【文章标题】: Buzz'm_Frog's Crackme #2 算法简单分析
【文章作者】: 网络断魂
【软件名称】: Buzz'm_Frog's Crackme #2
【下载地址】: 自己搜吧,朋友给偶的
【加壳方式】: 无壳
【保护方式】: 用户名+注册码
【编写语言】: Borland C++
【使用工具】: OD
【操作平台】: winxp2
【作者声明】: 也不知道分析得对不对,大家别笑话偶
下消息断点,找到算法关键处:
; 00401400: the registration-check handler of the crackme (Borland C++ build; the two
; register arguments EAX/EDX are spilled at 00401407/0040140A, which matches Borland's
; register calling convention — presumably EAX is the form/object pointer).
; What the listing shows: sum of the sign-extended username bytes, multiplied three times
; by 0x1332 (32-bit, wrapping), plus 0xF4A; the entered code must equal that value as a
; number (00401546) AND as a string of the same length (00401590) with identical bytes
; (004015BE). Calls into the runtime (004018E8, 0040F4CB, 0040F49C, 0040A740, 00401918,
; 0040F6F6, 0040FFA4) are not shown; their roles below are inferred from usage.
00401400 /. 55 push ebp
00401401 |. 8BEC mov ebp, esp
00401403 |. 83C4 90 add esp, -70 ; reserve 0x70 bytes of locals
00401406 |. 53 push ebx
00401407 |. 8955 A8 mov dword ptr [ebp-58], edx ; save EDX argument
0040140A |. 8945 AC mov dword ptr [ebp-54], eax ; save EAX argument; reread as an object pointer at 00401473/004014AF
0040140D |. B8 BC234300 mov eax, 004323BC
00401412 |. E8 4D8A0200 call 00429E64 ; runtime helper, not followed in this trace
00401417 |. 66:C745 C0 08>mov word ptr [ebp-40], 8 ; [ebp-40] is rewritten before every string operation below — looks like a cleanup-state marker, not part of the algorithm
0040141D |. 8D45 FC lea eax, dword ptr [ebp-4] ; [ebp-4]: string slot, later holds the username (see 00401484)
00401420 |. E8 C3040000 call 004018E8 ; presumably initialises the string at EAX — 004018E8 not shown
00401425 |. FF45 CC inc dword ptr [ebp-34] ; [ebp-34] goes up after each 004018E8 and down before each 0040F49C — a live-string counter
00401428 |. 66:C745 C0 14>mov word ptr [ebp-40], 14
0040142E |. 66:C745 C0 20>mov word ptr [ebp-40], 20
00401434 |. 8D45 F8 lea eax, dword ptr [ebp-8] ; [ebp-8]: string slot, later holds the entered code (see 004014C0)
00401437 |. E8 AC040000 call 004018E8
0040143C |. FF45 CC inc dword ptr [ebp-34]
0040143F |. 66:C745 C0 14>mov word ptr [ebp-40], 14
00401445 |. 66:C745 C0 2C>mov word ptr [ebp-40], 2C
0040144B |. 8D45 F4 lea eax, dword ptr [ebp-C] ; [ebp-C]: string slot, later holds the computed code as text (see 00401566)
0040144E |. E8 95040000 call 004018E8
00401453 |. FF45 CC inc dword ptr [ebp-34]
00401456 |. 66:C745 C0 14>mov word ptr [ebp-40], 14
0040145C |. C645 A7 00 mov byte ptr [ebp-59], 0 ; [ebp-59]: "last compared byte matched" flag, written in the loop at 004015A5
00401460 |. 66:C745 C0 38>mov word ptr [ebp-40], 38
00401466 |. 8D45 F0 lea eax, dword ptr [ebp-10] ; [ebp-10]: temporary string
00401469 |. E8 7A040000 call 004018E8
0040146E |. 8BD0 mov edx, eax ; EDX = the temporary (receives the control text below)
00401470 |. FF45 CC inc dword ptr [ebp-34]
00401473 |. 8B4D AC mov ecx, dword ptr [ebp-54]
00401476 |. 8B81 C8010000 mov eax, dword ptr [ecx+1C8] ; EAX = member at +0x1C8 of the saved object (author: the username edit control)
0040147C |. E8 BF920000 call 0040A740 ; presumably reads that control's text into the string at EDX — 0040A740 not shown
00401481 |. 8D55 F0 lea edx, dword ptr [ebp-10]
00401484 |. 8D45 FC lea eax, dword ptr [ebp-4]
00401487 |. E8 3FE00000 call 0040F4CB ; presumably [ebp-4] = [ebp-10], i.e. the username — 0040F4CB not shown
0040148C |. FF4D CC dec dword ptr [ebp-34]
0040148F |. 8D45 F0 lea eax, dword ptr [ebp-10]
00401492 |. BA 02000000 mov edx, 2
00401497 |. E8 00E00000 call 0040F49C ; author: the username is fetched here and kept in EDX; note the same call follows every temporary, so it looks like the string release instead — verify
0040149C |. 66:C745 C0 44>mov word ptr [ebp-40], 44
004014A2 |. 8D45 EC lea eax, dword ptr [ebp-14] ; [ebp-14]: temporary string
004014A5 |. E8 3E040000 call 004018E8
004014AA |. 8BD0 mov edx, eax
004014AC |. FF45 CC inc dword ptr [ebp-34]
004014AF |. 8B4D AC mov ecx, dword ptr [ebp-54]
004014B2 |. 8B81 CC010000 mov eax, dword ptr [ecx+1CC] ; EAX = member at +0x1CC (a second edit control)
004014B8 |. E8 83920000 call 0040A740 ; author: computes the username length into EAX; it is the same read-text call as 0040147C on another control, so it more likely fetches the entered code — verify
004014BD |. 8D55 EC lea edx, dword ptr [ebp-14]
004014C0 |. 8D45 F8 lea eax, dword ptr [ebp-8]
004014C3 |. E8 03E00000 call 0040F4CB ; [ebp-8] = entered code
004014C8 |. FF4D CC dec dword ptr [ebp-34]
004014CB |. 8D45 EC lea eax, dword ptr [ebp-14]
004014CE |. BA 02000000 mov edx, 2
