- UID
- 2
注册时间2004-12-1
阅读权限255
最后登录1970-1-1
总坛主
TA的每日心情 | 难过
6 天前 |
|---|
签到天数: 11 天 [LV.3]偶尔看看II
|
刚才在DFCG看到一个求助的CrackMe,顺便看了一下,和适合初学者~
脱壳、找关键点就不说了,直接贴算法
00457BBE |. 55 push ebp
00457BBF |. 68 8A7E4500 push CrackMe#.00457E8A
00457BC4 |. 64:FF30 push dword ptr fs:[eax]
00457BC7 |. 64:8920 mov dword ptr fs:[eax],esp
00457BCA |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
00457BCD |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457BD3 |. E8 08C3FCFF call CrackMe#.00423EE0
00457BD8 |. 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; 输入用户名了吗?
00457BDC |. 75 18 jnz short CrackMe#.00457BF6
00457BDE |. 6A 00 push 0
00457BE0 |. B9 987E4500 mov ecx,CrackMe#.00457E98 ; ASCII "Enter your Name !"
00457BE5 |. BA AC7E4500 mov edx,CrackMe#.00457EAC ; ASCII "You must enter your Name !"
00457BEA |. A1 98A54500 mov eax,dword ptr ds:[45A598]
00457BEF |. 8B00 mov eax,dword ptr ds:[eax]
00457BF1 |. E8 3A85FEFF call CrackMe#.00440130
00457BF6 |> 8D55 FC lea edx,dword ptr ss:[ebp-4]
00457BF9 |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+2DC]
00457BFF |. E8 DCC2FCFF call CrackMe#.00423EE0
00457C04 |. 837D FC 00 cmp dword ptr ss:[ebp-4],0 ; 输入注册码了吗?
00457C08 |. 75 18 jnz short CrackMe#.00457C22
00457C0A |. 6A 00 push 0
00457C0C |. B9 C87E4500 mov ecx,CrackMe#.00457EC8 ; ASCII "Enter a Serial !"
00457C11 |. BA DC7E4500 mov edx,CrackMe#.00457EDC ; ASCII "You must enter a Serial !"
00457C16 |. A1 98A54500 mov eax,dword ptr ds:[45A598]
00457C1B |. 8B00 mov eax,dword ptr ds:[eax]
00457C1D |. E8 0E85FEFF call CrackMe#.00440130
00457C22 |> 33C0 xor eax,eax
00457C24 |. A3 40B84500 mov dword ptr ds:[45B840],eax
00457C29 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
00457C2C |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457C32 |. E8 A9C2FCFF call CrackMe#.00423EE0
00457C37 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00457C3A |. E8 F9BFFAFF call CrackMe#.00403C38
00457C3F |. A3 44B84500 mov dword ptr ds:[45B844],eax
00457C44 |. A1 44B84500 mov eax,dword ptr ds:[45B844]
00457C49 |. E8 82FDFAFF call CrackMe#.004079D0
00457C4E |. 83F8 06 cmp eax,6 ; 用户名大于6位吗?
00457C51 |. 73 1D jnb short CrackMe#.00457C70
00457C53 |. 6A 00 push 0
00457C55 |. B9 F87E4500 mov ecx,CrackMe#.00457EF8 ; ASCII "Name too short !"
00457C5A |. BA 0C7F4500 mov edx,CrackMe#.00457F0C ; ASCII "Your Name must be at least 6 Chars long !"
