; ---------------------------------------------------------------------------
; 00483918 -- OllyDbg listing of the code-decoding routine (verifier side).
; Presumably a Borland-style register convention (consistent with the fs:[0]
; try/finally frame and the string helpers called here): eax = code string,
; edx = key string, ecx = mode flag, [ebp+8] = output string (written at
; 00483AF2). The author traced the call with ecx = 0, so only the decode path
; starting at 00483A2F runs; the 004839CD loop formats bytes as hex instead.
; Locals: [ebp-4] code, [ebp-8] key, [ebp-C] key length, [ebp-10] output
; string, [ebp-14] 1-based position in code, [ebp-18] decoded value,
; [ebp-1C] loop counter, [ebp-24]/[ebp-20] argument record for the "%1.2x"
; formatter, [ebp-28]..[ebp-3C] temporary strings.
; The C# pseudocode following the listing mirrors the 00483A66 loop.
; ---------------------------------------------------------------------------
00483918 /$ 55 push ebp ; standard frame
00483919 |. 8BEC mov ebp, esp
0048391B |. 83C4 C4 add esp, -3C ; 0x3C bytes of locals
0048391E |. 53 push ebx ; save callee-saved registers
0048391F |. 56 push esi
00483920 |. 57 push edi
00483921 |. 33DB xor ebx, ebx
00483923 |. 895D C4 mov dword ptr [ebp-3C], ebx ; zero the temp-string locals (presumably so the finally block at 00483B0A can release them unconditionally)
00483926 |. 895D CC mov dword ptr [ebp-34], ebx
00483929 |. 895D C8 mov dword ptr [ebp-38], ebx
0048392C |. 895D D4 mov dword ptr [ebp-2C], ebx
0048392F |. 895D D0 mov dword ptr [ebp-30], ebx
00483932 |. 895D D8 mov dword ptr [ebp-28], ebx
00483935 |. 895D F0 mov dword ptr [ebp-10], ebx ; [ebp-10] = output string, starts empty
00483938 |. 8BD9 mov ebx, ecx ; ebx = mode flag; author: ecx is 0 on the traced call, so ebx = 0
0048393A |. 8955 F8 mov dword ptr [ebp-8], edx ; [ebp-8] = key
0048393D |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = code
00483940 |. 8B45 FC mov eax, dword ptr [ebp-4]
00483943 |. E8 C00BF8FF call 00404508 ; unannotated helper applied to both string args -- likely a string AddRef/copy, TODO confirm
00483948 |. 8B45 F8 mov eax, dword ptr [ebp-8]
0048394B |. E8 B80BF8FF call 00404508
00483950 |. 33C0 xor eax, eax ; eax = 0 so fs:[eax] below is fs:[0]
00483952 |. 55 push ebp ; install the exception frame: saved ebp, handler 00483B2D, previous fs:[0]
00483953 |. 68 2D3B4800 push 00483B2D
00483958 |. 64:FF30 push dword ptr fs:[eax]
0048395B |. 64:8920 mov dword ptr fs:[eax], esp ; fs:[0] = this frame; unwound at 00483AFD
0048395E |. 8B45 F8 mov eax, dword ptr [ebp-8] ; key
00483961 |. E8 B209F8FF call 00404318 ; key length (author's annotation; 00404318 is also used for the code length below)
00483966 |. 8945 F4 mov dword ptr [ebp-C], eax ; [ebp-C] = keylen
00483969 |. 837D F4 00 cmp dword ptr [ebp-C], 0
0048396D |. 75 0D jnz short 0048397C ; if the key length is 0 the key is set to the string "UnPack.Cn"; author: the empty-key case already branched away earlier, so the next three instructions cannot execute here
0048396F |. 8D45 F8 lea eax, dword ptr [ebp-8]
00483972 |. BA 483B4800 mov edx, 00483B48 ; ASCII "UnPack.Cn"
00483977 |. E8 7407F8FF call 004040F0 ; [ebp-8] := "UnPack.Cn" (presumably string assign)
0048397C |> 33F6 xor esi, esi ; esi = key index; cycles through 1..keylen in both loops