004014D3 |. E8 C4DF0000 call 0040F49C ; author: the entered ("fake") code is fetched here and kept in EDX
004014D8 |. 33C9 xor ecx, ecx ; sum = 0
004014DA |. 894D A0 mov dword ptr [ebp-60], ecx ; [ebp-60]: running sum of the username bytes
004014DD |. 66:C745 C0 14>mov word ptr [ebp-40], 14
004014E3 |. C745 9C 01000>mov dword ptr [ebp-64], 1 ; [ebp-64]: compare status, 1 = ok; set to 2 on any byte mismatch (004015C7), tested at 004015EE
004014EA |. 8D45 F8 lea eax, dword ptr [ebp-8]
004014ED |. E8 B2EA0000 call 0040FFA4 ; author: converts the entered code to a number ("hex"), result in EAX — 0040FFA4 not shown, so what a non-numeric entry yields is not visible here
004014F2 |. 8945 98 mov dword ptr [ebp-68], eax ; [ebp-68] = numeric value of the entered code
004014F5 |. 33D2 xor edx, edx
004014F7 |. 8955 94 mov dword ptr [ebp-6C], edx ; [ebp-6C] = i = 0
004014FA |. EB 15 jmp short 00401511 ; enter the loop at its condition
004014FC |> 8D45 FC /lea eax, dword ptr [ebp-4] ; EAX = address of the username string
004014FF |. E8 14040000 |call 00401918 ; author: returns a pointer to the characters
00401504 |. 8B55 94 |mov edx, dword ptr [ebp-6C] ; EDX = i
00401507 |. 0FBE0C10 |movsx ecx, byte ptr [eax+edx] ; ECX = name[i] sign-extended: bytes >= 0x80 (non-ASCII) contribute negative values
0040150B |. 014D A0 |add dword ptr [ebp-60], ecx ; sum += name[i]
0040150E |. FF45 94 |inc dword ptr [ebp-6C] ; i++
00401511 |> 8D45 FC lea eax, dword ptr [ebp-4]
00401514 |. E8 DDE10000 |call 0040F6F6 ; EAX = length of the username (author)
00401519 |. 3B45 94 |cmp eax, dword ptr [ebp-6C]
0040151C |.^ 7F DE \jg short 004014FC ; loop while i < len (signed compare); an empty name leaves sum = 0
0040151E |. 6955 A0 32130>imul edx, dword ptr [ebp-60], 1332 ; sum * 0x1332 — OllyDbg prints immediates in hex (bytes 32 13 00 00), i.e. 4914 decimal; 32-bit, wraps on overflow
00401525 |. 8955 A0 mov dword ptr [ebp-60], edx
00401528 |. 694D A0 32130>imul ecx, dword ptr [ebp-60], 1332 ; * 0x1332 a second time
0040152F |. 894D A0 mov dword ptr [ebp-60], ecx
00401532 |. 6945 A0 32130>imul eax, dword ptr [ebp-60], 1332 ; * 0x1332 a third time
00401539 |. 8945 A0 mov dword ptr [ebp-60], eax
0040153C |. 8145 A0 4A0F0>add dword ptr [ebp-60], 0F4A ; + 0xF4A (3914 decimal); [ebp-60] now holds the expected code
00401543 |. 8B55 98 mov edx, dword ptr [ebp-68] ; EDX = numeric value of the entered code
00401546 |. 3B55 A0 cmp edx, dword ptr [ebp-60] ; check 1: entered value == expected value (32-bit compare)
00401549 0F85 71010000 jnz 004016C0 ; mismatch -> failure path at 004016C0 (author: the "bad" jump; NOP it to keep tracing)
0040154F |. 66:C745 C0 50>mov word ptr [ebp-40], 50
00401555 |. 8D45 E8 lea eax, dword ptr [ebp-18] ; [ebp-18]: temporary for the expected code as text
00401558 |. 8B55 A0 mov edx, dword ptr [ebp-60] ; EDX = expected value
0040155B |. E8 69DE0000 call 0040F3C9 ; author: converts it to a signed decimal string — this is the real serial (0040F3C9 is listed next; the calls it makes are the runtime's Format and can be skipped)
00401560 |. FF45 CC inc dword ptr [ebp-34]
00401563 |. 8D55 E8 lea edx, dword ptr [ebp-18]
00401566 |. 8D45 F4 lea eax, dword ptr [ebp-C]
00401569 |. E8 5DDF0000 call 0040F4CB ; [ebp-C] = expected code text
0040156E |. FF4D CC dec dword ptr [ebp-34]
00401571 |. 8D45 E8 lea eax, dword ptr [ebp-18]
00401574 |. BA 02000000 mov edx, 2
00401579 |. E8 1EDF0000 call 0040F49C
0040157E |. 8D45 F8 lea eax, dword ptr [ebp-8]
00401581 |. E8 70E10000 call 0040F6F6 ; EAX = length of the entered code
00401586 |. 8BD8 mov ebx, eax
00401588 |. 8D45 F4 lea eax, dword ptr [ebp-C]
0040158B |. E8 66E10000 call 0040F6F6 ; EAX = length of the expected code text
00401590 |. 3BD8 cmp ebx, eax ; check 2: both strings have the same length
00401592 0F85 28010000 jnz 004016C0 ; length mismatch -> failure path (author: NOP it)
00401598 |. 33D2 xor edx, edx
0040159A |. 8955 90 mov dword ptr [ebp-70], edx ; [ebp-70] = j = 0
0040159D |. 66:C745 C0 14>mov word ptr [ebp-40], 14
004015A3 |. EB 32 jmp short 004015D7
004015A5 |> 8D45 F8 /lea eax, dword ptr [ebp-8]
004015A8 |. E8 6B030000 |call 00401918 ; EAX -> characters of the entered code
004015AD |. 8B55 90 |mov edx, dword ptr [ebp-70]
004015B0 |. 8A1C10 |mov bl, byte ptr [eax+edx] ; BL = entered[j]
004015B3 |. 8D45 F4 |lea eax, dword ptr [ebp-C]
004015B6 |. E8 5D030000 |call 00401918 ; EAX -> characters of the expected code
004015BB |. 8B55 90 |mov edx, dword ptr [ebp-70]
004015BE |. 3A1C10 |cmp bl, byte ptr [eax+edx] ; check 3: entered[j] == expected[j]
004015C1 |. 74 0D |je short 004015D0
004015C3 |. C645 A7 00 |mov byte ptr [ebp-59], 0 ; mismatch: clear the match flag ...
