x49, 0xA4, 0x55, 0xC6, 0x7E,
0x91, 0x96, 0x96, 0x96, 0x1E, 0x91, 0xD0, 0xD1, 0x74, 0x49,
0x55, 0xC3, 0x1D, 0x7A, 0x1C, 0xD3, 0x9E, 0xA4, 0x93, 0x58,
0xA5, 0xD6, 0x96, 0xA4, 0x93, 0x59, 0xA5, 0xD6, 0x96, 0xA4,
0x93, 0x46, 0xA5, 0xD6, 0x96, 0x5F, 0x54, 0x92, 0x96, 0xC3,
0x1D, 0x7A, 0x15, 0x52, 0x6A, 0x28, 0xDE, 0xA2, 0xD6, 0x96,
0x29, 0xCE, 0xA2, 0xD6, 0x96, 0x2F, 0x86, 0x96, 0x96, 0x96,
0x50, 0xD3, 0x69, 0x96, 0x1C, 0x90, 0xAA, 0x96, 0xE3, 0x94,
0x26, 0xA9, 0x60, 0x77, 0xC7, 0xA5, 0x5F, 0x1D, 0xDB, 0x9E,
0x1C, 0xCA, 0xA7, 0x69, 0xA4, 0x55, 0xDF, 0xE3, 0x61, 0xCF,
0x1C, 0xCB, 0x69, 0x16, 0x6D, 0x97, 0xEA, 0x91, 0xB2, 0x66,
0x56, 0x7E, 0x92, 0x7D, 0x94, 0xB2, 0x99, 0x60, 0x4D, 0x1E,
0xCB, 0x69, 0xAA, 0x9F, 0xE8, 0x94, 0x92, 0x91, 0x92, 0xA6,
0x1E, 0x91, 0xD1, 0xD0, 0x74, 0x54, 0x5F};
int i,j,l;
long al,bl,ebx=0x2f9d,eax=0,edx=0;
gets(ulockcode);
l=strlen(ulockcode);
for(i=0;i<l;i++)
{
al=ulockcode[i];
al^=(ebx&0xff);
al^=(ebx/0xff);
code[i]=al;
}
for(i=0;i<0x147;i++)
{ bl=data[i];
for(j=0;j<l;j++)
bl^=code[j];
data[i]=bl;
}
j=0;
for(i=0;i<0x147;i++)
{
printf("%X,",data[i]);
j++;
if(j%0x10==0)
printf("\n");
}
getch();
}
//////////////////////////////////////////////////////////////////////////////////////////////////////
//关键比较
//////////////////////////////////////////////////////////////////////////////////////////////////////
004010C9 BB A5114000 mov ebx,four.004011A5
004010CE 813B 558BECE8 cmp dword ptr ds:[ebx],E8EC8B55
004010D4 75 1F jnz short four.004010F5
004010D6 817B 04 CA010000 cmp dword ptr ds:[ebx+4],1CA
004010DD 75 16 jnz short four.004010F5
004010DF 817B 08 6A116848 cmp dword ptr ds:[ebx+8],4868116A
004010E6 75 0D jnz short four.004010F5
004010E8 FF75 08 push dword ptr ss:[ebp+8]
我输入的unlock code 为 123456
得到新的data2[]如下
123456
C4,1A,7D,79,5B,90,91,91,FB,80,F9,D9,A5,D1,91,F9,
7B,92,91,91,6E,E4,99,79,42,93,91,91,12,69,90,EC,
84,FB,91,F9,92,A1,D1,91,F9,98,A1,D1,91,FB,91,79,
56,93,91,91,7A,F3,12,69,81,EF,84,FB,91,F9,92,A1,
D1,91,F9,98,A1,D1,91,FB,91,79,3C,93,91,91,7A,D9,
79,D6,91,91,91,F9,D9,A5,D1,91,79,E3,93,91,91,C1,
79,1B,91,91,91,FB,80,F9,A9,A5,D1,91,F9,7A,92,91,
91,6E,E4,99,79,E7,93,91,91,12,69,90,EC,84,FB,91,
F9,92,A1,D1,91,F9,A2,A1,D1,91,FB,91,79,FB,93,91,
91,7A,94,79,7C,91,91,91,58,53,95,91,2F,D9,A5,D1,
91,2E,C9,A5,D1,91,28,81,91,91,91,1A,8C,A5,A5,D1,
91,1B,97,AD,91,E4,98,11,68,91,E4,93,21,A8,1B,50,
A3,52,17,4E,A3,52,C1,79,96,91,91,91,19,96,D7,D6,
73,4E,52,C4,1A,7D,1B,D4,99,A3,94,5F,A2,D1,91,A3,