0048397E |. BF 00010000 mov edi, 100 ; edi = 0x100: bound for the random call below / "previous byte" in the loops
00483983 |. 84DB test bl, bl ; author: certainly 0 here, so the jump is taken, because ecx was 0 when the arguments were passed
00483985 |. 0F84 A4000000 je 00483A2F ; bl == 0 -> decode path
0048398B |. E8 D4F0F7FF call 00402A64 ; generator path (not taken in the trace): unannotated helper, possibly seeds the RNG -- TODO confirm
00483990 |. 8BC7 mov eax, edi
00483992 |. E8 71F3F7FF call 00402D08 ; presumably random value below 0x100 (cf. the random first byte in the keygen)
00483997 |. 8BF8 mov edi, eax ; edi = first byte
00483999 |. 8D45 F0 lea eax, dword ptr [ebp-10]
0048399C |. 50 push eax ; /Arg1 = destination string [ebp-10]
0048399D |. 897D DC mov dword ptr [ebp-24], edi ; | argument record: value
004839A0 |. C645 E0 00 mov byte ptr [ebp-20], 0 ; | argument record: type tag 0 (looks like an integer variant tag -- confirm)
004839A4 |. 8D55 DC lea edx, dword ptr [ebp-24] ; | edx = &record
004839A7 |. 33C9 xor ecx, ecx ; | ecx = 0 (presumably index of the last argument)
004839A9 |. B8 5C3B4800 mov eax, 00483B5C ; |ASCII "%1.2x" -> two lowercase hex digits
004839AE |. E8 A557F8FF call 00409158 ; \CrackMe_.00409158  format helper: [ebp-10] = hex(edi)
004839B3 |. 8B45 FC mov eax, dword ptr [ebp-4]
004839B6 |. E8 5D09F8FF call 00404318 ; eax = length(code)
004839BB |. 85C0 test eax, eax
004839BD |. 0F8E 2F010000 jle 00483AF2 ; empty code -> straight to the epilogue
004839C3 |. 8945 E4 mov dword ptr [ebp-1C], eax ; [ebp-1C] = remaining count
004839C6 |. C745 EC 01000>mov dword ptr [ebp-14], 1 ; [ebp-14] = 1-based position
004839CD |> 8B45 FC /mov eax, dword ptr [ebp-4]
004839D0 |. 8B55 EC |mov edx, dword ptr [ebp-14]
004839D3 |. 0FB64410 FF |movzx eax, byte ptr [eax+edx-1] ; eax = code[pos-1]
004839D8 |. 03C7 |add eax, edi ; + previous byte
004839DA |. B9 FF000000 |mov ecx, 0FF
004839DF |. 99 |cdq ; sign-extend for idiv; eax is non-negative here (zero-extended byte + value < 0x100)
004839E0 |. F7F9 |idiv ecx ; edx = (code[pos-1] + prev) mod 0xFF, i.e. 0..0xFE
004839E2 |. 8BDA |mov ebx, edx
004839E4 |. 3B75 F4 |cmp esi, dword ptr [ebp-C] ; advance key index: esi = (esi >= keylen) ? 1 : esi + 1   (signed compare; values are small)
004839E7 |. 7D 03 |jge short 004839EC
004839E9 |. 46 |inc esi
004839EA |. EB 05 |jmp short 004839F1
004839EC |> BE 01000000 |mov esi, 1
004839F1 |> 8B45 F8 |mov eax, dword ptr [ebp-8]
004839F4 |. 0FB64430 FF |movzx eax, byte ptr [eax+esi-1] ; eax = key[esi-1]
004839F9 |. 33D8 |xor ebx, eax ; ebx ^= key byte
004839FB |. 8D45 D8 |lea eax, dword ptr [ebp-28]
004839FE |. 50 |push eax ; /Arg1 = temp string [ebp-28]
004839FF |. 895D DC |mov dword ptr [ebp-24], ebx ; | record value = ebx
00483A02 |. C645 E0 00 |mov byte ptr [ebp-20], 0 ; |
00483A06 |. 8D55 DC |lea edx, dword ptr [ebp-24] ; |
00483A09 |. 33C9 |xor ecx, ecx ; |
00483A0B |. B8 5C3B4800 |mov eax, 00483B5C ; |ASCII "%1.2x"
00483A10 |. E8 4357F8FF |call 00409158 ; \CrackMe_.00409158  [ebp-28] = hex(ebx)
00483A15 |. 8B55 D8 |mov edx, dword ptr [ebp-28]
00483A18 |. 8D45 F0 |lea eax, dword ptr [ebp-10]
00483A1B |. E8 0009F8FF |call 00404320 ; [ebp-10] += [ebp-28] (presumably string concat; same helper as at 00483AD6)
00483A20 |. 8BFB |mov edi, ebx ; chain: next byte depends on this one
00483A22 |. FF45 EC |inc dword ptr [ebp-14] ; pos++
00483A25 |. FF4D E4 |dec dword ptr [ebp-1C]
