第二个CrackMe by deletex简单算法分析+VB注册机源码-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

第二个CrackMe by deletex简单算法分析+VB注册机源码

发表于: 2007-11-25 20:37 6146

第二个CrackMe by deletex简单算法分析+VB注册机源码

hrbx

2007-11-25 20:37

6146

【破文标题】第二个CrackMe by deletex简单算法分析+VB注册机源码
【破解作者】hrbx
【使用工具】OllDbg1.10、Peid
【破解日期】2007-11-25
【下载地址】http://bbs.chinapyg.com/viewthread.php?tid=16561
【软件简介】第二个CrackMe by deletex
-----------------------------------------------------------------------------------------
【破解声明】我是一只小菜鸟，偶得一点心得，愿与大家分享：）
-----------------------------------------------------------------------------------------
【破解过程】
1.查壳。用Peid扫描程序，显示为：Microsoft Visual C++ 6.0，无壳。
2.试运行。运行程序，输入注册信息后，点"OK"按钮没有任何提示。
3.追出算法。OD载入CrackMe，F9运行，输入注册信息：

====================================================
RegName:hrbx
RegCode:9876543210
====================================================
命令栏输入: bp GetWindowTextLengthA，回车，点"OK"按钮，立即中断：

77D4EF2B U>  8BFF          mov edi,edi                               ; 中断在这，USER32.GetDlgItem
77D4EF2D    55             push ebp
77D4EF2E    8BEC          mov ebp,esp
77D4EF30    8B4D 08       mov ecx,dword ptr ss:[ebp+8]

观察堆栈友好提示:

0012FA6C    0040150B       /CALL 到 GetWindowTextLengthA 来自 CrackMe.00401509
0012FA70    0005047C       \hWnd = 0005047C (class='Edit',parent=001903E8)

Alt+F9返回，来到:

004014F4    8B3D A8504000 mov edi,dword ptr ds:[<&USER32.GetDlgItem>] ; USER32.GetDlgItem
004014FA    68 EA030000    push 3EA                                     ; 获取用户名文本框控件的指针
004014FF    50             push eax
00401500    FFD7          call edi
00401502    8B35 9C504000 mov esi,dword ptr ds:[<&USER32.GetWindowTextL>; USER32.GetWindowTextLengthA
00401508    50             push eax
00401509    FFD6          call esi                                     ; 获取用户名长度
0040150B    8B0D A4644000 mov ecx,dword ptr ds:[4064A4]                ; Alt+F9返回到这里
00401511    68 E8030000    push 3E8
00401516    51             push ecx
00401517    894424 20    mov dword ptr ss:[esp+20],eax                ; 用户名长度保存,EAX=0x4
0040151B    FFD7          call edi                                     ; USER32.GetDlgItem
0040151D    50             push eax                                     ; 获取注册码文本框控件的指针
0040151E    FFD6          call esi                                     ; 获取注册码长度
00401520    6A 1E          push 1E
00401522    8BD8          mov ebx,eax                                  ; 注册码长度保存,EBX=EAX=0xA
00401524    E8 67020000    call CrackMe.00401790
00401529    83C4 04       add esp,4
0040152C    33ED          xor ebp,ebp
0040152E    83FB 10       cmp ebx,10                                  ; 注册码长度与0x10(16)比较
00401531    8BF0          mov esi,eax
00401533    75 5B          jnz short CrackMe.00401590                   ; 不等则Over,
00401535    837C24 18 04 cmp dword ptr ss:[esp+18],4                ; 用户名长度与0x4比较
0040153A    7C 54          jl short CrackMe.00401590                   ; 小于则Over,
0040153C    8B15 A4644000 mov edx,dword ptr ds:[4064A4]
00401542    6A 1E          push 1E
00401544    56             push esi
00401545    68 EA030000    push 3EA
0040154A    52             push edx
0040154B    FFD7          call edi
0040154D    50             push eax
0040154E    FF15 A0504000 call dword ptr ds:[<&USER32.GetWindowTextA>]  ; USER32.GetWindowTextA
00401554    8A06          mov al,byte ptr ds:[esi]                   ; 取用户名第一位字符的ASCII值
00401556    84C0          test al,al
00401558    74 0F          je short CrackMe.00401569
0040155A    25 FF000000    and eax,0FF
0040155F    03E8          add ebp,eax                                  ; EBP=EBP+EAX,用户名每一位字符的ASCII值累加
00401561    8A46 01       mov al,byte ptr ds:[esi+1]                   ; 取用户名下一位字符的ASCII值
00401564    46             inc esi
00401565    84C0          test al,al
00401567 ^ 75 F1          jnz short CrackMe.0040155A
00401569    8BC5          mov eax,ebp                                  ; EBP=0x1B4
0040156B    B9 1A000000    mov ecx,1A                                  ; ECX=0x1A
00401570    99             cdq
00401571    F7F9          idiv ecx                                     ; EAX/ECX,商给EAX,余数给EDX
00401573    6A 00          push 0
00401575    6A 00          push 0
00401577    68 01040000    push 401
0040157C    80C2 41       add dl,41                                  ; DL=DL+0x41
0040157F    8815 90644000 mov byte ptr ds:[406490],dl                ; DL保存,DL=55 ('U')
00401585    8B5424 20    mov edx,dword ptr ss:[esp+20]
00401589    52             push edx
0040158A    FF15 98504000 call dword ptr ds:[<&USER32.SendMessageA>] ; F8步过,中断
00401590    5F             pop edi
00401591    5E             pop esi
00401592    5D             pop ebp
00401593    B8 01000000    mov eax,1
00401598    5B             pop ebx
00401599    C2 1000       retn 10

