【Title】hoy0a1 CrackMe 2 algorithm analysis
【Author】hrbx
【Date】2011-10-15
【Software】Zhoy0a1 CrackMe 2
【Download】https://www.chinapyg.com/viewthr ... &extra=page%3D1
-----------------------------------------------------------------------------------------------
【Statement】I am just a little newbie who picked up a few insights and would like to share them with everyone :)
-----------------------------------------------------------------------------------------------
【Process】
1. Check for a packer. Scanning with PEiD reports: Dev-C++ 4.9.9.2 -> Bloodshed Software [overlay]; the binary is not packed.
2. Trial run. Enter an ID and an SN; the program reports the error "Wrong! Try again..."
3. Algorithm analysis. Load the binary in OllyDbg, use Ultra String Reference -> Find ASCII, and the following address is found:
======================================================================================================
Address Disassembly Text String
004015F5 > \C74424 04 4D4>mov dword ptr [esp+4], 0044404D ; \t\t\twrong! try again...\n\n
======================================================================================================
Double-click to land here:
004015F5 > \C74424 04 4D4>mov dword ptr [esp+4], 0044404D ; \t\t\twrong! try again...\n\n
Trace upward to 00401390 and set a breakpoint with F2.
00401390 $ 55 push ebp ; F2 breakpoint
Press Ctrl+F2 to restart and enter the registration information:
======================================
ID:6543210
SN:987654321
======================================
Press Enter and the program breaks immediately:
00401390 $ 55 push ebp ; F2 breakpoint
00401391 . 89E5 mov ebp, esp
00401393 . 57 push edi
00401394 . 56 push esi
00401395 . 53 push ebx
00401396 . 81EC 8C010000 sub esp, 18C
0040139C . 83E4 F0 and esp, FFFFFFF0
0040139F . B8 00000000 mov eax, 0
004013A4 . 83C0 0F add eax, 0F
004013A7 . 83C0 0F add eax, 0F
004013AA . C1E8 04 shr eax, 4
004013AD . C1E0 04 shl eax, 4
004013B0 . 8985 84FEFFFF mov dword ptr [ebp-17C], eax
004013B6 . 8B85 84FEFFFF mov eax, dword ptr [ebp-17C]
004013BC . E8 0FCE0000 call 0040E1D0
004013C1 . C785 CCFEFFFF 801E4000 mov dword ptr [ebp-134], 00401E80
004013CB . C785 D0FEFFFF 20174400 mov dword ptr [ebp-130], 00441720
004013D5 . 8D85 D4FEFFFF lea eax, dword ptr [ebp-12C]
004013DB . 8D55 E8 lea edx, dword ptr [ebp-18]
004013DE . 8910 mov dword ptr [eax], edx
004013E0 . BA 47154000 mov edx, 00401547
004013E5 . 8950 04 mov dword ptr [eax+4], edx
004013E8 . 8960 08 mov dword ptr [eax+8], esp
004013EB . 8D85 B4FEFFFF lea eax, dword ptr [ebp-14C]
004013F1 . 890424 mov dword ptr [esp], eax
004013F4 . E8 87C30000 call 0040D780
004013F9 . E8 B2BE0000 call 0040D2B0
004013FE . 8D45 D8 lea eax, dword ptr [ebp-28]
00401401 . 890424 mov dword ptr [esp], eax
00401404 . C785 B8FEFFFF FFFFFFFF mov dword ptr [ebp-148], -1
0040140E . E8 4DDD0200 call 0042F160
00401413 . 8D45 C8 lea eax, dword ptr [ebp-38]
00401416 . 890424 mov dword ptr [esp], eax
00401419 . C785 B8FEFFFF 04000000 mov dword ptr [ebp-148], 4
00401423 . E8 38DD0200 call 0042F160
00401428 . C74424 04 08000000 mov dword ptr [esp+4], 8
00401430 . C70424 10000000 mov dword ptr [esp], 10
00401437 . E8 BCF10300 call 004405F8
0040143C . 894424 04 mov dword ptr [esp+4], eax
00401440 . 8D85 08FFFFFF lea eax, dword ptr [ebp-F8]
00401446 . 890424 mov dword ptr [esp], eax
00401449 . C785 B8FEFFFF 03000000 mov dword ptr [ebp-148], 3
00401453 . E8 588F0300 call 0043A3B0
00401458 > C74424 04 00404400 mov dword ptr [esp+4], 00444000 ; \t\t\tplease input your id:
00401460 . C70424 C0734400 mov dword ptr [esp], 004473C0
00401467 . C785 B8FEFFFF 02000000 mov dword ptr [ebp-148], 2
00401471 . E8 B2E70300 call 0043FC28
00401476 . 8D45 D8 lea eax, dword ptr [ebp-28]
00401479 . 894424 04 mov dword ptr [esp+4], eax
0040147D . C70424 60744400 mov dword ptr [esp], 00447460
00401484 . E8 2BFB0300 call 00440FB4
00401489 . 8D45 D8 lea eax, dword ptr [ebp-28]
0040148C . 890424 mov dword ptr [esp], eax ; EAX holds the address of the ID
0040148F . E8 6C100100 call 00412500 ; \ get the ID length
00401494 . 83F8 05 cmp eax, 5 ; |compare the ID length with 5
00401497 . 0F86 7B010000 jbe 00401618 ; |5 or fewer characters -> Over
0040149D . 8D45 D8 lea eax, dword ptr [ebp-28] ; |
004014A0 . 890424 mov dword ptr [esp], eax ; |EAX holds the address of the ID
004014A3 . E8 58100100 call 00412500 ; |get the ID length
004014A8 . 83F8 09 cmp eax, 9 ; |compare the ID length with 9
004014AB . 0F87 67010000 ja 00401618 ; / more than 9 characters -> Over
004014B1 . 8D45 D8 lea eax, dword ptr [ebp-28] ; the ID must be 6-9 characters long
004014B4 . 894424 04 mov dword ptr [esp+4], eax
004014B8 . 8D85 08FFFFFF lea eax, dword ptr [ebp-F8]
004014BE . 83C0 08 add eax, 8
004014C1 . 890424 mov dword ptr [esp], eax
004014C4 . E8 BFEE0300 call 00440388
004014C9 . 8D85 04FFFFFF lea eax, dword ptr [ebp-FC]
004014CF . 894424 04 mov dword ptr [esp+4], eax
004014D3 . 8D85 08FFFFFF lea eax, dword ptr [ebp-F8]
004014D9 . 890424 mov dword ptr [esp], eax
004014DC . E8 2F7B0200 call 00429010
004014E1 . C74424 04 19404400 mov dword ptr [esp+4], 00444019 ; \t\t\tplease input your sn:
004014E9 . C70424 C0734400 mov dword ptr [esp], 004473C0
004014F0 . E8 33E70300 call 0043FC28
004014F5 . 8D45 C8 lea eax, dword ptr [ebp-38]
004014F8 . 894424 04 mov dword ptr [esp+4], eax
004014FC . C70424 60744400 mov dword ptr [esp], 00447460
00401503 . E8 ACFA0300 call 00440FB4
00401508 . 8D45 C8 lea eax, dword ptr [ebp-38]
0040150B . 894424 04 mov dword ptr [esp+4], eax
0040150F . 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
00401515 . 890424 mov dword ptr [esp], eax
00401518 . E8 93D90200 call 0042EEB0
0040151D . 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
00401523 . 894424 04 mov dword ptr [esp+4], eax
00401527 . 8B85 04FFFFFF mov eax, dword ptr [ebp-FC]
0040152D . 890424 mov dword ptr [esp], eax ; EAX=0x63D76A (6543210 decimal)
00401530 . C785 B8FEFFFF 01000000 mov dword ptr [ebp-148], 1
0040153A . E8 21020000 call 00401760 ; key CALL, press F7 to step into it
0040153F . 8985 ACFEFFFF mov dword ptr [ebp-154], eax ; the CALL compares the real and entered codes; when they match it returns EAX=0x10, which is stored in [ebp-154]
00401545 . EB 77 jmp short 004015BE
00401547 . 8D6D 18 lea ebp, dword ptr [ebp+18]
0040154A . 8B85 B8FEFFFF mov eax, dword ptr [ebp-148]
00401550 . 8985 94FEFFFF mov dword ptr [ebp-16C], eax
00401556 . 8B95 BCFEFFFF mov edx, dword ptr [ebp-144]
0040155C . 8995 A4FEFFFF mov dword ptr [ebp-15C], edx
00401562 . 83BD 94FEFFFF 01 cmp dword ptr [ebp-16C], 1
00401569 . 0F84 33010000 je 004016A2
0040156F . 83BD 94FEFFFF 02 cmp dword ptr [ebp-16C], 2
00401576 . 0F84 56010000 je 004016D2
0040157C . 83BD 94FEFFFF 03 cmp dword ptr [ebp-16C], 3
00401583 . 0F84 76010000 je 004016FF
00401589 . 8B85 A4FEFFFF mov eax, dword ptr [ebp-15C]
0040158F . 8985 A8FEFFFF mov dword ptr [ebp-158], eax
00401595 . 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
0040159B . 890424 mov dword ptr [esp], eax
0040159E . C785 B8FEFFFF 00000000 mov dword ptr [ebp-148], 0
004015A8 . E8 73E00200 call 0042F620
004015AD . 8B95 A8FEFFFF mov edx, dword ptr [ebp-158]
004015B3 . 8995 A4FEFFFF mov dword ptr [ebp-15C], edx
004015B9 . E9 E4000000 jmp 004016A2
004015BE > 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
004015C4 . 890424 mov dword ptr [esp], eax
004015C7 . C785 B8FEFFFF 02000000 mov dword ptr [ebp-148], 2
004015D1 . E8 4AE00200 call 0042F620
004015D6 . 83BD ACFEFFFF 10 cmp dword ptr [ebp-154], 10 ; check whether [ebp-154] holds 0x10
004015DD . 75 16 jnz short 004015F5 ; if not, Over; patch point (nop)
004015DF . C74424 04 32404400 mov dword ptr [esp+4], 00444032 ; success message "very well! you win..."
004015E7 . C70424 C0734400 mov dword ptr [esp], 004473C0
004015EE . E8 35E60300 call 0043FC28
004015F3 . EB 46 jmp short 0040163B
004015F5 > C74424 04 4D404400 mov dword ptr [esp+4], 0044404D ; failure message "wrong! try again..."
004015FD . C70424 C0734400 mov dword ptr [esp], 004473C0
00401604 . C785 B8FEFFFF 02000000 mov dword ptr [ebp-148], 2
0040160E . E8 15E60300 call 0043FC28
00401613 .^ E9 40FEFFFF jmp 00401458
00401618 > C74424 04 68404400 mov dword ptr [esp+4], 00444068 ; ID length range message "please input id in 100000 and 999999999 between!"
00401620 . C70424 C0734400 mov dword ptr [esp], 004473C0
00401627 . C785 B8FEFFFF 02000000 mov dword ptr [ebp-148], 2
00401631 . E8 F2E50300 call 0043FC28
00401636 .^ E9 1DFEFFFF jmp 00401458
0040163B > C70424 9E404400 mov dword ptr [esp], 0044409E ; |pause
00401642 . C785 B8FEFFFF 02000000 mov dword ptr [ebp-148], 2 ; |
0040164C . E8 0FF60000 call <jmp.&msvcrt.system> ; \system
00401651 . 8D85 08FFFFFF lea eax, dword ptr [ebp-F8]
00401657 . 890424 mov dword ptr [esp], eax
0040165A . C785 B8FEFFFF 03000000 mov dword ptr [ebp-148], 3
00401664 . E8 F7930300 call 0043AA60
00401669 . 8D45 C8 lea eax, dword ptr [ebp-38]
0040166C . 890424 mov dword ptr [esp], eax
0040166F . C785 B8FEFFFF 04000000 mov dword ptr [ebp-148], 4
00401679 . E8 A2DF0200 call 0042F620
0040167E . 8D45 D8 lea eax, dword ptr [ebp-28]
00401681 . 890424 mov dword ptr [esp], eax
00401684 . C785 B8FEFFFF FFFFFFFF mov dword ptr [ebp-148], -1
0040168E . E8 8DDF0200 call 0042F620
00401693 . C785 B0FEFFFF 00000000 mov dword ptr [ebp-150], 0
0040169D . E9 A2000000 jmp 00401744
004016A2 > 8B85 A4FEFFFF mov eax, dword ptr [ebp-15C]
004016A8 . 8985 A0FEFFFF mov dword ptr [ebp-160], eax
004016AE . 8D85 08FFFFFF lea eax, dword ptr [ebp-F8]
004016B4 . 890424 mov dword ptr [esp], eax
004016B7 . C785 B8FEFFFF 00000000 mov dword ptr [ebp-148], 0
004016C1 . E8 9A930300 call 0043AA60
004016C6 . 8B95 A0FEFFFF mov edx, dword ptr [ebp-160]
004016CC . 8995 A4FEFFFF mov dword ptr [ebp-15C], edx
004016D2 > 8B85 A4FEFFFF mov eax, dword ptr [ebp-15C]
004016D8 . 8985 9CFEFFFF mov dword ptr [ebp-164], eax
004016DE . 8D45 C8 lea eax, dword ptr [ebp-38]
004016E1 . 890424 mov dword ptr [esp], eax
004016E4 . C785 B8FEFFFF 00000000 mov dword ptr [ebp-148], 0
004016EE . E8 2DDF0200 call 0042F620
004016F3 . 8B95 9CFEFFFF mov edx, dword ptr [ebp-164]
004016F9 . 8995 A4FEFFFF mov dword ptr [ebp-15C], edx
004016FF > 8B85 A4FEFFFF mov eax, dword ptr [ebp-15C]
00401705 . 8985 98FEFFFF mov dword ptr [ebp-168], eax
0040170B . 8D45 D8 lea eax, dword ptr [ebp-28]
0040170E . 890424 mov dword ptr [esp], eax
00401711 . C785 B8FEFFFF 00000000 mov dword ptr [ebp-148], 0
0040171B . E8 00DF0200 call 0042F620
00401720 . 8B95 98FEFFFF mov edx, dword ptr [ebp-168]
00401726 . 8995 A4FEFFFF mov dword ptr [ebp-15C], edx
0040172C . 8B85 A4FEFFFF mov eax, dword ptr [ebp-15C]
00401732 . 890424 mov dword ptr [esp], eax
00401735 . C785 B8FEFFFF FFFFFFFF mov dword ptr [ebp-148], -1
0040173F . E8 FCC60000 call 0040DE40
00401744 > 8D85 B4FEFFFF lea eax, dword ptr [ebp-14C]
0040174A . 890424 mov dword ptr [esp], eax
0040174D . E8 0EC10000 call 0040D860
00401752 . 8B85 B0FEFFFF mov eax, dword ptr [ebp-150]
00401758 . 8D65 F4 lea esp, dword ptr [ebp-C]
0040175B . 5B pop ebx
0040175C . 5E pop esi
0040175D . 5F pop edi
0040175E . 5D pop ebp
0040175F . C3 retn
Press F7 to step into the key CALL at 0040153A, which leads here:
00401760 $ 55 push ebp ; algorithm CALL
00401761 . 89E5 mov ebp, esp
00401763 . 57 push edi
00401764 . 56 push esi
00401765 . 53 push ebx
00401766 . 81EC 4C050000 sub esp, 54C
0040176C . C785 ECFAFFFF 801E4000 mov dword ptr [ebp-514], 00401E80
00401776 . C785 F0FAFFFF 2C174400 mov dword ptr [ebp-510], 0044172C
00401780 . 8D85 F4FAFFFF lea eax, dword ptr [ebp-50C]
00401786 . 8D55 E8 lea edx, dword ptr [ebp-18]
00401789 . 8910 mov dword ptr [eax], edx
0040178B . BA BC184000 mov edx, 004018BC
00401790 . 8950 04 mov dword ptr [eax+4], edx
00401793 . 8960 08 mov dword ptr [eax+8], esp
00401796 . 8D85 D4FAFFFF lea eax, dword ptr [ebp-52C]
0040179C . 890424 mov dword ptr [esp], eax
0040179F . E8 DCBF0000 call 0040D780
004017A4 . C74424 04 08000000 mov dword ptr [esp+4], 8
004017AC . C70424 10000000 mov dword ptr [esp], 10
004017B3 . E8 40EE0300 call 004405F8
004017B8 . 894424 04 mov dword ptr [esp+4], eax
004017BC . 8D85 28FFFFFF lea eax, dword ptr [ebp-D8]
004017C2 . 890424 mov dword ptr [esp], eax
004017C5 . C785 D8FAFFFF FFFFFFFF mov dword ptr [ebp-528], -1
004017CF . E8 DC8B0300 call 0043A3B0
004017D4 . C785 24FBFFFF 00000000 mov dword ptr [ebp-4DC], 0
004017DE > 837D 08 00 cmp dword ptr [ebp+8], 0 ; compare [ebp+8] with 0; the loop continues while it is greater than 0
004017E2 . 7E 4D jle short 00401831
004017E4 . 8B9D 24FBFFFF mov ebx, dword ptr [ebp-4DC]
004017EA . 8B4D 08 mov ecx, dword ptr [ebp+8] ; ECX=0x63D76A (6543210 decimal), the ID
004017ED . B8 67666666 mov eax, 66666667 ; EAX=0x66666667
004017F2 . F7E9 imul ecx ; EDX:EAX=EAX*ECX=0x66666667*0x63D76A=0x27EFC4003BE7A6
004017F4 . D1FA sar edx, 1 ; the high dword of the product is in EDX: EDX=0027EFC4, then EDX=EDX sar 1=0013F7E2
004017F6 . 89C8 mov eax, ecx ; EAX=ECX=0x63D76A (6543210 decimal)
004017F8 . C1F8 1F sar eax, 1F ; EAX=EAX sar 1F=0
004017FB . 29C2 sub edx, eax ; EDX=EDX-EAX=0013F7E2
004017FD . 89D0 mov eax, edx ; EAX=EDX=0013F7E2
004017FF . C1E0 02 shl eax, 2 ; EAX=EAX shl 2=004FDF88
00401802 . 01D0 add eax, edx ; EAX=EAX+EDX=0063D76A
00401804 . 29C1 sub ecx, eax ; ECX=ECX-EAX
00401806 . 89C8 mov eax, ecx ; EAX=ECX=0
00401808 . 89849D 28FBFFFF mov dword ptr [ebp+ebx*4-4D8], eax ; each iteration's result is stored at [ebp+ebx*4-4D8]
0040180F . 8B4D 08 mov ecx, dword ptr [ebp+8] ; ECX=0x63D76A (6543210 decimal), the ID
00401812 . B8 67666666 mov eax, 66666667 ; EAX=0x66666667
00401817 . F7E9 imul ecx ; EAX=EAX*ECX=0x66666667*0x63D76A=27EFC4003BE7A6
00401819 . D1FA sar edx, 1 ; EDX=0027EFC4,EAX=003BE7A6,EDX=EDX sar 1=0013F7E2
0040181B . 89C8 mov eax, ecx ; EAX=ECX=0x63D76A (6543210 decimal)
0040181D . C1F8 1F sar eax, 1F ; EAX=EAX sar 1F=0
00401820 . 29C2 sub edx, eax ; EDX=EDX-EAX=0013F7E2
00401822 . 89D0 mov eax, edx ; EAX=EDX=0013F7E2
00401824 . 8945 08 mov dword ptr [ebp+8], eax ; EAX is stored back to [ebp+8] as the operand for the next iteration
00401827 . 8D85 24FBFFFF lea eax, dword ptr [ebp-4DC]
0040182D . FF00 inc dword ptr [eax]
0040182F .^ EB AD jmp short 004017DE
00401831 > 83BD 24FBFFFF 00 cmp dword ptr [ebp-4DC], 0
00401838 . 7E 36 jle short 00401870
0040183A . 8B85 24FBFFFF mov eax, dword ptr [ebp-4DC] ; EAX=0xA, the number of iterations of the loop above, i.e. the length of the serial
00401840 . 8B8485 24FBFFFF mov eax, dword ptr [ebp+eax*4-4DC] ; read from [ebp+eax*4-4DC], i.e. fetch the results stored at 401808 in reverse order
00401847 . 894424 04 mov dword ptr [esp+4], eax ; 3133340320
0040184B . 8D85 28FFFFFF lea eax, dword ptr [ebp-D8]
00401851 . 83C0 08 add eax, 8
00401854 . 890424 mov dword ptr [esp], eax
00401857 . C785 D8FAFFFF 02000000 mov dword ptr [ebp-528], 2
00401861 . E8 AAA00200 call 0042B910
00401866 . 8D85 24FBFFFF lea eax, dword ptr [ebp-4DC]
0040186C . FF08 dec dword ptr [eax]
0040186E .^ EB C1 jmp short 00401831
00401870 > 8D95 08FBFFFF lea edx, dword ptr [ebp-4F8]
00401876 . 8D85 28FFFFFF lea eax, dword ptr [ebp-D8]
0040187C . 894424 04 mov dword ptr [esp+4], eax
00401880 . 891424 mov dword ptr [esp], edx
00401883 . C785 D8FAFFFF 02000000 mov dword ptr [ebp-528], 2
0040188D . E8 7E210100 call 00413A10 ; real code "3133340320"
00401892 . 83EC 04 sub esp, 4
00401895 . 8D85 08FBFFFF lea eax, dword ptr [ebp-4F8]
0040189B . 894424 04 mov dword ptr [esp+4], eax
0040189F . 8B45 0C mov eax, dword ptr [ebp+C]
004018A2 . 890424 mov dword ptr [esp], eax ; D EAX: entered code "9876543210"
004018A5 . C785 D8FAFFFF 01000000 mov dword ptr [ebp-528], 1
004018AF . E8 34E30300 call 0043FBE8 ; compare the real and entered codes; AL=1 if they match, otherwise AL=0
004018B4 . 8885 CFFAFFFF mov byte ptr [ebp-531], al ; AL is stored to [ebp-531]
004018BA . EB 50 jmp short 0040190C
004018BC . 8D6D 18 lea ebp, dword ptr [ebp+18]
004018BF . 8B85 D8FAFFFF mov eax, dword ptr [ebp-528]
004018C5 . 8B95 DCFAFFFF mov edx, dword ptr [ebp-524]
004018CB . 8995 C4FAFFFF mov dword ptr [ebp-53C], edx
004018D1 . 83F8 01 cmp eax, 1
004018D4 . 0F84 9B000000 je 00401975
004018DA . 8B85 C4FAFFFF mov eax, dword ptr [ebp-53C]
004018E0 . 8985 C8FAFFFF mov dword ptr [ebp-538], eax
004018E6 . 8D85 08FBFFFF lea eax, dword ptr [ebp-4F8]
004018EC . 890424 mov dword ptr [esp], eax
004018EF . C785 D8FAFFFF 00000000 mov dword ptr [ebp-528], 0
004018F9 . E8 22DD0200 call 0042F620
004018FE . 8B95 C8FAFFFF mov edx, dword ptr [ebp-538]
00401904 . 8995 C4FAFFFF mov dword ptr [ebp-53C], edx
0040190A . EB 69 jmp short 00401975
0040190C > 8D85 08FBFFFF lea eax, dword ptr [ebp-4F8]
00401912 . 890424 mov dword ptr [esp], eax
00401915 . C785 D8FAFFFF 02000000 mov dword ptr [ebp-528], 2
0040191F . E8 FCDC0200 call 0042F620
00401924 . 80BD CFFAFFFF 00 cmp byte ptr [ebp-531], 0 ; compare the byte at [ebp-531] with 0
0040192B . 74 24 je short 00401951 ; if equal, Over
0040192D . 8D85 28FFFFFF lea eax, dword ptr [ebp-D8]
00401933 . 890424 mov dword ptr [esp], eax
00401936 . C785 D8FAFFFF FFFFFFFF mov dword ptr [ebp-528], -1
00401940 . E8 1B910300 call 0043AA60
00401945 . C785 D0FAFFFF 10000000 mov dword ptr [ebp-530], 10 ; otherwise store 0x10 at [ebp-530]
0040194F . EB 6C jmp short 004019BD
00401951 > 8D85 28FFFFFF lea eax, dword ptr [ebp-D8]
00401957 . 890424 mov dword ptr [esp], eax
0040195A . C785 D8FAFFFF FFFFFFFF mov dword ptr [ebp-528], -1
00401964 . E8 F7900300 call 0043AA60
00401969 . C785 D0FAFFFF 08000000 mov dword ptr [ebp-530], 8
00401973 . EB 48 jmp short 004019BD
00401975 > 8B85 C4FAFFFF mov eax, dword ptr [ebp-53C]
0040197B . 8985 C0FAFFFF mov dword ptr [ebp-540], eax
00401981 . 8D85 28FFFFFF lea eax, dword ptr [ebp-D8]
00401987 . 890424 mov dword ptr [esp], eax
0040198A . C785 D8FAFFFF 00000000 mov dword ptr [ebp-528], 0
00401994 . E8 C7900300 call 0043AA60
00401999 . 8B95 C0FAFFFF mov edx, dword ptr [ebp-540]
0040199F . 8995 C4FAFFFF mov dword ptr [ebp-53C], edx
004019A5 . 8B85 C4FAFFFF mov eax, dword ptr [ebp-53C]
004019AB . 890424 mov dword ptr [esp], eax
004019AE . C785 D8FAFFFF FFFFFFFF mov dword ptr [ebp-528], -1
004019B8 . E8 83C40000 call 0040DE40
004019BD > 8D85 D4FAFFFF lea eax, dword ptr [ebp-52C]
004019C3 . 890424 mov dword ptr [esp], eax
004019C6 . E8 95BE0000 call 0040D860
004019CB . 8B85 D0FAFFFF mov eax, dword ptr [ebp-530] ; the value at [ebp-530] is returned in EAX
004019D1 . 8D65 F4 lea esp, dword ptr [ebp-C]
004019D4 . 5B pop ebx
004019D5 . 5E pop esi
004019D6 . 5F pop edi
004019D7 . 5D pop ebp
004019D8 . C3 retn
-----------------------------------------------------------------------------------------------
【Summary】
1. The registration ID must be 6-9 characters long.
2. Multiply the ID by 0x66666667, take the high dword of the product and shift it right by 1 (sar 1), then apply sar 1F, shl 2, sub and add; the result is stored at [ebp+ebx*4-4D8].
3. In the second step the ID is again multiplied by 0x66666667, the high dword of the product is shifted right by 1 (sar 1), and after sar 1F, shl 2 and sub the result replaces the ID as the operand; step 2 is repeated until the operand becomes 0. (This multiply-and-shift sequence is the compiler's idiom for signed division by 5, so step 2 yields ID mod 5 and step 3 yields ID / 5: the loop extracts the base-5 digits of the ID.)
4. Read the values at [ebp+ebx*4-4D8] in reverse order and concatenate them; the result is the serial.
5. Compare the real and entered codes; if they match, [ebp-154] is set to 0x10.
A working registration pair:
==========================================
ID:6543210
SN:3133340320
==========================================
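To confirm the summary and the pair above, here is an added C example. It is not the crackme's source and not the author's code; the function names are my own. It emulates the exact instruction sequence annotated at 004017ED-00401806, shows that it equals C's `/ 5` and `% 5`, rebuilds the serial with the same two loops, and applies the 6-9 character length gate from 00401494-004014AB.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the crackme's own source. Names are my own. */

/* imul ecx with EAX=0x66666667: 64-bit signed product, EDX = high dword. */
static int32_t high_dword_of_product(int32_t id)
{
    int64_t product = (int64_t)id * (int64_t)0x66666667;
    return (int32_t)(product >> 32);              /* EDX after imul */
}

/* sar edx,1 ; mov eax,ecx ; sar eax,1F ; sub edx,eax  ->  EDX = id / 5
   (assumes an arithmetic right shift for signed ints, as every common
   compiler does; the crackme only ever feeds this positive IDs). */
int32_t idiom_quotient(int32_t id)
{
    int32_t edx = high_dword_of_product(id) >> 1;  /* sar edx, 1 */
    int32_t sign = id >> 31;                        /* sar eax, 1F */
    return edx - sign;                              /* sub edx, eax */
}

/* shl eax,2 ; add eax,edx ; sub ecx,eax  ->  ECX = id - 5*(id/5) = id % 5 */
int32_t idiom_remainder(int32_t id)
{
    int32_t q = idiom_quotient(id);
    return id - ((q << 2) + q);
}

/* Loop at 004017DE: collect remainders while the operand is > 0.
   Loop at 00401831: emit them in reverse order. Returns the serial length. */
size_t serial_from_id(int32_t id, char *out, size_t cap)
{
    int32_t digits[32];                 /* stands in for the array at [ebp-4D8] */
    int n = 0;
    while (id > 0 && n < 32) {          /* cmp [ebp+8],0 ; jle -> exit */
        digits[n++] = idiom_remainder(id);   /* stored at [ebp+ebx*4-4D8] */
        id = idiom_quotient(id);             /* quotient feeds the next pass */
    }
    size_t len = 0;
    while (n > 0 && len + 1 < cap)
        out[len++] = (char)('0' + digits[--n]);  /* [ebp+eax*4-4DC], counting down */
    out[len] = '\0';
    return len;
}

/* Length gate at 00401494-004014AB: jbe 5 rejects, ja 9 rejects -> 6..9 chars. */
int id_length_ok(const char *id_text)
{
    size_t len = strlen(id_text);
    return len > 5 && len <= 9;
}

/* The accept/reject decision at 004018AF and 004015D6 as one predicate. */
int serial_matches(const char *id_text, const char *sn_text)
{
    char expected[64];
    if (!id_length_ok(id_text))
        return 0;
    int32_t id = (int32_t)strtol(id_text, NULL, 10);
    serial_from_id(id, expected, sizeof expected);
    return strcmp(expected, sn_text) == 0;
}

int main(void)
{
    char sn[64];
    serial_from_id(6543210, sn, sizeof sn);
    printf("6543210 / 5 = %d rem %d (idiom) vs %d rem %d (C division)\n",
           idiom_quotient(6543210), idiom_remainder(6543210),
           6543210 / 5, 6543210 % 5);
    printf("serial for ID 6543210: %s\n", sn);  /* the base-5 digits of the ID */
    return 0;
}
```

Running it prints the pair given above, ID 6543210 and SN 3133340320. The serial is a pure function of the public ID with no secret involved, which is why one annotated pass through the algorithm CALL is enough to reproduce it; any real licensing scheme needs a secret the checking code does not contain.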
To patch instead, change the following location:
004015DD jnz short 004015F5 ; jnz=====>Nop
004015DE jnz short 004015F5 ; jnz=====>Nop
or:
0043FBE8 push ebp ; push ebp=====>mov al, 1
0043FBE9 mov ebp, esp ; mov ebp, esp=====>retn
-----------------------------------------------------------------------------------------------
【Copyright】This article is purely a technical exchange; if you repost it, please credit the author and keep the article intact. Thanks!