-
-
[原创]vxin'CrackMe #05 v1.2 算法简析 + 注册机源码
-
2007-5-15 11:04
-
【文章标题】: vxin'CrackMe #05 v1.2 算法简析
【文章作者】: hawking
【作者邮箱】: [EMAIL="rich_hawking@hotmail.com"]rich_hawking@hotmail.com[/EMAIL]
【下载地址】: 自己搜索下载
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
关于这个CrackMe的其它部分就不多说了,我们直接分析其算法部分
。
00483CDC /$ 55 push ebp ; GetKey按钮处理例程
00483CDD |. 8BEC mov ebp, esp
00483CDF |. 83C4 F0 add esp, -10
00483CE2 |. 53 push ebx
00483CE3 |. 56 push esi
00483CE4 |. 57 push edi
00483CE5 |. 33C0 xor eax, eax
00483CE7 |. 8945 F0 mov dword ptr [ebp-10], eax
00483CEA |. 8945 F4 mov dword ptr [ebp-C], eax
00483CED |. BF F0824800 mov edi, 004882F0
00483CF2 |. 33C0 xor eax, eax
00483CF4 |. 55 push ebp
00483CF5 |. 68 9E3D4800 push 00483D9E
00483CFA |. 64:FF30 push dword ptr fs:[eax]
00483CFD |. 64:8920 mov dword ptr fs:[eax], esp
00483D00 |. 8B07 mov eax, dword ptr [edi]
00483D02 |. E8 31B0FBFF call 0043ED38
00483D07 |. 50 push eax ; /hWnd
00483D08 |. E8 7F2BF8FF call <jmp.&user32.GetDC> ; \GetDC
00483D0D |. 8945 F8 mov dword ptr [ebp-8], eax
00483D10 |. 66:B8 C8AF mov ax, 0AFC8
00483D14 |. E8 DFF9FFFF call 004836F8 ; 生成随机数
00483D19 |. 0FB7F0 movzx esi, ax
00483D1C |. 85F6 test esi, esi
00483D1E |. 7C 41 jl short 00483D61
00483D20 |. 46 inc esi ; 刚刚生成的随机数再加1 这就是最终显示出来的key值了
00483D21 |> 8D55 F4 /lea edx, dword ptr [ebp-C]
00483D24 |. 8B07 |mov eax, dword ptr [edi]
00483D26 |. 8B80 08030000 |mov eax, dword ptr [eax+308]
00483D2C |. E8 1F48FBFF |call 00438550
00483D31 |. 8B45 F4 |mov eax, dword ptr [ebp-C]
00483D34 |. E8 A347F8FF |call 004084DC
00483D39 |. 8BD8 |mov ebx, eax
00483D3B |. 43 |inc ebx ; 递增key值 通过这个循环造成key递增显示的效果
00483D3C |. 8D55 F0 |lea edx, dword ptr [ebp-10]
00483D3F |. 8BC3 |mov eax, ebx
00483D41 |. E8 2A46F8FF |call 00408370
00483D46 |. 8B55 F0 |mov edx, dword ptr [ebp-10]
00483D49 |. 8B07 |mov eax, dword ptr [edi]
00483D4B |. 8B80 08030000 |mov eax, dword ptr [eax+308]
00483D51 |. E8 2A48FBFF |call 00438580
00483D56 |. 8B07 |mov eax, dword ptr [edi]
00483D58 |. 8998 30030000 |mov dword ptr [eax+330], ebx ; 注意这里 这个地址保存了key最终的值
00483D5E |. 4E |dec esi
00483D5F |.^ 75 C0 \jnz short 00483D21
00483D61 |> 8B07 mov eax, dword ptr [edi]
00483D63 |. 8B80 2C030000 mov eax, dword ptr [eax+32C]
00483D69 |. 50 push eax ; /hEvent
00483D6A |. E8 8D26F8FF call <jmp.&kernel32.SetEvent> ; \SetEvent
00483D6F |. 8B45 F8 mov eax, dword ptr [ebp-8]
00483D72 |. 50 push eax
00483D73 |. 8B07 mov eax, dword ptr [edi]
00483D75 |. E8 BEAFFBFF call 0043ED38
00483D7A |. 50 push eax ; |hWnd
00483D7B |. E8 8C2DF8FF call <jmp.&user32.ReleaseDC> ; \ReleaseDC
00483D80 |. 33C0 xor eax, eax
00483D82 |. 5A pop edx
00483D83 |. 59 pop ecx
00483D84 |. 59 pop ecx
00483D85 |. 64:8910 mov dword ptr fs:[eax], edx
00483D88 |. 68 A53D4800 push 00483DA5
00483D8D |> 8D45 F0 lea eax, dword ptr [ebp-10]
00483D90 |. E8 C302F8FF call 00404058
00483D95 |. 8D45 F4 lea eax, dword ptr [ebp-C]
00483D98 |. E8 BB02F8FF call 00404058
00483D9D \. C3 retn
00483DC3 . 53 push ebx ; Check按钮例程
00483DC4 . 56 push esi
00483DC5 . 57 push edi
00483DC6 . 8BD8 mov ebx, eax
00483DC8 . 33C0 xor eax, eax
00483DCA . 55 push ebp
00483DCB . 68 A13F4800 push 00483FA1
00483DD0 . 64:FF30 push dword ptr fs:[eax]
00483DD3 . 64:8920 mov dword ptr fs:[eax], esp
00483DD6 . 33C0 xor eax, eax
00483DD8 . 55 push ebp
00483DD9 . 68 2B3F4800 push 00483F2B
00483DDE . 64:FF30 push dword ptr fs:[eax]
00483DE1 . 64:8920 mov dword ptr fs:[eax], esp
00483DE4 . 8D55 FC lea edx, dword ptr [ebp-4]
00483DE7 . 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
00483DED . E8 5E47FBFF call 00438550 ; 取name字符串
00483DF2 . 8B45 FC mov eax, dword ptr [ebp-4]
00483DF5 . E8 1E05F8FF call 00404318 ; name长度
00483DFA . 83F8 03 cmp eax, 3
00483DFD . 0F8E 1E010000 jle 00483F21 ; 不能小于等于3
