- UID
- 14878
注册时间2006-6-4
阅读权限30
最后登录1970-1-1
龙战于野
该用户从未签到
|
发一篇破文,证明自已还活着~~~
【文章标题】: 寒湖鹤影_CrackMe No.7算法分析(附注算机源码)
【文章作者】: 黑夜彩虹
【软件名称】: 寒湖鹤影_CrackMe No.7.exe
【下载地址】: https://www.chinapyg.com/viewthr ... &extra=page%3D2
【作者声明】: 失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
1、很少写算法分析,有些不知所云.见谅.^-^
2、此CM加了壳---ASPack 2.12 ESP定律脱之(略)
3、此CM是 Microsoft Visual Basic 5.0 / 6.0 编写的
4、下断 bp __vbaStrComp
00407F4F 50 push eax
00407F50 FF51 20 call dword ptr ds:[ecx+20] ; 取硬件ID
00407F53 3BC7 cmp eax,edi ; 2操作数相减,进行比较
00407F55 DBE2 fclex
00407F57 7D 15 jge short 14B0.00407F6E ; 跳至 00407f7e
00407F59 8B8D 60FFFFFF mov ecx,dword ptr ss:[ebp-A0]
00407F5F 6A 20 push 20
00407F61 68 38774000 push 14B0.00407738
00407F66 51 push ecx
00407F67 50 push eax
00407F68 FF15 4C104000 call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaHresultCheckObj
00407F6E 8B85 58FFFFFF mov eax,dword ptr ss:[ebp-A8] ; ss:[ebp-A8]移入eax
00407F74 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC] ; ss:[ebp-BC]传送edx
00407F7A 8D4D 84 lea ecx,dword ptr ss:[ebp-7C] ; ss:[ebp-7C]传送ecx
00407F7D 89BD 58FFFFFF mov dword ptr ss:[ebp-A8],edi ; ss:[0012F460]=0016F7E4 IC25N040ATMR04-0
00407F83 8985 4CFFFFFF mov dword ptr ss:[ebp-B4],eax ; eax移ss:[ebp-B4]
00407F89 C785 44FFFFFF >mov dword ptr ss:[ebp-BC],8 ; ss:[ebp-Bc]=8
00407F93 FFD6 call esi
00407F95 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-A4] ; ss:[ebp-A4]传ecx
00407F9B FF15 70114000 call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaFreeStr
00407FA1 8B35 F4104000 mov esi,dword ptr ds:[<&msvbvm60._>; msvbvm60.__vbaVarCat
00407FA7 8D95 44FEFFFF lea edx,dword ptr ss:[ebp-1BC] ; ss:[ebp-1BC]入edx
00407FAD 8D45 84 lea eax,dword ptr ss:[ebp-7C]
00407FB0 52 push edx ; 压栈
00407FB1 8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-BC]
00407FB7 50 push eax
00407FB8 51 push ecx
00407FB9 C785 4CFEFFFF >mov dword ptr ss:[ebp-1B4],14B0.00>
00407FC3 C785 44FEFFFF >mov dword ptr ss:[ebp-1BC],8
00407FCD FFD6 call esi
00407FCF 50 push eax
00407FD0 FF15 1C104000 call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaStrVarMove
00407FD6 8BD0 mov edx,eax ; eax=0016A50C, (UNICODE "IC25N040ATMR04-0")
00407FD8 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-A4] ; ecx=0
00407FDE FF15 58114000 call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaStrMove
00407FE4 8D95 5CFFFFFF lea edx,dword ptr ss:[ebp-A4] ; ss:[ebp-A4]传edx = IC25N040ATMR04-0
00407FEA 52 push edx ; 入栈
00407FEB E8 100B0000 call 14B0.00408B00 ; md5算法
00407FF0 8D95 34FFFFFF lea edx,dword ptr ss:[ebp-CC] ; ss:[ebp-CC]入edx
00407FF6 8D4D B8 lea ecx,dword ptr ss:[ebp-48] ; ecx=ss:[ebp-48]
00407FF9 8985 3CFFFFFF mov dword ptr ss:[ebp-C4],eax ; eax=725D829A7B70514430E40320F795B2DC
00407FFF C785 34FFFFFF >mov dword ptr ss:[ebp-CC],8
00408009 FF15 10104000 call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaVarMove
0040800F 8D8D 5CFFFFFF lea ecx,dword ptr ss:[ebp-A4]
00408015 FF15 70114000 call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaFreeStr
0040801B 8D8D 44FFFFFF lea ecx,dword ptr ss:[ebp-BC]
00408021 FF15 18104000 call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaFreeVar
00408027 8D85 74FFFFFF lea eax,dword ptr ss:[ebp-8C]
0040802D 8D8D 44FEFFFF lea ecx,dword ptr ss:[ebp-1BC]
00408033 50 push eax
00408034 51 push ecx
00408035 C785 4CFEFFFF >mov dword ptr ss:[ebp-1B4],6
0040803F C785 44FEFFFF >mov dword ptr ss:[ebp-1BC],8002
00408049 FF15 50114000 call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaVarTstGe
0040804F 66:85C0 test ax,ax
