【破文标题】第二个CrackMe by deletex简单算法分析+VB注册机源码
【破解作者】hrbx
【使用工具】OllDbg1.10、Peid
【破解日期】2007-11-25
【下载地址】http://bbs.chinapyg.com/viewthread.php?tid=16561
【软件简介】第二个CrackMe by deletex
-----------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟,偶得一点心得,愿与大家分享:)
-----------------------------------------------------------------------------------------
【破解过程】
1.查壳。用Peid扫描程序,显示为:Microsoft Visual C++ 6.0,无壳。
2.试运行。运行程序,输入注册信息后,点"OK"按钮没有任何提示。
3.追出算法。OD载入CrackMe,F9运行,输入注册信息:
====================================================
RegName:hrbx
RegCode:9876543210
====================================================
命令栏输入: bp GetWindowTextLengthA,回车,点"OK"按钮,立即中断:
77D4EF2B U> 8BFF mov edi,edi ; 中断在这,USER32.GetDlgItem
77D4EF2D 55 push ebp
77D4EF2E 8BEC mov ebp,esp
77D4EF30 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
观察堆栈友好提示:
0012FA6C 0040150B /CALL 到 GetWindowTextLengthA 来自 CrackMe.00401509
0012FA70 0005047C \hWnd = 0005047C (class='Edit',parent=001903E8)
Alt+F9返回,来到:
004014F4 8B3D A8504000 mov edi,dword ptr ds:[<&USER32.GetDlgItem>] ; USER32.GetDlgItem
004014FA 68 EA030000 push 3EA ; 获取用户名文本框控件的指针
004014FF 50 push eax
00401500 FFD7 call edi
00401502 8B35 9C504000 mov esi,dword ptr ds:[<&USER32.GetWindowTextL>; USER32.GetWindowTextLengthA
00401508 50 push eax
00401509 FFD6 call esi ; 获取用户名长度
0040150B 8B0D A4644000 mov ecx,dword ptr ds:[4064A4] ; Alt+F9返回到这里
00401511 68 E8030000 push 3E8
00401516 51 push ecx
00401517 894424 20 mov dword ptr ss:[esp+20],eax ; 用户名长度保存,EAX=0x4
0040151B FFD7 call edi ; USER32.GetDlgItem
0040151D 50 push eax ; 获取注册码文本框控件的指针
0040151E FFD6 call esi ; 获取注册码长度
00401520 6A 1E push 1E
00401522 8BD8 mov ebx,eax ; 注册码长度保存,EBX=EAX=0xA
00401524 E8 67020000 call CrackMe.00401790
00401529 83C4 04 add esp,4
0040152C 33ED xor ebp,ebp
0040152E 83FB 10 cmp ebx,10 ; 注册码长度与0x10(16)比较
00401531 8BF0 mov esi,eax
00401533 75 5B jnz short CrackMe.00401590 ; 不等则Over,
00401535 837C24 18 04 cmp dword ptr ss:[esp+18],4 ; 用户名长度与0x4比较
0040153A 7C 54 jl short CrackMe.00401590 ; 小于则Over,
0040153C 8B15 A4644000 mov edx,dword ptr ds:[4064A4]
00401542 6A 1E push 1E
00401544 56 push esi
00401545 68 EA030000 push 3EA
0040154A 52 push edx
0040154B FFD7 call edi
0040154D 50 push eax
0040154E FF15 A0504000 call dword ptr ds:[<&USER32.GetWindowTextA>] ; USER32.GetWindowTextA
00401554 8A06 mov al,byte ptr ds:[esi] ; 取用户名第一位字符的ASCII值
00401556 84C0 test al,al
00401558 74 0F je short CrackMe.00401569
0040155A 25 FF000000 and eax,0FF
0040155F 03E8 add ebp,eax ; EBP=EBP+EAX,用户名每一位字符的ASCII值累加
00401561 8A46 01 mov al,byte ptr ds:[esi+1] ; 取用户名下一位字符的ASCII值
00401564 46 inc esi
00401565 84C0 test al,al
00401567 ^ 75 F1 jnz short CrackMe.0040155A
00401569 8BC5 mov eax,ebp ; EBP=0x1B4
0040156B B9 1A000000 mov ecx,1A ; ECX=0x1A
00401570 99 cdq
00401571 F7F9 idiv ecx ; EAX/ECX,商给EAX,余数给EDX
00401573 6A 00 push 0
00401575 6A 00 push 0