00483A28 |.^ 75 A3 \jnz short 004839CD ; loop over every code byte
00483A2A |. E9 C3000000 jmp 00483AF2
00483A2F |> 8D45 D0 lea eax, dword ptr [ebp-30] ; decode path (taken): eax = &temp string [ebp-30]
00483A32 |. 50 push eax
00483A33 |. B9 02000000 mov ecx, 2 ; length
00483A38 |. BA 01000000 mov edx, 1 ; position (1-based)
00483A3D |. 8B45 FC mov eax, dword ptr [ebp-4]
00483A40 |. E8 330BF8FF call 00404578 ; take the substring of code at the given position and length -> [ebp-30] = code[0..1]
00483A45 |. 8B4D D0 mov ecx, dword ptr [ebp-30]
00483A48 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
00483A4B |. BA 6C3B4800 mov edx, 00483B6C ; constant string at 00483B6C (not shown; presumably a hex prefix for the conversion below -- confirm)
00483A50 |. E8 0F09F8FF call 00404364 ; [ebp-2C] = str(00483B6C) + [ebp-30] (presumably concat)
00483A55 |. 8B45 D4 mov eax, dword ptr [ebp-2C]
00483A58 |. E8 7F4AF8FF call 004084DC ; presumably text -> integer; the pseudocode models this as byte.Parse(..., HexNumber)
00483A5D |. 8BF8 mov edi, eax ; edi = temp[0] (previous group)
00483A5F |. C745 EC 03000>mov dword ptr [ebp-14], 3 ; pos = 3: second two-character group
00483A66 |> 8D45 C8 /lea eax, dword ptr [ebp-38]
00483A69 |. 50 |push eax
00483A6A |. B9 02000000 |mov ecx, 2
00483A6F |. 8B55 EC |mov edx, dword ptr [ebp-14]
00483A72 |. 8B45 FC |mov eax, dword ptr [ebp-4]
00483A75 |. E8 FE0AF8FF |call 00404578 ; [ebp-38] = code[pos-1..pos]
00483A7A |. 8B4D C8 |mov ecx, dword ptr [ebp-38]
00483A7D |. 8D45 CC |lea eax, dword ptr [ebp-34]
00483A80 |. BA 6C3B4800 |mov edx, 00483B6C
00483A85 |. E8 DA08F8FF |call 00404364 ; same prefix + group
00483A8A |. 8B45 CC |mov eax, dword ptr [ebp-34]
00483A8D |. E8 4A4AF8FF |call 004084DC ; convert
00483A92 |. 8BD8 |mov ebx, eax ; ebx = temp[i] (current group)
00483A94 |. 3B75 F4 |cmp esi, dword ptr [ebp-C] ; advance key index exactly as in the first loop: 1..keylen
00483A97 |. 7D 03 |jge short 00483A9C
00483A99 |. 46 |inc esi
00483A9A |. EB 05 |jmp short 00483AA1
00483A9C |> BE 01000000 |mov esi, 1
00483AA1 |> 8B45 F8 |mov eax, dword ptr [ebp-8]
00483AA4 |. 0FB64430 FF |movzx eax, byte ptr [eax+esi-1] ; key byte
00483AA9 |. 33C3 |xor eax, ebx ; key ^ code group
00483AAB |. 8945 E8 |mov dword ptr [ebp-18], eax ; x = key ^ temp[i]
00483AAE |. 3B7D E8 |cmp edi, dword ptr [ebp-18] ; signed compare prev (temp[i-1]) with x
00483AB1 |. 7C 0F |jl short 00483AC2 ; prev < x  -> x -= prev
00483AB3 |. 8B45 E8 |mov eax, dword ptr [ebp-18] ; else       -> x = x + 0xFF - prev
00483AB6 |. 05 FF000000 |add eax, 0FF ; note the modulus is 0xFF, not 0x100: the result is 0 only when x == 0 and prev == 0xFF, so output values 0 and 0xFF otherwise collide
00483ABB |. 2BC7 |sub eax, edi
00483ABD |. 8945 E8 |mov dword ptr [ebp-18], eax
00483AC0 |. EB 03 |jmp short 00483AC5
00483AC2 |> 297D E8 |sub dword ptr [ebp-18], edi
00483AC5 |> 8D45 C4 |lea eax, dword ptr [ebp-3C]
00483AC8 |. 8B55 E8 |mov edx, dword ptr [ebp-18]
00483ACB |. E8 7007F8FF |call 00404240 ; [ebp-3C] = one-character string from the value in edx (presumably; cf. the (byte) cast in the pseudocode)
00483AD0 |. 8B55 C4 |mov edx, dword ptr [ebp-3C]
00483AD3 |. 8D45 F0 |lea eax, dword ptr [ebp-10]
00483AD6 |. E8 4508F8FF |call 00404320 ; [ebp-10] += that character
00483ADB |. 8BFB |mov edi, ebx ; prev = temp[i]