F8步过0040158A，中断在如下位置:

77D4EF2B U>  8BFF          mov edi,edi                                  ; USER32.GetWindowTextLengthA
77D4EF2D    55             push ebp
77D4EF2E    8BEC          mov ebp,esp

观察堆栈友好提示:

0012F850    004015DE       /CALL 到 GetWindowTextLengthA 来自 CrackMe.004015DC
0012F854    00090480       \hWnd = 00090480 (class='Edit',parent=002003E8)

Alt+F9返回，来到:

004015DE    8B0D A4644000 mov ecx,dword ptr ds:[4064A4]          ; 返回来到
004015E4    68 E8030000    push 3E8
004015E9    51             push ecx
004015EA    8BD8          mov ebx,eax
004015EC    FFD6          call esi                               ; USER32.GetDlgItem
004015EE    50             push eax                               ; 获取用户名文本框控件的指针
004015EF    FFD7          call edi                               ; USER32.GetWindowTextLengthA
004015F1    83F8 10       cmp eax,10                               ; 注册码长度与0x10(16)比较
004015F4    74 1F          je short CrackMe.00401615                ; 不等则Over
004015F6    8B5424 10    mov edx,dword ptr ss:[esp+10]
004015FA    52             push edx
004015FB    E8 9E010000    call CrackMe.0040179E
00401600    8B4424 18    mov eax,dword ptr ss:[esp+18]
00401604    50             push eax
00401605    E8 94010000    call CrackMe.0040179E
0040160A    83C4 08       add esp,8
0040160D    5F             pop edi
0040160E    5E             pop esi
0040160F    5D             pop ebp
00401610    5B             pop ebx
00401611    83C4 08       add esp,8
00401614    C3             retn
00401615    83FB 04       cmp ebx,4                               ; 用户名长度与0x4比较
00401618    0F8C 99000000 jl CrackMe.004016B7                      ; 小于则Over
0040161E    83FB 10       cmp ebx,10                               ; 注册码长度与0x10(16)比较
00401621    0F8F 90000000 jg CrackMe.004016B7                      ; 大于则Over
00401627    8B4C24 10    mov ecx,dword ptr ss:[esp+10]
0040162B    8B15 A4644000 mov edx,dword ptr ds:[4064A4]
00401631    6A 1E          push 1E
00401633    51             push ecx
00401634    68 EA030000    push 3EA
00401639    52             push edx
0040163A    FFD6          call esi
0040163C    8B3D A0504000 mov edi,dword ptr ds:[<&USER32.GetWindowT>; USER32.GetWindowTextA
00401642    50             push eax
00401643    FFD7          call edi
00401645    8B4424 14    mov eax,dword ptr ss:[esp+14]
00401649    8B0D A4644000 mov ecx,dword ptr ds:[4064A4]
0040164F    6A 1E          push 1E
00401651    50             push eax
00401652    68 E8030000    push 3E8
00401657    51             push ecx
00401658    FFD6          call esi                               ; USER32.GetDlgItem
0040165A    50             push eax
0040165B    FFD7          call edi                               ; USER32.GetWindowTextA
0040165D    8B4C24 10    mov ecx,dword ptr ss:[esp+10]          ; 用户名"hrbx"
00401661    8A01          mov al,byte ptr ds:[ecx]
00401663    84C0          test al,al
00401665    74 0D          je short CrackMe.00401674
00401667    0FBED0       movsx edx,al
0040166A    8A41 01       mov al,byte ptr ds:[ecx+1]
0040166D    03EA          add ebp,edx                            ; 取用户名每一位字符的ASCII值累加
0040166F    41             inc ecx                                  ; EBP=0x1B4
00401670    84C0          test al,al
00401672 ^ 75 F3          jnz short CrackMe.00401667
00401674    81E5 01000080 and ebp,80000001
0040167A    79 05          jns short CrackMe.00401681
0040167C    4D             dec ebp
0040167D    83CD FE       or ebp,FFFFFFFE
00401680    45             inc ebp
00401681    74 1A          je short CrackMe.0040169D                ; 根据用户名ASCII值之和决定跳转
00401683    8D4424 14    lea eax,dword ptr ss:[esp+14]
00401687    8D4C24 10    lea ecx,dword ptr ss:[esp+10]
0040168B    50             push eax
0040168C    51             push ecx
0040168D    E8 6EF9FFFF    call CrackMe.00401000                   ; ASCII值累加和为奇数进入这里
00401692    83C4 08       add esp,8
00401695    5F             pop edi
00401696    5E             pop esi
00401697    5D             pop ebp
00401698    5B             pop ebx
00401699    83C4 08       add esp,8
0040169C    C3             retn
0040169D    8D5424 14    lea edx,dword ptr ss:[esp+14]
004016A1    8D4424 10    lea eax,dword ptr ss:[esp+10]
004016A5    52             push edx
004016A6    50             push eax
004016A7    E8 74FBFFFF    call CrackMe.00401220                   ; ASCII值累加和为偶数进入这里
004016AC    83C4 08       add esp,8                               ; 关键CALL-1,F7进入
004016AF    5F             pop edi
004016B0    5E             pop esi
004016B1    5D             pop ebp
004016B2    5B             pop ebx
004016B3    83C4 08       add esp,8
004016B6    C3             retn
004016B7    8B4C24 10    mov ecx,dword ptr ss:[esp+10]
004016BB    51             push ecx
004016BC    E8 DD000000    call CrackMe.0040179E
004016C1    8B5424 18    mov edx,dword ptr ss:[esp+18]
004016C5    52             push edx
004016C6    E8 D3000000    call CrackMe.0040179E
004016CB    83C4 08       add esp,8
004016CE    5F             pop edi
004016CF    5E             pop esi
004016D0    5D             pop ebp
004016D1    5B             pop ebx
004016D2    83C4 08       add esp,8
004016D5    C3             retn

