Post #2
Right from the start I felt the OP was a bit sneaky: at the very beginning a fake "level 000" serial JPL-168-39 is handed out, but this crackme actually has no level 0; that one is a fake serial. I fell for it at first and went round in circles for ages before I understood. Below is my process, take a look (the version I cracked is 0.5; the OP updates the build really fast, I see level 6 is already out).
Tool used: OD
Each time a level is cracked successfully the program writes the file CrG.ini once; the next time, the program reads that file to decide the switch.
00402261 |. 6A 0A push 0A
00402263 |. 68 4C404000 push CR-Game0.0040404C
00402268 |. E8 93EDFFFF call CR-Game0.00401000 ; converts to eax = level here
0040226D |. 40 inc eax ; Switch (cases -1..5)
0040226E |. 83F8 06 cmp eax,6
00402271 |. 73 52 jnb short CR-Game0.004022C5
00402273 |. 83F8 01 cmp eax,1
00402276 |. 75 0D jnz short CR-Game0.00402285
00402278 |. FF75 08 push dword ptr ss:[ebp+8] ; /Arg1; Case 0 of switch 0040226D
0040227B |. E8 93F7FFFF call CR-Game0.00401A13 ; \CR-Game0.00401A13
00402280 |. E9 D2000000 jmp CR-Game0.00402357
00402285 |> 83F8 02 cmp eax,2
00402288 |. 75 0A jnz short CR-Game0.00402294
0040228A |. E8 4BF8FFFF call CR-Game0.00401ADA ; Case 1 of switch 0040226D
0040228F |. E9 C3000000 jmp CR-Game0.00402357
00402294 |> 83F8 03 cmp eax,3
00402297 |. 75 0A jnz short CR-Game0.004022A3
00402299 |. E8 C0F8FFFF call CR-Game0.00401B5E ; Case 2 of switch 0040226D
0040229E |. E9 B4000000 jmp CR-Game0.00402357
004022A3 |> 83F8 04 cmp eax,4
004022A6 |. 75 0A jnz short CR-Game0.004022B2
004022A8 |. E8 68F9FFFF call CR-Game0.00401C15 ; Case 3 of switch 0040226D
004022AD |. E9 A5000000 jmp CR-Game0.00402357
004022B2 |> 83F8 05 cmp eax,5
004022B5 |. 0F85 9C000000 jnz CR-Game0.00402357
004022BB |. E8 80FAFFFF call CR-Game0.00401D40 ; Case 4 of switch 0040226D
004022C0 |. E9 92000000 jmp CR-Game0.00402357
004022C5 |> 83F8 06 cmp eax,6
004022C8 |. 75 0A jnz short CR-Game0.004022D4
004022CA |. E8 67FBFFFF call CR-Game0.00401E36 ; Case 5 of switch 0040226D
004022CF |. E9 83000000 jmp CR-Game0.00402357
004022D4 |> E8 81F6FFFF call CR-Game0.0040195A ; Default case of switch 0040226D
level 1:
0040227B |. E8 93F7FFFF call CR-Game0.00401A13 ; \CR-Game0.00401A13
This call jumps into level 1:
00401A13 /$ 55 push ebp
00401A14 |. 8BEC mov ebp,esp
00401A16 |. 83C4 F4 add esp,-0C
00401A19 |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00401A1C |. 50 push eax ; /lParam
00401A1D |. 6A 0C push 0C ; |wParam = C
00401A1F |. 6A 0D push 0D ; |Message = WM_GETTEXT
00401A21 |. FF35 2C404000 push dword ptr ds:[40402C] ; |hWnd = NULL
00401A27 |. E8 BE120000 call <jmp.&user32.SendMessageA> ; \SendMessageA
00401A2C |. 83F8 03 cmp eax,3 ; serial length must be greater than 3
00401A2F |. 0F8E 9F000000 jle CR-Game0.00401AD4
00401A35 |. 52 push edx
00401A36 |. 8D55 F4 lea edx,dword ptr ss:[ebp-C]
00401A39 |. 807A 07 20 cmp byte ptr ds:[edx+7],20 ; compares whether byte 7 of the serial is a space
00401A3D |. 75 04 jnz short CR-Game0.00401A43
00401A3F |. 8042 0A 1F add byte ptr ds:[edx+A],1F ; byte 10 of the serial + 1F
00401A43 |> 5A pop edx
00401A44 |. EB 0B jmp short CR-Game0.00401A51
00401A46 |. 4A 50 4C 2D 31>ascii "JPL-168-39",0
00401A51 |> 68 461A4000 push CR-Game0.00401A46 ; ASCII "JPL-168-39" (fake)
00401A56 |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00401A59 |. 50 push eax
00401A5A |. E8 22F8FFFF call CR-Game0.00401281 ; this call is the key to the level (fake)
00401A5F |. 0BC0 or eax,eax ; eax must not be 0, otherwise it falls into the fake success at 00401A87
00401A61 |. 75 4A jnz short CR-Game0.00401AAD ; this one has to jump
00401A63 |. EB 22 jmp short CR-Game0.00401A87
00401A65 |. 43 6F 6E 67 72>ascii "Congratulation! "
00401A75 |. 59 6F 75 20 70>ascii "You pass Level 0"
00401A85 |. 21 00 ascii "!",0
00401A87 |> EB 0C jmp short CR-Game0.00401A95
00401A89 |. 43 52 2D 47 61>ascii "CR-Game vXO",0
00401A95 |> 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401A97 |. 68 891A4000 push CR-Game0.00401A89 ; |Title = "CR-Game vXO"
00401A9C |. 68 651A4000 push CR-Game0.00401A65 ; |Text = "Congratulation! You pass Level 0!"
00401AA1 |. FF75 08 push dword ptr ss:[ebp+8] ; |hOwner
00401AA4 |. E8 23120000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00401AA9 |. 33C0 xor eax,eax
00401AAB |. EB 29 jmp short CR-Game0.00401AD6
00401AAD |> EB 0C jmp short CR-Game0.00401ABB
00401AAF |. 43 52 2D 47 61>ascii "CR-Game vXO",0
00401ABB |> 68 AF1A4000 push CR-Game0.00401AAF ; ASCII "CR-Game vXO" (real)
00401AC0 |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00401AC3 |. 50 push eax
00401AC4 |. E8 B8F7FFFF call CR-Game0.00401281 ; the key call
00401AC9 |. 0BC0 or eax,eax ; the eax coming out here has to be 0
00401ACB |. 75 07 jnz short CR-Game0.00401AD4
00401ACD |. B8 01000000 mov eax,1
00401AD2 |. EB 02 jmp short CR-Game0.00401AD6
00401AD4 |> 33C0 xor eax,eax
00401AD6 |> C9 leave
00401AD7 \. C2 0400 retn 4
Having read it, it is time to reverse it: byte 7 of "CR-Game vXO" is a space, so byte 10, the 'O', has to have 1F subtracted: 'O'-1F='0', so the last character has to be 0.
The final level 1 serial is CR-Game vX0.
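As an added example (my own code, not the crackme's and not from the post), here is the level 1 routine re-implemented in Python straight from the listing above. Function names are mine; the compare routine at 00401281 is not shown in the post, so it is assumed to be a plain string equality test that returns 0 on a match. Running the serials from the post through a re-implementation like this is the quickest way to confirm that a reading of the disassembly is correct, including the decoy path.

```python
# Added example: Python mirror of the CR-Game level 1 routine at 00401A13,
# written from the OllyDbg listing in the post. Not the crackme's own code.

FAKE_SERIAL = "JPL-168-39"   # decoy string pushed at 00401A51
REAL_SERIAL = "CR-Game vXO"  # real target string pushed at 00401ABB


def compare_00401281(a: bytes, b: bytes) -> int:
    """Assumed behaviour of the call at 00401281 (not shown in the post):
    0 when both strings are equal, non-zero otherwise."""
    return 0 if a == b else 1


def check_level1(user_input: str):
    """Returns (eax, path): eax is what the routine leaves in EAX
    (1 = level passed, 0 = failed); path names the branch taken."""
    buf = bytearray(user_input.encode("latin-1"))
    # WM_GETTEXT with wParam = 0C copies at most 11 characters plus the NUL.
    buf = buf[:11]
    # 00401A2C: cmp eax,3 / jle -> fewer than 4 characters fails outright.
    if len(buf) <= 3:
        return 0, "too short"
    # 00401A39: if byte 7 is a space, byte 10 gets 0x1F added (wraps in AL).
    # The length guard is mine; the binary reads its 12-byte stack buffer
    # unconditionally, but a short input cannot match either target anyway.
    if len(buf) > 10 and buf[7] == 0x20:
        buf[10] = (buf[10] + 0x1F) & 0xFF
    # 00401A5A: first compare is against the decoy. A match shows the fake
    # "You pass Level 0" box and returns EAX = 0, i.e. no progress at all.
    if compare_00401281(bytes(buf), FAKE_SERIAL.encode()) == 0:
        return 0, "decoy"
    # 00401AC4: the real compare; EAX must be 0 here for mov eax,1 to run.
    if compare_00401281(bytes(buf), REAL_SERIAL.encode()) == 0:
        return 1, "real"
    return 0, "mismatch"


if __name__ == "__main__":
    for s in ("CR-Game vX0", "CR-Game vXO", "JPL-168-39", "abc"):
        print(repr(s), check_level1(s))
```

Typing the string "CR-Game vXO" itself fails, because the +1F transform turns its last byte into 'n' before the compare; only "CR-Game vX0" reaches the real-success branch.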
Post #3
level 2:
00401ADA /$ 55 push ebp
00401ADB |. 8BEC mov ebp,esp
00401ADD |. 83C4 F4 add esp,-0C
00401AE0 |. 53 push ebx
00401AE1 |. 8D45 F6 lea eax,dword ptr ss:[ebp-A]
00401AE4 |. 50 push eax ; /lParam
00401AE5 |. 6A 0A push 0A ; |wParam = A
00401AE7 |. 6A 0D push 0D ; |Message = WM_GETTEXT
00401AE9 |. FF35 2C404000 push dword ptr ds:[40402C] ; |hWnd = C04AA
00401AEF |. E8 F6110000 call <jmp.&user32.SendMessageA> ; \SendMessageA
00401AF4 |. 83F8 08 cmp eax,8 ; serial length must be greater than 8
00401AF7 |. 7E 60 jle short CR-Game0.00401B59
00401AF9 |. 8D5D F6 lea ebx,dword ptr ss:[ebp-A] ; take the serial; what follows is a run of byte-by-byte compares
00401AFC |. 803B 43 cmp byte ptr ds:[ebx],43
00401AFF |. 74 58 je short CR-Game0.00401B59
00401B01 |. 807B 01 6C cmp byte ptr ds:[ebx+1],6C
00401B05 |. 75 52 jnz short CR-Game0.00401B59
00401B07 |. 807B 02 47 cmp byte ptr ds:[ebx+2],47
00401B0B |. 75 06 jnz short CR-Game0.00401B13 **
00401B0D |. 807B 03 76 cmp byte ptr ds:[ebx+3],76
00401B11 |. 75 46 jnz short CR-Game0.00401B59
00401B13 |> 807B 04 65 cmp byte ptr ds:[ebx+4],65
00401B17 |. 75 40 jnz short CR-Game0.00401B59
00401B19 |. 807B 05 32 cmp byte ptr ds:[ebx+5],32
00401B1D |. 75 06 jnz short CR-Game0.00401B25 **
00401B1F |. 807B 06 31 cmp byte ptr ds:[ebx+6],31
00401B23 |. 75 34 jnz short CR-Game0.00401B59
00401B25 |> 807B 07 47 cmp byte ptr ds:[ebx+7],47
00401B29 |. 75 2E jnz short CR-Game0.00401B59
00401B2B |. 807B 08 43 cmp byte ptr ds:[ebx+8],43
00401B2F |. 75 28 jnz short CR-Game0.00401B59
00401B31 |. 8043 06 3B add byte ptr ds:[ebx+6],3B
00401B35 |. 803B 32 cmp byte ptr ds:[ebx],32
00401B38 |. 75 1F jnz short CR-Game0.00401B59
00401B3A |. 807B 02 65 cmp byte ptr ds:[ebx+2],65
00401B3E |. 75 19 jnz short CR-Game0.00401B59
00401B40 |. 807B 03 76 cmp byte ptr ds:[ebx+3],76
00401B44 |. 75 13 jnz short CR-Game0.00401B59
00401B46 |. 807B 05 4C cmp byte ptr ds:[ebx+5],4C
00401B4A |. 75 0D jnz short CR-Game0.00401B59
00401B4C |. 807B 06 6C cmp byte ptr ds:[ebx+6],6C
00401B50 |. 75 07 jnz short CR-Game0.00401B59
00401B52 |. B8 02000000 mov eax,2
00401B57 |. EB 02 jmp short CR-Game0.00401B5B
00401B59 |> 33C0 xor eax,eax
00401B5B |> 5B pop ebx
00401B5C |. C9 leave
00401B5D \. C3 retn
One look should be enough: some of the jumps in there are decoys; the ones that have to jump still jump, so sift them out.
level 2: 2leveL1GC
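Added example (my own code, not the crackme's): the level 2 byte checks in Python, including the two branches the post marks with `**`. The second function substitutes one byte at a time into a passing serial to show that the compares those branches skip are re-imposed later, so every position stays pinned despite the decoys. Function names are mine.

```python
# Added example: Python mirror of the CR-Game level 2 routine at 00401ADA,
# written from the listing in the post. Not the crackme's own code.


def check_level2(user_input: str) -> int:
    """Returns the EAX value of the routine: 2 on success, 0 on failure."""
    # WM_GETTEXT with wParam = 0A copies at most 9 characters plus the NUL,
    # and cmp eax,8 / jle then demands more than 8, i.e. exactly 9.
    s = bytearray(user_input.encode("latin-1"))[:9]
    if len(s) <= 8:
        return 0
    if s[0] == 0x43:            # 00401AFC: je -> a leading 'C' fails
        return 0
    if s[1] != 0x6C:            # 'l'
        return 0
    if s[2] == 0x47:            # ** decoy: only a 'G' here forces s[3] == 'v' now
        if s[3] != 0x76:
            return 0
    if s[4] != 0x65:            # 'e'
        return 0
    if s[5] == 0x32:            # ** decoy: only a '2' here forces s[6] == '1' now
        if s[6] != 0x31:
            return 0
    if s[7] != 0x47:            # 'G'
        return 0
    if s[8] != 0x43:            # 'C'
        return 0
    s[6] = (s[6] + 0x3B) & 0xFF  # 00401B31: add byte ptr [ebx+6],3B
    # 00401B35..00401B50: the compares that actually pin the remaining bytes
    if s[0] != 0x32 or s[2] != 0x65 or s[3] != 0x76 or s[5] != 0x4C or s[6] != 0x6C:
        return 0
    return 2


def accepted_bytes_per_position(serial: str):
    """For each position of a serial, the set of printable bytes that keep
    check_level2 passing when substituted there. Size 1 means pinned."""
    base = bytearray(serial.encode("latin-1"))
    result = []
    for pos in range(len(base)):
        ok = set()
        for b in range(0x20, 0x7F):
            trial = bytearray(base)
            trial[pos] = b
            if check_level2(trial.decode("latin-1")) == 2:
                ok.add(b)
        result.append(ok)
    return result


if __name__ == "__main__":
    print(check_level2("2leveL1GC"))
    for pos, ok in enumerate(accepted_bytes_per_position("2leveL1GC")):
        print(pos, [chr(b) for b in sorted(ok)])
```

Because the edit control's text is cut to 9 characters before the length test, anything typed after the ninth character is simply ignored.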
Post #4
level 3:
00401BAE |. 51 57 45 52 54>ascii "QWERTYUIOPASDFGH" ; join these two strings together
00401BBE |. 4A 4B 4C 5A 58>ascii "JKLZXCVBNM",0
00401BC9 |> 68 AE1B4000 push CR-Game0.00401BAE ; /String2 = "QWERTYUIOPASDFGHJKLZXCVBNM"
00401BCE |. 57 push edi ; |String1
00401BCF |. E8 74100000 call <jmp.&kernel32.lstrcpyA> ; \lstrcpyA
00401BD4 |. 33C9 xor ecx,ecx ; edi = the joined string QWERTYUIOPASDFGHJKLZXCVBNM
00401BD6 |. EB 0B jmp short CR-Game0.00401BE3
00401BD8 |> 803C19 61 /cmp byte ptr ds:[ecx+ebx],61
00401BDC |. 72 04 |jb short CR-Game0.00401BE2
00401BDE |. 802C19 20 |sub byte ptr ds:[ecx+ebx],20
00401BE2 |> 41 |inc ecx
00401BE3 |> 803C19 00 cmp byte ptr ds:[ecx+ebx],0
00401BE7 |.^ 75 EF \jnz short CR-Game0.00401BD8 ; this loop turns the lowercase letters of the name into uppercase
00401BE9 |. 8D55 A7 lea edx,dword ptr ss:[ebp-59]
00401BEC |. 33C9 xor ecx,ecx
00401BEE |. 33C0 xor eax,eax
00401BF0 |. 8A03 mov al,byte ptr ds:[ebx]
00401BF2 |. EB 0E jmp short CR-Game0.00401C02 ; the loop below starts the table lookup
00401BF4 |> 2C 41 /sub al,41 ; take a character from the transformed name, minus 41H
00401BF6 |. 8A0438 |mov al,byte ptr ds:[eax+edi] ; use the resulting al to index the string from before
00401BF9 |. 3A0411 |cmp al,byte ptr ds:[ecx+edx] ; compare the serial with al
00401BFC |. 75 0F |jnz short CR-Game0.00401C0D ; not equal -> kill
00401BFE |. 41 |inc ecx
00401BFF |. 8A0419 |mov al,byte ptr ds:[ecx+ebx]
00401C02 |> 0AC0 or al,al
00401C04 |.^ 75 EE \jnz short CR-Game0.00401BF4
00401C06 |. B8 03000000 mov eax,3
00401C0B |. EB 02 jmp short CR-Game0.00401C0F
00401C0D |> 33C0 xor eax,eax
00401C0F |> 5F pop edi
00401C10 |. 5A pop edx
00401C11 |. 59 pop ecx
00401C12 |. 5B pop ebx
00401C13 |. C9 leave
00401C14 \. C3 retn
Having read it: the name I used is emptywin, so the first transform gives EMPTYWIN; subtract 41H from each byte and use the result to index the string QWERTYUIOPASDFGHJKLZXCVBNM. The serial I looked up is TDHZNVOF.
level 3: name: emptywin serial: TDHZNVOF
Post #5
level 4:
00401CC4 |. 8A03 mov al,byte ptr ds:[ebx]
00401CC6 |. EB 2E jmp short CR-Game0.00401CF6
00401CC8 |> 3C 61 /cmp al,61
00401CCA |. 72 10 |jb short CR-Game0.00401CDC
00401CCC |. 3C 7A |cmp al,7A
00401CCE |. 77 0C |ja short CR-Game0.00401CDC
00401CD0 |. 2C 61 |sub al,61 ; Cases 61 ('a'),62 ('b'),63 ('c'),64 ('d'),65 ('e'),66 ('f'),67 ('g'),68 ('h'),69 ('i'),6A ('j'),6B ('k'),6C ('l'),6D ('m'),6E ('n'),6F ('o'),70 ('p'),71 ('q'),72 ('r'),73 ('s'),74 ('t')... of switch 00401CF6
00401CD2 |. 8A0430 |mov al,byte ptr ds:[eax+esi]
00401CD5 |. 3A0411 |cmp al,byte ptr ds:[ecx+edx]
00401CD8 |. 75 16 |jnz short CR-Game0.00401CF0
00401CDA |. EB 16 |jmp short CR-Game0.00401CF2
00401CDC |> 3C 41 |cmp al,41 ; Default case of switch 00401CF6
00401CDE |. 72 10 |jb short CR-Game0.00401CF0
00401CE0 |. 3C 5A |cmp al,5A
00401CE2 |. 77 0C |ja short CR-Game0.00401CF0
00401CE4 |. 2C 41 |sub al,41
00401CE6 |. 8A0438 |mov al,byte ptr ds:[eax+edi]
00401CE9 |. 3A0411 |cmp al,byte ptr ds:[ecx+edx]
00401CEC |. 75 02 |jnz short CR-Game0.00401CF0
00401CEE |. EB 02 |jmp short CR-Game0.00401CF2
00401CF0 |> EB 45 |jmp short CR-Game0.00401D37
00401CF2 |> 41 |inc ecx
00401CF3 |. 8A0419 |mov al,byte ptr ds:[ecx+ebx]
00401CF6 |> 0AC0 or al,al ; Switch (cases 0..7A)
00401CF8 |.^ 75 CE \jnz short CR-Game0.00401CC8
00401CFA |. 8A03 mov al,byte ptr ds:[ebx] ; Case 0 of switch 00401CF6
00401CFC |. EB 2E jmp short CR-Game0.00401D2C
00401CFE |> 3C 61 /cmp al,61
00401D00 |. 72 10 |jb short CR-Game0.00401D12
00401D02 |. 3C 7A |cmp al,7A
00401D04 |. 77 0C |ja short CR-Game0.00401D12
00401D06 |. 2C 61 |sub al,61 ; Cases 61 ('a'),62 ('b'),63 ('c'),64 ('d'),65 ('e'),66 ('f'),67 ('g'),68 ('h'),69 ('i'),6A ('j'),6B ('k'),6C ('l'),6D ('m'),6E ('n'),6F ('o'),70 ('p'),71 ('q'),72 ('r'),73 ('s'),74 ('t')... of switch 00401D2C
00401D08 |. 8A0438 |mov al,byte ptr ds:[eax+edi]
00401D0B |. 3A0411 |cmp al,byte ptr ds:[ecx+edx]
00401D0E |. 75 16 |jnz short CR-Game0.00401D26
00401D10 |. EB 16 |jmp short CR-Game0.00401D28
00401D12 |> 3C 41 |cmp al,41 ; Default case of switch 00401D2C
00401D14 |. 72 10 |jb short CR-Game0.00401D26
00401D16 |. 3C 5A |cmp al,5A
00401D18 |. 77 0C |ja short CR-Game0.00401D26
00401D1A |. 2C 41 |sub al,41
00401D1C |. 8A0430 |mov al,byte ptr ds:[eax+esi]
00401D1F |. 3A0411 |cmp al,byte ptr ds:[ecx+edx]
00401D22 |. 75 02 |jnz short CR-Game0.00401D26
00401D24 |. EB 02 |jmp short CR-Game0.00401D28
00401D26 |> EB 0F |jmp short CR-Game0.00401D37
00401D28 |> 41 |inc ecx
00401D29 |. 43 |inc ebx
00401D2A |. 8A03 |mov al,byte ptr ds:[ebx]
00401D2C |> 0AC0 or al,al ; Switch (cases 0..7A)
00401D2E |.^ 75 CE \jnz short CR-Game0.00401CFE
00401D30 |. B8 04000000 mov eax,4 ; Case 0 of switch 00401D2C
00401D35 |. EB 02 jmp short CR-Game0.00401D39
00401D37 |> 33C0 xor eax,eax
00401D39 |> 5F pop edi
00401D3A |. 5E pop esi
00401D3B |. 5A pop edx
00401D3C |. 59 pop ecx
00401D3D |. 5B pop ebx
00401D3E |. C9 leave
00401D3F \. C3 retn
level 4 is much like level 3; here it requires len(serial)=2*len(name), and two strings are joined together:
po lk iu jm nh yt gb vf re dc xs wq az
QW ER TY UI OP AS DF GH JK LZ XC VB NM
First the lowercase letters of the name are looked up in the lowercase string and the uppercase letters in the uppercase string; that is done len(name) times, and every lookup is compared against the serial. After the first pass, lowercase letters of the name are looked up in the uppercase string and uppercase letters in the lowercase string (swapped round), which is where the len(serial)=2*len(name) requirement comes from.
level 4: name: emptywin serial: igfcawnbTDHZNVOF
Post #6
level 5:
00401DE6 |. 33C9 xor ecx,ecx
00401DE8 |. EB 0B jmp short CR-Game0.00401DF5
00401DEA |> 803C19 61 /cmp byte ptr ds:[ecx+ebx],61
00401DEE |. 72 04 |jb short CR-Game0.00401DF4
00401DF0 |. 802C19 20 |sub byte ptr ds:[ecx+ebx],20
00401DF4 |> 41 |inc ecx
00401DF5 |> 803C19 00 cmp byte ptr ds:[ecx+ebx],0
00401DF9 |.^ 75 EF \jnz short CR-Game0.00401DEA
00401DFB |. 8D55 8C lea edx,dword ptr ss:[ebp-74]
00401DFE |. 33C9 xor ecx,ecx
00401E00 |. 8A03 mov al,byte ptr ds:[ebx]
00401E02 |. EB 1E jmp short CR-Game0.00401E22
00401E04 |> 51 /push ecx
00401E05 |. 33C9 |xor ecx,ecx
00401E07 |. EB 06 |jmp short CR-Game0.00401E0F
00401E09 |> 3A0431 |/cmp al,byte ptr ds:[ecx+esi]
00401E0C |. 74 07 ||je short CR-Game0.00401E15
00401E0E |. 41 ||inc ecx
00401E0F |> 803C31 00 | cmp byte ptr ds:[ecx+esi],0
00401E13 |.^ 75 F4 |\jnz short CR-Game0.00401E09
00401E15 |> 8A0439 |mov al,byte ptr ds:[ecx+edi]
00401E18 |. 59 |pop ecx
00401E19 |. 3A0411 |cmp al,byte ptr ds:[ecx+edx]
00401E1C |. 75 0F |jnz short CR-Game0.00401E2D
00401E1E |. 41 |inc ecx
00401E1F |. 8A0419 |mov al,byte ptr ds:[ecx+ebx]
00401E22 |> 0AC0 or al,al
00401E24 |.^ 75 DE \jnz short CR-Game0.00401E04
00401E26 |. B8 05000000 mov eax,5
00401E2B |. EB 02 jmp short CR-Game0.00401E2F
00401E2D |> 33C0 xor eax,eax
00401E2F |> 5F pop edi
00401E30 |. 5E pop esi
00401E31 |. 5A pop edx
00401E32 |. 59 pop ecx
00401E33 |. 5B pop ebx
00401E34 |. C9 leave
00401E35 \. C3 retn
level 5 likewise joins two strings, then turns the name into uppercase, then looks each letter up in string1 to find its position there and takes the letter at the same position in string2 to compare against the serial.
string1: QW ER TY UI OP AS DF GH JK LZ XC VB NM
string2: pO lK iU jm nh yt gb Vf re dC XS wq aZ
level 5: name: emptywin serial: lZhiUOma
Just a newbie rambling here. level 6 has a problem in version 0.5; I only saw version 0.6 today, so level 6 next time.
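Added example covering levels 3, 4 and 5 together (my own code, not the crackme's): the three table substitutions in Python, with the table strings taken from the posts and the function names mine. Two details of the listings are kept: the uppercase loop subtracts 0x20 from every byte at or above 0x61 with no upper bound, and the compare loops stop at the end of the name, so any trailing serial characters are never looked at (`serial_matches` preserves that). Characters the binary would handle by reading outside a table raise ValueError instead.

```python
# Added example: Python mirrors of the CR-Game level 3, 4 and 5 lookups,
# written from the listings in the posts. Not the crackme's own code.

UPPER_TABLE = "QWERTYUIOPASDFGHJKLZXCVBNM"     # string at 00401BAE (levels 3, 4, 5)
LOWER_TABLE = "polkiujmnhytgbvfredcxswqaz"     # level 4 lowercase string, as quoted in the post
LEVEL5_STRING2 = "pOlKiUjmnhytgbVfredCXSwqaZ"  # level 5 string2, as quoted in the post


def to_upper_like_binary(name: str) -> str:
    # 00401BD8 / 00401DEA loops: every byte >= 0x61 has 0x20 subtracted.
    # There is no upper bound, so '{' (0x7B) would become '[' as well.
    return "".join(chr(ord(c) - 0x20) if ord(c) >= 0x61 else c for c in name)


def expected_level3(name: str) -> str:
    """00401BF4 loop: (uppercased byte - 0x41) indexes UPPER_TABLE."""
    out = []
    for c in to_upper_like_binary(name):
        idx = ord(c) - 0x41
        if not 0 <= idx < len(UPPER_TABLE):
            # the binary does no range check and would read outside the table
            raise ValueError(f"level 3 only defines letters, got {c!r}")
        out.append(UPPER_TABLE[idx])
    return "".join(out)


def expected_level4(name: str) -> str:
    """Two passes over the name: pass 1 maps lower -> LOWER_TABLE and
    upper -> UPPER_TABLE (00401CC8 loop); pass 2 swaps the tables
    (00401CFE loop). Hence len(serial) == 2 * len(name)."""
    out = []
    for lower_tbl, upper_tbl in ((LOWER_TABLE, UPPER_TABLE), (UPPER_TABLE, LOWER_TABLE)):
        for c in name:
            if "a" <= c <= "z":
                out.append(lower_tbl[ord(c) - 0x61])
            elif "A" <= c <= "Z":
                out.append(upper_tbl[ord(c) - 0x41])
            else:
                # 00401CDC..00401CF0: anything outside both ranges fails the level
                raise ValueError(f"level 4 rejects non-letter {c!r}")
    return "".join(out)


def expected_level5(name: str) -> str:
    """00401E09 inner loop scans string1 for the uppercased byte; the byte at
    the same offset of string2 is what the serial must contain."""
    out = []
    for c in to_upper_like_binary(name):
        idx = UPPER_TABLE.find(c)
        if idx < 0:
            # not found: the scan stops at string1's NUL and string2's byte at
            # that offset is its own NUL, which no printable serial byte equals
            raise ValueError(f"level 5 cannot match {c!r}")
        out.append(LEVEL5_STRING2[idx])
    return "".join(out)


def serial_matches(expected: str, serial: str) -> bool:
    # the compare loops run for len(name) steps, so extra serial bytes are ignored
    return serial.startswith(expected)


if __name__ == "__main__":
    print("level 3:", expected_level3("emptywin"))
    print("level 4:", expected_level4("emptywin"))
    print("level 5:", expected_level5("emptywin"))
```

The level 4 function goes beyond the post's all-lowercase name and handles mixed case the way the listing does: "Em" yields "TgiD", the first pair from the straight tables and the second from the swapped ones.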
Post #7
Wow, surfacing!
黑汽水, what skill!
High-quality, high-efficiency work!
Post #8
level 6:
00401E91 |. 8D5D A0 lea ebx,dword ptr ss:[ebp-60] ;get serial
00401E94 |. 8A03 mov al,byte ptr ds:[ebx] ; take the first byte
00401E96 |. 04 03 add al,3 ; +3 and compare with 4D, not equal -> kill
00401E98 |. 3C 4D cmp al,4D ; reversed: 4D-3=4A ('J')
00401E9A |. 74 0A je short CR-Game0.00401EA6
00401E9C |. 33C9 xor ecx,ecx
00401E9E |> 41 /inc ecx
00401E9F |. 83F9 64 |cmp ecx,64
00401EA2 |.^ 72 FA \jb short CR-Game0.00401E9E
00401EA4 |. EB 28 jmp short CR-Game0.00401ECE
00401EA6 |> 8A43 01 mov al,byte ptr ds:[ebx+1] ; take byte 2
00401EA9 |. 34 69 xor al,69 ; xor with 69H must give 0, so byte 2 is 'i'
00401EAB |. 74 0D je short CR-Game0.00401EBA
00401EAD |. 33C9 xor ecx,ecx
00401EAF |> 41 /inc ecx
00401EB0 |. 81F9 C8000000 |cmp ecx,0C8
00401EB6 |.^ 72 F7 \jb short CR-Game0.00401EAF
00401EB8 |. EB 14 jmp short CR-Game0.00401ECE
00401EBA |> 8A43 02 mov al,byte ptr ds:[ebx+2] ; take byte 3
00401EBD |. 2C 03 sub al,3 ; -3h == 4D
00401EBF |. 3C 4D cmp al,4D ; so byte 3 is 'P'
00401EC1 |. 74 10 je short CR-Game0.00401ED3
00401EC3 |. 33C9 xor ecx,ecx
00401EC5 |> 41 /inc ecx
00401EC6 |. 81F9 2C010000 |cmp ecx,12C
00401ECC |.^ 72 F7 \jb short CR-Game0.00401EC5
00401ECE |> E9 A3000000 jmp CR-Game0.00401F76 ; below, bytes 4 and 5 are transformed
00401ED3 |> 8D75 E0 lea esi,dword ptr ss:[ebp-20] ;get name
00401ED6 |. 8D7D C0 lea edi,dword ptr ss:[ebp-40] ;get company
00401ED9 |. 8A27 mov ah,byte ptr ds:[edi]
00401EDB |. 80E4 06 and ah,6
00401EDE |. 8A06 mov al,byte ptr ds:[esi]
00401EE0 |. 02C4 add al,ah
00401EE2 |. 2A43 03 sub al,byte ptr ds:[ebx+3] ;ah&6+al=serial[3]
00401EE5 |. 0F85 8B000000 jnz CR-Game0.00401F76
00401EEB |. 8A26 mov ah,byte ptr ds:[esi]
00401EED |. 80E4 09 and ah,9
00401EF0 |. 8A07 mov al,byte ptr ds:[edi]
00401EF2 |. 02C4 add al,ah
00401EF4 |. 2A43 04 sub al,byte ptr ds:[ebx+4] ; ah&9+al=serial[4], a simple transform of the first 5
00401EF7 |. 75 7D jnz short CR-Game0.00401F76 ; it gets a bit more complex below
00401EF9 |. 8B43 05 mov eax,dword ptr ds:[ebx+5]
00401EFC |. 8B16 mov edx,dword ptr ds:[esi]
00401EFE |. 33D0 xor edx,eax
00401F00 |. 81E2 03050709 and edx,9070503
00401F06 |. 0316 add edx,dword ptr ds:[esi]
00401F08 |. 8B43 09 mov eax,dword ptr ds:[ebx+9]
00401F0B |. 2BC2 sub eax,edx
00401F0D |.^ 75 BF jnz short CR-Game0.00401ECE
00401F0F |. 33C9 xor ecx,ecx
00401F11 |. EB 0B jmp short CR-Game0.00401F1E
00401F13 |> 803C31 61 /cmp byte ptr ds:[ecx+esi],61 ; lowercase to uppercase
00401F17 |. 72 04 |jb short CR-Game0.00401F1D
00401F19 |. 802C31 20 |sub byte ptr ds:[ecx+esi],20
00401F1D |> 41 |inc ecx
00401F1E |> 803C31 00 cmp byte ptr ds:[ecx+esi],0
00401F22 |.^ 75 EF \jnz short CR-Game0.00401F13
00401F24 |. 8D7D 80 lea edi,dword ptr ss:[ebp-80]
00401F27 |. EB 1F jmp short CR-Game0.00401F48
00401F29 |. 4A 69 50 34 5A>ascii "JiP4ZAQWSXCDERFV"
00401F39 |. 42 47 54 59 48>ascii "BGTYHNMJUIKLOP",0
00401F48 |> 68 291F4000 push CR-Game0.00401F29 ; /String2 = "JiP4ZAQWSXCDERFVBGTYHNMJUIKLOP"
00401F4D |. 57 push edi ; |String1
00401F4E |. E8 F50C0000 call <jmp.&kernel32.lstrcpyA> ; \lstrcpyA
00401F53 |. 33C0 xor eax,eax ; join the strings
00401F55 |. 33C9 xor ecx,ecx ;JiP4ZAQWSXCDERFVBGTYHNMJUIKLOP
00401F57 |. 8A06 mov al,byte ptr ds:[esi]
00401F59 |. EB 0F jmp short CR-Game0.00401F6A
00401F5B |> 2C 3D /sub al,3D
00401F5D |. 8A0438 |mov al,byte ptr ds:[eax+edi]
00401F60 |. 3A4419 0D |cmp al,byte ptr ds:[ecx+ebx+D]
00401F64 |. 75 10 |jnz short CR-Game0.00401F76
00401F66 |. 41 |inc ecx
00401F67 |. 8A0431 |mov al,byte ptr ds:[ecx+esi]
00401F6A |> 0AC0 or al,al
00401F6C |.^ 75 ED \jnz short CR-Game0.00401F5B
00401F6E |. 61 popad
00401F6F |. B8 06000000 mov eax,6
00401F74 |. EB 02 jmp short CR-Game0.00401F78
00401F76 |> 33C0 xor eax,eax
00401F78 |> C9 leave
00401F79 \. C3 retn
Read it all; it is basically a composite of the earlier levels. Let's go through it from the start.
name: emptywin company: china
1. The first 3 characters are transformed and fixed: JiP (the OP)
2. The next 2 characters are transformed: ah&6+al=serial[3], ah&9+al=serial[4]; the first time ah is company and al is name, the second time ah is name and al is company. The transform gives: gd
3. Take a dword: the next 4 bytes of the serial and the name are combined by arithmetic into the 4 bytes after them. The result may not be displayable characters, though:
'7878', eax=0x38373837 (in memory the data is stored high byte at the high address, low byte at the low address)
'empt', edx=0x74706D65, edx=eax^edx=4C475552, edx=edx&0x9070503=0x08070502
edx=edx+0x74706D65(name)=0x7C777267, converted to ascii='grw|'; 0x7C is a non-displayable character, I used UltraEdit to convert it and got '|'.
4. After the 3 steps above I had JiPgd7878grw|; what follows is a string lookup to get the rest.
The joined string is JiP4ZAQWSXCDERFVBGTYHNMJUIKLOP; turn the name all uppercase (41~5A), then subtract 0x3D and index the string. I got SBYJOKEG
5. Finally at the end: as long as nothing above jumped to 00401F76 33C0 xor eax,eax, it passes.
level 6:
name: emptywin company: china serial: JiPgd7878grw|SBYJOKEG
ps: Is there a level 7? I can't quite make it out; it doesn't look like there is an algorithm. I used name: emptywin company: c serial: (empty) and passed. Is that right? It's just some length checks.
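Added example (my own code, not the crackme's): the level 6 routine in Python, with the dword step done as little-endian `struct` operations so the 0x38373837 byte order from step 3 above is reproduced by the code rather than worked out by hand. Function names and the length guards are mine; the listing in the post shows no length checks.

```python
# Added example: Python mirror of the CR-Game level 6 routine (00401E91..00401F79),
# written from the listing in the post. Not the crackme's own code.
import struct

LEVEL6_TABLE = "JiP4ZAQWSXCDERFVBGTYHNMJUIKLOP"  # the two strings at 00401F29 joined


def dword_step(name: str, serial5to8: bytes) -> bytes:
    """00401EF9..00401F0B: the four bytes the routine expects at serial[9..12].
    Both operands are read as little-endian dwords, exactly as the x86 mov
    instructions do, so b"7878" is 0x38373837 rather than 0x37383738.
    Assumes at least 4 bytes of name and 4 bytes of serial5to8."""
    name_dw = struct.unpack("<I", name.encode("latin-1")[:4])[0]
    s_dw = struct.unpack("<I", serial5to8[:4])[0]
    edx = (((name_dw ^ s_dw) & 0x09070503) + name_dw) & 0xFFFFFFFF
    return struct.pack("<I", edx)


def check_level6(name: str, company: str, serial: str) -> bool:
    n = name.encode("latin-1")
    c = company.encode("latin-1")
    s = serial.encode("latin-1")
    # Guards of my own: the listing reads 4 bytes of name and 13 + len(name)
    # bytes of serial with no visible length check, so shorter input is
    # undefined behaviour there; here it simply fails.
    if len(n) < 4 or not c or len(s) < 13 + len(n):
        return False
    # 00401E96..00401EBF: three fixed bytes, each hidden behind a small transform
    if ((s[0] + 3) & 0xFF) != 0x4D:      # 'J'
        return False
    if (s[1] ^ 0x69) != 0:               # 'i'
        return False
    if ((s[2] - 3) & 0xFF) != 0x4D:      # 'P'
        return False
    # 00401ED9..00401EF4: two bytes mixing name[0] and company[0]
    if s[3] != ((n[0] + (c[0] & 6)) & 0xFF):
        return False
    if s[4] != ((c[0] + (n[0] & 9)) & 0xFF):
        return False
    # 00401EF9..00401F0D: dword check on serial[5..8] against serial[9..12]
    if s[9:13] != dword_step(name, s[5:9]):
        return False
    # 00401F13 loop: uppercase the name (every byte >= 0x61 minus 0x20)
    upper = bytes(b - 0x20 if b >= 0x61 else b for b in n)
    # 00401F5B loop: (byte - 0x3D) indexes the table, compared to serial[13 + i]
    for i, b in enumerate(upper):
        idx = (b - 0x3D) & 0xFF
        if idx >= len(LEVEL6_TABLE):     # the binary would read past the table here
            return False
        if s[13 + i] != ord(LEVEL6_TABLE[idx]):
            return False
    return True


if __name__ == "__main__":
    print(dword_step("emptywin", b"7878"))
    print(check_level6("emptywin", "china", "JiPgd7878grw|SBYJOKEG"))
```

Only the first four bytes of the name and the first byte of the company enter the arithmetic steps; the rest of the name matters only through the table lookup at the end.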
Post #9
Not bad, a high-quality post!
Post #10
Except for the final version, the last level of every CR-Game is a joke level.
So level 7 of CR-Game0.6 (6+1 levels) is...
Using name: emptywin company: c serial: (empty) shouldn't pass, should it?
You need name: em company: c serial: (empty) for it to work.
Maybe it's a bug in the program?
ps: The CR-Game0.7 (7+1 levels) version may not be released for several days, because JiP is a big lazybones.
Hehehe... hahaha...
A bit of advertising:
Anyone interested can try CR-Game0.6 (6+1 levels) first.
The software is not packed, has no anti-decompilation and no anti-debugging.
It is a hands-on levelling-up exercise for PJ (cracking) people with a certain amount of experience.
Suitable for beginners up to intermediate folks, or for bored experts with itchy hands.