94,5E,A2,D1,91,A3,94,41,A2,D1,91,58,53,95,91,C4,
1A,7D,12,55,6D,2F,D9,A5,D1,91,2E,C9,A5,D1,91,28,
81,91,91,91,57,D4,6E,91,1B,97,AD,91,E4,93,21,AE,
67,70,C0,A2,58,1A,DC,99,1B,CD,A0,6E,A3,52,D8,E4,
66,C8,1B,CC,6E,11,6A,90,ED,96,B5,61,51,79,95,7A,
93,B5,9E,67,4A,19,CC,6E,AD,98,EF,93,95,96,95,A1,
19,96,D6,D7,73,53,58,
验证
data[3]-data[0]组成 797d1ac4 要等于 E8EC8B55
data[7]-data[4]组成 9191905B 要等于 1ca
data[11]-data[8]组成D9F980FB 要等于 4868116A
下面进行简单的求逆
我假设ulock code 就一位设为X(好计算)
只要能使计算后的 data2[3]==E8
就可以通过上面三个验证了
data1[3]^data2[3]=E8
data2[3]=data1[3]^E8
=7E^E8=96
data2[3]^=0x2f;
data2[3]^=0x9d;
得到data2[3]=24;
为 字符 $
就可以得到一位的unlock code
输入 $ 改了 上面判断 unlock code 位数直接跳过 可以验证成功
因为相同的两个数异或等与0
0与任何数异或等于任何数
所以
for(i=0;i<0x147;i++)
{ bl=data[i];
for(j=0;j<l;j++)
bl^=code[j];
data[i]=bl;
}
中循环异或
我在Unlock code 中加入两位相同的数 满足位数的判断
99$
那两位经过
计算之后不影响最后计算结果
我很菜只能用这种办法算出 可以通过的Ulock code
蛮搞笑的 99美元~~~~~~~~~~~~也可以是9999美元哦~~~~
//////////////////////////////////////////////////////////////////////////////////////////////////////
//第2步:注册码分析
//////////////////////////////////////////////////////////////////////////////////////////////////////
004011C1 83F8 01 cmp eax,1
004011C4 7D 15 jge short four.004011DB
004011C6 6A 00 push 0
004011C8 68 03304000 push four.00403003 ; ASCII "Error"
004011CD 68 09304000 push four.00403009 ; ASCII "Your name must be between 1 and 16 bytes!"
004011D2 6A 00 push 0
004011D4 E8 C7020000 call <jmp.&user32.MessageBoxA>
004011D9 EB 62 jmp short four.0040123D
004011DB 83F8 10 cmp eax,10
004011DE 7E 15 jle short four.004011F5
004011E0 6A 00 push 0
004011E2 68 03304000 push four.00403003 ; ASCII "Error"
004011E7 68 09304000 push four.00403009 ; ASCII "Your name must be between 1 and 16 bytes!"
004011EC 6A 00 push 0
004011EE E8 AD020000 call <jmp.&user32.MessageBoxA>
004011F3 EB 48 jmp short four.0040123D
004011F5 E8 47000000 call four.00401241 //关键CALL1
004011FA 68 48344000 push four.00403448 ; ASCII "insist"
004011FF E8 72020000 call <jmp.&kernel32.lstrlenA>
00401204 50 push eax
00401205 E8 8A000000 call four.00401294 //关键CALL2
0040120A 6A 11 push 11
0040120C 68 38344000 push four.00403438
00401211 68 EB030000 push 3EB
00401216 FF75 08 push dword ptr ss:[ebp+8]
00401219 E8 76020000 call <jmp.&user32.GetDlgItemTextA>
0040121E 83F8 01 cmp eax,1
00401221 7D 15 jge short four.00401238
00401223 6A 00 push 0
00401225 68 03304000 push four.00403003 ; ASCII "Error"
0040122A 68 33304000 push four.00403033 ; ASCII "Your serial must be at least one byte!"