00483E03 . 8D55 F8 lea edx, dword ptr [ebp-8]
00483E06 . 8B83 08030000 mov eax, dword ptr [ebx+308]
00483E0C . E8 3F47FBFF call 00438550 ; 取key字符串
00483E11 . 837D F8 00 cmp dword ptr [ebp-8], 0
00483E15 . 0F84 06010000 je 00483F21 ; 不能为空
00483E1B . A1 F0824800 mov eax, dword ptr [4882F0]
00483E20 . 8BB0 30030000 mov esi, dword ptr [eax+330] ; 还记得吗 这个地址保存的是key的数值
00483E26 . 56 push esi
00483E27 . 8D45 F4 lea eax, dword ptr [ebp-C]
00483E2A . 50 push eax
00483E2B . 8D45 F0 lea eax, dword ptr [ebp-10]
00483E2E . 50 push eax
00483E2F . 8D55 EC lea edx, dword ptr [ebp-14] ; 下面call结果指向的地址
00483E32 . 8B83 08030000 mov eax, dword ptr [ebx+308]
00483E38 . E8 1347FBFF call 00438550 ; 取key字符串
00483E3D . 8B45 EC mov eax, dword ptr [ebp-14]
00483E40 . 50 push eax
00483E41 . 8D55 E8 lea edx, dword ptr [ebp-18]
00483E44 . 8B83 F8020000 mov eax, dword ptr [ebx+2F8]
00483E4A . E8 0147FBFF call 00438550 ; 取输入的code字符串
00483E4F . 8B45 E8 mov eax, dword ptr [ebp-18] ; code
00483E52 . 33C9 xor ecx, ecx ; 0
00483E54 . 5A pop edx ; key
00483E55 . E8 BEFAFFFF call 00483918 ; 对key和code作运算
00483E5A . 8B45 F0 mov eax, dword ptr [ebp-10]
00483E5D . 8BCE mov ecx, esi ; key值
00483E5F . 8BD6 mov edx, esi ; key值
00483E61 . E8 D6FDFFFF call 00483C3C ; 对刚刚得到的结果继续进行运算
00483E66 . 8B45 F4 mov eax, dword ptr [ebp-C]
00483E69 . 50 push eax
00483E6A . 68 C8000000 push 0C8
00483E6F . 8D45 E4 lea eax, dword ptr [ebp-1C]
00483E72 . 50 push eax
00483E73 . 6A 00 push 0
00483E75 . 6A 14 push 14
00483E77 . 6A 00 push 0
00483E79 . 6A 64 push 64
00483E7B . 6A 00 push 0
00483E7D . 68 C8000000 push 0C8
00483E82 . 8D55 DC lea edx, dword ptr [ebp-24]
00483E85 . 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
00483E8B . E8 C046FBFF call 00438550 ; 取name字符串
00483E90 . 8B45 DC mov eax, dword ptr [ebp-24]
00483E93 . 8D55 E0 lea edx, dword ptr [ebp-20]
00483E96 . E8 D5FCFFFF call 00483B70 ; 对name进行运算
00483E9B . 8B45 E0 mov eax, dword ptr [ebp-20]
00483E9E . B9 64000000 mov ecx, 64
00483EA3 . BA 14000000 mov edx, 14
00483EA8 . E8 8FFDFFFF call 00483C3C ; 对刚刚得到的结果继续进行运算
00483EAD . 8B55 E4 mov edx, dword ptr [ebp-1C]
00483EB0 . 58 pop eax
00483EB1 . E8 AE05F8FF call 00404464 ; 比较两次运算的结果
00483EB6 . 75 69 jnz short 00483F21 ; 结果相同则成功 跳转的话则失败 爆破点
00483EB8 . 8B83 10030000 mov eax, dword ptr [ebx+310]
00483EBE . 33D2 xor edx, edx
00483EC0 . 8B08 mov ecx, dword ptr [eax]
00483EC2 . FF51 64 call dword ptr [ecx+64]
00483EC5 . 8D55 D4 lea edx, dword ptr [ebp-2C]
00483EC8 . A1 D4604800 mov eax, dword ptr [4860D4]
00483ECD . E8 5AF8FFFF call 0048372C
00483ED2 . FF75 D4 push dword ptr [ebp-2C]
00483ED5 . 8D55 D0 lea edx, dword ptr [ebp-30]
00483ED8 . 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
00483EDE . E8 6D46FBFF call 00438550
00483EE3 . FF75 D0 push dword ptr [ebp-30]
00483EE6 . 8D55 CC lea edx, dword ptr [ebp-34]
00483EE9 . A1 DC604800 mov eax, dword ptr [4860DC]
00483EEE . E8 39F8FFFF call 0048372C
00483EF3 . FF75 CC push dword ptr [ebp-34]
00483EF6 . 8D55 C8 lea edx, dword ptr [ebp-38]
00483EF9 . A1 D8604800 mov eax, dword ptr [4860D8]
00483EFE . E8 29F8FFFF call 0048372C
00483F03 . FF75 C8 push dword ptr [ebp-38]
00483F06 . 8D45 D8 lea eax, dword ptr [ebp-28]
00483F09 . BA 04000000 mov edx, 4
00483F0E . E8 C504F8FF call 004043D8
00483F13 . 8B55 D8 mov edx, dword ptr [ebp-28]
00483F16 . 8B83 1C030000 mov eax, dword ptr [ebx+31C]
00483F1C . E8 5F46FBFF call 00438580
00483F21 > 33C0 xor eax, eax
00483F23 . 5A pop edx
00483F24 . 59 pop ecx
00483F25 . 59 pop ecx
00483F26 . 64:8910 mov dword ptr fs:[eax], edx
【文章作者】: hawking
【作者邮箱】: [EMAIL="rich_hawking@hotmail.com"]rich_hawking@hotmail.com[/EMAIL]
【下载地址】: 自己搜索下载
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