00401577 68 01040000 push 401
0040157C 80C2 41 add dl,41 ; DL=DL+0x41
0040157F 8815 90644000 mov byte ptr ds:[406490],dl ; DL保存,DL=55 ('U')
00401585 8B5424 20 mov edx,dword ptr ss:[esp+20]
00401589 52 push edx
0040158A FF15 98504000 call dword ptr ds:[<&USER32.SendMessageA>] ; F8步过,中断
00401590 5F pop edi
00401591 5E pop esi
00401592 5D pop ebp
00401593 B8 01000000 mov eax,1
00401598 5B pop ebx
00401599 C2 1000 retn 10
F8步过0040158A,中断在如下位置:
77D4EF2B U> 8BFF mov edi,edi ; USER32.GetWindowTextLengthA
77D4EF2D 55 push ebp
77D4EF2E 8BEC mov ebp,esp
观察堆栈友好提示:
0012F850 004015DE /CALL 到 GetWindowTextLengthA 来自 CrackMe.004015DC
0012F854 00090480 \hWnd = 00090480 (class='Edit',parent=002003E8)
Alt+F9返回,来到:
004015DE 8B0D A4644000 mov ecx,dword ptr ds:[4064A4] ; 返回来到
004015E4 68 E8030000 push 3E8
004015E9 51 push ecx
004015EA 8BD8 mov ebx,eax
004015EC FFD6 call esi ; USER32.GetDlgItem
004015EE 50 push eax ; 获取用户名文本框控件的指针
004015EF FFD7 call edi ; USER32.GetWindowTextLengthA
004015F1 83F8 10 cmp eax,10 ; 注册码长度与0x10(16)比较
004015F4 74 1F je short CrackMe.00401615 ; 不等则Over
004015F6 8B5424 10 mov edx,dword ptr ss:[esp+10]
004015FA 52 push edx
004015FB E8 9E010000 call CrackMe.0040179E
00401600 8B4424 18 mov eax,dword ptr ss:[esp+18]
00401604 50 push eax
00401605 E8 94010000 call CrackMe.0040179E
0040160A 83C4 08 add esp,8
0040160D 5F pop edi
0040160E 5E pop esi
0040160F 5D pop ebp
00401610 5B pop ebx
00401611 83C4 08 add esp,8
00401614 C3 retn
00401615 83FB 04 cmp ebx,4 ; 用户名长度与0x4比较
00401618 0F8C 99000000 jl CrackMe.004016B7 ; 小于则Over
0040161E 83FB 10 cmp ebx,10 ; 注册码长度与0x10(16)比较
00401621 0F8F 90000000 jg CrackMe.004016B7 ; 大于则Over
00401627 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
0040162B 8B15 A4644000 mov edx,dword ptr ds:[4064A4]
00401631 6A 1E push 1E
00401633 51 push ecx
00401634 68 EA030000 push 3EA
00401639 52 push edx
0040163A FFD6 call esi
0040163C 8B3D A0504000 mov edi,dword ptr ds:[<&USER32.GetWindowT>; USER32.GetWindowTextA
00401642 50 push eax
00401643 FFD7 call edi
00401645 8B4424 14 mov eax,dword ptr ss:[esp+14]
00401649 8B0D A4644000 mov ecx,dword ptr ds:[4064A4]
0040164F 6A 1E push 1E
00401651 50 push eax
00401652 68 E8030000 push 3E8
00401657 51 push ecx
00401658 FFD6 call esi ; USER32.GetDlgItem
0040165A 50 push eax
0040165B FFD7 call edi ; USER32.GetWindowTextA
0040165D 8B4C24 10 mov ecx,dword ptr ss:[esp+10] ; 用户名"hrbx"
00401661 8A01 mov al,byte ptr ds:[ecx]
00401663 84C0 test al,al
00401665 74 0D je short CrackMe.00401674
00401667 0FBED0 movsx edx,al
0040166A 8A41 01 mov al,byte ptr ds:[ecx+1]
0040166D 03EA add ebp,edx ; 取用户名每一位字符的ASCII值累加
0040166F 41 inc ecx ; EBP=0x1B4
00401670 84C0 test al,al
00401672 ^ 75 F3 jnz short CrackMe.00401667
00401674 81E5 01000080 and ebp,80000001
0040167A 79 05 jns short CrackMe.00401681
0040167C 4D dec ebp
0040167D 83CD FE or ebp,FFFFFFFE
00401680 45 inc ebp
