【文章标题】: "随便瞎写的crackme2"破解分析
【文章作者】: netwind
【下载地址】: 自己搜索下载
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
断MessageBox找到如下代码:
00401946 . 68 847D4000 push 00407D84 ; 注册名
0040194B . 8BF1 mov esi, ecx
0040194D . 68 E8030000 push 3E8
00401952 . E8 112C0000 call <jmp.&MFC42.#3098_CWnd::GetDlgIt>
00401957 . 68 2D010000 push 12D
0040195C . 68 4C7E4000 push 00407E4C ; 注册码
00401961 . 68 EA030000 push 3EA
00401966 . 8BCE mov ecx, esi
00401968 . E8 FB2B0000 call <jmp.&MFC42.#3098_CWnd::GetDlgIt>
0040196D . 68 4C7E4000 push 00407E4C ; /Arg2 =
00401972 . 68 847D4000 push 00407D84 ; |Arg1 =
00401977 . 8BCE mov ecx, esi ; |
00401979 . E8 32FDFFFF call 004016B0 ; \crackme2.004016B0
0040197E . 84C0 test al, al
00401980 . 6A 00 push 0
00401982 . 74 13 je short 00401997
00401984 . 68 44704000 push 00407044
00401989 . 68 38704000 push 00407038
0040198E . 8BCE mov ecx, esi
00401990 . E8 D92B0000 call <jmp.&MFC42.#4224_CWnd::MessageB>
00401995 . 5E pop esi
00401996 . C3 retn
00401997 > 68 30704000 push 00407030
0040199C . 68 24704000 push 00407024
004019A1 . 8BCE mov ecx, esi
004019A3 . E8 C62B0000 call <jmp.&MFC42.#4224_CWnd::MessageB>
call 004016B0 对注册码进行验证,4016b0处代码分析如下:
0040176F |. E8 F42D0000 call <jmp.&MFC42.#3098_CWnd::GetDl>
00401774 |. 8BF8 mov edi, eax
00401776 |. 83FF 03 cmp edi, 3
00401779 |. 0F8C AE010000 jl 0040192D ; 注册名长度小于3,game over
0040177F |. E8 34370000 call 00404EB8 ; 在内存407fe0处放数据01234..9abcdef fedcba98....210
00401784 |. 57 push edi ; 注册名长度
00401785 |. 55 push ebp ; 注册名
00401786 |. E8 6D370000 call 00404EF8
0040178B |. E8 C8370000 call 00404F58 ; 很长的算法对内存放的数据修改
00401790 |. 8B08 mov ecx, dword ptr [eax]
00401792 |. 894C24 4C mov dword ptr [esp+4C], ecx
00401796 |. 8B50 04 mov edx, dword ptr [eax+4]
00401799 |. 895424 50 mov dword ptr [esp+50], edx
0040179D |. 8B48 08 mov ecx, dword ptr [eax+8]
004017A0 |. 894C24 54 mov dword ptr [esp+54], ecx
004017A4 |. 8B50 0C mov edx, dword ptr [eax+C]
004017A7 |. 8D8424 A80000>lea eax, dword ptr [esp+A8]
004017AE |. 8D4C24 4C lea ecx, dword ptr [esp+4C]
004017B2 |. 50 push eax ; 将修改后的内存的数据压栈
004017B3 |. 6A 10 push 10
004017B5 |. 51 push ecx
004017B6 |. 895424 64 mov dword ptr [esp+64], edx
004017BA |. E8 A1FEFFFF call 00401660 ; 将内存里的数据当做字符并把对应asm码放入堆栈
004017BF |. 8BAC24 740100>mov ebp, dword ptr [esp+174] ; 取注册码
004017C6 |. 83C4 0C add esp, 0C
004017C9 |. 8BCE mov ecx, esi
004017CB |. 68 2D010000 push 12D
004017D0 |. 55 push ebp
004017D1 |. 68 EA030000 push 3EA
004017D6 |. E8 8D2D0000 call <jmp.&MFC42.#3098_CWnd::GetDl>
004017DB |. 8B3D D4614000 mov edi, dword ptr [<&MSVCRT.isxd>; msvcrt.isxdigit
004017E1 |. 33F6 xor esi, esi
004017E3 |> 0FBE142E /movsx edx, byte ptr [esi+ebp] ; 取注册码的一个字符
004017E7 |. 52 |push edx
004017E8 |. FFD7 |call edi ; 判断是否是16进制数 a-f ,A-F,0-9之间
004017EA |. 83C4 04 |add esp, 4
004017ED |. 85C0 |test eax, eax
004017EF |. 0F84 38010000 |je 0040192D ; 跳了就挂
004017F5 |. 46 |inc esi
004017F6 |. 83FE 09 |cmp esi, 9 ; 取前9位
004017F9 |.^ 7C E8 \jl short 004017E3
004017FB |. BE 0A000000 mov esi, 0A
00401800 |> 0FBE042E /movsx eax, byte ptr [esi+ebp]
00401804 |. 50 |push eax
00401805 |. FFD7 |call edi
