Registration code: $$$$$$$$$$$$$$$$F
Correct answer. With that many $ signs, in the end they all turn out to be fake.
Originally posted by acafeel on 2007-6-26 00:13:
Finished watching a movie; writing up a little something before bed, getting ready for a new day~
KOL is just small~~ Cool, huh...
Algorithm analysis of CrackMe1.1
004017E0 /$ 51             PUSH ECX
004017E1 |. 53             PUSH EBX
004017E2 |. 8B59 04        MOV EBX,DWORD PTR DS:[ECX+4]
004017E5 |. 33C0           XOR EAX,EAX
004017E7 |. 56             PUSH ESI
004017E8 |. 8941 0C        MOV DWORD PTR DS:[ECX+C],EAX
004017EB |. 8B73 F8        MOV ESI,DWORD PTR DS:[EBX-8]
004017EE |. 4E             DEC ESI
004017EF |. 894424 08      MOV DWORD PTR SS:[ESP+8],EAX
004017F3 |. 78 23          JS SHORT CrackMe.00401818
004017F5 |. 55             PUSH EBP
004017F6 |. 57             PUSH EDI
004017F7 |. 8D3C33         LEA EDI,DWORD PTR DS:[EBX+ESI]
004017FA |> 0FBE2F         /MOVSX EBP,BYTE PTR DS:[EDI]          ; take the ASCII value of the n-th character counting from the END of NAME, call it a
004017FD |. 0FBE1403       |MOVSX EDX,BYTE PTR DS:[EBX+EAX]      ; take the ASCII value of the n-th character counting from the START of NAME, call it b
00401801 |. 45             |INC EBP                              ; a+1
00401802 |. 33EA           |XOR EBP,EDX                          ; (a+1) xor b
00401804 |. 8D5455 00      |LEA EDX,DWORD PTR SS:[EBP+EDX*2]     ; d := ((a+1) xor b) + b*2
00401808 |. 8B69 0C        |MOV EBP,DWORD PTR DS:[ECX+C]
0040180B |. 03EA           |ADD EBP,EDX                          ; c := c + d
0040180D |. 40             |INC EAX
0040180E |. 4F             |DEC EDI
0040180F |. 3BC6           |CMP EAX,ESI
00401811 |. 8969 0C        |MOV DWORD PTR DS:[ECX+C],EBP
00401814 |.^7E E4          \JLE SHORT CrackMe.004017FA
00401816 |. 5F             POP EDI
00401817 |. 5D             POP EBP
00401818 |> 8B7424 10      MOV ESI,DWORD PTR SS:[ESP+10]
0040181C |. 68 40414000    PUSH CrackMe.00404140
00401821 |. 8BCE           MOV ECX,ESI
00401823 |. E8 66030000    CALL <JMP.&MFC42.#537_CString::CString>
00401828 |. 8BC6           MOV EAX,ESI
0040182A |. 5E             POP ESI
0040182B |. 5B             POP EBX
0040182C |. 59             POP ECX
0040182D \. C2 0400        RETN 4
00401830 /$ 51             PUSH ECX
00401831 |. 56             PUSH ESI
00401832 |. 8B71 08        MOV ESI,DWORD PTR DS:[ECX+8]
00401835 |. 33C0           XOR EAX,EAX
00401837 |. 57             PUSH EDI
00401838 |. 8B56 F8        MOV EDX,DWORD PTR DS:[ESI-8]
0040183B |. 894424 08      MOV DWORD PTR SS:[ESP+8],EAX
0040183F |. 4A             DEC EDX
00401840 |. BF 02000000    MOV EDI,2                             ; a1 := 2
00401845 |. 78 0D          JS SHORT CrackMe.00401854
00401847 |. 53             PUSH EBX
00401848 |> 0FBE1C06       /MOVSX EBX,BYTE PTR DS:[ESI+EAX]      ; take the ASCII value of the n-th character counting from the start of regsn, call it b1
0040184C |. 03FB           |ADD EDI,EBX                          ; a1 := a1 + b1
0040184E |. 40             |INC EAX
0040184F |. 3BC2           |CMP EAX,EDX
00401851 |.^7E F5          \JLE SHORT CrackMe.00401848
00401853 |. 5B             POP EBX
00401854 |> 8B41 0C        MOV EAX,DWORD PTR DS:[ECX+C]
00401857 |. 8B7424 10      MOV ESI,DWORD PTR SS:[ESP+10]
0040185B |. 50             PUSH EAX
0040185C    57             PUSH EDI                              ; patch point: change it to push eax and the check is bypassed
0040185D |. 56             PUSH ESI
0040185E |. E8 0D000000    CALL CrackMe.00401870                 ; registration succeeds if a1 = c
00401863 |. 8BC6           MOV EAX,ESI
00401865 |. 5F             POP EDI
00401866 |. 5E             POP ESI
00401867 |. 59             POP ECX
00401868 \. C2 0400        RETN 4
[ This post was last edited by johnroot on 2007-7-9 12:15 ]
Impressive.
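The two loops in the listing above, re-implemented in Python as an added example (this is not code from the crackme or from the post). It assumes, as the post states, that the routine at 00401870 only compares the two values for equality; the name "KOL" and the serial "ZZZZZ-" used in the demo are constructed inputs chosen for this example. Beyond the post, it also shows why the check is weak: the serial enters the comparison only as a byte sum, so its characters can be reordered freely without changing the verdict.

```python
# Re-implementation of the CrackMe1.1 name/serial check described in the
# disassembly (added example, not the crackme's own code).
# Assumption: CrackMe.00401870 accepts exactly when a1 == c.

MASK32 = 0xFFFFFFFF


def _signed_bytes(s):
    """MOVSX sign-extends each byte, so bytes >= 0x80 become negative."""
    return [b - 256 if b >= 0x80 else b for b in s.encode("latin-1")]


def compute_c(name):
    """Loop at 004017FA..00401814: c += ((a+1) xor b) + 2*b over the name.

    a walks backwards from the last character (EDI), b forwards (EBX+EAX);
    the loop runs for EAX = 0 .. len-1 and is skipped for an empty name (JS).
    """
    chars = _signed_bytes(name)
    n = len(chars)
    c = 0
    for i in range(n):
        a = chars[n - 1 - i]
        b = chars[i]
        d = (((a + 1) ^ b) + 2 * b) & MASK32   # LEA EDX,[EBP+EDX*2]
        c = (c + d) & MASK32                   # [ECX+C] += d
    return c


def compute_a1(serial):
    """Loop at 00401848..00401851: a1 starts at 2 and adds every serial byte."""
    return (2 + sum(_signed_bytes(serial))) & MASK32


def check(name, serial):
    """CALL 00401870 (assumed equality test): registered iff a1 == c."""
    return compute_a1(serial) == compute_c(name)


def verdict_is_order_insensitive(name, serial):
    """Design weakness: because only the byte sum of the serial matters, the
    reversed and sorted serials must yield the same verdict as the original."""
    original = check(name, serial)
    return (check(name, serial[::-1]) == original
            and check(name, "".join(sorted(serial))) == original)


if __name__ == "__main__":
    name, serial = "KOL", "ZZZZZ-"          # constructed demo inputs
    print("c  =", compute_c(name))           # 497
    print("a1 =", compute_a1(serial))        # 497
    print("accepted:", check(name, serial))
    print("reordered serial gives same verdict:",
          verdict_is_order_insensitive(name, serial))
```

Because the serial is bound to the name through a single 32-bit sum, the check cannot distinguish serials with the same byte total, which is the property a stronger scheme (a per-character transform, a hash, or a signature over the name) would need to remove.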