004015C7 |. C745 9C 02000>|mov dword ptr [ebp-64], 2 ; ... and set the sticky status to 2; the loop keeps going
004015CE |. EB 04 |jmp short 004015D4
004015D0 |> C645 A7 01 |mov byte ptr [ebp-59], 1 ; match: set the flag (a later match overwrites an earlier 0, so only [ebp-64] remembers a mismatch)
004015D4 |> FF45 90 |inc dword ptr [ebp-70] ; j++
004015D7 |> 8D45 F8 lea eax, dword ptr [ebp-8]
004015DA |. E8 17E10000 |call 0040F6F6
004015DF |. 3B45 90 |cmp eax, dword ptr [ebp-70]
004015E2 |.^ 7F C1 \jg short 004015A5 ; loop while j < len(entered)
004015E4 |. 807D A7 00 cmp byte ptr [ebp-59], 0 ; flag still 0: empty entry or the last byte differed
004015E8 0F84 D2000000 je 004016C0 ; -> failure path (author: NOP it)
004015EE |. 837D 9C 01 cmp dword ptr [ebp-64], 1 ; any byte mismatch recorded?
004015F2 0F85 C8000000 jnz 004016C0 ; -> failure path (author: NOP it)
004015F8 |. 6A 00 push 0 ; success: MessageBoxA type = 0
004015FA |. 66:C745 C0 5C>mov word ptr [ebp-40], 5C
00401600 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00401603 |. E8 E0020000 call 004018E8
00401608 |. 8BD0 mov edx, eax
0040160A |. FF45 CC inc dword ptr [ebp-34]
0040160D |. 8B0D 606A4300 mov ecx, dword ptr [436A60] ; global object pointer
00401613 |. 8B81 DC010000 mov eax, dword ptr [ecx+1DC] ; member at +0x1DC (presumably a control holding the message text)
00401619 |. E8 22910000 call 0040A740
0040161E |. 8D45 E4 lea eax, dword ptr [ebp-1C]
00401621 |. E8 F2020000 call 00401918
00401626 |. 50 push eax ; caption (pushed before Text, see 0040164D)
00401627 |. 8D45 E0 lea eax, dword ptr [ebp-20]
0040162A |. E8 B9020000 call 004018E8
0040162F |. 8BD0 mov edx, eax
00401631 |. FF45 CC inc dword ptr [ebp-34]
00401634 |. 8B0D 606A4300 mov ecx, dword ptr [436A60]
0040163A |. 8B81 DC010000 mov eax, dword ptr [ecx+1DC]
00401640 |. E8 FB900000 call 0040A740
00401645 |. 8D45 E0 lea eax, dword ptr [ebp-20]
00401648 |. E8 CB020000 call 00401918
0040164D |. 50 push eax ; |Text
0040164E |. 6A 00 push 0 ; |hOwner = NULL
00401650 |. E8 69FA0200 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00401655 |. FF4D CC dec dword ptr [ebp-34]
00401658 |. 8D45 E0 lea eax, dword ptr [ebp-20]
0040165B |. BA 02000000 mov edx, 2
00401660 |. E8 37DE0000 call 0040F49C
00401665 |. FF4D CC dec dword ptr [ebp-34]
00401668 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
0040166B |. BA 02000000 mov edx, 2
00401670 |. E8 27DE0000 call 0040F49C
00401675 |. 6A 00 push 0 ; second success box
00401677 |. 68 EC254300 push 004325EC ; buzz'm_frog[scusi!]
0040167C |. 66:C745 C0 68>mov word ptr [ebp-40], 68
00401682 |. 8D45 DC lea eax, dword ptr [ebp-24]
00401685 |. E8 5E020000 call 004018E8
0040168A |. 8BD0 mov edx, eax
0040168C |. FF45 CC inc dword ptr [ebp-34]
0040168F |. 8B0D 606A4300 mov ecx, dword ptr [436A60]
00401695 |. 8B81 E0010000 mov eax, dword ptr [ecx+1E0]
0040169B |. E8 A0900000 call 0040A740
004016A0 |. 8D45 DC lea eax, dword ptr [ebp-24]
004016A3 |. E8 70020000 call 00401918
004016A8 |. 50 push eax ; |Text
004016A9 |. 6A 00 push 0 ; |hOwner = NULL
004016AB |. E8 0EFA0200 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
004016B0 |. FF4D CC dec dword ptr [ebp-34]
004016B3 |. 8D45 DC lea eax, dword ptr [ebp-24]
004016B6 |. BA 02000000 mov edx, 2
004016BB |. E8 DCDD0000 call 0040F49C
004016C0 |> 807D A7 00 cmp byte ptr [ebp-59], 0 ; failure path joins here; a non-zero flag skips the "bad" box (true after success, but also when arriving from 004015F2 with a mismatch recorded only in [ebp-64])
004016C4 75 7D jnz short 00401743
004016C6 |. 6A 00 push 0 ; failure box
004016C8 |. 66:C745 C0 74>mov word ptr [ebp-40], 74
004016CE |. 8D45 D8 lea eax, dword ptr [ebp-28]
004016D1 |. E8 12020000 call 004018E8
004016D6 |. 8BD0 mov edx, eax
004016D8 |. FF45 CC inc dword ptr [ebp-34]
004016DB |. 8B0D 606A4300 mov ecx, dword ptr [436A60]
004016E1 |. 8B81 E4010000 mov eax, dword ptr [ecx+1E4]
004016E7 |. E8 54900000 call 0040A740
004016EC |. 8D45 D8 lea eax, dword ptr [ebp-28]
004016EF |. E8 24020000 call 00401918
004016F4 |. 50 push eax ; caption
004016F5 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
004016F8 |. E8 EB010000 call 004018E8
004016FD |. 8BD0 mov edx, eax
004016FF |. FF45 CC inc dword ptr [ebp-34]
00401702 |. 8B0D 606A4300 mov ecx, dword ptr [436A60]
00401708 |. 8B81 E4010000 mov eax, dword ptr [ecx+1E4]
0040170E |. E8 2D900000 call 0040A740
00401713 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
00401716 |. E8 FD010000 call 00401918
0040171B |. 50 push eax ; |Text
0040171C |. 6A 00 push 0 ; |hOwner = NULL
0040171E |. E8 9BF90200 call <jmp.&USER32.MessageBoxA> ; \MessageBoxA
00401723 |. FF4D CC dec dword ptr [ebp-34]
00401726 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
00401729 |. BA 02000000 mov edx, 2
0040172E |. E8 69DD0000 call 0040F49C
00401733 |. FF4D CC dec dword ptr [ebp-34]
00401736 |. 8D45 D8 lea eax, dword ptr [ebp-28]
00401739 |. BA 02000000 mov edx, 2
0040173E |. E8 59DD0000 call 0040F49C
00401743 |> FF4D CC dec dword ptr [ebp-34] ; common exit: release the three strings in reverse order
00401746 |. 8D45 F4 lea eax, dword ptr [ebp-C]
00401749 |. BA 02000000 mov edx, 2
0040174E |. E8 49DD0000 call 0040F49C
00401753 |. FF4D CC dec dword ptr [ebp-34]
00401756 |. 8D45 F8 lea eax, dword ptr [ebp-8]
00401759 |. BA 02000000 mov edx, 2
0040175E |. E8 39DD0000 call 0040F49C
00401763 |. FF4D CC dec dword ptr [ebp-34]
00401766 |. 8D45 FC lea eax, dword ptr [ebp-4]
00401769 |. BA 02000000 mov edx, 2
0040176E |. E8 29DD0000 call 0040F49C
00401773 |. 8B4D B0 mov ecx, dword ptr [ebp-50]
00401776 |. 64:890D 00000>mov dword ptr fs:[0], ecx ; restore the SEH chain head from [ebp-50] (the matching save is not in this listing — presumably inside 00429E64)
0040177D |. 5B pop ebx
0040177E |. 8BE5 mov esp, ebp
00401780 |. 5D pop ebp
00401781 \. C3 retn
以下跟进的CALL是转换为有符号十进制数的函数:
2、跟进 0040155B |. E8 69DE0000 call 0040F3C9
; 0040F3C9: turns the 32-bit result into its decimal text via the runtime formatter.