00401681 74 1A je short CrackMe.0040169D ; 根据用户名ASCII值之和决定跳转
00401683 8D4424 14 lea eax,dword ptr ss:[esp+14]
00401687 8D4C24 10 lea ecx,dword ptr ss:[esp+10]
0040168B 50 push eax
0040168C 51 push ecx
0040168D E8 6EF9FFFF call CrackMe.00401000 ; ASCII值累加和为奇数进入这里
00401692 83C4 08 add esp,8
00401695 5F pop edi
00401696 5E pop esi
00401697 5D pop ebp
00401698 5B pop ebx
00401699 83C4 08 add esp,8
0040169C C3 retn
0040169D 8D5424 14 lea edx,dword ptr ss:[esp+14]
004016A1 8D4424 10 lea eax,dword ptr ss:[esp+10]
004016A5 52 push edx
004016A6 50 push eax
004016A7 E8 74FBFFFF call CrackMe.00401220 ; ASCII值累加和为偶数进入这里
004016AC 83C4 08 add esp,8 ; 关键CALL-1,F7进入
004016AF 5F pop edi
004016B0 5E pop esi
004016B1 5D pop ebp
004016B2 5B pop ebx
004016B3 83C4 08 add esp,8
004016B6 C3 retn
004016B7 8B4C24 10 mov ecx,dword ptr ss:[esp+10]
004016BB 51 push ecx
004016BC E8 DD000000 call CrackMe.0040179E
004016C1 8B5424 18 mov edx,dword ptr ss:[esp+18]
004016C5 52 push edx
004016C6 E8 D3000000 call CrackMe.0040179E
004016CB 83C4 08 add esp,8
004016CE 5F pop edi
004016CF 5E pop esi
004016D0 5D pop ebp
004016D1 5B pop ebx
004016D2 83C4 08 add esp,8
004016D5 C3 retn
以用户名"hrbx"为例,由于用户名字符的ASCII累加之和为偶数,于是F7进入004016A7处的关键CALL-1,来到:
00401220 55 push ebp
00401221 8BEC mov ebp,esp
00401223 81EC B8020000 sub esp,2B8
00401229 53 push ebx
0040122A 56 push esi
0040122B 57 push edi
0040122C B9 A8000000 mov ecx,0A8
00401231 33C0 xor eax,eax
00401233 8DBD 49FDFFFF lea edi,dword ptr ss:[ebp-2B7]
00401239 C685 48FDFFFF 0>mov byte ptr ss:[ebp-2B8],0
00401240 6A 1E push 1E
00401242 F3:AB rep stos dword ptr es:[edi]
00401244 66:AB stos word ptr es:[edi]
00401246 AA stos byte ptr es:[edi]
00401247 E8 44050000 call CrackMe.00401790
0040124C 6A 1E push 1E
0040124E 8BD8 mov ebx,eax
00401250 E8 3B050000 call CrackMe.00401790
00401255 8A0D 90644000 mov cl,byte ptr ds:[406490] ; ds:[00406490]=55 ('U')
0040125B 8BD0 mov edx,eax
0040125D 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00401260 884D FF mov byte ptr ss:[ebp-1],cl ; CL=55 ('U')
00401263 8945 F0 mov dword ptr ss:[ebp-10],eax
00401266 8B45 08 mov eax,dword ptr ss:[ebp+8]
00401269 83C9 FF or ecx,FFFFFFFF
0040126C 83C4 08 add esp,8
0040126F 8B38 mov edi,dword ptr ds:[eax] ; 用户名"hrbx"
00401271 33C0 xor eax,eax
00401273 F2:AE repne scas byte ptr es:[edi]
00401275 F7D1 not ecx
00401277 2BF9 sub edi,ecx
00401279 8955 F4 mov dword ptr ss:[ebp-C],edx
0040127C 8BC1 mov eax,ecx
0040127E 8BF7 mov esi,edi
00401280 8BFB mov edi,ebx
00401282 C1E9 02 shr ecx,2
00401285 F3:A5 rep movs dword ptr es:[edi],dword pt>
00401287 8BC8 mov ecx,eax
00401289 33C0 xor eax,eax
0040128B 83E1 03 and ecx,3
0040128E F3:A4 rep movs byte ptr es:[edi],byte ptr >
00401290 8B4D 0C mov ecx,dword ptr ss:[ebp+C]
00401293 8B39 mov edi,dword ptr ds:[ecx] ; 注册码"9876543210123456"
00401295 83C9 FF or ecx,FFFFFFFF