00457C5F |. A1 98A54500 mov eax,dword ptr ds:[45A598]
00457C64 |. 8B00 mov eax,dword ptr ds:[eax]
00457C66 |. E8 C584FEFF call CrackMe#.00440130
00457C6B |. E9 59010000 jmp CrackMe#.00457DC9
00457C70 |> 8D55 FC lea edx,dword ptr ss:[ebp-4]
00457C73 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457C79 |. E8 62C2FCFF call CrackMe#.00423EE0 ; 取用户名长度
00457C7E |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00457C81 |. BA 01000000 mov edx,1 ; 参数1
00457C86 |. 4A dec edx
00457C87 |. 3B50 FC cmp edx,dword ptr ds:[eax-4]
00457C8A |. 72 05 jb short CrackMe#.00457C91
00457C8C |. E8 F3AEFAFF call CrackMe#.00402B84
00457C91 |> 42 inc edx
00457C92 |. 0FB64410 FF movzx eax,byte ptr ds:[eax+edx-1] ; 用户名第1位ascii送到eax
00457C97 |. 6BF0 02 imul esi,eax,2 ; eax×2送到esi
00457C9A |. 71 05 jno short CrackMe#.00457CA1
00457C9C |. E8 EBAEFAFF call CrackMe#.00402B8C
00457CA1 |> 8D55 F8 lea edx,dword ptr ss:[ebp-8]
00457CA4 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457CAA |. E8 31C2FCFF call CrackMe#.00423EE0
00457CAF |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]
00457CB2 |. BA 02000000 mov edx,2 ; 参数2
00457CB7 |. 4A dec edx
00457CB8 |. 3B50 FC cmp edx,dword ptr ds:[eax-4]
00457CBB |. 72 05 jb short CrackMe#.00457CC2
00457CBD |. E8 C2AEFAFF call CrackMe#.00402B84
00457CC2 |> 42 inc edx
00457CC3 |. 0FB64410 FF movzx eax,byte ptr ds:[eax+edx-1] ; 用户名第2位ascii送到eax
00457CC8 |. 6BC0 02 imul eax,eax,2 ; eax=eax×2
00457CCB |. 71 05 jno short CrackMe#.00457CD2
00457CCD |. E8 BAAEFAFF call CrackMe#.00402B8C
00457CD2 |> 03F0 add esi,eax ; 和前面的结果相加
00457CD4 |. 71 05 jno short CrackMe#.00457CDB
00457CD6 |. E8 B1AEFAFF call CrackMe#.00402B8C
00457CDB |> 8D55 F4 lea edx,dword ptr ss:[ebp-C]
00457CDE |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457CE4 |. E8 F7C1FCFF call CrackMe#.00423EE0
00457CE9 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00457CEC |. BA 03000000 mov edx,3 ; 参数3
00457CF1 |. 4A dec edx
00457CF2 |. 3B50 FC cmp edx,dword ptr ds:[eax-4]
00457CF5 |. 72 05 jb short CrackMe#.00457CFC
00457CF7 |. E8 88AEFAFF call CrackMe#.00402B84
00457CFC |> 42 inc edx
00457CFD |. 0FB64410 FF movzx eax,byte ptr ds:[eax+edx-1] ; 用户名第3位ascii送到eax
00457D02 |. 6BC0 02 imul eax,eax,2 ; eax=eax×2
00457D05 |. 71 05 jno short CrackMe#.00457D0C
00457D07 |. E8 80AEFAFF call CrackMe#.00402B8C
00457D0C |> 03F0 add esi,eax ; 和上面结果相加
00457D0E |. 71 05 jno short CrackMe#.00457D15
00457D10 |. E8 77AEFAFF call CrackMe#.00402B8C
00457D15 |> 8D55 F0 lea edx,dword ptr ss:[ebp-10]
00457D18 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457D1E |. E8 BDC1FCFF call CrackMe#.00423EE0
00457D23 |. 8B45 F0 mov eax,dword ptr ss:[ebp-10]
00457D26 |. BA 04000000 mov edx,4 ; 参数4