; In:  EAX = destination string object, EDX = value.  Out: EAX = destination.
0040F3C9 /$ 55 push ebp
0040F3CA |. 8BEC mov ebp, esp
0040F3CC |. 83C4 D4 add esp, -2C
0040F3CF |. 53 push ebx
0040F3D0 |. 8BDA mov ebx, edx ; EBX = value to convert (author: the result of the three multiplies plus the add)
0040F3D2 |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = destination string object
0040F3D5 |. B8 F0294300 mov eax, 004329F0 ; constant 004329F0 for the same runtime helper as at 00401412
0040F3DA |. E8 85AA0100 call 00429E64
0040F3DF |. 66:C745 E4 08>mov word ptr [ebp-1C], 8 ; state marker (same pattern as [ebp-40] in 00401400)
0040F3E5 |. 8B55 FC mov edx, dword ptr [ebp-4]
0040F3E8 |. 33C9 xor ecx, ecx
0040F3EA |. 890A mov dword ptr [edx], ecx ; destination string = empty (null pointer)
0040F3EC |. 66:C745 E4 14>mov word ptr [ebp-1C], 14
0040F3F2 |. 33C0 xor eax, eax
0040F3F4 |. 8945 F8 mov dword ptr [ebp-8], eax ; [ebp-8]: temporary string = empty
0040F3F7 |. 8D55 F8 lea edx, dword ptr [ebp-8] ; EDX = temporary (receives the formatted text)
0040F3FA |. FF45 F0 inc dword ptr [ebp-10]
0040F3FD |. 8BC3 mov eax, ebx ; EAX = value
0040F3FF |. E8 AC420100 call 004236B0 ; format EAX with "%d" into the string at EDX (author: this yields the real code; listed next)
0040F404 |. 8D55 F8 lea edx, dword ptr [ebp-8] ; EDX = temporary holding the decimal text
0040F407 |. 8B45 FC mov eax, dword ptr [ebp-4] ; EAX = destination string object
0040F40A |. E8 BC000000 call 0040F4CB ; destination = temporary (same assign helper as in 00401400)
0040F40F |. FF4D F0 dec dword ptr [ebp-10]
0040F412 |. 8D45 F8 lea eax, dword ptr [ebp-8]
0040F415 |. BA 02000000 mov edx, 2
0040F41A |. E8 7D000000 call 0040F49C ; release the temporary (author: the real code ends up in EDX, its address in ECX)
0040F41F |. 8B4D D4 mov ecx, dword ptr [ebp-2C]
0040F422 |. 64:67:890E 00>mov dword ptr fs:[0], ecx ; restore the SEH chain head
0040F428 |. 8B45 FC mov eax, dword ptr [ebp-4] ; return the destination
0040F42B |. 5B pop ebx
0040F42C |. 8BE5 mov esp, ebp
0040F42E |. 5D pop ebp
0040F42F \. C3 retn
3、跟进 0040F3FF |. E8 AC420100 call 004236B0 ; //得出真码,跟进,
; 004236B0: builds a one-entry argument record for the value in EAX and formats it with "%d".
; In:  EAX = value, EDX = destination string.
004236B0 /$ 83C4 F8 add esp, -8 ; 8-byte argument record on the stack
004236B3 |. 6A 00 push 0 ; /Arg1 = 00000000 — highest argument index (one argument); becomes [ebp+8] of 00423C00 via 00423F50
004236B5 |. 894424 04 mov dword ptr [esp+4], eax ; |record.value = EAX (the author saw it at 0012F8A8 in his session)
004236B9 |. C64424 08 00 mov byte ptr [esp+8], 0 ; |record.type = 0 (integer; dispatched through the table at 00423D49)
004236BE |. 8D4C24 04 lea ecx, dword ptr [esp+4] ; |ECX = address of the argument record
004236C2 |. 8BC2 mov eax, edx ; |EAX = destination string
004236C4 |. BA DC364200 mov edx, 004236DC ; |ASCII "%d" — signed decimal, so a wrapped-negative value gets a leading '-' (see 00423DA6)
004236C9 |. E8 82080000 call 00423F50 ; \runtime Format-style routine (listed next)
004236CE |. 59 pop ecx ; discard the record
004236CF |. 5A pop edx
004236D0 \. C3 retn
4、跟进 004236C9 |. E8 82080000 call 00423F50 ; \//跟进
; 00423F50: runtime Format-style entry.  In: EAX = destination string, EDX = format string,
; ECX = argument records, [ebp+8] = highest argument index.  Formats into a stack buffer of
; 0x1001 bytes, then copies the text into the destination.
