教菜鸟写注册机――高级篇（注意我这里说的高级只是对偶辈菜鸟来说是难一些）

HEYA，我又来灌喽！还是那个系列的第3位CRACKME。下载：
http://opencrackmes.crackmes.de/opencrackmes/Collections/keygenning4newbies/Crackmes/k4n3.zip

用W32DASM来反，（可以先看后面说明）

:004011BF 6A45                    push 00000045
:004011C1 50                      push eax
:004011C2 A4                      movsb

* Reference To: USER32.GetDlgItemTextA, Ord:0104h
                                  |
:004011C3 8B3DA8404000            mov edi, dword ptr [004040A8]	;注意这里把地址放在EDI

* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03E8, ""
                                  |
:004011C9 68E8030000              push 000003E8
:004011CE 51                      push ecx
:004011CF FFD7                    call edi		;实际是CALL GetDlgItemTextA,得到用户名
:004011D1 8BF0                    mov esi, eax
:004011D3 85F6                    test esi, esi
:004011D5 0F844B010000            je 00401326
:004011DB 83FE40                  cmp esi, 00000040
:004011DE 0F8742010000            ja 00401326
:004011E4 8B4508                  mov eax, dword ptr [ebp+08]
:004011E7 8D5594                  lea edx, dword ptr [ebp-6C]
:004011EA 6A13                    push 00000013
:004011EC 52                      push edx

* Possible Reference to Dialog: DialogID_0065, CONTROL_ID:03E9, ""
                                  |
:004011ED 68E9030000              push 000003E9
:004011F2 50                      push eax
:004011F3 FFD7                    call edi		;再次调用GetDlgItemText,得到注册码
:004011F5 6BC003                  imul eax, 00000003	;EAX是注册码的长度
:004011F8 C1E002                  shl eax, 02		;左移二位
:004011FB 05CD000000              add eax, 000000CD	;加上0CD
:00401200 8945FC                  mov dword ptr [ebp-04], eax
:00401203 817DFCA5010000          cmp dword ptr [ebp-04], 000001A5;看看计算结果是不是1A5
:0040120A 0F85BC000000            jne 004012CC		;不是就死,可以逆算出(1A5-0CD)>>2=12
:00401210 33C0                    xor eax, eax		;即注册码不能小于12h位
:00401212 8A4594                  mov al, byte ptr [ebp-6C]
:00401215 84C0                    test al, al
:00401217 7413                    je 0040122C
:00401219 8D4D94                  lea ecx, dword ptr [ebp-6C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040122A(C)
|
:0040121C 3C30                    cmp al, 30
:0040121E 0F82C6000000            jb 004012EA		;注册码每位不能小于30h,即'0'
:00401224 8A4101                  mov al, byte ptr [ecx+01]
:00401227 41                      inc ecx
:00401228 84C0                    test al, al
:0040122A 75F0                    jne 0040121C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401217(C)
|
:0040122C E8CFFDFFFF              call 00401000		;这是什么呀?好像很重要哟,进去看看!:D
:00401231 8D852CFFFFFF            lea eax, dword ptr [ebp+FFFFFF2C]
:00401237 50                      push eax
:00401238 E843FEFFFF              call 00401080		;转换过程一，跟进
:0040123D 8945FC                  mov dword ptr [ebp-04], eax
:00401240 E8BBFDFFFF              call 00401000		;还进去不?呀....别打我!
:00401245 8D8D2CFFFFFF            lea ecx, dword ptr [ebp+FFFFFF2C]
:0040124B 56                      push esi
:0040124C 51                      push ecx
:0040124D E8BEFDFFFF              call 00401010
:00401252 83C40C                  add esp, 0000000C
:00401255 33C9                    xor ecx, ecx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401284(C)
|
:00401257 8B45FC                  mov eax, dword ptr [ebp-04] \
:0040125A 33D2                    xor edx, edx                |
:0040125C BE1A000000              mov esi, 0000001A           |
:00401261 F7F6                    div esi                     |
:00401263 8A941510FFFFFF          mov dl, byte ptr [ebp+edx-000000F0]
:0040126A 88540DC8                mov byte ptr [ebp+ecx-38], dl|
:0040126E 8B45FC                  mov eax, dword ptr [ebp-04] |
:00401271 C1E003                  shl eax, 03                 |---转换过程二
:00401274 BA45230100              mov edx, 00012345           |
:00401279 F7E8                    imul eax	                   |
:0040127B 03C2                    add eax, edx                |
:0040127D 8945FC                  mov dword ptr [ebp-04], eax |
:00401280 41                      inc ecx                     |
:00401281 83F912                  cmp ecx, 00000012           |
:00401284 72D1                    jb 00401257                 /
:00401286 E875FDFFFF              call 00401000			
:0040128B 33C0                    xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004012A2(C)
|
:0040128D 8A4C0594                mov cl, byte ptr [ebp+eax-6C] \
:00401291 8A5405C8                mov dl, byte ptr [ebp+eax-38] |
:00401295 80E930                  sub cl, 30                    |
:00401298 32D1                    xor dl, cl                    |---转换过程三
:0040129A 885405C8                mov byte ptr [ebp+eax-38], dl |
:0040129E 40                      inc eax                       |
:0040129F 83F812                  cmp eax, 00000012             |
:004012A2 72E9                    jb 0040128D                   /
:004012A4 E857FDFFFF              call 00401000
:004012A9 8D55C8                  lea edx, dword ptr [ebp-38]
:004012AC 52                      push edx
:004012AD E85EFEFFFF              call 00401110		;转换过程四
:004012B2 E849FDFFFF              call 00401000		
:004012B7 8D45C8                  lea eax, dword ptr [ebp-38]