00401807 |. 83C4 04 |add esp, 4
0040180A |. 85C0 |test eax, eax
0040180C |. 0F84 1B010000 |je 0040192D ; 跳了就挂
00401812 |. 46 |inc esi
00401813 |. 83FE 13 |cmp esi, 13
00401816 |.^ 7C E8 \jl short 00401800
00401818 |. 8A4D 09 mov cl, byte ptr [ebp+9] ; 取第10位
0040181B |. B0 2D mov al, 2D
0040181D |. 3AC8 cmp cl, al ; 第10位要为2D //这个符号把注册码三个串分开了
0040181F |. 0F85 08010000 jnz 0040192D ; 跳了就挂
00401825 |. 3845 13 cmp byte ptr [ebp+13], al ; 第20位要为2d
00401828 |. 0F85 FF000000 jnz 0040192D ; 跳了就挂
0040182E |. 8D7D 14 lea edi, dword ptr [ebp+14] ; 取第20位以后的串
00401831 |. 83C9 FF or ecx, FFFFFFFF
00401834 |. 33C0 xor eax, eax
00401836 |. 8D9424 040100>lea edx, dword ptr [esp+104]
0040183D |. F2:AE repne scas byte ptr es:[edi]
0040183F |. F7D1 not ecx
00401841 |. 2BF9 sub edi, ecx
00401843 |. 8BC1 mov eax, ecx
00401845 |. 8BF7 mov esi, edi
00401847 |. 8BFA mov edi, edx
00401849 |. C1E9 02 shr ecx, 2 ; 串长除以4
0040184C |. F3:A5 rep movs dword ptr es:[edi], dwor>
0040184E |. 8BC8 mov ecx, eax
00401850 |. 8D8424 040100>lea eax, dword ptr [esp+104]
00401857 |. 83E1 03 and ecx, 3
0040185A |. F3:A4 rep movs byte ptr es:[edi], byte >
0040185C |. 8DB424 A80000>lea esi, dword ptr [esp+A8] ; 把前面内存的数据拿出来了,估计要比较了hoho
00401863 |> 8A10 /mov dl, byte ptr [eax] ; 这个循环就是进行比较的(对注册码第三部分比较)
00401865 |. 8ACA |mov cl, dl
00401867 |. 3A16 |cmp dl, byte ptr [esi]
00401869 |. 75 1C |jnz short 00401887
0040186B |. 3ACB |cmp cl, bl
0040186D |. 74 14 |je short 00401883
0040186F |. 8A50 01 |mov dl, byte ptr [eax+1]
00401872 |. 8ACA |mov cl, dl
00401874 |. 3A56 01 |cmp dl, byte ptr [esi+1]
00401877 |. 75 0E |jnz short 00401887
00401879 |. 83C0 02 |add eax, 2
0040187C |. 83C6 02 |add esi, 2
0040187F |. 3ACB |cmp cl, bl
00401881 |.^ 75 E0 \jnz short 00401863
00401883 |> 33C0 xor eax, eax
00401885 |. EB 05 jmp short 0040188C
00401887 |> 1BC0 sbb eax, eax
00401889 |. 83D8 FF sbb eax, -1
0040188C |> 3BC3 cmp eax, ebx
0040188E |. 0F85 99000000 jnz 0040192D ; 跳了就挂
00401894 |. 8BC5 mov eax, ebp
00401896 |. 8D7D 0A lea edi, dword ptr [ebp+A]
00401899 |. 8B08 mov ecx, dword ptr [eax]
0040189B |. 894C24 24 mov dword ptr [esp+24], ecx
0040189F |. 83C9 FF or ecx, FFFFFFFF
004018A2 |. 8B50 04 mov edx, dword ptr [eax+4]
004018A5 |. 895424 28 mov dword ptr [esp+28], edx
004018A9 |. 8D5424 38 lea edx, dword ptr [esp+38]
004018AD |. 8A40 08 mov al, byte ptr [eax+8]
004018B0 |. 884424 2C mov byte ptr [esp+2C], al
004018B4 |. 33C0 xor eax, eax
004018B6 |. F2:AE repne scas byte ptr es:[edi]
004018B8 |. F7D1 not ecx
004018BA |. 2BF9 sub edi, ecx
004018BC |. 8BC1 mov eax, ecx
004018BE |. 8BF7 mov esi, edi
004018C0 |. 8BFA mov edi, edx
004018C2 |. C1E9 02 shr ecx, 2
004018C5 |. F3:A5 rep movs dword ptr es:[edi], dwor>
004018C7 |. 8BC8 mov ecx, eax
004018C9 |. 83E1 03 and ecx, 3
004018CC |. F3:A4 rep movs byte ptr es:[edi], byte >
004018CE |. 8B4C24 38 mov ecx, dword ptr [esp+38]
004018D2 |. 8B5424 3C mov edx, dword ptr [esp+3C]
004018D6 |. 8A4424 40 mov al, byte ptr [esp+40]
004018DA |. 894C24 10 mov dword ptr [esp+10], ecx
004018DE |. 8D4C24 24 lea ecx, dword ptr [esp+24]
004018E2 |. 895424 14 mov dword ptr [esp+14], edx