以用户名"hrbx"为例，由于用户名字符的ASCII累加之和为偶数，于是F7进入004016A7处的关键CALL-1，来到:

00401220    55             push ebp
00401221    8BEC          mov ebp,esp
00401223    81EC B8020000 sub esp,2B8
00401229    53             push ebx
0040122A    56             push esi
0040122B    57             push edi
0040122C    B9 A8000000    mov ecx,0A8
00401231    33C0          xor eax,eax
00401233    8DBD 49FDFFFF lea edi,dword ptr ss:[ebp-2B7]
00401239    C685 48FDFFFF 0>mov byte ptr ss:[ebp-2B8],0
00401240    6A 1E          push 1E
00401242    F3:AB          rep stos dword ptr es:[edi]
00401244    66:AB          stos word ptr es:[edi]
00401246    AA             stos byte ptr es:[edi]
00401247    E8 44050000    call CrackMe.00401790
0040124C    6A 1E          push 1E
0040124E    8BD8          mov ebx,eax
00401250    E8 3B050000    call CrackMe.00401790
00401255    8A0D 90644000 mov cl,byte ptr ds:[406490]       ; ds:[00406490]=55 ('U')
0040125B    8BD0          mov edx,eax
0040125D    8D45 F8       lea eax,dword ptr ss:[ebp-8]
00401260    884D FF       mov byte ptr ss:[ebp-1],cl          ; CL=55 ('U')
00401263    8945 F0       mov dword ptr ss:[ebp-10],eax
00401266    8B45 08       mov eax,dword ptr ss:[ebp+8]
00401269    83C9 FF       or ecx,FFFFFFFF
0040126C    83C4 08       add esp,8
0040126F    8B38          mov edi,dword ptr ds:[eax]          ; 用户名"hrbx"
00401271    33C0          xor eax,eax
00401273    F2:AE          repne scas byte ptr es:[edi]
00401275    F7D1          not ecx
00401277    2BF9          sub edi,ecx
00401279    8955 F4       mov dword ptr ss:[ebp-C],edx
0040127C    8BC1          mov eax,ecx
0040127E    8BF7          mov esi,edi
00401280    8BFB          mov edi,ebx
00401282    C1E9 02       shr ecx,2
00401285    F3:A5          rep movs dword ptr es:[edi],dword pt>
00401287    8BC8          mov ecx,eax
00401289    33C0          xor eax,eax
0040128B    83E1 03       and ecx,3
0040128E    F3:A4          rep movs byte ptr es:[edi],byte ptr >
00401290    8B4D 0C       mov ecx,dword ptr ss:[ebp+C]
00401293    8B39          mov edi,dword ptr ds:[ecx]          ; 注册码"9876543210123456"
00401295    83C9 FF       or ecx,FFFFFFFF
00401298    F2:AE          repne scas byte ptr es:[edi]
0040129A    F7D1          not ecx
0040129C    2BF9          sub edi,ecx
0040129E    8BC1          mov eax,ecx
004012A0    8BF7          mov esi,edi
004012A2    8BFA          mov edi,edx
004012A4    C1E9 02       shr ecx,2
004012A7    F3:A5          rep movs dword ptr es:[edi],dword pt>
004012A9    8BC8          mov ecx,eax
004012AB    33C0          xor eax,eax
004012AD    83E1 03       and ecx,3
004012B0    F3:A4          rep movs byte ptr es:[edi],byte ptr >
004012B2    8BFB          mov edi,ebx
004012B4    83C9 FF       or ecx,FFFFFFFF
004012B7    F2:AE          repne scas byte ptr es:[edi]
004012B9    F7D1          not ecx
004012BB    49             dec ecx
004012BC    33F6          xor esi,esi
004012BE    894D EC       mov dword ptr ss:[ebp-14],ecx       ; 用户名长度,ECX=0x4
004012C1    8D8D 48FDFFFF lea ecx,dword ptr ss:[ebp-2B8]
004012C7    8975 0C       mov dword ptr ss:[ebp+C],esi
004012CA    894D 08       mov dword ptr ss:[ebp+8],ecx
004012CD    33C9          xor ecx,ecx
004012CF    8BC6          mov eax,esi
004012D1    BF 1A000000    mov edi,1A                         ; EDI=0x1A
004012D6    99             cdq
004012D7    F7FF          idiv edi                            ; EAX/EDI
004012D9    8B45 08       mov eax,dword ptr ss:[ebp+8]
004012DC    80C2 41       add dl,41                         ; DL=DL+0x41
004012DF    881408       mov byte ptr ds:[eax+ecx],dl       ; dl=41 ('A')
004012E2    41             inc ecx
004012E3    46             inc esi
004012E4    3BCF          cmp ecx,edi
004012E6 ^ 7C E7          jl short CrackMe.004012CF
004012E8    8B75 0C       mov esi,dword ptr ss:[ebp+C]
004012EB    8BC8          mov ecx,eax                         ; 形成字符串"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
004012ED    83C6 02       add esi,2
004012F0    03CF          add ecx,edi
004012F2    83FE 34       cmp esi,34                         ; ESI与0x34(52)比较
004012F5    8975 0C       mov dword ptr ss:[ebp+C],esi
004012F8    894D 08       mov dword ptr ss:[ebp+8],ecx
004012FB ^ 7C D0          jl short CrackMe.004012CD          ; 小于则继续
004012FD    8B75 EC       mov esi,dword ptr ss:[ebp-14]
00401300    56             push esi
00401301    53             push ebx                            ; 用户名"hrbx"
00401302    E8 D9030000    call CrackMe.004016E0             ; 用户名转为大写"HRBX"
00401307    83C4 08       add esp,8
0040130A    85C0          test eax,eax
0040130C    0F84 1D010000 je CrackMe.0040142F
00401312    56             push esi
00401313    53             push ebx
00401314    E8 27040000    call CrackMe.00401740             ; 关键CALL-2,F7进入,用户名变换得到"HRBXCMIW"
00401319    0FBE7D FF    movsx edi,byte ptr ss:[ebp-1]       ; EDI=ss:[0012F847]=55 ('U')
0040131D    8B45 F4       mov eax,dword ptr ss:[ebp-C]
00401320    83C4 08       add esp,8
00401323    C1FF 05       sar edi,5                         ; EDI=EDI sar 5
00401326    2BC3          sub eax,ebx
00401328    C745 08 0000000>mov dword ptr ss:[ebp+8],0
0040132F    8BCB          mov ecx,ebx                         ; 变换后的用户名"HRBXCMIW"
00401331    8945 0C       mov dword ptr ss:[ebp+C],eax
00401334    33D2          xor edx,edx
00401336    BB 1A000000    mov ebx,1A                         ; EBX=0x1A
0040133B    8A11          mov dl,byte ptr ds:[ecx]          ; 依次取变换后的用户名每一位字符的ASCII值
0040133D    8BF2          mov esi,edx                         ; EDX=0x48
0040133F    8BC6          mov eax,esi
00401341    2BC7          sub eax,edi                         ; EAX=EAX-EDI
00401343    99             cdq