00401298 F2:AE repne scas byte ptr es:[edi]
0040129A F7D1 not ecx
0040129C 2BF9 sub edi,ecx
0040129E 8BC1 mov eax,ecx
004012A0 8BF7 mov esi,edi
004012A2 8BFA mov edi,edx
004012A4 C1E9 02 shr ecx,2
004012A7 F3:A5 rep movs dword ptr es:[edi],dword pt>
004012A9 8BC8 mov ecx,eax
004012AB 33C0 xor eax,eax
004012AD 83E1 03 and ecx,3
004012B0 F3:A4 rep movs byte ptr es:[edi],byte ptr >
004012B2 8BFB mov edi,ebx
004012B4 83C9 FF or ecx,FFFFFFFF
004012B7 F2:AE repne scas byte ptr es:[edi]
004012B9 F7D1 not ecx
004012BB 49 dec ecx
004012BC 33F6 xor esi,esi
004012BE 894D EC mov dword ptr ss:[ebp-14],ecx ; 用户名长度,ECX=0x4
004012C1 8D8D 48FDFFFF lea ecx,dword ptr ss:[ebp-2B8]
004012C7 8975 0C mov dword ptr ss:[ebp+C],esi
004012CA 894D 08 mov dword ptr ss:[ebp+8],ecx
004012CD 33C9 xor ecx,ecx
004012CF 8BC6 mov eax,esi
004012D1 BF 1A000000 mov edi,1A ; EDI=0x1A
004012D6 99 cdq
004012D7 F7FF idiv edi ; EAX/EDI
004012D9 8B45 08 mov eax,dword ptr ss:[ebp+8]
004012DC 80C2 41 add dl,41 ; DL=DL+0x41
004012DF 881408 mov byte ptr ds:[eax+ecx],dl ; dl=41 ('A')
004012E2 41 inc ecx
004012E3 46 inc esi
004012E4 3BCF cmp ecx,edi
004012E6 ^ 7C E7 jl short CrackMe.004012CF
004012E8 8B75 0C mov esi,dword ptr ss:[ebp+C]
004012EB 8BC8 mov ecx,eax ; 形成字符串"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
004012ED 83C6 02 add esi,2
004012F0 03CF add ecx,edi
004012F2 83FE 34 cmp esi,34 ; ESI与0x34(52)比较
004012F5 8975 0C mov dword ptr ss:[ebp+C],esi
004012F8 894D 08 mov dword ptr ss:[ebp+8],ecx
004012FB ^ 7C D0 jl short CrackMe.004012CD ; 小于则继续
004012FD 8B75 EC mov esi,dword ptr ss:[ebp-14]
00401300 56 push esi
00401301 53 push ebx ; 用户名"hrbx"
00401302 E8 D9030000 call CrackMe.004016E0 ; 用户名转为大写"HRBX"
00401307 83C4 08 add esp,8
0040130A 85C0 test eax,eax
0040130C 0F84 1D010000 je CrackMe.0040142F
00401312 56 push esi
00401313 53 push ebx
00401314 E8 27040000 call CrackMe.00401740 ; 关键CALL-2,F7进入,用户名变换得到"HRBXCMIW"
00401319 0FBE7D FF movsx edi,byte ptr ss:[ebp-1] ; EDI=ss:[0012F847]=55 ('U')
0040131D 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00401320 83C4 08 add esp,8
00401323 C1FF 05 sar edi,5 ; EDI=EDI sar 5
00401326 2BC3 sub eax,ebx
00401328 C745 08 0000000>mov dword ptr ss:[ebp+8],0
0040132F 8BCB mov ecx,ebx ; 变换后的用户名"HRBXCMIW"
00401331 8945 0C mov dword ptr ss:[ebp+C],eax
00401334 33D2 xor edx,edx
00401336 BB 1A000000 mov ebx,1A ; EBX=0x1A
0040133B 8A11 mov dl,byte ptr ds:[ecx] ; 依次取变换后的用户名每一位字符的ASCII值
0040133D 8BF2 mov esi,edx ; EDX=0x48
0040133F 8BC6 mov eax,esi
00401341 2BC7 sub eax,edi ; EAX=EAX-EDI
00401343 99 cdq
00401344 F7FB idiv ebx ; EAX/EBX,商给EAX,余数给EDX
00401346 0FBEC2 movsx eax,dl ; EAX=DL=0x12
00401349 8D1440 lea edx,dword ptr ds:[eax+eax*2] ; EDX=EAX+EAX*2
0040134C 8D0490 lea eax,dword ptr ds:[eax+edx*4] ; EAX=EAX+EDX*4
0040134F 8BD6 mov edx,esi ; EDX=ESI=0x48
00401351 81E2 0F000080 and edx,8000000F ; EDX=EDX and 0x8000000F,取低4位