00423F50 /$ 55 push ebp
00423F51 |. 8BEC mov ebp, esp
00423F53 |. 81C4 04F0FFFF add esp, -0FFC ; locals, including the output buffer at [ebp-1002]
00423F59 |. 50 push eax
00423F5A |. 83C4 FC add esp, -4
00423F5D |. 53 push ebx
00423F5E |. 56 push esi
00423F5F |. 57 push edi
00423F60 |. 8BF9 mov edi, ecx ; EDI = argument records
00423F62 |. 8BDA mov ebx, edx ; EBX = format string
00423F64 |. 8BF0 mov esi, eax ; ESI = destination string
00423F66 |. 8BC3 mov eax, ebx
00423F68 |. E8 83DAFFFF call 004219F0 ; presumably the format string's length — it is used as the format end ([ebp+10]) in 00423C00
00423F6D |. 50 push eax ; format length
00423F6E |. 57 push edi ; argument records
00423F6F |. 8B45 08 mov eax, dword ptr [ebp+8]
00423F72 |. 50 push eax ; highest argument index
00423F73 |. 8BCB mov ecx, ebx ; ECX = format string
00423F75 |. 8D85 FEEFFFFF lea eax, dword ptr [ebp-1002] ; EAX = output buffer
00423F7B |. BA 01100000 mov edx, 1001 ; EDX = buffer capacity (0x1001)
00423F80 |. E8 7BFCFFFF call 00423C00 ; formatter core, returns bytes written (author: computes the real code; listed next)
00423F85 |. 8BD8 mov ebx, eax ; EBX = bytes written
00423F87 |. 81FB 01100000 cmp ebx, 1001
00423F8D |. 75 0A jnz short 00423F99
00423F8F |. B8 A7FF0000 mov eax, 0FFA7 ; output filled the whole buffer: error path with code 0xFFA7 — 0042337C not shown
00423F94 |. E8 E3F3FFFF call 0042337C
00423F99 |> 8D95 FEEFFFFF lea edx, dword ptr [ebp-1002] ; EDX = formatted text (author: the real code)
00423F9F |. 8BC6 mov eax, esi ; EAX = destination string
00423FA1 |. 8BCB mov ecx, ebx ; ECX = length
00423FA3 |. E8 B4D9FFFF call 0042195C ; presumably destination = text[0..len) — 0042195C not shown
00423FA8 |. 5F pop edi
00423FA9 |. 5E pop esi
00423FAA |. 5B pop ebx
00423FAB |. 8BE5 mov esp, ebp
00423FAD |. 5D pop ebp
00423FAE \. C2 0400 retn 4
5、跟进 00423F80 |. E8 7BFCFFFF call 00423C00 ; //计算得出真码,跟进
这里是一堆杂乱的比较指令,没有详细跟踪,直接找到算法函数跟进去:
; 00423C00: formatter core (generic runtime code, not crackme-specific).  Copies literal
; bytes of the format string and, for each '%' directive, parses "[index:][-][width][.prec]"
; then calls 00423D22 to convert the argument and pads it to the width.
; In:  EAX = output buffer, EDX = capacity, ECX = format string;
;      [ebp+8] = highest argument index, [ebp+C] = argument records (8 bytes each),
;      [ebp+10] = format length.   Out: EAX = bytes written.
; The epilogue is at 00423EFC, listed at the end of section 6.
00423C00 $ 55 push ebp
00423C01 . 8BEC mov ebp, esp
00423C03 . 83C4 B8 add esp, -48
00423C06 . 53 push ebx
00423C07 . 56 push esi
00423C08 . 57 push edi
00423C09 . 89C7 mov edi, eax ; EDI = output cursor
00423C0B . 89CE mov esi, ecx ; ESI = format cursor
00423C0D . 034D 10 add ecx, dword ptr [ebp+10] ; ECX = end of the format string
00423C10 . 897D FC mov dword ptr [ebp-4], edi ; [ebp-4] = output start (for the byte count)
00423C13 . 31C0 xor eax, eax
00423C15 . 8945 F8 mov dword ptr [ebp-8], eax ; [ebp-8] = next argument index
00423C18 . 8945 F4 mov dword ptr [ebp-C], eax ; [ebp-C] = temporary, released at 00423CC0 when non-zero
00423C1B > 09D2 or edx, edx ; EDX = remaining output capacity
00423C1D . 74 0E je short 00423C2D ; buffer full -> done
00423C1F > 39CE cmp esi, ecx
00423C21 . 74 0A je short 00423C2D ; end of format -> done
00423C23 . AC lods byte ptr [esi] ; AL = next format byte
00423C24 . 80F8 25 cmp al, 25 ; '%'
00423C27 . 74 0E je short 00423C37
00423C29 > AA stos byte ptr es:[edi] ; literal byte -> output
00423C2A . 4A dec edx
00423C2B .^ 75 F2 jnz short 00423C1F
00423C2D > 89F8 mov eax, edi
00423C2F . 2B45 FC sub eax, dword ptr [ebp-4] ; EAX = bytes written
00423C32 . E9 C5020000 jmp 00423EFC ; epilogue (retn 0C)
00423C37 > 39CE cmp esi, ecx
00423C39 .^ 74 F2 je short 00423C2D ; trailing lone '%' -> done
00423C3B . AC lods byte ptr [esi]
00423C3C . 80F8 25 cmp al, 25
00423C3F .^ 74 E8 je short 00423C29 ; "%%" -> literal '%'
00423C41 . 8D5E FE lea ebx, dword ptr [esi-2]
00423C44 . 895D F0 mov dword ptr [ebp-10], ebx ; [ebp-10] = start of the directive (echoed as-is for an unknown type, see 00423D83)
00423C47 > 8845 EF mov byte ptr [ebp-11], al ; [ebp-11] = flag char ('-' = left-justify, tested at 00423C96)
00423C4A . 80F8 2D cmp al, 2D
00423C4D . 75 05 jnz short 00423C54
00423C4F . 39CE cmp esi, ecx
00423C51 .^ 74 DA je short 00423C2D
00423C53 . AC lods byte ptr [esi]
00423C54 > E8 80000000 call 00423CD9 ; EBX = decimal number starting at AL (width), AL = first non-digit
00423C59 . 80F8 3A cmp al, 3A ; ':' -> the number was an argument index
00423C5C . 75 0A jnz short 00423C68
00423C5E . 895D F8 mov dword ptr [ebp-8], ebx ; explicit argument index
00423C61 . 39CE cmp esi, ecx
00423C63 .^ 74 C8 je short 00423C2D
00423C65 . AC lods byte ptr [esi]
00423C66 .^ EB DF jmp short 00423C47 ; re-parse flag/width after "n:"
00423C68 > 895D E8 mov dword ptr [ebp-18], ebx ; [ebp-18] = width
00423C6B . BB FFFFFFFF mov ebx, -1 ; default precision = -1 (compared unsigned, so "no limit"; see 00423DDE and 00423E42)
00423C70 . 80F8 2E cmp al, 2E ; '.'
00423C73 . 75 0A jnz short 00423C7F
00423C75 . 39CE cmp esi, ecx
00423C77 .^ 74 B4 je short 00423C2D
00423C79 . AC lods byte ptr [esi]
00423C7A . E8 5A000000 call 00423CD9 ; EBX = precision
00423C7F > 895D E4 mov dword ptr [ebp-1C], ebx ; [ebp-1C] = precision
00423C82 . 8975 E0 mov dword ptr [ebp-20], esi ; [ebp-20] = format position after the directive
00423C85 . 51 push ecx
00423C86 . 52 push edx
00423C87 . E8 96000000 call 00423D22 ; convert the argument for conversion char AL: ESI = text, ECX = its length (author: this yields the real code; listed in section 6)
00423C8C . 5A pop edx
00423C8D . 8B5D E8 mov ebx, dword ptr [ebp-18]
00423C90 . 29CB sub ebx, ecx ; EBX = width - length ...
