2005年就注册了,虽然注册早,但是现在还是菜鸟一只,潜水一段时间后发现自己还只是会爆破就放下了4年了。最近一个哥们公司的软件找我去注册窗口才让我又来了兴趣,这次一定坚持下去。第一次发有什么不妥之处请指出,一个非常简单的crackme。
PEiD 查无壳, OD 载入后对 GetDlgItemTextA 下断, 断下后来到:
00401248 |. 6A 28 PUSH 28 ; /Count = 28 (40.)
0040124A |. 68 8C314000 PUSH 0040318C ; |Buffer = d2k2_cra.0040318C
0040124F |. 6A 02 PUSH 2 ; |ControlID = 2
00401251 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
00401254 |. E8 8F010000 CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA  -- read the name from control 2 into 0040318C
00401259 |. 84C0 TEST AL,AL ; low byte of the returned length
0040125B |. 0F84 06010000 JE 00401367 ; empty -> "Enter Name!"
00401261 |. 3C 20 CMP AL,20
00401263 |. 0F8F 13010000 JG 0040137C ; longer than 20H (32) -> "Name can be max 32 Chars long!"
00401269 |. 3C 05 CMP AL,5
0040126B |. 0F8C 20010000 JL 00401391 ; shorter than 5 -> "Name must be min 5 Chars long!"
00401271 |. 8D1D 8C314000 LEA EBX,DWORD PTR DS:[40318C] ; EBX -> name buffer
00401277 |. 33C9 XOR ECX,ECX
00401279 |. B0 05 MOV AL,5 ; AL = remaining count, counts 5 down to 1 in the loop below
前 5 位的处理 (第一轮, 取用户名前 5 个字符):
0040127B |. 33D2 XOR EDX,EDX ; EDX = character index, 0..4
0040127D |> 8A0C1A MOV CL,BYTE PTR DS:[EDX+EBX] ; CL = name[EDX]
00401280 |. 80F1 29 XOR CL,29 ; XOR the name character's ASCII code with 29H
00401283 |. 02C8 ADD CL,AL ; add the remaining count (5..1)
00401285 |. 80F9 41 CMP CL,41
00401288 |. 7C 1C JL SHORT 004012A6 ; below 41H ('A') -> replace; JL is a signed compare, so 80H..FFH also take this branch
0040128A |. 80F9 5A CMP CL,5A
0040128D |. 7F 17 JG SHORT 004012A6 ; above 5AH ('Z') -> replace
0040128F |> 888A 3C314000 MOV BYTE PTR DS:[EDX+40313C],CL ; store result byte at 40313C+EDX
00401295 |. C682 3D314000>MOV BYTE PTR DS:[EDX+40313D],0 ; keep the result buffer NUL-terminated
0040129C |. FEC2 INC DL
0040129E |. FEC8 DEC AL
004012A0 |. 3C 00 CMP AL,0
004012A2 |. 74 08 JE SHORT 004012AC ; 5 characters done -> second pass
004012A4 |.^ EB D7 JMP SHORT 0040127D
004012A6 |> B1 52 MOV CL,52 ; out of range: value becomes 52H + remaining count
004012A8 |. 02C8 ADD CL,AL
004012AA |.^ EB E3 JMP SHORT 0040128F
后 5 位的处理 (第二轮, 仍然取用户名前 5 个字符):
004012AC |> 33D2 XOR EDX,EDX ; second pass over the same first 5 name characters
004012AE |. B8 05000000 MOV EAX,5 ; AL = remaining count, 5 down to 1
004012B3 |> 8A0C1A MOV CL,BYTE PTR DS:[EDX+EBX] ; CL = name[EDX]
004012B6 |. 80F1 27 XOR CL,27 ; XOR the name character's ASCII code with 27H
004012B9 |. 02C8 ADD CL,AL ; add the remaining count
004012BB |. 80C1 01 ADD CL,1 ; and 1 more
004012BE |. 80F9 41 CMP CL,41
004012C1 |. 7C 1C JL SHORT 004012DF ; below 41H -> replace (signed compare, as in the first pass)
004012C3 |. 80F9 5A CMP CL,5A
004012C6 |. 7F 17 JG SHORT 004012DF ; above 5AH -> replace
004012C8 |> 888A 41314000 MOV BYTE PTR DS:[EDX+403141],CL ; store at 403141+EDX, directly after the first 5 result bytes
004012CE |. C682 42314000>MOV BYTE PTR DS:[EDX+403142],0 ; NUL terminator after the last byte written
004012D5 |. FEC2 INC DL
004012D7 |. FEC8 DEC AL
004012D9 |. 3C 00 CMP AL,0
004012DB |. 74 08 JE SHORT 004012E5 ; all 10 result bytes now sit at 40313C..403145
004012DD |.^ EB D4 JMP SHORT 004012B3
004012DF |> B1 4D MOV CL,4D ; out of range: value becomes 4DH + remaining count (the extra +1 is not applied here)
004012E1 |. 02C8 ADD CL,AL
004012E3 |.^ EB E3 JMP SHORT 004012C8
004012E5 |> 33C0 XOR EAX,EAX
004012E7 |. 6A 28 PUSH 28 ; /Count = 28 (40.)
004012E9 |. 68 B4314000 PUSH 004031B4 ; |Buffer = d2k2_cra.004031B4
004012EE |. 6A 04 PUSH 4 ; |ControlID = 4
004012F0 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hWnd
004012F3 |. E8 F0000000 CALL <JMP.&USER32.GetDlgItemTextA> ; \GetDlgItemTextA  -- read the entered serial from control 4 into 004031B4
004012F8 |. 66:85C0 TEST AX,AX
004012FB |. 74 55 JE SHORT 00401352 ; empty serial -> "Wrong Code!"
004012FD |. 66:83F8 0A CMP AX,0A
00401301 |. 7F 4F JG SHORT 00401352 ; longer than 10 -> "Wrong Code!"
00401303 |. 7C 4D JL SHORT 00401352 ; shorter than 10 -> "Wrong Code!"; only a serial of exactly 10 characters continues
第三步: 对上面得到的 10 个值再做一次运算, 并与输入的注册码逐位比较:
00401305 |. 33C0 XOR EAX,EAX
00401307 |. 33DB XOR EBX,EBX
00401309 |. 33C9 XOR ECX,ECX ; ECX = position in the serial, 0..10
0040130B |. 33D2 XOR EDX,EDX
0040130D |. 8D05 B4314000 LEA EAX,DWORD PTR DS:[4031B4] ; EAX -> entered serial
00401313 8A1C01 MOV BL,BYTE PTR DS:[ECX+EAX] ; BL = serial[ECX]
00401316 |. 8A91 3C314000 MOV DL,BYTE PTR DS:[ECX+40313C] ; DL = computed byte [ECX] from the two passes above
0040131C |. 80FB 00 CMP BL,0
0040131F 0F84 81000000 JE 004013A6 ; serial terminator reached, i.e. every previous character matched -> "Good Cracker"; patch point: change to JMP to bypass the check
00401325 |. 80C2 05 ADD DL,5 ; computed byte + 5
00401328 |. 80FA 5A CMP DL,5A
0040132B |. 7F 14 JG SHORT 00401341 ; above 5AH -> subtract 0DH first
0040132D |> 80F2 0C XOR DL,0C ; XOR with 0CH
00401330 |. 80FA 41 CMP DL,41
00401333 |. 7C 11 JL SHORT 00401346 ; below 41H -> 4BH + position
00401335 |. 80FA 5A CMP DL,5A
00401338 |. 7F 12 JG SHORT 0040134C ; above 5AH -> 4BH - position
0040133A |> 41 INC ECX
0040133B |. 38DA CMP DL,BL ; compare with the entered serial, one character at a time
0040133D ^ 74 D4 JE SHORT 00401313 ; match -> next character; patch point: change to JMP to bypass the check
0040133F |. EB 11 JMP SHORT 00401352 ; mismatch -> "Wrong Code!"
00401341 |> 80EA 0D SUB DL,0D
00401344 |.^ EB E7 JMP SHORT 0040132D
00401346 |> B2 4B MOV DL,4B
00401348 |. 02D1 ADD DL,CL ; CL = position before INC ECX (0-based)
0040134A |.^ EB EE JMP SHORT 0040133A
0040134C |> B2 4B MOV DL,4B
0040134E |. 2AD1 SUB DL,CL ; CL = position before INC ECX (0-based)
00401350 |.^ EB E8 JMP SHORT 0040133A
00401352 |> 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401354 |. 68 49304000 PUSH 00403049 ; |Title = "Dont give up..."
00401359 |. 68 59304000 PUSH 00403059 ; |Text = "Wrong Code!Try Again!"
0040135E |. 6A 00 PUSH 0 ; |hOwner = NULL
00401360 |. E8 A1000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
00401365 |. EB 52 JMP SHORT 004013B9
00401367 |> 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401369 |. 68 6F304000 PUSH 0040306F ; |Title = "Sorry..."
0040136E |. 68 97304000 PUSH 00403097 ; |Text = "Enter Name!"
00401373 |. 6A 00 PUSH 0 ; |hOwner = NULL
00401375 |. E8 8C000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
0040137A |. EB 3D JMP SHORT 004013B9
0040137C |> 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
0040137E |. 68 6F304000 PUSH 0040306F ; |Title = "Sorry..."
00401383 |. 68 A3304000 PUSH 004030A3 ; |Text = "Name can be max 32 Chars long!"
00401388 |. 6A 00 PUSH 0 ; |hOwner = NULL
0040138A |. E8 77000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
0040138F |. EB 28 JMP SHORT 004013B9
00401391 |> 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401393 |. 68 6F304000 PUSH 0040306F ; |Title = "Sorry..."
00401398 |. 68 78304000 PUSH 00403078 ; |Text = "Name must be min 5 Chars long!"
0040139D |. 6A 00 PUSH 0 ; |hOwner = NULL
0040139F |. E8 62000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
004013A4 |. EB 13 JMP SHORT 004013B9
004013A6 |> 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL  -- success branch
004013A8 |. 68 C2304000 PUSH 004030C2 ; |Title = "Good Cracker"
004013AD |. 68 CF304000 PUSH 004030CF ; |Text = "Serial is correct! Now write a keygen + tut and send it to: diablo2oo2@gmx.net !"
004013B2 |. 6A 00 PUSH 0 ; |hOwner = NULL
004013B4 |. E8 4D000000 CALL <JMP.&USER32.MessageBoxA> ; \MessageBoxA
算法分析:
用户名只取前 5 位, 分别运算两次, 得到 10 个值
注册码必须正好 10 位
前 5 位注册码: 用户名 ASCII 码与 29H 异或, 再加上用户名剩余位数; 结果小于 41H 或大于 5AH 时, 换成 52H + 剩余位数
后 5 位注册码: 用户名 ASCII 码与 27H 异或, 再加上用户名剩余位数, 再加 1; 结果小于 41H 或大于 5AH 时, 换成 4DH + 剩余位数
第三步: 对上面的 10 个值逐个加 5, 若大于 5AH 则先减去 0DH, 然后与 0CH 异或; 结果小于 41H 时换成 4BH + 处理次数, 大于 5AH 时换成 4BH - 处理次数 (处理次数从 0 开始), 最后与输入的注册码逐位比较。
VB 注册机源码:
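Private Sub Command1_Click()
    ' Keygen for the d2k2 crackme: derives the 10-character serial from the
    ' name entered in Text1 and shows it in Text2.
    ' Mirrors the three passes of the disassembly above:
    '   pass 1 (serial 1..5):  (name(i) Xor 29H) + remaining, remaining = 5..1;
    '                          outside 'A'..'Z' -> 52H + remaining
    '   pass 2 (serial 6..10): (name(i) Xor 27H) + remaining + 1;
    '                          outside 'A'..'Z' -> 4DH + remaining (without the +1)
    '   pass 3 (all 10):       +5, then -0DH if above 'Z', then Xor 0CH;
    '                          below 'A' -> 4BH + (i-1), above 'Z' -> 4BH - (i-1)
    ' Only the first 5 characters of the name are ever used.
    Dim uname As String
    Dim upass As String
    Dim i As Long
    Dim j As Long
    Dim temp(1 To 10) As Long

    uname = Text1.Text
    ' The target rejects names shorter than 5 characters ("Name must be min 5
    ' Chars long!"); without this guard Asc(Mid(...)) would raise a runtime error.
    If Len(uname) < 5 Then
        MsgBox "Name must be min 5 Chars long!"
        Exit Sub
    End If

    ' Pass 1: serial positions 1..5; (6 - i) is the "remaining count" 5..1.
    For i = 1 To 5
        j = (Asc(Mid(uname, i, 1)) Xor &H29) + (6 - i)
        If j < &H41 Or j > &H5A Then
            j = &H52 + (6 - i)
        End If
        temp(i) = j
    Next

    ' Pass 2: serial positions 6..10, over the same 5 name characters.
    For i = 1 To 5
        j = (Asc(Mid(uname, i, 1)) Xor &H27) + (6 - i) + 1
        If j < &H41 Or j > &H5A Then
            j = &H4D + (6 - i)
        End If
        temp(i + 5) = j
    Next

    ' Pass 3: final transform of all 10 values; the target compares the
    ' result with the entered serial character by character.
    upass = ""
    For i = 1 To 10
        j = temp(i) + 5
        If j > &H5A Then
            j = j - &H0D
        End If
        j = j Xor &H0C
        ' The binary uses the 0-based position (CL before INC ECX), hence i - 1.
        If j < &H41 Then
            j = &H4B + (i - 1)
        ElseIf j > &H5A Then
            j = &H4B - (i - 1)
        End If
        upass = upass & Chr(j)
    Next

    Text2.Text = upass
End Sub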
只对 VB 还熟悉一点, 写得很烂。最近想学 Delphi...