00401357 79 05 jns short CrackMe.0040135E
00401359 4A dec edx
0040135A 83CA F0 or edx,FFFFFFF0
0040135D 42 inc edx
0040135E 0FBED2 movsx edx,dl ; EDX=DL=0x8
00401361 BB 1A000000 mov ebx,1A ; EBX=0x1A
00401366 8D9415 48FDFFFF lea edx,dword ptr ss:[ebp+edx-2B8] ; EDX=ss:[ebp+edx-2B8]
0040136D 0FBE3442 movsx esi,byte ptr ds:[edx+eax*2] ; 根据EDX在字符串取字符
00401371 8B45 0C mov eax,dword ptr ss:[ebp+C]
00401374 0FBE0408 movsx eax,byte ptr ds:[eax+ecx] ; 依次取注册码每一位字符的ASCII值
00401378 99 cdq
00401379 F7FB idiv ebx ; EAX/EBX,商给EAX,余数给EDX
0040137B 83C2 41 add edx,41 ; EDX=EDX+0x41
0040137E 3BF2 cmp esi,edx ; 比较根据用户名取的字符与注册码运算结果是否相等
00401380 0F85 A9000000 jnz CrackMe.0040142F ; 不等则Over
00401386 8B45 08 mov eax,dword ptr ss:[ebp+8]
00401389 40 inc eax
0040138A 41 inc ecx
0040138B 83F8 08 cmp eax,8 ; EAX与0x8比较,只检查注册码前8位
0040138E 8945 08 mov dword ptr ss:[ebp+8],eax
00401391 ^ 7C A1 jl short CrackMe.00401334
00401393 BB DB134000 mov ebx,CrackMe.004013DB ; \对004013DF---00401431段解码
00401398 895D 08 mov dword ptr ss:[ebp+8],ebx ; |
0040139B B8 2F144000 mov eax,CrackMe.0040142F ; |
004013A0 2BC3 sub eax,ebx ; |
004013A2 8B5D F0 mov ebx,dword ptr ss:[ebp-10] ; |
004013A5 8903 mov dword ptr ds:[ebx],eax ; |
004013A7 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; |
004013AA 33F6 xor esi,esi ; |
004013AC 99 cdq ; |
004013AD 83E2 03 and edx,3 ; |
004013B0 03C2 add eax,edx ; |
004013B2 C1F8 02 sar eax,2 ; |
004013B5 85C0 test eax,eax ; |
004013B7 7E 22 jle short CrackMe.004013DB ; |
004013B9 8B4D 08 mov ecx,dword ptr ss:[ebp+8] ; |
004013BC 8B11 mov edx,dword ptr ds:[ecx] ; |
004013BE 83C1 04 add ecx,4 ; |
004013C1 81F2 82044B00 xor edx,4B0482 ; |
004013C7 46 inc esi ; |
004013C8 8951 FC mov dword ptr ds:[ecx-4],edx ; |
004013CB 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; |
004013CE 99 cdq ; |
004013CF 83E2 03 and edx,3 ; |
004013D2 03C2 add eax,edx ; |
004013D4 C1F8 02 sar eax,2 ; |
004013D7 3BF0 cmp esi,eax ; |
004013D9 ^ 7C E1 jl short CrackMe.004013BC ; /解码结束
004013DB 40 inc eax
004013DC 48 dec eax
004013DD 40 inc eax
004013DE 48 dec eax
004013DF 0FBE75 FF movsx esi,byte ptr ss:[ebp-1] ; ESI=ss:[0012F847]=55 ('U')
004013E3 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; 注册码"9876543210123456"
004013E6 BF F8FFFFFF mov edi,-8
004013EB C1FE 02 sar esi,2 ; ESI=ESI sar 2
004013EE 8D48 08 lea ecx,dword ptr ds:[eax+8] ; 取注册码后8位"12345678"
004013F1 2BF8 sub edi,eax
004013F3 0FBE41 F8 movsx eax,byte ptr ds:[ecx-8] ; 依次取注册码前8位每一位字符的ASCII值
004013F7 33C6 xor eax,esi ; EAX=EAX xor ESI
004013F9 BB 1A000000 mov ebx,1A ; EBX=0x1A
004013FE 99 cdq
004013FF F7FB idiv ebx ; EAX/EBX,商给EAX,余数给EDX
00401401 0FBE01 movsx eax,byte ptr ds:[ecx] ; 依次取注册码后8位每一位字符的ASCII值
00401404 83C2 41 add edx,41 ; EDX=EDX+0x41
00401407 3BC2 cmp eax,edx ; 比较是否相等
00401409 75 24 jnz short CrackMe.0040142F ; 不等则Over
0040140B 41 inc ecx