00401344    F7FB          idiv ebx                            ; EAX/EBX,商给EAX,余数给EDX
00401346    0FBEC2       movsx eax,dl                      ; EAX=DL=0x12
00401349    8D1440       lea edx,dword ptr ds:[eax+eax*2]    ; EDX=EAX+EAX*2
0040134C    8D0490       lea eax,dword ptr ds:[eax+edx*4]    ; EAX=EAX+EDX*4
0040134F    8BD6          mov edx,esi                         ; EDX=ESI=0x48
00401351    81E2 0F000080 and edx,8000000F                   ; EDX=EDX and 0x8000000F,取低4位
00401357    79 05          jns short CrackMe.0040135E
00401359    4A             dec edx
0040135A    83CA F0       or edx,FFFFFFF0
0040135D    42             inc edx
0040135E    0FBED2       movsx edx,dl                      ; EDX=DL=0x8
00401361    BB 1A000000    mov ebx,1A                         ; EBX=0x1A
00401366    8D9415 48FDFFFF lea edx,dword ptr ss:[ebp+edx-2B8] ; EDX=ss:[ebp+edx-2B8]
0040136D    0FBE3442       movsx esi,byte ptr ds:[edx+eax*2] ; 根据EDX在字符串取字符
00401371    8B45 0C       mov eax,dword ptr ss:[ebp+C]
00401374    0FBE0408       movsx eax,byte ptr ds:[eax+ecx]    ; 依次取注册码每一位字符的ASCII值
00401378    99             cdq
00401379    F7FB          idiv ebx                            ; EAX/EBX,商给EAX,余数给EDX
0040137B    83C2 41       add edx,41                         ; EDX=EDX+0x41
0040137E    3BF2          cmp esi,edx                         ; 比较根据用户名取的字符与注册码运算结果是否相等
00401380    0F85 A9000000 jnz CrackMe.0040142F                ; 不等则Over
00401386    8B45 08       mov eax,dword ptr ss:[ebp+8]
00401389    40             inc eax
0040138A    41             inc ecx
0040138B    83F8 08       cmp eax,8                         ; EAX与0x8比较,只检查注册码前8位
0040138E    8945 08       mov dword ptr ss:[ebp+8],eax
00401391 ^ 7C A1          jl short CrackMe.00401334
00401393    BB DB134000    mov ebx,CrackMe.004013DB          ; \对004013DF---00401431段解码
00401398    895D 08       mov dword ptr ss:[ebp+8],ebx       ; |
0040139B    B8 2F144000    mov eax,CrackMe.0040142F          ; |
004013A0    2BC3          sub eax,ebx                         ; |
004013A2    8B5D F0       mov ebx,dword ptr ss:[ebp-10]       ; |
004013A5    8903          mov dword ptr ds:[ebx],eax          ; |
004013A7    8B45 F8       mov eax,dword ptr ss:[ebp-8]       ; |
004013AA    33F6          xor esi,esi                         ; |
004013AC    99             cdq                               ; |
004013AD    83E2 03       and edx,3                         ; |
004013B0    03C2          add eax,edx                         ; |
004013B2    C1F8 02       sar eax,2                         ; |
004013B5    85C0          test eax,eax                      ; |
004013B7    7E 22          jle short CrackMe.004013DB          ; |
004013B9    8B4D 08       mov ecx,dword ptr ss:[ebp+8]       ; |
004013BC    8B11          mov edx,dword ptr ds:[ecx]          ; |
004013BE    83C1 04       add ecx,4                         ; |
004013C1    81F2 82044B00 xor edx,4B0482                      ; |
004013C7    46             inc esi                            ; |
004013C8    8951 FC       mov dword ptr ds:[ecx-4],edx       ; |
004013CB    8B45 F8       mov eax,dword ptr ss:[ebp-8]       ; |
004013CE    99             cdq                               ; |
004013CF    83E2 03       and edx,3                         ; |
004013D2    03C2          add eax,edx                         ; |
004013D4    C1F8 02       sar eax,2                         ; |
004013D7    3BF0          cmp esi,eax                         ; |
004013D9 ^ 7C E1          jl short CrackMe.004013BC          ; /解码结束
004013DB    40             inc eax
004013DC    48             dec eax
004013DD    40             inc eax
004013DE    48             dec eax
004013DF    0FBE75 FF    movsx esi,byte ptr ss:[ebp-1]       ; ESI=ss:[0012F847]=55 ('U')
004013E3    8B45 F4       mov eax,dword ptr ss:[ebp-C]       ; 注册码"9876543210123456"
004013E6    BF F8FFFFFF    mov edi,-8
004013EB    C1FE 02       sar esi,2                         ; ESI=ESI sar 2
004013EE    8D48 08       lea ecx,dword ptr ds:[eax+8]       ; 取注册码后8位"12345678"
004013F1    2BF8          sub edi,eax
004013F3    0FBE41 F8    movsx eax,byte ptr ds:[ecx-8]       ; 依次取注册码前8位每一位字符的ASCII值
004013F7    33C6          xor eax,esi                         ; EAX=EAX xor ESI
004013F9    BB 1A000000    mov ebx,1A                         ; EBX=0x1A
004013FE    99             cdq
004013FF    F7FB          idiv ebx                            ; EAX/EBX,商给EAX,余数给EDX
00401401    0FBE01       movsx eax,byte ptr ds:[ecx]       ; 依次取注册码后8位每一位字符的ASCII值
00401404    83C2 41       add edx,41                         ; EDX=EDX+0x41
00401407    3BC2          cmp eax,edx                         ; 比较是否相等
00401409    75 24          jnz short CrackMe.0040142F          ; 不等则Over
0040140B    41             inc ecx
0040140C    8D140F       lea edx,dword ptr ds:[edi+ecx]
0040140F    83FA 08       cmp edx,8
00401412 ^ 7C DF          jl short CrackMe.004013F3
00401414    A1 A4644000    mov eax,dword ptr ds:[4064A4]
00401419    6A 00          push 0
0040141B    6A 01          push 1
0040141D    50             push eax
0040141E    FF15 A8504000 call dword ptr ds:[<&USER32.GetDlgIt>; USER32.GetDlgItem
00401424    50             push eax                            ; 获取"OK"按钮控件的指针
00401425    FF15 AC504000 call dword ptr ds:[<&USER32.EnableWi>; USER32.EnableWindow
0040142B    90             nop                               ; 使按钮变灰
0040142C    90             nop
0040142D    90             nop
0040142E    90             nop
0040142F    5F             pop edi
00401430    5E             pop esi
00401431    5B             pop ebx
00401432    8BE5          mov esp,ebp
00401434    5D             pop ebp
00401435    C3             retn