* Possible StringData Ref from Data Obj ->"KEYGENNING4NEWBIES"
                                  |
:004012BA 6814514000              push 00405114		;固定字串"KEYGENNING4NEWBIES"
:004012BF 50                      push eax		;上面转换而来的字串
:004012C0 E86BFEFFFF              call 00401130		;进行比较
:004012C5 83C40C                  add esp, 0000000C
:004012C8 85C0                    test eax, eax
:004012CA 753C                    jne 00401308		;关键跳转

* Referenced by a CALL at Address:
|:00401238   
|
:00401080 55                      push ebp
:00401081 8BEC                    mov ebp, esp
:00401083 51                      push ecx
:00401084 53                      push ebx
:00401085 56                      push esi
:00401086 57                      push edi

* Possible StringData Ref from Data Obj ->"eheh"
                                  |
:00401087 6880504000              push 00405080
:0040108C 6A00                    push 00000000
:0040108E E8ADFFFFFF              call 00401040		;这个CALL有问题
:00401093 83C408                  add esp, 00000008
:00401096 8BD8                    mov ebx, eax
:00401098 E863FFFFFF              call 00401000

* Possible StringData Ref from Data Obj ->" is a whore."
                                  |
:0040109D BF70504000              mov edi, 00405070
:004010A2 83C9FF                  or ecx, FFFFFFFF
:004010A5 33C0                    xor eax, eax
:004010A7 F2                      repnz
:004010A8 AE                      scasb
:004010A9 F7D1                    not ecx
:004010AB 2BF9                    sub edi, ecx
:004010AD 8BF7                    mov esi, edi
:004010AF 8B7D08                  mov edi, dword ptr [ebp+08]
:004010B2 8BD1                    mov edx, ecx
:004010B4 83C9FF                  or ecx, FFFFFFFF
:004010B7 F2                      repnz
:004010B8 AE                      scasb
:004010B9 8BCA                    mov ecx, edx
:004010BB 4F                      dec edi
:004010BC C1E902                  shr ecx, 02
:004010BF F3                      repz
:004010C0 A5                      movsd
:004010C1 8BCA                    mov ecx, edx
:004010C3 83E103                  and ecx, 00000003
:004010C6 F3                      repz
:004010C7 A4                      movsb
:004010C8 33FF                    xor edi, edi
:004010CA 33F6                    xor esi, esi		;上面这一段是不是有点晕,没关系,只看结果

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004010F6(C)
|
:004010CC 8B4508                  mov eax, dword ptr [ebp+08]
:004010CF 50                      push eax		;在这里D eax看看是什么,RoBa is a whore.
:004010D0 56                      push esi		;ESI每次加4，从第ESI个字符开始取值
:004010D1 E86AFFFFFF              call 00401040		;还是上面的CALL
:004010D6 8B8E30504000            mov ecx, dword ptr [esi+00405030];这也是一个表，从里面取值
:004010DC 83C408                  add esp, 00000008
:004010DF 33CF                    xor ecx, edi
:004010E1 03C1                    add eax, ecx
:004010E3 8945FC                  mov dword ptr [ebp-04], eax
:004010E6 C145FC07                rol dword ptr [ebp-04], 07	;ROL是一个“滚动”移位
:004010EA 8B45FC                  mov eax, dword ptr [ebp-04]
:004010ED 83C604                  add esi, 00000004
:004010F0 33D8                    xor ebx, eax		;进行一些运算，EBX最初是"eheh"=68656865
:004010F2 47                      inc edi
:004010F3 83FE40                  cmp esi, 00000040	;ESI每次加4，所以这是计算10H=16次
:004010F6 7CD4                    jl 004010CC		;这里是循环计算
:004010F8 5F                      pop edi
:004010F9 8BC3                    mov eax, ebx
:004010FB 5E                      pop esi
:004010FC 5B                      pop ebx
:004010FD 8BE5                    mov esp, ebp
:004010FF 5D                      pop ebp
:00401100 C3                      ret

:00401257 8B45FC                  mov eax, dword ptr [ebp-04]	;最初这里是上面过程一的结果
:0040125A 33D2                    xor edx, edx			
:0040125C BE1A000000              mov esi, 0000001A		
:00401261 F7F6                    div esi			;除以1Ah=26
:00401263 8A941510FFFFFF          mov dl, byte ptr [ebp+edx-000000F0];根据余数从表中取值
:0040126A 88540DC8                mov byte ptr [ebp+ecx-38], dl	;把取得的值组成一个字串
:0040126E 8B45FC                  mov eax, dword ptr [ebp-04]	
:00401271 C1E003                  shl eax, 03			
:00401274 BA45230100              mov edx, 00012345		
:00401279 F7E8                    imul eax			
:0040127B 03C2                    add eax, edx			;进行一些计算，准备下次再取
:0040127D 8945FC                  mov dword ptr [ebp-04], eax	
:00401280 41                      inc ecx			;ECX是循环变量
:00401281 83F912                  cmp ecx, 00000012		;共计算12h=18次
:00401284 72D1                    jb 00401257			

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)