00483ADD |. 8345 EC 02 |add dword ptr [ebp-14], 2 ; next two-character group
00483AE1 |. 8B45 FC |mov eax, dword ptr [ebp-4]
00483AE4 |. E8 2F08F8FF |call 00404318 ; eax = length(code)
00483AE9 |. 3B45 EC |cmp eax, dword ptr [ebp-14]
00483AEC |.^ 0F8F 74FFFFFF \jg 00483A66 ; while length(code) > pos (signed); a trailing odd character is ignored by the substring helper
00483AF2 |> 8B45 08 mov eax, dword ptr [ebp+8] ; output parameter
00483AF5 |. 8B55 F0 mov edx, dword ptr [ebp-10]
00483AF8 |. E8 AF05F8FF call 004040AC ; *[ebp+8] := [ebp-10] (presumably string assign)
00483AFD |. 33C0 xor eax, eax ; unwind the exception frame pushed at 00483952
00483AFF |. 5A pop edx ; previous fs:[0]
00483B00 |. 59 pop ecx ; handler address
00483B01 |. 59 pop ecx ; saved ebp
00483B02 |. 64:8910 mov dword ptr fs:[eax], edx ; restore fs:[0]
00483B05 |. 68 343B4800 push 00483B34 ; continuation address; the finally block below ends with retn, which returns to 00483B34
00483B0A |> 8D45 C4 lea eax, dword ptr [ebp-3C] ; finally block (also reached via the handler 00483B2D): release the six temp strings [ebp-3C]..[ebp-28]
00483B0D |. BA 06000000 mov edx, 6
00483B12 |. E8 6505F8FF call 0040407C ; presumably finalize edx consecutive string slots
00483B17 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00483B1A |. E8 3905F8FF call 00404058 ; release the output string local
00483B1F |. 8D45 F8 lea eax, dword ptr [ebp-8]
00483B22 |. BA 02000000 mov edx, 2 ; release the two copies: key [ebp-8] and code [ebp-4]
00483B27 |. E8 5005F8FF call 0040407C
00483B2C \. C3 retn ; to 00483B34 (pushed above), not to the caller directly
上面那段循环不大好描述,还是看看它的伪代码形式吧。
// Verifier side, reconstructed from the 00483A2F decode path above.
//   code    : the entered code as hex text, codelen = code.Length
//   key     : the key string, keylen = key.Length (the listing cycles the key index 1..keylen)
//   temp[i] : the i-th two-character group of code parsed as a byte (edi/ebx in the listing)
//   result  : one byte shorter than temp, because each output mixes temp[i] with temp[i-1]
byte[] temp = new byte[codelen/2];
byte[] result = new byte[codelen/2 - 1];
for ( int i = 0 ; i < temp.Length ; i++ )
{
temp[i] = byte.Parse( code.Substring( 2*i,2),System.Globalization.NumberStyles.HexNumber);
}
for ( int i = 1 ; i < temp.Length ; i++ )
{
// key byte cycles through the key (00483A94..00483AA9): index (i-1) % keylen
result[i-1] = (byte)( key[(i-1) % keylen] ^ temp[i] );
// wrap-around subtraction of the previous group (00483AAE..00483AC2). The effective
// modulus is 0xFF, so an output of 0 is only reachable when temp[i-1] == 0xFF and the
// XOR result is 0; in every other case 0 and 0xFF collide.
if ( temp[i-1] < result[i-1] )
{
result[i-1] = (byte)(result[i-1] - temp[i-1]);
}
else
{
result[i-1] = (byte)(result[i-1] + 0xFF - temp[i-1]) ;
}
}
把我们输入的code两两一组按照十六进制字符串形式转换成数组,然后把这个数组和通过key得到的数组进行运算,得到一个数组作为结果。
; ---------------------------------------------------------------------------
; 00483C3C -- seed/XOR transform over a byte string (32-bit seed).
; Register args (presumably Borland-style): eax = input string (edi),
; edx = initial seed (esi), ecx = multiplier ([ebp-4]); stack args:
; [ebp+8] = pointer to the output string, [ebp+C] = addend.
; Per byte: out = in ^ byte(seed >> 8); seed = (seed + in) * mult + addend.
; The C# pseudocode after the listing mirrors this loop.