004018E6 |. 51 push ecx
004018E7 |. 884424 1C mov byte ptr [esp+1C], al
004018EB |. E8 E0FBFFFF call 004014D0 ; 将字符转整数
004018F0 |. 83C4 04 add esp, 4
004018F3 |. 84C0 test al, al
004018F5 |. 74 36 je short 0040192D ; 跳了就挂
004018F7 |. 8D5424 10 lea edx, dword ptr [esp+10]
004018FB |. 52 push edx
004018FC |. E8 CFFBFFFF call 004014D0
00401901 |. 83C4 04 add esp, 4
00401904 |. 84C0 test al, al
00401906 |. 74 25 je short 0040192D ; 跳了就挂
00401908 |. 8D4424 10 lea eax, dword ptr [esp+10]
0040190C |. 8D4C24 24 lea ecx, dword ptr [esp+24]
00401910 |. 50 push eax
00401911 |. 51 push ecx
00401912 |. E8 F9FBFFFF call 00401510 ; 把注册码前两部分进行验证
00401917 |. 83C4 08 add esp, 8
0040191A |. 84C0 test al, al
0040191C |. 74 0F je short 0040192D ; 跳了就挂
0040191E |. 5F pop edi
0040191F |. 5E pop esi
00401920 |. 5D pop ebp
00401921 |. B0 01 mov al, 1
00401923 |. 5B pop ebx
00401924 |. 81C4 50010000 add esp, 150
0040192A |. C2 0800 retn 8
0040192D |> 5F pop edi
0040192E |. 5E pop esi
0040192F |. 5D pop ebp
00401930 |. 32C0 xor al, al
00401932 |. 5B pop ebx
00401933 |. 81C4 50010000 add esp, 150
00401939 \. C2 0800 retn 8
这是个整体的轮廓,
一、我们看看第三部分串是怎么来的
下面对404f58处分析,这个call 实际上算出来的就是注册码第三部分串
00404F58 /$ 56 push esi
00404F59 |. 57 push edi
00404F5A |. 8B0D F47F4000 mov ecx, dword ptr [407FF4]
00404F60 |. C681 A07F4000>mov byte ptr [ecx+407FA0], 80 ; 这里在用户名串后放了个常量
00404F67 |. 83F9 38 cmp ecx, 38 ; 注册名长度比较
00404F6A |. 72 18 jb short 00404F84
00404F6C |. E8 6FF9FFFF call 004048E0
00404F71 |. 33C0 xor eax, eax
00404F73 |. A3 F47F4000 mov dword ptr [407FF4], eax
00404F78 |. BF A07F4000 mov edi, 00407FA0
00404F7D |. B9 10000000 mov ecx, 10
00404F82 |. F3:AB rep stos dword ptr es:[edi]
00404F84 |> A1 F07F4000 mov eax, dword ptr [407FF0] ; 取注册名长度
00404F89 |. 33D2 xor edx, edx
00404F8B |. 0FA4C2 03 shld edx, eax, 3
00404F8F |. C1E0 03 shl eax, 3 ; 把长度左移动了3位
00404F92 |. A3 D87F4000 mov dword ptr [407FD8], eax ; 这里写了个关键的数据,参与后面的对注册名的运算
00404F97 |. 8915 DC7F4000 mov dword ptr [407FDC], edx
00404F9D |. E8 3EF9FFFF call 004048E0 ; 很长的运算把前面放入的内存数据改变了
00404FA2 |. B8 E07F4000 mov eax, 00407FE0
00404FA7 |. 5F pop edi
00404FA8 |. 5E pop esi
00404FA9 \. C3 retn
我们再看4048e0处:
004048E0 /$ 60 pushad
004048E1 |. BE E07F4000 mov esi, 00407FE0 //内存放的数据01234......
004048E6 |. BF A07F4000 mov edi, 00407FA0 //注册名
004048EB |. 8B06 mov eax, dword ptr [esi]
004048ED |. 8B5E 04 mov ebx, dword ptr [esi+4]
004048F0 |. 8B4E 08 mov ecx, dword ptr [esi+8]
004048F3 |. 8BEF mov ebp, edi
004048F5 |. 8B56 0C mov edx, dword ptr [esi+C]
004048F8 |. 8BF9 mov edi, ecx
004048FA |. 33FA xor edi, edx
004048FC |. 23FB and edi, ebx
004048FE |. 33FA xor edi, edx
00404900 |. 0345 00 add eax, dword ptr [ebp] ; 注册名
00404903 |. 8D8438 78A46A>lea eax, dword ptr [eax+edi+D76AA>
0040490A |. C1C0 07 rol eax, 7
0040490D |. 03C3 add eax, ebx
0040490F |. 8BFB mov edi, ebx
.................................................
00404A42 |. 034D 38 add ecx, dword ptr [ebp+38] //那个注册名左移3位后的数据
00404A45 |. 8D8C39 8E4379>lea ecx, dword ptr [ecx+edi+A6794>
00404A4C |. C1C1 11 rol ecx, 11
...........................................
