Please help me take a look at KeyGenMe2007_A
I'm new to PYG (飘云阁). I've been tracing this crackme for many days; even though it's a plaintext comparison, I still can't work out the algorithm. Hoping everyone can help and give me a few pointers, thanks in advance. The attachment has been uploaded. [This post was last edited by missviola on 2007-12-15 17:25]

Is nobody willing to come out and give a hint or two?

I don't see anywhere to download it.

The attachment has been uploaded, it's in the first post. I'm in a hurry here.
[This post was last edited by missviola on 2007-12-15 17:29]

Speechless. I did upload the attachment. With so many moderators and experts around, isn't a single one willing to come out and teach a beginner? This is supposed to be a cracking group for beginners; is this how beginners like me get treated? I know this question is very basic, and I did use my own head, but I only asked because I really couldn't solve it myself. Now it looks like I came to the wrong place. If the moderators think what I said is hard to hear, ban my account, my IP, whatever, I have no objection at all.

It's not that people won't help you; others have their own difficulties, and this algorithm is a bit troublesome. I only had a quick look and backed out; finishing the analysis would probably take another hour or two.
Here's mine:
name: yingyue
code: 004914379

00401650 55 PUSH EBP
00401651 8BEC MOV EBP,ESP
00401653 6A FF PUSH -1
00401655 68 50324000 PUSH KeyGenMe.00403250 ; SE handler installation
0040165A 64:A1 00000000MOV EAX,DWORD PTR FS:
00401660 50 PUSH EAX
00401661 64:8925 0000000>MOV DWORD PTR FS:,ESP
00401668 83EC 2C SUB ESP,2C
0040166B 53 PUSH EBX
0040166C 56 PUSH ESI
0040166D 57 PUSH EDI
0040166E 8BF1 MOV ESI,ECX
00401670 6A 01 PUSH 1
00401672 E8 6D170000 CALL <JMP.&MFC42.#6334_?UpdateData@CWnd@>; set the breakpoint here
00401677 8D4D E8 LEA ECX,DWORD PTR SS:
0040167A E8 0B170000 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040167F 8D4D EC LEA ECX,DWORD PTR SS:
00401682 C745 FC 0000000>MOV DWORD PTR SS:,0
00401689 E8 FC160000 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040168E 8D4D E4 LEA ECX,DWORD PTR SS:
00401691 C645 FC 01 MOV BYTE PTR SS:,1
00401695 E8 F0160000 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040169A 8B46 6C MOV EAX,DWORD PTR DS: ; the username appears
0040169D 8D5E 6C LEA EBX,DWORD PTR DS:
004016A0 C645 FC 02 MOV BYTE PTR SS:,2
004016A4 8B40 F8 MOV EAX,DWORD PTR DS:
004016A7 83F8 06 CMP EAX,6 ; username length compared with 6, must be greater than 6
004016AA 0F8E 7B010000 JLE KeyGenMe.0040182B ; junk code (anti-disassembly) is used here, and below too
004016B0 74 03 JE SHORT KeyGenMe.004016B5
004016B2 75 01 JNZ SHORT KeyGenMe.004016B5
004016B4 68 8B46688D PUSH 8D68468B
004016B9 7E 68 JLE SHORT KeyGenMe.00401723
004016BB 68 6C644000 PUSH KeyGenMe.0040646C
004016C0 50 PUSH EAX
004016C1 FF15 94424000 CALL DWORD PTR DS:[<&msvcrt._mbscmp>] ; msvcrt._mbscmp
004016C7 83C4 08 ADD ESP,8
004016CA 85C0 TEST EAX,EAX ; this checks whether the serial is empty
004016CC 0F84 59010000 JE KeyGenMe.0040182B
004016D2 74 03 JE SHORT KeyGenMe.004016D7
004016D4 75 01 JNZ SHORT KeyGenMe.004016D7
004016D6 68 8B0B8B41 PUSH 418B0B8B
004016DB F8 CLC
004016DC 83C0 FE ADD EAX,-2
004016DF 83F8 06 CMP EAX,6
004016E2 0F8D 43010000 JGE KeyGenMe.0040182B ; username length - 2 < 6 must hold
004016E8 EB 01 JMP SHORT KeyGenMe.004016EB ; so the username length must be 7
004016EA 8568 50 TEST DWORD PTR DS:,EBP
004016ED 60 PUSHAD
004016EE 40 INC EAX
004016EF 008B CFE8E716 ADD BYTE PTR DS:,CL
004016F5 0000 ADD BYTE PTR DS:,AL
004016F7 85C0 TEST EAX,EAX
004016F9 0F8E 2C010000 JLE KeyGenMe.0040182B
004016FF 74 03 JE SHORT KeyGenMe.00401704
00401701 75 01 JNZ SHORT KeyGenMe.00401704
00401703 68 8B138B4E PUSH 4E8B138B
00401708 60 PUSHAD
00401709 8B42 F8 MOV EAX,DWORD PTR DS:
0040170C 50 PUSH EAX
0040170D 8D45 E8 LEA EAX,DWORD PTR SS:
00401710 51 PUSH ECX
00401711 50 PUSH EAX
00401712 E8 C1160000 CALL <JMP.&MFC42.#2818_?Format@CString@@>; Format builds a string of the username length
00401717 EB 01 JMP SHORT KeyGenMe.0040171A ; with a username length of 7, the string built is "7"
00401719 858B 0F8D55EC TEST DWORD PTR DS:,ECX
0040171F 8B41 F8 MOV EAX,DWORD PTR DS:
00401722 8B4E 60 MOV ECX,DWORD PTR DS:
00401725 50 PUSH EAX
00401726 51 PUSH ECX
00401727 52 PUSH EDX
00401728 E8 AB160000 CALL <JMP.&MFC42.#2818_?Format@CString@@>; Format builds a string of the serial length
0040172D 83C4 18 ADD ESP,18 ; here it is "9"
00401730 EB 01 JMP SHORT KeyGenMe.00401733
00401732 858D 45CC6A02 TEST DWORD PTR SS:,ECX
00401738 50 PUSH EAX
00401739 8BCF MOV ECX,EDI
0040173B E8 92160000 CALL <JMP.&MFC42.#5710_?Right@CString@@Q>; rightmost 2 characters of the serial
00401740 50 PUSH EAX
00401741 51 PUSH ECX
00401742 8BCC MOV ECX,ESP
00401744 8965 C8 MOV DWORD PTR SS:,ESP
00401747 6A 07 PUSH 7
00401749 51 PUSH ECX
0040174A 8BCF MOV ECX,EDI
0040174C C645 FC 03 MOV BYTE PTR SS:,3
00401750 E8 77160000 CALL <JMP.&MFC42.#4129_?Left@CString@@QB>; leftmost 7 characters of the serial
00401755 8D55 D0 LEA EDX,DWORD PTR SS:
00401758 8BCE MOV ECX,ESI
0040175A 52 PUSH EDX
0040175B E8 60030000 CALL KeyGenMe.00401AC0 ; important function.. step into... it is a transposition function
00401760 50 PUSH EAX
00401761 8D45 D4 LEA EAX,DWORD PTR SS:
00401764 50 PUSH EAX
00401765 C645 FC 04 MOV BYTE PTR SS:,4
00401769 E8 58160000 CALL <JMP.&MFC42.#922_??H@YG?AVCString@@>; after transposition, concatenated with the last 2 characters of the serial
0040176E 8BF8 MOV EDI,EAX
00401770 8D4D EC LEA ECX,DWORD PTR SS:
00401773 8D55 E8 LEA EDX,DWORD PTR SS:
00401776 51 PUSH ECX
00401777 52 PUSH EDX
00401778 51 PUSH ECX
00401779 C645 FC 05 MOV BYTE PTR SS:,5
0040177D 8BCC MOV ECX,ESP
0040177F 8965 C8 MOV DWORD PTR SS:,ESP
00401782 53 PUSH EBX
00401783 E8 38160000 CALL <JMP.&MFC42.#535_??0CString@@QAE@AB>
00401788 8D45 D8 LEA EAX,DWORD PTR SS:
0040178B 8BCE MOV ECX,ESI
0040178D 50 PUSH EAX
0040178E E8 9D010000 CALL KeyGenMe.00401930 ; computes on the username, step into
00401793 8D4D DC LEA ECX,DWORD PTR SS:
00401796 50 PUSH EAX
00401797 51 PUSH ECX
00401798 C645 FC 06 MOV BYTE PTR SS:,6
0040179C E8 25160000 CALL <JMP.&MFC42.#922_??H@YG?AVCString@@>
004017A1 8D55 E0 LEA EDX,DWORD PTR SS: ; append the username length 7
004017A4 50 PUSH EAX
004017A5 52 PUSH EDX
004017A6 C645 FC 07 MOV BYTE PTR SS:,7
004017AA E8 17160000 CALL <JMP.&MFC42.#922_??H@YG?AVCString@@>; append the serial length 9
004017AF 8B3F MOV EDI,DWORD PTR DS:
004017B1 8B00 MOV EAX,DWORD PTR DS:
004017B3 57 PUSH EDI
004017B4 50 PUSH EAX
004017B5 FF15 94424000 CALL DWORD PTR DS:[<&msvcrt._mbscmp>] ; msvcrt._mbscmp
004017BB 83C4 08 ADD ESP,8
004017BE 85C0 TEST EAX,EAX ; if the comparison here is equal, it succeeds
004017C0 0F9545 F3 SETNE BYTE PTR SS:
004017C4 8D4D E0 LEA ECX,DWORD PTR SS:
/***********************************************************************************/
Below is the function that transforms the serial: the rest of this function is all that same left-4/right-3 swapping operation... many times
00401AC0 55 PUSH EBP
00401AC1 8BEC MOV EBP,ESP
00401AC3 6A FF PUSH -1
00401AC5 68 97334000 PUSH KeyGenMe.00403397 ; SE handler installation
00401ACA 64:A1 00000000MOV EAX,DWORD PTR FS:
00401AD0 50 PUSH EAX
00401AD1 64:8925 0000000>MOV DWORD PTR FS:,ESP
00401AD8 83EC 14 SUB ESP,14
00401ADB 53 PUSH EBX
00401ADC 56 PUSH ESI
00401ADD C745 E0 0000000>MOV DWORD PTR SS:,0
00401AE4 8D4D F0 LEA ECX,DWORD PTR SS:
00401AE7 C745 FC 0100000>MOV DWORD PTR SS:,1
00401AEE E8 97120000 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
00401AF3 B3 02 MOV BL,2
00401AF5 885D FC MOV BYTE PTR SS:,BL
00401AF8 74 03 JE SHORT KeyGenMe.00401AFD
00401AFA 75 01 JNZ SHORT KeyGenMe.00401AFD
00401AFC 68 8D45E46A PUSH 6AE4458D
00401B01 04 50 ADD AL,50
00401B03 8D4D 0C LEA ECX,DWORD PTR SS:
00401B06 E8 C1120000 CALL <JMP.&MFC42.#4129_?Left@CString@@QB>; left 4 characters of the serial
00401B0B 8BF0 MOV ESI,EAX
00401B0D 8D4D E8 LEA ECX,DWORD PTR SS:
00401B10 6A 03 PUSH 3
00401B12 51 PUSH ECX
00401B13 8D4D 0C LEA ECX,DWORD PTR SS:
00401B16 C645 FC 03 MOV BYTE PTR SS:,3
00401B1A E8 B3120000 CALL <JMP.&MFC42.#5710_?Right@CString@@Q>; characters 5, 6, 7 in the middle of the serial
00401B1F 56 PUSH ESI
00401B20 8D55 EC LEA EDX,DWORD PTR SS:
00401B23 50 PUSH EAX
00401B24 52 PUSH EDX
00401B25 C645 FC 04 MOV BYTE PTR SS:,4
00401B29 E8 98120000 CALL <JMP.&MFC42.#922_??H@YG?AVCString@@>
00401B2E 50 PUSH EAX ; the two strings above are concatenated
00401B2F 8D4D F0 LEA ECX,DWORD PTR SS: ; i.e. the left 4 characters change places with characters 5, 6, 7
00401B32 C645 FC 05 MOV BYTE PTR SS:,5
00401B36 E8 AF120000 CALL <JMP.&MFC42.#858_??4CString@@QAEABV>
00401B3B 8D4D EC LEA ECX,DWORD PTR SS:
00401B3E C645 FC 04 MOV BYTE PTR SS:,4
00401B42 E8 59110000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00401B47 8D4D E8 LEA ECX,DWORD PTR SS:
00401B4A C645 FC 03 MOV BYTE PTR SS:,3
00401B4E E8 4D110000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00401B53 8D4D E4 LEA ECX,DWORD PTR SS:
00401B56 885D FC MOV BYTE PTR SS:,BL
00401B59 E8 42110000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00401B5E 74 03 JE SHORT KeyGenMe.00401B63
00401B60 75 01 JNZ SHORT KeyGenMe.00401B63
00401B62 68 8D45EC6A PUSH 6AEC458D
00401B67 04 50 ADD AL,50
00401B69 8D4D F0 LEA ECX,DWORD PTR SS:
00401B6C E8 5B120000 CALL <JMP.&MFC42.#4129_?Left@CString@@QB>; take the left 4 characters of the result above again
00401B71 8BF0 MOV ESI,EAX
00401B73 8D4D E8 LEA ECX,DWORD PTR SS:
00401B76 6A 03 PUSH 3
00401B78 51 PUSH ECX
00401B79 8D4D F0 LEA ECX,DWORD PTR SS:
00401B7C C645 FC 06 MOV BYTE PTR SS:,6
00401B80 E8 4D120000 CALL <JMP.&MFC42.#5710_?Right@CString@@Q>; take the right 3 characters
00401B85 56 PUSH ESI
00401B86 8D55 E4 LEA EDX,DWORD PTR SS:
00401B89 50 PUSH EAX
00401B8A 52 PUSH EDX
00401B8B C645 FC 07 MOV BYTE PTR SS:,7
00401B8F E8 32120000 CALL <JMP.&MFC42.#922_??H@YG?AVCString@@>; concatenate again
00401B94 50 PUSH EAX
00401B95 8D4D F0 LEA ECX,DWORD PTR SS:
00401B98 C645 FC 08 MOV BYTE PTR SS:,8
00401B9C E8 49120000 CALL <JMP.&MFC42.#858_??4CString@@QAEABV>
00401BA1 8D4D E4 LEA ECX,DWORD PTR SS:
00401BA4 C645 FC 07 MOV BYTE PTR SS:,7
00401BA8 E8 F3100000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00401BAD 8D4D E8 LEA ECX,DWORD PTR SS:
00401BB0 C645 FC 06 MOV BYTE PTR SS:,6
00401BB4 E8 E7100000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00401BB9 8D4D EC LEA ECX,DWORD PTR SS:
00401BBC 885D FC MOV BYTE PTR SS:,BL
00401BBF E8 DC100000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00401BC4 74 03 JE SHORT KeyGenMe.00401BC9
00401BC6 75 01 JNZ SHORT KeyGenMe.00401BC9
/*******************************************************************************
Below is the function that computes on the username; I didn't look at one of its branches.. not sure whether it affects making the keygen...
0040199E 0FBEC3 MOVSX EAX,BL
004019A1 0FBE5D F2 MOVSX EBX,BYTE PTR SS:
004019A5 0FAFF0 IMUL ESI,EAX ; letters 3 and 5 multiplied
004019A8 0FBE45 F3 MOVSX EAX,BYTE PTR SS:
004019AC 0FAFC3 IMUL EAX,EBX ; letters 6 and 2 multiplied
004019AF 03F0 ADD ESI,EAX
004019B1 0FBED2 MOVSX EDX,DL
004019B4 0FBEC1 MOVSX EAX,CL
004019B7 0FAFD0 IMUL EDX,EAX ; letters 1 and 7 multiplied
004019BA 03F2 ADD ESI,EDX ; the three added together
004019BC EB 01 JMP SHORT KeyGenMe.004019BF
004019BE 850F TEST DWORD PTR DS:,ECX
004019C0 AF SCAS DWORD PTR ES:
004019C1 F6 ??? ; unknown instruction
004019C2 8B4D 0C MOV ECX,DWORD PTR SS:
004019C5 8A41 03 MOV AL,BYTE PTR DS:
004019C8 0FBED0 MOVSX EDX,AL
004019CB 33F2 XOR ESI,EDX ; XOR with the 4th letter
004019CD 74 03 JE SHORT KeyGenMe.004019D2
004019CF 75 01 JNZ SHORT KeyGenMe.004019D2
004019D1 68 8B476056 PUSH 5660478B
004019D6 50 PUSH EAX
004019D7 8D45 EC LEA EAX,DWORD PTR SS:
004019DA 50 PUSH EAX
004019DB E8 F8130000 CALL <JMP.&MFC42.#2818_?Format@CString@@>; Format the result above into a string
004019E0 8B4D EC MOV ECX,DWORD PTR SS:
004019E3 83C4 0C ADD ESP,0C
004019E6 8B41 F8 MOV EAX,DWORD PTR DS:
004019E9 83F8 06 CMP EAX,6
004019EC 7E 2B JLE SHORT KeyGenMe.00401A19
004019EE 74 03 JE SHORT KeyGenMe.004019F3
004019F0 75 01 JNZ SHORT KeyGenMe.004019F3
004019F2 68 6A078D55 PUSH 558D076A
004019F7 E4 6A IN AL,6A ; I/O instruction
004019F9 0052 8D ADD BYTE PTR DS:,DL
004019FC 4D DEC EBP
004019FD EC IN AL,DX ; I/O instruction
004019FE E8 F3130000 CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE>; left 7 characters
00401A03 50 PUSH EAX
00401A04 8D4D E8 LEA ECX,DWORD PTR SS:
00401A07 C645 FC 04 MOV BYTE PTR SS:,4
00401A0B E8 DA130000 CALL <JMP.&MFC42.#858_??4CString@@QAEABV>
00401A10 C645 FC 03 MOV BYTE PTR SS:,3
00401A14 8D4D E4 LEA ECX,DWORD PTR SS:
00401A17 EB 4D JMP SHORT KeyGenMe.00401A66
00401A19 EB 01 JMP SHORT KeyGenMe.00401A1C
00401A1B 858B C68B4F60 TEST DWORD PTR DS:,ECX
00401A21 0FAFF0 IMUL ESI,EAX
00401A24 8BC6 MOV EAX,ESI
00401A26 99 CDQ
00401A27 33C2 XOR EAX,EDX
00401A29 2BC2 SUB EAX,EDX
00401A2B 50 PUSH EAX
00401A2C 51 PUSH ECX
00401A2D 8D4D EC LEA ECX,DWORD PTR SS:
00401A30 51 PUSH ECX
00401A31 E8 A2130000 CALL <JMP.&MFC42.#2818_?Format@CString@@>
00401A36 8B55 EC MOV EDX,DWORD PTR SS:
00401A39 83C4 0C ADD ESP,0C
00401A3C 837A F8 06 CMP DWORD PTR DS:,6
00401A40^ 7E D7 JLE SHORT KeyGenMe.00401A19
00401A42 6A 07 PUSH 7
00401A44 8D45 E4 LEA EAX,DWORD PTR SS:
00401A47 6A 00 PUSH 0
00401A49 50 PUSH EAX
00401A4A 8D4D EC LEA ECX,DWORD PTR SS:
00401A4D E8 A4130000 CALL <JMP.&MFC42.#4278_?Mid@CString@@QBE>
00401A52 50 PUSH EAX
00401A53 8D4D E8 LEA ECX,DWORD PTR SS:
00401A56 C645 FC 05 MOV BYTE PTR SS:,5
00401A5A E8 8B130000 CALL <JMP.&MFC42.#858_??4CString@@QAEABV>
00401A5F C645 FC 03 MOV BYTE PTR SS:,3
00401A63 8D4D E4 LEA ECX,DWORD PTR SS:
00401A66 E8 35120000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00401A6B 8B75 08 MOV ESI,DWORD PTR SS:
00401A6E 8D4D E8 LEA ECX,DWORD PTR SS:
00401A71 51 PUSH ECX
00401A72 8BCE MOV ECX,ESI
00401A74 E8 47130000 CALL <JMP.&MFC42.#535_??0CString@@QAE@AB>
00401A79 BB 01000000 MOV EBX,1
00401A7E 895D E0 MOV DWORD PTR SS:,EBX
00401A81 8D4D E8 LEA ECX,DWORD PTR SS:
00401A84 C645 FC 02 MOV BYTE PTR SS:,2
00401A88 E8 13120000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00401A8D 8D4D EC LEA ECX,DWORD PTR SS:
00401A90 885D FC MOV BYTE PTR SS:,BL
00401A93 E8 08120000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00401A98 8D4D 0C LEA ECX,DWORD PTR SS:
00401A9B C645 FC 00 MOV BYTE PTR SS:,0
00401A9F E8 FC110000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00401AA4 8B4D F4 MOV ECX,DWORD PTR SS:
00401AA7 8BC6 MOV EAX,ESI
00401AA9 5F POP EDI
00401AAA 5E POP ESI
00401AAB 5B POP EBX
00401AAC 64:890D 0000000>MOV DWORD PTR FS:,ECX
00401AB3 8BE5 MOV ESP,EBP
00401AB5 5D POP EBP
00401AB6 C2 0800 RETN 8
Attached is a keygen written in C++:
#include <cstdio>
#include <iostream>
using namespace std;

int main()
{
    // Substitute the username here.. note it must be 7 bytes.
    unsigned char name[] = "vecri22";
    // 32-bit arithmetic, as in the original MSVC build (unsigned long is 64-bit on other platforms).
    unsigned int sum = 0;
    // The array indices were lost in the forum copy; they follow the comments in the listing
    // above: letters 3*5 + 6*2 + 1*7, squared, then XOR with letter 4.
    sum = (unsigned int)name[2] * name[4];
    sum += (unsigned int)name[5] * name[1];
    sum += (unsigned int)name[0] * name[6];
    sum *= sum;
    sum ^= (unsigned int)name[3];
    char namecode[16] = {0};
    sprintf(namecode, "%d", (int)sum);
    // The checker swaps the left 4 and right 3 characters of the serial before comparing
    // with namecode, so the keygen places them the other way round.
    char regcode[10] = {0};
    regcode[0] = namecode[3];
    regcode[1] = namecode[4];
    regcode[2] = namecode[5];
    regcode[3] = namecode[6];
    regcode[4] = namecode[0];
    regcode[5] = namecode[1];
    regcode[6] = namecode[2];
    regcode[7] = '7';   // username length
    regcode[8] = '9';   // serial length
    cout << regcode << endl;
    return 0;
}

Thanks to the two posters above for the help, thank you. I also want to say sorry for some of the things I said yesterday.

It really is troublesome enough. Learning from this.

Someone has already analyzed it; brother, don't be impatient. After all, everyone has their own things to do, and it's already good that someone can spare the time to have a look. Since you managed to trace it for many days, how come you can't wait a little while?
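The following is an added example, not code from this thread or from the crackme: a C++ reconstruction of the check described in the analysis post above, written to verify that analysis against the name/code pair posted in the thread (yingyue / 004914379). The function names are my own. It assumes the CString::Format calls use "%d", models the branch the poster did not trace (at 00401A19: keep squaring, with the CDQ/XOR/SUB absolute value, while the formatted number is 6 characters or shorter) from the listing, and treats the number of left-4/right-3 passes as a parameter, since the post says the pass repeats many times without giving a count: on a 7-character string each pass is a rotation by 4 places, so only the count mod 7 matters, and the posted pair is consistent with any count that is 1 mod 7.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>

// CString::Left / CString::Right semantics: asking for more characters than the
// string has returns the whole string.
static std::string left(const std::string& s, std::size_t n) { return s.substr(0, n); }
static std::string right(const std::string& s, std::size_t n) {
    return n < s.size() ? s.substr(s.size() - n) : s;
}

// One pass of the routine at 00401AC0: the left 4 and the right 3 characters change places.
static std::string swap_left4_right3(const std::string& s) { return right(s, 3) + left(s, 4); }

// Transposition applied to the first 7 serial characters. The post says the pass is
// repeated "many times" without a count; on 7 characters each pass is a rotation by 4
// places, so only passes mod 7 matters. One pass is an assumption that the posted
// pair yingyue / 004914379 satisfies.
std::string transform_serial(std::string s, int passes = 1) {
    for (int i = 0; i < passes; ++i) s = swap_left4_right3(s);
    return s;
}

// Routine at 00401930 (username hash): letters 3*5 + 6*2 + 1*7, squared, XOR letter 4,
// formatted with "%d" (assumed). If the text is 6 characters or shorter the value is
// squared again, made non-negative (CDQ / XOR EAX,EDX / SUB EAX,EDX) and reformatted
// until it is longer. The first 7 characters are kept.
std::string name_part(const std::string& name) {
    if (name.size() < 7) return "";
    auto ch = [&](std::size_t i) {              // MOVSX: letters are sign-extended
        return static_cast<std::int32_t>(static_cast<std::int8_t>(name[i]));
    };
    std::uint32_t sum = static_cast<std::uint32_t>(ch(2) * ch(4) + ch(5) * ch(1) + ch(0) * ch(6));
    sum *= sum;                                 // IMUL ESI,ESI hidden in the junk at 004019BF
    sum ^= static_cast<std::uint32_t>(ch(3));
    std::string s = std::to_string(static_cast<std::int32_t>(sum));
    while (s.size() <= 6) {                     // the branch the poster did not trace (00401A19)
        sum *= sum;                             // 32-bit wrap, as in the binary
        if (static_cast<std::int32_t>(sum) < 0) sum = 0u - sum;
        s = std::to_string(static_cast<std::int32_t>(sum));
    }
    return left(s, 7);
}

// The check at 00401650: username must be exactly 7 characters, the serial non-empty,
// and transform(first 7 of serial) + last 2 of serial must equal
// name_part + username length + serial length.
bool check_serial(const std::string& name, const std::string& serial, int passes = 1) {
    if (name.size() <= 6) return false;         // CMP EAX,6 / JLE
    if (name.size() - 2 >= 6) return false;     // ADD EAX,-2 / CMP EAX,6 / JGE
    if (serial.empty()) return false;           // _mbscmp against ""
    std::string actual = transform_serial(left(serial, 7), passes) + right(serial, 2);
    std::string expected = name_part(name) + std::to_string(name.size())
                         + std::to_string(serial.size());
    return actual == expected;
}

// Keygen: rotate name_part the other way (inverse of one pass on 7 characters) and
// append the username length (always 7) and the serial length (7 + 2 = 9).
std::string make_serial(const std::string& name, int passes = 1) {
    if (name.size() != 7) return "";
    std::string t = name_part(name);
    for (int i = 0; i < passes; ++i) t = t.substr(3) + t.substr(0, 3);
    return t + "79";
}

int main() {
    const std::string name = "yingyue";         // pair posted in the thread
    std::string serial = make_serial(name);
    std::cout << name << " -> " << serial
              << (check_serial(name, serial) ? " ok" : " BAD") << '\n';
    return 0;
}
```

check_serial follows the validation path of the listing and make_serial inverts it; the squaring loop only matters for names whose hash formats to six digits or fewer, which is why the poster's keygen works for the names tried in the thread without it.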