00408052 0F84 1C030000 je 14B0.00408374
00408058 8D95 44FFFFFF lea edx,dword ptr ss:[ebp-BC]
0040805E 8D45 B8 lea eax,dword ptr ss:[ebp-48]
00408061 52 push edx
00408062 6A 1B push 1B
00408064 8D8D 34FFFFFF lea ecx,dword ptr ss:[ebp-CC]
0040806A 50 push eax
0040806B 51 push ecx
0040806C C785 4CFFFFFF >mov dword ptr ss:[ebp-B4],6 ; 堆栈 ss:[0012F454]=0016A50C, (UNICODE "IC25N040ATMR04-0")
00408076 C785 44FFFFFF >mov dword ptr ss:[ebp-BC],2
00408080 FF15 74104000 call dword ptr ds:[<&msvbvm60.rtcM>; msvbvm60.rtcMidCharVar
00408086 8D95 34FFFFFF lea edx,dword ptr ss:[ebp-CC]
0040808C 8D85 24FFFFFF lea eax,dword ptr ss:[ebp-DC]
00408092 52 push edx
00408093 50 push eax
00408094 FF15 38104000 call dword ptr ds:[<&msvbvm60.rtcL>; msvbvm60.rtcLowerCaseVar
0040809A B8 02000000 mov eax,2
0040809F 8D8D E4FEFFFF lea ecx,dword ptr ss:[ebp-11C]
004080A5 8985 E4FEFFFF mov dword ptr ss:[ebp-11C],eax
004080AB 8985 24FEFFFF mov dword ptr ss:[ebp-1DC],eax
004080B1 8D55 B8 lea edx,dword ptr ss:[ebp-48]
004080B4 51 push ecx
004080B5 8D85 04FFFFFF lea eax,dword ptr ss:[ebp-FC]
004080BB 52 push edx
004080BC 50 push eax
004080BD C785 3CFEFFFF >mov dword ptr ss:[ebp-1C4],14B0.00>; 连接符:-
..................................略N行................................
0004081A7 50 push eax
004081A8 8D8D B4FEFFFF lea ecx,dword ptr ss:[ebp-14C] ; ecx=ss:[ebp-14c]
004081AE 51 push ecx ; 入栈
004081AF FFD6 call esi
004081B1 50 push eax
004081B2 8D55 CC lea edx,dword ptr ss:[ebp-34]
004081B5 8D85 A4FEFFFF lea eax,dword ptr ss:[ebp-15C]
004081BB 52 push edx
004081BC 50 push eax
004081BD FFD6 call esi
004081BF 8D8D F4FDFFFF lea ecx,dword ptr ss:[ebp-20C]
004081C5 50 push eax
004081C6 8D95 94FEFFFF lea edx,dword ptr ss:[ebp-16C]
004081CC 51 push ecx
004081CD 52 push edx
004081CE FFD6 call esi
004081D0 50 push eax
004081D1 8D85 64FEFFFF lea eax,dword ptr ss:[ebp-19C] ; eax=ss:[ebp-19c]
004081D7 8D8D 54FEFFFF lea ecx,dword ptr ss:[ebp-1AC]
004081DD 50 push eax
004081DE 51 push ecx
004081DF FFD6 call esi
004081E1 50 push eax
004081E2 FF15 1C104000 call dword ptr ds:[<&msvbvm60.__vb>; F7跟进
004081E8 8BD0 mov edx,eax ; eax=0016A50C, (UNICODE "95b2dc-795B-joe-lu-a7b70514")
004081EA 8D4D 94 lea ecx,dword ptr ss:[ebp-6C]
004081ED FF15 58114000 call dword ptr ds:[<&msvbvm60.__vb>; msvbvm60.__vbaStrMove
===================================算法======================================
6A2A540D msvbvm60> 56 push esi ; 压栈
6A2A540E 8B7424 08 mov esi,dword ptr ss:[esp+8] ; ss:[esp+8]入esi
6A2A5412 66:833E 08 cmp word ptr ds:[esi],8 ; 两数进行相减,进行比较
6A2A5416 0F85 FF140200 jnz msvbvm60.6A2C691B
6A2A541C 66:8326 00 and word ptr ds:[esi],0 ; 逻辑与运算
6A2A5420 8B46 08 mov eax,dword ptr ds:[esi+8] ; 堆栈 ds:[0012F364]=0016A50C, (UNICODE "95b2dc-795B-joe-lu-a7b70514")
6A2A5423 5E pop esi ; msvbvm60.__vbaVarCat
6A2A5424 C2 0400 retn 4
==================================================================================
算法总结:
1、取硬件ID=IC25N040ATMR04-0 设为 CodeA
2、硬件ID(IC25N040ATMR04-0)MD5加密=725D829A7B70514430E40320F795B2DC 设为 CodeB
3、重新分解CodeB= 95B2DC(code1) + 795B(code2) +用户名+a7b70514(code3)
注册机:
procedure TForm1.Button1Click(Sender: TObject);
var code1,code2,code3:string;
begin
if length(Edit_Name.Text)>5 then
begin
code1:=RightStr(MD5Print(MD5String(Edit_ID.text)),6);
Code2:=RightStr(MD5Print(MD5String(Edit_ID.text)),7);
Code2:=LeftStr(code2,4);
Code3:=copy(MD5Print(MD5String(Edit_ID.text)),7,9);
Edit_No.Text:=(code1+'-'+code2+'-'+Edit_Name.Text+'-'+code3);
end;
end; |
|
IP卡
发表于 2006-10-13 20:05:02
提升卡
置顶卡
变色卡
千斤顶
显身卡
发表于 2006-10-13 22:07:54
发表于 2006-10-14 19:34:38
楼主