00404E99 |. 035D 24 add ebx, dword ptr [ebp+24]
00404E9C |. 8D9C3B 91D386>lea ebx, dword ptr [ebx+edi+EB86D>
00404EA3 |. C1C3 15 rol ebx, 15
00404EA6 |. 03D9 add ebx, ecx
00404EA8 |. 0106 add dword ptr [esi], eax //这里esi得到的就是最后第三部分串
00404EAA |. 015E 04 add dword ptr [esi+4], ebx
00404EAD |. 014E 08 add dword ptr [esi+8], ecx
00404EB0 |. 0156 0C add dword ptr [esi+C], edx
00404EB3 |. 61 popad
00404EB4 \. C3 retn
二、在看看注册码前两部分怎来的:
我们到401510处看看 再搞什么
00401510 /$ 83EC 0C sub esp, 0C
00401513 |. 53 push ebx
00401514 |. 55 push ebp
00401515 |. 56 push esi
00401516 |. 57 push edi
00401517 |. 6A 10 push 10
00401519 |. 68 00020000 push 200
0040151E |. E8 6D0B0000 call 00402090 ; 开辟内存空间
00401523 |. 6A 00 push 0
00401525 |. C780 34020000>mov dword ptr [eax+234], 10
0040152F |. E8 3C090000 call 00401E70 ; 无聊的call,一切call都是纸老虎
00401534 |. 6A 00 push 0
00401536 |. 8BF8 mov edi, eax
。。。。。。。。。。。。。。。。。。。。。。。
0040156E |. 894424 3C mov dword ptr [esp+3C], eax
00401572 |. 8B4424 44 mov eax, dword ptr [esp+44]
00401576 |. 50 push eax
00401577 |. 57 push edi
00401578 |. E8 73240000 call 004039F0
0040157D |. 8B4C24 50 mov ecx, dword ptr [esp+50] ; 取注册码 把注册码当整数
00401581 |. 51 push ecx
00401582 |. 56 push esi
00401583 |. E8 68240000 call 004039F0
00401588 |. 8B5424 4C mov edx, dword ptr [esp+4C]
0040158C |. 68 20704000 push 00407020
00401591 |. 52 push edx
00401592 |. E8 59240000 call 004039F0
00401597 |. 53 push ebx
00401598 |. 57 push edi
00401599 |. 57 push edi
0040159A |. E8 E11E0000 call 00403480 ; 这里用来计算注册码前两部分
0040159F |. 8B4424 58 mov eax, dword ptr [esp+58]
004015A3 |. 83C4 48 add esp, 48
004015A6 |. 50 push eax
004015A7 |. 56 push esi
004015A8 |. 56 push esi
004015A9 |. E8 121D0000 call 004032C0
004015AE |. 8B4C24 1C mov ecx, dword ptr [esp+1C]
004015B2 |. 55 push ebp
004015B3 |. 56 push esi
004015B4 |. 51 push ecx
004015B5 |. E8 C61E0000 call 00403480
004015BA |. 8B5424 2C mov edx, dword ptr [esp+2C]
004015BE |. 8B4424 30 mov eax, dword ptr [esp+30]
004015C2 |. 52 push edx
004015C3 |. 50 push eax
004015C4 |. 53 push ebx
004015C5 |. E8 F61C0000 call 004032C0
004015CA |. 8B4C24 38 mov ecx, dword ptr [esp+38]
004015CE |. 51 push ecx
004015CF |. 55 push ebp
004015D0 |. E8 9B150000 call 00402B70 ; 前面一堆call 就这个起判断作用
004015D5 |. 83C4 2C add esp, 2C
004015D8 |. 85C0 test eax, eax
004015DA |. 53 push ebx
004015DB 75 3D jnz short 0040161A 这里错了就跳到挂
我们到00403480去看看吧,怎么在计算
来到这发现很长一串代码,跟几次你会发现 关键计算的就这部分:
004036FB |> /8B06 |/mov eax, dword ptr [esi] //串低32位
004036FD |. |83C6 04 ||add esi, 4
00403700 |. |F7E7 ||mul edi //串低32位
00403702 |. |03C5 ||add eax, ebp
00403704 |. |8B2C1E ||mov ebp, dword ptr [esi+ebx]
00403707 |. |83D2 00 ||adc edx, 0
0040370A |. |03E8 ||add ebp, eax
0040370C |. |83D2 00 ||adc edx, 0
0040370F |. |892C1E ||mov dword ptr [esi+ebx], ebp //低位相乘结果保存内存中
00403712 |. |49 ||dec ecx
00403713 |. |8BEA ||mov ebp, edx //记下进位
00403715 |.^\75 E4 |\jnz short 004036FB
00403717 |. 896C1E 04 |mov dword ptr [esi+ebx+4], ebp
0040371B |. 5D |pop ebp
0040371C |.^ EB AC \jmp short 004036CA //循环计算。
0040371E |> E9 76020000 jmp 00403999
实际上 这个call里是两个数想乘的运算,可以是大数。
用aaaaaaaaa-88888888测试你会发现 分别进行的是aaaaaaaaa*aaaaaaaaa保存 (888888888+888888888)*888888888保存
怎么知道是888888888+888888888的呢,通过下内存断点你会找到在如下这个位置产生这个数据
00403019 |> /8B3E /mov edi, dword ptr [esi] ; 生产数据 //这里循环就是将串二+自己得到新串
0040301B |. |8B042E |mov eax, dword ptr [esi+ebp]