00457D2B |. 4A dec edx
00457D2C |. 3B50 FC cmp edx,dword ptr ds:[eax-4]
00457D2F |. 72 05 jb short CrackMe#.00457D36
00457D31 |. E8 4EAEFAFF call CrackMe#.00402B84
00457D36 |> 42 inc edx
00457D37 |. 0FB64410 FF movzx eax,byte ptr ds:[eax+edx-1] ; 用户名第4位ascii送到eax
00457D3C |. 6BC0 02 imul eax,eax,2 ; eax=eax×2
00457D3F |. 71 05 jno short CrackMe#.00457D46
00457D41 |. E8 46AEFAFF call CrackMe#.00402B8C
00457D46 |> 03F0 add esi,eax ; 和上面结果相加
00457D48 |. 71 05 jno short CrackMe#.00457D4F
00457D4A |. E8 3DAEFAFF call CrackMe#.00402B8C
00457D4F |> 8D55 EC lea edx,dword ptr ss:[ebp-14]
00457D52 |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457D58 |. E8 83C1FCFF call CrackMe#.00423EE0
00457D5D |. 8B45 EC mov eax,dword ptr ss:[ebp-14]
00457D60 |. BA 05000000 mov edx,5 ; 参数5
00457D65 |. 4A dec edx
00457D66 |. 3B50 FC cmp edx,dword ptr ds:[eax-4]
00457D69 |. 72 05 jb short CrackMe#.00457D70
00457D6B |. E8 14AEFAFF call CrackMe#.00402B84
00457D70 |> 42 inc edx
00457D71 |. 0FB64410 FF movzx eax,byte ptr ds:[eax+edx-1] ; 用户名第5位ascii送到eax
00457D76 |. 6BC0 02 imul eax,eax,2 ; eax=eax×2
00457D79 |. 71 05 jno short CrackMe#.00457D80
00457D7B |. E8 0CAEFAFF call CrackMe#.00402B8C
00457D80 |> 03F0 add esi,eax ; 和上面结果相加
00457D82 |. 71 05 jno short CrackMe#.00457D89
00457D84 |. E8 03AEFAFF call CrackMe#.00402B8C
00457D89 |> 8D55 E8 lea edx,dword ptr ss:[ebp-18]
00457D8C |. 8B83 D8020000 mov eax,dword ptr ds:[ebx+2D8]
00457D92 |. E8 49C1FCFF call CrackMe#.00423EE0
00457D97 |. 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00457D9A |. BA 06000000 mov edx,6 ; 参数6
00457D9F |. 4A dec edx
00457DA0 |. 3B50 FC cmp edx,dword ptr ds:[eax-4]
00457DA3 |. 72 05 jb short CrackMe#.00457DAA
00457DA5 |. E8 DAADFAFF call CrackMe#.00402B84
00457DAA |> 42 inc edx
00457DAB |. 0FB64410 FF movzx eax,byte ptr ds:[eax+edx-1] ; 用户名第6位ascii送到eax
00457DB0 |. 6BC0 02 imul eax,eax,2 ; eax=eax×2
00457DB3 |. 71 05 jno short CrackMe#.00457DBA
00457DB5 |. E8 D2ADFAFF call CrackMe#.00402B8C
00457DBA |> 03F0 add esi,eax ; 和上面结果相加
00457DBC |. 71 05 jno short CrackMe#.00457DC3
00457DBE |. E8 C9ADFAFF call CrackMe#.00402B8C
00457DC3 |> 8935 40B84500 mov dword ptr ds:[45B840],esi
00457DC9 |> A1 44B84500 mov eax,dword ptr ds:[45B844]
00457DCE |. E8 FDFBFAFF call CrackMe#.004079D0 ; 取用户名位数到eax
00457DD3 |. 6BC0 02 imul eax,eax,2 ; eax=eax×2
00457DD6 |. 73 05 jnb short CrackMe#.00457DDD
00457DD8 |. E8 AFADFAFF call CrackMe#.00402B8C
00457DDD |> 33D2 xor edx,edx
00457DDF |. 52 push edx
00457DE0 |. 50 push eax
00457DE1 |. A1 40B84500 mov eax,dword ptr ds:[45B840]
00457DE6 |. 99 cdq
00457DE7 |. 030424 add eax,dword ptr ss:[esp] ; 和上面累加的和相加
00457DEA |. 135424 04 adc edx,dword ptr ss:[esp+4]