; ---------------------------------------------------------------------------
00483C3C /$ 55 push ebp
00483C3D |. 8BEC mov ebp, esp
00483C3F |. 83C4 F4 add esp, -0C ; locals: [ebp-C] temp string, [ebp-5] byte counter, [ebp-4] multiplier
00483C42 |. 53 push ebx
00483C43 |. 56 push esi
00483C44 |. 57 push edi
00483C45 |. 33DB xor ebx, ebx
00483C47 |. 895D F4 mov dword ptr [ebp-C], ebx ; temp string = empty
00483C4A |. 894D FC mov dword ptr [ebp-4], ecx ; [ebp-4] = multiplier
00483C4D |. 8BF2 mov esi, edx ; esi = seed
00483C4F |. 8BF8 mov edi, eax ; edi = input string
00483C51 |. 33C0 xor eax, eax ; exception frame (handler 00483CCA), unwound at 00483CB4
00483C53 |. 55 push ebp
00483C54 |. 68 CA3C4800 push 00483CCA
00483C59 |. 64:FF30 push dword ptr fs:[eax]
00483C5C |. 64:8920 mov dword ptr fs:[eax], esp
00483C5F |. 8B45 08 mov eax, dword ptr [ebp+8]
00483C62 |. E8 F103F8FF call 00404058 ; clear the output string (same helper the other routines use to release string locals)
00483C67 |. 8BC7 mov eax, edi
00483C69 |. E8 AA06F8FF call 00404318 ; length of the input string (author: the result of the previous call, i.e. the decoded byte array)
00483C6E |. 84C0 test al, al ; author: length of the result array. Only the LOW BYTE of the length is used here and in the counter below, so inputs of 256+ bytes would be processed modulo 256
00483C70 |. 76 42 jbe short 00483CB4 ; (CF is 0 after test, so jbe == je) empty -> skip the loop
00483C72 |. 8845 FB mov byte ptr [ebp-5], al ; byte-sized loop counter
00483C75 |. B3 01 mov bl, 1 ; bl = 1-based index
00483C77 |> 8D45 F4 /lea eax, dword ptr [ebp-C]
00483C7A |. 33D2 |xor edx, edx
00483C7C |. 8AD3 |mov dl, bl ; edx = index (zero-extended)
00483C7E |. 8A5417 FF |mov dl, byte ptr [edi+edx-1] ; dl = in[index-1]
00483C82 |. 8BCE |mov ecx, esi
00483C84 |. C1E9 08 |shr ecx, 8 ; cl = bits 8..15 of the seed
00483C87 |. 32D1 |xor dl, cl ; dl = in ^ byte(seed >> 8); upper bytes of edx are 0
00483C89 |. E8 B205F8FF |call 00404240 ; [ebp-C] = one-character string from edx (presumably)
00483C8E |. 8B55 F4 |mov edx, dword ptr [ebp-C]
00483C91 |. 8B45 08 |mov eax, dword ptr [ebp+8]
00483C94 |. E8 8706F8FF |call 00404320 ; *[ebp+8] += that character (presumably string concat)
00483C99 |. 8B45 08 |mov eax, dword ptr [ebp+8] ; dead load: eax is zeroed on the next line (compiler artifact)
00483C9C |. 33C0 |xor eax, eax
00483C9E |. 8AC3 |mov al, bl
00483CA0 |. 0FB64407 FF |movzx eax, byte ptr [edi+eax-1] ; eax = in[index-1] -- the ORIGINAL input byte, not the transformed one
00483CA5 |. 03F0 |add esi, eax ; seed += in
00483CA7 |. 0FAF75 FC |imul esi, dword ptr [ebp-4] ; seed *= multiplier (32-bit wrap)
00483CAB |. 0375 0C |add esi, dword ptr [ebp+C] ; seed += addend
00483CAE |. 43 |inc ebx
00483CAF |. FE4D FB |dec byte ptr [ebp-5]
00483CB2 |.^ 75 C3 \jnz short 00483C77
00483CB4 |> 33C0 xor eax, eax ; unwind the exception frame
00483CB6 |. 5A pop edx
00483CB7 |. 59 pop ecx
00483CB8 |. 59 pop ecx
00483CB9 |. 64:8910 mov dword ptr fs:[eax], edx
00483CBC |. 68 D13C4800 push 00483CD1 ; continuation address for the finally block
00483CC1 |> 8D45 F4 lea eax, dword ptr [ebp-C] ; finally: release the temp string
00483CC4 |. E8 8F03F8FF call 00404058
00483CC9 \. C3 retn ; returns to 00483CD1
// Second stage, reconstructed from 00483C3C above: the key text parsed as a decimal
// integer serves as initial seed (edx), multiplier (ecx) and addend ([ebp+C]) at once.
// `result` here is the byte array produced by the decode stage. The listing counts
// with a byte, so it runs result.Length mod 256 iterations; this loop assumes < 256.
int key = int.Parse(tbKey.Text);
for ( int i = 0 ,key0 = key; i < result.Length ; i++ )
{
int k = result[i] ; // original byte, needed for the seed update after result[i] is overwritten
result[i] = (byte)(result[i] ^ (key0>>8) ); // only bits 8..15 of the seed reach the byte (xor dl, cl)
key0 = ( k + key0 ) * key + key ; // default unchecked int arithmetic matches the 32-bit imul/add wrap
}
; ---------------------------------------------------------------------------
; 00483B70 -- seed/XOR transform over a byte string, 64-bit seed variant.