关于这个CrackMe的其它部分就不多说了,我们直接分析其算法部分
。00483CDC /$ 55 push ebp ; GetKey按钮处理例程
00483CDD |. 8BEC mov ebp, esp
00483CDF |. 83C4 F0 add esp, -10
00483CE2 |. 53 push ebx
00483CE3 |. 56 push esi
00483CE4 |. 57 push edi
00483CE5 |. 33C0 xor eax, eax
00483CE7 |. 8945 F0 mov dword ptr [ebp-10], eax
00483CEA |. 8945 F4 mov dword ptr [ebp-C], eax
00483CED |. BF F0824800 mov edi, 004882F0
00483CF2 |. 33C0 xor eax, eax
00483CF4 |. 55 push ebp
00483CF5 |. 68 9E3D4800 push 00483D9E
00483CFA |. 64:FF30 push dword ptr fs:[eax]
00483CFD |. 64:8920 mov dword ptr fs:[eax], esp
00483D00 |. 8B07 mov eax, dword ptr [edi]
00483D02 |. E8 31B0FBFF call 0043ED38
00483D07 |. 50 push eax ; /hWnd
00483D08 |. E8 7F2BF8FF call <jmp.&user32.GetDC> ; \GetDC
00483D0D |. 8945 F8 mov dword ptr [ebp-8], eax
00483D10 |. 66:B8 C8AF mov ax, 0AFC8
00483D14 |. E8 DFF9FFFF call 004836F8 ; 生成随机数
00483D19 |. 0FB7F0 movzx esi, ax
00483D1C |. 85F6 test esi, esi
00483D1E |. 7C 41 jl short 00483D61
00483D20 |. 46 inc esi ; 刚刚生成的随机数再加1 这就是最终显示出来的key值了
00483D21 |> 8D55 F4 /lea edx, dword ptr [ebp-C]
00483D24 |. 8B07 |mov eax, dword ptr [edi]
00483D26 |. 8B80 08030000 |mov eax, dword ptr [eax+308]
00483D2C |. E8 1F48FBFF |call 00438550
00483D31 |. 8B45 F4 |mov eax, dword ptr [ebp-C]
00483D34 |. E8 A347F8FF |call 004084DC
00483D39 |. 8BD8 |mov ebx, eax
00483D3B |. 43 |inc ebx ; 递增key值 通过这个循环造成key递增显示的效果
00483D3C |. 8D55 F0 |lea edx, dword ptr [ebp-10]
00483D3F |. 8BC3 |mov eax, ebx
00483D41 |. E8 2A46F8FF |call 00408370
00483D46 |. 8B55 F0 |mov edx, dword ptr [ebp-10]
00483D49 |. 8B07 |mov eax, dword ptr [edi]
00483D4B |. 8B80 08030000 |mov eax, dword ptr [eax+308]
00483D51 |. E8 2A48FBFF |call 00438580
00483D56 |. 8B07 |mov eax, dword ptr [edi]
00483D58 |. 8998 30030000 |mov dword ptr [eax+330], ebx ; 注意这里 这个地址保存了key最终的值
00483D5E |. 4E |dec esi
00483D5F |.^ 75 C0 \jnz short 00483D21
00483D61 |> 8B07 mov eax, dword ptr [edi]
00483D63 |. 8B80 2C030000 mov eax, dword ptr [eax+32C]
00483D69 |. 50 push eax ; /hEvent
00483D6A |. E8 8D26F8FF call <jmp.&kernel32.SetEvent> ; \SetEvent
00483D6F |. 8B45 F8 mov eax, dword ptr [ebp-8]
00483D72 |. 50 push eax
00483D73 |. 8B07 mov eax, dword ptr [edi]
00483D75 |. E8 BEAFFBFF call 0043ED38
00483D7A |. 50 push eax ; |hWnd
00483D7B |. E8 8C2DF8FF call <jmp.&user32.ReleaseDC> ; \ReleaseDC
00483D80 |. 33C0 xor eax, eax
00483D82 |. 5A pop edx
00483D83 |. 59 pop ecx
00483D84 |. 59 pop ecx
00483D85 |. 64:8910 mov dword ptr fs:[eax], edx
00483D88 |. 68 A53D4800 push 00483DA5
00483D8D |> 8D45 F0 lea eax, dword ptr [ebp-10]
00483D90 |. E8 C302F8FF call 00404058
00483D95 |. 8D45 F4 lea eax, dword ptr [ebp-C]
00483D98 |. E8 BB02F8FF call 00404058
00483D9D \. C3 retn
00483DC3 . 53 push ebx ; Check按钮例程
00483DC4 . 56 push esi
00483DC5 . 57 push edi
00483DC6 . 8BD8 mov ebx, eax
00483DC8 . 33C0 xor eax, eax
00483DCA . 55 push ebp
00483DCB . 68 A13F4800 push 00483FA1
00483DD0 . 64:FF30 push dword ptr fs:[eax]
00483DD3 . 64:8920 mov dword ptr fs:[eax], esp
00483DD6 . 33C0 xor eax, eax
00483DD8 . 55 push ebp
00483DD9 . 68 2B3F4800 push 00483F2B
00483DDE . 64:FF30 push dword ptr fs:[eax]
00483DE1 . 64:8920 mov dword ptr fs:[eax], esp
00483DE4 . 8D55 FC lea edx, dword ptr [ebp-4]
00483DE7 . 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
00483DED . E8 5E47FBFF call 00438550 ; 取name字符串
00483DF2 . 8B45 FC mov eax, dword ptr [ebp-4]
00483DF5 . E8 1E05F8FF call 00404318 ; name长度
00483DFA . 83F8 03 cmp eax, 3
00483DFD . 0F8E 1E010000 jle 00483F21 ; 不能小于等于3
00483E03 . 8D55 F8 lea edx, dword ptr [ebp-8]
00483E06 . 8B83 08030000 mov eax, dword ptr [ebx+308]
00483E0C . E8 3F47FBFF call 00438550 ; 取key字符串
00483E11 . 837D F8 00 cmp dword ptr [ebp-8], 0
00483E15 . 0F84 06010000 je 00483F21 ; 不能为空