0040122F 6A 00 push 0
00401231 E8 6A020000 call <jmp.&user32.MessageBoxA>
00401236 EB 05 jmp short four.0040123D
00401238 E8 ED000000 call four.0040132A
0040123D C9 leave
//////////////////////////////////////////////////////////////////////////////////////////////////////
//关键CALL1
//////////////////////////////////////////////////////////////////////////////////////////////////////
00401241 BE 48344000 mov esi,four.00403448 ; ASCII "insist"
00401246 BF 58344000 mov edi,four.00403458
0040124B B9 10000000 mov ecx,10
00401250 8B1D 34344000 mov ebx,dword ptr ds:[403434] //常数到EBX
00401256 8A06 mov al,byte ptr ds:[esi]
00401258 3C 00 cmp al,0
0040125A 75 09 jnz short four.00401265
0040125C 80F9 00 cmp cl,0
0040125F 75 02 jnz short four.00401263
00401261 B0 39 mov al,39
00401263 8AC1 mov al,cl
00401265 32C3 xor al,bl
00401267 86DF xchg bh,bl
00401269 32C3 xor al,bl
0040126B 50 push eax
0040126C E8 07000000 call four.00401278
00401271 8807 mov byte ptr ds:[edi],al
00401273 46 inc esi
00401274 47 inc edi
00401275 ^ E2 DF loopd short four.00401256
00401277 C3 retn
00401278 55 push ebp
00401279 8BEC mov ebp,esp
0040127B 8A45 08 mov al,byte ptr ss:[ebp+8]
0040127E 3205 CE334000 xor al,byte ptr ds:[4033CE]
00401284 3205 CF334000 xor al,byte ptr ds:[4033CF]
0040128A 3205 D0334000 xor al,byte ptr ds:[4033D0]
00401290 C9 leave
00401291 C2 0400 retn 4
CALL1的算法如下
void main()
{
char data[]={0};
int bl=5,bh=1,temp,l,i,ecx=0x10,al;
gets(data);
l=strlen(data);
for(i=0;i<0x10;i++)
{
al=data[i];
if(i>=l)
al=0;
if(al==0)
{
if(ecx==0)
al=0x39;
al=ecx;
}
al^=bl;
temp=bl;
bl=bh;
bh=temp;
al^=bl;
al^=0x67;//(0xef^0x4f^0xc7);
printf("%x,",al);
ecx--;
}
getch();
}
分析了半天CALL1最后既然与算法没关系....
//////////////////////////////////////////////////////////////////////////////////////////////////////
//关键CALL2
//////////////////////////////////////////////////////////////////////////////////////////////////////
00401294 55 push ebp
00401295 8BEC mov ebp,esp
00401297 83C4 FC add esp,-4
0040129A BE 48344000 mov esi,four.00403448 ; ASCII "insist"
0040129F BF 58344000 mov edi,four.00403458
004012A4 B9 10000000 mov ecx,10
004012A9 C645 FF 00 mov byte ptr ss:[ebp-1],0
004012AD 8A06 mov al,byte ptr ds:[esi]
004012AF 3C 00 cmp al,0
004012B1 75 02 jnz short four.004012B5
004012B3 B0 3F mov al,3F
004012B5 F6E1 mul cl
004012B7 51 push ecx
004012B8 33C9 xor ecx,ecx
004012BA 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
004012BD 8A5C31 FF mov bl,byte ptr ds:[ecx+esi-1]
004012C1 32C3 xor al,bl
004012C3 49 dec ecx
004012C4 ^ 75 F7 jnz short four.004012BD
004012C6 59 pop ecx
004012C7 8A5D FF mov bl,byte ptr ss:[ebp-1]
004012CA 80FB 01 cmp bl,1
004012CD 7C 07 jl short four.004012D6
004012CF 24 F0 and al,0F0
004012D1 C0E8 04 shr al,4
004012D4 EB 02 jmp short four.004012D8
004012D6 24 0F and al,0F
004012D8 F6DB neg bl
004012DA 885D FF mov byte ptr ss:[ebp-1],bl
004012DD 3C 09 cmp al,9
004012DF 7E 02 jle short four.004012E3
004012E1 04 07 add al,7
004012E3 04 30 add al,30
004012E5 8807 mov byte ptr ds:[edi],al
004012E7 47 inc edi
004012E8 46 inc esi
004012E9 ^ E2 C2 loopd short four.004012AD
004012EB C9 leave
004012EC C2 0400 retn 4
真正注册算法在CALL2.............
--------------------------------------------------------------------------------
【经验总结】
keygen代码如下
代码都是CALL2照抄的......
#include<stdio.h>
#include<string.h>
void main()
{
char data[20]={0};
int al,ecx=0x10,i,l,ebp=0,j,k=16,cl;
gets(data);
l=strlen(data);
cl=l;
//用户名大于6位小于16位
for(i=0;i<0x10;i++)
{
al=data[i];
if(al==0)
al=0x3f;
al*=ecx;
al&=0xff;
for(j=cl-1;j>=cl-l;j--)
al^=data[j];
cl++;
if(ebp>=1)
{
al&=0xf0;
al>>=4;
}
else
al&=0xf;
if(al>9)
al+=7;
al+=0x30;
data[k++]=al;
printf("%c",al);
ecx--;
}
getch();
}
测试了几个基本可以通过....
如果有失误的地方请大家指出.........谢谢......
分析的蛮久的,最可怜的是今天要上9节课.........只能在课间努力....呵呵.......
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年04月14日 17:18:03
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
