[Original] 易课堂 CrackMe: simple algorithm analysis + VB keygen source

Posted: 2007-11-18 12:31
【Title】易课堂 CrackMe: simple algorithm analysis + VB keygen source
【Author】hrbx
【Tools】OllyDbg 1.10, PEiD
【Date】2007-11-17
【Download】http://bbs.pediy.com/showthread.php?t=55067
【Target】易课堂 CrackMe
-----------------------------------------------------------------------------------------------
【Note】I am just a newbie; I picked up a few insights and would like to share them with everyone :)
-----------------------------------------------------------------------------------------------
【Cracking process】
1. Identifying the packer. PEiD reports "Microsoft Visual C++ 6.0 [Overlay]", but the target is really an Easy Language (易语言) program: its krnln support library shows up while debugging, so no unpacking is needed.
2. Tracing the algorithm. Load the CrackMe in OD, press Alt+M to open the memory map, find the .ecode section and set a breakpoint on it with F2:
==========================================================================================
Address  Size (decimal)  Owner  Section  Type  Access  Initial access
0040C000 00002000 (8192.) CrackMe0 .ecode Imag R RWE
===========================================================================================
Press F9 to run and enter the registration information:
====================================================
Name: hrbx
Code: 9876543210
====================================================
Click the "进入" (Enter) button; the breakpoint hits immediately:
0040C88E 55 push ebp ; the F2 breakpoint on the .ecode section lands here
0040C88F 8BEC mov ebp,esp
0040C891 81EC D0000000 sub esp,0D0
---------------------------------------------------------------------
code omitted
---------------------------------------------------------------------
0040CB6B 6A 00 push 0
0040CB6D 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0040CB70 85C0 test eax,eax
0040CB72 75 05 jnz short CrackMe0.0040CB79
0040CB74 B8 D4C04000 mov eax,CrackMe0.0040C0D4 ; user name "hrbx"
0040CB79 50 push eax
0040CB7A 68 01000000 push 1
0040CB7F BB 30010000 mov ebx,130
0040CB84 E8 B00B0000 call CrackMe0.0040D739 ; get the user-name length
0040CB89 83C4 10 add esp,10
0040CB8C 8945 EC mov dword ptr ss:[ebp-14],eax ; EAX=0x4
0040CB8F 6A FF push -1
0040CB91 6A 08 push 8
0040CB93 68 03000116 push 16010003
0040CB98 68 01000152 push 52010001
0040CB9D E8 A30B0000 call CrackMe0.0040D745 ; entered code "9876543210"
0040CBA2 83C4 10 add esp,10
0040CBA5 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax
0040CBAB 8B85 7CFFFFFF mov eax,dword ptr ss:[ebp-84]
0040CBB1 50 push eax
0040CBB2 8B5D E8 mov ebx,dword ptr ss:[ebp-18]
0040CBB5 85DB test ebx,ebx
0040CBB7 74 09 je short CrackMe0.0040CBC2
0040CBB9 53 push ebx
0040CBBA E8 740B0000 call CrackMe0.0040D733
0040CBBF 83C4 04 add esp,4
0040CBC2 58 pop eax
0040CBC3 8945 E8 mov dword ptr ss:[ebp-18],eax
0040CBC6 68 04000080 push 80000004
0040CBCB 6A 00 push 0
0040CBCD 8B45 E8 mov eax,dword ptr ss:[ebp-18]
0040CBD0 85C0 test eax,eax
0040CBD2 75 05 jnz short CrackMe0.0040CBD9
0040CBD4 B8 D4C04000 mov eax,CrackMe0.0040C0D4
0040CBD9 50 push eax
0040CBDA 68 01000000 push 1
0040CBDF BB 30010000 mov ebx,130
0040CBE4 E8 500B0000 call CrackMe0.0040D739 ; get the length of the entered code "9876543210"
0040CBE9 83C4 10 add esp,10
0040CBEC 8945 E4 mov dword ptr ss:[ebp-1C],eax ; EAX=0xA
0040CBEF DB45 E4 fild dword ptr ss:[ebp-1C] ; entered-code length
0040CBF2 DD9D 78FFFFFF fstp qword ptr ss:[ebp-88] ; st=10.0
0040CBF8 DD85 78FFFFFF fld qword ptr ss:[ebp-88]
0040CBFE DC25 2DC14000 fsub qword ptr ds:[40C12D] ; entered-code length minus 1, ds:[0040C12D]=1.0
0040CC04 DD9D 70FFFFFF fstp qword ptr ss:[ebp-90] ; st=9.0
0040CC0A DD85 70FFFFFF fld qword ptr ss:[ebp-90]
0040CC10 E8 52FCFFFF call CrackMe0.0040C867
0040CC15 68 01030080 push 80000301
0040CC1A 6A 00 push 0
0040CC1C 50 push eax
0040CC1D 68 04000080 push 80000004
0040CC22 6A 00 push 0
0040CC24 8B45 E8 mov eax,dword ptr ss:[ebp-18]
0040CC27 85C0 test eax,eax
0040CC29 75 05 jnz short CrackMe0.0040CC30
0040CC2B B8 D4C04000 mov eax,CrackMe0.0040C0D4
0040CC30 50 push eax ; 假码"9876543210"
0040CC31 68 02000000 push 2
0040CC36 BB 38010000 mov ebx,138
0040CC3B E8 F90A0000 call CrackMe0.0040D739 ; take the rightmost (length-1) characters, i.e. the entered code without its first character
0040CC40 83C4 1C add esp,1C
0040CC43 8985 6CFFFFFF mov dword ptr ss:[ebp-94],eax ; "876543210"
0040CC49 8B85 6CFFFFFF mov eax,dword ptr ss:[ebp-94]
0040CC4F 50 push eax
0040CC50 8B5D E0 mov ebx,dword ptr ss:[ebp-20]
0040CC53 85DB test ebx,ebx
0040CC55 74 09 je short CrackMe0.0040CC60
0040CC57 53 push ebx
0040CC58 E8 D60A0000 call CrackMe0.0040D733
0040CC5D 83C4 04 add esp,4
0040CC60 58 pop eax
0040CC61 8945 E0 mov dword ptr ss:[ebp-20],eax
0040CC64 837D EC 01 cmp dword ptr ss:[ebp-14],1
0040CC68 0F8C AB090000 jl CrackMe0.0040D619
0040CC6E 8B45 EC mov eax,dword ptr ss:[ebp-14]
0040CC71 3945 DC cmp dword ptr ss:[ebp-24],eax
0040CC74 0F8F 7E000000 jg CrackMe0.0040CCF8
0040CC7A 68 01030080 push 80000301
0040CC7F 6A 00 push 0
0040CC81 FF75 DC push dword ptr ss:[ebp-24]
0040CC84 68 04000080 push 80000004
0040CC89 6A 00 push 0
0040CC8B 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0040CC8E 85C0 test eax,eax
0040CC90 75 05 jnz short CrackMe0.0040CC97
0040CC92 B8 D4C04000 mov eax,CrackMe0.0040C0D4
0040CC97 50 push eax ; user name "hrbx"
0040CC98 68 02000000 push 2
0040CC9D BB 44010000 mov ebx,144
0040CCA2 E8 920A0000 call CrackMe0.0040D739 ; take the ASCII value of each user-name character in turn
0040CCA7 83C4 1C add esp,1C
0040CCAA 8845 D8 mov byte ptr ss:[ebp-28],al ; al=68 ('h')
0040CCAD DB45 D4 fild dword ptr ss:[ebp-2C]
0040CCB0 DD9D 78FFFFFF fstp qword ptr ss:[ebp-88]
0040CCB6 DD85 78FFFFFF fld qword ptr ss:[ebp-88]
0040CCBC 8B45 D8 mov eax,dword ptr ss:[ebp-28]
0040CCBF 25 FF000000 and eax,0FF
0040CCC4 8985 70FFFFFF mov dword ptr ss:[ebp-90],eax
0040CCCA DB85 70FFFFFF fild dword ptr ss:[ebp-90]
0040CCD0 DD9D 70FFFFFF fstp qword ptr ss:[ebp-90]
0040CCD6 DC85 70FFFFFF fadd qword ptr ss:[ebp-90] ; accumulate the ASCII values of the user-name characters; call the total Sum
0040CCDC DD9D 68FFFFFF fstp qword ptr ss:[ebp-98] ; Sum=436.0
0040CCE2 DD85 68FFFFFF fld qword ptr ss:[ebp-98]
0040CCE8 E8 7AFBFFFF call CrackMe0.0040C867
0040CCED 8945 D4 mov dword ptr ss:[ebp-2C],eax
0040CCF0 FF45 DC inc dword ptr ss:[ebp-24]
0040CCF3 ^ E9 76FFFFFF jmp CrackMe0.0040CC6E
0040CCF8 DB45 EC fild dword ptr ss:[ebp-14]
0040CCFB DD9D 78FFFFFF fstp qword ptr ss:[ebp-88]
0040CD01 DD85 78FFFFFF fld qword ptr ss:[ebp-88]
0040CD07 DC25 2DC14000 fsub qword ptr ds:[40C12D]
0040CD0D DD9D 70FFFFFF fstp qword ptr ss:[ebp-90]
0040CD13 DB45 D0 fild dword ptr ss:[ebp-30]
0040CD16 DD9D 68FFFFFF fstp qword ptr ss:[ebp-98]
0040CD1C DD85 68FFFFFF fld qword ptr ss:[ebp-98]
0040CD22 DCA5 70FFFFFF fsub qword ptr ss:[ebp-90]
0040CD28 DC1D 35C14000 fcomp qword ptr ds:[40C135]
0040CD2E DFE0 fstsw ax
0040CD30 F6C4 41 test ah,41
0040CD33 0F84 54040000 je CrackMe0.0040D18D
0040CD39 DB45 D0 fild dword ptr ss:[ebp-30]
0040CD3C DD9D 78FFFFFF fstp qword ptr ss:[ebp-88]
0040CD42 DD85 78FFFFFF fld qword ptr ss:[ebp-88]
0040CD48 DC05 2DC14000 fadd qword ptr ds:[40C12D]
0040CD4E DD9D 70FFFFFF fstp qword ptr ss:[ebp-90]
0040CD54 DD85 70FFFFFF fld qword ptr ss:[ebp-90]
0040CD5A E8 08FBFFFF call CrackMe0.0040C867
0040CD5F 68 01030080 push 80000301
0040CD64 6A 00 push 0
0040CD66 50 push eax
0040CD67 68 04000080 push 80000004
0040CD6C 6A 00 push 0
0040CD6E 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0040CD71 85C0 test eax,eax
0040CD73 75 05 jnz short CrackMe0.0040CD7A
0040CD75 B8 D4C04000 mov eax,CrackMe0.0040C0D4
0040CD7A 50 push eax
0040CD7B 68 02000000 push 2
0040CD80 BB 44010000 mov ebx,144
0040CD85 E8 AF090000 call CrackMe0.0040D739 ; take the ASCII value of each user-name character in turn; call it Num1
0040CD8A 83C4 1C add esp,1C ; let N be the 1-based position of that character in the user name ([ebp-30] holds N-1)
0040CD8D 8845 CC mov byte ptr ss:[ebp-34],al
0040CD90 DB45 D0 fild dword ptr ss:[ebp-30]
0040CD93 DD9D 78FFFFFF fstp qword ptr ss:[ebp-88]
0040CD99 DD85 78FFFFFF fld qword ptr ss:[ebp-88]
0040CD9F DC0D 3DC14000 fmul qword ptr ds:[40C13D] ; (N-1)*3.0, ds:[0040C13D]=3.0
0040CDA5 DD9D 70FFFFFF fstp qword ptr ss:[ebp-90]
0040CDAB DD85 70FFFFFF fld qword ptr ss:[ebp-90]
0040CDB1 E8 B1FAFFFF call CrackMe0.0040C867 ; pick the character at position (N-1)*3.0 of the fixed string
0040CDB6 68 01030080 push 80000301
0040CDBB 6A 00 push 0
0040CDBD 50 push eax ; position (N-1)*3.0 as an integer
0040CDBE 68 04000080 push 80000004
0040CDC3 6A 00 push 0
0040CDC5 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; fixed string "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
0040CDC8 85C0 test eax,eax
0040CDCA 75 05 jnz short CrackMe0.0040CDD1
0040CDCC B8 D4C04000 mov eax,CrackMe0.0040C0D4
0040CDD1 50 push eax
0040CDD2 68 02000000 push 2
0040CDD7 BB 44010000 mov ebx,144
0040CDDC E8 58090000 call CrackMe0.0040D739 ; ASCII value of the picked character; call it Num2
0040CDE1 83C4 1C add esp,1C ; when (N-1)=0 the position is 0 and Num2=0
0040CDE4 8845 C8 mov byte ptr ss:[ebp-38],al
0040CDE7 8B45 C8 mov eax,dword ptr ss:[ebp-38]
0040CDEA 25 FF000000 and eax,0FF
0040CDEF 68 01030080 push 80000301
0040CDF4 6A 00 push 0
0040CDF6 50 push eax
0040CDF7 8B45 CC mov eax,dword ptr ss:[ebp-34]
0040CDFA 25 FF000000 and eax,0FF
0040CDFF 68 01030080 push 80000301
0040CE04 6A 00 push 0
0040CE06 50 push eax
0040CE07 68 02000000 push 2
0040CE0C BB CC000000 mov ebx,0CC
0040CE11 E8 23090000 call CrackMe0.0040D739 ; Num1 Xor Num2; call the result Num3
0040CE16 83C4 1C add esp,1C
0040CE19 99 cdq
0040CE1A 8945 C0 mov dword ptr ss:[ebp-40],eax
0040CE1D 8955 C4 mov dword ptr ss:[ebp-3C],edx
0040CE20 DB45 D0 fild dword ptr ss:[ebp-30]
0040CE23 DD9D 78FFFFFF fstp qword ptr ss:[ebp-88]
0040CE29 DD85 78FFFFFF fld qword ptr ss:[ebp-88]
0040CE2F DC25 2DC14000 fsub qword ptr ds:[40C12D] ; (N-1-1.0), ds:[0040C12D]=1.0
0040CE35 DD9D 70FFFFFF fstp qword ptr ss:[ebp-90]
0040CE3B DB45 D4 fild dword ptr ss:[ebp-2C]
0040CE3E DD9D 68FFFFFF fstp qword ptr ss:[ebp-98] ; sum of the ASCII values of all user-name characters, Sum
0040CE44 DD85 68FFFFFF fld qword ptr ss:[ebp-98]
0040CE4A DC8D 70FFFFFF fmul qword ptr ss:[ebp-90] ; Sum*(N-1-1.0)
0040CE50 DD9D 60FFFFFF fstp qword ptr ss:[ebp-A0]
0040CE56 68 01030080 push 80000301
0040CE5B 6A 00 push 0
0040CE5D 68 FFFFFFFF push -1
0040CE62 DD85 60FFFFFF fld qword ptr ss:[ebp-A0]
0040CE68 E8 FAF9FFFF call CrackMe0.0040C867 ; convert the double to an integer
0040CE6D 68 01030080 push 80000301
0040CE72 6A 00 push 0
0040CE74 50 push eax
0040CE75 68 02000000 push 2
0040CE7A BB CC000000 mov ebx,0CC
0040CE7F E8 B5080000 call CrackMe0.0040D739 ; Xor with the -1 pushed above, i.e. Not(Sum*(N-1-1.0)); same call index 0CC as the Xor above
0040CE84 83C4 1C add esp,1C
0040CE87 99 cdq
0040CE88 8945 B8 mov dword ptr ss:[ebp-48],eax
0040CE8B 8955 BC mov dword ptr ss:[ebp-44],edx
0040CE8E DB45 D0 fild dword ptr ss:[ebp-30]
0040CE91 DD9D 78FFFFFF fstp qword ptr ss:[ebp-88]
0040CE97 DD85 78FFFFFF fld qword ptr ss:[ebp-88]
0040CE9D DC05 3DC14000 fadd qword ptr ds:[40C13D] ; (N-1+3.0), ds:[0040C13D]=3.0
0040CEA3 DD9D 70FFFFFF fstp qword ptr ss:[ebp-90]
0040CEA9 DB45 EC fild dword ptr ss:[ebp-14] ; user-name length Len
0040CEAC DD9D 68FFFFFF fstp qword ptr ss:[ebp-98]
0040CEB2 DD85 68FFFFFF fld qword ptr ss:[ebp-98]
0040CEB8 DC8D 70FFFFFF fmul qword ptr ss:[ebp-90] ; (N-1+3.0)*Len
0040CEBE 8B45 CC mov eax,dword ptr ss:[ebp-34] ; ASCII value of the current user-name character, Num1
0040CEC1 25 FF000000 and eax,0FF
0040CEC6 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax
0040CECC DB85 60FFFFFF fild dword ptr ss:[ebp-A0]
0040CED2 DD9D 60FFFFFF fstp qword ptr ss:[ebp-A0]
0040CED8 DC8D 60FFFFFF fmul qword ptr ss:[ebp-A0] ; (N-1+3.0)*Len*Num1
0040CEDE DD9D 58FFFFFF fstp qword ptr ss:[ebp-A8]
0040CEE4 DF6D C0 fild qword ptr ss:[ebp-40]
0040CEE7 DD9D 50FFFFFF fstp qword ptr ss:[ebp-B0]
0040CEED DD85 50FFFFFF fld qword ptr ss:[ebp-B0]
0040CEF3 DF6D B8 fild qword ptr ss:[ebp-48]
0040CEF6 DD9D 48FFFFFF fstp qword ptr ss:[ebp-B8]
0040CEFC DC85 48FFFFFF fadd qword ptr ss:[ebp-B8] ; Num3+Not(Sum*(N-1-1.0))
0040CF02 DC85 58FFFFFF fadd qword ptr ss:[ebp-A8] ; Num3+Not(Sum*(N-1-1.0))+(N-1+3.0)*Len*Num1
0040CF08 DC05 45C14000 fadd qword ptr ds:[40C145] ; Num3+Not(Sum*(N-1-1.0))+(N-1+3.0)*Len*Num1+333.0
0040CF0E DD9D 40FFFFFF fstp qword ptr ss:[ebp-C0] ; ds:[40C145]=333.0
0040CF14 68 01060080 push 80000601 ; call the result above TmpNum
0040CF19 68 00002440 push 40240000
0040CF1E 68 00000000 push 0
0040CF23 68 01060080 push 80000601
0040CF28 FFB5 44FFFFFF push dword ptr ss:[ebp-BC]
0040CF2E FFB5 40FFFFFF push dword ptr ss:[ebp-C0]
0040CF34 68 02000000 push 2
0040CF39 BB 48000000 mov ebx,48
0040CF3E E8 F6070000 call CrackMe0.0040D739 ; TmpNum Mod 10.0 (the pushed 40240000/00000000 is the double 10.0)
0040CF43 83C4 1C add esp,1C
0040CF46 8985 38FFFFFF mov dword ptr ss:[ebp-C8],eax
0040CF4C 8995 3CFFFFFF mov dword ptr ss:[ebp-C4],edx
0040CF52 DD85 38FFFFFF fld qword ptr ss:[ebp-C8]
0040CF58 DC05 4DC14000 fadd qword ptr ds:[40C14D]
0040CF5E DD9D 30FFFFFF fstp qword ptr ss:[ebp-D0]
0040CF64 DD85 30FFFFFF fld qword ptr ss:[ebp-D0]
0040CF6A E8 F8F8FFFF call CrackMe0.0040C867 ; Mod result + 48.0, truncated to an integer: the ASCII value of the digit
0040CF6F 8845 B4 mov byte ptr ss:[ebp-4C],al ; ASC(TmpNum Mod 10.0)
0040CF72 68 01030080 push 80000301
0040CF77 6A 00 push 0
0040CF79 68 ACAD0000 push 0ADAC
0040CF7E 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
0040CF81 25 FF000000 and eax,0FF
0040CF86 68 01030080 push 80000301
0040CF8B 6A 00 push 0
0040CF8D 50 push eax
0040CF8E 68 02000000 push 2
0040CF93 BB CC000000 mov ebx,0CC
0040CF98 E8 9C070000 call CrackMe0.0040D739 ; ASC(TmpNum Mod 10.0) Xor 0xADAC
0040CF9D 83C4 1C add esp,1C
0040CFA0 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax
0040CFA6 DB45 D0 fild dword ptr ss:[ebp-30]
0040CFA9 DD9D 74FFFFFF fstp qword ptr ss:[ebp-8C]
0040CFAF DD85 74FFFFFF fld qword ptr ss:[ebp-8C] ; loop counter N-1 (0-based position of the character in the user name)
0040CFB5 DC05 55C14000 fadd qword ptr ds:[40C155] ; (N-1+2.0), ds:[40C155]=2.0
0040CFBB DD9D 6CFFFFFF fstp qword ptr ss:[ebp-94]
0040CFC1 DB85 7CFFFFFF fild dword ptr ss:[ebp-84]
0040CFC7 DD9D 64FFFFFF fstp qword ptr ss:[ebp-9C]
0040CFCD DD85 64FFFFFF fld qword ptr ss:[ebp-9C]
0040CFD3 DC8D 6CFFFFFF fmul qword ptr ss:[ebp-94] ; (ASC(TmpNum Mod 10.0) Xor 0xADAC)*(N-1+2.0)
0040CFD9 DD9D 5CFFFFFF fstp qword ptr ss:[ebp-A4]
0040CFDF 68 01060080 push 80000601
0040CFE4 68 00002440 push 40240000
0040CFE9 68 00000000 push 0
0040CFEE 68 01060080 push 80000601
0040CFF3 FFB5 60FFFFFF push dword ptr ss:[ebp-A0]
0040CFF9 FFB5 5CFFFFFF push dword ptr ss:[ebp-A4]
0040CFFF 68 02000000 push 2
0040D004 BB 48000000 mov ebx,48
0040D009 E8 2B070000 call CrackMe0.0040D739 ; ((ASC(TmpNum Mod 10.0) Xor 0xADAC)*(N-1+2.0)) Mod 10.0
0040D00E 83C4 1C add esp,1C
0040D011 8985 54FFFFFF mov dword ptr ss:[ebp-AC],eax
0040D017 8995 58FFFFFF mov dword ptr ss:[ebp-A8],edx
0040D01D DD85 54FFFFFF fld qword ptr ss:[ebp-AC]
0040D023 DC05 4DC14000 fadd qword ptr ds:[40C14D]
0040D029 DD9D 4CFFFFFF fstp qword ptr ss:[ebp-B4]
0040D02F DD85 4CFFFFFF fld qword ptr ss:[ebp-B4]
0040D035 E8 2DF8FFFF call CrackMe0.0040C867 ; Mod result + 48.0, truncated to an integer: the digit as a character code
0040D03A 8945 B0 mov dword ptr ss:[ebp-50],eax ; ASC(((ASC(TmpNum Mod 10.0) Xor 0xADAC)*(N-1+2.0)) Mod 10.0)
0040D03D 68 01030080 push 80000301 ; 0x8 ---> "8"
0040D042 6A 00 push 0
0040D044 FF75 B0 push dword ptr ss:[ebp-50]
0040D047 68 01000000 push 1
0040D04C BB D4010000 mov ebx,1D4
0040D051 E8 E3060000 call CrackMe0.0040D739
0040D056 83C4 10 add esp,10
0040D059 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax
0040D05F 8B85 7CFFFFFF mov eax,dword ptr ss:[ebp-84]
0040D065 50 push eax
0040D066 8B5D AC mov ebx,dword ptr ss:[ebp-54]
0040D069 85DB test ebx,ebx
0040D06B 74 09 je short CrackMe0.0040D076
0040D06D 53 push ebx
0040D06E E8 C0060000 call CrackMe0.0040D733
0040D073 83C4 04 add esp,4
0040D076 58 pop eax
0040D077 8945 AC mov dword ptr ss:[ebp-54],eax
0040D07A 68 01030080 push 80000301
0040D07F 6A 00 push 0
0040D081 68 01000000 push 1
0040D086 68 04000080 push 80000004
0040D08B 6A 00 push 0
0040D08D 8B45 AC mov eax,dword ptr ss:[ebp-54]
0040D090 85C0 test eax,eax
0040D092 75 05 jnz short CrackMe0.0040D099
0040D094 B8 D4C04000 mov eax,CrackMe0.0040C0D4
0040D099 50 push eax
0040D09A 68 02000000 push 2
0040D09F BB 38010000 mov ebx,138
0040D0A4 E8 90060000 call CrackMe0.0040D739
0040D0A9 83C4 1C add esp,1C
0040D0AC 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax
0040D0B2 8B85 7CFFFFFF mov eax,dword ptr ss:[ebp-84]
0040D0B8 50 push eax
0040D0B9 8B5D A8 mov ebx,dword ptr ss:[ebp-58]
0040D0BC 85DB test ebx,ebx
0040D0BE 74 09 je short CrackMe0.0040D0C9
0040D0C0 53 push ebx
0040D0C1 E8 6D060000 call CrackMe0.0040D733
0040D0C6 83C4 04 add esp,4
0040D0C9 58 pop eax
0040D0CA 8945 A8 mov dword ptr ss:[ebp-58],eax
0040D0CD 68 04000080 push 80000004
0040D0D2 6A 00 push 0
0040D0D4 8B45 A4 mov eax,dword ptr ss:[ebp-5C]
0040D0D7 85C0 test eax,eax
0040D0D9 75 05 jnz short CrackMe0.0040D0E0
0040D0DB B8 D4C04000 mov eax,CrackMe0.0040C0D4
0040D0E0 50 push eax
0040D0E1 68 01000000 push 1
0040D0E6 BB 68010000 mov ebx,168
0040D0EB E8 49060000 call CrackMe0.0040D739
0040D0F0 83C4 10 add esp,10
0040D0F3 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax
0040D0F9 68 04000080 push 80000004
0040D0FE 6A 00 push 0
0040D100 8B45 A8 mov eax,dword ptr ss:[ebp-58]
0040D103 85C0 test eax,eax
0040D105 75 05 jnz short CrackMe0.0040D10C
0040D107 B8 D4C04000 mov eax,CrackMe0.0040C0D4
0040D10C 50 push eax
0040D10D 68 01000000 push 1
0040D112 BB 68010000 mov ebx,168
0040D117 E8 1D060000 call CrackMe0.0040D739
0040D11C 83C4 10 add esp,10
0040D11F 8985 78FFFFFF mov dword ptr ss:[ebp-88],eax
0040D125 FFB5 78FFFFFF push dword ptr ss:[ebp-88]
0040D12B FFB5 7CFFFFFF push dword ptr ss:[ebp-84]
0040D131 B9 02000000 mov ecx,2
0040D136 E8 D0F6FFFF call CrackMe0.0040C80B ; append each character obtained in turn
0040D13B 83C4 08 add esp,8 ; string 1 obtained, "8345"
0040D13E 8985 74FFFFFF mov dword ptr ss:[ebp-8C],eax
0040D144 8B9D 7CFFFFFF mov ebx,dword ptr ss:[ebp-84]
0040D14A 85DB test ebx,ebx
0040D14C 74 09 je short CrackMe0.0040D157
0040D14E 53 push ebx
0040D14F E8 DF050000 call CrackMe0.0040D733
0040D154 83C4 04 add esp,4
0040D157 8B9D 78FFFFFF mov ebx,dword ptr ss:[ebp-88]
0040D15D 85DB test ebx,ebx
0040D15F 74 09 je short CrackMe0.0040D16A
0040D161 53 push ebx
0040D162 E8 CC050000 call CrackMe0.0040D733
0040D167 83C4 04 add esp,4
0040D16A 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-8C]
0040D170 50 push eax
0040D171 8B5D A4 mov ebx,dword ptr ss:[ebp-5C]
0040D174 85DB test ebx,ebx
0040D176 74 09 je short CrackMe0.0040D181
0040D178 53 push ebx
0040D179 E8 B5050000 call CrackMe0.0040D733
0040D17E 83C4 04 add esp,4
0040D181 58 pop eax
0040D182 8945 A4 mov dword ptr ss:[ebp-5C],eax
0040D185 FF45 D0 inc dword ptr ss:[ebp-30]
0040D188 ^ E9 6BFBFFFF jmp CrackMe0.0040CCF8
0040D18D DB45 D4 fild dword ptr ss:[ebp-2C] ; sum of the ASCII values of all user-name characters, Sum
0040D190 DD9D 78FFFFFF fstp qword ptr ss:[ebp-88]
0040D196 DD85 78FFFFFF fld qword ptr ss:[ebp-88]
0040D19C DB45 EC fild dword ptr ss:[ebp-14]
0040D19F DD9D 70FFFFFF fstp qword ptr ss:[ebp-90] ; user-name length Len
0040D1A5 DC8D 70FFFFFF fmul qword ptr ss:[ebp-90] ; Sum*Len
0040D1AB DD9D 68FFFFFF fstp qword ptr ss:[ebp-98]
0040D1B1 68 01060080 push 80000601
0040D1B6 68 00005940 push 40590000
0040D1BB 68 00000000 push 0
0040D1C0 68 01060080 push 80000601
0040D1C5 FFB5 6CFFFFFF push dword ptr ss:[ebp-94]
0040D1CB FFB5 68FFFFFF push dword ptr ss:[ebp-98]
0040D1D1 68 02000000 push 2
0040D1D6 BB 48000000 mov ebx,48
0040D1DB E8 59050000 call CrackMe0.0040D739 ; (Sum*Len) Mod 100.0 (the pushed 40590000/00000000 is the double 100.0)
0040D1E0 83C4 1C add esp,1C
0040D1E3 8985 60FFFFFF mov dword ptr ss:[ebp-A0],eax
0040D1E9 8995 64FFFFFF mov dword ptr ss:[ebp-9C],edx
0040D1EF DD85 60FFFFFF fld qword ptr ss:[ebp-A0]
0040D1F5 DC05 4DC14000 fadd qword ptr ds:[40C14D] ; (Sum*Len) Mod 100.0+48.0, ds:[0040C14D]=48.0
0040D1FB DD9D 58FFFFFF fstp qword ptr ss:[ebp-A8]
0040D201 DD85 58FFFFFF fld qword ptr ss:[ebp-A8]
0040D207 E8 5BF6FFFF call CrackMe0.0040C867
0040D20C 8945 A0 mov dword ptr ss:[ebp-60],eax
0040D20F 68 04000080 push 80000004
0040D214 6A 00 push 0
0040D216 8B45 A4 mov eax,dword ptr ss:[ebp-5C]
0040D219 85C0 test eax,eax
0040D21B 75 05 jnz short CrackMe0.0040D222
0040D21D B8 D4C04000 mov eax,CrackMe0.0040C0D4
0040D222 50 push eax
0040D223 68 01000000 push 1
0040D228 BB 68010000 mov ebx,168
0040D22D E8 07050000 call CrackMe0.0040D739 ; string 1, "8345"
0040D232 83C4 10 add esp,10
0040D235 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax
0040D23B 68 01030080 push 80000301
0040D240 6A 00 push 0
0040D242 FF75 A0 push dword ptr ss:[ebp-60]
0040D245 68 01000000 push 1
0040D24A BB 68010000 mov ebx,168
0040D24F E8 E5040000 call CrackMe0.0040D739 ; (Sum*Len) Mod 100.0+48.0 converted to text
0040D254 83C4 10 add esp,10 ; string 2 obtained, "92"
0040D257 8985 78FFFFFF mov dword ptr ss:[ebp-88],eax
0040D25D FFB5 78FFFFFF push dword ptr ss:[ebp-88]
0040D263 68 5DC14000 push CrackMe0.0040C15D
0040D268 FFB5 7CFFFFFF push dword ptr ss:[ebp-84]
0040D26E B9 03000000 mov ecx,3
0040D273 E8 93F5FFFF call CrackMe0.0040C80B ; join string 1 and string 2 with "-"
0040D278 83C4 0C add esp,0C
0040D27B 8985 74FFFFFF mov dword ptr ss:[ebp-8C],eax ; new string 3 obtained, "8345-92"
0040D281 8B9D 7CFFFFFF mov ebx,dword ptr ss:[ebp-84]
0040D287 85DB test ebx,ebx
0040D289 74 09 je short CrackMe0.0040D294
0040D28B 53 push ebx
0040D28C E8 A2040000 call CrackMe0.0040D733
0040D291 83C4 04 add esp,4
0040D294 8B9D 78FFFFFF mov ebx,dword ptr ss:[ebp-88]
0040D29A 85DB test ebx,ebx
0040D29C 74 09 je short CrackMe0.0040D2A7
0040D29E 53 push ebx
0040D29F E8 8F040000 call CrackMe0.0040D733
0040D2A4 83C4 04 add esp,4
0040D2A7 8B85 74FFFFFF mov eax,dword ptr ss:[ebp-8C]
0040D2AD 50 push eax
0040D2AE 8B5D 9C mov ebx,dword ptr ss:[ebp-64]
0040D2B1 85DB test ebx,ebx
0040D2B3 74 09 je short CrackMe0.0040D2BE
0040D2B5 53 push ebx
0040D2B6 E8 78040000 call CrackMe0.0040D733
0040D2BB 83C4 04 add esp,4
0040D2BE 58 pop eax
0040D2BF 8945 9C mov dword ptr ss:[ebp-64],eax
0040D2C2 68 04000080 push 80000004
0040D2C7 6A 00 push 0
0040D2C9 8B45 9C mov eax,dword ptr ss:[ebp-64]
0040D2CC 85C0 test eax,eax
0040D2CE 75 05 jnz short CrackMe0.0040D2D5
0040D2D0 B8 D4C04000 mov eax,CrackMe0.0040C0D4
0040D2D5 50 push eax ; string 3, "8345-92"
0040D2D6 68 01000000 push 1
0040D2DB BB 30010000 mov ebx,130
0040D2E0 E8 54040000 call CrackMe0.0040D739 ; get the length of string 3
0040D2E5 83C4 10 add esp,10
0040D2E8 8945 98 mov dword ptr ss:[ebp-68],eax
0040D2EB 8B45 98 mov eax,dword ptr ss:[ebp-68]
0040D2EE 3945 94 cmp dword ptr ss:[ebp-6C],eax
0040D2F1 0F8D 77010000 jge CrackMe0.0040D46E
0040D2F7 FF45 94 inc dword ptr ss:[ebp-6C]
0040D2FA 68 01030080 push 80000301
0040D2FF 6A 00 push 0
0040D301 FF75 94 push dword ptr ss:[ebp-6C]
0040D304 68 04000080 push 80000004
0040D309 6A 00 push 0
0040D30B 8B45 9C mov eax,dword ptr ss:[ebp-64]
0040D30E 85C0 test eax,eax
0040D310 75 05 jnz short CrackMe0.0040D317
0040D312 B8 D4C04000 mov eax,CrackMe0.0040C0D4
0040D317 50 push eax
0040D318 68 02000000 push 2
0040D31D BB 44010000 mov ebx,144
0040D322 E8 12040000 call CrackMe0.0040D739 ; take the ASCII value of each character of string 3 in turn
0040D327 83C4 1C add esp,1C
0040D32A 8845 B4 mov byte ptr ss:[ebp-4C],al
0040D32D 68 01030080 push 80000301
0040D332 6A 00 push 0
0040D334 68 20000000 push 20 ; constant 0x20
0040D339 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
0040D33C 25 FF000000 and eax,0FF
0040D341 68 01030080 push 80000301
0040D346 6A 00 push 0
0040D348 50 push eax
0040D349 68 02000000 push 2
0040D34E BB CC000000 mov ebx,0CC
0040D353 E8 E1030000 call CrackMe0.0040D739 ; string-3 character Xor 0x20 (same call index 0CC as the Xor calls above; for the digits and "-" that string 3 contains this equals subtracting 0x20)
0040D358 83C4 1C add esp,1C
0040D35B 8985 7CFFFFFF mov dword ptr ss:[ebp-84],eax
0040D361 68 01060080 push 80000601
0040D366 68 00002440 push 40240000
0040D36B 68 00000000 push 0
0040D370 DB85 7CFFFFFF fild dword ptr ss:[ebp-84]
0040D376 DD9D 74FFFFFF fstp qword ptr ss:[ebp-8C]
0040D37C 68 01060080 push 80000601
0040D381 FFB5 78FFFFFF push dword ptr ss:[ebp-88]
0040D387 FFB5 74FFFFFF push dword ptr ss:[ebp-8C]
0040D38D 68 02000000 push 2
0040D392 BB 48000000 mov ebx,48
0040D397 E8 9D030000 call CrackMe0.0040D739 ; (string-3 character Xor 0x20) Mod 10.0
0040D39C 83C4 1C add esp,1C
0040D39F 8985 6CFFFFFF mov dword ptr ss:[ebp-94],eax
0040D3A5 8995 70FFFFFF mov dword ptr ss:[ebp-90],edx
0040D3AB DD85 6CFFFFFF fld qword ptr ss:[ebp-94]
0040D3B1 DC05 4DC14000 fadd qword ptr ds:[40C14D]
0040D3B7 DD9D 64FFFFFF fstp qword ptr ss:[ebp-9C]
0040D3BD DD85 64FFFFFF fld qword ptr ss:[ebp-9C]
0040D3C3 E8 9FF4FFFF call CrackMe0.0040C867 ; Mod result + 48.0, truncated to an integer: the ASCII value of the digit
0040D3C8 8945 8C mov dword ptr ss:[ebp-74],eax
0040D3CB 8955 90 mov dword ptr ss:[ebp-70],edx
0040D3CE 68 01030080 push 80000301
0040D3D3 6A 00 push 0
0040D3D5 FF75 94 push dword ptr ss:[ebp-6C]
0040D3D8 68 04000080 push 80000004
0040D3DD 6A 00 push 0
0040D3DF 8B45 E0 mov eax,dword ptr ss:[ebp-20]
0040D3E2 85C0 test eax,eax
0040D3E4 75 05 jnz short CrackMe0.0040D3EB
0040D3E6 B8 D4C04000 mov eax,CrackMe0.0040C0D4
0040D3EB 50 push eax ; entered code without its first character, "876543210" (stored at [ebp-20] above)
0040D3EC 68 02000000 push 2
0040D3F1 BB 44010000 mov ebx,144
0040D3F6 E8 3E030000 call CrackMe0.0040D739 ; take the ASCII value of each of its characters in turn
0040D3FB 83C4 1C add esp,1C
0040D3FE 68 01030080 push 80000301
0040D403 6A 00 push 0
0040D405 50 push eax
0040D406 68 01000000 push 1
0040D40B BB 64010000 mov ebx,164
0040D410 E8 24030000 call CrackMe0.0040D739
0040D415 83C4 10 add esp,10
0040D418 8985 6CFFFFFF mov dword ptr ss:[ebp-94],eax
0040D41E 8995 70FFFFFF mov dword ptr ss:[ebp-90],edx
0040D424 DD85 6CFFFFFF fld qword ptr ss:[ebp-94]
0040D42A E8 38F4FFFF call CrackMe0.0040C867
0040D42F 8945 88 mov dword ptr ss:[ebp-78],eax
0040D432 8B45 88 mov eax,dword ptr ss:[ebp-78]
0040D435 99 cdq
0040D436 8985 78FFFFFF mov dword ptr ss:[ebp-88],eax
0040D43C 8995 7CFFFFFF mov dword ptr ss:[ebp-84],edx
0040D442 8B55 90 mov edx,dword ptr ss:[ebp-70]
0040D445 8B45 8C mov eax,dword ptr ss:[ebp-74]
0040D448 3985 78FFFFFF cmp dword ptr ss:[ebp-88],eax ; compare the two; the real code can be read off here
0040D44E 75 06 jnz short CrackMe0.0040D456 ; not equal means failure: the patch point, NOP it
0040D450 3995 7CFFFFFF cmp dword ptr ss:[ebp-84],edx
0040D456 0F85 08000000 jnz CrackMe0.0040D464
0040D45C FF45 84 inc dword ptr ss:[ebp-7C]
0040D45F E9 05000000 jmp CrackMe0.0040D469
0040D464 E9 05000000 jmp CrackMe0.0040D46E
0040D469 ^ E9 7DFEFFFF jmp CrackMe0.0040D2EB
0040D46E 8B45 98 mov eax,dword ptr ss:[ebp-68]
0040D471 3945 84 cmp dword ptr ss:[ebp-7C],eax
0040D474 0F85 9A010000 jnz CrackMe0.0040D614
0040D47A 68 04000080 push 80000004
0040D47F 6A 00 push 0
0040D481 68 5FC14000 push CrackMe0.0040C15F
0040D486 68 01030080 push 80000301
0040D48B 6A 00 push 0
0040D48D 68 00000000 push 0
0040D492 68 04000080 push 80000004
0040D497 6A 00 push 0
0040D499 68 68C14000 push CrackMe0.0040C168 ; success message "O!!!Good Lucky"
0040D49E 68 03000000 push 3
-----------------------------------------------------------------------------------------------
【Summary】
1. Let Len be the user-name length. Take the ASCII value of each user-name character in turn and add them up; call the total Sum.
2. Take the ASCII value of each user-name character in turn; call it Num1, and let N be that character's 1-based position in the user name.
3. Compute (N-1)*3.0 and take the ASCII value of the character at that position of the fixed string "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; call it Num2.
When N=1 the position is 0 and Num2=0.
4. Compute Num1 Xor Num2; call the result Num3.
5. Compute TmpNum=Num3+Not(Sum*(N-1-1.0))+(N-1+3.0)*Len*Num1+333.0.
6. Compute ((ASC(TmpNum Mod 10.0) Xor 0xADAC)*(N-1+2.0)) Mod 10.0, where ASC(d) is the ASCII value of the digit d, i.e. d+48.
7. Convert the step-6 result for each position to its digit character and concatenate them in order; call the result str1.
8. Compute (Sum*Len) Mod 100.0+48.0 and convert the value to a decimal string; call it str2.
9. Join str1 and str2 with "-"; call the result str3.
10. For each character of str3 in turn compute (its ASCII value Xor 0x20) Mod 10.0 and convert the value to its digit character; the concatenation is the real code, str4. (The listing uses the same call index 0CC here as for the other Xor operations; because str3 only contains digits and "-", whose codes all have bit 0x20 set, subtracting 0x20 gives the same result.)
11. Drop the first character of the entered code and compare the remaining characters one by one with str4; if they all match, registration succeeds. The first character is never checked, so it can be anything.
A working registration pair:
====================================================
Name: hrbx
Code: 04901358
====================================================
To patch instead, change the following location:
0040D44E jnz short CrackMe0.0040D456 ; jnz ====> NOP
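The eleven steps above as a runnable Python port, added to this write-up as a worked example (it is neither the author's VB keygen nor code from the CrackMe; the function names are mine). It rebuilds str3 and str4 for "hrbx", reproduces the "8345-92" and "4901358" values seen in the trace, and mirrors the check loop at 0040D2EB-0040D474 that discards the first entered character. Two assumptions are made: a fixed-string position beyond "Z" reads as code 0, the same as position 0 does in the trace, and TmpNum is positive, as it is for every value the trace shows, so Python's % stands in for the runtime's floating-point Mod.

```python
"""Python port of the serial algorithm recovered above (added example,
not the author's code and not the CrackMe's own code)."""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # the fixed string seen in the listing


def char_code_at(s: str, pos: int) -> int:
    """1-based character lookup. Position 0 yields 0 (observed in the trace:
    Num2 = 0 when N = 1). Assumption: a position past the end of the string
    also yields 0; the page only shows a 4-character name."""
    if 1 <= pos <= len(s):
        return ord(s[pos - 1])
    return 0


def build_str3(name: str) -> str:
    """Steps 1-9: returns str1 + '-' + str2, e.g. '8345-92' for 'hrbx'."""
    length = len(name)                    # Len
    total = sum(ord(c) for c in name)     # Sum
    str1 = ""
    for n in range(1, length + 1):        # N = 1-based position
        num1 = ord(name[n - 1])
        num2 = char_code_at(ALPHABET, (n - 1) * 3)
        num3 = num1 ^ num2
        # TmpNum = Num3 + Not(Sum*(N-1-1)) + (N-1+3)*Len*Num1 + 333;
        # Not is the same library Xor call with -1 pushed, i.e. ~x.
        tmp = num3 + ~(total * (n - 2)) + (n + 2) * length * num1 + 333
        # Assumption: TmpNum > 0 (true for every value in the trace); the
        # runtime's Mod sign convention for negatives is not modelled here.
        digit_code = tmp % 10 + 0x30                # ASC(TmpNum Mod 10.0)
        mixed = (digit_code ^ 0xADAC) * (n + 1)     # * (N-1+2.0)
        str1 += chr(mixed % 10 + 0x30)
    str2 = str((total * length) % 100 + 48)  # (Sum*Len) Mod 100.0 + 48.0, as text
    return f"{str1}-{str2}"


def fold_str3(str3: str) -> str:
    """Step 10: each character Xor 0x20, Mod 10, back to a digit character.
    For the digits and '-' that str3 contains (codes 0x2D..0x39, all with
    bit 0x20 set) Xor 0x20 and subtracting 0x20 give the same value."""
    return "".join(chr(((ord(c) ^ 0x20) % 10) + 0x30) for c in str3)


def make_serial(name: str, leading: str = "0") -> str:
    """A complete registration code. The CrackMe never checks the first
    character, so any single leading character is accepted."""
    return leading + fold_str3(build_str3(name))


def check_serial(name: str, entered: str) -> bool:
    """Mirror of the check loop at 0040D2EB-0040D474: drop the first entered
    character, then compare position by position over len(str3) characters;
    a missing character reads as code 0 and therefore fails."""
    expected = fold_str3(build_str3(name))
    rest = entered[1:]
    for i, want in enumerate(expected):
        got = ord(rest[i]) if i < len(rest) else 0
        if got != ord(want):
            return False
    return True


if __name__ == "__main__":
    print(build_str3("hrbx"))                      # 8345-92
    print(make_serial("hrbx"))                     # 04901358
    print(check_serial("hrbx", "Z4901358"))        # True: first char is ignored
    print(check_serial("hrbx", "9876543210"))      # False: the code entered in the trace
```

check_serial shows why both "04901358" and any other first character work: the comparison starts at the second entered character, and a code shorter than str3 fails because the missing character reads as 0.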
-----------------------------------------------------------------------------------------------
【VB keygen source】
Private Sub Generate_Click()
    Dim UserName As String
    Dim Serial As String
    Dim TmpStr As String
    Dim Str1 As String
    Dim Str2 As String
    Dim Str3 As String
    Dim TmpNum As Double
    Dim Length As Long
    Dim Sum As Long
    Dim Num As Long
    Dim N As Long
    Dim i As Long
    TmpStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    If Text1.Text = "" Then
        Text2.Text = "Please enter a user name!"
        Exit Sub
    End If
    UserName = Trim(Text1.Text)
    Length = Len(UserName)
    ' Step 1: Sum = sum of the ASCII values of all user-name characters
    For i = 1 To Length
        Sum = Sum + Asc(Mid(UserName, i, 1))
    Next i
    ' Steps 2-7: one digit of Str1 per user-name character
    For i = 1 To Length
        ' Num2 is the character at position (i-1)*3 of the fixed string; position 0 gives 0
        ' (seen in the trace). A position past "Z" is assumed to give 0 as well.
        N = (i - 1) * 3
        If N = 0 Or N > Len(TmpStr) Then
            Num = Asc(Mid(UserName, i, 1))
        Else
            Num = Asc(Mid(UserName, i, 1)) Xor Asc(Mid(TmpStr, N, 1))
        End If
        ' TmpNum = Num3 + Not(Sum*(N-1-1)) + (N-1+3)*Len*Num1 + 333
        TmpNum = Not (Sum * (i - 1 - 1))
        TmpNum = Num + TmpNum + (i - 1 + 3) * Length * Asc(Mid(UserName, i, 1)) + 333
        ' ASCII value of (TmpNum Mod 10) Xor 0xADAC, times (N-1+2).
        ' &HADAC& is a Long literal (44460); plain &HADAC would be a negative Integer.
        TmpNum = (((TmpNum Mod 10) + 48) Xor &HADAC&) * (i - 1 + 2)
        Str1 = Str1 & CStr(TmpNum Mod 10)
    Next i
    ' Step 8: Str2 = (Sum*Len) Mod 100 + 48 as a decimal string
    Str2 = CStr((Sum * Length) Mod 100 + 48)
    ' Step 9: join with "-"
    Str3 = Str1 & "-" & Str2
    ' Step 10: each character of Str3 Xor 0x20 (same library call as the other Xors), Mod 10, to a digit
    For i = 1 To Len(Str3)
        Serial = Serial & CStr((Asc(Mid(Str3, i, 1)) Xor &H20) Mod 10)
    Next i
    ' Step 11: the CrackMe skips the first character of the entered code, so any leading digit works
    Randomize
    Serial = CStr(Int(10 * Rnd)) & Serial
    Text2.Text = Serial
End Sub
-----------------------------------------------------------------------------------------------
【Copyright notice】This article is purely for technical exchange; when reposting, please credit the author and keep the article intact. Thanks!