00483E1B . A1 F0824800 mov eax, dword ptr [4882F0]
00483E20 . 8BB0 30030000 mov esi, dword ptr [eax+330] ; 还记得吗 这个地址保存的是key的数值
00483E26 . 56 push esi
00483E27 . 8D45 F4 lea eax, dword ptr [ebp-C]
00483E2A . 50 push eax
00483E2B . 8D45 F0 lea eax, dword ptr [ebp-10]
00483E2E . 50 push eax
00483E2F . 8D55 EC lea edx, dword ptr [ebp-14] ; 下面call结果指向的地址
00483E32 . 8B83 08030000 mov eax, dword ptr [ebx+308]
00483E38 . E8 1347FBFF call 00438550 ; 取key字符串
00483E3D . 8B45 EC mov eax, dword ptr [ebp-14]
00483E40 . 50 push eax
00483E41 . 8D55 E8 lea edx, dword ptr [ebp-18]
00483E44 . 8B83 F8020000 mov eax, dword ptr [ebx+2F8]
00483E4A . E8 0147FBFF call 00438550 ; 取输入的code字符串
00483E4F . 8B45 E8 mov eax, dword ptr [ebp-18] ; code
00483E52 . 33C9 xor ecx, ecx ; 0
00483E54 . 5A pop edx ; key
00483E55 . E8 BEFAFFFF call 00483918 ; 对key和code作运算
00483E5A . 8B45 F0 mov eax, dword ptr [ebp-10]
00483E5D . 8BCE mov ecx, esi ; key值
00483E5F . 8BD6 mov edx, esi ; key值
00483E61 . E8 D6FDFFFF call 00483C3C ; 对刚刚得到的结果继续进行运算
00483E66 . 8B45 F4 mov eax, dword ptr [ebp-C]
00483E69 . 50 push eax
00483E6A . 68 C8000000 push 0C8
00483E6F . 8D45 E4 lea eax, dword ptr [ebp-1C]
00483E72 . 50 push eax
00483E73 . 6A 00 push 0
00483E75 . 6A 14 push 14
00483E77 . 6A 00 push 0
00483E79 . 6A 64 push 64
00483E7B . 6A 00 push 0
00483E7D . 68 C8000000 push 0C8
00483E82 . 8D55 DC lea edx, dword ptr [ebp-24]
00483E85 . 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
00483E8B . E8 C046FBFF call 00438550 ; 取name字符串
00483E90 . 8B45 DC mov eax, dword ptr [ebp-24]
00483E93 . 8D55 E0 lea edx, dword ptr [ebp-20]
00483E96 . E8 D5FCFFFF call 00483B70 ; 对name进行运算
00483E9B . 8B45 E0 mov eax, dword ptr [ebp-20]
00483E9E . B9 64000000 mov ecx, 64
00483EA3 . BA 14000000 mov edx, 14
00483EA8 . E8 8FFDFFFF call 00483C3C ; 对刚刚得到的结果继续进行运算
00483EAD . 8B55 E4 mov edx, dword ptr [ebp-1C]
00483EB0 . 58 pop eax
00483EB1 . E8 AE05F8FF call 00404464 ; 比较两次运算的结果
00483EB6 . 75 69 jnz short 00483F21 ; 结果相同则成功 跳转的话则失败 爆破点
00483EB8 . 8B83 10030000 mov eax, dword ptr [ebx+310]
00483EBE . 33D2 xor edx, edx
00483EC0 . 8B08 mov ecx, dword ptr [eax]
00483EC2 . FF51 64 call dword ptr [ecx+64]
00483EC5 . 8D55 D4 lea edx, dword ptr [ebp-2C]
00483EC8 . A1 D4604800 mov eax, dword ptr [4860D4]
00483ECD . E8 5AF8FFFF call 0048372C
00483ED2 . FF75 D4 push dword ptr [ebp-2C]
00483ED5 . 8D55 D0 lea edx, dword ptr [ebp-30]
00483ED8 . 8B83 FC020000 mov eax, dword ptr [ebx+2FC]
00483EDE . E8 6D46FBFF call 00438550
00483EE3 . FF75 D0 push dword ptr [ebp-30]
00483EE6 . 8D55 CC lea edx, dword ptr [ebp-34]
00483EE9 . A1 DC604800 mov eax, dword ptr [4860DC]
00483EEE . E8 39F8FFFF call 0048372C
00483EF3 . FF75 CC push dword ptr [ebp-34]
00483EF6 . 8D55 C8 lea edx, dword ptr [ebp-38]
00483EF9 . A1 D8604800 mov eax, dword ptr [4860D8]
00483EFE . E8 29F8FFFF call 0048372C
00483F03 . FF75 C8 push dword ptr [ebp-38]
00483F06 . 8D45 D8 lea eax, dword ptr [ebp-28]
00483F09 . BA 04000000 mov edx, 4
00483F0E . E8 C504F8FF call 004043D8
00483F13 . 8B55 D8 mov edx, dword ptr [ebp-28]
00483F16 . 8B83 1C030000 mov eax, dword ptr [ebx+31C]
00483F1C . E8 5F46FBFF call 00438580
00483F21 > 33C0 xor eax, eax
00483F23 . 5A pop edx
00483F24 . 59 pop ecx
00483F25 . 59 pop ecx
00483F26 . 64:8910 mov dword ptr fs:[eax], edx
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
真的厉害,我的 CM 也比这个简单多了
下次要用 VB 来写才行
|
|
|
00483918 /$ 55 push ebp