00423C92 . 73 02 jnb short 00423C96
00423C94 . 31DB xor ebx, ebx ; ... clamped at 0 = number of pad bytes
00423C96 > 807D EF 2D cmp byte ptr [ebp-11], 2D ; left-justified?
00423C9A . 75 0A jnz short 00423CA6
00423C9C . 29CA sub edx, ecx ; clamp the copy to the remaining capacity
00423C9E . 73 04 jnb short 00423CA4
00423CA0 . 01D1 add ecx, edx
00423CA2 . 31D2 xor edx, edx
00423CA4 > F3:A4 rep movs byte ptr es:[edi], byte ptr> ; text first; this leaves ECX = 0, so the copy at 00423CBE then moves nothing
00423CA6 > 87CB xchg ebx, ecx ; ECX = pad count, EBX = text length
00423CA8 . 29CA sub edx, ecx
00423CAA . 73 04 jnb short 00423CB0
00423CAC . 01D1 add ecx, edx
00423CAE . 31D2 xor edx, edx
00423CB0 > B0 20 mov al, 20
00423CB2 . F3:AA rep stos byte ptr es:[edi] ; pad with spaces
00423CB4 . 87CB xchg ebx, ecx ; ECX = text length (0 if already copied)
00423CB6 . 29CA sub edx, ecx
00423CB8 . 73 04 jnb short 00423CBE
00423CBA . 01D1 add ecx, edx
00423CBC . 31D2 xor edx, edx
00423CBE > F3:A4 rep movs byte ptr es:[edi], byte ptr> ; text after the padding (right-justified)
00423CC0 . 837D F4 00 cmp dword ptr [ebp-C], 0
00423CC4 . 74 0A je short 00423CD0
00423CC6 . 52 push edx
00423CC7 . 8D45 F4 lea eax, dword ptr [ebp-C]
00423CCA . E8 25FFFFFF call 00423BF4 ; release the temporary set at 00423E17 — 00423BF4 not shown
00423CCF . 5A pop edx
00423CD0 > 59 pop ecx
00423CD1 . 8B75 E0 mov esi, dword ptr [ebp-20] ; resume scanning after the directive
00423CD4 .^ E9 42FFFFFF jmp 00423C1B
; 00423CD9: parses an unsigned decimal number out of the format ('*' = take it from the
; next integer argument).  In/out: AL = current byte, ESI = format cursor, ECX = format end.
; Out: EBX = value, AL = first byte after the number.
00423CD9 $ 31DB xor ebx, ebx
00423CDB . 80F8 2A cmp al, 2A ; '*'
00423CDE . 74 22 je short 00423D02
00423CE0 > 80F8 30 cmp al, 30
00423CE3 . 72 3C jb short 00423D21 ; below '0' -> done
00423CE5 . 80F8 39 cmp al, 39
00423CE8 . 77 37 ja short 00423D21 ; above '9' -> done
00423CEA . 6BDB 0A imul ebx, ebx, 0A ; value = value * 10 + digit
00423CED . 80E8 30 sub al, 30
00423CF0 . 0FB6C0 movzx eax, al
00423CF3 . 01C3 add ebx, eax
00423CF5 . 39CE cmp esi, ecx
00423CF7 . 74 03 je short 00423CFC ; format ended inside the number
00423CF9 . AC lods byte ptr [esi]
00423CFA .^ EB E4 jmp short 00423CE0
00423CFC > 58 pop eax ; drop this routine's return address ...
00423CFD .^ E9 2BFFFFFF jmp 00423C2D ; ... and finish the whole format
00423D02 > 8B45 F8 mov eax, dword ptr [ebp-8] ; '*': EAX = next argument index
00423D05 . 3B45 08 cmp eax, dword ptr [ebp+8]
00423D08 . 77 12 ja short 00423D1C ; no argument left
00423D0A . FF45 F8 inc dword ptr [ebp-8]
00423D0D . 8B5D 0C mov ebx, dword ptr [ebp+C] ; argument records: value at +0, type byte at +4
00423D10 . 807CC3 04 00 cmp byte ptr [ebx+eax*8+4], 0 ; type 0 (integer, see 00423D90)?
00423D15 . 8B1CC3 mov ebx, dword ptr [ebx+eax*8]
00423D18 . 74 02 je short 00423D1C
00423D1A . 31DB xor ebx, ebx ; other types -> 0
00423D1C > 39CE cmp esi, ecx
00423D1E .^ 74 DC je short 00423CFC
00423D20 . AC lods byte ptr [esi]
00423D21 > C3 retn
6、跟进 00423C87 . E8 96000000 call 00423D22 ; //得出真码,跟进
终于到了最终算出真码的地方,累!!!
; 00423D22: converts one argument (record [ebp-8]) according to the conversion char in AL.
; It is called from 00423C00 and uses that frame: locals [ebp-8] (arg index), [ebp-10]
; (directive start), [ebp-1C] (precision), [ebp-20] (format position), [ebp-38]/[ebp-48]
; (digit buffers) and arguments [ebp+8]/[ebp+C].   Out: ESI = text, ECX = its length.
; For the crackme only the type-0 / 'D' path matters (00423D90..00423DF2).