0040301E |. |03C7 |add eax, edi
00403020 |. |03C1 |add eax, ecx
00403022 |. |3BC7 |cmp eax, edi
00403024 |. |76 04 |jbe short 0040302A
00403026 |. |33C9 |xor ecx, ecx
00403028 |. |EB 07 |jmp short 00403031
0040302A |> |73 05 |jnb short 00403031
0040302C |. |B9 01000000 |mov ecx, 1
00403031 |> |8B7C24 10 |mov edi, dword ptr [esp+10]
00403035 |. |83C6 04 |add esi, 4
00403038 |. |894437 FC |mov dword ptr [edi+esi-4], eax
0040303C |. |8B4424 14 |mov eax, dword ptr [esp+14]
00403040 |. |48 |dec eax
00403041 |. |894424 14 |mov dword ptr [esp+14], eax
00403045 |.^\75 D2 \jnz short 00403019
在看看对前两部分串严整的call 00402B70 :
有如下关键代码:
00402BCA |> /8B740B FC /mov esi, dword ptr [ebx+ecx-4] //取上面乘法的结果
00402BCE |. |8B79 FC |mov edi, dword ptr [ecx-4] ///。。。。
00402BD1 |. |83E9 04 |sub ecx, 4
00402BD4 |. |4A |dec edx
00402BD5 |. |3BF7 |cmp esi, edi //比较
00402BD7 |77 08 ja short 00402BE1
00402BD9 ^|72 D9 jb short 00402BB4
00402BDB |. |85D2 |test edx, edx
00402BDD |.^\7F EB \jg short 00402BCA
就是将上面两个乘法算出来的结果 比较是否相等,不相等就挂掉。
比较时我们发现aaaaaaaaa*aaaaaaaaa的值被加了1 ,我们就对存放这个值的内存地址下内存访问断点,追到下面两个段代码有对该地址写入操作
00402B2A |> /8B3401 /mov esi, dword ptr [ecx+eax]
00402B2D |. |8930 |mov dword ptr [eax], esi ; 将乘法结过放入内存 //这里就放的是aaa...*aaaa..的结果
00402B2F |. |83C0 04 |add eax, 4
00402B32 |. |4A |dec edx
00402B33 |.^\75 F5 \jnz short 00402B2A
00403019 |> /8B3E /mov edi, dword ptr [esi] ; 生产数据 //这段代码上面我们列出了是加法操作,实际上就把串一乘法结果加了1
0040301B |. |8B042E |mov eax, dword ptr [esi+ebp]
0040301E |. |03C7 |add eax, edi
00403020 |. |03C1 |add eax, ecx
00403022 |. |3BC7 |cmp eax, edi
00403024 |. |76 04 |jbe short 0040302A
00403026 |. |33C9 |xor ecx, ecx
00403028 |. |EB 07 |jmp short 00403031
0040302A |> |73 05 |jnb short 00403031
0040302C |. |B9 01000000 |mov ecx, 1
00403031 |> |8B7C24 10 |mov edi, dword ptr [esp+10]
00403035 |. |83C6 04 |add esi, 4
00403038 |. |894437 FC |mov dword ptr [edi+esi-4], eax
0040303C |. |8B4424 14 |mov eax, dword ptr [esp+14]
00403040 |. |48 |dec eax
00403041 |. |894424 14 |mov dword ptr [esp+14], eax
00403045 |.^\75 D2 \jnz short 00403019
对前面两个串的验证实际上就是满足:key1*key1+1=2*key2*ke2;
到此,我们就可以写出 生成注册码的算法了,如下:
#include <stdio.h>
#include <windows.h>
char result[0x30];
void last_str()
{
char name[0x3c],key[0x3c];
memset(name,0,0x40);
memset(key,0,0x40);
strcpy(name,"netwind\x80\x0"); //这里放上大名 运算时用户名后加了个常量0x80
int im=(strlen(name)-1)<<3;
strcpy(name+0x38,(char *)&im); /////////////这个参与运算
strcpy(key,"\x01\x23\x45\x67\x89\xab\xcd\xef\xfe\xdc\xba\x98\x76\x54\x32\x10");
long addr=(long )name;
long addr1=(long )key;
_asm //对用户名和那个key 一起运算 得到一个结果 作为第三部分串
{
pushad
mov esi,addr1
mov ebp,addr
mov eax,0x67452301
mov ebx,0xefcdab89
mov ecx,0x98badcfe
mov edx,0x10325476
mov edi, ecx
xor edi, edx
and edi, ebx
xor edi, edx
add eax, dword ptr [ebp] //取用户名了
lea eax, dword ptr [eax+edi+0xD76AA478]
rol eax, 7
add eax, ebx
mov edi, ebx
xor edi, ecx
and edi, eax
xor edi, ecx
add edx, dword ptr [ebp+0x4]
lea edx, dword ptr [edx+edi+0xE8C7B756]
rol edx, 0xC
add edx, eax
mov edi, eax
xor edi, ebx
and edi, edx
xor edi, ebx
add ecx, dword ptr [ebp+0x8]
lea ecx, dword ptr [ecx+edi+0x242070dB]
rol ecx, 0x11
add ecx, edx
mov edi, edx
xor edi, eax
and edi, ecx
xor edi, eax
add ebx, dword ptr [ebp+0xC]
lea ebx, dword ptr [ebx+edi+0xC1BDCEEE]
rol ebx, 0x16
add ebx, ecx
mov edi, ecx
xor edi, edx
and edi, ebx
xor edi, edx