00483919 |. 8BEC mov ebp, esp 0048391B |. 83C4 C4 add esp, -3C 0048391E |. 53 push ebx 0048391F |. 56 push esi 00483920 |. 57 push edi 00483921 |. 33DB xor ebx, ebx 00483923 |. 895D C4 mov dword ptr [ebp-3C], ebx 00483926 |. 895D CC mov dword ptr [ebp-34], ebx 00483929 |. 895D C8 mov dword ptr [ebp-38], ebx 0048392C |. 895D D4 mov dword ptr [ebp-2C], ebx 0048392F |. 895D D0 mov dword ptr [ebp-30], ebx 00483932 |. 895D D8 mov dword ptr [ebp-28], ebx 00483935 |. 895D F0 mov dword ptr [ebp-10], ebx 00483938 |. 8BD9 mov ebx, ecx ; ebx = 0 0048393A |. 8955 F8 mov dword ptr [ebp-8], edx ; key 0048393D |. 8945 FC mov dword ptr [ebp-4], eax ; code 00483940 |. 8B45 FC mov eax, dword ptr [ebp-4] 00483943 |. E8 C00BF8FF call 00404508 00483948 |. 8B45 F8 mov eax, dword ptr [ebp-8] 0048394B |. E8 B80BF8FF call 00404508 00483950 |. 33C0 xor eax, eax 00483952 |. 55 push ebp 00483953 |. 68 2D3B4800 push 00483B2D 00483958 |. 64:FF30 push dword ptr fs:[eax] 0048395B |. 64:8920 mov dword ptr fs:[eax], esp 0048395E |. 8B45 F8 mov eax, dword ptr [ebp-8] ; key 00483961 |. E8 B209F8FF call 00404318 ; key长度 00483966 |. 8945 F4 mov dword ptr [ebp-C], eax 00483969 |. 837D F4 00 cmp dword ptr [ebp-C], 0 0048396D |. 75 0D jnz short 0048397C ; 如果key长度为0的话则设key为UnPack.Cn字符串 由于前面key为空的时候已经跳转 所以下面几句不可能被执行 0048396F |. 8D45 F8 lea eax, dword ptr [ebp-8] 00483972 |. BA 483B4800 mov edx, 00483B48 ; ASCII "UnPack.Cn" 00483977 |. E8 7407F8FF call 004040F0 0048397C |> 33F6 xor esi, esi 0048397E |. BF 00010000 mov edi, 100 00483983 |. 84DB test bl, bl ; 这里肯定等于0 跳转成立 因为传入参数的时候 ecx就是0 00483985 |. 0F84 A4000000 je 00483A2F 0048398B |. E8 D4F0F7FF call 00402A64 00483990 |. 8BC7 mov eax, edi 00483992 |. E8 71F3F7FF call 00402D08 00483997 |. 8BF8 mov edi, eax 00483999 |. 8D45 F0 lea eax, dword ptr [ebp-10] 0048399C |. 50 push eax ; /Arg1 0048399D |. 897D DC mov dword ptr [ebp-24], edi ; | 004839A0 |. C645 E0 00 mov byte ptr [ebp-20], 0 ; | 004839A4 |. 8D55 DC lea edx, dword ptr [ebp-24] ; | 004839A7 |. 33C9 xor ecx, ecx ; | 004839A9 |. B8 5C3B4800 mov eax, 00483B5C ; |ASCII "%1.2x" 004839AE |. E8 A557F8FF call 00409158 ; \CrackMe_.00409158 004839B3 |. 8B45 FC mov eax, dword ptr [ebp-4] 004839B6 |. E8 5D09F8FF call 00404318 004839BB |. 85C0 test eax, eax 004839BD |. 0F8E 2F010000 jle 00483AF2 004839C3 |. 8945 E4 mov dword ptr [ebp-1C], eax 004839C6 |. C745 EC 01000>mov dword ptr [ebp-14], 1 004839CD |> 8B45 FC /mov eax, dword ptr [ebp-4] 004839D0 |. 8B55 EC |mov edx, dword ptr [ebp-14] 004839D3 |. 0FB64410 FF |movzx eax, byte ptr [eax+edx-1] 004839D8 |. 03C7 |add eax, edi 004839DA |. B9 FF000000 |mov ecx, 0FF 004839DF |. 99 |cdq 004839E0 |. F7F9 |idiv ecx 004839E2 |. 8BDA |mov ebx, edx 004839E4 |. 3B75 F4 |cmp esi, dword ptr [ebp-C] 004839E7 |. 7D 03 |jge short 004839EC 004839E9 |. 46 |inc esi 004839EA |. EB 05 |jmp short 004839F1 004839EC |> BE 01000000 |mov esi, 1 004839F1 |> 8B45 F8 |mov eax, dword ptr [ebp-8] 004839F4 |. 0FB64430 FF |movzx eax, byte ptr [eax+esi-1] 004839F9 |. 33D8 |xor ebx, eax 004839FB |. 8D45 D8 |lea eax, dword ptr [ebp-28] 004839FE |. 50 |push eax ; /Arg1 004839FF |. 895D DC |mov dword ptr [ebp-24], ebx ; | 00483A02 |. C645 E0 00 |mov byte ptr [ebp-20], 0 ; | 00483A06 |. 8D55 DC |lea edx, dword ptr [ebp-24] ; | 00483A09 |. 33C9 |xor ecx, ecx ; | 00483A0B |. B8 5C3B4800 |mov eax, 00483B5C ; |ASCII "%1.2x" 00483A10 |. E8 4357F8FF |call 00409158 ; \CrackMe_.00409158 00483A15 |. 8B55 D8 |mov edx, dword ptr [ebp-28] 00483A18 |. 8D45 F0 |lea eax, dword ptr [ebp-10] 00483A1B |. E8 0009F8FF |call 00404320 00483A20 |. 8BFB |mov edi, ebx 00483A22 |. FF45 EC |inc dword ptr [ebp-14] 00483A25 |. FF4D E4 |dec dword ptr [ebp-1C] 00483A28 |.^ 75 A3 \jnz short 004839CD 00483A2A |. E9 C3000000 jmp 00483AF2 00483A2F |> 8D45 D0 lea eax, dword ptr [ebp-30] 00483A32 |. 50 push eax 00483A33 |. B9 02000000 mov ecx, 2 ; 长度 00483A38 |. BA 01000000 mov edx, 1 ; 位置 00483A3D |. 8B45 FC mov eax, dword ptr [ebp-4] 00483A40 |. E8 330BF8FF call 00404578 ; 取code字符串中相应长度和位置的子字符串 00483A45 |. 8B4D D0 mov ecx, dword ptr [ebp-30] 00483A48 |. 