; Register args (presumably Borland-style): eax = input string ([ebp-4]),
; edx = pointer to the output string (esi; dereferenced at 00483BEE);
; stack args, each a 64-bit pair: [ebp+8:C] addend, [ebp+10:14] multiplier,
; [ebp+18:1C] seed (updated in place in its argument slot).
; Per byte: out = in ^ byte(seed >> 8); seed = (seed + OUT) * mult + addend.
; Differs from 00483C3C in that the seed update reads the transformed byte
; back from the output string. The C# pseudocode after the listing mirrors it.
; ---------------------------------------------------------------------------
00483B70 /$ 55 push ebp
00483B71 |. 8BEC mov ebp, esp
00483B73 |. 83C4 F4 add esp, -0C ; locals: [ebp-C] temp string, [ebp-5] byte counter, [ebp-4] input string
00483B76 |. 53 push ebx
00483B77 |. 56 push esi
00483B78 |. 57 push edi
00483B79 |. 33C9 xor ecx, ecx
00483B7B |. 894D F4 mov dword ptr [ebp-C], ecx ; temp string = empty
00483B7E |. 8BF2 mov esi, edx ; esi = &output string
00483B80 |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = input string
00483B83 |. 33C0 xor eax, eax ; exception frame (handler 00483C2A), unwound at 00483C14
00483B85 |. 55 push ebp
00483B86 |. 68 2A3C4800 push 00483C2A
00483B8B |. 64:FF30 push dword ptr fs:[eax]
00483B8E |. 64:8920 mov dword ptr fs:[eax], esp
00483B91 |. 8BC6 mov eax, esi
00483B93 |. E8 C004F8FF call 00404058 ; clear the output string
00483B98 |. 8B45 FC mov eax, dword ptr [ebp-4]
00483B9B |. E8 7807F8FF call 00404318 ; eax = length(input)
00483BA0 |. 84C0 test al, al ; low byte of the length only (same truncation as 00483C3C)
00483BA2 |. 76 70 jbe short 00483C14 ; empty -> skip the loop
00483BA4 |. 8845 FB mov byte ptr [ebp-5], al ; byte-sized counter
00483BA7 |. B3 01 mov bl, 1 ; bl = 1-based index
00483BA9 |> 8BFB /mov edi, ebx
00483BAB |. 81E7 FF000000 |and edi, 0FF ; edi = index, masked to a byte
00483BB1 |. 8B45 FC |mov eax, dword ptr [ebp-4]
00483BB4 |. 0FB64438 FF |movzx eax, byte ptr [eax+edi-1] ; eax = in[index-1]
00483BB9 |. 33D2 |xor edx, edx
00483BBB |. 52 |push edx ; push the byte as a 64-bit value (high dword 0, low dword eax)
00483BBC |. 50 |push eax
00483BBD |. 8B45 18 |mov eax, dword ptr [ebp+18] ; edx:eax = seed
00483BC0 |. 8B55 1C |mov edx, dword ptr [ebp+1C]
00483BC3 |. 0FACD0 08 |shrd eax, edx, 8 ; 64-bit logical shift right by 8
00483BC7 |. C1EA 08 |shr edx, 8
00483BCA |. 330424 |xor eax, dword ptr [esp] ; (seed >> 8) ^ byte, 64-bit
00483BCD |. 335424 04 |xor edx, dword ptr [esp+4]
00483BD1 |. 83C4 08 |add esp, 8 ; drop the pushed pair
00483BD4 |. 8BD0 |mov edx, eax ; low dword is what the character helper consumes
00483BD6 |. 8D45 F4 |lea eax, dword ptr [ebp-C]
00483BD9 |. E8 6206F8FF |call 00404240 ; [ebp-C] = one-character string from edx (presumably)
00483BDE |. 8B55 F4 |mov edx, dword ptr [ebp-C]
00483BE1 |. 8BC6 |mov eax, esi
00483BE3 |. E8 3807F8FF |call 00404320 ; *esi += that character
00483BE8 |. FF75 14 |push dword ptr [ebp+14] ; push the 64-bit multiplier for the call below
00483BEB |. FF75 10 |push dword ptr [ebp+10]
00483BEE |. 8B06 |mov eax, dword ptr [esi] ; eax = output string
00483BF0 |. 0FB64438 FF |movzx eax, byte ptr [eax+edi-1] ; eax = out[index-1] -- the byte just written, not the input byte
00483BF5 |. 33D2 |xor edx, edx
00483BF7 |. 0345 18 |add eax, dword ptr [ebp+18] ; edx:eax = seed + out (64-bit add)
00483BFA |. 1355 1C |adc edx, dword ptr [ebp+1C]
00483BFD |. E8 8E13F8FF |call 00404F90 ; presumably 64-bit multiply of edx:eax by the pushed multiplier -- TODO confirm
00483C02 |. 0345 08 |add eax, dword ptr [ebp+8] ; + addend (64-bit)
00483C05 |. 1355 0C |adc edx, dword ptr [ebp+C]
00483C08 |. 8945 18 |mov dword ptr [ebp+18], eax ; store the new seed back into the argument slot
00483C0B |. 8955 1C |mov dword ptr [ebp+1C], edx
00483C0E |. 43 |inc ebx
00483C0F |. FE4D FB |dec byte ptr [ebp-5]
00483C12 |.^ 75 95 \jnz short 00483BA9
00483C14 |> 33C0 xor eax, eax ; unwind the exception frame
00483C16 |. 5A pop edx
00483C17 |. 59 pop ecx
00483C18 |. 59 pop ecx
00483C19 |. 64:8910 mov dword ptr fs:[eax], edx
00483C1C |. 68 313C4800 push 00483C31 ; continuation address for the finally block
00483C21 |> 8D45 F4 lea eax, dword ptr [ebp-C] ; finally: release the temp string
00483C24 |. E8 2F04F8FF call 00404058
00483C29 \. C3 retn ; returns to 00483C31
// Name transform, reconstructed from 00483B70 above: constants 0x14 (seed), 0x64
// (multiplier) and 0xC8 (addend). The listing keeps the seed as a 64-bit value; this int
// version yields the same bytes because only bits 8..15 of the seed are consumed and the
// low 32 bits of (k + b) * 0x64 + 0xC8 depend only on the low 32 bits of k.