add eax, dword ptr [ebp+0x10]
lea eax, dword ptr [eax+edi+0xF57C0fAF]
rol eax, 7
add eax, ebx
mov edi, ebx
xor edi, ecx
and edi, eax
xor edi, ecx
add edx, dword ptr [ebp+0x14]
lea edx, dword ptr [edx+edi+0x4787C62A]
rol edx, 0xC
add edx, eax
mov edi, eax
xor edi, ebx
and edi, edx
xor edi, ebx
add ecx, dword ptr [ebp+0x18]
lea ecx, dword ptr [ecx+edi+0xA8304613]
rol ecx, 0x11
add ecx, edx
mov edi, edx
xor edi, eax
and edi, ecx
xor edi, eax
add ebx, dword ptr [ebp+0x1C]
lea ebx, dword ptr [ebx+edi+0xFD469501]
rol ebx, 0x16
add ebx, ecx
mov edi, ecx
xor edi, edx
and edi, ebx
xor edi, edx
add eax, dword ptr [ebp+0x20]
lea eax, dword ptr [eax+edi+0x698098D8]
rol eax, 7
add eax, ebx
mov edi, ebx
xor edi, ecx
and edi, eax
xor edi, ecx
add edx, dword ptr [ebp+0x24]
lea edx, dword ptr [edx+edi+0x8B44F7AF]
rol edx, 0xC
add edx, eax
mov edi, eax
xor edi, ebx
and edi, edx
xor edi, ebx
add ecx, dword ptr [ebp+0x28]
lea ecx, dword ptr [ecx+edi+0xFFFF5BB1]
rol ecx, 0x11
add ecx, edx
mov edi, edx
xor edi, eax
and edi, ecx
xor edi, eax
add ebx, dword ptr [ebp+0x2C]
lea ebx, dword ptr [ebx+edi+0x895CD7BE]
rol ebx, 0x16
add ebx, ecx
mov edi, ecx
xor edi, edx
and edi, ebx
xor edi, edx
add eax, dword ptr [ebp+0x30]
lea eax, dword ptr [eax+edi+0x6B901122]
rol eax, 7
add eax, ebx
mov edi, ebx
xor edi, ecx
and edi, eax
xor edi, ecx
add edx, dword ptr [ebp+0x34]
lea edx, dword ptr [edx+edi+0xFD987193]
rol edx, 0xC
add edx, eax
mov edi, eax
xor edi, ebx
and edi, edx
xor edi, ebx
add ecx, dword ptr [ebp+0x38]
lea ecx, dword ptr [ecx+edi+0xA679438E]
rol ecx, 0x11
add ecx, edx
mov edi, edx
xor edi, eax
and edi, ecx
xor edi, eax
add ebx, dword ptr [ebp+0x3C]
lea ebx, dword ptr [ebx+edi+0x49B40821]
rol ebx, 0x16
add ebx, ecx
mov edi, ecx
xor edi, ebx
and edi, edx
xor edi, ecx
add eax, dword ptr [ebp+0x4]
lea eax, dword ptr [eax+edi+0xF61E2562]
rol eax, 5
add eax, ebx
mov edi, ebx
xor edi, eax
and edi, ecx
xor edi, ebx
add edx, dword ptr [ebp+0x18]
lea edx, dword ptr [edx+edi+0xC040B340]
rol edx, 9
add edx, eax
mov edi, eax
xor edi, edx
and edi, ebx
xor edi, eax
add ecx, dword ptr [ebp+0x2C]
lea ecx, dword ptr [ecx+edi+0x265E5A51]
rol ecx, 0xe
add ecx, edx
mov edi, edx
xor edi, ecx
and edi, eax
xor edi, edx
add ebx, dword ptr [ebp]
lea ebx, dword ptr [ebx+edi+0xE9B6C7AA]
rol ebx, 0x14
add ebx, ecx
mov edi, ecx
xor edi, ebx
and edi, edx
xor edi, ecx
add eax, dword ptr [ebp+0x14]
lea eax, dword ptr [eax+edi+0xD62F105D]
rol eax, 5
add eax, ebx
mov edi, ebx
xor edi, eax
and edi, ecx
xor edi, ebx
add edx, dword ptr [ebp+0x28]
lea edx, dword ptr [edx+edi+0x2441453]
rol edx, 9
add edx, eax
mov edi, eax
xor edi, edx
and edi, ebx
xor edi, eax
add ecx, dword ptr [ebp+0x3C]
lea ecx, dword ptr [ecx+edi+0xD8A1E681]
rol ecx, 0xe
add ecx, edx
mov edi, edx
xor edi, ecx
and edi, eax
xor edi, edx
add ebx, dword ptr [ebp+0x10]
lea ebx, dword ptr [ebx+edi+0xE7D3FBC8]
rol ebx, 0x14
add ebx, ecx
mov edi, ecx
xor edi, ebx
and edi, edx
xor edi, ecx
add eax, dword ptr [ebp+0x24]
lea eax, dword ptr [eax+edi+0x21E1CDE6]
rol eax, 5
add eax, ebx
mov edi, ebx
xor edi, eax
and edi, ecx
xor edi, ebx
add edx, dword ptr [ebp+0x38]
lea edx, dword ptr [edx+edi+0xC33707D6]
rol edx, 9
add edx, eax
mov edi, eax
xor edi, edx
and edi, ebx
xor edi, eax
add ecx, dword ptr [ebp+0xC]
lea ecx, dword ptr [ecx+edi+0xF4D50d87]
rol ecx, 0xe
add ecx, edx