0040140C 8D140F lea edx,dword ptr ds:[edi+ecx]
0040140F 83FA 08 cmp edx,8
00401412 ^ 7C DF jl short CrackMe.004013F3
00401414 A1 A4644000 mov eax,dword ptr ds:[4064A4]
00401419 6A 00 push 0
0040141B 6A 01 push 1
0040141D 50 push eax
0040141E FF15 A8504000 call dword ptr ds:[<&USER32.GetDlgIt>; USER32.GetDlgItem
00401424 50 push eax ; 获取"OK"按钮控件的指针
00401425 FF15 AC504000 call dword ptr ds:[<&USER32.EnableWi>; USER32.EnableWindow
0040142B 90 nop ; 使按钮变灰
0040142C 90 nop
0040142D 90 nop
0040142E 90 nop
0040142F 5F pop edi
00401430 5E pop esi
00401431 5B pop ebx
00401432 8BE5 mov esp,ebp
00401434 5D pop ebp
00401435 C3 retn
F7进入00401314处的关键CALL-2,来到:
00401740 8B5424 08 mov edx,dword ptr ss:[esp+8] ; 用户名长度
00401744 8B4C24 04 mov ecx,dword ptr ss:[esp+4]
00401748 83FA 08 cmp edx,8 ; 用户长度与0x8比较
0040174B 7C 04 jl short CrackMe.00401751
0040174D C641 08 00 mov byte ptr ds:[ecx+8],0
00401751 B8 08000000 mov eax,8 ; EAX=8
00401756 2BC2 sub eax,edx ; EAX=EAX-EDX
00401758 85C0 test eax,eax
0040175A 7E 2E jle short CrackMe.0040178A
0040175C 53 push ebx ; 用户名大写"HRBX"
0040175D 56 push esi
0040175E 03C8 add ecx,eax
00401760 BE 01000000 mov esi,1 ; ESI=1
00401765 57 push edi
00401766 2BF2 sub esi,edx ; ESI=ESI-EDX,1-用户名长度
00401768 8D4C11 FF lea ecx,dword ptr ds:[ecx+edx-1]
0040176C 8BF8 mov edi,eax
0040176E 33C0 xor eax,eax
00401770 BB 1A000000 mov ebx,1A ; EBX=0x1A
00401775 8A040E mov al,byte ptr ds:[esi+ecx] ; 根据ESI从用户名中倒序取字符的ASCII值(8+1-用户名长度)
00401778 83F0 64 xor eax,64 ; EAX=EAX xor 0x64
0040177B 99 cdq
0040177C F7FB idiv ebx ; EAX/EBX,商给EAX,余数给EDX
0040177E 80C2 41 add dl,41 ; DL=DL+0x41
00401781 8811 mov byte ptr ds:[ecx],dl ; DL保存
00401783 49 dec ecx
00401784 4F dec edi
00401785 ^ 75 E7 jnz short CrackMe.0040176E
00401787 5F pop edi
00401788 5E pop esi
00401789 5B pop ebx
0040178A C3 retn
-----------------------------------------------------------------------------------------
【破解总结】
1.用户名必须不小于4位,注册码必须为0x10(16)位。
2.设用户名所有字符的ASCII值之和为Sum,计算(Sum Mod 0x1A)+0x41,结果设为Num,设用户名长度为Length。
3.用户名转为大写,若用户名长度小于8,则对用户名时行变换,具体为:从用户名第(8+1-Length)位倒序取字符的ASCII值,记为S[I]。
计算S[I]=(S[I] xor 0x64) Mod 0x1A +0x41,取S[I]对应的字符连接在用户名最后位置,直到用户名凑足8位,变换后的用户名记为Name。
4.根据Sum为奇数或偶数进行相应的计算。
4.1.若Sum为偶数,则:
4.1.1.形成固定字符串Str1(见附表1)。
4.1.2.依次取Name每一位字符的ASCII值,记为N[I]。
4.1.3.计算TmpNum1=(((N[I]-(Num sar 5)) Mod 0x1A)*0xD。
4.1.4.计算TmpNum2=N[I] and 0x8000000F。
4.1.5.根据(TmpNum2+TmpNum1*2)在字符串Str1中取相应位置的字符。
4.1.6.依次取注册码前8位字符的ASCII值,记为C[I],计算 ((C[I] Mod 0x1A) +0x41)。
4.1.7.比较4.1.5与4.1.6计算得到的字符是否相等,相等则注册码前8位通过。
4.1.8.计算(((C[I] xor (Num sar 2)) Mod 0x1A+0x41))。
4.1.9.依次取注册码后8位字符的ASCII值,记为C[I+8]。
4.1.10.比较4.1.8与4.1.9计算得到的字符是否相等,相等则注册码后8位通过。
4.2.若Sum为奇数,则:
4.2.1.形成固定字符串Str2(见附表2)。
4.2.2.依次取Name每一位字符的ASCII值,记为N[I]。
4.2.3.计算TmpNum1=(((N[I]-(Num sar 5)) Mod 0x1A)*0xD。
4.2.4.计算TmpNum2=(((N[I]-(Num sar 4)) Mod 0x1A)。
4.2.5.根据(TmpNum2+TmpNum1*2)在字符串Str1中取相应位置的字符。