F7进入00401314处的关键CALL-2，来到:

00401740    8B5424 08    mov edx,dword ptr ss:[esp+8]             ; 用户名长度
00401744    8B4C24 04    mov ecx,dword ptr ss:[esp+4]
00401748    83FA 08       cmp edx,8                               ; 用户长度与0x8比较
0040174B    7C 04          jl short CrackMe.00401751
0040174D    C641 08 00    mov byte ptr ds:[ecx+8],0
00401751    B8 08000000    mov eax,8                               ; EAX=8
00401756    2BC2          sub eax,edx                            ; EAX=EAX-EDX
00401758    85C0          test eax,eax
0040175A    7E 2E          jle short CrackMe.0040178A
0040175C    53             push ebx                               ; 用户名大写"HRBX"
0040175D    56             push esi
0040175E    03C8          add ecx,eax
00401760    BE 01000000    mov esi,1                               ; ESI=1
00401765    57             push edi
00401766    2BF2          sub esi,edx                            ; ESI=ESI-EDX,1-用户名长度
00401768    8D4C11 FF    lea ecx,dword ptr ds:[ecx+edx-1]
0040176C    8BF8          mov edi,eax
0040176E    33C0          xor eax,eax
00401770    BB 1A000000    mov ebx,1A                               ; EBX=0x1A
00401775    8A040E       mov al,byte ptr ds:[esi+ecx]             ; 根据ESI从用户名中倒序取字符的ASCII值(8+1-用户名长度)
00401778    83F0 64       xor eax,64                               ; EAX=EAX xor 0x64
0040177B    99             cdq
0040177C    F7FB          idiv ebx                               ; EAX/EBX,商给EAX,余数给EDX
0040177E    80C2 41       add dl,41                               ; DL=DL+0x41
00401781    8811          mov byte ptr ds:[ecx],dl                ; DL保存
00401783    49             dec ecx
00401784    4F             dec edi
00401785 ^ 75 E7          jnz short CrackMe.0040176E
00401787    5F             pop edi
00401788    5E             pop esi
00401789    5B             pop ebx
0040178A    C3             retn