mov edi, edx
xor edi, ecx
and edi, eax
xor edi, edx
add ebx, dword ptr [ebp+0x20]
lea ebx, dword ptr [ebx+edi+0x455A14ED]
rol ebx, 0x14
add ebx, ecx
mov edi, ecx
xor edi, ebx
and edi, edx
xor edi, ecx
add eax, dword ptr [ebp+0x34]
lea eax, dword ptr [eax+edi+0xA9E3E905]
rol eax, 5
add eax, ebx
mov edi, ebx
xor edi, eax
and edi, ecx
xor edi, ebx
add edx, dword ptr [ebp+0x8]
lea edx, dword ptr [edx+edi+0xFCEFA3F8]
rol edx, 9
add edx, eax
mov edi, eax
xor edi, edx
and edi, ebx
xor edi, eax
add ecx, dword ptr [ebp+0x1C]
lea ecx, dword ptr [ecx+edi+0x676F02D9]
rol ecx, 0xe
add ecx, edx
mov edi, edx
xor edi, ecx
and edi, eax
xor edi, edx
add ebx, dword ptr [ebp+0x30]
lea ebx, dword ptr [ebx+edi+0x8D2A4C8A]
rol ebx, 0x14
add ebx, ecx
mov edi, ecx
xor edi, edx
xor edi, ebx
add eax, dword ptr [ebp+0x14]
lea eax, dword ptr [edi+eax+0xFFFA3942]
rol eax, 4
add eax, ebx
mov edi, ebx
xor edi, ecx
xor edi, eax
add edx, dword ptr [ebp+0x20]
lea edx, dword ptr [edi+edx+0x8771F681]
rol edx, 0xB
add edx, eax
mov edi, eax
xor edi, ebx
xor edi, edx
add ecx, dword ptr [ebp+0x2C]
lea ecx, dword ptr [edi+ecx+0x6D9D6122]
rol ecx, 0x10
add ecx, edx
mov edi, edx
xor edi, eax
xor edi, ecx
add ebx, dword ptr [ebp+0x38]
lea ebx, dword ptr [edi+ebx+0xFDE5380C]
rol ebx, 0x17
add ebx, ecx
mov edi, ecx
xor edi, edx
xor edi, ebx
add eax, dword ptr [ebp+0x4]
lea eax, dword ptr [edi+eax+0xA4BEEA44]
rol eax, 4
add eax, ebx
mov edi, ebx
xor edi, ecx
xor edi, eax
add edx, dword ptr [ebp+0x10]
lea edx, dword ptr [edi+edx+0x4BDECFA9]
rol edx, 0xB
add edx, eax
mov edi, eax
xor edi, ebx
xor edi, edx
add ecx, dword ptr [ebp+0x1C]
lea ecx, dword ptr [edi+ecx+0xF6BB4B60]
rol ecx, 0x10
add ecx, edx
mov edi, edx
xor edi, eax
xor edi, ecx
add ebx, dword ptr [ebp+0x28]
lea ebx, dword ptr [edi+ebx+0xBEBFBC70]
rol ebx, 0x17
add ebx, ecx
mov edi, ecx
xor edi, edx
xor edi, ebx
add eax, dword ptr [ebp+0x34]
lea eax, dword ptr [edi+eax+0x289B7EC6]
rol eax, 4
add eax, ebx
mov edi, ebx
xor edi, ecx
xor edi, eax
add edx, dword ptr [ebp]
lea edx, dword ptr [edi+edx+0xEAA127FA]
rol edx,0xB
add edx, eax
mov edi, eax
xor edi, ebx
xor edi, edx
add ecx, dword ptr [ebp+0xC]
lea ecx, dword ptr [edi+ecx+0xD4EF3085]
rol ecx, 0x10
add ecx, edx
mov edi, edx
xor edi, eax
xor edi, ecx
add ebx, dword ptr [ebp+0x18]
lea ebx, dword ptr [edi+ebx+0x4881D05]
rol ebx, 0x17
add ebx, ecx
mov edi, ecx
xor edi, edx
xor edi, ebx
add eax, dword ptr [ebp+0x24]
lea eax, dword ptr [edi+eax+0xD9D4D039]
rol eax, 4
add eax, ebx
mov edi, ebx
xor edi, ecx
xor edi, eax
add edx, dword ptr [ebp+0x30]
lea edx, dword ptr [edi+edx+0xE6DB99E5]
rol edx, 0xB
add edx, eax
mov edi, eax
xor edi, ebx
xor edi, edx
add ecx, dword ptr [ebp+0x3C]
lea ecx, dword ptr [edi+ecx+0x1FA27CF8]
rol ecx, 0x10
add ecx, edx
mov edi, edx
xor edi, eax
xor edi, ecx
add ebx, dword ptr [ebp+0x8]
lea ebx, dword ptr [edi+ebx+0xC4AC5665]
rol ebx, 0x17
add ebx, ecx
mov edi, edx
xor edi, 0xFFFFFFFF
or edi, ebx
xor edi, ecx
add eax, dword ptr [ebp]
lea eax, dword ptr [eax+edi+0xF4292244]
rol eax, 6
add eax, ebx
mov edi, ecx
xor edi, 0xFFFFFFFF
or edi, eax
xor edi, ebx
add edx, dword ptr [ebp+0x1C]
lea edx, dword ptr [edx+edi+0x432AFF97]
rol edx, 0xA
add edx, eax
mov edi, ebx
xor edi, 0xFFFFFFFF
or edi, edx
xor edi, eax
add ecx, dword ptr [ebp+0x38]
lea ecx, dword ptr [ecx+edi+0xAB9423A7]
rol ecx, 0xf