00423D22 /$ 24 DF and al, 0DF ; upper-case the conversion char
00423D24 |. 88C1 mov cl, al ; CL = conversion char
00423D26 |. B8 01000000 mov eax, 1
00423D2B |. 8B5D F8 mov ebx, dword ptr [ebp-8] ; EBX = argument index
00423D2E |. 3B5D 08 cmp ebx, dword ptr [ebp+8]
00423D31 |. 77 50 ja short 00423D83 ; no argument -> echo the directive text
00423D33 |. FF45 F8 inc dword ptr [ebp-8]
00423D36 |. 8B75 0C mov esi, dword ptr [ebp+C]
00423D39 |. 8D34DE lea esi, dword ptr [esi+ebx*8] ; ESI -> argument record
00423D3C |. 8B06 mov eax, dword ptr [esi] ; EAX = argument value (for the crackme: the computed code)
00423D3E |. 0FB65E 04 movzx ebx, byte ptr [esi+4] ; EBX = type tag
00423D42 |. FF249D 493D42>jmp dword ptr [ebx*4+423D49] ; dispatch on the type tag; tag 0 (set at 004236B9) -> 00423D90
00423D49 |. 903D4200 dd 1.00423D90 ; jump table used by 00423D42 — tag 0: integer
00423D4D |. 813D4200 dd 1.00423D81 ; tag 1: default
00423D51 |. F33D4200 dd 1.00423DF3 ; tag 2
00423D55 |. 8A3E4200 dd 1.00423E8A ; tag 3
00423D59 |. 1F3E4200 dd 1.00423E1F ; tag 4
00423D5D |. 6C3E4200 dd 1.00423E6C ; tag 5
00423D61 |. 4C3E4200 dd 1.00423E4C ; tag 6
00423D65 |. 813D4200 dd 1.00423D81 ; tags 7..10: default
00423D69 |. 813D4200 dd 1.00423D81
00423D6D |. 813D4200 dd 1.00423D81
00423D71 |. 813D4200 dd 1.00423D81
00423D75 |. 303E4200 dd 1.00423E30 ; tag 11
00423D79 |. 863E4200 dd 1.00423E86 ; tag 12
00423D7D |. FE3D4200 dd 1.00423DFE ; tag 13
00423D81 |> 31C0 xor eax, eax ; Default case of switch 00423E90 — unknown tag or conversion char
00423D83 |> 8B55 F0 mov edx, dword ptr [ebp-10] ; directive start
00423D86 |. 8B4D E0 mov ecx, dword ptr [ebp-20]
00423D89 |. 29D1 sub ecx, edx ; ECX = directive length
00423D8B |. E8 F8FDFFFF call 00423B88 ; presumably returns the raw directive as the text — 00423B88 not shown
00423D90 |> 80F9 44 cmp cl, 44 ; Switch (cases 44..58): integer argument
00423D93 |. 74 11 je short 00423DA6 ; 'D'
00423D95 |. 80F9 55 cmp cl, 55
00423D98 |. 74 1E je short 00423DB8 ; 'U'
00423D9A |. 80F9 58 cmp cl, 58
00423D9D |.^ 75 E2 jnz short 00423D81 ; not 'X' -> default
00423D9F |. B9 10000000 mov ecx, 10 ; Case 58 ('X') of switch 00423D90: base 16
00423DA4 |. EB 17 jmp short 00423DBD
00423DA6 |> 09C0 or eax, eax ; Case 44 ('D') of switch 00423D90: signed
00423DA8 |. 79 0E jns short 00423DB8 ; non-negative -> same as 'U'
00423DAA |. F7D8 neg eax ; negative: convert the magnitude ...
00423DAC |. E8 07000000 call 00423DB8 ; ... (author: this computes the real code) ...
00423DB1 |. B0 2D mov al, 2D ; ... then prepend '-'
00423DB3 |. 41 inc ecx ; length + 1
00423DB4 |. 4E dec esi
00423DB5 |. 8806 mov byte ptr [esi], al
00423DB7 |. C3 retn
00423DB8 |$ B9 0A000000 mov ecx, 0A ; Case 55 ('U') of switch 00423D90: divisor/base 10 (also the 'D' magnitude path)
00423DBD |> 8D75 C8 lea esi, dword ptr [ebp-38] ; ESI = end of the digit buffer; digits are written backwards
00423DC0 |> 31D2 /xor edx, edx
00423DC2 |. F7F1 |div ecx ; EAX = value / base, EDX = value % base (unsigned)
00423DC4 |. 80C2 30 |add dl, 30 ; digit -> '0'..'9'
00423DC7 |. 80FA 3A |cmp dl, 3A ; past '9' (i.e. ':')?
00423DCA |. 72 03 |jb short 00423DCF ; below -> a decimal digit, keep it
00423DCC |. 80C2 07 |add dl, 7 ; otherwise +7 -> 'A'..'F' (base 16 only)
00423DCF |> 4E |dec esi ; store position - 1
00423DD0 |. 8816 |mov byte ptr [esi], dl ; store the digit (most significant ends up first)
00423DD2 |. 09C0 |or eax, eax ; quotient exhausted?
00423DD4 |.^ 75 EA \jnz short 00423DC0
00423DD6 |. 8D4D C8 lea ecx, dword ptr [ebp-38]
00423DD9 |. 29F1 sub ecx, esi ; ECX = digit count
00423DDB |. 8B55 E4 mov edx, dword ptr [ebp-1C] ; EDX = precision
00423DDE |. 83FA 10 cmp edx, 10
00423DE1 |. 72 01 jb short 00423DE4
00423DE3 |. C3 retn ; precision >= 16 (incl. the -1 default): no zero padding
00423DE4 |> 29CA sub edx, ecx
00423DE6 |. 76 0A jbe short 00423DF2 ; already long enough
00423DE8 |. 01D1 add ecx, edx ; length = precision
00423DEA |. B0 30 mov al, 30
00423DEC |> 4E /dec esi
00423DED |. 8806 |mov byte ptr [esi], al ; leading '0's
00423DEF |. 4A |dec edx
00423DF0 |.^ 75 FA \jnz short 00423DEC
00423DF2 |> C3 retn
00423DF3 |> 80F9 53 cmp cl, 53 ; tag 2: only 'S'
00423DF6 |.^ 75 89 jnz short 00423D81
00423DF8 |. B9 01000000 mov ecx, 1 ; length 1; ESI still points at the record, so presumably a single character stored in-place
00423DFD |. C3 retn
00423DFE |> 80F9 53 cmp cl, 53 ; tag 13: only 'S'
00423E01 |.^ 0F85 7AFFFFFF jnz 00423D81
00423E07 |. 66:8338 01 cmp word ptr [eax], 1
00423E0B |. 76 0F jbe short 00423E1C ; first word <= 1 -> treated as empty
00423E0D |. 89C2 mov edx, eax