-----------------------------------------------------------------------------------------
【破解总结】
1.用户名必须不小于4位,注册码必须为0x10(16)位。
2.设用户名所有字符的ASCII值之和为Sum，计算(Sum Mod 0x1A)+0x41，结果设为Num，设用户名长度为Length。
3.用户名转为大写,若用户名长度小于8,则对用户名时行变换，具体为：从用户名第(8+1-Length)位倒序取字符的ASCII值，记为S[I]。
计算S[I]=(S[I] xor 0x64) Mod 0x1A +0x41，取S[I]对应的字符连接在用户名最后位置，直到用户名凑足8位，变换后的用户名记为Name。
4.根据Sum为奇数或偶数进行相应的计算。
  4.1.若Sum为偶数,则:
   4.1.1.形成固定字符串Str1(见附表1)。
   4.1.2.依次取Name每一位字符的ASCII值，记为N[I]。
   4.1.3.计算TmpNum1=(((N[I]-(Num sar 5)) Mod 0x1A)*0xD。
   4.1.4.计算TmpNum2=N[I] and 0x8000000F。
   4.1.5.根据(TmpNum2+TmpNum1*2)在字符串Str1中取相应位置的字符。
   4.1.6.依次取注册码前8位字符的ASCII值，记为C[I]，计算 ((C[I] Mod 0x1A) +0x41)。
   4.1.7.比较4.1.5与4.1.6计算得到的字符是否相等，相等则注册码前8位通过。
   4.1.8.计算(((C[I] xor (Num sar 2)) Mod 0x1A+0x41))。
   4.1.9.依次取注册码后8位字符的ASCII值，记为C[I+8]。
   4.1.10.比较4.1.8与4.1.9计算得到的字符是否相等，相等则注册码后8位通过。
  4.2.若Sum为奇数,则:
   4.2.1.形成固定字符串Str2(见附表2)。
   4.2.2.依次取Name每一位字符的ASCII值，记为N[I]。
   4.2.3.计算TmpNum1=(((N[I]-(Num sar 5)) Mod 0x1A)*0xD。
   4.2.4.计算TmpNum2=(((N[I]-(Num sar 4)) Mod 0x1A)。
   4.2.5.根据(TmpNum2+TmpNum1*2)在字符串Str1中取相应位置的字符。
   4.2.6.依次取注册码前8位字符的ASCII值，记为C[I]，计算 ((C[I] Mod 0x1A) +0x41)。
   4.2.7.比较4.2.5与4.2.6计算得到的字符是否相等，相等则注册码前8位通过。
   4.2.8.计算(((C[I] xor (Num sar 2)) Mod 0x1A+0x41))。
   4.2.9.依次取注册码后8位字符的ASCII值，记为C[I+8]。
   4.2.10.比较4.2.8与4.2.9计算得到的字符是否相等，相等则注册码后8位通过。

字符串Str1(附表1)
=============================
ABCDEFGHIJKLMNOPQRSTUVWXYZ
CDEFGHIJKLMNOPQRSTUVWXYZAB
EFGHIJKLMNOPQRSTUVWXYZABCD
GHIJKLMNOPQRSTUVWXYZABCDEF
IJKLMNOPQRSTUVWXYZABCDEFGH
KLMNOPQRSTUVWXYZABCDEFGHIJ
MNOPQRSTUVWXYZABCDEFGHIJKL
OPQRSTUVWXYZABCDEFGHIJKLMN
QRSTUVWXYZABCDEFGHIJKLMNOP
STUVWXYZABCDEFGHIJKLMNOPQR
UVWXYZABCDEFGHIJKLMNOPQRST
WXYZABCDEFGHIJKLMNOPQRSTUV
YZABCDEFGHIJKLMNOPQRSTUVWX
ABCDEFGHIJKLMNOPQRSTUVWXYZ
CDEFGHIJKLMNOPQRSTUVWXYZAB
EFGHIJKLMNOPQRSTUVWXYZABCD
GHIJKLMNOPQRSTUVWXYZABCDEF
IJKLMNOPQRSTUVWXYZABCDEFGH
KLMNOPQRSTUVWXYZABCDEFGHIJ
MNOPQRSTUVWXYZABCDEFGHIJKL
OPQRSTUVWXYZABCDEFGHIJKLMN
QRSTUVWXYZABCDEFGHIJKLMNOP
STUVWXYZABCDEFGHIJKLMNOPQR
UVWXYZABCDEFGHIJKLMNOPQRST
WXYZABCDEFGHIJKLMNOPQRSTUV
YZABCDEFGHIJKLMNOPQRSTUVWX
=============================

