【Title】aCaFeeL's CrackMe V5 (official release): algorithm analysis
【Author】ayan
【Tools】OD, PEiD
【Platform】WINXP2
【Software】aCaFeeL's CrackMe V5 (official release)
【Size】324KB
【Protection】packer, registration code
【Download】http://www.unpack.cn/viewthread.php?tid=19526&extra=page%3D1
---------------------------------------------------------------------
【Cracking process】
This aCaFeeL's CrackMe is quite interesting: there are many verification points plus a hidden check, the interface is nicely done, and the algorithm is not hard, just tedious. Beginners can use it to practise!
PEiD identifies the packer as UPX V2.00-V3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser *. The unpacked file carries an integrity check, so registering it even with a valid code goes wrong,
the water-ripple image disappears, and OD reports a memory error. It is still good enough to locate the registration check below. Then load the original (packed) build, set a breakpoint at 004BB0A8, run, click register, and it breaks:
004BB0A8 /. 55 PUSH EBP //break here and single-step through what follows
004BB0A9 |. 8BEC MOV EBP,ESP
004BB0AB |. B9 16000000 MOV ECX,16
004BB0B0 |> 6A 00 /PUSH 0
004BB0B2 |. 6A 00 |PUSH 0
004BB0B4 |. 49 |DEC ECX
004BB0B5 |.^ 75 F9 \JNZ SHORT 1.004BB0B0
004BB0B7 |. 53 PUSH EBX
004BB0B8 |. 8BD8 MOV EBX,EAX
004BB0BA |. 33C0 XOR EAX,EAX
004BB0BC |. 55 PUSH EBP
004BB0BD |. 68 41B74B00 PUSH 1.004BB741
004BB0C2 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004BB0C5 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004BB0C8 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004BB0CB |. BA 58B74B00 MOV EDX,1.004BB758
004BB0D0 |. E8 9F8BF4FF CALL 1.00403C74
004BB0D5 |. 8D4D F8 LEA ECX,DWORD PTR SS:[EBP-8]
004BB0D8 |. BA 40000000 MOV EDX,40
004BB0DD |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BB0E0 |. E8 3BFFFFFF CALL 1.004BB020
004BB0E5 |. 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8] //the string
Hi! Cracker, I'm acafeel[DCG|OCN|PYG], I hope You like Me :) ->EDX //this string is referred to as Hi! below
==========================================================
004BB0E8 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004BB0EB |. E8 848BF4FF CALL 1.00403C74
004BB0F0 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
004BB0F3 |. 50 PUSH EAX
004BB0F4 |. 8D55 F0 LEA EDX,DWORD PTR SS:[EBP-10]
004BB0F7 |. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004BB0FD |. E8 A65EF7FF CALL 1.00430FA8 //get the serial
004BB102 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] //serial->EAX
004BB105 |. B9 08000000 MOV ECX,8 //8->ECX
004BB10A |. BA 01000000 MOV EDX,1 //1->EDX
Load 1 and 8: start position and length for taking a substring
===========================================================
004BB10F |. E8 508FF4FF CALL 1.00404064 //take chars 1-8 of the serial
004BB114 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C] //first 8 chars of the serial->EAX
004BB117 |. 50 PUSH EAX //push the first 8 chars of the serial
004BB118 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004BB11B |. 50 PUSH EAX
004BB11C |. B9 01000000 MOV ECX,1
004BB121 |. BA 12000000 MOV EDX,12
Load 1 and 12: length and start position for taking a character; same below
============================================================
004BB126 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //Hi!->EAX
004BB129 |. E8 368FF4FF CALL 1.00404064 //take char 18 of the Hi! string: a
004BB12E |. FF75 E8 PUSH DWORD PTR SS:[EBP-18]
004BB131 |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004BB134 |. 50 PUSH EAX
004BB135 |. 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]
004BB138 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BB13B |. E8 94D2F4FF CALL 1.004083D4 //uppercased copy of Hi! -> [EBP-20]; the next character is taken from it, which is why c comes out as C
004BB140 |. 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
004BB143 |. B9 01000000 MOV ECX,1
004BB148 |. BA 13000000 MOV EDX,13
004BB14D |. E8 128FF4FF CALL 1.00404064 //take char 19 of the Hi! string: c (C after the uppercase call above)
004BB152 |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
004BB155 |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004BB158 |. 50 PUSH EAX
004BB159 |. B9 01000000 MOV ECX,1
004BB15E |. BA 14000000 MOV EDX,14
004BB163 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BB166 |. E8 F98EF4FF CALL 1.00404064 //take char 20 of the Hi! string: a
004BB16B |. FF75 DC PUSH DWORD PTR SS:[EBP-24]
004BB16E |. 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
004BB171 |. 50 PUSH EAX
004BB172 |. 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
004BB175 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BB178 |. E8 57D2F4FF CALL 1.004083D4 //uppercased copy of Hi! -> [EBP-2C]
004BB17D |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
004BB180 |. B9 01000000 MOV ECX,1
004BB185 |. BA 15000000 MOV EDX,15
004BB18A |. E8 D58EF4FF CALL 1.00404064 //take char 21 of the Hi! string: f (F after the uppercase call)
004BB18F |. FF75 D8 PUSH DWORD PTR SS:[EBP-28]
004BB192 |. 8D45 D0 LEA EAX,DWORD PTR SS:[EBP-30]
004BB195 |. 50 PUSH EAX
004BB196 |. B9 02000000 MOV ECX,2
004BB19B |. BA 16000000 MOV EDX,16
004BB1A0 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BB1A3 |. E8 BC8EF4FF CALL 1.00404064 //take two chars starting at char 22 of the Hi! string: ee
004BB1A8 |. FF75 D0 PUSH DWORD PTR SS:[EBP-30]
004BB1AB |. 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
004BB1AE |. 50 PUSH EAX
004BB1AF |. 8D55 C8 LEA EDX,DWORD PTR SS:[EBP-38]
004BB1B2 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BB1B5 |. E8 1AD2F4FF CALL 1.004083D4 //uppercased copy of Hi! -> [EBP-38]
004BB1BA |. 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
004BB1BD |. B9 01000000 MOV ECX,1
004BB1C2 |. BA 18000000 MOV EDX,18
004BB1C7 |. E8 988EF4FF CALL 1.00404064 //take char 24 of the Hi! string: l (L after the uppercase call)
004BB1CC |. FF75 CC PUSH DWORD PTR SS:[EBP-34]
004BB1CF |. 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
004BB1D2 |. 50 PUSH EAX
004BB1D3 |. B9 01000000 MOV ECX,1
004BB1D8 |. BA 3B000000 MOV EDX,3B
004BB1DD |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BB1E0 |. E8 7F8EF4FF CALL 1.00404064 //take char 59 of the Hi! string: :
004BB1E5 |. FF75 C4 PUSH DWORD PTR SS:[EBP-3C]
004BB1E8 |. 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004BB1EB |. BA 07000000 MOV EDX,7
004BB1F0 |. E8 278DF4FF CALL 1.00403F1C //concatenate the extracted pieces
004BB1F5 |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14] //concatenated string->EDX
004BB1F8 |. 58 POP EAX //pop the first 8 chars of the serial
004BB1F9 |. E8 6E8DF4FF CALL 1.00403F6C //compare the first 8 chars of the serial with the concatenated string
004BB1FE |. 0F85 9B030000 JNZ 1.004BB59F //jump if not equal; so the first 8 chars of the serial are the fixed string aCaFeeL:
So the first 8 characters of the serial are aCaFeeL: //1
004BB204 |. 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
004BB207 |. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004BB20D |. E8 965DF7FF CALL 1.00430FA8 //get the serial
004BB212 |. 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40] //serial->EAX
004BB215 |. E8 428CF4FF CALL 1.00403E5C //serial length
004BB21A |. 83F8 19 CMP EAX,19 //compare with 19H
004BB21D |. 0F8E 7C030000 JLE 1.004BB59F //jump if less or equal; so the serial must be longer than 25 characters
004BB223 |. 8D45 BC LEA EAX,DWORD PTR SS:[EBP-44]
004BB226 |. 50 PUSH EAX
004BB227 |. 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
004BB22A |. 50 PUSH EAX
004BB22B |. 8D55 B0 LEA EDX,DWORD PTR SS:[EBP-50]
004BB22E |. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004BB234 |. E8 6F5DF7FF CALL 1.00430FA8 //get the serial
004BB239 |. 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50] //serial->EAX
004BB23C |. B9 11000000 MOV ECX,11 //11H->ECX, substring length
004BB241 |. BA 0A000000 MOV EDX,0A //0AH->EDX, substring start
004BB246 |. E8 198EF4FF CALL 1.00404064 //take 17 characters starting at position 10
004BB24B |. 8B45 B4 MOV EAX,DWORD PTR SS:[EBP-4C] //the 17-character substring (A)->EAX
004BB24E |. 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
004BB251 |. E8 D2F7FFFF CALL 1.004BAA28 //algorithm CALL1, step in
===========================================================
Algorithm CALL1
004BAA28 /$ 55 PUSH EBP
004BAA29 |. 8BEC MOV EBP,ESP
004BAA2B |. 51 PUSH ECX
004BAA2C |. 53 PUSH EBX
004BAA2D |. 56 PUSH ESI
004BAA2E |. 57 PUSH EDI
004BAA2F |. 8BFA MOV EDI,EDX
004BAA31 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004BAA34 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //string A->EAX
004BAA37 |. E8 D495F4FF CALL 1.00404010
004BAA3C |. 33C0 XOR EAX,EAX
004BAA3E |. 55 PUSH EBP
004BAA3F |. 68 CFAA4B00 PUSH 1.004BAACF
004BAA44 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004BAA47 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004BAA4A |. BB 01000000 MOV EBX,1 //1->EBX
004BAA4F |> 8BC3 /MOV EAX,EBX //EAX=EBX (1 on the first pass)
004BAA51 |. 25 03000080 |AND EAX,80000003 //EAX AND 80000003: the result is 0 when EBX is 4 or 8
004BAA56 |. 79 05 |JNS SHORT 1.004BAA5D
004BAA58 |. 48 |DEC EAX
004BAA59 |. 83C8 FC |OR EAX,FFFFFFFC
004BAA5C |. 40 |INC EAX
004BAA5D |> 85C0 |TEST EAX,EAX
004BAA5F |. 75 25 |JNZ SHORT 1.004BAA86
004BAA61 |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4] //string A->EAX
004BAA64 |. 0FB64418 08 |MOVZX EAX,BYTE PTR DS:[EAX+EBX+8] //code of A at position EBX+9 (13 for EBX=4)->EAX
004BAA69 |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4] //string A->EDX
004BAA6C |. 0FB6741A FF |MOVZX ESI,BYTE PTR DS:[EDX+EBX-1] //code of A at position EBX (4 for EBX=4)->ESI
004BAA71 |. 83E8 30 |SUB EAX,30 //EAX=EAX-30
004BAA74 |. 03F0 |ADD ESI,EAX //ESI=ESI+EAX
004BAA76 |. 8D45 FC |LEA EAX,DWORD PTR SS:[EBP-4] //address of string A->EAX
004BAA79 |. E8 AE95F4FF |CALL 1.0040402C
004BAA7E |. 8BD6 |MOV EDX,ESI
004BAA80 |. 885418 FF |MOV BYTE PTR DS:[EAX+EBX-1],DL //store the result back into A at position EBX
Characters 13, 17 and 4, 8 go through the operation above
004BAA84 |. EB 23 |JMP SHORT 1.004BAAA9
004BAA86 |> 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4] //string A->EAX
004BAA89 |. 0FB67418 08 |MOVZX ESI,BYTE PTR DS:[EAX+EBX+8] //code of A at position EBX+9 (10 for EBX=1)->ESI
004BAA8E |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4] //string A->EAX
004BAA91 |. 0FB64418 FF |MOVZX EAX,BYTE PTR DS:[EAX+EBX-1] //code of A at position EBX (1 for EBX=1)->EAX
004BAA96 |. 2BF0 |SUB ESI,EAX //ESI=ESI-EAX, subtract the character codes
004BAA98 |. 83C6 30 |ADD ESI,30 //ESI=ESI+30, add 30 to the difference
004BAA9B |. 8D45 FC |LEA EAX,DWORD PTR SS:[EBP-4] //address of string A->EAX
004BAA9E |. E8 8995F4FF |CALL 1.0040402C
004BAAA3 |. 8BD6 |MOV EDX,ESI
004BAAA5 |. 885418 FF |MOV BYTE PTR DS:[EAX+EBX-1],DL //store the difference back into A at position EBX
Characters 10, 11, 12, 14, 15, 16 and 1, 2, 3, 5, 6, 7 go through the operation above
004BAAA9 |> 43 |INC EBX //EBX+1
004BAAAA |. 83FB 09 |CMP EBX,9 //compare with 9
004BAAAD |.^ 75 A0 \JNZ SHORT 1.004BAA4F //loop until EBX reaches 9
004BAAAF |. 8BC7 MOV EAX,EDI
004BAAB1 |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] //the transformed string->EDX
Algorithm CALL1 thus operates on positions 10-26 of the serial (string A): A(10~12)-A(1~3)+30, A13+A4-30, A(14~16)-A(5~7)+30 and A17+A8-30, giving an 8-character string, call it B.
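The AND EAX,80000003 / JNS / DEC EAX / OR EAX,FFFFFFFC / INC EAX sequence at 004BAA51 is the compiler's way of computing a signed `EBX mod 4`; the same shape with 80000001/FFFFFFFE appears at 004BABB3, 004BAC2B and 004BACEA, and with 80000007/FFFFFFF8 at 004B89F4. The Python below is an added example, not part of the original writeup: it emulates the instruction sequence on 32-bit values and checks it against a Pascal-style truncating modulo for positive and negative inputs, so the "0 when EBX is 4 or 8" reading above can be verified rather than assumed. The function names are the example's own.

```python
# Added example, not from the original writeup: emulate the compiler idiom
#   AND EAX,8000000x / JNS skip / DEC EAX / OR EAX,FFFFFFFy / INC EAX
# that precedes every "odd or even" / "EBX = 4 or 8" test in the listing.
MASK32 = 0xFFFFFFFF


def idiom_mod(x, low_bits):
    """Run the instruction sequence on a 32-bit signed x.

    low_bits is the low part of the AND mask: 3 (80000003) for mod 4,
    1 (80000001) for mod 2, 7 (80000007) for mod 8.  The OR constant is
    always the complement of low_bits (FFFFFFFC, FFFFFFFE, FFFFFFF8).
    """
    eax = (x & MASK32) & (0x80000000 | low_bits)  # AND EAX, 8000000x
    if eax & 0x80000000:                          # SF set: JNS not taken
        eax = (eax - 1) & MASK32                  # DEC EAX
        eax |= (~low_bits) & MASK32               # OR EAX, FFFFFFFy
        eax = (eax + 1) & MASK32                  # INC EAX
    return eax - (1 << 32) if eax & 0x80000000 else eax  # EAX read as signed


def pascal_mod(x, n):
    """Pascal/Delphi `x mod n`: the remainder takes the sign of the dividend."""
    r = abs(x) % n
    return -r if x < 0 else r


def idiom_matches_mod(low_bits, lo=-64, hi=64):
    """True when the idiom equals `x mod (low_bits+1)` for every x in [lo, hi]."""
    n = low_bits + 1
    return all(idiom_mod(x, low_bits) == pascal_mod(x, n) for x in range(lo, hi + 1))


if __name__ == "__main__":
    for ebx in range(1, 9):                   # the CALL1 loop counter
        print(ebx, idiom_mod(ebx, 3))         # 0 exactly at EBX = 4 and 8
    print(idiom_mod(0x6F, 7))                 # the KEY length check: 7
```

For the non-negative counters used in this CrackMe the sign-fixing branch is never taken, so the result is simply `EBX AND 3`; the extra instructions only matter for negative dividends, which is why the same five-instruction pattern is worth recognising on sight when reading Delphi binaries.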
===========================================================
004BB256 |. 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48] //string B->EAX
004BB259 |. B9 08000000 MOV ECX,8 //8->ECX, substring length
004BB25E |. BA 01000000 MOV EDX,1 //1->EDX, substring start
004BB263 |. E8 FC8DF4FF CALL 1.00404064 //take chars 1-8 of B
004BB268 |. 8B45 BC MOV EAX,DWORD PTR SS:[EBP-44] //B1~8->EAX
004BB26B |. 50 PUSH EAX //push B1~8
004BB26C |. 8D45 A8 LEA EAX,DWORD PTR SS:[EBP-58]
004BB26F |. 50 PUSH EAX
004BB270 |. B9 01000000 MOV ECX,1 //1->ECX, substring length
004BB275 |. BA 28000000 MOV EDX,28 //28H->EDX, substring start
004BB27A |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //the Hi! string->EAX
004BB27D |. E8 E28DF4FF CALL 1.00404064 //take char 40 of the Hi! string: I
004BB282 |. FF75 A8 PUSH DWORD PTR SS:[EBP-58]
004BB285 |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
004BB288 |. 50 PUSH EAX
004BB289 |. B9 04000000 MOV ECX,4
004BB28E |. BA 33000000 MOV EDX,33
004BB293 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BB296 |. E8 C98DF4FF CALL 1.00404064 //take chars 51~54 of the Hi! string: like
004BB29B |. FF75 A4 PUSH DWORD PTR SS:[EBP-5C]
004BB29E |. 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
004BB2A1 |. 50 PUSH EAX
004BB2A2 |. B9 03000000 MOV ECX,3
004BB2A7 |. BA 2F000000 MOV EDX,2F
004BB2AC |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BB2AF |. E8 B08DF4FF CALL 1.00404064 //take chars 47~49 of the Hi! string: You
004BB2B4 |. FF75 A0 PUSH DWORD PTR SS:[EBP-60]
004BB2B7 |. 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
004BB2BA |. BA 03000000 MOV EDX,3
004BB2BF |. E8 588CF4FF CALL 1.00403F1C //concatenate the pieces: string C
004BB2C4 |. 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54] //string C->EDX
004BB2C7 |. 58 POP EAX //pop B1~8
004BB2C8 |. E8 9F8CF4FF CALL 1.00403F6C //compare the two strings
004BB2CD |. 0F85 CC020000 JNZ 1.004BB59F //jump if not equal; jumping means game over
So positions 10~17 of the serial can be anything, and positions 19~26 must be the values that, combined with 10~17 by the operation above, produce the characters IlikeYou. Taking 10~17 as 11111111,
positions 19~26 are JmjjfZpt //2
004BB2D3 |. 8D55 9C LEA EDX,DWORD PTR SS:[EBP-64]
004BB2D6 |. 8B83 F0020000 MOV EAX,DWORD PTR DS:[EBX+2F0]
004BB2DC |. E8 C75CF7FF CALL 1.00430FA8 //get the name
004BB2E1 |. 837D 9C 00 CMP DWORD PTR SS:[EBP-64],0 //name length compared with 0
004BB2E5 |. 0F84 B4020000 JE 1.004BB59F //jump if equal; jumping means game over
004BB2EB |. 8D45 98 LEA EAX,DWORD PTR SS:[EBP-68]
004BB2EE |. 50 PUSH EAX
004BB2EF |. 8D55 90 LEA EDX,DWORD PTR SS:[EBP-70]
004BB2F2 |. 8B83 F0020000 MOV EAX,DWORD PTR DS:[EBX+2F0]
004BB2F8 |. E8 AB5CF7FF CALL 1.00430FA8 //get the name
004BB2FD |. 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70] //name->EAX
004BB300 |. 8D55 94 LEA EDX,DWORD PTR SS:[EBP-6C]
004BB303 |. E8 74F8FFFF CALL 1.004BAB7C //algorithm CALL2
==============================================================
Algorithm CALL2
004BAB7C /$ 55 PUSH EBP
004BAB7D |. 8BEC MOV EBP,ESP
004BAB7F |. B9 0D000000 MOV ECX,0D
004BAB84 |> 6A 00 /PUSH 0
004BAB86 |. 6A 00 |PUSH 0
004BAB88 |. 49 |DEC ECX
004BAB89 |.^ 75 F9 \JNZ SHORT 1.004BAB84
004BAB8B |. 51 PUSH ECX
004BAB8C |. 53 PUSH EBX
004BAB8D |. 56 PUSH ESI
004BAB8E |. 57 PUSH EDI
004BAB8F |. 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
004BAB92 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004BAB95 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BAB98 |. E8 7394F4FF CALL 1.00404010
004BAB9D |. 33C0 XOR EAX,EAX
004BAB9F |. 55 PUSH EBP
004BABA0 |. 68 CDAF4B00 PUSH 1.004BAFCD
004BABA5 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
004BABA8 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
004BABAB |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BABAE |. E8 A992F4FF CALL 1.00403E5C
004BABB3 |. 25 01000080 AND EAX,80000001
004BABB8 |. 79 05 JNS SHORT 1.004BABBF
004BABBA |. 48 DEC EAX
004BABBB |. 83C8 FE OR EAX,FFFFFFFE
004BABBE |. 40 INC EAX
004BABBF |> 85C0 TEST EAX,EAX
004BABC1 |. 0F85 EA010000 JNZ 1.004BADB1
004BABC7 |. 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28]
004BABCA |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //name->EAX
004BABCD |. E8 0AFFFFFF CALL 1.004BAADC //reverse the name: FNAME
004BABD2 |. 8B55 D8 MOV EDX,DWORD PTR SS:[EBP-28] //FNAME->EDX
004BABD5 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004BABD8 |. E8 9790F4FF CALL 1.00403C74
004BABDD |. BE 80000000 MOV ESI,80 //80->ESI
004BABE2 |. 8D45 E8 LEA EAX,DWORD PTR SS:[EBP-18]
004BABE5 |. BA E4AF4B00 MOV EDX,1.004BAFE4 //fixed string WoAiZhangLiangYing!->EDX
004BABEA |. E8 8590F4FF CALL 1.00403C74
004BABEF |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004BABF2 |. E8 6592F4FF CALL 1.00403E5C
004BABF7 |. 85C0 TEST EAX,EAX
004BABF9 |. 0F8E AF000000 JLE 1.004BACAE
004BABFF |. 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
004BAC02 |. BB 01000000 MOV EBX,1
004BAC07 |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4] //FNAME->EAX
004BAC0A |. 33C9 |XOR ECX,ECX //ECX=0
004BAC0C |. 8A4C18 FF |MOV CL,BYTE PTR DS:[EAX+EBX-1] //code of FNAME[EBX]->CL
004BAC10 |. 03CE |ADD ECX,ESI //ECX=ECX+ESI (ESI starts at 80H)
004BAC12 |. 8BC1 |MOV EAX,ECX //ECX->EAX as dividend
004BAC14 |. B9 FF000000 |MOV ECX,0FF //0FFH->ECX as divisor
004BAC19 |. 99 |CDQ //EDX=0
004BAC1A |. F7F9 |IDIV ECX //EAX/ECX: quotient->EAX, remainder->EDX
004BAC1C |. 8BF2 |MOV ESI,EDX //remainder->ESI
004BAC1E |. 8B45 E8 |MOV EAX,DWORD PTR SS:[EBP-18] //the WoAi string->EAX
004BAC21 |. 33C9 |XOR ECX,ECX //ECX=0
004BAC23 |. 8A4C18 FF |MOV CL,BYTE PTR DS:[EAX+EBX-1] //code of WoAi[EBX]->CL
004BAC27 |. 33F1 |XOR ESI,ECX //ESI=ESI XOR ECX
004BAC29 |. 8BC3 |MOV EAX,EBX //EBX->EAX, the counter
004BAC2B |. 25 01000080 |AND EAX,80000001 //odd or even position?
004BAC30 |. 79 05 |JNS SHORT 1.004BAC37
004BAC32 |. 48 |DEC EAX
004BAC33 |. 83C8 FE |OR EAX,FFFFFFFE
004BAC36 |. 40 |INC EAX
004BAC37 |> 85C0 |TEST EAX,EAX
004BAC39 |. 75 1C |JNZ SHORT 1.004BAC57 //odd position: jump to 004BAC57 for the inner loop
004BAC3B |. 8D4D D4 |LEA ECX,DWORD PTR SS:[EBP-2C]
004BAC3E |. BA 02000000 |MOV EDX,2 //2->EDX
004BAC43 |. 8BC6 |MOV EAX,ESI //ESI->EAX
004BAC45 |. E8 7EDBF4FF |CALL 1.004087C8
004BAC4A |. 8B55 D4 |MOV EDX,DWORD PTR SS:[EBP-2C]
004BAC4D |. 8D45 F0 |LEA EAX,DWORD PTR SS:[EBP-10]
004BAC50 |. E8 0F92F4FF |CALL 1.00403E64
004BAC55 |. EB 4D |JMP SHORT 1.004BACA4 //even position: jump to 004BACA4 and continue the outer loop
004BAC57 |> 8D4D EC |LEA ECX,DWORD PTR SS:[EBP-14]
004BAC5A |. BA 02000000 |MOV EDX,2
004BAC5F |. 8BC6 |MOV EAX,ESI
004BAC61 |. E8 62DBF4FF |CALL 1.004087C8 //convert the result to a string
004BAC66 |. 8B45 EC |MOV EAX,DWORD PTR SS:[EBP-14] //result string->EAX
004BAC69 |. E8 EE91F4FF |CALL 1.00403E5C
004BAC6E |. 8BF8 |MOV EDI,EAX
004BAC70 |. 85FF |TEST EDI,EDI
004BAC72 |. 7E 30 |JLE SHORT 1.004BACA4
004BAC74 |. C745 F4 01000>|MOV DWORD PTR SS:[EBP-C],1 //1->SS:[EBP-C]
004BAC7B |> 8B45 EC |/MOV EAX,DWORD PTR SS:[EBP-14] //result string->EAX
004BAC7E |. 8B55 F4 ||MOV EDX,DWORD PTR SS:[EBP-C] //1->EDX
004BAC81 |. 0FB64410 FF ||MOVZX EAX,BYTE PTR DS:[EAX+EDX-1] //code of result string[EDX]->EAX
004BAC86 |. 8D4D D0 ||LEA ECX,DWORD PTR SS:[EBP-30]
004BAC89 |. BA 02000000 ||MOV EDX,2 //2->EDX
004BAC8E |. E8 35DBF4FF ||CALL 1.004087C8
004BAC93 |. 8B55 D0 ||MOV EDX,DWORD PTR SS:[EBP-30] //that code, converted to a string->EDX
004BAC96 |. 8D45 F0 ||LEA EAX,DWORD PTR SS:[EBP-10]
004BAC99 |. E8 C691F4FF ||CALL 1.00403E64
004BAC9E |. FF45 F4 ||INC DWORD PTR SS:[EBP-C]
004BACA1 |. 4F ||DEC EDI
004BACA2 |.^ 75 D7 |\JNZ SHORT 1.004BAC7B //odd positions loop here
004BACA4 |> 43 |INC EBX
004BACA5 |. FF4D DC |DEC DWORD PTR SS:[EBP-24]
004BACA8 |.^ 0F85 59FFFFFF \JNZ 1.004BAC07
Entered user name: ayan
After reversal:
1 2 3 4
n a y a
6E 61 79 61
W o A i ZhangLiangYing!
57 6F 41 69
1. 6E+80=EE
EE MOD FF = EE
EE XOR 57 = B9 (odd position)
B 9
42 39
2. 61+B9=11A
11A MOD FF = 1B (even position)
1B XOR 6F = 74
3. 79+74=ED
ED MOD FF = ED (odd position)
ED XOR 41 = AC
A C
41 43
4. 61+AC=10D
10D MOD FF = E (even position)
E XOR 69 = 67
The algorithm above yields the string 42 39 74 41 43 67
004BACAE |> 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
004BACB1 |. 50 PUSH EAX
004BACB2 |. 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]
004BACB5 |. B9 00B04B00 MOV ECX,1.004BB000 //the string 6143614665654C21->ECX
004BACBA |. 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10] //the computed string 423974414367->EDX
004BACBD |. E8 E691F4FF CALL 1.00403EA8 //concatenate: 4239744143676143614665654C21
004BACC2 |. 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34] //concatenated string->EAX
004BACC5 |. B9 10000000 MOV ECX,10 //10H->ECX, substring length
004BACCA |. BA 01000000 MOV EDX,1 //1->EDX, substring start
004BACCF |. E8 9093F4FF CALL 1.00404064 //take the first 16 chars of 4239744143676143614665654C21
004BACD4 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] //the 16-char string 4239744143676143->EAX
004BACD7 |. E8 8091F4FF CALL 1.00403E5C //string length
004BACDC |. 85C0 TEST EAX,EAX //test
004BACDE |. 7E 60 JLE SHORT 1.004BAD40
004BACE0 |. 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
004BACE3 |. BB 01000000 MOV EBX,1 //1->EBX
004BACE8 |> 8BC3 /MOV EAX,EBX //EBX->EAX
004BACEA |. 25 01000080 |AND EAX,80000001 //EAX=EAX AND 80000001
004BACEF |. 79 05 |JNS SHORT 1.004BACF6
004BACF1 |. 48 |DEC EAX
004BACF2 |. 83C8 FE |OR EAX,FFFFFFFE
004BACF5 |. 40 |INC EAX
004BACF6 |> 85C0 |TEST EAX,EAX //test
004BACF8 |. 74 40 |JE SHORT 1.004BAD3A //even position: skip
004BACFA |. 8D45 C0 |LEA EAX,DWORD PTR SS:[EBP-40]
004BACFD |. 50 |PUSH EAX
004BACFE |. B9 02000000 |MOV ECX,2 //2->ECX, substring length
004BAD03 |. 8BD3 |MOV EDX,EBX //EBX->EDX, substring start
004BAD05 |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10] //the 16-char string 4239744143676143->EAX
004BAD08 |. E8 5793F4FF |CALL 1.00404064 //take 2 characters starting at position EBX
004BAD0D |. 8B4D C0 |MOV ECX,DWORD PTR SS:[EBP-40]
004BAD10 |. 8D45 C4 |LEA EAX,DWORD PTR SS:[EBP-3C]
004BAD13 |. BA 1CB04B00 |MOV EDX,1.004BB01C //the string $->EDX
004BAD18 |. E8 8B91F4FF |CALL 1.00403EA8 //concatenate $ and the 2 characters
004BAD1D |. 8B45 C4 |MOV EAX,DWORD PTR SS:[EBP-3C] //concatenated string->EAX
004BAD20 |. E8 DFDAF4FF |CALL 1.00408804
004BAD25 |. 8BD0 |MOV EDX,EAX
004BAD27 |. 8D45 C8 |LEA EAX,DWORD PTR SS:[EBP-38]
004BAD2A |. E8 5590F4FF |CALL 1.00403D84
004BAD2F |. 8B55 C8 |MOV EDX,DWORD PTR SS:[EBP-38]
004BAD32 |. 8D45 E4 |LEA EAX,DWORD PTR SS:[EBP-1C]
004BAD35 |. E8 2A91F4FF |CALL 1.00403E64
004BAD3A |> 43 |INC EBX
004BAD3B |. FF4D DC |DEC DWORD PTR SS:[EBP-24]
004BAD3E |.^ 75 A8 \JNZ SHORT 1.004BACE8
The loop above converts the string 4239744143676143 into the characters with those hex codes, giving the string B9tACgaC
004BAD40 |> 8D55 BC LEA EDX,DWORD PTR SS:[EBP-44]
004BAD43 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] //string B9tACgaC->EAX
004BAD46 |. E8 91FDFFFF CALL 1.004BAADC //reverse the string B9tACgaC
004BAD4B |. 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44]
004BAD4E |. 8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C]
004BAD51 |. E8 1E8FF4FF CALL 1.00403C74
004BAD56 |. 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] //string CagCAt9B->EAX
004BAD59 |. E8 FE90F4FF CALL 1.00403E5C
004BAD5E |. 85C0 TEST EAX,EAX
004BAD60 |. 0F8E 2C020000 JLE 1.004BAF92
004BAD66 |. 8945 DC MOV DWORD PTR SS:[EBP-24],EAX
004BAD69 |. BB 01000000 MOV EBX,1 //1->EBX
004BAD6E |> 8B45 E4 /MOV EAX,DWORD PTR SS:[EBP-1C] //string CagCAt9B->EAX
004BAD71 |. 33C9 |XOR ECX,ECX //ECX=0
004BAD73 |. 8A4C18 FF |MOV CL,BYTE PTR DS:[EAX+EBX-1] //code of each char of CagCAt9B->CL
004BAD77 |. 03CE |ADD ECX,ESI //ECX=ECX+ESI (ESI still holds the last value from the loop ending at 4BACA8: 67)
004BAD79 |. 8BC1 |MOV EAX,ECX //ECX->EAX as dividend
004BAD7B |. B9 FF000000 |MOV ECX,0FF //0FFH->ECX as divisor
004BAD80 |. 99 |CDQ //EDX=0
004BAD81 |. F7F9 |IDIV ECX //EAX/ECX: quotient->EAX, remainder->EDX
004BAD83 |. 8BF2 |MOV ESI,EDX //remainder->ESI
004BAD85 |. B9 2B000000 |MOV ECX,2B //2B->ECX
004BAD8A |. 33F1 |XOR ESI,ECX //ESI=ESI XOR ECX
004BAD8C |. 8D4D B8 |LEA ECX,DWORD PTR SS:[EBP-48]
004BAD8F |. BA 12000000 |MOV EDX,12 //12->EDX
004BAD94 |. 8BC6 |MOV EAX,ESI //ESI->EAX
004BAD96 |. E8 2DDAF4FF |CALL 1.004087C8
004BAD9B |. 8B55 B8 |MOV EDX,DWORD PTR SS:[EBP-48]
004BAD9E |. 8D45 E0 |LEA EAX,DWORD PTR SS:[EBP-20]
004BADA1 |. E8 BE90F4FF |CALL 1.00403E64
004BADA6 |. 43 |INC EBX
004BADA7 |. FF4D DC |DEC DWORD PTR SS:[EBP-24] //loop counter
004BADAA |.^ 75 C2 \JNZ SHORT 1.004BAD6E //exit the loop when SS:[EBP-24]=0
The above operates on the string CagCAt9B:
C a g C A t 9 B
43 61 67 43 41 74 39 42
43+67=AA MOD FF = AA XOR 2B = 81
61+81=E2 MOD FF = E2 XOR 2B = C9
67+C9=130 MOD FF = 31 XOR 2B = 1A
43+1A=5D MOD FF = 5D XOR 2B = 76
41+76=B7 MOD FF = B7 XOR 2B = 9C
74+9C=110 MOD FF = 11 XOR 2B = 3A
39+3A=73 MOD FF = 73 XOR 2B = 58
42+58=9A MOD FF = 9A XOR 2B = B1
Concatenated: 81C91A769C3A58B1
004BADAC |. E9 E1010000 JMP 1.004BAF92 //we have the string 81C91A769C3A58B1; loop done, jump to 4BAF92
.................
004BAF92 |> 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004BAF95 |. 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
004BAF98 |. E8 938CF4FF CALL 1.00403C30
004BAF9D |. 33C0 XOR EAX,EAX
004BAF9F |. 5A POP EDX
004BAFA0 |. 59 POP ECX
004BAFA1 |. 59 POP ECX
004BAFA2 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
004BAFA5 |. 68 D4AF4B00 PUSH 1.004BAFD4
004BAFAA |> 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
004BAFAD |. BA 12000000 MOV EDX,12
004BAFB2 |. E8 498CF4FF CALL 1.00403C00
004BAFB7 |. 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004BAFBA |. BA 05000000 MOV EDX,5
004BAFBF |. E8 3C8CF4FF CALL 1.00403C00
004BAFC4 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004BAFC7 |. E8 108CF4FF CALL 1.00403BDC
004BAFCC \. C3 RETN //return to 004BB308
CALL2 thus puts the name through the series of operations above and yields the string 81C91A769C3A58B1
===================================================================
004BB308 |. 8B45 94 MOV EAX,DWORD PTR SS:[EBP-6C] //string 81C91A769C3A58B1->EAX
004BB30B |. B9 08000000 MOV ECX,8 //8->ECX, substring length
004BB310 |. BA 01000000 MOV EDX,1 //1->EDX, substring start
004BB315 |. E8 4A8DF4FF CALL 1.00404064 //take the first 8 chars of 81C91A769C3A58B1: 81C91A76
004BB31A |. 8B45 98 MOV EAX,DWORD PTR SS:[EBP-68] //string 81C91A76->EAX
004BB31D |. 50 PUSH EAX //push 81C91A76
004BB31E |. 8D45 8C LEA EAX,DWORD PTR SS:[EBP-74]
004BB321 |. 50 PUSH EAX
004BB322 |. 8D55 88 LEA EDX,DWORD PTR SS:[EBP-78]
004BB325 |. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004BB32B |. E8 785CF7FF CALL 1.00430FA8 //get the serial
004BB330 |. 8B45 88 MOV EAX,DWORD PTR SS:[EBP-78] //serial->EAX
004BB333 |. B9 08000000 MOV ECX,8 //8->ECX, substring length
004BB338 |. BA 1C000000 MOV EDX,1C //1CH->EDX, substring start
004BB33D |. E8 228DF4FF CALL 1.00404064 //take 8 chars of the serial starting at position 28
004BB342 |. 8B55 8C MOV EDX,DWORD PTR SS:[EBP-74] //the extracted chars->EDX
004BB345 |. 58 POP EAX //pop 81C91A76
004BB346 |. E8 218CF4FF CALL 1.00403F6C //compare the extracted chars with 81C91A76
004BB34B |. 0F85 4E020000 JNZ 1.004BB59F //jump if not equal; jumping means game over
From the comparison above, positions 28~35 of the serial are 81C91A76 //3
004BB351 |. 8D45 84 LEA EAX,DWORD PTR SS:[EBP-7C]
004BB354 |. 50 PUSH EAX
004BB355 |. B9 01000000 MOV ECX,1 //1->ECX, substring length
004BB35A |. BA 1D000000 MOV EDX,1D //1DH->EDX, substring start
004BB35F |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //the Hi! string->EAX
004BB362 |. E8 FD8CF4FF CALL 1.00404064 //take char 29 of the Hi! string: "|"
004BB367 |. 8B45 84 MOV EAX,DWORD PTR SS:[EBP-7C] //pointer to that "|" (char 29 of Hi!)->EAX
004BB36A |. 50 PUSH EAX //push the pointer to "|" (char 29 of Hi!)
004BB36B |. 8D45 80 LEA EAX,DWORD PTR SS:[EBP-80]
004BB36E |. 50 PUSH EAX
004BB36F |. 8D95 7CFFFFFF LEA EDX,DWORD PTR SS:[EBP-84]
004BB375 |. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004BB37B |. E8 285CF7FF CALL 1.00430FA8 //get the serial
004BB380 |. 8B85 7CFFFFFF MOV EAX,DWORD PTR SS:[EBP-84] //serial->EAX
004BB386 |. B9 01000000 MOV ECX,1 //1->ECX, substring length
004BB38B |. BA 09000000 MOV EDX,9 //9->EDX, substring start
004BB390 |. E8 CF8CF4FF CALL 1.00404064 //take char 9 of the serial
004BB395 |. 8B55 80 MOV EDX,DWORD PTR SS:[EBP-80] //pointer to char 9 of the serial->EDX
004BB398 |. 58 POP EAX //pop the pointer to "|" (char 29 of Hi!)
004BB399 |. E8 CE8BF4FF CALL 1.00403F6C //compare the characters the two pointers hold
004BB39E |. 0F85 FB010000 JNZ 1.004BB59F //jump if not equal; jumping means game over
So char 9 of the serial is "|"
004BB3A4 |. 8D85 78FFFFFF LEA EAX,DWORD PTR SS:[EBP-88]
004BB3AA |. 50 PUSH EAX
004BB3AB |. B9 01000000 MOV ECX,1 //1->ECX, substring length
004BB3B0 |. BA 21000000 MOV EDX,21 //21H->EDX, substring start
004BB3B5 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //the Hi! string->EAX
004BB3B8 |. E8 A78CF4FF CALL 1.00404064 //take char 33 of the Hi! string: "|"
004BB3BD |. 8B85 78FFFFFF MOV EAX,DWORD PTR SS:[EBP-88] //pointer to that "|" (char 33 of Hi!)->EAX
004BB3C3 |. 50 PUSH EAX //push the pointer to "|" (char 33 of Hi!)
004BB3C4 |. 8D85 74FFFFFF LEA EAX,DWORD PTR SS:[EBP-8C]
004BB3CA |. 50 PUSH EAX
004BB3CB |. 8D95 70FFFFFF LEA EDX,DWORD PTR SS:[EBP-90]
004BB3D1 |. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004BB3D7 |. E8 CC5BF7FF CALL 1.00430FA8
004BB3DC |. 8B85 70FFFFFF MOV EAX,DWORD PTR SS:[EBP-90] //serial->EAX
004BB3E2 |. B9 01000000 MOV ECX,1 //1->ECX, substring length
004BB3E7 |. BA 12000000 MOV EDX,12 //12H->EDX, substring start
004BB3EC |. E8 738CF4FF CALL 1.00404064 //take char 18 of the serial
004BB3F1 |. 8B95 74FFFFFF MOV EDX,DWORD PTR SS:[EBP-8C] //pointer to char 18 of the serial->EDX
004BB3F7 |. 58 POP EAX //pop the pointer to "|" (char 33 of Hi!)
004BB3F8 |. E8 6F8BF4FF CALL 1.00403F6C
004BB3FD |. 0F85 9C010000 JNZ 1.004BB59F //jump if not equal; jumping means game over
So char 18 of the serial is "|"
004BB403 |. 8D85 6CFFFFFF LEA EAX,DWORD PTR SS:[EBP-94]
004BB409 |. 50 PUSH EAX
004BB40A |. B9 01000000 MOV ECX,1 //1->ECX, substring length
004BB40F |. BA 1D000000 MOV EDX,1D //1DH->EDX, substring start
004BB414 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //the Hi! string->EAX
004BB417 |. E8 488CF4FF CALL 1.00404064 //take char 29 of the Hi! string: "|"
004BB41C |. 8B85 6CFFFFFF MOV EAX,DWORD PTR SS:[EBP-94]
004BB422 |. 50 PUSH EAX
004BB423 |. 8D85 68FFFFFF LEA EAX,DWORD PTR SS:[EBP-98]
004BB429 |. 50 PUSH EAX
004BB42A |. 8D95 64FFFFFF LEA EDX,DWORD PTR SS:[EBP-9C]
004BB430 |. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004BB436 |. E8 6D5BF7FF CALL 1.00430FA8 //get the serial
004BB43B |. 8B85 64FFFFFF MOV EAX,DWORD PTR SS:[EBP-9C] //serial->EAX
004BB441 |. B9 01000000 MOV ECX,1 //1->ECX, substring length
004BB446 |. BA 1B000000 MOV EDX,1B //1BH->EDX, substring start
004BB44B |. E8 148CF4FF CALL 1.00404064 //take char 27 of the serial
004BB450 |. 8B95 68FFFFFF MOV EDX,DWORD PTR SS:[EBP-98] //pointer to char 27 of the serial->EDX
004BB456 |. 58 POP EAX //pop the pointer to "|" (char 29 of Hi!)
004BB457 |. E8 108BF4FF CALL 1.00403F6C //compare the characters
004BB45C |. 0F85 3D010000 JNZ 1.004BB59F //jump if not equal; jumping means game over
So char 27 of the serial is "|"
004BB462 |. 8D85 60FFFFFF LEA EAX,DWORD PTR SS:[EBP-A0]
004BB468 |. 50 PUSH EAX
004BB469 |. B9 01000000 MOV ECX,1 //1->ECX, substring length
004BB46E |. BA 21000000 MOV EDX,21 //21H->EDX, substring start
004BB473 |. 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //the Hi! string->EAX
004BB476 |. E8 E98BF4FF CALL 1.00404064 //take char 33 of the Hi! string: "|"
004BB47B |. 8B85 60FFFFFF MOV EAX,DWORD PTR SS:[EBP-A0] //pointer to that "|" (char 33 of Hi!)->EAX
004BB481 |. 50 PUSH EAX //push the pointer to "|" (char 33 of Hi!)
004BB482 |. 8D85 5CFFFFFF LEA EAX,DWORD PTR SS:[EBP-A4]
004BB488 |. 50 PUSH EAX
004BB489 |. 8D95 58FFFFFF LEA EDX,DWORD PTR SS:[EBP-A8]
004BB48F |. 8B83 F8020000 MOV EAX,DWORD PTR DS:[EBX+2F8]
004BB495 |. E8 0E5BF7FF CALL 1.00430FA8 //get the serial
004BB49A |. 8B85 58FFFFFF MOV EAX,DWORD PTR SS:[EBP-A8] //serial->EAX
004BB4A0 |. B9 01000000 MOV ECX,1 //1->ECX, substring length
004BB4A5 |. BA 24000000 MOV EDX,24 //24H->EDX, substring start
004BB4AA |. E8 B58BF4FF CALL 1.00404064 //take char 36 of the serial
004BB4AF |. 8B95 5CFFFFFF MOV EDX,DWORD PTR SS:[EBP-A4] //pointer to char 36 of the serial->EDX
004BB4B5 |. 58 POP EAX //pop the pointer to "|" (char 33 of Hi!)
004BB4B6 |. E8 B18AF4FF CALL 1.00403F6C //compare the characters
004BB4BB |. 0F85 DE000000 JNZ 1.004BB59F //jump if not equal; jumping means game over
So char 36 of the serial is "|"
Now the serial satisfies every check and we arrive at the registration-success prompt.
With the name: ayan
the serial works out as follows:
the serial must be longer than 25 characters
chars 1~8: aCaFeeL:
chars 10~17: anything, we take 11111111
so chars 19~26: JmjjfZpt
chars 28~35: 81C91A76
chars 9, 18, 27 and 36 in between: "|"
which gives the serial aCaFeeL:|11111111|JmjjfZpt|81C91A76|
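Putting the name side together: the Python below is an added example, not the original writeup's code, that re-implements algorithm CALL2 (CALL 004BAB7C) exactly as traced above and then assembles the serial from the pieces derived on this page. It models the value-to-text step (CALL 004087C8) as two uppercase hex digits per value, which is what the author's trace shows, and the reverse routine (CALL 004BAADC) as a plain string reversal; chars 19~26 are passed in as the value derived above, because they depend on the choice for chars 10~17. Function names are the example's own.

```python
# Added example, not from the original writeup.
WOAI = "WoAiZhangLiangYing!"          # constant at 004BAFE4
SUFFIX = "6143614665654C21"           # constant at 004BB000


def call2(name):
    """CALL 004BAB7C: turns the registration name into the 16 hex chars
    whose first 8 must appear at serial positions 28~35."""
    if not name or len(name) > len(WOAI):
        # The loop indexes WOAI with the same counter as the reversed name;
        # what the CrackMe reads past its end is not covered by the writeup.
        raise ValueError("name must be 1..%d characters" % len(WOAI))
    fname = name[::-1]                # CALL 004BAADC: reverse
    esi = 0x80
    hexstr = ""
    for i, ch in enumerate(fname, start=1):
        esi = (ord(ch) + esi) % 0xFF  # IDIV by 0FFh, keep the remainder
        esi ^= ord(WOAI[i - 1])       # XOR with the fixed string at the same index
        h = "%02X" % esi
        if i % 2 == 1:                # odd position: hex of each hex digit's code
            hexstr += "".join("%02X" % ord(c) for c in h)
        else:                         # even position: the hex value itself
            hexstr += h
    first16 = (hexstr + SUFFIX)[:16]
    # odd positions 1,3,..,15: two chars -> "$xx" -> StrToInt -> Chr
    text = "".join(chr(int(first16[i:i + 2], 16)) for i in range(0, 16, 2))
    text = text[::-1]                 # reversed again: B9tACgaC -> CagCAt9B
    out = ""
    for ch in text:                   # ESI is NOT reset; it carries over (67 for ayan)
        esi = (ord(ch) + esi) % 0xFF
        esi ^= 0x2B
        out += "%02X" % esi
    return out


def build_serial(name, block2="11111111", block3="JmjjfZpt"):
    """aCaFeeL: | chars 10~17 | chars 19~26 | first 8 of call2(name) |
    block3 must be the CALL1 inverse of block2 (JmjjfZpt for 11111111)."""
    assert len(block2) == 8 and len(block3) == 8
    return "aCaFeeL:|%s|%s|%s|" % (block2, block3, call2(name)[:8])


def separators_ok(serial):
    """The four '|' checks: chars 9, 18, 27 and 36 (1-based)."""
    return len(serial) >= 36 and all(serial[p - 1] == "|" for p in (9, 18, 27, 36))


if __name__ == "__main__":
    print(call2("ayan"))              # 81C91A769C3A58B1
    s = build_serial("ayan")
    print(s, len(s), separators_ok(s))
```

The 36-character result passes only the visible routine at 004BB0A8. The hidden check traced further down (004B8A4D) additionally demands a 53-character serial and a 7-character KEY, which is exactly the mismatch the author runs into next.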
At this point it seems we have computed the real serial.
Let's register. Ugh: the unpacked file faults in OD while reading a memory value. Closing OD and registering again shows the success prompt,
but the Register button does not grey out and the image on the form is gone; registering in the original, still-packed program still shows the not-registered prompt!
Tracing in OD confirms that we really do reach the success prompt, so there is a hidden check. Let's analyze it next.
The registration form has three input boxes and we have only used two; the KEY value has not been used yet. That must be where the catch is. Keep analyzing downward!
=======================================================================
Registration-success prompt
004BB4C1 |. 8B0D 08164C00 MOV ECX,DWORD PTR DS:[4C1608] ; 1.004C27D0
004BB4C7 |. 8B09 MOV ECX,DWORD PTR DS:[ECX]
004BB4C9 |. B2 01 MOV DL,1
004BB4CB |. A1 487D4B00 MOV EAX,DWORD PTR DS:[4B7D48]
004BB4D0 |. E8 D7CAFFFF CALL 1.004B7FAC
004BB4D5 |. 8B15 70174C00 MOV EDX,DWORD PTR DS:[4C1770] ; 1.004C28FC
004BB4DB |. 8902 MOV DWORD PTR DS:[EDX],EAX
004BB4DD |. 8B15 70174C00 MOV EDX,DWORD PTR DS:[4C1770] ; 1.004C28FC
004BB4E3 |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
004BB4E5 |. 8B83 D8020000 MOV EAX,DWORD PTR DS:[EBX+2D8]
004BB4EB |. E8 788DFFFF CALL 1.004B4268
004BB4F0 |. A1 70174C00 MOV EAX,DWORD PTR DS:[4C1770]
004BB4F5 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004BB4F7 |. BA A0B74B00 MOV EDX,1.004BB7A0 ; Success
004BB4FC |. E8 D75AF7FF CALL 1.00430FD8
004BB501 |. 68 B4B74B00 PUSH 1.004BB7B4 ; ! Good Job !\r\rCracked By :\r
004BB506 |. 8D95 50FFFFFF LEA EDX,DWORD PTR SS:[EBP-B0]
004BB50C |. 8B83 F0020000 MOV EAX,DWORD PTR DS:[EBX+2F0]
004BB512 |. E8 915AF7FF CALL 1.00430FA8
004BB517 |. FFB5 50FFFFFF PUSH DWORD PTR SS:[EBP-B0]
004BB51D |. 68 D8B74B00 PUSH 1.004BB7D8 ; \r
004BB522 |. 68 D8B74B00 PUSH 1.004BB7D8 ; \r
004BB527 |. 68 E4B74B00 PUSH 1.004BB7E4 ; ! Good Job !
004BB52C |. 8D85 54FFFFFF LEA EAX,DWORD PTR SS:[EBP-AC]
004BB532 |. BA 05000000 MOV EDX,5
004BB537 |. E8 E089F4FF CALL 1.00403F1C
004BB53C |. 8B95 54FFFFFF MOV EDX,DWORD PTR SS:[EBP-AC]
004BB542 |. A1 70174C00 MOV EAX,DWORD PTR DS:[4C1770]
004BB547 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004BB549 |. 8B80 D4020000 MOV EAX,DWORD PTR DS:[EAX+2D4]
004BB54F |. E8 845AF7FF CALL 1.00430FD8
004BB554 |. A1 70174C00 MOV EAX,DWORD PTR DS:[4C1770]
004BB559 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004BB55B |. 8B80 DC020000 MOV EAX,DWORD PTR DS:[EAX+2DC]
004BB561 |. BA FCB74B00 MOV EDX,1.004BB7FC ; G o o D
004BB566 |. E8 6D5AF7FF CALL 1.00430FD8
004BB56B |. A1 70174C00 MOV EAX,DWORD PTR DS:[4C1770]
004BB570 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004BB572 |. 8B80 D8020000 MOV EAX,DWORD PTR DS:[EAX+2D8]
004BB578 |. 33D2 XOR EDX,EDX
004BB57A |. E8 4159F7FF CALL 1.00430EC0
004BB57F |. A1 70174C00 MOV EAX,DWORD PTR DS:[4C1770]
004BB584 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004BB586 |. 8B10 MOV EDX,DWORD PTR DS:[EAX]
004BB588 |. FF92 D8000000 CALL DWORD PTR DS:[EDX+D8] //suspicious: the unpacked file hits its memory error right here, step in and look
==================================================================
Following 004BB588 leads here; the middle part is omitted...
004B88E3 53 PUSH EBX //break here, then single-step downward
004B88E4 33C0 XOR EAX,EAX
......................
004B89E5 E8 BE85F7FF CALL CrackMeV.00430FA8 //get KEY
004B89EA 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28] //KEY->EAX
004B89ED E8 6AB4F4FF CALL CrackMeV.00403E5C //KEY length->EAX
004B89F2 8BD3 MOV EDX,EBX //EBX=6FH->EDX
004B89F4 81E2 07000080 AND EDX,80000007 //EDX=EDX AND 80000007 = 7
004B89FA 79 05 JNS SHORT CrackMeV.004B8A01
004B89FC 4A DEC EDX
004B89FD 83CA F8 OR EDX,FFFFFFF8
004B8A00 42 INC EDX
004B8A01 3BC2 CMP EAX,EDX //compare the KEY length
004B8A03 0F85 DF010000 JNZ CrackMeV.004B8BE8 //jump if not equal; jumping means game over
So KEY must be 7 characters
004B8A09 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
004B8A0C A1 08164C00 MOV EAX,DWORD PTR DS:[4C1608]
004B8A11 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B8A13 E8 F479F9FF CALL CrackMeV.0045040C
004B8A18 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
004B8A1B E8 30F7FFFF CALL CrackMeV.004B8150
004B8A20 8BD3 MOV EDX,EBX
004B8A22 0FAFD3 IMUL EDX,EBX
004B8A25 6BD2 1D IMUL EDX,EDX,1D
004B8A28 3BC2 CMP EAX,EDX
004B8A2A 0F8D B8010000 JGE CrackMeV.004B8BE8
004B8A30 8D55 D0 LEA EDX,DWORD PTR SS:[EBP-30]
004B8A33 A1 4C144C00 MOV EAX,DWORD PTR DS:[4C144C]
004B8A38 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B8A3A 8B80 F8020000 MOV EAX,DWORD PTR DS:[EAX+2F8]
004B8A40 E8 6385F7FF CALL CrackMeV.00430FA8 //get the serial
004B8A45 8B45 D0 MOV EAX,DWORD PTR SS:[EBP-30] //serial->EAX
004B8A48 E8 0FB4F4FF CALL CrackMeV.00403E5C //serial length
004B8A4D 83F8 35 CMP EAX,35 //compare with 35H
004B8A50 0F85 92010000 JNZ CrackMeV.004B8BE8 //jump if not equal; jumping means game over
So the serial must be 53 characters
004B8A56 8D55 CC LEA EDX,DWORD PTR SS:[EBP-34]
004B8A59 A1 4C144C00 MOV EAX,DWORD PTR DS:[4C144C]
004B8A5E 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B8A60 8B80 F0020000 MOV EAX,DWORD PTR DS:[EAX+2F0]
004B8A66 E8 3D85F7FF CALL CrackMeV.00430FA8 //get the name
004B8A6B 837D CC 00 CMP DWORD PTR SS:[EBP-34],0 //name length compared with 0
004B8A6F 0F84 73010000 JE CrackMeV.004B8BE8 //jump if equal; jumping means game over
004B8A75 8D45 C8 LEA EAX,DWORD PTR SS:[EBP-38]
004B8A78 50 PUSH EAX
004B8A79 8D55 C0 LEA EDX,DWORD PTR SS:[EBP-40]
004B8A7C A1 4C144C00 MOV EAX,DWORD PTR DS:[4C144C]
004B8A81 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B8A83 8B80 10030000 MOV EAX,DWORD PTR DS:[EAX+310]
004B8A89 E8 1A85F7FF CALL CrackMeV.00430FA8 //get KEY
004B8A8E 8B45 C0 MOV EAX,DWORD PTR SS:[EBP-40] //KEY->EAX
004B8A91 8D55 C4 LEA EDX,DWORD PTR SS:[EBP-3C]
004B8A94 E8 F7F7FFFF CALL CrackMeV.004B8290 //algorithm CALL, step in
=============================================================
Following 004B8A94
004B8290 55 PUSH EBP
004B8291 8BEC MOV EBP,ESP
004B8293 B9 0F000000 MOV ECX,0F
004B8298 6A 00 PUSH 0
004B829A 6A 00 PUSH 0
004B829C 49 DEC ECX
004B829D ^ 75 F9 JNZ SHORT CrackMeV.004B8298
004B829F 53 PUSH EBX
004B82A0 56 PUSH ESI
004B82A1 57 PUSH EDI
004B82A2 8955 F8 MOV DWORD PTR SS:[EBP-8],EDX
004B82A5 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004B82A8 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B82AB E8 60BDF4FF CALL CrackMeV.00404010
004B82B0 33C0 XOR EAX,EAX
004B82B2 55 PUSH EBP
004B82B3 68 21874B00 PUSH CrackMeV.004B8721
004B82B8 64:FF30 PUSH DWORD PTR FS:[EAX]
004B82BB 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B82BE C745 F0 2400000>MOV DWORD PTR SS:[EBP-10],24
004B82C5 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //KEY->EAX
004B82C8 E8 8FBBF4FF CALL CrackMeV.00403E5C //get the length of KEY
004B82CD 25 01000080 AND EAX,80000001 //KEY length AND 80000001->EAX
004B82D2 79 05 JNS SHORT CrackMeV.004B82D9
004B82D4 48 DEC EAX
004B82D5 83C8 FE OR EAX,FFFFFFFE
004B82D8 40 INC EAX
004B82D9 85C0 TEST EAX,EAX //test
004B82DB 0F85 07020000 JNZ CrackMeV.004B84E8 //jump if non-zero: after AND 80000001 the KEY length leaves
EAX=1 if it is odd and EAX=0 if it is even; since our KEY is 7 characters long this always jumps to 004B84E8
004B82E1 8D55 D4 LEA EDX,DWORD PTR SS:[EBP-2C]
............
004B84DE FF4D D8 DEC DWORD PTR SS:[EBP-28]
004B84E1 ^ 75 C2 JNZ SHORT CrackMeV.004B84A5
004B84E3 E9 FE010000 JMP CrackMeV.004B86E6
004B84E8 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54] //jumps to here
004B84EB 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //KEY->EAX
004B84EE E8 FDFCFFFF CALL CrackMeV.004B81F0 //reverse the KEY
004B84F3 8B55 AC MOV EDX,DWORD PTR SS:[EBP-54] //reversed KEY string->EDX
004B84F6 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004B84F9 E8 76B7F4FF CALL CrackMeV.00403C74
004B84FE BE 80000000 MOV ESI,80 //80->ESI
004B8503 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
004B8506 BA 58000000 MOV EDX,58 //58->EDX
004B850B B8 38874B00 MOV EAX,CrackMeV.004B8738
004B8510 E8 B7FBFFFF CALL CrackMeV.004B80CC //get the string WoAiZhangLiangYing!->EDX
004B8515 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //FKEY->EAX
004B8518 E8 3FB9F4FF CALL CrackMeV.00403E5C //get the length of FKEY
004B851D 85C0 TEST EAX,EAX //test
004B851F 0F8E AF000000 JLE CrackMeV.004B85D4
004B8525 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX //FKEY length->SS:[EBP-28]
004B8528 BB 01000000 MOV EBX,1 //1->EBX
004B852D 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //FKEY->EAX
004B8530 33C9 XOR ECX,ECX //ECX=0
004B8532 8A4C18 FF MOV CL,BYTE PTR DS:[EAX+EBX-1] //FKEY character ASCII->CL
004B8536 03CE ADD ECX,ESI //ECX=ECX+ESI (ESI starts at 80)
004B8538 8BC1 MOV EAX,ECX //ECX->EAX as the dividend
004B853A B9 FF000000 MOV ECX,0FF //ECX=0FFH
004B853F 99 CDQ //EDX=0
004B8540 F7F9 IDIV ECX //EAX/ECX, quotient->EAX, remainder->EDX
004B8542 8BF2 MOV ESI,EDX //remainder->ESI
004B8544 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C] //string WoAiZhangLiangYing!->EAX
004B8547 33C9 XOR ECX,ECX //ECX=0
004B8549 8A4C18 FF MOV CL,BYTE PTR DS:[EAX+EBX-1] //ASCII of the WoAiZhangLiangYing! character->CL
004B854D 33F1 XOR ESI,ECX //remainder XOR ASCII of the WoAiZh... character
004B854F 8BC3 MOV EAX,EBX //EBX->EAX
004B8551 25 01000080 AND EAX,80000001 //EAX=EAX AND 80000001; EAX=1 if odd, EAX=0 if even
004B8556 79 05 JNS SHORT CrackMeV.004B855D
004B8558 48 DEC EAX
004B8559 83C8 FE OR EAX,FFFFFFFE
004B855C 40 INC EAX
004B855D 85C0 TEST EAX,EAX //test EAX
004B855F 74 1C JE SHORT CrackMeV.004B857D //jump if zero, i.e. even positions jump
004B8561 8D4D A8 LEA ECX,DWORD PTR SS:[EBP-58]
004B8564 BA 02000000 MOV EDX,2 //2->EDX
004B8569 8BC6 MOV EAX,ESI //remainder->EAX
004B856B E8 5802F5FF CALL CrackMeV.004087C8 //convert the computed value to characters
004B8570 8B55 A8 MOV EDX,DWORD PTR SS:[EBP-58] //characters->EDX
004B8573 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004B8576 E8 E9B8F4FF CALL CrackMeV.00403E64
004B857B EB 4D JMP SHORT CrackMeV.004B85CA //jump to the big loop below, i.e. odd positions jump
004B857D 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18] //even positions jump to here
004B8580 BA 02000000 MOV EDX,2 //2->EDX
004B8585 8BC6 MOV EAX,ESI //remainder->EAX
004B8587 E8 3C02F5FF CALL CrackMeV.004087C8 //convert the remainder to characters
004B858C 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] //remainder characters->EAX
004B858F E8 C8B8F4FF CALL CrackMeV.00403E5C
004B8594 8BF8 MOV EDI,EAX
004B8596 85FF TEST EDI,EDI
004B8598 7E 30 JLE SHORT CrackMeV.004B85CA
004B859A C745 F4 0100000>MOV DWORD PTR SS:[EBP-C],1
004B85A1 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] //remainder characters->EAX
004B85A4 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C] //1->EDX
004B85A7 0FB64410 FF MOVZX EAX,BYTE PTR DS:[EAX+EDX-1] //get the ASCII of characters 1~2
004B85AC 8D4D A4 LEA ECX,DWORD PTR SS:[EBP-5C]
004B85AF BA 02000000 MOV EDX,2 //2->EDX
004B85B4 E8 0F02F5FF CALL CrackMeV.004087C8 //convert the ASCII of the first character to characters
004B85B9 8B55 A4 MOV EDX,DWORD PTR SS:[EBP-5C]
004B85BC 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004B85BF E8 A0B8F4FF CALL CrackMeV.00403E64
004B85C4 FF45 F4 INC DWORD PTR SS:[EBP-C]
004B85C7 4F DEC EDI
004B85C8 ^ 75 D7 JNZ SHORT CrackMeV.004B85A1 //inner loop: splits the ASCII of the remainder's characters into two characters
004B85CA 43 INC EBX
004B85CB FF4D D8 DEC DWORD PTR SS:[EBP-28] //loop counter
004B85CE ^ 0F85 59FFFFFF JNZ CrackMeV.004B852D //loop condition
The computation above works out as follows:
Input KEY=1234567 (provisional, because these characters have to be found by the inverse computation below)
Reversed: 7  6  5  4  3  2  1
          37 36 35 34 33 32 31
W  o  A  i  Z  h  a  n  gLiangYing!
57 6F 41 69 5A 68 61 6E
Computation:
37+80=B7 MOD FF = B7 XOR 57 = E0 (odd position)
36+E0=116 MOD FF = 17 XOR 6F = 78 (even position, split into 37 38)
35+78=AD MOD FF = AD XOR 41 = EC (odd position)
34+EC=120 MOD FF = 21 XOR 69 = 48 (even position, split into 34 38)
33+48=7B MOD FF = 7B XOR 5A = 21 (odd position)
32+21=53 MOD FF = 53 XOR 68 = 3B (even position, split into 33 42)
31+3B=6C MOD FF = 6C XOR 61 = 0D (odd position)
This gives the string E03738EC34382133420D
004B85D4 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
004B85D7 50 PUSH EAX
004B85D8 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
004B85DB BA 6F000000 MOV EDX,6F //6F->EDX
004B85E0 B8 54874B00 MOV EAX,CrackMeV.004B8754
004B85E5 E8 E2FAFFFF CALL CrackMeV.004B80CC
004B85EA 8B4D 9C MOV ECX,DWORD PTR SS:[EBP-64] //fixed string 6143614665654C21->ECX
004B85ED 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
004B85F0 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14] //string E03738EC34382133420D->EDX
004B85F3 E8 B0B8F4FF CALL CrackMeV.00403EA8 //concatenate the two strings
004B85F8 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60] //E03738EC34382133420D6143614665654C21->EAX
004B85FB B9 10000000 MOV ECX,10 //10H->ECX, used to take a substring
004B8600 BA 01000000 MOV EDX,1 //1->EDX, used to take a substring
004B8605 E8 5ABAF4FF CALL CrackMeV.00404064 //take the first 16 characters of the concatenated string
004B860A 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] //the substring E03738EC34382133->EAX
004B860D E8 4AB8F4FF CALL CrackMeV.00403E5C //get its length
004B8612 85C0 TEST EAX,EAX //test
004B8614 7E 68 JLE SHORT CrackMeV.004B867E
004B8616 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX //0AH->SS:[EBP-28] as the counter
004B8619 BB 01000000 MOV EBX,1 //1->EBX
004B861E 8BC3 MOV EAX,EBX //EBX->EAX
004B8620 25 01000080 AND EAX,80000001 //EAX=EAX AND 80000001
004B8625 79 05 JNS SHORT CrackMeV.004B862C
004B8627 48 DEC EAX
004B8628 83C8 FE OR EAX,FFFFFFFE
004B862B 40 INC EAX
004B862C 85C0 TEST EAX,EAX //test
004B862E 74 48 JE SHORT CrackMeV.004B8678 //jump if zero, i.e. even positions jump
004B8630 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
004B8633 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
004B8636 E8 49B7F4FF CALL CrackMeV.00403D84
004B863B 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
004B863E 50 PUSH EAX
004B863F 8D45 90 LEA EAX,DWORD PTR SS:[EBP-70]
004B8642 50 PUSH EAX
004B8643 B9 02000000 MOV ECX,2
004B8648 8BD3 MOV EDX,EBX
004B864A 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004B864D E8 12BAF4FF CALL CrackMeV.00404064
004B8652 8B55 90 MOV EDX,DWORD PTR SS:[EBP-70]
004B8655 58 POP EAX
004B8656 E8 09B8F4FF CALL CrackMeV.00403E64
004B865B 8B45 94 MOV EAX,DWORD PTR SS:[EBP-6C]
004B865E E8 A101F5FF CALL CrackMeV.00408804 ; +$
004B8663 8BD0 MOV EDX,EAX
004B8665 8D45 98 LEA EAX,DWORD PTR SS:[EBP-68]
004B8668 E8 17B7F4FF CALL CrackMeV.00403D84
004B866D 8B55 98 MOV EDX,DWORD PTR SS:[EBP-68]
004B8670 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004B8673 E8 ECB7F4FF CALL CrackMeV.00403E64
004B8678 43 INC EBX
004B8679 FF4D D8 DEC DWORD PTR SS:[EBP-28]
004B867C ^ 75 A0 JNZ SHORT CrackMeV.004B861E //loop
004B867E 8D55 8C LEA EDX,DWORD PTR SS:[EBP-74]
004B8681 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
004B8684 E8 67FBFFFF CALL CrackMeV.004B81F0 //reverse the string E03738EC34382133 into 33213834EC3837E0
004B8689 8B55 8C MOV EDX,DWORD PTR SS:[EBP-74]
004B868C 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
004B868F E8 E0B5F4FF CALL CrackMeV.00403C74
004B8694 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20]
004B8697 E8 C0B7F4FF CALL CrackMeV.00403E5C
004B869C 85C0 TEST EAX,EAX
004B869E 7E 46 JLE SHORT CrackMeV.004B86E6
004B86A0 8945 D8 MOV DWORD PTR SS:[EBP-28],EAX
004B86A3 BB 01000000 MOV EBX,1
004B86A8 8B45 E0 MOV EAX,DWORD PTR SS:[EBP-20] //reversed string->EAX
004B86AB 33C9 XOR ECX,ECX
004B86AD 8A4C18 FF MOV CL,BYTE PTR DS:[EAX+EBX-1] //reversed string ASCII->CL
004B86B1 03CE ADD ECX,ESI //ECX=ECX ADD ESI (ESI starts at the 0D obtained above)
004B86B3 8BC1 MOV EAX,ECX //ECX->EAX
004B86B5 B9 FF000000 MOV ECX,0FF //ECX=FF
004B86BA 99 CDQ //EDX=0
004B86BB F7F9 IDIV ECX //division: quotient->EAX, remainder->EDX
004B86BD 8BF2 MOV ESI,EDX //remainder->ESI
004B86BF B9 2B000000 MOV ECX,2B //2B->ECX
004B86C4 33F1 XOR ESI,ECX //ESI=ESI XOR 2B
004B86C6 8D4D 88 LEA ECX,DWORD PTR SS:[EBP-78]
004B86C9 BA 12000000 MOV EDX,12 //12->EDX
004B86CE 8BC6 MOV EAX,ESI //ESI->EAX
004B86D0 E8 F300F5FF CALL CrackMeV.004087C8
004B86D5 8B55 88 MOV EDX,DWORD PTR SS:[EBP-78]
004B86D8 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
004B86DB E8 84B7F4FF CALL CrackMeV.00403E64
004B86E0 43 INC EBX
004B86E1 FF4D D8 DEC DWORD PTR SS:[EBP-28] //counter
004B86E4 ^ 75 C2 JNZ SHORT CrackMeV.004B86A8 //loop
The computation above works out as follows:
33 21 38 34 EC 38 37 E0
33+0D=40 MOD FF = 40 XOR 2B = 6B
21+6B=8C MOD FF = 8C XOR 2B = A7
38+A7=DF MOD FF = DF XOR 2B = F4
34+F4=128 MOD FF = 29 XOR 2B = 02
EC+02=EE MOD FF = EE XOR 2B = C5
38+C5=FD MOD FF = FD XOR 2B = D6
37+D6=10D MOD FF = 0E XOR 2B = 25
E0+25=105 MOD FF = 6 XOR 2B = 2D
This gives the string 6BA7F42C5D6252D
==================================================================
004B8A99 8B45 C4 MOV EAX,DWORD PTR SS:[EBP-3C] //the computed string 6BA7F42C5D6252D->EAX
004B8A9C B9 08000000 MOV ECX,8 //8->ECX, used to take a substring
004B8AA1 BA 08000000 MOV EDX,8 //8->EDX, used to take a substring
004B8AA6 E8 B9B5F4FF CALL CrackMeV.00404064 //take 8 characters of 6BA7F42C5D6252D starting at position 8
004B8AAB 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38] //the substring C5D6252D->EAX
004B8AAE 50 PUSH EAX //push it
004B8AAF 8D4D BC LEA ECX,DWORD PTR SS:[EBP-44]
004B8AB2 BA 21000000 MOV EDX,21 //21->EDX
004B8AB7 B8 5C8D4B00 MOV EAX,CrackMeV.004B8D5C
004B8ABC E8 87F5FFFF CALL CrackMeV.004B8048 //get the fixed string 334DAABA
004B8AC1 8B55 BC MOV EDX,DWORD PTR SS:[EBP-44] //string 334DAABA->EDX
004B8AC4 58 POP EAX //pop the substring C5D6252D
004B8AC5 E8 A2B4F4FF CALL CrackMeV.00403F6C //compare the two strings
004B8ACA 0F85 18010000 JNZ CrackMeV.004B8BE8 //jump if not equal; jumping means game over
Here we can see that the KEY string goes through this series of operations and the 8 characters taken at the end must equal 334DAABA, so the KEY can be derived backwards from this point.
Since only the trailing 8 characters are compared, the values that influence those 8 characters are the trailing 8 characters of 33213834EC3837E0, namely EC3837E0.
Since these 8 are computed from the 8 before them, we can keep the first 8 unchanged and only change the last 8 so that the computation yields 334DAABA:
33 21 38 34 EC 38 37 E0
         2  33 4D AA BA
            18 66 81 91
Working backwards gives
18 XOR 2B = 33
66 XOR 2B = 4D
81 XOR 2B = AA
91 XOR 2B = BA
18-2=16
66-33=33
81-4D=34
91+FF-AA=E6
So the values after the computation at 004B8540 must be 42 33 21 38 34 16 33 34 E6 for the trailing 8 characters computed at 004B86C4 to satisfy the condition.
42 33 21 38 34 16 33 34 E6
Reversed:
E6 34 33 16 34 38 21 33 42
   43       48       3B
W  o     A  i     Z  h  angLiangYing!
57 6F    41 69    5A 68
Because
57 XOR B1 = E6
6F XOR 2C = 43
41 XOR 57 = 16
69 XOR 21 = 48
5A XOR 7B = 21
68 XOR 53 = 3B
we get B1 2C 57 21 7B 53; the initial value of ESI is 80H
B1-80=31 (ASCII of KEY character 7)
2C+FF-E6=45 (ASCII of KEY character 6)
57-43=14 (ASCII of KEY character 5)
21-16=5 (ASCII of KEY character 4)
7B-48=33 (ASCII of KEY character 3)
53-21=32 (ASCII of KEY character 2)
We can see that the first 3 characters of the KEY are unchanged, still 123, and the last 4 are E1 preceded by two special characters (characters 4 and 5, with ASCII codes 5 and 14, which cannot be typed on the keyboard; enter them by copy and paste)
==================================================================
004B8AD0 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]
004B8AD3 50 PUSH EAX
004B8AD4 8D55 B4 LEA EDX,DWORD PTR SS:[EBP-4C]
004B8AD7 A1 4C144C00 MOV EAX,DWORD PTR DS:[4C144C]
004B8ADC 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B8ADE 8B80 F8020000 MOV EAX,DWORD PTR DS:[EAX+2F8]
004B8AE4 E8 BF84F7FF CALL CrackMeV.00430FA8 //get the registration code
004B8AE9 8B45 B4 MOV EAX,DWORD PTR SS:[EBP-4C] //registration code->EAX
004B8AEC B9 08000000 MOV ECX,8 //8->ECX, used to take a substring
004B8AF1 BA 25000000 MOV EDX,25 //25H->EDX, used to take a substring
004B8AF6 E8 69B5F4FF CALL CrackMeV.00404064 //take 8 characters of the registration code starting at position 37
004B8AFB 8B45 B8 MOV EAX,DWORD PTR SS:[EBP-48] //registration code characters 37~44->EAX
004B8AFE 50 PUSH EAX //push registration code characters 37~44
004B8AFF 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
004B8B02 50 PUSH EAX
004B8B03 8D55 A8 LEA EDX,DWORD PTR SS:[EBP-58]
004B8B06 A1 4C144C00 MOV EAX,DWORD PTR DS:[4C144C]
004B8B0B 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B8B0D 8B80 10030000 MOV EAX,DWORD PTR DS:[EAX+310]
004B8B13 E8 9084F7FF CALL CrackMeV.00430FA8 //get the KEY string
004B8B18 8B45 A8 MOV EAX,DWORD PTR SS:[EBP-58] //KEY string->EAX
004B8B1B 8D55 AC LEA EDX,DWORD PTR SS:[EBP-54]
004B8B1E E8 6DF7FFFF CALL CrackMeV.004B8290 //run the same algorithm as above to get the string
004B8B23 8B45 AC MOV EAX,DWORD PTR SS:[EBP-54] //string->EAX
004B8B26 B9 08000000 MOV ECX,8 //8->ECX, used to take a substring
004B8B2B BA 08000000 MOV EDX,8 //8->EDX, used to take a substring
004B8B30 E8 2FB5F4FF CALL CrackMeV.00404064 //take the substring
004B8B35 8B55 B0 MOV EDX,DWORD PTR SS:[EBP-50] //substring->EDX
004B8B38 58 POP EAX //pop registration code characters 37~44
004B8B39 E8 2EB4F4FF CALL CrackMeV.00403F6C //compare
004B8B3E 0F85 A4000000 JNZ CrackMeV.004B8BE8 //jump if not equal; jumping means game over
From here we learn that characters 37~44 of the registration code are 334DAABA
004B8B44 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
004B8B47 50 PUSH EAX
004B8B48 8D55 A0 LEA EDX,DWORD PTR SS:[EBP-60]
004B8B4B A1 4C144C00 MOV EAX,DWORD PTR DS:[4C144C]
004B8B50 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B8B52 8B80 F8020000 MOV EAX,DWORD PTR DS:[EAX+2F8]
004B8B58 E8 4B84F7FF CALL CrackMeV.00430FA8 //get the registration code
004B8B5D 8B45 A0 MOV EAX,DWORD PTR SS:[EBP-60] //registration code->EAX
004B8B60 B9 08000000 MOV ECX,8 //8->ECX, used to take a substring
004B8B65 BA 25000000 MOV EDX,25 //25H->EDX, used to take a substring
004B8B6A E8 F5B4F4FF CALL CrackMeV.00404064 //take 8 characters of the registration code starting at position 37
004B8B6F 8B45 A4 MOV EAX,DWORD PTR SS:[EBP-5C] //registration code characters 37~44->EAX
004B8B72 50 PUSH EAX //push registration code characters 37~44
004B8B73 8D45 98 LEA EAX,DWORD PTR SS:[EBP-68]
004B8B76 50 PUSH EAX
004B8B77 8D55 94 LEA EDX,DWORD PTR SS:[EBP-6C]
004B8B7A A1 4C144C00 MOV EAX,DWORD PTR DS:[4C144C]
004B8B7F 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B8B81 8B80 F8020000 MOV EAX,DWORD PTR DS:[EAX+2F8]
004B8B87 E8 1C84F7FF CALL CrackMeV.00430FA8 //get the registration code
004B8B8C 8B45 94 MOV EAX,DWORD PTR SS:[EBP-6C] //registration code->EAX
004B8B8F B9 08000000 MOV ECX,8 //8->ECX, used to take a substring
004B8B94 BA 2E000000 MOV EDX,2E //2EH->EDX, used to take a substring
004B8B99 E8 C6B4F4FF CALL CrackMeV.00404064 //take registration code characters 46~53
004B8B9E 8B45 98 MOV EAX,DWORD PTR SS:[EBP-68] //registration code characters 46~53->EAX
004B8BA1 50 PUSH EAX //push registration code characters 46~53
004B8BA2 8D55 90 LEA EDX,DWORD PTR SS:[EBP-70]
004B8BA5 A1 4C144C00 MOV EAX,DWORD PTR DS:[4C144C]
004B8BAA 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B8BAC 8B80 10030000 MOV EAX,DWORD PTR DS:[EAX+310]
004B8BB2 E8 F183F7FF CALL CrackMeV.00430FA8 //get the KEY string
004B8BB7 8B45 90 MOV EAX,DWORD PTR SS:[EBP-70] //KEY string->EAX
004B8BBA E8 9DB2F4FF CALL CrackMeV.00403E5C //get the length of the KEY string
004B8BBF 8BD0 MOV EDX,EAX //length->EDX
004B8BC1 8D4D 9C LEA ECX,DWORD PTR SS:[EBP-64]
004B8BC4 58 POP EAX //pop registration code characters 46~53
004B8BC5 E8 02F5FFFF CALL CrackMeV.004B80CC //the algorithm CALL, step into it
=====================================================================
Stepping into the CALL at 004B8BC5
004B80CC 55 PUSH EBP
004B80CD 8BEC MOV EBP,ESP
004B80CF 83C4 F8 ADD ESP,-8
004B80D2 53 PUSH EBX
004B80D3 56 PUSH ESI
004B80D4 57 PUSH EDI
004B80D5 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
004B80D8 8BFA MOV EDI,EDX
004B80DA 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004B80DD 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004B80E0 E8 2BBFF4FF CALL CrackMeV.00404010
004B80E5 33C0 XOR EAX,EAX
004B80E7 55 PUSH EBP
004B80E8 68 41814B00 PUSH CrackMeV.004B8141
004B80ED 64:FF30 PUSH DWORD PTR FS:[EAX]
004B80F0 64:8920 MOV DWORD PTR FS:[EAX],ESP
004B80F3 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4] //registration code characters 46~53->EAX
004B80F6 E8 61BDF4FF CALL CrackMeV.00403E5C //get the length of registration code characters 46~53
004B80FB 8BF0 MOV ESI,EAX //EAX->ESI
004B80FD 85F6 TEST ESI,ESI //test
004B80FF 7E 1F JLE SHORT CrackMeV.004B8120
004B8101 BB 01000000 MOV EBX,1 //1->EBX
004B8106 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004B8109 E8 1EBFF4FF CALL CrackMeV.0040402C //get the registration code 46~53 string
004B810E 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] //registration code characters 46~53->EDX
004B8111 0FB6541A FF MOVZX EDX,BYTE PTR DS:[EDX+EBX-1] //ASCII of a registration code 46~53 character->EDX
004B8116 2BD7 SUB EDX,EDI //EDX=ASCII of each registration code 46~53 character minus 7
004B8118 885418 FF MOV BYTE PTR DS:[EAX+EBX-1],DL //store the result
004B811C 43 INC EBX //EBX+1
004B811D 4E DEC ESI //ESI-1
004B811E ^ 75 E6 JNZ SHORT CrackMeV.004B8106 //continue until every character is done
004B8120 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] //result->EAX
004B8123 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004B8126 E8 05BBF4FF CALL CrackMeV.00403C30
004B812B 33C0 XOR EAX,EAX
004B812D 5A POP EDX
004B812E 59 POP ECX
004B812F 59 POP ECX
004B8130 64:8910 MOV DWORD PTR FS:[EAX],EDX
004B8133 68 48814B00 PUSH CrackMeV.004B8148
004B8138 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004B813B E8 9CBAF4FF CALL CrackMeV.00403BDC
004B8140 C3 RETN
==================================================================
004B8BCA 8B55 9C MOV EDX,DWORD PTR SS:[EBP-64] //result->EDX
004B8BCD 58 POP EAX //pop 334DAABA
004B8BCE E8 99B3F4FF CALL CrackMeV.00403F6C //compare the result with 334DAABA
004B8BD3 75 13 JNZ SHORT CrackMeV.004B8BE8 //jump if not equal; jumping means game over
From here we learn that characters 46~53 of the registration code are ::;KHHIH
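To re-check the trace above in code, here is an added Python model (mine, not the author's or the crackme's code) of the KEY transform at 004B8290, the character shift at 004B80CC and the comparisons that follow the algorithm CALL; the function names are mine, and the one assumption, that the IntToHex-style routine at 004087C8 only zero-pads when asked for at most 16 digits, is marked in the code.

```python
# Added example, not the author's or the crackme's own code: a model of the KEY
# transform at 004B8290, the per-character shift at 004B80CC and the checks that
# follow the algorithm CALL. Names are mine; constants are read off the trace above.
WOAI = b"WoAiZhangLiangYing!"   # decoded at 004B8510 (string at 004B8738 minus 58H)
FIXED_TAIL = "6143614665654C21"  # decoded at 004B85E5 (string at 004B8754 minus 6FH)
TARGET = "334DAABA"             # decoded at 004B8ABC (string at 004B8D5C minus 21H)

def int_to_hex(value, digits):
    # Model of the IntToHex-style routine at 004087C8. Called with 12H digits it
    # emitted 02 as "2" in the trace, so a width above 16 is taken to mean no
    # zero padding (assumption that reproduces the author's 6BA7F42C5D6252D).
    text = f"{value:X}"
    return text.zfill(digits) if digits <= 16 else text

def shift_chars(s, delta):
    # 004B80CC: subtract EDX from every character; the crackme uses it both to
    # decode its embedded strings and to check CODE chars 46..53 against Length(KEY).
    return "".join(chr((ord(c) - delta) & 0xFF) for c in s)

def transform(key):
    # Odd-length KEY branch of 004B8290 (the even-length branch is elided on the page).
    if len(key) % 2 == 0:
        raise ValueError("only the odd-length KEY path is traced on the page")
    esi = 0x80                                     # 004B84FE
    stage1 = ""
    for i, c in enumerate(key[::-1], start=1):     # 004B81F0 reverses the KEY
        esi = ((c + esi) % 0xFF) ^ WOAI[i - 1]     # 004B8536..004B854D
        pair = int_to_hex(esi, 2)
        if i % 2:                                  # odd position: the hex pair itself
            stage1 += pair
        else:                                      # even position: ASCII of each digit
            stage1 += "".join(int_to_hex(ord(ch), 2) for ch in pair)
    head = (stage1 + FIXED_TAIL)[:16]              # 004B85F3..004B8605
    # 004B861E..004B867C turns "$"+pair into a char (hex pairs back to bytes);
    # 004B8684 then reverses those bytes.
    raw = bytes(int(head[j:j + 2], 16) for j in range(0, 16, 2))[::-1]
    out = ""
    for b in raw:                                  # 004B86A8..004B86E4; esi carries over
        esi = ((b + esi) % 0xFF) ^ 0x2B
        out += int_to_hex(esi, 0x12)
    return out

def check_code(key, code):
    # The comparisons after the CALL; Delphi Copy(s, 8, 8) is s[7:15] here.
    if len(code) != 0x35:                          # 004B8A4D: 53 characters
        return False
    tail = transform(key)[7:15]                    # 004B8A9C..004B8AA6
    if tail != TARGET or code[36:44] != tail:      # 004B8AC5 and 004B8B39
        return False
    return shift_chars(code[45:53], len(key)) == TARGET   # 004B8BC5..004B8BD3

if __name__ == "__main__":
    print(transform(b"1234567"))                   # 6BA7F42C5D6252D, as in the trace
```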
004B8BD5 A1 4C144C00 MOV EAX,DWORD PTR DS:[4C144C]
004B8BDA 8B00 MOV EAX,DWORD PTR DS:[EAX]
004B8BDC 8B80 E0020000 MOV EAX,DWORD PTR DS:[EAX+2E0]
004B8BE2 8078 38 01 CMP BYTE PTR DS:[EAX+38],1
004B8BE6 74 43 JE SHORT CrackMeV.004B8C2B //and this flies off to the shore of success
004B8BE8 E8 0BF3FFFF CALL CrackMeV.004B7EF8
004B8BED 8B15 04294C00 MOV EDX,DWORD PTR DS:[4C2904]
004B8BF3 A1 FC284C00 MOV EAX,DWORD PTR DS:[4C28FC]
004B8BF8 E8 DB83F7FF CALL CrackMeV.00430FD8
004B8BFD A1 FC284C00 MOV EAX,DWORD PTR DS:[4C28FC]
004B8C02 8B80 D4020000 MOV EAX,DWORD PTR DS:[EAX+2D4]
004B8C08 8B15 08294C00 MOV EDX,DWORD PTR DS:[4C2908]
004B8C0E E8 C583F7FF CALL CrackMeV.00430FD8
004B8C13 A1 FC284C00 MOV EAX,DWORD PTR DS:[4C28FC]
004B8C18 8B80 DC020000 MOV EAX,DWORD PTR DS:[EAX+2DC]
004B8C1E 8B15 0C294C00 MOV EDX,DWORD PTR DS:[4C290C]
004B8C24 E8 AF83F7FF CALL CrackMeV.00430FD8
004B8C29 EB 55 JMP SHORT CrackMeV.004B8C8
==================================================================
004BB58E |. A1 70174C00 MOV EAX,DWORD PTR DS:[4C1770]
004BB593 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004BB595 |. E8 7A79F4FF CALL 1.00402F14
004BB59A |. E9 9D000000 JMP 1.004BB63C
===================================================================
The wrong-registration message box
004BB59F |> 8B0D 08164C00 MOV ECX,DWORD PTR DS:[4C1608] ; 1.004C27D0
004BB5A5 |. 8B09 MOV ECX,DWORD PTR DS:[ECX]
004BB5A7 |. B2 01 MOV DL,1
004BB5A9 |. A1 487D4B00 MOV EAX,DWORD PTR DS:[4B7D48]
004BB5AE |. E8 F9C9FFFF CALL 1.004B7FAC
004BB5B3 |. 8B15 70174C00 MOV EDX,DWORD PTR DS:[4C1770] ; 1.004C28FC
004BB5B9 |. 8902 MOV DWORD PTR DS:[EDX],EAX
004BB5BB |. 8B15 70174C00 MOV EDX,DWORD PTR DS:[4C1770] ; 1.004C28FC
004BB5C1 |. 8B12 MOV EDX,DWORD PTR DS:[EDX]
004BB5C3 |. 8B83 D8020000 MOV EAX,DWORD PTR DS:[EBX+2D8]
004BB5C9 |. E8 9A8CFFFF CALL 1.004B4268
004BB5CE |. A1 70174C00 MOV EAX,DWORD PTR DS:[4C1770]
004BB5D3 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004BB5D5 |. BA 0CB84B00 MOV EDX,1.004BB80C ; Wrong
004BB5DA |. E8 F959F7FF CALL 1.00430FD8
004BB5DF |. A1 70174C00 MOV EAX,DWORD PTR DS:[4C1770]
004BB5E4 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004BB5E6 |. 8B80 D4020000 MOV EAX,DWORD PTR DS:[EAX+2D4]
004BB5EC |. BA 1CB84B00 MOV EDX,1.004BB81C ; ! Wrong Code !\r\rNot CrackED\rTry It Again\r\r! Wrong Code !
A working set of registration data:
NAME:ayan
KEY:123 E1 (the two middle characters are special characters with ASCII codes 5 and 14; enter them by copy and paste)
CODE:aCaFeeL:|11111111|JmjjfZpt|81C91A76|334DAABA9::;KHHIH