00457DEE |. 71 05 jno short CrackMe#.00457DF5
00457DF0 |. E8 97ADFAFF call CrackMe#.00402B8C
00457DF5 |> 83C4 08 add esp,8
00457DF8 |. 50 push eax
00457DF9 |. C1F8 1F sar eax,1F
00457DFC |. 3BC2 cmp eax,edx
00457DFE |. 58 pop eax
00457DFF |. 74 05 je short CrackMe#.00457E06
00457E01 |. E8 7EADFAFF call CrackMe#.00402B84
00457E06 |> A3 40B84500 mov dword ptr ds:[45B840],eax
00457E0B |. 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
00457E0E |. A1 40B84500 mov eax,dword ptr ds:[45B840]
00457E13 |. E8 2CF9FAFF call CrackMe#.00407744 ; 转换成10进制
00457E18 |. 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00457E1B |. 50 push eax ; 此处见真码
00457E1C |. 8D55 FC lea edx,dword ptr ss:[ebp-4]
00457E1F |. 8B83 DC020000 mov eax,dword ptr ds:[ebx+2DC]
00457E25 |. E8 B6C0FCFF call CrackMe#.00423EE0
00457E2A |. 8B55 FC mov edx,dword ptr ss:[ebp-4]
00457E2D |. 58 pop eax
00457E2E |. E8 51BDFAFF call CrackMe#.00403B84 ; 经典部分
00457E33 |. 75 1A jnz short CrackMe#.00457E4F ; 爆破点
00457E35 |. 6A 00 push 0
00457E37 |. B9 387F4500 mov ecx,CrackMe#.00457F38 ; ASCII "Congratz !"
00457E3C |. BA 447F4500 mov edx,CrackMe#.00457F44 ; ASCII "You cracked the CFF CrackMe #4 ! Please send your solution to acidbytes@gmx.net !"
00457E41 |. A1 98A54500 mov eax,dword ptr ds:[45A598]
00457E46 |. 8B00 mov eax,dword ptr ds:[eax]
00457E48 |. E8 E382FEFF call CrackMe#.00440130
00457E4D |. EB 18 jmp short CrackMe#.00457E67
00457E4F |> 6A 00 push 0
00457E51 |. B9 987F4500 mov ecx,CrackMe#.00457F98 ; ASCII "Serial not valid"
00457E56 |. BA AC7F4500 mov edx,CrackMe#.00457FAC ; ASCII "The Serial you entered is in any case not valid !"
00457E5B |. A1 98A54500 mov eax,dword ptr ds:[45A598]
00457E60 |. 8B00 mov eax,dword ptr ds:[eax]
00457E62 |. E8 C982FEFF call CrackMe#.00440130
00457E67 |> 33C0 xor eax,eax
00457E69 |. 5A pop edx
00457E6A |. 59 pop ecx
00457E6B |. 59 pop ecx
00457E6C |. 64:8910 mov dword ptr fs:[eax],edx
00457E6F |. 68 917E4500 push CrackMe#.00457E91
00457E74 |> 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00457E77 |. E8 7CB9FAFF call CrackMe#.004037F8
00457E7C |. 8D45 E8 lea eax,dword ptr ss:[ebp-18]
00457E7F |. BA 06000000 mov edx,6
00457E84 |. E8 93B9FAFF call CrackMe#.0040381C
00457E89 \. C3 retn
算法总结:
用户名前6位(逐位的ascii×2)的和,然后加上(用户名位数×2)
转换成10进制就ok~
VB注册机:
Dim name, code, sum
name = Text1.Text
If Len(name) > 6 Then
For i = 1 To 6
sum = sum + Asc(Mid(name, i, 1)) * 2
Next
code = sum + Len(name) * 2
Text2.Text = code
Else
MsgBox "Your Name must be at least 6 chars long!"
End If |
|
IP卡
发表于 2005-8-24 10:34:16
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2005-8-25 17:07:14
发表于 2005-9-2 13:17:49
发表于 2005-9-18 10:20:39
发表于 2005-10-4 18:10:30
发表于 2006-5-5 20:50:25