字符串Str2(附表2)
=============================
ACEGIKMOQSUWYACEGIKMOQSUWY
BDFHJLNPRTVXZBDFHJLNPRTVXZ
CEGIKMOQSUWYACEGIKMOQSUWYA
DFHJLNPRTVXZBDFHJLNPRTVXZB
EGIKMOQSUWYACEGIKMOQSUWYAC
FHJLNPRTVXZBDFHJLNPRTVXZBD
GIKMOQSUWYACEGIKMOQSUWYACE
HJLNPRTVXZBDFHJLNPRTVXZBDF
IKMOQSUWYACEGIKMOQSUWYACEG
JLNPRTVXZBDFHJLNPRTVXZBDFH
KMOQSUWYACEGIKMOQSUWYACEGI
LNPRTVXZBDFHJLNPRTVXZBDFHJ
MOQSUWYACEGIKMOQSUWYACEGIK
NPRTVXZBDFHJLNPRTVXZBDFHJL
OQSUWYACEGIKMOQSUWYACEGIKM
PRTVXZBDFHJLNPRTVXZBDFHJLN
QSUWYACEGIKMOQSUWYACEGIKMO
RTVXZBDFHJLNPRTVXZBDFHJLNP
SUWYACEGIKMOQSUWYACEGIKMOQ
TVXZBDFHJLNPRTVXZBDFHJLNPR
UWYACEGIKMOQSUWYACEGIKMOQS
VXZBDFHJLNPRTVXZBDFHJLNPRT
WYACEGIKMOQSUWYACEGIKMOQSU
XZBDFHJLNPRTVXZBDFHJLNPRTV
YACEGIKMOQSUWYACEGIKMOQSUW
ZBDFHJLNPRTVXZBDFHJLNPRTVX
=============================

一组可用注册信息：

====================================================
RegName:hrbx
RegCode:, 427!//FBHNIAGG
====================================================

-----------------------------------------------------------------------------------------
【VB注册机源码】

Private Sub Generate_Click()
Dim UserName As String
Dim Serial As String
Dim TmpUserName As String
Dim TmpStr1 As String
Dim TmpStr2 As String
Dim Str1 As String
Dim Str2 As String
Dim Sum As Integer
Dim Num As Integer
Dim i As Integer
Dim Length As Integer
Dim TmpNum As Long
Dim TmpNum1 As Long
Dim TmpNum2 As Long
Dim TmpNum3 As Long

On Error Resume Next

Str1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZCDEFGHIJKLMNOPQRSTUVWXYZAB" & _
   "EFGHIJKLMNOPQRSTUVWXYZABCDGHIJKLMNOPQRSTUVWXYZABCDEF" & _
   "IJKLMNOPQRSTUVWXYZABCDEFGHKLMNOPQRSTUVWXYZABCDEFGHIJ" & _
   "MNOPQRSTUVWXYZABCDEFGHIJKLOPQRSTUVWXYZABCDEFGHIJKLMN" & _
   "QRSTUVWXYZABCDEFGHIJKLMNOPSTUVWXYZABCDEFGHIJKLMNOPQR" & _
   "UVWXYZABCDEFGHIJKLMNOPQRSTWXYZABCDEFGHIJKLMNOPQRSTUV" & _
   "YZABCDEFGHIJKLMNOPQRSTUVWXABCDEFGHIJKLMNOPQRSTUVWXYZ" & _
   "CDEFGHIJKLMNOPQRSTUVWXYZABEFGHIJKLMNOPQRSTUVWXYZABCD" & _
   "GHIJKLMNOPQRSTUVWXYZABCDEFIJKLMNOPQRSTUVWXYZABCDEFGH" & _
   "KLMNOPQRSTUVWXYZABCDEFGHIJMNOPQRSTUVWXYZABCDEFGHIJKL" & _
   "OPQRSTUVWXYZABCDEFGHIJKLMNQRSTUVWXYZABCDEFGHIJKLMNOP" & _
   "STUVWXYZABCDEFGHIJKLMNOPQRUVWXYZABCDEFGHIJKLMNOPQRST" & _
   "WXYZABCDEFGHIJKLMNOPQRSTUVYZABCDEFGHIJKLMNOPQRSTUVWX"

Str2 = "ACEGIKMOQSUWYACEGIKMOQSUWYBDFHJLNPRTVXZBDFHJLNPRTVXZ" & _
   "CEGIKMOQSUWYACEGIKMOQSUWYADFHJLNPRTVXZBDFHJLNPRTVXZB" & _
   "EGIKMOQSUWYACEGIKMOQSUWYACFHJLNPRTVXZBDFHJLNPRTVXZBD" & _
   "GIKMOQSUWYACEGIKMOQSUWYACEHJLNPRTVXZBDFHJLNPRTVXZBDF" & _
   "IKMOQSUWYACEGIKMOQSUWYACEGJLNPRTVXZBDFHJLNPRTVXZBDFH" & _
   "KMOQSUWYACEGIKMOQSUWYACEGILNPRTVXZBDFHJLNPRTVXZBDFHJ" & _
   "MOQSUWYACEGIKMOQSUWYACEGIKNPRTVXZBDFHJLNPRTVXZBDFHJL" & _
   "OQSUWYACEGIKMOQSUWYACEGIKMPRTVXZBDFHJLNPRTVXZBDFHJLN" & _
   "QSUWYACEGIKMOQSUWYACEGIKMORTVXZBDFHJLNPRTVXZBDFHJLNP" & _
   "SUWYACEGIKMOQSUWYACEGIKMOQTVXZBDFHJLNPRTVXZBDFHJLNPR" & _
   "UWYACEGIKMOQSUWYACEGIKMOQSVXZBDFHJLNPRTVXZBDFHJLNPRT" & _
   "WYACEGIKMOQSUWYACEGIKMOQSUXZBDFHJLNPRTVXZBDFHJLNPRTV" & _
   "YACEGIKMOQSUWYACEGIKMOQSUWZBDFHJLNPRTVXZBDFHJLNPRTVX"