8D45 D4 lea eax, dword ptr [ebp-2C] 00483A4B |. BA 6C3B4800 mov edx, 00483B6C 00483A50 |. E8 0F09F8FF call 00404364 00483A55 |. 8B45 D4 mov eax, dword ptr [ebp-2C] 00483A58 |. E8 7F4AF8FF call 004084DC 00483A5D |. 8BF8 mov edi, eax 00483A5F |. C745 EC 03000>mov dword ptr [ebp-14], 3 00483A66 |> 8D45 C8 /lea eax, dword ptr [ebp-38] 00483A69 |. 50 |push eax 00483A6A |. B9 02000000 |mov ecx, 2 00483A6F |. 8B55 EC |mov edx, dword ptr [ebp-14] 00483A72 |. 8B45 FC |mov eax, dword ptr [ebp-4] 00483A75 |. E8 FE0AF8FF |call 00404578 00483A7A |. 8B4D C8 |mov ecx, dword ptr [ebp-38] 00483A7D |. 8D45 CC |lea eax, dword ptr [ebp-34] 00483A80 |. BA 6C3B4800 |mov edx, 00483B6C 00483A85 |. E8 DA08F8FF |call 00404364 00483A8A |. 8B45 CC |mov eax, dword ptr [ebp-34] 00483A8D |. E8 4A4AF8FF |call 004084DC 00483A92 |. 8BD8 |mov ebx, eax 00483A94 |. 3B75 F4 |cmp esi, dword ptr [ebp-C] 00483A97 |. 7D 03 |jge short 00483A9C 00483A99 |. 46 |inc esi 00483A9A |. EB 05 |jmp short 00483AA1 00483A9C |> BE 01000000 |mov esi, 1 00483AA1 |> 8B45 F8 |mov eax, dword ptr [ebp-8] 00483AA4 |. 0FB64430 FF |movzx eax, byte ptr [eax+esi-1] ; key 00483AA9 |. 33C3 |xor eax, ebx ; key ^ code 00483AAB |. 8945 E8 |mov dword ptr [ebp-18], eax 00483AAE |. 3B7D E8 |cmp edi, dword ptr [ebp-18] 00483AB1 |. 7C 0F |jl short 00483AC2 00483AB3 |. 8B45 E8 |mov eax, dword ptr [ebp-18] 00483AB6 |. 05 FF000000 |add eax, 0FF 00483ABB |. 2BC7 |sub eax, edi 00483ABD |. 8945 E8 |mov dword ptr [ebp-18], eax 00483AC0 |. EB 03 |jmp short 00483AC5 00483AC2 |> 297D E8 |sub dword ptr [ebp-18], edi 00483AC5 |> 8D45 C4 |lea eax, dword ptr [ebp-3C] 00483AC8 |. 8B55 E8 |mov edx, dword ptr [ebp-18] 00483ACB |. E8 7007F8FF |call 00404240 00483AD0 |. 8B55 C4 |mov edx, dword ptr [ebp-3C] 00483AD3 |. 8D45 F0 |lea eax, dword ptr [ebp-10] 00483AD6 |. E8 4508F8FF |call 00404320 00483ADB |. 8BFB |mov edi, ebx 00483ADD |. 8345 EC 02 |add dword ptr [ebp-14], 2 00483AE1 |. 8B45 FC |mov eax, dword ptr [ebp-4] 00483AE4 |. E8 2F08F8FF |call 00404318 00483AE9 |. 3B45 EC |cmp eax, dword ptr [ebp-14] 00483AEC |.^ 0F8F 74FFFFFF \jg 00483A66 00483AF2 |> 8B45 08 mov eax, dword ptr [ebp+8] 00483AF5 |. 8B55 F0 mov edx, dword ptr [ebp-10] 00483AF8 |. E8 AF05F8FF call 004040AC 00483AFD |. 33C0 xor eax, eax 00483AFF |. 5A pop edx 00483B00 |. 59 pop ecx 00483B01 |. 59 pop ecx 00483B02 |. 64:8910 mov dword ptr fs:[eax], edx 00483B05 |. 68 343B4800 push 00483B34 00483B0A |> 8D45 C4 lea eax, dword ptr [ebp-3C] 00483B0D |. BA 06000000 mov edx, 6 00483B12 |. E8 6505F8FF call 0040407C 00483B17 |. 8D45 F0 lea eax, dword ptr [ebp-10] 00483B1A |. E8 3905F8FF call 00404058 00483B1F |. 8D45 F8 lea eax, dword ptr [ebp-8] 00483B22 |. BA 02000000 mov edx, 2 00483B27 |. E8 5005F8FF call 0040407C 00483B2C \. C3 retn 上面那段循环不大好描述,还是看看它的伪代码形式吧。 byte[] temp = new byte[codelen/2];
byte[] result = new byte[codelen/2 - 1];
for ( int i = 0 ; i < temp.Length ; i++ )
{
temp[i] = byte.Parse( code.Substring( 2*i,2),System.Globalization.NumberStyles.HexNumber);
}
for ( int i = 1 ; i < temp.Length ; i++ )
{
result[i-1] = (byte)( key[(i-1) % keylen] ^ temp[i] );
if ( temp[i-1] < result[i-1] )
{
result[i-1] = (byte)(result[i-1] - temp[i-1]);
}
else
{
result[i-1] = (byte)(result[i-1] + 0xFF - temp[i-1]) ;
}
}
