The call for the first algorithm is fairly computation-heavy; I lost patience playing with it.
Far too many compares and jumps; it really wears down your patience. Waiting for an expert to come and keygen it.

004013AB 55 PUSH EBP
004013AC 8BEC MOV EBP,ESP
004013AE 83C4 FC ADD ESP,-4
004013B1 60 PUSHAD
004013B2 8B7D 0C MOV EDI,DWORD PTR SS:[EBP+C]
004013B5 8D57 03 LEA EDX,DWORD PTR DS:[EDI+3]
004013B8 C1EA 02 SHR EDX,2
004013BB 8955 0C MOV DWORD PTR SS:[EBP+C],EDX
004013BE 8B7D 10 MOV EDI,DWORD PTR SS:[EBP+10]
004013C1 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
004013C4 8A03 MOV AL,BYTE PTR DS:[EBX]
004013C6 33C9 XOR ECX,ECX
004013C8 894D FC MOV DWORD PTR SS:[EBP-4],ECX
004013CB 84C0 TEST AL,AL
004013CD 74 6B JE SHORT CrackMeV.0040143A
004013CF 43 INC EBX ; ebx is the code string
004013D0 3C 41 CMP AL,41
004013D2 7C 0C JL SHORT CrackMeV.004013E0
004013D4 3C 5A CMP AL,5A
004013D6 7F 08 JG SHORT CrackMeV.004013E0
004013D8 0FBEC0 MOVSX EAX,AL
004013DB 83E8 41 SUB EAX,41
004013DE EB 47 JMP SHORT CrackMeV.00401427
004013E0 3C 61 CMP AL,61
004013E2 7C 0C JL SHORT CrackMeV.004013F0
004013E4 3C 7A CMP AL,7A
004013E6 7F 08 JG SHORT CrackMeV.004013F0
004013E8 0FBEC0 MOVSX EAX,AL
004013EB 83E8 47 SUB EAX,47
004013EE EB 37 JMP SHORT CrackMeV.00401427
004013F0 3C 30 CMP AL,30
004013F2 7C 0C JL SHORT CrackMeV.00401400
004013F4 3C 39 CMP AL,39
004013F6 7F 08 JG SHORT CrackMeV.00401400
004013F8 0FBEC0 MOVSX EAX,AL
004013FB 83C0 04 ADD EAX,4
004013FE EB 27 JMP SHORT CrackMeV.00401427
00401400 3C 2B CMP AL,2B
00401402 74 06 JE SHORT CrackMeV.0040140A
00401404 3C 2A CMP AL,2A
00401406 74 02 JE SHORT CrackMeV.0040140A
00401408 EB 07 JMP SHORT CrackMeV.00401411
0040140A B8 3E000000 MOV EAX,3E
0040140F EB 16 JMP SHORT CrackMeV.00401427
00401411 3C 2F CMP AL,2F
00401413 74 06 JE SHORT CrackMeV.0040141B
00401415 3C 24 CMP AL,24
00401417 74 02 JE SHORT CrackMeV.0040141B
00401419 EB 07 JMP SHORT CrackMeV.00401422
0040141B B8 3F000000 MOV EAX,3F
00401420 EB 05 JMP SHORT CrackMeV.00401427
00401422 B8 40000000 MOV EAX,40
00401427 83E8 0A SUB EAX,0A
0040142A 7D 03 JGE SHORT CrackMeV.0040142F
0040142C 83C0 41 ADD EAX,41
0040142F 83E0 3F AND EAX,3F
00401432 C1E0 12 SHL EAX,12
00401435 8BC8 MOV ECX,EAX
00401437 894D FC MOV DWORD PTR SS:[EBP-4],ECX
0040143A 8A03 MOV AL,BYTE PTR DS:[EBX]
0040143C 84C0 TEST AL,AL
0040143E 74 73 JE SHORT CrackMeV.004014B3
00401440 43 INC EBX
00401441 3C 41 CMP AL,41
00401443 7C 0C JL SHORT CrackMeV.00401451
00401445 3C 5A CMP AL,5A
00401447 7F 08 JG SHORT CrackMeV.00401451
00401449 0FBEC0 MOVSX EAX,AL
0040144C 83E8 41 SUB EAX,41
0040144F EB 47 JMP SHORT CrackMeV.00401498
00401451 3C 61 CMP AL,61
00401453 7C 0C JL SHORT CrackMeV.00401461
00401455 3C 7A CMP AL,7A
00401457 7F 08 JG SHORT CrackMeV.00401461
00401459 0FBEC0 MOVSX EAX,AL
0040145C 83E8 47 SUB EAX,47
0040145F EB 37 JMP SHORT CrackMeV.00401498
00401461 3C 30 CMP AL,30
00401463 7C 0C JL SHORT CrackMeV.00401471
00401465 3C 39 CMP AL,39
00401467 7F 08 JG SHORT CrackMeV.00401471
00401469 0FBEC0 MOVSX EAX,AL
0040146C 83C0 04 ADD EAX,4
0040146F EB 27 JMP SHORT CrackMeV.00401498
00401471 3C 2B CMP AL,2B
00401473 74 06 JE SHORT CrackMeV.0040147B
00401475 3C 2A CMP AL,2A
00401477 74 02 JE SHORT CrackMeV.0040147B
00401479 EB 07 JMP SHORT CrackMeV.00401482
0040147B B8 3E000000 MOV EAX,3E
00401480 EB 16 JMP SHORT CrackMeV.00401498
00401482 3C 2F CMP AL,2F
00401484 74 06 JE SHORT CrackMeV.0040148C
00401486 3C 24 CMP AL,24
00401488 74 02 JE SHORT CrackMeV.0040148C
0040148A EB 07 JMP SHORT CrackMeV.00401493
0040148C B8 3F000000 MOV EAX,3F
00401491 EB 05 JMP SHORT CrackMeV.00401498
00401493 B8 40000000 MOV EAX,40
00401498 83E8 0A SUB EAX,0A
0040149B 7D 03 JGE SHORT CrackMeV.004014A0
0040149D 83C0 41 ADD EAX,41
004014A0 83E0 3F AND EAX,3F
004014A3 81E1 FF0FFCFF AND ECX,FFFC0FFF
004014A9 C1E0 0C SHL EAX,0C
004014AC 0BC1 OR EAX,ECX
004014AE 8BC8 MOV ECX,EAX
004014B0 894D FC MOV DWORD PTR SS:[EBP-4],ECX
004014B3 8A03 MOV AL,BYTE PTR DS:[EBX]
004014B5 84C0 TEST AL,AL
004014B7 74 73 JE SHORT CrackMeV.0040152C
004014B9 43 INC EBX
004014BA 3C 41 CMP AL,41
004014BC 7C 0C JL SHORT CrackMeV.004014CA
004014BE 3C 5A CMP AL,5A
004014C0 7F 08 JG SHORT CrackMeV.004014CA
004014C2 0FBEC0 MOVSX EAX,AL
004014C5 83E8 41 SUB EAX,41
004014C8 EB 47 JMP SHORT CrackMeV.00401511
004014CA 3C 61 CMP AL,61
004014CC 7C 0C JL SHORT CrackMeV.004014DA
004014CE 3C 7A CMP AL,7A
004014D0 7F 08 JG SHORT CrackMeV.004014DA
004014D2 0FBEC0 MOVSX EAX,AL
004014D5 83E8 47 SUB EAX,47
004014D8 EB 37 JMP SHORT CrackMeV.00401511
004014DA 3C 30 CMP AL,30
004014DC 7C 0C JL SHORT CrackMeV.004014EA
004014DE 3C 39 CMP AL,39
004014E0 7F 08 JG SHORT CrackMeV.004014EA
004014E2 0FBEC0 MOVSX EAX,AL
004014E5 83C0 04 ADD EAX,4
004014E8 EB 27 JMP SHORT CrackMeV.00401511
004014EA 3C 2B CMP AL,2B
004014EC 74 06 JE SHORT CrackMeV.004014F4
004014EE 3C 2A CMP AL,2A
004014F0 74 02 JE SHORT CrackMeV.004014F4
004014F2 EB 07 JMP SHORT CrackMeV.004014FB
004014F4 B8 3E000000 MOV EAX,3E
004014F9 EB 16 JMP SHORT CrackMeV.00401511
004014FB 3C 2F CMP AL,2F
004014FD 74 06 JE SHORT CrackMeV.00401505
004014FF 3C 24 CMP AL,24
00401501 74 02 JE SHORT CrackMeV.00401505
00401503 EB 07 JMP SHORT CrackMeV.0040150C
00401505 B8 3F000000 MOV EAX,3F
0040150A EB 05 JMP SHORT CrackMeV.00401511
0040150C B8 40000000 MOV EAX,40
00401511 83E8 0A SUB EAX,0A
00401514 7D 03 JGE SHORT CrackMeV.00401519
00401516 83C0 41 ADD EAX,41
00401519 83E0 3F AND EAX,3F
0040151C 81E1 3FF0FFFF AND ECX,FFFFF03F
00401522 C1E0 06 SHL EAX,6
00401525 0BC1 OR EAX,ECX
00401527 8BC8 MOV ECX,EAX
00401529 894D FC MOV DWORD PTR SS:[EBP-4],ECX
0040152C 8A03 MOV AL,BYTE PTR DS:[EBX]
0040152E 84C0 TEST AL,AL
00401530 74 6D JE SHORT CrackMeV.0040159F
00401532 43 INC EBX
00401533 3C 41 CMP AL,41
00401535 7C 0C JL SHORT CrackMeV.00401543
00401537 3C 5A CMP AL,5A
00401539 7F 08 JG SHORT CrackMeV.00401543
0040153B 0FBEC0 MOVSX EAX,AL
0040153E 83E8 41 SUB EAX,41
00401541 EB 47 JMP SHORT CrackMeV.0040158A
00401543 3C 61 CMP AL,61
00401545 7C 0C JL SHORT CrackMeV.00401553
00401547 3C 7A CMP AL,7A
00401549 7F 08 JG SHORT CrackMeV.00401553
0040154B 0FBEC0 MOVSX EAX,AL
0040154E 83E8 47 SUB EAX,47
00401551 EB 37 JMP SHORT CrackMeV.0040158A
00401553 3C 30 CMP AL,30
00401555 7C 0C JL SHORT CrackMeV.00401563
00401557 3C 39 CMP AL,39
00401559 7F 08 JG SHORT CrackMeV.00401563
0040155B 0FBEC0 MOVSX EAX,AL
0040155E 83C0 04 ADD EAX,4
00401561 EB 27 JMP SHORT CrackMeV.0040158A
00401563 3C 2B CMP AL,2B
00401565 74 06 JE SHORT CrackMeV.0040156D
00401567 3C 2A CMP AL,2A
00401569 74 02 JE SHORT CrackMeV.0040156D
0040156B EB 07 JMP SHORT CrackMeV.00401574
0040156D B8 3E000000 MOV EAX,3E
00401572 EB 16 JMP SHORT CrackMeV.0040158A
00401574 3C 2F CMP AL,2F
00401576 74 06 JE SHORT CrackMeV.0040157E
00401578 3C 24 CMP AL,24
0040157A 74 02 JE SHORT CrackMeV.0040157E
0040157C EB 07 JMP SHORT CrackMeV.00401585
0040157E B8 3F000000 MOV EAX,3F
00401583 EB 05 JMP SHORT CrackMeV.0040158A
00401585 B8 40000000 MOV EAX,40
0040158A 83E8 0A SUB EAX,0A
0040158D 7D 03 JGE SHORT CrackMeV.00401592
0040158F 83C0 41 ADD EAX,41
00401592 83E0 3F AND EAX,3F
00401595 83E1 C0 AND ECX,FFFFFFC0
00401598 0BC1 OR EAX,ECX
0040159A 8BC8 MOV ECX,EAX
0040159C 894D FC MOV DWORD PTR SS:[EBP-4],ECX
0040159F 880F MOV BYTE PTR DS:[EDI],CL
004015A1 886F 01 MOV BYTE PTR DS:[EDI+1],CH
004015A4 C1E9 10 SHR ECX,10
004015A7 884F 02 MOV BYTE PTR DS:[EDI+2],CL
004015AA 83C7 03 ADD EDI,3
004015AD 4A DEC EDX
004015AE^ 0F85 10FEFFFF JNZ CrackMeV.004013C4
004015B4 61 POPAD
004015B5 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
004015B8 C9 LEAVE
004015B9 C2 0C00 RETN 0C

The algorithm here really is daunting! CrackMes these days all open with a show of force, to knock the cracker's confidence right down. I can't do algorithms yet; just having a look.
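The listing above reads as a base64 decoder with a non-standard table, and the quickest way to check that reading is to rewrite the routine in a high-level language and compare it against the opcode bytes. The following Python is an added example, not code from this thread or from the CrackMe's author: it takes the serial string, walks the compare ladder at 004013D0..00401432 for each character, applies the SUB 0A / JGE / ADD 41 / AND 3F fix-up, packs four 6-bit values into a 24-bit word the way the three AND masks and shifts do, and writes that word out low byte first as the stores at 0040159F do. The function and parameter names and the sample inputs are this example's own choices; everything else follows the listing.

```python
# Reconstruction of the routine at 004013AB..004015B9 from the OllyDbg listing.
# Added example; not the CrackMe's source. Names and sample inputs are ours.

def map_char(c: int) -> int:
    """Character -> 6-bit value, following the compare/jump ladder used for
    each of the four symbols (004013D0..00401432 for the first one)."""
    if 0x41 <= c <= 0x5A:          # 'A'..'Z'  -> 0..25
        v = c - 0x41
    elif 0x61 <= c <= 0x7A:        # 'a'..'z'  -> 26..51
        v = c - 0x47
    elif 0x30 <= c <= 0x39:        # '0'..'9'  -> 52..61
        v = c + 4
    elif c in (0x2B, 0x2A):        # '+' or '*' -> 62
        v = 0x3E
    elif c in (0x2F, 0x24):        # '/' or '$' -> 63
        v = 0x3F
    else:                          # anything else -> 64
        v = 0x40
    # 00401427: SUB EAX,0A / JGE / ADD EAX,41 / AND EAX,3F
    v -= 10
    if v < 0:
        v += 0x41
    return v & 0x3F


def decode_modified_base64(code: bytes) -> tuple:
    """Decode `code` as the routine does: four symbols -> one 24-bit word,
    stored low byte first. Returns (decoded bytes, group count); the group
    count is what the routine leaves in EAX via [EBP+C]."""
    groups = (len(code) + 3) >> 2            # LEA EDX,[EDI+3] / SHR EDX,2
    out = bytearray()
    pos = 0                                  # EBX, the read cursor

    def next_symbol() -> int:
        # MOV AL,[EBX] on a C string: reading past the end yields the NUL
        return code[pos] if pos < len(code) else 0

    # (shift, mask applied to ECX before OR-ing the new symbol in)
    slots = ((18, 0), (12, 0xFFFC0FFF), (6, 0xFFFFF03F), (0, 0xFFFFFFC0))
    for _ in range(groups):
        acc = 0                              # XOR ECX,ECX at 004013C6
        for shift, mask in slots:
            c = next_symbol()
            if c == 0:
                break                        # TEST AL,AL / JE: straight to the store
            pos += 1                         # INC EBX
            acc = (acc & mask) | (map_char(c) << shift)
        # 0040159F: [EDI]=CL, [EDI+1]=CH, then SHR ECX,10 and [EDI+2]=CL
        out += bytes((acc & 0xFF, (acc >> 8) & 0xFF, (acc >> 16) & 0xFF))
    return bytes(out), groups


def effective_alphabet() -> str:
    """Invert map_char over the symbols the ladder accepts, to expose the table
    this variant really uses: the standard base64 alphabet rotated by ten
    positions, with one slot (54) that no accepted symbol can produce."""
    table = ["?"] * 64
    for c in b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/":
        slot = map_char(c)
        if table[slot] == "?":
            table[slot] = chr(c)
    return "".join(table)


if __name__ == "__main__":
    # Constructed inputs; "KL" shows the NUL-terminated tail filling with zeros.
    for sample in (b"KLMN", b"AAAA", b"KLMNKL", b"JJJJ", b"KKKK"):
        print(sample, decode_modified_base64(sample))
    print(effective_alphabet())
```

Two things fall out of the reconstruction that are easy to miss in the listing: the fix-up collapses 'J' (9 - 10 + 0x41 = 64, then AND 3F) and 'K' (10 - 10 = 0) onto the same value, so two different serials decode identically, and the three stores write the 24-bit word little-endian, the reverse of RFC 4648 byte order. A NUL inside a group leaves EBX in place, so every later read sees the NUL again and the remaining groups come out as zero bytes.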
Getting past the anti-debug:

0040103C|.68 BC154000 push 004015BC ; /Timerproc = CrackMeV.004015BC
00401041 68 20030000 push 320
00401046 6A 01 push 1 ; |TimerID = 1
00401048|.6A 00 push 0 ; |hWnd = NULL
0040104A|.E8 81060000 call <jmp.&user32.SetTimer> ; \SetTimer

Change it to:

0040103C|.68 BC154000 push 004015BC ; /Timerproc = CrackMeV.004015BC
00401041 68 20030000 push -1
00401046 6A 01 push 1 ; |TimerID = 1
00401048|.6A 00 push 0 ; |hWnd = NULL
0040104A|.E8 81060000 call <jmp.&user32.SetTimer> ; \SetTimer

Patching it has already given me a headache.

Change these 3 places and it's patched!

0040127D|.3D 76656372 cmp eax, 72636576
00401282|.75 41 jnz short 004012C5 ; NOP this out
00401284|.8B46 04 mov eax, dword ptr [esi+4]
00401287|.3347 04 xor eax, dword ptr [edi+4]
0040128A|.3D 692D3E63 cmp eax, 633E2D69
0040128F|.75 34 jnz short 004012C5 ; NOP this out
00401291|.8B46 08 mov eax, dword ptr [esi+8]
00401294|.3347 08 xor eax, dword ptr [edi+8]
00401297|.3D 7261636B cmp eax, 6B636172
0040129C|.75 27 jnz short 004012C5 ; NOP this out
-----------------
The algorithm is something like CRC16: it takes the transformed username, runs it through a complex computation looped 16 times, and compares the result with the fixed string "rcevc>-ikcar".

What a pain! Personally I feel this kind of algorithm is pointless in a CM. Not that it can't be cracked; actually I could brute-force it piece by piece: once you have the two values that come out of the second CALL, you can brute-force with the algorithm extracted from the first CALL. It's just that the first CALL's algorithm sapped my will to follow it the moment I looked at it; I only stepped through a stretch of it with F8 to get the rough idea, and it's far too long. I could write something even more complicated of this kind, but take it to something like the PEDIY (看雪) CM contest and you'd surely get sneered at (BS), and in real software it's even more pointless: anyone who sees it will just think of using TIT.

[ This post was last edited by lgjxj on 2008-1-16 17:04 ]

Sorry, this is the first CrackMe I have written; maybe lgjxj thinks it's badly written... I admit that too.
But this CrackMe is one I wrote using a bit of cryptography knowledge. I suppose I'm fairly interested in cryptography; I think encryption is closely bound up with mathematics.
The first algorithm is a modified base64 algorithm.
The second algorithm is a completely unmodified TEA algorithm, using the TEA from the cryptographic algorithm library that comes with RadASM; you can all try calling it yourselves. I've posted the source code in the CrackMe section; anyone interested can take a look.

All I ever do is patch, patch and patch again.
When it comes to algorithms I'm still at the newbie stage.

Too complicated, isn't it? Haha!

I've only just started learning algorithms; keep at it!
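Since the author says the second routine is plain TEA from the RadASM crypto library, a reference implementation is the practical tool for matching it: once you see the round constant 0x9E3779B9 (or its negation 0x61C88647) next to a shift-left-by-4 and a shift-right-by-5 on the same word, you are looking at TEA and can test your reading of the listing against known-good code instead of stepping 32 rounds with F8. The Python below is an added example of standard Wheeler/Needham TEA, this example's own code and not the RadASM library's or the CrackMe's; the little-endian word order in the byte-level helpers is an assumption about how an x86 program would load the words, and the sample key and block are constructed.

```python
# Standard TEA (Wheeler/Needham), 64-bit block, 128-bit key, 32 cycles.
# Added reference implementation; not the RadASM library's or the CrackMe's code.
import struct

DELTA = 0x9E3779B9    # floor(2**32 / golden ratio): the constant that identifies TEA
MASK32 = 0xFFFFFFFF
ROUNDS = 32           # standard TEA cycle count


def tea_encrypt_block(v0: int, v1: int, key: tuple, rounds: int = ROUNDS) -> tuple:
    """Encrypt one block given as two 32-bit words with a key of four 32-bit words."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_decrypt_block(v0: int, v1: int, key: tuple, rounds: int = ROUNDS) -> tuple:
    """Inverse of tea_encrypt_block: undo the rounds in reverse order, starting
    from the final value of the running sum (rounds * DELTA mod 2**32)."""
    k0, k1, k2, k3 = key
    s = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1


def tea_encrypt_bytes(block8: bytes, key16: bytes) -> bytes:
    """8-byte block and 16-byte key, read as little-endian words (assumption:
    the natural layout when an x86 routine loads them with MOV EAX,[ESI])."""
    v0, v1 = struct.unpack("<2I", block8)
    key = struct.unpack("<4I", key16)
    return struct.pack("<2I", *tea_encrypt_block(v0, v1, key))


def tea_decrypt_bytes(block8: bytes, key16: bytes) -> bytes:
    v0, v1 = struct.unpack("<2I", block8)
    key = struct.unpack("<4I", key16)
    return struct.pack("<2I", *tea_decrypt_block(v0, v1, key))


# Constructed sample values for a stand-alone run; not taken from the CrackMe.
SAMPLE_KEY = bytes(range(16))
SAMPLE_BLOCK = b"username"

if __name__ == "__main__":
    ct = tea_encrypt_bytes(SAMPLE_BLOCK, SAMPLE_KEY)
    print("ciphertext:", ct.hex())
    print("round trip:", tea_decrypt_bytes(ct, SAMPLE_KEY))
```

When comparing against a listing, the two things that distinguish the TEA family are the running sum (incremented by DELTA once per cycle in TEA, so a decrypt routine starts it at 32 * DELTA = 0xC6EF3720) and the key-word pairing (k0/k1 on the v1 terms, k2/k3 on the v0 terms); XTEA and XXTEA use the same constant but different mixing, so matching on the constant alone is not enough.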