UserName = Trim(Text1.Text)
Length = Len(UserName)

If Length < 4 Then
   Text2.Text = "用户名至少必须为4位！"
Else

For i = 1 To Length
   Sum = Sum + Asc(Mid(UserName, i, 1))
Next i

Num = (Sum Mod &H1A) + &H41
UserName = UCase(UserName)

   If Length = 4 Then

   For i = 2 To 4
   TmpUserName = TmpUserName & Chr((Asc(Mid(UserName, i, 1)) Xor &H64) Mod &H1A + &H41)
   Next i

   UserName = UserName & TmpUserName & Chr((0 Xor &H64) Mod &H1A + &H41)
End If

If (Length > 4 And Length < 8) Then

   For i = 2 To (9 - Length)
   TmpUserName = TmpUserName & Chr((Mid(UserName, i, 1) Xor &H64) Mod &H1A + &H41)
   Next i

   UserName = UserName & TmpUserName
End If

If (Sum Mod 2 = 0) Then
      For i = 1 To 8
      TmpNum1 = ((Asc(Mid(UserName, i, 1)) - Int((Num / (2 ^ 5)))) Mod &H1A) * &HD
      TmpNum2 = Asc(Mid(UserName, i, 1)) And &H8000000F
      TmpNum3 = TmpNum1 * 2 + TmpNum2
      TmpNum = Asc(Mid(Str1, TmpNum3 + 1, 1)) - &H41
      Do While (TmpNum < &H20)
         TmpNum = TmpNum + &H1A
      Loop
      TmpStr1 = TmpStr1 & Chr(TmpNum)

      Next i

      For i = 1 To 8
      TmpNum = ((Asc(Mid(TmpStr1, i, 1)) Xor Int((Num / (2 ^ 2)))) Mod &H1A) + &H41
      TmpStr2 = TmpStr2 & Chr(TmpNum)
      Next i

      Serial = TmpStr1 & TmpStr2
End If

If (Sum Mod 2 = 1) Then
      For i = 1 To 8
      TmpNum1 = ((Asc(Mid(UserName, i, 1)) - Int((Num / (2 ^ 5)))) Mod &H1A) * &HD
      TmpNum2 = (Asc(Mid(UserName, i, 1)) - Int((Num / (2 ^ 4)))) Mod &H1A
      TmpNum3 = TmpNum1 * 2 + TmpNum2
      TmpNum = Asc(Mid(Str2, TmpNum3 + 1, 1)) - &H41
      Do While (TmpNum < &H20)
         TmpNum = TmpNum + &H1A
      Loop
      TmpStr1 = TmpStr1 & Chr(TmpNum)

      Next i

      For i = 1 To 8
      TmpNum = ((Asc(Mid(TmpStr1, i, 1)) Xor Int((Num / (2 ^ 2)))) Mod &H1A) + &H41
      TmpStr2 = TmpStr2 & Chr(TmpNum)
      Next i

      Serial = TmpStr1 & TmpStr2
End If

Text2.Text = Serial

End If

End Sub

-----------------------------------------------------------------------------------------
【版权声明】本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!

登录后可查看完整内容

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

上传的附件：

CrackMe.rar （9.33kb，35次下载）

收藏・1

免费・7

支持

最新回复 (3)
wyfe 雪币： 2575 活跃值： (502) 能力值： ( LV2，RANK：85 ) 在线值：发帖 65 回帖 461 粉丝 0 关注私信	wyfe 2 楼楼主功力强，分析的很详细 2007-11-25 20:59 0
CrAXk 雪币： 222 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 15 回帖 131 粉丝 0 关注私信	CrAXk 3 楼掌柜的说：偶的神啊～书生说：hrbx曰跑堂的说：葵花破解手女侠说：破山倒软小孩说：我要写吃糖葫芦不要钱的代码。厨子说：明天准备写啥呢我：上面都是我说的外加一句强悍. 2007-11-29 16:22 0
wyzbuaa 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 22 粉丝 0 关注私信	wyzbuaa 4 楼楼主功力强，分析的很详细 2007-11-30 15:33 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

hrbx

发帖

195

回帖

330

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
wyfe 雪币： 2575 活跃值： (502) 能力值： ( LV2，RANK：85 ) 在线值：发帖 65 回帖 461 粉丝 0 关注私信	wyfe 2 楼楼主功力强，分析的很详细 2007-11-25 20:59 0
CrAXk 雪币： 222 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 15 回帖 131 粉丝 0 关注私信	CrAXk 3 楼掌柜的说：偶的神啊～书生说：hrbx曰跑堂的说：葵花破解手女侠说：破山倒软小孩说：我要写吃糖葫芦不要钱的代码。厨子说：明天准备写啥呢我：上面都是我说的外加一句强悍. 2007-11-29 16:22 0
wyzbuaa 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 22 粉丝 0 关注私信	wyzbuaa 4 楼楼主功力强，分析的很详细 2007-11-30 15:33 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复