int k = 0x14 ;
for ( int i = 0 ; i < namelen ; i++ )
{
result[i] = (byte)(names[i] ^ (k>>8)); // name byte XOR low byte of (seed >> 8)
k = ( result[i] + k ) * 0x64 + 0xC8 ; // seed update uses the OUTPUT byte, as the listing reads it back from the output string (00483BEE)
}
; ---------------------------------------------------------------------------
; 00483C3C -- same 32-bit seed/XOR routine already listed earlier in the post,
; repeated by the author next to its second use (seed 0x14, multiplier 0x64,
; addend 0xC8 per the pseudocode that follows).
; Args (presumably Borland-style): eax = input string (edi), edx = seed (esi),
; ecx = multiplier ([ebp-4]); [ebp+8] = &output string, [ebp+C] = addend.
; Per byte: out = in ^ byte(seed >> 8); seed = (seed + IN) * mult + addend.
; ---------------------------------------------------------------------------
00483C3C /$ 55 push ebp
00483C3D |. 8BEC mov ebp, esp
00483C3F |. 83C4 F4 add esp, -0C ; locals: [ebp-C] temp string, [ebp-5] byte counter, [ebp-4] multiplier
00483C42 |. 53 push ebx
00483C43 |. 56 push esi
00483C44 |. 57 push edi
00483C45 |. 33DB xor ebx, ebx
00483C47 |. 895D F4 mov dword ptr [ebp-C], ebx ; temp string = empty
00483C4A |. 894D FC mov dword ptr [ebp-4], ecx ; multiplier
00483C4D |. 8BF2 mov esi, edx ; seed
00483C4F |. 8BF8 mov edi, eax ; input string
00483C51 |. 33C0 xor eax, eax ; exception frame (handler 00483CCA)
00483C53 |. 55 push ebp
00483C54 |. 68 CA3C4800 push 00483CCA
00483C59 |. 64:FF30 push dword ptr fs:[eax]
00483C5C |. 64:8920 mov dword ptr fs:[eax], esp
00483C5F |. 8B45 08 mov eax, dword ptr [ebp+8]
00483C62 |. E8 F103F8FF call 00404058 ; clear the output string
00483C67 |. 8BC7 mov eax, edi
00483C69 |. E8 AA06F8FF call 00404318 ; length of the input (author: the result of the previous call)
00483C6E |. 84C0 test al, al ; author: length of the result array -- only its low byte is used, so lengths >= 256 wrap
00483C70 |. 76 42 jbe short 00483CB4 ; empty -> skip
00483C72 |. 8845 FB mov byte ptr [ebp-5], al ; byte-sized counter
00483C75 |. B3 01 mov bl, 1 ; 1-based index
00483C77 |> 8D45 F4 /lea eax, dword ptr [ebp-C]
00483C7A |. 33D2 |xor edx, edx
00483C7C |. 8AD3 |mov dl, bl
00483C7E |. 8A5417 FF |mov dl, byte ptr [edi+edx-1] ; dl = in[index-1]
00483C82 |. 8BCE |mov ecx, esi
00483C84 |. C1E9 08 |shr ecx, 8 ; cl = bits 8..15 of the seed
00483C87 |. 32D1 |xor dl, cl ; out byte
00483C89 |. E8 B205F8FF |call 00404240 ; one-character string from edx (presumably)
00483C8E |. 8B55 F4 |mov edx, dword ptr [ebp-C]
00483C91 |. 8B45 08 |mov eax, dword ptr [ebp+8]
00483C94 |. E8 8706F8FF |call 00404320 ; append to the output string
00483C99 |. 8B45 08 |mov eax, dword ptr [ebp+8] ; dead load, overwritten by the xor below
00483C9C |. 33C0 |xor eax, eax
00483C9E |. 8AC3 |mov al, bl
00483CA0 |. 0FB64407 FF |movzx eax, byte ptr [edi+eax-1] ; original input byte (contrast 00483B70, which reads the output)
00483CA5 |. 03F0 |add esi, eax ; seed = (seed + in) * mult + addend, 32-bit wrap
00483CA7 |. 0FAF75 FC |imul esi, dword ptr [ebp-4]
00483CAB |. 0375 0C |add esi, dword ptr [ebp+C]