4.2.6.依次取注册码前8位字符的ASCII值,记为C[I],计算 ((C[I] Mod 0x1A) +0x41)。
4.2.7.比较4.2.5与4.2.6计算得到的字符是否相等,相等则注册码前8位通过。
4.2.8.计算(((C[I] xor (Num sar 2)) Mod 0x1A+0x41))。
4.2.9.依次取注册码后8位字符的ASCII值,记为C[I+8]。
4.2.10.比较4.2.8与4.2.9计算得到的字符是否相等,相等则注册码后8位通过。
字符串Str1(附表1)
=============================
ABCDEFGHIJKLMNOPQRSTUVWXYZ
CDEFGHIJKLMNOPQRSTUVWXYZAB
EFGHIJKLMNOPQRSTUVWXYZABCD
GHIJKLMNOPQRSTUVWXYZABCDEF
IJKLMNOPQRSTUVWXYZABCDEFGH
KLMNOPQRSTUVWXYZABCDEFGHIJ
MNOPQRSTUVWXYZABCDEFGHIJKL
OPQRSTUVWXYZABCDEFGHIJKLMN
QRSTUVWXYZABCDEFGHIJKLMNOP
STUVWXYZABCDEFGHIJKLMNOPQR
UVWXYZABCDEFGHIJKLMNOPQRST
WXYZABCDEFGHIJKLMNOPQRSTUV
YZABCDEFGHIJKLMNOPQRSTUVWX
ABCDEFGHIJKLMNOPQRSTUVWXYZ
CDEFGHIJKLMNOPQRSTUVWXYZAB
EFGHIJKLMNOPQRSTUVWXYZABCD
GHIJKLMNOPQRSTUVWXYZABCDEF
IJKLMNOPQRSTUVWXYZABCDEFGH
KLMNOPQRSTUVWXYZABCDEFGHIJ
MNOPQRSTUVWXYZABCDEFGHIJKL
OPQRSTUVWXYZABCDEFGHIJKLMN
QRSTUVWXYZABCDEFGHIJKLMNOP
STUVWXYZABCDEFGHIJKLMNOPQR
UVWXYZABCDEFGHIJKLMNOPQRST
WXYZABCDEFGHIJKLMNOPQRSTUV
YZABCDEFGHIJKLMNOPQRSTUVWX
=============================
字符串Str2(附表2)
=============================
ACEGIKMOQSUWYACEGIKMOQSUWY
BDFHJLNPRTVXZBDFHJLNPRTVXZ
CEGIKMOQSUWYACEGIKMOQSUWYA
DFHJLNPRTVXZBDFHJLNPRTVXZB
EGIKMOQSUWYACEGIKMOQSUWYAC
FHJLNPRTVXZBDFHJLNPRTVXZBD
GIKMOQSUWYACEGIKMOQSUWYACE
HJLNPRTVXZBDFHJLNPRTVXZBDF
IKMOQSUWYACEGIKMOQSUWYACEG
JLNPRTVXZBDFHJLNPRTVXZBDFH
KMOQSUWYACEGIKMOQSUWYACEGI
LNPRTVXZBDFHJLNPRTVXZBDFHJ
MOQSUWYACEGIKMOQSUWYACEGIK
NPRTVXZBDFHJLNPRTVXZBDFHJL
OQSUWYACEGIKMOQSUWYACEGIKM
PRTVXZBDFHJLNPRTVXZBDFHJLN
QSUWYACEGIKMOQSUWYACEGIKMO
RTVXZBDFHJLNPRTVXZBDFHJLNP
SUWYACEGIKMOQSUWYACEGIKMOQ
TVXZBDFHJLNPRTVXZBDFHJLNPR
UWYACEGIKMOQSUWYACEGIKMOQS
VXZBDFHJLNPRTVXZBDFHJLNPRT
WYACEGIKMOQSUWYACEGIKMOQSU
XZBDFHJLNPRTVXZBDFHJLNPRTV
YACEGIKMOQSUWYACEGIKMOQSUW
ZBDFHJLNPRTVXZBDFHJLNPRTVX
=============================
一组可用注册信息:
====================================================
RegName:hrbx
RegCode:, 427!//FBHNIAGG
====================================================
-----------------------------------------------------------------------------------------
【VB注册机源码】
Private Sub Generate_Click()
Dim UserName As String
Dim Serial As String
Dim TmpUserName As String
Dim TmpStr1 As String
Dim TmpStr2 As String
Dim Str1 As String
Dim Str2 As String
Dim Sum As Integer
Dim Num As Integer
Dim i As Integer
Dim Length As Integer
Dim TmpNum As Long
Dim TmpNum1 As Long
Dim TmpNum2 As Long
Dim TmpNum3 As Long
On Error Resume Next
Str1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZCDEFGHIJKLMNOPQRSTUVWXYZAB" & _
"EFGHIJKLMNOPQRSTUVWXYZABCDGHIJKLMNOPQRSTUVWXYZABCDEF" & _
"IJKLMNOPQRSTUVWXYZABCDEFGHKLMNOPQRSTUVWXYZABCDEFGHIJ" & _
"MNOPQRSTUVWXYZABCDEFGHIJKLOPQRSTUVWXYZABCDEFGHIJKLMN" & _
"QRSTUVWXYZABCDEFGHIJKLMNOPSTUVWXYZABCDEFGHIJKLMNOPQR" & _
"UVWXYZABCDEFGHIJKLMNOPQRSTWXYZABCDEFGHIJKLMNOPQRSTUV" & _
"YZABCDEFGHIJKLMNOPQRSTUVWXABCDEFGHIJKLMNOPQRSTUVWXYZ" & _
