- UID
- 13110
注册时间2006-5-14
阅读权限20
最后登录1970-1-1
以武会友
 
该用户从未签到
|
发表于 2007-5-12 09:27:05
|
显示全部楼层
算法分析!
C32Asm打开crackme.exe
查找字符串%04d找到3处!401726,4019be,401b84.
来到401726
XOR ECX,ECX
::00401703:: 33C0 XOR EAX,EAX
::00401705:: EB 09 JMP SHORT 00401710 \:JMPDOWN
::00401707:: 8DA424 00000000 LEA ESP,[ESP]
::0040170E:: 8BFF MOV EDI,EDI
::00401710:: 0FBE5404 14 MOVSX EDX,BYTE PTR [ESP+EAX+14] --》取用户名每位的asc码
::00401705,00401723,
::00401715:: 81F2 82000000 XOR EDX,82 //XOR $82
::0040171B:: 83C0 01 ADD EAX,1
::0040171E:: 03CA ADD ECX,EDX //累加
::00401720:: 83F8 10 CMP EAX,10 //是否10位
::00401723:: 7C EB JL SHORT 00401710 \:JMPUP
::00401725:: 51 PUSH ECX //ecx是注册码的1-4位
::00401726:: 68 048C4200 PUSH 428C04 \->: %04d
-----------------------
在目录下建立key.txt
在40143A下断
断下后会生成HELLO.EXE
copy HELLO.EXE 为ok.exe
--------------------------
用tr加载ok.exe
跟踪来到:
:0001.02F6 3D1000 cmp ax, 0010 //比较注册码是否等于或大于16位
:0001.02F9 7D03 jge 02FE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.02EC(C)
|
:0001.02FB E893FF call 0291 //不是就DEL KEY.TXT
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.02F9(C)
|
:0001.02FE 33F6 xor si, si
:0001.0300 EB19 jmp 031B
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.031E(C)
|
:0001.0302 8A84AA01 mov al , [si+01AA] //取注册码的第一位起的asc
:0001.0306 98 cbw
:0001.0307 50 push ax
:0001.0308 8A84B201 mov al , [si+01B2] //取注册码的第九位起的asc
:0001.030C 98 cbw
:0001.030D BA6900 mov dx, 0069
:0001.0310 2BD0 sub dx, ax //$69-九位起的asc
:0001.0312 58 pop ax
:0001.0313 3BC2 cmp ax, dx //第一位起的asc 是否等于 ($69-九位起的asc)
:0001.0315 7403 je 031A
:0001.0317 E877FF call 0291 //不是DEL key.txt
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.0315(C)
|
:0001.031A 46 inc si
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0001.0300(U)
|
:0001.031B 83FE08 cmp si, 0008 //循环8次 ,就是说注册码应该为16位!
:0001.031E 7CE2 jl 0302
------------------------------------------
开始漏了第5-8位注册码的算法
补上:
::00401B50:: 33C0 XOR EAX, EAX
::00401B52:: 0FBE5404 14 MOVSX EDX, BYTE PTR [ESP+EAX+14] \:BYJMP JmpBy:00401B81,
::00401B57:: 0FBE4C04 15 MOVSX ECX, BYTE PTR [ESP+EAX+15]
::00401B5C:: 83F1 28 XOR ECX, 28
::00401B5F:: 83F2 28 XOR EDX, 28
::00401B62:: 03D1 ADD EDX, ECX
::00401B64:: 0FBE4C04 17 MOVSX ECX, BYTE PTR [ESP+EAX+17]
::00401B69:: 83F1 28 XOR ECX, 28
::00401B6C:: 03D1 ADD EDX, ECX
::00401B6E:: 0FBE4C04 16 MOVSX ECX, BYTE PTR [ESP+EAX+16]
::00401B73:: 83F1 28 XOR ECX, 28
::00401B76:: 03CF ADD ECX, EDI
::00401B78:: 83C0 04 ADD EAX, 4
::00401B7B:: 83F8 10 CMP EAX, 10
::00401B7E:: 8D3C11 LEA EDI, DWORD PTR [ECX+EDX]
::00401B81:: 7C CF JL SHORT 00401B52 \:JMPUP
用户名:johnroot
注册码:2939091570609084
注册机DELPHI代码:
procedure TForm1.Button1Click(Sender: TObject);
var
nameok,pp,gg,gg2,mm,mm2:pchar;
i,j,j2,k:integer;
begin
getmem(nameok,$10);
ZeroMemory(nameok,$10);
getmem(mm,5);
ZeroMemory(mm,5);
getmem(mm2,5);
ZeroMemory(mm2,5);
pp:=pchar(edit1.Text);
for i:=0 to (length(pp)-1) do
begin
nameok[i]:=pp[i];
end;
j:=0;
for i:=0 to $f do
begin
k:=ord(nameok[i]) xor $82;
j:=j + k;
end;
gg := pchar(inttostr(j));
j:=0;
for i:=0 to $f do
begin
k:=ord(nameok[i]) xor $28;
j2:=j2 + k;
end;
gg2 := pchar(inttostr(j2));
if length(gg2)<4 then
begin
gg2:=pchar('0' + string(gg2));
end;
for i:=0 to 3 do
begin
mm[i]:= char($69 - ord(gg[i]));
end;
for i:=0 to 3 do
begin
mm2[i]:= char($69 - ord(gg2[i]));
end;
edit2.text:=string(gg) + string(gg2) + string(mm) + string(mm2);
end;
[[i] 本帖最后由 johnroot 于 2007-5-12 15:20 编辑 [/i]] |
|
楼主: 不懂算法
IP卡
楼主
显身卡
发表于 2007-5-10 19:49:58
发表于 2007-5-11 17:46:22
发表于 2007-5-11 23:19:07
发表于 2007-5-12 08:57:27
