[Original] Crackme algorithm analysis
Posted: 2007-6-21 18:37 4827
【Title】PYG 5.4Cracker
【Author】史克威爾
【Author e-mail】squeare20012001@yafoo.com.tw
【Tools】PEiD, W32Dasm, OD (OllyDbg)
【Platform】Windows XP
【Software】Crackme
【Protection】None
【Description】Crackme
------------------------------------------------------------------------
1. Run the program and find the registration window. Enter a wrong username/serial and click OK: nothing happens at all. So only a correct serial produces any feedback; with the right serial a "Congratulations, registered" box pops up.
2. Load it in OD and use the Ultra String Reference plugin to find "恭喜您,註冊碼正確!" (Congratulations, the serial is correct!). Double-click it to land on the code:
00408E6D |. 68 B88F4000 PUSH CodeFant.00408FB8 ; "恭喜您,註冊碼正確!" (Congratulations, the serial is correct!)
Scroll up and set a breakpoint at 00408DDC, the start of the button's WM_COMMAND case.
3. Enter username chuan and serial 123456789, click OK, and the program breaks:
00408C70 /. 55 PUSH EBP ------- dialog procedure entry
00408C71 |. 8BEC MOV EBP,ESP
00408C73 |. 83C4 A8 ADD ESP,-58
00408C76 |. 53 PUSH EBX
00408C77 |. 33C0 XOR EAX,EAX
00408C79 |. 8945 B0 MOV [LOCAL.20],EAX
00408C7C |. 8945 A8 MOV [LOCAL.22],EAX
00408C7F |. 8945 AC MOV [LOCAL.21],EAX
00408C82 |. 8945 B4 MOV [LOCAL.19],EAX
00408C85 |. 33C0 XOR EAX,EAX
00408C87 |. 55 PUSH EBP
00408C88 |. 68 648F4000 PUSH CodeFant.00408F64
00408C8D |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00408C90 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00408C93 |. 8B45 0C MOV EAX,[ARG.2]
00408C96 |. 3D 11010000 CMP EAX,111 ; Switch (cases 2..201)
00408C9B |. 7F 2D JG SHORT CodeFant.00408CCA
00408C9D |. 0F84 15010000 JE CodeFant.00408DB8
00408CA3 |. 83E8 02 SUB EAX,2
00408CA6 |. 0F84 84020000 JE CodeFant.00408F30
00408CAC |. 83E8 0D SUB EAX,0D
00408CAF |. 0F84 C5000000 JE CodeFant.00408D7A
00408CB5 |. 83E8 1C SUB EAX,1C
00408CB8 |. 0F84 F7010000 JE CodeFant.00408EB5
00408CBE |. 2D E5000000 SUB EAX,0E5
00408CC3 |. 74 2E JE SHORT CodeFant.00408CF3
00408CC5 |. E9 7D020000 JMP CodeFant.00408F47
00408CCA |> 2D 13010000 SUB EAX,113
00408CCF |. 0F84 EF010000 JE CodeFant.00408EC4
00408CD5 |. 83E8 23 SUB EAX,23
00408CD8 |. 0F84 16020000 JE CodeFant.00408EF4
00408CDE |. 83E8 02 SUB EAX,2
00408CE1 |. 0F84 2B020000 JE CodeFant.00408F12
00408CE7 |. 2D C9000000 SUB EAX,0C9
00408CEC |. 74 48 JE SHORT CodeFant.00408D36
00408CEE |. E9 54020000 JMP CodeFant.00408F47
00408CF3 |> 8B45 08 MOV EAX,[ARG.1] ; Case 110 (WM_INITDIALOG) of switch 00408C96
00408CF6 |. A3 ACB74000 MOV DWORD PTR DS:[40B7AC],EAX
00408CFB |. 68 C8A44000 PUSH CodeFant.0040A4C8 ; /pRect = CodeFant.0040A4C8
00408D00 |. 8B45 08 MOV EAX,[ARG.1] ; |
00408D03 |. 50 PUSH EAX ; |hWnd
00408D04 |. E8 43BAFFFF CALL <JMP.&user32.GetClientRect> ; \GetClientRect
00408D09 |. A1 CCA44000 MOV EAX,DWORD PTR DS:[40A4CC]
00408D0E |. 83C0 14 ADD EAX,14
00408D11 |. A3 D4A44000 MOV DWORD PTR DS:[40A4D4],EAX
00408D16 |. 68 748F4000 PUSH CodeFant.00408F74 ; /Text = "codefantasy系列crackme1" (codefantasy series crackme1)
00408D1B |. 8B45 08 MOV EAX,[ARG.1] ; |
00408D1E |. 50 PUSH EAX ; |hWnd
00408D1F |. E8 B8BAFFFF CALL <JMP.&user32.SetWindowTextA> ; \SetWindowTextA
00408D24 |. 8B45 08 MOV EAX,[ARG.1]
00408D27 |. E8 40F3FFFF CALL CodeFant.0040806C
00408D2C |. BB 01000000 MOV EBX,1
00408D31 |. E9 13020000 JMP CodeFant.00408F49
00408D36 |> 0FB745 14 MOVZX EAX,WORD PTR SS:[EBP+14] ; Case 201 (WM_LBUTTONDOWN) of switch 00408C96
00408D3A |. 8945 F8 MOV [LOCAL.2],EAX
00408D3D |. 8B45 14 MOV EAX,[ARG.4]
00408D40 |. E8 AFBAFFFF CALL CodeFant.004047F4
00408D45 |. 0FB7C0 MOVZX EAX,AX
00408D48 |. 8945 FC MOV [LOCAL.1],EAX
00408D4B |. FF75 FC PUSH [LOCAL.1] ; /Point.Y
00408D4E |. FF75 F8 PUSH [LOCAL.2] ; |Point.X
00408D51 |. 68 C8A44000 PUSH CodeFant.0040A4C8 ; |pRect = 0040A4C8 {0.,0.,306.,20.}
00408D56 |. E8 51BAFFFF CALL <JMP.&user32.PtInRect> ; \PtInRect
00408D5B |. 85C0 TEST EAX,EAX
00408D5D |. 0F84 E6010000 JE CodeFant.00408F49
00408D63 |. 6A 00 PUSH 0 ; /lParam = 0
00408D65 |. 6A 02 PUSH 2 ; |wParam = 2
00408D67 |. 68 A1000000 PUSH 0A1 ; |Message = WM_NCLBUTTONDOWN
00408D6C |. 8B45 08 MOV EAX,[ARG.1] ; |
00408D6F |. 50 PUSH EAX ; |hWnd
00408D70 |. E8 27BAFFFF CALL <JMP.&user32.PostMessageA> ; \PostMessageA
00408D75 |. E9 CF010000 JMP CodeFant.00408F49
00408D7A |> 8D45 B8 LEA EAX,[LOCAL.18] ; Case F (WM_PAINT) of switch 00408C96
00408D7D |. 50 PUSH EAX ; /pPaintstruct
00408D7E |. 8B45 08 MOV EAX,[ARG.1] ; |
00408D81 |. 50 PUSH EAX ; |hWnd
00408D82 |. E8 6DB9FFFF CALL <JMP.&user32.BeginPaint> ; \BeginPaint
00408D87 |. 68 C8A44000 PUSH CodeFant.0040A4C8 ; /Arg3 = 0040A4C8
00408D8C |. 68 40D9FE00 PUSH 0FED940 ; |Arg2 = 00FED940
00408D91 |. 68 0B198B00 PUSH 8B190B ; |Arg1 = 008B190B
00408D96 |. B9 948F4000 MOV ECX,CodeFant.00408F94 ; |"codefantasy系列crackme1" (codefantasy series crackme1)
00408D9B |. 8B15 A8B74000 MOV EDX,DWORD PTR DS:[40B7A8] ; |
00408DA1 |. E8 8AF3FFFF CALL CodeFant.00408130 ; \CodeFant.00408130
00408DA6 |. 8D45 B8 LEA EAX,[LOCAL.18]
00408DA9 |. 50 PUSH EAX ; /pPaintstruct
00408DAA |. 8B45 08 MOV EAX,[ARG.1] ; |
00408DAD |. 50 PUSH EAX ; |hWnd
00408DAE |. E8 81B9FFFF CALL <JMP.&user32.EndPaint> ; \EndPaint
00408DB3 |. E9 91010000 JMP CodeFant.00408F49
00408DB8 |> 8B45 10 MOV EAX,[ARG.3] ; Case 111 (WM_COMMAND) of switch 00408C96
00408DBB |. 2D E9030000 SUB EAX,3E9 ; Switch (cases 3E9..3EC)
00408DC0 |. 0F84 B7000000 JE CodeFant.00408E7D
00408DC6 |. 48 DEC EAX
00408DC7 |. 74 13 JE SHORT CodeFant.00408DDC
00408DC9 |. 48 DEC EAX
00408DCA |. 0F84 C6000000 JE CodeFant.00408E96
00408DD0 |. 48 DEC EAX
00408DD1 |. 0F84 CC000000 JE CodeFant.00408EA3
00408DD7 |. E9 D2000000 JMP CodeFant.00408EAE
00408DDC |> 68 FF000000 PUSH 0FF ; /Count = FF (255.); Case 3EA of switch 00408DBB ------- set the breakpoint here
00408DE1 |. 68 9CA24000 PUSH CodeFant.0040A29C ; |Buffer = CodeFant.0040A29C
00408DE6 |. 68 F2030000 PUSH 3F2 ; |ControlID = 3F2 (1010.)
00408DEB |. 8B45 08 MOV EAX,[ARG.1] ; |
00408DEE |. 50 PUSH EAX ; |hWnd
00408DEF |. E8 68B9FFFF CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00408DF4 |. 8D45 B4 LEA EAX,[LOCAL.19]
00408DF7 |. BA 9CA24000 MOV EDX,CodeFant.0040A29C ------- username buffer, copied into LOCAL.19
00408DFC |. B9 FF000000 MOV ECX,0FF
00408E01 |. E8 6AAAFFFF CALL CodeFant.00403870
00408E06 |. 837D B4 00 CMP [LOCAL.19],0 ---- is the username empty?
00408E0A |. 0F84 9E000000 JE CodeFant.00408EAE ----- if so, bail out: no serial check, no message
00408E10 |. 68 FF000000 PUSH 0FF ; /Count = FF (255.)
00408E15 |. 68 9CA34000 PUSH CodeFant.0040A39C ; |Buffer = CodeFant.0040A39C
00408E1A |. 68 F3030000 PUSH 3F3 ; |ControlID = 3F3 (1011.)
00408E1F |. 8B45 08 MOV EAX,[ARG.1] ; |
00408E22 |. 50 PUSH EAX ; |hWnd
00408E23 |. E8 34B9FFFF CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00408E28 |. 8D45 AC LEA EAX,[LOCAL.21]
00408E2B |. BA 9CA24000 MOV EDX,CodeFant.0040A29C
00408E30 |. B9 FF000000 MOV ECX,0FF
00408E35 |. E8 36AAFFFF CALL CodeFant.00403870
00408E3A |. 8B45 AC MOV EAX,[LOCAL.21]
00408E3D |. 8D55 B0 LEA EDX,[LOCAL.20]
00408E40 |. E8 23FCFFFF CALL CodeFant.00408A68 ---------- the algorithm: walks the username byte by byte (EAX = username, EDX = output string)
00408E45 |. 8B45 B0 MOV EAX,[LOCAL.20]
00408E48 |. 50 PUSH EAX
00408E49 |. 8D45 A8 LEA EAX,[LOCAL.22]
00408E4C |. BA 9CA34000 MOV EDX,CodeFant.0040A39C
00408E51 |. B9 FF000000 MOV ECX,0FF
00408E56 |. E8 15AAFFFF CALL CodeFant.00403870
00408E5B |. 8B55 A8 MOV EDX,[LOCAL.22]
00408E5E |. 58 POP EAX
00408E5F |. E8 84ABFFFF CALL CodeFant.004039E8
00408E64 |. 75 48 JNZ SHORT CodeFant.00408EAE ------- key jump (patch point)
00408E66 |. 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00408E68 |. 68 AC8F4000 PUSH CodeFant.00408FAC ; |"註冊提示" (Registration notice)
00408E6D |. 68 B88F4000 PUSH CodeFant.00408FB8 ; |"恭喜您,註冊碼正確!" (Congratulations, the serial is correct!)
00408E72 |. 8B45 08 MOV EAX,[ARG.1] ; |
00408E75 |. 50 PUSH EAX ; |hOwner
00408E76 |. E8 19B9FFFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
Step into this call: 00408E40 |. E8 23FCFFFF CALL CodeFant.00408A68
00408A68 /$ 55 PUSH EBP
00408A69 |. 8BEC MOV EBP,ESP
00408A6B |. B9 07000000 MOV ECX,7
00408A70 |> 6A 00 /PUSH 0
00408A72 |. 6A 00 |PUSH 0
00408A74 |. 49 |DEC ECX
00408A75 |.^ 75 F9 \JNZ SHORT CodeFant.00408A70
00408A77 |. 51 PUSH ECX
00408A78 |. 53 PUSH EBX
00408A79 |. 56 PUSH ESI
00408A7A |. 57 PUSH EDI
00408A7B |. 8955 F8 MOV [LOCAL.2],EDX
00408A7E |. 8945 FC MOV [LOCAL.1],EAX
00408A81 |. 8B45 FC MOV EAX,[LOCAL.1]
00408A84 |. E8 03B0FFFF CALL CodeFant.00403A8C
00408A89 |. 33C0 XOR EAX,EAX
00408A8B |. 55 PUSH EBP
00408A8C |. 68 498C4000 PUSH CodeFant.00408C49
00408A91 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00408A94 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00408A97 |. 8D45 F4 LEA EAX,[LOCAL.3]
00408A9A |. E8 89ABFFFF CALL CodeFant.00403628
00408A9F |. 8B45 FC MOV EAX,[LOCAL.1]
00408AA2 |. E8 F5ADFFFF CALL CodeFant.0040389C
00408AA7 |. 8BF8 MOV EDI,EAX
00408AA9 |. 85FF TEST EDI,EDI
00408AAB |. 7E 28 JLE SHORT CodeFant.00408AD5
00408AAD |. BE 01000000 MOV ESI,1
00408AB2 |> 8B45 FC /MOV EAX,[LOCAL.1]
00408AB5 |. 33DB |XOR EBX,EBX
00408AB7 |. 8A5C30 FF |MOV BL,BYTE PTR DS:[EAX+ESI-1] --- take the username one byte at a time
00408ABB |. 43 |INC EBX ; +1 on this pass
00408ABC |. 8D45 D8 |LEA EAX,[LOCAL.10] ; EAX = temp string, EDX = byte+1: builds a one-char string, then appends it to LOCAL.3
00408ABF |. 8BD3 |MOV EDX,EBX
00408AC1 |. E8 2EADFFFF |CALL CodeFant.004037F4
00408AC6 |. 8B55 D8 |MOV EDX,[LOCAL.10]
00408AC9 |. 8D45 F4 |LEA EAX,[LOCAL.3]
00408ACC |. E8 D3ADFFFF |CALL CodeFant.004038A4
00408AD1 |. 46 |INC ESI
00408AD2 |. 4F |DEC EDI
00408AD3 |.^ 75 DD \JNZ SHORT CodeFant.00408AB2
00408AD5 |> 8D45 F0 LEA EAX,[LOCAL.4]
00408AD8 |. 8B55 F4 MOV EDX,[LOCAL.3]
00408ADB |. E8 E0ABFFFF CALL CodeFant.004036C0 ; copy LOCAL.3 into LOCAL.4; after the first pass it is "divbo"
00408AE0 |. 8D45 F4 LEA EAX,[LOCAL.3]
00408AE3 |. E8 40ABFFFF CALL CodeFant.00403628
00408AE8 |. 8B45 F0 MOV EAX,[LOCAL.4]
00408AEB |. E8 ACADFFFF CALL CodeFant.0040389C
00408AF0 |. 8BF8 MOV EDI,EAX
00408AF2 |. 85FF TEST EDI,EDI
00408AF4 |. 7E 2A JLE SHORT CodeFant.00408B20
00408AF6 |. BE 01000000 MOV ESI,1
00408AFB |> 8B45 F0 /MOV EAX,[LOCAL.4]
00408AFE |. 33DB |XOR EBX,EBX
00408B00 |. 8A5C30 FF |MOV BL,BYTE PTR DS:[EAX+ESI-1] ; walk "divbo" (output of pass 1) one byte at a time
00408B04 |. 83C3 02 |ADD EBX,2
00408B07 |. 8D45 D4 |LEA EAX,[LOCAL.11]
00408B0A |. 8BD3 |MOV EDX,EBX
00408B0C |. E8 E3ACFFFF |CALL CodeFant.004037F4
00408B11 |. 8B55 D4 |MOV EDX,[LOCAL.11]
00408B14 |. 8D45 F4 |LEA EAX,[LOCAL.3]
00408B17 |. E8 88ADFFFF |CALL CodeFant.004038A4
00408B1C |. 46 |INC ESI
00408B1D |. 4F |DEC EDI
00408B1E |.^ 75 DB \JNZ SHORT CodeFant.00408AFB
00408B20 |> 8D45 EC LEA EAX,[LOCAL.5]
00408B23 |. 8B55 F4 MOV EDX,[LOCAL.3] -------- after the second pass "divbo" has become "fkxdq"
00408B26 |. E8 95ABFFFF CALL CodeFant.004036C0
00408B2B |. 8D45 F4 LEA EAX,[LOCAL.3]
00408B2E |. E8 F5AAFFFF CALL CodeFant.00403628
00408B33 |. 8B45 EC MOV EAX,[LOCAL.5]
00408B36 |. E8 61ADFFFF CALL CodeFant.0040389C
00408B3B |. 8BF8 MOV EDI,EAX
00408B3D |. 85FF TEST EDI,EDI
00408B3F |. 7E 2A JLE SHORT CodeFant.00408B6B
00408B41 |. BE 01000000 MOV ESI,1
00408B46 |> 8B45 EC /MOV EAX,[LOCAL.5]
00408B49 |. 33DB |XOR EBX,EBX
00408B4B |. 8A5C30 FF |MOV BL,BYTE PTR DS:[EAX+ESI-1]
00408B4F |. 83C3 03 |ADD EBX,3 -------------- ; +3 this pass, applied to "fkxdq"
00408B52 |. 8D45 D0 |LEA EAX,[LOCAL.12]
00408B55 |. 8BD3 |MOV EDX,EBX
00408B57 |. E8 98ACFFFF |CALL CodeFant.004037F4
00408B5C |. 8B55 D0 |MOV EDX,[LOCAL.12]
00408B5F |. 8D45 F4 |LEA EAX,[LOCAL.3]
00408B62 |. E8 3DADFFFF |CALL CodeFant.004038A4
00408B67 |. 46 |INC ESI
00408B68 |. 4F |DEC EDI
00408B69 |.^ 75 DB \JNZ SHORT CodeFant.00408B46
00408B6B |> 8D45 E8 LEA EAX,[LOCAL.6]
00408B6E |. 8B55 F4 MOV EDX,[LOCAL.3] ----------- ; after the third pass (ASCII "in{gt")
00408B71 |. E8 4AABFFFF CALL CodeFant.004036C0
00408B76 |. 8D45 F4 LEA EAX,[LOCAL.3]
00408B79 |. E8 AAAAFFFF CALL CodeFant.00403628
00408B7E |. 8B45 E8 MOV EAX,[LOCAL.6]
00408B81 |. E8 16ADFFFF CALL CodeFant.0040389C
00408B86 |. 8BF8 MOV EDI,EAX
00408B88 |. 85FF TEST EDI,EDI
00408B8A |. 7E 2A JLE SHORT CodeFant.00408BB6
00408B8C |. BE 01000000 MOV ESI,1
00408B91 |> 8B45 E8 /MOV EAX,[LOCAL.6]
00408B94 |. 33DB |XOR EBX,EBX
00408B96 |. 8A5C30 FF |MOV BL,BYTE PTR DS:[EAX+ESI-1] ------- ; walk "in{gt" one byte at a time, +4 this pass
00408B9A |. 83C3 04 |ADD EBX,4
00408B9D |. 8D45 CC |LEA EAX,[LOCAL.13]
00408BA0 |. 8BD3 |MOV EDX,EBX
00408BA2 |. E8 4DACFFFF |CALL CodeFant.004037F4
00408BA7 |. 8B55 CC |MOV EDX,[LOCAL.13]
00408BAA |. 8D45 F4 |LEA EAX,[LOCAL.3]
00408BAD |. E8 F2ACFFFF |CALL CodeFant.004038A4
00408BB2 |. 46 |INC ESI
00408BB3 |. 4F |DEC EDI
00408BB4 |.^ 75 DB \JNZ SHORT CodeFant.00408B91
00408BB6 |> 8D45 E4 LEA EAX,[LOCAL.7]
00408BB9 |. E8 6AAAFFFF CALL CodeFant.00403628
00408BBE |. 8B45 F4 MOV EAX,[LOCAL.3]
00408BC1 |. E8 D6ACFFFF CALL CodeFant.0040389C
00408BC6 |. 8BF8 MOV EDI,EAX
00408BC8 |. 4F DEC EDI
00408BC9 |. 85FF TEST EDI,EDI
00408BCB |. 7C 4E JL SHORT CodeFant.00408C1B
00408BCD |. 47 INC EDI
00408BCE |. 33F6 XOR ESI,ESI
00408BD0 |> 8D45 DC /LEA EAX,[LOCAL.9]
00408BD3 |. 50 |PUSH EAX ; /Arg1
00408BD4 |. 8B45 F4 |MOV EAX,[LOCAL.3] ; |
00408BD7 |. 0FB60430 |MOVZX EAX,BYTE PTR DS:[EAX+ESI] ; |
00408BDB |. 8945 C4 |MOV [LOCAL.15],EAX ; |
00408BDE |. C645 C8 00 |MOV BYTE PTR SS:[EBP-38],0 ; |
00408BE2 |. 8D55 C4 |LEA EDX,[LOCAL.15] ; |
00408BE5 |. 33C9 |XOR ECX,ECX ; |
00408BE7 |. B8 608C4000 |MOV EAX,CodeFant.00408C60 ; |ASCII "%x"
00408BEC |. E8 1FD1FFFF |CALL CodeFant.00405D10 ; \CodeFant.00405D10
00408BF1 |. 8B45 DC |MOV EAX,[LOCAL.9]
00408BF4 |. E8 A3ACFFFF |CALL CodeFant.0040389C
00408BF9 |. 48 |DEC EAX
00408BFA |. 75 10 |JNZ SHORT CodeFant.00408C0C
00408BFC |. 8D45 DC |LEA EAX,[LOCAL.9]
00408BFF |. 8B4D DC |MOV ECX,[LOCAL.9]
00408C02 |. BA 6C8C4000 |MOV EDX,CodeFant.00408C6C
00408C07 |. E8 DCACFFFF |CALL CodeFant.004038E8
00408C0C |> 8D45 E0 |LEA EAX,[LOCAL.8]
00408C0F |. 8B55 DC |MOV EDX,[LOCAL.9]
00408C12 |. E8 8DACFFFF |CALL CodeFant.004038A4
00408C17 |. 46 |INC ESI
00408C18 |. 4F |DEC EDI
00408C19 |.^ 75 B5 \JNZ SHORT CodeFant.00408BD0
00408C1B |> 8B45 F8 MOV EAX,[LOCAL.2]
00408C1E |. 8B55 E0 MOV EDX,[LOCAL.8]
00408C21 |. E8 56AAFFFF CALL CodeFant.0040367C ------------ final serial assigned to the out parameter (memory keygen point: EDX = the correct serial)
00408C26 |. 33C0 XOR EAX,EAX
00408C28 |. 5A POP EDX
00408C29 |. 59 POP ECX
00408C2A |. 59 POP ECX
00408C2B |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00408C2E |. 68 508C4000 PUSH CodeFant.00408C50
00408C33 |> 8D45 CC LEA EAX,[LOCAL.13]
00408C36 |. BA 0B000000 MOV EDX,0B
00408C3B |. E8 0CAAFFFF CALL CodeFant.0040364C
00408C40 |. 8D45 FC LEA EAX,[LOCAL.1]
00408C43 |. E8 E0A9FFFF CALL CodeFant.00403628
00408C48 \. C3 RETN
00408C49 .^\E9 02A4FFFF JMP CodeFant.00403050
00408C4E .^ EB E3 JMP SHORT CodeFant.00408C33
00408C50 . 5F POP EDI
00408C51 . 5E POP ESI
00408C52 . 5B POP EBX
00408C53 . 8BE5 MOV ESP,EBP
00408C55 . 5D POP EBP
00408C56 . C3 RETN
00408C57 00 DB 00
00408C58 . FFFFFFFF DD FFFFFFFF
00408C5C . 02000000 DD 00000002
00408C60 . 25 78 00 ASCII "%x",0
00408C63 00 DB 00
00408C64 . FFFFFFFF DD FFFFFFFF
00408C68 . 01000000 DD 00000001
00408C6C . 30 00 ASCII "0",0
00408C6E 00 DB 00
00408C6F 00 DB 00
Remaining cases of the dialog procedure, from 00408F0A on:
00408F0A |. 8B1D A0B74000 MOV EBX,DWORD PTR DS:[40B7A0]
00408F10 |. EB 37 JMP SHORT CodeFant.00408F49
00408F12 |> 6A 00 PUSH 0 ; /Color = <BLACK>; Case 138 (WM_CTLCOLORSTATIC) of switch 00408C96
00408F14 |. 8B45 10 MOV EAX,[ARG.3] ; |
00408F17 |. 50 PUSH EAX ; |hDC
00408F18 |. E8 CFB7FFFF CALL <JMP.&gdi32.SetTextColor> ; \SetTextColor
00408F1D |. 6A 01 PUSH 1 ; /BkMode = TRANSPARENT
00408F1F |. 8B45 10 MOV EAX,[ARG.3] ; |
00408F22 |. 50 PUSH EAX ; |hDC
00408F23 |. E8 BCB7FFFF CALL <JMP.&gdi32.SetBkMode> ; \SetBkMode
00408F28 |. 8B1D A0B74000 MOV EBX,DWORD PTR DS:[40B7A0]
00408F2E |. EB 19 JMP SHORT CodeFant.00408F49
00408F30 |> 68 A9000000 PUSH 0A9 ; /TimerID = A9 (169.); Case 2 (WM_DESTROY) of switch 00408C96
00408F35 |. 8B45 08 MOV EAX,[ARG.1] ; |
00408F38 |. 50 PUSH EAX ; |hWnd
00408F39 |. E8 3EB8FFFF CALL <JMP.&user32.KillTimer> ; \KillTimer
00408F3E |. 6A 00 PUSH 0 ; /ExitCode = 0
00408F40 |. E8 5FB8FFFF CALL <JMP.&user32.PostQuitMessage> ; \PostQuitMessage
00408F45 |. EB 02 JMP SHORT CodeFant.00408F49
00408F47 |> 33DB XOR EBX,EBX ; Default case of switch 00408C96
00408F49 |> 33C0 XOR EAX,EAX
00408F4B |. 5A POP EDX
00408F4C |. 59 POP ECX
00408F4D |. 59 POP ECX
00408F4E |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00408F51 |. 68 6B8F4000 PUSH CodeFant.00408F6B
00408F56 |> 8D45 A8 LEA EAX,[LOCAL.22]
00408F59 |. BA 04000000 MOV EDX,4
00408F5E |. E8 E9A6FFFF CALL CodeFant.0040364C
00408F63 \. C3 RETN
00408F64 .^ E9 E7A0FFFF JMP CodeFant.00403050
00408F69 .^ EB EB JMP SHORT CodeFant.00408F56
00408F6B . 8BC3 MOV EAX,EBX
00408F6D . 5B POP EBX
00408F6E . 8BE5 MOV ESP,EBP
00408F70 . 5D POP EBP
00408F71 . C2 1000 RETN 10
Algorithm summary:
1. The username is walked four times, and each pass builds a fresh string from the previous one: every byte +1 ("chuan" → "divbo"), then every byte of that +2 ("fkxdq"), then +3 ("in{gt"), then +4. The net effect is +10 on every byte; for "chuan" the last pass is 6D 72 7F 6B 78 (the third byte, 'u'+10, is 0x7F DEL, which is why that string does not show as readable ASCII in the dump).
2. Each byte of the last pass is formatted with "%x"; a one-character result gets a "0" prepended (00408BF9-00408C07), and the pieces are concatenated. Result: 6D727F6B78.
3. Back in the dialog procedure the serial from the edit box is compared with this string at 00408E5F, and the JNZ at 00408E64 is the only thing between the user and the success box, so the serial must match exactly: uppercase hex, as the "%x" formatter emits it (the result above confirms the case). The same string is what gets assigned at 00408C21, which is where a memory keygen can read it.
The helper calls in the 004036xx-00403Axx range behave like Delphi AnsiString runtime routines (clear, length, concat, one-char string, copy, compare); that is an inference from their register calling convention and the intermediate strings, the binary does not label them.
Username: chuan
Serial: 6D727F6B78
Registration succeeds.
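The whole routine as a keygen, written here as an added example: it is my own re-implementation from the 00408A68 listing above, not the author's attached keygen and not code from the crackme. It assumes that the one-character string helper at 004037F4 keeps only the low byte of the incremented value, so bytes wrap at 256; the function names are mine.

```python
# Added example: keygen reconstructed from the 00408A68 listing.
# Not the crackme's code nor the author's keygen; names are mine.
# Behaviour follows the listing: four passes adding 1, 2, 3 and 4 to
# every byte, then "%x" per byte with "0" prepended for single digits.

from typing import List

PASS_INCREMENTS = (1, 2, 3, 4)  # INC EBX / ADD EBX,2 / ADD EBX,3 / ADD EBX,4


def transform_passes(username: str) -> List[bytes]:
    """Return the intermediate string after each of the four passes.

    The binary clears LOCAL.3 before every loop, so pass N works on the
    output of pass N-1.  Each byte is loaded into BL, incremented, and
    stored back through a one-char string; assumption: that helper keeps
    only the low byte, so the addition wraps at 256.
    """
    data = username.encode("latin-1")  # GetDlgItemTextA: one byte per char
    stages = []
    for inc in PASS_INCREMENTS:
        data = bytes((b + inc) & 0xFF for b in data)
        stages.append(data)
    return stages


def keygen(username: str) -> str:
    """Serial = every byte of the last pass as two uppercase hex digits.

    The listing formats each byte with "%x" and, when the result is one
    character long, concatenates "0" in front (00408BF9-00408C07).
    Uppercase matches the author's observed 6D727F6B78.
    """
    final = transform_passes(username)[-1]
    out = []
    for b in final:
        h = format(b, "X")   # the "%x" call at 00408BEC
        if len(h) == 1:      # DEC EAX / JNZ: only pad when length == 1
            h = "0" + h
        out.append(h)
    return "".join(out)


def check_serial(username: str, serial: str) -> bool:
    """Mirror of the WM_COMMAND handler: an empty username is rejected
    before any check (CMP [LOCAL.19],0 / JE); otherwise the serial must
    equal the generated string exactly, case included."""
    if not username:
        return False
    return keygen(username) == serial


if __name__ == "__main__":
    name = "chuan"
    for inc, stage in zip(PASS_INCREMENTS, transform_passes(name)):
        print(f"+{inc}: {stage!r}")
    print(f"{name} -> {keygen(name)}")
```

Running it for chuan prints the same three readable intermediates seen in the debugger ("divbo", "fkxdq", "in{gt"), the unprintable fourth stage, and the serial 6D727F6B78; feeding a lowercase serial to check_serial fails, exactly as the JNZ at 00408E64 would.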
I'm a beginner just starting out with cracking; the algorithm analysis is not thorough, so please give me some guidance.
Attached: the file and the keygen.
【破文作者】史克威爾
【作者郵箱】squeare20012001@yafoo.com.tw
【破解工具】peid,W32Dasm,od
【破解平臺】winxp
【軟體名稱】Crackme
【保護方式】無
【軟體簡介】Crackme
------------------------------------------------------------------------
一、運行程式,找到註冊視窗進行註冊,輸入錯誤的註冊資訊按確定進行檢測,沒有任何反應
看來是必須輸入正確的註冊碼才會啟動,書住正確的註冊碼會 “跳出恭喜你註冊
二、OD載入用插件超級字串找到恭喜你註冊碼正確 點兩下跳到代碼:
00408E6D |. 68 B88F4000 PUSH CodeFant.00408FB8 恭喜您,註冊碼正確!
往上找在00408DDC下中斷點
三、輸入用戶名chuan 註冊碼123456789點確定程式被斷下
00408C70 /. 55 PUSH EBP-------程式入口
00408C71 |. 8BEC MOV EBP,ESP
00408C73 |. 83C4 A8 ADD ESP,-58
00408C76 |. 53 PUSH EBX
00408C77 |. 33C0 XOR EAX,EAX
00408C79 |. 8945 B0 MOV [LOCAL.20],EAX
00408C7C |. 8945 A8 MOV [LOCAL.22],EAX
00408C7F |. 8945 AC MOV [LOCAL.21],EAX
00408C82 |. 8945 B4 MOV [LOCAL.19],EAX
00408C85 |. 33C0 XOR EAX,EAX
00408C87 |. 55 PUSH EBP
00408C88 |. 68 648F4000 PUSH CodeFant.00408F64
00408C8D |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00408C90 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00408C93 |. 8B45 0C MOV EAX,[ARG.2]
00408C96 |. 3D 11010000 CMP EAX,111 ; Switch (cases 2..201)
00408C9B |. 7F 2D JG SHORT CodeFant.00408CCA
00408C9D |. 0F84 15010000 JE CodeFant.00408DB8
00408CA3 |. 83E8 02 SUB EAX,2
00408CA6 |. 0F84 84020000 JE CodeFant.00408F30
00408CAC |. 83E8 0D SUB EAX,0D
00408CAF |. 0F84 C5000000 JE CodeFant.00408D7A
00408CB5 |. 83E8 1C SUB EAX,1C
00408CB8 |. 0F84 F7010000 JE CodeFant.00408EB5
00408CBE |. 2D E5000000 SUB EAX,0E5
00408CC3 |. 74 2E JE SHORT CodeFant.00408CF3
00408CC5 |. E9 7D020000 JMP CodeFant.00408F47
00408CCA |> 2D 13010000 SUB EAX,113
00408CCF |. 0F84 EF010000 JE CodeFant.00408EC4
00408CD5 |. 83E8 23 SUB EAX,23
00408CD8 |. 0F84 16020000 JE CodeFant.00408EF4
00408CDE |. 83E8 02 SUB EAX,2
00408CE1 |. 0F84 2B020000 JE CodeFant.00408F12
00408CE7 |. 2D C9000000 SUB EAX,0C9
00408CEC |. 74 48 JE SHORT CodeFant.00408D36
00408CEE |. E9 54020000 JMP CodeFant.00408F47
00408CF3 |> 8B45 08 MOV EAX,[ARG.1] ; Case 110 (WM_INITDIALOG) of switch 00408C96
00408CF6 |. A3 ACB74000 MOV DWORD PTR DS:[40B7AC],EAX
00408CFB |. 68 C8A44000 PUSH CodeFant.0040A4C8 ; /pRect = CodeFant.0040A4C8
00408D00 |. 8B45 08 MOV EAX,[ARG.1] ; |
00408D03 |. 50 PUSH EAX ; |hWnd
00408D04 |. E8 43BAFFFF CALL <JMP.&user32.GetClientRect> ; \GetClientRect
00408D09 |. A1 CCA44000 MOV EAX,DWORD PTR DS:[40A4CC]
00408D0E |. 83C0 14 ADD EAX,14
00408D11 |. A3 D4A44000 MOV DWORD PTR DS:[40A4D4],EAX
00408D16 |. 68 748F4000 PUSH CodeFant.00408F74 ; /codefantasy系列crackme1
00408D1B |. 8B45 08 MOV EAX,[ARG.1] ; |
00408D1E |. 50 PUSH EAX ; |hWnd
00408D1F |. E8 B8BAFFFF CALL <JMP.&user32.SetWindowTextA> ; \SetWindowTextA
00408D24 |. 8B45 08 MOV EAX,[ARG.1]
00408D27 |. E8 40F3FFFF CALL CodeFant.0040806C
00408D2C |. BB 01000000 MOV EBX,1
00408D31 |. E9 13020000 JMP CodeFant.00408F49
00408D36 |> 0FB745 14 MOVZX EAX,WORD PTR SS:[EBP+14] ; Case 201 (WM_LBUTTONDOWN) of switch 00408C96
00408D3A |. 8945 F8 MOV [LOCAL.2],EAX
00408D3D |. 8B45 14 MOV EAX,[ARG.4]
00408D40 |. E8 AFBAFFFF CALL CodeFant.004047F4
00408D45 |. 0FB7C0 MOVZX EAX,AX
00408D48 |. 8945 FC MOV [LOCAL.1],EAX
00408D4B |. FF75 FC PUSH [LOCAL.1] ; /Point.Y
00408D4E |. FF75 F8 PUSH [LOCAL.2] ; |Point.X
00408D51 |. 68 C8A44000 PUSH CodeFant.0040A4C8 ; |pRect = 0040A4C8 {0.,0.,306.,20.}
00408D56 |. E8 51BAFFFF CALL <JMP.&user32.PtInRect> ; \PtInRect
00408D5B |. 85C0 TEST EAX,EAX
00408D5D |. 0F84 E6010000 JE CodeFant.00408F49
00408D63 |. 6A 00 PUSH 0 ; /lParam = 0
00408D65 |. 6A 02 PUSH 2 ; |wParam = 2
00408D67 |. 68 A1000000 PUSH 0A1 ; |Message = WM_NCLBUTTONDOWN
00408D6C |. 8B45 08 MOV EAX,[ARG.1] ; |
00408D6F |. 50 PUSH EAX ; |hWnd
00408D70 |. E8 27BAFFFF CALL <JMP.&user32.PostMessageA> ; \PostMessageA
00408D75 |. E9 CF010000 JMP CodeFant.00408F49
00408D7A |> 8D45 B8 LEA EAX,[LOCAL.18] ; Case F (WM_PAINT) of switch 00408C96
00408D7D |. 50 PUSH EAX ; /pPaintstruct
00408D7E |. 8B45 08 MOV EAX,[ARG.1] ; |
00408D81 |. 50 PUSH EAX ; |hWnd
00408D82 |. E8 6DB9FFFF CALL <JMP.&user32.BeginPaint> ; \BeginPaint
00408D87 |. 68 C8A44000 PUSH CodeFant.0040A4C8 ; /Arg3 = 0040A4C8
00408D8C |. 68 40D9FE00 PUSH 0FED940 ; |Arg2 = 00FED940
00408D91 |. 68 0B198B00 PUSH 8B190B ; |Arg1 = 008B190B
00408D96 |. B9 948F4000 MOV ECX,CodeFant.00408F94 ; |codefantasy系列crackme1
00408D9B |. 8B15 A8B74000 MOV EDX,DWORD PTR DS:[40B7A8] ; |
00408DA1 |. E8 8AF3FFFF CALL CodeFant.00408130 ; \CodeFant.00408130
00408DA6 |. 8D45 B8 LEA EAX,[LOCAL.18]
00408DA9 |. 50 PUSH EAX ; /pPaintstruct
00408DAA |. 8B45 08 MOV EAX,[ARG.1] ; |
00408DAD |. 50 PUSH EAX ; |hWnd
00408DAE |. E8 81B9FFFF CALL <JMP.&user32.EndPaint> ; \EndPaint
00408DB3 |. E9 91010000 JMP CodeFant.00408F49
00408DB8 |> 8B45 10 MOV EAX,[ARG.3] ; Case 111 (WM_COMMAND) of switch 00408C96
00408DBB |. 2D E9030000 SUB EAX,3E9 ; Switch (cases 3E9..3EC)
00408DC0 |. 0F84 B7000000 JE CodeFant.00408E7D
00408DC6 |. 48 DEC EAX
00408DC7 |. 74 13 JE SHORT CodeFant.00408DDC
00408DC9 |. 48 DEC EAX
00408DCA |. 0F84 C6000000 JE CodeFant.00408E96
00408DD0 |. 48 DEC EAX
00408DD1 |. 0F84 CC000000 JE CodeFant.00408EA3
00408DD7 |. E9 D2000000 JMP CodeFant.00408EAE
00408DDC |> 68 FF000000 PUSH 0FF ; /Count = FF (255.); Case 3EA of switch 00408DBB-------下中斷點
00408DE1 |. 68 9CA24000 PUSH CodeFant.0040A29C ; |Buffer = CodeFant.0040A29C
00408DE6 |. 68 F2030000 PUSH 3F2 ; |ControlID = 3F2 (1010.)
00408DEB |. 8B45 08 MOV EAX,[ARG.1] ; |
00408DEE |. 50 PUSH EAX ; |hWnd
00408DEF |. E8 68B9FFFF CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00408DF4 |. 8D45 B4 LEA EAX,[LOCAL.19]
00408DF7 |. BA 9CA24000 MOV EDX,CodeFant.0040A29C -------取用戶名
00408DFC |. B9 FF000000 MOV ECX,0FF
00408E01 |. E8 6AAAFFFF CALL CodeFant.00403870
00408E06 |. 837D B4 00 CMP [LOCAL.19],0 ----比較用戶是否為空
00408E0A |. 0F84 9E000000 JE CodeFant.00408EAE-----如果沒有輸入遊戲就結束了
00408E10 |. 68 FF000000 PUSH 0FF ; /Count = FF (255.)
00408E15 |. 68 9CA34000 PUSH CodeFant.0040A39C ; |Buffer = CodeFant.0040A39C
00408E1A |. 68 F3030000 PUSH 3F3 ; |ControlID = 3F3 (1011.)
00408E1F |. 8B45 08 MOV EAX,[ARG.1] ; |
00408E22 |. 50 PUSH EAX ; |hWnd
00408E23 |. E8 34B9FFFF CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00408E28 |. 8D45 AC LEA EAX,[LOCAL.21]
00408E2B |. BA 9CA24000 MOV EDX,CodeFant.0040A29C
00408E30 |. B9 FF000000 MOV ECX,0FF
00408E35 |. E8 36AAFFFF CALL CodeFant.00403870
00408E3A |. 8B45 AC MOV EAX,[LOCAL.21]
00408E3D |. 8D55 B0 LEA EDX,[LOCAL.20]
00408E40 |. E8 23FCFFFF CALL CodeFant.00408A68----------演算法(逐一取用戶名
00408E45 |. 8B45 B0 MOV EAX,[LOCAL.20]
00408E48 |. 50 PUSH EAX
00408E49 |. 8D45 A8 LEA EAX,[LOCAL.22]
00408E4C |. BA 9CA34000 MOV EDX,CodeFant.0040A39C
00408E51 |. B9 FF000000 MOV ECX,0FF
00408E56 |. E8 15AAFFFF CALL CodeFant.00403870
00408E5B |. 8B55 A8 MOV EDX,[LOCAL.22]
00408E5E |. 58 POP EAX
00408E5F |. E8 84ABFFFF CALL CodeFant.004039E8
00408E64 |. 75 48 JNZ SHORT CodeFant.00408EAE-------關鍵朓轉(爆破點)
00408E66 |. 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
00408E68 |. 68 AC8F4000 PUSH CodeFant.00408FAC ; |註冊提示
00408E6D |. 68 B88F4000 PUSH CodeFant.00408FB8 ; |恭喜您,註冊碼正確!
00408E72 |. 8B45 08 MOV EAX,[ARG.1] ; |
00408E75 |. 50 PUSH EAX ; |hOwner
00408E76 |. E8 19B9FFFF CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
進入此call 00408E40 |. E8 23FCFFFF CALL CodeFant.00408A68
00408A68 /$ 55 PUSH EBP
00408A69 |. 8BEC MOV EBP,ESP
00408A6B |. B9 07000000 MOV ECX,7
00408A70 |> 6A 00 /PUSH 0
00408A72 |. 6A 00 |PUSH 0
00408A74 |. 49 |DEC ECX
00408A75 |.^ 75 F9 \JNZ SHORT CodeFant.00408A70
00408A77 |. 51 PUSH ECX
00408A78 |. 53 PUSH EBX
00408A79 |. 56 PUSH ESI
00408A7A |. 57 PUSH EDI
00408A7B |. 8955 F8 MOV [LOCAL.2],EDX
00408A7E |. 8945 FC MOV [LOCAL.1],EAX
00408A81 |. 8B45 FC MOV EAX,[LOCAL.1]
00408A84 |. E8 03B0FFFF CALL CodeFant.00403A8C
00408A89 |. 33C0 XOR EAX,EAX
00408A8B |. 55 PUSH EBP
00408A8C |. 68 498C4000 PUSH CodeFant.00408C49
00408A91 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00408A94 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00408A97 |. 8D45 F4 LEA EAX,[LOCAL.3]
00408A9A |. E8 89ABFFFF CALL CodeFant.00403628
00408A9F |. 8B45 FC MOV EAX,[LOCAL.1]
00408AA2 |. E8 F5ADFFFF CALL CodeFant.0040389C
00408AA7 |. 8BF8 MOV EDI,EAX
00408AA9 |. 85FF TEST EDI,EDI
00408AAB |. 7E 28 JLE SHORT CodeFant.00408AD5
00408AAD |. BE 01000000 MOV ESI,1
00408AB2 |> 8B45 FC /MOV EAX,[LOCAL.1]
00408AB5 |. 33DB |XOR EBX,EBX
00408AB7 |. 8A5C30 FF |MOV BL,BYTE PTR DS:[EAX+ESI-1]--- 逐一取用戶名
00408ABB |. 43 |INC EBX
00408ABC |. 8D45 D8 |LEA EAX,[LOCAL.10] ;用戶名給eax
00408ABF |. 8BD3 |MOV EDX,EBX
00408AC1 |. E8 2EADFFFF |CALL CodeFant.004037F4
00408AC6 |. 8B55 D8 |MOV EDX,[LOCAL.10]
00408AC9 |. 8D45 F4 |LEA EAX,[LOCAL.3]
00408ACC |. E8 D3ADFFFF |CALL CodeFant.004038A4
00408AD1 |. 46 |INC ESI
00408AD2 |. 4F |DEC EDI
00408AD3 |.^ 75 DD \JNZ SHORT CodeFant.00408AB2
00408AD5 |> 8D45 F0 LEA EAX,[LOCAL.4]
00408AD8 |. 8B55 F4 MOV EDX,[LOCAL.3]
00408ADB |. E8 E0ABFFFF CALL CodeFant.004036C0 ;運算後淂divbo
00408AE0 |. 8D45 F4 LEA EAX,[LOCAL.3]
00408AE3 |. E8 40ABFFFF CALL CodeFant.00403628
00408AE8 |. 8B45 F0 MOV EAX,[LOCAL.4]
00408AEB |. E8 ACADFFFF CALL CodeFant.0040389C
00408AF0 |. 8BF8 MOV EDI,EAX
00408AF2 |. 85FF TEST EDI,EDI
00408AF4 |. 7E 2A JLE SHORT CodeFant.00408B20
00408AF6 |. BE 01000000 MOV ESI,1
00408AFB |> 8B45 F0 /MOV EAX,[LOCAL.4]
00408AFE |. 33DB |XOR EBX,EBX
00408B00 |. 8A5C30 FF |MOV BL,BYTE PTR DS:[EAX+ESI-1] 取用戶名運算後所得之divbo運算
00408B04 |. 83C3 02 |ADD EBX,2
00408B07 |. 8D45 D4 |LEA EAX,[LOCAL.11]
00408B0A |. 8BD3 |MOV EDX,EBX
00408B0C |. E8 E3ACFFFF |CALL CodeFant.004037F4
00408B11 |. 8B55 D4 |MOV EDX,[LOCAL.11]
00408B14 |. 8D45 F4 |LEA EAX,[LOCAL.3]
00408B17 |. E8 88ADFFFF |CALL CodeFant.004038A4
00408B1C |. 46 |INC ESI
00408B1D |. 4F |DEC EDI
00408B1E |.^ 75 DB \JNZ SHORT CodeFant.00408AFB
00408B20 |> 8D45 EC LEA EAX,[LOCAL.5]
00408B23 |. 8B55 F4 MOV EDX,[LOCAL.3]--------:divbo運算得到fkxdq
00408B26 |. E8 95ABFFFF CALL CodeFant.004036C0
00408B2B |. 8D45 F4 LEA EAX,[LOCAL.3]
00408B2E |. E8 F5AAFFFF CALL CodeFant.00403628
00408B33 |. 8B45 EC MOV EAX,[LOCAL.5]
00408B36 |. E8 61ADFFFF CALL CodeFant.0040389C
00408B3B |. 8BF8 MOV EDI,EAX
00408B3D |. 85FF TEST EDI,EDI
00408B3F |. 7E 2A JLE SHORT CodeFant.00408B6B
00408B41 |. BE 01000000 MOV ESI,1
00408B46 |> 8B45 EC /MOV EAX,[LOCAL.5]
00408B49 |. 33DB |XOR EBX,EBX
00408B4B |. 8A5C30 FF |MOV BL,BYTE PTR DS:[EAX+ESI-1]
00408B4F |. 83C3 03 |ADD EBX,3 --------------;再取fkxdq運算
00408B52 |. 8D45 D0 |LEA EAX,[LOCAL.12]
00408B55 |. 8BD3 |MOV EDX,EBX
00408B57 |. E8 98ACFFFF |CALL CodeFant.004037F4
00408B5C |. 8B55 D0 |MOV EDX,[LOCAL.12]
00408B5F |. 8D45 F4 |LEA EAX,[LOCAL.3]
00408B62 |. E8 3DADFFFF |CALL CodeFant.004038A4
00408B67 |. 46 |INC ESI
00408B68 |. 4F |DEC EDI
00408B69 |.^ 75 DB \JNZ SHORT CodeFant.00408B46
00408B6B |> 8D45 E8 LEA EAX,[LOCAL.6]
00408B6E |. 8B55 F4 MOV EDX,[LOCAL.3]-----------; 運算後得到(ASCII "in{gt")
00408B71 |. E8 4AABFFFF CALL CodeFant.004036C0
00408B76 |. 8D45 F4 LEA EAX,[LOCAL.3]
00408B79 |. E8 AAAAFFFF CALL CodeFant.00403628
00408B7E |. 8B45 E8 MOV EAX,[LOCAL.6]
00408B81 |. E8 16ADFFFF CALL CodeFant.0040389C
00408B86 |. 8BF8 MOV EDI,EAX
00408B88 |. 85FF TEST EDI,EDI
00408B8A |. 7E 2A JLE SHORT CodeFant.00408BB6
00408B8C |. BE 01000000 MOV ESI,1
00408B91 |> 8B45 E8 /MOV EAX,[LOCAL.6]
00408B94 |. 33DB |XOR EBX,EBX
00408B96 |. 8A5C30 FF |MOV BL,BYTE PTR DS:[EAX+ESI-1]-------; in{gt再運算
00408B9A |. 83C3 04 |ADD EBX,4
00408B9D |. 8D45 CC |LEA EAX,[LOCAL.13]
00408BA0 |. 8BD3 |MOV EDX,EBX
00408BA2 |. E8 4DACFFFF |CALL CodeFant.004037F4
00408BA7 |. 8B55 CC |MOV EDX,[LOCAL.13]
00408BAA |. 8D45 F4 |LEA EAX,[LOCAL.3]
00408BAD |. E8 F2ACFFFF |CALL CodeFant.004038A4
00408BB2 |. 46 |INC ESI
00408BB3 |. 4F |DEC EDI
00408BB4 |.^ 75 DB \JNZ SHORT CodeFant.00408B91
00408BB6 |> 8D45 E4 LEA EAX,[LOCAL.7]
00408BB9 |. E8 6AAAFFFF CALL CodeFant.00403628
00408BBE |. 8B45 F4 MOV EAX,[LOCAL.3]
00408BC1 |. E8 D6ACFFFF CALL CodeFant.0040389C
00408BC6 |. 8BF8 MOV EDI,EAX
00408BC8 |. 4F DEC EDI
00408BC9 |. 85FF TEST EDI,EDI
00408BCB |. 7C 4E JL SHORT CodeFant.00408C1B
00408BCD |. 47 INC EDI
00408BCE |. 33F6 XOR ESI,ESI
00408BD0 |> 8D45 DC /LEA EAX,[LOCAL.9]
00408BD3 |. 50 |PUSH EAX ; /Arg1
00408BD4 |. 8B45 F4 |MOV EAX,[LOCAL.3] ; |
00408BD7 |. 0FB60430 |MOVZX EAX,BYTE PTR DS:[EAX+ESI] ; |
00408BDB |. 8945 C4 |MOV [LOCAL.15],EAX ; |
00408BDE |. C645 C8 00 |MOV BYTE PTR SS:[EBP-38],0 ; |
00408BE2 |. 8D55 C4 |LEA EDX,[LOCAL.15] ; |
00408BE5 |. 33C9 |XOR ECX,ECX ; |
00408BE7 |. B8 608C4000 |MOV EAX,CodeFant.00408C60 ; |ASCII "%x"
00408BEC |. E8 1FD1FFFF |CALL CodeFant.00405D10 ; \CodeFant.00405D10
00408BF1 |. 8B45 DC |MOV EAX,[LOCAL.9]
00408BF4 |. E8 A3ACFFFF |CALL CodeFant.0040389C
00408BF9 |. 48 |DEC EAX
00408BFA |. 75 10 |JNZ SHORT CodeFant.00408C0C
00408BFC |. 8D45 DC |LEA EAX,[LOCAL.9]
00408BFF |. 8B4D DC |MOV ECX,[LOCAL.9]
00408C02 |. BA 6C8C4000 |MOV EDX,CodeFant.00408C6C
00408C07 |. E8 DCACFFFF |CALL CodeFant.004038E8
00408C0C |> 8D45 E0 |LEA EAX,[LOCAL.8]
00408C0F |. 8B55 DC |MOV EDX,[LOCAL.9]
00408C12 |. E8 8DACFFFF |CALL CodeFant.004038A4
00408C17 |. 46 |INC ESI
00408C18 |. 4F |DEC EDI
00408C19 |.^ 75 B5 \JNZ SHORT CodeFant.00408BD0
00408C1B |> 8B45 F8 MOV EAX,[LOCAL.2]
00408C1E |. 8B55 E0 MOV EDX,[LOCAL.8]
00408C21 |. E8 56AAFFFF CALL CodeFant.0040367C------------; memory keygen point: EDX holds the finished serial
00408C26 |. 33C0 XOR EAX,EAX
00408C28 |. 5A POP EDX
00408C29 |. 59 POP ECX
00408C2A |. 59 POP ECX
00408C2B |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00408C2E |. 68 508C4000 PUSH CodeFant.00408C50
00408C33 |> 8D45 CC LEA EAX,[LOCAL.13]
00408C36 |. BA 0B000000 MOV EDX,0B
00408C3B |. E8 0CAAFFFF CALL CodeFant.0040364C
00408C40 |. 8D45 FC LEA EAX,[LOCAL.1]
00408C43 |. E8 E0A9FFFF CALL CodeFant.00403628
00408C48 \. C3 RETN
00408C49 .^\E9 02A4FFFF JMP CodeFant.00403050
00408C4E .^ EB E3 JMP SHORT CodeFant.00408C33
00408C50 . 5F POP EDI
00408C51 . 5E POP ESI
00408C52 . 5B POP EBX
00408C53 . 8BE5 MOV ESP,EBP
00408C55 . 5D POP EBP
00408C56 . C3 RETN
00408C57 00 DB 00
00408C58 . FFFFFFFF DD FFFFFFFF
00408C5C . 02000000 DD 00000002
00408C60 . 25 78 00 ASCII "%x",0
00408C63 00 DB 00
00408C64 . FFFFFFFF DD FFFFFFFF
00408C68 . 01000000 DD 00000001
00408C6C . 30 00 ASCII "0",0
00408C6E 00 DB 00
00408C6F 00 DB 00
00408C70 /. 55 PUSH EBP
00408C71 |. 8BEC MOV EBP,ESP
00408C73 |. 83C4 A8 ADD ESP,-58
00408C76 |. 53 PUSH EBX
00408C77 |. 33C0 XOR EAX,EAX
00408C79 |. 8945 B0 MOV [LOCAL.20],EAX
00408C7C |. 8945 A8 MOV [LOCAL.22],EAX
00408C7F |. 8945 AC MOV [LOCAL.21],EAX
00408C82 |. 8945 B4 MOV [LOCAL.19],EAX
00408C85 |. 33C0 XOR EAX,EAX
00408C87 |. 55 PUSH EBP
00408C88 |. 68 648F4000 PUSH CodeFant.00408F64
00408C8D |. 64:FF30 PUSH DWORD PTR FS:[EAX]
00408C90 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
00408C93 |. 8B45 0C MOV EAX,[ARG.2]
00408C96 |. 3D 11010000 CMP EAX,111 ; Switch (cases 2..201)
00408C9B |. 7F 2D JG SHORT CodeFant.00408CCA
00408C9D |. 0F84 15010000 JE CodeFant.00408DB8
00408CA3 |. 83E8 02 SUB EAX,2
00408CA6 |. 0F84 84020000 JE CodeFant.00408F30
00408CAC |. 83E8 0D SUB EAX,0D
00408CAF |. 0F84 C5000000 JE CodeFant.00408D7A
00408CB5 |. 83E8 1C SUB EAX,1C
00408CB8 |. 0F84 F7010000 JE CodeFant.00408EB5
00408CBE |. 2D E5000000 SUB EAX,0E5
00408CC3 |. 74 2E JE SHORT CodeFant.00408CF3
00408CC5 |. E9 7D020000 JMP CodeFant.00408F47
00408CCA |> 2D 13010000 SUB EAX,113
00408CCF |. 0F84 EF010000 JE CodeFant.00408EC4
00408CD5 |. 83E8 23 SUB EAX,23
00408CD8 |. 0F84 16020000 JE CodeFant.00408EF4
00408CDE |. 83E8 02 SUB EAX,2
00408CE1 |. 0F84 2B020000 JE CodeFant.00408F12
00408CE7 |. 2D C9000000 SUB EAX,0C9
00408CEC |. 74 48 JE SHORT CodeFant.00408D36
00408CEE |. E9 54020000 JMP CodeFant.00408F47
00408CF3 |> 8B45 08 MOV EAX,[ARG.1] ; Case 110 (WM_INITDIALOG) of switch 00408C96
00408CF6 |. A3 ACB74000 MOV DWORD PTR DS:[40B7AC],EAX
00408CFB |. 68 C8A44000 PUSH CodeFant.0040A4C8 ; /pRect = CodeFant.0040A4C8
00408D00 |. 8B45 08 MOV EAX,[ARG.1] ; |
00408D03 |. 50 PUSH EAX ; |hWnd
00408D04 |. E8 43BAFFFF CALL <JMP.&user32.GetClientRect> ; \GetClientRect
00408D09 |. A1 CCA44000 MOV EAX,DWORD PTR DS:[40A4CC]
00408D0E |. 83C0 14 ADD EAX,14
00408D11 |. A3 D4A44000 MOV DWORD PTR DS:[40A4D4],EAX
00408D16 |. 68 748F4000 PUSH CodeFant.00408F74 ; /Text = "CodeFantasy炵蹈CrackMe1"
00408D1B |. 8B45 08 MOV EAX,[ARG.1] ; |
00408D1E |. 50 PUSH EAX ; |hWnd
00408D1F |. E8 B8BAFFFF CALL <JMP.&user32.SetWindowTextA> ; \SetWindowTextA
00408D24 |. 8B45 08 MOV EAX,[ARG.1]
00408D27 |. E8 40F3FFFF CALL CodeFant.0040806C
00408D2C |. BB 01000000 MOV EBX,1
00408D31 |. E9 13020000 JMP CodeFant.00408F49
00408D36 |> 0FB745 14 MOVZX EAX,WORD PTR SS:[EBP+14] ; Case 201 (WM_LBUTTONDOWN) of switch 00408C96
00408D3A |. 8945 F8 MOV [LOCAL.2],EAX
00408D3D |. 8B45 14 MOV EAX,[ARG.4]
00408D40 |. E8 AFBAFFFF CALL CodeFant.004047F4
00408D45 |. 0FB7C0 MOVZX EAX,AX
00408D48 |. 8945 FC MOV [LOCAL.1],EAX
00408D4B |. FF75 FC PUSH [LOCAL.1] ; /Point.Y
00408D4E |. FF75 F8 PUSH [LOCAL.2] ; |Point.X
00408D51 |. 68 C8A44000 PUSH CodeFant.0040A4C8 ; |pRect = 0040A4C8 {0.,0.,306.,20.}
00408D56 |. E8 51BAFFFF CALL <JMP.&user32.PtInRect> ; \PtInRect
00408D5B |. 85C0 TEST EAX,EAX
00408D5D |. 0F84 E6010000 JE CodeFant.00408F49
00408D63 |. 6A 00 PUSH 0 ; /lParam = 0
00408D65 |. 6A 02 PUSH 2 ; |wParam = 2
00408D67 |. 68 A1000000 PUSH 0A1 ; |Message = WM_NCLBUTTONDOWN
00408D6C |. 8B45 08 MOV EAX,[ARG.1] ; |
00408D6F |. 50 PUSH EAX ; |hWnd
00408D70 |. E8 27BAFFFF CALL <JMP.&user32.PostMessageA> ; \PostMessageA
00408D75 |. E9 CF010000 JMP CodeFant.00408F49
00408D7A |> 8D45 B8 LEA EAX,[LOCAL.18] ; Case F (WM_PAINT) of switch 00408C96
00408D7D |. 50 PUSH EAX ; /pPaintstruct
00408D7E |. 8B45 08 MOV EAX,[ARG.1] ; |
00408D81 |. 50 PUSH EAX ; |hWnd
00408D82 |. E8 6DB9FFFF CALL <JMP.&user32.BeginPaint> ; \BeginPaint
00408D87 |. 68 C8A44000 PUSH CodeFant.0040A4C8 ; /Arg3 = 0040A4C8
00408D8C |. 68 40D9FE00 PUSH 0FED940 ; |Arg2 = 00FED940
00408D91 |. 68 0B198B00 PUSH 8B190B ; |Arg1 = 008B190B
00408D96 |. B9 948F4000 MOV ECX,CodeFant.00408F94 ; |
00408D9B |. 8B15 A8B74000 MOV EDX,DWORD PTR DS:[40B7A8] ; |
00408DA1 |. E8 8AF3FFFF CALL CodeFant.00408130 ; \CodeFant.00408130
00408DA6 |. 8D45 B8 LEA EAX,[LOCAL.18]
00408DA9 |. 50 PUSH EAX ; /pPaintstruct
00408DAA |. 8B45 08 MOV EAX,[ARG.1] ; |
00408DAD |. 50 PUSH EAX ; |hWnd
00408DAE |. E8 81B9FFFF CALL <JMP.&user32.EndPaint> ; \EndPaint
00408DB3 |. E9 91010000 JMP CodeFant.00408F49
00408DB8 |> 8B45 10 MOV EAX,[ARG.3] ; Case 111 (WM_COMMAND) of switch 00408C96
00408DBB |. 2D E9030000 SUB EAX,3E9 ; Switch (cases 3E9..3EC)
00408DC0 |. 0F84 B7000000 JE CodeFant.00408E7D
00408DC6 |. 48 DEC EAX
00408DC7 |. 74 13 JE SHORT CodeFant.00408DDC
00408DC9 |. 48 DEC EAX
00408DCA |. 0F84 C6000000 JE CodeFant.00408E96
00408DD0 |. 48 DEC EAX
00408DD1 |. 0F84 CC000000 JE CodeFant.00408EA3
00408DD7 |. E9 D2000000 JMP CodeFant.00408EAE
00408DDC |> 68 FF000000 PUSH 0FF ; /Count = FF (255.); Case 3EA of switch 00408DBB
00408DE1 |. 68 9CA24000 PUSH CodeFant.0040A29C ; |Buffer = CodeFant.0040A29C
00408DE6 |. 68 F2030000 PUSH 3F2 ; |ControlID = 3F2 (1010.)
00408DEB |. 8B45 08 MOV EAX,[ARG.1] ; |
00408DEE |. 50 PUSH EAX ; |hWnd
00408DEF |. E8 68B9FFFF CALL <JMP.&user32.GetDlgItemTextA> ; \GetDlgItemTextA
00408DF4 |. 8D45 B4 LEA EAX,[LOCAL.19]
00408F0A |. 8B1D A0B74000 MOV EBX,DWORD PTR DS:[40B7A0]
00408F10 |. EB 37 JMP SHORT CodeFant.00408F49
00408F12 |> 6A 00 PUSH 0 ; /Color = <BLACK>; Case 138 (WM_CTLCOLORSTATIC) of switch 00408C96
00408F14 |. 8B45 10 MOV EAX,[ARG.3] ; |
00408F17 |. 50 PUSH EAX ; |hDC
00408F18 |. E8 CFB7FFFF CALL <JMP.&gdi32.SetTextColor> ; \SetTextColor
00408F1D |. 6A 01 PUSH 1 ; /BkMode = TRANSPARENT
00408F1F |. 8B45 10 MOV EAX,[ARG.3] ; |
00408F22 |. 50 PUSH EAX ; |hDC
00408F23 |. E8 BCB7FFFF CALL <JMP.&gdi32.SetBkMode> ; \SetBkMode
00408F28 |. 8B1D A0B74000 MOV EBX,DWORD PTR DS:[40B7A0]
00408F2E |. EB 19 JMP SHORT CodeFant.00408F49
00408F30 |> 68 A9000000 PUSH 0A9 ; /TimerID = A9 (169.); Case 2 (WM_DESTROY) of switch 00408C96
00408F35 |. 8B45 08 MOV EAX,[ARG.1] ; |
00408F38 |. 50 PUSH EAX ; |hWnd
00408F39 |. E8 3EB8FFFF CALL <JMP.&user32.KillTimer> ; \KillTimer
00408F3E |. 6A 00 PUSH 0 ; /ExitCode = 0
00408F40 |. E8 5FB8FFFF CALL <JMP.&user32.PostQuitMessage> ; \PostQuitMessage
00408F45 |. EB 02 JMP SHORT CodeFant.00408F49
00408F47 |> 33DB XOR EBX,EBX ; Default case of switch 00408C96
00408F49 |> 33C0 XOR EAX,EAX
00408F4B |. 5A POP EDX
00408F4C |. 59 POP ECX
00408F4D |. 59 POP ECX
00408F4E |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
00408F51 |. 68 6B8F4000 PUSH CodeFant.00408F6B
00408F56 |> 8D45 A8 LEA EAX,[LOCAL.22]
00408F59 |. BA 04000000 MOV EDX,4
00408F5E |. E8 E9A6FFFF CALL CodeFant.0040364C
00408F63 \. C3 RETN
00408F64 .^ E9 E7A0FFFF JMP CodeFant.00403050
00408F69 .^ EB EB JMP SHORT CodeFant.00408F56
00408F6B . 8BC3 MOV EAX,EBX
00408F6D . 5B POP EBX
00408F6E . 8BE5 MOV ESP,EBP
00408F70 . 5D POP EBP
00408F71 . C2 1000 RETN 10
Algorithm summary:
1. The username is taken byte by byte and transformed in four passes, each adding a constant to every byte: chuan becomes divbo (+1), then fkxdq (+2), then in{gt (+3), then mr\x7Fkx (+4; 0x7F is not printable). The ADD EBX,3 and ADD EBX,4 are visible in the listing above; the +1 and +2 of the first two passes follow from the intermediate strings.
2. Each byte of the final string is formatted with "%x" and, when the result is a single digit, a leading "0" is prepended; the pieces are concatenated.
The final result is 6D727F6B78.
Username: chuan
Serial: 6D727F6B78
Registration succeeds.
I am a newcomer just learning to crack; the algorithm analysis is not thorough, please give guidance.
The file and keygen are attached.
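The serial routine traced above, written out as a keygen in Python. This is an added example and is not the keygen the author attached to the post. The +3 and +4 passes, the "%x" formatting and the "0" padding are read directly from the disassembly; the first two passes are cut off at the top of this listing, so their per-byte offsets of +1 and +2 are inferred from the intermediate strings the author recorded (chuan becomes divbo becomes fkxdq) and should be treated as an assumption. The wrap to 8 bits is likewise an assumption about the helper at 004037F4, whose body is not shown.

```python
"""Keygen for the CrackMe serial routine analysed above.

Added example, not the author's attached keygen. Read from the listing:
two passes that add 3 and then 4 to every byte (ADD EBX,3 at 00408B4F,
ADD EBX,4 at 00408B9A), then every byte formatted with "%x" and prefixed
with "0" when it is a single digit (loop 00408BD0..00408C19). Assumed:
the two earlier passes add 1 and 2 (inferred from chuan -> divbo -> fkxdq).
"""

# +1 and +2 are inferred (assumption); +3 and +4 are in the disassembly.
STAGE_OFFSETS = (1, 2, 3, 4)


def shift_bytes(data: bytes, offset: int) -> bytes:
    """One pass of the loop: each byte + offset, kept to 8 bits.

    Assumption: the byte-to-string helper (004037F4) only consumes the low
    byte of EDX, as a Delphi AnsiChar routine would, so the sum wraps.
    """
    return bytes((b + offset) & 0xFF for b in data)


def stages(username: str) -> list:
    """Return the working string after each pass, so the values can be
    compared with those noted in the listing (divbo, fkxdq, in{gt, ...)."""
    # GetDlgItemTextA hands the routine raw ANSI bytes; latin-1 keeps a
    # one-to-one mapping for the ASCII usernames used here.
    work = username.encode("latin-1")
    out = []
    for off in STAGE_OFFSETS:
        work = shift_bytes(work, off)
        out.append(work)
    return out


def hex_encode(data: bytes) -> str:
    """Mirror the final loop: "%x" on each byte, a "0" prepended when the
    hex string is one character long (the CALL 004038E8 path), then all
    pieces concatenated."""
    parts = []
    for b in data:
        h = format(b, "X")  # the serial shown on the page is uppercase
        if len(h) == 1:
            h = "0" + h
        parts.append(h)
    return "".join(parts)


def keygen(username: str) -> str:
    """Full serial for a username: four shift passes, then hex encoding."""
    return hex_encode(stages(username)[-1])


if __name__ == "__main__":
    for s in stages("chuan"):
        print(s)
    print(keygen("chuan"))  # 6D727F6B78
```

Running it prints the same intermediate strings the comments in the listing record, followed by the serial; a username whose shifted bytes fall below 0x10 exercises the "0" padding branch that the listing handles at 00408BFC.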