add ecx, edx
mov edi, eax
xor edi, 0xFFFFFFFF
or edi, ecx
xor edi, edx
add ebx, dword ptr [ebp+0x14]
lea ebx, dword ptr [ebx+edi+0xFC93A039]
rol ebx, 0x15
add ebx, ecx
mov edi, edx
xor edi, 0xFFFFFFFF
or edi, ebx
xor edi, ecx
add eax, dword ptr [ebp+0x30]
lea eax, dword ptr [eax+edi+0x655B59C3]
rol eax, 6
add eax, ebx
mov edi, ecx
xor edi, 0xFFFFFFFF
or edi, eax
xor edi, ebx
add edx, dword ptr [ebp+0xC]
lea edx, dword ptr [edx+edi+0x8F0CCC92]
rol edx, 0xA
add edx, eax
mov edi, ebx
xor edi, 0xFFFFFFFF
or edi, edx
xor edi, eax
add ecx, dword ptr [ebp+0x28]
lea ecx, dword ptr [ecx+edi+0xFFEFF47D]
rol ecx, 0xf
add ecx, edx
mov edi, eax
xor edi, 0xFFFFFFFF
or edi, ecx
xor edi, edx
add ebx, dword ptr [ebp+0x4]
lea ebx, dword ptr [ebx+edi+0x85845DD1]
rol ebx, 0x15
add ebx, ecx
mov edi, edx
xor edi, 0xFFFFFFFF
or edi, ebx
xor edi, ecx
add eax, dword ptr [ebp+0x20]
lea eax, dword ptr [eax+edi+0x6FA87E4F]
rol eax, 6
add eax, ebx
mov edi, ecx
xor edi, 0xFFFFFFFF
or edi, eax
xor edi, ebx
add edx, dword ptr [ebp+0x3C]
lea edx, dword ptr [edx+edi+0xFE2CE6E0]
rol edx, 0xA
add edx, eax
mov edi, ebx
xor edi, 0xFFFFFFFF
or edi, edx
xor edi, eax
add ecx, dword ptr [ebp+0x18]
lea ecx, dword ptr [ecx+edi+0xA3014314]
rol ecx, 0xf
add ecx, edx
mov edi, eax
xor edi, 0xFFFFFFFF
or edi, ecx
xor edi, edx
add ebx, dword ptr [ebp+0x34]
lea ebx, dword ptr [ebx+edi+0x4E0811A1]
rol ebx, 0x15
add ebx, ecx
mov edi, edx
xor edi, 0xFFFFFFFF
or edi, ebx
xor edi, ecx
add eax, dword ptr [ebp+0x10]
lea eax, dword ptr [eax+edi+0xF7537E82]
rol eax, 6
add eax, ebx
mov edi, ecx
xor edi, 0xFFFFFFFF
or edi, eax
xor edi, ebx
add edx, dword ptr [ebp+0x2C]
lea edx, dword ptr [edx+edi+0xBD3AF235]
rol edx, 0xA
add edx, eax
mov edi, ebx
xor edi, 0xFFFFFFFF
or edi, edx
xor edi, eax
add ecx, dword ptr [ebp+0x8]
lea ecx, dword ptr [ecx+edi+0x2AD7D2BB]
rol ecx, 0xf
add ecx, edx
mov edi, eax
xor edi, 0xFFFFFFFF
or edi, ecx
xor edi, edx
add ebx, dword ptr [ebp+0x24]
lea ebx, dword ptr [ebx+edi+0xEB86D391]
rol ebx, 0x15
add ebx, ecx
add dword ptr [esi], eax
add dword ptr [esi+4], ebx
add dword ptr [esi+8], ecx
add dword ptr [esi+0xC], edx
popad
}
int i,j=0;
for(i=0;key[i];i++) //将上面算完的后得到的数据打印出来 字母要大写
{
int t=((int )key[i]>>4)&0xf;
if(!(t>=0&&t<0xa))
t=t-0xa+0x11;
t+='0';
result[j++]=t;
t=(int )key[i]&0xf;
if(!(t>=0&&t<0xa))
t=t-0xA+0x11;
t+='0';
result[j++]=t;
}
result[j]='\0';
}
void mul9(_int64 key1,_int64 key2,_int64 &a,int &b) //9 字节大数相乘低64位放a中,高4位放b中
{
_int64 temp;
_int64 m,n,m1,n1;
m=key1&0xffffffff;
m1=key2&0xffffffff;
n=key1>>32&0xff;
n1=key2>>32&0xff;
temp=key1*key2;
a=temp;
b=(((m*m1>>32)+n1*m+n*m1)>>32)+n*n1;
}
void print(int b) //打印结果
{
int ok[10],i,count=8,t;
for(i=0;i<9;i++)
ok[i]=0;
while(b)
{
t=0xf;
t&=b;
ok[count--]=t;
b>>=4;
}
count=0;
while(count<9)
printf("%x",ok[count++]);
}
void main()
{
_int64 key1,key2,key3,a,c;
int b,d,t;
_asm{ //保护ebp
push ebp
}
last_str();
_asm{
pop ebp
}
for(key1=0;key1<0xfff;key1++)
{
for(key2=0;key2<0xfff;key2++)
{
mul9(key1,key1,a,b); //key1*key1
a+=1;
key3=key2+key2;
mul9(key2,key3,c,d); //2*key2*key2
if(b==d&&a==c) //判断 key1*key1+1是否等于2*key2*key2
{
b=key1;
d=key2;
print(b); //打印第一部分
printf("-");
print(d); //打印第二部分
printf("-");
puts(result); //打印第三部分串
}
}
}
}
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2008年01月11日 15:41:26
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