"CDEFGHIJKLMNOPQRSTUVWXYZABEFGHIJKLMNOPQRSTUVWXYZABCD" & _
"GHIJKLMNOPQRSTUVWXYZABCDEFIJKLMNOPQRSTUVWXYZABCDEFGH" & _
"KLMNOPQRSTUVWXYZABCDEFGHIJMNOPQRSTUVWXYZABCDEFGHIJKL" & _
"OPQRSTUVWXYZABCDEFGHIJKLMNQRSTUVWXYZABCDEFGHIJKLMNOP" & _
"STUVWXYZABCDEFGHIJKLMNOPQRUVWXYZABCDEFGHIJKLMNOPQRST" & _
"WXYZABCDEFGHIJKLMNOPQRSTUVYZABCDEFGHIJKLMNOPQRSTUVWX"
Str2 = "ACEGIKMOQSUWYACEGIKMOQSUWYBDFHJLNPRTVXZBDFHJLNPRTVXZ" & _
"CEGIKMOQSUWYACEGIKMOQSUWYADFHJLNPRTVXZBDFHJLNPRTVXZB" & _
"EGIKMOQSUWYACEGIKMOQSUWYACFHJLNPRTVXZBDFHJLNPRTVXZBD" & _
"GIKMOQSUWYACEGIKMOQSUWYACEHJLNPRTVXZBDFHJLNPRTVXZBDF" & _
"IKMOQSUWYACEGIKMOQSUWYACEGJLNPRTVXZBDFHJLNPRTVXZBDFH" & _
"KMOQSUWYACEGIKMOQSUWYACEGILNPRTVXZBDFHJLNPRTVXZBDFHJ" & _
"MOQSUWYACEGIKMOQSUWYACEGIKNPRTVXZBDFHJLNPRTVXZBDFHJL" & _
"OQSUWYACEGIKMOQSUWYACEGIKMPRTVXZBDFHJLNPRTVXZBDFHJLN" & _
"QSUWYACEGIKMOQSUWYACEGIKMORTVXZBDFHJLNPRTVXZBDFHJLNP" & _
"SUWYACEGIKMOQSUWYACEGIKMOQTVXZBDFHJLNPRTVXZBDFHJLNPR" & _
"UWYACEGIKMOQSUWYACEGIKMOQSVXZBDFHJLNPRTVXZBDFHJLNPRT" & _
"WYACEGIKMOQSUWYACEGIKMOQSUXZBDFHJLNPRTVXZBDFHJLNPRTV" & _
"YACEGIKMOQSUWYACEGIKMOQSUWZBDFHJLNPRTVXZBDFHJLNPRTVX"
UserName = Trim(Text1.Text)
Length = Len(UserName)
If Length < 4 Then
Text2.Text = "用户名至少必须为4位!"
Else
For i = 1 To Length
Sum = Sum + Asc(Mid(UserName, i, 1))
Next i
Num = (Sum Mod &H1A) + &H41
UserName = UCase(UserName)
If Length = 4 Then
For i = 2 To 4
TmpUserName = TmpUserName & Chr((Asc(Mid(UserName, i, 1)) Xor &H64) Mod &H1A + &H41)
Next i
UserName = UserName & TmpUserName & Chr((0 Xor &H64) Mod &H1A + &H41)
End If
If (Length > 4 And Length < 8) Then
For i = 2 To (9 - Length)
TmpUserName = TmpUserName & Chr((Mid(UserName, i, 1) Xor &H64) Mod &H1A + &H41)
Next i
UserName = UserName & TmpUserName
End If
If (Sum Mod 2 = 0) Then
For i = 1 To 8
TmpNum1 = ((Asc(Mid(UserName, i, 1)) - Int((Num / (2 ^ 5)))) Mod &H1A) * &HD
TmpNum2 = Asc(Mid(UserName, i, 1)) And &H8000000F
TmpNum3 = TmpNum1 * 2 + TmpNum2
TmpNum = Asc(Mid(Str1, TmpNum3 + 1, 1)) - &H41
Do While (TmpNum < &H20)
TmpNum = TmpNum + &H1A
Loop
TmpStr1 = TmpStr1 & Chr(TmpNum)
Next i
For i = 1 To 8
TmpNum = ((Asc(Mid(TmpStr1, i, 1)) Xor Int((Num / (2 ^ 2)))) Mod &H1A) + &H41
TmpStr2 = TmpStr2 & Chr(TmpNum)
Next i
Serial = TmpStr1 & TmpStr2
End If
If (Sum Mod 2 = 1) Then
For i = 1 To 8
TmpNum1 = ((Asc(Mid(UserName, i, 1)) - Int((Num / (2 ^ 5)))) Mod &H1A) * &HD
TmpNum2 = (Asc(Mid(UserName, i, 1)) - Int((Num / (2 ^ 4)))) Mod &H1A
TmpNum3 = TmpNum1 * 2 + TmpNum2
TmpNum = Asc(Mid(Str2, TmpNum3 + 1, 1)) - &H41
Do While (TmpNum < &H20)
TmpNum = TmpNum + &H1A
Loop
TmpStr1 = TmpStr1 & Chr(TmpNum)
Next i
For i = 1 To 8
TmpNum = ((Asc(Mid(TmpStr1, i, 1)) Xor Int((Num / (2 ^ 2)))) Mod &H1A) + &H41
TmpStr2 = TmpStr2 & Chr(TmpNum)
Next i
Serial = TmpStr1 & TmpStr2
End If
Text2.Text = Serial
End If
End Sub
-----------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
上传的附件:
外加一句 强悍.