把我们输入的code两两一组按照十六进制字符串形式转换成数组,然后把这个数组和通过key得到的数组进行运算,得到一个数组作为结果。 00483C3C /$ 55 push ebp 00483C3D |. 8BEC mov ebp, esp 00483C3F |. 83C4 F4 add esp, -0C 00483C42 |. 53 push ebx 00483C43 |. 56 push esi 00483C44 |. 57 push edi 00483C45 |. 33DB xor ebx, ebx 00483C47 |. 895D F4 mov dword ptr [ebp-C], ebx 00483C4A |. 894D FC mov dword ptr [ebp-4], ecx 00483C4D |. 8BF2 mov esi, edx 00483C4F |. 8BF8 mov edi, eax 00483C51 |. 33C0 xor eax, eax 00483C53 |. 55 push ebp 00483C54 |. 68 CA3C4800 push 00483CCA 00483C59 |. 64:FF30 push dword ptr fs:[eax] 00483C5C |. 64:8920 mov dword ptr fs:[eax], esp 00483C5F |. 8B45 08 mov eax, dword ptr [ebp+8] 00483C62 |. E8 F103F8FF call 00404058 00483C67 |. 8BC7 mov eax, edi 00483C69 |. E8 AA06F8FF call 00404318 ; 前一个call处理结果 00483C6E |. 84C0 test al, al ; 结果的数组长度 00483C70 |. 76 42 jbe short 00483CB4 00483C72 |. 8845 FB mov byte ptr [ebp-5], al 00483C75 |. B3 01 mov bl, 1 00483C77 |> 8D45 F4 /lea eax, dword ptr [ebp-C] 00483C7A |. 33D2 |xor edx, edx 00483C7C |. 8AD3 |mov dl, bl 00483C7E |. 8A5417 FF |mov dl, byte ptr [edi+edx-1] 00483C82 |. 8BCE |mov ecx, esi 00483C84 |. C1E9 08 |shr ecx, 8 00483C87 |. 32D1 |xor dl, cl 00483C89 |. E8 B205F8FF |call 00404240 00483C8E |. 8B55 F4 |mov edx, dword ptr [ebp-C] 00483C91 |. 8B45 08 |mov eax, dword ptr [ebp+8] 00483C94 |. E8 8706F8FF |call 00404320 00483C99 |. 8B45 08 |mov eax, dword ptr [ebp+8] 00483C9C |. 33C0 |xor eax, eax 00483C9E |. 8AC3 |mov al, bl 00483CA0 |. 0FB64407 FF |movzx eax, byte ptr [edi+eax-1] 00483CA5 |. 03F0 |add esi, eax 00483CA7 |. 0FAF75 FC |imul esi, dword ptr [ebp-4] 00483CAB |. 0375 0C |add esi, dword ptr [ebp+C] 00483CAE |. 43 |inc ebx 00483CAF |. FE4D FB |dec byte ptr [ebp-5] 00483CB2 |.^ 75 C3 \jnz short 00483C77 00483CB4 |> 33C0 xor eax, eax 00483CB6 |. 5A pop edx 00483CB7 |. 59 pop ecx 00483CB8 |. 59 pop ecx 00483CB9 |. 64:8910 mov dword ptr fs:[eax], edx 00483CBC |. 68 D13C4800 push 00483CD1 00483CC1 |> 8D45 F4 lea eax, dword ptr [ebp-C] 00483CC4 |. E8 8F03F8FF call 00404058 00483CC9 \. C3 retn int key = int.Parse(tbKey.Text);
for ( int i = 0 ,key0 = key; i < result.Length ; i++ )
{
int k = result[i] ;
result[i] = (byte)(result[i] ^ (key0>>8) );
key0 = ( k + key0 ) * key + key ;
}
00483B70 /$ 55 push ebp 00483B71 |. 8BEC mov ebp, esp 00483B73 |. 83C4 F4 add esp, -0C 00483B76 |. 53 push ebx 00483B77 |. 56 push esi 00483B78 |. 57 push edi 00483B79 |. 33C9 xor ecx, ecx 00483B7B |. 894D F4 mov dword ptr [ebp-C], ecx 00483B7E |. 8BF2 mov esi, edx 00483B80 |. 8945 FC mov dword ptr [ebp-4], eax 00483B83 |. 33C0 xor eax, eax 00483B85 |. 55 push ebp 00483B86 |. 68 2A3C4800 push 00483C2A 00483B8B |. 64:FF30 push dword ptr fs:[eax] 00483B8E |. 64:8920 mov dword ptr fs:[eax], esp 00483B91 |. 8BC6 mov eax, esi 00483B93 |. E8 C004F8FF call 00404058 00483B98 |. 8B45 FC mov eax, dword ptr [ebp-4] 00483B9B |. E8 7807F8FF call 00404318 00483BA0 |. 84C0 test al, al 00483BA2 |. 76 70 jbe short 00483C14 00483BA4 |. 8845 FB mov byte ptr [ebp-5], al 00483BA7 |. B3 01 mov bl, 1 00483BA9 |> 8BFB /mov edi, ebx 00483BAB |. 81E7 FF000000 |and edi, 0FF 00483BB1 |. 8B45 FC |mov eax, dword ptr [ebp-4] 00483BB4 |. 0FB64438 FF |movzx eax, byte ptr [eax+edi-1] 00483BB9 |. 33D2 |xor edx, edx 00483BBB |. 52 |push edx 00483BBC |. 50 |push eax 00483BBD |. 8B45 18 |mov eax, dword ptr [ebp+18] 00483BC0 |. 8B55 1C |mov edx, dword ptr [ebp+1C] 00483BC3 |. 0FACD0 08 |shrd eax, edx, 8 00483BC7 |. C1EA 08 |shr edx, 8 00483BCA |. 330424 |xor eax, dword ptr [esp] 00483BCD |. 335424 04 |xor edx, dword ptr [esp+4] 00483BD1 |. 83C4 08 |add esp, 8 00483BD4 |. 8BD0 |mov edx, eax 00483BD6 |. 8D45 F4 |lea eax, dword ptr [ebp-C] 00483BD9 |. E8 6206F8FF |call 00404240 00483BDE |. 8B55 F4 |mov edx, dword ptr [ebp-C] 00483BE1 |. 8BC6 |mov eax, esi 00483BE3 |. E8 3807F8FF |call 00404320 00483BE8 |. FF75 14 |push dword ptr [ebp+14] 00483BEB |. FF75 10 |push dword ptr [ebp+10] 00483BEE |. 8B06 |mov eax, dword ptr [esi] 00483BF0 |. 0FB64438 FF |movzx eax, byte ptr [eax+edi-1] 00483BF5 |. 33D2 |xor edx, edx 00483BF7 |. 0345 18 |add eax, dword ptr [ebp+18] 00483BFA |. 1355 1C |adc edx, dword ptr [ebp+1C] 00483BFD |. E8 8E13F8FF |call 00404F90 00483C02 |. 0345 08 |add eax, dword ptr [ebp+8] 00483C05 |. 