[Title]: A partial crack of EsperCrackMe1
[Author]: scndebuger
[Author's e-mail]: seya1@163.com
[Software]: EsperCrackMe1
[Download]: http://bbs1.pediy.com/showthread.php?t=46216
[Author's note]: Done purely out of interest, with no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
[Detailed process]
Load it in OD; it stops at the entry point:
00402860 >/$ FF15 00044000 call dword ptr [<&COMCTL32.#17>] ; [(initial cpu selection)
00402866 |. 6A 00 push 0 ; /lParam = NULL
00402868 |. 68 F0234000 push 004023F0 ; |DlgProc = EsperCra.004023F0
0040286D |. 6A 00 push 0 ; |hOwner = NULL
0040286F |. 6A 65 push 65 ; |pTemplate = 65
00402871 |. 6A 00 push 0 ; |hInst = NULL
00402873 |. FF15 74044000 call dword ptr [<&USER32.DialogBoxPar>; \DialogBoxParamA
00402879 |. 6A 00 push 0 ; /ExitCode = 0
0040287B |. FF15 70044000 call dword ptr [<&USER32.PostQuitMess>; \PostQuitMessage
00402881 |. 33C0 xor eax, eax
00402883 \. C3 retn
It closes itself after 60 seconds, so the first job is to get rid of the time limit:
Ultra String Reference search:
Address Disassembly Text String
004023F5 push 00402990 感)@
00402783 mov esi, 004004E4 g-r-e-a-t j-o-b!!!!\nu are so pppppowerful!!!!
004027F4 push 004004A8 you have %d seconds to enter your name and serial...
00402860 call dword ptr [<&COMCTL32.#17>] (initial cpu selection)
Double-click the line "you have %d seconds to enter your name and serial..." to land at 004027F4:
004027EA > \A1 002E4000 mov eax, dword ptr [402E00] ; Case 113 (WM_TIMER) of switch 0040240E
004027EF . 85C0 test eax, eax
004027F1 . 74 40 je short 00402833
004027F3 . 50 push eax ; /<%d> => 3C (60.)
004027F4 . 68 A8044000 push 004004A8 ; |you have %d seconds to enter your name and serial...
004027F9 . 68 E8354000 push 004035E8 ; |you have 44 seconds to enter your name and serial...
004027FE . FF15 4C044000 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
00402804 . 8B45 08 mov eax, dword ptr [ebp+8]
00402807 . 83C4 0C add esp, 0C
0040280A . 68 E8354000 push 004035E8 ; /you have 44 seconds to enter your name and serial...
0040280F . 6A 66 push 66 ; |ControlID = 66 (102.)
00402811 . 50 push eax ; |hWnd
00402812 . FF15 50044000 call dword ptr [<&USER32.SetDlgItemTe>; \SetDlgItemTextA
00402818 . FF0D 002E4000 dec dword ptr [402E00]
0040281E > 33C0 xor eax, eax
00402820 . 8B4D F4 mov ecx, dword ptr [ebp-C]
00402823 . 64:890D 00000>mov dword ptr fs:[0], ecx
0040282A . 5F pop edi
0040282B . 5E pop esi
0040282C . 5B pop ebx
0040282D . 8BE5 mov esp, ebp
0040282F . 5D pop ebp
00402830 . C2 1000 retn 10
Look upward:
004027EA > \A1 002E4000 mov eax, dword ptr [402E00]
This instruction reads the remaining time; change it to:
mov eax, 64
Ha, this way there are always 100 seconds left; you could also make it several hundred million :)
Save the patched executable as EsperCrackMe1_New.exe; this makes later analysis much more convenient.
Right, now on to the real topic:
First a look at the CM's interface: there is no CHECK button, so every input is checked as it is typed, until you enter the correct one and it tells you: g-r-e-a-t j-o-b!!!!\nu are so pppppowerful!!!! So where do we set a breakpoint?
I went with GetDlgItemTextA: I found it under Search for -> Name (label) in current module (confirming that it really uses this function), then set bp GetDlgItemTextA; F9 to run, and once it breaks, disable the breakpoint, click the M (memory map) icon and set a breakpoint on the code section at 400400, F9 again, and when it breaks we arrive at:
00402525 FF15 54044000 call dword ptr [<&USER32.GetDlgItemTe>; USER32.GetDlgItemTextA <-- here
Now start tracing:
004024FA \8B45 10 mov eax, dword ptr [ebp+10] ; Case 111 (WM_COMMAND) of switch 0040240E
004024FD 66:3D E803 cmp ax, 3E8
00402501 0F85 DA000000 jnz 004025E1
00402507 C1E8 10 shr eax, 10
0040250A 3D 00030000 cmp eax, 300
0040250F 0F85 09030000 jnz 0040281E
00402515 8B45 08 mov eax, dword ptr [ebp+8]
00402518 6A 40 push 40
0040251A 68 98354000 push 00403598
0040251F 68 E8030000 push 3E8
00402524 50 push eax
00402525 FF15 54044000 call dword ptr [<&USER32.GetDlgItemTe>; USER32.GetDlgItemTextA
0040252B B8 98354000 mov eax, 00403598 ; username
00402530 8D50 01 lea edx, dword ptr [eax+1]
00402533 8A08 mov cl, byte ptr [eax]
00402535 40 inc eax
00402536 84C9 test cl, cl
00402538 ^ 75 F9 jnz short 00402533
0040253A 2BC2 sub eax, edx ; compute the name length
0040253C 83F8 02 cmp eax, 2 ; name must be at least 2 characters
0040253F 0F82 D9020000 jb 0040281E
00402545 A1 68364000 mov eax, dword ptr [403668]
0040254A 85C0 test eax, eax
0040254C 0F85 CC020000 jnz 0040281E
00402552 B8 28364000 mov eax, 00403628
00402557 8D50 01 lea edx, dword ptr [eax+1]
0040255A 8D9B 00000000 lea ebx, dword ptr [ebx]
00402560 8A08 mov cl, byte ptr [eax]
00402562 40 inc eax
00402563 84C9 test cl, cl
00402565 ^ 75 F9 jnz short 00402560
00402567 2BC2 sub eax, edx ; compute the serial length
00402569 83F8 10 cmp eax, 10 ; serial must be at least 16 characters
0040256C 0F82 AC020000 jb 0040281E
00402572 C705 68364000 0>mov dword ptr [403668], 4
0040257C 33DB xor ebx, ebx
0040257E BE 88354000 mov esi, 00403588
00402583 6A 48 push 48
00402585 E8 EE030000 call <jmp.&MSVCR71.operator new> ; allocate memory
0040258A 8B4D 08 mov ecx, dword ptr [ebp+8]
0040258D 8908 mov dword ptr [eax], ecx
0040258F B9 98354000 mov ecx, 00403598
00402594 8BD0 mov edx, eax
00402596 83C4 04 add esp, 4
00402599 2BD1 sub edx, ecx ; name address - new buffer address
0040259B 8D7A 04 lea edi, dword ptr [edx+4]
0040259E 8BFF mov edi, edi
004025A0 8A11 mov dl, byte ptr [ecx] ; fetch a name byte
004025A2 88140F mov byte ptr [edi+ecx], dl ; store it in the new buffer
004025A5 41 inc ecx ; this is presumably preparing the parameter for the threads created below
004025A6 84D2 test dl, dl
004025A8 ^ 75 F6 jnz short 004025A0
004025AA 56 push esi
004025AB 6A 00 push 0
004025AD 50 push eax
004025AE 68 A0224000 push 004022A0
004025B3 6A 00 push 0
004025B5 6A 00 push 0
004025B7 8958 44 mov dword ptr [eax+44], ebx ; note: 4022A0 is the key routine that processes the username
004025BA FF15 10044000 call dword ptr [<&KERNEL32.CreateThre>; kernel32.CreateThread
004025C0 83C6 04 add esi, 4
004025C3 43 inc ebx
004025C4 81FE 98354000 cmp esi, 00403598
004025CA ^ 7C B7 jl short 00402583 ; spawns 4 new threads, ugh, headache
004025CC 33C0 xor eax, eax
004025CE 8B4D F4 mov ecx, dword ptr [ebp-C]
004025D1 64:890D 0000000>mov dword ptr fs:[0], ecx
004025D8 5F pop edi
004025D9 5E pop esi
004025DA 5B pop ebx
004025DB 8BE5 mov esp, ebp
004025DD 5D pop ebp
004025DE C2 1000 retn 10
004025E1 66:3D E903 cmp ax, 3E9
004025E5 75 23 jnz short 0040260A
004025E7 C1E8 10 shr eax, 10
004025EA 3D 00030000 cmp eax, 300
004025EF 0F85 29020000 jnz 0040281E
004025F5 8B55 08 mov edx, dword ptr [ebp+8]
004025F8 6A 40 push 40
004025FA 68 28364000 push 00403628
004025FF 68 E9030000 push 3E9
00402604 52 push edx
00402605 ^ E9 1BFFFFFF jmp 00402525 ; back up to fetch the serial
0040260A 66:3D 0200 cmp ax, 2
0040260E 0F85 0A020000 jnz 0040281E
00402614 8B45 08 mov eax, dword ptr [ebp+8]
00402617 6A 02 push 2
00402619 50 push eax
0040261A E9 1D020000 jmp 0040283C
0040261F 3D 13010000 cmp eax, 113
00402624 0F84 C0010000 je 004027EA
0040262A 0FB70D 98354000 movzx ecx, word ptr [403598] ; Default case of switch 0040240E
00402631 81C1 00140000 add ecx, 1400
00402637 3BC1 cmp eax, ecx
00402639 0F85 DF010000 jnz 0040281E
0040263F 8B7D 14 mov edi, dword ptr [ebp+14]
00402642 0FB7D7 movzx edx, di
00402645 8955 0C mov dword ptr [ebp+C], edx
00402648 A1 68364000 mov eax, dword ptr [403668]
0040264D DB45 0C fild dword ptr [ebp+C] ; load the 4 groups of data generated from the username
00402650 8B5D 10 mov ebx, dword ptr [ebp+10]
00402653 33F6 xor esi, esi
00402655 3BC6 cmp eax, esi
00402657 D95D 0C fstp dword ptr [ebp+C]
0040265A 8975 FC mov dword ptr [ebp-4], esi
0040265D D945 0C fld dword ptr [ebp+C]
00402660 D835 30054000 fdiv dword ptr [400530] ; /65536 (same constant as at 00402701)
00402666 D835 2C054000 fdiv dword ptr [40052C] ; /2
0040266C D805 28054000 fadd dword ptr [400528] ; +0.5
00402672 D91C9D D8354000 fstp dword ptr [ebx*4+4035D8] ; y(i); stored in order into the buffer starting at 4035D8
00402679 0F85 9F010000 jnz 0040281E
0040267F B8 28364000 mov eax, 00403628 ; serial pointer
00402684 8D50 01 lea edx, dword ptr [eax+1]
00402687 8A08 mov cl, byte ptr [eax]
00402689 40 inc eax
0040268A 84C9 test cl, cl
0040268C ^ 75 F9 jnz short 00402687 ; small loop computing the serial length
0040268E 2BC2 sub eax, edx
00402690 83F8 10 cmp eax, 10 ; is it 16 characters?
00402693 0F82 85010000 jb 0040281E ; if not, it bails out
00402699 A1 20054000 mov eax, dword ptr [400520] ; 66667830
0040269E 66:8B0D 2405400>mov cx, word ptr [400524] ; 6666
004026A5 8A15 26054000 mov dl, byte ptr [400526] ; 00
004026AB 8945 E8 mov dword ptr [ebp-18], eax
004026AE 66:894D EC mov word ptr [ebp-14], cx
004026B2 8855 EE mov byte ptr [ebp-12], dl
004026B5 83FE 04 cmp esi, 4 ; 4 rounds; currently 0
004026B8 7D 62 jge short 0040271C ; after 4 rounds go to the next step
004026BA 8A0CB5 29364000 mov cl, byte ptr [esi*4+403629] ; fetch serial character si*4+2
004026C1 8A14B5 2A364000 mov dl, byte ptr [esi*4+40362A] ; fetch serial character si*4+3
004026C8 8A04B5 28364000 mov al, byte ptr [esi*4+403628] ; fetch serial character si*4+1
004026CF 884D EB mov byte ptr [ebp-15], cl
004026D2 6A 10 push 10
004026D4 8D4D 0C lea ecx, dword ptr [ebp+C]
004026D7 8855 EC mov byte ptr [ebp-14], dl
004026DA 8845 EA mov byte ptr [ebp-16], al
004026DD 8A04B5 2B364000 mov al, byte ptr [esi*4+40362B] ; fetch serial character si*4+4
004026E4 51 push ecx
004026E5 8D55 E8 lea edx, dword ptr [ebp-18]
004026E8 52 push edx
004026E9 8845 ED mov byte ptr [ebp-13], al ; 12fc4e-51/1-4
004026EC E8 81020000 call <jmp.&MSVCR71.strtol> ; combine serial characters si*4+1 to si*4+4 into x(i), parsed as a hex number
004026F1 8945 10 mov dword ptr [ebp+10], eax
004026F4 DB45 10 fild dword ptr [ebp+10] ; load x(i)
004026F7 83C4 0C add esp, 0C ; in the floating-point code below, values are written in decimal for convenience; same below
004026FA 46 inc esi
004026FB D95D 10 fstp dword ptr [ebp+10]
004026FE D945 10 fld dword ptr [ebp+10]
00402701 D835 30054000 fdiv dword ptr [400530] ; /65536
00402707 D835 2C054000 fdiv dword ptr [40052C] ; /2
0040270D DC05 18054000 fadd qword ptr [400518] ; +0.5
00402713 D91CB5 5C354000 fstp dword ptr [esi*4+40355C] ; q(i)=o(i)/65536/2+0.5; stored in the 4*4 bytes starting at 403560
0040271A ^ EB 99 jmp short 004026B5
0040271C 33F6 xor esi, esi ; the key computation starts; esi=0
0040271E 8BFF mov edi, edi
00402720 83FE 04 cmp esi, 4 ; 4 rounds
00402723 0F8D 8B000000 jge 004027B4 ; if all pass, this leads to happiness
00402729 D904B5 D8354000 fld dword ptr [esi*4+4035D8] ; load y(i)
00402730 51 push ecx
00402731 D80CB5 60354000 fmul dword ptr [esi*4+403560] ; z(i)=y(i)*q(i)
00402738 D91C24 fstp dword ptr [esp] ; save z(i)
0040273B E8 50010000 call 00402890 ; key routine, we must look inside
00402740 D95D 10 fstp dword ptr [ebp+10] ; s(i)
00402743 83C4 04 add esp, 4
00402746 D945 10 fld dword ptr [ebp+10]
00402749 83EC 08 sub esp, 8
0040274C D824B5 60354000 fsub dword ptr [esi*4+403560] ; s(i)-q(i)
00402753 D95D 10 fstp dword ptr [ebp+10]
00402756 D945 10 fld dword ptr [ebp+10]
00402759 DD1C24 fstp qword ptr [esp]
0040275C E8 F5010000 call <jmp.&MSVCR71.fabs> ; absolute value
00402761 D95D 10 fstp dword ptr [ebp+10]
00402764 83C4 08 add esp, 8
00402767 D945 10 fld dword ptr [ebp+10]
0040276A D81D 14054000 fcomp dword ptr [400514] ; compare with 1.5258e-5; 0.00001525879
00402770 DFE0 fstsw ax ; get the FPU status word
00402772 F6C4 01 test ah, 1 ; check the result of the comparison just made
00402775 0F84 A3000000 je 0040281E ; if it jumps, it is over
0040277B 46 inc esi
0040277C ^ EB A2 jmp short 00402720 ; next round
0040277E B9 0B000000 mov ecx, 0B
00402783 BE E4044000 mov esi, 004004E4 ; g-r-e-a-t j-o-b!!!!\nu are so pppppowerful!!!!
00402788 BF E8354000 mov edi, 004035E8 ; you have 100 seconds to enter your name and serial...
0040278D F3:A5 rep movs dword ptr es:[edi], dword p>
0040278F 68 E8354000 push 004035E8 ; you have 100 seconds to enter your name and serial...
00402794 66:A5 movs word ptr es:[edi], word ptr [esi>
00402796 8B75 08 mov esi, dword ptr [ebp+8]
00402799 6A 66 push 66
0040279B 56 push esi
0040279C FF15 50044000 call dword ptr [<&USER32.SetDlgItemTe>; USER32.SetDlgItemTextA
004027A2 68 EA030000 push 3EA
004027A7 56 push esi
004027A8 FF15 58044000 call dword ptr [<&USER32.KillTimer>] ; USER32.KillTimer
004027AE B8 1E284000 mov eax, 0040281E
004027B3 C3 retn
004027B4 33D2 xor edx, edx
004027B6 8BC7 mov eax, edi
004027B8 F735 68364000 div dword ptr [403668]
004027BE 85C0 test eax, eax
004027C0 8945 08 mov dword ptr [ebp+8], eax
004027C3 DB45 08 fild dword ptr [ebp+8]
004027C6 7D 06 jge short 004027CE
004027C8 D805 E0044000 fadd dword ptr [4004E0]
004027CE D91C9D D8354000 fstp dword ptr [ebx*4+4035D8]
004027D5 33C0 xor eax, eax
004027D7 8B4D F4 mov ecx, dword ptr [ebp-C]
004027DA 64:890D 0000000>mov dword ptr fs:[0], ecx
004027E1 5F pop edi
004027E2 5E pop esi
004027E3 5B pop ebx
004027E4 8BE5 mov esp, ebp
004027E6 5D pop ebp
004027E7 C2 1000 retn 10
The call 00402890 at 0040273B is here:
00402890 55 push ebp
00402891 8BEC mov ebp, esp
00402893 51 push ecx
00402894 F3:0F1045 08 movss xmm0, dword ptr [ebp+8] ; z(i)
00402899 F3:0F100D 70054>movss xmm1, dword ptr [400570] ; 7fffffff
004028A1 0F54C1 andps xmm0, xmm1 ; z(i) and 7fffffff
004028A4 F3:0F5805 50054>addss xmm0, dword ptr [400550] ; +1.570796 (constant d)
004028AC F3:0F5905 60054>mulss xmm0, dword ptr [400560] ; *0.6366197 (constant e); r(i)=((z(i) and 0x7fffffff)+d)*e
004028B4 F3:0F2CC8 cvttss2si ecx, xmm0 ; truncate to integer; h(i)=int(r(i))
004028B8 F3:0F102D 40054>movss xmm5, dword ptr [400540] ; 1.000000; constant 1
004028C0 8BD1 mov edx, ecx
004028C2 C1E2 1E shl edx, 1E
004028C5 F3:0F2AC9 cvtsi2ss xmm1, ecx ; ECX=h(i); convert to float and put it in XMM1
004028C9 81E2 00000080 and edx, 80000000
004028CF 83E1 01 and ecx, 1 ; ecx=1
004028D2 F3:0F5CC1 subss xmm0, xmm1 ; j(i)=r(i)-int(r(i))
004028D6 F3:0F10348D C00>movss xmm6, dword ptr [ecx*4+4005C0] ; ecx is normally 1 here, so xmm6=ffffffff
004028DF F3:0F5DC5 minss xmm0, xmm5 ; min(j(i),1)
004028E3 F3:0F100D B0054>movss xmm1, dword ptr [4005B0] ; 0.004681754 constant a
004028EB F3:0F5CE8 subss xmm5, xmm0 ; 1-(min(j(i),1))
004028EF 0F54EE andps xmm5, xmm6 ; n= 1-(min(j(i),1)) and ffffffff
004028F2 F3:0F103D A0054>movss xmm7, dword ptr [4005A0] ; 0.07969262;常数b
004028FA 0F55F0 andnps xmm6, xmm0 ; not(ffffffff) and min(j(i),1)=0
004028FD 8955 FC mov dword ptr [ebp-4], edx ; 0
00402900 0F56EE orps xmm5, xmm6 ; n or 0x0; unchanged
00402903 F3:0F10C5 movss xmm0, xmm5 ; n
00402907 F3:0F59ED mulss xmm5, xmm5 ; m=n^2
0040290B F3:0F1025 90054>movss xmm4, dword ptr [400590] ; -0.6459641; constant c
00402913 F3:0F10D5 movss xmm2, xmm5 ; m
00402917 F3:0F59E9 mulss xmm5, xmm1 ; a*m
0040291B F3:0F100D 80054>movss xmm1, dword ptr [400580] ; 1.570796; constant d
00402923 F3:0F58EF addss xmm5, xmm7 ; a*m+b
00402927 F3:0F59EA mulss xmm5, xmm2 ; (a*m+b)*m
0040292B F3:0F105D FC movss xmm3, dword ptr [ebp-4] ; 0
00402930 F3:0F58EC addss xmm5, xmm4 ; (a*m+b)*m+c
00402934 F3:0F59EA mulss xmm5, xmm2 ; ((a*m+b)*m+c)*m
00402938 0F56C3 orps xmm0, xmm3 ; n or 0x0=n
0040293B F3:0F58E9 addss xmm5, xmm1 ; ((a*m+b)*m+c)*m+d
0040293F F3:0F59C5 mulss xmm0, xmm5 ; s(i)=(((a*m+b)*m+c)*m+d)*n
00402943 F3:0F1145 08 movss dword ptr [ebp+8], xmm0 ; save the result
00402948 D945 08 fld dword ptr [ebp+8]
0040294B 8BE5 mov esp, ebp
0040294D 5D pop ebp
0040294E C3 retn
Analysis:
The 4 dwords generated from the username (taking "seya" as the example):
0000A467 (decimal 42087.)
00001103 (decimal 4355.)
0000B2C6 (decimal 45766.)
00009CF1 (decimal 40177.)
Each is divided by 65536, divided by 2, plus 0.5, and stored in the 4 slots starting at 4035D8:
ds:[004035D8]=0.8210983276367187500
ds:[004035DC]=0.5332260131835937500
ds:[004035E0]=0.8491668701171875000
ds:[004035E4]=0.8065261840820312500
Call them y(i):
y(1)=0.8210983276367187500
y(2)=0.5332260131835937500
y(3)=0.8491668701171875000
y(4)=0.8065261840820312500
Split the 16-character serial into 4 groups of 4 hex digits and call them x(i);
the decimal values corresponding to x(i) are then o(i):
q(i)=o(i)/65536/2+0.5
stored in the 4 dword slots starting at 403560
z(i)=y(i)*q(i)
r(i)=((z(i) and 0x7fffffff)+d)*e
h(i)=int(r(i)) (integer part)
j(i)=r(i)-int(r(i)) (fractional part)
n= 1-(min(j(i),1)) and ffffffff
j(i) is always less than 1, so we can take
n=1-j(i) and ffffffff
m=n^2 (n squared, not XOR; same below)
a through e are constants:
e=0.6366197
d=1.570796
c=-0.6459641
b=0.07969262
a=-0.004681754
s(i)=(((a*m+b)*m+c)*m+d)*n
Check:
|s(i)-q(i)|<=0.000015288
If this holds, the group passes and the next one is processed.
So the inverse computation can be done as follows:
Since the AND/OR masking operations leave the operands unchanged (from experience, not verified) they are ignored, and int(r(i))=1 (from experience, not verified), so the following transformations apply:
z=r/e-d
j=1-n
r=j+int(r(i))=j+1
z=(j+1)/e-d=(1-n+1)/e-d=(2-n)/e-d
q=z/y=((2-n)/e-d)/y
Substituting m=n^2 and q=((2-n)/e-d)/y into the inequality above gives
|(((a*n^2+b)*n^2+c)*n^2+d)*n-((2-n)/e-d)/y|<=0.000015288
Rearranging:
|a*n^7+b*n^5+c*n^3+(d+(1/(e*y)))*n+d/y-2/(e*y)|<=0.000015288
i.e.
a*n^7+b*n^5+c*n^3+(d+(1/(e*y)))*n+d/y-2/(e*y)<=0.000015288
a*n^7+b*n^5+c*n^3+(d+(1/(e*y)))*n+d/y-2/(e*y)>=-0.000015288
a*n^7+b*n^5+c*n^3+(d+(1/(e*y)))*n+d/y-2/(e*y)-0.000015288<=0
a*n^7+b*n^5+c*n^3+(d+(1/(e*y)))*n+d/y-2/(e*y)+0.000015288>=0
The solution set is the intersection of the solution sets of the two inequalities.
I don't know how to solve the inequalities directly,
but the boundaries of the solution set can be found by solving the following equations:
a*n^7+b*n^5+c*n^3+(d+(1/(e*y)))*n+d/y-2/(e*y)-0.000015288=0
a*n^7+b*n^5+c*n^3+(d+(1/(e*y)))*n+d/y-2/(e*y)+0.000015288=0
These two equations can be solved approximately by iteration.
Substituting a, b, c, d, e and y into the equations gives n;
then
q=((2-n)/e-d)/y
o=(q-0.5)*2*65536
PS: of course you can also substitute o=(((2-n)/e-d)/y-0.5)*2*65536 into the equations first, obtain an equation in o, and solve for o directly :)
Round the resulting o(i) to the nearest integer, convert to hex, and concatenate the groups in order to obtain the serial!
Unfortunately I still have not traced out the algorithm for y, so the crack of this CM is not complete.
The equations I posted yesterday had a problem!
To simplify the calculation I dropped terms, so the result was inaccurate!
Well, tracing this CM took me 2 days; the serial analysis part took one evening. I had never dealt with SSE or floating point before, so I looked things up online while single-stepping. It reminded me that a Taiwanese cracking pioneer once said something like: it would be great if you could browse the web and listen to music while cracking in SICE (if you had that kind of leisure); OD has now made that a reality, which is really nice!
Since I never got the username part done, I originally wanted to post everything at once when it was complete, but it looks like I can't manage that now, so I'm posting the finished part first; I hope the experts will carry on with the rest!
This piece is aimed at beginners like me and is written in as much detail as possible, especially the SSE and floating-point part, because many people like me have had little contact with SSE and floating point; if it has even a little reference value I'll be very happy :)
Finally, happy Dragon Boat Festival everyone!
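As an added example (not the CrackMe's code or the author's), the forward check at 00402720 and the inverse derived above, in Python. The constants e=0.6366197 and d=1.570796 are 2/pi and pi/2, and a, b, c are the Taylor coefficients of sin(pi*n/2), so the routine at 00402890 is a range-reduced sine and s(i) is cos(z(i)) to within the polynomial's accuracy; the example keeps the h-parity mask and sign bit that the simplification above drops. It assumes double precision instead of the binary's single precision, finds q(i) as the fixed point q = s(y*q) instead of solving the degree-7 polynomial, and uses the four name-derived dwords the page lists for "seya" as constructed sample input.

```python
# Constants read from the CrackMe's data section (listing at 00402890 above)
E = 0.6366197      # [400560]: 2/pi
D = 1.570796       # [400550], [400580]: pi/2
C = -0.6459641     # [400590]: -(pi/2)^3/3!
B = 0.07969262     # [4005A0]:  (pi/2)^5/5!
A = -0.004681754   # [4005B0]: -(pi/2)^7/7!
TOL = 1.5258e-5    # [400514]: bound on |s(i)-q(i)|

def sse_sin_routine(z: float) -> float:
    """Sub 00402890: sin(pi/2 * r) with r = (|z| + pi/2) * 2/pi, i.e. cos(|z|),
    by range reduction plus a degree-7 polynomial in n."""
    r = (abs(z) + D) * E             # andps 7fffffff, addss d, mulss e: r(i)
    h = int(r)                       # cvttss2si: h(i)
    j = min(r - h, 1.0)              # subss, minss: j(i)
    n = (1.0 - j) if (h & 1) else j  # mask table at 4005C0 selects 1-j for odd h
    m = n * n
    s = (((A * m + B) * m + C) * m + D) * n
    return -s if (h & 2) else s      # bit 1 of h becomes the sign bit (shl 1E / and 80000000)

def y_from_name_dwords(words):
    """y(i) = dword / 65536 / 2 + 0.5, as computed at 00402660-00402672."""
    return [w / 65536 / 2 + 0.5 for w in words]

def q_from_serial(serial: str):
    """Length check plus the strtol(..., 16) loop at 004026B5-0040271A; None = rejected.
    (The original strtol stops silently at a non-hex character; rejecting is stricter.)"""
    if len(serial) < 16 or any(c not in "0123456789abcdefABCDEF" for c in serial[:16]):
        return None
    return [int(serial[4 * i:4 * i + 4], 16) / 65536 / 2 + 0.5 for i in range(4)]

def serial_passes(serial: str, y) -> bool:
    """The 4-round loop at 00402720: every |s(i) - q(i)| must be <= TOL."""
    q = q_from_serial(serial)
    return q is not None and all(abs(sse_sin_routine(yi * qi) - qi) <= TOL
                                 for yi, qi in zip(y, q))

def solve_serial(y) -> str:
    """Inverse of the check: q(i) is the fixed point q = s(y*q); iteration converges on
    [0.5, 1] since |ds/dq| = y*|sin(y*q)| < 1. Then o = (q - 0.5) * 2 * 65536, rounded."""
    groups = []
    for yi in y:
        q = 0.75
        for _ in range(200):
            q = sse_sin_routine(yi * q)
        groups.append(f"{round((q - 0.5) * 2 * 65536):04X}")
    return "".join(groups)

# Constructed sample: the four name-derived dwords the page lists for the name "seya"
SAMPLE_Y = y_from_name_dwords([0xA467, 0x1103, 0xB2C6, 0x9CF1])
```

Rounding o(i) moves q(i) by at most 1/131072, which stays well inside the tolerance, so the rounded serial still passes the forward check.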
--------------------------------------------------------------------------------
[Copyright]: This article was originally published on the Pediy (看雪) forum; when reposting, please credit the author and keep the article intact. Thanks!
June 19, 2007, 14:49:22