00423E0F |. 8D45 F4 lea eax, dword ptr [ebp-C]
00423E12 |. E8 C9FDFFFF call 00423BE0 ; converts into the temporary at [ebp-C] (released at 00423CC6) — 00423BE0 not shown
00423E17 |. 8B75 F4 mov esi, dword ptr [ebp-C]
00423E1A |. EB 1F jmp short 00423E3B
00423E1C |> 31C9 xor ecx, ecx ; empty string
00423E1E |. C3 retn
00423E1F |> 80F9 53 cmp cl, 53 ; tag 4: only 'S'
00423E22 |.^ 0F85 59FFFFFF jnz 00423D81
00423E28 |. 89C6 mov esi, eax
00423E2A |. AC lods byte ptr [esi] ; length byte first, text follows (length-prefixed string)
00423E2B |. 0FB6C8 movzx ecx, al
00423E2E |. EB 12 jmp short 00423E42
00423E30 |> 80F9 53 cmp cl, 53 ; tag 11: only 'S'
00423E33 |.^ 0F85 48FFFFFF jnz 00423D81
00423E39 |. 89C6 mov esi, eax
00423E3B |> 09F6 or esi, esi
00423E3D |.^ 74 DD je short 00423E1C ; null pointer -> empty
00423E3F |. 8B4E FC mov ecx, dword ptr [esi-4] ; length stored 4 bytes before the text
00423E42 |> 3B4D E4 cmp ecx, dword ptr [ebp-1C] ; clamp the length to the precision (unsigned, so -1 = no limit)
00423E45 |. 77 01 ja short 00423E48
00423E47 |. C3 retn
00423E48 |> 8B4D E4 mov ecx, dword ptr [ebp-1C]
00423E4B |. C3 retn
00423E4C |> 80F9 53 cmp cl, 53 ; tag 6: only 'S'; NUL-terminated text
00423E4F |.^ 0F85 2CFFFFFF jnz 00423D81
00423E55 |. 89C6 mov esi, eax
00423E57 |. 57 push edi
00423E58 |. 89C7 mov edi, eax
00423E5A |. 30C0 xor al, al
00423E5C |. 8B4D E4 mov ecx, dword ptr [ebp-1C] ; scan at most 'precision' bytes for the NUL
00423E5F |. E3 05 jecxz short 00423E66
00423E61 |. F2:AE repne scas byte ptr es:[edi]
00423E63 |. 75 01 jnz short 00423E66 ; no NUL within the limit
00423E65 |. 4F dec edi ; exclude the NUL itself
00423E66 |> 89F9 mov ecx, edi
00423E68 |. 29F1 sub ecx, esi ; ECX = length
00423E6A |. 5F pop edi
00423E6B |. C3 retn
00423E6C |> 80F9 50 cmp cl, 50 ; tag 5: only 'P'
00423E6F |.^ 0F85 0CFFFFFF jnz 00423D81
00423E75 |. C745 E4 08000>mov dword ptr [ebp-1C], 8 ; pointer: 8 hex digits, zero-padded
00423E7C |. B9 10000000 mov ecx, 10
00423E81 |.^ E9 37FFFFFF jmp 00423DBD
00423E86 |> B7 01 mov bh, 1 ; tag 12: BH = 1 ...
00423E88 |. EB 02 jmp short 00423E8C
00423E8A |> B7 00 mov bh, 0 ; tag 3: BH = 0 (BH is handed to 004223D6 in ECX below)
00423E8C |> 89C6 mov esi, eax ; ESI = argument value
00423E8E |. B3 00 mov bl, 0 ; BL = format selector
00423E90 |. 80F9 47 cmp cl, 47 ; Switch (cases 45..4E)
00423E93 |. 74 3F je short 00423ED4 ; 'G' -> BL = 0
00423E95 |. B3 01 mov bl, 1
00423E97 |. 80F9 45 cmp cl, 45
00423E9A |. 74 38 je short 00423ED4 ; 'E' -> BL = 1
00423E9C |. B3 02 mov bl, 2
00423E9E |. 80F9 46 cmp cl, 46
00423EA1 |. 74 12 je short 00423EB5 ; 'F' -> BL = 2
00423EA3 |. B3 03 mov bl, 3
00423EA5 |. 80F9 4E cmp cl, 4E
00423EA8 |. 74 0B je short 00423EB5 ; 'N' -> BL = 3
00423EAA |. 80F9 4D cmp cl, 4D
00423EAD |.^ 0F85 CEFEFFFF jnz 00423D81
00423EB3 |. B3 04 mov bl, 4 ; Case 4D ('M') of switch 00423E90 -> BL = 4
00423EB5 |> B8 12000000 mov eax, 12 ; Cases 46 ('F'),4E ('N') of switch 00423E90: EAX = 0x12 (Arg2 below)
00423EBA |. 8B55 E4 mov edx, dword ptr [ebp-1C] ; EDX = precision
00423EBD |. 39C2 cmp edx, eax
00423EBF |. 76 25 jbe short 00423EE6 ; explicit precision <= 0x12 is kept
00423EC1 |. BA 02000000 mov edx, 2 ; otherwise 2 ...
00423EC6 |. 80F9 4D cmp cl, 4D
00423EC9 |. 75 1B jnz short 00423EE6
00423ECB |. 0FB615 707043>movzx edx, byte ptr [437070] ; ... or, for 'M', the global byte at 437070
00423ED2 |. EB 12 jmp short 00423EE6
00423ED4 |> 8B45 E4 mov eax, dword ptr [ebp-1C] ; Cases 45 ('E'),47 ('G') of switch 00423E90: EAX = precision
00423ED7 |. BA 03000000 mov edx, 3
00423EDC |. 83F8 12 cmp eax, 12
00423EDF |. 76 05 jbe short 00423EE6
00423EE1 |. B8 0F000000 mov eax, 0F ; precision above 0x12 (incl. the -1 default) -> 0xF
00423EE6 |> 53 push ebx ; /Arg3 = BL format selector
00423EE7 |. 50 push eax ; |Arg2
00423EE8 |. 52 push edx ; |Arg1
00423EE9 |. 8D45 B8 lea eax, dword ptr [ebp-48] ; |EAX = output buffer
00423EEC |. 89F2 mov edx, esi ; |EDX = argument value
00423EEE |. 0FB6CF movzx ecx, bh ; |ECX = BH flag
00423EF1 |. E8 E0E4FFFF call 004223D6 ; \1.004223D6 — presumably the floating-point text conversion (not shown); returns the length
00423EF6 |. 89C1 mov ecx, eax ; ECX = length
00423EF8 |. 8D75 B8 lea esi, dword ptr [ebp-48] ; ESI = text
00423EFB \. C3 retn
; 00423EFC: epilogue of 00423C00 (reached from 00423C32 and 00423CFD)
00423EFC > 5F pop edi
00423EFD . 5E pop esi
00423EFE . 5B pop ebx
00423EFF . 8BE5 mov esp, ebp
00423F01 . 5D pop ebp
00423F02 . C2 0C00 retn 0C ; pops the three stack arguments pushed at 00423F6D..00423F72
总结:
用户名各字符的ASCII值累加,连续三次乘以0x1332,再加上0x0F4A(反汇编中的立即数均为十六进制),最后把结果转换为有符号十进制数,就是最终注册码!