1355 0C |adc edx, dword ptr [ebp+C] 00483C08 |. 8945 18 |mov dword ptr [ebp+18], eax 00483C0B |. 8955 1C |mov dword ptr [ebp+1C], edx 00483C0E |. 43 |inc ebx 00483C0F |. FE4D FB |dec byte ptr [ebp-5] 00483C12 |.^ 75 95 \jnz short 00483BA9 00483C14 |> 33C0 xor eax, eax 00483C16 |. 5A pop edx 00483C17 |. 59 pop ecx 00483C18 |. 59 pop ecx 00483C19 |. 64:8910 mov dword ptr fs:[eax], edx 00483C1C |. 68 313C4800 push 00483C31 00483C21 |> 8D45 F4 lea eax, dword ptr [ebp-C] 00483C24 |. E8 2F04F8FF call 00404058 00483C29 \. C3 retn int k = 0x14 ;
for ( int i = 0 ; i < namelen ; i++ )
{
result[i] = (byte)(names[i] ^ (k>>8));
k = ( result[i] + k ) * 0x64 + 0xC8 ;
}
00483C3C /$ 55 push ebp 00483C3D |. 8BEC mov ebp, esp 00483C3F |. 83C4 F4 add esp, -0C 00483C42 |. 53 push ebx 00483C43 |. 56 push esi 00483C44 |. 57 push edi 00483C45 |. 33DB xor ebx, ebx 00483C47 |. 895D F4 mov dword ptr [ebp-C], ebx 00483C4A |. 894D FC mov dword ptr [ebp-4], ecx 00483C4D |. 8BF2 mov esi, edx 00483C4F |. 8BF8 mov edi, eax 00483C51 |. 33C0 xor eax, eax 00483C53 |. 55 push ebp 00483C54 |. 68 CA3C4800 push 00483CCA 00483C59 |. 64:FF30 push dword ptr fs:[eax] 00483C5C |. 64:8920 mov dword ptr fs:[eax], esp 00483C5F |. 8B45 08 mov eax, dword ptr [ebp+8] 00483C62 |. E8 F103F8FF call 00404058 00483C67 |. 8BC7 mov eax, edi 00483C69 |. E8 AA06F8FF call 00404318 ; 前一个call处理结果 00483C6E |. 84C0 test al, al ; 结果的数组长度 00483C70 |. 76 42 jbe short 00483CB4 00483C72 |. 8845 FB mov byte ptr [ebp-5], al 00483C75 |. B3 01 mov bl, 1 00483C77 |> 8D45 F4 /lea eax, dword ptr [ebp-C] 00483C7A |. 33D2 |xor edx, edx 00483C7C |. 8AD3 |mov dl, bl 00483C7E |. 8A5417 FF |mov dl, byte ptr [edi+edx-1] 00483C82 |. 8BCE |mov ecx, esi 00483C84 |. C1E9 08 |shr ecx, 8 00483C87 |. 32D1 |xor dl, cl 00483C89 |. E8 B205F8FF |call 00404240 00483C8E |. 8B55 F4 |mov edx, dword ptr [ebp-C] 00483C91 |. 8B45 08 |mov eax, dword ptr [ebp+8] 00483C94 |. E8 8706F8FF |call 00404320 00483C99 |. 8B45 08 |mov eax, dword ptr [ebp+8] 00483C9C |. 33C0 |xor eax, eax 00483C9E |. 8AC3 |mov al, bl 00483CA0 |. 0FB64407 FF |movzx eax, byte ptr [edi+eax-1] 00483CA5 |. 03F0 |add esi, eax 00483CA7 |. 0FAF75 FC |imul esi, dword ptr [ebp-4] 00483CAB |. 0375 0C |add esi, dword ptr [ebp+C] 00483CAE |. 43 |inc ebx 00483CAF |. FE4D FB |dec byte ptr [ebp-5] 00483CB2 |.^ 75 C3 \jnz short 00483C77 00483CB4 |> 33C0 xor eax, eax 00483CB6 |. 5A pop edx 00483CB7 |. 59 pop ecx 00483CB8 |. 59 pop ecx 00483CB9 |. 64:8910 mov dword ptr fs:[eax], edx 00483CBC |. 68 D13C4800 push 00483CD1 00483CC1 |> 8D45 F4 lea eax, dword ptr [ebp-C] 00483CC4 |. E8 8F03F8FF call 00404058 00483CC9 \. C3 retn int key = 0x14;
for ( int i = 0 ,key0 = key; i < namelen ; i++ )
{
int k = result[i] ;
result[i] = (byte)(result[i] ^ (key0>>8));
key0 = ( k + key0 ) * 0x64 + 0xc8 ;
}
注册机源码 byte[] keys = System.Text.Encoding.Default.GetBytes( tbKey.Text );
int key = int.Parse(tbKey.Text);
byte[] temp = System.Text.Encoding.Default.GetBytes(tbName.Text);
byte[] result = new byte[temp.Length + 1];
for ( int i = 0 , key0 = key ; i < temp.Length ; i++ )
{
temp[i] = (byte)( temp[i] ^ ( key0 >> 8));
key0 = ( temp[i] + key0 ) * key + key ;
}
Random rnd = new Random();
rnd.NextBytes(result);
for ( int i = 1 ; i < result.Length ; i++ )
{
int k = temp[i-1] + result[i-1];
if ( k >= 0xFF )
{
k = k - 0xFF ;
}
temp[i-1] = (byte)k;
result[i] = (byte)(temp[i-1] ^ keys[(i-1)%keys.Length]) ;
}
tbCode.Text = string.Empty;
for ( int i = 0 ; i < result.Length ; i++ )
{
tbCode.Text += result[i].ToString("X2");
}
 通过分析我们知道,code的长度应该是name长度的两倍再加上2 。code的前两位字符可以随机取值,code不同的前两位字符取值会导致后若干位字符的不同。既使key取相同的值,唯一的用户名还是可以对应很多组不同的code. |
|
|
超强``
 `````
|
|
|
学习
|
|
|
牛人。。。。
|
|
|
|
|
|
|
|
|
学习了~
|
|
|
|
|
|
|