00483CAE |. 43 |inc ebx
00483CAF |. FE4D FB |dec byte ptr [ebp-5]
00483CB2 |.^ 75 C3 \jnz short 00483C77
00483CB4 |> 33C0 xor eax, eax ; unwind the exception frame
00483CB6 |. 5A pop edx
00483CB7 |. 59 pop ecx
00483CB8 |. 59 pop ecx
00483CB9 |. 64:8910 mov dword ptr fs:[eax], edx
00483CBC |. 68 D13C4800 push 00483CD1 ; continuation address for the finally block
00483CC1 |> 8D45 F4 lea eax, dword ptr [ebp-C] ; finally: release the temp string
00483CC4 |. E8 8F03F8FF call 00404058
00483CC9 \. C3 retn ; returns to 00483CD1
// Second instance of the 00483C3C transform (listed directly above) with fixed constants:
// seed 0x14, multiplier 0x64, addend 0xc8. Unlike the 00483B70 variant, the seed update
// here uses the ORIGINAL byte k, because the listing reads it from the input string (edi).
int key = 0x14;
for ( int i = 0 ,key0 = key; i < namelen ; i++ )
{
int k = result[i] ; // keep the input byte before it is overwritten
result[i] = (byte)(result[i] ^ (key0>>8)); // XOR with bits 8..15 of the seed
key0 = ( k + key0 ) * 0x64 + 0xc8 ; // 32-bit wrap, matching imul/add in the listing
}
注册机源码
// Keygen as posted by the author (WinForms: tbKey, tbName, tbCode are text boxes).
byte[] keys = System.Text.Encoding.Default.GetBytes( tbKey.Text ); // key as bytes, for the per-byte XOR of the decode stage
int key = int.Parse(tbKey.Text); // key as an integer, for the seed stage -- so the key text must be numeric
byte[] temp = System.Text.Encoding.Default.GetBytes(tbName.Text); // name bytes, transformed in place below
byte[] result = new byte[temp.Length + 1]; // code bytes: one free lead byte plus one per name byte
// Apply the 00483C3C seed/XOR transform to the name; the keygen assumes temp now holds the
// bytes the decode stage (00483A2F) has to reproduce.
for ( int i = 0 , key0 = key ; i < temp.Length ; i++ )
{
temp[i] = (byte)( temp[i] ^ ( key0 >> 8));
key0 = ( temp[i] + key0 ) * key + key ; // NOTE(review): uses the transformed byte, whereas 00483C3C reads the original input byte -- confirm which the verifier's caller relies on
}
Random rnd = new Random();
rnd.NextBytes(result); // fills every slot; only result[0] stays random, the others are overwritten below
for ( int i = 1 ; i < result.Length ; i++ )
{
// inverse of the verifier's wrap-around subtraction (00483AAE..00483AC2), modulus 0xFF
int k = temp[i-1] + result[i-1];
if ( k >= 0xFF )
{
k = k - 0xFF ;
}
// NOTE(review): if temp[i-1] == 0 and result[i-1] != 0xFF, the verifier's else-branch
// (00483AB3) yields 0xFF instead of 0 for this position, because 0 and 0xFF collide in
// its modulus-0xFF arithmetic; such a code would not round-trip.
temp[i-1] = (byte)k;
result[i] = (byte)(temp[i-1] ^ keys[(i-1)%keys.Length]) ; // undo the key XOR: the verifier computes key[(i-1) % keylen] ^ temp[i]
}
tbCode.Text = string.Empty;
for ( int i = 0 ; i < result.Length ; i++ )
{
tbCode.Text += result[i].ToString("X2"); // two hex digits per byte; the verifier parses each pair with NumberStyles.HexNumber
}
通过分析我们知道,code的长度应该是name长度的两倍再加上2 。code的前两位字符可以随机取值,code不同的前两位字符取值会导致后若干位字符的不同。即使key取相同的值,唯一的用户名还是可以对应很多组不同的code.